Privacy Policy

Notice of Privacy Practices

THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.

Introduction.

This Privacy Policy describes how CareHalo collects and uses Personal Information about you through the use of our Website, mobile CareHalo, and through email, text, and other electronic communications between you and CareHalo. CareHalo Corporation (“CareHalo,” “we,” “our,” or “us”) respects your privacy, and we are committed to protecting it through our compliance with this policy. The Privacy Policy (our “Privacy Policy”) describes the types of information we may collect from you or that you may provide when you visit CareHalo.com or any of our affiliated websites where this Policy is posted (collectively, “Website”) and the CareHalo application (“Application”) and our practices for collecting, using, maintaining, protecting, and disclosing that information.

This policy applies to information we collect:

It does not apply to information collected by:

NOTE, CareHalo is not a medical group. Any telemedicine consults and remote patient monitoring obtained through our Website or Application are provided by independent medical practitioners.

1. Uses and Disclosures of Protected Health Information

Your protected health information may be used and disclosed by your physician, our office staff and others outside of our office who are involved in your care and treatment for the purpose of providing health care services to you. Your protected health information may also be used and disclosed to pay your health care bills and to support the operation of your physician's practice. Following are examples of the types of uses and disclosures of your protected health information that your physician's office is permitted to make. These examples are not meant to be exhaustive, but to describe the types of uses and disclosures that may be made by our office.

Treatment:

We will use and disclose your protected health information to provide, coordinate, or manage your health care and any related services. This includes the coordination or management of your health care with another provider. For example, we would disclose your protected health information, as necessary, to a home health agency that provides care to you. We will also disclose protected health information to other physicians who may be treating you. For example, your protected health information may be provided to a physician to whom you have been referred to ensure that the physician has the necessary information to diagnose or treat you. In addition, we may disclose your protected health information from time-to-time to another physician or health care provider (e.g., a specialist or laboratory) who, at the request of your physician, becomes involved in your care by providing assistance with your health care diagnosis or treatment to your physician.

Payment:

Your protected health information will be used and disclosed, as needed, to obtain payment for your health care services provided by us or by another provider. This may include certain activities that your health insurance plan may undertake before it approves or pays for the health care services we recommend for you such as: making a determination of eligibility or coverage for insurance benefits, reviewing services provided to you for medical necessity, and undertaking utilization review activities. For example, obtaining approval for a hospital stay may require that your relevant protected health information be disclosed to the health plan to obtain approval for the hospital admission.

Health Care Operations:

We may use or disclose, as needed, your protected health information in order to support the business activities of your physician's practice. These activities include, but are not limited to, quality assessment activities, employee review activities, training of medical students, licensing, fundraising activities, and conducting or arranging for other business activities. We will share your protected health information with third party “business associates” that perform various activities (for example, billing or transcription services) for our practice. Whenever an arrangement between our office and a business associate involves the use or disclosure of your protected health information, we will have a written contract that contains terms that will protect the privacy of your protected health information. We may use or disclose your protected health information, as necessary, to provide you with information about treatment alternatives or other health-related benefits and services that may be of interest to you. You may contact our Privacy Officer to request that these materials not be sent to you.

Other Permitted and Required Uses and Disclosures That May Be Made Without Your Authorization or Opportunity to Agree or Object.

We may use or disclose your protected health information in the following situations without your authorization or providing you the opportunity to agree or object. These situations include:

Required By Law:

We may use or disclose your protected health information to the extent that the use or disclosure is required by law. The use or disclosure will be made in compliance with the law and will be limited to the relevant requirements of the law. You will be notified, if required by law, of any such uses or disclosures.

Public Health:

We may disclose your protected health information for public health activities and purposes to a public health authority that is permitted by law to collect or receive the information. For example, a disclosure may be made for the purpose of preventing or controlling disease, injury or disability.

Communicable Diseases:

We may disclose your protected health information, if authorized by law, to a person who may have been exposed to a communicable disease or may otherwise be at risk of contracting or spreading the disease or condition.

Health Oversight:

We may disclose protected health information to a health oversight agency for activities authorized by law, such as audits, investigations, and inspections. Oversight agencies seeking this information include government agencies that oversee the health care system, government benefit programs, other government regulatory programs and civil rights laws.

Abuse or Neglect:

We may disclose your protected health information to a public health authority that is authorized by law to receive reports of child abuse or neglect. In addition, we may disclose your protected health information if we believe that you have been a victim of abuse, neglect or domestic violence to the governmental entity or agency authorized to receive such information. In this case, the disclosure will be made consistent with the requirements of applicable federal and state laws.

Food and Drug Administration:

We may disclose your protected health information to a person or company required by the Food and Drug Administration for the purpose of quality, safety, or effectiveness of FDA-regulated products or activities including, to report adverse events, product defects or problems, biologic product deviations, to track products; to enable product recalls; to make repairs or replacements, or to conduct post marketing surveillance, as required.

Legal Proceedings:

We may disclose protected health information in the course of any judicial or administrative proceeding, in response to an order of a court or administrative tribunal (to the extent such disclosure is expressly authorized), or in certain conditions in response to a subpoena, discovery request or other lawful process.

Law Enforcement:

We may also disclose protected health information, so long as applicable legal requirements are met, for law enforcement purposes. These law enforcement purposes include (1) legal processes and otherwise required by law, (2) limited information requests for identification and location purposes, (3) pertaining to victims of a crime, (4) suspicion that death has occurred as a result of criminal conduct, (5) in the event that a crime occurs on the premises of our practice, and (6) medical emergency (not on our practice's premises) and it is likely that a crime has occurred.

2. Your Rights

Following is a statement of your rights with respect to your protected health information and a brief description of how you may exercise these rights.

You have the right to inspect and copy your protected health information. This means you may inspect and obtain a copy of protected health information about you for so long as we maintain the protected health information. You may obtain your medical record that contains medical and billing records and any other records that your physician and the practice uses for making decisions about you. As permitted by federal or state law, we may charge you a reasonable copy fee for a copy of your records. Under federal law, however, you may not inspect or copy the following records: psychotherapy notes; information compiled in reasonable anticipation of, or use in, a civil, criminal, or administrative action or proceeding; and laboratory results that are subject to law that prohibits access to protected health information. Depending on the circumstances, a decision to deny access may be reviewable. In some circumstances, you may have a right to have this decision reviewed. Please contact our Privacy Officer if you have questions about access to your medical record.

You have the right to request a restriction of your protected health information. This means you may ask us not to use or disclose any part of your protected health information for the purposes of treatment, payment or health care operations. You may also request that any part of your protected health information not be disclosed to family members or friends who may be involved in your care or for notification purposes as described in this Notice of Privacy Practices. Your request must state the specific restriction requested and to whom you want the restriction to apply. Your physician is not required to agree to a restriction that you may request. If your physician does agree to the requested restriction, we may not use or disclose your protected health information in violation of that restriction unless it is needed to provide emergency treatment. With this in mind, please discuss any restriction you wish to request with your physician.

You have the right to request to receive confidential communications from us by alternative means or at an alternative location. We will accommodate reasonable requests. We may also condition this accommodation by asking you for information as to how payment will be handled or specification of an alternative address or other method of contact. We will not request an explanation from you as to the basis for the request. Please make this request in writing to our Privacy Officer.

You may have the right to have your physician amend your protected health information. This means you may request an amendment of protected health information about you in a designated record set for so long as we maintain this information. In certain cases, we may deny your request for an amendment. If we deny your request for amendment, you have the right to file a statement of disagreement with us and we may prepare a rebuttal to your statement and will provide you with a copy of any such rebuttal. Please contact our Privacy Officer if you have questions about amending your medical record.

You have the right to receive an accounting of certain disclosures we have made, if any, of your protected health information. This right applies to disclosures for purposes other than treatment, payment or health care operations as described in this Notice of Privacy Practices. It excludes disclosures we may have made to you if you authorized us to make the disclosure, for a facility directory, to family members or friends involved in your care, or for notification purposes, for national security or intelligence, to law enforcement (as provided in the privacy rule) or correctional facilities, as part of a limited data set disclosure. You have the right to receive specific information regarding these disclosures that occur after January 1, 2020. The right to receive this information is subject to certain exceptions, restrictions and limitations.

You have the right to obtain a paper copy of this notice from us, upon request, even if you have agreed to accept this notice electronically.

3. Data Retention and Deletion of Information

CareHalo retains personal information and protected health information (“PHI”) only for as long as necessary to fulfill the purposes outlined in this Notice of Privacy Practices, including to provide services, comply with legal, regulatory, contractual, and operational obligations, and resolve disputes.

Retention Periods

Protected Health Information (PHI) is retained in accordance with applicable federal and state laws, including HIPAA requirements, which may require retention for a minimum of six (6) years from the date of creation or last effective date, whichever is later, unless a longer retention period is required by law or contract. Non-health personal information is retained only as long as necessary for business, operational, or legal purposes.

Deletion and Disposal

When information is no longer required, CareHalo will securely delete, destroy, or de-identify such information in accordance with applicable laws and industry standards. Electronic data will be deleted using commercially reasonable methods designed to prevent recovery or reconstruction. Physical records (if any) will be destroyed using secure disposal methods.

Deletion Methods

CareHalo employs different deletion methods depending on the type of data and applicable legal requirements. For PHI and data subject to regulatory retention requirements, CareHalo uses soft deletion, which means your account is marked as “deleted” or “inactive” in our systems, your data is no longer accessible through the myCareHalo app, you cannot log in or access your account, healthcare providers retain access as required for continuity of care and legal compliance, and the data remains in our secure databases for the legally required retention period. After the retention period expires, the data is permanently deleted through hard deletion. For non-essential data not subject to retention requirements, CareHalo performs hard deletion, which means data is permanently removed from production databases. Electronic data is deleted using commercially reasonable methods designed to prevent recovery or reconstruction, and physical records (if any) are destroyed using secure disposal methods.

User-Initiated Requests

You must contact your healthcare provider or state health agency to request deletion of your health data. They are the data controllers and have the authority to authorize deletion. Your healthcare provider or case manager will verify your identity and eligibility for deletion, evaluate whether deletion is permitted under program rules and applicable laws, determine what data can be deleted and what must be retained, and submit an authorized deletion request to CareHalo on your behalf. Once your provider authorizes deletion, they will contact CareHalo to process the request. CareHalo cannot process deletion requests directly from patients without provider authorization. Upon receipt of an authorized deletion request from your healthcare provider or state health agency, CareHalo will take action in stages. Within forty-eight (48) hours, we will deactivate your app access, disable your login credentials, stop all app notifications, and mark your account as “deleted” in our systems. Within seven (7) days, we will soft delete PHI (marked as deleted but retained per legal requirements), hard delete non-essential data such as device tokens, app preferences, and marketing data, and remove your data from active user interfaces. Within ninety (90) days, we will purge non-PHI data from backup systems. After the retention period, which is typically six (6) years from last program activity, we will permanently delete all PHI and account data and securely destroy all associated records.

Alternative: App Access Deactivation Only

If you wish to stop using the myCareHalo app but remain enrolled in your health program, you may contact your healthcare provider or case manager. They can request app access deactivation without deleting your health records. This will disable your login to the myCareHalo app, stop app notifications, maintain your health records for provider access, and keep you enrolled in your health program. You can request reactivation at any time through your provider.

What You Control Directly

You can manage certain aspects of your data without provider authorization. You can control app permissions through your device settings, including location access, camera access, notifications, and other device features by going to Settings, then Apps, then myCareHalo, then Permissions on your device. You can also contact hello@carehalo.com to opt out of non-essential app notifications, marketing communications (if any), and usage analytics collection.

De-Identified Data

CareHalo may retain and use de-identified or aggregated data (which cannot reasonably identify you) for research, analytics, program improvement, and public health reporting. Such data is not subject to deletion requirements.

Backups and Residual Copies

Residual copies of your information may remain in secure backup systems for a limited period of time. These copies are protected, access-restricted, and automatically overwritten or securely deleted in accordance with CareHalo’s data retention schedules.

Effect of Account Deletion

Once your provider authorizes account deletion, you will lose access to all health records through the myCareHalo app, the ability to view care coordination information via the app, and historical assessment data and trends in the app. It is important to note that your healthcare provider retains your medical records, your provider can still access your health information as needed for care, you can request copies of your records from your provider, and account deletion does not remove you from your health program. To disenroll from your health program, you must contact your provider separately.

4. Complaints

You may complain to us or to the Secretary of Health and Human Services if you believe your privacy rights have been violated by us. You may file a complaint with us by notifying our Privacy Officer of your complaint. We will not retaliate against you for filing a complaint. You may contact your doctor if you have any other questions about privacy practices.