Notice of Privacy Practices
Effective Date: May 25, 2018
Last Modified: November 16, 2022
Notice of Privacy Practices
THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
Foundation Medicine is committed to obtaining, maintaining, using and disclosing patient protected health information in a manner that protects patient privacy. We urge you to read this Notice of Privacy Practices (“Notice”) carefully in order to understand both our commitment to the privacy of your protected health information and your rights.
Foundation Medicine is required by law to maintain the privacy of your protected health information and to provide you with a notice of our legal duties and privacy practices with respect to protected health information. This Notice describes how we may use and disclose your protected health information to carry out treatment, payment or health care operations and for other specified purposes that are permitted or required by law. This Notice also describes your rights with respect to your protected health information. “Protected health information” or “PHI” is information about you, including basic demographic information, that may identify you and that relates to your past, present or future physical or mental health or condition and related health care services.
We are required to follow the terms of this Notice. We will not use or disclose your PHI without your permission, except as described in this Notice. We reserve the right to change our practices and this Notice as and to the extent permitted by law and to make a new Notice effective for all PHI we maintain. Any new Notice will be available upon your request and will be posted on our website.
Examples of How We Use and Disclose Protected Health Information About You
Your PHI may be used and disclosed for treatment, payment, healthcare operations, and other purposes permitted or required by law. If we wish to use or disclose your PHI for other purposes, we would have to obtain your authorization. We may, however, use or disclose your PHI without specific authorization or permission for certain purposes, including:
Treatment: We may use and disclose your PHI to provide and coordinate the treatment and services you receive. For example, we may use your information to perform diagnostic tests, or provide your test results to your physician.
Payment: We may use and disclose your PHI to others for purposes of billing and receiving payment for treatment and services that you receive. For example, we will submit a claim to you or your health plan/insurer that includes information that identifies you and the type of services we performed for you.
Health Care Operations: We may use or disclose your PHI in order to support the operations of our laboratories and monitor, evaluate and improve the quality of the services we provide, and for other internal management purposes. For example, we may use information in your health record to evaluate the services our laboratories provide or to train our staff.
To Communicate with Individuals Involved in Your Care or Payment for Your Care: We may disclose to a family member, other relative, close personal friend or any other person you identify, PHI directly relevant to that person’s involvement in your care or payment related to your care.
Minors’ Protected Health Information: As permitted by federal and state law, we may disclose PHI about minors to their parents or guardians.
Business Associates: There are some services provided by Foundation Medicine through contracts with business associates (e.g., billing services), and we may disclose your PHI to our business associates so that they can perform the job we have asked them to do. To protect your information, however, we require business associates to appropriately safeguard your information.
Food and Drug Administration (FDA): We may disclose to the FDA, or persons under the jurisdiction of the FDA, PHI relative to adverse events with respect to drugs, foods, supplements, products and product defects, or post marketing surveillance information to enable product recalls, repairs, or replacement.
Workers’ Compensation: We may disclose your PHI to the extent authorized by and to the extent necessary to comply with laws relating to workers’ compensation or other similar programs established by law.
Public Health: As required by law, we may disclose your PHI to public health or legal authorities charged with preventing or controlling disease, injury, or disability.
Law Enforcement: We may disclose your PHI for law enforcement purposes as permitted by law, or in response to a valid subpoena or court order.
As Required by Law: We will disclose your PHI when required to do so by federal, state, or local law.
Health Oversight Activities: We may disclose your PHI to an oversight agency for activities authorized by law. These oversight activities include audits, investigations, and inspections necessary for licensure and for the government to monitor the health care system, government programs, and compliance with civil rights laws.
Judicial and Administrative Proceedings: If you are involved in a lawsuit or a dispute, we may disclose your PHI in response to a court or administrative order. We may also disclose PHI in response to a subpoena, discovery request, or other lawful process by someone else involved in the dispute, but only if efforts have been made, either by the requesting party or by us to tell you about the request or to obtain an order protecting the information requested.
Research: Researchers may be given limited access to your PHI remotely or on-site at Foundation Medicine so that they can develop research projects and identify patients who may potentially qualify to participate in research studies. Other uses or disclosures of your PHI for research purposes are permitted without authorization when your PHI is in the form of a limited data set or once an institutional review board or privacy board has reviewed the research proposal, determined whether you need to provide specific consent for the research use of your PHI and established protocols to ensure the privacy of your information, or determined that the researcher will be provided only with information that does not identify you directly.
De-Identified Information: We may use your PHI to create “de-identified” information, which means that information that can be used to identify you will be removed. There are specific rules under the law about what type of information needs to be removed before information is considered de-identified. Once information has been de-identified as required by law, it is no longer subject to this Notice, and we may use it for any purpose without any further notice or compensation to you.
Coroners, Medical Examiners, and Funeral Directors: We may release your PHI to a coroner or medical examiner. This may be necessary, for example, to identify a deceased person or determine the cause of death. We may also disclose PHI to funeral directors consistent with applicable law to enable them to carry out their duties.
Organ or Tissue Procurement Organizations: Consistent with applicable law, we may disclose your PHI to organ procurement organizations or other entities engaged in the procurement, banking, or transplantation of organs for the purpose of tissue donation and transplant.
Personal Representative: We may use or disclose your PHI to your personal representative, as established under applicable law, or to an administrator, executor or other authorized individual associated with your estate.
Correctional Institution: If you are or become an inmate of a correctional institution, we may disclose to the institution or its agents PHI necessary for your health and the health and safety of other individuals.
To Avert a Serious Threat to Health or Safety: We may use and disclose your PHI when necessary to prevent a serious threat to your health and safety or the health and safety of the public or another person.
Military and Veterans: If you are a member of the armed forces, we may release PHI about you as required by military command authorities. We may also release PHI about foreign military personnel to the appropriate foreign military authority.
Specialized Government Functions: Under certain circumstances, we may disclose your PHI to units of the government with specialized functions such as the U.S. Military or the U.S. Department of State in response to requests as authorized by law.
Victims of Abuse or Neglect: We may disclose PHI about you to a government authority if we reasonably believe you are a victim of abuse or neglect. We will only disclose this type of information to the extent required by law, if you agree to the disclosure, or if the disclosure is allowed by law and we believe it is necessary to prevent serious harm to you or someone else.
Secretary of the U.S. Department of Health and Human Services. We are required to disclose your PHI to the Secretary of the U.S. Department of Health and Human Services (HHS) in certain circumstances when the Secretary is investigating or determining our compliance with the HIPAA Privacy Rule.
Other Uses and Disclosures of PHI
We will obtain your written authorization, or the written authorization of a parent or guardian as appropriate, before using or disclosing your PHI for purposes other than those described above, including uses and disclosures of PHI for marketing purposes and disclosures that would constitute a sale of PHI. You may revoke this authorization in writing at any time. Upon receipt of the written revocation, we will stop using or disclosing your PHI, except to the extent that we have already taken action in reliance on the authorization.
Breach Notification: We are required by law to notify you if we discover a breach of unsecured PHI, unless we can demonstrate, based on a risk assessment, that there is a low probability that the PHI was compromised. If a breach happens, we will notify you as soon as we can, and are required by law to notify you within 60 days after we learn of the breach. We will let you know what happened and what you can do to mitigate any potential harm.
Restrictions on Uses and Disclosures: Federal and state laws provide special protections for, and may restrict the use or disclosure of, certain kinds of PHI. For example, additional protections may apply in some states to genetic, mental health, biometric, minors, prescriptions, reproductive health, drug and alcohol abuse, rape and sexual assault, sexually transmitted disease and/or HIV/AIDS-related information. In these situations, we will comply with the more stringent applicable laws pertaining to such use or disclosure.
Your Health Information Rights
You have the right to:
Obtain a paper copy of the Notice upon request. You may request a copy of our current Notice at any time by emailing email@example.com. Even if you have agreed to receive the Notice electronically, you are still entitled to a paper copy.
Request a restriction on certain uses and disclosures of PHI. You have the right to request additional restrictions on our use or disclosure of your PHI for treatment, payment or health care operations activities, or to individuals involved in your care, by sending a written request to the Privacy Officer at the address below or by emailing firstname.lastname@example.org. We are not required to agree to those restrictions unless the disclosure is not required by law and you paid for the service in full out of pocket.
Request an amendment of PHI. If you feel that PHI we maintain about you is incomplete or incorrect, you may request that we amend it. To request an amendment, send a written request to the Privacy Officer at the address below or submit this form to email@example.com. In certain cases, we may deny your request for amendment. For example, in circumstances under which the patient would be denied access to his/her PHI, we may deny a request for amendment.
Receive an accounting of disclosures of PHI. You have the right to receive an accounting of the disclosures we have made of your PHI. The right to receive an accounting is subject to certain exceptions, restrictions, and limitations. To request an accounting, send a written request to the Privacy Officer at the address below, or by email to firstname.lastname@example.org. Your request must specify the time period for which you would like an accounting, but this time period may not be longer than six years, and a shorter period may apply for some disclosures.
Request communications of PHI by alternative means or at alternative locations. You have a right to request to receive communications of PHI by alternate means or at alternate locations. For instance, you may request that we contact you about medical matters only in writing or at a different residence or post office box. To request confidential communication of your PHI, send a written request to the Privacy Officer at the address below, or by email to email@example.com. Your request must state how or where you would like to be contacted. We will accommodate all reasonable requests.
Request a copy of your medical information. You have the right to request a copy of certain PHI we may have about you. To request a copy of your PHI, please call +1 (888) 988-3639, send a written request to the Privacy Officer at the address below, or submit this form via email to firstname.lastname@example.org. If we maintain your PHI electronically, you will have the right to request that we send a copy of your PHI in an electronic format to you and may have the right to request that we send a copy to a third party that you identify. We may charge a fee for the costs of copying, mailing or other permitted supplies associated with your request. In some cases, you may receive a summary of this PHI. This may include a reasonable fee for creating and sending the summary. We may deny access to certain information in limited circumstances.
If you have questions or would like additional information about our privacy practices, you may contact Foundation Medicine’s Privacy Officer at:
Foundation Medicine, Inc.
Attention: Privacy Officer
150 Second Street
Cambridge, MA 02141
Report a Problem
If you believe your privacy rights have been violated, you can file a complaint with Foundation Medicine’s Privacy Officer. You may also submit a written complaint to the Office for Civil Rights of the U.S. Department of Health and Human Services (contact information below). There will be no retaliation for filing a complaint.
Centralized Case Management Operations
U.S. Department of Health and Human Services
200 Independence Avenue, S.W.
Room 509F HHH Bldg.
Washington, D.C. 20201