THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION THAT myNEXUS COLLECTS OR RECEIVES MAY BE USED AND DISCLOSED. PLEASE REVIEW IT CAREFULLY.

myNEXUS, Inc. is dedicated to maintaining the privacy of patients’ protected health information (“PHI”) and other confidential personal information. PHI is individual information that may be used to identify a patient (e.g., name, Social Security Number, or address) and that relates to: (a) the patient’s past, present, or future physical or mental health or condition; (b) the provision of health care to the patient; or (c) the past, present, or future payment for the provision of health care to the patient. In conducting its business, myNEXUS will receive and create records containing PHI. myNEXUS is required to maintain the privacy of patients’ PHI and to refrain from using or disclosing PHI in any manner prohibited by the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).

myNEXUS must abide by the terms of this Notice of Privacy Practices (“Notice”) while it is in effect. This current Notice takes effect on January 1, 2017, and will remain in effect until myNEXUS replaces it. myNEXUS reserves the right to change the terms of this Notice at any time, as long as the changes are in compliance with applicable law. If myNEXUS changes the terms of this Notice, the new terms will apply to all PHI that it maintains, including PHI that was created or received before such changes were made. If myNEXUS changes this Notice, it will post the new Notice on its website and will make the new Notice available upon request.

HOW WE MAY USE AND DISCLOSE PATIENTS’ MEDICAL INFORMATION

The following sections describe different ways we may use and disclose PHI received or maintained by myNEXUS. We abide by all applicable laws related to the protection of this information. Not every use or disclosure will be listed below. All of the ways we are permitted to use and disclose information, however, will fall within one of the following categories:

  • Patient Authorization

    myNEXUS may use and disclose patients’ PHI with their written authorization, to the extent such use or disclosure is consistent with that authorization. A patient may revoke his or her authorization for myNEXUS to use or disclose his or her PHI at any time.
  • Business Associate Services

    We may use or disclose patients’ PHI in order to perform specified services under the business associate agreements to which myNEXUS is a party. We will only use or disclose PHI as authorized by the terms of our business associate agreements or, as described below, if required by applicable law.

    Such uses or disclosures may be for the purpose of, among other things, ensuring the proper management and administration of myNEXUS’s business operations or providing data aggregation services relating to the health care operations of our members. In performing our business associate functions, we will not use or disclose PHI in any manner that would be prohibited under HIPAA.

  • Uses or Disclosures Required by Law

    We may use or disclose patients’ PHI to the extent that: (i) such use or disclosure is required by law; and (ii) the use or disclosure complies with and is limited to the relevant requirements of such law. Such uses or disclosures may include, but are not limited to:
    • Mandatory disclosures about victims of abuse, neglect, or domestic violence;
    • Disclosure to a health oversight agency for oversight activities authorized by law, including audits; civil, administrative, or criminal investigations; inspections; licensure or disciplinary actions; civil, administrative, or criminal proceedings or actions; or other oversight activities specified by law;
    • Disclosures for law enforcement purposes, including to comply with a lawfully issued subpoena, order, or warrant; or
    • Disclosure to the Secretary of the U.S. Department of Health and Human Services for purposes of assessing compliance with HIPAA requirements.

OUR PRIVACY COMMITMENTS

To ensure the protection of patients’ PHI and as required by applicable law, myNEXUS commits to the following:

  • Maintaining Security of PHI
    myNEXUS uses and will continue to use appropriate physical, administrative, and technical safeguards to ensure that all PHI we create, receive, maintain, or transmit is kept confidential and secure. This includes the use of Secure Sockets Layer (“SSL”) technology, which allows only authorized personnel to access patients’ PHI. All authorized personnel who access PHI must abide by myNEXUS’s own security and confidentiality policies.
  • Sharing of PHI

    From time to time, myNEXUS may share PHI with other individuals or entities to enable them to perform specified functions on our or our members’ behalf. To the extent myNEXUS engages subcontractors to create, receive, maintain, or transmit PHI, we will ensure that all such subcontractors agree to abide by the same restrictions and conditions on the use and disclosure of that PHI as apply to myNEXUS.

  • Patient Access to PHI
    myNEXUS will make available patients’ PHI as maintained in a designated record set for inspection and copying. Upon receiving a request by a patient for access to his or her PHI, myNEXUS will either grant such access directly to the patient or timely forward the request to the applicable member, consistent with the terms of our business associate agreements.
  • Amendments of PHI
    myNEXUS will make available patients’ PHI as maintained in a designated record set for amendment and incorporate any requested amendments, consistent with the terms of our business associate agreements.
  • Accounting of Disclosures
    Consistent with the terms of our business associate agreements, myNEXUS will provide information to our members regarding any disclosures of their patients’ PHI that may be required for the member to provide an accounting of disclosures to the patient in accordance with HIPAA.
  • Reporting of Breaches
    myNEXUS will report to its members any unauthorized uses or disclosures of their patients’ PHI of which myNEXUS becomes aware, including breaches of unsecured PHI. myNEXUS will make such reports without unreasonable delay and in no case later than 60 calendar days after we discover the unauthorized use, disclosure, or breach, unless otherwise required by law or the terms of our business associate agreements.

HOW TO CONTACT US

If you would like more information or have questions about our privacy practices, please contact our Member Services Department by calling (866) 828-0337. You may also e-mail us with any questions or comments you have regarding this Notice or myNEXUS’s operations. Please note that e-mail correspondence may pass through public and private networks and may be accessed or viewed by other Internet users, without your knowledge or permission. For that reason, we recommend that any confidential information you wish to send us be mailed to the following address: myNEXUS, Inc., 109 Westpark Drive, Suite 220, Brentwood, TN 37027.