Privacy Rule (164.500–534)

Notice of Privacy Practices

45 CFR § 164.520

The patient-facing document that describes how your practice uses and discloses PHI, patient rights, and your privacy obligations. Required to be provided to every patient and posted prominently in your facility.

What's Included

  • Notice of Privacy Practices document
  • Patient acknowledgment form
  • Distribution tracking log
  • Implementation checklist
  • Annual review template
4 pages · ~1,996 words · 9 sections · Estimated customization: ~10 minutes · Last updated May 2026

Sample Preview

Notice of Privacy Practices

Version 1.0 · Effective [EFFECTIVE DATE] · Approved by [PRIVACY/SECURITY OFFICER NAME]

1. Purpose

THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.

(This statement is required by 45 CFR § 164.520(b)(1)(i) and must appear as a header or otherwise prominently displayed at the beginning of the Notice of Privacy Practices that is given to patients.)

This Notice of Privacy Practices (NPP) describes how [PRACTICE NAME] may use and disclose your protected health information (PHI) and how you can access this information. This notice is required by the HIPAA Privacy Rule and must be provided to every patient. It is both a patient-facing document and a regulatory compliance requirement.

2. Scope

This notice applies to the protected health information — whether oral, written, or electronic — created, received, maintained, or transmitted by [PRACTICE NAME] in the course of providing healthcare services, and it covers the services provided at all [PRACTICE NAME] locations. Certain categories of information receive additional protection under other federal or state laws and may not be used or disclosed in all the ways described in this notice without additional safeguards or consent. These include, where applicable, substance use disorder treatment records protected by 42 CFR Part 2, psychotherapy notes, HIV/AIDS information, genetic information, and other specially protected information. See the section below regarding substance use disorder records if [PRACTICE NAME] maintains records subject to 42 CFR Part 2.

3. Policy Statement

[PRACTICE NAME] is required by law to maintain the privacy of your protected health information, to provide you with this notice of our legal duties and privacy practices, and to follow the terms of this notice currently in effect. [PRACTICE NAME] reserves the right to change the terms of this notice and to make the new provisions effective for all PHI it maintains. If we make a material change to this notice, we will make the revised notice available at our office and on our website.

4. Definitions

Protected Health Information (PHI): Individually identifiable health information created or received by a healthcare provider, health plan, or healthcare clearinghouse. It includes information related to your past, present, or future physical or mental health condition, the provision of healthcare to you, or payment for healthcare services, when combined with identifiers such as your name, address, date of birth, or Social Security number.

Treatment: The provision, coordination, or management of healthcare and related services, including consultation between providers and referrals.

Payment: Activities relating to obtaining reimbursement for healthcare services, including billing, claims management, and collection activities.

Healthcare Operations: Administrative, financial, legal, and quality improvement activities, including staff training, compliance auditing, and business planning.

5. Procedures

SECTION 1: HOW WE MAY USE AND DISCLOSE YOUR HEALTH INFORMATION

Without Your Written Authorization:

1. Treatment: We may use and disclose your PHI to provide, coordinate, and manage your healthcare. For example, we may share your PHI with a specialist to whom you are referred, a laboratory performing tests, or a pharmacy filling your prescriptions.

2. Payment: We may use and disclose your PHI to bill and collect payment for your healthcare services. For example, we may send your PHI to your health insurance plan to obtain payment, or we may share billing information with a collection agency.

3. Healthcare Operations: We may use and disclose your PHI for our healthcare operations, which include quality assessment, staff training, compliance activities, and other administrative functions. For example, we may use your PHI to evaluate the quality of care provided by our staff.

4. Required by Law: We may use or disclose your PHI when required to do so by federal, state, or local law.

5. Public Health Activities: We may disclose your PHI for public health activities, including reporting communicable diseases, vital events (births, deaths), and product safety information to the FDA.

6. Health Oversight Activities: We may disclose your PHI to a health oversight agency for activities authorized by law, such as audits, investigations, and inspections.

7. Judicial and Administrative Proceedings: We may disclose your PHI in the course of a judicial or administrative proceeding in response to an order of a court or administrative tribunal (disclosing only the PHI expressly authorized by the order). We may disclose your PHI in response to a subpoena, discovery request, or other lawful process that is NOT accompanied by such an order only if we receive satisfactory assurances that reasonable efforts have been made either to give you notice of the request (so that you have an opportunity to object) or to secure a qualified protective order, as required by 45 CFR § 164.512(e).

8. Law Enforcement: We may disclose your PHI to a law enforcement official for purposes permitted by law, such as reporting certain types of wounds or physical injuries, or in response to a court order or warrant.

9. Coroners, Medical Examiners, Funeral Directors: We may disclose PHI to a coroner, medical examiner, or funeral director as authorized by law.

10. Organ and Tissue Donation: We may disclose PHI to organizations that handle organ, eye, or tissue procurement, banking, or transplantation.

11. Research: We may disclose your PHI for research purposes when the research has been approved by an institutional review board or privacy board.

12. To Avert a Serious Threat to Health or Safety: We may use or disclose your PHI when necessary to prevent or lessen a serious and imminent threat to your health or safety or the health or safety of the public.

13. Workers' Compensation: We may disclose your PHI for workers' compensation as authorized by law.

14. Military, Veterans, National Security: If you are a member of the armed forces, we may disclose your PHI as required by military command authorities or for national security and intelligence activities.

With Your Written Authorization: Uses and disclosures not described above will be made only with your written authorization. You may revoke your authorization at any time in writing, except to the extent that we have already acted in reliance on the authorization.

Specific categories requiring authorization include: most uses and disclosures of psychotherapy notes, uses and disclosures of PHI for marketing purposes, and disclosures that constitute the sale of PHI.

SECTION 2: YOUR RIGHTS REGARDING YOUR HEALTH INFORMATION

1. Right to Access: You have the right to inspect and obtain a copy of your PHI maintained in a designated record set. Requests must be submitted in writing. We may charge a reasonable, cost-based fee for copies. We will respond within 30 days (with one 30-day extension if needed).

2. Right to Amend: You have the right to request an amendment to your PHI if you believe it is incorrect or incomplete. Requests must be submitted in writing with the reason for the amendment. We may deny the request under certain circumstances and will provide a written explanation.

3. Right to an Accounting of Disclosures: You have the right to receive a list of certain disclosures we have made of your PHI during the six years prior to the request. This does not include disclosures made for treatment, payment, healthcare operations, or with your authorization.

4. Right to Request Restrictions: You have the right to request a restriction on certain uses or disclosures of your PHI. We are not generally required to agree to a restriction, except that we must agree to restrict disclosure of your PHI to a health plan if (a) the disclosure is for the purpose of carrying out payment or health care operations and is not otherwise required by law, and (b) the PHI pertains solely to a health care item or service for which you, or a person other than the health plan on your behalf, have paid us in full out of pocket.

5. Right to Request Confidential Communications: You may request that we communicate with you about your health matters in a certain way or at a certain location. We will accommodate reasonable requests.

6. Right to a Paper Copy of This Notice: You have the right to a paper copy of this notice at any time.

7. Right to File a Complaint: If you believe your privacy rights have been violated, you may file a complaint with [PRACTICE NAME] or with the Secretary of the U.S. Department of Health and Human Services. You will not be penalized for filing a complaint.

SECTION 3: OUR DUTIES

[PRACTICE NAME] is required to: maintain the privacy of your PHI, provide you with this notice, abide by the terms of this notice, and notify you following a breach of your unsecured PHI.

SECTION 4: CONTACT INFORMATION

Privacy Officer: [PRIVACY OFFICER NAME]
Phone: [PHONE NUMBER]
Email: [EMAIL ADDRESS]
Address: [PRACTICE ADDRESS]

To file a complaint with HHS:
U.S. Department of Health and Human Services
Office for Civil Rights
200 Independence Avenue, S.W.
Washington, D.C. 20201
https://www.hhs.gov/hipaa/filing-a-complaint/index.html
1-877-696-6775

6. Substance Use Disorder Records (42 CFR Part 2) — Conditional

[INCLUDE THIS SECTION ONLY IF [PRACTICE NAME] IS A FEDERALLY ASSISTED "PART 2 PROGRAM" OR OTHERWISE CREATES, RECEIVES, OR MAINTAINS SUBSTANCE USE DISORDER (SUD) PATIENT RECORDS PROTECTED BY 42 CFR PART 2. The federal rule aligning 42 CFR Part 2 with HIPAA was effective April 16, 2024, with a compliance date of February 16, 2026. If this section does not apply to your practice, delete it. If it applies, your legal counsel should confirm whether a single combined HIPAA/Part 2 notice or a separate Part 2 Patient Notice is appropriate.]

Substance Use Disorder Records Protected by 42 CFR Part 2. If we create, receive, or maintain substance use disorder patient records protected by 42 CFR Part 2, we will use or disclose those records only with your written consent or as otherwise permitted or required by Part 2. You may provide a single written consent for future uses and disclosures of these records for treatment, payment, and health care operations, and you may revoke that consent as permitted by Part 2 (except to the extent we have already acted in reliance on it).

Part 2 records, or any testimony describing those records, will not be used or disclosed in any civil, criminal, administrative, or legislative proceeding against you unless based on your written consent or a court order issued under Part 2 after the required notice and opportunity to be heard; any such court order must also be accompanied by a subpoena or other legal requirement compelling disclosure.

Separate written consent is required before we may use or disclose SUD counseling notes, except in the limited circumstances permitted by Part 2. [Insert any more stringent state law or program-specific limitations.]

7. Roles & Responsibilities

Privacy Officer ([PRIVACY OFFICER NAME]): Develops and maintains this NPP. Ensures the NPP is distributed to all patients. Handles patient complaints and requests regarding privacy rights. Updates the NPP when policies change.

Front Desk Staff: Provides a copy of the NPP to every new patient. Obtains a signed acknowledgment of receipt. Posts the NPP in a prominent location in the waiting area. Makes copies available to any patient who requests one.

All Workforce Members: Direct patient questions about privacy to the Privacy Officer. Follow the privacy practices described in this notice.

8. Review Schedule

This notice shall be reviewed at least annually and updated whenever there is a material change to [PRACTICE NAME]'s privacy practices, uses or disclosures of PHI, patient rights, legal duties, or other practices described in this notice. The revised notice must be made available to patients upon request and posted in the facility.

9. Regulatory References

  • 45 CFR § 164.520 — Notice of privacy practices for protected health information (Required)
  • 45 CFR § 164.520(a) — Standard: notice of privacy practices (right to adequate notice)
  • 45 CFR § 164.520(b) — Content of the notice
  • 45 CFR § 164.520(c) — Provision of notice and acknowledgment
  • 45 CFR § 164.524 — Right of access
  • 45 CFR § 164.526 — Right to amendment
  • 45 CFR § 164.528 — Accounting of disclosures
  • 45 CFR § 164.522 — Right to request restrictions and confidential communications
  • 45 CFR § 164.512(e) — Disclosures for judicial and administrative proceedings
  • 42 CFR Part 2 — Confidentiality of substance use disorder patient records (compliance date Feb. 16, 2026; conditional — applies only to Part 2 programs)

Templates require customization and legal review before adoption. Not legal advice. See full disclaimer.