Pharmacy Advantage RX

Notice of Privacy Practices

Effective Date: August 1, 2017

THIS NOTICE OF PRIVACY PRACTICES (Notice) DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN OBTAIN ACCESS TO SUCH MEDICAL INFORMATION. PLEASE REVIEW IT CAREFULLY.

OUR COMMITMENT TO PRIVACY

You have entrusted Henry Ford Health System with the responsibility of providing health care for you and your family. We are dedicated to maintaining your trust. We know that the privacy of your medical information is important to you. That’s why we take our responsibility to protect the privacy of your medical information very seriously.

This Notice describes how we protect your privacy as we provide services to you. It describes the medical information we collect about you, how we use it, and with whom we share it. This Notice also explains your rights and certain obligations we have regarding the use and disclosure of your medical information.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that provides protection for the privacy and security of medical information also known as protected health information (PHI). There are also other federal and state of Michigan laws and regulations that require medical information to be kept private and secured.

We are required by HIPAA to make sure that medical information that identifies you is kept private, give you this Notice explaining your rights and our privacy obligations and privacy practices concerning your medical information, and to follow the terms of the Notice that is currently in effect.

WHO WILL FOLLOW THIS NOTICE

Henry Ford Health System (HFHS) participates with its affiliates and other health care providers and organizations (Members) to perform treatment, payment, health care operations and jointly participate in various quality improvement, population health management and multiparty assessments activities as an organized health care arrangement (OHCA). This Notice applies to all OHCA Members who work jointly with various providers and facilities as well as the HFHS insurance division and its affiliates, to accomplish many goals, which include improving the quality and efficient delivery of your health care and participating in various quality measure programs. Please be mindful that your private doctor may have different notices and policies about the use and disclosure of your medical information created in his or her office or clinic.

By participating in this HFHS OHCA, OCHA Members who may be separate legal organizations can use and disclose PHI with each other to carry out the common purpose of providing you with excellent care, treatment and services, obtaining payment for those services and carrying out health care operations relating to our common purpose, unless the use or disclosure is not allowed by law.

Additionally, HFHS OHCA Members may contract with other trusted third parties (Business Associates) to assist with providing treatment, or obtaining payment or performing healthcare operational activities. When this happens, the Member is required to enter a Business Associate Agreement (BAA) with the Business Associate which requires the Business Associate to limit its use or further disclosure of your PHI to only those purposes allowed under state or federal law and requiring it to protect the privacy and security of your PHI at all times.

COMPLAINTS

If you have any questions about this Notice, or questions or complaints about the handling of your medical information, you may contact the Information Privacy & Security Office in writing, using the information below.

You may also send a written complaint to the Secretary of the United States Department of Health and Human Services. Under no circumstances will you be retaliated against for filing a complaint. Henry Ford Health System Information Privacy & Security Office One Ford Place, Suite 2A Detroit, Michigan 48202, (888) 434-3044MyComplianceReport.com (Access Code: HFH)

CHANGES TO OUR NOTICE

We may change our Notice from time to time. The changes will apply to all medical information about you that we have at the time of the change, and to all medical information about you that we keep in the future. Generally, the changes will take effect when they appear in a revised Notice. A copy of our current Notice will be posted in our facilities and will be available to all patients.

OUR USE AND DISCLOSURE OF YOUR MEDICAL INFORMATION

Each time you receive services from a HFHS hospital, physician or other health care provider, a record of your visit is made. Typically, this record contains your symptoms, examination, test results, diagnoses, treatment and a plan for future care or treatment. This information is often referred to as your health or ‘Medical Record’. This information, linked with your name or other identifying information is used in many ways such as providing care, obtaining payment for your care and for running our business. In addition, we may maintain PHI about employer sponsored health and wellness services provided to you, including services provided at your employment site. We will use the PHI to provide you medical treatment or services and will disclose the information about you to others who provide you medical care.

Uses and disclosures of your medical information for purposes described in this Notice may be made in writing, orally, electronically, or by facsimile.

Our use and disclosure of your medical information must comply with both Michigan and federal privacy laws regulations. There are also Michigan and federal laws and regulations that place additional restrictions on the use and disclosure of certain types of medical information, including medical information about mental health, substance abuse, HIV/AIDS conditions, and certain genetic information.

For example, in most cases your written consent is needed before using or disclosing psychotherapy notes (if recorded or maintained by us), documents related to your use of Suboxone, sending you marketing information about 3rd party products or services for which we are receiving direct or indirect payment, or the sale of medical information about you, unless it is otherwise allowed by law. Your consent can always be revoked in writing, but it will not apply to any uses or disclosures that were made before you revoked your consent.

GENERAL USE & DISCLOSURES THAT DO NOT REQUIRE WRITTEN CONSENT

As permitted by HIPAA, we may generally use or disclose your medical information without obtaining prior written consent from you to carry out the activities detailed below:

Treatment: We may use and disclose your medical information to provide you with medical care and any related services in our facilities or in your home. We may also share your medical information with others who provide care to you such as hospitals, hospices, nursing homes, doctors, nurses, physician assistants, residents, medical and nursing students, therapists, technicians, spiritual care providers, nutrition staff, volunteers, emergency service and transportation providers, medical equipment providers, pharmacies, and others involved in your care that may not be listed. In addition, different hospital departments may use or disclose your medical information to assist with filling your prescriptions, requesting lab work and x-rays along with other medical needs that may not be listed.

Payment: We may use and disclose your medical information as needed to get paid for the medical care that we provide to you or to assist others who care for you to get paid for that care. For example, we may share your medical information with a billing company or with your health insurance plan to obtain prior approval for your care or to make sure your plan will cover your care. You do have the right to request information to be withheld from your insurance company or third party payor if you make a request in writing about a specific treatment or service in advance, and you pay for the services in full before we provide the specific treatment or service to you at any of our facilities.

Health Care Operations: We may use or disclose your medical information for our quality assurance activities and as needed to run our healthcare facilities.We also may use or disclose your medical information to get legal, auditing, accounting and other services and for teaching, business management and planning purposes. We may use your medical information in combination with other patients’ medical information to compare our efforts and to learn where we can improve our care and services.We may disclose your medical information to businesses and individuals who perform services for us as long as they agree to protect the privacy of that information.

OTHER USE & DISCLOSURES THAT DO NOT REQUIRE WRITTEN CONSENT

As permitted by HIPAA, we may use or disclose your medical information without obtaining prior written consent from you to carry out the activities listed below:

Appointments Reminders: We may use your medical information to contact you about upcoming appointments by regular mail, text message, email and telephone.

On-Site Contacts: While you are in our facilities, we may call your name when the doctor or other provider is ready to see you. We may need to contact you by overhead paging or we may ask you to write your name on a sign-in sheet. In these instances, we will take reasonable precautions to protect your privacy.

Patient Reunions: We may hold reunions for various patient groups to celebrate their success in treatment. If you are or were part of such a patient group, we may use your medical information to invite you.

Treatment Alternatives, Health Benefits, Fundraising, and Marketing: We may use and disclose your medical information to contact you about treatment alternatives, health-related benefits, products or services or to provide gifts of nominal value to you or your family. We may also contact you to raise funds for Henry Ford Health System or any of its subsidiaries or affiliates.

Research: Under certain circumstances, we may use or disclose medical information about you, for research purposes. However, all research projects are closely monitored by an Internal Review Board (IRB) whose job is to protect the people (patients) participating in the research project, including the privacy and security of their medical information. Each research project must be cleared through a special IRB SHARED MEDICAL RECORD/HEALTH INFORMATION EXCHANGES (HIE) INCLUDING CARE EVERYWHERE® AND JACKSON COMMUNITY MEDICAL RECORD approval process before any medical information is disclosed to researchers. Except in very limited circumstances, researchers must then obtain your written authorization before using or disclosing your medical information for their research. Researchers must also ensure that your medical information is kept private and secure. In limited circumstances, researchers may also be allowed access to your health information if the information is limited to medical information accessed in preparation for conducting research (e.g., looking at medical records for patients who have a specific medical condition for research to find a cure), the information being reviewed relates to the research, and none of the medical information used in the preparation of research leaves the institution.

To Avert a Serious Threat to Health and Safety: We may use and disclose medical information about you when necessary to prevent a serious threat to your health and safety or the health and safety of another person.

Community/public health activities and reports: We may use and disclose medical information about you to public health federal, state or local agencies regarding disease control, abuse or neglect, and health and vital statistics.

Administrative oversight: We may use and disclose medical information about you related to activities such as accreditations, audits, investigations, licensure, or determining cause of death.

Law enforcement and legal mandates: We may disclose medical information about you to law enforcement officials as allowed by law, such as to comply with warrants, subpoenas, or summonses that are issued by a judicial officer or other properly authorized administrative requests or investigative demands. We disclose medical information in the course of any judicial or administrative proceeding, but only when ordered to do so by the court or administrative tribunal.

National Security and Intelligence Activities: We may disclose medical information about you to authorized federal officials for intelligence, counterintelligence and other national security activities as authorized by law.

Protective Services for the President of the United States and Others: We may disclose medical information about you to authorized federal officials so they may provide protection to the President, other authorized persons or foreign heads of state or to conduct special investigations.

Workers compensation or other rehabilitative activities: We may disclose medical information about you as required by law or insurers to provide benefits for work-related or victim injuries or illnesses for you.

Organ and tissue donation and transplant reports: We may use and disclose medical information about you as required by law as necessary to facilitate organ or tissue donation and transplant.

Coroners, Medical Examiners, and Funeral Directors: We may release medical information to a coroner, medical examiner or funeral director.

Inmates: We may release medical information about you to the correctional institution or law enforcement official if you are an inmate of a correctional institution or under the custody of a law enforcement official.

USE & DISCLOSURES TO WHICH YOU HAVE THE OPPORTUNITY TO OBJECT

As permitted by HIPAA, you may object to the following use or disclosures of your medical information:

Patient Directory: Unless you object and tell us not to, we will include certain limited information about you in the patient directory while you are a patient at any of our hospitals. This information may include your name, location in the hospital, your general condition as well as your religious affiliation and may also be released to people who ask for you by name.

Individuals Involved in Your Care or Payment for Care: Unless you object and tell us not to, we may disclose medical information about you to a friend or family member who is involved in your medical care or is responsible for paying for your care. Under unique circumstances, if you are an inpatient or in the emergency room we may share limited information with your family or friends about your condition and location. For example, if you are incoherent we may share your medical information with family members or friends to assist in providing quality care during your stay. In addition, we may disclose information about you to an organization like the Red Cross, the Federal Emergency Management Agency (FEMA) who is assisting in a disaster relief effort so that your family can be notified about your condition, status and location.

Media Condition Reports: Unless you object and tell us not to, we may release your medical information for an update to the media if the media requests information about you using your full name. The following information may be disclosed: your condition described in general terms such as “good”, “fair”, “serious”, or “critical”. You have the right to request that this information not be released.

SHARED MEDICAL RECORD/HEALTH INFORMATION EXCHANGES (HIE) INCLUDING CARE EVERYWHERE® AND JACKSON COMMUNITY MEDICAL RECORD

Spiritual Care: Unless you object and tell us not to, to carry our comprehensive care to our patients, we may disclose your medical information to chaplains or other spiritual care providers. As a part of our business operations, we automatically keep medical information about you in a community wide or shared electronic medical record system that allows HFHS facilities, providers and your primary care physician (if he or she participate in an HIE), the ability to receive copies of all treatment records, emergency records, laboratory, radiology and other test results, even if he or she did not order the test or treatment. We may also participate in various electronic HIEs that help other health care providers who provide you with care to access your medical information when needed. Unless you object and tell us not to, your medical information will be available to other HIEs such as Care Everywhere®, Jackson Community Medical Record (JCMR), or other providers who use EPIC software to create and maintain their electronic health record system. For example, if you are admitted on an emergency basis to a Hospital or facility unrelated to HFHS which participates in the same shared HIE medical record system that HFHS does including JCMR or Care Everywhere®, your medical information will be available electronically to those who need it to treat you. If you wish to opt-out of having your medical information included in an HIE, you have the right to request to do so in writing. If after choosing to opt-out you wish to opt-back-in, you may also do so in writing.

YOUR RIGHT TO OPT-OUT OF CERTAIN ACTIVITIES

Opt-Out Options: We may use and disclose your medical information in a HIE, when raising funds or conducting marketing campaigns as described in the sections above. In regard to fundraising, HFHS or our OHCA Members may participate in these activities and we ask that you aid us in our efforts, while being confident that we are protecting your medical information. If you wish to opt-out of any of these activities, you have the right to request to do so in writing. If after choosing to opt-out you wish to opt-back-in, you may also do so in writing.

YOUR INDIVIDUAL RIGHTS RELATED TO YOUR MEDICAL INFORMATION

You have specific ‘rights’ related to your medical information. Information about these rights and how you can exercise your rights are included below:

Access and Copies: You have the right to review, inspect or receive a copy of the medical information that we keep about you or anyone else that you have legal authorization to access medical information about. Please note that we may charge you for our costs related to your request. We may deny your request in very limited circumstances. For example, your request may be denied if a licensed health care professional determines, in his/her best professional judgment, that access to the requested information is reasonably likely to cause harm to you or another person or is reasonably likely to endanger the life or physical safety of the individual or another person. If you are denied, you may request that the denial be reviewed and a licensed health care professional will be chosen by us to review the request and denial. Some of our facilities maintain records for a 10-year period and in some instances your medical information may not be available due to our retention policy.

Disclosure List: You have the right to receive a list of your medical information disclosures, except for disclosures related to treatment, payment or healthcare operations that do not require your consent. You may submit a written request for a time-period up to six years from the date of disclosure. Your first request in a 12-month period is free. After that, we may charge for additional requests.

Amendments: You have the right to submit a written request to amend your medical information, if you believe that information in your medical record is incorrect or that information is missing. We may deny the request if it is not in writing or if it does not include a reason to support the request. In addition, your request may be denied if our information is complete and accurate, if the medical information was not created by us, if the information is not part of the medical information kept by or for us, or is not part of the information that you would be permitted to inspect and copy under certain circumstances. We cannot remove or change the information in the record. If your request is granted, we will add in the supplemental information by an addendum.

Restrictions: You have the right to submit a written request to restrict how we use or disclose your medical information. We will send you a written response informing you about our ability to honor your request. For example, if you pay for a specific service in full completely out of pocket before you receive the service and ask us not to disclose information about that service to your insurance company, we will abide by your request.

Confidentiality: You have the right to request that your medical information be shared with you in a confidential manner, such as at work rather than at home. If you request for us to email your medical information to you, we will do so securely unless otherwise authorized by you or your legal designee.

Copies of our Notice: You have a right to receive a copy of our current Notice. If this Notice was previously sent to you electronically, you may request a paper copy at any time.

Notification of a Breach: You have a right to be notified in writing if there is a breach in the privacy or security affecting your medical information.

EXERCISING YOUR RIGHTS AND OPTING OUT

To exercise any of the rights listed above or to opt-out or object to a specific use or disclosure, please send a written request to our Information Privacy & Security Office. To help with your request you can download or receive the appropriate form(s) by: Visiting https://www.henryford.com/-/media/files/henry-ford/patients-visitors/security-and-privacy/requesting-opt-out-form—p05.pdf?la=en Or, if you do not have access to a computer, call our Integrity Line at (888) 434-3044 and request that the correct form be mailed to you. Completed forms can be submitted via: Mail: Information Privacy & Security Office, 1 Ford Place, Suite 2A, Detroit, MI 48202 Email: IPSO@hfhs.org Fax: (313) 874-9449

WHO TO CONTACT

If you have questions related to the organized healthcare arrangement or information detailed in this Notice, please contact the Information Privacy & Security Office at ipso@hfhs.org or by calling (313) 874-9561.