10. NOTICE OF PATIENT PRIVACY PRACTICES
THE NOTICE IN THIS ARTICLE 10 (INCLUDING SECTIONS BELOW) DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
10.1. DermTech Operations, Inc. (“DERMTECH”) is required, by law, to maintain the privacy and confidentiality of your protected health information (“PHI”) and to provide our patients with notice of our legal duties and privacy practices with respect to your PHI. DermTech may access such PHI either through your and your healthcare provider’s use of the Mobile App as related to providing services to you, or through conducting of laboratory test(s) offered by DermTech and ordered by your healthcare provide.
COMMON USES AND DISCLOSURES OF YOUR HEALTH CARE INFORMATION ALLOWED UNDER THE LAW WITHOUT YOUR AUTHORIZATION:
10.2. Treatment – We may use your PHI to provide you with health treatment and services. If you obtain treatment from other providers in connection with our services, those other providers will have their own privacy practices which are not applicable to DERMTECH. You are encouraged to review the privacy practices of all providers involved in your care.
10.3. Payment – We may use and disclose your PHI so that the treatment and services you receive may be billed to and payment collected from you, your insurance company or a third party.
10.4. Health Care Operations – We may use or disclose your PHI for activities necessary to run our business, such performance of quality checks for our testing, internal audit, care coordination, budget and financial planning and general management and operation of our business.
10.5. Worker’s Compensation – We may release your PHI in order to comply with the laws related to worker’s compensation or similar programs.
10.6. Emergencies – We may disclose your PHI to a friend or family member who is involved in your medical care in the event of an emergency.
10.7. Public Health Activities – We may disclose your PHI for the purposes of preventing or controlling disease, injury, disability, or death; reporting child abuse or neglect; reporting domestic violence; or to report problems or other adverse events with products and/or services to the U.S. Food and Drug Administration.
10.8. Lawsuits and Disputes – We may disclose your PHI in the course of any administrative or judicial proceeding.
10.11. Coroners, Medical Examiners and Funeral Home Directors – We may disclose your PHI to a coroner or medical examiner.
10.12 Organ Donation – We may disclose your health information to organizations involved in procuring, banking, or transplanting organs and tissues.
10.13. Research – Under certain circumstances, we may use or disclose your PHI for research purposes within DERMTECH and with research collaborators outside of the company who are under contract and are also obligated to protect PHI. All research projects at DERMTECH are conducted in accordance with applicable law, with such protections as review by a committee responsible for ensuring the rights and welfare of research subjects, appropriate patient authorization when required, and an adequate plan to safeguard PHI.
10.14. Public Safety – We may use and share your PHI with persons who may be able to prevent or lessen a serious imminent threat to you, the public or another person’s health or safety.
10.15. Health Oversight Activities – We may release your health information to government agencies authorized to conduct audits and investigations. These government agencies monitor the operation of the health care system, government benefit programs such as Medicare and Medicaid, and compliance with government regulatory programs and civil rights laws.
10.16. Lawsuits and Disputes – We may disclose your health information if we are ordered to do so by a court or administrative tribunal that is handling a lawsuit or other dispute. We may also disclose your information in response to a subpoena, discovery request, or other lawful request by someone else involved in the dispute, but only if required judicial or other approval or necessary authorization is obtained.
10.17. Law Enforcement – When permitted by law, we may disclose your health information to law enforcement officials for certain reasons, such as complying with court orders.
10.18. Business Associates – There are some services provided in our organization through contracts with organizations that require PHI in order to provide their services. These organizations are called business associates. Examples of business associates include independent sales representatives working with your doctor, accreditation agencies, quality assurance reviewers, and third parties equipped to de-identify and mask information.
10.19. Legal Requirements – We will disclose your PHI without your permission when required to do so by federal, state, or local law.
10.20. Marketing – We cannot use your PHI for marketing or share your PHI with third parties for their own marketing purposes without your written authorization. However, in order to better serve you, we can provide you with marketing materials in a face-to face encounter without obtaining your authorization. We are also permitted to give you a promotional gift of nominal value without obtaining your authorization. In addition, we may communicate with you about products or services relating to your treatment, case management, or care coordination, or alternative treatments, therapies, providers or care settings without your authorization.
10.21. Sale – We will not sell your PHI to third parties. The sale of PHI, however, does not include a disclosure for public health purposes, for research purposes where we will only receive remuneration for our costs to prepare and transmit the health information, for treatment and payment purposes, for the sale, transfer, merger or consolidation of all or part of our company.
YOUR RIGHTS REGARDING YOUR PROTECTED HEALTH INFORMATION:
10.22. As part of your normal medical care, healthcare professionals may require access to your PHI. In the event of a request for your PHI from another healthcare provider, we will confirm that the healthcare provider is involved in your care before disclosing your PHI.
10.23. You have the right to request a limit on the PHI we disclose about you to someone who is involved in your care or the payment for your care. We are not required by law to agree to your request and we may say “no” if it will affect your care.
10.24. You may access a copy of this Notice on DERMTECH’s website. You have a right to obtain an additional paper copy of this Notice of Patient Privacy Practices upon request.
10.25. You have a right to limit disclosure of your PHI to your health plan if you pay for DERMTECH’s services in full and request that your PHI not be disclosed to your health plan.
10.26. You may request access to your DERMTECH medical record and billing records maintained by DERMTECH in order to inspect and request copies of the records. All records will be maintained for a period of time mandated by applicable state and/or federal law. If you request copies, we may charge you a reasonable fee consistent with applicable law and may charge you for our postage costs. You have the right to request an amendment to your health record if you feel the information is incorrect or incomplete. Please note that even if we accept your request, we are not required to delete any information from your health record.
10.27. You have a right to obtain an accounting (or a list) of certain disclosures of your PHI made by DERMTECH within the last 6 years. We’ll include all the disclosures except for those about treatment, payment, and health care operations and certain other disclosures (such as those that you asked us to make). We’ll provide one accounting a year for free but will charge you a reasonable, cost-based fee if you ask for another accounting within 12 months.
10.28. You have a right to request that your PHI be communicated by alternative means or at alternate locations.
10.29. You have the right to be notified of a breach of your unsecured PHI if the breach compromises the privacy and security of your information. We must provide required notices to you as soon as practicable, but no later than sixty (60) days following discovery of the breach. The notice will include a description of what happened, including the date, the type of information involved in the breach, steps you should take to protect yourself from potential harm, a brief description of the investigation into the breach, mitigation of harm and protection against further breaches and contact procedures to answer your questions.
CHANGES TO THIS NOTICE OF PATIENT PRIVACY PRACTICES:
10.30. DERMTECH may change this Notice of Patient Privacy Practices at any time in the future and will make the new provisions effective for all information that it maintains. The new notice will be available upon request and on our website.
10.31. If you have questions about any part of this Notice or if you want more information about your privacy rights, please contact us using the information provided above in Section 7.2.
10.32. If you believe your privacy rights have been violated, you may file a complaint with DERMTECH by calling 1-866-450-4223. You may also file a complaint with the U.S. Department of Health and Human Services Office for Civil Rights by sending a letter to 200 Independence Avenue, S.W., Washington, D.C. 20201, calling 1-877-696-6775, or visiting www.hhs.gov/ocr/privacy/hipaa/complaints/. We will not retaliate against you for filing a complaint.
The effective date of this DERMTECH Notice of Patient Privacy Practices is May 20, 2021.