
Health Insurance Portability and Accountability Act (HIPAA) 

Privacy Policy

Last Updated on October 31, 2024

THIS HIPAA PRIVACY POLICY DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal program that requires that all individually identifiable health information used or disclosed by us in any form, whether electronically, on paper or orally, is kept properly confidential. This Act gives you, the patient, significant new rights to understand and control how your health information is used. HIPAA provides penalties for covered entities that misuse Protected Health Information. “Protected Health Information” or “PHI” is information about you, including demographic information, that may identify you and that relates to your past, present or future physical or mental health or condition and related health care services, such as your name, date of birth, dates of services, diagnosis, treatments, medications, demographic information (name, address, home/cellular/work telephone numbers, emails, and social security number), and photographs.

1. Purpose

The purpose of this HIPAA Privacy Policy is to ensure that Althea, PBC (“Althea”) has procedures in place to comply fully with HIPAA and is prepared to use and disclose PHI in a way that complies with federal and state privacy protection laws and regulations. This HIPAA Privacy Policy describes how we may use and disclose your PHI to carry out treatment, payment or health care operations and for other purposes that are permitted or required by law. It also describes your rights to access and control your PHI.

2. HIPAA Privacy Officer

Althea shall designate a member of its staff as the HIPAA Privacy Officer. The HIPAA Privacy Officer is the Althea employee in charge of all procedures covered within this HIPAA Privacy Policy. It is the policy of Althea that the HIPAA Privacy Officer along with other specific individuals within our workforce are assigned the responsibility of implementing and maintaining this HIPAA Privacy Policy and our related compliance programs. Furthermore, it is our policy that these individuals will be provided sufficient resources and authority to fulfill their responsibilities. It is our objective to remain current in our compliance program with HIPAA regulations.

3. Permitted Uses and Disclosures

Althea shall only use or disclose your PHI if:

  • The HIPAA Privacy Rule specifically permits or requires it.
  • You give us authorization in writing.
  • To providers you select and authorize through our Site or App. We also may use and disclose PHI to tell you about treatment options, alternatives, health-related benefits, or services that may be of interest to you.
  • If you consent in writing, to our research partners including University of Colorado, Naropa University Center for Psychedelic Studies, and Psychedelic Public Policy Partnership, in connection with our research activities.
  • For the following subset of health care operations activities of the recipient covered entity (45 CFR 164.501) without needing your consent or authorization (45 CFR 164.506(c)(4)):
      · Conducting quality assessment and improvement activities
      · Developing clinical guidelines
      · Conducting patient safety activities as defined in applicable regulations
      · Conducting population-based activities relating to improving health or reducing health care cost
      · Developing protocols
      · Conducting case management and care coordination (including care planning)
      · Contacting health care providers and patients with information about treatment alternatives
      · Reviewing qualifications of health care professionals
      · Evaluating performance of providers and/or health plans
      · Conducting training programs or credentialing activities
      · Supporting fraud and abuse detection and compliance programs.

SPECIAL CIRCUMSTANCES
In addition to the above, we may use and disclose PHI in the following special circumstances:

As Required by Law. We will disclose PHI when required to do so by international, federal, state or local law.

To Avert a Serious Threat to Health or Safety. We may use and disclose PHI when necessary to prevent or lessen a serious threat to your health or safety, or the health or safety of the public or another person. Any disclosure, however, will be to someone who we believe may be able to help prevent the threat.

Business Associates. We may disclose PHI to the business associates that we engage to provide services on our behalf if the information is needed for such services. For example, we may use another company to perform billing services on our behalf or to provide video conferencing services on our behalf. Our business associates are obligated, under contract with us, to protect the privacy of your information and are not allowed to use or disclose any information other than as specified in our contract with them.

Military and Veterans. If you are a member of the armed forces, we may release PHI as required by military command authorities. We also may release PHI to the appropriate foreign military authority if you are a member of a foreign military.

Workers’ Compensation. We may disclose PHI as authorized by and to the extent necessary to comply with laws relating to workers’ compensation or similar programs. These programs provide benefits for work-related injuries or illness.

Public Health Risks. We may disclose PHI for public health activities. These activities generally include disclosures to prevent or control disease, injury or disability; report births and deaths; report child abuse or neglect; report reactions to medications or problems with products; notify people of recalls of products they may be using; track certain products and monitor their use and effectiveness; if authorized by law, notify a person who may have been exposed to a disease or may be at risk for contracting or spreading a disease or condition; and conduct medical surveillance of our facilities in certain limited circumstances concerning workplace illness or injury. We also may release PHI to an appropriate government authority if we believe a patient has been the victim of abuse, neglect or domestic violence; however, we will only release this information if the patient agrees or when we are required or authorized by law.

Health Oversight Activities. We may disclose PHI to a health oversight agency for activities authorized by law. These oversight activities include, for example, audits, investigations, inspections, and licensure of our facilities and providers. These activities are necessary for the government to monitor the health care system, government programs, and compliance with civil rights laws.

Lawsuits and Disputes. If you are involved in a lawsuit or a dispute, we may disclose PHI in response to a court or administrative order. We also may disclose PHI in response to a subpoena, discovery request, or other lawful process by someone else involved in the dispute, but only if efforts have been made to tell you about the request or to obtain an order protecting the information requested.

Law Enforcement. We may release PHI if asked by a law enforcement official as follows: (1) in response to a court order, subpoena, warrant, summons or similar process; (2) limited information to identify or locate a suspect, fugitive, material witness, or missing person; (3) about the victim of a crime if, under certain limited circumstances, we are unable to obtain the person’s agreement; (4) about a death we believe may be the result of criminal conduct; (5) about evidence of criminal conduct on our premises; and (6) in emergency circumstances to report a crime, the location of the crime or victims, or the identity, description, or location of the person who committed the crime.

De-identified Information and Limited Data Sets. Althea may use and disclose health information that has been “de-identified” by removing certain identifiers making it unlikely that you could be identified. Althea also may disclose limited health information, contained in a “limited data set”. The limited data set does not contain any information that can directly identify you. For example, a limited data set may include your city, county and zip code, but not your name or street address.

4. Minimum Necessary Use and Disclosure of Protected Health Information

Althea shall ensure that for all routine and recurring uses and disclosures of PHI (except for uses or disclosures made (1) to or as authorized by the patient or (2) as required by law for HIPAA compliance) such uses and disclosures of PHI must be limited to the minimum amount of information needed to accomplish the purpose of the use or disclosure. Althea shall also ensure that non-routine uses and disclosures will be handled pursuant to established criteria. It is also Althea’s policy that all requests for PHI (except as specified above) must be limited to the minimum amount of information needed to accomplish the purpose of the request. Under HIPAA’s minimum necessary provisions, an organization must make reasonable efforts to limit PHI to the minimum necessary to accomplish the purpose of the use, disclosure or request (45 CFR 164.502(b)).

Althea employs additional safeguards for PHI that is subject to protection under other federal and state laws, for example, relating to mental health. As applicable, Althea will obtain your permission before disclosing the information to other health care providers who are not involved in your treatment program or care.

5. Your Rights

You have the following rights, subject to certain limitations, regarding PHI that we maintain about you:

Right to Inspect and Copy. You have the right to inspect and receive a copy of your PHI that may be used to make decisions about your care or payment for your care, including information kept in an electronic health record, and/or tell us where to send the information. Please note that there may be a charge for paper or electronic copies of your records.

Right to Amend. If you feel that PHI that we have is incorrect or incomplete, you may ask us to amend the information. You have the right to request an amendment for as long as the information is maintained by or for us. You must tell us the reason for your request.

We may deny your request for an amendment to your record. We may do this if your request is not in writing or does not include a reason to support the request. We also may deny your request if you ask us to amend information that:

  • we did not create;
  • is not part of the records used to make decisions about you;
  • is not part of the information which you are permitted to inspect and to receive a copy; or
  • is accurate and complete.

Right to an Accounting of Disclosures. You have the right to request an accounting of certain disclosures of PHI that we made.

Right to Request Restrictions. You have the right to request a restriction or limitation on the PHI that we use or disclose for treatment, payment, or health care operations. You have the right to request a limit on the PHI that we disclose about you to someone who is involved in your care or the payment for your care, like a family member or friend. For example, you could ask that we not share information about your surgery with your spouse. We are not required to agree to your request. If we agree to your request, we will comply with your request unless we need to use the information in certain emergency treatment situations.

In addition, you have the right to request that we restrict disclosure of your PHI to your health plan if the disclosure is for the purpose of carrying out payment or health care operations (and is not for the purpose of carrying out treatment) and the PHI pertains solely to a health care item or service for which you have paid in full. Althea is not required to comply with your request if you do not pay for the service in full.

Right to Request Confidential Communications. You have the right to request that we communicate with you about medical matters in a certain way or at a certain location. For example, you can ask that we contact you only by mail or at work. Your request must specify how or where you wish to be contacted. We will accommodate reasonable requests. By providing us with certain information, you expressly agree that Althea and its business associates can use certain information (such as your home/work/cellular telephone number and your email), to contact you about various matters, such as follow up appointments, collection of amounts owed and other operational matters. You agree you may be contacted through the information you have provided and by use of prerecorded/artificial voice messages and use of an automatic/predictive dialing system.

Right to a Paper Copy of This Notice. You have the right to a paper copy of this notice. You may ask us to give you a copy of this notice at any time. Even if you have agreed to receive this notice electronically, you are still entitled to a paper copy of this notice. You may obtain a copy of this notice at any time on our website at https://altheapbc.com/hipaa-privacy-policy/.

To exercise any of your rights, you may send a written request to us at the address set forth below.

6. Safeguards; Data Breach

Althea shall implement and maintain appropriate physical safeguards designed to reasonably safeguard PHI from any intentional or unintentional use or disclosure that is in violation of the HIPAA Privacy Rule. Althea will implement measures designed to ensure that the effects of any unauthorized use or disclosure of PHI be mitigated to the greatest extent possible.

In the event that a breach (as defined under applicable law) of your PHI in Althea’s custody or control has been confirmed to have occurred, Althea will notify you within 60 days following discovery and confirmation of the breach unless a delay in notification is requested by law enforcement or otherwise required by applicable law or legal process.

7. Training and Awareness

Althea will ensure that all members of its workforce are appropriately trained on the policies and procedures governing PHI and compliance with the HIPAA Privacy and Security Rules. New members of its workforce shall receive training on these matters within a reasonable time after they have joined the workforce. Should any policy or procedure related to the HIPAA Privacy and Security Rule materially change, Althea shall provide new training to update the workforce on those changes. This training will be provided within a reasonable time after the policy or procedure materially changes. Furthermore, all training provided to the workforce will be documented indicating participants, date and subject matter.

Our HIPAA Privacy Officer will develop, coordinate, and facilitate initial and ongoing training programs on privacy, and coordinate privacy training with security training requirements. Each member of our workforce, including management, will be trained on our policies and procedures at least once annually in a formal setting, and regularly in an informal setting and as needed. Our HIPAA Privacy Officer will determine who needs additional training, the type of training that is appropriate, and the frequency with which such training will occur. New employees will participate in training within thirty (30) days following their first date of service.

All workforce members will participate in retraining on privacy policies and procedures related to the HITECH Act and the Breach Notification Rule, and on any other regulations related to the safeguarding of PHI.

Upon completing training or retraining, each member of our workforce will sign an acknowledgement form that he or she participated in training and is aware of and understands our organization’s privacy policies and procedures.

When retraining is a result of a sanction for a violation of a privacy policy or procedure by a workforce member, a copy of the workforce member’s acknowledgement form will be maintained in the personnel file of the workforce member.

8. Complaints; No Retaliation

You may submit complaints either directly to Althea’s HIPAA privacy officer or to the Secretary of Health and Human Services if you believe your privacy rights have been violated by us. You will be able to submit complaints anonymously. You may file a complaint with us by notifying our privacy officer of your complaint at our office and main telephone number set forth below. We will not retaliate against you for filing a complaint or otherwise exercising your rights under HIPAA.

Althea, PBC

1941 Pearl Street, #200

Boulder, CO 80302

Attn: Privacy Officer

E-mail: info@altheapbc.com

9. Retention of Records

The HIPAA Privacy Rule records retention requirement of six years will apply to PHI maintained by Althea. All records designated by HIPAA in this retention requirement will be maintained in a manner that allows for access within a reasonable period of time. This records retention time requirement may be extended at Althea’s discretion to meet other governmental regulations or internal requirements.

10. Updates to this Privacy Policy

This HIPAA Privacy Policy may be updated periodically to reflect changes in our privacy practices and to remain in compliance with HIPAA regulations. It is your responsibility to review this HIPAA Privacy Policy from time to time to view any such changes. Your continued use of our Site or App following a change in this HIPAA Privacy Policy constitutes your consent to the revised policy.

11. Cooperation with Privacy Oversight Authorities

Althea will disclose PHI as required by the HIPAA Privacy Rule, and to HHS when it is undertaking a compliance investigation or review or enforcement action. Althea shall additionally ensure that all personnel cooperate fully with all privacy compliance reviews and investigations.