Nivano Physicians, Inc.
Effective Date: August 7, 2025
Last Updated: March 12, 2026
Version: 2.0
Our Commitment
Nivano Physicians is committed to protecting the privacy and security of your Protected Health Information (PHI). As a HIPAA-covered entity, we are legally required to maintain the privacy of your health information, provide you with notice of our privacy practices, and abide by the terms of that notice.
This notice describes how medical information about you may be used and disclosed, and how you can access this information. Please review it carefully.
Regulatory Framework
| Authority | Requirement |
|---|---|
| 45 C.F.R. Part 164, Subparts A and E | HIPAA Privacy Rule |
| 45 C.F.R. Part 164, Subparts A and C | HIPAA Security Rule |
| HITECH Act (42 U.S.C. § 17921 et seq.) | Enhanced enforcement and breach notification |
| California Confidentiality of Medical Information Act (CMIA) | State-level protections exceeding federal HIPAA |
| OCR Guidance on Tracking Technologies (March 2024) | Digital tracking and PHI |
What Is Protected Health Information?
Protected Health Information (PHI) is any individually identifiable health information we create, receive, maintain, or transmit in any form — electronic, paper, or oral — that relates to your past, present, or future physical or mental health condition, the provision of healthcare to you, or the payment for healthcare services provided to you.
PHI includes medical records and clinical notes, laboratory results and diagnostic images, treatment plans and medication lists, billing and payment information, insurance and claims data, appointment scheduling information, and communications about your care.
How We May Use and Disclose Your PHI
Treatment, Payment, and Healthcare Operations (No Authorization Required)
We may use and disclose your PHI for treatment purposes (coordinating your care, consulting with specialists, providing referrals), for payment purposes (processing insurance claims, billing, verifying coverage, prior authorizations), and for healthcare operations (quality assessment, case management, provider credentialing, compliance, and fraud prevention) without your written authorization.
Disclosures That Require Your Written Authorization
We will obtain your written authorization before using or disclosing your PHI for marketing purposes (with limited exceptions), sale of PHI to third parties, most uses of psychotherapy notes, and research studies (unless a waiver has been approved by an Institutional Review Board).
Disclosures Permitted Without Authorization
In certain situations, we may use or disclose PHI without your authorization, including:
- As required by law — legal proceedings, court orders, law enforcement activities, government audits
- Public health activities — disease reporting, communicable disease prevention, vital statistics, product safety alerts, OSHA reporting
- Health oversight — government audits of healthcare programs, fraud investigations, licensing and certification activities
- Judicial and administrative proceedings — court orders, subpoenas, administrative hearings
- Law enforcement — criminal investigations authorized by law, missing persons, victims of crimes
- Specialized government functions — military personnel, national security, correctional institutions, workers’ compensation
Your Individual Rights Under HIPAA
Right of Access
You may inspect and obtain copies of your PHI from our designated record sets. Submit a written request to our Privacy Officer. Under California law, we must provide access within 15 days.
Right to Request Amendments
You may request amendments to PHI you believe is inaccurate or incomplete. We may deny the request if the information was not created by us, is not part of your designated record set, would not be available for inspection, or is accurate and complete.
Right to Request Restrictions
You may request restrictions on how we use or disclose your PHI for treatment, payment, or healthcare operations. We are required to honor your restriction when the disclosure is to a health plan for payment or operations purposes and you have paid for the service in full out of pocket.
Right to Confidential Communications
You may request that we communicate with you by alternative means or at an alternative location — for example, calling you at work rather than at home, or mailing to a specific address. We will accommodate reasonable requests.
Right to an Accounting of Disclosures
You may request an accounting of certain disclosures of your PHI made during the prior six years. This accounting does not include disclosures made for treatment, payment, or healthcare operations, or those made with your authorization.
Right to Notification of Breach
You have the right to be notified in writing within 60 days if your unsecured PHI is involved in a breach. Notification will describe the breach, the information involved, steps we have taken, and how to contact us with questions.
Minimum Necessary Standard
Except when disclosing PHI to a treating provider or to you directly, or when disclosure is made with your authorization or required by law, we limit our use, disclosure, and requests for PHI to the minimum amount necessary to accomplish the intended purpose.
Business Associates
We maintain written Business Associate Agreements (BAAs) with third-party service providers who perform functions on our behalf and may access your PHI — including IT and cloud hosting providers, billing companies, claims processors, legal counsel, transcription services, and quality audit firms. BAAs require these vendors to safeguard PHI, restrict its use to authorized purposes, report breaches, and return or destroy PHI when the contract ends.
Website and Digital Tracking
Under OCR guidance issued March 2024, tracking technologies on healthcare websites can collect PHI when IP addresses are combined with health-related page visits, when user navigation patterns suggest health conditions, or when activity occurs in authenticated patient portal areas. We maintain BAAs with our analytics and session replay vendors — see our Cookie Policy for full details. Patients may use browser privacy settings or contact us to limit tracking.
Filing a Privacy Complaint
If you believe your privacy rights have been violated, you may file a complaint with us or directly with the HHS Office for Civil Rights. We will not retaliate against you for filing a complaint or exercising any privacy right.
Nivano Physicians Privacy Officer
2554 Millcreek Dr., Suite 100, Sacramento, CA 95833
Phone: (916) 407-2000
Fax: (916) 471-0332
Email: compliance@nivanophysicians.com
HHS Office for Civil Rights
Phone: 1-800-368-1019 | TTY: 1-800-537-7697
Online: https://www.hhs.gov/civil-rights/filing-a-complaint/index.html
Changes to This Policy
We reserve the right to change the terms of this notice and to make any new provisions effective for all PHI we maintain. Revised notices will be posted on our website and in our offices and made available upon request.
Contact Information
Privacy Officer — Nivano Physicians, Inc.
2554 Millcreek Dr., Suite 100, Sacramento, CA 95833
Phone: (916) 407-2000
Email: compliance@nivanophysicians.com
Member Services
Phone: (916) 407-2000
Email: customerservice@nivanophysicians.com
Policy Review
This policy is reviewed at least every three years and updated as needed to reflect changes in HIPAA regulations, OCR guidance, California law, and organizational practices. The next scheduled review is August 7, 2028.
This policy was last updated on March 12, 2026.