HIPAA Privacy, Confidentiality & Securit

Effective Date: April 26th, 2024

Respecting the confidentiality of healthcare information has long been a professional standard.  The mission, vision, and values of Extra Care has always protected the privacy of each person – consumers/consumers and staff. Federal law makes consumer privacy even more important.  It deals with the need to keep consumers’ health information private, confidential, and secure.

HIPAA Background – The Federal Government requires us to follow HIPAA rules and regulations.

  • Privacy Rule – Protects personal health information.
  • Security Rule – Controls the security of computerized data.
  • HI TECH – Address additional security and potential breaches.


In connection with your use of Extra Care’s services, website, mobile application, products, and other technology platforms, you may provide us with health information and other identifiable information. This health information, paired with your identifiable information, is known as “protected health information” or “PHI”. Under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), Extra Care is required to provide you with this Notice of Privacy Practices (this “Notice”) that describes how we may use and share your PHI for treatment, payment, or other purposes, and how you can access your PHI that we collect.

Section 1.

Extra Care’s responsibilities under HIPAA

  • Maintaining the privacy and security of your PHI;
  • Following the duties and privacy practices described in this Notice;
  • Only using or sharing your PHI as described in this Notice unless you tell us in writing that we can use or share it in some other way;
  • Promptly letting you know if an incident occurs that may have compromised the privacy or security of your PHI.

Section 2.

We may use or share your PHI for the following reasons:

For Treatment. PHI may be used and shared in connection with your treatment and to provide you with treatment-related health care services. For example, we may disclose PHI to pharmacists or other personnel who need the information to provide you with medical care.
For Payment. PHI may be used and shared so that we or others may bill and receive payment from you, an insurance company, or a third party for the treatment and services you received.
For Health Care Operations. PHI may be used and shared in connection with our health care operations so we can operate and manage our business and ensure that our customers receive the best possible care. We may share PHI with other entities that have a relationship with you, such as your health plan, for their own health care operation activities.
Reminders, Treatment Alternatives, and Health-Related Benefits and Services. PHI may be used to contact you to remind you that you have a prescription with us. We also may use and share PHI to tell you about treatment alternatives or health-related benefits and services that may be relevant to you.
Business Associates. We may share PHI with our business associates that perform functions on our behalf or provide us with services if sharing that information is necessary for such functions or services. All of our business associates are obligated to protect the privacy of PHI and aren’t allowed to use or disclose any PHI other than as specified in a written agreement with each business associate.

Section 3.

We may be permitted or required to share your PHI in other ways (although we may have to meet certain conditions first) – usually these ways contribute to the public good, such as public health, research, and safety. Specifically, we may use or share your PHI for the following purposes:

Public Health and Safety Issues. PHI may be used and shared in connection with public health and safety issues such as helping with product recalls, preventing the spread of disease, reporting adverse reactions to medications, reporting suspected abuse or neglect, or preventing or reducing a serious threat to anyone’s health or safety.
Health Oversight Activities. PHI may be used and shared with a health oversight agency for oversight activities such as audits, investigations, inspections, and licensure.
Data Breach Notification Purposes. PHI may be used and shared to provide legally required notices of unauthorized access to or disclosure of PHI.
As Required by Law and Law Enforcement. PHI may be shared if state or federal laws require it to be shared in a given circumstance. For example, we may release PHI to a law enforcement agency if we’re required to respond to a court order or similar process. We may also share PHI in relation to criminal conduct, such as if criminal conduct occurred on our premises.
Lawsuits and Disputes. If you’re involved in a lawsuit or a dispute, we may be required to share PHI in response to a court or administrative order, subpoena, discovery request, or other lawful process by someone else involved in the dispute. To the extent not prohibited by law, we’ll first attempt to tell you about the order or request so you can decide whether to obtain an order protecting the information requested.
Specialized Government Functions. We may share PHI with departments or units of the government with special functions, such as the U.S. military or the U.S. Department of State, for intelligence, counterintelligence, and other national security activities authorized by law.

Section 4.

We’re not required to obtain your written permission to use or share your PHI for the purposes outlined in this Notice. In all other circumstances, we can only use or share your PHI with your written permission.

For example, your written permission is required for the following purposes:

Marketing. We must obtain your written permission prior to using PHI for marketing purposes as defined in HIPAA. This does not apply to face-to-face communication about products or services that may be of benefit to you, or about prescriptions you have already been prescribed.
Psychotherapy Notes. To the extent we receive them from your provider, we will not use or share psychotherapy notes about you without your permission except to defend ourselves in a legal action or other proceeding brought by you.

Please note that you’re not required to provide your permission and you may later revoke your permission at any time by sending a written revocation at the email or mailing address.

Section 5.

HIPAA grants you the following rights with respect to your PHI collected by us:

Right to Inspect and Copy. You may ask to see or get an electronic or paper copy of your medical record and other PHI we’ve about you. We’ll provide a copy or a summary of your PHI within 30 days of your request. We may charge a reasonable, cost-based processing fee for these requests.
Right to Correct. You may ask us to correct your PHI that you think is incorrect or incomplete.
Right to Confidential Communications. You can ask us to contact you in a specific way (for example, home or office phone) or to send mail to a different address.
Right to Request Additional Restrictions. You may ask us not to use or share your PHI for treatment, payment, or our operations, with certain individuals (such as a family member or close personal friend) involved with your care or with payment related to your care, or in order to notify other individuals about your location and general condition. While we’ll consider all requests for additional restrictions carefully, we’re not required to agree to your request, and we may decline if it would affect your care. If you pay for a service out-of-pocket in full, you can ask us not to share that information for the purpose of payment or our operations with your health insurer.
Right to Paper Copy of this Notice.
You can ask for a paper copy of this notice at any time, even if you have agreed to receive the notice electronically.
Changes to this Notice.
We may change this Notice at any time. However, we’ll give you prior notice of any major changes by placing a notice on the website, by sending you an email, or by some other manner, and we’ll let you know when the modified Notice will become effective.
Contact Us
If you would like further information about your privacy rights, want to make a specific request as detailed in this Notice or disagree with a decision that we made about access to your PHI, you may contact us at info@myextracare.com

How to File a Health Information Privacy or Security Complaint
Complaint Requirements
Anyone can file a health information privacy or security complaint. Your complaint must:

  • Be filed in writing by mail, fax, e-mail, or via the OCR Complaint Portal
  • Name the covered entity or business associate involved, and describe the acts or omissions, you believed violated the requirements of the Privacy, Security, or Breach Notification Rules
  • Be filed within 180 days of when you knew that the act or omission complained of occurred. OCR may extend the 180-day period if you can show “good cause”

HIPAA Prohibits Retaliation
Under HIPAA an entity cannot retaliate against you for filing a complaint. You should notify OCR immediately in the event of any retaliatory action.

File a Health Information Privacy Complaint Online
Open the OCR Complaint Portal and select the type of complaint you would like to file. Complete as much information as possible, including:

  • Information about you, the complainant
  • Details of the complaint
  • Any additional information that might help OCR when reviewing your complaint

You will then need to electronically sign the complaint and complete the consent form. After completing the consent form you will be able to print out a copy of your complaint to keep for your records

File a Health Information Privacy Complaint in Writing

NOTE:  in accordance with the Office for Personnel Management’s and CDC’s guidelines on COVID 19, HHS personnel are teleworking.  OCR is committed to handling your complaint as quickly as possible.  However, for faster processing we strongly encourage you to use the OCR online portal to file complaints rather than filing via mail as our personnel on site is limited.

File a Complaint Using the Health Information Privacy Complaint Form Package
Open and fill out the Health Information Privacy Complaint Form Package – PDF in PDF format. You will need Adobe Reader software to fill out the complaint and consent forms. You may either:

  • Print and mail the completed complaint and consent forms to:
    Centralized Case Management Operations
    Department of Health and Human Services
    200 Independence Avenue, S.W.
    Room 509F HHH Bldg.
    Washington, D.C. 20201
  • Email the completed complaint and consent forms to OCRComplaint@hhs.gov (Please note that communication by unencrypted email presents a risk that personally identifiable information contained in such an email, may be intercepted by unauthorized third parties)

File A Complaint Without Using Our Health Information Privacy Complaint Package
If you prefer, you may submit a written complaint in your own format by either:

  • Print and mail the completed complaint and consent forms to:
    Centralized Case Management Operations
    Department of Health and Human Services
    200 Independence Avenue, S.W.
    Room 509F HHH Bldg.
    Washington, D.C. 20201
  • Email to OCRComplaint@hhs.gov

Be sure to include:

  • Your name
  • Full address
  • Telephone numbers (include area code)
  • E-mail address (if available)
  • Name, full address and telephone number of the person, agency, or organization you believe violated your (or someone else’s) health information privacy rights or committed another violation of the Privacy or Security Rule
  • Brief description of what happened. How, why, and when do you believe your (or someone else’s) health information privacy rights were violated, or how the Privacy or Security Rule otherwise was violated
  • Any other relevant information
  • Your signature and date of complaint

If you are filing a complaint on someone’s behalf, also provide the name of the person on whose behalf you are filing.

You may also include:

  • If you need special accommodations for us to communicate with you about this complaint
  • Contact information for someone who can help us reach you if we cannot reach you directly
  • If you have filed your complaint somewhere else and where you’ve filed

File a Security Rule Complaint
You may file a Security Rule complaint electronically via the OCR Complaint Portal, or using our Health Information Privacy Complaint Package – PDF.

If you mail or fax the complaint, be sure to send it to the appropriate OCR regional office based on where the alleged violation took place. OCR has ten regional offices, and each regional office covers specific states. Send your complaint to the attention of the OCR Regional Manager. You do not need to sign the complaint and consent forms when you submit them by e-mail because submission by e-mail represents your signature.

Before You File a Complaint
Don’t waste time filing a complaint we can’t investigate. Review these questions before filing a health information privacy or security complaint with OCR:

Are you filing a complaint against an entity that is required by law to comply with the Privacy and Security Rules?

Not all entities are required to comply with the Privacy and Security Rules. OCR can only investigate the covered entities that must comply with these rules. Covered entities include most:

  • Doctors
  • Clinics
  • Hospitals
  • Psychologists
  • Chiropractors
  • Nursing Homes
  • Pharmacies
  • Dentists
  • Health Insurance Companies
  • Company Health Plans
  • Medicare, Medicaid, and other government programs that pay for health care

Does your complaint describe an activity that might violate the Privacy or Security Rule?
If you are not sure, go ahead and file your complaint. But, OCR can only investigate complaints that allege an action or omission that fails to comply with the Privacy or Security Rules. For example, a doctor can send your medical test results to another doctor without your permission if the doctor needs the information to treat you; this is not a violation of the Privacy Rule, so we would not investigate a complaint that described this situation.

Did the activity occur after the Privacy and Security Rules took effect?
OCR cannot investigate Privacy Rule complaints that occurred before April 14, 2003 because compliance with the Privacy Rule was not required until that date. Similarly, OCR cannot investigate Security Rule complaints that occurred before April 20, 2005.

Are you willing to give OCR your name and contact information?
OCR does not investigate complaints filed without a name and contact information on the complaint. If you want OCR to keep your name and contact information confidential during the investigation, you may specify that on the consent form.

HIPAA Privacy, Confidentiality & Securit

Get Started Today