Privacy Practices

Effective: August 4, 2020

Telemedicine HIPAA Notice of Privacy Practices

THIS NOTICE DESCRIBES HOW YOUR MEDICAL INFORMATION MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.

This Telemedicine HIPAA Notice of Privacy Practices (the “Notice”) is being provided to you, by Blueberry Medical PA, Blueberry Medical, PC, or Lyndsey Garbi M.D., PC (each, individually “Medical Group”), as that entity or its subsidiaries and affiliated entities may be formed and incorporated in your state, and the employees and practitioners that work at such entity and/or for such practices (collectively referred to herein as “We” or “Our”). It contains important information regarding your medical information. You also have the right to receive a paper copy of this Notice and may ask us to give you a copy of this Notice at any time. If you received this Notice electronically, you are still entitled to a paper copy of this Notice upon your request. You can request a paper copy of our current Notice from the Privacy Officer at (754) 702-7256, or you can access it on Blueberry Pediatrics’ website at https://www.blueberrypediatrics.com/privacy-practices/.

The Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) imposes numerous requirements on health care practices such as ours, defined as Covered Entities, regarding how certain individually identifiable health information – known as protected health information (“PHI”) – may be used and disclosed. We understand that medical information about you and your health is personal. We are committed to protecting medical information about you and will use it to the minimum necessary to accomplish the intended purpose of the use, disclosure or request of it. As required by law, this notice provides you with information about your rights and our legal duties and privacy practices with respect to the privacy of PHI. This notice also discusses the uses and disclosures we will make of your PHI. We must comply with the provisions of this notice as currently in effect, although we reserve the right to change the terms of this notice from time to time and to make the revised notice effective for all PHI we maintain.

PERMITTED USES AND DISCLOSURES

We can use or disclose your PHI for purposes of treatment, payment, and health care operations. For each of these categories of uses and disclosures, we have provided a description and examples below. However, not every particular use or disclosure in every category will necessarily be listed.

• “Treatment” means the provision, coordination, or management of your health care, including consultations between health care providers, including hospital, and other long-term care providers, relating to your care and referrals for health care from one health care provider to another. For example, an attending physician at the skilled nursing facility where you reside treating you for diabetes may need to know if you have a psychiatric disorder or are taking psychotropic medications because such disorders or medications may have disease-disease or drug-disease interactions with diabetes. In addition, the practitioner may need to contact another provider for purposes of treating a psychiatric disorder or condition when our providers are not available to provide your care

• “Payment” means the activities we undertake to obtain reimbursement for the health care provided to you, including billing, claims management, determinations of eligibility and coverage, collections, case management, and other utilization review activities. For example, we may need to provide PHI to your insurance carrier or a party financially responsible for your care in order to determine whether the proposed course of treatment will be covered, to determine appropriate reimbursement, or to obtain payment. Federal or state law may require us to obtain a written release from you prior to disclosing certain specially protected PHI for payment purposes, and we will ask you to sign a release when necessary under applicable law.

• “Health Care Operations” means the support functions for our practice and providers, related to referral, facilitating the telemedicine connection and visit, care coordination, compliance reviews, compliance programs, treatment and payment, quality assurance activities, receiving and responding to patient comments and complaints, provider training, audits, business planning, development, management, legal, and administrative activities. For example, we may use your PHI to evaluate the performance of our provider staff when caring for you. We may also combine PHI about many patients to make clinical qualitative review decisions or decide what additional services we should offer, what services are not needed, and whether certain treatments are effective. We may also disclose PHI for review and educational purposes. In addition, we may remove, or de- identify, information that identifies you so that others can use the de-identified information to study health care, conduct research, collect population health data, and determine methods for improved health care delivery without learning who you are.

OTHER USES AND DISCLOSURES OF PROTECTED HEALTH INFORMATION

We may also use your PHI in the following ways:

• To provide appointment reminders and schedule your availability with staff or affiliates for your treatment.
• To tell you about or recommend possible treatment alternatives or other health-related benefits and services that may be of interest to you.
• To your family, personal representative, power of attorney, guardian, or any other individual identified by you to the extent directly related to such person’s involvement in your care or the payment for your care. We may use or disclose your PHI to notify, or assist in the notification of, a family member, a personal representative, or another person responsible for your care, of your general condition or death. If you are available, we will give you an opportunity to object to these disclosures, and we will not make these disclosures if you object. If you are not available, incapacitated or unable to make informed consent decisions about your health care we will determine whether a disclosure to your family or personal representative is permitted or required by law, in your best interests, taking into account the circumstances, and act based upon our professional judgment.
• When permitted by law, we may coordinate our uses and disclosures of PHI with public or private entities authorized by law or by charter to assist in disaster relief efforts.
• We will allow your family and friends to act on your behalf to pick-up filled prescriptions and similar forms of PHI, when we determine, in our professional judgment, that it is in your best interest to make such disclosures.
• We may use or disclose your PHI for research purposes, subject to the requirements of applicable law. For example, a research project may involve comparisons of the health and recovery of all patients who received a particular medication. All research projects are subject to a special approval process which balances research needs with a patient’s need for privacy. When required, we will obtain a written authorization from you prior to using your PHI for research.
• In certain cases, we will provide your information to contractors, agents and other parties who need the information in order to perform a service for us (“Business Associates”), including, without limitation, obtaining payment for health care services, technology services providers, or carrying out other business operations. In those situations, PHI will be provided to those contractors, agents and other parties as is needed to perform their contracted tasks. Business Associates are required to enter into an agreement maintaining the privacy of the protected health information released to them under certain terms and conditions required of them by state and federal law.
• We may share your information with an insurance company, law firm or risk management organization in order to maintain professional advice about how to manage risk and legal liability, including insurance or legal claims. However, in these situations, we require third parties to provide us with assurances that they will safeguard your information under terms and conditions required by applicable state and federal law.
• We will use or disclose PHI about you when required to do so by applicable law, only to the extent necessary to meet such a requirement.
• In accordance with applicable law, we may disclose your PHI to your employer if we are retained to conduct an evaluation of whether you have a work-related illness or injury. You will be notified of these disclosures by your employer or the provider as required by applicable law.
• Incidental uses and disclosures of PHI sometimes occur and are not considered to be a violation of your rights. Incidental uses and disclosures are by-products of otherwise permitted uses or disclosures which are limited in nature and cannot be reasonably prevented.

SPECIAL SITUATIONS

Subject to the requirements of applicable law, we will make the following uses and disclosures of your PHI:

• Involuntary patients: Information regarding patients who are being treated involuntarily, pursuant to law, will be shared with other treatment providers, legal entities, third party payors and others, as necessary to provide the care and management coordination needed in compliance with state and federal law.
• Emergencies: In life threatening emergencies, we will disclose information necessary to avoid serious harm or death.
• Organ and Tissue Donation. If you are an organ donor, we may release PHI to organizations that handle organ procurement or transplantation as necessary to facilitate organ or tissue donation and transplantation.
• Public Health Activities. We may disclose PHI about you for public health activities, including disclosures:
• to prevent or control disease, injury or disability;
• to report births and deaths;
• to report child abuse or neglect;
• to persons subject to the jurisdiction of the Food and Drug Administration (FDA) for activities related to the quality, safety, or effectiveness of FDA-regulated products or services and to report reactions to medications or problems with products;
• to notify a person who may have been exposed to a disease or may be at risk for contracting or spreading a disease or condition;
• to notify the appropriate government authority if we believe that an adult patient has been the victim of abuse, neglect or domestic violence. We will only make this disclosure if the patient agrees or when required or authorized by law.
• Health Oversight Activities: We may disclose PHI to federal or state agencies that oversee our activities (e.g., providing health care, seeking payment, integrity agreements, audits, and civil rights).
• Lawsuits and Disputes: If you are involved in a lawsuit or a dispute, or a guardianship proceeding, we may disclose PHI subject to certain limitations and only to the extent permissible by law.
• Law Enforcement: We may release PHI if asked to do so by a law enforcement official:
• In response to a court order, warrant, summons or similar process;
• To identify or locate a suspect, fugitive, material witness, or missing person;
• About the victim of a crime under certain limited circumstances;
• About a death we believe may be the result of criminal conduct;
• About criminal conduct on our premises; or
• In emergency circumstances, to report a crime, the location of the crime or the victims, or the identity, description or location of the person who committed the crime.
• Coroners, Medical Examiners and Funeral Directors: We may release PHI to a coroner or medical examiner. We may also release PHI about patients to funeral directors as necessary to carry out their duties.

CONFIDENTIALITY OF PATIENT RECORDS

Federal law and regulations do not protect any information about suspected child or elder abuse or neglect from being reported under applicable state law to appropriate state or local authorities.

OTHER USES OF YOUR HEALTH INFORMATION

Certain uses and disclosures of PHI will be made only with your written authorization;

• Use that constitute a sale of PHI under the Privacy Rule. Other uses and disclosures of PHI not covered by this notice or the laws that apply to us will be made only with your written authorization. You have the right to revoke that authorization at any time, provided that the revocation is in writing, except to the extent that we already have taken action in reliance on your authorization.

YOUR RIGHTS

You have the right to request restrictions on our uses and disclosures of PHI for treatment, payment and health care operations. However, we are not required to agree to your request unless the disclosure is to a health plan in order to receive payment, the PHI pertains solely to your health care items or services for which you have paid the bill in full, and the disclosure is not otherwise required by law. To request a restriction, you may make your request in writing to the Privacy Officer.

You have the right to reasonably request to receive confidential communications of your PHI by alternative means or at alternative locations, including electronically. To make such a request, you may submit your request in writing to the Privacy Officer.

You have the right to inspect and copy the PHI contained in our provider records, except for:

• psychotherapy notes, (i.e., notes that have been recorded by a mental health professional documenting counseling sessions and have been separated from the rest of your medical record);
• information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding;
• PHI involving laboratory tests when your access is restricted by law;
• if we obtained or created PHI as part of a research study, your access to the PHI may be restricted for as long as the research is in progress, provided that you agreed to the temporary denial of access when consenting to participate in the research;
• PHI contained in records kept by a federal agency or contractor when your access is restricted by law; and
• PHI obtained from someone other than us under a promise of confidentiality when the access requested would be reasonably likely to reveal the source of the information.

In order to inspect or obtain a copy of your PHI, you may submit your request in writing to the Privacy Officer. If you request a copy, we may charge you a fee for the costs of copying and mailing your records, as well as other costs associated with your request.

We may also deny a request for access to PHI under certain circumstances if there is a potential for harm to yourself or others. If we deny a request for access for this purpose, you have the right to have our denial reviewed in accordance with the requirements of applicable law.

You have the right to request an amendment to your PHI but we may deny your request for amendment, if we determine that the PHI or record that is the subject of the request:

• was not created by us, unless you provide a reasonable basis to believe that the originator of PHI is no longer available to act on the requested amendment;
• is not part of your medical or billing records or other records used to make decisions about you;
• is not available for inspection as set forth above; or
• is accurate and complete.

In any event, any agreed upon amendment will be included as an addition to, and not a replacement of, already existing records. In order to request an amendment to your PHI, you must submit your request in writing to the Privacy Officer, along with a description of the reason for your request.

You have the right to receive an accounting of disclosures of PHI made by us to individuals or entities other than to you for the six (6) years prior to your request, except for disclosures:

• to carry out treatment, payment and health care operations as provided above;
• incidental to a use or disclosure otherwise permitted or required by applicable law;
• pursuant to your written authorization;
• to persons involved in your care or for other notification purposes as provided by law;
• for national security or intelligence purposes as provided by law;
• to correctional institutions or law enforcement officials as provided by law;
• as part of a limited data set as provided by law.

To request an accounting of disclosures of your PHI, you must submit your request in writing to the Privacy Officer. Your request must state a specific time period for the accounting (e.g., the past year). The first accounting you request within a twelve (12) month period will be free. For additional accountings within twelve (12) months of the first request, we may charge you for the costs of providing the list. We will notify you of the costs involved, and you may choose to withdraw or modify your request at that time before any costs are incurred.

You have the right to receive a notification, in the event that there is a breach of your unsecured PHI, which requires notification under the Privacy Rule.

NOTICE REGARDING USE OF TECHNOLOGY

We may use electronic software, services, and equipment, including without limitation email, video conferencing technology, cloud storage and servers, internet communication, cellular network, voicemail, facsimile, electronic health record, and related technology (“Technology”) to share PHI with you or third-parties subject to the rights and restrictions contained herein. In any event, certain unencrypted storage, forwarding, communications and transfers may not be confidential. We will take measures to safeguard the data transmitted, as well as ensure its

integrity against intentional or unintentional breach or corruption. However, in very rare circumstances security protocols could fail, causing a breach of privacy or PHI.

CHANGES TO THIS NOTICE

We reserve the right to change this Notice at any time, for any reason permissible by law. We reserve the right to make the revised or changed Notice effective for PHI and medical information we already have about you as well as any information we receive in the future. We will post a copy of the current Notice at https://www.blueberrypediatrics.com/privacy-practices/. and provide copies to the facilities we provide care at.

COMPLAINTS

If you believe that your privacy rights have been violated, you should immediately contact the Privacy Officer at (754) 702-7256. We will not take action against you for filing a complaint. You also may file a complaint with the Secretary of the U. S. Department of Health and Human Services by sending a letter to: 200 Independence Avenue, S.W, Washington, D.C., 20201. Or calling: 1-877-696-6775, or visiting: www.hhs.gov/ocr/privacy/hipaa/complaints/. We will not retaliate against you for filing a complaint.

CONTACT PERSON

If you have any questions or would like further information about this Notice, please contact the Privacy Officer at (754) 702-7256.

This notice is effective as of August 4, 2020

‍