Privacy

HIPAA Notice of Privacy Practices

Effective March 1, 2023

This notice describes how medical information about you may be used and disclosed and how you can get access to this information. Please review it carefully.

Scope of Notice

This Notice of Privacy Practices (“Notice”) applies to all protected health information (“PHI”) about you held or transmitted by Washington Gastroenterology PLLC d/b/a GI Alliance and each of its subsidiaries and affiliates who are under common control and/or common ownership that are subject to HIPAA (as defined below) and are designated for HIPAA purposes as an affiliated covered entity (collectively, “we” or “our Practice”).

PHI is any individually identifiable health information about your past, present or future physical or mental health or condition, the provision of healthcare to you, or your payment for healthcare. PHI may include information about your condition or treatment, diagnostic tests and images, and related health information.

Our Responsibilities

Our Practice is dedicated to maintaining the privacy of your PHI. Our Practice is required by the Health Insurance Portability and Accountability Act ("HIPAA") to maintain the privacy of your PHI and to provide you with notice of our legal duties and privacy practices with respect to your PHI. We are also required by law to notify affected individuals following a breach of unsecured PHI.

Our Practice must abide by the terms of this Notice while it is in effect. This Notice will remain in effect until our Practice replaces it. We reserve the right to change the terms of this Notice at any time, provided the changes comply with applicable law. If our Practice changes the terms of this Notice, the new terms will apply to all PHI we maintain, including PHI that was created or received before such changes were made. If our Practice changes this Notice, we will post the new Notice on our website and will provide copies upon request.

Uses and Disclosure of PHI that Do Not Require an Authorization

The following categories describe the different ways that our Practice may use and disclose your PHI without your authorization. Not every use and disclosure within a category will be listed. Your PHI may be stored in paper, electronic or other forms and may be disclosed electronically or by other methods.

Treatment. Our Practice may use and disclose your PHI for treatment purposes. For example, we may disclose PHI to another healthcare provider to whom we refer you. Moreover, we may use and disclose your PHI electronically, such as by providing you care via telehealth (which involves the use of electronic communications via live two-way audio or video) or by communicating with you through our patient portal (if you choose to access the portal).

Payment. Our Practice may use and disclose your PHI to obtain reimbursement for the treatment and services you receive from us or another entity involved with your care. Payment activities include billing, collections and claims management. These activities also include determinations of eligibility and coverage to obtain payment from you, an insurance company, or another third party. For example, our Practice may send claims to your health insurance provider containing certain PHI.

Healthcare Operations. Our Practice may use and disclose your PHI for healthcare operations purposes. Healthcare operations include quality assessment and improvement activities, arranging for legal services, conducting training programs, reviewing the competence and qualifications of healthcare professionals, licensing activities, and sending you information about our health-related products and services, possible treatment options or alternatives that may interest you, or appointment reminders. We may make incidental disclosures of limited PHI, such as by mailing statements to you with your name on the envelope.

Business Associates. Our Practice may disclose your PHI to third parties who provide services to our Practice or on our Practice’s behalf, known as Business Associates. Our Practice requires our Business Associates to enter an agreement to safeguard your PHI and otherwise protect your privacy as required by law.

Electronic Data Exchanges. Consistent with applicable law, we may send you text messages, emails or other electronic communications for treatment, payment, healthcare operations and other permitted purposes. Our Practice may participate in one or more Health Information Exchanges (HIEs) and may electronically share your PHI for treatment, payment, healthcare operations and other permitted purposes with other participants in the HIE. HIEs allow your healthcare providers to efficiently access and use your PHI as necessary for treatment and other lawful purposes.

Individuals Involved in Your Care or Payment for Your Care/Personal Representatives. Our Practice may disclose your PHI to your family or friends, or any other individual identified by you when they are involved in your care or in the payment for your care. Additionally, if a person has the authority by law to make healthcare decisions for you, we may disclose information about you to such patient representative and treat that patient representative the same way we would treat you with respect to your PHI. We may also disclose your PHI to a public or private entity authorized by law to assist in disaster relief efforts to notify, or assist in notifying, a HIPAA NOPP Effective Date: 03.01.2023 2 family member or personal representative about your location, general condition, or death.

Required by Law. Our Practice may use or disclose your PHI when we are required to do so by law. For example, we may disclose PHI about you to the U.S. Department of Health and Human Services if it requests such information to determine that we are complying with federal privacy law.

Public Health Activities. Our Practice may disclose your PHI to public health authorities or other governmental authorities for public health purposes including preventing and controlling disease, reporting child abuse or neglect and reporting to the Food and Drug Administration regarding the quality, safety and effectiveness of a regulated product or activity. Our Practice may, in certain circumstances, disclose PHI to persons who have been exposed to a communicable disease or may otherwise be at risk of contracting or spreading a disease or condition as necessary in the conduct of a public health intervention or investigation.

Health Oversight Activities. Our Practice may disclose your PHI to a health oversight agency for authorized activities such as audits, investigations, inspections, licensing and disciplinary actions.

Abuse, Neglect or Domestic Violence. If our Practice reasonably believes you are a victim of abuse, neglect, or domestic violence, we may disclose your PHI to a government authority, including a social service protective agency, authorized by law to receive reports of abuse, neglect or domestic violence.

Judicial and Administrative Proceedings. Our Practice may disclose your PHI in response to an order from a court or administrative agency. We may also disclose your PHI in response to a subpoena, discovery request or other lawful process instituted by someone involved in the dispute, but only if efforts have been made to tell you about the request or to obtain an order protecting the information requested.

Law Enforcement. Our Practice may disclose your PHI for law enforcement purposes as permitted by HIPAA.

Coroners, Medical Examiners and Funeral Directors. Our Practice may disclose your PHI to coroners, medical examiners and/or funeral directors for purposes such as identification, determining the cause of death, and fulfilling duties relating to deceased individuals.

Research. Our Practice may use or disclose your PHI for research when permitted by law, including when an institutional review board or privacy board has reviewed the research proposal and established a process to ensure the privacy of the requested information and approved the research.

Serious Threat to Health or Safety. Our Practice may use or disclose PHI when permitted by the applicable law to prevent or lessen a serious and imminent threat to the health or safety of a person or the public.

Worker’s Compensation. Our Practice may disclose your PHI to the extent authorized by and to the extent necessary to comply with laws relating to worker’s compensation or other similar programs established by law.

Specialized Government Functions. Our Practice may use and disclose PHI for specialized government functions, including military and veterans’ activities, national security and intelligence activities, and to correctional institutions.

Organ Donation. Our Practice may use and disclose your PHI to entities involved in procuring, banking, and transplanting organs, eyes, and tissues to assist with donation or transplantation.

Limited Data and De-identified Data. Our Practice may remove most information that identifies you from a set of data and use and disclose this data set for research, public health, and healthcare operations, provided the recipients of the data set agree to keep it confidential. We may also de-identify your PHI and use and disclose the de-identified information for purposes permitted by law.

Use and Disclosure of PHI Pursuant to an Authorization

In any other situation not described in this Notice, our Practice will ask for your written authorization before using or disclosing information about you, in accordance with applicable law. Most uses and disclosures of PHI for marketing purposes and disclosures that constitute a sale of PHI will be made only with your written authorization. You may revoke an authorization in writing at any time. Upon receipt of the written revocation, we will stop using or disclosing your PHI for the purpose previously authorized, except to the extent that we have already taken action in reliance on the authorization.

Your Rights Regarding Your PHI

You have the following rights regarding the PHI maintained by our Practice. If you have given another individual a medical power of attorney, if another individual is appointed as your legal guardian or if another individual is authorized by law to make healthcare decisions for you (such as your custodial parent) (known as a “personal representative”), that individual may exercise any of the rights listed below for you.

Confidential Communications. You have the right to receive confidential communications of your PHI. You may request that our Practice communicates with you through alternate means or at an alternate location, and our Practice will accommodate your reasonable requests. You must submit your request in writing to our Practice. If HIPAA NOPP Effective Date: 03.01.2023 3 we are unable to contact you using the ways or locations you have requested, we may contact you using the information we have.

Restrictions. You have the right to request restrictions on certain uses and disclosures of PHI for treatment, payment or healthcare operations. You also have the right to request that our Practice restrict its disclosures of PHI to only certain individuals involved in your care or the payment of your care. You may also request to opt out of participation in HIEs. You must submit your request in writing to our Practice. Our Practice is not required to comply with your request, except we are required to agree if your request is to restrict disclosures to a health plan for purposes of carrying out payment or healthcare operations, and the information pertains solely to a healthcare item or service for which you, or a person on your behalf (other than the health plan), has paid us out-of-pocket in full. If our Practice agrees to comply with your request, we will be bound by such agreement, except when otherwise required by law or in the event of an emergency.

Access. You have the right to inspect and obtain copies of your PHI that we maintain and to direct us to send your PHI stored in an electronic record to another person designated by you, with limited exceptions. This right applies to PHI used to make decisions about you or payment for your care, subject to limited exceptions provided by law. You must submit your request in writing to our Practice using the information provided at the end of this Notice. In most cases, we will provide access to you or the person you designate to get access within 30 days of your request or, if applicable, any shorter time period required by law.

Our Practice may deny your request to inspect and/or obtain a copy of your PHI in certain limited circumstances, such as if we reasonably conclude that it would be detrimental to you. If we deny your request, we will inform you of the reason for the denial, and, in most cases, you may request a review of the denial. If you request PHI that we maintain on paper, we may provide photocopies. If you request PHI that we maintain electronically, you have the right to an electronic copy. We will use the form and format you request if readily producible.

We may impose a reasonable cost-based fee for the costs of copying, mailing, labor, and supplies associated with your request.

Amendment. You have a right to request that our Practice amend your PHI if you believe it is incorrect or incomplete, and you may request an amendment for as long as the information is maintained by our Practice. You must submit your request in writing to our Practice using the information provided at the end of this Notice and provide a reason to support the requested amendment. Our Practice may, under certain circumstances, deny your request by sending you a written notice of denial. If our Practice denies your request, you will be permitted to submit a statement of disagreement for inclusion in your records.

Accounting of Disclosures. You have a right to receive an accounting of certain disclosures our Practice has made of your PHI. This right does not include disclosures made pursuant to an authorization and certain other disclosures. You must submit your request in writing to our Practice using the information provided at the end of this Notice, and you must specify the time period involved (which must be for a period of time less than six years from the date of your request). Your first accounting within a period of 12 months will be free of charge. However, our Practice may charge you a reasonable cost-based fee for the costs involved in fulfilling any additional request made within the same 12-month period. Our Practice will inform you of such costs in advance so that you may withdraw or modify your request to save costs.

Paper Copy of this Notice. You have the right to obtain a paper copy of this Notice from our Practice at any time upon request, even if you have agreed to receive this Notice electronically. To obtain a paper copy of this notice, please email [email protected] or ask for a copy at one of our offices. Complaints You may complain to our Practice and/or to the Secretary of the Department of Health and Human Services (“the Secretary”) if you believe that your privacy rights have been violated. You may submit complaints to our Practice by contacting our Practice’s Privacy Officer at [email protected] or by calling our Privacy Officer at 1-877-373-1630.

Our Practice will not retaliate against you if you file a complaint with our Privacy Officer or the Secretary. You may file a complaint with the Secretary by contacting:

U.S. Department of Health and Human Services Office for Civil Rights

200 Independence Avenue, S.W.

Washington, D.C. 20201

Phone: 1-877-696-6775; or

www.hhs.gov/ocr/privacy/hipaa/complaints/

Contact Information

For more information about your privacy rights, please contact our Privacy Officer at [email protected] or 1-877-373-1630.