HIPAA Notice
HIPAA Notice of Privacy Practices for U.S. residents
This notice is effective as of May 21, 2021
This notice describes how medical information about United States residents may be used and disclosed and how you can access this information. Please review it carefully.
GRAIL, Inc. (“GRAIL,” “we,” or “us”) is required by law to provide individuals with notice of its legal duties and privacy practices with respect to your “Protected Health Information” or “PHI” (defined below). This Notice of Privacy Practices (“Notice”) describes how we may use and disclose your PHI to carry out treatment, payment, or health care operations, and for other specified purposes that are permitted or required by law.
Our responsibilities
GRAIL and the members of its workforce are committed to protecting the privacy and confidentiality of your personal information, genetic information, and laboratory test results.
GRAIL is required by the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), as amended by the Health Information Technology for Economic and Clinical Health Act of 2009 (“HITECH”), to maintain the privacy and security of your PHI and to provide you with a notice of our legal duties, our privacy practices, and your patient rights.
Whenever we use or disclose your PHI, we are required to abide by the terms of this Notice.
Definition of protected health information
PHI is information about you, including your demographic information, that relates to your physical or mental health condition or health care provided to you. PHI can include your medical history, laboratory results, insurance information, and other health information that is collected, generated, used, and communicated by GRAIL to produce genetic testing results and bill for our testing services. Examples of PHI include your name, date of birth, medical record number, social security number, insurance beneficiary number, and genetic information.
Uses and disclosures of your protected health information
GRAIL may use or disclose your PHI for the following purposes:
- Treatment. We may use or disclose your PHI for purposes of providing your medical treatment. For example, we may use your PHI to perform our testing services and disclose your genetic testing results to your physician and other health care providers involved in your care. Please note that GRAIL participates in electronic health information exchange(s), including the California Data Exchange Framework. Electronic health information exchanges allow healthcare providers outside of GRAIL who need information to treat you to access your health information through a secure health information exchange. To opt-out of the sharing of your health information through health information exchange(s), please contact privacy@grailbio.com.
- Payment. We may use or disclose your PHI for purposes of billing and collecting payment for our services. For example, we may disclose PHI to your health plan in order to obtain payment for the services provided to you.
- Healthcare operations. We may use or disclose your PHI to facilitate our healthcare operations. For example, we may review your PHI to monitor the quality and accuracy of our testing services and review the competence and qualifications of our laboratory professionals.
- Persons involved in your care or payment for your care. We may disclose your PHI to persons involved in your care or payment for your care, such as a family member, relative, or close friend, unless you object or ask us not to.
- Notification. We may use or disclose your PHI to notify or assist in notifying a family member, personal representative, or another person responsible for your care regarding your location and general condition.
- Personal representatives. We may disclose your PHI to your authorized personal representative, such as a lawyer, administrator, executor, or other authorized person responsible for you or your estate.
- Minors’ PHI. We may disclose PHI about minors to their parents or legal guardians.
- Communication about products and services. We may use and disclose your PHI to contact you about other GRAIL products and services which we believe may be of interest to you. We do not disclose your PHI to third parties for marketing purposes without your written authorization.
- Sale of your information. GRAIL will never sell your PHI to third parties unless you provide written authorization.
- Disclosures to business associates. We may disclose your PHI to other companies or individuals, known as “Business Associates,” who provide services to us. For example, we may use a company to perform billing services on our behalf. Our Business Associates are required to protect the privacy and security of your PHI and notify us of any improper disclosure of information.
- Fundraising. We may use or disclose your PHI to our Business Associates to contact you regarding our fundraising activities. You have the right to opt out of receiving fundraising communications.
- As required by law. We may use or disclose your PHI if required to do so by any applicable federal, state, or local law.
- Public health activities. We may disclose your PHI for public health-related activities. Examples include reporting diseases to authorized public health authorities, public health investigations, or notifying a manufacturer of a product regulated by the U.S. Food and Drug Administration (the “FDA”) of a possible problem encountered when using the product in our testing process.
- Health oversight activities. We may disclose your PHI to a healthcare oversight agency for activities that are authorized by law, such as audits, investigations, inspections, and licensure activities. For example, we may disclose your PHI to agencies responsible for ensuring compliance with the rules of government health programs, such as Medicare or Medicaid.
- Research. Under certain circumstances, we may use or disclose your PHI for research purposes within GRAIL and with research collaborators outside of GRAIL who are under contract and are also obligated to protect PHI. Generally, research projects at GRAIL are subject to review by a committee responsible for ensuring the protection of individual research subjects, appropriate patient authorization, and an adequate plan to safeguard PHI.
- Judicial and administrative proceedings. Under certain circumstances, we may disclose your PHI as required to comply with a judicial or administrative order or in response to a subpoena, discovery request, or other lawful process.
- Law enforcement. We may disclose your PHI to the police or other law enforcement officials as required by law or in compliance with a court order, warrant, subpoena, summons, or other legal process for locating a suspect, fugitive, witness, missing person, or victim of a crime.
- Threats to health and safety. We may disclose your PHI to prevent or reduce the risk of a serious and imminent threat to the health and safety of an individual or the general public.
- Victims of abuse, neglect, or violence. If required or authorized by law, we may disclose your PHI to a government agency, such as a social services or protective services agency, if we reasonably believe that an individual adult or child is the victim of abuse, neglect, or domestic violence.
- Data breach notification. We may use your PHI to provide legally required notices of unauthorized access, acquisition, or disclosure of your PHI.
- De-identification of PHI. We may de-identify your PHI by removing identifying features as determined by law to make it extremely unlikely that the information could identify you.
- Additional uses and disclosures. GRAIL may also use or disclose your PHI in other ways as permitted by law, including, but not limited to or for:
  - Specialized Government Functions, including, but not limited to, military command authorities, national security and intelligence organizations, and correctional institutions
  - Workers’ Compensation Programs
  - Coroners, Medical Examiners, and Funeral Directors
  - The FDA
  - Organ and Tissue Donation Organizations
- All other disclosures. Uses and disclosures of PHI for purposes other than those described above (or as otherwise permitted or required by law) will not be made without a written authorization signed by you or your personal representative. Once you sign an authorization, you may revoke it at any time by contacting GRAIL, unless we have already relied upon it to use or disclose PHI. A revocation of authorization must be submitted to the Privacy Officer at the address provided at the end of this Notice.
Your rights regarding your medical information
You have the following rights with respect to your PHI. To exercise any of these rights, please contact our Privacy Officer using the contact information provided at the end of this Notice.
- Access to PHI and test results. You, or your authorized representative, have the right to inspect and copy your PHI maintained by us. You may retrieve your test results using an online patient portal or by requesting a copy of your information, in which case we may charge you a reasonable fee for the costs of copying, mailing, or other supplies that are necessary to fulfill your request. If we maintain an electronic health record containing your information, you have the right to request that we send a copy of your health information in electronic format to you or a third party that you identify. We may deny access to certain information for specific reasons, for example, if the access requested is reasonably likely to endanger the life or safety of you or another person. If your request for information is denied, you may request that the denial be reviewed by filing a request for review with GRAIL’s Privacy Officer.
- Restrictions on uses and disclosures. You have the right to request restrictions on our uses and disclosures of your PHI. While we will consider all requests for additional restrictions carefully, we are not required to agree to a requested restriction except for restrictions on uses or disclosures for the purpose of carrying out payment or health care operations, where you have made payment to GRAIL “out-of-pocket” and in full. If we do agree to a requested restriction, we will not disclose your PHI in accordance with the agreed-upon restriction.
- Alternative confidential communications. You may request that we communicate with you about your PHI in a specific means or to an alternative postal mail or email address. Your request must be in writing and must specify the alternative means or location. We will accommodate reasonable requests for confidential communications. We reserve the right to verify your identity in order to confirm the alternative contact and address information.
- Correct or update your information. If you believe the PHI we maintain about you contains an error, you may request that we correct or update your information. Your request must be in writing and must explain why the information should be corrected or updated. We may deny your request under certain circumstances and provide a written explanation.
- Accounting of disclosures. You may request a list, or accounting, of certain disclosures of your PHI made by GRAIL in the past six years from the date of your request. Under the law, this does not include disclosures made for purposes other than treatment, payment, healthcare operations, and certain other activities. The accounting will exclude disclosures we have made directly to you, disclosures to friends or family members involved in your care, disclosures made pursuant to a valid authorization, and disclosures for notification purposes. The request must be in writing. The first accounting you request within a twelve (12) month period will be provided free of charge, but you may be charged for the cost of providing additional accountings. We will notify you of the cost involved, and you may choose to withdraw or modify your request at that time.
- Copy of notice. You have the right to obtain a paper or electronic copy of this notice upon request.
Breach notification
GRAIL is required by law to notify you following the discovery that there has been a breach of your unsecured PHI, unless GRAIL reasonably determines, after investigating the situation and assessing the risks presented, that there is a low probability that the privacy or security of your PHI has been compromised. You will be notified in a timely manner, no later than sixty (60) days after discovery of the breach, unless state law requires notification sooner.
Changes to your notice of privacy practices
GRAIL reserves the right to amend our privacy practices and the terms of this Notice from time to time, provided such changes are permitted by applicable law. When changes are made, we will promptly post the updated Notice on the GRAIL website. Please review this website periodically to ensure that you are aware of any updates.
Compliance with laws
If more than one law applies to this Notice, such as a more stringent state law, we will follow the more stringent law.
Questions and complaints
If you have any questions or comments about our privacy practices or this Notice, or if you would like a more detailed explanation about your privacy rights, please contact our Privacy Officer using the contact information provided at the end of this Notice.
If you believe that we may have violated your privacy rights, you may submit a complaint to our Privacy Officer. You also may submit a written complaint to the U.S. Department of Health and Human Services (“HHS”). We will provide you with the address to file your complaint with HHS upon request.
GRAIL will not take retaliatory action against you, and you will not be penalized in any way, if you choose to file a complaint with us or with HHS.
Contact information
GRAIL, Inc.
Attention: Privacy Officer
1525 O’Brien Drive
Menlo Park, California 94025
By email: privacy@grailbio.com
By telephone: (833) 694‑2553