HIPAA Notice of Privacy Practices
Notice of Privacy Practices
Effective November 9, 2021
Keeping your health information private is vitally important to iRhythm. We are required by law to maintain the privacy of your Protected Health Information (“PHI”) and to provide you with notice of our legal duties and privacy practices with respect to PHI.
THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
Our Uses and Disclosures of Your Information
We may use and share your information as we:
- Treat you
- Run our organization
- Bill for your health care services
- Assist with public health and safety issues
- Do research
- Comply with the law
- Work with a medical examiner, coroner, or funeral director
- Address workers’ compensation, law enforcement, and other government requests
- Respond to lawsuits and legal actions
- Receive a copy of your paper or electronic medical record
- Correct your paper or electronic medical record
- Request confidential communication methods from iRhythm
- Ask iRhythm to limit the information we share
- Get a list of those with whom iRhythm has shared your information
- Get a copy of this privacy notice
- Choose someone to act for you
- File a complaint if you believe your privacy rights have been violated
- Direct iRhythm to tell family and friends about your condition
- Share information in an emergency situation
- Allow iRhythm to market our services or sell your information
- Provide you with this notice of our legal duties and privacy practices
- Follow the privacy practices described in this notice
- Notify you in the event of a breach of your unsecured PHI
- Not use or share your information other than as described here unless you tell us we can
For a more detailed explanation of Our Uses and Disclosures, Your Rights, and Our Responsibilities please see the comprehensive explanations below.
Definition of PHI – Your Information iRhythm May Use
As used in this notice, the terms “Protected Health Information” or “PHI” include any information that we maintain that reasonably can be used to identify you and that relates to your physical or mental health condition, the provision of health care to you, or the payment for such health care. Examples of PHI we may collect to provide our diagnostic services include:
- Name, gender, and date of birth
- Insurance information
- Address and phone number
- Email address, password, and login
- Payment information
- Prescribing physician and office
- Primary indication
- ECG recording
- Symptoms and activities you report, by time and date
- Activity level during monitoring
- Patient identification number
- Clinical information and diagnostic results
Our Uses and Disclosures
I. How iRhythm Typically Uses or Shares Your Information
We may use or disclose your PHI to provide and manage diagnostic services for you. Our use and disclosure may include consulting with other health care providers about the diagnostic services we provide. For example, we will release the results of diagnostic services to the prescribing physician treating you, or in a medical emergency to the facility treating you.
We may use or disclose PHI to obtain payment for services or treatment provided to you. We may also disclose your PHI to a health care provider or plan to obtain payment of a claim or engage in other payment activities. For example, we may contact your insurer to determine whether it will pay for the services you received and the amount of any co-payment.
We may use or disclose PHI to operate our business, such as conducting quality assessment and improvement activities, conducting fraud and abuse investigations, communicating with you about health related benefits and services or treatment alternatives that may be of interest to you, and communicating with your health care provider or health plan. We may also use your PHI to create de-identified data, which is data that no longer identifies you, and may use this de-identified data for research, business planning, data analytics, and other lawful purposes.
II. How iRhythm May Use or Share Your Information
iRhythm is allowed or required to share your information in other ways – usually in ways that contribute to the public good, such as public health and research. iRhythm has to meet legal conditions before we can share your information for these purposes. For more information visit: www.hhs.gov/ocr/privacy/hipaa/understanding/consumers/index.html.
As Required By Law: We may use and disclose PHI when we are required to do so by law.
Business Associates: iRhythm may disclose your PHI to third parties known as business associates so that they may perform services for us. These third parties may be provided with access to PHI needed to perform their functions. iRhythm’s business associates are required, both in their contract with iRhythm and under applicable law, to protect the privacy of your PHI and are not allowed to use or disclose any PHI other than as specified in our contract with them.
Those Involved in Your Care or Payment for Your Care: We may share PHI with your family, close friends, or others involved in your care or payment for your care if you agree or do not object in certain circumstances. If you are not able to tell us your preference -- for example if you are unconscious -- we may share your PHI if we believe it is in your best interest.
For Emergency Notification: We may disclose your PHI in the event of an emergency (e.g., to a disaster relief organization) so that your family or other persons responsible for your care can be notified about your condition, status, and location.
Law Enforcement: We may disclose PHI for law enforcement purposes, or to a law enforcement official as required by law.
Legal Process and Proceedings: We may use and disclose PHI in response to a court or administrative order, subpoena, discovery request, or other lawful process.
Public Health and Safety: We may disclose PHI to public health authorities charged with preventing or controlling disease, injury, abuse, disability, or serious threat to health or safety, such as to the Food and Drug Administration for product safety purposes.
Health Oversight Activities: We may use and disclose your PHI to health oversight agencies for activities authorized by law, such as to conduct inspections, licensing, and investigate fraud and abuse.
To Avert a Serious Threat to Health or Safety: If there is a serious threat to your health and safety or the health and safety of the public or another person, we may use and disclose your PHI to someone able to help lessen the threat.
Research: We may use and disclose your PHI for research purposes under certain circumstances, including but not limited to circumstances where the research has been approved by an institutional review board or privacy board to ensure that the privacy of your information is protected.
Special Government Functions: We may use and disclose the PHI of military personnel or inmates or other persons in lawful custody under certain circumstances. We may also use or disclose to authorized officials for lawful national security activities and protective services for the President and others, as permitted under applicable law.
Workers’ Compensation: We may use and disclose PHI as permitted by workers' compensation and similar laws.
Death and Organ Donation: We may use and disclose PHI in certain circumstances with a coroner, medical examiner, or funeral director when an individual dies. We may also use or disclose your PHI regarding tissue or organ donation.
III. Other Uses and Disclosures
Some PHI, such as HIV information, genetic information, alcohol and/or substance abuse records, and mental health records, may be subject to additional confidentiality protections under state or federal law. If so, we are required to comply with those additional protections. Please contact us at the contact information below if you have questions about stricter state or federal privacy laws applicable to your PHI.
Uses and disclosures of PHI not described in this notice will only be made with your written authorization. We will obtain your written authorization before using or disclosing psychotherapy notes (iRhythm does not collect this type of information), selling your health information, or using or disclosing it for marketing purposes except in very limited circumstances permitted by federal privacy law. If you give us such authorization, you may revoke it in writing at any time. Your revocation will not affect any use or disclosure permitted by your authorization while it was in effect.
If you wish to exercise your rights regarding your PHI, please contact us in writing using the email address contained in the contact information listed at the end of this notice.
Access: You have the right to see, or obtain copies of, most health records we maintain about you. We may charge you a reasonable fee as allowed by law to obtain this information.
Amendment or Deletion: You have the right to request that we amend health records we maintain about you if you believe they are incomplete or incorrect. If we disagree, we will explain why and your rights.
Disclosure Accounting: You have the right to request and receive a list of certain non-routine disclosures made of your PHI. If you request this list more than once in a 12-month period, we may charge you a reasonable fee as allowed by law to respond to any additional request.
Use/Disclosure Rejection or Objection: You have a right to request that we restrict our use or disclosure of your PHI for certain purposes. We are not required to agree to a requested restriction, except in the case of a disclosure to a health plan for payment of health care operation purposes and when the PHI relates to a health care item or service for which you have paid in full. We will agree to other restriction requests provided that the law allows and we determine the restriction does not impact our ability to operate our business, provide diagnostic services, and comply with the law. Even when we agree to a restriction request, we may still disclose your PHI in a medical emergency and use or disclose your PHI for public health and safety and other similar public benefit purposes permitted or required by law.
Confidential Communication: You have the right to request that we communicate with you in confidence about your PHI at an alternative address or by an alternative method. For example, you can ask that we only contact you at work or by mail. To request confidential communications, you must make your request to the Privacy Officer at the contact information below. iRhythm will not ask you the reason for the request and will accommodate all reasonable requests. The request must specify how or where you wish to be contacted.
Privacy Notice: You have the right to request and receive a paper copy of this notice at any time, even if you have previously agreed to receive it electronically.
Complaints/Violations: If you believe that we have violated your privacy rights, you may submit a complaint to us using the contact information listed at the end of this notice. You may also submit a complaint to the U.S. Department of Health and Human Services by visiting www.hhs.gov/ocr/privacy/hipaa/complaints. We will provide you with the address for the U.S. Department of Health and Human Services upon request. We support your right to protect the privacy of your PHI. We will not retaliate in any way if you choose to file a complaint with us or with the U.S. Department of Health and Human Services.
- iRhythm is required by law to provide you with this notice of our legal duties and privacy practices.
- iRhythm is required to follow the privacy practices described in this notice and provide you with a copy of it.
- iRhythm is required by law to notify you in the event of a breach of your unsecured PHI.
- iRhythm will not use or share your information other than as described here unless you tell us we can in writing. If you tell us we can, you may change your mind at any time. Let us know in writing if you change your mind.
For more information see: www.hhs.gov/ocr/privacy/hipaa/understanding/consumers/noticepp.html.
CHANGES TO THIS NOTICE
We have the right to change our privacy practices and the terms of this notice at any time. We reserve the right to make any revised or changed notice effective for information we already have and for information that we receive in the future. You may obtain the most current notice by visiting the privacy section of our website, www.irhythmtech.com/content/privacy, or by contacting us at the contact information below.
If you have questions or would like additional information
iRhythm Technologies, Inc.
699 8th Street, Suite 600
San Francisco, CA 94103