Privacy Policy

Privacy Policy for Iora Health Website

Your privacy is important to us. This privacy policy discloses the privacy practices for iorahealth.com. This privacy policy applies solely to information collected by this web site. It covers the following:

    1. What personally identifiable information is collected from you through the web site, how it is used and with whom it may be shared.
    2. What choices are available to you regarding the use of your data.
    3. The security procedures in place to protect against the misuse of your information.
    4. How you can correct any inaccuracies in the information.

Information Collection, Use, and Sharing

Iora Health is the sole owner of the information collected on this site. We only have access to information that you voluntarily give us via email or other direct contact from you.

We will not sell or rent this information to anyone.

We will use your information to respond to you, regarding the reason you contacted us. We will not share your information with any third party outside of our organization, other than as necessary to fulfill your request.

Unless you ask us not to, we may contact you via email in the future to tell you about news or changes to this privacy policy.

Your Access to and Control Over Information

You may opt out of any future contacts from us at any time. You can do the following at any time by contacting us via the email address or phone number given on our website:

  • See what data we have about you, if any.

  • Change/correct any data we have about you.

  • Have us delete any data we have about you.

  • Express any concern you have about our use of your data.

Security

We take precautions to protect your information. When you submit sensitive information via the website, your information is protected both online and offline.  Wherever we collect sensitive information (such as your phone number), that information is encrypted and transmitted to us in a secure way. You can verify this by looking for a closed lock icon at the bottom of your web browser, or looking for “https” at the beginning of the address of the web page.

While we use encryption to protect sensitive information transmitted online, we also protect your information offline. Only employees who need the information to perform a specific job (for example, billing or customer service) are granted access to personally identifiable information. The computers/servers in which we store personally identifiable information are kept in a secure environment.

Links to Other Websites

Our website may contain links to other websites of interest. However, once you have used these links to leave our site, you should note that we do not have any control over that other website. Therefore, we cannot be responsible for the protection and privacy of any information which you provide whilst visiting such sites, and this privacy statement does not govern such sites. You should exercise caution and look at the privacy statement applicable to the website in question.

How We Use Cookies

A cookie is a small file which asks permission to be placed on your computer’s hard drive. Once you agree, the file is added and the cookie helps analyze web traffic or lets us know when you visit a particular site. Cookies allow web applications to respond to you as an individual. The web application can tailor its operations to your needs, likes and dislikes by gathering and remembering information about your preferences.

We use traffic log cookies to identify which pages are being used. This helps us analyze data about web page traffic and improve our website in order to tailor it to customer needs. We only use this information for statistical analysis purposes and then the data is removed from the system.

Overall, cookies help us provide you with a better website, by enabling us to monitor which pages you find useful and which you do not. A cookie in no way gives us access to your computer or any information about you, other than the data you choose to share with us.

Updates

Our Privacy Policy may change from time to time and all updates will be posted on this page.  If you feel that we are not abiding by this privacy policy, you should contact us immediately via telephone at (617) 454-4672 or via email at info@iorahealth.com.


Privacy Policy for Iora Health Patients

THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.

In taking care of you, Iora Primary Care (the “Practice” or “we”) will be recording your medical information in our medical record.  This information is called your Protected Health Information, or PHI. We are required by law to maintain the confidentiality of health information that identifies you and to provide you with this Notice of the Practice’s legal duties and privacy practices with respect to PHI. When the Practice uses or discloses PHI, the Practice is required to abide by the terms of this Notice (or other notice in effect at the time of the use or disclosure).

How the Practice May Use and Disclose Your PHI

The following categories describe ways the Practice may use and disclose your PHI (however, not every use or disclosure in a category is listed). Your written authorization is not required before the Practice may use or disclose your PHI for the purposes listed below, unless otherwise noted.

1. Treatment. The Practice uses PHI to provide treatment and other services to you – for example, to diagnose and treat your injury or illness. With your consent, the Practice may disclose information about you to other health care providers who are involved in your care and treatment which may include sharing certain information with specialists, pharmacies and labs.

2. Payment. The Practice may use and disclose your PHI in order to work with the sponsor organization to confirm your eligibility to participate in the Practice and to collect payment. With your consent, the Practice also may disclose PHI to other health care providers so that they may seek payment for services they rendered to you. Our practice will use and, with your consent, disclose your PHI so we can keep taking care of you.

3. Operations. We may use and disclose your PHI as necessary to support the day-to-day activities and management of the Practice. For example, the Practice may use and disclose your PHI for purposes of internal administration and planning, quality review and improvement, legal services, etc.

4. Information Related to Your Care. The Practice may use your PHI to communicate with you about products or services relating to your treatment, case management or care coordination, or alternative treatments, therapies, providers or care settings. The Practice also may use your PHI to identify health-related services and products provided by the Practice that may be beneficial to your health and then contact you about the services and products. The Practice will not use or disclose your PHI for purposes of marketing (as defined by federal privacy laws) without first obtaining your prior authorization.

5. Communication with Family and Others. We may disclose health information about you to your family members or friends if we obtain your verbal agreement to do so or if we give you an opportunity to object to such a disclosure and you do not raise an objection. We may also disclose health information to your family or friends if we can infer from the circumstances, based on our professional judgment that you would not object. For example, we may assume you agree to our disclosure of your PHI to your spouse when you bring your spouse with you into the exam room or the hospital during treatment or while treatment is discussed. In situations where you are not capable of giving consent (because you are not present or due to your incapacity or medical emergency), we may, using our professional judgment, determine that a disclosure to your family member or friend is in your best interest. In that situation, we will disclose only health information relevant to the person’s involvement in your care. For example, we may inform the person who accompanied you to the emergency room that you suffered a heart attack and provide updates on your progress and prognosis. We may also use our professional judgment and experience to make reasonable inferences that it is in your best interest to allow another person to act on your behalf to pick up, for example, filled prescriptions, medical supplies, or X-rays.

Disclosures Required by Law

There are times when the Practice is required to disclose your PHI due to federal, state or local law.

1. Public Health Reporting.  Our Practice may share your PHI with public health authorities as required by law. For instance, the Practice is required to:

  • Report child abuse or neglect, elder abuse, disabled person abuse, rape or sexual assault
  • Report medical information for the purpose of preventing or controlling disease, injury or disability
  • Notify a person regarding potential exposure to a communicable disease
  • Notify a person regarding a potential risk for spreading or contracting a disease or condition
  • Report reactions to drugs or problems with products or devices
  • Report information to your insurer and/or the state industrial accident board (and any party involved in a workers’ compensation matter) as required under laws addressing work-related illnesses and injuries or workplace medical surveillance.

2. Health Oversight Activities. Our Practice may share your PHI with a health oversight agency for activities authorized by law to ensure that we are doing our job correctly. Oversight activities can include investigations, inspections, audits, surveys, licensure and disciplinary actions; civil, administrative and criminal procedures or actions; or other activities necessary for the government to monitor government programs, compliance with civil rights laws and the healthcare system in general.

3. Lawsuits and Similar Proceedings. Our Practice may use and share your PHI in response to a court or administrative order if you are involved in a lawsuit or similar proceeding. We also may share your PHI in response to a discovery request, subpoena or other lawful process by another party involved in a dispute, but only if we have made an effort to inform you of the request or obtain an order protecting the information the party has requested.

4. Law Enforcement. Your PHI may be disclosed to the police or other law enforcement officials as required or permitted by law or in compliance with a court order or a grand jury or administrative subpoena accompanied by a court order.

5. Deceased Patients. Our Practice may release PHI to a medical examiner or coroner as authorized by law.

6. Organ and Tissue Donation. If you are an organ donor, our Practice may release your PHI to organizations that facilitate organ, eye or tissue donation, banking, and transplantation.

7. Research. The Practice may use and share your PHI for research purposes in certain limited circumstances. We will obtain your written authorization to use your PHI for research purposes except when an Internal Review Board or Privacy Board has determined that the waiver of your authorization satisfies all of the necessary conditions to ensure minimal risk to your privacy.

8. Serious Threats to Health or Safety. Our Practice may use and share your PHI when necessary to reduce or prevent a serious threat to your health and safety or the health and safety of another individual or the public. Under these circumstances, we will only make disclosures to a person or organization able to help lessen or prevent the threat.

9. Military. Our Practice may share your PHI if you are a member of U.S. or foreign military forces (including veterans) and if required by the appropriate authorities.

10. National Security. Our Practice may share your PHI with federal officials for intelligence and national security activities authorized by law.

11. Inmates. Our Practice may share your PHI to correctional institutions or law enforcement officials if you are an inmate or under the custody of law enforcement officials. Disclosure for these purposes would be necessary: (a) for the institution to provide healthcare services to you, (b) for the safety and security of the institution, and/or (c) to protect your health and safety or the health and safety of other individuals.

12. Workers’ Compensation. Our Practice may release your PHI for workers’ compensation and similar programs.

Your Rights Regarding your PHI

1. Receive Confidential Communications. You have the right to request that the Practice communicate with you about your health and related issues in a particular manner or at a certain location. For instance, you may ask that we contact you at home, rather than work. You do not need to give a reason for your request.

2. Requesting Restrictions. If you do not want us to share your PHI, you have the right to request that we not share your PHI for treatment, payment or healthcare operations. This is called requesting restrictions. Additionally, you have the right to request that we share your PHI with only certain individuals involved in your care or the payment for your care, such as family members and friends. We will grant your request as best we can, but may not be able to comply with your request if otherwise required by law, or when the information is necessary to treat you.  In order for us to best help you with restrictions, please tell us the following: the information you wish restricted (not shared); whether you are requesting to limit our Practice’s use, disclosure or both; and to whom you want the limits to apply.

3. Inspection, Copies, and Amendments. You have the right to look at and get a copy of the PHI that is in your designated record set. If you would like to get a copy of your information, you must make your request in writing.  To the extent that electronic health records are available, you have a right to an electronic copy of your record, and, if you choose, you may direct us to transmit a copy of the electronic health record to a designated individual or entity. We may charge a fee for copies of your records. Please contact the Practice’s Privacy Officer for information about fees and to request a copy of your records. You have a right to request that we amend your PHI if you feel that the information we have is inaccurate or incomplete, as long as the Practice created the information you wish to amend. We will not make changes to medical information created by another health care provider or changes that would make your medical record inaccurate or incomplete. To request an amendment, contact the Practice’s Privacy Officer, who will assist you in completing the appropriate form.

4. Revoke your Authorization. You have the right to revoke your authorization (or consent) to our use/disclosure of your PHI, as long as you make your request in writing to the Practice. You can revoke your authorization (or consent) for future disclosures, but not for any disclosures made prior to when you first gave your authorization.

5. Right to a Paper Copy of this Notice. You are entitled to receive a paper copy of our Notice of Privacy Practices at any time. Request a copy at the Practice or by emailing us at hipaa@iorahealth.com.

6. Accounting and Access Reports. You have a right to receive a list of how and to whom certain of your medical information has been disclosed, called an “accounting of disclosures.” The accounting does not include disclosures of your PHI that pertain to treatment, payment or health care operations. To the extent that we use or maintain your PHI in an electronic designated record set, you also have a right to receive an access report indicating who has accessed such PHI (including access for the purposes of treatment, payment, and health care operations) during a period of time up to three years prior to the date of your request. We will provide an access report relating to such disclosures made by us and all of our Business Associates. Requests for an accounting and requests for an access report must be submitted in writing to the Practice.

7. Notice of a Breach. You have a right to receive a breach notification that complies with applicable Federal and State laws and regulations in the event of a breach of your unsecured PHI.

8. Revisions to Our Privacy Policies and Practices. The Practice is required by law to make sure that the privacy of your PHI is maintained, to provide you with this Notice of our legal duties and privacy practices and to abide by the terms of the Notice that is currently in effect. The Practice reserves the right to change its privacy policies and practices, including this Notice, and to make the new policies and practices, including the revised Notice provisions, effective for all PHI that we maintain. We will post a copy of the current Notice in our office. You may request a copy of it at any time.

9. Sale of PHI, Marketing and Other Uses and Disclosures Require your Authorization. The Practice will obtain your written authorization for uses and disclosures that are not identified by this notice or permitted by applicable law. We also will not use or disclose your health information for the following purposes without your specific, written Authorization:

  • For our marketing purposes (although this does not include face-to-face communication about products or services that may be of benefit to you and about prescriptions you have already been prescribed).
  • Disclosure of your psychotherapy notes. These are the notes that your behavioral health provider maintains that record your appointments with your provider and are not stored with your medical record.
  • Highly Confidential Information. In some instances, we may need specific, written authorization from you in order to disclose certain types of specially-protected information such as psychotherapy notes, HIV status, substance abuse treatment, mental health records, venereal disease information, research involving controlled substances, abortion consent forms, family planning services, and genetic testing information for purposes such as treatment, payment and healthcare operations (“Highly Confidential Information”).

If you are an emancipated minor, certain information relating to your diagnosis or treatment may be considered Highly Confidential Information and will not be disclosed to your parent or guardian without your consent. Your consent is not required, however, if a physician reasonably believes your condition to be so serious that your life or limb is endangered. Under such circumstances, we may notify your parents or legal guardian of the condition, and will inform you of any such notification. Please note that if you are a parent or legal guardian of an emancipated minor, certain portions of the emancipated minor’s medical record (or, in certain instances, the entire medical record) may not be accessible to you.

10. Your Choices. For certain health information, you can tell us your choices about what we share. If you have a clear preference for how we share your information in the situations described below, let the Practice know, and we will follow your instructions.

   a. You have both the right and choice to tell us how to:

  • Share information with your family, close friends, or others involved in your care
  • Share information in a disaster relief situation
  • Include your information in a hospital directory
  • Contact you for fundraising efforts

Note: If you are not able to tell us your preference, for example if you are unconscious, we may go ahead and share your information if we believe it is in your best interest. We may also share your information when needed to lessen a serious and imminent threat to health or safety.

   b. In these cases we never share your information unless you give us written permission:

  • Marketing purposes
  • Sale of your information
  • Most sharing of psychotherapy notes

   c. In the case of fundraising:

  • We may contact you for fundraising efforts, but you can tell us not to contact you again. 

11. Right to File a Complaint. If you believe your privacy rights have been violated, you may file a complaint with our Practice or with the Secretary of the Department of Health and Human Services (“HHS”). All complaints must be submitted in writing. You will not be penalized for filing a complaint. To file a complaint with the Practice, contact the Privacy Officer. To file a complaint with HHS, contact:

Office for Civil Rights
U.S. Department of Health and Human Services
200 Independence Avenue, S.W.
Room 509F HHH Bldg.
Washington, D.C. 20201

12. If you have questions about this Notice, please contact the Practice’s Privacy Officer:

Sean S. Nabi
Iora Health
101 Tremont Street, 6th Floor
Boston, MA 02108
(617) 580-0529
hipaa@iorahealth.com

Effective Date: This Notice is effective as of April 15th 2015.