Notice of Privacy Practices

Tilda’s Notice of Privacy Practices is effective on July 27, 2021.

Tilda Research, Inc. (“Tilda”, “we”, “us”) is committed to protecting the privacy and confidentiality of your medical data. This Notice of Privacy Practices (“NOPP”) explains how Tilda may use or disclose the Protected Health Information (“PHI”, “your data”, “your medical/health information”) we collect, as required by the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). It also describes your rights and our legal obligations with respect to your medical information.

If you have any questions about this Notice, please refer to the “How to Contact Us” section.

What is Your Protected Health Information (“PHI”)?

Protected health information (“PHI”) is the term given to health data created, received, stored, or transmitted by HIPAA-covered entities and their business associates in relation to the provision of healthcare, healthcare operations and payment for healthcare services. Your PHI can be your physician’s medical notes about you as well as your physician’s conversation with their nurse or assistant about your medical notes.

Protected health information is often shortened to PHI, or in the case of electronic health information, ePHI.

Tilda’s Responsibility to Protect your PHI

Under HIPAA, we must:

  • Protect the privacy of your PHI;
  • Tell you about your rights and our legal duties with respect to your PHI;
  • Notify you if there is a breach that compromised your PHI; and
  • Tell you about our privacy practices and follow our notice currently in effect.

When Tilda May Use or Disclose Your Medical Information Without Requiring Your Authorization

  • Treatment

    • Tilda’s authorized staff to provide you with our services in our clinic;
    • The provision, coordination, or management of healthcare and related services among healthcare providers or by a healthcare provider with a third party;
    • The consultation between healthcare providers regarding your case;
    • Referring you from one healthcare provider to another.
  • Payment

    • Providing information to your health plan for determining your eligibility for benefits and coverage;
    • Submitting a claim for services to your health plan;
    • Providing information needed by your health plan to determine coverage, including information needed by the health plan to conduct medical review.
  • Healthcare Operations

    • Quality assessment and improvement;
    • Professional credentialing;
    • Health insurance and benefits activities;
    • Medical and utilization review;
    • Legal services;
    • Auditing;
    • Business planning, analysis, and market research;
    • Business management and general administrative activities:
      • Activities related to compliance with HIPAA and HITECH
      • Customer service
      • Resolution of internal grievances
      • Due diligence analysis related to sales and acquisitions
      • Creation of de-identified information and limited data sets.

Compliance and Other Permitted or Required Purposes

Tilda may disclose your data without your authorization for various compliance and permitted purposes as follows:

Abuse or neglect: to government entities authorized to receive reports regarding abuse, neglect, or domestic violence.

Appointment reminders, ID verification, and other clinic administrative activities: to contact you about upcoming appointments, verify your ID or that of your caretaker, sign you in when you arrive at the clinic, send a motivational message to continue the trial, and provide other ancillary services.

As required or permitted by law: when we are required or permitted to do so by law, including workers' compensation laws. For example, Tilda must disclose your PHI to the U.S. Department of Health and Human Services upon request for purposes of determining whether Tilda is in compliance with federal privacy laws.

Business associates: to perform certain functions or activities on our behalf, such as health care operations and protecting your ePHI. These business associates must agree to safeguard your PHI.

Coroners, funeral directors, medical examiners and organ donation: to coroners, funeral directors, medical examiners and organ donation organizations as authorized by law.

Fundraising activities: Tilda does not leverage PHI for fundraising activities.

Disaster relief efforts: to an authorized public or private entity for disaster relief purposes. For example, we might disclose your PHI to help notify family members of your location or general condition.

Health information exchanges (“HIE”): we may participate in health information exchanges (HIEs) and may electronically share your medical information for treatment, payment and health care operations purposes with other participants in the HIEs, to the extent permitted by applicable law and the applicable HIE. HIEs allow us, and your other health care providers and organizations, to efficiently share and better use information necessary for your treatment and other lawful purposes. In some states, the inclusion of your medical information in an HIE is voluntary and subject to your right to opt-in or opt-out; if you choose to opt-in or not to opt-out, we may provide your medical information in accordance with applicable law to the HIEs in which we participate.

Health oversight agencies: to health oversight agencies for certain activities such as audits, examinations, investigations, inspections, and licensures.

Inmates: if you are an inmate of a correctional institution or under the custody of law enforcement officials, we may release medical information about you to the correctional institution as authorized or required by law.

Law enforcement: to law enforcement officials in certain circumstances for law enforcement purposes. By way of example and without limitation, disclosures may be made to identify or locate a suspect, witness, or missing person; to report a crime; or to provide information concerning victims of crimes.

Legal proceedings: in the course of any legal proceeding or in response to an order of a court or administrative agency and in response to a subpoena, discovery request, or other lawful process.

Military activity and veterans: to military command authorities such as the Department of Veterans Affairs, as authorized or required by law.

Minors: in general, parents and legal guardians are legal representatives of minor patients. However, in certain circumstances, as dictated by state law, minors can act on their own behalf and consent to their own treatment. In general, we will share the PHI of a patient who is a minor with the minor’s parents or guardians, unless the minor could have consented to the care themselves (except where parental disclosure may be required per applicable law).

National security and intelligence activities: to authorized federal officials for national security and intelligence purposes, as permitted or required by law.

Protective services for the President and others: to authorized federal officials in connection with providing protective services to the President of the United States and other authorized persons, as permitted or required by law.

Public health and safety: to an authorized public health authority or individual to:

  • Protect public health and safety.
  • Prevent or control disease, injury, or disability.
  • Report vital statistics such as births or deaths.
  • Investigate or track problems with prescription drugs and medical devices.

Research: Tilda engages in extensive and important research and studies. Some of our research may involve medical procedures and some is limited to collection and analysis of health data.
Enrollment in those studies can only occur after you have been informed about the study, had an opportunity to ask questions, and indicated your willingness to participate by signing a consent form. When approved through a special review process that ensures your rights are protected, other studies may be performed using your medical information without requiring your consent. These studies will not affect your treatment or welfare, and your medical information will continue to be protected.

Sharing with family and others when you are present: sometimes a family member or other person involved in your care will be present when we are discussing your PHI with you. If you object, please tell us and we won't discuss or share your PHI, or we will ask the person to leave.

Sharing with family and others when you are not present: there may be times when it is necessary to disclose your PHI to a family member or other person involved in your care because there is an emergency, you are not present, or you lack the decision making capacity to agree or object. In those instances, we will use our professional judgment to determine if it's in your best interest to disclose your PHI. If so, we will limit the disclosure to the PHI that is directly relevant to the person's involvement with your health care.

When Tilda Requires Your Authorization to Disclose Your Medical Information

Tilda requires your authorization for the following purposes:

  • Most marketing purposes
    • Exception: HIPAA and applicable laws allow communications pertaining to care or treatment and/or our products and services.
  • Psychotherapy notes
  • Sale of your information
  • Specific types of PHI: there are stricter requirements for use and disclosure of some types of PHI. For example, mental health and drug and alcohol abuse patient information, HIV tests, and genetic testing information. However, there are still circumstances in which these types of information may be used or disclosed without your authorization. Where applicable, we will give you a separate written notice, as required by law, about your privacy rights for the corresponding PHI.

To revoke your authorization, please refer to “Revoke your authorization to share your PHI” under Your Health Information Rights.

Your Health Information Rights

If you have questions about your rights or want to exercise them, please refer to the “How to Contact Us” section of this Notice.

You have the right to:

Supplemental privacy: you may request restrictions on certain uses and disclosures of your PHI via a written request specifying what information you want to limit, and what limitations on our use or disclosure of that information you wish to have imposed. You may also ask that we limit the information we give to someone who is involved in your care, such as a family member, friend or caretaker. Please note that we are not required to agree to your request, except when a restriction has been requested regarding a disclosure to a health plan in situations where the patient has paid for services in full and where the purpose of the disclosure is for payment. If we do agree, we will honor your limits unless it is an emergency situation.

Inspect and copy your PHI: you may request to inspect your PHI, or obtain a copy of your PHI in electronic form or paper copy. Your request for inspection or copy must be in writing. Tilda will provide copies in your requested format if it is readily producible, or will provide you with an alternative format you find acceptable. If we can’t agree and we maintain the record in an electronic format, we will provide it in your choice of a readable electronic or hardcopy format.

  • Exceptions:
    • Child’s records or incapacitated adult: we may deny your request to access your child’s records or the records of an incapacitated adult you are representing because we believe allowing access would be reasonably likely to cause substantial harm to the patient. You have the right to appeal our decision.
    • Psychotherapy notes: we may deny your request to access your psychotherapy notes. You may request to have them transferred to another mental health professional.
    • Other: inspection of the PHI subject to your request is prohibited by law or you are denied in accordance with privacy laws.

Amend or supplement your PHI: you may request that we amend your health information that you believe is incorrect or incomplete. Your request for an amendment must be in writing and provide the reason for your request. We may deny your request for the reasons listed under the Exceptions below. If we deny your request, you may submit your disagreement in writing and ask that your statement be added to your PHI.

  • Exceptions:
    • We do not have that information about you. If we know who does, we will inform you of it.
    • We did not create the information, unless the entity who created the information is no longer available to amend it.
    • You are not permitted to inspect or copy the information.
    • The information is already complete and accurate as is.

Revoke your authorization to share your PHI: if you gave us authorization to share your PHI under the section “When Tilda Requires Your Authorization to Disclose Your Medical Information”, you may revoke that authorization by notifying us in writing at any time. The revocation will not apply to any authorized use or disclosure of your PHI that took place before we received your revocation. Tilda cannot withdraw any disclosures it has already made in reliance on your written authorization, and Tilda is required by law to maintain its records as to health care that has been provided to you.

Confidential communication alternatives: you may request to communicate with us by an alternative method, or at a different address. Tilda will accommodate requests whenever possible.

Accounting of disclosures of your PHI: you may request a list of disclosures we have made. Your request must be in writing and be specific enough for Tilda to be able to answer your request. A certain number of disclosures are not required to be listed (see Exceptions below), and for the ones that are, Tilda will provide up to 6 years of disclosures prior to the date of the request.

  • Exceptions:
    • Any disclosures under Treatment, Payment and Healthcare Operations.
    • Certain disclosures as permitted or required by law.

Choose someone to act for you: if you have given someone medical power of attorney or if someone is your legal guardian, to the extent permitted by law, that person can exercise your rights and make choices about your health information. We will confirm the person has the authority and can act for you before we take any action.

Breach notification: you have the right to receive written notification of any breach of your unsecured PHI. You will be notified without unreasonable delay and no later than 60 calendar days after discovery of the breach.

Copy of this Notice: you have the right to request a paper copy of this Notice.

Communication

Tilda may use PHI to send you appointment reminders and other communications related to Tilda’s services you are receiving. If you choose to communicate with us via emails, texts (SMS) or chats, you acknowledge that we may exchange PHI with you via these services.

However, these services may not be a secure method of communication. If you would prefer not to exchange PHI via email, text or chat, you can choose not to communicate with us via those means, and you can notify us to establish a different means of communication. Please refer to the “How to Contact Us” section of this Notice to do so.

How to Contact Us

If you have any questions about this Notice or would like an additional copy, please contact the Privacy Department at:

To exercise your Health Information rights that require a written request, or for any complaint, please use the address below:

Att: Privacy Department
Tilda Research Inc.
18600 MacArthur Blvd, Suite 360
Irvine, CA 92612

Tilda supports your right to protect the privacy of your PHI. Tilda will not retaliate in any way if you choose to file a complaint with Tilda or with the U.S. Department of Health and Human Services.

Changes to this Notice of Privacy Practices

Tilda may modify this Notice of Privacy Practices at any time, provided that such changes are permitted by applicable law. The revised notice will apply to all PHI Tilda handles, including existing PHI. The Notice will be posted on Tilda’s website, available at the clinic, or available upon request.

Please review this Notice from time to time to ensure you are familiar with our HIPAA privacy practices.