1. What information is collected from you through the web site, how it is used and with whom it may be shared.
2. What choices are available to you regarding the use of your data.
3. The security procedures in place to protect against the misuse of your information.
4. How you can correct any inaccuracies in the information.
Personally Identifiable Information
We may collect personal identification information from you in a variety of ways, including, but not limited to, when you visit our site, register on the site, subscribe to our newsletter, fill out a form, and in connection with other activities, services, features or resources we make available on our site. You may be asked for, as appropriate, name, email address, mailing address, and/or phone number. You may, however, visit our site anonymously. We will collect personal identification information from you only if you voluntarily submit such information to us. You can always refuse to supply personal identification information, except that it may prevent you from engaging in certain site related activities.
Non-personally Identifiable Information
We may collect non-personal identification information about you whenever you interact with our site. Non-personal identification information may include the browser name, your activity on our website, the type of computer and technical information about your means of connection to our site, such as the operating system and the Internet service providers utilized and other similar information.
Information Use and Sharing
Iora Health is the sole owner of the information collected on this site. We will not sell or rent this information to anyone.
We will use your information to respond to you regarding the reason you contacted us. We will not share your information with any third party outside of our organization, other than as necessary to fulfill your request.
Your Access to and Control Over Information
You may opt out of any future contacts from us at any time. You can do the following at any time by contacting us via the email address or phone number given on our website:
- See what data we have about you, if any.
- Change/correct any data we have about you.
- Have us delete any data we have about you.
- Express any concern you have about our use of your data.
Please note that to opt out of ads on Facebook or Google that are targeted to your interests, you need to use your Facebook or Google Ads settings.
We take precautions to protect your information. When you submit sensitive information via the website, your information is protected both online and offline. Wherever we collect sensitive information (such as your phone number), that information is encrypted and transmitted to us in a secure way. You can verify this by looking for a closed lock icon at the bottom of your web browser, or looking for “https” at the beginning of the address of the web page.
While we use encryption to protect sensitive information transmitted online, we also protect your information offline. Only employees who need the information to perform a specific job (for example, billing or customer service) are granted access to personally identifiable information. The computers/servers in which we store personally identifiable information are kept in a secure environment.
Links to Other Websites
Our website may contain links to other websites of interest. However, once you have used these links to leave our site, you should note that we do not have any control over that other website. Therefore, we cannot be responsible for the protection and privacy of any information which you provide whilst visiting such sites and this privacy statement does not govern such sites. You should exercise caution and look at the privacy statement applicable to the website in question.
A cookie is a small file which asks permission to be placed on your computer’s hard drive. Once you agree, the file is added and the cookie helps analyze web traffic or lets us know when you visit a particular site. Cookies allow web applications to respond to you as an individual. The web application can tailor its operations to your needs, likes and dislikes by gathering and remembering information about your preferences.
We use traffic log cookies to identify which pages are being used. This helps us analyze data about web page traffic and improve our website in order to tailor it to customer needs. We may combine this information with other information we collect about you and use it for various purposes, such as improving our websites and your online experience, understanding which areas and features of our sites are popular, counting visits, understanding campaign effectiveness, tailoring our communications with you, delivering advertising and content targeted to your interests on our websites and other websites and better understanding your online activity, determining whether an email has been opened and links within the email have been clicked, and for other internal business purposes.
Overall, cookies help us provide you with a better website, by enabling us to monitor which pages you find useful and which you do not. A cookie in no way gives us access to your computer or any identifiable information about you, other than the data you choose to share with us.
Enabling these cookies is not strictly necessary for the website to work but it will provide you with a better browsing experience. You can delete or block these cookies, but if you do so, some features of this site might not work as intended. Although most browsers and devices accept cookies by default, their settings usually allow you to clear or decline cookies. To prevent your data from being used by Google Analytics, you can install Google’s opt-out browser add-on.
Your Acceptance of These Terms
By using this site, you signify your acceptance of this policy. If you do not agree to this policy, please do not use our site. Your continued use of the site following the posting of changes to this policy will be deemed your acceptance of those changes.
Notice of Privacy Practices for Iora Health Patients
THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION MAY BE USED AND DISCLOSED, AND HOW YOU CAN ACCESS THIS INFORMATION. PLEASE REVIEW THIS CAREFULLY.
In providing care to you, the staff at Iora Health and the members of its affiliated covered entity (“Iora” or “we”) will record your medical information in our electronic medical record. An affiliated covered entity is a group of organizations under common ownership or control who designate themselves as a single affiliated covered entity for purposes of compliance with the Health Insurance Portability and Accountability Act (“HIPAA”).
Information that identifies you or your health information is called Protected Health Information, or PHI. We are required by law to maintain the confidentiality of your PHI. We are also required to provide you with this Notice of Privacy Practices. This Notice gives you information about Iora’s legal duties, responsibilities, and privacy practices involving your PHI. When Iora uses or discloses PHI, we must and will abide by the terms of this Notice (or the Notice in effect at the time of any use or disclosure of your PHI). The members of the Iora affiliated covered entity (“Iora ACE”) will share PHI with each other for the treatment, payment and health care operations of the Iora ACE and as permitted by HIPAA and this Notice. For a complete list of the members of the Iora ACE, please contact the Privacy Officer.
HOW IORA MAY USE OR DISCLOSE PHI
Some reasons Iora may use your PHI are listed below (though not every reason for a use or disclosure is identified). Some uses and disclosures will require your consent, while other reasons may not.
Iora may use or disclose your PHI, with your consent, as follows:
- Research. For research purposes.
- Sale of PHI or for our Marketing Purposes. This does not include face-to-face communication about products or services that may be of benefit to you, or about prescriptions you have already been prescribed.
- Highly Confidential Information. In some instances, we may need additional, very specific, written authorization to disclose certain types of specially-protected information such as psychotherapy notes, HIV status, substance abuse treatment, mental health records, venereal disease information, research involving controlled substances, abortion consent forms, family planning services, and genetic testing information (“Highly Confidential Information”).
- Emancipated Minors. Certain information relating to your diagnosis or treatment may be Highly Confidential Information and will not be disclosed to a parent or guardian without your consent. Your consent is not required, however, if a physician reasonably believes your condition to be so serious that your life or limb is endangered. Under such circumstances, we may notify your parents or legal guardian of the condition, and will inform you of a notification. If you are a parent or legal guardian of an emancipated minor, certain portions of the emancipated minor’s medical record (or, in certain instances, the entire medical record) may not be accessible to you.
Iora may use or disclose PHI without your consent under the following circumstances:
- Treatment. Iora uses your PHI to provide treatment and other services to you to diagnose and treat your injury or illness. As part of that treatment, Iora may need to disclose PHI to other health care providers involved in your care, such as specialists, pharmacies, and labs.
- Payment. Iora may disclose your PHI to your insurance company in order to confirm your eligibility to receive care at Iora, and for Iora to collect payment for its services provided to you. Iora may also disclose your PHI to other health care providers so that they may seek payment for services they provided to you.
- Operations. We may need to use and disclose your PHI as necessary to support our day-to-day management or for internal administration and planning or quality improvement. We may also disclose PHI to other healthcare providers or payers that are involved in your care for their healthcare operations.
- Business Associates. We may share your PHI with third party business associates that perform various activities (e.g., billing, testing, or consulting) for Iora. Whenever an arrangement between a business associate and Iora involves the use or disclosure of your PHI, we will have a written agreement that will protect the privacy of your PHI.
- Individuals Involved in Your Care. We may release your PHI to a friend or family member who is involved in your medical care. We may also give information to someone who helps pay for your care. We may share your PHI with these persons if you are present or available before we share your PHI with them and you do not object to our sharing your PHI with them, or we reasonably believe that you would not object to this. If you are not present and certain circumstances indicate to us that it would be in your best interests to do so, we will share information with a friend or family member or someone else identified by you, to the extent necessary. This could include sharing information with your family or friend so that they could pick up a prescription or a medical supply.
- Death. Iora may need to release PHI to a medical examiner or coroner.
- Organ/Tissue Donation. If you are an organ donor, Iora may release PHI to organizations that facilitate organ or tissue donation, banking and transplantation.
- Serious Threats to Health or Safety. Iora may use PHI to assist with efforts to prevent serious threats to the health and safety of you or others.
- Military. Iora may share your PHI if you are, or were, a member of the U.S. or foreign military, if required by the appropriate authorities.
- National Security. We may need to share PHI with officials for national security activities.
- Correctional Institutions or Law Enforcement. If you are an inmate or in custody of law enforcement, we may need to disclose PHI:
  - to the institution in order to provide healthcare to you,
  - for the safety and security of the institution, and/or
  - to protect your health and safety or the health and safety of others.
- Training. Your PHI may be used or disclosed for the purpose of allowing students, residents, nurses, physicians and other healthcare professionals who are interested in healthcare, pursuing careers in the medical field or desire an opportunity for an educational experience to tour, shadow employees and/or providers or engage in a clinical practicum.
- Required by Law. Iora must disclose PHI as required by federal, state or local law, for:
  - Public Health Reporting. Iora is required to provide information to public health authorities to:
    - Report abuse or neglect of children, the elderly or the disabled, including instances of rape or sexual assault;
    - State agencies in order to prevent or control disease, injury or disability;
    - Notify a person of a potential exposure to a communicable disease;
    - Notify a person of a potential risk of spreading or contracting a disease or condition;
    - Report adverse reactions to drugs or problems with products or devices.
  - Workplace Injury or Illness. For work-related illness or injury or as required for workplace medical surveillance, we must report to the insurer and/or the state industrial accident board and/or parties involved in workers’ compensation matters.
  - Lawsuits and Similar Proceedings. In the event you are involved in a lawsuit or similar proceeding, Iora may need to use and share your PHI in response to a court order, or if a lawful request has been made by another party involved in the dispute with you, but only after we have made efforts to inform you of the request or obtain an order protecting your PHI from disclosure.
  - Law Enforcement. PHI may be disclosed to police or other law enforcement officials as required or permitted by law, or to comply with a subpoena accompanied by a court order.
HOW IORA MAY USE OR DISCLOSE PHI
- Communications. You may request that Iora communicate with you about your health and related issues in a particular manner (e.g., to contact you at home rather than work). You do not need to give a reason for your request.
- Restrictions. You have the right to request that we not share your PHI for treatment, payment, or healthcare operations, or that we share your PHI with only certain individuals. We will abide by your request, unless a disclosure is required by law or is necessary to treat you. To request a restriction, we will need to know: the information you wish to restrict; whether or how you want to restrict Iora’s use, disclosure or both; and to whom.
- Inspection, Copies, and Amendments. You have the right to see your PHI and have it copied. Requests for copies must be made in writing. If available, you may obtain an electronic copy of your health record, and/or may direct us to transmit a copy to a person you designate. If Iora created the information, you have a right to request that we amend the information if you believe it is inaccurate or incomplete. We cannot change medical information created by someone else, or if the change would make your medical record inaccurate or incomplete.
- Revoking your Authorization. With a written request to us, you may revoke or revise prior authorizations for future use/disclosure of your PHI.
- Obtain a Paper Copy of This Notice at Any Time. Email us at [email protected].
- Accounting and Access Reports. You have a right to receive a list of how, and to whom, PHI was disclosed. This is called an “accounting of disclosures.” This would not include disclosures of your PHI made for your treatment, payment, or health care operations. If we use or maintain your PHI in an electronic designated record set, you have a right to receive a report indicating where we (or our Business Associates) have disclosed, and/or who has accessed, your PHI (including access for the purposes of treatment, payment, and health care operations) during a period of time up to three years prior to the date of your request. Requests for an accounting of disclosures and/or requests for access reports must be made in writing to Iora.
- Notice of a Breach. You have a right to receive notice of any unauthorized access of PHI.
- Right to File a Complaint. If you believe your privacy rights have been violated, you may file a complaint with our Privacy Officer or with the Secretary of the Department of Health and Human Services (“HHS”). All complaints must be submitted in writing. You will not be penalized for filing a complaint. To file a complaint with HHS, contact:
Office for Civil Rights
US Department of Health and Human Services
200 Independence Avenue SW
Room 509F HHH Bldg
Washington DC 20201
INFORMATION BREACH NOTIFICATION
Iora is required to provide patient notification if it discovers a breach of unsecured PHI unless there is a demonstration, based on a risk assessment, that there is a low probability that the PHI has been compromised. You will be notified without unreasonable delay and no later than 60 days after discovery of the breach. Such notification will include information about what happened and what can be done to mitigate any harm.
REVISIONS TO THIS NOTICE
Iora may change its privacy policies, including this Notice, and make new policies and practices, including revised Notice provisions, effective for all PHI that we maintain. A copy of the current Notice will be posted in our office and on our website.
For questions about this Notice, contact Iora’s Privacy Officer:
1 Lincoln Street, 24th Floor
Boston, MA 02111
Effective Date: This Notice is effective as of August 26th, 2020.