Privacy and Security Policy
Version: 19-Mar-2025
HIPAA Privacy & Security
Introduction
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its implementing regulations restrict the ability of Geno.Me, Inc and Geno.Me (“Company”) to use and disclose protected health information (PHI).
Protected Health Information. Protected health information means information that is created or received by the Company and relates to the past, present, or future physical or mental health condition of a Patient/Client (“Participant”); the provision of health care to a participant; or the past, present, or future payment for the provision of health care to a participant; and that identifies the participant or for which there is a reasonable basis to believe the information can be used to identify the participant. Protected health information includes information of individuals living or deceased.
Some examples of PHI are:
1. Participant’s medical record number
2. Participant’s demographic information (e.g. address, telephone number)
3. Participant genomic health details
4. Information doctors, nurses and other health care providers put in a participant’s medical record
5. Images of the participant
6. Conversations a provider has about a participant’s care or treatment with nurses and others
7. Information about a participant in a provider’s computer system or a health insurer’s computer system
8. Billing information about a participant at a clinic
9. Any health information that can lead to the identity of an individual, or whose contents can be used to make a reasonable assumption as to the identity of the individual
It is the Company’s policy to comply fully with HIPAA's requirements. To that end, all staff members who have access to PHI must comply with this HIPAA Privacy and Security Policy. For purposes of this plan and the Company’s use and disclosure procedures, the workforce includes individuals who would be considered part of the workforce under HIPAA such as employees, volunteers, interns, board members and other persons whose work performance is under the direct control of Geno.Me, whether or not they are paid by Geno.Me. The term "employee" or “staff member” includes all of these types of workers.
No third-party rights (including but not limited to rights of participants, beneficiaries, covered dependents, or business associates) are intended to be created by this Plan. Geno.Me reserves the right to amend or change this Plan at any time (and even retroactively) without notice.
All staff members must comply with all applicable HIPAA privacy and information security policies. If, after an investigation, you are found to have violated the organization’s HIPAA privacy and information security policies, you will be subject to disciplinary action up to and including termination, and to legal action if the infraction requires it.
The Incident Response Team is comprised of the CEO, Lead Full Stack Engineer, and additional members deemed appropriate on an ad hoc basis in the reasonable judgment of the management team. In the event that a security incident results in a wrongful disclosure of PHI, the Incident Response Team will take appropriate actions to prevent further inappropriate disclosures. In addition, Human Resources and Legal may be consulted as part of the review team to assist in the review and investigation of privacy incidents when required. If the Incident Response Team has not resolved the incident, it shall involve anyone determined to be necessary to assist in the resolution of the incident. If participants need to be notified of any lost/stolen PHI, the appropriate parties will send PHI Theft/Loss Disclosure Letters via email to all possibly affected individuals.
It is the Company’s policy to train all members of its workforce who have access to PHI on its privacy policies and procedures. All staff members receive HIPAA training. Whenever a privacy incident has occurred, management will evaluate the occurrence to determine whether additional staff training is in order. Depending upon the situation, it may be determined that all staff should receive training that is specific to the privacy incident. Management will review any privacy training developed as part of a privacy incident resolution to ensure the materials adequately address the circumstances regarding the privacy incident and reinforce the Company’s privacy policies and procedures.
The Company has established technical and physical safeguards to prevent PHI from intentionally or unintentionally being used or disclosed in violation of HIPAA's requirements. Technical safeguards include limiting access to information by creating computer firewalls. Physical safeguards include locking doors or filing cabinets and periodically changing door access codes. Additionally, authorized staff members can only access PHI by using their own login information.
Firewalls ensure that only authorized employees will have access to PHI, that they will have access to only the minimum amount of PHI necessary for their job functions, and that they will not further use or disclose PHI in violation of HIPAA’s privacy rules.
Currently all data resides on remote servers and is backed up using industry standards with off-site storage of media. Geno.Me currently utilizes technology that allows the IT team to quickly remove, disable and start staff member access to PHI.
Management is responsible for developing and maintaining a notice of the Company’s privacy practices that describes:
· the uses and disclosures of PHI that may be made by the Company;
· the individual's rights; and
· the Company's legal duties with respect to the PHI.
The Privacy Policy will inform participants that the Company will have access to PHI. The Privacy Policy will also provide a description of the Company’s complaint procedures, the email address of the contact person for further information, and the date of the notice.
The Privacy Policy will be individually delivered to all participants:
· on an ongoing basis, at the time of an individual's enrollment into a Company program or at the time of consent; and
· within 60 days after a material change to the notice.
Complaints can be received at support@yourgeno.me.
Sanctions for using or disclosing PHI in violation of this HIPAA Privacy Policy will be imposed, up to and including termination.
Geno.Me shall mitigate, to the extent possible, any harmful effects that become known to it because of a use or disclosure of a Participant’s PHI in violation of the policies and procedures set forth in this Plan. As a result, if an employee becomes aware of a disclosure of protected health information, either by a staff member of the Company or an outside consultant/contractor, that is not in compliance with this Policy, the employee shall immediately contact the Incident Response Team so that the appropriate steps to mitigate the harm to the Participant can be taken.
No employee may intimidate, threaten, coerce, discriminate against, or take other retaliatory action against individuals for exercising their rights, filing a complaint, participating in an investigation, or opposing any improper practice under HIPAA.
No individual shall be required to waive his or her privacy rights under HIPAA as a condition of treatment, payment, enrollment, or eligibility.
The permitted and required uses and disclosures of PHI by Geno.Me are as follows:
· to ensure that any agents or subcontractors to whom it provides PHI received from the Company agree to the same restrictions and conditions that apply to Geno.Me;
· to report to the Incident Response Team any use or disclosure of the information that is inconsistent with the permitted uses or disclosures;
· to make PHI available to Participants, consider their amendments and, upon request, provide them with an accounting of PHI disclosures;
· to make the Company’s internal practices and records relating to the use and disclosure of PHI received by the Company available to the Department of Health and Human Services (DHHS) upon request.
The Company’s privacy policies and procedures shall be documented and maintained for at least six years. Policies and procedures must be changed as necessary or appropriate to comply with changes in the law, standards, requirements, and implementation specifications (including changes and modifications in regulations). Any changes to policies or procedures must be promptly documented.
If a change in law impacts the privacy notice, the Privacy Policy must promptly be revised and made available. Such change is effective only with respect to PHI created or received after the effective date of the notice.
Geno.Me shall document certain events and actions (including authorizations, requests for information, sanctions, and complaints) relating to an individual's privacy rights.
The documentation of any policies and procedures, actions, activities and designations may be maintained in either written or electronic form.
The Company has developed an Incident Report form. This form is used to document reports of privacy breaches that have been referred to the Incident Response Team from staff members who have reviewed or received the suspected incident.
After receiving the Incident Report form from staff members, the Incident Response Team classifies the incident and its severity and analyzes the situation. Documentation shall be retained by the Company for a minimum of six years from the date of the reported incident.
If the Incident Response Team is able to resolve the incident, they shall also document the actions taken to resolve the issue in the Incident Report form.
Just like paper records, Electronic Health Records (EHRs) must comply with HIPAA and other state and federal laws. Unlike paper records, electronic health records can be encrypted - using technology that makes them unreadable to anyone other than an authorized user - and security access parameters are set so that only authorized individuals can view them. Further, EHRs offer the added security of an electronic tracking system that provides an accounting history of when records have been accessed and who accessed them.
Geno.Me will grant access to PHI based on staff members’ job functions and responsibilities.
Management, in collaboration with IT and senior management, is responsible for determining which individuals require access to PHI and what level of access they require, through discussions with the individual’s manager and/or department head.
The IT department will keep a record of authorized users and the rights that they have been granted with respect to PHI. IT keeps a comprehensive matrix of how and to whom rights are granted. A summary of user rights can be found in the table below.
The Company will use and disclose PHI only as permitted under HIPAA. The terms "use" and "disclosure" are defined as follows:
1. Use. The sharing, employment, application, utilization, examination, or analysis of individually identifiable health information by any person working for or within the Company, or by a Business Associate of the Company.
2. Disclosure. For information that is protected health information, disclosure means any release, transfer, provision of access to, or divulging in any other manner of individually identifiable health information to persons not employed by or working within Geno.Me with a business need to know PHI.
All staff who perform participant functions directly on behalf of the Company or on behalf of group health plans will have access to PHI as determined by their department and job description and as granted by IT.
Employees with access may use and disclose PHI as required under HIPAA, but the PHI disclosed must be limited to the minimum amount necessary to perform the job function. Employees with access may not disclose PHI unless an approved, compliant authorization is in place or the disclosure is otherwise in compliance with this Plan and the use and disclosure procedures of HIPAA.
Staff members may not access, either through our information systems or the participant’s medical record, the medical and/or demographic information of themselves, family members, friends, staff members or other individuals for personal or other non-work-related purposes, even if written or oral participant authorization has been given. If the staff member is a participant in Geno.Me’s plans, the staff member must go through their Provider to request their own PHI.
In the very rare circumstance when a staff member’s job requires them to access and/or copy the medical information of a family member, a staff member, or other personally known individual, they should immediately report the situation to their manager, who will determine whether to assign a different staff member to complete the task involving the specific Participant.
PHI may be disclosed for any purpose if an authorization that satisfies all of HIPAA's requirements for a valid authorization is provided by the participant. All uses and disclosures made pursuant to a signed authorization must be consistent with the terms and conditions of the authorization.
PHI may be disclosed in the following situations without a participant's authorization, when specific requirements are satisfied. The Company’s use and disclosure procedures describe specific requirements that must be met before these types of disclosures may be made. Permitted are disclosures:
· about victims of abuse, neglect or domestic violence;
· for judicial and administrative proceedings;
· for law enforcement purposes;
· for public health activities;
· for health oversight activities;
· about decedents;
· for cadaver organ, eye or tissue donation purposes;
· for certain limited research purposes;
· to avert a serious threat to health or safety;
· for specialized government functions; and
· that relate to workers' compensation programs.
HIPAA requires that when PHI is used or disclosed, the amount disclosed generally must be limited to the "minimum necessary" to accomplish the purpose of the use or disclosure.
The "minimum-necessary" standard does not apply to any of the following:
1. uses or disclosures made to the individual;
2. uses or disclosures made pursuant to a valid authorization;
3. disclosures made to the Department of Labor;
4. uses or disclosures required by law; and
5. uses or disclosures required to comply with HIPAA.
Minimum Necessary When Disclosing PHI. For making disclosures of PHI to any business associate or providers, or for internal/external auditing purposes, only the minimum necessary amount of information will be disclosed.
All other disclosures must be reviewed on an individual basis with management to ensure that the amount of information disclosed is the minimum necessary to accomplish the purpose of the disclosure.
Minimum Necessary When Requesting PHI. For making requests for disclosure of PHI from business associates, providers or participants for purposes of claims payment/adjudication or internal/external auditing purposes, only the minimum necessary amount of information will be requested.
All other requests must be reviewed on an individual basis with management to ensure that the amount of information requested is the minimum necessary to accomplish the purpose of the disclosure.
With the approval of management and in compliance with HIPAA, employees may disclose PHI to the Company's business associates and allow the Company’s business associates to create or receive PHI on its behalf. However, prior to doing so, the Company must first obtain assurances from the business associate that it will appropriately safeguard the information. Before sharing PHI with outside consultants or contractors who meet the definition of a "business associate," employees must contact management and verify that a business associate contract is in place.
A Business Associate is an entity that:
1. Performs or assists in performing a Company function or activity involving the use and disclosure of protected health information (including claims processing or administration, data analysis, underwriting, etc.); or
2. Provides legal, accounting, actuarial, consulting, data aggregation, management, accreditation, or financial services, where the performance of such services involves giving the service provider access to PHI.
Examples of Business Associates are:
· A third party administrator that assists the Company with payment processing.
· A CPA firm whose accounting services to a health care provider involve access to protected health information.
· An attorney whose legal services involve access to protected health information.
· A consultant that performs utilization reviews for the Company.
The Company may freely use and disclose de-identified information. De-identified information is health information that does not identify an individual and with respect to which there is no reasonable basis to believe that the information can be used to identify an individual. There are two ways a covered entity can determine that information is de-identified: either by professional statistical analysis, or by removing 18 specific identifiers.
The 18 specific elements listed below - relating to the participant, employee, relatives, or employer - must be removed, and you must ascertain there is no other available information that could be used alone or in combination to identify an individual.
1. Names
2. Geographic subdivisions smaller than a state
3. All elements of dates (except year) related to an individual - including dates of admission, discharge, birth, death - and, for persons greater than 89 years old, the year of birth cannot be used
4. Telephone numbers
5. FAX numbers
6. Electronic mail addresses
7. Social Security Number
8. Medical Record numbers
9. Health plan beneficiary numbers
10. Account numbers
11. Certificate/license numbers
12. Vehicle identifiers and serial numbers including license plates
13. Device identifiers and serial numbers
14. Web URLs
15. Internet protocol addresses
16. Biometric identifiers, including finger and voice prints
17. Full face photos, and comparable images
18. Any unique identifying number, characteristic or code
A person with appropriate expertise must determine that the risk is very small that the information could be used alone or in combination with other reasonably available information by an anticipated recipient to identify the individual, and this person must document the methods and justification for this determination.
There are instances when a participant’s friend or family member contacts Geno.Me to ask about the location of a participant or whether the participant has used Geno.Me’s services. In rare cases of emergency, at the discretion of senior management, the minimum of information may be released in order to assist in resolving an emergency situation. All inquiries of this nature should be directed to management for response.
When Geno.Me, Inc. deems it necessary for an employee to work from a remote location, PHI may be accessed and/or removed under the following circumstances:
1. Before removing PHI from Geno.Me for company business you must receive approval from your department Director and IT.
2. Geno.Me will only allow removal of PHI in paper form (participant records, reports) when it is transported in a secure lock box and when approved by the department Director and management.
3. The following safeguards are required of all employees when working from a non-Geno.Me site:
i. When outside the facility, only work on health information in a secure private environment.
ii. Keep the information with you at all times while in transit.
iii. Do not permit others to have access to the information.
iv. Never email participant information.
v. Don't save participant information to your home computer.
vi. Do not print records of any type.
vii. Do not record login information on or near the computer.
viii. Return all information the next business day or as soon as required.
The Company uses a third-party vendor for the storage of documents. Geno.Me, Inc. will immediately investigate any incident that involves the loss or theft of PHI that was mishandled.
HIPAA gives participants the right to access and obtain copies of their PHI that the Company or its business associates maintains. HIPAA also provides that participants may request to have their PHI amended. The Company will provide access to PHI and it will consider requests for amendment that are submitted in writing by participants.
An individual has the right to obtain an accounting of certain disclosures of his or her own PHI. This right to an accounting extends to disclosures made in the last six years, other than disclosures:
1. to carry out treatment, payment or health care operations;
2. to individuals about their own PHI;
3. incident to an otherwise permitted use or disclosure or pursuant to an authorization;
4. for purposes of creation of a facility directory or to persons involved in the participant's care or other notification purposes;
5. as part of a limited data set; or
6. for other national security or law enforcement purposes.
The Company shall respond to an accounting request within 60 days. If the Company is unable to provide the accounting within 60 days, it may extend the period by 30 days, provided that it gives the participant notice (including the reason for the delay and the date the information will be provided) within the original 60-day period.
The accounting must include the date of the disclosure, the name of the receiving party, a brief description of the information disclosed, and a brief statement of the purpose of the disclosure (or a copy of the written request for disclosure, if any).
The first accounting in any 12-month period shall be provided free of charge. The Company may impose reasonable production and mailing costs for subsequent accountings. The Company is responsible for responding to a request for an Accounting.
Participants may request to receive communications regarding their PHI by alternative means or at alternative locations. For example, participants may ask to be called only at work rather than at home. Such requests may be honored if, in the sole discretion of Geno.Me, the requests are reasonable.
However, Geno.Me shall accommodate such a request if the participant clearly provides information that the disclosure of all or part of that information could endanger the participant. The Company maintains responsibility for administering requests for confidential communications.
A participant may request restrictions on the use and disclosure of the participant's PHI. It is the Company’s policy to attempt to honor such requests if, in the sole discretion of the Company, the requests are reasonable. Management is charged with responsibility for processing requests for restrictions.
A participant can request a copy of their Protected Health Information by completing a Request for Accessing/Inspecting/Copying Health Information form and submitting it to the Department that maintains the information being requested. The Department must process and respond to the request.
When the Requestor is the Participant
The Company will take reasonable steps and exercise professional judgment to verify the identity of the individual making a request for access to his/her own PHI.
a. If the request is made electronically in writing, verification will be accomplished by requesting a name, email and birthdate.
Verification of identity will be accomplished by asking for a valid photo identification (such as a driver’s license) if the request is made in person. Once identity is established, authority in such situations may be determined by confirming the person is named in the medical record or in the participant’s profile as the participant’s legally authorized representative. Or, if there is no person listed in the medical record as the participant’s legally authorized representative, authority may be established by the person presenting an original of a valid power of attorney for health care or a copy of a court order appointing the person guardian of the participant, together with a valid photo I.D. A copy of the I.D. and legal notice must be attached to the request and placed in the Participant’s record.
The Company may use any other method of verification that, in the Company’s discretion, is reasonably calculated to verify the identity of the person making the request. Some acceptable means of verification include, but are not limited to:
a. Requesting to see a photo ID
b. Requesting a copy of a power of attorney
c. Confirming personal information with the requestor such as date of birth, policy number or social security number
d. Questioning a child’s caretaker to establish the relationship with the child
e. Calling the requestor back through a main organization switchboard rather than a direct number
The purpose of this section is to address the Company’s privacy requirements for reporting, documenting, and investigating a known or suspected action or adverse event resulting from unauthorized use or disclosure of individually identifiable health information.
A privacy breach is an adverse event or action that is unplanned, unusual, and unwanted that happens as a result of non-compliance with the privacy policies and procedures of the Company. A privacy breach must pertain to the unauthorized use or disclosure of health information, including ‘accidental disclosures’ such as misdirected e-mails or faxes.
The Incident Response Team shall immediately investigate and attempt to resolve all reported suspected privacy breaches.
Staff members are required to verbally report to their supervisor any event or circumstance that is believed to be an inappropriate use or disclosure of a participant’s PHI. If the supervisor is unavailable, the staff member must notify the Incident Response Team within 24 hours of the incident. If the manager determines that further review is required, the manager and staff member will consult with the Incident Response Team to determine whether the suspected incident warrants further investigation. In all cases an Incident Report must be filled out and submitted to the appropriate reviewer.
The Incident Response Team will document all privacy incidents and corrective actions taken. Documentation shall include a description of corrective actions, if any are necessary, or an explanation of why corrective actions are not needed, and any mitigation undertaken for each specific privacy incident. All documentation of a privacy breach shall be maintained with the Company and shall be retained for at least six years from the date of the investigation. Such documentation is not considered part of the participant’s health record.
If the participant is not aware of a privacy incident, the Incident Response Team shall investigate the incident thoroughly before determining whether the participant should be informed. If the participant is aware of a privacy incident, the Incident Response Team shall contact the participant within three (3) business days of receiving notice of the incident. The method of contact is at the discretion of the Incident Response Team, but resulting communications with the participant must be documented in the incident report. In addition, any privacy incident that includes a disclosure for which an accounting is required must be documented and entered into the accounting.
Staff who fail to report known PHI/security incidents, or fail to report them promptly, may be subject to disciplinary action up to termination.
Following a breach of unsecured protected health information, covered entities must provide notification of the breach to affected individuals if necessary and, in certain circumstances, to the media. In addition, business associates must notify covered entities that a breach has occurred.
1. Individual Notice
Covered entities must notify affected individuals following the discovery of a breach of unsecured protected health information. Covered entities must provide this individual notice in written form by first-class mail, or alternatively, by e-mail if the affected individual has agreed to receive such notices electronically. If the covered entity has insufficient or out-of-date contact information for 10 or more individuals, the covered entity must provide substitute individual notice by either posting the notice on the home page of its web site or by providing the notice in major print or broadcast media where the affected individuals likely reside. If the covered entity has insufficient or out-of-date contact information for fewer than 10 individuals, the covered entity may provide substitute notice by an alternative form of written, telephone, or other means.
These individual notifications must be provided without unreasonable delay and in no case later than 60 days following the discovery of a breach and must include, to the extent possible, a description of the breach, a description of the types of information that were involved in the breach, the steps affected individuals should take to protect themselves from potential harm, a brief description of what the covered entity is doing to investigate the breach, mitigate the harm, and prevent further breaches, as well as contact information for the covered entity. Additionally, for substitute notice provided via web posting or major print or broadcast media, the notification must include a toll-free number for individuals to contact the covered entity to determine if their protected health information was involved in the breach.
2. Media Notice
Covered entities that experience a breach affecting more than 500 residents of a State or jurisdiction are, in addition to notifying the affected individuals, required to provide notice to prominent media outlets serving the State or jurisdiction. Covered entities will likely provide this notification in the form of a press release to appropriate media outlets serving the affected area. Like individual notice, this media notification must be provided without unreasonable delay and in no case later than 60 days following the discovery of a breach and must include the same information required for the individual notice.
3. Notice to the Secretary
In addition to notifying affected individuals and the media (where appropriate), covered entities must notify the Secretary of breaches of unsecured protected health information. Covered entities will notify the Secretary by visiting the HHS web site and filling out and electronically submitting a breach report form. If a breach affects 500 or more individuals, covered entities must notify the Secretary without unreasonable delay and in no case later than 60 days following a breach. If, however, a breach affects fewer than 500 individuals, the covered entity may notify the Secretary of such breaches on an annual basis. Reports of breaches affecting fewer than 500 individuals are due to the Secretary no later than 60 days after the end of the calendar year in which the breaches occurred.
4. Notification by a Business Associate
If a breach of unsecured protected health information occurs at or by a business associate, the business associate must notify the covered entity following the discovery of the breach. A business associate must provide notice to the covered entity without unreasonable delay and no later than 60 days from the discovery of the breach. To the extent possible, the business associate should provide the covered entity with the identification of each individual affected by the breach as well as any information required to be provided by the covered entity in its notification to affected individuals.
Concerns about the Company’s privacy practices may arise in a variety of contexts and may be received by many different persons at the Company. It is important that the Company responds to concerns and complaints in a timely manner. When a staff member hears or receives a complaint/concern, they should ask the complainant whether or not the complainant wishes to file a formal complaint and offer to assist the complainant with the form. Even if the person does not wish to file a complaint or provide identifying information, the staff member should proceed with the procedures outlined below.
Filing a Complaint
a. Participants' complaints of alleged privacy rights violations may be forwarded through multiple channels, such as email or support ticket. If a complaint is received by a staff member, the person receiving the complaint will:
1. In response to an email or support ticket – Complete the Privacy Complaint Form and immediately forward it to the Incident Response Team. Attach the written complaint to the complaint form.
2. In response to an anonymous complaint – Complete the Privacy Complaint Form based on the information provided and immediately forward it to the Incident Response Team. When possible, explain to the complainant that the Company has an obligation to follow up on complaints whether or not they are filed anonymously.
b. Staff Members – Contact support@yourgeno.me. Staff members may also complete the Privacy Complaint Form and forward it to the Incident Response Team. Upon receipt of a complaint, the Incident Response Team will initiate a preliminary investigation.
1. Initial review – All complaints will be initially reviewed by the Incident Response Team to determine whether the complaint alleges a violation of established policies and procedures or of other known regulations regarding the protection of individually identifiable health information. If there is no legitimate allegation, the Incident Response Team will, when possible, contact the Complainant by letter and inform him/her of this finding within 60 days. All documentation will be maintained as prescribed in this policy.
2. Complaints requiring further review – If there is a legitimate allegation, a detailed investigation will be initiated by reviewing the Company practices at issue, contacting employees or contractors as needed, and utilizing other Company resources as needed. Upon conclusion of the investigation, the Incident Response Team will, when possible, contact the Complainant by letter and inform him/her of the finding within 60 days.
c. 60-day time frame – In the event that this 60-day period cannot be met, the Incident Response Team shall, when possible, communicate this determination to the Complainant in writing and include an estimated timeframe for completion of the investigation.
d. Outcome of Investigation – The purpose of the investigation is to determine whether the Company has complied with its policies and procedures implementing the privacy standards mandated by HIPAA. The Company will mitigate, to the extent practicable, any known harmful effect of a use or disclosure of PHI, by the Company or any of its Business Associates, in violation of the Company's policies and procedures or HIPAA's privacy requirements. In the event that disciplinary action is recommended, the Incident Response Team or its designee will coordinate any action with management.
e. Documentation – All complaints shall be documented. The Incident Response Team will maintain all completed complaint documentation for six years from the initial date of the complaint.
The Company shall not intimidate, threaten, coerce, discriminate against, or take any other form of retaliatory action against any person who has filed a complaint or reported a privacy incident.
HIPAA Authorization to Use and Disclose Protected Health Information
I, ____________________, hereby authorize the use and/or disclosure of the protected health information about me described below ("PHI") to Geno.Me, Incorporated ("Geno.Me"). The PHI that may be used and/or disclosed is the clinical summary, which includes but is not limited to consultation notes, discharge summary notes, history & physical, imaging narratives, laboratory report narratives, pathology report narratives, procedure notes, and progress notes.
This authorization shall remain in effect until I revoke it in writing. The covered entity that is releasing my PHI under this authorization will not receive direct or indirect remuneration in exchange for disclosing my PHI and will provide my PHI only to Geno.Me and to no other business or individual. I understand that, as set forth in the notice of privacy practices, I have the right to revoke this authorization, in writing, at any time, except to the extent that Geno.Me, Inc. has acted in reliance upon it, by sending written notification to support@yourgeno.me. I understand that I am under no obligation to sign this authorization and that I am doing so of my own free will, and that my treatment, payment, enrollment, or eligibility for benefits will not be conditioned on whether I sign this form.