Summit Pharmacy Solutions (“SPS Health”) Notice of Privacy Practices
THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
This Notice of Privacy Practices applies to SPS Health, a Delaware limited liability company, and its current and future affiliated entities, except to the extent that we perform services that do not involve standard electronic transactions for which the United States Department of Health and Human Services (“HHS”) has adopted standards.
As used in this Policy, terms such as “we,” “us,” “our,” and “Company” refer to current and future affiliated entities of SPS Health. For a complete list of affiliated entities of SPS Health, please contact the Privacy Officer at https://spshealth.com/contact or by email at firstname.lastname@example.org.
Protection of Protected Health Information (PHI)
Under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), we are required by law to maintain the privacy of health information that identifies you, called protected health information (PHI), and to provide you with notice of our legal duties and privacy practices regarding PHI. We are committed to the protection of your PHI and will make reasonable efforts to ensure the confidentiality of your PHI, as required by statute and regulation. We take this commitment seriously and will work with you to comply with your right to receive certain information under HIPAA.
Use and Disclosure of PHI
As permitted under HIPAA, the following categories explain the types of uses and disclosures of PHI that we may make. Some of the uses and disclosures described may be limited or restricted by state laws or other legal requirements. Please contact our Privacy Officer, using the contact information provided at the end of this notice, for specific information regarding your state.
- For payment – we may use or disclose PHI to bill and collect payment for services we provide. For example, we may provide PHI to your health plan to receive payment for the health care services provided to you.
- For health care operations – we may use or disclose PHI for health care operations purposes and for our operation and management purposes. We may also disclose PHI to other health care providers or health plans that are involved in your care for their health care operations.
- Individuals involved in your care or payment for your care – We may disclose PHI to a person who is involved in your care or helps pay for your care, such as a family member or friend. We also may notify your family about your location or general condition or disclose such information to an entity assisting in a disaster relief effort. As allowed by federal and state law, we may disclose the PHI of minors to their parents or legal guardians.
- Business associates – We may disclose PHI to our business associates to perform certain business functions or provide certain business services to us. For example, we may use another company to perform billing services on our behalf. All of our business associates are required to maintain the privacy and confidentiality of your PHI. In addition, at the request of your health care providers or health plan, we may disclose PHI to their business associates for purposes of performing certain business functions or health care services on their behalf. For example, we may disclose PHI to a business associate of Medicare for purposes of medical necessity review and audit.
- Disclosure for judicial and administrative proceedings – Under certain circumstances, we may disclose your PHI during a judicial or administrative proceeding, including in response to a court or administrative order, subpoena, discovery request, or other lawful process.
- Law enforcement – we may disclose PHI for law enforcement purposes, including reporting of certain types of wounds or physical injuries or in response to a court order, warrant, subpoena or summons, or similar process authorized by law. We may also disclose PHI when the information is needed: 1) for identification or location of a suspect, fugitive, material witness or missing person, 2) about a victim of a crime, 3) about an individual who has died, 4) in relation to criminal conduct on Company premises, or 5) in emergency circumstances to report a crime, the location of the crime or victims, or the identity, description, or location of the person who committed the crime.
- As required by law – we must disclose your PHI if required to do so by federal, state, or local law.
- For treatment – we may use or disclose PHI for treatment purposes, including disclosure to physicians, nurses, medical students, pharmacies, and other health care professionals who provide you with health care services and/or are involved in the coordination of your care.
- Disclosure about victims of abuse, neglect, or domestic violence – we may disclose PHI about an individual to a government authority, including social services, if we reasonably believe that an individual is a victim of abuse, neglect, or domestic violence.
- Health oversight activities – we may disclose PHI to a health care oversight agency for activities authorized by law such as audits, civil, administrative, or criminal investigations and proceedings/actions, inspections, licensure/disciplinary actions, or other activities necessary for appropriate oversight of the health care system, government benefit programs, and compliance with regulatory requirements and civil rights laws.
- Personal Representative – we may disclose PHI to your personal representative, as established under applicable law, or to an administrator, executor, or other authorized individual associated with your estate.
- Correctional institution – we may disclose the PHI of an inmate or other individual when requested by a correctional institution or law enforcement official for health, safety, and security purposes.
- Serious threat to health or safety – we may disclose PHI if necessary to prevent or lessen a serious and/or imminent threat to health or safety to a person or the public or for law enforcement authorities to identify or apprehend an individual.
- Government functions – In certain situations, we may disclose the PHI of military personnel and veterans, including Armed Forces personnel, as required by military command authorities. Additionally, we may disclose PHI to authorized officials for national security purposes, such as protecting the President of the United States, conducting intelligence, counter-intelligence, other national security activities, and when requested by foreign military authorities. Disclosures will be made only in compliance with U.S. Law.
- Workers’ compensation – As authorized by applicable laws, we may use or disclose PHI to comply with workers’ compensation or other similar programs established to provide work-related injury or illness benefits.
- De-identified Information and Limited Data Sets: we may use and disclose health information that has been “de-identified” by removing certain identifiers making it unlikely that you could be identified. We also may disclose limited health information, contained in a “limited data set”. The limited data set does not contain any information that can directly identify you. For example, a limited data set may include your city, county and zip code, but not your name or street address.
Other Uses and Disclosures of PHI
For purposes not described above, including uses and disclosures of PHI for marketing purposes and disclosures that would constitute a sale of PHI, we will ask for patient authorization before using or disclosing PHI. If you signed an authorization form, you may revoke it, in writing, at any time, except to the extent that action has been taken in reliance on the authorization.
Information Breach Notification
We are required to provide patient notification if we discover a breach of unsecured PHI unless there is a demonstration, based on a risk assessment, that there is a low probability that the PHI has been compromised. You will be notified without unreasonable delay and no later than 60 days after discovery of the breach. Such notification will include information about what happened and what can be done to mitigate any harm.
Patient Rights Regarding PHI
Subject to certain exceptions, HIPAA establishes the following patient rights with respect to PHI:
- Right to Receive a Copy of the SPS Health Notice of Privacy Practices – You have a right to receive a copy of the SPS Health Notice of Privacy Practices at any time by contacting us at https://spshealth.com/contact, or by email at email@example.com, or by sending a written request to: HIPAA Privacy Officer, SPS Health, 11270 W. Park Place, Suite 625, Milwaukee, WI 53224. This Notice will also be posted on the internet sites of SPS Health and each affiliated entity to which this Notice applies.
- Right to Request Limits on Uses and Disclosures of your PHI – You have the right to request that we limit: 1) how we use and disclose your PHI for treatment, payment, and health care operations activities; or 2) our disclosure of PHI to individuals involved in your care or payment for your care. We will consider your request, but we are not required to agree to it unless the requested restriction involves a disclosure that is not required by law to a health plan for payment or health care operations purposes and not for treatment, and you have paid for the service in full out of pocket. If we agree to a restriction on other types of disclosures, we will state the agreed restrictions in writing and will abide by them, except in emergency situations when the disclosure is for purposes of treatment.
- Right to Request Confidential Communications – You have the right to request that we communicate with you about your PHI at an alternative address or by an alternative means. We will accommodate reasonable requests.
- Right to Receive an Accounting of Disclosures – You have a right to receive a list of certain instances in which we disclosed your PHI. This list will not include certain disclosures of PHI, such as (but not limited to) those made based on your written authorization or those made prior to the date on which we were required to comply. If you request an accounting of disclosures of PHI that were made for purposes other than treatment, payment, or health care operations, the list will include disclosures made in the past six years, unless you request a shorter period of disclosures. If you request an accounting of disclosures of PHI that were made for purposes of treatment, payment, or health care operations, the list will include only those disclosures made in the past three years for which an accounting is required by law, unless you request a shorter period of disclosures.
- Right to Correct or Update your PHI – If you believe that your PHI contains a mistake, you may request, in writing, that we correct the information. If your request is denied, we will provide an explanation of the reasoning for our denial.
How to Exercise Your Rights
To exercise any of your rights described in this notice, you must send a written request to: HIPAA Privacy Officer, SPS Health, 11270 W. Park Place, Suite 625, Milwaukee, WI 53224.
How to Contact Us or File a Complaint
If you have questions or comments regarding this Notice of Privacy Practices, or have a complaint about our use or disclosure of your PHI or our privacy practices, please contact: https://spshealth.com/contact, or send a written request to: HIPAA Privacy Officer, SPS Health, 11270 W. Park Place, Suite 625, Milwaukee, WI 53224. You also may file a complaint with the Secretary of the U.S. Department of Health and Human Services. We will not take retaliatory action against you for filing a complaint about our privacy practices.
Changes to this Notice of Privacy Practices
We reserve the right to make changes to this notice and to our privacy policies from time to time. Changes adopted will apply to any PHI we maintain about you. We are required to abide by the terms of our notice currently in effect. When changes are made, we will promptly update this notice and post the information on the websites of SPS Health and each affiliated entity to which this Notice is applicable. Please review this site periodically to ensure that you are aware of any such updates.
Effective Date of Notice: November 1, 2021
©SPS Health 2021. All rights reserved.