This policy explains how Upheal use, disclose and protect your Protected Health Information (PHI) as a HIPAA Business Associate in accordance with Health Insurance Portability and Accountability Act (HIPAA) as amended, including, without limitation, amendments by the Health Information Technology for Economic and Clinical Health (HITECH) Act (collectively, “HIPAA/HITECH”) (“Policy”).
Upheal receive your PHI from your HIPAA Covered Entity, with whom you have a relationship for health care services, to perform certain functions or services on behalf of the Covered Entity.
- “Business Associate” means an entity that performs functions or activities on behalf of a Covered Entity when those services involve access to, or the use or disclosure of, Protected Health Information. For the purpose of this Policy, Upheal is the Business Associate.
- “Business Associate Agreement” (“BAA”) means a formal written contract between a Business Associate and a Covered Entity that requires the Business Associate to comply with specific requirements related to PHI.
- “Covered Entity” means a health plan, healthcare provider, or healthcare clearinghouse. For the purpose of this Policy, a therapist who signs up to Upheal’s Platform, as defined in Upheal’s Terms of Service for Healing professionals, Group practices and organizations, are a Covered Entity.
- “Protected Health Information” (“PHI”) is identifiable health information about you (such as your name, social security number, or address) that relates to (a) your past, present, or future physical or mental health or condition, (b) the provision of health care to you, or (c) your past, present, or future payment for the provision of health care.
Uses and Disclosures of PHI
- Upheal will use or disclose PHI on behalf of, or to provide services to, Covered Entities for purposes of performing our obligations under our services agreements to Covered Entities, provided that such use or disclosure is permitted or required by the applicable Business Associate Agreement and would not violate HIPAA, including its Privacy Rule or Security Rule as applicable to Business Associates.
- Upheal may use PHI only to the extent such use of PHI is permitted or required by Upheal’s policies including, but not limited to, the applicable Business Associate Agreement and would not violate HIPAA, including its Privacy Rule or Security Rule as applicable to Business Associates. Upheal may use de-identified data (i.e. data that does not identify an individual) for the improvement of Upheal service but only with your express written consent or authorization which you may revoke at any time.
- Upheal may disclose PHI for law enforcement purposes as required by law or in response to a valid subpoena.
- Upheal may disclose PHI to downstream subcontractors or agents that provide supporting services to us; however, Upheal will require such subcontractors and agents to comply with the same terms and conditions that apply to us under the applicable Business Associate Agreement, and in any case in accordance with the main BAA with your Covered Entity, including the implementation and maintenance of required safeguards.
- Other uses and disclosures not described in this Policy will be made only with your express written consent or authorization.
If you are a US resident in the United States, the following is a statement of your rights with respect to your PHI.
- Right to Access: You have the right to access and obtain a copy of your PHI that Upheal maintain, with certain limited exceptions.
- Right to Request Restrictions: You have the right to request restrictions on our processing of your PHI, with certain limited exceptions.
- Right to Request Confidential Communications: You have the right to request that the communication with you about your PHI is done in a certain way or at a certain location.
- Right to Request Amendment: You have the right to request the amendment of your PHI if you believe it is incorrect or incomplete, with certain limited exceptions.
- Right to an Accounting of Disclosures: You have the right to request an accounting of certain disclosures Upheal have made of your PHI.
- Right to File a Complaint: You have the right to file a complaint with us or with the Secretary of Health and Human Services if you believe Upheal have violated your privacy rights.
Upheal will make available to Covered Entities information necessary for the Covered Entity to give individuals the ability to exercise their rights in accordance with HIPAA/HITECH regulations.
Upon request, Upheal will make our internal practices, books, and records, including policies and procedures relating to the use and disclosure of PHI received from, or created or received by the Business Associate on behalf of a Covered Entity, available to the Covered Entity or the Secretary of the US Department of Health and Human Services for the purpose of determining compliance with the terms of the BAA and HIPAA/HITECH regulations.
As a Business Associate, Upheal have a number of legal responsibilities. They include the responsibility to enter into a written BAA with Covered Entities that requires us to maintain the privacy of PHI, limit our use or disclosure of PHI to those purposes authorized by the Covered Entities, and assist Covered Entities in responding to your requests concerning your PHI; the responsibility to amend PHI relating to you when requested by a Covered Entity; the responsibility to make certain disclosures available to a Covered Entity in order for the Covered Entity to fulfill its obligation to you to provide accountings of certain disclosures to you; the responsibility to enter into a BAA with each of our subcontractors who may have access to your PHI; the responsibility to comply with Privacy Rule provisions, including rules governing the uses and disclosure of PHI and your rights concerning your PHI; the responsibility to perform a Security Rule risk analysis; the responsibility to implement Security Rule safeguards; the responsibility to train personnel concerning the HIPAA Rules; the responsibility to respond immediately to any security violation or breach; the responsibility to timely report security incidents and breaches; and the responsibility to maintain required documentation.
Mitigation of Harm
In the event of a use or disclosure of PHI that is in violation of the requirements of the BAA, Upheal will mitigate, to the extent practicable, any harmful effect resulting from the violation. Such mitigation will include the following:
- Reporting any use or disclosure of PHI not provided for by the BAA and any security incident of which Upheal become aware to the Covered Entity; and
- Documenting such disclosures of PHI and information related to such disclosures as would be required for the Covered Entity to respond to a request for an accounting of disclosure of PHI in accordance with HIPAA/HITECH.
If you have any questions or concerns about this Policy or our privacy practices, please contact us at:
169 Madison Ave #2363
New York, NY 10016