Notice of Privacy Practices

Innovation Health Group Inc.

Effective Date of this Notice: April 18, 2019

THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.

This Notice of Privacy Practices (“Notice”) applies to Innovation Health Group and each of its business units and subsidiaries, as applicable (collectively, “IHG”, “we”, “us”, or “our”).

Our Obligations

IHG is required by law to maintain the privacy and security of your protected health information (“PHI”) and provide you with this Notice of our legal duties, privacy practices, and your privacy rights regarding PHI. We are required to follow the terms of this Notice currently in effect. In the event of a breach involving unsecured PHI, we are also required to notify affected individuals, as described herein. This Notice does not apply to non “diagnostic services that we perform, such as clinical trials.

Protected Health Information

PHI is information that reasonably can be used to identify you and that relates to your past, present, or future physical or mental health condition, the provision of health care to you, or the payment for such heath care.

Information Collected and Created by IHG

We collect PHI to provide testing services, obtain payment for these services, conduct healthcare operations, and other purposes permitted or required by law. PHI may include name, address, telephone number, email address, date of birth, gender, ethnicity, medical history, diagnosis, treatment information, provider identification, medical insurance account number, and payment card information.

Protection of PHI

While there can be no guarantee of privacy, we have established reasonable and appropriate physical, technical and administrative safeguards to protect PHI against unauthorized use and disclosure and to restrict access to PHI to only those workforce members who need it in order to provide services to clients and patients and conduct business operations.

For information about sample retention and your rights related to this, please see the consent that you signed.

If you share this information or these test results with anyone, you are responsible for any compromise of confidentiality that may result from such sharing.

Uses and Disclosures of PHI

In the course of providing laboratory services, we use PHI internally and disclose it to health care providers (health care professionals requesting services, laboratory personnel involved in ordering services and other caregivers), insurers, payors, third party service providers, and government authorities, and their respective agents. Some examples of what we do with the information we collect and the reasons it might be disclosed to third parties are described below.

Treatment, Payment and Health Care Operations

We may use or disclose PHI with or without your consent to provide health care services. These include:

  • Treatment – We use and disclose PHI for your treatment purposes, including disclosure to healthcare professionals and entities who provide you healthcare services and/or are involved in the coordination of healthcare, such as providing your healthcare professional with your laboratory testing
  • Payment – We may use and disclose PHI to obtain reimbursement for our testing and/or genetic counseling services, such as billing, payment, collections activities, and determination of eligibility/enrollment and obtaining authorization for services. We will only disclose your genetic testing results to an insurer with your authorization to do so. If you are insured under another person’s health insurance policy (for example, parent, guardian, spouse, domestic partner, or former spouse), we may also send invoices to the subscriber whose policy covers your health
  • Health care operations – We may use and disclose PHI for our health care operations, such as performing quality checks on our testing, testing for accuracy of results, developing reference ranges for our tests, internal audits, accreditation functions, arranging for legal services, and for operation and management


Other Uses and Disclosures Permitted or Required by Law

We may use or disclose PHI for other important activities permitted or required by law, with or without your authorization. These include:

  • Provide You Information on Health Care Related Services – We may send you information related to your individual treatment, case management or care coordination; or to direct or recommend alternative treatment, therapies, health care providers, settings of care; or to describe a health related product or service that is provided by IHG, unless IHG receives direct or indirect payment in exchange for making the communication. HIPAA considers these non-marketing activities. We will not disclose your PHI, including genetic information, to a third party for marketing purposes without your authorization.
  • Business Associates – We may provide your PHI to other companies or individuals to perform certain business functions or services to us (“third party service providers” or “business associates”). Business associates are required to maintain the privacy and security of your PHI. For example, we may provide PHI to companies that assist us with billing of our services or to an outside collection agency to obtain payment when
  • Required by Law – We may use or disclose PHI to the extent that such use or disclosure is required by law. In addition, we may use         and disclose PHI in response to a warrant, investigative demand, summons, subpoena, court or  administrative  order,  discovery  request and any other legal, regulatory, or governmental processes. Further, we may use and disclose PHI in connection with health oversight activities (e.g., government audits of our compliance with certain laws  and  regulations,  oversight  of  government funded health benefits programs).
  • De-identified Information and Limited Data Sets ” We may use or disclose health information that has been  “de-identified”  by  removing certain identifiers (such as name, address, date of birth, etc.) making it very unlikely that you could be identified. HIPAA   does not consider de-identified data to be PHI. As permitted by law, we also may use information  contained  in  a  “Limited  Data  Set” that removes the same identifiers, however may include dates, city, county, and zip code. Limited Data Sets are considered PHI and  require reasonable and appropriate safeguards to protect
  • Research – We use and disclose PHI in connection with research performed by us and by researchers outside IHG. This research that will be published generally is subject to the oversight of an Institutional Review Board or Privacy Board. In most cases, while PHI may be used to help prepare a research project or to contact you to ask whether you want to participate in a study, it will not be further disclosed for research without your authorization. Sometimes, however, where permitted under federal law and institutional policy, and approved by an Institutional Review Board or a privacy board, PHI may be used or
  • Family, Friends and Caregivers – Under certain circumstances, we may disclose PHI to family members, other relatives, close personal friends or others that you identify to the extent it is directly relevant to their involvement with your care or payment related to your care. See “Right to Request Restrictions On Uses and Disclosures”.
  • Personal Representatives ” We may disclose PHI to your personal representative, as established under applicable law, or to an administrator, executor, or other authorized individual associated with your
  • Appointment Reminders: We may contact you to provide appointment reminders or information about genetic counseling, treatment alternatives, or other health related benefits or services that may be of interest to
  • Other Uses and Disclosures ” As permitted or required by law, we may disclose your PHI to:

 

  • Public Health Authorities
  • The Food and Drug Administration
  • Health Oversight Agencies
  • Military Command Authorities
  • National Security and Intelligence Organizations
  • Organ and Tissue Donation Organizations
  • Coroners, Medical Examiners, and Funeral Directors
  • Correctional Institutions
  • Workers Compensation Agents

Uses and Disclosures Requiring Authorizations

We may request your written authorization to use or disclose your PHI in ways not described above. If you make a special authorization and later change your mind about this, you may revoke the authorization, in writing (see “Questions and Complaints”), at any time, except to the extent that action has been taken in reliance on the authorization. In any communication with us, please provide your name, address, and a telephone number where we can reach you in case we need to contact you about your request.

  • Marketing Activities ” We must obtain your written authorization in order to use your PHI to send you marketing materials. No authorization is required for marketing material provided to you in a face-to-face communication or for promotional gifts of nominal value. See “Provide You Information on Health Care Related Services” above for what is not considered marketing by HIPAA.
  • Sale of PHI – We must obtain your written authorization prior to any sale of your

Information Breach Notification

We are required to provide notification to affected patients if we discover a breach of unsecured PHI, unless a formal risk assessment demonstrates that there is a low probability that the PHI has been compromised. You will be notified without unreasonable delay within legally required timeframes after discovery of the breach. Such notification will include information about what happened and what can be done to mitigate any harm.

Your Rights with Respect to PHI

Subject to certain exceptions, Health Insurance Portability and Accountability Act of 1996, as amended, and its implementing regulations (collectively “HIPAA”), establishes the following patient rights with respect to PHI.

See “Questions and Complaints” for how to contact us to make a request to exercise any of the below rights.

  • Right to Receive a Copy of this Notice: You have a right to receive a paper copy of our Notice of Privacy Practices. See “Questions and Complaints” for how to contact us to make a request for a copy of this Notice. One will be provided to you. We provide a copy of this Notice on our website innovationhealthgroup.com
  • Right to Request Restrictions on Uses and Disclosures of Your PHI: You have a right to request, in writing, that we agree to restrict certain uses and/or disclosures of your PHI related to: 1) your treatment, your payment, or to routine health care operations activities; or 2) to family members, other relatives or close friends involved in your care or payment for your care. We will consider your request, but are not required to agree to it, unless the requested restriction involves a disclosure (a) to your health plan for payment or healthcare operations purposes when you have directly paid us in full out-of-pocket; and (b) when the uses or disclosures are required by law. If we do agree to a restriction, we will state the agreed upon restrictions in writing and will abide by them, except in emergency situations for purposes of
  • Right to Confidential Communications Containing PHI: You have the right to request, in writing, that we provide confidential communications containing your PHI to you in ways or at locations that are outside our usual process, such as to a different address or by a different means. We will accommodate reasonable
  • Right to Obtain Copies of Lab Reports: You have a right to access copies of your laboratory test results that we have created. You may receive your test results: a) online when this service is made available; b) on your smartphone using our mobile app; or c) you may contact us to obtain a form to request a copy, in writing, and pay for the cost of copying, mailing, or electronic media on which the information is provided, such as a CD or flash drive, in which case we will provide it to you within 30 days of the written request or once the results are available. If you have questions about your test results, please contact your ordering health care
  • Right to Access your PHI: You have a right to review and obtain a copy of existing PHI contained in medical and billing records about you maintained by us, except any medical necessity notes or documentation (chart notes authorizing the test order) from your ordering health care professional, which you should obtain from them. You must make your request in writing and you will receive these records within 30 days. You can also request a form authorizing us to provide a copy of your information to a third party that you identify. This right is limited to existing records that are maintained, collected, used or disseminated by us and does not apply to information we compile in reasonable anticipation of, or for use in, civil, criminal or administrative actions or proceedings. We may charge you a fee for copying the information and for postage if you request a mailed
  • Right to Correct or Update Your PHI: You have a right to request that we amend the records described above for as long as we maintain them. You must make the request in writing and give a reason for the amendment. We may deny your request if: (i) we determine that we did not create the record, unless the originator of the PHI is no longer available to act on the requested amendment; or (ii) if we believe that the existing records are accurate and complete. If we do deny your request to change you PHI, we will provide you a written explanation of the reason for the denial and any additional information regarding further actions that you may take. Note that an amendment may take several forms; for example we may add an explanatory statement to a record rather than change
  • Right to Receive an Accounting of Disclosures: You have a right to receive an accounting of disclosures (a list) made by IHGto any third party in the six years prior to the date of your written request, unless you request a shorter period of disclosures. Under the law, this does not include disclosures made for the purposes of treatment, payment or health care operations; disclosures made to you or to others involved in your care; disclosures made with your authorization; disclosures made for national security or intelligence purposes or to correctional institutions or law enforcement purposes; or certain other disclosures. You must make any request for an accounting in writing and we may charge a fee to fill more than one request in any given
  • Right to Complain: If you believe your privacy rights have been violated, you have a right to file a complaint with us or with the Secretary of the Department of Health and Human Services (“DHHS”). See “Questions and Complaints” for how to contact us and/or the Secretary of

How to Exercise Your Rights

To exercise any of your rights described above, you must send a written request or complete a form that you will need to request. See “Questions and Complaints” for contact information. We will respond to requests in a timely manner.

Availability and Distribution of This Notice

This Notice should be provided by your health care professional along with your consent. It is also published on our web site at www.innovationhealthgroup.com and a paper copy is made available upon request. See “Questions and Complaints”.

Changes to Our Notice of Privacy Practices

IHG reserves the right to make changes to this Notice from time to time to reflect changes in our privacy practices. If we change this Notice, we may make the new Notice terms and practices effective for all PHI that we maintain about you, including any information created or received prior to issuing the new Notice. Understand that this Notice cannot override patient authorizations or rights, required by law. If we change this Notice, we will post the new Notice on our website at  www.innovationhealthgroup.com and identify any material changes since the previous update at the top of the Notice. Please review this site periodically to ensure you are aware of any such update.

Communicating with Us

As a convenience, IHG may make available email addresses by which you can communicate with us. Please be advised that email is not a secure means of communication, therefore we cannot guarantee the security of any information that you send to us prior to our receipt of it. This fact may also restrict our use of email in communicating any response to you – we will make every attempt to use alternate means of communicating anything that may be considered sensitive information.

Questions and Complaints

Billing questions and complaints

You may update insurance and/or billing information by contacting the Patient Billing department at (416)222-5880 or sending us a written request to the address below.

All other questions and complaints

If you wish to exercise any of your rights described above, you must send a written request or complete a form that you will need to request. If you would like a paper copy of this Notice, have any questions about it, or believe its terms or any IHGprivacy policy has been violated with respect to information about you, please let us know immediately by contacting our Client Services Department at (877) 505″7374 or sending us a written request. Please include your name, address, and a telephone number where we can contact you, and a brief description of the complaint or question. If you prefer, you may lodge an anonymous complaint.

Privacy Complaints Billing Questions All Other Questions and Complaints
Chief Privacy Officer Billing Department Client Services Department
Innovation Health Group Innovation Health Group Innovation Health Group
4120 Yonge Street, #306 4120 Yonge Street, #306 4120 Yonge Street, #306
Toronto, Ontario, Canada. M2P2B8 Toronto, Ontario, Canada. M2P2B8 Toronto, Ontario, Canada. M2P2B8

You also may file a written complaint with the Secretary of the Department of Health and Human Services, Office for Civil Rights (OCR) using one of the methods identified on www.hhs.gov/ocr/privacy/hipaa/complaints/ which include by fax, email, electronically via the OCR Compliant Portal or mail to your regional HHS Office.

Please provide as much information as possible so that the complaint can be properly investigated. We will not retaliate against a person who files a complaint with us or with the Secretary of the Department of Health and Human Services.