Effective date: 06/24/2019

Notice of Privacy Practices

This notice describes how medical information may be used and disclosed, and how you can access this information. Please review this carefully.

In providing care to you, the staff at Iora Health and the members of its affiliated covered entity (“Iora” or “we”) will record your medical information in our electronic medical record. An affiliated covered entity is a group of organizations under common ownership or control who designate themselves as a single affiliated covered entity for purposes of compliance with the Health Insurance Portability and Accountability Act (“HIPAA”).

Information that identifies you or your health information is called Protected Health Information, or PHI. We are required by law to maintain the confidentiality of your PHI. We are also required to provide you with this Notice of Privacy Practices. This Notice gives you information about Iora’s legal duties, responsibilities, and privacy practices involving your PHI. When Iora uses or discloses PHI, we must and will abide by the terms of this Notice (or the Notice in effect at the time of any use or disclosure of your PHI). The members of the Iora affiliated covered entity (“Iora ACE”) will share PHI with each other for the treatment, payment and health care operations of the Iora ACE and as permitted by HIPAA and this Notice. For a complete list of the members of the Iora ACE, please contact the Privacy Officer.

How Iora May Use or Disclose PHI

Some reasons Iora may use your PHI are listed below (though not every reason for a use or disclosure is identified.) Some uses and disclosures will require your consent, while other reasons may not.

  1. Iora may use or disclose your PHI, with your consent, as follows:
    1. Research. For research purposes.
    2. Sale of PHI or for our Marketing Purposes. This does not include face-to-face communication about products or services that may be of benefit to you, or about prescriptions you have already been prescribed.
    3. Highly Confidential Information. In some instances, we may need additional, very specific, written authorization to disclose certain types of specially-protected information such as psychotherapy notes, HIV status, substance abuse treatment, mental health records, venereal disease information, research involving controlled substances, abortion consent forms, family planning services, and genetic testing information (“Highly Confidential Information”).
    4. Emancipated Minors. Certain information relating to your diagnosis or treatment may be Highly Confidential Information and will not be disclosed to a parent or guardian without your consent. Your consent is not required, however, if a physician reasonably believes your condition to be so serious that your life or limb is endangered. Under such circumstances, we may notify your parents or legal guardian of the condition, and will inform you of a notification. If you are a parent or legal guardian of an emancipated minor, certain portions of the emancipated minor’s medical record (or, in certain instances, the entire medical record) may not be accessible to you.
  2. Iora may use or disclose PHI without your consent under the following circumstances:
    1. Treatment. Iora uses your PHI to provide treatment and other services to you to diagnose and treat your injury or illness. As part of that treatment, Iora may need to disclose PHI to other health care providers involved in your care, such as specialists, pharmacies, and labs.
    2. Payment. Iora may disclose your PHI to your insurance company in order to confirm your eligibility to receive care at Iora, and for Iora to collect payment for its services provided to you. Iora may also disclose your PHI to other health care providers so that they may seek payment for services they provided to you.
    3. Operations. We may need to use and disclose your PHI as necessary to support our day-to-day management or for internal administration and planning or quality improvement. We may also disclose PHI to other healthcare providers or payers that are involved in your care for their healthcare operations.
    4. Business Associates. We may share your PHI with third party business associates that perform various activities (e.g., billing, testing, or consulting) for Iora. Whenever an arrangement between a business associate and Iora involves the use or disclosure of your PHI, we will have a written agreement that will protect the privacy of your PHI.
    5. Individuals Involved in Your Care. We may release your PHI to a friend or family member who is involved in your medical care. We may also give information to someone who helps pay for your care. We may share your PHI with these persons if you are present or available before we share your PHI with them and you do not object to our sharing your PHI with them, or we reasonably believe that you would not object to this. If you are not present and certain circumstances indicate to us that it would be in your best interests to do so, we will share information with a friend or family member or someone else identified by you, to the extent necessary. This could include sharing information with your family or friend so that they could pick up a prescription or a medical supply.
    6. Death. Iora may need to release PHI to a medical examiner or coroner.
    7. Organ/Tissue Donation. If you are an organ donor, Iora may release PHI to organizations that facilitate organ or tissue donation, banking and transplantation.
    8. Serious Threats to Health or Safety. Iora may use PHI to assist with efforts to prevent serious threats to the health and safety of you or others.
    9. Military. Iora may share your PHI if you are, or were, a member of the U.S. or foreign military, if required by the appropriate authorities.
    10. National Security. We may need to share PHI with officials for national security activities.
    11. Correctional Institutions or Law Enforcement. If you are an inmate or in custody of law enforcement, we may need to disclose PHI:
      1. to the institution in order to provide healthcare to you,
      2. for the safety and security of the institution, and/or
      3. to protect your health and safety or the health and safety of others.
    12. Training. Your PHI may be used or disclosed for the purpose of allowing students, residents, nurses, physicians and other healthcare professionals who are interested in healthcare, pursuing careers in the medical field or desire an opportunity for an educational experience to tour, shadow employees and/or providers or engage in a clinical practicum.
    13. Required by Law. Iora must disclose PHI as required by federal, state or local law, for:
      1. Public Health Reporting. Iora is required to provide information to public health authorities to:
        1. Report abuse or neglect of children, the elderly or the disabled, including instances of rape or sexual assault;
        2. State agencies in order to prevent or control disease, injury or disability;
        3. Notify a person of a potential exposure to a communicable disease;
        4. Notify a person of a potential risk of spreading or contracting a disease or condition;
        5. Report adverse reactions to drugs or problems with products or devices.
      2. Workplace Injury or Illness. For work-related illness or injury or as required for workplace medical surveillance, we must report to the insurer and/or the state industrial accident board and/or parties involved in workers’ compensation matters.
      3. Lawsuits and Similar Proceedings. In the event you are involved in a lawsuit or similar proceeding, Iora may need to use and share your PHI in response to a court order, or if a lawful request has been made by another party involved in the dispute with you, but only after we have made efforts to inform you of the request or obtain an order protecting your PHI from disclosure.
      4. Law Enforcement. PHI may be disclosed to police or other law enforcement officials as required or permitted by law, or to comply with a subpoena accompanied by a court order.

Rights Regarding your PHI

  1. Communications. You may request that Iora communicate with you about your health and related issues in a particular manner (e.g., to contact you at home rather than work). You do not need to give a reason for your request.
  2. Restrictions. You have the right to request that we not share your PHI for treatment, payment, or healthcare operations, or that we share your PHI with only certain individuals. We will abide by your request, unless a disclosure is required by law or is necessary to treat you. To request a restriction, we will need to know: the information you wish to restrict; whether or how you want to restrict Iora’s use, disclosure or both; and to whom.
  3. Inspection, Copies, and Amendments. You have the right to see your PHI and have it copied. Requests for copies must be made in writing. If available, you may obtain an electronic copy of your health record, and/or may direct us to transmit a copy to a person you designate. If Iora created the information, you have a right to request that we amend the information if you believe it is inaccurate or incomplete. We cannot change medical information created by someone else, or if the change would make your medical record inaccurate or incomplete.
  4. Revoking your Authorization. With a written request to us, you may revoke or revise prior authorizations for future use/disclosure of your PHI.
  5. Obtain a Paper Copy of This Notice at Any Time. Email us at hipaa@iorahealth.com.
  6. Accounting and Access Reports. You have a right to receive a list of how, and to whom, PHI was disclosed. This is called an “accounting of disclosures.” This would not include disclosures of your PHI made for your treatment, payment, or health care operations. If we use or maintain your PHI in an electronic designated record set, you have a right to receive a report indicating where we (or our Business Associates) have disclosed, and/or who has accessed, your PHI (including access for the purposes of treatment, payment, and health care operations) during a period of time up to three years prior to the date of your request. Requests for an accounting of disclosures and/or requests access reports must be made in writing to Iora.
  7. Notice of a Breach. You have a right to receive notice of any unauthorized access of PHI.
  8. Right to File a Complaint. If you believe your privacy rights have been violated, you may file a complaint with our Privacy Officer or with the Secretary of the Department of Health and Human Services (“HHS”). All complaints must be submitted in writing. You will not be penalized for filing a complaint. To file a complaint with HHS, contact:
  9. Office for Civil Rights
    US Department of Health and Human Services
    200 Independence Avenue SW
    Room 509F HHH Bldg
    Washington DC 20201

Information Breach Notification

Iora is required to provide patient notification if it discovers a breach of unsecured PHI unless there is a demonstration, based on a risk assessment, that there is a low probability that the PHI has been compromised. You will be notified without unreasonable delay and no later than 60 days after discovery of the breach. Such notification will include information about what happened and what can be done to mitigate any harm.

Revisions to this Notice

Iora may change its privacy policies, including this Notice, and make new policies and practices, including revised Notice provisions, effective for all PHI that we maintain. A copy of the current Notice will be posted in our office and on our website.


For questions about this Notice, contact Iora’s Privacy Officer:

Privacy Officer
Iora Health
101 Tremont Street, 6th Floor
Boston, MA 02108