HIPAA Notice of Privacy Practice

Notice of Privacy Practices

This Notice describes how medical information about you may be used and disclosed and how you can get access to this information. Please review it carefully.

I.       Who We Are

This Notice describes the privacy practices of Mindstrong Health Services, P.C. (“Mindstrong,” “we,” “us,” or “our”) in relation to health information about you (“Protected Health Information” or “PHI”), which we collect, create, and transmit through our mobile applications (the “Apps”). Our Apps are designed to measure brain health and provide access to healthcare services. Notably, our Health App and Care App allow individuals to obtain care in a convenient location from providers who may be remote, and likewise enable providers to provide care to individuals who may be at remote locations, using these measurements of brain health.

II.       Our Privacy Obligations

We understand that your health information is personal and we are committed to protecting your privacy. In addition, we are required by law to maintain the privacy of your PHI, to provide you with this Notice and to notify you in the event of a breach of your unsecured PHI. When we use or disclose your PHI, we are required to abide by the terms of this Notice (or other notice in effect at the time of the use or disclosure).

For more general information about our privacy practices in connection with our online services, please review Mindstrong Health’s Online Privacy Policy (https://mindstronghealth.com/privacy/).

III.       Permissible Uses and Disclosures Without Your Written Authorization

In certain situations, we must obtain your written authorization in order to use and/or disclose your PHI. However, unless the PHI is Highly Confidential Information (as defined in Section IV.B below) and the applicable law regulating such information imposes special restrictions on us, we may use and disclose your PHI without your written authorization for the following purposes:

  1. Treatment. We use and disclose your Protected Health Information to provide treatment and other services to you through our Apps. Please see the following descriptions of each of the Apps.
    • Health App. The Health App will collect information about your brain health by recording the way you interact with the touch screen on your mobile device, such as the patterns of your keystrokes, taps and scrolls. It also allows you to communicate with your health care provider remotely.
    • Care App. The Care App will enable you to communicate with your health care provider remotely.
  2. Payment. We may use and disclose your PHI to obtain payment for health care services that we provide to you—for example, disclosures to claim and obtain payment from your health insurer. We may also share your PHI with your other health care providers as necessary for them to receive payment for services they render to you.
  3. Health Care Operations. We may use and disclose your PHI for our health care operations, which include internal administration and planning and various activities that improve the quality and cost effectiveness of the care that we deliver to you. For example, we may use PHI to evaluate the quality of our services or address your complaints.
  4. Disclosures to Business Associates. We may share your PHI with our “business associates,” which are service providers or other persons who use or disclose PHI to perform services for us. We enter into contracts with business associates requiring them to protect the privacy of your PHI, and we share only the minimum amount of PHI necessary for business associates to perform their duties. For instance, we will disclose your PHI to Mindstrong, Inc., which is a business associate that provides general administrative support and management services to us, but does not perform health care professional services.
  5. Disclosure to Relatives, Close Friends and Other Caregivers. We may share your PHI with a family member, other relative, a close personal friend, or any other person identified by you if: (1) we obtain your agreement or provide you with the opportunity to object, and you do not object; or (2) we reasonably infer that you do not object.
  6. Sometimes, you may be unavailable to object to a disclosure. In that case, we may exercise our professional judgment to determine whether a disclosure is in your best interests. If we disclose information under such circumstances, we would disclose only information that is directly relevant to the person’s involvement with your care.

  7. As Required by Law. We may use and disclose your PHI when required to do so by any applicable federal, state or local law.
  8. Public Health Activities. We may disclose your PHI: (1) to report health information to public health authorities for the purpose of preventing or controlling disease, injury or disability; (2) to report child abuse and neglect to a government authority authorized by law to receive such reports; and (3) to report information about products under the jurisdiction of the U.S. Food and Drug Administration.
  9. Victims of Abuse, Neglect or Domestic Violence. We may disclose your PHI if we reasonably believe you are a victim of abuse, neglect or domestic violence to a government authority authorized by law to receive reports of such abuse, neglect, or domestic violence.
  10. Health Oversight Activities. We may disclose your PHI to an agency that oversees the health care system and is charged with responsibility for ensuring compliance with the rules of government health programs such as Medicare or Medicaid.
  11. Judicial and Administrative Proceedings. We may disclose your PHI in the course of a judicial or administrative proceeding in response to a legal order or other lawful process.
  12. Law Enforcement Officials. We may disclose your PHI to the police or other law enforcement officials as required by law or in compliance with a court order.
  13. Decedents. We may disclose your Protected Health Information to a coroner or medical examiner as authorized by law.
  14. Research Activities. We may use and disclose your PHI for research purposes pursuant to a valid authorization from you or when an institutional review board or privacy board has waived the authorization requirement. Under certain circumstances, your Protected Health Information may be disclosed without your authorization to researchers preparing to conduct a research project, for research or decedents or as part of a data set that omits your name and other information that can directly identify you.

    If you participate in a research study that utilizes the Discovery App, the Discovery App will collect information about your brain health to support an academic medical center’s or other research organization’s clinical research activities.

  15. Health or Safety. We may use or disclose your PHI to prevent or lessen a serious and imminent threat to a person’s or the public’s health or safety.

IV.      Uses and Disclosures Requiring Your Written Authorization

For any purpose other than the ones described above in Section III, we only use or disclose your Protected Health Information when you give us your written authorization.

  1. Marketing. We must obtain your written authorization prior to using your PHI for purposes that are marketing under the HIPAA privacy rules. For example, we will not accept any financial payments from other organizations or individuals in exchange for making communications to you about treatments, health care providers, care coordination, products or services unless you have given us your authorization to do so or the communication is permitted by law. We may give you promotional gifts of nominal value without obtaining your written authorization.
  2. Sale of Protected Health Information. We will not share your information as part of a sale of PHI without your written authorization.
  3. Psychotherapy Notes. We will not use or disclose psychotherapy notes about you without your authorization except for use by the mental health professional who created the notes to provide treatment to you, for our internal training programs on providing mental health services, or to defend ourselves in a legal action or other proceeding brought by you.
  4. Uses and Disclosures of Your Highly Confidential Information. Federal and state law requires special privacy protections for certain health information about you (“Highly Confidential Information”), including substance use disorder records and other health information that is given special privacy protection under state or federal laws other than HIPAA. In order for us to disclose any Highly Confidential Information for a purpose other than those permitted by law, we must obtain your authorization.
  5. Cancelation of Your Authorization. You may revoke your authorization, except to the extent that we have taken action in reliance upon it, by delivering a written cancelation to the Privacy Officer identified below.

VI.    Your Individual Rights

  1. For Further Information; Complaints. If you would like more information about your privacy rights, are concerned that we have violated your privacy rights, or disagree with a decision that we made about access to your PHI, you may contact our Privacy Officer. You may also file a written complaint with the Office for Civil Rights (“OCR”) of the U.S. Department of Health and Human Services. Upon request, the Privacy Office will provide you with the correct address for OCR. We will not retaliate against you if you file a complaint with us or OCR.
  2. Right to Request Additional Restrictions. You may request additional restrictions on our use and disclosure of your PHI for following activities: (1) for treatment, payment and health care operations; (2) to individuals (such as a family member, other relative, close personal friend or any other person identified by you) involved with your care or with payment related to your care; or (3) to notify or assist in the notification of such individuals regarding your location and general condition. While we will consider all requests for additional restrictions carefully, we are not required to agree to most requested restrictions. We will honor a request to restrict our disclosure to a health plan for payment or health care operations purposes if the disclosure is not required by law and the information pertains solely to a health care item or service for which you (or someone on your behalf other than the health plan) have paid us out of pocket in full. If you wish to request additional restrictions, please obtain a request form from our Privacy Officer and submit the completed form to the Privacy Office.
  3. Right to Receive Alternative Communications. You may request, and we will accommodate, any reasonable written request for you to receive your PHI by alternative means of communication or at alternative locations.
  4. Right to Inspect and Copy Your Health Information. You may request access to inspect and obtain a copy of your medical and billing records maintained by us. Under limited circumstances, we may deny you access to a portion of your records. If you desire access to your records, please obtain a record request form from the Privacy Officer and submit the completed form to the Privacy Officer. If you request copies, we may charge you a reasonable copy fee.
  5. Right to Amend Your Records. You have the right to request that we amend your PHI maintained in your medical or billing records. If you desire to amend your records, please obtain an amendment request form from the Privacy Officer and submit the completed form to the Privacy Officer. We will comply with your request unless we believe that the information that would be amended is accurate and complete or other special circumstances apply.
  6. Right to Receive an Accounting of Disclosures. Upon request, you may obtain an accounting of certain disclosures of your Protected Health Information made by us during any period of time prior to the date of your request provided such period does not exceed six years. If you request an accounting more than once during a twelve (12) month period, we may charge you a reasonable fee for the accounting statement.
  7. Right to Receive Paper Copy of this Notice. Upon request, you may obtain a paper copy of this Notice, even if you agreed to receive such notice electronically.

VII.      Effective Date and Duration of This Notice

  1. Effective Date. This Notice is effective on September 24, 2018.
  2. Right to Change Terms of this Notice. We may change the terms of this Notice at any time. If we change this Notice, we may make the new notice terms effective for all your PHI that we maintain, including any information created or received prior to issuing the new notice. If we change this Notice, we will post the new notice on our website at www.mindstronghealth.com. You also may obtain any new notice by contacting the Privacy Officer.

VIII.    Privacy Officer

You may contact the Privacy Officer at info@mindstronghealth.com or by mail at:

Mindstrong, Inc.
248 Homer Ave.
Palo Alto, CA 94301