HIPAA Notice

THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.

1. Who Must Follow This Notice.

Omada Health, Inc. (“Omada”) provides you (the client) with health care by working with physicians, nurses, health coaches, and many other health care providers (referred to as “we,” “our,” or “us”). This is a joint notice of our information privacy practices (“Notice”). The following people or groups will follow this Notice:

  • any health care provider who provides services to you at or from Omada’s locations. These professionals include physicians, nurses, health coaches, and others.
  • all departments and units of our organization, including mobile units.
  • our employees, contractors, and volunteers, including regional support offices and affiliates. These entities, sites, and locations may share medical information with each other for treatment, payment, or health care operations purposes described in this Notice. In addition, we also use and share your information for other reasons as allowed and required by law. If you have any questions about this Notice, please see our contact information on the last page of this Notice.

2. Our Commitment to Your Privacy.

We understand that medical information about you and your health is private and personal. We are dedicated to maintaining the privacy and integrity of your protected health information (“PHI”). PHI is information about you that may be used to identify you (such as your name, social security number, or address), and that relates to (a) your past, present, or future physical or mental health or condition, (b) the provision of health care to you, or (c) your past, present, or future payment for the provision of health care. In providing services to you, we will receive and create records containing your PHI. We need these records to provide you with quality care and to comply with certain legal requirements.

We are required by law to maintain the privacy of your PHI and to provide you with notice of our legal duties and privacy practices with respect to your PHI. When we use or disclose your PHI, we are required to abide by the terms of this Notice (or other Notice in effect at the time of the use or disclosure).

This Notice applies to the records of services you receive at or from Omada, whether created by our staff or your doctor. Your doctor and other health care providers may have different practices or notices about their use and sharing of medical information in their own offices or clinics. We will gladly explain this Notice to you or your family member.

3. How We May Use and Disclose Medical Information About You.

This section of our Notice tells how we may use medical information about you. We will protect medical information as much as we can under the law. Sometimes state law gives more protection to medical information than federal law. Sometimes federal law gives more protection than state law. In each case, we will apply the laws that protect medical information the most.

We are required to maintain the confidentiality of the PHI of our patients, and we have policies and procedures and other safeguards to help protect your PHI from improper use and disclosure. The following categories describe different ways that we use your PHI within Omada and disclose your PHI to persons and entities outside of Omada. We have not listed every use or disclosure within the categories below, but all permitted uses and disclosures will fall within one of the following categories. In addition, there are some uses and disclosures that will require your specific authorization.

How much PHI is used or disclosed without your written permission will vary depending, for example, on the intended purpose of the use or disclosure. Sometimes we may only need to use or disclose a limited amount of PHI, such as to send you an appointment reminder or to confirm your health insurance coverage. At other times, we may need to use or disclose more PHI such as when a doctor is providing medical treatment.

  • Disclosure at your request. We may disclose information when requested by you. This disclosure at your request may require written authorization by you.
  • Treatment. This is the most important use and disclosure of your PHI. We may use and disclose your PHI to a physician or health care provider to provide treatment and other services to you. For example, our staff and health care personnel, including trainees, involved in your care may use and disclose your PHI to evaluate your health care needs. In addition, we may contact you to provide appointment reminders or information about treatment alternatives or other health-related benefits and services that may be of interest to you. We may also disclose PHI to other providers involved in your treatment.
  • Payment. We may use and disclose your PHI to obtain payment for services that we provide to you. For example, we may make disclosures to claim and obtain payment from your health insurer, HMO, or other company that arranges or pays the cost of some or all of your health care (“Your Payor”) or to verify that Your Payor will pay for health care.
  • Health care operations. We may use and disclose your PHI for our health care operations, which include internal administration and planning and various activities that improve the quality and cost effectiveness of the care that we deliver to you. Examples are using information about you to improve quality of care, for disease management programs, patient satisfaction surveys, compiling medical information, de-identifying medical information and benchmarking.
  • Business associates. There are some services provided in our organization through contracts with business associates. Examples of business associates include accreditation agencies, management consultants, quality assurance reviewers, and billing and collection services. We may disclose your PHI to our business associates so that they can perform the job we have asked them to do. To protect your PHI, we require our business associates to sign a contract or written agreement stating that they will appropriately safeguard your PHI.
  • Appointment reminders. We may use and disclose your PHI to contact you as a reminder that you have an appointment for a consultation or other service.
  • Treatment alternatives. We may use and disclose your PHI to tell you about or recommend possible treatment options or alternatives that may be of interest to you.
  • Health-related products and services. We may use and disclose your PHI to tell you about our health-related products or services that may be of interest to you.
  • Communications with family and others when you are present. Sometimes a family member or other person involved in your care will be present when we are discussing your PHI with you. We may use or disclose your PHI to a family member, other relative, a close personal friend or any other person identified by you when you are present for, or otherwise available prior to, the disclosure, if we (1) obtain your agreement; (2) provide you with the opportunity to object to the disclosure and you do not object; or (3) reasonably infer that you do not object to the disclosure.
  • Communications with family and others when you are not present. If you are not present, or the opportunity to agree or object to a use or disclosure cannot practicably be provided because of your incapacity or an emergency, we may exercise our professional judgment to determine whether a disclosure is in your best interest. If we disclose information to a family member, other relative, or a close personal friend, we would disclose only information that we believe is directly relevant to the person’s involvement with your health care or payment related to your health care. We may also disclose your PHI in order to notify (or assist in notifying) such persons of your location, general condition or death.
  • Threat to health or safety. We may use and disclose your PHI when necessary to prevent a serious threat to your health and safety or the health and safety of the public or another person. Any disclosure, however, would only be to someone able to help prevent the threat.

4. Special Situations That Do Not Require Your Authorization.

The following categories describe unique circumstances in which Omada may use or disclose your PHI without your authorization.

  • Public health activities. We may disclose your PHI for the following public health activities to: (1) prevent or control disease, injury or disability; (2) report births and deaths; (3) report regarding the abuse or neglect of children, elders and dependent adults; (4) report reactions to medications or problems with products; (5) notify people of recalls of products they may be using; (6) notify a person who may have been exposed to a disease or may be at risk for contracting or spreading a disease or condition; and (7) notify emergency response employees regarding possible exposure to HIV/AIDS, to the extent necessary to comply with state and federal laws.
  • Victims of abuse, neglect or domestic violence. If we reasonably believe you are a victim of abuse, neglect, or domestic violence, we may disclose your PHI to a governmental authority, including a social service or protective services agency, authorized by law to receive reports of such abuse, neglect, or domestic violence.
  • Health oversight activities. We may disclose your PHI to a health oversight agency for activities authorized by law. These oversight activities include, for example, audits, investigations, inspections, and licensure. These activities are necessary for the government to monitor the health care system, government programs, and compliance with civil rights laws.
  • Lawsuits and other legal disputes. We may use and disclose PHI in responding to a court or administrative order, a subpoena, or a discovery request. We may also use and disclose your PHI to the extent permitted by law without your authorization, for example, to defend a lawsuit or arbitration.
  • Law enforcement officials. We may disclose your PHI to the police or other law enforcement officials as required or permitted by law: (1) in response to a court order, subpoena, warrant, summons or similar process; (2) to identify or locate a suspect, fugitive, material witness, or missing person; (3) about the victim of a crime if, under certain limited circumstances, we are unable to obtain the person’s agreement; (4) about a death we believe may be the result of criminal conduct; (5) about criminal conduct at Omada; and (6) in emergency circumstances to report a crime; the location of the crime or victims; or the identity, description or location of the person who committed the crime.
  • Decedents. We may disclose your PHI to a coroner or medical examiner as authorized by law.
  • Organ and tissue donation. We may disclose your PHI to organizations that facilitate organ, eye or tissue procurement, banking or transplantation.
  • Research that does not involve your treatment. When a research study does not involve any treatment, we may disclose your PHI to researchers. To do this, we will either ask your permission to use your PHI or we will use a special process that protects the privacy of your PHI. In addition, we may use information that cannot be identified as your PHI, but that includes certain limited information (such as your date of birth and dates of service). We will use this information for research, quality assurance activities, and other similar purposes and we will obtain special protections for the information disclosed.
  • Specialized government functions. We may use and disclose your PHI to units of the government with special functions, such as the U.S. military or the U.S. Department of State, under certain circumstances. We may use and disclose your PHI to authorized federal officials for intelligence, counterintelligence, and other national security activities authorized by law. We may use and disclose your PHI to authorized federal officials so they may provide protection to the President, other authorized persons or foreign heads of state, or conduct special investigations.
  • Inmates. If you are an inmate of a correctional institution or under custody of a law enforcement official, we may disclose PHI about you to the correctional institution or the law enforcement official. This is necessary for the correctional institution to provide you with health care, to protect your health and safety and the health and safety of others, and to protect the safety and security of the correctional institution.
  • Workers’ compensation. We may disclose your PHI as authorized by and to the extent necessary to comply with state laws relating to workers’ compensation or other similar programs.
  • As required by law. We may use and disclose your PHI when required to do so by any other law not already referred to in the preceding categories. For example, the Secretary of the Department of Health and Human Services may review our compliance efforts, which may include seeing your PHI.

5. Situations Requiring Your Written Authorization.

If there are reasons we need to use your PHI that have not been described in the sections above, we will obtain your written permission. This permission is described as a written “authorization.” If you authorize us to use or disclose PHI about you, you may revoke that authorization in writing at any time. If you revoke your authorization, we will no longer use or disclose PHI about you for the reasons stated in your written authorization, except to the extent we have already acted in reliance on your authorization. You understand that we are unable to take back any disclosures we have already made with your permission, and we are required to retain our records of the care we provide to you. Some typical disclosures that require your authorization are:

  • Special categories of treatment information. In most cases, federal or state law requires your written authorization or the written authorization of your representative for disclosures of drug and alcohol abuse treatment, Human Immunodeficiency Virus (HIV) and Acquired Immune Deficiency Syndrome (AIDS) test results, and mental health treatment.
  • Research involving your treatment. When a research study involves your treatment, we may disclose your PHI to researchers only after you have signed a specific written authorization. In addition, an Institutional Review Board (IRB) will already have reviewed the research proposal, established appropriate procedures to ensure the privacy of your PHI and approved the research. You do not have to sign the authorization, but if you refuse you cannot be part of the research study and may be denied research-related treatment.
  • Fundraising activities. We may use demographic information and your dates of service for our own fundraising purposes; otherwise we will obtain your authorization. You may revoke any authorization at any time, in writing, but only as to future uses or disclosures, and only if we have not already acted in reliance on a previous authorization from you. If you do not want us to contact you for fundraising efforts, you must notify us in writing at the address listed at the end of this Notice.
  • Marketing. We must also obtain your written authorization (“Your Marketing Authorization”) prior to using your PHI to send you any marketing materials. We can, however, provide you with marketing materials in a face-to-face encounter without obtaining Your Marketing Authorization. We are also permitted to give you a promotional gift of nominal value, if we so choose, without obtaining Your Marketing Authorization. In addition, we may communicate with you about products or services relating to your treatment, case management or care coordination, or alternative treatments, therapies, providers or care settings without Your Marketing Authorization. If we receive any direct or indirect payment for making such a communication, however, we would need your prior written permission to contact you. The only exceptions for seeking such permission are when our communication (i) describes only a drug or medication that is currently being prescribed for you and our payment for the communication is reasonable in amount; or (ii) is made by one of our business partners consistent with our written agreement with the business partner.

6. Your Rights Regarding Medical Information About You.

You have the following rights regarding health information we maintain about you. You may contact a health information representative where services were provided to obtain additional information and instructions for exercising the following rights.

  • Right to request additional restrictions. You may request restrictions on our use and disclosure of your PHI (1) for treatment, payment and health care operations, (2) to individuals (such as a family member, other relative, close personal friend or any other person identified by you) involved with your care or with payment related to your care, or (3) to notify or assist in the notification of such individuals regarding your location and general condition. While we will consider all requests for additional restrictions carefully, we are not required to agree to a requested restriction, unless the request is regarding a disclosure to a health plan for a payment or health care operation purpose and the medical information relates solely to a health care item or service for which we have been paid out-of-pocket in full. This request must be in writing. We will send you a written response. If we agree with the request, we will comply with your request except to the extent that disclosure has already occurred or if you are in need of emergency treatment and the information is needed to provide the emergency treatment.
  • Right to receive confidential communications. You may request to receive your PHI by alternative means of communication or at alternative locations. For example, you can request that we only contact you at work or by mail. To request confidential communications, you must make your request in writing. We will not ask you for the reason for your request. We will accommodate all reasonable requests. Your request must specify how or where you wish to be contacted.
  • Inspection and copies. You may request access to your medical record file and billing records maintained by us. You may inspect and request copies of the records. Under limited circumstances, we may deny you access to a portion of your records. If you are denied access to PHI, you may request that the denial be reviewed. Another licensed health care professional chosen by us will review your request and the denial. The person conducting the review will not be the person who denied your request. We will comply with the outcome of the review.
    • If you desire access to your records, you must submit your request in writing. If your medical information is maintained in an electronic health record, you may obtain an electronic copy of your medical information and, if you choose, instruct us to transmit such copy directly to an entity or person you designate in a clear, conspicuous, and specific manner.
    • If you request paper copies, we will charge you for the costs of copying, mailing, labor and supplies associated with your request. Our fee for providing you an electronic copy of your medical information will not exceed our labor costs in responding to your request for the electronic copy (or summary or explanation).
    • You should take note that, if you are a parent or legal guardian of a minor, certain portions of the minor’s PHI will not be accessible to you (e.g., records pertaining to health care services for which the minor can lawfully give consent and therefore for which the minor has the right to inspect or obtain copies of the record; or the health care provider determines, in good faith, that access to the client records requested by the representative would have a detrimental effect on the provider’s professional relationship with the minor client or on the minor’s physical safety or psychological well-being).
  • Right to amend your records. You have the right to request that we amend PHI maintained in your medical record file or billing records. If you desire to amend your records, your request must be in writing. We will comply with your request unless we believe that the information that would be amended is accurate and complete or other special circumstances apply. If we deny your request, you will be permitted to submit a statement of disagreement for inclusion in your records.
  • Right to addendum. You have the right to add a 250-word document (“addendum”) to your PHI.
  • Right to receive an accounting of disclosures. Upon written request, you may obtain an accounting of certain disclosures of your PHI made by us during any period of time six years prior to the date of your request, except that for requests made on or after January 1, 2011 that relate to treatment, payment or health care operation disclosures from our electronic health record system, the accounting period is three years. Your written request should indicate in what form you want the list (for example, on paper or electronically). If you request an accounting more than once during a twelve (12) month period, we will charge you for the costs involved in fulfilling your additional request. We will inform you of such costs in advance, so that you may modify or withdraw your request to save costs. In addition, we will notify you as required by law if there has been a breach of the security of your PHI.
  • Paper copy. Upon request, you may obtain a paper copy of this Notice. Even if you have agreed to receive such notice electronically, you are still entitled to a paper copy of this Notice. You may obtain a copy of this Notice at our website: https://app.preventnow.com/npp . To obtain a paper copy of this Notice, please ask us for a copy the next time you receive services at one of our locations, or contact us using the contact information at the end of this Notice.

7. Minimum Necessary.

To the extent required by law, when using or disclosing your PHI or when requesting your PHI from another covered entity, we will make reasonable efforts not to use, disclose, or request more than a limited data set (as defined below) of your PHI or, if needed by us, no more than the minimum amount of PHI necessary to accomplish the intended purpose of the use, disclosure, or request, taking into consideration practical and technological limitations. For purposes of this Notice, a “limited data set” means medical information that excludes the following items:

  • Names
  • Postal address information, other than town or city, State, and zip code
  • Telephone numbers
  • Fax numbers
  • Electronic mail addresses
  • Social security numbers
  • Medical record numbers
  • Health plan beneficiary numbers
  • Account numbers
  • Certificate/license numbers
  • Vehicle identifiers and serial numbers, including license plate numbers
  • Device identifiers and serial numbers
  • Web Universal Resource Locators (URLs)
  • Internet Protocol (IP) address numbers
  • Biometric identifiers, including finger and voice prints
  • Full face photographic images and any comparable images

8. Changes to this Notice.

We may change our privacy practices from time to time. Changes will apply to current PHI, as well as new PHI after the change occurs. If we make an important change, we will change our Notice. We will also post the new Notice on our website at https://app.preventnow.com/npp . If our Notice has changed, we will offer you a copy of the current Notice the next time you seek treatment at one of our locations.

9. Concerns or Complaints.

If you desire further information about your privacy rights, are concerned that we have violated your privacy rights, or disagree with a decision that we made about access to your PHI, you may contact our Privacy Officer (listed below). Finally, you may send a written complaint to the U.S. Department of Health and Human Services, Office of Civil Rights. Our Privacy Officer can provide you the address. We will not take any action against you for filing a complaint.

10. How to Contact Us.

If you would like more information about your privacy rights, please contact Omada by calling (415) 691-4503 and ask to speak with the Privacy Officer. To the extent you are required to send a written request to Omada to exercise any right described in this Notice, you must submit your request to Omada at:

Omada Health, Inc.
455 Market St. Ste 1670
San Francisco, CA 94105
Attn: Privacy Officer
Fax: 415-366-1218
Email: hello@OmadaHealth.com

Version Effective: 04/01/2012