Privacy Practices

NOTICE OF PRIVACY PRACTICES

Notice of Privacy Practices

This notice describes how medical information about you may be used and disclosed and how you can get access to this information. Please review it carefully.

Our Commitment to Your Privacy

MD Ally is dedicated to maintaining the privacy of your protected health information (‘PHI’). PHI is information about you that may be used to identify you (such as your name, social security number or address), and that relates to (a) your past, present or future physical or mental health or condition, (b) the provision of healthcare to you, or (c) your past, present, or future payment for the provision of healthcare. In conducting its business, MD Ally will receive and create records containing your PHI. MD Ally is required by law to maintain the privacy of your PHI and to provide you with notice of its legal duties and privacy practices with respect to your PHI.

MD Ally must abide by the terms of this Notice while it is in effect. This current Notice takes effect on January 1, 2020, and will remain in effect until MD Ally replaces it. MD Ally reserves the right to change the terms of this Notice at any time, as long as the changes are in compliance with applicable law. If MD Ally changes the terms of this Notice, the new terms will apply to all PHI that it maintains, including PHI that was created or received before such changes were made. If MD Ally changes this Notice, it will post the new Notice on its Web site and will make the new Notice available upon request.

Uses and Disclosures of PHI

MD Ally may use and disclose your PHI in the following ways:

Treatment, Payment and Healthcare Operations. MD Ally is permitted to use and disclose your PHI for purposes of (a) treatment, (b) payment and (c) healthcare operations. For example:
Treatment. MD Ally may disclose your PHI to another physician or healthcare provider for purposes of a visit or in connection with the provision of follow-up treatment.
Payment. MD Ally may use and disclose your PHI to your health insurer or health plan in connection with the processing and payment of claims and other charges.
Healthcare Operations. MD Ally may use and disclose your PHI in connection with its healthcare operations, such as providing customer services and conducting quality review assessments. MD Ally may engage third parties to provide various services for MD Ally. If any such third party must have access to your PHI in order to perform its services, MD Ally will require that third party to enter an agreement that binds the third party to the use and disclosure restrictions outlined in this Notice.
Authorization. MD Ally is permitted to use and disclose your PHI upon your written authorization, to the extent such use or disclosure is consistent with your authorization. You may revoke any such authorization at any time. To authorize MD Ally to disclose your PHI to a third party, download the HIPAA Authorization to Disclose Protected Health Information here and mail it to the address listed on the form.

As Required by Law. MD Ally may use and disclose your PHI to the extent required by law.

Special Circumstances

The following categories describe unique circumstances in which MD Ally may use or disclose your PHI:

Public Health Activities. MD Ally may disclose your PHI to public health authorities or other governmental authorities for purposes including preventing and controlling disease, reporting child abuse or neglect, reporting domestic violence and reporting to the Food and Drug Administration regarding the quality, safety and effectiveness of a regulated product or activity. MD Ally may, in certain circumstances disclose PHI to persons who have been exposed to a communicable disease or may otherwise be at risk of contracting or spreading a disease or condition.
Workers’ Compensation. MD Ally may disclose your PHI as authorized by, and to the extent necessary to comply with, workers’ compensation programs and other similar programs relating to work-related illnesses or injuries.
Health Oversight Activities. MD Ally may disclose your PHI to a health oversight agency for authorized activities such as audits, investigations, inspections, licensing and disciplinary actions relating to the healthcare system or government benefit programs.
Judicial and Administrative Proceedings. MD Ally may disclose your PHI, in certain circumstances, as permitted by applicable law, in response to an order from a court or administrative agency, or in response to a subpoena or discovery request.
Law Enforcement. MD Ally may, under certain circumstances, disclose your PHI to a law enforcement official, such as for purposes of identifying or locating a suspect, fugitive, material witness or missing person.
Decedents. MD Ally may, under certain circumstances, disclose PHI to coroners, medical examiners and funeral directors for purposes such as identification, determining the cause of death and fulfilling duties relating to decedents.
Organ Procurement. MD Ally may, under certain circumstances, use or disclose PHI for the purposes of organ donation and transplantation.
Research. MD Ally may, under certain circumstances, use or disclose PHI that is necessary for research purposes.
Threat to Health or Safety. MD Ally may, under certain circumstances, use or disclose PHI if necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public.
Specialized Government Functions. MD Ally, may in certain situations, use and disclose PHI of persons who are, or were, in the Armed Forces for purposes such as ensuring proper execution of a military mission or determining entitlement to benefits. MD Ally may also disclose PHI to federal officials for intelligence and national security purposes.

Your Rights Regarding Your PHI

You have the following rights regarding the PHI maintained by MD Ally:

Confidential Communication. You have the right to receive confidential communications of your PHI. You may request that MD Ally communicate with you through alternate means or at an alternate location, and MD Ally will accommodate your reasonable requests. You must submit your request in writing to MD Ally. To submit such a request, download the Request for Restricts Request Form here and mail it to the address listed on the form.
Restrictions. You have the right to request restrictions on certain uses and disclosures of PHI for treatment, payment or healthcare operations. You also have the right to request that MD Ally restrict its disclosures of PHI to only certain individuals involved in your care or the payment of your care. You must submit your request in writing to MD Ally. MD Ally is not required to comply with your request. However, if MD Ally agrees to comply with your request, it will be bound by such agreement, except when otherwise required by law or in the event of an emergency. To submit such a request, download the Request for Restricts Request Form here and mail it to the address listed on the form.
Inspection and Copies. You have the right to inspect and copy your PHI. You must submit your request in writing to MD Ally. MD Ally may impose a fee for the costs of copying, mailing, labor and supplies associated with your request. MD Ally may deny your request to inspect and/or copy your PHI in certain limited circumstances. If that occurs, MD Ally will inform you of the reason for the denial, and you may request a review of the denial. To request access to your PHI that is not already accessible to you in the Member Portal, download the Request to Access PHI Form here and mail it to the address listed on the form.
Amendment. You have a right to request that MD Ally amend your PHI if you believe it is incorrect or incomplete, and you may request an amendment for as long as the information is maintained by MD Ally. You must submit your request in writing to MD Ally and provide a reason to support the requested amendment. MD Ally may, under certain circumstances, deny your request by sending you a written notice of denial. If MD Ally denies your request, you will be permitted to submit a statement of disagreement for inclusion in your records. To make a request to amend PHI that you cannot otherwise change yourself through the Member Portal, download the Request to Amend PHI form here and mail it to the address listed on the form.
Accounting of Disclosures. You have a right to receive an accounting of all disclosures MD Ally has made of your PHI. However, that right does not include disclosures made for treatment, payment or healthcare operations, disclosures made to you about your treatment, disclosures made pursuant to an authorization, and certain other disclosures. You must submit your request in writing to MD Ally and you must specify the time period involved (which must be for a period of time less than six years from the date of the disclosure). Your first accounting will be free of charge. However, MD Ally may charge you for the costs involved in fulfilling any additional request made within a period of 12 months. MD Ally will inform you of such costs in advance, so that you may withdraw or modify your request to save costs. To make a request for an accounting of disclosures, download the Request for an Account of Disclosures Form here and mail it to the address listed on the form.
Breach Notification. You have the right to be notified in the event that MD Ally (or a MD Ally Business Associate) discovers a breach of unsecured PHI.
Paper Copy. You have the right to obtain a paper copy of this Notice from MD Ally at any time upon request. To obtain a paper copy of this notice, please contact the Privacy Officer by writing to: Privacy Officer, MD Ally, 348 West 57th Street, Suite 180, New York, NY 10019 or sending an email to compliance@mdally.com.
Complaint. You may complain to MD Ally and to the Secretary of the Department of Health and Human Services if you believe that your privacy rights have been violated. To file a complaint with MD Ally, you must submit a statement in writing to: Privacy Officer, MD Ally, 348 West 57th Street, Suite 180, New York, NY 10019 or sending an email to compliance@mdally.com. MD Ally will not retaliate against you for filing a complaint.

Further Information. If you would like more information about your privacy rights, please send an email to the Privacy Officer at admin@mdally.com.

Individual Requests

Last updated on January 1, 2022

1. Policy
Individuals have a right to make certain requests pertaining to their PHI as described below.

1.1 Right to Inspect and Copy PHI

A. Procedure

Written Request. To inspect and copy PHI maintained by MD Ally, an individual must submit a request in writing to:
admin@mdally.com that states the individual’s name, address and the last four digits of his/her Social Security number and describes the PHI the individual is seeking. MD Ally may deny a request, as specified below.
1. Information Made Available. The designated record set to which the individual will be entitled includes: (i)
  medical records and billing records about the individual maintained by or for MD Ally as a medical practice; (ii)
  records used, in whole or in part, by or for MD Ally to make decisions about the individual.
2. Time for Response/Access. Except as provided below, any request for access is responded to no later than3 0
  days after it was received by MD Ally. A one-time extension of 30 days is available to MD Ally if it is unable to take action within the first 30 days. Within the first 30 days after the individual’s request is made, the individual will be furnished with a written
  statement that states: (i) the reasons for the delay; and (ii) the date by which a response will be provided.
Granting of Request. If a request for access to PHI is granted by MD Ally, the requesting party will be notified in
writing of the acceptance of the request and the requested access will be provided.
1. Format. The requested information will be provided in the format requested by the individual, unless it is not
  readily reducible to such form. If the requested format cannot be provided, a readable hard copy or electronic
  form as agreed to by MD Ally and the individual will be provided. To the extent the information is maintained
  electronically, MD Ally shall make available to the requesting party a copy of such information in the electronic
  form and format requested by the individual, if it is readily producible or, if not, in a readable electronic form and
  format as agreed to by MD Ally and the individual.
2. Fees. An individual will be charged a reasonable per-page fee for the hardcopy copies, or a reasonable costbased
  fee for the preparation of, an explanation or summary of the requested PHI.
Denial of Request for Access. A request to inspect and copy PHI may be denied in certain limited circumstances
specified by the Privacy Rule.
1. Format of Denial. A denial of a request for access must:
  - Be written in plain language;
  - State the basis for the denial;
  - If applicable, state the individual’s right to an independent review of the denial;
  - If applicable, provide a description of how the individual may exercise such review rights; and
  - Provide a description of how the individual may appeal the denial to MD Ally, including the name and
    address of the HIPAA Privacy Officer, or to the Secretary of HHS.
2. Making Other Information Accessible.
  - Partial Denial. If access is denied in part, the individual will be given access to any other PHI requested
    after MD Ally excludes the PHI for which access has been denied.
3. PHI Maintained by Other Entity. If access is denied, in whole or in part, because the requested information is
  not maintained by MD Ally and MD Ally knows where the requested information is maintained, MD Ally employee
  will inform the individual where to direct the request for access.
Review of Denial of Access
1. Right of Review. In certain instances, referred to above with the symbol [R], an individual whose request for
  access is denied has the right to have the denial reviewed by a licensed health care professional designated by
  MD Ally who did not participate in the original decision. In other situations, referred to above with the symbol
  [NR], MD Ally may deny an individual access without providing an opportunity for review.
2. Written Request For Review. To secure review of a denial of a request to inspect and copy PHI, an individual
  must submit a request in writing to: admin@mdally.com.
3. Review Procedure.
  - Upon receipt of a request for review of a denial, the Privacy Officer must promptly refer the matter to a
    licensed healthcare professional who was not directly involved in the denial.
  - The designated licensed healthcare professional will, within a reasonable time, review the individual’s
    request and the denial of the request based on the following standards: (i) whether access may endanger
    the life or physical safety of the individual or other person; (ii) Whether the PHI makes reference to another
    person who is not a health care provider and the access requested is reasonably likely to cause substantial
    harm to that person; or (iii) whether the access requested is made by the individual’s personal
    representative and access to the personal representative is reasonably likely to cause substantial harm to
    the individual or another person.
  - MD Ally will provide prompt written notice to the individual of the determination by the designated
    healthcare professional.
  - MD Ally will take prompt action to carry out the healthcare professional’s determination.

1.2 Requests for Confidential Communications of PHI and/or Alternative Means of Communications

A. Standard to Receive Confidential Communications
MD Ally may accommodate an individual’s reasonable request to receive communications of PHI in a confidential manner or
at an alternative location. If the individual clearly and reasonably states that the disclosure of all or part of that information
could endanger the individual, MD Ally will accommodate the individual’s request

B. Procedure

Written Request
1. For confidential communications or communications at an alternative location of PHI maintained by MD Ally, an
  individual must make a request in writing to: admin@mdally.com
Required Information. The request should:
1. state the individual’s name, address and the last four digits of his/her Social Security number;
2. specify how or where communications are to be made; and
3. if appropriate, a statement that disclosure of all or part of the information to which the request pertains could
  endanger the individual.
Granting Requests. MD Ally will accommodate reasonable requests and may condition its accommodation on:
1. Information as to how payment, if any, will be handled; and
2. Specification of an alternative address or another method of contact.

1.3 Requests to Restrict Uses and Disclosures of PHI

A. Standard to Request Restriction of Uses and Disclosures of PHI

MD Ally may accommodate an individual’s reasonable request to restrict uses and disclosures of their PHI to carry out
treatment, payment or health care operations or disclosures to a relative or individual identified by the patient, UNLESS the
disclosure is: (i) to a health plan for purposes of carrying out payment or health care operations (and not for treatment), (ii)
not otherwise required by law, and (iii) the PHI pertains solely to a health care item or service for which the health care
provider involved has been paid out-of-pocket in full – in which case MD Ally must accommodate an individual’s request.

B. Procedure

Written Request
1. For restrictions on the use or disclosure of PHI maintained by MD Ally, an individual must make a request in
  writing to: admin@mdally.com
2. Required Information. The request should:
  1. state the individual’s name, address and the last four digits of his/her Social Security number;
  2. specify what PHI is to be restricted; and
  3. to whom the restriction should apply (e.g., name of the health plan).
3. Granting Requests
  1. Required Restrictions to Health Plans: MD Ally will accommodate requests to restrict disclosures to health
    plans for payment or health care operations, as specified above and in accordance with § 164.522(a)(1).
  2. For all Other Restrictions: MD Ally will accommodate reasonable requests.

1.4 Requests for Accounting of Disclosures of PHI
A. Standard to Request an Accounting
Individuals have a right to receive an accounting from MD Ally that lists certain disclosures of their PHI made by MD Ally
during the six (6) year period prior to the request.

B. Procedure

Request for Accounting. All requests for an accounting of disclosures of PHI maintained by MD Ally must be
submitted in writing to: admin@mdally.com
Required Information. The individual’s written request must state:
1. Name, address and telephone number of the person who is the subject of the information for which an
  accounting is requested;
2. The last four digits of the individual’s Social Security number;
3. Time period for which accounting is sought — not to exceed 6 years from the date of the request; and
4. Format of the information sought — paper or electronic (if electronic, requesting party must provide an e-mail
  address).
Fees. A single accounting request within a 12-month period will be free of charge. A requesting individual will be
responsible for paying a reasonable cost-based fee for any additional accounting requests, provided they are notified
of the costs involved before they are assessed and given an opportunity to withdraw or modify the request.
Time for Response/Access. Except as stated, any request for an accounting will be acted upon no later than3 0
(thirty) days after it was received.
1. A one-time extension of 30 (thirty) days is available to MD Ally if it is unable to take action within the first 30 (thirty) days, provided that within the first 30 (thirty) days MD Ally provides the individual with a written statement setting forth the reasons for the delay and the date by which a response will be provided.

C. Contents of the Accounting

Accounting Requirements. The accounting will be written and provide the following information to the individual:
1. A list of the covered disclosures that occurred during the six (6) years preceding the request, unless that period
  is shortened by the compliance date or the individual’s request, and the date of each disclosure;
2. A list of the disclosures to or by Business Associates that occurred during the relevant time frame, and the date
  of each disclosure;
3. The name of the person or entity who received the disclosed information and, if known, the address of such
  person or entity;
  1. A brief description of the PHI disclosed in each disclosure; and
  2. A brief statement of the purpose of the disclosure that reasonably informs the individual of the basis of the
    disclosure. In lieu of such a statement, MD Ally may provide a copy of a written request for a disclosure for the
    purpose of complying with the Secretary of HHS’s compliance activities or for disclosures for which authorization
    is not required.
Items Excluded. The accounting for disclosures will not include the following disclosures:
1. Disclosures for carrying out treatment, payment or health care operations;
2. Disclosures pursuant to a valid authorization executed by the individual;
3. Disclosures of PHI to the individuals;
4. Disclosures for the facilities directory, disclosures to persons involved in the individual’s care, or for other
notification purposes;
5. Disclosures for national security or intelligence purposes;
6. Disclosures to correctional institutions or law enforcement officials; or
7. Disclosures that occurred before April 14, 2003.
Accounting Requirements; Multiple Disclosures. If, during the period covered by the accounting request, MD Ally
has made multiple disclosures of PHI to the same person or entity for the purpose of complying with the Secretary of
HHS’s compliance activities, for disclosures for which authorization is not required, or pursuant to a single
authorization, the accounting may, with respect to such disclosures, provide:
1. The information required by Section B.1 above for the first disclosure during the accounting period;
2. The frequency, periodicity or number of disclosures made during the accounting period; and
3. The date of the last such disclosure during the accounting period.

D. Suspension of Right

Temporary Suspension of Right Through Written Request. MD Ally will temporarily suspend an individual’s right to
receive an accounting of disclosures pursuant to a health oversight agency or law enforcement official’s request if the
agency or official provides a written statement to MD Ally:
1. Stating that the accounting to the individual would likely impede the agency’s activities and;
2. Specifying the time period for which the suspension is required.
Temporary Suspension of Right Through an Oral Request. If the agency or official statement requesting that an
accounting not be disclosed is made orally, the Privacy Officer will:
1. Document the statement, including the identity of the agency or official making the statement;
2. Temporarily suspend the individual’s right to an accounting subject to the statement; and
3. Limit the temporary suspension to no longer than 30 days from the date of the oral statement, unless a written
  statement as required above is submitted during that time.

1.5 Amendment Requests
A. Standard for Amendment Requests
An individual has the right to request that MD Ally amend his/her PHI maintained in the designated record set. However, in
certain instances described below, MD Ally may deny the request.

B. Procedure

Amendment Requests. All requests for amendments must be submitted in writing to: admin@mdally.com
Required Information. The written request should state:
1. Name, address and telephone number of the person who is the subject of the information for which an
  amendment is requested;
2. The last four digits of the individual’s Social Security number; and
3. The reason(s) in support of the request.
Time for Action on Notice of an Amendment. Amendment requests will be acted upon no later than sixty (60) days
after receipt of the request.
1. A one-time thirty- (30-)day extension is available to MD Ally so long as the individual is provided, within the first
  thirty (30) days, with a written statement of the reasons for the delay and the date by which MD Ally will complete
  the requested amendment.

C. Granting an Amendment Request If MD Ally grants the request, in whole or part, it will:

Make the appropriate amendment to the PHI or record that is the subject of the request by, at a minimum, identifying
the records in the designated record set that are affected by the amendment and appending or otherwise providing a
link to the location of the amendment;
Timely inform the individual that the amendment is accepted and obtain the individual’s identification of and agreement
to have MD Ally notify the relevant persons with which the amendment needs to be shared; and
Make efforts to inform and provide, within a reasonable time, the amendment to:
1. Persons identified by the individual as having received PHI about the individual and needing the amendment; and
2. Persons, including Business Associates, that MD Ally knows have the PHI that is the subject of the amendment
  and that may have relied, or could foreseeably rely, on such information.

D. Denial of an Amendment Request

Reasons for Denial. MD Ally may deny a request for an amendment for the following reasons:
1. It is not in writing;
2. It does not include a reason to support the request;
3. The information was not created by MD Ally, unless the individual shows that the originator of the PHI is no
  longer available to make the amendment;
4. The information is not PHI kept by or for MD Ally;
5. The information is not part of the information the individual would be permitted to inspect and copy per Section
  1.1; or
6. The information that the individual seeks to amend is accurate and complete.
Timely, Written Denial. A denial will be in writing and state in plain language:
1. The basis for denying the amendment;
2. That the individual has the right to submit a written statement disagreeing with the denial, and may do so by
  submitting a written letter to the Privacy Officer that summarizes the amendment requested, and explains why
  the individual disagrees with the decision to deny the amendment;
3. That if the individual does not submit a statement of disagreement, he/she may request that his/her request for
  amendment and denial be provided with any future disclosures of the PHI that is the subject of the amendment
  request; and
4. That the individual has the right to file a formal complaint with MD Ally, and may appeal a denial of a requested
  amendment to PHI to the Secretary of HHS. The denial letter should explain how to file such complaints.

E. Disagreement and Rebuttal Procedure

Statement of Disagreement and Rebuttal. In the event that an individual files with MD Ally a statement of
disagreement, as he/she is entitled to do, the Privacy Officer may include a written rebuttal to the individual’s
statement of disagreement. If a rebuttal is prepared, a copy will be provided to the individual.
Appending to the Record. The Privacy Officer must identify the record of PHI and the record that is the subject of the
disputed amendment and append or otherwise link the following to the designated record set: (1) the individual’s
amendment request; (2) the denial; (3) the individual’s statement of disagreement, if any; and (4) the rebuttal, if any.
Future Disclosures. The following materials will be included with an individual’s PHI when disclosed:
1. Where Statement of Disagreement Filed. If a statement of disagreement has been submitted by the individual,
  MD Ally will include it with any subsequent disclosure of the PHI to which the disagreement relates. The material
  will be appended in accordance with Section 2 above or an accurate summary of any such information will be
  appended.
2. Where No Statement of Disagreement Filed. If the individual has not submitted a written statement of
  disagreement, MD Ally will include the individual’s request for amendment and its denial, or an accurate
  summary of such information, with any subsequent disclosure of PHI only if the individual has requested such
  action.
NOTICE OF AMENDMENT BY OTHER ENTITY. In the event that MD Ally is informed by another covered entity of an
amendment to an individual’s PHI, it will amend the PHI in designated record sets in accordance with Section 1.6(c)
above.

1.6 Documentation
Information related to any individual requests and titles of MD Ally personnel responsible for receiving and processing such
requests will be retained for six (6) years in accordance with MD Ally’s record retention policy.