Overview
This Notice of Privacy Practices (“NPP”) is provided to patients of the healthcare provider requesting the testing from Corgenix Inc., (“Corgenix”), a clinical laboratory which is part of the Sebia Group of companies. It describes how your health information (called “Protected Health Information” or “PHI”) is collected, used and disclosed by Corgenix in relation to the laboratory services we provide as well as your rights in relation to your information.
How We Protect Your Privacy
Corgenix is required to comply with relevant international, federal and state data privacy (data protection), security and genetic information laws in connection with your health information. This means that we can only collect and use your health information for purposes allowed under those laws and must safeguard your information in a manner commensurate with its sensitivity. We must also follow those laws and requirements in relation to sharing your information, such as with your physician(s), and cannot use or share it for unrelated purposes.
In the United States, PHI is protected under a federal law called the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Standards for Privacy of Individually Identifiable Health Information (“Privacy Rule”); and 45 C.F.R. Part 164, Subpart C, and Security Standards for the Protection of Electronic Protected Health Information (“Security Rule”), as amended by the Health Information Technology for Economic and Clinical Health Act {HITECH” Act) and the HIPAA Omnibus Rule, including all regulations, standards and guidance documents issued thereunder. For purposes of this NPP, that collection of laws and requriements is referred to as the HIPAA-HITECH Rules.
How We Use and Disclose Your Protected Health Information
This section describes the ways that Corgenix and its Business Associates are permitted to use and disclose your Protected Health Information without first seeking written authorization from you. Please note that for any of these disclosures, only the minimum necessary information (i.e., that which is necessary and relevant) from your laboratory testing record is disclosed.
Treatment
Your information may be used or disclosed in connection with treatment, such as sharing relevant information such as your laboratory test results with the healthcare provider requesting the testing as well as other designated providers involved in your care.
Payment
Your information may be used or disclosed in connection with obtaining payment for your healthcare services including seeking reimbursement under your insurance coverage. (See below for information about your right to protect your PHI from access by your health insurance company.)
Healthcare Operations
Your information may be used or disclosed for certain types of approved administrative purposes, such as performing quality checks for our laboratory testing, conducting audits, and developing reference ranges for our laboratory testing.
Business Associates Disclosures
Your information may be used or disclosed to (“Business Aassociates”), a certain type of third party retained by Corgenix to assist with our laboratory services and/or store PHI on our behalf.
Public Health Activities
Your information may be used or disclosed in connection with public health activities that are authorized by law, such as to prevent or control disease, injury or disability.
Health or Safety
Your information may be used or disclosed to prevent or lessen a serious threat to your health or safety or that of the general public.
Health Oversight Activities
Your information may be used or disclosed in connection with government or regulatory oversight or compliance, such as to health authorities to report adverse events or product defects, to enable recalls or for similar safety reasons. It may also be accessible to agencies that evaluate billing or other legal or healthcare matters.
Victims of Abuse, Neglect, or Domestic Violence
Your information may be used or disclosed in connection with reporting to government agencies authorized by law to receive reports of abuse, neglect or domestic violence.
Certain Limited Research Purposes
Your information may be used or disclosed in connection with certain limited research purposes, as authorized by law.
Workers Compensation
Your information may be used or disclosed in connection with complying with workers’ compensation laws and regulations.
Judicial, Administrative, Government and Legal Obligations
Your information may be disclosed to the police, other law enforcement officials, or the government in connection with legal proceedings, compliance with a court order or subpoena, or for other legal or judicial or law enforcement processes as authorized or required by law.
De-Identified Information
We may use your PHI to create “de-identified” information, i.e., information that is irreversibly stripped of all data elements that could be used to identify you. There are specific rules under the HIPAA-HITECH Rules about the data elements that must be removed before your information is considered “de-identified”. Once information has been de-identified as required by law, it is no longer PHI and does not fall within the scope of the HIPAA-HITECH Rules.
Other Uses of Your Information
As permitted under the HIPAA-HITECH Rules, your PHI may also be disclosed to the following agencies when it is necessary to do so, and in accordance with the ‘minimum necessary’ standard:
Uses and Disclosures With Your Written Authorization
Other than the uses and disclosures described in this Notice, Corgenix may not use or disclose your PHI without your written authorization. You also have the right to revoke a HIPAA authorization in writing.
Your Individual Rights
Right to Obtain a Copy of Your Laboratory Test Results
You have the right to obtain a copy of your laboratory test results, both directly from Corgenix and from the healthcare provider requesting the testing
Right to Request Additional Restrictions
You have the right to request additional restrictions on certain uses and disclosures of your PHI to carry out treatment, payment or healthcare operations functions as described in this Notice. For example, you can request that your PHI be disclosed to certain family members or others who may assist with your medical care, and that it not be disclosed to others. While Corgenix will consider all requests carefully, we are not always required to (or able to) apply the requested restriction.
Right to Avoid Disclosures to Insurance Companies
You have the right to request that your PHI not be provided to insurance companies (such as in relation to paying for laboratory services). If you choose to exercise that right, you must (1) inform Corgenix in writing about your request prior to receiving laboratory services from us, and (2) pay for the services in full yourself, without any insurance reimbursement. Please ask the healthcare provider submitting your specimen for laboratory testing by Corgenix for additional information.
Right to Receive Confidential Communications
In certain circumstances, you may ask to receive confidential communications of PHI in a manner outside of Corgenix’s normal procedures. In accordance with the HIPAA-HITECH Rules, Corgenix will consider all reasonable requests but we regrettably may not able to agree to all of them.
Right to Inspect and Obtain a Copy of Your Personal Health Information
You may ask to inspect or to obtain a copy of your personal health information maintained by Corgenix. You also have the right to request your information in electronic format, provided that it is maintained in that format.
Right to Amend Your Records
You have the right to ask Corgenix to amend your personal health information included the records that we maintain. If it is determined that the record is inaccurate, and where the law permits us to amend the record, we will do so. If your doctor or another person created the information that you want to change, you should ask that person to amend the information.
Right to Receive an Accounting of Disclosures
Upon request, you may obtain an accounting of disclosures of your personal health information made by Corgenix or its business associates. The accounting will not include disclosures made earlier than three years before the date of your request, and certain other disclosures that are excluded by law. If you request an accounting more than once during any 12-month period, you will be charged a reasonable fee for each accounting statement after the first one. If you request an accounting relating to disclosures by business associates, Corgenix may either provide you with such an accounting directly, or provide you with the contact information for those business associates, in order that you may request an accounting directly from them.
Right to be Notified of Security Breaches Involving Your Information
In accordance with the federal and state breach notification laws and requirements, you have the right to receive notification in the event that Corgenix or its respective Business Associates or subcontractors entrusted with your PHI suffers a security breach involving your personal information which triggers a notification obligation.
Right to Receive a Paper Copy of this Notice
You may contact Corgenix at privacy@corgenix.com to obtain an additional copy of this Notice at any time.
Copying Fees
You may be charged a reasonable fee to cover costs related to copying or preparing your information, in connection with requests for copies of your health records.
No Discrimination
Corgenix does not discriminate on the basis of race, color, national origin, age, disability, gender, or sex, including in relation to our HIPAA-HITECH compliance practices.
Revisions to This Notice
The terms of this Notice may be changed from time to time. If so, the additional protections contained in the updated Notice terms may be made effective for all of your PHI maintained by the Health Plans/Health Center, including any information that was created or received before the new Notice was issued. If this Notice is revised, the revised notice will be promptly delivered to all enrollees.
Complaints
If you believe Corgenix has violated your privacy rights, you may file a complaint with us by contacting us at privacy@corgenix.com. You also have the right to file a complaint with the U.S. Secretary of Health and Human Services.
There will be no impact (retaliation) against anyone who files a complaint based upon a legitimate belief that their privacy or security has been violated by our organization.
Contact Information to Exercise Your Rights
If you want to exercise any of your rights described in this Notice, you may do so by contacting Corgenix at privacy@corgenix.com.
Effective Date and Updates
This Notice is effective as of April 18, 2024. Corgenix may amend this Notice to reflect changes in our privacy practices as well as updates to the HIPAA-HITECH laws and requirements.