We collect Protected Health Information (PHI) necessary to provide quality medical care and to comply with legal requirements. This information may include:

1.1 Registration Information

• Full name, date of birth, and Social Security number
• Home address, phone number, and email address
• Emergency contact information
• Insurance information (policy numbers, group numbers, subscriber details)
• Government-issued identification
• Employment information (when applicable)

1.2 Medical Information

• Medical history, including past illnesses, surgeries, and hospitalizations
• Current and past medications, including dosages and prescribing physicians
• Allergies and adverse drug reactions
• Family medical history
• Current symptoms and reason for visit
• Vital signs (blood pressure, temperature, heart rate, etc.)
• Physical examination findings
• Diagnostic test results (X-rays, laboratory tests, etc.)
• Diagnoses and treatment plans
• Progress notes and follow-up information
• Immunization records

1.3 Payment Information

• Insurance claims and payment information
• Credit card and payment transaction details (processed through secure payment processors)
• Billing and collection records

1.4 Telehealth Information

• Video consultation recordings (when consent is provided)
• IP address and device information for security purposes
• Session logs and technical connectivity data

We use and disclose your health information for the following purposes:

2.1 Treatment

We use your PHI to provide, coordinate, and manage your medical care. This includes:

• Diagnosis and treatment of illnesses and injuries
• Prescribing medications and therapies
• Ordering and interpreting diagnostic tests
• Referrals to specialists and other healthcare providers
• Coordination with your primary care physician
• Follow-up care and monitoring

Example: We may share your X-ray results with an orthopedic specialist to whom we refer you for a suspected fracture.

2.2 Payment

We use your PHI to obtain payment for services we provide. This includes:

• Billing your insurance company for services rendered
• Determining insurance eligibility and coverage
• Processing claims and appeals
• Collection of outstanding balances
• Responding to payment-related inquiries

Example: We will submit claims to your insurance company with diagnostic codes and treatment information to obtain reimbursement.

2.3 Healthcare Operations

We use your PHI to support the operation and improvement of our clinic:

• Quality assessment and improvement activities
• Staff training and education
• Accreditation, licensing, and credentialing
• Business planning and development
• Management and administrative functions
• Compliance audits and legal reviews

2.4 Other Permitted Uses

HIPAA allows us to use or disclose your PHI without your authorization for:

• Public Health Activities: Reporting communicable diseases, disease outbreaks, and adverse drug reactions to public health authorities
• Legal Requirements: Complying with court orders, subpoenas, and other legal processes
• Law Enforcement: Responding to lawful requests from law enforcement agencies
• Health Oversight: Providing information to agencies conducting audits, investigations, or inspections
• Workers’ Compensation: Processing workers’ compensation claims when applicable
• Serious Threats: Preventing or lessening serious threats to health or safety

We implement comprehensive physical, technical, and administrative safeguards to protect your PHI from unauthorized access, use, or disclosure:

3.1 Physical Safeguards

• Secure facility access with controlled entry points
• Locked storage for physical medical records and documents
• Secure disposal of documents containing PHI (shredding, secure recycling)
• Workstation security and privacy screens
• Visitor log and badge system for facility access tracking

3.2 Technical Safeguards

• Encrypted electronic health records (EHR) systems
• Secure, password-protected user access with multi-factor authentication
• Regular security updates and patches to software systems
• Firewall protection and intrusion detection systems
• Encrypted email communication for sensitive information
• HIPAA-compliant telehealth platforms with end-to-end encryption
• Automatic logoff after periods of inactivity
• Regular data backups stored in secure, encrypted locations

3.3 Administrative Safeguards

• Comprehensive HIPAA training for all staff members
• Written policies and procedures for privacy and security
• Designated Privacy Officer responsible for compliance oversight
• Regular risk assessments and security audits
• Business Associate Agreements with third-party vendors
• Incident response plan for potential breaches
• Employee confidentiality agreements and sanctions for violations

3.4 Data Breach Notification

In the event of a breach of unsecured PHI, we will notify affected individuals and, when required, the U.S. Department of Health and Human Services and media outlets, in accordance with HIPAA Breach Notification Rules.

Under HIPAA, you have the following rights regarding your Protected Health Information:

4.1 Right to Access Your Medical Records

You have the right to inspect and obtain a copy of your medical records. To request your records:

• Submit a written request to our Privacy Officer
• We will respond within 30 days (or 60 days if records are stored off-site)
• We may charge a reasonable, cost-based fee for copies
• We may deny access in certain limited circumstances as permitted by law

4.2 Right to Request Amendment

If you believe information in your medical record is incorrect or incomplete, you may request an amendment:

• Submit a written request explaining what should be changed and why
• We may approve or deny your request
• If denied, you may submit a statement of disagreement to be included in your record
• We will notify you of our decision within 60 days

4.3 Right to Request Restrictions

You may request restrictions on how we use or disclose your PHI for treatment, payment, or healthcare operations:

• We are not required to agree to all restriction requests
• If we agree, we will comply with the restriction unless needed for emergency treatment
• We must agree to requests to restrict disclosures to health plans if you pay out-of-pocket in full

4.4 Right to Confidential Communications

You may request that we communicate with you about your health information in a specific manner or at a certain location:

• Request communications at an alternative address or phone number
• Request communications in a sealed envelope
• We will accommodate reasonable requests

4.5 Right to an Accounting of Disclosures

You have the right to receive a list of certain disclosures we have made of your PHI:

• The accounting covers the six years prior to your request (or since April 14, 2003, whichever is shorter)
• Does not include disclosures for treatment, payment, healthcare operations, or those made with your authorization
• First accounting in a 12-month period is free; subsequent requests may incur a fee

4.6 Right to a Paper Copy of This Notice

You have the right to receive a paper copy of this Privacy Policy at any time, even if you have previously agreed to receive it electronically. Contact us to request a copy.

4.7 Right to Revoke Authorization

If you have provided written authorization for a specific use or disclosure of your PHI, you may revoke that authorization at any time by submitting a written revocation. The revocation will not affect disclosures already made based on your authorization.

We may share your PHI with third parties in the following circumstances:

5.1 Business Associates

We contract with third-party service providers (“Business Associates”) who perform functions on our behalf and require access to PHI:

• Electronic health record (EHR) system vendors
• Billing and coding services
• Laboratory testing services
• Radiology interpretation services
• Telehealth platform providers
• Legal and consulting services

All Business Associates are required to sign HIPAA-compliant Business Associate Agreements ensuring they protect your PHI with the same standards we maintain.

5.2 Healthcare Providers

We may share your information with:

• Your primary care physician for care coordination
• Specialists to whom we refer you
• Hospitals, emergency departments, and other treatment facilities
• Pharmacies for prescription fulfillment
• Physical therapists, chiropractors, and other allied health professionals

5.3 Insurance Companies

We share PHI with your insurance company for:

• Claims processing and payment
• Pre-authorization and utilization review
• Coverage determinations
• Case management services

5.4 Family Members and Personal Representatives

Unless you object, we may disclose PHI to family members, friends, or others involved in your care or payment for care. We will use professional judgment to determine what information is relevant to their involvement.

We retain your medical records in accordance with federal and Arizona state law:

• Adult Patients: Medical records are retained for a minimum of 6 years from the date of last treatment
• Minor Patients: Medical records are retained until the patient reaches age 21, or for 6 years from the date of last treatment, whichever is longer
• Billing Records: Retained for 7 years to comply with IRS requirements
• X-Rays and Diagnostic Images: Retained for 5 years from the date of imaging

After the retention period expires, records are securely destroyed in compliance with HIPAA standards (shredding, incineration, or secure electronic deletion).

We reserve the right to modify this Privacy Policy at any time. Changes will be effective immediately upon posting. The revised policy will apply to all PHI we maintain, including information created or received before the changes.

We will post the current Privacy Policy at our clinic and on our website. You may request a paper copy at any time.