1-800 Contacts and its affiliates (“1-800 Contacts,” “we,” “us,” or “our”) are committed to working to protect the privacy of information we collect from or about our customers. To the extent any information we collect or use from you is protected health information, as defined under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), this Notice of Privacy Practices (“Notice”) applies to you in the specific circumstances explained below.

The Notice is in addition to the information practices disclosed in our Online Privacy Notice and the Privacy Notice for California and Virginia Consumers, which apply to other information that you provide or that is collected when you use our Websites and mobile applications.

 

1-800 Contacts Notice of Privacy Practices

THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION.  PLEASE REVIEW IT CAREFULLY.

We at 1-800 Contacts are required by the Health Insurance Portability and Accountability Act of 1996 and its related rules and regulations (collectively “HIPAA”) to maintain the privacy of Protected Health Information (“PHI”) and to provide you with notice of our legal duties and privacy practices with respect to PHI.

PHI is information that may identify you and that relates to your past, present, or future physical or mental health or condition, the provision of health care products and services to you or payment for such services. This Notice describes how we may use and disclose PHI about you, as well as how you obtain access to such PHI. This Notice also describes your rights with respect to your PHI. We are required by HIPAA to provide this Notice to you.

We are required to follow the terms of this Notice or any change to it that is in effect. We reserve the right to change our practices and this Notice and to make the new Notice effective for all PHI we maintain. If we do so, the updated Notice will be posted on our website and will be available at any facilities and locations where you receive health care products and services from us. Upon request, we will provide any revised Notice to you.

How We May Use and Disclose Your PHI

The following categories describe different ways that we use and disclose your PHI. We have provided you with examples in certain categories; however, not every permissible use or disclosure will be listed in this Notice. Note that some types of PHI, such as HIV information, genetic information, alcohol and/or substance abuse records, and mental health records may be subject to special confidentiality protections under applicable state or federal law and we will abide by these special protections, to the extent applicable. If you would like additional information about special state law protections, you may contact the Privacy Office at privacydepartment@1800contacts.com.

I. Uses and Disclosures of PHI That Do Not Require Your Prior Authorization

Except where prohibited by federal or state laws that require special privacy protections, we may use and disclose your PHI for treatment, payment and health care operations without your prior authorization as follows:

Treatment. We may use and disclose your PHI to provide and coordinate the treatment and services you receive, such as to fill your order and confirm your contact lens prescription. We may also use your PHI to contact you, for example, for appointment reminders, possible treatment options and alternatives, and health related benefits or services that might be of interest to you.

Payment. We may use and disclose your PHI in order to obtain payment for the health care products and services that we provide to you and for other payment activities related to the services that we provide. For example, we may contact your insurer, or other health care payor to determine whether it will pay for the products and services you need and to determine the amount of your co-payment. We will bill you or a third-party payor for the cost of the products and services we provide to you. The information on or accompanying the bill may include information that identifies you, as well as information about the services that were provided to you. We may also disclose your PHI to other health care providers or HIPAA covered entities who may need it for their payment activities.

Health Care Operations. We may use and disclose your PHI for our health care operations. Health care operations are activities necessary for us to operate our health care businesses, including the operation of our website and mobile applications. For example, we may use your PHI to monitor the performance of the staff providing treatment to you. We may use your PHI as part of our efforts to continually improve the quality and effectiveness of the products and services we provide. We may also analyze PHI to improve the quality and efficiency of health care, for example, to assess and improve outcomes for health care conditions. We may also disclose your PHI to other HIPAA covered entities that have provided services to you so that they can improve the quality and effectiveness of the health care services that they provide. We may use your PHI to create de-identified data, which is stripped of your identifiable data and no longer identifies you.

We may also use and disclose your PHI without your prior authorization for the following purposes:

  • Business Associates. We may contract with third parties to perform certain services for us, such as billing services, copy services or consulting services. These third party service providers, referred to as Business Associates, may need to access your PHI to perform services for us. They are required by contract and law to protect your PHI and only use and disclose it as necessary to perform their services for us.
  • To Communicate with Individuals Involved in Your Care or Payment for Your Care. If we determine it is in your best interest, we may disclose to a family member, other relative, close personal friend, or any other person you identify, PHI directly relevant to that person’s involvement in your care or payment related to your care. Additionally, we may disclose PHI to your “personal representative.” If a person has the authority by law to make health care decisions for you, we will generally regard that person as your “personal representative” and treat him or her the same way we would treat you with respect to your PHI.
  • Food and Drug Administration (“FDA”). We may disclose to persons under the jurisdiction of the FDA, PHI relative to adverse events with respect to drugs, foods, supplements, products and product defects, or post-marketing surveillance information to enable product recalls, repairs, or replacement.
  • Worker’s Compensation. To the extent necessary to comply with law, we may disclose your PHI to worker’s compensation or other similar programs established by law.
  • Public Health. We may disclose your PHI to public health or legal authorities charged with preventing or controlling disease, injury, or disability, including the FDA. In certain circumstances, we may also report work-related illnesses and injuries to employers for workplace safety purposes.
  • Law Enforcement. We may disclose your PHI for law enforcement purposes as required or permitted by law, including, for example, in response to a subpoena or court order, in response to a request from law enforcement, and to report limited information in certain circumstances.
  • As Required by Law. We will disclose your PHI when required to do so by federal, state or local law, for purposes related to victims of abuse, neglect, or domestic violence; pursuant to a judicial or administrative proceeding; or for purposes of law enforcement discussed in this Notice.
  • Health Oversight Activities. We may disclose your PHI to an oversight agency for activities authorized by law. These oversight activities include, but may not be limited to, audits, investigations, inspections, and credentialing, as necessary for licensure and for the government to monitor the health care system, government programs and compliance with civil rights laws.
  • Judicial and Administrative Proceedings. If you are involved in a lawsuit or a dispute, we may disclose your PHI in response to a court or administrative order. We may also disclose your PHI in response to a subpoena, discovery request, or other lawful process instituted by someone else involved in the dispute, but only if efforts have been made, either by the requesting party or us, to first tell you about the request or to obtain an order protecting the information requested.
  • Research. We may use your PHI to conduct research and we may disclose your PHI to researchers as authorized by law. For example, we may use or disclose your PHI as part of a research study when the research has been approved by an institutional review board or privacy board that has reviewed the research proposal and established protocols to advance the privacy of your information.
  • Coroners, Medical Examiners and Funeral Directors. We may release your PHI to coroners or medical examiners so that they can carry out their duties. This may be necessary, for example, to identify a deceased person or determine the cause of death. We may also disclose PHI to funeral directors consistent with applicable law to enable them to carry out their duties.
  • Notification. We may use or disclose your PHI, if we determine it is in your best interest, to notify or assist in notifying a family member, personal representative, or another person responsible for your care, regarding your location, general condition, or death.
  • Disaster Relief. We may use and disclose your PHI, if we determine it is in your best interest, to organizations for purposes of disaster relief efforts.
  • Fundraising. As permitted by applicable law, we may contact you to provide you with information about our fundraising programs. You have the right to “opt out” of receiving these communications and such fundraising materials will explain how you may request to opt out of future communications if you do not want us to contact you further for fundraising efforts.
  • Correctional Institution. If you are or become an inmate of a correctional institution, we may disclose to the institution, or its agents, PHI necessary for your health and the health and safety of other individuals.
  • To Avert a Serious Threat to Health or Safety. We may use and disclose your PHI when necessary to prevent a serious threat to your health and safety or the health and safety of the public or another person.
  • Military and Veterans. If you are a member of the armed forces, we may release PHI about you as required by military command authorities. We may also release PHI about foreign military personnel to the appropriate foreign military authority.
  • National Security, Intelligence Activities, and Protective Services for the President and Others. We may release PHI about you to federal officials for intelligence, counterintelligence, protection of the President, and other national security activities authorized by law.
  • Victims of Abuse, Neglect, or Domestic Violence. We may disclose PHI about you to a government authority if we reasonably believe you are a victim of abuse, neglect, or domestic violence. We will only disclose this type of information to the extent required by law, if you agree to the disclosure, or if the disclosure is allowed by law and we believe it is necessary to prevent serious harm to you or someone else.

II. Uses and Disclosures of PHI That Require Your Prior Authorization

Specific Uses or Disclosures Requiring Authorization. We will obtain your written authorization for the use or disclosure of PHI for marketing, and for the sale of PHI, or any other use or disclosure outside those set forth under HIPAA, except in limited circumstances where applicable law allows such uses or disclosure without your authorization.

We may use or share your PHI to promote our own products and services.  We may also use or share your PHI for marketing purposes when we discuss products or services with you or to provide you with an inexpensive promotional gift related to the product or service. When you visit and use our websites or mobile applications, we may collect and share information about your use of these websites and applications through cookies and other similar tracking technologies. This information can include PHI and technical information about your device or browser (such as, for example, your internet protocol (IP) address, operating system, device information, browser type and language, and referring URLs) as well as information about your activities or use of these websites and mobile device applications (such as, for example, access times, pages viewed, links clicked and similar information). You should review the terms contained on the website or mobile application that you use for detailed information on the type of cookies and other tracking technologies we use, what information other than PHI we collect, the reasons why we use these technologies, as well as the terms associated with that website or application.

We may agree with you to use a third-party website, application, or electronic messaging service (for example, with chat, video, or audio capabilities) for you to receive services from us. These third-party services may have separate terms and conditions and privacy policies that you must agree to (instead of or in addition to our Terms and Conditions or privacy policies).  However, when you use the third-party service, the PHI that you choose to share may be covered by this Notice.

Other Uses and Disclosures. We will obtain your written authorization before using or disclosing your PHI for purposes other than those described in this Notice or otherwise permitted by law. You may revoke an authorization in writing at any time. Upon receipt of the written revocation, we will stop using or disclosing your PHI, except to the extent that we have already taken action in reliance on the authorization.

Your Health Information Rights:

  • Obtain a paper copy of the Notice upon request. You may request a copy of our current Notice at any time. Even if you have agreed to receive the Notice electronically, you are still entitled to a paper copy. You may obtain a paper copy at the site where you obtain health care services from us or by contacting the Privacy Office.
  • Request a restriction on certain uses and disclosures of PHI. You have the right to request additional restrictions on our use or disclosure of your PHI by sending a written request to the Privacy Office. We are not required to agree to the restrictions, except in the case where the disclosure is to a health plan for purposes of carrying out payment or health care operations, is not otherwise required by law, and the PHI pertains solely to a health care item or service for which you, or a person on your behalf, has paid in full.
  • Inspect and obtain a copy of PHI. With a few exceptions, you have the right to access and obtain a copy of the PHI that we maintain about you. If we maintain an electronic health record containing your PHI, you have the right to request to obtain the PHI in an electronic format, and we may charge a reasonable, cost-based fee. To inspect or obtain a copy of your PHI, you must send a written request to the Privacy Office. You may ask us to send a copy of your PHI to other individuals or entities that you designate. We may deny your request to inspect and copy in certain limited circumstances. If you are denied access to your PHI, you may request that the denial be reviewed.
  • Request an amendment of PHI. If you feel that PHI we maintain about you is incomplete or incorrect, you may request that we amend it. To request an amendment, you must send a written request to the Privacy Office. You must include a reason that supports your request. If we deny your request for an amendment, we will provide you with a written explanation of why we denied it.
  • Receive an accounting of disclosures of PHI. With the exception of certain disclosures, you have a right to receive a list of the disclosures we have made of your PHI, in the six years prior to the date of your request, to entities or individuals other than you. To request an accounting, you must submit a request in writing to the Privacy Office. Your request must specify a time period for which you would like the accounting of disclosures to span. Following an initial request for an accounting within any 12-month period, we may charge a reasonable, cost-based fee for any subsequent requests within that same 12-month period.
  • Request communications of PHI by alternative means or at alternative locations. You have the right to request that we communicate with you about health matters in a certain way or at a certain location. For instance, you may request that we contact you at a different residence or post office box, or via e-mail or other electronic means. Please note if you choose to receive communications from us via e-mail or other electronic means, those may not be a secure means of communication and your PHI that may be contained in our e-mails to you will not be encrypted. This means that there is risk that your PHI in the e-mails may be intercepted and read by, or disclosed to, unauthorized third parties. To request confidential communication of your PHI, you must submit a request in writing to the Privacy Office. Your request must tell us how or where you would like to be contacted. We will accommodate all reasonable requests. However, if we are unable to contact you using the ways or locations you have requested, we may contact you using the information we have.
  • Notification of a Breach. You have a right to be notified following a breach of your unsecured PHI, and we will notify you in accordance with applicable law.
  • Where to obtain forms for submitting written requests. You may obtain forms for submitting written requests by contacting the Privacy Officer at privacyofficer@1800contacts.com, or by telephone at 801-316-5508.
  • For More Information or to Report a Problem. If you have questions or would like additional information about our privacy practices, or if you have any questions or concerns about this Notice, please contact the Privacy Officer at 801-516-5508, privacydepartment@1800contacts.com, or Legal Department, 261 West Data Drive, Draper, Utah 84020. If you believe your privacy rights have been violated, you can file a complaint with the Privacy Officer or with the Secretary of Health and Human Services. There will be no retaliation for filing a complaint.

Effective Date: This Notice is effective as of November 29, 2023.