Notice of Privacy Practices

THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.

RxGenomix, LLC (“RxGenomix”) is required by law to maintain the privacy of your protected health information (as defined under the Health Insurance Portability and Accountability Act of 1996 and the regulations thereunder, as in effect from time to time (“HIPAA”)) (“PHI”) and to provide you with a notice of our legal duties and privacy practices with respect to protected health information. (“Protected health information” is referred to in this Notice as “PHI”.) This Notice of Privacy Practices (“the Notice”), describes how we may use and disclose your PHI to carry out treatment, payment or health care operations and for other specified purposes that are permitted or required by law. The Notice also describes your rights with respect to your PHI. Under HIPAA, “PHI” means information about you, including basic demographic information, that may identify you and that relates to your past, present or future physical or mental health or condition and related health care services, including payment for such services.

RxGenomix is required to follow the terms of this Notice. We will not use or disclose your PHI without your written permission, except as described in this Notice. We reserve the right to change our practices and this Notice and to make the new Notice effective for PHI we maintain. Upon your request, we will provide you with a revised Notice. You should carefully review this Notice as well as our Privacy Policy.

Your Health Information Rights

You have the following rights with respect to your PHI:

• Obtain a paper copy of the Notice of Privacy Practices upon request.You may request a copy of the Notice at any time. To obtain a copy of the Notice, contact [email protected].
• Request a restriction on certain uses and disclosures of your information.You have the right to request a restriction on the PHI that we use or disclose about you for treatment, payment, or health care operations. You also have the right to request a restriction on the PHI we disclose about you to someone who is involved in your care or payment for your care, such as a family member or friend. Except as described in this section, we are not required to agree to your request. We must agree to your request if the disclosure has been made to a health plan for the purpose of payment or health care operations and the disclosure relates to an expense for which you have paid out of pocket. To request restrictions, you must send a written request to [email protected].
• Inspect and obtain a copy of your information.You have the right to access and copy PHI about you contained in your medical and billing records for as long as RxGenomix maintains the information. To read or copy your PHI, you must send a written request to [email protected]. Additional state law requirements may apply in order to access and copy such PHI. If you request a copy of the information, we may charge you a reasonable fee for the costs of the copying, mailing, or other supplies that are necessary for the electronic transfer of your information. If we maintain an electronic health record containing your health information, you have the right to request that we send a copy of your health information in electronic format to you or a third party that you identify. We may deny your request to read and copy in certain limited circumstances. If you are denied access to your PHI, you may request that the denial be reviewed by filing a request for review with the RxGenomix’s Privacy Officer.
• Amend your information.If you feel that PHI we have about you is incomplete or incorrect, you may request that we amend the information. You may request an amendment for as long as we maintain your health information. To request an amendment, you must send a written request to [email protected]. In addition, you must include a reason that supports your request. In certain cases, we may deny your request for amendment. If we deny your request for amendment, you have the right to file a statement of disagreement with the decision with the Privacy Officer and we may prepare a rebuttal to your statement, which we will provide to you.
• Receive an accounting of disclosures of your information.You have the right to receive an accounting of certain disclosures we have made of your PHI after the effective date of this Notice. The accounting will exclude disclosures we have made directly to you, disclosures to friends or family members involved in your care, disclosures made pursuant to a valid authorization, and disclosures for notification purposes. The right to receive an accounting is subject to certain other exceptions, restrictions, and limitations. To request an accounting, you must submit your request in writing to [email protected]. Your request must specify the time period for which you are seeking an accounting, but it may not be longer than 6 years or the time period permitted by law. The first accounting you request within a 12-month period will be provided free of charge, but you may be charged for the cost of providing additional accountings during the same 12-month period. We will notify you of the cost involved, and you may choose to withdraw or modify your request at that time.
• Request communications of your information by alternative means or at alternative locations.For instance, you may request that we contact you about medical matters only in writing or at a different residence or post office box. To request confidential communication of your PHI, you must submit your request in writing to [email protected]. Your request must state how or when you would like to be contacted. We will accommodate all reasonable requests. We reserve the right to verify your identity in order to confirm the alternative contact and address information. You agree that we are entitled to rely on the alternative contact and address information that you provide to us unless and until we have received a written notice from you changing or revoking the information you have provided to us.

Examples of How We May Use and Disclose Protected Health Information About You

The following categories describe different ways that we use and disclose your protected health information. For each category of uses or disclosures, we try to explain what we mean and provide some examples.

• We will use your protected health information for treatment.For example:Information obtained by a member of your health care team will be recorded in your record and used to determine and to document the chosen course of treatment. RxGenomix will record the actions it took and its observations.
• We will use your protected health information for payment.For example:A bill may be sent to you or a third-party payor. The information on or accompanying the bill may include information that identifies you, as well as your diagnosis, procedures, and supplies used.
• We will use your protected health information for health care operations.For example:Members of our staff may use information in your health record to assess the care and outcomes in your case and others like it. This information will then be used in an effort to continually improve the quality and effectiveness of the health care and service we provide.

We are likely to use or disclose your PHI for the following purposes:

Business Associates:

There are some services provided at RxGenomix through contracts with business associates. For example, we may have a contract with a billing service. When we contract for these services, we may disclose your PHI to our business associate(s) so that they can perform the job we have asked them to do and bill RxGenomix, you, or your third-party payor for services rendered. To protect your information, however, we require all business associates to appropriately safeguard your information. Business associates are also directly responsible for compliance with federal security standards and certain provisions of the federal privacy law, to further ensure the protection of your PHI.

Communication with Individuals Involved in your Care or Payment for your Care:

Health professionals, such as a physician, pharmacist, nurse practitioner, physician assistant or nurse, using their professional judgment, may disclose to a family member, other relative, close personal friend or any other person you identify, PHI relevant to that person’s involvement in your care or payment related to your care.

Personal Communications:

Subject to certain limitations imposed by law, we may contact you to provide appointment reminders or information about treatment alternatives or other health-related benefits and services that may be of interest to you. We may receive payment in exchange for making these communications. You may opt out of receiving communications for which we have been paid. To opt out, contact [email protected].

Food and Drug Administration (FDA) or Other Regulatory Agency:

We may disclose to the FDA or other regulatory agencies having jurisdiction, or persons under the jurisdiction of the FDA or such other regulatory agencies, PHI relative to adverse events with respect to food, medicines, supplements, product and product defects, or post marketing surveillance information to enable product recalls, repairs, or replacement.

Worker’s Compensation:

We may disclose your PHI to the extent authorized by and to the extent necessary to comply with laws relating to worker’s compensation or other similar programs established by law.

Public Health:

As required by law, we may disclose your PHI to public health or legal authorities charged with preventing or controlling disease, injury, or disability.

Law Enforcement:

We may disclose your PHI for law enforcement purposes as required by law or in response to a valid subpoena or court order.

As Required by Law:

We will disclose your PHI when required to do so by federal, state, or local law.

Health Oversight Activities:

We may disclose your PHI to an oversight agency for activities authorized by law. These oversight activities include audits, investigations, and inspections, as necessary for licensure and for the government to monitor the health care system, government programs, and compliance with civil rights laws.

Judicial and Administrative Proceedings:

If you are involved in a lawsuit or a dispute, we may disclose your PHI in response to a court or administrative order. Subject to applicable state law, we may also disclose health information about you in response to a subpoena, discovery request, or other lawful process by someone else involved in the dispute, but only if efforts have been made, either by us or the requesting party, to tell you about the request or to obtain an order protecting the information requested.

We are permitted to use or disclose your PHI for the following purposes:

Research:

We may disclose your PHI to researchers when their research has been approved by an institutional review board that has reviewed the research proposal and established protocols to ensure the privacy of your information.

Notification:

We may use or disclose your PHI to notify or assist in notifying a family member, your personal representative, or another person responsible for your care regarding your location and general condition.

To Avert a Serious Threat to Health or Safety:

We may use and disclose your PHI when necessary to prevent a serious threat to your health and safety or the health and safety of the public or another person.

Regulatory Compliance:

Federal law makes provision for your medical information, including PHI, to be released to an appropriate health oversight agency, public health authority or attorney, provided that a member of our workforce or business associate believes in good faith that we have engaged in unlawful conduct or have otherwise violated professional or clinical standards and are potentially endangering one or more patients, workers or the public.

Victims of Abuse or Neglect:

We may disclose PHI about you to a government authority if we reasonably believe you are a victim of abuse or neglect. We will only disclose this type of information to the extent required by law, if you agree to the disclosure, or if the disclosure is allowed by law and we believe it is necessary to prevent serious harm to you or someone else or the law enforcement or public official that is to receive the report represents that it is necessary and will not be used against you. In such cases, we will promptly inform you that a report has been or will be made unless there is reason to believe that providing this information will place you in serious harm.

Data Breach Notification:

We may use your PHI to provide legally-required notices of unauthorized access, acquisition, or disclosure of your PHI.

Other Uses and Disclosures of PHI

We will obtain your written authorization before using or disclosing your PHI for purposes other than those provided for above (or as otherwise permitted or required by law). Most disclosures of your PHI for which we receive payment will require your authorization. Uses and disclosures of your PHI for marketing require your authorization and your authorization is required for uses and disclosures of psychotherapy notes. You may revoke an authorization in writing at any time. Upon receipt of the written revocation, we will stop using or disclosing your PHI, except to the extent that we have already taken action in reliance on the authorization.

Record Retention:

We will retain PHI about you contained in your medical record and billing records in accordance with legal requirements.

Compliance with Laws

If more than one law applies to this Notice, such as state laws that are more restrictive than HIPAA, we will follow the more restrictive law.

For More Information or to Report a Problem

If you have questions or would like additional information about RxGenomix’s privacy practices, you may contact our Privacy Officer at [email protected]. If you believe your privacy rights have been violated, you can file a complaint with the Privacy Officer or with the United States Secretary of Health and Human Services. There will be no retaliation for filing a complaint.