Notice of Privacy Practices for Protected Health Information
What follows is the information our lawyers want you to know so that you and The Prevention Plan are protected. What the people who work at U.S. Preventive Medicine (the company that brings you this program) want you to know is that we try to employ the Golden Rule in every decision we make about you, your health and your privacy.
This Privacy Statement was last updated on September 8, 2010. If you have not reviewed it since that date, please do so. You will not receive any other notice of changes to this statement. Privacy Information for The Prevention Plan™, thepreventionplan.com and U.S. Preventive Medicine, Inc.
THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
In the course of providing services to you through The Prevention Plan, U.S. Preventive Medicine ("USPM") is committed to the privacy of your personally identifiable health information and will use strict privacy standards to protect it from unauthorized use or disclosure. This Notice informs you of USPM's privacy practices and of certain rights available to you under applicable federal and state law.
Overview of Policies. USPM is required by law to implement policies designed to maintain the privacy of your personally identifiable health information that is transmitted or maintained by USPM. This Notice refers to such health information as Protected Health Information, or “PHI.” USPM is required to make this Notice available to you to inform you about:
- Our policies regarding use and disclosure of your PHI; and
- Your privacy rights and other rights with respect to your PHI, including the right to file complaints with USPM or with the Secretary of the United States Department of Health and Human Services (the “Secretary”).
Effective Date. The effective date of this Notice, and of the policies described below, is January 1, 2008 (the "Effective Date"). USPM's use or disclosure of your PHI from and after the Effective Date will be governed by the policies described in this Notice.
Who Is Covered By This Notice? This Notice applies both to USPM and to its independent contractors who will provide you with health-related services under The Prevention Plan. Such independent contractors include physicians who will review your health records and nurses and other licensed professionals providing you with coaching services as part of The Prevention Plan.
USPM is required by law to secure, and will secure, their written agreement to abide by the policies described in this Notice before they provide you with any services. USPM’s outside prevention partners (such as weight loss centers and health clubs) are not affiliated with USPM and are not covered by the policies described in this Notice. “Prevention partners” are independently contracted parties whose services are not controlled by USPM or included in services offered by The Prevention Plan. U.S. Preventive Medicine, Inc., (and referred to as ‘USPM’ 'The Prevention Plan™' 'we' 'us' 'our'), the operator of this Website, recognizes the confidentiality of information that may be disclosed by Members in registering for or participating in The Prevention Plan and we are committed to protecting your privacy. The following discloses our information gathering and dissemination practices for this Website.
The specifics of our use of personal information are best described in the answers to the following Frequently Asked Questions:
Do you ask for personal information from your members?
Yes. We ask for your name, e-mail address, certain health and medical information and other limited personal information when you sign up as a member, when you use features such as My Activities, and when you enroll in preventive medicine action plans and services with us. We may ask for similar information at other times, such as when you access other features of our site and when you enter sweepstakes or other promotions sponsored by us and/or one of our partners. And if you are an individual Member, and not covered by an Agreement with your employer to pay USPM for our services to you, to facilitate payment and fulfillment in connection with membership, we will request personal credit card, debit card or other payment information.
As a Member of The Prevention Plan™, you can also choose to share further information about yourself, relating to The Prevention Plan™ and/or your health and information interests. The type and quantity of profile information you share in this way is entirely your choice. Information about some of your activity on the site, such as health and activity records you save, will be used by us to help you define goals and perform activities which may help you meet those goals.
How do you use my personal information?
The primary use of your personal information and personal health information, is to efficiently provide you with personalized, relevant information regarding your health status, risks and activities.
We will also use registration information to let you know about new features or other offers of interest from us and to address customer service needs and requests. We do not sell, rent or otherwise distribute the personal information you provide us, except as required by or allowed by law
Will you disclose any of my personal information to third parties?
We will not disclose your personal health information provided in connection with membership registration or activities, except as described in this Privacy Statement or as may be required or allowed by law, or to protect our rights or property.
Information submitted by you online (such as information about your personal health status, history and/or activities, your name, address, e-mail address) may be used by USPM to design new activities, information sets, quality review and process improvement purposes and for assisting you in defining your health goals, your activities to meet those goals and to improve your experience with The Prevention Plan™. We will not, except as may be required by law, share with any other party your password or payment information.
Other circumstances where limited personal information may be disclosed are specifically described when the data is collected, or in the rules of sweepstakes or other promotions.
We do reserve the right to disclose de-identified, aggregated user statistics, such as "45 percent of our users are female" or "10,000 members indicate an interest in hypertension" in order to describe our services to prospective partners, advertisers, and other third parties.
Under protection of confidentiality agreements, we use third party processors in some cases to help us provide services and manage our Websites and relationships with you. These may include data-base management and information technology services, credit card processing, removing duplicate information from lists and providing other customer services. Third-party processors and providers will be given access only to that information needed to perform their support functions, and they are regulated and bound by the same confidentiality and legal requirements as we are.
As our business continues to grow, we might buy or sell subsidiaries or business units. In these transactions, customer information is often one of the transferred assets, remaining subject to promises made in existing privacy statements. Also, in the event that The Prevention Plan™, or substantially all of its assets are acquired, customer information will, as a matter of course, be one of the transferred assets.
What about Genetic Information?
Due to the Genetic Information Nondiscrimination Act of 2008 (GINA), employers are no longer allowed to inquire about genetic information regarding employees and their dependents. Genetic information means, with respect to any individual, information about such individual's genetic tests, the genetic tests of family members of such individual, and the manifestation of a disease or disorder in family members of such individual. A genetic test does not include a cholesterol test, blood glucose test or test for the presence of alcohol or drugs. Though all conversations and communications with your health coach are private and confidential, employees and dependents who receive this benefit from their employer are encouraged NOT to disclose any genetic information as described above. If your employer offers an incentive program, the incentive is solely based upon enrollment and engagement; members are NOT required to complete the family history section of the assessments in this portal or share any genetic information in order to receive the participation incentive. Completion of any Assessments and/or disclosure of genetic information between you and your Prevention Specialist are completely voluntary.
What about purchases from Prevention Plan Partners or other linked Websites?
If you click away from thepreventionplan.com to visit the Website of any third party, you may be asked for your credit card or other personal information in order to purchase or use products and services offered. These companies have their own privacy and data collection practices. We have no responsibility or liability for these independent policies. You should therefore review their privacy policies carefully if you have concerns about how your information may be used.
Will you use my information for direct mailings?
We will send electronic mail or other mail to you, for the purpose of informing you of changes or additions to The Prevention Plan™, or to thepreventionplan.com website or regarding prevention related products and services. If you do not want to receive such mailings, you may opt out at any time by using the unsubscribe link listed in the e-mail.
Do you use "IP Addresses" and "cookies"?
IP Addresses: We do use your IP address to help diagnose problems with our server, and to administer our Website. Your IP address is also used to gather broad demographic information such as geographic distribution of our members and may be used to “geolocate” our members to allow us to provide services appropriate to your place of residence.
What else should I know about privacy?
The following details a few key issues mentioned in context above:
Member Profiles When you sign up as a member, you are provided with a member profile pre-populated with your chosen user name and, as you use the site, with other information.
Additional Services If you purchase additional services from us, additional policies may apply regarding how we maintain and use that information and your rights to control that information.
Contests & Promotions *The Prevention Plan sponsors various drawings/contests throughout the year based on member registration and participation. Members who are randomly selected as winners will have their name, city and state published on The Prevention Plan website, identifying them as a winner of said drawing/contest. If you prefer to not be identified as a winner and have your name, city and state published, you can opt out of these drawings at anytime by sending an email to MemberCare@thepreventionplan.com stating your wish to opt out of all Prevention Plan sponsored drawings/contests.
Individual prize winners are selected in a random drawing conducted by Sponsor (U.S. Preventive Medicine, Inc.) from among all eligible Prevention Plan members, nationwide. Odds of winning depend on the number of eligible members. The potential winner is subject to verification and must be a member at the time the prize is awarded. The potential winner will be notified by announcement on The Prevention Plan’s website, email, mail or phone, in Sponsor’s discretion. The potential winner will be required to sign and return to Sponsor, within thirty (30) days of the date notice or attempted notice is sent, any prize claim paperwork provided by the Sponsor. If the potential winner is unreachable or fails to respond to any notification during a period of thirty (30) consecutive days (Sponsor may elect not to leave messages on answering machines), or if the potential winner fails to respond or fails to sign and return the prize claim paperwork within the required time period, or if any attempted notification or prize delivery is returned as undeliverable, the potential winner may be disqualified and an alternate winner may be selected. The potential winner must continue to comply with all terms and conditions and winning is contingent upon fulfilling all requirements. U.S. Preventive Medicine employees and their family members are not eligible for prizes.
Prizes are awarded “as is” with no warranty or guarantee, either expressed or implied by Sponsor (U.S. Preventive Medicine, Inc.). Prizes (or portions thereof) may not be transferred, assigned, redeemed for cash or substituted, except that the Sponsor may substitute a prize with a prize (or portion thereof) of comparable or greater value at its sole discretion. All income, federal, state and local taxes on prizes and any other costs and expenses associated with prize acceptance and use not specified herein as being provided are the Winner’s sole responsibility. Winner will be issued an IRS Form 1099 as required by federal law.
Contacting Us If you have any questions about this Privacy Statement, the practices of or your dealings with this Website, you may contact us at the following address:
The Prevention Plan™
Customer Care Center
12740 Gran Bay Parkway
Jacksonville, FL 32258
I. Use and Disclosure of Protected Health Information
A. Required Uses and Disclosures. USPM is required to disclose your PHI as follows:
(1) USPM must permit you to inspect and copy your PHI (with certain exceptions) upon request.
(2) USPM is required to disclose your PHI upon request to the Secretary in connection with the Secretary’s investigation of USPM’s compliance with federal privacy regulations.
B. Uses and Disclosures That Are Permitted Without Your Consent or Authorization.
USPM is permitted to use and disclose your PHI without obtaining your consent or authorization in connection with certain health information review and payment activities, health care operations, and other limited activities described below. This section describes how USPM will use or disclose your PHI under such circumstances.
(1) Health Information Review. Health Information Review is the review of family and current medical history and lifestyle activities that are self-reported by Prevention Plan recipients, together with the review of laboratory results generated by third party health professionals as part of The Prevention Plan. Health Information Review also includes the use of such information to create the Prevention Plan Report and other advisory materials delivered as part of The Prevention Plan. USPM may disclose your PHI to your physician if you so direct, as well as to third party health care professionals who are under contract with USPM and provide you with recommendations regarding your prevention activities. For example, USPM may disclose your PHI to
(i) physicians who provide you the physician review component of your Prevention Plan and
(ii) nurses and other persons providing you with coaching services.
(2) Payment. Payment includes, but is not limited to, the preparation and submission of invoices and other actions required to secure payment for services provided by USPM (such as billing and collection activities). Use and disclosure of your PHI for payment-related purposes may include disclosure to any person responsible for payment with respect to USPM’s services, including your employer and billing and/or collection companies. USPM will limit disclosure of your PHI to the minimum necessary to secure payment for its services.
(3) Health Care Operations. Health Care Operations include most of USPM’s business operations involving its Prevention Plan services. They include (a) quality review and improvement programs; (b) reviewing qualifications and competence of health care providers; (c) legal services and auditing; (d) business planning and development; and(e) other general business and administrative functions. Subject to applicable state law, USPM may use and disclose your PHI as needed for its Health Care Operations and for certain operations of other health care providers and health plans. For example, USPM may use PHI as part of its quality review process, to confirm that USPM and its independently contracted health care providers are providing you with the highest quality of prevention advice.
(4) Prevention Alternatives; Related Benefits and Services. USPM may use your PHI to contact you with coaching services and to inform you of (i) possible prevention options or alternatives, or (ii) health-related benefits or services that may be of interest to you.
(5) Drawings and Contests. The Prevention Plan sponsors various drawings/contests throughout the year based on member registration and participation. Members who are randomly selected as winners will have their name, city and state published on The Prevention Plan website, identifying them as a winner of said drawing/contest. If you prefer to not be identified as a winner and have your name, city and state published, you can opt out of these drawings at anytime by sending an email to MemberCare@thepreventionplan.com stating your wish to opt out of all Prevention Plan sponsored drawings/contests.
C. Uses and disclosures for which USPM is not required to secure your consent or authorization or provide you with the opportunity to object. USPM may use or disclose your PHI without your consent or authorization, and without giving you the opportunity to object, as follows:
(1) When the use or disclosure is required by law.
(2) When permitted or required for purposes of public health activities, including reports to public health authorities authorized by law to collect or receive information for the purpose of preventing or controlling disease. USPM does not generally collect such information.
(3) When authorized by law and in a manner consistent with applicable law, to report information about abuse, neglect or domestic violence to public authorities.
(4) USPM may disclose your PHI to a public health oversight agency for health oversight activities authorized by law. This includes uses or disclosures in civil, administrative or criminal investigations; inspections; licensure and disciplinary actions; and other activities necessary for appropriate oversight of the health care system or government benefit programs.
(5) USPM may disclose your PHI in the course of any judicial or administrative proceeding (e.g., in response to a subpoena or discovery request), subject to certain conditions. One of these conditions is that, if the subpoena or discovery request is not accompanied by a court order, written assurances must be given to USPM that (i) the requesting party has made a good faith attempt to provide written notice to you, together with information sufficient to permit you to raise an objection, and (ii) you did not object or any objections were resolved in favor of disclosure by the court or tribunal.
(6) When required for law enforcement purposes, as set forth in federal privacy regulations (for example, to report certain types of wounds). USPM may also release certain PHI (i) upon request to law enforcement officials for the purpose of identifying or locating a suspect, material witness or missing person, and (ii) about an individual who is or is suspected to be a victim of a crime, if the individual agrees to the disclosure or USPM is unable to obtain the individual's agreement because of emergency circumstances and certain other conditions are met.
(7) To a coroner or medical examiner for the purpose of identifying a deceased person, determining a cause of death or performing other duties, as authorized by law.
(8) When consistent with applicable state law, if USPM believes in good faith that the use or disclosure of PHI is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public and the disclosure is to a person reasonably able to prevent or lessen the threat, including the target of the threat.
(9) In compliance with workers' compensation or other similar programs established by law.
D. Uses and disclosures that require your written authorization. Except as otherwise indicated in this Notice, USPM will use and disclose your PHI only with your written authorization. Uses and disclosures requiring written authorization may include, for example, the use or disclosure of PHI for marketing purposes. If you authorize USPM to use or disclose your PHI in a manner described in this paragraph, you have the right to revoke that authorization, in writing, at any time. If you revoke your authorization, USPM will thereafter refrain from using or disclosing your PHI in the manner described in the authorization.
E. Your Prevention Score™. In some cases, as a condition of your participation in an employer-sponsored incentive program or in order to enroll in the employer-sponsored Prevention Plan™, your employer will require you to disclose your Prevention Score™ level. Your Prevention Score™ is not protected health information. This is for several reasons, the first being that the numeric value does not contain any of your personally identifiable medical information. The value is also linked to how proactive you are about your health as rated through your participation in wellness activities and the direct outcomes of that participation. The Prevention Score ™ has also been designed so that it has several other safeguards to ensure that your personal health information is protected. This includes the fact that USPM will only be sharing the Prevention Score™ level you reached (Level 1-4) and will never individually identify you to your employer as having a certain medical condition. By enrolling in the employer-sponsored Prevention Plan™, and by agreeing to these terms and conditions, you agree to allow USPM to disclose your Prevention Score™ level to your employer on your behalf.
II. Your Rights Regarding Protected Health Information
You have certain rights regarding PHI held or maintained by USPM. This section summarizes those rights
A. Right to Request Restrictions on Use and Disclosure. You have the right to request restrictions (in addition to those described in this Notice) on our use and disclosure of PHI under Section I.B, above. USPM is not required to agree with your request. If we do agree, we will comply with your request unless the use or disclosure of the PHI in question is required for your physician or another health care provider to provide you with emergency treatment. If you wish to request a restriction or limitation on our use or disclosure of PHI under this paragraph, you must make your request in writing to USPM’s Privacy Officer at the address set forth above. Upon receiving your request, we will notify you if we agree to your requested limitations.
B. Right to Receive Confidential Communications. You have the right to request that you receive communications of PHI from USPM in a certain way or at a certain location. For example, you may request that USPM communicate with you only at work or by mail. To request confidential communications, please submit your request in writing to USPM’s Privacy Officer at the address set forth above. You are not required to provide a reason for your request, and USPM will accommodate reasonable requests. Please be sure to specify how or where you wish to be contacted.
C. Right to Inspect and Copy Medical Information. Subject to certain limitations, you have the right to inspect and obtain a copy of your PHI. This includes most PHI maintained by USPM, except for information compiled by USPM in anticipation of legal proceedings. If you wish to inspect and copy your PHI, you must submit a written request to USPM’s Privacy Officer at the address set forth above. USPM may charge a fee to cover the cost of providing you with a copy of your PHI. USPM is also permitted to deny your request to inspect and copy PHI under certain limited circumstances. If we deny your request, you may (under most circumstances) request that the denial be reviewed by a licensed health care professional selected by USPM. We will thereafter comply with the decision of the reviewing official. USPM will respond to all requests for access to PHI under this paragraph within 30 days by (i) providing the requested access and/or copies of the requested information; (ii) notifying you in writing of our denial of your request and the reasons for our denial; or (iii) notifying you in writing that we are not able to respond within 30 days and of the date on which you may expect a response.
D. Right to Amend PHI. You have the right to request that USPM amend PHI if you believe that such information is inaccurate or incomplete. Your request must be in writing and directed to USPM’s Privacy Officer at the address set forth above. Your request must contain your reason for believing that such information is inaccurate or incomplete. USPM may deny your request for amendment if it determines that the information at issue is accurate and complete or that it: (1) was not created by USPM, unless you submit evidence providing a reasonable basis to believe that the originator of the PHI is not available to make the amendment; (2) is not part of the medical information maintained by USPM; or (3) is not part of the PHI that you have the right to inspect and copy (as described in Section II.C, above).
USPM will respond to all requests under this paragraph within 60 days by either (a) agreeing to make the requested amendment(s); (b) notifying you in writing of the denial of your request and the reasons for denial; or (c) notifying you in writing that we are not able to respond within 60 days and of the date on which you may expect a response. If USPM denies your request, you have (i) the right to submit a written statement disagreeing with our denial, which will become part of your PHI, and (ii) certain additional rights. Your additional rights and the manner in which a statement of disagreement should be submitted will be described in greater detail in USPM’s denial of your request.
E. Right to an Accounting of USPM's Use and Disclosure of Your PHI. You have the right to request an “accounting,” or list, of all disclosures by USPM of your PHI other than disclosures that are (i) described in Sections I.A(1), I.B or I.E of this Notice; (ii) made for national security or intelligence purposes; or (iii) made to law enforcement officials. Your request for an accounting must be submitted in writing to USPM’s Privacy Officer at the address set forth above. We are not required to list disclosures occurring more than 6 years prior to the date of your request. USPM will respond to all requests under this paragraph within 60 days by either (a) providing you with the requested accounting, or (b) notifying you in writing our inability to respond within 60 days and of the date on which you may expect a response. If you request more than one accounting within a 12 month period, we will impose a fee to cover our costs in providing the requested information.
F. Right to Paper Copy. You have the right to receive a paper copy of this Notice, even if you have received a copy of this Notice electronically, upon request, by submitting a written request to USPM’s Privacy Officer. If you desire to receive a paper copy of this Notice, you may do so by calling Member Care at (866) 713-1180.
III. Other Requirements with respect to PHI
A. Minimum Necessary Standard. When using or disclosing PHI or when requesting PHI from another covered entity, USPM is required to make reasonable efforts not to use, disclose or request more than the minimum amount of PHI necessary to accomplish its intended purpose, taking into account practical and technological limitations. However, the “minimum necessary” standard described in this paragraph does not apply to: (i) disclosures by USPM for Health Information Review purposes; (ii) disclosures to or requests by a health care provider for treatment purposes; (iii) disclosures made to or authorized by you; (iv) disclosures to the U.S. Department of Health and Human Services; or (v) uses or disclosures that are required by law or for USPM to comply with the law.
B. Personal Representatives. You may generally exercise your rights through a personal representative, who will be required to produce evidence of his/her authority to act on your behalf before being given access to your PHI or allowed to take any action for you. Proof of such authority may take one of the following forms: (1) a power of attorney for health care purposes, notarized by a notary public; (2) a court order appointing the person as your conservator or guardian; (3) an individual who is the parent of a minor child; or (4) any other form permitted by applicable state law.
USPM retains the discretion to deny access to PHI to a personal representative in order to protect any person who depends on others to exercise his or her rights and who may be subject to abuse or neglect.
C. De-identified Information. This Notice does not apply to information that does not identify an individual if there is no reasonable basis to believe that the information can be used to identify an individual.
IV. Changes to this Notice
USPM is required by law to maintain the privacy of your PHI and to make this Notice available to you. For so long as this Notice remains in effect, USPM is required by law to comply with the terms of this Notice. However, we reserve the right to change this Notice at any time and in any manner that is permitted under applicable law, and to make the new Notice provisions effective for all PHI that we possess on the date of the amendment or thereafter receive or generate. If we change the contents of this Notice, we will promptly post a copy of the revised Notice in a clear and prominent location on our website and make copies of the revised Notice available. In addition, you may always request a copy of the current Notice at any time, as described above.
You have the right to file a complaint with USPM or with the Secretary if you believe that your privacy rights have been violated. If you wish to file a complaint with USPM, please contact USPM’s Privacy Officer in writing at The Prevention Plan, PO Box 56863, Jacksonville, FL 32241, or (ii) by telephone, at 1 (866) 713-1180. All complaints must be submitted in writing. USPM will not penalize or discriminate against you in any manner if you choose to file a complaint.
VI. Safe Harbor Compliance
The USPM complies with the U.S.-EU Safe Harbor Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information from European Union member countries. The company has certified that it adheres to the Safe Harbor Privacy Principles of notice, choice, onward transfer, security, data integrity, access, and enforcement. To learn more about the Safe Harbor program, and to view the company’s certification, please visit www.export.gov/safeharbor. Any Dispute arising regarding the collection, use, and retention of personal information from European Union member countries will be resolved under the rules of the American Arbitration Association, as part of its International Centre for Dispute Resolution/American Arbitration Association (ICDR/AAA).