HIPAA Notice of Privacy Practices (NPP): Your Rights and How We Use Your Health Information
Access to Records
You have the right to inspect and get a copy of your Protected Health Information (PHI) that we maintain in your medical and billing records. Upon a written request, we will provide access in the form and format you request—paper or electronic—if readily producible, or in an agreed alternative. You may also direct us to send an electronic copy to a third party of your choosing to support health information portability.
We generally respond within 30 days and may take one 30‑day extension with written notice explaining the delay. We charge only a reasonable, cost‑based fee for copying, mailing, and, when applicable, preparing a summary you agree to receive. In limited situations, we may deny access as permitted by law, but you may have the right to a review of that denial.
This access right reflects core Patient Rights under HIPAA and our commitment to Privacy Rule Compliance and the Minimum Necessary Standard for uses and disclosures unrelated to your request.
Amendment of Records
If you believe your PHI is incorrect or incomplete, you may request an amendment. Submit a written request that identifies the specific information to change and explains why. We will act within 60 days, with one possible 30‑day extension and written notice.
If we grant the request, we will amend the record and notify relevant parties you identify and those we know received the information. If we deny it—for example, because we did not create the record, or it is accurate and complete—you can submit a written statement of disagreement. We will include your statement, or a summary, with future disclosures of the disputed information.
Confidential Communications
You may ask us to communicate with you by alternative means or at alternative locations (for example, sending mail to a work address or using a secure portal). We will accommodate reasonable requests, and health plans must accommodate requests when you state that disclosure could endanger you. We may ask you to specify how and where to contact you and how you will handle payment responsibilities, if applicable.
Restrictions on Use and Disclosure
You may request restrictions on how we use and disclose your PHI for treatment, payment, or health care operations, and to family or friends involved in your care. While we are not required to agree, we must comply with a request to restrict disclosure to a health plan for payment or operations when you (or someone on your behalf) pay in full out of pocket for the related item or service.
Outside of emergencies or when required by law, we honor accepted restrictions and apply the Minimum Necessary Standard to limit PHI to what is reasonably necessary. For other sharing not described in this Notice, we will obtain your Authorization for Disclosure.
Accounting of Disclosures
You may request an accounting—a list of certain disclosures of your PHI we made in the six years before your request. The accounting includes the date, recipient, a brief description of the PHI disclosed, and the purpose (or a copy of the request that required the disclosure).
The accounting excludes disclosures for treatment, payment, and health care operations; disclosures to you; those you authorized; and certain other disclosures (such as for national security, correctional institutions, or incidental disclosures). You may receive one free accounting in a 12‑month period; we may charge a reasonable fee for additional requests.
Uses of Health Information
We may use and disclose PHI without your authorization for treatment, payment, and health care operations; to comply with laws; for public health and health oversight activities; to respond to court orders and certain law enforcement requests; to avert a serious threat; for organ and tissue donation; for research under approved safeguards; for workers’ compensation; and for other specialized government functions as permitted by the Privacy Rule.
We will obtain your Authorization for Disclosure for uses and disclosures not described above, including most marketing communications, any sale of PHI, and most uses of psychotherapy notes. You may revoke an authorization at any time in writing, except to the extent we have already relied on it.
We follow the Minimum Necessary Standard for applicable uses and disclosures, implement Data Security Safeguards (administrative, physical, and technical) to protect your information, and maintain Privacy Rule Compliance. If a breach of unsecured PHI occurs, we will notify you as required.
Filing Complaints
If you believe your privacy rights have been violated, you may file a complaint with us by contacting our Privacy Officer in writing and describing what happened, when it occurred, and how we may reach you. You may also file a complaint with the U.S. Department of Health and Human Services, Office for Civil Rights, generally within 180 days of when you knew or should have known of the issue. We will not retaliate against you for filing a complaint.
In summary, this HIPAA Notice of Privacy Practices explains your Patient Rights under HIPAA—access, amendment, confidential communications, restrictions, and an accounting of disclosures—along with how and why we use and disclose PHI, when we seek your authorization, and how we protect your information with rigorous safeguards.
FAQs
What is the purpose of the HIPAA Notice of Privacy Practices?
The Notice explains how we may use and disclose your Protected Health Information (PHI), the choices you can make, and your Patient Rights under HIPAA. It outlines permitted uses (like treatment, payment, and operations), when Authorization for Disclosure is required, and how we meet Privacy Rule Compliance and Data Security Safeguards.
How can I request an amendment to my health records?
Send us a written request identifying the information to change and why it is inaccurate or incomplete. We act within 60 days (with one possible 30‑day extension). If approved, we amend the record and notify appropriate parties; if denied, you may submit a statement of disagreement that will accompany future disclosures of the disputed information.
What types of disclosures require authorization under HIPAA?
Disclosures not otherwise permitted or required—such as most marketing, any sale of PHI, and most uses of psychotherapy notes—require your written Authorization for Disclosure. Many other disclosures described in the Notice do not require authorization, but we still apply the Minimum Necessary Standard when applicable.
How do I file a complaint if my privacy rights are violated?
You may file a written complaint with our Privacy Officer describing the concern and dates involved, or with the U.S. Department of Health and Human Services, Office for Civil Rights, generally within 180 days of learning of the issue. We prohibit retaliation and will address your concerns promptly.