HIPAA Privacy Policy

The Center for Medical Weight Loss (CMWL) takes privacy very seriously. We share a commitment with Covered Entities to protect the privacy and confidentiality of Protected Health Information that we obtain subject to the terms of a Business Associate Agreement and under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), as amended, including, without limitation, amendments by the Health Information Technology for Economic and Clinical Health (HITECH) Act (collectively, “HIPAA/HITECH”).

This Privacy Policy is provided to help you better understand how we use, disclose, and protect Protected Health Information in accordance with the terms of Business Associate Agreements.

Definitions

  • “Business Associate” (“BA”) means an entity that performs functions or activities on behalf of a Covered Entity when those services involve access to, or the use or disclosure of, Protected Health Information.
  • “Business Associate Agreement” (“BAA”) means a formal written contract between a BA and a Covered Entity that requires the BA to comply with specific requirements related to PHI.
  • “Covered Entity” means a health plan, a healthcare clearinghouse, or a healthcare provider that transmits health information electronically in connection with a HIPAA standard transaction, each of which must comply with the HIPAA Privacy Rule.
  • “Protected Health Information” (“PHI”) means all “individually identifiable health information” that is transmitted or maintained in any form or medium by a Covered Entity or its Business Associate. Individually identifiable health information is information that identifies an individual, or could reasonably be used to identify an individual, and that relates to the individual’s past, present, or future physical or mental health or condition, to the provision of health care to the individual (such as diagnosis or treatment), or to payment for the provision of health care to the individual.

Use and Disclosure of PHI

  • We may use or disclose PHI on behalf of, or to provide services to, Covered Entities for purposes of performing our obligations under our services agreements to Covered Entities, provided that such use or disclosure is permitted or required by the applicable Business Associate Agreement and would not violate HIPAA/HITECH, including its Privacy Rule or Security Rule as applicable to Business Associates.
  • We may use PHI internally for our own internal management, administration, data aggregation and legal obligations, but only to the extent such use of PHI is permitted or required by the applicable Business Associate Agreement and would not violate HIPAA/HITECH, including its Privacy Rule or Security Rule as applicable to Business Associates.
  • We may disclose PHI for law enforcement purposes as required by law or in response to a valid subpoena.
  • We may disclose PHI to downstream subcontractors or agents that provide supporting services to us; however, we will require such subcontractors and agents to agree in writing to the same restrictions and conditions with respect to PHI that apply to us under the applicable Business Associate Agreement, including the implementation and maintenance of required safeguards.
  • Other uses and disclosures not described in this Privacy Policy will be made only with your express written authorization.

Revocation of Your Consent to Use and Disclose PHI

Some uses and disclosures of PHI are possible only with your express authorization. Your written authorization is required for any use or disclosure of PHI that is not for treatment, payment, or health care operations, or otherwise permitted or required by the Privacy Rule. Examples of disclosures that require your authorization include disclosures to a life insurer for coverage purposes, disclosures to an employer of the results of a pre-employment physical or lab test, disclosures to a pharmaceutical firm for marketing purposes, and disclosures of psychotherapy notes. A Covered Entity must also obtain your authorization before using or disclosing your PHI for marketing. Your authorization is not required for face-to-face marketing communications between a Covered Entity and an individual, or for a Covered Entity’s provision of promotional gifts of nominal value. In addition, your authorization is not needed for a communication that falls within one of the exceptions to the definition of marketing:

  • communications that describe health-related products or services, or payment for them, that are provided by or included in a benefit plan of the Covered Entity making the communication;
  • communications about participating providers in a provider or health plan network, about replacement of or enhancements to a health plan, and about health-related products or services available only to a health plan’s enrollees that add value to, but are not part of, the benefits plan;
  • communications for treatment of the individual; and
  • communications for case management or care coordination for the individual, or to direct or recommend alternative treatments, therapies, health care providers, or care settings to the individual.

You may revoke your authorization to use and disclose your PHI at any time by sending a written revocation to us at privacy@cmwl.com. Revocation does not affect uses or disclosures of PHI that we made in reliance on your authorization before we received the revocation. In addition, you may request that all of your PHI be removed from our systems and processes by sending a written request for removal and destruction of your data to us at privacy@cmwl.com. Upon receipt of your request, we will take the steps necessary to remove your PHI completely and permanently, unless we are unable to do so for legal, compliance, or other legitimate reasons, such as a legal requirement to retain certain records.

Your Rights

You may request information about:

  • The purpose of our use and disclosure of your PHI;
  • The legal basis for our use and disclosure of your PHI;
  • The categories of PHI and the subject concerned;
  • The type or identity of the third parties to which your PHI may be disclosed, and the protections provided;
  • The source of the PHI (if you didn’t provide it directly to us); and
  • How long it will be stored.

You have a right to:

  • Access your PHI;
  • Have inaccurate PHI corrected;
  • Request erasure of PHI;
  • Restrict the processing of your PHI;
  • Object to the processing of your PHI;
  • Data portability;
  • Opt out of PHI being transferred to a third party, unless there is a legal reason for the transfer; and
  • Opt out of direct marketing.

To exercise your rights, you can write to our HIPAA Compliance Officer at privacy@cmwl.com.

Requests Regarding PHI

Requests for access to your PHI, requests to amend your PHI, and requests for an accounting of disclosures of your PHI must be made in writing to our HIPAA Compliance Officer at privacy@cmwl.com. We will act on your request no later than thirty (30) calendar days after we receive it. If we are not able to act within this timeframe, we will provide you with a written statement of the reasons for the delay and the date by which we will complete our action on your request, which will be no more than thirty (30) additional calendar days beyond the original thirty (30) days.

In the event that we deny any request, the response will include an explanation as to why access was denied. The denial of your request may be based on a number of reasons. An individual does not have a right to access PHI that is not part of a designated record set, because such information is not used to make decisions about individuals. This information may include certain quality assessment or improvement records, patient safety activity records, or business planning, development, and management records that are used for business decisions more generally rather than to make decisions about individuals. For example, a hospital’s peer review files or practitioner or provider performance evaluations, or a health plan’s quality control records that are used to improve customer service or formulary development records, may be generated from and include an individual’s PHI but might not be in the Covered Entity’s designated record set and subject to access by the individual.

In addition, two categories of information are expressly excluded from the right of access. One is psychotherapy notes, which are the personal notes of a mental health care provider documenting or analyzing the contents of a counseling session, maintained separately from the rest of the patient’s medical record. The other is information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding. However, the underlying PHI from the individual’s medical or payment records or other records used to generate the above types of excluded records or information remains part of the designated record set and is subject to access by the individual.

Access to PHI

As provided in the BAA, we will make available to Covered Entities information necessary for the Covered Entity to give individuals their rights of access, amendment, and accounting in accordance with HIPAA regulations.

Upon request, we will make our internal practices, books, and records, including policies and procedures, relating to the use and disclosure of PHI received from a Covered Entity, or created or received by us on behalf of a Covered Entity, available to the Covered Entity or the Secretary of the U.S. Department of Health and Human Services for the purpose of determining compliance with the terms of the BAA and HIPAA regulations.

Our Responsibilities

As a Business Associate, we have a number of legal responsibilities, including the responsibility to:

  • Enter into a written BAA with each Covered Entity that requires us to maintain the privacy of PHI, limit our use or disclosure of PHI to those purposes authorized by the Covered Entity, and assist the Covered Entity in responding to your requests concerning your PHI;
  • Amend PHI relating to you when requested by a Covered Entity;
  • Make information about certain disclosures available to a Covered Entity so that it can fulfill its obligation to provide you with an accounting of those disclosures;
  • Enter into a BAA with each of our subcontractors who may have access to your PHI;
  • Comply with the Privacy Rule provisions that apply to Business Associates, including the rules governing uses and disclosures of PHI and your rights concerning your PHI;
  • Perform a Security Rule risk analysis;
  • Implement Security Rule safeguards;
  • Train our personnel on the HIPAA Rules;
  • Respond immediately to any security violation or breach;
  • Report security incidents and breaches in a timely manner; and
  • Maintain required documentation.

Safeguards

We use appropriate safeguards to prevent the use or disclosure of PHI other than as provided for in the BAA. We have implemented administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic protected health information that we create, receive, maintain, or transmit on behalf of a Covered Entity. Such safeguards include:

  • Maintaining appropriate clearance procedures and providing supervision to assure that our workforce follows appropriate security procedures;
  • Providing appropriate training for our staff to assure that our staff complies with our security policies;
  • Making use of appropriate encryption when transmitting PHI over the Internet;
  • Utilizing appropriate storage, backup, disposal, and reuse procedures to protect PHI;
  • Utilizing appropriate authentication and access controls to safeguard PHI;
  • Utilizing appropriate security incident procedures and providing training to our staff sufficient to detect and analyze security incidents; and
  • Maintaining a current contingency plan and emergency access plan in case of an emergency to assure that the PHI we hold on behalf of a Covered Entity is available when needed.

Mitigation of Harm

In the event of a use or disclosure of PHI that is in violation of the requirements of the BAA, we will mitigate, to the extent practicable, any harmful effect resulting from the violation. Such mitigation will include:

  • Reporting any use or disclosure of PHI not provided for by the BAA and any security incident of which we become aware to the Covered Entity; and
  • Documenting such disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request for an accounting of disclosure of PHI in accordance with HIPAA.

Changes to Our Privacy Policy

From time to time we may change or update our Privacy Policy. We reserve the right to make changes or updates at any time. If we make material changes to the way we process your PHI, we will provide you notice via our services or by other communication channels.

How to Contact Us

If you have any questions regarding this Privacy Policy, please contact our HIPAA Compliance Officer at:

Attn: HIPAA Compliance Officer
The Center for Medical Weight Loss (CMWL)
50 N. Broadway #280
Tarrytown, NY 10591
Email: privacy@cmwl.com
Telephone: (914) 332-4190

Revised: February 6, 2024