Notice of HIPAA Privacy Practices
Oula Health Providers’ Commitment to Your Privacy
In order to provide you with care, health care providers to whom Oula Health, Inc. (“Oula Health”) provides administrative support services, including Lower Manhattan Medical Care, P.C. and other professional corporations to which Oula Health may provide administrative support services in the future (collectively, “Providers”), must collect, create, and maintain information about you and your health.
Providers are dedicated to protecting the privacy of your protected health information (“PHI”). PHI is information about you that may be used to identify you (such as your name, social security number, email address, mobile telephone number, address, or date of birth), and that relates (a) to your past, present, or future physical or mental health or condition; (b) to the provision of healthcare to you; or (c) to your past, present, or future payment for the provision of healthcare.
Providers are required by law to maintain the privacy of your PHI and provide you with notice of their legal duties and privacy practices with respect to your PHI. Other health care providers involved in your care may have different policies or notices regarding their use and disclosure of your PHI.
This Notice describes how medical information about you may be used and disclosed and how you get access to this information. Please review it carefully.
Providers must maintain the privacy of your PHI, give you this Notice of their legal duties and privacy practices, notify you if you are affected by a breach of unsecured PHI, and abide by the terms of this Notice while it is in effect. Providers and their employees, volunteers, and other personnel must also abide by this Notice.
This updated Notice takes effect on the “last revision” date listed below.
Uses and Disclosures of PHI Without Your Authorization
Providers may use and disclose your PHI for the following purposes without your written authorization:
- Treatment, Payment, and Healthcare Operations. Providers are permitted to use and disclose your PHI for purposes of (a) treatment; (b) payment; and (c) healthcare operations. For example:
- Treatment: Providers may disclose your PHI to a physician or healthcare provider for purposes of a visit or in connection with the provision of follow-up treatment.
- Payment: Providers may use and disclose your PHI to your health insurer or health plan in connection with the processing and payment of a claim and other charges.
- Healthcare operations: Providers may use and disclose your PHI in connection with their healthcare operations, such as providing customer services and conducting quality review assessments. Providers may engage third parties to provide various services for Providers. If any such third party must have access to your PHI in order to perform its services, Providers may require that third party to enter an agreement that binds the third party to the use and disclosure restrictions provided in this Notice.
- As Required by Law. Providers may use and disclose your PHI to the extent required by law.
- Special Circumstances. The following categories describe unique circumstances in which Providers may use or disclose your PHI, subject to the limitations described in Special Protections for Reproductive Health Information below:
- Public Health Authorities: Providers may disclose your PHI to public health authorities or other governmental authorities for purposes including preventing and controlling disease, and reporting to the Food and Drug Administration regarding the quality, safety, and effectiveness of a regulated product or activity. Providers may, in certain circumstances, disclose PHI to persons who have been exposed to a communicable disease or may otherwise be at risk of contracting or spreading a disease or condition.
- Workers’ Compensation: Providers may disclose your PHI as authorized by, and to the extent necessary to comply with, workers’ compensation programs and other similar programs relating to work-related illnesses or injuries.
- Victims of abuse, neglect, or domestic violence. Providers may disclose your health information to an appropriate government agency if they believe you are a victim of abuse, neglect, or domestic violence, and you agree to the disclosure or the disclosure is required or permitted by law. Providers will let you know if they disclose your health information for this purpose unless they believe that notifying you would place you or another person at risk of serious harm.
- Health Oversight Activities: Providers may disclose your PHI to a health oversight agency for authorized activities such as audits, investigations, inspections, licensing, and disciplinary actions relating to the healthcare system or government benefits programs.
- Judicial and Administrative Proceedings: Providers may disclose your PHI in certain circumstances, as permitted by applicable law, in response to an order from a court or administrative agency, or in response to a subpoena or discovery request.
- Law Enforcement: Providers may disclose your PHI to a law enforcement official, such as for purposes of identifying or locating a suspect, fugitive, material witness, or missing person.
- Decedents: Providers may, under certain circumstances, disclose PHI to coroners, medical examiners, and funeral directors for purposes such as identification, determining the cause of death, and fulfilling duties relating to decedents.
- Organ Procurement: Providers may, under certain circumstances, use or disclose PHI for the purposes of organ donation and transplantation.
- Research: Providers may, under certain circumstances, use or disclose PHI in a limited data set that does not include direct identifiers such as your name, address, social security number, phone number, and email address, for research purposes. Such uses may include activities that are preparatory to research or informing you of research studies that may be of interest to you. You will not be enrolled in a research study without your prior voluntary informed consent, unless an institutional review board has waived the need to obtain informed consent.
- Threat to Health or Safety: Providers may, in certain circumstances, use or disclose PHI, if necessary, to prevent or lessen a serious and imminent threat to the health or safety of a person or the public.
- Specialized Government Functions: Providers may, in certain situations, use and disclose PHI of persons who are, or were, in the Armed Forces for purposes such as ensuring proper execution of a military mission or determining entitlement to benefits. Providers may also disclose PHI to federal officers for intelligence and national security purposes.
- Business Associate Agreements: A business associate is a person or entity that performs certain functions that involve the use or disclosure of PHI to a covered entity, such as Oula Health. Your PHI may be used or disclosed to a business associate of Providers only if Providers obtain satisfactory assurances from the business associate that the business associate will safeguard your health information from any misuse and will use the information only for certain limited permitted purposes.
- Individuals involved in your care: Unless prohibited by state law, Providers may disclose your health information to a family member, relative, or close personal friend assisting you in receiving health care services. Providers will disclose your health information to these individuals only if you tell them to do this or if they can reasonably infer that you do not object.
Uses and Disclosures that Require Your Authorization
- Authorization. Providers are permitted to use and disclose your PHI upon your written authorization, to the extent such use or disclosure is consistent with your authorization. You may revoke such authorization at any time by providing them with a written notice stating that you wish to revoke your authorization, in which case they will no longer use or disclose your health information for the purpose you authorized, except to the extent that they have relied on your prior authorization to provide your care.
To authorize Providers to disclose your PHI to a third party, send a request to Privacy Officer, Oula Health, 109 Montague Street, Brooklyn, NY 11201 to request a HIPAA Authorization to Disclose Protected Information and mail it to the address listed on the form.
Providers will not use or disclose your health information for any purpose not specified in this Notice unless Providers obtain your express written authorization or the authorization of your legally appointed representative.
- Marketing and Sale. Most uses and disclosures of PHI for marketing purposes, and disclosures that constitute a sale of medical information, require your prior express authorization. Providers will obtain your written permission for (1) most uses and disclosures of PHI for marketing purposes, as defined by HIPAA; and (2) disclosures that constitute a sale of PHI, as defined by HIPAA. If you provide Providers permission to use or disclose your PHI, you may revoke that permission in writing at any time. If you revoke your permission, your revocation will be effective upon receipt, but will not be effective to the extent that Providers or others have acted in reliance upon such permission.
- Special Protections for Reproductive Health Information.
- Uses and Disclosures Providers Will Never Make. Providers will never use or disclose your health information when the requested use or disclosure is for any of the following purposes:
- To conduct a criminal, civil, or administrative investigation for the mere act of you seeking, obtaining, providing, or facilitating reproductive health care;
- To impose criminal, civil, or administrative liability for the mere act of your seeking, obtaining, providing, or facilitating reproductive health care; or
- To identify you for either of the above purposes.
For example, Providers would not cooperate with a subpoena issued by a state in which abortion or certain kinds of contraception are illegal that is seeking your medical records in order to investigate your receipt of reproductive healthcare that you lawfully obtained.
- Uses and Disclosures for Which Providers Will Require an Attestation. Providers will not use or disclose your health information that is potentially related to reproductive health care for:
- Health oversight activities (as described in Section 2(d) above);
- Judicial and administrative proceedings (as described in Section 2(e) above);
- Law enforcement purposes (as described in Section 2(f) above); or to
- Coroners and medical examiners (as described in Section 2(g) above)
UNLESS Providers receive a valid attestation from the person requesting the use or disclosure that their request is not related to the prohibited purposes listed above in Section 6(a).
For example, if Providers receive a subpoena requesting medical records of reproductive health care that you lawfully obtained that is accompanied by a valid attestation that the subpoena relates to investigating a doctor suspected of malpractice, they would be able to lawfully disclose your information.
- Other State Laws. To the extent that you reside in a state that provides additional protections to medical information or a subset of treatment information and you are receiving care in such state, Providers will protect your information in accordance with state law.
Potential for Redisclosure. Providers want you to be aware that when they disclose your information as described in this Notice, either with or without your authorization, it has the potential to be redisclosed by the person receiving the information, and the information is no longer subject to the protections described, or protected by the laws with which Providers comply.
Your Rights Regarding Your PHI
You have the following rights regarding the PHI maintained by Providers:
- Confidential Communication. You have the right to receive confidential communications of your PHI. You may request that Providers communicate with you through alternate means or at an alternate location, and Providers will accommodate your reasonable requests. You must submit your request in writing to Privacy Officer, Oula Health, 109 Montague Street, Brooklyn, NY 11201.
- Restrictions. You have the right to request restrictions on certain uses and disclosures of PHI for treatment, payment or healthcare operations. You also have the right to request that Providers restrict their disclosures of PHI to only certain individuals involved in your care or the payment of your care. You must submit your request in writing to Privacy Officer, Oula Health, 109 Montague Street, Brooklyn, NY 11201. Providers are not required to comply with your request. However, if Providers agree to comply with your request, they will be bound by such agreement, except when otherwise required by law or in the event of an emergency.
- Inspection and Copies. You have the right to inspect and copy your PHI. You must submit your request in writing to the Privacy Officer at Oula Health. Providers may impose a fee for the costs of copying, mailing, labor, and supplies associated with your request. Providers may deny your request to inspect and/or copy your PHI in certain limited circumstances. If that occurs, Providers will inform you of the reason for the denial, and you may request a review of the denial. To request access to your PHI that is not readily accessible to you, send a request to Privacy Officer, Oula Health, 109 Montague Street, Brooklyn, NY 11201.
- Amendment. You have the right to request that Providers amend your PHI if you believe it is incorrect or incomplete, and you may request an amendment for as long as the information is maintained by Providers. You must submit your request in writing to the Privacy Officer at Oula Health and provide a reason to support the requested amendment. Providers may, under certain circumstances, deny your request by sending you a written notice of denial. If Providers deny your request, you will be permitted to submit a statement of disagreement for inclusion in your records. To make a request to amend your PHI that you cannot otherwise change yourself, send a request to Privacy Officer, Oula Health, 109 Montague Street, Brooklyn, NY 11201.
- Accounting of Disclosures. You have a right to receive an accounting of all disclosures Providers have made of your PHI. However, that right does not include (1) disclosures made for treatment, payment, or healthcare operations; (2) disclosures made pursuant to an authorization; and (3) certain other disclosures. You must submit your request in writing to Oula Health and you must specify the time period involved (which must be for a period of less than six years from the date of the disclosure). Your first accounting will be free of charge. However, Providers may charge you for the costs involved in fulfilling any additional request made within a period of 12 months. Providers will inform you of such costs in advance, so you may withdraw or modify your request to save costs. To make a request for an accounting of disclosures, mail a request to Privacy Officer, Oula Health, 109 Montague Street, Brooklyn, NY 11201.
- Breach Notification. You have the right to be notified in the event that Providers discover a breach of unsecured PHI.
- Paper Copy. You have the right to obtain a paper copy of this Notice at any time upon request. To obtain a paper copy of this Notice, send a request to Privacy Officer, Oula Health, 109 Montague Street, Brooklyn, NY 11201.
- Complaint. You may complain to Providers and the Secretary of the Department of Health and Human Services if you believe that your privacy rights have been violated. To file a complaint, you must submit a statement in writing to the Oula Health CEO. Providers will not retaliate against you for filing a complaint.
- Changes to this Notice. Providers may change the terms of this Notice at any time, as long as the changes are compliant with applicable law. If the terms of the Notice are changed, the new terms will apply to all of your health information, whether created or received by Providers before or after the date on which the Notice is changed. Any updates to the Notice will be made available on https://oulahealth.com/hipaa/ within 60 days of the date on which they become effective.
- Further Information. If you would like more information about your privacy rights, please send a request to Privacy Officer, Oula Health, 109 Montague Street, Brooklyn, NY 11201.
Last revised and effective date of this Notice: July 23, 2024.