HIPAA and PHI Disclosure for GenStar Clinical Website and Services
Effective date: October 24, 2025
This disclosure describes GenStar Clinical’s handling of Protected Health Information (PHI) in connection with services performed for covered entities under HIPAA and related regulations. GenStar Clinical is not a direct patient-facing medical provider. Instead, GenStar acts as a Business Associate (BA) to health care providers, clinics, hospitals, and government health programs that are covered entities under HIPAA, and provides outsourced GI testing and procedures support as contracted. All disclosures, use, and handling of PHI by GenStar are governed by applicable BAAs and HIPAA, as well as any applicable California and Los Angeles County privacy and data protection requirements.
Roles and scope under HIPAA
- Business Associate: GenStar Clinical acts as a Business Associate to covered entities (e.g., government facilities, clinics, hospitals, and other entities that are HIPAA-covered). A Business Associate may use or disclose PHI only as permitted by contracts (BAAs) and as required by law.
- Covered Entity: The covered entities retain primary responsibility for PHI disclosure rights (e.g., patient rights, notices, access requests). GenStar will assist the covered entity in meeting HIPAA requirements to the extent set forth in BAAs.
- No patient-physician relationship is created by GenStar through the Website or its services. PHI is handled solely in connection with the contractual GI testing and related services performed under BAAs.
Definitions
- PHI (Protected Health Information): Individually identifiable health information transmitted or maintained in any form that relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the payment for health care, and that is created, stored, or transmitted by GenStar in the course of its contractual duties.
- BA (Business Associate): An entity that performs certain functions or activities on behalf of a covered entity that involve the use or disclosure of PHI.
- BAA (Business Associate Agreement): A contract between GenStar and a covered entity that specifies permitted uses/disclosures of PHI and required safeguards.
- Minimum Necessary: The principle that PHI used, disclosed, or requested is limited to the minimum necessary to accomplish the intended purpose.
Permitted uses and disclosures of PHI by GenStar
- To perform contracted GI testing, procedures, and related services for the benefit of the covered entity.
- To manage and administer GenStar’s services and BAAs, including quality improvement, regulatory compliance, and risk management activities, to the extent necessary to perform the contracted work.
- As required by law, regulation, or court order.
- For the purpose of health care operations as permitted by the relevant BAAs (e.g., evaluating and improving services, provider performance, or outcomes), to the extent allowed by the BAAs and HIPAA.
- To subcontractors or subcontracted service providers who assist in delivering the contracted services, provided such recipients are bound by BAAs or equivalent safeguards and restrictions on PHI.
- Not for marketing, general business development, or other unrelated purposes unless and until authorized in a BAA or by law.
Safeguards and security (HIPAA Security Rule)
GenStar maintains comprehensive safeguards to protect PHI, including:
- Administrative safeguards: designated privacy and security leadership, risk assessments, policies and procedures, workforce training, incident response planning, and regular audits.
- Physical safeguards: facility access controls, secure workspaces, and device safeguards to prevent unauthorized physical access to PHI.
- Technical safeguards: access controls (unique user IDs, strong authentication), audit controls, integrity controls, encryption for PHI in transit and at rest where feasible, automatic logoff, and secure data transmission protocols.
- Workforce training and clearance: ongoing HIPAA privacy and security training for all personnel with PHI access; background checks and ongoing monitoring as appropriate.
- Contingency planning: data backup, disaster recovery, and continuity planning to protect PHI.
Minimum Necessary standard
- GenStar will limit PHI uses and disclosures to the minimum necessary to accomplish the contractual purpose and comply with BAAs, HIPAA, and applicable law. Data shared with service providers will be restricted to what is necessary for those providers to perform their functions under BAAs.
Data retention, destruction, and de-identification
- Retention: PHI is retained only as long as required by BAAs, contractual obligations, and applicable law. After termination of the contract, PHI will be returned or destroyed in accordance with the BAAs, unless the BAA requires or permits continued retention.
- De-identification and Limited Data Sets: PHI may be de-identified in accordance with HIPAA to create aggregated data sets for analytics or quality improvement, or used in limited data sets with data use agreements if the covered entity permits such use.
Breach notification and incident response
- GenStar will follow a documented incident response plan. In case of a breach involving PHI:
- GenStar will promptly notify the covered entity of the breach, without unreasonable delay and no later than 60 days after discovery, to permit the covered entity to meet its regulatory notification obligations.
- If the breach involves a disclosure that requires media or state-wide notices, the covered entity, not GenStar, is generally responsible for those public notices, consistent with HIPAA and applicable state law.
- GenStar will cooperate with the covered entity’s breach response and regulatory reporting requirements as stipulated in the BAAs.
- Incident response includes containment, investigation, documentation, and remediation of vulnerabilities to prevent recurrence.
Subcontractors and business associates
- GenStar may engage subcontractors or other service providers who may have access to PHI in the course of performing contracted services. All such entities must be bound by BAAs or equivalent agreements that impose privacy and security obligations at least as stringent as those in GenStar’s BAAs.
- GenStar will monitor and enforce compliance with PHI protections by subcontractors.
Rights of individuals and relationship to the covered entity
- Individuals’ rights (e.g., access, amendment, accounting of disclosures, and most other rights under HIPAA) are primarily exercised through the covered entity. GenStar will support the covered entity in responding to such requests as required by the BAAs and HIPAA.
- If individuals contact GenStar directly with PHI-related requests, GenStar will direct them to the applicable covered entity’s privacy official or the covered entity’s designated process, in coordination with the BAAs.
International transfers
- If PHI must be transmitted to or accessed by service providers outside the United States in connection with the contracted services, GenStar will ensure appropriate safeguards are in place, in accordance with HIPAA, BAAs, and applicable data protection laws.
De-identification and limited data use
- When permissible under BAAs, PHI may be de-identified to produce data sets for statistical analysis, research, or quality assurance.
- Use of Limited Data Sets (LDS) is allowed where permitted by BAAs and requires a data use agreement describing permitted uses and disclosures.
Training, governance, and audits
- GenStar provides ongoing training to personnel with PHI access and conducts periodic internal audits to ensure HIPAA compliance and BAAs are honored.
- GenStar will cooperate with regulatory audits as required by BAAs and law.
Documentation and accountability
- GenStar maintains records of all PHI handling activities, access logs, safeguards, incident reports, and breach notifications as required by BAAs and HIPAA.
- GenStar designates a HIPAA Privacy and Security Officer or equivalent role responsible for overseeing PHI protections and interfacing with covered entities on HIPAA compliance matters.
Relationship to the GenStar Privacy Policy and Terms of Use
- This HIPAA and PHI Disclosure accompanies GenStar’s Privacy Policy and Website Terms of Use. In the event of any inconsistency between this disclosure and other GenStar policies, BAAs, or contracts, the BAAs and applicable legal requirements shall govern PHI handling.
Contact information
- HIPAA Privacy and Security Officer (or designated contact for HIPAA matters):
- Email: privacy@genstarclinical.com
- Phone: (213) 886-8170
- Mailing address: GenStar Clinical, 5225 Wilshire Blvd. Ste. 1111, Los Angeles, CA 90036
- For PHI-related inquiries or to initiate a request for information via the covered entity, please contact the applicable covered entity’s privacy official as provided in the BAAs.
Governing law and venue
- This disclosure and any BAAs are governed by federal HIPAA requirements and applicable California/Los Angeles County laws. Any disputes related to PHI handling shall be resolved in accordance with the governing law and venue provisions specified in the applicable BAAs, typically in Los Angeles County, City of Los Angeles, California.
