Terms Of Use And Notice Of Privacy Practices

Last revised on September 14, 2017

Purpose and Terms of Use
CareCognitics, LLC (“CareCognitics”) offers a technology platform to Covered Entities to better connect Individuals with their treating physicians and aid ease of sharing health related data across practitioners and Personal Representatives.
CareCognitics has entered into business associate agreements with the Covered Entities prior to the disclosure of any PHI, as set forth in, but not limited to, 45 CFR Parts 164.314 (a), 164.502 (e) and 164.504 (e).

This Terms of Use and Notice of Privacy Practices (“Notice”) informs Individuals of their rights regarding PHI and how CareCognitics may use or disclose their PHI. This Notice applies to the care-coordination platform, patient facing services like email/sms/mobile app and patient portal, collectively known as the CareCognitics Digital Health platform (“Platform”).
CareCognitics does not provide any medical advice but allows Covered Entities and Individuals to share their PHI through the Platform. CareCognitics requires Individuals and their Personal Representatives, if applicable, to provide verification of their identity. Individuals will be prompted to create a confidential PIN, which shall permit electronic access to the Individual’s PHI. HIPAA Regulations and HITECH Standards do not apply if an Individual shares his or her health information with an organization that is not covered by HIPAA. As such, an Individual shares PHI at his or her own risk.
CareCognitics documents an Individual’s acknowledgement of receipt of this Notice upon the Individual’s acceptance of its terms upon clicking on the “I Accept” button below.

Accounting of Disclosures. A written statement documenting disclosures of an Individual’s PHI, which may include the date of disclosure, the name and address of the entity or person to whom the PHI was disclosed, a brief description of the PHI disclosed, and the purpose for the disclosure.

Covered Entities. Health plans, health care clearinghouses, or health care providers who transmit any PHI in electronic form. A business associate is also a covered entity for certain standards, requirements, and specifications of HIPAA.
Designated Record Set. A grouping of PHI that is maintained, collected, or used by or for a Covered Entity (i.e., an entity regulated by the Privacy Rule), to make decisions about an Individual’s care or payment of care. PHI in a Designated Record Set may include an Individual’s medical and billing records; enrollment, claims process, and case-management record systems record or identifiable data used to make decisions about Individuals.
HIPAA. Health Insurance Portability and Accountability Act of 1996, Public Law 104-191.
HIPAA Regulations. The regulations promulgated under HIPAA by the United States Department of Health and Human Services, including but not limited to 45 C.F.R. Part 160 and 45 C.F.R. Part 164.
HITECH Standards. The privacy, security and security Breach notification provisions applicable to a business associate under Subtitle D of the Health Information Technology for Economic and Clinical Health Act (“HITECH”), which is Title XIII of the American Recovery and Reinvestment Act of 2009 (Public Law 111-5), and any regulations promulgated thereunder.
Individual. As the term “individual” is defined in 45 C.F.R. 164.501 and will include a person who qualifies as a personal representative in accordance with 45 C.F.R. Part 164.502(g).
Privacy Rule. The Standards for Privacy of Individually Identifiable Health Information at 45 C.F.R. Part 160 and Part 164, subparts A and E.
Personal Representative(s). A person who is, under applicable law, authorized to act on behalf of another Individual in making decisions related to health care.

Permitted Disclosures of PHI
Except as otherwise limited in this Notice and provided that such use or disclosure would not violate the HIPAA Regulations or HITECH Standards if done by the Covered Entity, CareCognitics may use or disclose PHI to perform functions, activities, or services for, or on behalf of, the Covered Entities. CareCognitics may use PHI received in its capacity as a business associate of the Covered Entity for the proper management and administration of the performance of services for the Covered Entities.
If requested in writing by the Covered Entities, CareCognitics may use PHI to provide data aggregation services, i.e., data analyses that relate to the health care operations of the respective covered entities.
CareCognitics may disclose an Individual’s PHI if such Individual requires emergency treatment or is unable to communicate during an emergency.
CareCognitics may disclose PHI for certain research purposes, but only if it has protections and protocols in place to ensure the privacy of such PHI.
CareCognitics may use PHI to report violations of law to appropriate federal and state authorities, consistent with 45 C.F.R. Part 164.502(i)(1).
CareCognitics will provide PHI to comply with an order in a legal or administrative proceeding.
CareCognitics may disclose an Individual’s PHI if it believes it is necessary to avoid a serious threat to the health and safety of the Individual or the public.
CareCognitics may disclose PHI to public health or other authorities charged with preventing or controlling disease, injury or disability, or charged with collecting public health data.
CareCognitics may disclose your PHI to a health oversight agency for activities authorized by law. These activities include audits; civil, administrative, or criminal investigations or proceedings; inspections; licensure or disciplinary actions; or other activities necessary for oversight of the health care system, government programs and compliance with civil rights laws.

CareCognitics may disclose PHI to comply with laws relating to workers’ compensation or other similar programs. If an Individual is active military or a veteran, CareCognitics may disclose such Individual’s PHI as required by military command authorities. CareCognitics may also be required to disclose PHI to authorized federal officials for the conduct of intelligence or other national security activities.
If an Individual is an organ donor, or has not indicated that he or she does not wish to be a donor, CareCognitics may disclose such Individual’s PHI to organ procurement organizations to facilitate organ, eye, or tissue donation and transplantation.
CareCognitics may disclose PHI to coroners or medical examiners for the purposes of identifying a deceased person or determining the cause of death, and to funeral directors as necessary to carry out their duties.
Unless the Individual objects, CareCognitics may disclose PHI to a governmental agency or private entity (such as FEMA or Red Cross) assisting with disaster relief efforts.
Permitted Data Collection
CareCognitics may ask you to provide information about yourself, in order to better serve you. Examples of information requested from you may include a birth date, name, address, phone number, email address, health insurance id, and other relevant data. Information requested from you may also include more specific details about your health conditions such as any hospitalization, any emergency room visits or issue concerning which you contacted CareCognitics for assistance. If you decide to provide personal and contact information to CareCognitics through the Platform, in no case will CareCognitics sell or license that information to third parties, except as required or permitted by law (i.e. responding to a subpoena or other legal obligation) or as authorized by you. Data and information gathered is used only to deliver requested information and respond to your questions. Contact information may also be used to contact customers or prospective customers about new products and services. Any such information that you voluntarily share with CareCognitics is kept strictly confidential and secure. CareCognitics may compile statistical information concerning the general usage of the Platform. This information allows CareCognitics to monitor its utilization and continuously improve its quality. Examples of this information would include, but not be limited to, location from where the Platform is being accessed, the number of visitors to the Platform, or to sections or pages within the Platform, patterns of traffic flowing through the Platform, length of time spent on the Platform, or in sections or pages of the Platform, the sections or the pages of the Platform that visitors frequently use as entry and exit points, utilization of the devices, browser and operating systems and versions used by visitors to the Platform.

Designated Record Set
CareCognitics allows Individuals and Personal Representatives access to PHI in a Designated Record Set. The Platform permits an individual and an individual’s Personal Representative to access an individual’s PHI at any time. An Individual or the individual’s Personal Representative may submit a request for a copy of the Individual’s PHI to CareCognitics.

Request to Amend PHI
CareCognitics allows Individuals to request that their PHI be amended. CareCognitics reviews and responds to each request by an Individual to amend their PHI in the time prescribed by the Privacy Rule. An individual’s request to amend their PHI must be in writing and must state the reason supporting the request.
CareCognitics processes and maintains amendment requests (and amendments, if approved) as required by the Privacy Rule. CareCognitics may deny an amendment request if the information that the Individual requests to amend either: (i) is not accurate and complete; (ii) is not part of a Designated Record Set; (iii) is not available to the individual for inspection; or (iv) was not created by CareCognitics’ applicable client, unless the originator of the information is no longer available to act on the request.
CareCognitics shall make reasonable efforts to notify persons, organizations, or other entities, including other business associates, known by it to have received the erroneous or incomplete information and who may have relied, or could foreseeably rely, on such information to the detriment of the Individual.

Request to Restrict Use and Disclosure of PHI
CareCognitics considers each Individual’s written request to restrict the use or disclosure of the Individual’s PHI for the following purposes:
o To prevent the use or disclosure of an Individual’s PHI to carry out treatment, payment, or health care operations; or
o To prevent the use and disclosure of the Individual’s PHI to the individual’s health plan if the disclosure is for the purpose of carrying out payment or health care operation and is not otherwise required by law; or the PHI pertains solely to a health care item or service for which the Individual, or the Individual’s Personal Representative has paid in full for the health care item or service; or
o To prevent the use and disclosure of an Individual’s PHI to a relative or any other person identified by the Individual who is involved in the treatment or payment of the Individual’s health care, or who would normally be notified in the case of an emergency.

Disclosures Requiring Written Authorization
CareCognitics must receive an Individual’s written authorization to disclose psychotherapy notes, except for certain treatment, payment, or health care operations activities.
CareCognitics must receive an Individual’s written authorization for any disclosure of PHI for marketing purposes or for any disclosure which is a sale of PHI.

Accounting of Disclosures
Upon request, CareCognitics provides Individuals with an Accounting of Disclosures as required by the Privacy Rule and in accordance with any subsequent amendments of the Privacy Rule i.e. an Individual has the right to request an Accounting of Disclosures of PHI made by CareCognitics (other than those made for treatment, payment or health care operations purposes) during the 6 years prior to the date of the Individual’s request. The Individual must make a written request for an accounting, specifying the time period for the accounting, to the CareCognitics Privacy and Security Officer.

Note: If you, as an Individual, would like more information about our privacy practices or have questions or concerns, please contact us. If you are concerned that we may have violated your privacy rights, or you disagree with a decision we made regarding the use, disclosure, or access to your PHI, you may complain to us by contacting the Privacy and Security Compliance Officer at the address provided in the “Contact Us” Section. You also may submit a written complaint to the U.S. Department of Health and Human Services. We will provide you with the address to file such a complaint upon request. We support your right to the privacy of your PHI. We will not retaliate in any way if you choose to file a complaint with us or with the U.S. Department of Health and Human Services.

In any other situation not described herein, CareCognitics may not disclose an Individual’s PHI without such Individual’s written authorization.
An Individual has the right to be notified if CareCognitics or one of its Covered Entities or business associates becomes aware of a breach of such Individual’s unsecured PHI.
CareCognitics will treat Personal Representatives in accordance with the authority granted to them by applicable laws, regulations, and rules.
Any exceptions to this Notice will be documented after being reviewed and approved by CareCognitics Privacy and Security Officer.
CareCognitics reserves the right to change this Notice at any time in accordance with applicable law. Prior to a substantial change to this Notice related to the uses or disclosures of an Individual’s PHI, the Individual’s right or CareCognitics’ duties, CareCognitics will revise and distribute this Notice.