Joint Notice of MedStar and One Medical HIPAA Privacy Practices

Updated: July 31, 2020

THIS JOINT NOTICE OF HIPAA PRIVACY PRACTICES (“Notice”) DESCRIBES HOW YOUR HEALTH INFORMATION MAY BE USED AND DISCLOSED, AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.

The Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) requires us to ask each of our patients to acknowledge receipt of our Notice of HIPAA Privacy Practices. The Notice is published on our website and mobile application, and is available at One Medical clinics. You can acknowledge receipt of this Notice by clicking on the “I Acknowledge Receipt of the Notice of HIPAA Privacy Practices” button, or by indicating your acknowledgement in another written or digital manner provided. You can receive a copy of this Notice by asking for one at a One Medical clinic, or by printing one from our website at any time.

One Medical has partnered with MedStar Health, Inc. and its applicable affiliates (“MedStar Health”) in the Washington, D.C. area. Each of the One Medical professional corporation affiliates together designate themselves as a single Affiliated Covered Entity (“ACE”) for purposes of compliance with HIPAA, including without limitation: One Medical Group, Inc. (a California professional corporation); One Medical Labs, Inc. (a California professional corporation); One Medical Group, P.C. (a District of Columbia professional corporation); One Medical Group, P.C. (a Virginia professional stock corporation); One Medical of NY, P.C. (a New York professional corporation); OM Services, P.A. (a Florida professional service corporation); and any other One Medical Group entities.

One Medical’s ACE participates in an organized health care arrangement with MedStar Health (the “OHCA”), as the term is defined at 45 C.F.R. § 160.103 of the HIPAA regulations. The OHCA formed between MedStar Health and One Medical’s ACE is based on the fact that MedStar Health and professional corporations in One Medical’s ACE are: (i) all covered entities under HIPAA, as the term “covered entity” is defined at 45 C.F.R. § 160.103 of the HIPAA Regulations; (ii) all participating in an organized system of health care; (iii) holding themselves out to the public as participating in a joint arrangement, as reflected in their strategic objectives, the branding of the Clinics, and the notice of privacy practices provided to patients; and (iv) participating in joint activities that include quality assessment and improvement activities in which treatment provided is assessed by One Medical and MedStar Health and utilization review in which health care decisions are reviewed by One Medical and MedStar Health.

These entities, collectively, are referred to in this policy as “the Companies.” Each of these entities, and their related sites, locations and care providers will follow the terms of this Notice. In addition, the entities, sites, locations and care providers may share medical information with each other for treatment, payment, or health care operations related to the OHCA. This designation may be amended periodically to add new covered entities that are part of One Medical’s ACE under HIPAA.

One Medical and MedStar Health Responsibilities

Under HIPAA, the Companies must take steps to protect the privacy of your Protected Health Information (“PHI”). PHI includes information that we have created or received regarding your health or payment for your health. It includes both your medical records and personal information such as your name, social security number, financial information, address, and phone number.

Under federal law, we are required to:

Uses and Disclosures of Your Protected Health Information That Do Not Require Your Authorization

The Companies use and disclose PHI in a number of ways connected to your treatment, payment for your care, our health care operations and to meet legal and governmental requirements. Some examples of how we may use or disclose your PHI without your authorization are listed below.

TREATMENT

PAYMENT

HEALTHCARE OPERATIONS

LEGAL OR GOVERNMENTAL COMPLIANCE

We may use or disclose your PHI without your authorization for legal and/or governmental purposes in the following circumstances:

Uses and Disclosures of Your Protected Health Information That Require Us to Obtain Your Authorization

Except in the situations listed in the sections above, we will use and disclose your PHI only with your written authorization. This means we will not use your PHI in the following cases, unless you give us written permission:

In some situations, federal and state laws provide special protections for specific kinds of PHI and require authorization from you before we can disclose that specially protected PHI. For example, additional protections may apply in some states to genetic, mental health, drug and alcohol abuse, rape and sexual assault, sexually transmitted disease and/or HIV/AIDS-related information, and/or to the use of your PHI in certain review and disciplinary proceedings of healthcare professionals by state authorities. In these situations, we will comply with the more stringent state laws pertaining to such use or disclosure. If you have questions about these laws, please contact the Privacy Officer at 415-291-0480 or privacy@onemedical.com.

Your Rights Regarding Your Protected Health Information

You have the right to:

Communication Platforms

We may also use PHI to send you appointment reminders and other communications relating to your care and treatment, or let you know about treatment alternatives or other health related services or benefits that may be of interest to you, via email, phone call, or text message.

We may make certain PHI, such as information about care or treatment, appointment histories and medication records, accessible to you through secured online tools such as your MyOne patient account.

If you choose to communicate with us via emails, texts or chats, you acknowledge that we may exchange PHI with you via email, text or chat, that email, text and certain chat functionality may not be a secure method of communication, and that you agree to the security risks of such communication. If you would prefer not to exchange PHI via email, text or chat, you can choose not to communicate with us via those means, and you can notify us at privacy@onemedical.com.

Changes to Privacy Practices

The Companies may modify this Notice from time to time. The revised Notice will apply to all PHI that we maintain. We will make any such changes to this Notice by posting the revised Notice on our website. The date of the last update will be clearly indicated at the top of this Notice. Please review this Notice from time to time to ensure you are familiar with our HIPAA privacy practices.

Questions and Complaints

If you have any questions about this Notice or would like an additional copy, please contact the Privacy Officer at 833-721-0404 or privacy@onemedical.com.

If you think that we may have violated your privacy rights or you disagree with a decision we made about access to your PHI, you may send a written complaint to the Privacy Officer at One Embarcadero Center, 19th Floor, San Francisco, CA 94111.