HIPAA NOTICE OF PRIVACY PRACTICES (NPP)

Your Information. Your Rights. Our Responsibilities.
Effective Date: 12/1/2023
Last Updated: 12/21/2025

THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.

1) CONTACT / PRIVACY OFFICER
Our Health Information Privacy Officer:
Name/Title: Jason Giffi
Phone: 240-931-0139
Email: contactus@ultimatewell.com

IMPORTANT: If you email us, PLEASE DO NOT include medical details in the email. Provide enough information so we can identify you, then we will communicate through a secure method (such as a patient portal/telemedicine platform) or by phone.

Mailing Address:  5732 Buckeystown Pike, Unit 4, Frederick, MD 21704


2) OUR DUTIES
We are required by law to:
• Maintain the privacy and security of your Protected Health Information (“PHI”).
• Provide you with this Notice of our legal duties and privacy practices.
• Follow the terms of this Notice currently in effect.

PHI generally includes information about your health condition, healthcare services you receive, or payment for those services that can identify you.

We will notify you as required by law if a breach occurs that may have compromised the privacy or security of your PHI.


3) YOUR RIGHTS
When it comes to your PHI, you have certain rights. This section explains your rights and some of our responsibilities to help you.

A) Get a copy of your medical record
• You can ask to see or get an electronic or paper copy of your medical record and other PHI we have about you.
• We will provide a copy or a summary, typically within 30 days of your request (or as required by law). We may charge a reasonable, cost-based fee.

B) Ask us to correct your medical record
• You can ask us to correct PHI you believe is incorrect or incomplete.
• We may deny your request in certain cases, but we will provide a written explanation, generally within 60 days (or as required by law).

C) Request confidential communications
• You can ask us to contact you in a specific way (for example, only on a certain phone number) or to send mail to a different address.
• We will accommodate reasonable requests.

D) Ask us to limit what we use or share
• You can ask us not to use or disclose certain PHI for treatment, payment, or healthcare operations.
• We are not required to agree to all requests. If we agree, we will follow the agreed limits unless needed for emergency treatment or as required by law.
• If you pay out-of-pocket in full for a service or item, you can ask us not to share that information with your health insurer for payment or operations. We will honor that request unless a law requires us to share it.

E) Get a list of certain disclosures
• You can ask for a list (“accounting”) of certain disclosures of your PHI made in the 6 years prior to your request (excluding disclosures for treatment, payment, healthcare operations, and certain other exceptions).
• One accounting per 12 months is generally provided at no charge; we may charge a reasonable fee for additional requests in the same 12-month period.

F) Get a copy of this Notice
• You can ask for a paper copy of this Notice at any time, even if you agreed to receive it electronically.

G) Choose someone to act for you
• If you have a legal guardian or someone with medical power of attorney, that person can exercise your rights and make choices about your PHI after we verify their authority.

H) File a complaint if you believe your rights are violated
• You can complain if you believe we have violated your privacy rights by contacting our Privacy Officer.
• You can also file a complaint with the U.S. Department of Health and Human Services, Office for Civil Rights (OCR).
• We will not retaliate against you for filing a complaint.


4) YOUR CHOICES
You have choices for certain PHI disclosures. If you have a clear preference, tell us and we will follow your instructions, as applicable.

In these situations, you can tell us what to do:
• Share information with your family, close friends, or others involved in your care.
• Share information in a disaster relief situation.

If you are not able to tell us your preference (for example, if you are unconscious), we may share information if we believe it is in your best interest, consistent with applicable law.

Marketing:
We will not use or disclose your PHI for marketing purposes where HIPAA requires written authorization, unless you sign an authorization.

Sale of PHI:
We will not sell your PHI unless you sign an authorization (if permitted by law).

Fundraising (if applicable):
If we ever contact you for fundraising, you will have the right to opt out of those communications.


5) OUR USES AND DISCLOSURES
We may use and disclose your PHI without your written authorization in the following circumstances:

A) To treat you
We can use your PHI and share it with other professionals who are treating you (for example, laboratories, pharmacies, or other providers involved in your care).

B) To bill for services and receive payment
We can use and disclose your PHI to bill and collect payment from health plans or other entities responsible for payment, when applicable.

C) To run our practice (healthcare operations)
We can use and disclose your PHI for healthcare operations, such as quality improvement, training, licensing, auditing, business planning, and general practice administration.

D) Appointment reminders and service-related communications
We may contact you (by phone, text, email, mail, or through a portal/platform) with appointment reminders and information about services you request. You can ask for confidential communications (see Section 3C).

E) Business associates
We may disclose PHI to service providers (“business associates”) that help us operate our practice or provide services (for example, EHR/operations, telemedicine platforms, communications vendors, billing support, IT). They are required to protect PHI under HIPAA and contract terms.

Examples of business associates we may use include:
• OptiMantra (EHR/practice management/scheduling)
• MyBodySite (telemedicine, secure messaging/chat, scheduling)
• GoTo (phone/communications systems)

F) As required by law and for public health and safety
We may disclose PHI as permitted or required by law, including for:
• Public health reporting
• Health oversight activities (audits, inspections, investigations)
• Reporting abuse, neglect, or domestic violence (as allowed/required)
• Law enforcement requests (as allowed/required)
• Court orders, subpoenas, and legal proceedings (as allowed/required)
• Coroners/medical examiners and funeral directors
• Workers’ compensation claims
• To prevent or reduce a serious threat to health or safety


6) OUR RESPONSIBILITIES
• We must follow the duties and privacy practices described in this Notice.
• We will not use or disclose your PHI other than as described here unless required by law or you authorize us in writing.
• We reserve the right to change this Notice, and the changes will apply to all PHI we maintain. The updated Notice will be available on our website and upon request.


7) QUESTIONS / REQUESTS
To exercise your HIPAA rights (records request, amendments, restrictions, confidential communications) contact our Privacy Officer using the information above. We may ask you to submit requests in writing and may require identity verification.