Notice of Privacy Practices

THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION.  PLEASE REVIEW CAREFULLY.

Boston Heart Diagnostics Corporation (“Boston Heart”) is committed to protecting the privacy of your identifiable health information.  This information is known as “protected health information” or “PHI”.  PHI includes laboratory test orders and test results as well as invoices for the healthcare services that we provide.

Our Responsibilities


Boston Heart is required by law to maintain the privacy of your PHI. We are also required to provide you with this Notice of our legal duties and privacy practices. It describes our legal duties, privacy practices and your patient rights as determined by the Health Insurance Portability and Accountability Act of 1996 (HIPAA). We are required to follow the terms of this Notice currently in effect. We are required to notify affected individuals in the event of a breach involving unsecured PHI. HIPAA requires us to safeguard your PHI regardless of the form in which we receive it (e.g., oral, written, or recorded in other media). PHI is stored electronically and is subject to electronic disclosure.

We reserve the right to amend the terms of this Notice to reflect changes in our privacy practices, and to make the new terms and practices applicable to all PHI that we maintain about you, including PHI created or received prior to the effective date of the Notice revision. Our Notice is displayed on our website and a copy is available upon request.

How We May Use or Disclose Your PHI


Not every use or disclosure is listed in this Notice, but all of our uses or disclosures of your PHI will fall into one of the categories listed below.

Uses and Disclosures We May Make Without Your Authorization

We may use and disclose your health information for the following purposes without your authorization:

Treatment

We may use or disclose your PHI for treatment purposes, including for laboratory testing and exchanging PHI with physicians and other healthcare professionals for such testing and care coordination. Examples of treatment related purposes include disclosure to an ordering physician or to a pathologist to help interpret your test results. If you participate in our Lifestyle Program, we may use and disclose PHI to provide counseling and other services covered by the program. Lifestyle Program participants may also provide PHI about themselves in the course of counseling or by completing voluntary online surveys about their diet and lifestyle. That information, as well as any PHI created by a Lifestyle Coach, such as progress notes, may be disclosed to the individual’s healthcare provider.

Payment

Boston Heart will use and disclose your PHI for purposes of billing and payment. For example, we may disclose your PHI to health plans or other payers to determine whether you are enrolled with the payer or eligible for health benefits or to obtain payment for our services. If you are insured under another person’s health insurance policy (for example, parent, spouse, domestic partner or a former spouse), we may also send invoices to the subscriber whose policy covers your health services.

Healthcare Operations

Boston Heart may use and disclose your PHI for activities necessary to support our healthcare operations, such as performing quality checks on our testing, internal audits, arranging for legal services or developing reference ranges for our tests. We may make incidental disclosures of limited PHI as permitted by law.

Business Associates

We may provide your PHI to other companies or individuals that need the information to provide services to us. These other entities, known as “business associates,” are required to maintain the privacy and security of PHI. For example, we may provide information to companies that assist us with billing for our services or to an outside collection agency to obtain payment.

As Required by Law

We may use and disclose your PHI as required by law. For example, we may disclose PHI about you to the U.S. Department of Health and Human Services if it requests such information to determine that we are complying with HIPAA.

Law Enforcement Activities

We may disclose PHI to law enforcement to report certain injuries, comply with court orders or warrants or similar process, to identify a suspect, fugitive, missing person or victim or to report a crime.

Legal and Administrative Proceedings

We may disclose your PHI as required to comply with a court or administrative order. We may disclose your PHI in response to a subpoena, discovery request or other legal process in the course of a judicial or administrative proceeding, but only if efforts have been made to tell you about the request or to obtain an order of protection for the requested information. If we receive records from substance use disorder treatment programs subject to federal privacy restrictions found at 42 CFR Part 2, such records or testimony about their content cannot be used or disclosed in civil, criminal, administrative, or legislative proceedings against the individual unless based on written consent or we receive a court order entered after notice and an opportunity to be heard is provided to the individual or us, as provided by 42 CFR Part 2. A court order authorizing use or disclosure must be accompanied by a subpoena or other legal requirement compelling disclosure before the requested substance use disorder record is used or disclosed.

Research

We may disclose PHI for research purposes when an Institutional Review Board or privacy board has reviewed the research proposal and established protocols to ensure the privacy of your PHI and determined that the researcher does not need to obtain your authorization prior to using your PHI for research purposes. We may also disclose information about decedents to researchers under certain circumstances.

Other Uses and Disclosures

As permitted by HIPAA, we may disclose your PHI:

  • to a public health authority that is authorized by law to collect or receive such information including preventing or controlling disease, reporting deaths, reporting adverse effects of medications or problems with products, notification of communicable disease, and reporting abuse or neglect under certain circumstances
  • to a family member, friend, or anyone else involved in your care or payment related to your care unless you object or if, in our professional judgment, the disclosure is in your best interest when you are not present or cannot agree or object because you are incapacitated and to those assisting in disaster relief efforts in an emergency
  • to a health oversight agency for oversight activities authorized by law, including audits and inspections, and civil, administrative or criminal investigations, proceedings or actions
  • to avert a serious threat to health or safety, so long as the disclosure is only to a person who is reasonably able to prevent or lessen such threat
  • in a limited data set after removing most information that identifies you from a set of data for research, public health and health care operations, provided the recipients of the data set agree to keep it confidential or after de-identifying your PHI consistent with HIPAA for purposes permitted by law, including selling the de-identified information
  • for military and veterans activities, correctional institutions and national security and intelligence activities consistent with applicable law
  • to organ procurement organizations or similar entities for the purpose of facilitating organ, eye or tissue donation and transplantation
  • to a coroner, funeral director or medical examiner to carry out their duties
  • if we participate in Health Information Exchanges (HIEs), we may electronically share your PHI for treatment, payment, healthcare operations and other permitted purposes with other participants in the HIE
  • to the extent necessary to comply with laws relating to workers’ compensation and work-related injuries

Note Regarding Other Laws

For all the above purposes, when state or federal law (including the substance use disorder requirements at 42 CFR Part 2) is more restrictive than HIPAA, we are required to follow the more restrictive applicable law.

Uses and Disclosures with Your Authorization

We need your written authorization to use or disclose your health information for any purpose not covered by one of the categories above. Subject to compliance with limited exceptions, we will not use or disclose your PHI for marketing purposes or sell your PHI, unless you have signed an authorization. You may revoke any authorization you sign at any time. If you revoke your authorization, we will no longer use or disclose your health information for the reasons stated in your authorization except to the extent we have already taken action based on your authorization.

You have the rights listed below. If you have given another individual a medical power of attorney, if another individual is appointed as your legal guardian or if another individual is authorized by law to make health care decisions for you (known as a “personal representative”), that individual may exercise any of these rights for you.

Access PHI

You have the right to access your PHI that we maintain or to request that we send a copy of your PHI to another person designated by you in writing. You may receive your test results online by visiting our website at www.mybostonheart.com. If you are unable to access your results online or want to receive PHI in another manner, you may also call the Boston Heart Customer Care Team at (877) 425-1252. If your request for test information is denied, you may request that the denial be reviewed.

Amend PHI

You may request amendments to your PHI by making a written request. However, we may deny the request in some cases (such as if we determine the PHI is accurate). If we deny your request to change your PHI, we will provide you with a written explanation of the reason for denial and additional information regarding further actions that you may take.

Accounting of Disclosures

You have the right to receive a list of certain disclosures of your PHI made by us in the past six years from the date of your written request. Under the law, this does not include disclosures made pursuant to an authorization you signed or certain other purposes.

Request Restrictions

You may request that we agree to restrictions on certain uses and disclosures of your PHI. We are not required to agree to your request, except for requests that limit disclosures to your health plan for purposes of payment or healthcare operations when you have paid us for the item or service covered by the request out-of-pocket and in full and when the uses or disclosures are not required by law.

Request Confidential Communications

You have the right to request that we send your PHI by alternative means or to an alternative address and we will accommodate reasonable requests.

Copy of this Notice

You have the right to obtain a paper copy of this Notice upon request even if you have received it electronically.

How to Exercise Your Rights

You may write or send an email to us with your specific request. Boston Heart will consider your request and provide you a response.

Complaints/Questions

If you believe your privacy rights have been violated, you have the right to file a complaint with us. You also have the right to file a complaint with the Secretary of the U.S. Department of Health and Human Services, Office for Civil Rights. We will not retaliate against any individual for filing a complaint. To file a complaint with us, or should you have any questions about this Notice, send an email to us at compliance@bostonheart.eurofinsus.com or write to us at the following address:

Boston Heart Diagnostics
Attn:  Privacy Officer
200 Crossing Boulevard, Suite 100
Framingham, MA 01702

You may also contact the Privacy Officer at 256.836.7366.

Effective Date

This Notice is effective February 16, 2026.