1.1 This procedure describes how personal information about you may be used and disclosed and how you can get access to this information.
1.2 BioPath Innovations S.A. (“BPI”) is a full-service, clinical reference laboratory operating with clients, clinicians and patients in Greece. At BPI, we pledge to give you the highest quality health care and to have a relationship with you built on trust. This trust includes our commitment to respect the privacy and confidentiality of a patient’s protected health information (“PHI”). Your PHI is information about you, including demographic information, that can be used to identify you and that relates to your past, present or future physical or mental health or condition or the provision of health care services to you. The PHI that BPI typically processes begins with the personal identifying and medical history information (such as your name, address, date of birth, test ordered, test result etc.) that we obtain from your physician, health plan or other sources. In addition to safeguarding that patient data, we are also committed to protecting the confidentiality of an individual’s new PHI as generated by BPI, such as the laboratory test results that we collect, create, or communicate as part of our diagnostic testing activities completed on your behalf.
2.1.1 BPI is committed to gathering, processing, maintaining, and disclosing PHI only in a manner that is fully in compliance with all applicable local and EU laws and regulations seeking to protect patient confidentiality. BPI is and shall be in compliance with all applicable local and EU laws and regulations regarding the use and disclosure of PHI.
2.1.2 Under EU and local regulations BPI is required to provide you with this Notice of Privacy Practices (“NPP”) to inform you, the patient/client, ahead of time about: how BPI will work with your PHI, BPI’s legal duties related to your PHI, and your own rights with respect to your PHI. BPI is also required to abide by the terms of the NPP currently in effect. Your other health care provider(s) may have different notices regarding the use and disclosure of your PHI maintained by them.
2.1.3 BPI reserves the right to change the terms of this notice, in which case, the new revised notice will be available upon request or on our website. We urge you to read this NPP carefully so that you will understand our commitment to the privacy and protection of your confidential health care information, and learn how you can involve yourself in the protection of this information.
2.1.4 If you have any questions about this NPP you can email us at the following address:
BioPath Innovations S.A.
Agiou Konstantinou, 50
2.2 Permissible Uses and Disclosures of Your PHI that BPI Can Make Without Your Authorization:
2.2.1 Your PHI will be used or disclosed for treatment, payment, or healthcare operations purposes related to the care provided to you and for other purposes as permitted or required by law. While we cannot list every possible use or disclosure, all of the ways we may use or disclose your PHI without your authorization will fall into one of the categories listed below.
2.2.2 If we want or need to use or disclose your PHI for purposes that do not fall into these general categories, we will first have to obtain your written authorization. In the event you have issued us an authorization, you have the right to withdraw your authorization in writing at any time, except if we have relied on the authorization before you inform us of your withdrawal.
2.3 BPI does not need your authorization or permission to use or disclose your PHI for the following purposes:
2.3.1 Treatment: BPI, as a health care provider that provides physicians with clinical laboratory testing for their patients, uses the PHI it receives from your physicians as part of its testing processes (to identify and enter your specimens and tests into our system(s)). Additionally, after completing the testing, BPI reports your results, as new PHI, back to your physicians and/or other authorized health care professionals who are treating you based on those results. In addition to your treating physician, we may provide your PHI to a consulting specialist physician. In those instances, because we are not local to you and your physician, we will need to confirm this type of request, in any acceptable manner (email, letter, telephone), informing us of your desired disclosure to a specialist. We may also disclose your PHI to another testing laboratory if we are unable to perform the testing ourselves and need to refer your specimen to that laboratory to perform the requested testing.
2.3.2 Payment: Our BPI billing/accounting department will use and disclose your PHI to insurance companies, health plans, hospitals, state agencies and other providers for any necessary payment purposes. For example, we will send your name, date of service, test performed, diagnosis code, and other information to the health plan you are a member of so that the plan will pay us for the services we have provided you. This right of use extends to third parties/agencies we may need to use to assist us in collecting payment for our services.
2.3.3 Health Care Operations: Your PHI will be used in the course of activities required to support BPI’s health care operations, such as tracking our utilization of resources, detecting fraud, reviewing our billing and claims processing efficiencies, or for performing quality checks on our information systems. This information will be used internally in an effort to continually improve the quality and effectiveness of the healthcare services we provide. We may also disclose your PHI to other health care providers or payers for their health care operations, but only if they already have a relationship with you and only if the purpose is for quality assurance activities, peer review activities, detecting fraud, or for other limited purposes.
2.3.4 Disclosures to Business Associates: BPI may disclose your PHI to other companies or individuals who need your PHI in order to provide specific services to us. Because these entities are not normally providing services of the type that we are providing you, they are called “Business Associates”. They must comply with the specific terms of a contract, or “Business Associate Agreement”, designed to ensure that they will use and maintain the privacy and security of your PHI in the same manner that we do. Additionally, in compliance with the Privacy Rule and its own policies, BPI will make every effort possible to ensure that whatever disclosure is made of your PHI, it will be limited to that which is minimum and necessary for the support services to be provided. For example, your PHI may be disclosed to couriers we use to transport specimens. We will provide the couriers with only the piece of PHI they need to perform their services.
2.3.5 We also may share aggregate, non-personal information about our operations, or information management systems, maintaining confidentiality of traceability.
2.4 BPI may also use or disclose your PHI without your authorization for the following purposes, as permitted or required by law:
2.4.1 When required by law: in order to comply with local or EU law, the order of the court, or the orders of a governmental agency.
2.4.2 Public health: to public health authorities for preventing or controlling disease, injury, or disability, such as reporting vital, or communicable or sexually transmitted disease information.
2.4.3 Health oversight activities: to a health oversight agency for oversight activities authorized by law (for example, as part of mandated laboratory inspection of our facilities by regulators).
2.4.4 Judicial and administrative proceedings: to courts, parties to a lawsuit or government agencies as may be required during the course of a judicial or administrative proceeding.
2.4.5 Law enforcement: to law enforcement officials relating to crimes and other law enforcement purposes.
2.4.6 Coroners/Medical Examiners: to coroners, medical examiners, or funeral directors for the purpose of identification or determining the cause of death or for other duties authorized by law.
2.4.7 Research: to researchers when the individual’s waiver or alteration of authorization and the researcher’s proposed research and established research protocols have been approved by either an institutional review board or a privacy board to ensure the privacy of PHI.
2.4.8 Threat to health or safety: consistent with law, to prevent a serious threat to personal health or safety to others (an agency’s investigation of a physician’s license).
2.4.9 Specialized government functions: to military command authorities, national security and intelligence officials for activities deemed necessary to carry out their respective missions, or to law enforcement officials having custody of an inmate.
2.4.10 Workers compensation: to the extent authorized by and to the extent necessary to comply with laws relating to workers’ compensation or similar programs.
2.5 Your Rights Concerning the Privacy and Confidentiality of Your PHI:
2.5.1 Access: You have the right to look at and get a copy of your PHI. You must ask for this in writing. We will respond within thirty (30) days from receipt of your request. If your request is denied, we must explain the reasons why in writing and tell you what rights you have. If we do not have the information you seek but we do know where it is, we must inform you of that.
2.5.2 Changes: You have the right to ask us to change your PHI related to your treatment and bills if you think there has been a mistake or that information is missing. You must make your request in writing and give the reason for the request. BPI has sixty (60) days to respond to the request. If we are unable to act on the request within the 60 days, we will notify you that we are extending the response time by 30 days. If we extend the response time, we will explain the delay to you in writing and give you a new date of when to expect a response. We may deny your request. If we deny your request, we must give you a written statement with the reasons for the denial and what other steps are available to you. If we grant your request, we will ask you to tell us the persons you want to receive the changes. You need to agree to have us notify them along with any others who received the previous information before the changes were made, and who may have relied on that information to treat you.
2.5.3 Accounting: You have the right to get a record of the times your health information has been shared. You must make your request in writing. You may request this as far back as 27/06/2016; retention will be for 10 years. The listing you get will include the date, name, and address (if known) of the person or organization receiving your information. It will also include a brief explanation of the information given and the reasons for the disclosure.
The following exceptions apply:
- sharing your PHI for the purposes of treatment, payment or health care operations
- sharing your PHI if you gave permission in writing (signed an authorization form)
- sharing your information in our data systems
- sharing your information with persons involved in your care
- sharing your information to communicate with you about your health condition
- sharing your information prior to 27/06/2016.
BPI has sixty (60) days to respond to the request. If we are unable to act on the request within the 60 days, we will notify you that we are extending the response time by 30 days.
If we extend the response time, we will explain the delay to you in writing and give you a new date of when to expect a response. Your first request for a record in any 12-month period is free. Subsequent requests will be at a cost. We will notify you of the fee before we do the work so that you may stop the request if you do not wish to pay the fee.
2.5.4 Restrictions: You have the right to ask for restrictions on the uses of your health information for treatment, payment or health care operations. BPI is not required to agree to your request. You may not ask us to restrict uses and disclosures that we are legally required to make.
2.5.5 Confidential Communications: You have the right to request how and where BPI is to send your PHI or communicate with you regarding any PHI, including billing information. It is your responsibility to provide us with contact information we can use to contact you. We may ask that you put your request in writing, but we do not have the right to ask you the reason for this.
2.5.6 Notice of Privacy Practices: You have the right to receive a paper copy of this NPP upon request, even if you previously agreed to receive this NPP electronically.
2.6 How We Protect Information Online – Offline
2.6.1 We exercise great care to protect your personal information. This includes, among other things, using industry standard techniques such as firewalls, encryption, and intrusion detection. However, while we strive to protect your personal information, we cannot ensure or warrant the security of any information you transmit to us or receive from us. This is especially true for information you transmit to us via email: we have no way of protecting that information until it reaches us, because email does not have the security features that are built into our websites.
2.6.2 De-personalized data is maintained with routine procedures utilizing anonymized client codes from receipt to release within our QMS (quality management system), and all other physical or IT (information technology) based systems inclusive of telephone and facsimile. Web-based and LIMS (laboratory information management systems) data transfer and storage processes maintain ISO27001 relevant procedures and adhere to our Information Security Policy, sample processing, and Business Continuity Plan.
2.6.3 In addition, we limit BPI employees and contractors’ access to personal information. Only those employees and contractors with a business reason to know have access to this information. We educate our employees about the importance of maintaining confidentiality of customer information.
2.6.4 We review our security arrangements from time to time as we deem appropriate.
2.7 How can you help protect your information?
If you are using a BPI website for which you registered and choose a password, we recommend that you do not divulge your password to anyone. We will never ask you for your password in an unsolicited phone call or in an unsolicited email. Also remember to sign out of the BPI website and close your browser window when you have finished your work. This is to ensure that others cannot access your personal information and correspondence if others have access to your computer.
2.8 Links to Other Sites
We want to provide site visitors valuable information, services and products. Featured programs and other site content within the BPI site may link our users to third party sites. BPI does not control and is not responsible for practices of any third-party websites, although they will be subject to our “Business Associate Agreement” terms and conditions.
Note: From time to time, we may change this privacy statement. For example, as we update and improve our services, new features may require modifications to the privacy statement. Accordingly, please check back periodically.
2.9 Non-Discrimination Notice
BPI does not discriminate on the basis of race, color, national origin, age, disability, or sex. BPI does not exclude people or treat them differently because of race, color, national origin, age, disability, or sex.
2.10 How to exercise your rights:
To exercise any of your privacy rights, please write to us at the address at the beginning of this NPP with your specific written request. Be sure to include sufficient information for us to identify all of your records. For additional details, or for instructions regarding how to exercise these rights, please contact us.
2.11 How to File a Complaint:
If you believe your privacy rights have been violated, you have the right to register a complaint with BPI, or the European Courts of Justice (cvce.eu). BPI will not retaliate against any individual for filing a complaint. You may file a complaint by writing to us at the address at the beginning of this NPP.