HIPAA Notice of Privacy Practices                                                                        

Note: Click here to translate page to Spanish.

YOUR INFORMATION – YOUR RIGHTS – OUR RESPONSIBILITIES

THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.

Effective Date: August 25, 2021

2Morrow is a clinically-tested, digital therapeutic platform that drives engagement and impacts outcomes.  2Morrow is committed to the safety and privacy of your protected personally identifiable information.  To that end, we operate incompliance with all applicable privacy and data protection laws including the Health Insurance Portability and Accountability Act of 1996, as amended by the Health Information Technology for Economic and Clinical Health Act of 2009 (“HITECH”) and implementing regulations (“HIPAA”).   

When it comes to your health information, you have certain rights.  This Notice of Privacy Practices explains your rights and some of our responsibilities to help you under HITECH and HIPAA, and how we will follow and respect the privacy of the health information of our users on this site and our mobile applications and related services (including the entire platform of behavior change programs, including support, research and improvements for: Smoking & Tobacco Cessation Program; Vaping Cessation Program; Quitting While Pregnant Program; Weight Management Program; Stress (and Anxiety) Program; Chronic Pain Program; and Grief, Loss, and Change Program; and the iCanQuit smoking cessation program; and other digital health programs offered in the future by 2Morrow collectively, the “Services”).

What Health Information We Collect

2Morrow takes the confidentiality of your health information seriously.  In providing our Services, some of the information we collect may constitute protected health information (“PHI”) under HIPAA.  PHI is personal information that is individually identifiable about a specific person that relates to (a) that person’s past, present, or future physical or mental health or condition; (b) the provision of health care to that person; or (c) that person’s past, present, or future payment for the provision of health care, which is created, received, transmitted, or maintained by 2Morrow, or by an employer group health plan to which 2Morrow is contracted through to provide services to you.  This Notice of Privacy Practices describes how we protect the privacy of your protected health information as a user of our Services.  As a provider of health services, 2Morrow has certain obligations under HIPAA for maintaining the privacy and security of your PHI collected while performing our Services. 

Our Responsibilities

  • We are required by law to maintain the privacy and security of your protected health information.

  • We will let you know promptly if a breach occurs that may have compromised the privacy or security of your protected personal health information.

  • We must follow the duties and privacy practices described in this notice and give you a copy of it if you so request.

What Information We Disclose

When you use our Services, 2Morrow may use and disclose your PHI for the purposes described below.  These uses and disclosures do not require your prior authorization.  You may revoke your authorization for us to use or share your health information at any time, except for uses or disclosures we have already made.  2Morrow may use and disclose your health information for the following purposes: 

Our Uses and Disclosures

The following categories describe different ways that we use and disclose your health information.  We have provided you with examples in certain categories; however, not every permissible use or disclosure will be listed in this notice.  Except where prohibited by federal or state laws that require special privacy protections, we may use and disclose your health information without your prior authorization for treatment, payment and health care operations as follows: 

Treatment:

We can use and share your health information with healthcare professionals to treat you.  For example, we can disclose your information to a treating physician in order to personalize your experience.

Payment:

We may use and share your health information to obtain payment for our services.  For example, we may disclose your PHI to your health plan to determine whether you are enrolled with the payer or eligible for health benefits that may pay for our services. 

Health Care Operations: 

We may use and share your health information for our operations related to health care.  For example, we may use your health information to administer your account.  

Business Associates:

From time to time, we work with other companies and individuals who help us deliver our services, known as “business associates.”  These entities are required to keep any PHI confidential and store it securely.  For example, we may use business associates to help store the data that we collect.

De-identifiable and Aggregated Data:

We may use and disclose your PHI in a de-identifiable and aggregated manner to analyze our users’ experiences and help improve our services. 

Research:

We can use or share your information for health research as authorized by law.  

As Required by Law:

We may use or disclose your PHI if state or federal laws require it. 

Public Health and Safety

We may use and disclose your PHI to prevent or minimize a serious threat to your health and safety or that of another person.  We may also disclose PHI to those assisting in disaster relief efforts so that others can be notified about your condition, status and location.

Law Enforcement Activities

We may also provide PHI to law enforcement officials, for example, in response to a warrant, investigative demand or similar legal process, or for officials to identify or locate a suspect, fugitive, material witness, or missing person. We may also disclose PHI to appropriate agencies if we reasonably believe an individual to be a victim of abuse, neglect or domestic violence.

Legal Proceedings

We may disclose PHI to respond to a court or administrative order, or in response to a warrant, investigation demand or other legal process.

We may also use and disclose your PHI for other purposes as permitted by HIPAA.  

Your Rights

  • Get an electronic or paper copy of your medical record.

    • You can ask to see or obtain an electronic or paper copy of your medical record and other health information we have about you.  Ask us how to do this.

    • We will permit inspection of your medical record within five (5) working days after receiving your written request.  We will provide a copy or a summary of your health information no more than fifteen (15) working days after receiving your written request.  We may charge a reasonable, cost-based fee.

  • Ask us to correct your medical record.

    • You can ask us to correct health information about you that you think is incorrect or incomplete.  Ask us how to do this. 

    • We may say “no” to your request, but we’ll tell you why in writing within 60 days.

  • Request confidential communications.

    • You can ask us to contact you in a specific way (such as home or office phone) or to send mail to a different address.

    • We will say “yes” to all reasonable requests.

  • Ask us to limit what we use or share.

    • You can ask us not to use or share certain health information for treatment, payment, or our operations.  We are not required to agree to your request, and we may say “no” if it would affect your care.

    • If you pay for a service or health care item out-of-pocket in full, you can ask us not to share that information for the purpose of payment or our operations with your health insurer.  We will say “yes” unless a law requires us to share it.

  • Get a list of those with whom we’ve shared information.

    • You can ask for a list (also referred to as an “accounting”) of the times we’ve shared your health information for six years prior to the date you ask, who we shared it with, and why.

    • We will include all the disclosures except for those about treatment, payment, and health care operations, and certain other disclosures (such as any you asked us to make).  We’ll provide one accounting a year for free but will charge a reasonable, cost-based fee if you ask for another one within 12 months.

  • Get a copy of this privacy notice.

    • You can ask for a paper copy of this notice at any time. We will provide you with a paper copy promptly.

  • Choose someone to act for you.

    • If you have given someone medical power of attorney or if someone is your legal guardian, that person can exercise your rights and make choices about your health information.

    • We will make sure the person has this authority and can act for you before we take any action, and may require specific documentation to protect your privacy.

  • File a complaint if you feel your rights are violated.

    • You can complain if you feel we violated your rights.  To file a complaint, or to ask any questions about this Notice of Privacy Practices, you may contact us using the information at the bottom of this notice. 

    • You can file a complaint with the U.S. Department of Health and Human Services Office for Civil Rights via mail or online.

    • We will not retaliate against you for filing a complaint.

Changes to the Terms of this Notice:

We can change the terms of this notice, and the changes will apply to all information we have about you.  The new notice will be available on our web site.  Upon request, we will give or mail a copy to you.

Your Choices

For certain health information, you can tell us your choices about what we share.  If you have a clear preference for how we share your information in the situations described below, talk to us.  Tell us what you want us to do, and we will follow your instructions.

  • In these cases, you have both the right and choice to tell us to:

    • Share information with your family, close friends, or others involved in your care

    • Share information in a disaster relief situation

    • Include your information in a hospital directory

    • Contact you for fundraising efforts

If you are not able to tell us your preference, for example if you are unconscious, we may go ahead and share your information if we believe it is in your best interest. We may also share your information when needed to lessen a serious and imminent threat to health or safety.

  • In these cases, we never share your information unless you give us written permission:

    • Marketing purposes

    • Sale of your information

    • Most sharing of psychotherapy notes

  • In the case of fundraising:

    • We may contact you for fundraising efforts, but you can tell us not to contact you again. 

Contact:

Privacy Officer:  Kim Hansen, Chief Technology Officer, khansen@2morrowinc.com.