PATH Data Privacy, Security, and Information Handling Policy

Effective Date: August 7, 2025  |  Last Updated: November 4, 2025

The Partnership for Achieving Total Health (“PATH”, “we”, “us”) is committed to protecting your private health information. This policy explains: 

• How we collect, use, and share patient health information through our Health Information Exchange, PelEX
• Your rights regarding your information
• The measures we take to keep your data safe
• How to contact us with questions or complaints 

1. Purpose 

We operate the PelEX Health Information Exchange to help health care providers securely share information that improves care, coordination, and outcomes. This policy serves to: 

• Describe our legal duties under the Health Insurance Portability and Accountability Act (HIPAA) and other laws 
• Explain how we handle Patient Data 
• Outline your privacy rights 
• Tell you how to control your information 

Patient Data means your protected health information (PHI): past, present, or future health information that identifies you. 

2. Who Oversees This Policy 

• PATH Board of Directors  
• The Louisiana Public Health Institute (LPHI) HIPAA Compliance Committee & Research Ethics Compliance Committee (RECC)  
• All Participants (hospitals, clinics, research partners, etc.) must follow these rules and relevant laws. 

3. Compliance with Laws 

We follow all federal, state, and local privacy laws, including: 

• Health Insurance Portability and Accountability Act (HIPAA)
• Louisiana privacy regulations 
• Specialized rules for genetic, mental health, and substance use disorder data (including 42 CFR Part 2) 

We will disclose Patient Data only when allowed or required by law. 

4. How We May Use and Share Your Patient Data 

We only use or share your health information for permitted purposes: 

a. Treatment, Payment, and Operations: 

• Share with your doctors, nurses, and other providers for your care 

b. Public Health and Safety:

• Report health trends or disease outbreaks 
• Disaster relief 
• To help prevent a serious health or safety threat

c. Legal and Government:

• Coroners or medical examiners for identification or cause of death
• Government agencies, auditors, and law enforcement, when required
• Any other use that is permitted or required under HIPAA, or other applicable law governing the use and disclosure of Patient Data.

5. Special Rules for Sensitive Information 

Certain health information requires extra protection and will only be shared when allowed by specific laws: 

• Genetic information (LA RS 40:1299.6, LA RS 22:1023) 
• Psychotherapy notes (HIPAA 45 CFR 164.501) 
• Substance use disorder treatment records from SAMHSA Part 2 programs 
• Any other sensitive category created by future law 

6. What We Never Do 

• Sell or use your data for marketing or other commercial purposes 
• Share data with unauthorized individuals 
• Disclose information for purposes not allowed by HIPAA or this policy 

7. Who Has Access 

• Healthcare providers: Only authorized healthcare providers who participate in PelEX and have a treatment, payment, or healthcare operations relationship with you can access your information. 
• Security measures: We limit access to authorized users only and regularly monitor for unauthorized activity.
  • Participants can revoke or adjust their authorized users at any time 
  • All users must follow PATH’s Terms & Conditions and system security rules 
• External networks: We may participate in other health information exchange networks to improve care coordination. 

8. Patient Consent and Opt-Out 

PelEX uses an opt-out model: 

• Your information is included automatically unless you choose to opt out 
• Opting out stops any new sharing via PelEX within 10 business days 
• Information shared before you opt-out cannot be removed from our records 
• Your medical records will still be kept as required by law 

Exceptions: 

• Some organizations (like behavioral health providers) may require opt-in to share certain records 
• In emergencies, your data may still be shared 

How to Opt Out: 

• Fill out the Patient Opt-Out Request Form on our website 
• Or call our HIPAA Privacy & Compliance Manager at (504) 301-9835 

9. Data Security 

We protect your information by: 

• Following HIPAA and security standards set by the National Institute of Standards and Technology (NIST)
• Conducting annual risk assessments and continuous security monitoring 
• Annual security reviews 
• Continuous monitoring for unauthorized activity 
• Having a disaster recovery plan 
• Blocking malware or other harmful software from entering PelEX 
• Semiannual employee privacy and security training  

10. Breach Notification 

If your PHI is accessed without authorization: 

• We will investigate and mitigate harm 
• The responsible party (PATH or the participant) will notify you in plain language
• Notices will explain what happened, what was involved, and what’s being done to prevent future breaches
• All breaches will be reported to the government when required 

11. Your Rights 

You have the right to: 

• See or get a copy of your Patient Data from your health care provider  
• Request corrections from your health care provider if you believe your information is wrong or incomplete 
• Get a list of disclosures of your health information 
• Receive a paper copy of this policy 
• Be notified if your unsecured PHI is breached 

12. Changes to This Policy 

We may update this policy at any time. Changes take effect once posted on our website and apply to all existing and future data we hold. Shape 

13. Questions or Complaints 

• Use our online complaint form or call (504) 301-9835.
• You can also file a complaint with the U.S. Department of Health and Human Services, Office for Civil Rights.
• We will not retaliate against you for filing a complaint