AbleTo Notice of Privacy Practices and Site Privacy
Last revision: June 26, 2020
Notice of Privacy Practices
THIS NOTICE DESCRIBES HOW HEALTH INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY. THE PRIVACY OF YOUR HEALTH INFORMATION IS IMPORTANT TO US. All clinical services accessed through AbleTo are provided by licensed clinical social workers practicing within an independently owned professional services entity, AbleTo Behavioral Health Services, P.C. and other related professional services entities (“AbleTo, P.C.”). AbleTo, Inc. manages administrative services for AbleTo, P.C. and does not provide any clinical, mental health or other healthcare provider services. This Notice of Privacy Practices describes how AbleTo, P.C. (and AbleTo, Inc., when acting on behalf of AbleTo, P.C.) may use and disclose health information about you and how you can access this information. Together, AbleTo, Inc. and AbleTo, P.C. are referred to herein as “AbleTo”.
OUR COMMITMENT TO YOUR PRIVACY
We understand that information about you and your health is personal. We are committed to safeguarding your personal and protected health information (collectively “PHI”). PHI is any information that can identify you as an individual and your past, present or future physical or mental health condition. This notice will tell you about the ways in which we may use and disclose health information about you. We also describe your rights and certain obligations we have regarding the use and disclosure of health information.
OUR LEGAL DUTY
AbleTo is required by applicable federal and state laws to maintain the privacy of your PHI. We are also required to give you this notice about our privacy practices, our legal duties, and your rights concerning PHI. We must follow the privacy practices that are described in this notice while it is in effect.
We reserve the right to change our privacy practices and the terms of this notice at any time, provided that applicable law permits such changes. We reserve the right to make the changes in our privacy practices and the new terms of our notice effective for all PHI that we maintain, including health information we created or received before we made the changes. Before we make a significant change in our privacy practices, we will change this notice and send the new notice to you at the time
of the change. You may request a copy of our notice at any time.
We are required to notify you within 60 days of discovery of a breach in accordance with the Breach Notification Rule – 45 CFR Part 164 Subpart D(164.400 – 164.414).
USES AND DISCLOSURES OF NONPUBLIC PERSONAL INFORMATION
Nonpublic personal Information is information you give us during your enrollment, initial assessment, etc. For example: names, member identification number, addresses, type of health care benefits, payment amounts, etc. We will not give out your nonpublic personal information to anyone unless we are permitted to do so by law or have received a signed authorization form from you. You may revoke this authorization in writing at any time by emailing AbleTo at compliance@Ableto.com. This evocation will not affect any action AbleTo took in reliance on your authorization before your authorization cancellation form was processed.
USES AND DISCLOSURES OF HEALTH INFORMATION
The following categories describe different purposes for which we use and disclose PHI. For each category of uses or disclosures we will explain what we mean and try to give some examples. Not every use or disclosure in a category will be listed. However, all of the ways we are permitted to use and disclose information will fall within one of the categories. If we need to use or disclose your PHI in any other way, we will obtain your signed authorization before our use or disclosure. You may revoke this authorization in writing by emailing AbleTo at compliance@Ableto.com at any time. This revocation will not affect any actions AbleTo took in reliance on your authorization before your authorization cancellation form was processed.
• Treatment: We may disclose PHI to health care providers, including doctors or hospitals involved in your care. For example, we may disclose your medications to an emergency room physician so that he/she can avoid dangerous drug interactions. This allows providers to manage, coordinate and administer treatment.
• Payment: We may use and disclose PHI to collect payment for services. We may also disclose PHI to insurance companies, or their related entities, to coordinate the reimbursement of health insurance benefits. For example, if you provide us with
health insurance information through an additional insurance company, we may disclose PHI to that other health insurance company in order to determine which company holds the responsibility for your claims.
• Healthcare Operations: We may use and disclose PHI for purposes of performing our healthcare operations. Our healthcare operations include using PHI to determine fees, to conduct quality © AbleTo Inc., Private & Confidential Effective Date: This Notice is effective as of June 26, 2019 assessment and improvement activities, to engage in care coordination or case management, or to determine eligibility for benefits. For example, we may use or disclose PHI when working with accreditation agencies that monitor and evaluate the quality of our programs. We may also use or disclose your PHI when communicating with individuals involved in your care or payment for that care, such as friends and family, and sending appointment reminders.
• To You: We must disclose your PHI to you, as described in the Individual Rights section of this notice, below. We may
also use and disclose PHI to tell you about recommended possible treatment options or alternatives or to tell you about health related benefits or services that may be of interest to you.
• To Family and Friends: If you agree or, if you are unable to agree when the situation, (such as medical emergency or disaster relief), indicates that disclosure would be in your best interest, we may disclose PHI to a family member, friend or other person. In an emergency situation, we will only disclose the minimum amount necessary.
• To Our Business Associates: A business associate is defined as someone that assists us in managing our business. We may disclose PHI to another company that helps us manage our business. For example, we may disclose PHI to a company that manages our electronic health record. These business associates are required to sign a business associate agreement with us that limits their use or disclosure of the PHI they receive.
• To Plan Sponsors: A plan sponsor is defined as the employer or employee organization that establishes and maintains the employee’s benefit plan. If you are enrolled in a group health plan, we may disclose PHI to the plan sponsor to permit the plan sponsor to perform plan administrative functions. For example, the cost analysis of the benefit program. Before PHI is disclosed to your plan sponsor, we will receive certification from the plan sponsor that appropriate amendments have been made to group
health plan document(s) and the plan sponsor agrees to limit their use or disclosure of this information to plan administration functions only.
• Research: We may use or disclose de-identified participant data for retrospective analysis of program effectiveness. All prospective research projects require a separate consent in addition to this general notice.
• Public Health and Safety: We may disclose PHI to the extent necessary to avert a serious and imminent threat to your health or safety, or the health or safety of others. We may disclose PHI to a government agency authorized to oversee the healthcare system or government programs or its contractors, and to public health authorities for public health purposes.
• Victims of Abuse, Neglect or Domestic Violence: We may disclose PHI to appropriate authorities if we reasonably believe that you are a possible victim of abuse, neglect, domestic violence or other crimes.
• Required by Law: We may use or disclose PHI when we are required to do so by law. For example, we must disclose PHI to the U.S. Department of Health and Human Services upon request to determine whether we are in compliance with federal privacy laws.
• Process and Proceedings: We may disclose PHI in response to a court or administrative order, subpoena, discovery request, or other lawful process. Under limited circumstances, such as a court order, warrant, or grand jury subpoena, we may disclose PHI to law enforcement officials.
• Law Enforcement: We may disclose PHI to a law enforcement official investigating a suspect, fugitive, material witness, crime victim or missing person. We may disclose PHI of an inmate or other person in lawful custody of a law enforcement official or correctional institution under certain circumstances.
• Military and National Security: We may disclose to the military, PHI of Armed Forces personnel under certain circumstances. We may disclose to authorized federal officials health information required for lawful intelligence, counterintelligence, and other national security activities.
• Access: You have the right to inspect and/or copy your PHI, with limited exceptions such as information a licensed health care professional, exercising professional judgment, determines that providing access is reasonably likely to endanger the life, physical safety or cause someone substantial harm.
• Disclosure Accounting: You have the right to receive a list of instances in which we or our business associates disclosed your PHI. The list will not include disclosures we made for the purpose of treatment, payment, healthcare operations, disclosures made with your authorization, or certain other disclosures. To request a disclosure accounting, you may contact us using the contact information at the end of this notice. You may request an accounting of disclosures and the request may not exceed a six year time period. We will provide you with the date on which we made the disclosure, the name of the person or entity to whom we disclosed your PHI, a description of the PHI we disclosed and the reason for the disclosure.
• Restriction Requests: You have the right to request that we place additional restrictions on our use or disclosure of your PHI. As permitted by law, we will not honor these requests, if it prohibits us from administering your benefits.
• Confidential Communication: You have the right to request that we communicate with you confidentially about your PHI. We will honor a request to communicate to an alternative location if confidentially about your PHI. We will honor a request to communicate to an alternative location if you believe you would be endangered if we do not communicate to the alternative location. We must accommodate your request if it is reasonable and specifies the alternative location.
• Amendment: You have the right to request that we amend your PHI. Your request must be in writing, and it must explain why the information should be amended. We may deny your request if we did not create the information you want amended or if we determine the information is accurate. If we accept your request to amend the information, we will make reasonable efforts to
inform others, including people you name, of the amendment and to include the changes in any future disclosures of that information. If we deny your request, we will provide you with a written explanation. You may respond with a statement of disagreement that will be attached to the information you wanted amended.
• Electronic Notice: If you receive this notice on our web site or by electronic mail (e-mail), you are entitled to receive this notice in written form.
“De-Identified Information” means information that is neither used nor intended to be used to personally identify an individual.
Personal Information Collected About You
AbleTo is committed to ensuring that your privacy is protected when using the Web Site and has put in place suitable physical, electronic and managerial safeguards to secure the information that it collects through the Web Site. Specifically, we may collect Personal Information about you such as:
- Your name, age, email address, telephone number, username, password, and other registration information.
- Health Information that you provide us, which may include information or records relating to your medical or health history, health status and other health related information.
- Health information about you prepared or obtained by the clinicians who provide clinical services through the Site such as medical and therapy records, treatment and examination notes, and other health related information.
- Information about the computer or mobile device you are using, such as what Internet browser you use, the kind of computer or mobile device you use, and other information about how you use the Site.
- Other information you input into the Site or related services.
We may collect Personal Information about you in the following ways:
- When you register for or update an existing profile on our Services;
- When you use certain interactive tools and features of the Services;
- When you sign-up for communications from AbleTo; or
- When you participate in an online survey.
With Whom Do We Share Your Personal Information?
AbleTo does not share the Personal Information that you disclose to us via the Web Site except (i) to our service providers, consultants and agents who require such information to provide services to AbleTo; (ii) as required by law; (iii) to protect the rights and interests of AbleTo, its Website users and/or other individuals; (iv) to share certain information about your usage of the
Services with an insurer or your employer (“Sponsor”) (if applicable); (v) in special cases, such as in response to a physical threat to you or others including a reasonable determination of imminent risk of suicide and/or (vi) in the event of a corporate change in control resulting from, for example, merger, acquisition or transfer of all or substantially all of AbleTo’s assets.
Use of your Personal Information by AbleTo includes:
- To provide Services to you.
- To create De-identified Information.
- To market and promote the Site and the Services to you.
- To notify you of Site updates, appointments, reminders and other communications to which you have agreed to receive.
- To improve the quality of healthcare Services provided.
- For any other purpose for which you give us authorization.
How Do We Secure and Retain Your Information?
We have put in place technical, physical, and administrative safeguards that comply with federal and state regulations to protect the Personal Information and protected health information (“PHI”) that we collect. Among other protections described below, when you enter Personal Information (including health information in various tools through our Services), we encrypt the transmission of that information using TLS (Transport Layer Security) technology. In addition, AbleTo restricts
access to your Personal Information to employees who need the information to provide you with Services. AbleTo does not use or disclose your Personal Information or PHI except and to the extent permitted by applicable law.
Collecting and Using Non-Personally Identifiable Information
You should also be aware that when you visit our website, we collect certain non-personally-identifiable and aggregate information about you. This data helps us to analyze and improve the usefulness of the information we provide at this website. We might collect the following information:
- Web browser information. Web browsers collect and store information about the type of device and operating system you are using to access our website, as well as your device’s MAC address for facilitating network communications. Accessing this information helps us to establish a secure and consistent connection to you during your visits to our website.
- “Cookie” technology. A “cookie” is an element of data that a website can send to your browser when you link to that website. It is not a computer program and has no ability to read data residing on your computer or instruct it to perform any step or function. By assigning a unique data element to each visitor, the website is able to recognize repeat users, track usage patterns and better serve you when you return to that site. The cookie does not extract other personal information about you, such as your name or address.
- IP Address: When you subscribe to an Internet Service Provider (ISP), your computing device is assigned an IP Address. We track and store this address to help us manage security and monitor usage volume and patterns.
We may collect “Non-Personal Information” – information that cannot be used to identify you – via Cookies, Web Beacons, AbleTo mobile device applications and from external sources, even if you have not registered with or provided any Personal Information to AbleTo. If you can be identified when this information is combined with other information, or as required by law, we will treat such information as Personal Information.
What Choices Do I Have?
Updating/Removing Your Personal Information
Disclosures to Third Party Web Sites
We may use De-Identified Information created by us without restriction.
We are committed to protecting the privacy of children. The Services are not designed or intended to attract anyone under the age of 18. The Services do not collect or solicit Personal Information from any person we actually know is under the age of 18.
If you have questions or concerns about our Site Privacy Practices, or would like to report a violation, please contact us by sending an email to firstname.lastname@example.org.
AbleTo is the brand name used for products and services provided by one or more professional services entities, including AbleTo Behavioral Health Services, P.C. that is managed by or affiliated with AbleTo Inc., a management company