Statement of HIPAA

Table of Contents

1. HIPAA- Rule of Privacy 

2. Covered Entities

3. Data controllers and Data processors

4. Permitted Uses and Disclosures.

5. HIPAA – Rule of Security

6. What Information Is Protected?

7. How is this Information is Protected?

8. What Rights Does the Privacy Rule Give Me over My Health Information?

9. Contact Us

1. HIPAA – Rule of Privacy.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that required the creation of national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge. The US Department of Health and Human Services (HHS) issued the HIPAA Privacy Rule to implement the requirements of HIPAA. The HIPAA Security Rule protects a subset of information covered by the Privacy Rule. The Privacy Rule standards address the use and disclosure of individuals’ health information (known as protected health information or PHI) by entities subject to the Privacy Rule. These individuals and organizations are called “covered entities”.

2. Covered Entities.

The following types of individuals and organizations are subject to the Privacy Rule and considered covered entities:

Healthcare providers: Every healthcare provider, regardless of size of practice, who electronically transmits health information in connection with our Platform at Cruz Médika. 

These services include:

o Consultations

o Inquiries

o Referral authorization requests

o Other transactions for which we have established standards under the HIPAA Transactions Rule.

Health plans:

Health plans include:

o Health, and prescription drug insurers

o Health maintenance organizations (HMOs)

o Medicare, Medicaid, Medicare + Choice, and Medicare supplement insurers

o Long-term care insurers (excluding nursing home fixed-indemnity policies)

o Employer-sponsored group health plans

o Government- and church-sponsored health plans

o Multi-employer health plans


A group health plan with fewer than 50 participants that is administered solely by the employer that established and maintains the plan is not a covered entity.

• Healthcare clearinghouses: Entities that process nonstandard information they receive from another entity into a standard (i.e., standard format or data content), or vice versa. In most instances, healthcare clearinghouses will receive individually identifiable health information only when they are providing these processing services to a health plan or healthcare provider as a business associate.

• Business associates: A person or organization (other than a member of a covered entity’s workforce) using or disclosing individually identifiable health information to perform or provide functions, activities, or services for a covered entity. These functions, activities, or services include:

o Claims processing

o Data analysis

o Utilization review

o Billing

3. Data controllers and Data processors.

The new laws require both Data controllers (such as Cruz Médika) and Data processors (affiliated partners and health provider companies) to update their processes and technology to meet the specified requirements. We are the data controllers of user related data. The data controller is the person or organization who determines what data is extracted, what purpose it is used for and who is allowed to process the data. GDPR increases the responsibility we have to inform users and members about how their data is being used and by whom.

4. Permitted Uses and Disclosures.

The law permits, but does not require, a covered entity to use and disclose PHI, without an individual’s authorization, for the following purposes or situations:

• Disclosure to the individual (if the information is required for access or accounting of disclosures, the entity MUST disclose to the individual)

• Treatment, payment, and healthcare operations

• Opportunity to agree or object to the disclosure of PHI

o An entity can obtain informal permission by asking the individual outright, or by circumstances that clearly give the individual the opportunity to agree, acquiesce, or object

• Incident to an otherwise permitted use and disclosure

• Limited dataset for research, public health, or healthcare operations

• Public interest and benefit activities—The Privacy Rule permits use and disclosure of PHI, without an individual’s authorization or permission, for 12 national priority purposes: including:

a. When required by law

b. Public health activities

c. Victims of abuse or neglect or domestic violence

d. Health oversight activities

e. Judicial and administrative proceedings

f. Law enforcement

g. Functions (such as identification) concerning deceased persons

h. Cadaveric organ, eye, or tissue donation

i. Research, under certain conditions

j. To prevent or lessen a serious threat to health or safety

k. Essential government functions

l. Workers’ compensation

5. HIPAA – Rule of Security.

While the HIPAA Privacy Rule safeguards PHI, the Security Rule protects a subset of information covered by the Privacy Rule. This subset is all individually identifiable health information a covered entity creates, receives, maintains, or transmits in electronic form. This information is called electronic protected health information, or e-PHI. The Security Rule does not apply to PHI transmitted orally or in writing.

To comply with the HIPAA – Rule of Security, all covered entities must:

• Ensure the confidentiality, integrity, and availability of all e-PHI

• Detect and safeguard against anticipated threats to the security of the information

• Protect against anticipated impermissible uses or disclosures that are not allowed by the rule

• Certify compliance by their workforce

Covered entities should rely on professional ethics and best judgment when considering requests for these permissive uses and disclosures. The HHS Office for Civil Rights enforces HIPAA rules, and all complaints should be reported to that office. HIPAA violations may result in civil monetary or criminal penalties.

6. What Information Is Protected?.

We protect personal information provided in relation to our service provision such as:

• Information your doctors, nurses, and other health care providers put in your medical record

• Conversations your doctor has about your care or treatment with nurses and others

• Information about you in your health insurer’s computer system

• Billing information about you at your clinic

• Most other health information about you held by those who must follow these laws

7. How is this Information Protected?.

Below are measure put in place to protect every user data

• Covered entities must put in place safeguards to protect your health information and ensure they do not use or disclose your health information improperly.

• Covered entities must reasonably limit uses and disclosures to the minimum necessary to accomplish their intended purpose.

• Covered entities must have procedures in place to limit who can view and access your health information as well as implement training programs for employees about how to protect your health information.

• Business associates also must put in place safeguards to protect your health information and ensure they do not use or disclose your health information improperly.

8. What Rights Does the Privacy Rule Give Me over My Health Information?

Health insurers and providers who are covered entities agree to comply with your right to: 

• Request to see and get a copy of your health records

• Right to request corrections to your health information

• Right to be notified on how your health information may be used and shared

• Right to decide if you want to give your permission before your health information can be used or shared for certain purposes, such as for marketing

• Right to request that a covered entity restrict how your health information is used or disclosed.

• Get a report on when and why your health information was shared for certain purposes

• If you believe your rights are being denied or your health information isn’t being protected, you can

o File a complaint with your provider or health insurer

o File a complaint with HHS

You should get to know these important rights, which help you protect your health information.

You can ask your provider or health insurer questions about your right.

9. Contact Us.

To send us your questions, comments, or complaints or receiving communications from us kindly email us using 

(Effective January 1th, 2023)