Updated February 24, 2022
EVEXIA DIAGNOSTICS USER PRIVACY AND HIPAA POLICY
“HIPAA” means Health Insurance Portability and Accountability Act of 1996, the Health Information Technology for Economic and Clinical Health Act and their implementing regulations as amended from time to time. “Protected Health Information” is individually identifiable health information that is protected by HIPAA and that we receive on behalf of practitioners subject to HIPAA. “Covered Entity” refers to a health care provider or other entity subject to HIPAA.
EDI May Change or Amend this Policy
What Information does EDI Collect?
Information You Provide to Us:
We collect information you provide to us through the Site and offline, for example when you create or modify your account, register to use our Site, purchase products or services from us, request information from us, contact customer support, fill out any form on the Site, or otherwise communicate with us. If you are a patient, this information may include:
• Email address
• Telephone number
• Payment information (credit card or debit card number, expiration date and credit card security code – solely for payment purposes)
• Date of birth
• Username and password
• Any other information requested or provided through a contact form, email, text or other message with the Site.
If you are a practitioner or other user, in addition to the information we collect for a patient, this information may also include:
• Zip code
• Desired medical testing
• Title / Role
• Referring colleague
• Shipping address
• Associated company name
• Other professional information
Please note if you are a practitioner and sign up to use our Services, we will handle your patients’ lab work. We will use and disclose patients’ Protected Health Information in accordance with the BA Terms with your Covered Entity.
Information Collected Automatically:
Whenever you interact with our Services, we automatically receive and record information on our server logs from your browser or device, which may include your IP address, geolocation data, device identification, “cookie” information, the type of browser and/or device you’re using to access our Services, and the page or feature you requested. “Cookies” are identifiers we, or an included third-party service embedded within the Site, transfer to your browser or device that allow us or the third-party service to recognize your browser or device and tell us or the third-party service how and when pages and features in our Services are visited and by how many people. The third-party service providers may aggregate that information across their sites and other sites that have the same services installed. You may be able to change the preferences on your browser or device to prevent or limit your device’s acceptance of cookies, but this may prevent you from taking advantage of some of our features.
The information we collect automatically may include personal information, or we may maintain it or associate it with personal information we collect in other ways or receive from third parties. It helps us to improve the Site and to deliver a better and more personalized service, including by enabling us to:
• Estimate our audience size and usage patterns.
• Store information about your preferences, allowing us to customize our Site according to your individual interests.
• Speed up your searches.
• Recognize you when you return to our Site.
We may use this data to customize content for you that we think you might like, based on your usage patterns. We may also use it to improve the Services – for example, this data can tell us how often users use a particular feature of the Services, and we can use that knowledge to make the Services more helpful to as many users as possible.
No Information from Individuals Under the Age of 18
If you are under the age of 18, please do not attempt to register with us at this Site or provide any personal information about yourself to us. If we learn that we have collected personal information from someone under 18, we will promptly delete that information. If you believe we have collected personal information from someone under the age of 18, please email us at email@example.com.
How EDI Shares or Uses the Personal Information it Receives
To Provide Products, Services, and Information.
We collect information from you and use the information to:
• present our Services, Site and its contents to you;
• provide you with information, products, or services that you request from us;
• fulfill any other purpose for which you provide it;
• communicate with lab companies to order and track lab work ordered for you or your patients;
• register and service your online account;
• provide information that you request from us;
• contact you about your lab statuses and lab orders;
• process credit card and debit card transactions;
• get products shipped to you from lab companies;
• send you promotional materials or advertisements about our products and services, as well as new features and offerings;
• enforce our Terms or other legal rights and remedies;
• provide interest-based targeted advertising to you;
• notify you about changes to our Site or any products or Services we offer or provide through it; and
• any other purposes disclosed to you at the time we collect your information or pursuant to your consent.
Sharing between Patients and Healthcare Practitioners. We share patients’ personal information with the ordering healthcare provider and their relevant medical staff in connection with placing lab orders and receiving lab results.
Vendors and Service Providers. We may provide information to third-party vendors and service providers that help us operate and manage our Site, process orders, and fulfill and deliver products and Services that you purchase through us. These vendors and service providers will have access to your personal information in order to provide these services, but when this occurs we implement reasonable contractual and technical protections to limit their use of that information to helping us provide the service.
Legal Proceedings. We will share personal information with third party companies, organizations or individuals outside of EDI if we have a good-faith belief that access, use, preservation or disclosure of the information is reasonably necessary to:
• meet any applicable law, regulation, subpoena, legal process or enforceable governmental request;
• enforce applicable Terms, including investigation of potential violations;
• detect, prevent, or otherwise address fraud, security or technical issues; or
• protect against harm to the rights, property or safety of EDI, our users, customers or the public as required or permitted by law.
Patient Access to Information
You can access and update certain information we have relating to your online account by signing into your account and going to the Account section of our Site. If you have questions about personal information we have about you or need to update your information, you can contact us at firstname.lastname@example.org or by phone at (888) 852-2723.
Your California Privacy Rights
California residents are entitled to the privacy rights listed below.
The right to know. You have the right to request that we disclose what personal information we collect, use, disclose, and sell. Specifically, you have the right to know:
• The categories of personal information we have collected about you in the last 12 months;
• The specific pieces of personal information we have about you;
• The categories of sources from which your personal information was collected;
• The categories of your personal information that we sold or disclosed for a business purpose in the last 12 months, if any;
• The categories of third parties to whom your personal information was sold or disclosed for a business purpose in the last 12 months, if any; and
• The purpose for collecting, sharing, and selling your personal information.
Within the preceding 12 months, EDI collected the categories of personal information detailed in the “Information You Provide to Us” and the “Information Collected Automatically” sections above. The sources from and purposes for which EDI collects personal information are also described in those sections and in the section “How EDI Shares or Uses the Personal Information it Receives.” EDI has not sold or disclosed your personal information to a third party for a business purpose in the past 12 months and, except as set forth in the sections above, EDI does not further disclose your personal information for business purposes to third parties who are not service providers, nor does EDI sell your personal information.
The right to deletion. You have the right to request that we delete the personal information that we have collected or maintain about you. Under certain circumstances, we have the right to deny your request, such as if needed to comply with our legal obligations. If we deny your request for deletion, we will inform you of the reason.
The right to opt out of sale. You have the right to request that we do not sell your personal information. EDI does not sell your personal information.
The right to equal service. EDI will not discriminate against you in any way if you exercise any of your California privacy rights. Please be aware that exercising your rights may result in you being unable to use or access certain features of our Site.
To exercise your right to know and right to deletion, contact us using the email address provided in the “Questions and How to Contact Us” section below. You may exercise your right to know and your right to deletion twice a year free of charge. You may also contact us with questions or concerns concerning our privacy policies and practices using the information in the “Questions and How to Contact Us” section.
We will take steps to verify your identity before processing your request to know or request for deletion. We will not fulfill your request unless you have provided sufficient information for us to reasonably verify you are the individual about whom we collected personal information. We may request limited personal information from you in order to verify your identity, such as your name, email address, and physical address. We will only use the personal information provided in the verification process to verify your identity or authority to make a request and to track and document request responses, unless you initially provided the information for another purpose.
You may use an authorized agent to submit a request to know or a request to delete. When we verify your agent’s request, we may require the agent to provide proof that you gave the agent signed permission to submit the request. We may also ask you to verify your identity or to directly confirm with us that you provided the agent permission to submit the request.
California Civil Code Section 1798.83 (also known as the “Shine the Light” law) permits individual California residents to request certain information regarding our disclosure of certain categories of personal information to third parties for those third parties’ direct marketing purposes. To make such a request, please contact us using the information in the “Questions and How to Contact Us” section below. This request may be made no more than once per calendar year, and we reserve our right not to respond to requests submitted other than to the email or mailing addresses specified below. Note that we do not currently share personal information with third parties for those third parties’ direct marketing purposes.
Consent to Processing of Personal Data in the U.S.
HIPAA SPECIFIC PROVISIONS
A. Obligations and Activities of EDI
1. Not use or disclose PHI other than as permitted or required by the Agreement or as Required by Law;
2. Use appropriate safeguards to prevent use or disclosure of the PHI other than as provided for by this Agreement;
3. Report to Client any use or disclosure of the PHI not provided for by this Agreement of which it becomes aware;
4. Ensure that any agent, including a subcontractor, to whom it provides PHI received from, or created or received by EDI on behalf of Client agrees to the same restrictions and conditions that apply through this Agreement to EDI with respect to such information;
5. Provide access, at the request of Client, in a timely manner, to PHI in a Designated Record Set, to Client or, as directed by Client, to an Individual in order to meet the requirements under 45 CFR § 164.524;
6. Make internal practices, including policies and procedures, relating to the use and disclosure of PHI received from, or created or received by, EDI on behalf of Client available to the Client within five (5) business days by fax or mail for purposes of the U.S. Department of Health & Human Services Secretary determining Client’s compliance with the Privacy Regulations;
7. Document such disclosures of PHI and information related to such disclosures as would be required for Client to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 CFR § 164.528.
B. Permitted Uses and Disclosures by EDI
General Use and Disclosure Provisions
1. May use or disclose PHI as required by law;
2. May not use or disclose PHI in a manner that would violate Subpart E of 45 CFR Part 164 if done by Client, except with regard to the data aggregation, management, administration and legal responsibilities of EDI;
3. May use PHI for EDI’s proper management and administration or to carry out the legal responsibilities of EDI;
4. May use PHI with any laboratories and internal licensed physicians contracted by EDI;
5. May use PHI to report violations of law to appropriate Federal and State authorities, consistent with § 164.502(j)(1).
C. Provisions for Client to Inform EDI of Privacy Practices and Restrictions
1. Client shall notify EDI of any limitation(s) in the notice of privacy practices of Client in accordance with 45 CFR § 164.520, to the extent that such limitation may affect EDI’s use or disclosure of PHI;
2. Client shall notify EDI of any changes in, or revocation of, permission by an Individual to use or disclose PHI, to the extent that such changes may affect EDI’s use or disclosure of PHI;
3. Client shall notify EDI of any restriction to the use or disclosure of PHI that Client has agreed to in accordance with 45 CFR § 164.522, to the extent that such restriction may affect EDI’s use or disclosure of PHI.
D. Obligations of EDI Upon Termination
Upon the termination of the business relationship between Client and EDI, EDI will:
1. Retain only that PHI which is necessary for EDI to continue its proper management and administration or to carry out its legal responsibilities;
2. Destroy the remaining PHI that EDI still maintains in any form;
3. Continue to use appropriate safeguards and comply with Subpart C of 45 CFR Part 164 with respect to electronic PHI to prevent use or disclosure of the PHI, other than as provided for in this Section, for as long as EDI retains the PHI;
4. Not use or disclose the PHI retained by EDI other than for the purposes for which such PHI was retained and subject to the same conditions set out above which applied prior to termination;
5. Destroy the PHI retained by EDI when it is no longer needed by EDI for its proper management and administration or to carry out its legal responsibilities.
1. Regulatory References. A reference to a section in the Privacy Regulations means the section as in effect or as amended.
2. Amendment. The Parties agree to take such action as is necessary to amend these provisions from time to time as is necessary to comply with the requirements of the Privacy Regulations and the Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191, with respect to Client’s dealings with EDI.
3. Interpretation. Any ambiguity in these provisions shall be resolved to permit Client to comply with the Privacy Regulations with respect to its dealings with EDI.
Questions and How To Contact Us