HIPAA Notice of Privacy Practices

Epstein Plastic Surgery

Effective Date: April 27, 2026

HIPAA Notice of Privacy Practices and Acknowledgment of Receipt

THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND
DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT
CAREFULLY.

This Notice of Privacy Practices describes how Epstein Plastic Surgery may use and disclose your protected health information and how you can exercise your privacy rights. Protected health information, or PHI, is information that identifies you and relates to your past, present, or future health or condition, health care, or payment for health care.

This Notice applies to Epstein Plastic Surgery, its physicians, clinicians, staff, workforce members, trainees, volunteers, and business associates when they create, receive, maintain, or transmit PHI for the practice. A separate Website and Marketing Privacy Policy applies to general website, advertising, and non-clinical inquiry channels.

1. Our Responsibilities

We are required by law to:

  • Maintain the privacy and security of your PHI.
  • Give you this Notice of our legal duties and privacy practices.
  • Follow the terms of the Notice currently in effect.
  • Notify you following a breach of unsecured PHI as required by law.
  • Not use or disclose your PHI other than as described in this Notice,
    as permitted or required by law, or as authorized by you in writing.

2. Your Rights

You have the rights described below. To exercise these rights, please contact the Privacy Officer listed at the end of this Notice. We may ask that requests be made in writing and may need to verify your identity or authority before acting on a request.

  • Get an electronic or paper copy of your medical record. You may ask to inspect or receive a copy of medical and billing information that we use to make decisions about your care. We will provide access or copies within the time required by HIPAA and applicable New York law. New York law generally gives qualified persons an opportunity to inspect patient information within 10 days of a written request. We may charge a reasonable, cost-based fee where allowed by law. We will not deny access solely because of inability to pay where New York law prohibits doing so.
  • Ask us to correct your medical record. You may ask us to amend PHI that you believe is incorrect or incomplete. We may deny the request in certain circumstances, but we will explain the reason in writing.
  • Request confidential communications. You may ask us to contact you in a specific way or at a specific location, such as by phone, mail, or email. We will accommodate reasonable requests.
  • Ask us to limit what we use or share. You may ask us not to use or disclose certain PHI for treatment, payment, or health care operations. We are not required to agree to most requests, but if we agree, we will comply unless the information is needed for emergency treatment or another legal exception applies.
  • Restrict disclosures to your health plan after full out-of-pocket payment. If you pay in full out of pocket for a health care item or service and ask us not to disclose information about that item or service to your health plan for payment or health care operations, we will honor that request unless disclosure is required by law.
  • Get a list of certain disclosures. You may request an accounting of certain disclosures of your PHI. The accounting will not include disclosures for treatment, payment, health care operations, disclosures you authorized, and certain other disclosures excluded by law.
  • Get a paper copy of this Notice. You may request a paper copy of this Notice at any time, even if you agreed to receive it electronically.
  • Choose someone to act for you. If you have given someone medical power of attorney, if someone is your legal guardian, or if another person is authorized to act as your personal representative under law, we will recognize that person's authority after we verify it.
  • File a complaint. You may file a complaint with our Privacy Officer or with the U.S. Department of Health and Human Services Office for Civil Rights if you believe your privacy rights have been violated. We will not retaliate against you for filing a complaint.

3. Your Choices

For certain health information, you can tell us your choices about what we share. If you have a clear preference for how we share information in the situations described below, tell us what you want us to do and we will follow your instructions when we can.

  • Family, friends, and others involved in your care. Unless you object, we may share information with a family member, close friend, personal representative, or other person involved in your care or payment for your care, limited to information relevant to that person's involvement. If you are not able to tell us your preference, we may share information if we believe it is in your best interest.
  • Disaster relief. We may share information with disaster relief organizations so they can help notify family or others of your location, general condition, or death.
  • Marketing, sale of PHI, and certain other uses. We will obtain your written authorization before using or disclosing PHI for marketing when HIPAA requires authorization, before disclosing PHI in a way that constitutes a sale of PHI, and before using or disclosing psychotherapy notes if we ever create or maintain them, except as permitted by law.
  • Photographs, testimonials, and promotional uses. We will not use your identifiable photographs, videos, testimonial, story, or before-and-after images for advertising, website, social media, or promotional purposes without a separate written authorization when required by law.
  • Fundraising. We do not currently use PHI for fundraising communications. If that changes, we will comply with applicable law and provide any required opportunity to opt out.

You may revoke a written authorization at any time by giving us written notice, except to the extent we have already relied on the authorization.

4. How We May Use and Disclose PHI Without Your Written Authorization

The following are examples of ways we may use and disclose PHI without your written authorization when permitted or required by HIPAA and other applicable law. We will follow more stringent federal or New York privacy laws when they apply.

  • Treatment. We may use and disclose PHI to provide, coordinate, or manage your care. For example, we may share information with another physician, facility, anesthesia provider, laboratory, pharmacy, or other professional involved in your care.
  • Payment. We may use and disclose PHI to bill and obtain payment from you, an insurer, a health plan, a financing company, payment processor, or another responsible party. For example, we may send information to a health plan to determine eligibility, benefits, or payment for a medically necessary service.
  • Health care operations. We may use and disclose PHI for activities needed to operate the practice, such as quality assessment, training, credentialing, licensing, auditing, compliance, legal services, business planning, customer service, and patient safety activities.
  • Appointment reminders and health-related services. We may use PHI to contact you about appointments, follow-up care, treatment alternatives, or health-related services that may interest you.
  • Business associates. We may disclose PHI to vendors that perform services for us, such as billing, IT, cloud hosting, scheduling, communications, legal, accounting, compliance, or practice-management services. We require business associates to protect PHI as required by HIPAA.

5. Other Uses and Disclosures Permitted or Required by Law

  • Required by law. We may use or disclose PHI when federal, state, or local law requires it, and we will limit the disclosure to what the law requires.
  • Public health and safety. We may disclose PHI for public health activities, such as preventing or controlling disease, reporting adverse events, reporting suspected abuse, neglect, or domestic violence when required or authorized by law, or preventing a serious threat to health or safety.
  • Health oversight. We may disclose PHI to health oversight agencies for activities authorized by law, such as audits, investigations, inspections, licensure, discipline, and compliance reviews.
  • Lawsuits, disputes, and legal proceedings. We may disclose PHI in response to a court or administrative order, subpoena, discovery request, or other lawful process, but only as permitted by applicable law and after required safeguards are satisfied.
  • Law enforcement. We may disclose PHI to law enforcement officials in limited circumstances permitted by law, such as in response to certain court orders, warrants, subpoenas, or to report certain injuries or crimes.
  • Coroners, medical examiners, and funeral directors. We may disclose PHI to coroners, medical examiners, or funeral directors as necessary for them to perform their duties.
  • Organ, eye, or tissue donation. If applicable, we may disclose PHI to organizations involved in organ, eye, or tissue donation and transplantation.
  • Workers' compensation. We may disclose PHI as authorized by and to comply with workers' compensation or similar laws.
  • Research. We may use or disclose PHI for research only as permitted by law, such as with your authorization, with approval from an institutional review board or privacy board, or in other limited circumstances permitted by HIPAA.
  • Military, national security, and protective services. We may disclose PHI for certain military, national security, intelligence, protective services, or correctional institution purposes when permitted by law.

6. Special Privacy Protections

  • More stringent laws. Some information may receive additional protection under federal or New York law, such as substance use disorder treatment records, HIV/AIDS-related information, genetic information, mental health information, minor consent services, reproductive health information, gender-affirming care information, and other sensitive information. We will follow applicable special protections when they apply.
  • Substance use disorder records and 42 CFR Part 2. If we create, receive, or maintain records protected by 42 CFR Part 2, those records are subject to additional confidentiality requirements. Records, or testimony relaying the content of such records, may not be used or disclosed in any civil, criminal, administrative, or legislative proceedings against you unless based on your specific written consent or a court order after notice and an opportunity to be heard as provided by law. A court order authorizing use or disclosure must be accompanied by a subpoena or other legal requirement compelling disclosure before the requested record is used or disclosed.
  • Legally protected health activity in New York. If we receive a request for information that may relate to reproductive health care, gender-affirming care, or other legally protected health activity under New York law, we will review the request under applicable law, provide any legally required notices, and will not disclose information unless the request satisfies applicable legal requirements.
  • Minimum necessary. When HIPAA requires it, we will make reasonable efforts to limit uses, disclosures, and requests for PHI to the minimum necessary to accomplish the intended purpose.

7. Electronic Communications, Website Inquiries, and Tracking Technologies

Standard email, text messaging, social media messaging, and general website forms may not be secure and should not be used for sensitive medical information, emergencies, urgent clinical concerns, or post-operative complications. We may communicate with you electronically when permitted by law and consistent with your preferences and our policies.

We maintain a separate Website and Marketing Privacy Policy describing general website inquiries, cookies, pixels, analytics, advertising technologies, and marketing communications. We do not knowingly disclose PHI to advertising platforms for their independent advertising purposes without a valid authorization or another legal basis permitted by HIPAA.

8. Changes to this Notice

We may change the terms of this Notice at any time. The new Notice may apply to all PHI we maintain, including PHI created or received before the change. The current Notice will be available at our office and on our website, and you may request a paper copy at any time. Material changes will not be implemented before the effective date of the revised Notice unless permitted by law.

9. Contact Information and Complaints

For questions about this Notice, to exercise privacy rights, or to file a complaint with the practice, contact:

Practice: Epstein Plastic Surgery
Privacy Officer: Ruth Verspoor, Director of Operations / Privacy Officer
Address: 200 Motor Parkway, Suite B12, Hauppauge, NY 11788
Phone: 631-689-1100
Fax: 631-751-0103
Email: rverspoor@epsteinplasticsurgery.com
Website: www.epsteinplasticsurgery.com

You may also file a complaint with the U.S. Department of Health and Human Services Office for Civil Rights. You will not be penalized or retaliated against for filing a complaint.
