HIPAA Notice of Privacy Practices
Your Information. Your Rights. Our Responsibilities.
Effective September 9, 2022
Personalis, Inc. (“Personalis,” “we” or “us”) is committed to protecting the privacy of your health information. We are required by law to give you notice of our legal duties and privacy practices concerning your “protected health information” as defined by the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations (“HIPAA”). This Notice describes our privacy practices and your rights with respect to your protected health information. Please review it carefully.
Overview of Your Rights and Choices
You have the right to:
- Get a copy of the information Personalis has about you (“your record” or your “protected health information”)
- Correct your record
- Request confidential communication
- Ask us to limit the information we share
- Get a list of those with whom we’ve shared your information
- Get a copy of this privacy notice
- Choose someone to act for you
- File a complaint if you believe your privacy rights have been violated
You have some choices in the way that we use and share information as we:
- Tell family and friends about your record
- Market our services
Overview of Personalis’ Uses, Disclosures, and Responsibilities
Our Uses and Disclosures
We may use and share your information as we:
- We are required by law to maintain the privacy and security of your protected health information.
- We will let you know promptly if a breach occurs that may have compromised the privacy or security of your information.
- We must follow the duties and privacy practices described in this Notice and give you a copy of it.
- We will not use or share your information other than as described here unless you tell us we can in writing. If you tell us we can, you may change your mind at any time. Let us know in writing if you change your mind.
For more information see: www.hhs.gov/ocr/privacy/hipaa/understanding/consumers/noticepp.html.
When it comes to your health information, you have certain rights. This section explains your rights and some of our responsibilities to help you.
Get a copy of your protected health information
- You can ask to see or get a copy of your test result reports and certain other protected health information we have about you. Under limited circumstances, we may deny you access to your protected health information, and if we do, we will tell you in writing of the reasons for the denial. We ask that you submit your request in writing. You may obtain a request form by contacting us at the contact information provided below.
- We will provide a copy or a summary of your protected health information, usually within 30 days of your request. We may charge a reasonable, cost-based fee.
Ask us to correct your record
- You can ask us to correct or amend protected health information about you that you think is incorrect or incomplete. We ask that you submit your request in writing. You may obtain a request form by contacting us at the contact information provided below.
- We may say “no” to your request, and if we do, we’ll tell you why in writing within 60 days.
Request confidential communications
- You can request to receive your protected health information by alternative means of communication or at alternative locations. For example, you may ask us to contact you in a specific way (for example, home or office phone) or to send mail to a different address. We ask that you submit your request in writing. You may obtain a request form by contacting us at the contact information provided below.
- We will say “yes” to all reasonable requests.
Ask us to limit what we use or share
- You can ask us not to use or share certain health information for treatment, payment, or our health care operations. We are not required to agree to your request. For example, we may say “no” if it would affect your care. We ask that you submit your request in writing. You may obtain a request form by contacting us at the contact information provided below.
- If you pay for a service or health care item out-of-pocket in full, you can ask us not to share that information for the purpose of payment or our operations with your health insurer. We will say “yes” unless a law requires us to share that information.
Get a list of those with whom we’ve shared information
- You can ask for a list (accounting) of the times we’ve shared your protected health information for six years prior to the date you ask, who we shared it with, and why. We ask that you submit your request in writing. You may obtain a request form by contacting us at the contact information provided below.
- We will include all the disclosures except for those about treatment, payment, and health care operations, and certain other disclosures (such as any for which you provided your authorization). We will provide one accounting a year for free but may charge a reasonable, cost-based fee if you ask for another one within 12 months.
Get a copy of this privacy notice
You can ask for a paper copy of this notice at any time, even if you have agreed to receive the notice electronically. We will provide you with a paper copy promptly.
Choose someone to act for you
- If you have given someone medical power of attorney or if someone is your legal guardian, that person can exercise your rights and make choices about your health information.
- We will take reasonable steps to verify that the person has this authority and can act for you before we take any action.
File a complaint if you feel your rights are violated
- You can complain if you feel we have violated your rights by contacting Personalis at the information provided below.
- You can file a complaint with the U.S. Department of Health and Human Services Office for Civil Rights by sending a letter to 200 Independence Avenue, S.W., Washington, D.C. 20201, calling 1-877-696-6775, or visiting www.hhs.gov/ocr/privacy/hipaa/complaints/.
- We will not retaliate against you for filing a complaint.
For certain protected health information, you can tell us your choices about what we share. If you have a clear preference for how we share your protected health information in the situations described below, talk to us. Tell us what you want us to do, and we will follow your instructions.
You have both the right and choice to tell us to:
- Share information with your family, close friends, or others involved in your care
- Share information in a disaster relief situation
If you are not able to tell us your preference (for example, if you are unconscious), we may go ahead and share your information if we believe it is in your best interest. We may also share your information when needed to lessen a serious and imminent threat to health or safety.
In addition, we will request your written authorization before using or sharing your protected health information in order to:
- Perform activities or send communications that are ”marketing” (as defined by HIPAA)
- Use or disclose your protected health information for purposes not described in this Notice.
You may revoke your authorization, in writing, at any time, except to the extent that we have already acted upon your authorization. You may revoke your authorization by contacting us at the information provided below.
In addition, we may be required under applicable state law to have written permission in order to use or share your protected health information for the purposes described in this Notice. For example, certain state laws may require your written consent before we can conduct a genetic test or use your protected health information for research purposes. In such cases, your written consent will be obtained before using or sharing your protected health information.
Our Uses and Disclosures
How do we typically use or share your health information?
We typically use or share your protected health information in the following ways.
For Your Treatment
We may use your protected health information to provide treatment and share it with other professionals who are treating you.
Example: We may use your protected health information to perform genetic testing services and share your genetic testing results with your health care providers.
For Our Health Care Operations
We may use and share your protected health information to run our organization, improve your care, contact you when necessary, and for other internal health care operations.
Example: We may retain and use your DNA or RNA and testing results for our internal quality assurance purposes, including to assess the quality of our genetic testing services.
To Collect Payment for Our Services
We may use and share your protected health information to bill and get payment from health plans or other entities for our services.
Example: We may give information about you to your health insurance plan so it will pay for your test.
How else can we use or share your health information?
We are allowed or required to share your information in other ways – usually in ways that contribute to the public good, such as public health and research. We have to meet many conditions in the law before we can share your information for these purposes. For more information see: www.hhs.gov/ocr/privacy/hipaa/understanding/consumers/index.html.
Help with public health and safety issues
We may share protected health information about you for public health and safety activities, such as:
- Preventing disease
- Helping with product recalls
- Reporting adverse reactions to medications
- Reporting suspected abuse, neglect, or domestic violence
- Preventing or reducing a serious threat to anyone’s health or safety
We may use or share your information for research purposes, such as to better understand genetic conditions, develop new tests, or participate in research collaborations with third parties. All research projects for which Personalis shares protected health information shall include appropriate protections for individual research subjects as required by law and an adequate plan to safeguard protected health information. We may make research uses and disclosures of your protected health information, subject to appropriate protections, if we determine the research meets certain criteria. In addition, in preparation for research when permitted by law, we may review protected health information to draft research protocols, identify or contact prospective research participants, or for similar purposes provided that legal conditions designed to protect your privacy are met. All other uses and disclosures of protected health information for research will require your written authorization.
Comply with the law
We may share information about you when required to do so by any applicable state or federal law, including with the U.S. Department of Health and Human Services if it wants to see that we’re complying with applicable federal law.
Address workers’ compensation, law enforcement, and other government requests
We may use or share health information about you:
- For workers’ compensation claims
- For law enforcement purposes or with a law enforcement official
- With health oversight agencies for activities authorized by law
- For special government functions such as military, national security, and presidential protective services
Respond to lawsuits and legal actions
We may share health information about you in response to a court or administrative order, or in response to a subpoena.
To create de-identified information and limited data sets
We may use protected health information to create de-identified health information and limited data sets. De-identified health information is health information that cannot reasonably be used to identify you. Once protected health information has been appropriately de-identified under HIPAA and other applicable law, we may use and share the de-identified health information for any purpose, such as research or the advancement of medical care.
Limited data sets are protected health information that do not include certain direct identifiers about you, such as your name or phone number. We may use and share limited data sets for purposes of research, health care operations, or public health activities as described in this Notice after entering into a HIPAA-compliant agreement with the recipient.
Changes to the Terms of this Notice
We have the right to change our privacy practices and the terms of this Notice at any time, so long as the changes are permitted by applicable law. Such changes may apply to all protected health information we have about you, including information we received or created before updating the Notice. The new notice will be available upon request and on our web site.
To contact us regarding this Notice, our privacy practices, or your privacy rights, please use the following contact information:
- Phone: 1-855-373-7978
- Email: [email protected]
- Address: 1330 O’Brien Drive, Menlo Park, CA 94025