1-800 CONTACTS NOTICE OF PRIVACY PRACTICES
We at 1-800 Contacts are required by the Health Insurance Portability and Accountability Act of 1996 and its related rules and regulations (collectively “HIPAA”) to maintain the privacy of Protected Health Information (“PHI”) and to provide you with notice of our legal duties and privacy practices with respect to PHI.
PHI is information that may identify you and that relates to your past, present, or future physical or mental health or condition, the provision of health care products and services to you or payment for such services. This Notice describes how we may use and disclose PHI about you, as well as how you obtain access to such PHI. This Notice also describes your rights with respect to your PHI. We are required by HIPAA to provide this Notice to you.
We are required to follow the terms of this Notice or any change to it that is in effect. We reserve the right to change our practices and this Notice and to make the new Notice effective for all PHI we maintain. If we do so, the updated Notice will be posted on our website and will be available at any facilities and locations where you receive health care products and services from us. Upon request, we will provide any revised Notice to you.
How We May Use and Disclose Your PHI
The following categories describe different ways that we use and disclose your PHI. We have provided you with examples in certain categories; however, not every permissible use or disclosure will be listed in this Notice. Note that some types of PHI, such as HIV information, genetic information, alcohol and/or substance abuse records, and mental health records may be subject to special confidentiality protections under applicable state or federal law and we will abide by these special protections. If you would like additional information about special state law protections, you may contact the Privacy Office.
I. Uses and Disclosures of PHI That Do Not Require Your Prior Authorization
Except where prohibited by federal or state laws that require special privacy protections, we may use and disclose your PHI for treatment, payment and health care operations without your prior authorization as follows:
Treatment. We may use and disclose your PHI to provide and coordinate the treatment, and services you receive, such as to fill your order and confirm your contact lens prescription. We may also use your PHI to contact you, for appointment reminders, possible treatment options and alternatives, and health related benefits or services that might be of interest to you.
Payment. We may use and disclose your PHI in order to obtain payment for the health care products and services that we provide to you and for other payment activities related to the services that we provide. For example, we may contact your insurer, or other health care payor to determine whether it will pay for the products and services you need and to determine the amount of your co-payment. We will bill you or a third-party payor for the cost of the products and services we provide to you. The information on or accompanying the bill may include information that identifies you, as well as information about the services that were provided to you. We may also disclose your PHI to other health care providers or HIPAA covered entities who may need it for their payment activities.
Health Care Operations. We may use and disclose your PHI for our health care operations. Health care operations are activities necessary for us to operate our health care businesses. For example, we may use your PHI to monitor the performance of the staff providing treatment to you. We may use your PHI as part of our efforts to continually improve the quality and effectiveness of the products and services we provide. We may also analyze PHI to improve the quality and efficiency of health care, for example, to assess and improve outcomes for health care conditions. We may also disclose your PHI to other HIPAA covered entities that have provided services to you so that they can improve the quality and effectiveness of the health care services that they provide. We may use your PHI to create de-identified data, which is stripped of your identifiable data and no longer identifies you.
We may also use and disclose your PHI without your prior authorization for the following purposes:
- Business Associates. We may contract with third parties to perform certain services for us, such as billing services, copy services or consulting services. These third party service providers, referred to as Business Associates, may need to access your PHI to perform services for us. They are required by contract and law to protect your PHI and only use and disclose it as necessary to perform their services for us.
- To Communicate with Individuals Involved in Your Care or Payment for Your Care. We may disclose to a family member, other relative, close personal friend, or any other person you identify, PHI directly relevant to that person's involvement in your care or payment related to your care. Additionally, we may disclose PHI to your “personal representative.” If a person has the authority by law to make health care decisions for you, we will generally regard that person as your “personal representative” and treat him or her the same way we would treat you with respect to your PHI.
- Food and Drug Administration (“FDA”). We may disclose to persons under the jurisdiction of the FDA, PHI relative to adverse events with respect to drugs, foods, supplements, products and product defects, or post-marketing surveillance information to enable product recalls, repairs, or replacement.
- Worker's Compensation. To the extent necessary to comply with law, we may disclose your PHI to worker's compensation or other similar programs established by law.
- Public Health. We may disclose your PHI to public health or legal authorities charged with preventing or controlling disease, injury, or disability, including the FDA. In certain circumstances, we may also report work-related illnesses and injuries to employers for workplace safety purposes.
- Law Enforcement. We may disclose your PHI for law enforcement purposes as required or permitted by law for example, in response to a subpoena or court order, in response to a request from law enforcement, and to report limited information in certain circumstances.
- As Required by Law. We will disclose your PHI when required to do so by federal, state or local law.
- Health Oversight Activities. We may disclose your PHI to an oversight agency for activities authorized by law. These oversight activities include audits, investigations, inspections, and credentialing, as necessary for licensure and for the government to monitor the health care system, government programs and compliance with civil rights laws.
- Judicial and Administrative Proceedings. If you are involved in a lawsuit or a dispute, we may disclose your PHI in response to a court or administrative order. We may also disclose your PHI in response to a subpoena, discovery request, or other lawful process instituted by someone else involved in the dispute, but only if efforts have been made, either by the requesting party or us, to first tell you about the request or to obtain an order protecting the information requested.
- Research. We may use your PHI to conduct research and we may disclose your PHI to researchers as authorized by law. For example, we may use or disclose your PHI as part of a research study when the research has been approved by an institutional review board or privacy board that has reviewed the research proposal and established protocols to ensure the privacy of your information.
- Coroners, Medical Examiners and Funeral Directors. We may release your PHI to coroners or medical examiners so that they can carry out their duties. This may be necessary, for example, to identify a deceased person or determine the cause of death. We may also disclose PHI to funeral directors consistent with applicable law to enable them to carry out their duties.
- Organ or Tissue Procurement Organizations. Consistent with applicable law, we may disclose your PHI to organ procurement organizations or other entities engaged in the procurement, banking, or transplantation of organs for the purpose of tissue donation and transplant.
- Notification. We may use or disclose your PHI to notify or assist in notifying a family member, personal representative, or another person responsible for your care, regarding your location and general condition.
- Disaster Relief. We may use and disclose your PHI to organizations for purposes of disaster relief efforts.
- Fund raising. As permitted by applicable law, we may contact you to provide you with information about our fundraising programs. You have the right to “opt out” of receiving these communications and such fundraising materials will explain how you may request to opt out of future communications if you do not want us to contact you further for fundraising efforts.
- Correctional Institution. If you are or become an inmate of a correctional institution, we may disclose to the institution, or its agents, PHI necessary for your health and the health and safety of other individuals.
- To Avert a Serious Threat to Health or Safety. We may use and disclose your PHI when necessary to prevent a serious threat to your health and safety or the health and safety of the public or another person.
- Military and Veterans. If you are a member of the armed forces, we may release PHI about you as required by military command authorities. We may also release PHI about foreign military personnel to the appropriate foreign military authority.
- National Security, Intelligence Activities, and Protective Services for the President and Others. We may release PHI about you to federal officials for intelligence, counterintelligence, protection of the President, and other national security activities authorized by law.
- Victims of Abuse or Neglect. We may disclose PHI about you to a government authority if we reasonably believe you are a victim of abuse or neglect. We will only disclose this type of information to the extent required by law, if you agree to the disclosure, or if the disclosure is allowed by law and we believe it is necessary to prevent serious harm to you or someone else.
II. Uses and Disclosures of PHI that Require Your Prior Authorization
Specific Uses or Disclosures Requiring Authorization. We will obtain your written authorization for the use or disclosure of PHI for marketing, and for the sale of PHI, except in limited circumstances where applicable law allows such uses or disclosure without your authorization.
Other Uses and Disclosures. We will obtain your written authorization before using or disclosing your PHI for purposes other than those described in this Notice or otherwise permitted by law. You may revoke an authorization in writing at any time. Upon receipt of the written revocation, we will stop using or disclosing your PHI, except to the extent that we have already taken action in reliance on the authorization.
Your Health Information Rights:
- Obtain a paper copy of the Notice upon request. You may request a copy of our current Notice at any time. Even if you have agreed to receive the Notice electronically, you are still entitled to a paper copy. You may obtain a paper copy at the site where you obtain health care services from us or by contacting the Privacy Office.
- Request a restriction on certain uses and disclosures of PHI. You have the right to request additional restrictions on our use or disclosure of your PHI by sending a written request to the Privacy Office. We are not required to agree to the restrictions, except in the case where the disclosure is to a health plan for purposes of carrying out payment or health care operations, is not otherwise required by law, and the PHI pertains solely to a health care item or service for which you, or a person on your behalf, has paid in full.
- Inspect and obtain a copy of PHI. With a few exceptions, you have the right to access and obtain a copy of the PHI that we maintain about you. If we maintain an electronic health record containing your PHI, you have the right to request to obtain the PHI in an electronic format. To inspect or obtain a copy of your PHI, you must send a written request to the Privacy Office. You may ask us to send a copy of your PHI to other individuals or entities that you designate. We may deny your request to inspect and copy in certain limited circumstances. If you are denied access to your PHI, you may request that the denial be reviewed.
- Request an amendment of PHI. If you feel that PHI we maintain about you is incomplete or incorrect, you may request that we amend it. To request an amendment, you must send a written request to the Privacy Office. You must include a reason that supports your request. If we deny your request for an amendment, we will provide you with a written explanation of why we denied it.
- Receive an accounting of disclosures of PHI. With the exception of certain disclosures, you have a right to receive a list of the disclosures we have made of your PHI, in the six years prior to the date of your request, to entities or individuals other than you. To request an accounting, you must submit a request in writing to the Privacy Office. Your request must specify a time period.
- Request communications of PHI by alternative means or at alternative locations. You have the right to request that we communicate with you about health matters in a certain way or at a certain location. For instance, you may request that we contact you at a different residence or post office box, or via e-mail or other electronic means. Please note if you choose to receive communications from us via e-mail or other electronic means, those may not be a secure means of communication and your PHI that may be contained in our e-mails to you will not be encrypted. This means that there is risk that your PHI in the e-mails may be intercepted and read by, or disclosed to, unauthorized third parties. To request confidential communication of your PHI, you must submit a request in writing to the Privacy Office. Your request must tell us how or where you would like to be contacted. We will accommodate all reasonable requests. However, if we are unable to contact you using the ways or locations you have requested, we may contact you using the information we have.
- Notification of a Breach. You have a right to be notified following a breach of your unsecured PHI, and we will notify you in accordance with applicable law.
- Where to obtain forms for submitting written requests. You may obtain forms for submitting written requests by contacting the Chief Privacy Officer at email@example.com, or by telephone at 801-516-5508.
- For More Information or to Report a Problem. If you have questions or would like additional information about our privacy practices, you may contact our Chief Privacy Officer at If you have any questions or concerns about this notice, please contact: Privacy Officer at 801-516-5508, firstname.lastname@example.org or Legal Department 261 West Data Drive, Draper, Utah 84020. If you believe your privacy rights have been violated, you can file a complaint with the Privacy Officer or with the Secretary of Health and Human Services. There will be no retaliation for filing a complaint.
Effective Date This Notice is effective as of December 20, 2019