Notice of Privacy Practices

THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
EFFECTIVE DATE OF NOTICE: April 1, 2013

This Notice describes the privacy practices of Invitae, its employees and other personnel ("Invitae," "we" or "us").

I. Our responsibility

Invitae and the members of its workforce are committed to protecting the privacy and confidentiality of your personal information, genetic information, and laboratory test results.

Invitae is required by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to keep your personal health information ("Protected Health Information") confidential. This Notice that describes our legal duties, privacy practices, and explains your patient privacy rights. When we use or disclose your Protected Health Information, we are required to abide by the terms of this Notice.

II. What is protected health information

Protected Health Information is your demographic information, medical history, laboratory results, insurance information and other health information that is collected, generated, used, and communicated by Invitae to produce genetic testing results and bill for our testing services. Examples of Protected Health Information include your name, date of birth, medical record number, social security number, insurance beneficiary number, and genetic information.

III. How we use and disclose your health information

Your Protected Health Information may be used and disclosed for treatment, payment, healthcare operations and other purposes permitted or required by law. Invitae may use and disclose your Protected Health Information for the following purposes:

Treatment

We may use or disclose your Protected Health Information for treatment purposes. For example, we may use your Protected Health Information to perform our testing services and disclose your genetic testing results to your physician and other healthcare providers involved in your care.

Payment

We may use or disclose your Protected Health Information to obtain payment for healthcare services we provide. For example, we may use and disclose your information to send a bill to your insurance company or health plan to receive payment for the services provided to you.

Healthcare Operations

We may use and disclose your Protected Health Information for our healthcare operations. For example, we may use your Protected Health Information to monitor the quality of our testing services and review the competence and qualifications of our laboratory professionals.

Persons Involved in Your Care or Payment for Your Care

We may disclose your Protected Health Information to person involved in your care or payment for your care, such as a family member, relative, or close friend, unless you object or ask us not to.

Personal Representatives

We may disclose Protected Health Information about you to your authorized personal representative, such as a lawyer, administrator, executor or other authorized person responsible you or your estate.

Minors' Protected Health Information

We may disclose Protected Health Information about minors to their parents or legal guardians.

Communications About Products and Services

We may use and disclose your Protected Health Information to contact you about other Invitae products and services which we believe may be of interest to you. Any use, disclosure, or sale of Protected Health Information to third parties for marketing purposes requires your written authorization.

Disclosures to Business Associates

We may disclose your Protected Health Information to other companies or individuals, known as "Business Associates," who provide services to us. For example, we may use a company to perform billing services on our behalf. Our Business Associates are required to protect the privacy and security of your Protected Health Information and notify us of any improper disclosure of information.

As Required by Law

We must disclose your Protected Health Information when required to do so by any applicable federal, state or local law.

Public Health Activities

We may disclose your Protected Health Information for public health-related activities. Examples include: reporting diseases to authorized public health authorities; public health investigations; or notifying a manufacturer of a product regulated by the U.S. Food and Drug Administration of a possible problem encountered when using the product in our testing process.

Health Oversight Activities

We may disclose your Protected Health Information to a healthcare oversight agency for activities that are authorized by law, such as audits, investigations, inspections and licensure activities. For example, we may disclose your Protected Health Information to agencies responsible for ensuring compliance with the rules of government health programs such as Medicare or Medicaid.

Research

Under certain circumstances, we may use or disclose your Protected Health Information for research purposes. All research projects at Invitae are subject to review by a committee responsible for ensuring the protection of individual research subjects, appropriate patient authorization, and an adequate plan to safeguard Protect Health Information. In preparation for research, we may review limited Protected Health Information to draft research protocols, to identify prospective research participants, or for similar purposes provided the information is not removed from our premises.

Organ or Tissue Procurement

We may disclose Protected Health Information to organ procurement organizations or related entities for the purpose of facilitating organ or tissue donation and transplantation.

Coroners, Medical Examiners, and Funeral Directors

We may disclose Protected Health Information to coroners, medical examiners, or funeral directors to identify a deceased patient, to determine cause of death, or other duty authorized by law.

Judicial and Administrative Proceedings

Under certain circumstances, we may disclose your Protected Health Information in the course of a judicial or administrative proceeding in response to a court order, subpoena or other lawful process.

Law Enforcement

We may disclose your Protected Health Information to the police or other law enforcement officials as required by law or in compliance with a court order, warrant, subpoena, summons, or other legal process for locating a suspect, fugitive, witness, missing person, or victim of a crime

Threats to Health or Safety

We may disclose Protected Health Information to prevent or reduce the risk of a serious and imminent threat to the health or safety of an individual or the general public.

Victims of Abuse, Neglect, or Violence

If required or authorized by law, we may disclose Protected Health Information to a government agency, such as social services or a protective services agency, if we reasonably believe that an individual adult or child is the victim of abuse, neglect, or domestic violence.

Specialized Government Functions

Under certain circumstances, we may disclose your Protected Health Information to units of the government with special functions, such as the U.S. Military or the U.S. Department of State.

Workers Compensation Programs

We may disclose your Protected Health Information as necessary to comply with requirements of workers' compensation or similar programs that provide benefits for work-related injuries or illness.

All Other Uses and Disclosures of Protected Health Information

We will ask for your written authorization before using or disclosing your Protected Health Information for any purpose not described above. You may revoke your authorization, in writing, at any time, except for disclosures that the company has already acted upon.



 

IV. Your rights regarding your medical information

You have the following rights with respect to your Protected Health Information. To exercise any of these rights, please contact our Privacy Office using the contact information provided at the end of this Notice.

Access to Protected Health Information

You, or your authorized or designated personal representative, have the right to inspect and copy the Protected Health Information maintained by us. We may deny access to certain information for specific reasons, for example, where Federal and state laws regulating laboratories prohibit us from disclosing genetic testing results directly to a patient.

Restrictions on Uses and Disclosures

You have the right to request restrictions on our use and disclosure of your Protected Health Information. While we will consider all requests for additional restrictions carefully, we are not required to agree to a requested restriction except for Payment or Operations restrictions where payment has been made "out-of-pocket" and paid-in-full. If we do agree to a requested restriction, we will notify you in writing.

Confidential Communications

You have the right to request that we communicate with you about your Protected Health Information by alternative means or to an alternative address. Your request must be in writing and must specify the alternative means or location. We will accommodate reasonable requests for confidential communications.

Correct or Update Information

If you believe the Protected Health Information we maintain about you contains an error, you may request that we correct or update your information. Your request must be in writing and must explain why the information should be corrected or updated. We may deny your request under certain circumstances and provide a written explanation.

Accounting of Disclosures

You may request a list, or accounting, of certain disclosures of your Protected Health Information made by us or our business associates for purposes other than treatment, payment, healthcare operations and certain other activities. The request must be in writing and the list will include disclosures made within the prior six years.

Copy of Notice

Upon request, you may obtain a paper or electronic copy of this Notice.



 

V. Information breach notification

We are required to notify you following the discovery a breach of unsecured Protected Health Information, unless there is a demonstration, based on a risk assessment, that there is a "low probability" that the Protected Health Information has been compromised. You will be notified in a timely fashion, no later than 60 days after discovery of the breach.

VI. Questions and complaints

If you have questions or concerns about our privacy practices or would like a more detailed explanation about your privacy rights, please contact our Privacy Office using the contact information below.

If you believe that we may have violated your privacy rights, you may submit a complaint to our Privacy Office. You also may submit a written complaint to the U.S. Department of Health and Human Services. We will provide you with the address to file your complaint with the U.S. Department of Health and Human Services upon request.

Invitae will not take retaliatory action against you and you will not be penalized in any way if you choose to file a complaint with us or with the U.S. Department of Health and Human Services.

VII. Changes to our notice of privacy practices

We reserve the right to change our privacy practices and the terms of this Notice at any time, provided such changes are permitted by applicable law.

We will promptly post any changes to this Notice on our website at www.invitae.com. Please review this website periodically to ensure that you are aware of any updates.

VIII. Contact information

When communicating with us regarding this Notice, our privacy practices, or your privacy rights, please contact the Privacy Office using the following contact information:

Invitae Corporation
Attention: Privacy Officer
458 Brannan Street
San Francisco, CA 94107
privacy@invitae.com