This HIPAA Policy (“Policy”) describes how Novocure Inc. (“Novocure” or “We”) complies with the requirements of the Health Insurance Portability and Accountability Act (“HIPAA”). Novocure is a health care provider of durable medical equipment (“DME”), and provides DME directly to patients. As a DME provider, Novocure has access to protected health information (“PHI”) and also submits claims for reimbursement. Therefore, Novocure is a covered entity as defined under HIPAA. This Policy describes how Novocure intends to comply with the various requirements of HIPAA. This Policy only applies to PHI (as defined below) of patients that reside in the United States.
We are committed to ensuring protected health information about our patients (“PHI”) is used and disclosed in accordance with HIPAA. We are committed to creating a record of the products and services that we provide to our patients. We need this record to provide our patients with quality products and services used in their care and to comply with certain legal requirements. This Policy applies to all PHI of patients that we use and disclose in our role as a health care provider. If you have any questions regarding this Privacy Notice, please contact the Novocure Privacy Officer.
III. Our Legal Requirements
Pursuant to HIPAA, we are required, among other things, to:
- Make sure that PHI is used and disclosed only as permitted and/or required under HIPAA;
- Patients have flexibility to decide which times of the day are best for them, including at night when sleeping;
- Give our patients a notice of our legal duties and privacy practices with respect to their PHI;
- Notify our patients if we are unable to agree to a requested restriction on how their information is used and disclosed;
- Accommodate reasonable requests that our patients may make to communicate PHI by alternative means or at alternative locations;
- Obtain their written authorization for purposes other than those listed below and permitted under HIPAA; and
- Follow the terms of the Notice of Privacy Practices currently in effect.
IV. Who Will Follow Our Privacy Practices
This Policy describes Novocure’s HIPAA privacy practices and requires that of all Novocure employees, staff and business associates, as applicable, comply with it. All Novocure entities, sites and locations may share PHI with each other for treatment, payment and/or health care operations purposes as described in the Notice of Privacy Practices.
V. A Patient Has Rights Regarding Their Protected Health Information
A patient has the following rights regarding PHI we maintain about them:
- Right to Inspect and Copy. A patient has the right to inspect and copy PHI that may be used to make decisions about their care. Usually this includes medical and billing records. If a patient would like to inspect and/or copy his/her PHI, the patient should contact 855-281-9301 or email@example.com. Novocure is permitted to charge a fee for copying requested files. Novocure may also deny a patient’s request to inspect and/or copy PHI in certain circumstances. If a patient is denied access to his/her PHI, such patient may request a review of the denial. Novocure will select an independent person to review their request and the denial, and will comply with the outcome of such review.
- Right to Amend. If a patient feels that PHI we have about him/her is incorrect or incomplete, the patient may ask us to amend the information. A patient has the right to request an amendment for as long as the information is kept by us. Any patient request for an amendment to PHI should be directed to 855-281-9301 or firstname.lastname@example.org. The patient must provide a reason that supports their request and we may deny their request for an amendment if it does not include a reason to support the request. Additionally, we may deny a patient’s request to amend his/her PHI if the patient ask us to amend PHI that:
- Was not created by us, unless the person or entity that created the information is no longer available to make the amendment;
- Is not part of the PHI kept by or for us;
- Is not part of the information which our patients would be permitted to inspect and copy; or
- Is accurate and complete.
- Right to Accounting of Disclosures. Our patients have the right to request an “accounting of disclosures”. An accounting of disclosures is a list of certain disclosures we made of PHI about our patients. Novocure will provide an accounting of all disclosures with some exceptions. Novocure will NOT release the following disclosures:
- Those made for treatment, payment and health care operations;
- Those made to our patients about their own PHI;
- Those made to persons involved in their care or other notification purposes;
- Those made pursuant to an authorization signed by our patients disclosing specific uses and disclosures;
- Where the disclosures are part of a Limited Data Set (as defined in the HIPAA Act);
- Where the disclosures are incidental to an otherwise permissible disclosure;
- For national security or intelligence purposes; and
- To correctional institutions or law enforcement custodial situations.
To request this list or accounting of disclosures, a patient may contact 855-281-9301 or email@example.com. We may request that a patient submits the request in writing. A patient’s request must state a time period for which they are requesting an accounting of disclosures, which may not be longer than six years from the date of the request. A patient’s request should indicate in what form the patient want the list (i.e., paper or electronic). The first list a patient requests within a 12-month period will be free. For additional lists, we will charge the patient our reasonable costs for providing the list. We will notify the patient of the cost involved and the patient may choose to withdraw or modify their request at the time before any costs are incurred.
- Right to Request Restrictions. A patient has the right to request a restriction or limitation on the PHI we use or disclose about him/her for treatment, payment, or health care operations. A patient also has the right to request a limit on the PHI we disclose about him/her to someone who is involved in his/her care or the payment for his/her care, like a family member or friend. We are not required to agree to the request. If we do agree, we will comply with the request unless the information is needed to provide the patient with emergency treatment. A patient can contact 855-281-9301 or firstname.lastname@example.org to request restrictions. but we may request a written request. Our patients must tell us i) what information the patient wants to limit, ii) whether the patient wants to limit our use, disclosure or both, and iii) to whom the patient wants the limits to apply, for example, disclosures to his/her spouse.
- Right to Request Confidential Communications. A patient has the right to request that we communicate with him/her about medical matters in a certain way or at a certain location. For example, our patients can ask that we only contact our patients at work or by mail. A patient can contact 855-281-9301 or email@example.com to request confidential communications, but we may request a written request. We will accommodate all reasonable requests. A patient’s request must specify how or where the patient wishes to be contacted.
- Right to Revoke Authorization. A patient has the right, in those instances where written authorization is required, to revoke such authorization to use or disclose PHI except to the extent action has already been take. Such revocation must be in writing and should be sent in accordance with the authorization signed by the patient.
- Right to a Paper Copy of the Notice of Privacy Practices. A patient has the right to receive a paper copy of the Notice of Privacy Practices. A patient may ask for a copy of the Notice of Privacy Practices at any time. Even if a patient has agreed to receive the Notice of Privacy Practices electronically, a patient is still entitled to receive a paper copy of the Notice of Privacy Practices, if requested. A patient may contact 855-281-9301 or firstname.lastname@example.org to request a paper copy.
- How We May Use and Disclose Protected Health Information About Our Patients as Permitted or Required by Law. The following categories describe different ways that we are permitted to use and disclose PHI as a health care provider. Certain of these categories may not apply to our business and we may not actually use or disclose their PHI for such purposes. Not every use or disclosure in a category will be listed. However, all of the ways we are permitted or required to use and disclosure PHI, without their authorization, will fall within one of the categories.
- For Treatment. We may use or disclosure PHI about a patient to assist healthcare professionals and providers who provide our patients with medical treatment or services. For example, we may provide PHI related to a patient’s use of our products or services to such patient’s physician and the staff at the patient’s physician’s practice to assist the physician in maintaining appropriate use of the device.
- For Payment. We may use and disclose PHI about a patient so that the products and services we provide to a patient may be billed to and payment may be collected from the patient, an insurance company or a third party. For example, we may need to receive from or disclose to a patient’s health plan, Medicare, or the medical facility a patient resided in information about the products and services we provided to the patient so the patient or another responsible payer can pay us. This may specifically include information required for the Prescription Order Form, Assignment of Benefits, MRIs, and medical record information. We may also tell a patient’s health care provider or plan about a product or service the patient is going to receive to obtain prior approval or to determine whether such patient’s provider or plan will cover that product or service.
- For Health Care Operations. We may use and disclose PHI about a patient for our health care operations and we may disclose PHI about a patient to other health care providers involved in their care for certain health care operations. These uses and disclosures are necessary to run Novocure and make sure that users of our products receive the most cost effective and therapeutic products possible. Examples of health care operations activities by Novocure include but are not limited to delivery, pick-up and service functions, collection efforts, internal auditing, business planning (including analysis of product length of use, utility, or development/improvement of reimbursement methods or policy), assessing the quality of care and outcomes in a patient’s case and similar cases, and quality assurance/improvement activities. We may also combine PHI about many patients to decide what additional products and services we should offer, what products and services are not needed, and to justify how effective our products are in the care of individuals such as our patients. We may also disclose information to medical facilities and independent researchers for review and learning purposes. We may remove information that identifies patients from a set of PHI so others may use it to study health care and health care delivery without offending the Privacy Rule.
- For Marketing Purposes. At times, Novocure, may, for the benefit of the clients, patients and market it serves, issue information, solicitations for fundraising or marketing materials on its products and services. Your rights under the Privacy rule include your ability to request restrictions or revoke the inclusion of your information at any time in all communications as well as opting into or opting out of any marketing or fundraising activities, uses and disclosures of PHI for marketing purposes, including subsidized treatment communications; disclosures that constitute a sale of PHI; and other uses and disclosures not described in this Privacy Notice or allowed by the Privacy rule.
- Notice/Reminders. We may use and disclose PHI to contact a patient or arrange for a patient’s health care provider to contact the patient regarding product delivery, maintenance, in-service or pick-up.
- Individuals Involved in Their Care or Payment for Our patients Care. We may disclose to a family member, other relative, close personal friend of a patient, or any other person identified by a patient, PHI directly relevant to such person’s involvement with a patient’s care or payment for a patient’s health care when the patient is present for, or otherwise available prior to, a disclosure and the patient is able to make health care decisions, if: (i) we obtain the patient’s agreement; (ii) we provide the patient with the opportunity to object to the disclosure and the patient fails to do so; or (iii) we infer from the circumstances, based upon professional judgment, that the patient does not object to the disclosure. We may obtain the patient’s oral agreement or disagreement to a disclosure. However, if the patient is not present, or the opportunity to agree or object to the disclosure cannot practicably be provided because of the patient’s incapacity or due to an emergency circumstance, we may, in the exercise of professional judgment, determine whether the disclosure is in such patient’s best interests, and, if so, disclose only PHI that is directly relevant to the person’s involvement with the patient’s health care.
- Research. Under certain circumstances, we may use and disclose PHI about a patient for research purposes. For example, a research project may involve comparing the health and recovery of all patients who received on product or service for the same condition. We may also disclose PHI about a patient to people preparing to conduct a research project, for example to help them look for patients with specific medical circumstances. If the researcher has access to a patient’s name, address or other identifying information that reveals who the patient is, we are required to ask for the patient’s authorization in order to disclose PHI in connection with research.
- As Required by Law. We will disclose PHI about a patient when required to do so by federal, state or local law. For example, we may disclose information for judicial and administrative proceedings pursuant to legal authority; to report information related to victims of abuse, neglect or domestic violence; or to assist law enforcement officials in their law enforcement duties.
- Government Functions. We may use and disclose PHI about a patient as required for specialized government functions such as protection of public officials, reporting to various branches of the armed services or national security activities authorized by law.
- To Avert a Serious threat to Health or Safety. We may use and disclose PHI about a patient when necessary to prevent a serious threat to such patient’s health and safety or the health and safety of the public or another person. Any disclosure, however, would only be to someone able to help prevent the threat.
- Business Transfers. In the course of Novocure’s business, there could be an acquisition or sale of Novocure’s business assets (“Business Transfers”). Such Business Transfers may involve the sale or purchase of PHI. Also, in the event that Novocure Inc., Novocure Ltd. (Jersey Isle), or any subsidiary of Novocure Ltd. (Jersey Isle) is acquired or substantially all of Novocure Inc.’s assets are acquired, PHI likely will be one of the transferred assets.
- Workers’ Compensation. We may release PHI about a patient for workers’ compensation or similar programs. These programs provide benefits for work-related injuries or illness.
- Public Health Activities. We may use or disclose a patient’s PHI to a health oversight agency for activities authorized by law. These oversight activities include, for example, audits, investigations, inspections, and licensure. These activities are necessary for the government to monitor the health care system, government programs, and compliance with civil rights laws.
- Lawsuits and Disputes. If a patient is involved in a lawsuit or a dispute, we may disclose PHI about such patient in response to a court or administrative order. We may also disclose PHI about a patient in response to a subpoena, discovery request, or other lawful process by someone else involved in the dispute, but only if efforts have been made to tell the patient about the request and obtain such patient’s written authorization or to obtain an order protecting the information requested.
- Coroners, Medical Examiners and Funeral Directors. We may release PHI to a coroner or medical examiner. This may be necessary, for example, to identify a deceased patient or determine the cause of death of such patient.
- Organ / Tissue Donation. We may use or disclose a patient’s PHI for cadaveric organ, eye or tissue donation purposes.
- Other Uses of Protected Health Information
- Other uses and discloses of PHI not covered by the Notice of Privacy Practices or otherwise permitted by laws that apply to Novocure will be made only with a patient’s written authorization. An authorization will not be required if Novocure uses or discloses health information for purposes other than as covered by the Notice of Privacy Practices or permitted by law if Novocure removes any information that individually identifies the patient before disclosing the remaining information. If a patient provides Novocure with authorization to use or disclose PHI about such patient, that patient has the right to revoke his/her permission, in writing, at any time. If a patient revokes his/her authorization, Novocure will no longer be permitted to use or disclose PHI about such patient for the reasons covered by such patient’s written authorization. However, we are unable to take back any disclosures we previously made in reliance upon the authorization provided by the patient. Novocure is required to retain records of the products and services that we provide to our patients.
- Changes to The Notice of Privacy Practices
- We reserve the right to change our information practices and to make the new provisions effective for all PHI we maintain. We also reserve the right to change the Notice of Privacy Practices at any time. We reserve the right to make the revised or changed notice effective for PHI we already have about our patients as well as any information we receive in the future. A patient may request current version of our privacy practices by contacting 855-281-9301 or email@example.com.
If a patient believes his/her privacy rights have been violated, a patient may file a complaint with us or with the Secretary of the Department of Health and Human Services at 200 Independence Avenue, S.W.; Washington, DC 20201, or reach the Secretary by phone at (202) 690-7000. To file a complaint with Novocure, a patient must submit the complaint in writing to Novocure, contact 855-281-9301 or firstname.lastname@example.org.
VII. Transactions and Code Sets
Novocure submits all transactions to healthcare payers using the transaction and code set standards described in HIPAA. Specifically, we submit claims for our products using unlisted HCPCS codes.
Effective Date: May 25, 2016