HIPAA Notice

Notice of Privacy Practices

Effective Date: January 1, 2025  |  Last Revised: March 1, 2025

THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.

1. Who We Are

IM65.com ("IM65," "we," "us," or "our") is a Medicare insurance marketplace platform that connects Medicare beneficiaries with IM65 Approved insurance advisors and healthcare providers. We are a Business Associate under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its implementing regulations (45 CFR Parts 160 and 164).

This Notice applies to all Protected Health Information (PHI) we receive, create, maintain, or transmit in connection with our services.

2. What Is Protected Health Information (PHI)?

PHI is any information that identifies you and relates to your past, present, or future physical or mental health condition, the provision of health care to you, or payment for health care. This includes your name, date of birth, address, phone number, Medicare ID, and information about the insurance products you are considering.

3. How We Use and Disclose Your PHI

a. Treatment Coordination

We may share your PHI with licensed insurance advisors and healthcare providers to help coordinate your Medicare coverage options. This sharing only occurs after you have provided a signed Scope of Appointment (SOA) consent form.

b. Payment Activities

We may use your PHI to facilitate payment for health care services, including verifying insurance eligibility and processing referral rewards.

c. Health Care Operations

We may use your PHI for internal operations including quality assessment, compliance auditing, and training of our advisors and staff.

d. Required by Law

We may disclose your PHI when required by federal or state law, including to the Centers for Medicare & Medicaid Services (CMS) for compliance oversight.

e. Scope of Appointment (SOA)

Per CMS regulations (42 CFR § 422.2264), we require a completed Scope of Appointment before any Medicare Advantage or Part D plan discussion. Your SOA records are retained for a minimum of 10 years as required by CMS.

4. Uses Requiring Your Written Authorization

The following uses and disclosures require your written authorization:

  • Marketing communications not directly related to your Medicare coverage
  • Sale of your PHI to third parties
  • Psychotherapy notes (if applicable)
  • Any use or disclosure not described in this Notice

You may revoke any authorization you have given us at any time by contacting us in writing at the address below.

5. Your Rights Regarding Your PHI

Right to Access

You have the right to inspect and obtain a copy of your PHI that we maintain. Requests must be submitted in writing. We will respond within 30 days.

Right to Amend

If you believe your PHI is incorrect or incomplete, you may request an amendment. We will respond within 60 days.

Right to an Accounting of Disclosures

You may request a list of disclosures we have made of your PHI during the past 6 years, except for disclosures made for treatment, payment, or health care operations.

Right to Request Restrictions

You may request restrictions on how we use or disclose your PHI. We are not required to agree, but if we do, we will honor the restriction.

Right to Confidential Communications

You may request that we communicate with you about your PHI using alternative means or at an alternative location.

Right to Request Deletion

You may request that we delete your PHI from our systems, subject to applicable legal retention requirements (SOA records must be retained 10 years per CMS; audit logs 6 years per HIPAA). Submit a deletion request here.

Right to a Paper Copy of This Notice

You may request a paper copy of this Notice at any time, even if you have agreed to receive it electronically.

6. Our Duties

We are required by law to maintain the privacy of your PHI and to provide you with this Notice of our legal duties and privacy practices. We are required to abide by the terms of this Notice currently in effect. We reserve the right to change the terms of this Notice and to make the new Notice provisions effective for all PHI we maintain. We will post the current Notice on our website and make it available upon request.

7. Security Safeguards

We implement administrative, physical, and technical safeguards to protect your PHI as required by the HIPAA Security Rule (45 CFR Part 164, Subpart C):

  • Encryption in transit: All data is transmitted over HTTPS/TLS
  • Access controls: Role-based access ensures advisors and doctors only see their own patients' data
  • Audit logging: All PHI access is logged with user identity, timestamp, and IP address, retained for 6 years
  • Session timeout: Authenticated sessions automatically expire after 20 minutes of inactivity
  • Minimum necessary: We only collect and share the minimum PHI necessary for each purpose
  • Business Associate Agreements: All advisors and healthcare providers must sign a BAA before accessing patient data

8. How to File a Complaint

If you believe your privacy rights have been violated, you may file a complaint with us or with the U.S. Department of Health and Human Services Office for Civil Rights (OCR). We will not retaliate against you for filing a complaint.

File with IM65

Privacy Officer
IM65.com
Email: [email protected]
Phone: (800) 555-0165

File with HHS OCR

U.S. Dept. of Health & Human Services
Office for Civil Rights
www.hhs.gov/hipaa/filing-a-complaint

9. Contact Information

For questions about this Notice or to exercise your rights, contact our Privacy Officer:

IM65 Privacy Officer
IM65.com
Email: [email protected]
Phone: (800) 555-0165
Mailing Address: [Address on file with CMS]

This Notice of Privacy Practices is provided in accordance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), 45 CFR § 164.520. IM65.com is committed to protecting the privacy and security of your Protected Health Information.