HIPAA NOTICE

At Album Health, Inc., we take privacy extremely seriously. As a healthcare company, we operate in accordance with all applicable privacy and data protection laws. Doing so is core to both our philosophy as an organization and our ability to create life-changing product experiences for our participants. If you have any questions or concerns about our privacy practices or this consent, please contact us at privacy@albumhealth.com.

HIPAA NOTICE
THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.

  1. Who Must Follow This Notice

Album Health, Inc., (“Album Health”) provides you with health care by working with health coaches and other health care providers (referred to as “we,” “our,” or “us”) when you apply for or participate in the Album Health Program (the “Services”). This is a joint notice of our information privacy practices (“Notice”). The following people or groups will follow this Notice:

  • any health care provider who provides services to you at or from Album Health’s locations. These professionals include health coaches and others;
  • all departments and units of our organization, including mobile units; and
  • our employees and contractors, including regional support offices and affiliates. These entities, sites and locations may share medical information with each other for treatment, payment, or health care operations purposes described in this Notice. In addition, we also use and share your information for other reasons as allowed and required by law. If you have any questions about this Notice, please see our contact information on the last page of this Notice.
  1. Our Commitment to Your Privacy

We understand that medical information about you and your health is private and personal. We are dedicated to maintaining the privacy and integrity of the protected health information that we receive from you as part of your application for or participation in the Services (“PHI”). PHI is information about you that we receive from you as part of your registration for or participation in the Services that may be used to identify you (such as your name, social security number, or address), and that relates to (a) your past, present, or future physical or mental health or condition, (b) the provision of health care to you, or (c) your past, present, or future payment for the provision of health care. In providing services to you, we will receive and create records containing your PHI. We need these records to provide you with quality services and to comply with certain legal requirements. We are required by law to maintain the privacy of your PHI and to provide you with notice of our legal duties and privacy practices with respect to your PHI. When we use or disclose your PHI, we are required to abide by the terms of this Notice (or other Notice in effect at the time of the use or disclosure). This Notice applies to the records of services you receive at or from Album Health, whether created by our staff or you. We will gladly explain this Notice to you or your family member.

  1. How We May Use and Disclose Protected Health Information About You

This section of our Notice tells how we may use PHI about you. We will protect PHI as much as we can under the law. Sometimes state law gives more protection to PHI than federal law. Sometimes federal law gives more protection than state law. In each case, we will apply the laws that protect PHI the most. We are required to maintain the confidentiality of your PHI, and we have policies and procedures and other safeguards to help protect your PHI from improper use and disclosure. The following categories describe different ways that we use your PHI within Album Health and disclose your PHI to persons and entities outside of Album Health. We have not listed every use or disclosure within the categories below, but all permitted uses and disclosures will fall within one of the following categories. In addition, there are some uses and disclosures that will require your specific authorization. How much PHI may legally be used or disclosed without your written permission will vary depending, for example, on the intended purpose of the use or disclosure. Sometimes we may only need to use or disclose a limited amount of PHI, such as to send you a reminder or to confirm your health insurance coverage. At other times, we may need to use or disclose more PHI such as when a doctor is providing medical treatment.

  • Disclosure at your request. We may disclose information when requested by you. This disclosure at your request may require written authorization by you.
  • Treatment. Our staff, including trainees, involved in your services may use and disclose your PHI to evaluate your health care needs. In addition, we may contact you to provide reminders or information about health-related benefits and services that may be of interest to you.
  • Health care operations. We may use and disclose your PHI for our health care operations and the health care operations of certain other entities that have or have had a relationship with you. These health care operations include internal administration and planning and various activities that improve the quality and cost effectiveness of the services delivered to you. Examples include, but are not limited to, using information about you to improve quality of services, quality assessment activities, disease management programs, patient satisfaction surveys, compiling medical information, training, de-identifying PHI and benchmarking.
  • Business associates. Some services in our organization are provided through our contracts with covered entities and business associates. Examples of business associates include accreditation agencies, management consultants and quality assurance reviewers. We may disclose your PHI to our business associates so that they can perform the job we have asked them to do. To protect your PHI, we require our business associates to sign a contract or written agreement stating that they will appropriately safeguard your PHI.
  • Health-related products and services. We may use and disclose your PHI to tell you about our health-related products or services that may be of interest to you.
  • Communications with family and others when you are present. Sometimes a family member or other person involved in your care will be present when we are discussing your PHI with you. We may use or disclose your PHI to a family member, other relative, a close personal friend or any other person identified by you when you are present for, or otherwise available prior to, the disclosure, if we (1) obtain your agreement; (2) provide you with the opportunity to object to the disclosure and you do not object; or (3) reasonably infer that you do not object to the disclosure.
  • Threat to health or safety. We may use and disclose your PHI when necessary to prevent a serious threat to your health and safety or the health and safety of the public or another person. Any disclosure, however, would only be to someone able to help prevent the threat as determined by us in good faith.
  1. Special Situations That Do Not Require Your Authorization

The following categories describe unique circumstances in which Album Health may use or disclose your PHI without your authorization.

  • Public health activities. We may disclose your PHI for the following public health activities to: (1) prevent or control disease, injury or disability; (2) report births and deaths; (3) report regarding the abuse or neglect of children, elders and dependent adults; (4) report reactions to medications or problems with products; (5) notify people of recalls of products they may be using; (6) notify a person who may have been exposed to a disease or may be at risk for contracting or spreading a disease or condition; and (7) notify emergency response employees regarding possible exposure to HIV/AIDS, to the extent necessary to comply with state and federal laws.
  • Victims of abuse, neglect or domestic violence. If we reasonably believe you are a victim of abuse, neglect, or domestic violence, we may disclose your PHI to a governmental authority, including a social service or protective services agency, authorized by law to receive reports of such abuse, neglect, or domestic violence.
  • Health oversight activities. We may disclose your PHI to a health oversight agency for activities authorized by law. These oversight activities include, for example, audits, investigations, inspections, and licensure. These activities are necessary for the government to monitor the health care system, government programs, and compliance with civil rights laws.
  • Lawsuits and other legal disputes. We may use and disclose PHI in responding to a court or administrative order, a subpoena, or a discovery request. We may also use and disclose your PHI to the extent permitted by law without your authorization, for example, to defend a lawsuit or arbitration.
  • Law enforcement officials. We may disclose your PHI to the police or other law enforcement officials as required or permitted by law: (1) in response to a court order, subpoena, warrant, summons or similar process; (2) to identify or locate a suspect, fugitive, material witness, or missing person; (3) about the victim of a crime if, under certain limited circumstances, we are unable to obtain the person’s agreement; (4) about a death we believe may be the result of a criminal conduct; (5) about criminal conduct at Album Health; and (6) in emergency circumstances to report a crime; the location of the crime or victims; or the identity, description or location of the person who committed the crime.
  • Decedents. We may disclose your PHI to a coroner or medical examiner as authorized by law.
  • Organ and tissue donation. We may disclose your PHI to organizations that facilitate organ, eye or tissue procurement, tissue banking or transplantation.
  • Research that does not involve your treatment. When a research study does not involve any treatment, we may disclose your PHI to researchers. To do this, we will either ask your permission to use your PHI or we will use a special process that protects the privacy of your PHI. In addition, we may use information that cannot be identified as your PHI, but that includes certain limited information (such as your date of birth and dates of service). We will use this information for research, quality assurance activities, and other similar purposes and, if we disclose this limited information, we will obtain special protections for the information disclosed.
  • Specialized government functions. We may use and disclose your PHI to units of the government with special functions, such as the U.S. military or the U.S. Department of State, under certain circumstances. We may use and disclose your PHI to authorized federal officials for intelligence, counterintelligence, and other national security activities authorized by law. We may use and disclose your PHI to authorized federal officials so they may provide protection to the President, other authorized persons or foreign heads of state, or conduct special investigations.
  • Inmates. If you are an inmate of a correctional institution or under custody of a law enforcement official, we may disclose PHI about you to the correctional institution or the law enforcement official. This is necessary for the correctional institution to provide you with health care, to protect your health and safety and the health and safety of others, and to protect the safety and security of the correctional institution.
  • Workers’ compensation. We may disclose your PHI as authorized by and to the extent necessary to comply with state laws relating to workers’ compensation or other similar programs.
  • As required by law. We may use and disclose your PHI when required to do so by any other law not already referred to in the preceding categories. For example, the Secretary of the Department of Health and Human Services may review our compliance efforts, which may include seeing your PHI.
  1. Situations Requiring Your Written Authorization

If there are reasons we need to use your PHI that have not been described in the sections above, we will obtain your written permission. This permission is described as a written “authorization.” If you authorize us to use or disclose PHI about you, you may revoke that authorization in writing at any time. If you revoke your authorization, we will no longer use or disclose PHI about you for the reasons stated in your written authorization, except to the extent we have already acted in reliance on your authorization. You understand that we are unable to take back any disclosures we have already made with your permission, and we are required to retain our records of the care we provide to you. Some typical disclosures that require your authorization are:

  • Special categories of treatment information. In most cases, federal or state law requires your written authorization or the written authorization of your representative for disclosures of drug and alcohol abuse treatment, Human Immunodeficiency Virus (HIV) and Acquired Immune Deficiency Syndrome (AIDS) test results, and mental health treatment.
  • Research involving your treatment. When a research study involves your treatment, we may disclose your PHI to researchers only after you have signed a specific written authorization. In addition, an Institutional Review Board (IRB) will already have reviewed the research proposal, established appropriate procedures to ensure the privacy of your PHI and approved the research. You do not have to sign the authorization, but if you refuse you cannot be part of the research study and may be denied research-related treatment.
  • Marketing. We must also obtain your written authorization (“Your Marketing Authorization”) prior to using your PHI to send you any marketing materials. We can, however, provide you with marketing materials in a face-to-face encounter without obtaining Your Marketing Authorization. We are also permitted to give you a promotional gift of nominal value, if we so choose, without obtaining Your Marketing Authorization. In addition, we may communicate with you about products or services relating to your treatment, case management or care coordination, or alternative treatments, therapies, providers or care settings without Your Marketing Authorization. If we receive any direct or indirect payment for making such a communication, however, we would need your prior written permission to contact you. The only exceptions for seeking such permission are when our communication (i) describes only a drug or medication that is currently being prescribed for you and our payment for the communication is reasonable in amount; or (ii) is made by one of our business partners consistent with our written agreement with the business partner.
  1. Your Rights Regarding Your PHI

You have the following rights regarding PHI we maintain about you. You may contact us to obtain additional information and instructions for exercising the following rights.

  • Right to request additional restrictions. You may request restrictions on our use and disclosure of your PHI (1) for treatment, payment and health care operations, (2) to individuals (such as a family member, other relative, close personal friend or any other person identified by you) involved with your care or with payment related to your care, or (3) to notify or assist in the notification of such individuals regarding your location and general condition. While we will consider all requests for additional restrictions carefully, we are not required to agree to a requested restriction, unless the request is regarding a disclosure to a health plan for a payment or health care operation purpose and the PHI relates solely to a health care item or service for which we have been paid out-of-pocket in full. This request must be in writing. We will send you a written response. If we agree with the request, we will comply with your request except to the extent that disclosure has already occurred or if you are in need of emergency treatment and the information is needed to provide the emergency treatment.
  • Right to receive confidential communications. You may request to receive your PHI by alternative means of communication or at alternative locations. For example, you can request that we only contact you at work or by mail. To request confidential communications, you must make your request in writing. We will not ask you for the reason for your request. We will accommodate all reasonable requests. Your request must specify how or where you wish to be contacted.
  • Inspection and copies. You may request access to your medical record file and billing records maintained by us. You may inspect and request copies of the records. Under limited circumstances, we may deny you access to a portion of your records. If you are denied access to PHI, you may request that the denial be reviewed. Another licensed health care professional chosen by us will review your request and the denial. The person conducting the review will not be the person who denied your request. We will comply with the outcome of the review.
    • If you desire access to your records, you must submit your request in writing. If your PHI is maintained in an electronic health record, you may obtain an electronic copy of your PHI and, if you choose, instruct us to transmit such copy directly to an entity or person you designate in a clear, conspicuous, and specific manner.
    • If you request paper copies, we will charge you for the costs of copying, mailing, labor and supplies associated with your request. Our fee for providing you an electronic copy of your PHI will not exceed our labor costs in responding to your request for the electronic copy (or summary or explanation).
    • You should take note that, if you are a parent or legal guardian of a minor, certain portions of the minor’s PHI will not be accessible to you (e.g., records pertaining to health care services for which the minor can lawfully give consent and therefore for which the minor has the right to inspect or obtain copies of the record; or the health care provider determines, in good faith, that access to the client records requested by the representative would have a detrimental effect on the provider’s professional relationship with the minor client or on the minor’s physical safety or psychological well-being).
  • Right to amend your records. You have the right to request that we amend PHI maintained in your medical record file or billing records. If you desire to amend your records, your request must be in writing. We will comply with your request unless we believe that the information that would be amended is accurate and complete or other special circumstances apply. If we deny your request, you will be permitted to submit a statement of disagreement for inclusion in your records.
  • Right to addendum. You have the right to add an addendum to your PHI maintained in your medical record.
  • Right to receive an accounting of disclosures. Upon written request, you may obtain an accounting of certain disclosures of your PHI made by us during any period of time six years prior to the date of your request. Your written request should indicate in what form you want the list (for example, on paper or electronically). If you request an accounting more than once during a twelve (12) month period, we will charge you for the costs involved in fulfilling your additional request. We will inform you of such costs in advance, so that you may modify or withdraw your request to save costs. In addition, we will notify you as required by law if there has been a breach of the security of your PHI.
  • Paper copy. Upon request, you may obtain a paper copy of this Notice. Even if you have agreed to receive such notice electronically, you are still entitled to a paper copy of this Notice. You may obtain a copy of this Notice at our website: [www.albumhealth.com/hipaa]. To obtain a paper copy of this Notice, contact us using the contact information at the end of this Notice.
  1. Minimum Necessary

To the extent required by law, when using or disclosing your PHI or when requesting your protected health information from a covered entity, we will make reasonable efforts not to use, disclose, or request more than the minimum amount of protected health information necessary to accomplish the intended purpose of the use, disclosure, or request, taking into consideration practical and technological limitations.

  1. Changes to this Notice

We may change the terms of this Notice from time to time. Changes will apply to current PHI, as well as new PHI after the change occurs. We will post the new Notice on our website at [www.albumhealth.com/hipaa]. Upon your request, you may obtain any revised Notice by calling or emailing us and requesting that a revised copy be sent to you in the mail.

  1. Concerns or Complaints

If you desire further information about your privacy rights, are concerned that we have violated your privacy rights, or disagree with a decision that we made about access to your PHI, you may contact our Privacy Officer (listed below). Finally, you may send a written complaint to the U.S. Department of Health and Human Services, Office of Civil Rights. Our Privacy Officer can provide you the address. We will not take any action against you for filing a complaint.

  1. How to Contact Us

If you would like more information about your privacy rights, please contact Album Health by calling (888) 820-7267 and ask to speak with the Privacy Officer. To the extent you are required to send a written request to Album Health to exercise any right described in this Notice, you must submit your request to Album Health at: Album Health, Inc., 1717 Ingersoll Avenue, Des Moines, IA 50309 Attn: Privacy Officer Email: privacy@albumhealth.com Version Effective: June 5, 2018 Consent to Share and Release Information APPLICABLE TO U.S. RESIDENTS: Album Health, Inc., (“Album Health”), as part of administering the Album Health program (the “Services”), may have access to and use my personal health information (“PHI”), which I provide to Album Health as part of my participation in the Services. I understand that other participants may also be able to see my information, including PHI that I post and/or disclose in the course of engaging with the Services and/or Album Health. Album Health may provide aggregated, de-identified health information to the sponsor of my health plan and any third party administering my health plan; if my health plan sponsor or third-party administrator requests any of my PHI, Album Health may provide such PHI as is minimally necessary to accomplish the request in accordance with HIPAA. Furthermore, Album Health may share and use my PHI to review and improve the quality of the Services. I understand also that Album Health may store my PHI for the time period that is necessary under Album Health’s policies regarding record retention. You acknowledge that you have read and understand the terms of the Consent to Share and Release Information.