NOTICE OF PRIVACY PRACTICES

THIS NOTICE DESCRIBES HOW PHARMASAN LABS, INC. AND NEUROSCIENCE, INC. MAY USE OR DISCLOSE MEDICAL INFORMATION ABOUT YOU AND HOW YOU MAY ACCESS THIS INFORMATION. WE ENCOURAGE YOU TO CAREFULLY REVIEW THIS NOTICE SO THAT YOU WILL UNDERSTAND OUR COMMITMENT TO THE PRIVACY AND PROTECTION OF YOUR MEDICAL INFORMATION.

Introduction

Pharmasan Labs, Inc. is a provider of diagnostic testing, information and services. NeuroScience, Inc. is a Business Associate of Pharmasan Labs that performs services on behalf of Pharmasan Labs such as data entry, billing, shipping and receiving. Pharmasan provides healthcare providers with lab report interpretation.  Collectively Pharmasan Labs, Inc. and NeuroScience, Inc. are referred to in this policy as “Companies” or “We”.

We are committed to protecting the confidentiality of individuals' laboratory test results and other protected health information that we collect or create as part of our diagnostic testing activities. This Privacy Policy notice describes the personal information we collect, and how and when we use or disclose that information. This Privacy Policy applies to all protected health information as that term is defined by federal law and regulations. Currently protected health information ("PHI") is defined as:

information that is created or received by the Company and relates to the past, present, or future physical or mental health or condition of a participant; the provision of health care to a participant; or the past, present, or future payment for the provision of health care to a participant; and that identifies the participant or for which there is a reasonable basis to believe the information can be used to identify the participant. Protected health information includes information of persons living or deceased.”

Except as permitted by law and as explained in this Notice, the Companies do not disclose any information about our past, present or future patients to anyone.

Our Privacy Obligations

The Companies are required by law to maintain the privacy of your medical and health information (Protected Health Information or PHI) and to provide you with this Notice of our legal duties and privacy practices with respect to your Protected Health Information. Your PHI at the Companies includes personal and medical information (such as your name, address, date of birth, test ordered, etc.) that we obtain from you and/or your physician or other health care practitioner. Your PHI also includes the laboratory testing results that Pharmasan creates. When we use or disclose your PHI, we are required to abide by the terms of this Notice (or other notice in effect at the time of the use or disclosure). We are also required to notify affected individuals in the event of a breach involving unsecured protected health information. Your other health care providers may have different notices regarding the use and disclosure of your PHI maintained by them.

Policies on Use and Disclosure of PHI

A.           Use and Disclosure Defined

We will use and disclose PHI only as permitted under HIPAA. The terms "use" and "disclosure" are defined as follows:

·        Use. The sharing, employment, application, utilization, examination, or analysis of individually identifiable health information by any person working for PharmasanLabs or by a Business Associate (defined below) of PharmasanLabs.

·        Disclosure. Disclosure means any release, transfer, provision of access to, or divulging in any other manner of individually identifiable health information to persons not employed by or working for Pharmasan Labs or NeuroScience, Inc.

B.           Permitted Uses and Disclosures

We will use or disclose Your PHI for treatment, payment, or healthcare operations purposes and for other purposes permitted or required by law. The following categories describe different ways that we use and disclose your PHI. Please note that not every use or disclosure in a category will be listed. However, all of the ways we are permitted to use and disclose your PHI without your written authorization will fall within one of the categories listed below.

According to law, we do not need your authorization or permission to use or disclose your PHI for the following purposes:

1.            Treatment.

As a health care provider that provides laboratory testing for ordering physicians or other licensed health care practitioners, Pharmasan uses your PHI as part of our testing processes and Pharmasan discloses your PHI to physicians and other authorized health care professionals who need access to your laboratory results to treat you. In addition to your treating health care professional, Pharmasan may provide information about your results to NeuroScience to further interpret the results before release to your health care professional. Pharmasanmay also disclose your PHI to another testing laboratory if Pharmasanis unable to perform the testing ourselves and need to refer your specimen to that laboratory to perform the requested testing.

2.            Payment.

We may use and disclose PHI in the process of obtaining payment for services that we provide to you. For example, our billing department may send your name, date of service, test performed, diagnosis code, and other information to a health plan or insurance company to obtain payment for services we provided. In some cases we may have to contact you to obtain billing information or for other billing purposes. When required, we may use an outside collection agency to obtain payment.

3.            Health Care Operations.

We may use and disclose PHI in the course of activities necessary to support our diagnostic testing operations, which include internal administration and planning and various activities that improve the quality and cost effectiveness of the diagnostic testing and customer service that we deliver to you. For example, we may use PHI to evaluate the quality and competence of our employees and we may disclose PHI in order to resolve any complaints you may have and ensure that you have a pleasant experience with us.

4.            Disclosures to Business Associates.

We may disclose your PHI to other companies or individuals who need your PHI in order to provide specific services to us. These other entities, known as "Business Associates," generally must comply with the terms of a contract designed to ensure that they will maintain the privacy and security of your PHI in the same manner that we do. For example, we may disclose your PHI to consultants, or to private accrediting organizations that inspect and certify the quality of our laboratory.

5.            Public Health Activities.

We may disclose your PHI to public health authorities for the purpose of preventing or controlling disease, injury or disability.

6.            Health Oversight Activities.

We may disclose your PHI to a health oversight agency that oversees the health care system or government benefit programs (such as Medicare or Medicaid).

7.            Threats to Health or Safety.

We may disclose your PHI as necessary to prevent a serious threat to your health and safety or that of another person or the general public.

8.            Judicial and Administrative Proceedings.

We may disclose your PHI in the course of a judicial or administrative proceeding in response to a legal order, subpoena (under certain circumstances), order of either the Commissioner of Public Health or the Commissioner of Mental Health or other lawful process.

9.            Law Enforcement Officials.

We may disclose your PHI to the police or other law enforcement officials as required or permitted by law or in compliance with a court order or a grand jury or administrative subpoena.

10.         Research.

We may use or disclose your PHI for research purposes if an Institutional Review Board/Privacy Board approves a waiver of authorization for such use or disclosure.

11.         Specialized Government Functions.

We may use and disclose your PHI to units of the government with special functions, such as the U.S. military or the U.S. Department of State under certain circumstances as required by law.

12.         As Required by Law.

We may use and disclose your PHI when required to do so by any other law not already referred to in the preceding categories.

C.           The “Minimum-Necessary” Standard

HIPAA requires that we, or our "Business Associates," limit the amount of your PHI used or disclosed to the "minimum necessary" to accomplish the purpose of the use or disclosure. The "minimum-necessary" standard does not apply to any of the following:

·        Uses or disclosures made to you;

·        Uses or disclosures made pursuant to a valid authorization;

·        Disclosures made to HHS;

·        Uses or disclosures required by law; and

·        Uses or disclosures required to comply with HIPAA.

D.           Disclosures of PHI Pursuant to an Authorization

If we want to use or disclose your PHI for purposes that do not fall into at least one of the categories in Section A of this Notice, we would have to first obtain your written authorization. Subject to compliance with limited exceptions, we will not use or disclose psychotherapy notes, use or disclose your PHI for marketing purposes or sell your PHI, unless you have signed an authorization. You have the right to revoke your authorization at any time. If you revoke your authorization, we will no longer use or disclose your PHI for the reasons stated in your authorization except to the extent we have already taken action based on your authorization. 

We may disclose your PHI for any purpose you approve if your written authorization satisfies all of HIPAA's requirements for a valid authorization. Any uses and disclosures we make pursuant to a signed authorization must be consistent with the terms and conditions of the authorization. 

E.           Legal Rights Related to Protected Health Information

You have the right to request and receive a copy of your healthcare records we maintain. You must request a copy of your records in writing by completing and submitting our Patient Authorization for Release of Protected Health Information form. We also require that you provide a copy of a government-issued identification card to authenticate your identity. You can request to receive a copy of your PHI via United States mail, facsimile or encrypted email, if we maintain your PHI in an electronic format and we can readily produce a readable electronic copy. If you do not designate on your completed Patient Authorization for Release of Protected Health Informationform the format in which you wish to receive your records, we will send them by standard United States mail. We reserve the right to charge a reasonable fee for the cost of producing and mailing the copies of such information.

You have the right to restrict us from disclosing information to health plans concerning tests and/or services that you have paid for out-of-pocket. The federal privacy rule entitles you to request other restrictions on our uses and disclosures of PHI for treatment, payment or health care operations purposes described above. We will consider each request but are not required to agree to any restrictions.

The federal privacy rule entitles you to request to receive confidential communications of PHI if disclosing this information by the usual means could endanger you. We will accommodate all reasonable requests, subject to the restrictions and capabilities of our information processing systems.

The federal privacy rule entitles you to request to receive an accounting of certain disclosures of your PHI made by PharmasanLabs or a Business Associate in the last six years, such as disclosure to health oversight agencies. These disclosures do not include disclosures made for purposes of treatment, payment or health care operations.

You have a right to request, in writing, to inspect and obtain a copy of PHI that we maintain about you that is included in what is called a "designated record set." Additionally, when requesting information, you must reasonably describe the information you seek in your written request; and the information must be reasonably locatable and retrievable by us. We may charge you a fee to cover the cost of providing copies of this requested PHI.

You have the right to amend your PHI included in the designated record set. We may deny your request pursuant to those rules if we determine that our records are accurate and complete, if we determine that the information was not created by us, the information is not contained in our designated record set, or if access is otherwise restricted by law.

If you wish to exercise any of the legal rights described above, you must do so in writing. Contact our Privacy Officer to obtain further information about these rights, or if you would like to make such a request.

F.           Technical and Physical Safeguards

We have and will continue to implement reasonable technical and physical safeguards to prevent the PHI we maintain from being intentionally or unintentionally used or disclosed in violation of HIPAA's requirements.

G.           Mitigation of Inadvertent Disclosures of Protected Health Information

We will mitigate, to the extent possible, any harmful effects that become known to it of a use or disclosure of an individual's PHI that violates this policy.

H.           Workforce Training and Sanctions for Violations of Privacy Policy

We train our employees on maintaining the confidentiality of PHI and require employees to certify that they have received training and have read and understand this Privacy Policy. We will apply appropriate sanctions to any employee who violates this policy. 

I.             No Intimidating or Retaliatory Acts; No Waiver of HIPAA Privacy

No individual may intimidate, threaten, coerce, discriminate against, or take other retaliatory action against individuals for exercising their rights, filing a complaint, participating in an investigation, or opposing any improper practice under HIPAA. No individual will be required to waive his or her privacy rights under HIPAA as a condition of treatment.

J.            Fundraising.

If we participate in fundraising activities, you may be contacted to raise funds, but you have the right to opt out of such communications.

K.           Note Regarding State Law

For all of the above purposes, when state law is more restrictive than federal law, we are required to follow the more restrictive state law.

Privacy Officer; Comments or Complaints

Our Privacy Officer will respond to complaints regarding our privacy policies and actions. The Privacy Official will investigate the complaint and communicate the results of the investigation in a timely manner to the individual. Our Privacy Officer is:

Cindy Davis

c/o NeuroScience, Inc.

373 280th Street

Osceola, WI 54020

888-342-7272

Amendments

We reserve the right to amend or change this Policy at any time (and even retroactively) without notice. If we change this Policy, we may make the new Policy effective for all PHI that we maintain, including any information created or received prior to issuing the new Policy. If we change this Policy, we will post the revised notice on our website at www.pharmasan.com or www.neurorelief.com. You also may obtain a revised Policy by contacting our Privacy Officer. This Policy does not address requirements under other federal laws or under state laws.

Effective Date: This Notice is effective as of August 8, 2016.