Notice of Privacy Practices

©VERACYTE 2021

NOTICE OF PRIVACY PRACTICES FOR PHI

VERSION 02 | JUNE 10, 2019 (PDP01-001 A05 V02)
THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.

If you have any questions about this notice, please contact the office of the HalioDx Privacy and Security Office (privacy@haliodx.com).

WHO WILL FOLLOW THIS NOTICE.

  • All employees, staff and other healthcare personnel associated with Veracyte.

OUR PLEDGE REGARDING MEDICAL INFORMATION:

We understand that medical information about you and your health is personal. We are committed to protecting medical information about you.

This notice applies to any and all of the records of your care generated by Veracyte.

This notice tells you about the ways in which we may use and disclose your medical information. It also describes your rights and certain obligations we have regarding use and disclosure of information.

WE ARE REQUIRED BY LAW TO:

  • Make sure that medical information that identifies you is kept private;
  • Give you this notice of our legal duties and privacy practices; and
  • Follow the terms of the notice that is currently in effect.

HOW WE MAY USE AND DISCLOSE MEDICAL INFORMATION ABOUT YOU.

The following categories describe the different ways we may use and disclose medical information. For each category of uses or disclosures we will explain what we mean and give examples. Not every use or disclosure in a category will be listed; however, all of the ways we are permitted to use and disclose information fall within one of the categories.

  • For treatment (medical services). We may use medical information about you to provide you with medical services. We may disclose medical information about you to doctors, nurses, technicians, medical students, or other Veracyte personnel and care providers who are involved in your care.

Among those caring for you are medical, nursing, and other health care personnel in training who, unless you request otherwise, may be present during your care as part of their education; however, this will not be the case for Veracyte personnel. We will not use still or motion pictures and closed-circuit television monitoring of your care.

We will not share medical information about you in order to coordinate the different things you may need, such as prescriptions, lab work, X-rays and emergency medical transportation, as well as with family members or others providing services that are part of your care, as Veracyte is not involved in such activities.

  • For payment. Veracyte may use and disclose your medical information so that it or other entities involved in your care may obtain payment from you, an insurance company, or a third party for services you receive. We may disclose your medical information to any person, Social Security Administration, insurance or benefit payor, health care service plan or worker’s compensation carrier which is, or may be, responsible for part or all of your bill. We may also tell your insurer about the medical service / test you are going to receive to obtain prior approval, to determine whether your plan will cover the test, or to resolve an appeal or grievance. Veracyte is required to agree, if you request, to restrict disclosure of PHI to a health plan for any healthcare item or service which you have paid in full out of pocket.
  • For Health Care Operations. We may use and disclose medical information about you for our health care operations. These uses and disclosures are necessary to run Veracyte. For example, we may use medical information to review our laboratory services or to evaluate the performance of our staff. We may combine medical information to decide what additional laboratory services Veracyte should offer and what laboratory services are not needed. We may disclose information to doctors, nurses, technicians, students training, and other Veracyte personnel for review and learning purposes. We may combine the medical information we have with other medical information from other health care entities to compare how we are doing and see where we can make improvements in the services we offer. Veracyte may also disclose information to private accreditation organizations. We may use your information to assist in granting hospital privileges to providers. We may also provide to others information that does not identify you so that they may use it to study health care.
  • Health-Related Benefits and Services. We may use and disclose your information to tell you about health-related benefits or services.
  • Fundraising Activities. Veracyte does not engage in fundraising activities currently.
  • Research. Under certain circumstances, we may use and disclose medical information about you for research purposes, regardless of the funding for such research. For example, a research project may involve the re-processing of your medical information to verify the accuracy of Veracyte digital pathology software applications if we decide to upgrade them. All research projects, however, are subject to a special approval process. This process evaluates a proposed research project and its medical information, trying to balance the research needs with the patient’s need for privacy of their medical information. Before we use or disclose medical information for research the project will have been approved through this research approval process.
  • As Required By Law. We will disclose medical information about you when required to do so by federal, state or local law. This includes, but is not limited to, disclosures to mandated patient registries.
  • To Avert a Serious Threat to Health or Safety. We may disclose medical information about you to a person able to help prevent a serious threat to your health and safety or the health and safety of the public or another person.
  • To Sponsors of Group Health Plans. We may disclose your medical information to the sponsor of a self-funded group health plan, as defined under ERISA. We may also give your employer information on whether you are enrolled in or have dis-enrolled from a health plan offered by your employer.
  • Marketing. Veracyte does not engage in marketing activities utilizing PHI.
  • Activities Requiring Authorization. Veracyte requires specific patient authorization for disclosure of Protected Health Information in the event of 1) Disclosure that constitutes a sale of PHI, 2) Disclosures of PHI for Marketing purposes and, 3) Disclosure of psychotherapy notes. You may revoke an authorization at any time.

SPECIAL SITUATIONS

  • Military and Veterans. We may release medical information about members of the domestic or foreign armed forces as required by the appropriate military command authorities.
  • Workers’ Compensation. We may release medical information about you for workers’ compensation and similar programs.
  • Public Health Activities. We may disclose medical information about you for public health activities. These activities include the following:
    • to report child abuse or neglect;
    • to report reactions to medications or problems with products;
    • to notify people of recalls of products they may be using;
    • to notify a person who may have been exposed to a disease or may be at risk for contracting or spreading a disease or condition;
    • to notify appropriate government authority if we believe a patient has been the victim of abuse, neglect or domestic violence where you agree or when required or authorized by law.
  • Health Oversight Activities. We may disclose medical information to a health oversight agency for activities authorized by law. These oversight activities include, but are not limited to, audits, investigations, examinations, inspections, and licensure.
  • Lawsuits and Disputes. If you are involved in a lawsuit or a dispute, we may disclose medical information about you in response to a court or administrative order. We may also disclose medical information about you in response to a subpoena, discovery request, or other lawful process by someone else involved in the dispute, but only if efforts have been made to tell you about the request. We also may disclose information to Veracyte’s attorneys and, in accordance with applicable state law, to attorneys working on Veracyte’s behalf.
  • Law Enforcement. We may release medical information if asked to do so by a law enforcement official:
    • In response to a court order, subpoena, warrant, summons or similar process;
    • To identify or locate a suspect, fugitive, material witness, or missing person;
    • About the victim of a crime if, under certain limited circumstances, we are unable to obtain the patient’s agreement;
    • About a death we believe may be the result of criminal conduct;
    • About criminal conduct at the location of a Veracyte entity; and
    • In emergency circumstances to report a crime; the location of the crime or victims; or the identity, description or location of person(s) who committed the crime.
  • Coroners, Medical Examiners and Funeral Directors. We may release medical information to a coroner, medical examiner or funeral director as necessary for them to carry out their duties.
  • National Security and Intelligence Activities. We may release medical information about you to authorized federal officials for intelligence, counterintelligence, or other national security activities.
  • Protective Services for the President and Others. We may disclose medical information about you to authorized federal officials so they may provide protection to the President, other authorized persons, or foreign heads of state or conduct special investigations.
  • Inmates. If you are an inmate of a correctional institution or under the custody of a law enforcement official, we may release medical information about you to the correctional institution or law enforcement official. This release would be necessary (1) for the institution to provide you with health care; (2) to protect your health and safety or the health and safety of others; or (3) for the safety and security of the correctional institution.
  • Uses and Disclosures Regarding Food and Drug Administration (FDA)-Regulated Products and Activities. We may disclose protected health information, without your authorization, to a person subject to the jurisdiction of the FDA for public health purposes related to the quality, safety or effectiveness of FDA-regulated products or activities such as collecting or reporting adverse events, dangerous products, and defects or problems with FDA-regulated products.
  • All Other Uses & Disclosures of PHI. Any other use and/or disclosure of your PHI not specified in this notice will require a signed authorization prior to use.

YOUR RIGHTS REGARDING MEDICAL INFORMATION WE MAINTAIN ABOUT YOU.

You have the following rights regarding your medical information:

  • Right to Inspect and Copy. You have the right to inspect and copy medical information that may be used to make decisions about your care. Usually, this includes medical and billing records. To inspect and copy medical information that may be used to make decisions about you, you must submit your request in writing. You have a right to obtain a paper or electronic copy. You may also request where the information is to be sent. If you request a copy of the information, we may charge a fee for the costs of copying, mailing or other supplies associated with your request. We may deny your request to inspect and copy in certain very limited circumstances. If you are denied access to medical information, you may request that the denial be reviewed. Another licensed health care professional chosen by Veracyte will review your request and the denial. The person conducting the review will not be the person who denied your request. We will comply with the outcome of the review.
  • Right to Amend. If you feel that medical information we have about you is incorrect or incomplete, you may ask us to amend the information. You have the right to request an amendment for as long as the information is kept by or for Veracyte. To request an amendment, your request must be made in writing and submitted to Veracyte. You must provide a reason that supports your request. We may deny your request for an amendment if it is not in writing or does not include a reason to support the request. In addition, we may deny your request if you ask us to amend information that:
    • Was not created by us, unless the person or entity that created the information is no longer available to make the amendment;
    • Is not part of the medical information kept by or for Veracyte;
    • Is not part of the information which you would be permitted to inspect and copy; or
    • Is accurate and complete.
  • Right to an Accounting of Disclosures. You have the right to request an "accounting of disclosures." This is a list of the disclosures we made of medical information about you. It does not include disclosures made for treatment (medical service), payment, health care operations, disclosures you authorize or other disclosures for which an accounting is not required under HIPAA. To request this list or accounting of disclosures you must submit your request in writing. Your request must state the time period, which may not be longer than six years. Your request should indicate in what form you want the list (for example, on paper or electronically). The first list you request within a 12-month period will be free. For additional lists, we may charge you for the costs of providing the list. We will notify you of the cost involved and you may choose to withdraw or modify your request at that time before any costs are incurred.
  • Right to Request Restrictions. You have the right to request a restriction or limitation on the medical information we use or disclose about you for treatment, payment or health care operations. You also have the right to request a limit on the medical information we disclose about you to someone who is involved in your care or the payment for your care, like a family member or friend. For example, you could ask that we not use or disclose information about a surgery you had. We are not required to agree with your request. If we do agree, we will comply with your request restrictions. You must make your request in writing. In your request, you must tell us (1) what information you want to limit; (2) whether you want to limit our use, disclosure or both; and (3) to whom you want the limits to apply, for example, disclosures to your spouse.
  • Right to Request Confidential Communications. You have the right to request that we communicate with you about medical matters in a certain way or at a certain location. For example, you can ask that we contact you at work or by mail. To request confidential communications, you may make your request in writing to Veracyte. You may also telephone the office of the Privacy Contact Person; however, in order to protect your privacy we may not be able to accommodate requests made by telephone. We will not ask you the reason for your request, and will accommodate all reasonable requests. Your request must specify how or where you wish to be contacted.
  • Right to a Paper Copy of This Notice. You have the right to a paper copy of this notice at any time, even if you have previously agreed to receive this notice electronically. To obtain a paper copy of this notice, please write or call Veracyte.
  • Right to Breach Notification. In the event that unsecured protected health information is inappropriately disclosed, an investigation of the event will be conducted. If it is determined to be a breach of your information, you will receive notification of the breach by first class mail.
  • Rights of the Deceased. PHI of an individual that has been deceased for 50 years or more is NOT covered by HIPAA. Covered Entities are permitted to disclose a deceased person’s PHI to family members and others who were involved in the care or payment for care if not contrary to prior expressed preference.

CHANGE TO THIS NOTICE.

We reserve the right to change this notice. We reserve the right to make the revised or changed notice effective for medical information we already have about you as well as any information we receive in the future. We will post a copy of the current notice with the effective date in Veracyte.

If you believe your privacy rights have been violated, you may file a complaint with Veracyte or with the Secretary of the Department of Health and Human Services. To file a complaint with Veracyte, contact the Privacy Contact Person. All complaints must be submitted in writing. You will not be penalized or retaliated against for filing a complaint.

Other Uses of Medical Information.

Other uses and disclosures of medical information not covered by this notice or the laws that apply to us will be made only with your written permission. If you provide us with permission to use or disclose medical information about you, you may revoke that permission, in writing, at any time. If you revoke your permission, we will no longer use or disclose medical information about you for the reasons covered by your written authorization. You understand that we are unable to take back any disclosures we have already made with your permission, and that we are required to retain our records of care and services that we provide to you.