Last Updated: March 2025
Our Commitment to HIPAA
Health recognizes that access to medical information is deeply personal. We are fully committed to complying with the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule. Our policies, procedures, and technical systems are continuously audited and updated to ensure your health data remains confidential, accurate, and secure.
Core Principle: We only use or disclose your Protected Health Information (PHI) when permitted by law, when you authorize us, or when necessary to provide you with high-quality healthcare.
How We Safeguard Your Information
We implement comprehensive administrative, physical, and technical safeguards to protect PHI from unauthorized access, alteration, transmission, or destruction.
Technical Safeguards
AES-256 encryption for data at rest and in transit, multi-factor authentication, role-based access controls, automatic session timeouts, and continuous network monitoring.
Physical Safeguards
Controlled facility access, secure server rooms, workstation privacy screens, paper shredding protocols, and restricted access to printed medical records.
Administrative Safeguards
Mandatory HIPAA training for all staff, regular security risk assessments, documented incident response plans, and strict workforce confidentiality agreements.
Your Rights Under HIPAA
Federal law grants you specific rights regarding your health information. Health respects and facilitates these rights:
- Right to Access: You may request and obtain copies of your medical records and billing information within 30 days of your request.
- Right to Amend: If you believe information in your record is incorrect or incomplete, you may request a correction.
- Right to Request Restrictions: You may ask us to limit how we use or share your PHI for treatment, payment, or healthcare operations.
- Right to an Accounting of Disclosures: You may request a list of certain disclosures we made of your PHI in the past six years.
- Right to Confidential Communications: You may request that we contact you in a specific way or at a particular location (e.g., home vs. work).
- Right to a Paper Copy: You may receive a paper copy of our Notice of Privacy Practices upon request.
Business Associate Agreements (BAA)
When we engage third-party vendors that may access, process, or store your PHI (such as cloud hosting providers, billing processors, or telehealth platforms), we execute legally binding Business Associate Agreements. These contracts require our partners to implement the same rigorous safeguards and comply with all applicable HIPAA regulations.
Data Breach Notification
In the unlikely event of a security incident involving PHI, Health will follow a strict breach response protocol. We are committed to notifying affected individuals, the Department of Health and Human Services (HHS), and, when required, media outlets, within the timelines mandated by the HITECH Act and HIPAA Breach Notification Rule. Our incident response team conducts immediate containment, forensic analysis, and remediation to prevent further unauthorized access.
How to File a Complaint or Exercise Your Rights
If you believe your privacy rights have been violated, or if you wish to exercise any of the rights described above, please contact our designated Privacy Officer. You will never face retaliation for filing a complaint.
Health Privacy & Compliance Office
123 Health Avenue, Suite 400
New York, NY 10001
You may also file a complaint directly with the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) at www.hhs.gov/ocr.
Policy Updates
HIPAA regulations and industry best practices evolve over time. Health reserves the right to update this compliance page to reflect changes in federal law, technology, or our internal security infrastructure. Patients will be notified of material changes through secure patient portal messages, mailed notices, or updates to our Notice of Privacy Practices.