HIPAA Notice of Privacy Practices

Last Updated: September 28, 2023

THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.

This Notice describes the privacy practices of Myriad Genetics Laboratories, Inc. (“MGL”), Assurex Health, Inc. (“Assurex”) and Myriad Women’s Health, Inc. (“MWH”) that are covered by the Health Insurance Portability and Accountability Act (“HIPAA”). These companies are subsidiaries of Myriad Genetics, Inc., and are each Covered Entities under HIPAA. These companies have designated themselves as members of an Affiliated Covered Entity, which is a group of HIPAA Covered Entities under common control that can designate themselves as a single entity for purposes of HIPAA compliance. References to “we” or “Myriad” in this Notice refer to the Affiliated Covered Entity. References to “you” or “your” in this Notice refer to you, our patient.

We offer genetic tests for cancer risk assessment and management (MGL), mental health (Assurex) and prenatal care (MWH) under the following brands: BRACAnalysis CDx®, EndoPredict®, Foresight®, GeneSight®, MyChoice® CDx, MyRisk®, Prequel®, Precise Tumor and Prolaris®. This Notice does not apply to services that other affiliated companies may offer, such as our subsidiary Gateway Genomics, LLC (“Gateway”), which is not a HIPAA Covered Entity. Gateway offers DNA-based prenatal and pediatric tests under the brand SneakPeek®.

What is Protected Health Information?

Protected Health Information, or PHI, is information about you that may identify you and relates to your physical or mental health or condition, the provision of healthcare services to you, and/or payment for those services. Examples of PHI include your name, home address, date of birth, email, phone number, insurance identification number, medical history, and laboratory test results.

We receive PHI about you from healthcare providers who order our laboratory tests for you, and we create PHI when we provide and bill for our laboratory testing and other services. We retain your PHI as part of your medical record to continue to provide our services and to comply with legal requirements.

Our Responsibilities

HIPAA requires us to protect the privacy of your PHI and to notify you of any breach of your unsecured PHI.

HIPAA also requires us to provide this Notice to you to describe our privacy practices, including:

  • our legal duties with respect to your PHI,
  • how we use and disclose your PHI,
  • your rights with respect to your PHI,
  • how you may exercise your rights, and
  • how you may file a complaint if you feel we have violated your rights.

This Notice only describes our privacy practices in the United States under HIPAA, which is a federal law. Many states also have privacy laws and, when applicable, we will follow any state law that is more protective of your medical or genetic information or that provides you with greater rights.

When we use or disclose your PHI, we are required to follow the terms of this Notice. We will not use or disclose your PHI without your permission, except as described in this Notice. We reserve the right to change our privacy practices and this Notice at any time and to make the new Notice effective for any of your PHI we already have. If we change this Notice, we will publish a revised Notice on our website.

Uses or Disclosures of your PHI

Except where prohibited by laws that require special privacy protections, we may use or disclose your PHI for certain purposes without your authorization. The primary purposes for which we use and disclose your PHI without your authorization are for your treatment, for billing and collecting payment for that treatment, and for administrative and management reasons necessary to run our companies, called healthcare operations.

We may also use or disclose your PHI in certain specific circumstances that may or may not apply to you. In some of those circumstances your authorization is not required for us to use or disclose your PHI. In other circumstances, however, we are required to obtain your authorization before using or disclosing your PHI. To help you understand these circumstances, we have provided examples of permissible uses and disclosures below, but please be aware that we have not described every permissible use or disclosure.

Uses or Disclosures Without your Authorization

Treatment. We perform laboratory tests ordered by authorized healthcare providers, and we use and disclose PHI when we process the test orders, perform the tests, and provide the test results to the ordering providers or to other providers involved in your care. Additional examples of uses and disclosures for treatment are coordination and consultation with you and your providers about our testing services, sending appointment reminders, or sending kits to collect your specimen for testing.

Payment. We may use and disclose your protected health information to bill and obtain payment from health plans or other entities for the services we provide to you. For example, we may contact your health plan to verify coverage for the services we are providing, to get prior approval for those services when required, or to generate a claim for the services provided to obtain payment.

Healthcare Operations. We may use and disclose your PHI to support our healthcare operations, which are administrative and management activities necessary for us to run our business. Healthcare operations include activities such as monitoring and improving the quality of our testing, evaluating outcomes, developing assays and protocols, training, and customer service. We may also disclose your PHI to other HIPAA Covered Entities who are or have been involved in your care for certain of their activities, such as care coordination or quality assessment.

Communications with you about our Products and Services. We may use or disclose your PHI to communicate with you, including by email or text message, about health-related products and services we offer that may be of interest to you. For example, we may send messages about treatment alternatives or options.

Business Associates. We may disclose your PHI to Myriad affiliates or third parties outside of the Myriad family that need the PHI to perform services for us. These affiliates or third parties are called “business associates,” and they are required by contract and by law to maintain the privacy and security of your PHI. For example, we may disclose PHI to our business associates that handle collections on unpaid accounts, copying services, or cloud storage on our behalf.

Personal Representatives. We may disclose your PHI to persons authorized by law to make healthcare decisions for you, including to parents or guardians of minors. Upon your death, we may disclose PHI to those authorized by law to act on behalf of your estate.

Persons Involved in your Care or Payment for your Care, Including Disaster Relief. We may disclose your PHI to people, such as family members, relatives, or friends who are involved in your care or payment for your care. If you are available, we will ask you to agree or object to these disclosures. If you are not present or otherwise unable to agree or object, we will use our judgment to make a disclosure in your best interests. In either case, we will limit our disclosures to those directly relevant to such person’s involvement in your care or payment for your care. We may also disclose your PHI to entities authorized to assist in disaster relief, so that family or friends can be notified about your location, general condition, or death in specific situations.

Upon your death, we may disclose your PHI to people who were involved with your care or payment for your care before your death. We will limit disclosures to those directly relevant to their involvement with your care or payment for your care before your death, unless doing so would be inconsistent with any of your prior expressed preferences of which we are aware.

Create De-identified Information and Limited Data Sets. We may de-identify your PHI, which means that we remove information that can reasonably be used to identify you. There are specific legal rules governing what type of information needs to be removed before information is considered de-identified. Once information has been de-identified in the method required by law, it is no longer subject to this Notice, and we may use or disclose it for any lawful purpose without further notice or compensation to you.

We may use de-identified data to improve our healthcare services and to contribute to internal and external healthcare research and discoveries. For example, we may use de-identified data to:

  • develop and improve our genetic tests,
  • contribute to our variant classification program,
  • alone, or in collaboration with others, conduct clinical research or studies, the results of which may be published in peer-reviewed journals, or
  • make contributions to our internal de-identified registry or publicly available databases maintained by entities such as the National Center for Biotechnology Information (NCBI), or ClinVar.

We may also create a limited data set, which is PHI with direct identifiers, such as your name and date of birth, removed. There are specific legal rules governing what type of information needs to be removed before information is considered to be a limited data set. We may use and disclose limited data sets only for purposes of research, healthcare operations and public health activities, and only after we enter into an agreement called a data use agreement with the recipient of the limited data set, which includes safeguards required by law.

Research. We may use and disclose PHI for research. Your written authorization is generally required before we may use or disclose your PHI to others to conduct research. However, we may use or disclose your PHI for research without your authorization if we or the party we share the PHI with is conducting research that has been approved by an Institutional Review Board or Privacy Board that has reviewed the research proposal, established protocols to protect your privacy, and determined that your specific authorization is not required.

We may provide access to PHI in our possession to help others design (but not carry out) research projects and identify, and in some cases contact, individuals for potential participation in research studies or other activities preparatory to research, provided the PHI does not leave our possession.

We may use and disclose your PHI for research when it is de-identified, or when we have entered into a data use agreement with the recipient of the information and the information is in the form of a limited data set, which means that the information does not directly identify you.

Finally, under certain conditions, we may use or disclose PHI of deceased persons for research purposes.

Required by Law. We may use or disclose your PHI if and to the extent required by law.

Law Enforcement and Legal Proceedings. We may use or disclose your PHI if certain conditions are met for a variety of legal processes or proceedings. For example, we may disclose your PHI to law enforcement officials in response to a warrant, investigative demand or similar legal process, or to officials to help them identify or locate a victim, suspect, fugitive, material witness, or missing person. We may disclose your PHI as required to comply with an enforceable court or administrative order. We may also disclose your PHI in response to a valid subpoena, summons, discovery request, or other lawful process, but only if we or the requesting party have made efforts to tell you about the request or to obtain an order protecting the PHI requested.

Specialized Government Functions. Under certain circumstances we may disclose your PHI to government agencies, such as military command authorities, national security and intelligence organizations, protective services, or correctional institutions.

Public Health Activities and Threats to Health and Safety. We may use and disclose your PHI if necessary to prevent or lessen a serious threat to your health or safety or that of another person. We may disclose your PHI to public health or legal authorities who are charged with preventing or controlling disease, injury, or disability, receiving reports of child abuse and neglect, and to individuals who may have been exposed to communicable diseases.

Health Oversight Activities. We may disclose your PHI to agencies for activities authorized by law, including audits, investigations, inspections, licensure or disciplinary actions, or other activities necessary for oversight of the healthcare system, government programs, or compliance with civil rights laws.

The Food and Drug Administration (FDA). We may disclose your PHI to the FDA, or persons under the jurisdiction of the FDA, when the PHI relates to adverse events associated with drugs, foods, supplements, products and product defects, or post-marketing surveillance information to enable product recalls, repairs, or replacement.

Employers. We may disclose PHI to your employer, but only if we are providing healthcare to you at your employer’s request as a result of workplace illness or injury or medical surveillance in the workplace.

Schools. We may disclose your PHI regarding immunizations to schools with appropriate permissions.

Organ, Eye or Tissue Donations. We may disclose your PHI to organ procurement organizations or other entities engaged in the procurement, banking, or transplantation of organs, eyes, or tissues.

Coroners, Medical Examiners and Funeral Directors. We may release your PHI to a coroner, medical examiner, or funeral director consistent with applicable law to enable them to perform their duties.

Workers’ Compensation. We may disclose PHI to the extent authorized by workers’ compensation or similar laws that provide benefits for work-related injury or illness.

U.S. Department of Health and Human Services, Office for Civil Rights (HHS). We are required to disclose your PHI to the Secretary of HHS in certain circumstances when they investigate our compliance with HIPAA.

Incidental Uses and Disclosures. We may incidentally use or disclose your PHI in the course of our primary uses and disclosures, such as for treatment, payment, or healthcare operations. We are permitted to make such incidental uses and disclosures, as long as we take reasonable steps to minimize them and have in place reasonable safeguards.

Uses and Disclosures with Your Authorization

We will obtain your written authorization before using or disclosing your PHI for purposes other than those described above, including disclosures of PHI to third parties for their marketing purposes, disclosures of psychotherapy notes, or disclosures that would constitute a sale of PHI under HIPAA.

If you do provide authorization for the disclosure of your PHI, you may revoke it at any time, in writing, as directed in the authorization document. Upon receipt of the written revocation, we will stop the use or disclosure you had authorized, except to the extent we or our business associates have already acted in reliance on the authorization.

Your Rights Regarding your PHI and How You May Exercise Them

You, or an individual with authority to act on your behalf, have the following rights with respect to your PHI. Please make all requests to exercise your individual rights in writing and direct them to the Privacy Office, using the Privacy Office contact information in this Notice. For more efficient processing, access requests may also be made as set forth in the Access section, below.

Access. You have the right to inspect or obtain a copy of your PHI that we hold about you that we may use to make decisions about your healthcare or payment for your healthcare. You can also ask us to send copies of your PHI to a third party. We call this your right of “access.” We will provide the PHI in the form or format you requested if we can, and if we cannot, we will seek your agreement to send it in a different form or format. We reserve the right to charge a reasonable cost-based fee. In certain situations, we may deny your request. If we do, we will tell you why, and in some cases, you will have the right to ask for a review of our denial.

Access requests for any of our tests must be submitted to us in writing, which can be done using Myriad’s record request form.

Alternatively, you may call or email our Customer Support teams, and they will provide you with a form. The number/email to call will vary based on the test we have performed for you.

If we performed a GeneSight® test, please call 866-757-9204 or send an email to [email protected] or [email protected].

If we performed a women’s health, oncology or urology test please call 888-268-6795 or send an email to [email protected].

Restrictions. You have the right to request restrictions on our use and disclosure of your PHI for purposes of treatment, payment, or healthcare operations. You also have the right to request that we limit the PHI we disclose to someone involved in your care, or payment for your care, like a family member or friend. We are not required to agree to your request, unless your request is to limit disclosures to your health plan for purposes of payment or healthcare operations and you, or someone other than your health plan, has paid us in full for the out-of-pocket price of the item or service covered by the request. If we agree to your restriction, we will comply with your request unless the information is needed to provide you with emergency treatment, the disclosure is required by law, or the disclosure is one we are permitted or required to make without your authorization, as outlined above.

Confidential Communications. You have the right to request to receive communications from us involving your PHI in specific ways or at specific locations. For example, you can ask that we only contact you by mail or at a specific address. When you make this request in writing to our Privacy Office, please be sure to tell us how and where you would like us to contact you and, when appropriate, how payment will be made. We will not require an explanation and will accommodate reasonable requests if we are able.

Amendments. If you feel that the PHI we have about you is incomplete or incorrect, you may request that we amend it. When you submit your written request to the Privacy Office, you must include the reasons for your request. If we accept your request, we will add the amendment to our existing records. We may deny your request for certain reasons, such as, for example, if we did not create the information or we believe the information we have is accurate and complete. If we deny your request, we will tell you why, and if appropriate, provide information about your additional rights.

Accounting of Disclosures. You have a right to receive a list, called an accounting, of our disclosures of your PHI for a period of up to six years from the date of your request. This list will not include all disclosures of PHI, such as those made for treatment, payment, healthcare operations, or disclosures made based on your authorization.

Copy of this Notice:

You may print or download a copy of this Notice from our website or obtain a paper copy of the Notice upon request.

Complaints:

If you believe that we have violated your privacy rights, you have the right to file a complaint with our Privacy Office. You may also file a complaint with the Secretary of the U.S. Department of Health and Human Services, Office for Civil Rights (“HHS”). We will provide you with the address to file a complaint with HHS upon your request. We will not retaliate against you if you file a complaint with us or with HHS.

How to Contact the Privacy Office:

If you have questions about this Notice, want to exercise your individual rights or would like to file a complaint with us about our privacy practices, you can write to us at the following address:
Myriad Genetics, Inc.
322 North 2200 West
Salt Lake City, Utah 84116
ATTN: Myriad Privacy Office

You may also call us at (866) 485-1599 or send us an email at [email protected]

Note: Please limit the sensitive information you share with us if you choose to communicate by regular email. Regular email may not be secure, as there is some risk that PHI in the email can be viewed or accessed by unauthorized parties. If you choose to communicate by regular email, you acknowledge and agree to assume the risk.