HIPAA Compliance Notice

Effective Date: March 1, 2026

Our Commitment to HIPAA Compliance

Legent Health is committed to maintaining the privacy and security of Protected Health Information (PHI) in full compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), its implementing regulations, and all applicable amendments. Our referral portal facilitates the secure exchange of patient information between referring healthcare providers and receiving specialists, and we recognize the critical importance of safeguarding that information at every stage of the referral process.

This notice describes how medical information about patients may be used and disclosed through the Legent Health referral portal, and how healthcare providers using this platform can ensure compliance with applicable privacy regulations.

Protected Health Information (PHI)

Protected Health Information refers to any individually identifiable health information that is created, received, maintained, or transmitted through the Legent Health referral portal. This includes, but is not limited to:

  • Patient names, dates of birth, and contact information
  • Medical record numbers and account identifiers
  • Clinical information submitted as part of a referral, including diagnoses, treatment histories, and clinical notes
  • Insurance and billing information associated with referrals
  • Any other information that could reasonably be used to identify a patient in connection with their health data

How PHI Is Used and Disclosed

Legent Health uses and discloses PHI transmitted through the referral portal only for the following permitted purposes:

  • Treatment: Facilitating referrals between healthcare providers to ensure continuity of patient care, including sharing relevant clinical information with receiving physicians and specialists.
  • Payment: Supporting billing and claims processes related to referred services, including verification of insurance eligibility and coordination of benefits.
  • Healthcare Operations: Conducting quality assessments, referral tracking, care coordination, and operational improvements to the referral process.
  • As Required by Law: Disclosing PHI when required by federal, state, or local law, including compliance with court orders, subpoenas, or public health reporting requirements.

Legent Health does not sell PHI, use PHI for marketing purposes, or disclose PHI for any purpose not expressly permitted under HIPAA without obtaining valid written authorization from the patient or their authorized representative.

Administrative, Technical, and Physical Safeguards

Legent Health has implemented comprehensive safeguards to protect the confidentiality, integrity, and availability of PHI processed through our referral portal:

  • Administrative Safeguards: Designated privacy and security officers, workforce training programs, documented policies and procedures, risk assessments conducted on a regular basis, and sanctions for policy violations.
  • Technical Safeguards: Encryption of data in transit and at rest, unique user authentication credentials, role-based access controls, automatic session timeouts, audit logging of all access to PHI, and secure backup and recovery procedures.
  • Physical Safeguards: Secure hosting infrastructure with restricted physical access, environmental controls, and facility access management for any on-premises components of our systems.

Business Associate Agreements

Legent Health enters into Business Associate Agreements (BAAs) with all third-party service providers and subcontractors who create, receive, maintain, or transmit PHI on our behalf. These agreements require our business associates to implement appropriate safeguards, report security incidents and breaches, and comply with all applicable provisions of HIPAA and the HITECH Act. Healthcare providers using the Legent Health referral portal may request a copy of our standard BAA by contacting our Privacy Officer.

Patient Rights Under HIPAA

Patients whose PHI is processed through the Legent Health referral portal retain the following rights under HIPAA:

  • Right to Access: Patients may request access to their PHI held within the referral portal, including copies of referral records.
  • Right to Amendment: Patients may request amendments to their PHI if they believe the information is inaccurate or incomplete.
  • Right to an Accounting of Disclosures: Patients may request an accounting of certain disclosures of their PHI made through the portal.
  • Right to Request Restrictions: Patients may request restrictions on certain uses and disclosures of their PHI, though Legent Health is not required to agree to all requests.
  • Right to Confidential Communications: Patients may request that communications regarding their PHI be conducted through alternative means or at alternative locations.
  • Right to a Copy of This Notice: Patients may request a paper or electronic copy of this HIPAA Compliance Notice at any time.

To exercise any of these rights, patients or their authorized representatives should contact the referring or receiving healthcare provider, or reach out to the Legent Health Privacy Officer directly.

Breach Notification Procedures

In the event of a breach of unsecured PHI, Legent Health will comply with all notification requirements under HIPAA and the HITECH Act:

  • Affected individuals will be notified in writing without unreasonable delay and no later than 60 days following discovery of the breach.
  • The U.S. Department of Health and Human Services (HHS) will be notified as required, including immediate notification for breaches affecting 500 or more individuals.
  • Prominent media outlets in affected jurisdictions will be notified for breaches affecting 500 or more residents of a state or jurisdiction.
  • Breach notifications will include a description of the breach, the types of information involved, steps individuals should take to protect themselves, actions Legent Health is taking in response, and contact information for further inquiries.

Minimum Necessary Standard

Legent Health applies the minimum necessary standard to all uses, disclosures, and requests for PHI processed through the referral portal. This means that access to PHI is limited to the minimum amount of information reasonably necessary to accomplish the intended purpose of the use, disclosure, or request. Role-based access controls within the portal ensure that each user can access only the PHI relevant to their authorized function in the referral process.

Training and Awareness

All Legent Health workforce members who have access to PHI through the referral portal receive comprehensive HIPAA training upon onboarding and on an annual basis thereafter. Training covers the HIPAA Privacy Rule, Security Rule, Breach Notification Rule, and organization-specific policies and procedures. Additional training is provided when there are material changes to HIPAA regulations or to Legent Health's privacy and security practices. Healthcare providers using the portal are responsible for ensuring their own workforce members are appropriately trained on HIPAA compliance.

HITECH Act Compliance

Legent Health complies with the Health Information Technology for Economic and Clinical Health (HITECH) Act, which strengthens HIPAA protections for electronic health information. Our compliance efforts include enhanced breach notification obligations, the application of HIPAA Security Rule requirements to business associates, increased penalties for noncompliance, and the implementation of technology safeguards that support the secure electronic exchange of health information through the referral portal.

Complaints Process

If you believe that Legent Health has violated your privacy rights or the privacy rights of a patient, you may file a complaint through the following channels:

Legent Health will not retaliate against any individual for filing a complaint regarding our privacy practices.

Contact Information

For questions about this HIPAA Compliance Notice, our privacy practices, or to exercise any patient rights described herein, please contact:

Privacy Officer

Legent Health

Email: privacy@legenthealth.com

This HIPAA Compliance Notice is effective as of March 1, 2026. Legent Health reserves the right to amend this notice at any time. Any material changes will be posted on this page and will apply to all PHI maintained by Legent Health at the time of the change. The most current version of this notice is always available through the Legent Health referral portal.