IN-NETWORK AUTHORIZED PROVIDER

COVID TEST DELIVERY PROGRAM

Notice of HIPAA Privacy Practices

Last Updated: September 30, 2022
THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED, AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.

iOpen and your selected medical provider are both accountable for compliance with HIPAA and both are required by law to maintain the privacy of your Protected Health Information.

iOpen World (“iOpen,” “we,” “our,” or “us”) are not a medical group, but is a Business Associate in alignment with US Careways PC, LLC to bring the iOpen vaccination passport globally (collectively “iOpen”). Your selected medical provider (each, a “Provider”) is independent from iOpen and is not associated with iOpen in any way.

Each Provider entity, their related sites, locations, and care providers is federally regulated to follow terms in compliance with federal consent requirements for the release of PHI records pursuant to 45 CFR 164.508. Additionally, the independent entities, sites, locations and care providers may use your medical information for treatment, payment, or healthcare operations after the release of the record.

All medical visits are provided by independent medical practitioners. Your medical provider is responsible for providing you with a Notice of Privacy Practices describing their collection and use of your health information.

This Notice of HIPAA Privacy Practices is made available to you particular to the release of your PHI from the independent medical practitioner(s).

In compliance with the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) we are required to ask each of the iOpen users to acknowledge receipt of our Notice of HIPAA Privacy Practices.

You acknowledge receipt of the Notice of HIPAA Privacy Practices when you select the “Sign Form” button after being presented these forms during the account creation/sign-up process in the iOpen mobile applications or website, or by indicating or signing your acknowledgement in another written or digital format provided to you. You can receive a copy of the Notice of HIPAA Privacy Practices by printing this disclosure by visiting our website and printing the form from there.

Your acknowledging the Notice of HIPAA Privacy Practices is required by HIPAA and iOpen, and if you do not wish to be bound by this Notice you are not authorized to access or use our Website, Applications, or make use of our vaccination passport services, and you must promptly exit our Websites or Applications.
iOpen’s Commitment and Responsibilities

The Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) defines strict rules and regulations identifying the controls companies must implement to protect patient privacy, and our responsibility to guard “Protected Health Information” (“PHI”). The information collected when you authenticate to accounts in iOpen Applications and Websites, or when you communicate with our staff about healthcare matters, whether electronically, orally, or by alternative offline methods, is all considered PHI. PHI includes any and all medical information you share with iOpen, including your medical history and any medical records from other providers or services you share with us, and also includes more general personal information that may identify you, such as your name, social security number, billing information, addresses, phone numbers, date of birth, and email address.

Your Protected Health Information is kept safe through our commitment to your privacy, and the processes, procedures, controls, and staff training we have in place to ensure our compliance with federal and state laws and regulations.

In keeping with these commitments, we are proud to take responsibility for ensuring that:

Our Privacy Practices are made available in plain language: ensuring we are transparent when informing you and all users of iOpen services of our responsibilities for protecting your PHI.
We document all of our best practices, company policies, staff procedures, and ensure all staff receive training on each, such that all business and healthcare activities are performed with a clear understanding of what is required to keep your data private.
We follow the practices and procedures defined in this Notice of Privacy Practices
We are transparent about how in providing our services we will use your Protected Health Information.
We are transparent about your rights to authorize disclosure of Protected Health Information and your rights to revoke those authorizations at any time.
We remain transparent in our communications with you, disclosing in a timely manner if any problems arise that affect you: informing you directly if a breach occurs (If your PHI is ever mistakenly exposed.)

Additionally, on your behalf iOpen will always try to apply the strictest protections available on your behalf: we are committed to adhering not just with federal and individual state regulations, but also to maximizing the protections applied to your data, which we do by applying the more stringent of protections defined by any individual state to all states (unless that causes a direct conflict with your own state’s laws.)
Uses and Disclosures of Protected Healthcare Information That Do Not Require Your Authorization

Our own policies as well as Federal and State regulations have been designed to keep your Protected Health Information private to you. These policies and regulations, including HIPAA, have provisions to support healthcare data storage and sharing that is performed as part of related services. HIPAA and the other regulations define exactly when and how data can be shared, and also how that sharing must be securely managed. iOpen is not a medical practice and does not provide medical treatment, payment for medical services, administrate or support health care services. iOpen does support:

For public health activities, or health oversight activities, that may be defined by federal, state, or county authorities. Examples include efforts to prevent or control the spread of a disease (as when reporting Covid-19 infections, administered Covid-19 vaccinations), injury, or disability, but also includes vital events such as births, or deaths where disclosures of your PHI apply for family arrangements (your decedents).
To avert a threat to individual or public health or safety: as when we, in good faith, and in compliance with applicable laws and regulations, believe disclosure to an appropriate authority will prevent or lessen a serious or imminent threat.
For instances where disclosure is required by law, judicial and administrative proceedings, or for law enforcement purposes such as when compelled by a court order or in response to a subpoena, or a government or regulatory request
As required for specialized government functions, including a response to a public health investigation or public health surveillance activity; when helping to ensure the quality, safety, or effectiveness of an FDA-regulated product or activity, including prescription drugs, medical devices, and supplements; in compliance with regulatory and oversight agencies for activities including initial licensure, audits, reviews, examinations, inspections, investigations.
To parents and legal guardians overseeing the care of minors in accordance with applicable laws and regulations. This may include sharing where parental and legal guardian consent is required for the services rendered and will exclude sharing where parental and legal guardian consent is not required, unless explicit consent in accordance with applicable laws and regulations is received from the minor. We will share a minor’s data with a parent or guardian when required to do so by applicable law.
As applies to work-related injuries or illness as with workers’ compensation or similar programs, established by law, that provide benefits for work-related injuries or illness without regard to fault.
To more efficiently communicate with your other care providers, through our participation in Health Information Exchanges (HIE) that enable us to share your healthcare information with other organizations lawfully participating in treatment, payment, or healthcare operations involving you. For your protection we provide opt-in and opt-out rights to you for all HIE in which we participate, and we do so in accordance with the strictest interpretation of all applicable federal and state laws.

More About iOpen

There are a number of reasons iOpen may use your PHI as part of providing our services to you. The most critical of these for us, are in ensuring we are continually conducting quality assessment and improvements of our websites, applications, and staff processes in order to continually improve how we deliver our services to you. As part of these efforts we use PHI:

To present our Websites and Applications, and their contents to you.
To provide our healthcare related products and services to you.
To answer your requests for information, products, or services from iOpen, or when we believe it is in your best interest that we inform you of additions and changes to our applications, websites, products, and services.
To process, fulfill, support, and administer transactions and orders for products and services you have requested.
To provide you with notices about your iOpen account.
To administer surveys and solicit feedback.
To fulfill any purpose for which you have provided PHI on which we are being asked to act.
For specific uses described at the time you provide the information.
For any other purpose for which you have provided your authorization as described in “A Note About Your Authorization to Disclose Protected Health Information”

While federal and state regulations, including HIPAA, make accommodations for sharing Protected Health Information for research purposes, and this sharing is only allowed with authorized Institutional Review Boards (IRB), and under specific circumstances, iOpen does not participate in this kind of legal sharing of your PHI without explicitly first requesting then receiving your authorization. We do think this kind of research is important, and that you should know that each IRB is required to protect your PHI, poses minimal risk to your privacy, and can offer great benefits to healthcare research. Choosing to share your data for research purposes, and as a contribution to improving healthcare, is completely voluntary, and you will never be required to share your PHI in order to receive care, and non-participation in research sharing will have no effect on the quality of care you receive.
Uses and Disclosures of PHI That Require Your Authorization to Release Records Received by iOpen

iOpen is committed to your privacy, and this means that your data is protected as yours, and that without your written or electronically signed authorization, your PHI will not be shared outside of the purposes and audiences listed in the preceding sections of this Policy. Other than for the purposes described in this document, we commit that:

iOpen will not sell your Protected Health Information.
iOpen will not share your Protected Health Information with your employer or any one else, unless you grant authorization for such a disclosure.
iOpen will not share your Protected Health Information with your school or educational institution, unless you provide an authorization for such a disclosure.
iOpen will not use your Protected Health Information for Marketing (We will, as described above, contact you about our own Websites, Applications, products, and services to improve our offerings to you, but we will not let a third party market to you, and we will additionally always allow you to opt-out of even these HIPAA permitted communications that we believe are beneficial to you.)

Additionally, iOpen abides by all applicable Federal and State laws regarding special protections. As stated above, we apply the most stringent of any one state’s laws to the protections of all state’s patients (save where they conflict with your individual state’s laws and regulations), and this includes the rules involving:

Mental health treatment
Sexual assault
Sexually transmitted diseases
Drug and alcohol abuse
Specific communicable diseases, including HIV/AIDS

A Note About Your Authorization to Disclose Protected Health Information

Outside of the permitted disclosures described elsewhere in this document, Federal and state laws and regulations, including HIPAA, have very clear rules defining the processes by which any authorization to disclose your Protected Health Information must be requested and received from you. In all cases where your authorization is required, if you have not granted your authorization in accordance with these rules, your information will not be disclosed. Additionally, if you have granted an authorization for a disclosure, it is important that you know you may revoke that authorization at any time. What this means for you, is that unless you see an authorization form meeting the requirements detailed in this section, and unless you choose to sign that form (electronically or by other means), your data will not be shared for any reason outside those identified as permissible elsewhere in this policy. Any request made of you for your authorization to disclose your PHI must clearly, and in plain language provide:

A description of the information to be used or disclosed that identifies the information in a specific and meaningful fashion.
A name or other specific identification of the person(s), or class of persons, authorized to make the requested use or disclosure.
A name or other specific identification of the person(s), or class of persons, who will be the recipient of the requested use or disclosure.
A description of each purpose for which the requested use or disclosure is being made. (If you are asking for the disclosure of your own data, you do not need to explain your reasons other than to make a statement such as: “At the request of the individual.”
An expiration date, or expiration event that relates to the defined individual purpose for which the use or disclosure is being made. Additionally, if you choose to contribute to the advancement of healthcare by participating in a research study, acceptable expiration statements include: “At the end of the research study”, “none”, or similar language.
A process for receiving your physical or electronic signature with a recorded signing date. If the authorization is signed by a personal representative, as with a Power of Attorney, Parent, or legal Guardian, a description of the representative’s authority to act for the individual is also required.

Additionally, the request for authorization to disclose PHI will specifically state:

Your right to revoke the authorization, including a description of how you may revoke the authorization, as well as any exceptions to the right to revoke. (Other companies may include this in their Notice of Privacy Practices, but iOpen will include this information directly in each authorization form presented for your signature.)
Our commitment that your authorization to disclose your Protected Health Information will never be required for you to receive healthcare services you acquire directly from us: This protection applies to healthcare services specific to you as an individual. This protection may not apply to services organized by a third party and including you, for example: participation in research studies may require your authorization as a prerequisite for study participation, and similarly, healthcare processes initiated specifically for disclosure to a third party, as with employer funded medical tests for “return to work” purposes, may not be available from iOpen and the third parties involved, without your authorizing the disclosure for which those activities have been organized.
The potential for information you authorize to be disclosed to a third party to end up subject to redisclosure by that third party, and if that third party is not required to comply with HIPAA, mention that it is possible the information will no longer receive the original protections applied when it was first provided to your healthcare provider.
Your right to receive a copy of any authorization you sign.

Your Rights Regarding Your Protected Health Information

iOpen will always uphold your rights over the Protected Health Information belonging to you that we may obtain. We will ensure we protect your rights:

To access your data: We will protect your data, and we will also ensure that it is available to you.
To request that we restrict any use and disclosure of your data. We will not always be able to honor these requests, and we are not obligated by law or regulation to apply disclosure restrictions related to our treatment, payment, or health care operations, save in specific use cases of payment disclosures to a health plan for services you have paid in full and where the disclosure is payment related. This said, where we have documented our ability to comply with your request, we will honor that commitment in all cases, save for exceptions defined under HIPAA including when: We determine that a disclosure is required for emergency treatment (in that use case we will request that the party to whom the data is disclosed does not disclose the information any further); When required by the Secretary of Health and Human Services
To receive confidential communications of your Protected Health Information. We will make this information available to you in your accounts accessible on our websites and applications, and you may also request alternative means of secure communication. We may ask that you submit such requests in writing, but we will generally agree to secure alternative communication methods that are deemed reasonable.
To inspect and copy your Protected Health Information.
To request corrections to your data.
To receive an accounting of disclosures.
To receive notice of any breach.
To receive an electronic or paper copy of your PHI with some restrictions. This may potentially include charging a reasonable fee associated with the cost of printing and mailing physical copies.

You can review, copy, and change your Personal Data by logging into our Websites or Applications and visiting either the Settings or Account sections. Additionally, we have provided detailed Contact Information (below) through which you may notify us of any changes or errors in the Personal Data we have about you. We will reply to all such contact to help you ensure that your PHI records are complete, accurate, and as current as possible. If desired, you may also contact us to have us disable or delete your account. For any deletion request, we will make every effort to delete your account and all personal information you have shared with us. Please note that while we will do everything we can to comply with any deletion request, we are not permitted to delete PHI if we believe it would violate any law or legal requirement, or cause the information to be incorrect.

Our commitment to the privacy of your Protected Health Information, and to transparency in our adherence to this Notice of Privacy Practices includes our making this notice available to you on paper when requested through the contact information below. In protecting your right to receive an accounting of any disclosures of your Protected Health Information, we have committed that we will make such an accounting available covering minimally the 6 years prior to which the accounting is requested, and covering all disclosures not otherwise excepted by HIPAA.
De-identification

Health information that does not identify an individual, and data for which there is no reasonable basis to believe it could be used to identify an individual, including you, represents essentially no usefulness to identity thieves and others involved in criminal practices. While of no value for those with illegitimate motivations, this data represents great value for Healthcare, where providers and researchers employ de-identified data in accordance with the HIPAA safe harbor provision, to both protect the privacy of individuals, and also to protect the health of the many, by identifying critical trends or anomalies in group data as well as studies that follow other research pathways. iOpen does contribute to healthcare research by making data that has been de-identified in accordance with the safe harbor provision available to trusted research organizations. Safe harbor data is Protected Health Information that as specified by HIPAA has the following 18 individual identifiers removed so that it cannot identify any individual, including you:

Names
Social Security Numbers
Telephone numbers
Fax numbers
Geographic subdivisions (including addresses information) smaller than a state
All elements of dates (with the exception of year): birth and death dates, admission dates, discharge dates, ages for anyone over 89.
E-Mail addresses
Medical record numbers
Health Plan Beneficiary numbers
Account numbers
Certificate/license numbers
Vehicle identification numbers or serial numbers, license plate numbers
Device identifiers and serial numbers
Web Universal Resource Locators (URL)
Internet Protocol (IP) addresses
Biometric data (Fingerprints, Face ID, Voice Prints, etc.)
Full face photographic images and comparable images
Any other number, characteristic, or code that would uniquely identify you

In addition to the protections defined throughout this document, iOpen has committed that we will never share your Protected Health Information if we have any actual knowledge that the information could be used alone or in combination with other information to identify you or any individual who is the subject of the information, unless we have your direct authorization, documented and signed as described in A Note About Your Authorization to Disclose Protected Health Information
Changes to Our Notification of Privacy Practices

We will not weaken the privacy protections applied to your PHI as defined in this Notification of Privacy Practices without first notifying you. We do reserve the right to make changes to this document at any time, so long as those changes do not weaken the privacy protections for which you have initially granted authorization. Changes will apply to all Protected Health Information we maintain. It is our policy to post any changes we make to our Privacy Practices on this page, with a notice that the Privacy Practices has been updated on the Website’s home page or the Application’s home screen. If we want to make material changes to how we treat our users’ Personal Data, we will notify you by email to the email address specified in your account or through a notice on the Website’s home page or the Application’s home screen. The date this Privacy Policy was last revised is identified at the top of the page. You are responsible for ensuring we have an up-to-date, active, and deliverable email address for you, and for periodically accessing the Application or visiting our Website and reviewing this Privacy Practices to check for any changes.
Questions, Concerns, and Complaints

If you have any questions, concerns, complaints or suggestions regarding our Privacy Practices or otherwise need to contact us, you may contact us at the contact information below or through the “Contact Us” page on our Website or in the Application. In addition to being able to report complaints to us at any time, if you believe your privacy rights have been violated or have other concerns, you may also report complaints to the national Secretary of Health and Human Services. Any questions, concerns, or complaints you raise will never be allowed to negatively affect the quality of care you receive from us, and there will never be any retaliation against you for any such filings.
How to Contact Us

iOpen World

1101 Pennsylvania Avenue NW, 3rd Floor

Washington, DC 20004

Phone: 202-670-5119

Email: support@iOpenworld.com