THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION.
PLEASE REVIEW IT CAREFULLY.
We understand that information about your protected health information (“PHI”) is personal, and we are committed to protecting your privacy. This Notice of Privacy Practices describes our practices relating to the dispensing of medical cannabis at dispensary organizations in Illinois.
For purpose of this Notice, PHI is information about you that we obtain to provide our medical cannabis products to you and that can be used to identify you. It may include your name, contact information, identification numbers, and information about your physical and/or mental health and medical conditions, the provision of health care products to you and payment for these products.
Our Privacy Obligations
We are required to:
- Maintain the privacy of your PHI.
- Give you this Notice of our legal duties and privacy practices with respect to your PHI.
- Notify you if you are affected by a breach of unsecured PHI.
- Follow the terms of the Notice that is currently in effect.
HOW WE MAY USE AND DISCLOSE YOUR PHI WITHOUT YOUR WRITTEN AUTHORIZATION
- Treatment. We may use or disclose your PHI to dispense medical cannabis and provide product-related services. We may also use your information to recommend or describe alternative medical cannabis products or services. We may contact you to provide medical cannabis-related services, such as order and pickup reminders.
- Payment. We may use or disclose your PHI to obtain payment for our services.
- Health Care Operations. We may use or disclose your PHI for our health care operations, which include internal administration and planning and activities that improve the quality and cost effectiveness of the health care and products we provide.
- Communication with Individuals Involved in Your Care. We may share your PHI with persons you have designated as caregivers in accordance with Illinois requirements. We may also share your PHI with family members, other relatives, close friends, or other persons who are involved in your care if: 1) we obtain your agreement; 2) provide you with the opportunity to object and you do not object; or 3) we reasonably infer that you do not object to the disclosure.
- Public Health and Safety. We may share your PHI to help with public health and safety issues when we are required or permitted to do so, for example to prevent disease, report adverse reactions, report suspected abuse, neglect, domestic violence, or to prevent or reduce a threat to anyone’s health or safety.
- Health Oversight Activities. We may share your PHI with a health oversight agency for audits, investigations, inspections and licensure activities.
- Lawsuits, Disputes and Administrative Proceedings. We may disclose your PHI in response to a court or administrative order, a subpoena, a warrant, a discovery request or other lawful due process.
- Law Enforcement. We may disclose your PHI for law enforcement purposes as authorized or required by law or in compliance with a court order.
- Required by Law. We will disclose your PHI where required by any applicable federal, state, or local law.
- Workers’ Compensation. We may disclose your PHI to the extent authorized by and to the extent necessary to comply with laws relating to workers’ compensation or other similar programs that provide benefits for work-related injuries or illness.
- Research. We may use and disclose your PHI for research purposes pursuant to a valid authorization from you or when an institutional review board or privacy board has waived the authorization requirement. Under certain circumstances, your PHI may be disclosed without your authorization to researchers preparing to conduct a research project, for research or decedents or as part of a data set that omits your name and other information that can directly identify you.
- Organ and Tissue Donation. We may share your PHI with organ procurement organizations.
- Coroners and Medical Examiners. We may release PHI to a coroner or medical examiner as authorized by law.
Other Uses and Disclosures of Your PHI in Accordance with Your Authorization
We will obtain your written authorization for the following uses and disclosures:
- Uses and disclosures for marketing purposes as defined by the United States Health Insurance Portability and Accountability Act of 1996 and related regulations (“HIPAA”).
- Disclosures of psychotherapy notes (to the extent we have any).
- Sales of your PHI to third parties (except in connection with the transfer of a business to another entity that is required to comply with HIPAA).
If you give us authorization, you may revoke it in writing at any time. However, your revocation will not affect any actions that we took in reliance on your authorization before it was revoked.
You have the following rights:
- Right to Request Restrictions. You may ask us not to use or disclose certain PHI. For example, you may ask us to not share information with certain individuals who are involved in your care or payment for care. Your request must be made in writing.
We are not required to agree to your request if it would affect your care or if we are legally required to share the information. However, we will agree to restrict disclosure for a health care item or service for which you have paid out-of-pocket in full and the disclosure is for the purpose of carrying out payment or health care operations, and not otherwise required by law.
- Right to Request Confidential Communications. You have the right to ask us to communicate with you about your PHI in a certain way or at a certain location. For example, you may request that we contact you only at a certain phone number or by mail. Your request must be made in writing. We will use our best efforts to accommodate all reasonable requests.
- Right to Inspect and Obtain a Copy. You may ask to inspect and/or obtain copies of your PHI. Your request must be made in writing. If you request copies, we may charge you a reasonable fee as permitted under HIPAA and Illinois law. We will inform you if we cannot fulfill your request, and you can ask us to reconsider the denial by contacting the Privacy Officer at the address below.
- Right to Request an Amendment. If you believe that any PHI in your records is incorrect or incomplete, you may submit a written request to correct the information. We may deny your request if you ask us to amend PHI that is accurate and complete, if we do not maintain the information, or in certain other circumstances.
- Right to an Accounting of Disclosures. You have the right to request an “accounting of disclosures,” which is a list of disclosures of your PHI that we have made to outside parties in the past six years. We will include all disclosures except for those that were necessary to carry out treatment, payment, and healthcare operations. Your request must be in writing. You may obtain one accounting of disclosures in any 12-month period for free; we may charge a reasonable fee for additional accountings of disclosures.
- Right to a Paper Copy of This Notice. You have the right to obtain a paper copy of this Notice upon request.
Changes to this Notice
We may change the terms of this Notice at any time and the changes will apply to all PHI we have about you. The new Notice will be available upon request, in medical dispensaries in Illinois, and on our website.
For More Information, to File a Complaint, and to Report a Breach of PHI
If you have questions and would like additional information, you may contact our Privacy Officer at the address below. You may also file a complaint in writing with the Privacy Officer if you believe that your privacy rights have been violated.
The Cannabist Company Holdings Inc.
Attn: Privacy Officer/Legal
321 Billerica Road, Suite 204
Chelmsford, MA 01824
In addition, you may file a complaint with the Illinois Department of Financial and Professional Regulation (IDFPR), at FPR@firstname.lastname@example.org.
If a breach occurs, you should contact IDFPR at FPR@email@example.com and the Illinois Department of Public Health (IDP) at DPH.firstname.lastname@example.org
Effective Date: July 30, 2021
Date last updated: September 26th, 2023