Notice of HIPAA Privacy Practices
Last Updated: Nov 21, 2024
THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED BY CARBON HEALTH, AND IF APPLICABLE, OUR INDEPENDENT MEDICAL PRACTITIONER PARTNERS (DEFINED BELOW) AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
Carbon Health Technologies and Carbon Health Medical (collectively “Carbon Health”) are both accountable for their compliance with HIPAA and both are required by law to maintain the privacy of your Protected Health Information.
Carbon Health Technologies, Inc. (“Carbon Health Technologies,” “we,” “our,” or “us”) is not a medical group, but is a Business Associate that has partnered with specific medical groups (“Independent Medical Practitioners”) to bring healthcare services nationwide, as well as online with our telehealth solution. Carbon Health Medical Group of Florida, P.A., Carbon Health Medical Group, Inc., Direct Urgent Care, Inc., Carbon Health Medical Group of New Jersey, P.A., Carbon Health Medical Group of Kansas, P.A. and Djavaherian Medical Practice, PLLC (collectively, “Carbon Health Medical”), are each an independent medical group with a network of United States based health care providers (each, a “Provider”).
Each of the Carbon Health entities, their related sites, locations, and care providers follow the terms of this Notice. Additionally, the entities, sites, locations and care providers may share medical information with each other for treatment, payment, or healthcare operations related to the Business Associate Agreements (“BAA”) they share.
Carbon Health medical visits at any of our clinics and Carbon Health telemedicine consults obtained through our Website or applications are provided by independent medical practitioners including, but not limited to, Carbon Health Medical. Independent providers, and your own medical provider if you do not use a Carbon Health Medical Provider, are responsible for providing you with a Notice of Privacy Practices describing their collection and use of your health information.
This Notice of HIPAA Privacy Practices is published on the Carbon Health website, in the Carbon Health applications, and is available at all Carbon Health clinics.
In compliance with the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) we are required to ask each of our patients to acknowledge receipt of our Notice of HIPAA Privacy Practices.
You acknowledge receipt of the Notice of HIPAA Privacy Practices when you select the “Sign Form” button after being presented these forms during the account creation/sign-up process in the Carbon Health patient mobile applications or Carbon Health Patient website, or by indicating or signing your acknowledgement in another written or digital format provided to you. You can receive a copy of the Notice of HIPAA Privacy Practices by asking for one at any Carbon Health clinic, or by visiting our website and printing the form from there.
Carbon Health’s Commitment and Responsibilities
The Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) defines strict rules and regulations identifying the controls companies must implement to protect patient privacy, and our responsibility to safeguard “Protected Health Information” (“PHI”). The information collected when you authenticate to accounts in Carbon Health applications and websites, or when you communicate with our staff about healthcare matters, whether electronically, orally, or by alternative offline methods, is all considered PHI. Protected Health Information includes any and all medical information you share with Carbon Health, including your medical history and any medical records from other providers or services you share with us, and also includes more general personal information that may identify you, such as your name, social security number, billing information, addresses, phone numbers, date of birth, and email address.
Your PHI is kept safe through our commitment to your privacy, and the processes, procedures, controls, and staff training we have in place to ensure our compliance with Federal and State laws and regulations.
In keeping with these commitments, we are proud to take responsibility for ensuring that:
- Our Notice of Privacy Practices is made available in plain language, ensuring we are transparent when informing you and all recipients of Carbon Health products and services of our responsibilities for protecting your PHI.
- We document all of our best practices, company policies, staff procedures, and ensure all staff receive annual training on each, such that all business and healthcare activities are performed with a clear understanding of what is required to keep your PHI safe and secure.
- We follow the practices and procedures defined in this Notice of Privacy Practices.
- We are transparent about how we will use your PHI.
- We are transparent about your rights to authorize disclosure of your PHI and your rights to revoke those authorizations at any time.
- We remain transparent in our communications with you, disclosing in a timely manner if any problems arise that affect you, including informing you directly if a breach occurs (if your PHI is ever mistakenly exposed).
Additionally, Carbon Health will always try to apply the strictest protections available on your behalf. We are committed to adhering not just to Federal and individual State regulations, but also to maximizing the protections applied to your PHI.
Uses and Disclosures of Protected Healthcare Information That Do Not Require Your Authorization
We think the title of this section seems much scarier than it is. Our own policies as well as Federal and State regulations have been designed to keep your Protected Health Information private to you. These policies and regulations, including HIPAA, have provisions to support healthcare data sharing that is performed as part of delivering healthcare services. Typically, this includes PHI used for treatment, billing and payment processing, and in healthcare operations. Some sharing is often necessary in order to deliver care, such as the sharing of PHI that occurs between doctors and a laboratory running tests, between a clinic doctor and your family doctor, between our clinic and a pharmacy, with your health insurance company, etc. HIPAA and the other regulations define exactly when and how data can be shared, and also how that sharing must be securely managed. Examples of use cases where we may use and disclose your PHI without first receiving your authorization include:
Treatment
Your Protected Health Information may be used or disclosed to:
- Doctors, registered nurses, x-ray technicians and other medical staff working for Carbon Health Medical or as Independent Medical Practitioners, who are involved in providing you with healthcare services when they need access to PHI to perform their jobs.
- Medical partners responsible for aspects of your medical care, including lab partners that may be performing tests on samples collected from you, a pharmacy to which a prescription is sent on your behalf, or a nurse that will follow up with you after a visit to ensure you are feeling better, if and when each may need access to PHI in order to provide you with care.
- Specialists and other healthcare providers responsible for treatment and services not available at the location or time of your visit, and to whom you may be referred, may need access to PHI in order to fulfill their role in your healthcare journey.
Payment
Your Protected Health Information may be used or disclosed:
- To validate your insurance eligibility and inform you of your expected out-of-pocket expenses.
- To accept payment or bill you directly for healthcare services we provide.
- To carry out our obligations and enforce our rights arising from contracts, including for billing and collection.
Healthcare Operations
Carbon Health strives for the continuous improvement of all aspects of how we deliver healthcare, and Protected Health Information is used in our healthcare operations to help us improve our services and products. PHI may be used or disclosed as follows:
- For the administration and support of our healthcare services.
- For conducting quality assessment and improvement activities, and population-based activities related to improving health or reducing costs.
- For case management and care coordination.
- For reviewing the competence or qualification of health care professionals.
- For training health care and non-health care professionals.
- Underwriting and other activities related to health benefits.
- Business management and development.
- To protect against abuses including fraud and waste.
More About Carbon Health’s Healthcare Operations
There are a number of reasons Carbon Health may use your PHI as part of providing our services to you. The most critical of these for us is ensuring we are continually conducting quality assessment and improvements of our websites, applications, and staff processes. As part of these efforts we use PHI as follows:
- To present the contents of our websites and applications to you.
- To provide our healthcare related products and services to you.
- To answer your requests for information, products, or services from Carbon Health, or when we believe it is in your best interest that we inform you of additions and changes to our applications, websites, products, and services.
- To process, fulfill, support, and administer transactions and orders for products and services you have requested.
- To provide you with notices about your Carbon Health Technologies account.
- To administer surveys and solicit feedback.
- To fulfill any purpose for which you have provided PHI on which we are being asked to act.
- For specific uses described at the time you provide the information.
- For any other purpose for which you have provided your authorization as described in “A Note About Your Authorization to Disclose Protected Health Information.”
Other Purposes
In addition to the reasons above, we are permitted or required by law to share your health information in other ways that contribute to the public good. We must meet many conditions under the law before we may share your information for these reasons.
- To protect the safety of an individual or the public when we think someone may be a victim of abuse, neglect, or domestic violence. For public health activities, or health oversight activities, that may be defined by Federal, State, or county authorities. Examples include efforts to prevent or control the spread of a disease (as when reporting Hepatitis A or Covid-19 infections, administered Covid-19 vaccinations), injury, or disability. It may also include vital events such as births, or deaths where disclosures of your PHI apply for family arrangements (your decedents), or “gift of life” purposes (organ, eye, or tissue donations).
- To avert a threat to individual or public health or safety where there is a good faith belief that disclosure to an appropriate authority will prevent or lessen a serious or imminent threat to the health of a person or the public.
- When we believe disclosure is necessary to identify or apprehend an individual that may have caused serious harm or is known to have escaped from lawful custody.
- For instances where disclosure is required by law, judicial and administrative proceedings, or for law enforcement purposes such as when compelled by a court order or in response to a subpoena, or a government or regulatory request.
- As required for specialized government functions, including a response to a public health investigation or public health surveillance activity; when helping to ensure the quality, safety, or effectiveness of an FDA-regulated product or activity, including prescription drugs, medical devices, and supplements; in compliance with regulatory and oversight agencies for activities including initial licensure, audits, reviews, examinations, inspections, and investigations.
- To parents and legal guardians overseeing the care of minors in accordance with applicable laws and regulations. This may include sharing where parental and legal guardian consent is required for the services rendered and will exclude sharing where parental and legal guardian consent is not required, unless explicit consent in accordance with applicable laws and regulations is received from the minor. We will share a minor’s PHI with a parent or guardian when required to do so by applicable law.
- As applies to work-related injuries or illness as with workers’ compensation or similar programs, established by law, that provide benefits for work-related injuries or illness without regard to fault.
- To more efficiently communicate with your other care providers, through our participation in Health Information Exchanges (HIE). For your protection we provide opt-in and opt-out rights to you for all HIE in which we participate, and we do so in accordance with the strictest interpretation of all applicable Federal and State laws.
A Note About Research
Carbon Health is dedicated to continually improving medical outcomes. One way that we do this is by contributing to medical research for the advancement of healthcare. We may use and disclose your PHI as permitted by applicable law for research under very specific requirements and protections. This type of use or disclosure is subject to your authorization and/or oversight by an Institutional Review Board (IRB), a committee charged with protecting the privacy rights and safety of human subject research.
Uses and Disclosures of Protected Healthcare Information That Require Your Authorization
Carbon Health is committed to your privacy, and this means that your personal data is protected as yours. Without your written or electronically signed authorization, your PHI will not be shared outside of the purposes and audiences listed in the preceding sections of this NPP. We commit that:
- Carbon Health will not sell your PHI.
- Carbon Health will not share your PHI with your employer, unless you grant authorization for such a disclosure.
- Carbon Health will not share your PHI with your school or educational institution, unless you provide an authorization for such a disclosure.
- Carbon Health will not use your PHI for marketing. We will, as described above, contact you about our own websites, applications, products, and services to improve our offerings to you, and we will allow you to opt-out of even these HIPAA permitted communications (that we believe are beneficial to you).
Additionally, Carbon Health abides by all applicable Federal and State laws regarding special protections. As stated above, we apply the most stringent of any one State’s laws to the protections of all States’ patients (save where they conflict with your individual State’s laws and regulations), and this includes the rules governing authorization requirements that must be met prior to sharing Protected Health Information related to:
- Mental health treatment - Carbon Health will not share a mental health provider’s psychotherapy notes save for when covered by the very specific use cases defined by HIPAA.
- Sexual assault
- Sexually transmitted diseases
- Drug and alcohol abuse
- Specific communicable diseases, including HIV/AIDS
A Note About Your Authorization to Disclose Protected Health Information
Outside of the permitted disclosures described elsewhere in this document, Federal and State laws and regulations, including HIPAA, have very clear rules defining the processes by which any authorization to disclose your PHI must be requested and received from you. In all cases where your authorization is required, if you have not granted your authorization in accordance with these rules, your information will not be disclosed. Additionally, if you have granted an authorization for a disclosure, it is important that you know you may revoke that authorization at any time. What this means for you is that unless you see an authorization form meeting the requirements detailed in this section, and unless you choose to sign that form (electronically or by other means), your PHI will not be shared for any reason outside those identified as permissible elsewhere in this policy. Any request made of you for your authorization to disclose your PHI must clearly, and in plain language, provide:
- A description of the information to be disclosed that identifies the information in a specific and meaningful fashion.
- A name or other specific identification of the person(s), or class of persons, authorized to make the requested disclosure.
- A name or other specific identification of the person(s), or class of persons, who will be the recipient of the requested disclosure.
- A description of each purpose for which the requested disclosure is being made. (If you are asking for the disclosure of your own data, you do not need to explain your reasons other than to make a statement such as: “At the request of the individual.”)
- An expiration date, or expiration event, that relates to the defined individual purpose for which the disclosure is being made. Additionally, if you choose to contribute to the advancement of healthcare by participating in a research study, acceptable expiration statements include: “At the end of the research study”, “none”, or similar language.
- A process for receiving your physical or electronic signature with a recorded signing date. If the authorization is signed by a personal representative, as with a Power of Attorney, Parent, or legal Guardian, a description of the representative’s authority to act for the individual is also required.
Additionally, the request for authorization to disclose PHI will specifically state:
- Your right to revoke the authorization, including a description of how you may revoke the authorization, as well as any exceptions to the right to revoke. (Other companies may include this in their Notice of Privacy Practices, but Carbon Health Technologies and Carbon Health Medical will include this information directly in each authorization form presented for your signature.)
- Our commitment that your authorization to disclose your Protected Health Information will never be required for you to receive healthcare services you acquire directly from us. This protection applies to healthcare services specific to you as an individual. This protection may not apply to services organized by a third party and including you, for example: participation in research studies or employer funded medical tests for “return to work” purposes may require your authorization as a prerequisite for disclosure of your PHI to the relevant third parties. Information you authorize to be disclosed pursuant to an authorization has the potential for re-disclosure by the recipient and may no longer be protected by HIPAA.
- Your right to receive a copy of any authorization you sign.
Your Rights Regarding Your Protected Health Information
Carbon Health will always uphold your rights over the Protected Health Information belonging to you that we may obtain. We will ensure we protect your rights:
- To access your PHI: We will protect your data, and we will also ensure that it is available to you.
- To request that we restrict any use and disclosure of your PHI. We will not always be able to honor these requests, and we are not obligated by law or regulation to apply disclosure restrictions related to our treatment, payment, or health care operations, save in specific use cases of payment disclosures to a health plan for services you have paid in full and where the disclosure is payment related. This said, where we have documented our ability to comply with your request, we will honor that commitment in all cases, save for exceptions defined under HIPAA including when we determine that a disclosure is required for emergency treatment; or when required by the Secretary of Health and Human Services.
- To receive confidential communications of your PHI. We will make this information available to you in your accounts accessible on our websites and applications, and you may also request alternative means of secure communication. We may ask that you submit such requests in writing, but we will generally agree to secure alternative communication methods that are deemed reasonable.
- To inspect and copy your PHI.
- To request an amendment to your medical record if you believe health information about you is incorrect or incomplete. We may say “no” to your request, but we will tell you why in writing within 60 days.
- To receive an accounting of disclosures. You can ask for a list (accounting) of the times we’ve shared your health information for six years prior to the date you ask, who we shared it with, and why. We will include all disclosures except for those about treatment, payment, healthcare operations, and certain other disclosures (such as those you asked us to make). We will provide one accounting a year for free but we will charge a reasonable, cost-based fee if you ask for another one within 12 months.
- To receive notice of any breach.
- To receive an electronic or paper copy of your PHI with some restrictions. This may potentially include charging a reasonable fee associated with the cost of printing and mailing physical copies.
You can review, copy, and update certain elements of your personal information by logging into our websites or applications and visiting either the Settings or Account sections. Additionally, we have provided detailed contact information (below) through which you may notify us of any changes or errors in the PHI we have about you. We will reply to all such contact to help you ensure that your PHI records are complete, accurate, and as current as possible.
NOTE: Your PHI is not subject to deletion. In order to ensure that healthcare records are available for patients and providers alike when needed, as well as for identifying trends in, or threats to, public health, State and Federal guidelines mandate record retention.
Changes to Our Notification of Privacy Practices
We will not weaken the privacy protections applied to your PHI as defined in this Notice of Privacy Practices without first notifying you. We do reserve the right to make changes to this document at any time. Those changes do not affect the privacy protections for which you have initially granted authorization until you have been made aware of revisions or updates to the NPP as outlined here. Changes will apply to all Protected Health Information we maintain. It is our policy to post any changes we make to our NPP on this page, with a notice that it has been updated on the website’s home page or the application’s home screen. If we want to make material changes to how we treat our patients’ PHI, we will notify you by email to the email address specified in your account or through a notice on the website’s home page or the application’s home screen. The date this HIPAA Notice of Privacy Practices was last revised is identified at the top of the page. You are responsible for ensuring we have an up-to-date, active, and deliverable email address for you, and for periodically accessing the application or visiting our website and reviewing this NPP to check for any changes.
Questions, Concerns, and Complaints
If you have any questions, concerns, complaints or suggestions regarding our Privacy Practices or otherwise need to contact us, you may contact us at the contact information below. In addition to being able to report complaints to us at any time, if you believe your privacy rights have been violated or have other concerns, you may also report complaints to the national Secretary of Health and Human Services, by sending a letter to 200 Independence Avenue, S.W., Washington, D.C. 20201, calling 1-877-696-6775, or visiting https://www.hhs.gov/ocr/privacy/hipaa/complaints/.
Any questions, concerns, or complaints you raise will never be allowed to negatively affect the quality of care you receive from us, and there will never be any retaliation against you for any such filings.
How to Contact Us
Carbon Health Technologies, Inc.
Attn: Privacy
2100 Franklin Street, Suite 355
Oakland, CA 94612
Telephone: 1-833-773-8341
Email: support@carbonhealth.com