HIPAA Notice of Privacy Practices

Effective Date: January 15, 2025

Version: 1.0

THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.

Our Commitment to Your Privacy

MDS Genie is committed to protecting the privacy of your Protected Health Information (PHI). This Notice of Privacy Practices describes how we may use and disclose your PHI to carry out treatment, payment, or healthcare operations, and for other purposes that are permitted or required by law. It also describes your rights to access and control your PHI.

We are required by law to:

  • Maintain the privacy and security of your PHI
  • Provide you with this Notice of our legal duties and privacy practices
  • Follow the terms of the Notice currently in effect
  • Notify you following a breach of unsecured PHI

1. How We May Use and Disclose Your PHI

1.1 Uses and Disclosures for Treatment, Payment, and Healthcare Operations

Treatment: We may use and disclose your PHI to assist healthcare providers in your treatment. For example:

  • Processing MDS assessments based on your clinical notes
  • Providing PDPM categorization and reimbursement calculations
  • Generating care planning recommendations
  • Analyzing clinical data for assessment accuracy

Payment: We may use and disclose your PHI for payment activities. For example:

  • Processing subscription payments for facilities
  • Calculating PDPM reimbursement amounts
  • Billing for services rendered
  • Managing accounts and collecting fees

Healthcare Operations: We may use and disclose your PHI for healthcare operations. For example:

  • Quality improvement and assessment validation
  • Training staff on MDS assessment procedures
  • Conducting audits for compliance
  • Business planning and management
  • Customer service and technical support

1.2 Uses and Disclosures That Require Your Authorization

Other uses and disclosures of PHI not covered by this Notice will be made only with your written authorization. You may revoke such authorization at any time in writing, except to the extent that we have already taken action in reliance on the authorization.

We will obtain your written authorization for:

  • Marketing purposes
  • Sale of PHI
  • Psychotherapy notes (if applicable)
  • Any other use or disclosure not described in this Notice

1.3 Uses and Disclosures Without Your Authorization

We may use or disclose your PHI without your authorization in the following situations:

As Required by Law: We will disclose PHI when required to do so by federal, state, or local law.

Public Health Activities: We may disclose PHI to public health authorities for purposes such as:

  • Preventing or controlling disease, injury, or disability
  • Reporting adverse events or product defects
  • Notifying persons of recalls of products

Health Oversight Activities: We may disclose PHI to health oversight agencies for activities authorized by law, such as audits, investigations, inspections, and licensure.

Legal Proceedings: We may disclose PHI in response to a court or administrative order, subpoena, discovery request, or other lawful process.

Law Enforcement: We may disclose PHI to law enforcement officials for law enforcement purposes as required by law or in response to a valid subpoena.

To Avert a Serious Threat: We may use and disclose PHI when necessary to prevent a serious and imminent threat to the health or safety of a person or the public.

2. Your Rights Regarding Your PHI

You have the following rights with respect to your PHI. To exercise any of these rights, please contact our Privacy Officer using the contact information at the end of this Notice.

2.1 Right to Access

You have the right to inspect and obtain a copy of your PHI that we maintain. To request access:

  • Submit a written request to our Privacy Officer
  • We will respond within 30 days of receipt
  • We may charge a reasonable, cost-based fee for copying and postage
  • We may deny access in certain limited circumstances as permitted by law

2.2 Right to Amend

You have the right to request that we amend your PHI if you believe it is incorrect or incomplete. To request an amendment:

  • Submit a written request with the reason for the amendment
  • We will respond within 60 days
  • We may deny your request if the PHI was not created by us, is not part of our records, or is accurate and complete
  • If we deny your request, you may submit a written statement of disagreement

2.3 Right to an Accounting of Disclosures

You have the right to receive a list of certain disclosures we have made of your PHI. This list will not include:

  • Disclosures for treatment, payment, or healthcare operations
  • Disclosures made to you
  • Disclosures made pursuant to your authorization
  • Disclosures for national security or intelligence purposes
  • Disclosures to correctional institutions or law enforcement officials

2.4 Right to Request Restrictions

You have the right to request restrictions on certain uses and disclosures of your PHI. We are not required to agree to your request except in one situation:

  • If you pay for a service or healthcare item out-of-pocket in full, you can ask us not to share information about that service with your health insurer for payment or healthcare operations purposes

2.5 Right to Request Confidential Communications

You have the right to request that we communicate with you about your PHI by alternative means or at alternative locations. For example, you may request that we contact you only by mail or at a different address.

2.6 Right to a Paper Copy of This Notice

You have the right to obtain a paper copy of this Notice upon request, even if you have agreed to receive the Notice electronically.

2.7 Right to Be Notified of a Breach

You have the right to be notified in the event that we (or one of our Business Associates) discover a breach of your unsecured PHI.

3. Our Responsibilities

3.1 Safeguarding Your Information

We maintain physical, electronic, and procedural safeguards to protect your PHI, including:

  • Physical Safeguards: Secure facilities with restricted access, locked file cabinets, and controlled facility access
  • Technical Safeguards:
    • 256-bit AES-GCM field-level encryption for sensitive data
    • SSL/TLS encryption for all data in transit
    • Multi-factor authentication for administrator access
    • Regular security audits and vulnerability assessments
    • Automated intrusion detection and prevention systems
  • Administrative Safeguards:
    • Role-based access controls (Admin, MDS Coordinator, Nurse)
    • Comprehensive audit logging with 7-year retention
    • HIPAA training for all workforce members
    • Business Associate Agreements with all vendors
    • Incident response and breach notification procedures

3.2 Minimum Necessary Standard

We will make reasonable efforts to limit the use and disclosure of your PHI to the minimum necessary to accomplish the intended purpose, except when disclosure is made to you, pursuant to your authorization, or as otherwise permitted or required by law.

3.3 Business Associates

We may disclose your PHI to our Business Associates who perform functions on our behalf or provide us with services if the PHI is necessary for such functions or services. Our Business Associates include:

  • Microsoft Azure OpenAI (AI processing with HIPAA Business Associate Agreement)
  • Render.com (HIPAA-compliant hosting infrastructure)
  • Stripe (payment processing - limited PHI exposure)
  • Resend (email service - no PHI transmitted)

All Business Associates are required to sign agreements requiring them to safeguard your PHI and use it only as permitted by their contract with us.

4. Breach Notification

In the event of a breach of your unsecured PHI, we will notify you as required by law. Notification will be made:

  • Without unreasonable delay and no later than 60 days after discovery of the breach
  • By first-class mail to your last known address, or by email if you have agreed to electronic notice
  • The notice will include:
    • A brief description of what happened
    • The types of PHI involved
    • Steps you should take to protect yourself
    • What we are doing to investigate and mitigate harm
    • Contact information for questions

5. Changes to This Notice

We reserve the right to change this Notice and to make the revised or new Notice effective for all PHI we already have as well as any PHI we create or receive in the future. We will:

  • Post the current Notice on our website at www.mdsgenie.ai/hipaa-notice
  • Make copies of the current Notice available upon request
  • Notify you if we make material changes to the Notice
  • Include the effective date on each version of the Notice

6. Complaints

If you believe your privacy rights have been violated, you may file a complaint with us or with the U.S. Department of Health and Human Services Office for Civil Rights.

You will not be penalized or retaliated against for filing a complaint.

To file a complaint with us:

  • Contact our Privacy Officer using the information below
  • Submit your complaint in writing
  • We will investigate and respond within 30 days

To file a complaint with HHS:

  • Visit: www.hhs.gov/hipaa/filing-a-complaint
  • Call: 1-877-696-6775
  • Mail: Office for Civil Rights, U.S. Department of Health and Human Services, 200 Independence Avenue S.W., Washington, D.C. 20201

7. Contact Information

Privacy Officer

MDS Genie Privacy Office
Email: privacy@mdsgenie.ai
Phone: 1-800-MDS-HIPAA (1-800-637-4472)
Address: MDS Genie Privacy Office
342 N Water St, Suite 600
Milwaukee, WI 53202

Hours: Monday - Friday, 9:00 AM - 5:00 PM CT

8. Acknowledgment of Receipt

We will request that you sign an acknowledgment that you have received this Notice. If you decline to sign an acknowledgment, we will continue to provide treatment and services, and we will document your refusal to sign.

For Digital Acknowledgment: By using our Service and accepting our Terms of Service, you acknowledge that you have received and reviewed this HIPAA Notice of Privacy Practices. Your electronic acceptance constitutes your written acknowledgment as required by HIPAA regulations.
