Privacy Policy

Last updated: October 24th, 2025

This Privacy Policy describes Our policies and procedures on the collection, use and disclosure of Your information when You use the Service and tells You about Your privacy rights and how the law protects You.

We use Your Personal data to provide and improve the Service. By using the Service, You agree to the collection and use of information in accordance with this Privacy Policy.

PURPOSE:

To ensure that patients of InnovaCare Health owned and operated medical practices (Practice) are aware of their privacy rights, how the Practice uses and discloses Protected Health Information (PHI) in the course of doing business, and of the Practice’s legal duties with respect to protected health information (PHI).

POLICY:

Each Practice may obtain PHI from its patients in order to provide health care services and procedures to them. The Practice’s patients have the right to expect that their privacy will be protected and that their patient-specific information will only be released to properly authorized persons or entities. The Practice recognizes the sensitive nature of this information and is committed to maintaining confidentiality.

The Practice shall provide a formal notice to patients regarding the use and disclosure of protected health information. The Notice will provide an explanation of the patient’s rights with respect to their health information and the privacy practices of the Practice with respect to such information. The Practice shall require a signed acknowledgement that the patient has been provided a copy of the Practice’s Notice of Privacy Practices. If the patient refuses to sign the form, the Practice should document on the acknowledgement form that the patient refused to sign the form and the form should be scanned into the EMR.

SCOPE:

All InnovaCare Health owned and operated medical practices including but not limited to primary care, specialty care and urgent care facilities.

DEFINITIONS:

Authorization – A written document or form signed by an Individual or an Individual’s Personal Representative that authorizes the Covered Entity or Business Associate to Use or Disclose PHI for a purpose not otherwise permitted under the HIPAA Regulations.

Breach – An acquisition, access, Use, or Disclosure of Unsecured PHI not permitted under the HIPAA Privacy Rule, which compromises the security or privacy of such information. A Breach does not include the following:

  • the unauthorized acquisition, access, or Use of PHI by a Workforce member if such acquisition, access, or Use was unintentional, made in good faith and within the course and scope of the employment or other professional relationship with the Covered Entity or Business Associate, and such information is not further acquired, accessed, Used or Disclosed without authorization;
  • an inadvertent Disclosure by an individual who is authorized to access PHI at an entity operated by a Covered Entity or Business Associate to another similarly situated individual at the same entity, as long as the PHI is not further acquired, accessed, Used, or Disclosed without authorization; or
  • a Disclosure of PHI where the Covered Entity or Business Associate has a good faith belief that an unauthorized person to whom the Disclosure was made would not reasonably have been able to retain such information.

Breach Notification Rule or the HIPAA Breach Notification Rule – The breach notification regulations promulgated pursuant to HITECH and codified at 45 C.F.R. Part 164, Subpart D, as may be amended from time to time.

Business Associate – A person or entity who, on behalf of a Covered Entity, but not in the capacity of a member of the Covered Entity’s Workforce, performs or assists in the performance of a function or activity involving the creation, receipt, maintenance, or transmission of PHI, or provides legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services involving Disclosure of PHI.

Covered Entity – A health plan, health care clearinghouse or health care provider who transmits any health information in electronic form in connection with a transaction covered by HIPAA.

De-identified Health Information – Health information that does not identify an individual and with respect to which there is no reasonable basis to believe that the information can be used to identify an individual. De-Identified Health Information is not subject to the restrictions on Use and Disclosure which are applicable to PHI generally.

Designated Record Set – A group of records maintained by or for Practice that includes medical, billing, enrollment, payment, claims adjudication, and other records used by Practice, in whole or part, to make decisions about an Individual.

Disclosure – The act of releasing, transferring, divulging, or providing access to PHI to an organization or individual that is not the Covered Entity maintaining that information.

Discovered – The first day upon which a Breach is known, or by exercising reasonable diligence, should have been known.

HHS – The U.S. Department of Health and Human Services.

HHS Office for Civil Rights or “OCR” – HHS’ civil rights and health privacy rights law enforcement agency. OCR investigates complaints, enforces rights, promulgates regulations, develops policy, and provides technical assistance and public education to ensure understanding of and compliance with non-discrimination and health information privacy laws, including HIPAA.

Electronic Health Record or “EHR” – An electronic record of health-related information on an individual that is created, gathered, managed, and consulted by authorized health care providers and staff.

Electronic Protected Health Information or “E-PHI,” “ePHI.” – PHI that is transmitted by electronic media or maintained in any electronic format or media.

Health Care – Care, services, and supplies relating to the health of an Individual, including preventive, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care, etc.

Health Care Operations – Activities normal to the business of providing health care; some examples include development of clinical guidelines, quality assessments, outcomes evaluations, clinical performance evaluations, business planning and development, providing customer/patient services, etc.

Health Care Provider – A provider of health care and any person or organization who furnishes, bills, or is paid for health care in the normal course of business.

Health Information – Any information, whether oral or recorded in any form or medium, that is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearing house; and relates to the past, present, or future physical or mental health or condition of an Individual; the provision of health care to an Individual; or the past, present, or future Payment for the provision of health care to an Individual.

HITECH – The Health Information Technology for Economic and Clinical Health Act, Title XIII, Subtitle D, of the American Reinvestment and Recovery Act of 2009.

Individual – The person who is the subject of PHI.

Individually Identifiable Health Information – A subset of Health Information that incorporates the previous definition of Health Information and includes demographic information, and either identifies the Individual or provides a reasonable basis for believing it can be used to identify the Individual.

Limited Data Set – Information that may be Individually Identifiable Health Information, and:

  • That summarizes the claims history, claims, or type of claims experienced by Individuals; and
  • From which all the identifiers listed have been eliminated except that the information in a Limited Data Set may include:
  • the Individuals’ town, city, state and the last three (3) digits of an Individual’s zip code; and

  • elements of dates related to an Individual including birth date, admission date, discharge date, and date of death.

Marketing – Communications about a product or service that encourages the recipient of the communication to purchase or use the product or service. Marketing communications do not include any of the following:

  • Communications to provide refill reminders or otherwise communicate about drug or biologic that is currently being prescribed for the individual, only if any financial remuneration received by the Covered Entity in exchange for making the communication is reasonably related to the Covered Entity’s cost of making the communication.
  • Communication for the following Treatment and Health Care Operations purposes, except where the Covered Entity receives financial remuneration (direct or indirect payment from or on behalf of a third party whose product or service is being described) in exchange for making the communication:
  • For Treatment of an Individual by a health care provider, including for case management or care coordination for the Individual, or to direct or recommend alternative treatments, therapies, health care providers, or settings of care to the Individual;
  • To describe a health-related product or service (or payment for such product or service) that is provided by, or included in a plan of benefits of, the Covered Entity making the communication, including communications about:
  1. The entities participating in a health care provider network or health plan network;
    1. Replacement of, or enhancements to, a health plan; and
    1. Health-related products or services available only to a health plan enrollee that add value to, but are not part of, a plan of benefits.
  • Contacting of individuals with information about treatment alternatives, and related functions, to the extent these activities do not fall within the definition of Treatment.

Notice of Privacy Practices or “NOPP” – A document that Health Care Providers and health plans are required to provide to Individuals describing the individual rights under HIPAA and the manner in which the Covered Entity may Use or Disclose PHI. A Covered Entity that is in a direct Treatment relationship with the Individual is required to provide Individuals with a NOPP no later than the first service delivery date (or, in an emergency, as soon as reasonably practicable) and, if the Covered Entity maintains a physical service delivery site, have the NOPP available upon request and posted in a clear and prominent location. If a Covered Entity maintains a website, it must post the NOPP to its website.

Payment – Any activities such as billing, collection, and related actions taken by a Covered Entity and/or its Business Associates to obtain reimbursement for health care services rendered.

Personal Representative – A Personal Representative is a person with authority under state law to act on the Individual’s behalf on matters relating to health care. Generally, a parent of an Individual if the Individual is a minor; a person empowered under the Individual’s Power of Attorney (general or for health care); a legal guardian; or an executor or administrator of an Individual’s estate will be Personal Representatives. The HIPAA Privacy Rule permits an Individual’s Personal Representative to stand in the place of the Individual and exercise any rights the Individual may otherwise exercise pursuant to HIPAA.

Privacy Rule or the HIPAA Privacy Rule – The regulations regarding the privacy of certain health care information promulgated pursuant to HIPAA and codified at 45 C.F.R. Parts 160 and 164, Subparts A and E, as may be amended from time to time.

Protected Health Information or “PHI” – Protected Health Information (or “PHI”) is information about an Individual’s health care, created, received, or maintained by a Covered Entity, such as Practice, that identifies an Individual or with respect to which there is a reasonable basis to believe the information can be used to identify the Individual. PHI includes information related to the past, present or future physical or mental health or condition of an Individual; information about the provision of health care to an Individual; and information related to the past, present or future Payment for the provision of health care to an Individual.

The following are not considered PHI:

  • employment records in the possession of an employer, including results of preemployment or annual physicals and doctors’ notes for return to work following illness or injury and

  • records regarding a person who has been deceased for more than 50 years.

Secretary – The Secretary of HHS or his/her designee.

Security Incident – The attempted or successful unauthorized access, Use, Disclosure, modification, or destruction of information or interference with system operations in an information system.

Security Rule or the HIPAA Security Rule – The federal security standards under HIPAA as contained in 45 C.F.R. Parts 160 and 164, Subparts A and C, as may be amended from time to time.

Subcontractor – A person or organization with which a Business Associate has contracted to perform services or activities on behalf of the Business Associate.

Treatment – The provision, coordination, or management of health care and related services that health care providers render to an Individual. Treatment includes management of health care with a third party, consultation between providers relating to an Individual, or the referral of an Individual for care or services to another provider. HIPAA permits Disclosure of PHI for purposes of providing Treatment without an Authorization or need for a Business Associate Agreement.

Unsecured PHI – PHI that is not secured through the use of a technology or methodology specified in guidance issued by the Secretary of the HHS detailing those technologies and methodologies that render PHI unusable, unreadable, or indecipherable to unauthorized individuals.

Use – The sharing, employment, application, use, examination, or analysis of PHI within an entity that maintains such information.

Workforce – Employees, volunteers, trainees, and other persons, including contractors and agents, whose conduct, in the performance of work for a Covered Entity or Business Associate, is under the direct control of such Covered Entity or Business Associate, whether or not they are paid by the Covered Entity or Business Associate.

PROCEDURES:

  1. The Notice of Privacy Practices will be written in plain language. Patients will only need to sign this one time. Note: If the Practice’s Notice of Privacy Practices has been updated/revised, a copy of the revised notice will be made available to the patients upon request.
  • The Notice of Privacy Practices will contain the following information:
  1. The notice must contain the following statement as a header prominently displayed: “THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY”.
  • A description of at least one example of the types of uses and disclosures that the Practice is permitted by law to make for each of the following purposes: treatment, payment, and health care operations.
  • A description of the types of uses and disclosures of physiotherapy notes, marketing, fundraising, genetic information, and sale of PHI.
  • A description of each of the other purposes for which the Practice is permitted or required by the HIPAA Act to use or disclose protected health information without the patient’s written authorization, including:
    • uses and disclosures required by law
    • uses and disclosures for public health activities
    • disclosures about victims of abuse, neglect, or domestic violence
    • uses and disclosures for health oversight activities
    • disclosures for judicial and administrative proceedings
    • disclosures for law enforcement purposes
    • uses and disclosures about decedents
    • uses and disclosures for cadaver organ, eye, or tissue donation purposes
    • uses and disclosures for research purposes under limited circumstances (e.g., research for decedents, review preparatory for research)
    • disclosures to family, friends, or other persons involved in member’s health care
    • uses and disclosures to avert a serious threat to health or safety
    • uses and disclosures for specialized government functions
    • disclosures for workers compensation
    • disclosures to a school limited to immunization proof and
    • disclosures to the Secretary of Health and Human Services (HHS)
  • Also, the Notice of Privacy Practices contains the following statements or information:
    • A statement indicating other uses and disclosures will be made only with the patient’s or an authorized representative’s written authorization and that the individual may revoke such authorization as permitted by the individual’s rights under HIPAA.
  • A statement of the member’s rights with respect to protected health information and a brief description of how the individual may exercise those rights:
    • the right to request restrictions on certain uses and disclosures of protected health information
    • a statement that the Practice is not required to agree to a requested restriction
    • the member’s right to receive confidential communications of protected health information, as applicable
    • a statement and a brief description of how the member may exercise his/her right to inspect, copy, amend, and receive an accounting of disclosure of protected health information
    • a statement and a brief description of how the member may exercise his/her right to obtain a paper copy of the notice from the covered entity, even if the member has agreed to receive the notice electronically.
  • A statement that the covered entity is required by law to maintain the privacy of protected health information and to provide members with notice of its legal duties and privacy practices with respect to protected health information.
  • A statement that affected individuals have a right to be notified following a breach of unsecured PHI.
  • A statement that the covered entity is required to abide by the terms of the notice that is currently in effect.
  • A statement indicating that, for protected health information that it created or received prior to issuing a revised notice, Practice reserves the right to change the terms of its notice and to make the new notice provisions effective for all protected health information that it maintains.
  • A statement that Practice will promptly revise and distribute its notice whenever there is a material change to the uses or disclosures, the member’s rights, the covered entity’s legal duties, or other privacy practices stated in the notice, and how it will provide patients with the revised notice.
  • A statement that members may complain to Practice and to the U.S. Department of Health and Human Services if they believe their privacy rights have been violated.
  1. A brief description of how a member may file a complaint.
  • A statement that Practice will not retaliate against the member for filing a complaint.
  • The name, or title, and telephone number of a person or office to contact for further information concerning the notice of privacy practices. The date in which the notice is first in effect, which is not to be earlier than the date in which the notice is printed or otherwise published.
  • The Notice of Privacy Practices will be provided at the same time an acknowledgement of receipt of privacy notice form (“Acknowledgement Form”) is given to the patient. The acknowledgement form simply “acknowledges” the patient’s receipt of being offered a copy of the Practice’s Notice of Privacy Practices. Each patient will be asked to sign the acknowledgement form. The form will be scanned into the patient’s medical record in the EMR.

  • The Acknowledgement Form will include the patient’s or his/her legal Personal Representative’s signature and the date of signature.

  • The Acknowledgement Form should be reviewed, signed, and dated by the patient or Personal Representative before treatment/services are rendered.
  • Even after the privacy practices have been explained to the patient, the patient or Personal Representative may still refuse to sign the acknowledgement form. When this happens, note the attempt to obtain signature on the Acknowledgement Form (including date, time, and your name) and scan the form into the EMR.
  • Treatment should never be conditioned on patient’s refusal to sign the Acknowledgement Form.
  • The Notice of Privacy Practices will be posted in the waiting rooms or other conspicuous location in each Practice and will also be posted on Practice website. The Practice may provide the Notice of Privacy Practices upon request of the patient or authorized representative, including through electronic means (e.g., e-mail). When providing the notice to a patient by e-mail or another electronic means, the Practice:
  1. ensures that the member has agreed to receive the notice electronically and such agreement has not been withdrawn; and
  • provides a paper copy of the notice if Practice knows that an e-mail transmission of the electronic notice has failed.

Practice documents compliance with and maintains the notice as applicable, by retaining copies of the notice issued by the Practice for a period of at least six (6) years, from the date of its creation or the date when it was last in effect, whichever is sooner.

ATTACHMENTS:

Final InnovaCare health NOPP Revised 10/20/2025 v4

REFERENCES:

N/A

DISCLAIMER:

InnovaCare Health follows all federal and state laws and regulations. This document is intended as a guideline. Situations may arise where professional judgement dictates process or actions which differ from the guideline. These variations should be noted and submitted to the appropriate business area for review. This policy supersedes all other policies, procedures, guidelines that conflict with this policy. InnovaCare Health has full and final discretionary authority for interpretation and application of this policy in its sole discretion. This policy may be amended or revised by InnovaCare Health at any time.

NON-COMPLIANCE:

Failure to comply with any part of InnovaCare Health’s policies, procedures, guidelines and standards may result in disciplinary action up to and including termination.

CONTACT US

If you have any questions about this Privacy Policy, You can contact us:

  • By email: info@innovacarehealth.com
  • By visiting this page on our website: https://innovacareinc.com/contact-us/
  • By phone number: 833-780-3110