HIPAA BUSINESS ASSOCIATE PRIVACY STATEMENT
HealthRight LLC takes privacy very seriously. HealthRight is a Business Associate, which provides services, such as maintenance of medical records, customer-intake, billing and technical services to the physicians, known as Covered Entities, who provide telehealth services to our customers (“Physicians”). As a Business Associate, we share a commitment with the Physicians to protect the privacy and confidentiality of health information that we obtain about you subject to the terms of our Business Associate Agreements with Physicians and in compliance with the Health Insurance Portability and Accountability Act of 1996, as amended by the Health Information Technology for Economic and Clinical Health Act, and the HIPAA Privacy and Security Rules (collectively “HIPAA”).
This Privacy Statement is provided to help you better understand how we at HealthRight use, disclose, and protect your health information in accordance with the terms of Business Associate Agreements between HealthRight and Covered Entities such as Physicians and as required by HIPAA.
Business Associate Agreement. The Business Associate Agreement is a formal written contract between HealthRight and a Covered Entity that requires HealthRight to comply with specific requirements related to the use and disclosure of your health information.
Covered Entity. A Covered Entity is a health plan, health care provider (e.g., physician, physician group practice, hospital), or healthcare clearinghouse that must comply with HIPAA.
Use and Disclosure of Your Health Information
The following is a description of how HealthRight may use and disclose your health information:
- We may disclose your health information when you have signed a written authorization permitting the physician to disclose it.
- We may use your health information for our management, administration, data aggregation and legal obligations to the extent such use of your health information is permitted or required by the Business Associate Agreements and not prohibited by law.
- We may use or disclose your health information on behalf of, or to provide services to, Physicians for purposes of fulfilling our service obligations to the Physicians, if that use or disclosure is permitted or required by HIPAA or the Business Associate Agreement. For example:
  - We may use and disclose your health information to facilitate the provision of telehealth and related services provided by Physicians.
  - We may use and disclose your health information for billing and payment purposes.
  - We may use and disclose your health information for the Physicians’ healthcare operations, which are business tasks that we assist with on behalf of the Physicians that are necessary for the Physicians to continue to provide telehealth services and for them to maintain quality telehealth for HealthRight customers. Whenever practical, we remove information that identifies you.
- In the event that your health information must be disclosed to a subcontractor or agent, we will ensure that, under a Subcontractor Business Associate Agreement, the subcontractor or agent agrees to abide by the same restrictions and conditions that apply to us under our Business Associate Agreements with the Physicians with respect to your health information.
- We may use your health information to report violations of law to appropriate federal and state authorities or as otherwise required by law.
- We may not use or disclose your psychotherapy notes without your written authorization.
- We may not use or disclose your health information for marketing purposes unless you have authorized the Physicians to do so.
Use and Disclosure of De-Identified Health Information
For various reasons, HealthRight may use de-identified health information, and the de-identified health information of other HealthRight users. In this situation, all identifiers are removed from your health information in accordance with HIPAA requirements, so there is no reasonable basis to believe that the information can be used to identify you.
We use appropriate safeguards to prevent the use or disclosure of your health information. We have implemented administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of your electronic health information that we create, receive, maintain, or transmit on behalf of Physicians. By way of example, such safeguards include:
- Maintaining appropriate clearance procedures and providing supervision to assure that our workforce follows appropriate security procedures;
- Providing appropriate training for our staff to assure that our staff complies with our security policies;
- Securing all transmissions of your health information within existing technology, such as sending password-protected, encrypted electronic prescriptions;
- Properly securing all communication modalities;
- Using appropriate storage, backup, disposal and reuse procedures to protect your health information;
- Using appropriate authentication and access controls to safeguard your health information, including your medical record;
- Using best efforts to secure your health information to make it unusable, unreadable or indecipherable to individuals who do not have authorization to review your health information;
- Using appropriate security incident/breach procedures and providing training to our staff sufficient to detect and analyze security incidents and breaches; and
- Maintaining a current contingency plan and emergency access plan to assure that your health information that we hold on behalf of a Physician is available when needed.
Mitigation of Harm
In the event of a use or disclosure of your health information that is in violation of the requirements of the Business Associate Agreements, we will mitigate, to the extent practicable, any harmful effect resulting from the violation. Such mitigation will include:
- Reporting to the Physician any use or disclosure of your health information not provided for by the Business Associate Agreements and any security incident of which we become aware;
- Cooperating with the Physicians; and
- Documenting disclosures of your health information and information related to such disclosures as would be required for the Physicians to respond to a request for an accounting of disclosures of your health information in accordance with HIPAA requirements.
Access to Your Health Information
We will make your health information available to Physicians, or as directed by them, to you, in accordance with your right of access under HIPAA. HealthRight will comply with your health information amendment and accounting obligations set forth in HIPAA. If you wish to access your health information, please send a written/email request to:
Chief Administrative Officer
HealthRight, LLC
181 Washington Street
Conshohocken PA 19428
Or via email to:
Upon request, we will make available our internal practices, books, and records relating to the use and disclosure of your health information received from, or created or received by HealthRight on behalf of a Physician to the Secretary of the U.S. Department of Health and Human Services for the purpose of determining compliance with HIPAA.
INFORMED CONSENT FOR SERVICES PROVIDED BY HEALTHRIGHT LLC
Telehealth is the use of electronic communications to enable physicians at different locations to share individual customer health information for the purpose of improving customer/patient care. Customer health information may be used for diagnosis, treatment, follow-up and/or education, and may include any combination of the following: (1) medical records; (2) medical images; (3) live two-way audio or video; and (4) output data from medical devices and sound and video files. Telehealth services include remote monitoring, consultations, and prescription orders and refills, among other things.
The Physicians who will provide telehealth services to you are U.S.-based, state-licensed physicians and are licensed in the state where you reside. HealthRight provides administrative services, such as handling intake and maintaining electronic medical records, to these physicians. This Consent is provided to help you better understand how HealthRight supplies you access to telehealth consultation services, the role of the physicians, and your responsibility for your decision to seek telehealth services. HealthRight will document your verbal consent as part of your electronic medical record.
HealthRight’s electronic systems incorporate network and software security protocols (e.g., encrypting data) to protect the confidentiality of your health information, identifying information, and imaging data, as well as measures to safeguard the data and to ensure its integrity against corruption.
Primary responsibility for your medical care and medical record should remain with your primary care doctor, if you have one. HealthRight will provide information about your telehealth consultation(s) to your personal doctor or other healthcare providers upon your written authorization.
As explained in this Consent, there are both benefits and risks in receiving telehealth services or taking any prescribed medications.
- Improved access to medical care by enabling you to remain at a remote location (home) while the Physician obtains medical information and consults at other sites.
- More efficient medical evaluation and management.
- Obtaining expertise from a doctor at a distance.
- In rare cases, information transmitted may not be sufficient to allow for appropriate medical decision making by the physicians.
- In rare cases, delays in medical evaluation and treatment could occur due to deficiencies or failures of the equipment or technology or the immediate availability of a doctor.
- In rare instances, security protocols could fail, causing a breach of privacy of customer medical information. HealthRight’s HIPAA Privacy Statement, available at www.healthright.com, describes how HealthRight would handle a breach.
- In rare instances, a lack of access to complete medical records may result in adverse drug interactions or allergic reactions or other judgment errors.
I represent that the following has been explained to me:
- I hereby consent to receiving medical services via telehealth. I understand that these telehealth services do not replace the relationship between me and my primary doctor. I also understand that the physician determines whether my needs are appropriate for a telehealth encounter.
- I understand that I may withdraw my consent to the use of telehealth in the course of my care at any time, without affecting my right to future care or treatment.
- A variety of alternative methods of medical care may be available to me, and I may choose one or more of these at any time.
- I understand that I may expect the anticipated benefits from the use of telehealth in my care, but that no results can be guaranteed or assured.
- The Health Insurance Portability and Accountability Act (HIPAA) and state laws that protect privacy and the confidentiality of medical information also apply to telehealth, and no health information obtained in the use of telehealth that identifies me will be disclosed other than as explained in this Consent and HealthRight’s HIPAA Privacy Statement.
- I understand that HealthRight and the physicians will document and record, as part of my electronic medical record, all communications and information relating to my telehealth consult.
- I have the right to review all information obtained and recorded in the course of a telehealth interaction, and may receive copies of this information from HealthRight for a reasonable fee.
- In the event that an adverse drug interaction or allergic reaction occurs, I understand that I am to contact HealthRight’s customer service center to speak with a nurse advocate who will provide me with information regarding how to receive follow-up care or assistance.
- I understand that if I am experiencing a medical emergency I will be directed to: dial 911, contact my doctor, or go to an urgent care center or emergency room. I further understand that the physicians are not able to connect me directly to any local emergency services.
- The physicians who provide telehealth services to you form a physician-patient relationship with you during the telehealth consultation.
- I understand there is a risk of technical failure during a telemedicine encounter. In the event of any problem with the website or related services, I agree that my sole remedy is to cease using the website or terminate access to the service. I agree to hold harmless HealthRight for any information lost or delays in evaluation due to such technical failures.
- I understand that I have the right to be informed of any party who will be present during my telehealth consult, and I have the right to exclude anyone from being present.
- I understand that if I fail to comply with the terms and my obligations under this Consent, HealthRight may refuse to provide access to its website/portal or the physicians’ telehealth services.
Additional State-Specific Consents.
The following apply to residents of certain states:
Texas: I may file a complaint with the Texas Board of Medicine regarding the telehealth services that I receive from the physician(s). I can submit the complaint electronically (Online Complaint Form), by mail (Complaint Form), or by phone (1-800-201-9353), in accordance with the Texas Board of Medicine’s instructions available on the Texas Board of Medicine’s website: http://www.tmb.state.tx.us/page/place-a-complaint.
Nevada (DOs only). The HealthRight physician(s) who provide telehealth services to me do not have a financial interest in HealthRight or HealthRight’s website/portal.
I understand the information provided above, have discussed it with the HealthRight nurse advocate, and all of my questions have been answered to my satisfaction. I hereby give my informed consent for the use of telehealth in my medical care.