HIPAA Notice of Privacy Practices
GeneDx takes its responsibility to protect patient rights and information very seriously. We protect the privacy and security of all patient data that we handle, as required by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH), under Title XIII of the American Recovery and Reinvestment Act of 2009.
Please find GeneDx’s HIPAA Notice of Privacy Practices below for further details.
EFFECTIVE January 9, 2023
THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW THIS NOTICE CAREFULLY.
We are required by law to maintain the privacy of your protected health information or “PHI”; to provide you this detailed notice of our legal duties and privacy practices relating to your PHI (this “Notice”); to notify you following a breach of unsecured PHI; and to abide by the terms of the Notice that are currently in effect. PHI includes basic demographic information that may identify you and information that relates to your past, present or future physical or mental health or condition and related health care services. References to “GeneDx”, “we”, “us”, and “our” include GeneDx, LLC and the members of its affiliated covered entity, including Sema4 OpCo, Inc. An affiliated covered entity is a group of organizations under common ownership or control who designate themselves as a single affiliated covered entity for purposes of compliance with the Health Insurance Portability and Accountability Act (“HIPAA”). The members of the GeneDx affiliated covered entity will share PHI with each other for the treatment, payment, and health care operations of the affiliated covered entity and as permitted by HIPAA and this Notice. For a complete list of the members of the GeneDx affiliated covered entity, please contact GeneDx by emailing email@example.com.
This Notice applies to all PHI that is created or retained by us in our role as a HIPAA covered entity.
I. USES AND DISCLOSURES FOR TREATMENT, PAYMENT, AND HEALTH CARE OPERATIONS
The following are various ways we may use and disclose your PHI for purposes of treatment, payment, and health care operations when we are acting as a HIPAA covered entity.
Treatment. We may use your PHI to provide and coordinate the treatment and services you receive. Many of the people who work for us may use or disclose your PHI in order to provide supplies and services to you or to assist others in your treatment, such as to perform diagnostic tests, or provide your test results to your physician.
For Payment. We may use and disclose your PHI for billing and payment purposes. We may disclose your PHI to an insurance or managed care company, Medicare, Medicaid or another third-party payor. For example, we may contact your health plan to confirm your coverage or to request prior approval for services that will be provided to you.
For Health Care Operations. We may use and disclose your PHI as necessary for health care operations, such as management, personnel evaluation, education and training and to monitor our quality of care. We may disclose your PHI to another entity with which you have or had a relationship if that entity requests your information for certain of its health care operations or health care fraud and abuse detection or compliance activities. For example, PHI of many patients may be combined and analyzed for purposes such as evaluating and improving quality of care and planning for services.
II. SPECIFIC USES AND DISCLOSURES OF YOUR HEALTH INFORMATION
In addition to uses and disclosures for treatment, payment and operations, we may also use or disclose your PHI as follows:
Individuals Involved in Your Care or Payment for Your Care. Unless you notify us that you object, we may disclose PHI about you to a family member, close personal friend or other person you identify, including clergy, who is involved in your care.
Emergencies. We may use and disclose your PHI as necessary in emergency treatment situations.
As Required by Law. We may use and disclose your PHI when required by law to do so.
Public Health Activities. We may disclose your PHI for public health activities. These activities may include, for example, reporting to a public health authority for preventing or controlling disease, injury or disability, or in order to deaths.
Reporting Victims of Abuse, Neglect or Domestic Violence. If we believe that you have been a victim of abuse, neglect or domestic violence, we may use and disclose your PHI to notify a government authority, if authorized by law or if you agree to the report.
Health Oversight Activities. We may disclose your PHI to a health oversight agency for activities authorized by law, such as audits, investigations, inspections and licensure actions or for activities involving government oversight of the health care system.
To Avert a Serious Threat to Health or Safety. When necessary to prevent a serious threat to your health or safety or the health or safety of the public or another person, we may use and disclose your PHI, limiting disclosures to people who are able to help lessen or prevent the threatened harm.
Judicial and Administrative Proceedings. We may disclose your PHI in response to a court or administrative order. We also may disclose your PHI to the extent necessary to respond to a subpoena, discovery request, or other lawful process after making efforts to contact you about the request and/or to obtain an order or agreement protecting the PHI.
Law Enforcement. We may disclose your PHI for certain law enforcement purposes, including, for example, to comply with a court order, warrant, or similar legal process.
Research. We may use and disclose your PHI for research purposes if the use and disclosure for research purposes has been reviewed and approved by an institutional review board or other authorized HIPAA privacy board, if the researcher is collecting information in preparing a research proposal, if the research occurs after your death, or if you consent to or authorize the use or disclosure.
Coroners, Medical Examiners, Funeral Directors, Organ Procurement Organizations. We may release your PHI to a coroner, medical examiner, funeral director or, if you are an organ donor, to an organization involved in the donation of organs and tissue.
Disaster Relief. We may disclose your PHI to a disaster relief organization for permitted notification purposes, subject to some conditions and restrictions.
Military, Veterans and other Specific Government Functions. If you are a member of the armed forces, we may use and disclose your PHI as required by military command authorities. We may disclose your PHI for national security purposes or as needed to protect the President of the United States or certain other officials or to conduct certain special investigations.
Workers’ Compensation. We may use and disclose your PHI to comply with laws relating to workers’ compensation or similar programs.
Inmates/Law Enforcement Custody. If you are under the custody of a law enforcement official or a correctional institution, we may disclose your PHI to the institution or official for certain purposes including the health and safety of you and others.
III. USES AND DISCLOSURES WITH YOUR AUTHORIZATION
We will obtain your authorization for: (1) most uses and disclosures of psychotherapy notes (as defined by HIPAA); (2) uses and disclosures of your PHI for marketing purposes; and (3) disclosures that constitute a sale of your PHI. Except as described in this Notice, we will use and disclose your PHI only with your written authorization. You may revoke an authorization in writing at any time. If you revoke an authorization, we will no longer use or disclose your PHI for the purposes covered by that authorization, except where we have already relied on the authorization.
IV. YOUR RIGHTS REGARDING YOUR PHI
Below are your rights regarding your PHI. These rights may be exercised by submitting a request to us. Each of these rights is subject to certain requirements, limitations and exceptions. At your request, we will supply you with the appropriate form to complete. You have the right to:
Request Restrictions. You have the right to request restrictions on our use and disclosure of your PHI for treatment, payment, or health care operations. You have the right to request restrictions on the PHI we disclose about you to a family member, friend or other person who is involved in your care or the payment for your care. We are not required to agree to your requested restriction (except that if you are competent, you may restrict disclosures to family members and friends). If you paid out-of-pocket in full for a health care item or service, and you do not want us to disclose PHI about that item or service to your health plan for purposes of payment or health care operations, we must comply with your request.
Access to Personal Health Information. You have the right to request, in writing, your medical or billing records or other information that may be used to make decisions about your care (your “designated record set”), subject to some exceptions. We may charge a fee for our costs in providing the requested records, consistent with applicable law.
To the extent we maintain your designated record set electronically, you also have the right to receive an electronic copy of such information. You may also direct us to send a copy directly to a third-party designated by you. We may charge a fee, consistent with applicable law, for our costs in responding to your request.
Request Amendment. You have the right to request amendment of your PHI for as long as the information is kept by or for us. Your request must be made in writing and must state the reason for the requested amendment. We may deny your request for amendment if the information: (a) was not created by us, unless the originator of the information is no longer available to act on your request; (b) is not part of the health information maintained by or for us; (c) is not part of the information to which you have a right of access; or (d) is already accurate and complete, as determined by us.
If we deny your request for amendment, we will give you a written denial including the reasons for the denial and an explanation of your right to submit a written statement disagreeing with the denial.
Request an Accounting of Disclosures. You have the right to request an “accounting” of certain disclosures of your PHI. This is a listing of disclosures made by us or by others on our behalf, but this does not include disclosures for treatment, payment and health care operations and certain other exceptions. To request an accounting of disclosures, you must submit a request in writing, stating a time period that is within six years from the date of your request. The first accounting provided within a 12-month period will be free; for further requests, we may charge you our costs.
Request a Paper Copy of This Notice. You have the right to obtain a paper copy of this Notice, even if you have agreed to receive this Notice electronically. You may request a copy of this Notice at any time by sending an email to Privacy@genedx.com.
Request Confidential Communications. You have the right to request that we communicate with you concerning your health matters in a certain manner. We will accommodate your reasonable requests.
- SPECIAL RULES REGARDING DISCLOSURE OF SPECIALLY PROTECTED INFORMATION
Under state and federal law, additional restrictions may apply to disclosures of PHI that relate to treatment or diagnosis associated with sensitive categories of health information, such as for psychiatric conditions, for substance use disorder treatment, HIV-related testing and treatment or genetic testing and treatment. This information may not be disclosed without your specific written permission, except as may be specifically required or permitted by state or federal law.
VI. FURTHER INFORMATION AND COMPLAINTS
If you have any questions about this Notice or would like further information concerning your privacy rights, please contact GeneDx by emailing firstname.lastname@example.org or by calling (800) 969-7362. Users of the Sema4 Patient Portal can access their Electronic Health Records and consent preferences in the Sema4 patient portal.
If you believe that your privacy rights have been violated, you may file a complaint in writing with us or with the Office for Civil Rights (“OCR”) in the U.S. Department of Health and Human Services. We will not retaliate against you for filing a complaint.
To file a complaint with us, contact us by email at email@example.com or by mail to our Compliance Officer at 333 Ludlow Street, North Tower, 8th floor, Stamford, CT 06902. To file a complaint with the Office for Civil Rights, send your written complaint to the OCR Regional Manager by mail to Office for Civil Rights–Region I, U.S. Department of Health and Human Services, J.F. Kennedy Federal Building – Room 1875, Boston, MA 02203, by fax to (617) 565-3809 or by email to OCRComplaint@hhs.gov.
VII. CHANGES TO THIS NOTICE
We reserve the right to change this Notice and to make the revised or new Notice provisions effective for all PHI already received and maintained by us as well as for all PHI we receive in the future. We will post a copy of the current Notice on this website. We will provide a copy of the revised Notice upon request.