HIPAA NOTICE OF PRIVACY PRACTICES

(“Notice”) Effective October 25, 2018
THIS NOTICE DESCRIBES HOW HEALTH INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.

We at TwelveStone Health Partners are required by law to maintain the privacy of Protected Health Information (“PHI”) and to provide you with notice of our legal duties and privacy practices with respect to PHI. References to “TwelveStone Health Partners,” “we,” “us,” and “our” include Walgreen Co. and the members of its affiliated covered entity. An affiliated covered entity is a group of organizations under common ownership or control who designate themselves as a single affiliated covered entity for purposes of compliance with the Health Insurance Portability and Accountability Act (“HIPAA”). TwelveStone Health Partners, its employees, workforce members and members of the TwelveStone Health Partners’ affiliated covered entity who are involved in providing and coordinating health care are all bound to follow the terms of this Notice of Privacy Practices (“Notice”). The members of the TwelveStone Health Partners’ affiliated covered entity will share PHI with each other for the treatment, payment and health care operations of the affiliated covered entity and as permitted by HIPAA and this Notice. For a complete list of the members of TwelveStone Health Partners’ affiliated covered entity, please contact the Privacy Office, PO Box 12369
Murfreesboro, TN 37129.

PHI is information that may identify you and that relates to your past, present, or future physical or mental health or condition, the provision of healthcare products and services to you or payment for such services. This Notice describes how we may use and disclose PHI about you, as well as how you obtain access to such PHI. This Notice also describes your rights with respect to your PHI. We are required by HIPAA to provide this Notice to you.

TwelveStone Health Partners is required to follow the terms of this Notice or any change to it that is in effect. We reserve the right to change our practices and this Notice and to make the new Notice effective for all PHI we maintain. If we do so, the updated Notice will be posted on our website and will be available at our facilities and locations where you receive health care products and services from us. Upon request, we will provide any revised Notice to you.

How We May Use and Disclose Your PHI

The following categories describe different ways that we use and disclose your PHI. We have provided you with examples in certain categories; however, not every permissible use or disclosure will be listed in this Notice. Note that some types of PHI, such as HIV information, genetic information, alcohol and/or substance abuse records, and mental health records may be subject to special confidentiality protections under applicable state or federal law and we will abide by these special protections. If you would like additional information about special state law protections, you may contact the Privacy Office, PO Box 12369
Murfreesboro, TN 37129 or visit www.TwelveStoneHealthPartners.com.

I.   Uses and Disclosures Of PHI That Do Not Require Your Prior Authorization
Except where prohibited by federal or state laws that require special privacy protections, we may use and disclose your PHI for treatment, payment and health care operations without your prior authorization as follows:

Treatment. We may use and disclose your PHI to provide and coordinate the treatment, medications, and services you receive. For example, we may disclose PHI to pharmacists, doctors, nurses, technicians and other personnel involved in your health care. We may also disclose your PHI with other third parties, such as hospitals, other pharmacies, and other health care facilities and agencies to facilitate the provision of health care services, medications, equipment, and supplies you may need. This helps to coordinate your care and make sure that everyone who is involved in your care has the information that they need about you to meet your healthcare needs.

Payment. We may use and disclose your PHI in order to obtain payment for the healthcare products and services that we provide to you and for other payment activities related to the services that we provide. For example, we may contact your insurer, pharmacy benefit manager or other health care payor to determine whether it will pay for healthcare products and services you need and to determine the amount of your co-payment. We will bill you or a third-party payor for the cost of healthcare products and services we provide to you. The information on or accompanying the bill may include information that identifies you, as well as information about the services that were provided to you or the medications you are taking. We may also disclose your PHI to other healthcare providers or HIPAA covered entities who may need it for their payment activities.

Health Care Operations. We may use and disclose your PHI for our health care operations. Health care operations are activities necessary for us to operate our healthcare businesses. For example, we may use your PHI to monitor the performance of the staff and pharmacists providing treatment to you. We may use your PHI as part of our efforts to continually improve the quality and effectiveness of the healthcare products and services we provide. We may also analyze PHI to improve the quality and efficiency of healthcare, for example, to assess and improve outcomes for healthcare conditions. We may also disclose your PHI to other HIPAA covered entities that have provided services to you so that they can improve the quality and effectiveness of the health care services that they provide. We may use your PHI to create de-identified data, which is stripped of your identifiable data and no longer identifies you.

We may also use and disclose your PHI without your prior authorization for the following purposes:
Business Associates. We may contract with third parties to perform certain services for us, such as billing services, copy services or consulting services. These third party service providers, referred to as Business Associates, may need to access your PHI to perform services for us. They are required by contract and law to protect your PHI and only use and disclose it as necessary to perform their services for us.

To Communicate with Individuals Involved in Your Care or Payment for Your Care. We may disclose to a family member, another relative, close personal friend, or any other person you identify, PHI directly relevant to that person’s involvement in your care or payment related to your care. Additionally, we may disclose PHI to your “personal representative.” If a person has the authority by law to make health care decisions for you, we will generally regard that person as your “personal representative” and treat him or her the same way we would treat you with respect to your PHI.

Food and Drug Administration (“FDA”). We may disclose to persons under the jurisdiction of the FDA, PHI relative to adverse events with respect to drugs, foods, supplements, products and product defects, or post-marketing surveillance information to enable product recalls, repairs, or replacement.

Worker’s Compensation. To the extent necessary to comply with a law, we may disclose your PHI to worker’s compensation or other similar programs established by law.

Public Health. We may disclose your PHI to public health or legal authorities charged with preventing or controlling disease, injury, or disability, including the FDA. In certain circumstances, we may also report work-related illnesses and injuries to employers for workplace safety purposes.

Law Enforcement. We may disclose your PHI for law enforcement purposes as required or permitted by law – for example, in response to a  subpoena or court order, in response to a request from law enforcement, and to report limited information in certain circumstances.

As Required by Law. We will disclose your PHI when required to do so by federal, state or local law.

Health Oversight Activities. We may disclose your PHI to an oversight agency for activities authorized by law. These oversight activities include audits, investigations, inspections, and credentialing, as necessary for licensure and for the government to monitor the health care system, government programs and compliance with civil rights laws.

Judicial and Administrative Proceedings. If you are involved in a lawsuit or a dispute, we may disclose your PHI in response to a court or administrative order. We may also disclose your PHI in response to a subpoena, discovery request, or other lawful process instituted by someone else involved in the dispute, but only if efforts have been made, either by the requesting party or us, to first tell you about the request or to obtain an order protecting the information requested.

TwelveStone Health Partners HIPAA NOTICE OF PRIVACY PRACTICES, click here to download a PDF copy.