HIPAA Notice of Privacy Practices

This notice describes how medical information about you may be used and disclosed and how you can get access to this information. Please review it carefully.

This Notice describes how we may use and disclose PHI about you, and your rights with respect to that information. Crystal Clear is required by law to maintain the privacy of your PHI, to provide you with this Notice, and to abide by the terms of the Notice currently in effect.

1. Uses and disclosures that do not require your written authorization

HIPAA allows us to use and disclose your PHI without your written authorization for the following purposes:

• Treatment. To provide, coordinate, or manage your treatment with the affiliated clinicians, the Telehealth Platform, the Partner Pharmacy, and any other healthcare providers involved in your care. Example: we send your shipping address and order detail to the Partner Pharmacy so they can dispense your medication to you.
• Payment. To bill and collect payment for the Services. Example: we share the minimum payment information PayMatrix needs in order to charge your card for a membership renewal.
• Health care operations. To run our internal operations, including quality assessment, training, vendor management, audits, and accreditation. Example: we audit access to your record to make sure only authorized personnel are viewing it.
• Public health activities. To report disease, injury, vital events, and product safety issues to a public health authority that is authorized by law to collect the information.
• Victims of abuse, neglect, or domestic violence. To report to a government authority authorized by law to receive such reports, when we reasonably believe you have been a victim and the disclosure is required or permitted by law.
• Health oversight activities. To a health oversight agency conducting an audit, investigation, inspection, licensure proceeding, or other oversight activity authorized by law.
• Judicial and administrative proceedings. In response to a court or administrative order, a subpoena, or other lawful process, where the conditions set by HIPAA are met (including, in some cases, notice to you or a qualified protective order).
• Law enforcement purposes. In response to a lawful court order or process, to identify or locate a suspect, in connection with certain crime victims, or when otherwise required or permitted by law.
• To avert a serious threat to health or safety. When necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public, and the disclosure is to a person reasonably able to prevent or lessen the threat.
• Specialized government functions. For military and veterans activities, national security and intelligence, protective services for the President, and other functions specified in 45 CFR §164.512(k).
• Workers’ compensation. To comply with workers’ compensation laws and other similar programs that provide benefits for work-related injuries.
• Decedents. To coroners, medical examiners, and funeral directors, as necessary to carry out their duties.
• Organ and tissue donation. To organizations involved in procurement, banking, or transplantation of organs or tissue, as permitted by law.
• Research. Subject to approval by an Institutional Review Board or Privacy Board, where required by HIPAA. We do not currently disclose PHI for research.
• As required by law. For any other use or disclosure required by federal, state, or local law.

2. Uses and disclosures that require your written authorization

Other uses and disclosures of your PHI will be made only with your written HIPAA authorization. In particular, we will not use or disclose your PHI for the following purposes without your authorization:

• Most uses and disclosures of psychotherapy notes, where any exist.
• Marketing communications that meet HIPAA’s definition of “marketing,” other than the limited categories that HIPAA permits without authorization (such as treatment-coordination messages, certain refill reminders, and face-to-face communications).
• Sale of your PHI. We will never sell your PHI.
• Any other use or disclosure not described in Section 1 or otherwise permitted by law.

If you give us a written authorization, you may revoke it at any time by sending a written revocation to the contact in Section 10. The revocation will not apply to uses or disclosures we have already made in reliance on the authorization.

3. How to provide or revoke a HIPAA authorization

To provide a HIPAA authorization (for example, to direct us to send your PHI to a family member, another provider, or an attorney), email us at sales@ccrxpharm.com with the subject “HIPAA Authorization,” and we will send you a form. To revoke a previously-given authorization, send a written revocation to the same address.

4. Family members and friends involved in your care

Unless you object, we may disclose PHI relevant to a person’s involvement in your care or payment for your care to a family member, other relative, close personal friend, or other person you identify. If you are not present, or are incapacitated, we will use our professional judgment about whether the disclosure is in your best interest, consistent with HIPAA.

5. Breach notification

If a breach of your unsecured PHI occurs, we will notify you without unreasonable delay and in no case later than 60 calendar days after discovery of the breach, as required by HIPAA Subpart D. The notification will include a description of what happened, the types of PHI involved, the steps you should take to protect yourself, what we are doing to investigate and mitigate, and how to contact us with questions.

6. Changes to this Notice

We reserve the right to change this Notice and to make the new Notice effective for all PHI we maintain about you, including PHI we created or received before the change. When we make a material change, we will post the updated Notice on the Site and update the “Last updated” date at the top of this document. You may also request a paper copy of the most current Notice from the contact in Section 10.

7. Your rights under HIPAA

With respect to your PHI, you have the following rights. To exercise any of them, contact us using Section 10. We may require you to make the request in writing and to verify your identity.

• Right to access and obtain a copy. You have the right to inspect and obtain a copy of the PHI we maintain about you, in the format you request (including an electronic copy if we maintain the record electronically). We will provide the copy within 30 days of your request, with a single 30-day extension if needed. We may charge a reasonable, cost-based fee.
• Right to amend. You have the right to ask us to amend PHI we maintain about you, if you believe it is incorrect or incomplete. We may deny your request in limited circumstances permitted by HIPAA; you will receive a written denial explaining why and your right to submit a disagreement statement.
• Right to an accounting of disclosures. You have the right to receive a list of disclosures we have made of your PHI for purposes other than treatment, payment, health care operations, disclosures you authorized, and certain other exceptions, going back up to six years before the date of the request.
• Right to request restrictions. You have the right to ask us to restrict certain uses and disclosures of your PHI. We are not required to agree, except in one situation: if you paid out-of-pocket and in full for a specific item or service, and you ask us to restrict disclosure to your health plan for payment or health care operations, we will agree (HIPAA requires us to).
• Right to confidential communications. You have the right to request that we communicate with you about your PHI in a specific way or at a specific location (for example, mail to a different address). We will accommodate reasonable requests.
• Right to a paper copy of this Notice. You have the right to a paper copy of this Notice on request, even if you have agreed to receive it electronically.
• Right to be notified of a breach. You have the right to be notified following a breach of your unsecured PHI, as described in Section 5.
• Right to file a complaint. You have the right to file a complaint with us (Section 9) or with the U.S. Department of Health and Human Services. We will not retaliate against you for filing a complaint.

8. How to exercise your rights

Email us at sales@ccrxpharm.com or call (813) 215-2818. We respond within the time periods required by applicable law (for HIPAA access requests, generally 30 days, with extensions possible). To prevent misuse, we may need to verify your identity before processing a request. Authorized agents acting for someone else must provide written proof of authority.

9. Filing a complaint

If you believe your privacy rights have been violated, you may file a complaint with us by contacting our Privacy Officer (Section 10). You may also file a complaint with the U.S. Department of Health and Human Services, Office for Civil Rights, by sending a letter to 200 Independence Avenue, S.W., Washington, D.C. 20201, calling 1-877-696-6775, or visiting hhs.gov/ocr/privacy/hipaa/complaints. We will not retaliate against you for filing a complaint.

10. Contact us

HIPAA requests, complaints, and any other matter described in this Notice should go to our Privacy Officer: