Dear Kashi Clinical Laboratories Customer: This Notice of Privacy Practices describes how Kashi Clinical Laboratories, its employees, and volunteers may use and disclose your protected health information (PHI) for purposes of testing, payment and health care operations, and for other purposes that are allowed or required by law. Protected health information is defined as individually identifiable health information that is maintained or transmitted in any form or medium. These rights and responsibilities are established once a client engages in a contract with Kashi Clinical Laboratories. Kashi Clinical Laboratories strongly believes in protecting the confidentiality and security of information that we collect from and about you. Kashi Clinical Laboratories has certified its participation, and compliance with the U.S.-EU Safe Harbor Framework and the U.S.-Swiss Safe Harbor Framework as set forth by the U.S. Department of Commerce regarding the transfer of personal information from European Union member countries and Switzerland to the United States. The principles of Safe Harbor compliance are notice, choice, onward transfer, security, data integrity, access, and enforcement. Additional information about the Safe Harbor principles and certification process can be found at http://www.export.gov/safeharbor. This notice refers to Kashi Clinical Laboratories as KCL from here forth.
I. Responsibilities of KCL
a. KCL agrees to not use or disclose protected health information other than as allowed or required by this agreement or as required by law.
b. At the request of a client, KCL agrees to restrict or limit the medical information used or disclosed for the purposes of testing, payment, and other operations.
c. KCL is not bound to agree to a restriction requested by a client as delineated in Section 1(b).
d. KCL agrees to document such disclosures of protected health information and information related to such disclosures as would be required for the covered entity to respond to a request by a client for an accounting of disclosures of protected health information in accordance with 45 CFR § 164.528.
e. KCL agrees to use appropriate precautions to prevent use or disclosure of the protected health information other than as provided for by this agreement.
f. KCL agrees to diminish, to the extent practicable, any harmful effect that is known to KCL of use or disclosure of protected health information by KCL in violation of the requirements of this agreement.
g. KCL agrees to report to its clients and/or their covered entities any use or disclosure of the protected health information not provided for by this agreement.
h. KCL agrees to ensure that any agent who is provided with the client's protected health information agrees to the same restrictions and conditions that apply through this agreement with respect to the protected information.
i. KCL agrees to provide access, at the request of its client to their own protected health information in a designated record set, or, as directed by the client, to its covered entity or to an individual in order to meet the requirements and comply with the exceptions within the Code of Federal Regulations under 45 CFR § 164.524.
j. KCL agrees to make any amendment(s) to protected health information at the request of a client and/or its covered entity in compliance and with the exceptions delineated in 45 CFR § 164.526.
k. KCL reserves the right to deny requests for amendment(s) as delineated in Section 1(j).
l. KCL agrees to accept appeals to denial of clients' request for amendment(s) as delineated in Sections 1(j) and 1(k).
m. KCL agrees to make internal practices, books, and records, including policies and procedures and protected health information, relating to the use and disclosure of protected health information received from, created or received by KCL on behalf of a client and/or its covered entity available to the covered entity, or to the secretary, in a time and manner designated by the secretary, for purposes of the covered entity complying with this agreement.
n. KCL agrees to provide to the covered entity, information collected in accordance with Section 1(b) of this agreement, to permit the covered entity to respond to a request by a client for an accounting of disclosures of protected health information in accordance with 45 CFR § 164.528.
II. Rights of KCL
a. Unless it is otherwise indicated in this agreement, KCL may use protected health information for the proper management and administration of KCL as well as meeting the legal responsibilities of KCL.
b. Unless it is otherwise indicated in this agreement, KCL may disclose protected health information for the proper management and administration of the Business Associate, unless the disclosures are required by law, or KCL obtains reasonable guarantees from the individual to whom the information is disclosed that the information will remain confidential and used or further disclosed only as required by law or for the purpose for which it was disclosed to the individual, and the individual notifies KCL of any instances of which it is aware in which the confidentiality of the information has been breached.
c. Unless it is otherwise indicated in this agreement, KCL may use protected health information to provide data aggregation services to the covered entities as permitted by 45 CFR § 164.504(e)(2)(i)(B).
d. KCL may use protected health information to report violations of law to appropriate federal and state authorities, consistent with 45 CFR § 164.502(j)(1).
III. Responsibilities of Covered Entities
a. A covered entity shall notify KCL of any limitation(s) in its notice of privacy practices of the covered entity in accordance with 45 CFR § 164.520, to the extent that such limitation may affect KCL's usage or disclosure of protected health information.
b. A covered entity shall notify KCL of any changes in, or rescinding of, permission by the client to use or disclose protected health information, to the extent that such changes may affect KCL's use or disclosure of protected health information.
c. A covered entity shall notify KCL of any restriction to the use or disclosure of protected health information that the covered entity has agreed to, in accordance with 45 CFR § 164.522, to the extent that such restriction may affect KCL's use or disclosure of protected health information.
d. A covered entity shall not request KCL to use or disclose protected health information in any manner that would not be permissible under this agreement if done by the covered entity.
e. An exception to Section 3(d) is permissible if KCL will use or disclose protected health information for data aggregation or management and administrative activities of KCL.
IV. Clients' Rights to Revocation of Protected Health Information
(1) A client may not revoke authorization for the information that had been utilized by KCL up to the point of revocation.
(2) A client may not revoke authorization that was obtained as a condition of attaining insurance coverage for the services rendered by KCL
V. Questions and Complaints
a. Kashi Clinical Laboratories Inc. is required by the Health Insurance Portability and Accountability Act (HIPAA) to provide this notice to clients and/or covered entities. Please contact Kashi Clinical Laboratories Inc. for additional information regarding KCL's compliance with HIPAA regulations and general privacy policies of the company.
b. If a client believes that his/her privacy rights have been violated, they have the right to file a complaint with KCL through writing to: Kashi Clinical Laboratories Inc., 10101 SW Barbur Blvd., Suite 200, Portland, OR 97219. The Client may also file a complaint with the Secretary of the Department of Health and Human Services at: Health and Human Services, Office of Civil Rights, U.S. Department of Health and Human Services, Atlanta Federal Center Suite 3B70, 61 Forsyth St. SW, Atlanta, GA 30303-8909; phone: (404)562-7886. www.hhs.gov