NOTICE OF PRIVACY PRACTICES
Effective date: September 1, 2013
Latest Revision: November 1, 2022
THIS NOTICE DESCRIBES:
PLEASE REVIEW IT CAREFULLY
This notice describes our legal duties, privacy practices and your patient rights as determined by the Health Insurance Portability and Accountability Act (HIPAA) of 1996 as amended from time to time. We follow the terms of this Notice.
We are required by law to:
Caris also has a separate website privacy statement for how we collect and use personal information about you when you visit our website. This statement can be viewed by visiting the following link: https://www.carislifesciences.com/website-privacy/
HOW CARIS MAY USE AND DISCLOSE YOUR PROTECTED HEALTH INFORMATION
We use your Protected Health Information (PHI) for treatment, payment, or healthcare operations purposes and for other purposes permitted or required by law. Not every use or disclosure is listed in this Notice, but all of our uses or disclosures of your PHI will fall into one of the categories listed below.
For Treatment: Caris may provide PHI about you to your personal physician. We may disclose PHI about you to the appropriate doctors, nurses and health care personnel who you have authorized.
For Payment: Caris may use and disclose PHI about you so that the treatment and services you receive may be billed to and payment may be collected from you, an insurance company, or a third party. For example, we may send a claim to an insurance company that identifies you and the procedures you received from us. Your diagnosis may also be disclosed.
For Health Care Operations: Caris may use and disclose PHI about you for operational reasons. These uses and disclosures are necessary for us to make sure that all of our patients receive quality care. For example, we may use PHI to review the quality of our services and to evaluate the performance of our staff.
Business Associates: We may provide your PHI to other companies or individuals to assist us in providing specific services requiring the use and disclosure of PHI. These other entities, known as “business associates,” are required to maintain the privacy and security of PHI. Our business associates must only use your PHI for the services they perform on our behalf. For example, we may provide PHI to companies that assist us with billing of our services. We may also use an outside collection agency to obtain payment when necessary. As of February 17, 2010, business associates have independent HIPAA compliance obligations.
Caris may also use or disclose your PHI without your authorization or providing you the opportunity to agree or object in the following situations:
As Required By Law: Caris will disclose PHI about you when required to do so by federal, state, or local law. Special situations that would fall under this category include, but are not limited to:
To Avert a Serious Threat to Health or Safety: We may use and disclose PHI about you when necessary to prevent a serious threat to your health and safety or the health and safety of the public or another person. Any disclosure, however, would only be to someone able to help prevent the threat.
To Do Research: We may use and disclose your PHI to do research. We or external researchers may access your PHI to develop research projects or identify patients who may potentially qualify to participate in research studies. We may otherwise use your PHI for research when it is in the form of a limited data set, meaning that most identifiable information has been removed from the information, or once an institutional review board or privacy board has reviewed the research proposal and determined that your specific authorization or consent for the research use of your PHI is not needed in whole or in part. We may also use or disclose the PHI of deceased persons for research purposes if certain conditions are met. For more information about how we use information in connection with our research, please see the section titled “De-identified Information”.
Organ and Tissue Donation: If you are an organ donor, we may release PHI to organizations that handle organ procurement or organ eye or tissue transplantation or to an organ donation bank, as necessary to facilitate organ or tissue donation and transplantation.
Government Functions: Caris may disclose your PHI to protect public officials as directed by law or as required by military command authorities.
Workers’ Compensation: Caris may release PHI about you for workers’ compensation or similar programs.
Decedents: Caris may release PHI to a coroner, medical examiner, or funeral director as necessary to carry out their duties.
Health Oversight Activities: Caris may disclose PHI to a health oversight agency for activities authorized by law. These oversight activities may include audits, investigations, inspections, licensure and disciplinary actions. We may also share PHI about you if state or federal laws require it, including with the Department of Health and Human Services if it wants to see that we’re complying with federal privacy law.
De-identified Information: We may use your PHI to generate aggregated, de-identified or otherwise anonymous data, which does not directly identify and could not reasonably be used to identify any specific individual. There are specific rules under the law about what type of information needs to be removed before information is considered de-identified. Once the information has been de-identified as required by law, it is no longer considered PHI and not covered by this notice. We use this anonymous data to understand, develop, improve, and market our services, and it may be used or shared with third parties for any lawful purpose without further notice or compensation to you. We may disclose aggregated, de-identified or otherwise anonymous data about our users, which does not identify any individual, without restriction.
We maintain a database of de-identified health data from many patients, including de-identified DNA and RNA data, that is used to facilitate future health care discoveries. In connection with our laboratory testing services, we also typically retain leftover tissue, cells, and/or DNA or RNA extracted from your cells, which we use for internal purposes such as quality assurance and test validation. De-identified health data may be used and shared with our researchers and developers, as well as with third parties in or out of the United States, like academic researchers, universities, hospitals, laboratories, and life science, insurance, pharmaceutical, and other companies, all in accordance with applicable laws. These third parties may use the de-identified data for activities such as researching the causes of disease, developing new drugs and therapies, or helping pay for the cost of health care.
OTHER USES OF PERSONAL HEALTH INFORMATION
Other uses and disclosures of PHI not covered by this notice or the laws that apply to us will be made only with your written permission. If you provide us permission to use or disclose PHI about you, you may revoke that permission, in writing, at any time. If you revoke your permission, we will no longer use or disclose PHI about you for the reasons covered by your written authorization. You understand that we are unable to take back any disclosures we have already made with your permission, and that we are required to retain our records of the care that we provided to you.
Marketing: We may provide information to you regarding treatment alternatives or other health-related benefits that may be of interest to you, but we must abide by strict limitations on third-party funding for such communications. Your written authorization will typically be required for most uses and disclosures for marketing,
Sale of PHI: We are prohibited from selling your PHI without your prior authorization.
YOUR RIGHTS REGARDING PHI ABOUT YOU
You have the following rights regarding PHI we maintain about you:
Right to Request Restrictions: You have the right to request a restriction or limitation on the PHI we use or disclose about you for treatment, payment, or health operations. Except where you request a restriction on disclosure to your health plan and you have paid for the related services in full (and the disclosure is not required by law), we are not required to agree to your request. We are required to notify you if we fail to approve a restriction request.
Right to Request Confidential Communications: You have the right to request that we communicate with you about medical matters in a certain way or at a certain location.
Right to Receive Test Information: You have the right to receive a copy of certain PHI that we have created, including test result reports and billing records. You may request a paper copy of your PHI or an electronic copy of your PHI that we maintain electronically and you may also request that we transmit the information to you or to another individual or third party. We may charge you a reasonable, cost-based fee for providing these copies.
Right to Amend: If you feel that PHI we have about you is incorrect or incomplete, you may ask us to amend the information.
Right to Accounting of Disclosures: You have the right to request a list of the disclosures we have made of PHI about you in the past six years from the date of your written request. Under the law, this does not include disclosures made for purposes of treatment, payment, or healthcare operations except for certain disclosures made through an electronic health record.
Right to a Paper Copy of This Notice: We will provide a paper copy of this notice upon request, even if you have agreed to receive a copy of this Notice electronically.
Right to Receive Notice in the Event of a Breach: In the event of a breach of your PHI, you have the right to be notified of the breach and to be provided, to the extent available, with a description of the breach, a description of the types of information involved in the breach, the steps you should take to protect yourself from potential harm, a brief description of what we are doing to investigate the breach, mitigate harm, and prevent further breaches, as well as contact information for questions or concerns regarding the breach.
WE RESERVE THE RIGHT TO CHANGE THIS NOTICE
We reserve the right to make the revised or changed notice effective for PHI we already have about you as well as any information we receive in the future. We will post a copy of the current Notice on our website and will update the effective date accordingly.
If you believe your privacy rights have been violated, you may file a complaint with Caris or with the Secretary of the Department of Health and Human Services, Office for Civil Rights. You will not be penalized for filing a complaint.
If you have any questions or complaints, please contact:
Caris Life Sciences
Corporate Compliance Officer
750 West John Carpenter Freeway, Suite 800
Irving, TX 75039
(214) 277-8700 main
(866) 771-8946 toll free