RxSense Notice of HIPAA Privacy Practices

Effective Date: March 1, 2019

THIS NOTICE DESCRIBES HOW PRESCRIPTION DRUG INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION.

PLEASE REVIEW IT CAREFULLY.


This Notice of Privacy Practices (the “Notice”) describes the privacy practices of RxSense Group LLC and its affiliates (“RxSense”). RxSense is not a Covered Entity for purposes of compliance with the Health Insurance Portability and Accountability Act (“HIPAA”), however RxSense is a Business Associate of employer-sponsored, managed care organization-sponsored, health insurance company-sponsored, and non-profit-sponsored health plans, third party administrators, pharmacy benefit managers, healthcare information technology providers, health administrative services organizations, and other organizations (collectively, “Providers”) that are Covered Entities or Business Associates to Covered Entities in the ordinary course of its business. Providers and RxSense will share Protected Health Information (“PHI”) with each other for the administration, payment, analysis, and communication of prescription drug benefit benefits as permitted by HIPAA and this Notice of Privacy Practices (“Notice”).

PHI is information about you that we obtain to provide our services to you and that can be used to identify you. It includes your name and contact information, as well as information about your health, medical conditions and prescriptions. It may relate to your past, present or future physical or mental health or condition, the provision or health care products and services to you, or payment for such products or services.

We are required by law to protect the privacy of your PHI and to provide you with this Notice explaining our legal duties and privacy practices regarding your PHI. This Notice describes how we may use and disclose your PHI. We have provided you with examples; however, not every permissible use or disclosure will be listed in this Notice. This Notice also describes your rights and the obligations we have regarding the use and disclosure of your PHI. We and our employees and workforce members are required to follow the terms of this Notice or any change to it that is in effect. We are required to follow state privacy laws when they are stricter (or more protective of your PHI) than the federal law some types of sensitive PHI, such as HIV information, minor health information, genetic information, alcohol and/or substance abuse records, and mental health records may be subject to additional confidentiality protections under state or federal law. If you would like additional information about state law protections in your state, or additional use or disclosure restrictions that may apply to sensitive PHI, please contact RxSense.

RxSense operates pharmacy savings programs under the brand name “SingleCare” and “FamilyWize” through its wholly-owned subsidiaries SingleCare Services LLC, Towers Administrators LLC d/b/a SingleCare Administrators, and FamilyWize LLC and holds Discount Medical Plan Organization licenses in all states where such licenses are required to operate a pharmacy savings program. RxSense is not operating as a Covered Entity or a Business Associate in connection with the operation of its pharmacy savings programs and information provided by consumers utilizing a SingleCare or FamilyWize pharmacy savings card is subject to the Privacy Policy found here: https://www.singlecare.com/privacy-policy and not this Notice of HIPAA Privacy Practices.

Uses and Disclosures of Your PHI for Treatment, Payment and Health Care Operations

We may use and disclose your PHI for administration, payment, analysis, and communication of prescription drug benefit benefits without your written authorization. The following categories describe and provide some examples of the different ways that may use and disclose your PHI for these purposes:

Administration: We may use and disclose your PHI to provide and coordinate the treatment, medication and services you receive. For example, we may:

  • Use and disclose your PHI to provide and coordinate the treatment, medication and services you receive under your prescription drug benefit plan.
  • Disclose your PHI to other third parties, such as pharmacies, doctors, hospitals, or other health care providers to assist them in providing care to you or for care coordination. In some instances, uses and disclosures of your PHI for these purposes may be made through a Health Information Exchange or similar shared system.
  • Contact you to provide prescription-related services, such as refill reminders, adherence communications, or treatment alternatives (e.g., available generic products).
  • Obtain prior authorization for use of a prescription drug.

Payment: We may use and disclose your PHI to obtain payment for the services we provide to you and for other payment activities related to the services we provide. For example, we may:

  • Share your PHI with your insurer, pharmacy benefit manager, or other health care payor to determine whether it will pay for your health care products and services you need and to determine the payment amount you may owe.
  • Contact you about a payment or balance due for prescriptions dispensed to you at a pharmacy or may disclose your PHI to other health care providers, health plans or other HIPAA Covered Entities who may need it for their payment activities.

Other Uses and Disclosures of Your PHI that Do Not Require Authorization

We are also allowed or required to share your PHI, without your authorization, in certain situations or when certain conditions have been met.

Business Associates: When we contract with third parties to perform certain services for us, such as data analytics for optimizing clinical and financial outcomes, drug utilization review, client billing or consulting, these third party service providers, known as Business Associates, may need access to your PHI to perform these services. They are required by law and their agreements with us to protect your PHI in the same way we do.

Individuals Involved in Your Care or Payment for Your Care: We may disclose your PHI to a friend, personal representative, family member, or any other person you identify as a caregiver, who is involved in your care or the payment related to that care. For example, we may provide prescriptions and related information to your caregiver on your behalf. We may also make these disclosures after your death unless doing so is inconsistent with any prior expressed preference documented by RxSense. Upon your death, we may disclose your PHI to an administrator, executor, or other individual authorized under law to act on behalf of your estate. If you are a minor, we may release your PHI to your parents or legal guardians when permitted or required by law (although we will keep minor health information confidential where required by applicable law).

Workers’ Compensation: We may disclose your PHI as necessary to comply with laws related to workers’ compensation or similar programs.

Law Enforcement: We may disclose your PHI to law enforcement officials as permitted or required by law. For example, we may use or disclose your PHI to report certain injuries or to report criminal conduct that occurred on our premises. We may also disclose your PHI in response to a court order, subpoena, warrant, or other similar written request from law enforcement officials.

Required by Law: We will disclose your PHI when required to do so to comply with federal, state or local law.

Judicial and Administrative Proceedings: We may disclose your PHI in response to a court or administrative order, subpoena, discovery request, or other lawful process.

Public Health and Safety Purposes: We may disclose your PHI in certain situations to help with public health and safety issues when we are required or permitted to do so, for example to: prevent disease; report adverse reactions to medications; report suspected abuse, neglect or domestic violence; or to prevent or reduce a threat to anyone’s health or safety.

Health Oversight Activities: We may disclose your PHI to an oversight agency for certain activities including audits, investigations, inspections, licensure or disciplinary actions, or civil, administrative, and criminal proceedings, and as necessary for oversight of the health care system, government programs, or compliance with civil rights laws.

Research: Under certain circumstances, we may use or disclose your PHI for research purposes. For example, we may use or disclose your PHI as part of a research study when the research has been approved by an institutional review board and there is an established protocol to ensure the privacy of your information.

Coroners, Medical Examiners and Funeral Directors: We may disclose PHI to coroners, medical directors, or funeral directors so that they can carry out their duties.

Organ or Tissue Donation: We may disclose your PHI to organ procurement organizations.

Notification: We may use or disclose your PHI to notify or assist in notifying a family member, personal representative, or any other person responsible for your care regarding your location, general condition, or death. We may also disclose your PHI to disaster relief organizations so that your family or other persons responsible for your care can be notified of your location, general condition, or death.

Correctional Institution: If you are or become an inmate of a correctional institution, we may disclose your PHI to the institution or its agents to assist them in providing your health care, protecting your health and safety or the health and safety of others.

Specialized Government Functions: We may disclose your PHI to authorized federal officials for the conduct of military, national security activities and other specialized government functions.

Uses or Disclosures for Purposes that Require Your Authorization

Use and disclosure of your PHI for other purposes may be made only with your written authorization and unless we have your authorization we will not:

  • Use or disclose your PHI for marketing purposes
  • Sell your PHI to third parties (except for in connection with the transfer of a business to another health care provider required to comply with HIPAA).
  • Share psychotherapy notes (to the extent we have any).

We will obtain your written authorization before using or disclosing your PHI for purposes other than those described in this Notice or otherwise permitted by law. You may revoke your authorization at any time by submitting a written notice to RxSense. Your revocation will be effective upon receipt; however, it will not undo any use or disclosure of your PHI that occurred before you notified us, or any actions taken based upon your authorization.

Your Health Information Rights

Written Requests and Additional Information: you may request additional information about CVS Health’s privacy practices or obtain forms for submitting written requests by contacting RxSense at 99 High Street, Suite 2800, Boston, Massachusetts 02110 or by contacting the member services number on your member benefit card.

Obtain a Copy of the Notice: You have the right to obtain a paper copy of our current Notice at any time. You may do so by contacting RxSense.

Inspect and Obtain a Copy of Your PHI: With a few exceptions, you have the right to see and get a copy of the PHI we maintain about you. You may request access to your PHI electronically. To inspect or obtain a copy of your PHI, submit a written request to RxSense. You may also ask us to provide a copy of your PHI to another person or entity. A reasonable fee may be charged for the expense of fulfilling your request as permitted under HIPAA and/or state law. We may deny your request to inspect and copy your record in certain limited circumstances. If we deny your request, we will notify you in writing and let you know if you may request a review of the denial.

Request an Amendment: If you feel that the PHI we maintain about you is incomplete or incorrect, you may request that we amend it. For example, if your date of birth is incorrect, you may request that the information be corrected. To request an amendment, submit a written request to RxSense. You must include a reason that supports your request. If we deny your request for an amendment, we will provide you with a written explanation of why we denied it.

Receive an Accounting of Disclosures: You have the right to request an accounting of disclosures we make of your PHI for purposes other than administration, payment, analysis, and communication of prescription drug benefit benefits. Please note that certain other disclosures need not be included in the accounting we provide to you. To obtain an accounting, submit a written request to RxSense. We will provide one accounting per 12-month period free of charge, but you may be charged for the cost of any subsequent accountings. We will notify you in advance of the cost involved, and you may choose to withdraw or modify your request at that time.

Request Confidential Communications: You have the right to request that we communicate with you in a certain way or at a certain location. For example, you may request that we contact you only in writing at a specific address. To request confidential communication of your PHI, submit a written request to the RxSense. Your request must state how, where, or when you would like to be contacted. We will accommodate all reasonable requests.

Request a Restriction on Certain Uses and Disclosures: You have the right to request additional restrictions on our use and disclosure of your PHI by sending a written request to RxSense. We are not required to agree to your request except where the disclosure is to a health plan or insurer for purposes of carrying out payment or health care operations, is not otherwise required by law, and the PHI is related to a health care item or service for which you, or a person on your behalf, has paid in full out-of-pocket. If you do not want a claim for payment submitted to your health plan on record, please discuss with the pharmacist or health care provider when you check in for care or before your prescription is sent to the pharmacy.

Notification of Breach: You have a right to be notified in the event there is a breach of your unsecured PHI as defined by HIPAA.

To Report a Problem

Complaints: If you believe your privacy rights have been violated, you can file a complaint with RxSense or with the Secretary of the United States Department of Health and Human Services. All complaints must be submitted in writing. You will not be penalized or otherwise retaliated against in any way for filing a complaint.

Changes to This Notice

We reserve the right to make changes to this Notice as permitted by law and to make the revised Notice effective for PHI we already have about you as well as any information we receive in the future, as of the effective date of the revised Notice. If we make material or important changes to our privacy practices, we will promptly revise our Notice. Upon request, RxSense will provide a revised Notice to you. We will also post the revised Notice on our Web site at rxsense.com and will make copies available at our facilities and locations where you receive health care products and services from us.