Legal

Notice of Privacy Practices

Effective Date: January 24, 2026

THIS NOTICE IS A CRITICAL LEGAL DOCUMENT. IT DESCRIBES HOW YOUR PROTECTED HEALTH INFORMATION (PHI) MAY BE USED AND DISCLOSED, YOUR RIGHTS REGARDING THIS INFORMATION, AND OUR LEGAL OBLIGATIONS. PLEASE REVIEW IT WITH CARE.

Table of Contents

PART I: INTRODUCTION & FUNDAMENTALS

1. Our Pledge: A Commitment to Your Privacy

This Notice of Privacy Practices ("Notice") is provided on behalf of the independent medical groups and their affiliated healthcare providers (collectively, the "Medical Groups," "we," "us," or "our"). We provide professional medical services through the technology platform (the “Platform”) operated by VirtuallyWell LLC (“VirtuallyWell”). We recognize the profound trust you place in us when you share your health information. We are legally and ethically bound to protect the privacy and security of that information. This Notice is designed to provide you with a comprehensive understanding of our practices and your rights.

2. Applicability: Who This Notice Governs

This Notice applies to the privacy practices of:

  • All Affiliated Healthcare Professionals: Every physician, physician assistant, nurse practitioner, and other licensed healthcare professional who is part of our workforce and provides care to you.
  • All Staff & Personnel: All employees, staff, and other personnel of the Medical Groups who may need access to your information to perform their jobs.

Our Business Associates: Third-party vendors that perform functions on our behalf. Our primary business associate is VirtuallyWell, which provides the Platform and administrative support. We require all business associates to sign a legally binding contract (a Business Associate Agreement) that obligates them to protect your PHI to the same high standard that we do.

As a healthcare provider, we are required by the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") to:

  • Maintain Privacy and Security: We must implement and maintain reasonable and appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of your PHI.
  • Provide this Notice: We must provide you with this detailed Notice of our legal duties and privacy practices.
  • Adhere to this Notice: We must follow the terms of the Notice that is currently in effect.
  • Notify You of a Breach: In the unfortunate event of a data breach involving your unsecured PHI, we must notify you without unreasonable delay.

4. Core Concepts: Defining Protected Health Information (PHI)

Protected Health Information (PHI) is any information, in any form (electronic, paper, or oral), that can be used to identify you and that relates to:

Your past, present, or future physical or mental health or condition.

The provision of healthcare to you.

The past, present, or future payment for your healthcare.

PHI includes not only your clinical records but also demographic information like your name, address, date of birth, and Social Security number when linked to your health data.

PART II: USE & DISCLOSURE OF YOUR PHI

5. Standard Uses and Disclosures: Treatment, Payment, & Health Care Operations

HIPAA allows us to use and disclose your PHI without your specific written authorization for three primary purposes, known as TPO: Treatment, Payment, and Health Care Operations.

  • For Treatment: We use and disclose your PHI to provide, coordinate, and manage your healthcare.
  • For Payment: We use and disclose your PHI to bill and collect payment for the services you receive.
  • For Health Care Operations: We use and disclose your PHI for the necessary business functions of our practice.

6. In-Depth Look at Standard Uses: Specific Scenarios & Examples

Treatment Scenarios:

A provider may access your past medical history to inform a current diagnosis.

We may disclose your prescription information to a pharmacy to check for potential drug interactions.

We may share your diagnostic test results with a specialist for a consultation.

Our clinical staff may internally discuss your treatment plan to ensure care coordination.

Payment Scenarios:

We may disclose your PHI to a third-party payment processor to bill your credit card.

We may use your PHI to determine your eligibility for services or to justify charges in a billing dispute.

If you use a health plan, we may send a claim to them for payment, which includes your diagnosis and the services rendered.

Health Care Operations Scenarios:

  • Quality Improvement: We may review patient records to evaluate the performance of our providers and identify opportunities to improve patient safety and outcomes.
  • Training: We may use de-identified case information to train new clinical staff.
  • Legal & Compliance: We may disclose PHI to our attorneys or auditors to ensure we are complying with HIPAA and other laws.
  • Business Management: We may use PHI for financial planning, forecasting service demand, and other administrative tasks.

7. Uses and Disclosures Requiring Your Opportunity to Agree or Object

For certain disclosures, we must provide you with an opportunity to agree or object:

Individuals Involved in Your Care: We may disclose PHI to a family member, friend, or other person you identify who is involved in your care or payment, but only the PHI that is directly relevant to their involvement. If you are present and have the capacity to make healthcare decisions, we will ask for your agreement. In an emergency, we may use our professional judgment to disclose PHI if it is in your best interest.

8. Uses and Disclosures Requiring Your Specific Written Authorization

Any use or disclosure of your PHI not described in this Notice will be made only with your specific, voluntary written authorization. The following categories particularly require your authorization:

  • Psychotherapy Notes: Most uses and disclosures of psychotherapy notes require your explicit authorization.
  • Marketing: We will not use or disclose your PHI for marketing purposes without your authorization.
  • Sale of PHI: We will not sell your PHI without your authorization.

You may revoke your authorization at any time by submitting a written request. The revocation will not apply to disclosures we have already made in reliance on your prior authorization.

9. Special Categories of Use and Disclosure Without Authorization (Public Interest & National Priority)

HIPAA permits or requires us to use or disclose PHI without your authorization for specific public interest purposes:

  • As Required by Law: We must disclose PHI when required by a federal, state, or local law.
  • Public Health Activities: To public health authorities for purposes like preventing or controlling disease, injury, or disability.
  • Health Oversight Activities: To agencies for audits, investigations, and licensure.
  • Judicial and Administrative Proceedings: In response to a court order or subpoena.
  • Law Enforcement Purposes: To law enforcement officials for specific purposes, such as identifying a suspect or reporting a crime.

Coroners, Medical Examiners, and Funeral Directors: As necessary for them to carry out their duties.

  • Organ and Tissue Donation: To facilitate organ or tissue donation and transplantation.
  • Research: For research purposes, subject to strict privacy protections and oversight.
  • To Avert a Serious Threat: To prevent a serious and imminent threat to the health or safety of a person or the public.
  • Specialized Government Functions: For military, national security, and other government functions.
  • Workers’ Compensation: To comply with workers' compensation laws.

PART III: YOUR RIGHTS AS A PATIENT

10. Your Bill of Rights Regarding Your PHI

You have the following fundamental rights concerning your PHI. Each right is explained in detail below.

11. Right to Inspect and Obtain a Copy of Your PHI

You have the right to inspect and obtain a copy of your PHI that we maintain in a "designated record set" (your medical and billing records).

  • Process: You must submit a written request to our Privacy Officer. We will provide a form for this purpose.
  • Format: We will provide your records in the electronic format you request if it is readily producible. Otherwise, we will provide a readable hard copy or another mutually agreeable format.
  • Timeline: We will respond within 30 days of receiving your request. We may extend this time by an additional 30 days if we provide you with a written explanation for the delay.
  • Fees: We may charge a reasonable, cost-based fee for the costs of copying, mailing, or other supplies.
  • Denial: In very limited circumstances, we may deny your request (e.g., if we believe access could cause harm). We will provide a written denial with the reason and your right to have the denial reviewed.

12. Right to Request an Amendment to Your PHI

If you believe your PHI is incorrect or incomplete, you may ask us to amend it.

  • Process: Your request must be in writing and include a reason to support it.
  • Timeline: We will respond within 60 days. We may extend this by 30 days with a written explanation.
  • Denial: We may deny your request if the information is accurate and complete, was not created by us, or is not part of the records you are permitted to inspect.
  • Response: If we deny your request, we will provide a written explanation. You have the right to file a statement of disagreement, which will become part of your record.

13. Right to an Accounting of Disclosures

You have the right to a list of certain disclosures we have made of your PHI for purposes other than TPO.

  • Process: You must submit a written request specifying a time period, which may not be longer than six years.
  • Timeline & Fees: We will respond within 60 days. The first accounting in a 12-month period is free. We will charge a fee for additional requests and will notify you of the fee in advance.

14. Right to Request Restrictions on Uses and Disclosures

You have the right to request a restriction on how we use or disclose your PHI for TPO.

Our Obligation: We are not required to agree to your request, except in one limited case: if you pay for a service out-of-pocket in full and request that we not disclose information about that service to your health plan, we must honor that request.

15. Right to Request Confidential Communications

You can ask us to communicate with you in a certain way or at a certain location (e.g., only by email, or only at a specific phone number). We will accommodate all reasonable requests.

16. Right to a Copy of This Notice

You have the right to a paper or electronic copy of this Notice at any time upon request.

17. Right to Be Notified of a Breach

You have the right to be notified following a breach of your unsecured PHI.

Part Iv: Operational & Administrative Provisions

18. The Role of Business Associates, Including VirtuallyWell

We conduct some of our business functions through contracts with business associates. Our primary business associate, VirtuallyWell, provides the technology Platform and essential administrative services. When we engage a business associate, we require them to sign a Business Associate Agreement that legally obligates them to safeguard your PHI with the same level of protection that we provide.

19. Data Security: Our Safeguards

We are committed to protecting your PHI from unauthorized access, use, or disclosure. We employ a range of administrative, physical, and technical safeguards, including:

  • Administrative: Policies and procedures, security training for our workforce, and risk assessments.
  • Physical: Controlled access to our facilities and workstations.
  • Technical: Encryption, access controls, and audit logs to protect electronic PHI.

20. State-Specific Privacy Laws & Stricter Protections

Some states have laws that provide more stringent privacy protections than HIPAA, especially for sensitive information like mental health records, substance abuse treatment, genetic information, or HIV/AIDS status. We will comply with these stricter state laws where they are applicable to our services.

21. Changes to This Notice

We reserve the right to change the terms of this Notice at any time. The revised Notice will be effective for all PHI we maintain. The current Notice will always be available on the VirtuallyWell website.

22. How to File a Complaint

If you believe your privacy rights have been violated, you may file a complaint with us or with the U.S. Department of Health and Human Services. You will not be retaliated against for filing a complaint.

  • To complain to us: Contact our Privacy Officer in writing at the address below.
  • To complain to the government: Contact the U.S. Department of Health and Human Services, Office for Civil Rights. You can find details at www.hhs.gov/ocr.

23. Our Privacy Officer: Contact Information

For questions, concerns, or to exercise your rights, please contact:

VirtuallyWell Privacy Officer
1633 W Innovation Way, 5th Floor
Lehi, UT 84043
Email: privacy@virtuallywell.com

24. Acknowledgment of Receipt

By using the services of the Medical Groups through the Platform, you acknowledge that you have received and have had the opportunity to review this Notice of Privacy Practices.