Notice of Privacy Practices
Arizona Telepsychiatry Clinic — HIPAA Privacy Rule Compliance
Provider: Lindsay Hart, PMHNP-BC (Psychiatric Nurse Practitioner)
Effective Date: March 6, 2026
THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
1. Introduction
Arizona Telepsychiatry Clinic is committed to protecting your health information. This Notice of Privacy Practices describes how we collect, use, and disclose your Protected Health Information (PHI) in compliance with the Health Insurance Portability and Accountability Act (HIPAA) and other applicable privacy laws.
As a telehealth-based psychiatric practice, we provide online ADHD evaluations and treatment services exclusively to adults in Arizona. We understand the sensitive nature of mental health information and take our responsibility to protect your privacy seriously.
2. Our Legal Duties
We are required by law to:
- Maintain the privacy of your Protected Health Information
- Provide you with this Notice of our legal duties and privacy practices
- Follow the terms of the Notice currently in effect
- Notify you if we are unable to agree to a requested restriction on how we use or disclose your information
- Notify you and the Department of Health and Human Services if a breach of your unsecured PHI occurs
3. Information We Collect
In the course of providing telepsychiatry services, we collect and maintain the following types of Protected Health Information:
Demographic Information:
- Full name
- Date of birth
- Home address
- Phone number(s)
- Email address
- Emergency contact information
Medical Information:
- Medical history and current conditions
- Psychiatric history and symptoms
- Current medications and allergies
- Family medical and psychiatric history
- Treatment notes and clinical assessments
- Prescription records
- Progress notes and treatment outcomes
Insurance and Billing Information:
- Insurance company name and policy information
- Payment information
- Billing records and claims
Technical Information from Telehealth Sessions:
- Session date, time, and duration
- Video conferencing connection data (IP address may be temporarily logged)
- Device and browser information used to access services
4. How We Use and Disclose Your Protected Health Information
A. Uses and Disclosures for Treatment, Payment, and Healthcare Operations
We may use and disclose your PHI without your written authorization for the following purposes:
Treatment:
We use and disclose your PHI to provide, coordinate, and manage your healthcare services. Examples include:
- Conducting psychiatric evaluations and assessments
- Developing and implementing treatment plans
- Prescribing and managing medications
- Consulting with other healthcare providers involved in your care
- Referring you to specialists or other mental health professionals when appropriate
- Coordinating care with your primary care physician (with your consent)
Payment:
We use and disclose your PHI to obtain payment for services provided. Examples include:
- Submitting claims to your health insurance company
- Verifying your insurance coverage and eligibility
- Processing credit card or other payment transactions
- Responding to insurance company inquiries about services provided
- Collection activities for unpaid balances
Healthcare Operations:
We use and disclose your PHI for our healthcare operations. Examples include:
- Quality assessment and improvement activities
- Training and education of healthcare professionals
- Compliance with legal and regulatory requirements
- Business planning and administrative activities
- Customer service and appointment reminders
B. Uses and Disclosures That Require Your Authorization
Other uses and disclosures of your PHI require your written authorization, including:
- Marketing purposes (we do not currently engage in marketing)
- Sale of your PHI (we do not sell your information)
- Most uses and disclosures of psychotherapy notes (if separately maintained)
- Release of information to family members, friends, or others you designate
- Any other purpose not described in this Notice
You have the right to revoke any authorization in writing at any time, except to the extent that we have already taken action in reliance on your authorization.
C. Uses and Disclosures Without Authorization (As Required or Permitted by Law)
In certain situations, we may use or disclose your PHI without your authorization:
When Required by Law:
- In response to court orders, subpoenas, or legal proceedings
- To comply with workers' compensation laws
- For law enforcement purposes in specific circumstances
- To health oversight agencies for audits and investigations
Public Health and Safety:
- To prevent or control disease, injury, or disability
- To report abuse, neglect, or domestic violence when required by law
- To report adverse events related to medications or medical devices
Health and Safety Emergencies:
- To avert a serious threat to your health or safety or that of others
- To notify appropriate authorities if we believe you present a danger to yourself or others
- In emergency treatment situations
Specialized Government Functions:
- For military and veterans' activities
- For national security and intelligence activities
- For protective services for the President and others
Coroners, Medical Examiners, and Funeral Directors:
- To identify a deceased person or determine cause of death
Research:
- For research purposes when approved by an institutional review board or privacy board (only with your authorization or when permitted by law)
5. Your Privacy Rights
Under HIPAA, you have the following rights regarding your Protected Health Information:
Right to Access Your Medical Records
You have the right to inspect and obtain a copy of your medical records and billing records. To request access:
- Submit a written request to our Privacy Officer
- We will respond within 30 days of receiving your request
- We may charge a reasonable, cost-based fee for copying and mailing
- In certain limited circumstances, we may deny access; you may request a review of the denial
Right to Request Amendment
If you believe your medical records are incorrect or incomplete, you may request an amendment:
- Submit a written request explaining the reason for the amendment
- We will respond within 60 days
- We may deny your request if the information is accurate and complete, but we will provide you with a written explanation
- You may submit a statement of disagreement that will be included in your record
Right to an Accounting of Disclosures
You have the right to receive a list of certain disclosures we have made of your PHI:
- The accounting covers up to six years prior to your request
- It does not include disclosures for treatment, payment, healthcare operations, or disclosures made with your authorization
- The first accounting in a 12-month period is free; subsequent requests may incur a reasonable fee
Right to Request Restrictions
You have the right to request restrictions on how we use or disclose your PHI:
- We are not required to agree to your request, except in one circumstance: if you pay out-of-pocket in full for a service and request that we not disclose PHI related solely to that service to your health plan, we must agree (unless disclosure is required by law)
- If we agree to a restriction, we must follow it unless the information is needed for emergency treatment
- Submit requests in writing to our Privacy Officer
Right to Request Confidential Communications
You have the right to request that we communicate with you about your PHI in a certain way or at a certain location:
- For example, you may request that we contact you only at work or only by mail
- We will accommodate reasonable requests
- Submit requests in writing to our Privacy Officer
Right to a Paper Copy of This Notice
You have the right to receive a paper copy of this Notice at any time, even if you previously agreed to receive it electronically. Contact us to request a paper copy.
Right to be Notified of a Breach
You have the right to be notified if there is a breach of your unsecured PHI.
Right to Choose Someone to Act for You
If you have given someone medical power of attorney or if someone is your legal guardian, that person can exercise your rights and make choices about your health information.
6. Telehealth-Specific Privacy Information
Video Conferencing Technology
Arizona Telepsychiatry Clinic provides services exclusively through secure telehealth platforms. We use HIPAA-compliant video conferencing technology that includes:
- End-to-end encryption for all video sessions
- Secure, password-protected access
- No recording of sessions (unless specifically authorized by you in writing)
- Automatic disconnection and data deletion after sessions
Patient Responsibilities for Telehealth Privacy
To protect your privacy during telehealth sessions, we recommend that you:
- Join sessions from a private location where you cannot be overheard
- Use headphones or earbuds when possible
- Ensure your internet connection is secure (avoid public Wi-Fi)
- Close other applications on your device during sessions
- Use up-to-date antivirus and security software on your devices
- Refrain from recording sessions without prior written consent
Electronic Communications
We may communicate with you via email or text message for:
- Appointment reminders
- General health information
- Administrative matters
Email and standard text messaging are not completely secure. We will not discuss detailed medical information via unsecured email or text. You may opt out of electronic communications at any time.
7. Third-Party Service Providers
To provide our services and maintain our practice, we utilize certain third-party service providers who may have access to your PHI. We enter into Business Associate Agreements (BAAs) with these providers to ensure they maintain HIPAA-compliant security and privacy practices.
Current Third-Party Services:
Data Storage and Database Services:
- Supabase: We use Supabase as our secure, cloud-based database solution to store and manage patient records, appointment information, and clinical documentation. Supabase maintains HIPAA-eligible infrastructure with encryption at rest and in transit.
Video Conferencing:
- HIPAA-compliant video conferencing platforms for telehealth sessions
Payment Processing:
- PCI-DSS compliant payment processors for credit card transactions
Insurance Claims Processing:
- Electronic health record (EHR) and billing service providers for insurance claim submissions
All third-party providers are required to:
- Implement appropriate safeguards to protect your PHI
- Use PHI only for the purposes for which they were engaged
- Report any security incidents or breaches to us immediately
- Ensure their subcontractors also comply with HIPAA requirements
We regularly review and audit our third-party providers to ensure ongoing compliance with privacy and security requirements.
8. How We Protect Your Information
Technical Safeguards:
- Encryption of data in transit and at rest
- Secure, encrypted database storage (Supabase)
- Multi-factor authentication for system access
- Regular security updates and patches
- Automatic session timeouts
- Firewall and intrusion detection systems
- Regular security audits and vulnerability assessments
Physical Safeguards:
- Secure workstations with password protection
- Encrypted hard drives
- Secure disposal of PHI (shredding, secure electronic deletion)
- Restricted access to areas where PHI is stored
Administrative Safeguards:
- Privacy and security policies and procedures
- Staff training on HIPAA compliance
- Designated Privacy Officer and Security Officer
- Risk assessments and management
- Incident response and breach notification procedures
- Business Associate Agreements with all third-party vendors
9. Breach Notification
In the event of a breach of your unsecured Protected Health Information, we will notify you in accordance with HIPAA requirements.
What is a Breach?
A breach is an unauthorized acquisition, access, use, or disclosure of PHI that compromises the security or privacy of the information.
Our Breach Response:
- We will conduct a prompt investigation of any suspected breach
- If a breach is confirmed, we will notify affected individuals without unreasonable delay and no later than 60 days after discovery
- Notification will be provided by first-class mail or, if you prefer, by email
- The notification will include:
  - A description of what happened
  - The types of information involved
  - Steps you should take to protect yourself
  - What we are doing in response
  - Contact information for further questions
- We will also notify the U.S. Department of Health and Human Services and, if applicable, the media
What You Should Do:
If you believe your PHI has been compromised or misused, please contact our Privacy Officer immediately.
10. Minimum Necessary Standard
We are required to make reasonable efforts to limit the use and disclosure of, and requests for, PHI to the minimum necessary to accomplish the intended purpose. This does not apply to:
- Disclosures to or requests by healthcare providers for treatment purposes
- Uses or disclosures made to you
- Uses or disclosures made pursuant to your authorization
- Disclosures to the Department of Health and Human Services for compliance investigations
- Uses or disclosures required by law
11. Marketing and Fundraising
Arizona Telepsychiatry Clinic does not use or disclose your PHI for marketing purposes. We do not sell your information to third parties.
We do not engage in fundraising activities.
12. Psychotherapy Notes
If we maintain psychotherapy notes separately from your medical record, most uses and disclosures of these notes require your written authorization. Psychotherapy notes are notes recorded by a mental health professional documenting or analyzing the contents of conversation during a private counseling session and are kept separate from the rest of your medical record.
Your authorization is not required for us to use these notes for your treatment, for training our staff, or to defend ourselves in legal proceedings brought by you.
13. Arizona State Law
Arizona has specific laws regarding mental health records and patient privacy. When Arizona law provides greater privacy protections than HIPAA, we will follow the more stringent state requirements. This includes:
- Additional protections for mental health and substance abuse treatment records
- Specific requirements for disclosure of information to family members
- Mandatory reporting requirements for abuse and neglect
- Duty to warn in cases of serious threats to safety
14. Changes to This Notice
We reserve the right to change this Notice and make the new provisions effective for all PHI we maintain, including information created or received prior to the change. If we make material changes to this Notice, we will:
- Post the revised Notice on our website with the effective date
- Provide you with a copy at your next appointment or upon request
- Make the Notice available at our office (if applicable)
The current version of our Notice will always be available on our website and upon request.
15. Complaints
If you believe your privacy rights have been violated, you have the right to file a complaint with us or with the U.S. Department of Health and Human Services.
To File a Complaint with Us:
Contact our Privacy Officer using the contact information below. Please provide your complaint in writing.
To File a Complaint with the Government:
U.S. Department of Health and Human Services
Office for Civil Rights
200 Independence Avenue, S.W.
Washington, D.C. 20201
Phone: 1-877-696-6775
Website: www.hhs.gov/ocr/privacy/hipaa/complaints/
You will not be retaliated against or penalized in any way for filing a complaint.
16. Contact Information
Arizona Telepsychiatry Clinic
Privacy Officer: Lindsay Hart, PMHNP-BC
Email: privacy@arizonatelepsychiatry.com
Phone: [Insert Phone Number]
Address: [Insert Mailing Address]
Website: [Insert Website URL]
For questions about this Notice, to exercise your privacy rights, or to file a complaint, please contact our Privacy Officer using the information above.
17. Acknowledgment of Receipt
You will be asked to acknowledge receipt of this Notice. Your acknowledgment (or our good faith effort to obtain it) will be documented in your medical record. Signing the acknowledgment does not mean you are consenting to any use or disclosure of your PHI beyond what is described in this Notice.
Arizona Telepsychiatry Clinic is committed to protecting your privacy and maintaining the confidentiality of your health information. If you have any questions about this Notice or our privacy practices, please do not hesitate to contact us.