Notice of Privacy Practices
THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
Prometheus provides clinical laboratory testing services and markets pharmaceutical products. In providing testing services, Prometheus receives, creates and discloses personal health information. In fulfilling regulatory requirements related to the pharmaceutical products, Prometheus may receive and disclose personal health information. This information is private and confidential. There are policies and procedures in place to protect the information against unlawful use and disclosure. This Notice describes information we collect, how we use that information, and when and to whom we may disclose it.
II. Protected Health Information and Our Obligations
Prometheus is required by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and other laws to maintain the privacy of protected health information, to provide notice of its legal duties and privacy practices and to notify affected individuals in the event of a breach of their unsecured protected health information. Protected health information, or "PHI" (also called "personal health information"), is current, past or future information created or received by Prometheus from physicians, patients, health plans or other sources. It is personal or medical information that relates to the physical condition of a patient, the provision of health care to that person, or payment for the provision of health care to that person. The term PHI does not generally include publicly available information, or information available or reported in a summarized or grouped manner.
This Notice describes how we may use or disclose your protected health information to carry out treatment, payment or health care operations and for other purposes that are permitted or required by HIPAA. This Notice also describes your rights of access to and control of your PHI. When we use or disclose PHI, we are required to abide by the terms of this Notice (or other notice in effect at the time of the use or disclosure).
III. Information Collected and Created by Prometheus
Prometheus collects the information that is minimally necessary to provide testing services and to obtain payment for these services. This may include your name, address, telephone number, social security number, date of birth, medical history, diagnosis, treatment, provider identification and treatment information, financial responsibility and payment information.
Prometheus creates, through its testing services, information to be used by a physician in the diagnosis of disease or condition or in the treatment of a disease or condition.
IV. Protection of PHI
Access to PHI is restricted to only those employees of Prometheus who need it in order to provide services to clients and patients. We maintain physical, technical and procedural safeguards to protect PHI against unauthorized use and disclosure. We have a Privacy Officer who is responsible for developing, educating Prometheus personnel about, and overseeing the implementation and enforcement of policies and procedures designed to safeguard PHI against inappropriate use and disclosure consistent with the applicable law.
V. Uses and Disclosures of PHI For Which Your Authorization is Not Required
In the course of providing laboratory services, Prometheus uses PHI internally and discloses it to health care providers (doctors requesting services, laboratory personnel involved in ordering services and other caregivers), insurers, third party administrators, plan sponsors and other payors (employers, health care provider organizations and others who may be responsible for paying for or administering your health benefits); vendors, consultants, government authorities; and their respective agents. They are required by law to keep PHI confidential. Some examples of what we do with the information we collect and the reasons it might be disclosed to third parties are described below.
Treatment, Payment and Healthcare Operations. We may use or disclose PHI with or without your authorization as follows:
Treatment. Prometheus is permitted to use and disclose your PHI for your treatment and to coordinate your care with others involved in your care. For example, we use and disclose PHI in order to fulfill requests by physicians to perform laboratory testing services.
Payment. Prometheus uses and discloses PHI, as necessary, to obtain reimbursement for testing services from third parties such as insurance companies or health plans. Examples of these payment activities include: billing, collections activities, determination of eligibility and obtaining authorization for testing services.
Health Care Operations. Prometheus uses and discloses PHI for our health care operations. For example, health care operations include quality assessment and improvement activities (including outcomes evaluation and development of clinical guidance where generalized knowledge is not the primary purpose of the studies resulting from such activities); activities designed to improve health or reduce health care costs; conducting or arranging for medical review, protocol development; contacting of health care providers and patients with information about treatment alternatives; conducting or arranging for legal services, and auditing functions; and internal administration and planning.
Treatment Alternatives. We may use and disclose medical information to tell you about possible treatment options or alternatives that may be of interest to you.
Health-related Products or Services. We may use and disclose medical information to tell you about our health-related products or services that may be of interest to you.
Other Activities Permitted or Required by Law:
We may use or disclose PHI for other important activities permitted or required by law, with or without your authorization. These activities include the following:
Required by Law. We may use or disclose PHI to the extent such use or disclosure is required by federal, state or local law and it complies with and is limited to the requirements of that law. The Secretary of the U.S. Department of Health and Human Services may, upon request, obtain access to PHI in our possession to review compliance with HIPAA.
Law Enforcement and Judicial and Administrative Proceedings. We use and disclose PHI for certain law enforcement purposes and in response to official subpoenas, court orders, discovery requests and other legal process.
Public Health Activities. We are permitted to use and disclose PHI for certain public health activities. Prometheus is subject to the jurisdiction of the Food and Drug Administration (FDA) for some of its products and uses and discloses PHI for purposes of activities related to the quality, safety or effectiveness of such FDA-regulated products.
Health Oversight Activities. We use and disclose PHI in connection with health oversight activities authorized by law (e.g., government audits of our compliance with certain laws and regulations; oversight of government-funded health benefits programs and civil rights laws).
Research. We use and disclose PHI in connection with research performed by Prometheus and by researchers outside Prometheus. This research generally is subject to the oversight of an Institutional Review Board. In most cases, while PHI may be used to help prepare a research project or to contact you to ask whether you want to participate in a study, it will not be further disclosed for research without your authorization. Sometimes, however, where permitted under federal law and institutional policy, and approved by an Institutional Review Board or a privacy board, PHI may be used or disclosed. In addition, PHI may be used or disclosed to compile "limited or de-identified data sets" that do not include your name, address, social security number or other direct identifiers. These data sets may, in turn, be used for research purposes.
Family and Friends. Under certain circumstances, we may disclose PHI to family members, other relatives, or close personal friends or others that you identify to the extent it is directly relevant to their involvement with your care or payment related to your care.
Business Associates. Prometheus may disclose PHI to business associates, which are third parties who contract with Prometheus to provide certain services for us such as quality and compliance reviews and audits. As provided in HIPAA, we require business associates to sign contracts stating they will appropriately safeguard your PHI and comply with other HIPAA obligations.
Military and Veterans. If you are a member of the armed forces, we may release medical information about you as required by military command authorities if and to the extent permitted by law. We may also release medical information about foreign military personnel to the appropriate foreign military authority.
VI. Uses and Disclosures That Require Your Authorization
We may not make the following uses or disclosures without your authorization:
Psychotherapy Notes. Covered entities must obtain authorization for any use or disclosure of psychotherapy notes except to carry out certain treatment, payment or health care operations.
Marketing. We must obtain your authorization for uses or disclosures of your PHI for marketing except if the communication is in the form of a face-to-face communication to you or we provide a promotional gift of nominal value.
Sale of PHI. We must obtain an authorization for any disclosure of PHI which involves a sale of your PHI under HIPAA.
Except as otherwise described in this Notice, we will not use or disclose your PHI without your written authorization. You have the right to revoke your authorization in writing at any time except to the extent that Prometheus has taken action in reliance on your authorization.
VII. Requesting Other Disclosures
It is possible to request that we disclose PHI to people in ways not described above. To authorize us to disclose your personal health information to a person or organization or for reasons other than those described in the section above, see the contact information at the bottom of this page. If you make a special authorization and later change your mind about this, you may send a letter to us to let us know that you would like to revoke the special authorization. In any communication with us, please provide your name, address, patient identification number or Social Security number, and a telephone number where we can reach you in case we need to contact you about your request.
VIII. Your Rights with Respect to PHI
Restrictions on Uses and Disclosures. You have a right to ask us in writing to restrict use or disclosure of your PHI related to your treatment, related to your payment or related to routine health care operations. In addition, you may request PHI disclosure restrictions to family members, other relatives or close friends involved in your care. We are not required to agree to such a restriction, except we must agree to restrict disclosure of PHI to a health plan if the disclosure is related to payment or health care operations and not otherwise required by law and the PHI relates solely to a health care item or service for which you or a person on your behalf (other than the health plan) has paid us in full. If we do agree to any restriction, we will honor our agreement except in case of emergency treatment. Any restriction we agree to is not effective to prevent uses or disclosures of PHI required by the Secretary of the Department of Health and Human Services to investigate or determine our compliance with federal privacy regulations adopted under HIPAA or for certain activities permitted or required by law (see Section V above).
Alternative Communications. You may request, in writing, to receive confidential communications containing your PHI from us in ways or at locations that are outside our usual process. We will make every effort to accommodate reasonable requests.
Access. You have a right to review and obtain a copy of existing PHI contained in medical and billing records about you, including copies of completed clinical laboratory test reports. You must make your request in writing and this right is limited to existing records that are maintained, collected, used or disseminated by Prometheus. Your right to access information also does not apply to information we compile in reasonable anticipation of, or for use in, civil, criminal or administrative actions or proceedings; or to such other information that may be prohibited to be disclosed by law. We may charge a fee for any copies you request.
Amendments to PHI. You have a right to request that we amend the records described above for as long as we maintain them. You must make the request in writing and give us a reason for the amendment. We may deny your request if: (i) we determine that we did not create the record, unless the originator of the PHI is no longer available to act on the requested amendment; or (ii) we believe that the existing records are accurate and complete. Note that an amendment may take several forms; for example, we may add an explanatory statement to a record rather than changing it.
Accounting. You have a right to receive an accounting of disclosures made by Prometheus to any third party in the six years prior to the date on which the accounting is requested. This right does not apply to certain disclosures, including, but not limited to, disclosures made for the purposes of treatment, payment or health care operations; disclosures made to you or to others involved in your care; disclosures made with your authorization; disclosures made for national security or intelligence purposes or to correctional institutions or law enforcement purposes; or disclosures made prior to April 14, 2003. You must make any request for an accounting in writing and we may charge a fee to fill more than one request in any given year.
IX. Distribution and Updates of This Notice
This Notice is published on the Prometheus web site at www.prometheuslabs.com\PrivacyNotice and is made available in printed form upon request.
X. Effective Date and Duration of This Notice
We may change the terms of this notice at any time. If we change this notice, we may make the new notice terms effective for all PHI that we maintain, including any information created or received prior to issuing the new notice. If we change this notice, we will post the new notice on our Internet site at www.prometheuslabs.com.
XI. Communication with Prometheus
As a convenience, Prometheus may make available email addresses by which you can communicate with us regarding billing issues. Please be advised that email is not a secure means of communication; therefore, Prometheus cannot guarantee the security of any information that you send to us prior to our receipt of it. This fact may also restrict our use of email in communicating any response to you - we will make every attempt to use alternate means of communicating anything that may be considered sensitive information.
XII. California Online Privacy Protection Act Notice
Prometheus takes privacy and security very seriously. With regard to "Do Not Track Signals" (DNT), Prometheus currently does not respond to DNT signals in browsers because we do not track individual users across the web.
Prometheus does not authorize the collection of PHI or other personally identifiable information from our website users for third party use through advertising technologies without separate user consent.
XIII. Copy of Notice, Questions or Complaints
If you would like a paper copy of this notice, have questions about it, or believe its terms or any Prometheus privacy or confidentiality policy has been violated with respect to information about you, please let us know immediately by contacting us toll-free at 1-888-423-5227 and requesting the Compliance/Privacy Office. Please include your name, address, and a telephone number where we can contact you, and a brief description of the complaint. If you prefer, you may lodge an anonymous complaint.
Prometheus Laboratories Inc.
9410 Carroll Park Drive
San Diego, CA 92121
Or call our Ethics Hotline at 1-888-PRO-RXDX (776-7939)
You also may contact the Secretary of the Department of Health and Human Services at:
The U.S. Department of Health and Human Services
200 Independence Avenue, S.W.
Washington, D.C. 20201
Toll Free: 1-877-696-6775
Please provide as much information as possible so that the complaint can be properly investigated. Prometheus will not retaliate against a person who files a complaint with us or with the Secretary of the Department of Health and Human Services.