HIPAA Privacy Policy

Our Commitment to Your Privacy

Nivano Physicians is committed to protecting the privacy and security of your Protected Health Information (PHI). As a covered entity under the Health Insurance Portability and Accountability Act (HIPAA), we are required to maintain the privacy of your health information and provide you with this notice of our legal duties and privacy practices.

Legal Framework

This policy is established in compliance with:

• 45 CFR Part 164, Subparts A and E – HIPAA Privacy Rule
• 45 CFR Part 164, Subparts A and C – HIPAA Security Rule
• HITECH Act (42 USC 17921 et seq.)
• California Confidentiality of Medical Information Act (CMIA)
• OCR Guidance on Tracking Technologies (March 2024)

What is Protected Health Information (PHI)?

Protected Health Information (PHI) includes all individually identifiable health information that we create, receive, maintain, or transmit in any form (electronic, paper, or oral) that relates to:

• Your past, present, or future physical or mental health condition
• The provision of healthcare to you
• The payment for healthcare services provided to you

Examples of PHI Include:

• Medical records and clinical notes
• Laboratory results and diagnostic images
• Treatment plans and medication lists
• Billing and payment information
• Insurance and claims information
• Appointment scheduling information
• Communications about your care

How We May Use and Disclose Your PHI

Uses and Disclosures for Treatment, Payment, and Healthcare Operations

We may use and disclose your PHI without your authorization for:

Treatment

• Coordinating your care among healthcare providers
• Consulting with specialists and other healthcare professionals
• Sharing information with healthcare team members
• Providing referrals to other healthcare providers
• Emergency treatment when immediate care is needed

Example: We may share your medical information with a specialist to whom you have been referred for treatment.

Payment

• Processing insurance claims and prior authorizations
• Billing for services provided to you
• Collecting payment for services rendered
• Verifying insurance coverage and benefits
• Conducting utilization review and medical necessity determinations

Example: We may submit claims to your insurance company that include your diagnosis and treatment information.

Healthcare Operations

• Quality assessment and improvement activities
• Case management and care coordination
• Provider credentialing and performance evaluation
• Compliance and fraud prevention activities
• Business planning and administrative functions

Example: We may use your health information to evaluate the quality of care provided by our healthcare providers.

Uses and Disclosures That Require Your Authorization

We will obtain your written authorization before using or disclosing your PHI for:

• Marketing purposes (with limited exceptions)
• Sale of PHI to third parties
• Most uses of psychotherapy notes
• Research studies (unless waiver approved)
• Other purposes not covered by treatment, payment, or healthcare operations

Uses and Disclosures That May Be Made Without Your Authorization

In certain situations, we may use or disclose your PHI without your authorization, including:

Required by Law

• Legal proceedings and court orders
• Law enforcement activities and investigations
• Government audits and investigations
• Public health reporting requirements

Public Health Activities

• Disease reporting to public health authorities
• Communicable disease prevention and control
• Vital statistics reporting (births, deaths)
• Product recalls and safety alerts
• Workplace safety reporting to OSHA

Health Oversight Activities

• Government audits of healthcare programs
• Fraud investigations and compliance monitoring
• Licensing and certification activities
• Civil rights compliance reviews

Judicial and Administrative Proceedings

• Court orders and subpoenas
• Administrative hearings and depositions
• Discovery proceedings in litigation
• Arbitration and mediation proceedings

Law Enforcement

• Criminal investigations when authorized by law
• Missing persons and fugitive investigations
• Victims of crimes when required or permitted
• Suspicious deaths and coroner investigations

Specialized Government Functions

• Military personnel medical information
• National security and intelligence activities
• Correctional institutions for inmates
• Worker’s compensation claims processing

Your Individual Rights Under HIPAA

Right of Access

You have the right to inspect and obtain copies of your PHI in our designated record sets, which include:

• Medical records used for treatment decisions
• Billing and payment records
• Case management files
• Other records used to make decisions about you

How to Request: Submit written request to our Privacy Officer
Timeframe: We will respond within 30 days (60 days if records are off-site)
Fees: We may charge reasonable fees for copying and postage

Right to Request Amendments

You have the right to request amendments to your PHI if you believe it is inaccurate or incomplete.

How to Request: Submit written request with reason for amendment
Timeframe: We will respond within 60 days
We May Deny if the information:

• Was not created by us
• Is not part of your designated record set
• Would not be available for inspection
• Is accurate and complete

Right to Request Restrictions

You have the right to request restrictions on how we use or disclose your PHI for treatment, payment, or healthcare operations.

We Are Required to Agree to restrictions if:

• The disclosure is to a health plan for payment/operations
• The service was paid for out-of-pocket in full
• The restriction is not otherwise required by law

Other Restrictions: We are not required to agree but will consider your request

Right to Confidential Communications

You have the right to request alternative methods of communication or to receive communications at alternative locations.

Examples:

• Receiving calls at work instead of home
• Mailing information to a different address
• Using secure email for communications
• Receiving information in specific formats

Requirements: Request must be reasonable and specify how/where to contact you

Right to an Accounting of Disclosures

You have the right to receive an accounting of certain disclosures of your PHI made by us in the six years prior to your request.

Accounting Includes:

• Date of disclosure
• Name and address of recipient
• Description of information disclosed
• Purpose of disclosure

Exceptions: We do not account for disclosures for treatment, payment, healthcare operations, or made with your authorization.

Right to Notification of Breach

You have the right to be notified of breaches of your unsecured PHI.

Notification Timeline: Within 60 days of discovery
Notification Method: Written notice by mail or email
Content: Description of breach, information involved, steps taken, and contact information

Minimum Necessary Standard

We limit the use, disclosure, and request of PHI to the minimum necessary to accomplish the intended purpose, except when:

• Disclosing to healthcare providers for treatment purposes
• Disclosing to you or your personal representative
• Disclosures made with your authorization
• Disclosures required by law

Business Associate Relationships

We enter into Business Associate Agreements (BAAs) with third parties who perform services for us and may have access to your PHI, including:

Current Business Associates (Examples)

• IT service providers and cloud hosting companies
• Billing companies and claims processors
• Legal counsel and compliance consultants
• Transcription services and medical records companies
• Quality assurance and audit firms

BAA Requirements

• Written contract specifying permitted uses
• Requirement to safeguard PHI
• Prohibition on unauthorized use or disclosure
• Return or destruction of PHI when contract ends
• Incident reporting and breach notification

Website and Digital Privacy Practices

Tracking Technologies and PHI

Per OCR guidance (March 2024), tracking technologies on our website may collect PHI when:

• IP addresses are combined with health-related page visits
• User behavior indicates health conditions or treatments
• Authentication occurs in patient portal areas

Technologies We Use

• Google Analytics 4 (with BAA for PHI protection)
• Session management cookies for patient portal
• Security cookies for fraud prevention
• Functional cookies for website optimization

Your Choices

• Browser settings to control cookies
• Opt-out mechanisms for non-essential tracking
• Incognito/private browsing for additional privacy
• Contact us to limit tracking technologies

Complaints and Concerns

Filing a Complaint with Nivano Physicians

If you believe your privacy rights have been violated, you may file a complaint:

Privacy Officer

• Mail: Nivano Physicians Privacy Officer
  2554 Millcreek Drive, Suite 100
• Sacramento, CA 95833
• Email: compliance@nivanophysicians.com
• Phone: (916) 407-2000
• Fax: (916) 471-0332

Filing a Complaint with HHS

You may also file a complaint with the U.S. Department of Health and Human Services:

Office for Civil Rights (OCR)

• Phone: 1-800-368-1019
• TTY: 1-800-537-7697
• Online: https://www.hhs.gov/civil-rights/filing-a-complaint/index.html
• Mail: Office for Civil Rights
  U.S. Department of Health and Human Services
  200 Independence Avenue, S.W.
  Washington, D.C. 20201

No Retaliation

We will not retaliate against you for filing a complaint or exercising any of your privacy rights.

Changes to This Notice

We reserve the right to change the terms of this notice and make new provisions effective for all PHI we maintain. If we make material changes, we will:

• Post the revised notice in our offices and on our website
• Provide copies upon request
• Notify you of the changes if required by law

The effective date of this notice is located at the bottom of this document.

Contact Information

Privacy Officer

Title: Chief Privacy Officer
Email: compliance@nivanophysicians.com
Phone: (916) 407-2000
Mail: 2554 Millcreek Drive, Suite 100, Sacramento, CA 95833

General Information

Main Phone: (916) 407-2000
Website: www.nivanophysicians.com
Member Services: customerservice@nivanophysicians.com

Emergency Contact

24/7 Privacy Breach Hotline: (916) 407-2000
Emergency Email: customerservice@nivanophysicians.com

Acknowledgment

This notice describes how medical information about you may be used and disclosed and how you can get access to this information. Please review it carefully.

By receiving services from Nivano Physicians, you acknowledge that you have been provided with this Notice of Privacy Practices and have been informed of your rights regarding your Protected Health Information.

---

Effective Date: August 7, 2025
Document Version: 1.0
Next Review Date: August 7, 2028
Board Approval: August 7, 2025

This Notice of Privacy Practices complies with the HIPAA Privacy Rule and California state privacy laws. We are committed to protecting your health information and respecting your privacy rights.