This notice describes how health information about you may be used and disclosed, and how you can get access to this information. Please review it carefully.

Upward Health provides care delivery and care coordination for individuals with complex physical and behavioral health conditions. We are committed to obtaining, maintaining, using, and disclosing your protected health information (“PHI”) in a manner that protects your privacy, as required by federal and state laws. These laws require us to provide you with this Notice of our Privacy Practices and to inform you of your rights, and our obligations, concerning your PHI. PHI is information about you, including basic demographic information, that may identify you and that relates to your past, present or future physical or behavioral health condition, treatment, or payment for health services. This Notice describes how we may use and disclose your PHI to carry out treatment, payment or healthcare operations, and for other specified purposes that are permitted or required by law. The Notice also describes your rights with respect to your PHI.

We are required to follow the privacy practices described below while this Notice is in effect. This Notice is effective as of November 1st, 2019, and will remain in effect until we change or replace it.

  1. How health information about you may be used.

    During the course of our relationship with you, we may use and disclose PHI about you without your written authorization to carry out activities related to treatment, payment, and healthcare operations. Examples of these activities are as follows:

    Treatment. We may disclose your PHI to assist providers in managing and coordinating your health care. We may make disclosures to refer you to a provider, to ensure that your physical and behavioral health providers have information necessary for your treatment, or to administer care management activities in which you participate.

    Payment. We may use and disclose your PHI to provide you with covered benefits, or to assist your provider or another health plan in its payment activities. We may make disclosures to manage enrollment records, make coverage determinations, administer claims, and coordinate benefits with other coverage you may have. We may also provide your PHI to our business associates, such as billing companies, claims processing companies, and others that process our health care claims.

    Healthcare Operations. We may use and disclose your PHI in connection with our healthcare operations, including accreditation, credentialing, and fraud prevention activities. Healthcare operations also include case management and care coordination, quality assessment and improvement activities, and meeting the obligations of our contracts with insurance providers. We may also provide your PHI to accountants, attorneys, consultants and others to make sure we comply with the laws that govern us.

    Your Prior Written Consent. There is certain PHI that we will not use or disclose without your prior written consent, in accordance with state law. For example, we cannot disclose information about substance abuse or HIV/AIDS without your prior written consent. Also, we must receive your written authorization to disclose psychotherapy notes, if any, except for limited treatment, payment or health care operation activities. We also will not use or disclose your PHI for marketing purposes without your written authorization, nor will we sell your information.

    Additional Disclosure. You may specifically authorize us to use your PHI for any purpose or to disclose your PHI to anyone, by submitting such an authorization in writing. Upon receiving an authorization from you in writing we may use or disclose your PHI in accordance with that authorization.  You may revoke an authorization at any time by notifying us in writing. Your revocation will not affect any use or disclosures permitted by your authorization while it was in effect. Unless you give us a written authorization, we cannot use or disclose your PHI for any reason except those permitted by this Notice.

    Research. We may disclose your PHI for medical research studies, but only if protections and protocols are in place to ensure the privacy of your information.

    Disclosure to Your Family and Personal Representatives. Disclosures may be made to any of your personal representatives appropriately authorized to have access and control of your PHI. If we are authorized to do so, we may disclose your PHI to a family member, friend or other person to the extent necessary to help with your healthcare, transportation to or from an appointment, or with payment for your healthcare. In the event of your incapacity or in emergency circumstances, we will disclose PHI based on a determination using our professional judgment, disclosing only PHI that is directly relevant to the person’s involvement in your healthcare.

    De-identification of PHI. We may de-identify your PHI, meaning that we would remove all identifying features as determined by law to make it extremely unlikely that the information could identify you. De-identified information no longer qualifies as PHI, meaning that we may use and disclose it for purposes not set forth in this Notice.

    Public Health and Safety Concerns. We may use or disclose your PHI for public health and safety reasons, such as disease reporting, to public health authorities or other appropriate government agencies. Additionally, your PHI may be disclosed to a health oversight agency for oversight activities authorized by law, including civil, administrative or criminal investigations. We may also disclose your PHI to avert a serious threat to your health or safety or the health or safety of others. In some instances, we may disclose your PHI if we reasonably believe that you are a possible victim of abuse, neglect, domestic violence or the possible victim of a crime.

    The Law May Require Certain Uses or Disclosures. We may use or disclose your PHI when we are required to do so by law, including, for example, to report certain types of physical injuries. In some instances, and in accordance with applicable law, we may be required to disclose your PHI to appropriate authorities in response to a court or administrative order, subpoena, discovery request or other lawful legal process.

    Law Enforcement and National Security. Under certain circumstances we may disclose PHI relating to members of the Armed Forces to military authorities. We may disclose PHI relating to inmates or patients to correctional institutions or law enforcement personnel having lawful custody of those individuals. We may disclose PHI in response to judicial proceedings and certain law enforcement inquiries and to authorized federal officials who require PHI for lawful intelligence, counterintelligence, and other national security activities.

    Appointment Reminders. We may use or disclose your PHI to provide you with appointment reminders (such as voicemail messages, postcards, or letters). If we deliver a reminder by telephone and you are unavailable to receive our call, we may leave a message with a family member or other person who answers your telephone. We will exercise our professional judgment in delivering such messages to limit the information disclosed to the extent necessary and to assure that such disclosures are made with your best interest in mind.

    Other Reasons. We may use or disclose your PHI to address workers’ compensation claims. We may disclose your PHI as needed to organ procurement organizations, medical examiners, and funeral directors in the event of an individual’s death.

  2. How you can get access to this information.

    Access to Records. Upon submission of a written request to us, you have the right to review or receive copies of your PHI, with limited exceptions. You may request access by using the contact information listed at the end of this Notice. You may request that we provide copies in the format you request if it is readily available. We may charge you a reasonable cost-based fee relating to the production of such copies in accordance with applicable law.

    Upon written request, you have the right to receive a list of instances (during the 6 years prior to your request) in which we – or our business associates – disclosed your PHI for purposes other than treatment, payment, healthcare operations and other activities authorized by you.

    Restrictions You May Request. You have the right to request that we place additional restrictions on our use or disclosure of your PHI for treatment, payment and healthcare operations purposes as well as place additional restrictions on disclosures to individuals (family member, relative, friend, etc.) who are involved in your care or payment for your care. Depending on the circumstances of your request we may, or may not, agree to those restrictions. If we do agree to your requested restrictions we must abide by those restrictions, except in emergency treatment scenarios. If restricted information is disclosed to a health care provider for emergency treatment, we will request that the health care provider not further use or disclose the information.

    You have the right to request that we communicate with you about your PHI by alternative means or to alternative locations (e.g., at your place of business rather than at your home). We will accommodate such requests, so long as they are reasonable. Such requests must be made in writing, must specify the alternative means or location, and must provide satisfactory explanation how payments will be handled under the alternative means or location you request.

    Amendments to Your Records. You have the right to request that we amend your PHI. Such requests must be made in writing and must explain why the information should be amended. We may deny your request under certain circumstances.

    Breach. We are required to notify you if we or one of our business associates becomes aware of a security breach unless we reasonably determine, after fully investigating the situation and assessing the risk presented, that there is a low probability that the privacy or security of your PHI has been compromised. You will be notified without unreasonable delay and in no event later than sixty (60) days following discovery of the security breach. Such notification will include information about the security breach, including steps that we have taken to mitigate potential harm, and a contact person to whom you may address additional questions.

  3. How we protect your health information.

    Your PHI, whether oral, written or electronic, is protected within the organization. Only employees who need to access such information to perform the duties of their job are granted access to protected PHI and must sign confidentiality agreements. Employees ensure that all PHI in their possession, custody or control is appropriately secured. All electronic information systems including computers, laptops and telephones are password protected. Hard copy documents are secured in locked drawers or cabinets and promptly destroyed when PHI is no longer needed.  Electronic transmissions of PHI from Upward Health to entities outside of Upward Health are secured with the appropriate data encryption technology. Fax machines are in secure non-public locations to prevent unauthorized access. All Upward Health offices are secured with locked doors and buildings, providing access only to authorized individuals.

  4. Changes to this notice.

    We reserve the right to change this Notice and the privacy practices described within at any time in accordance with applicable law. Prior to making significant changes to our privacy practices, we will alter this Notice to reflect the changes, and make the revised Notice available to you on request. Any changes we make to our privacy practices and/or this Notice may be applicable to PHI created or received by us prior to the date of the changes.

    You may request a paper copy of our Notice at any time. For more information about our privacy practices, or for additional copies of this Notice, please contact us at the information at the end of this Notice.

QUESTIONS AND COMPLAINTS

If you want more information about our privacy practices or have questions or concerns, please contact us.

If you are concerned that we may have violated your privacy rights, or you disagree with a decision we made about the use, disclosure, or access to your PHI, you may complain to us using the contact information listed below. You also may submit a written complaint to the U.S. Department of Health and Human Services. We will provide you with the address to file such a complaint upon request.

We support your right to the privacy of your PHI. We will not retaliate in any way if you choose to file a complaint with us or with the U.S. Department of Health and Human Services.

Please direct any of your questions or complaints to:

Contact:

Dante Michaud
Chief Information Security Officer
Upward Health