HIPAA Notice of Privacy Practices

Effective date: 6/29/2025 | Last revised: 6/29/2025

PLEASE READ THIS NOTICE CAREFULLY

This Notice of Privacy Practices ("Notice") explains how HealthSpark Inc., HealthSpark Medical Group West PC, HealthSpark Medical Group PA (including its assumed name, HealthSpark Medical Group PC), and their licensed clinicians and business partners (collectively, "HealthSpark," "we," "our," or "us") may use and disclose your protected health information (PHI) to provide treatment, obtain payment, and conduct health‑care operations, as well as other uses permitted or required by law.

It also describes your rights to access and control your PHI.

HealthSpark operates as an organized health‑care arrangement. All covered entities and workforce members within HealthSpark agree to follow the terms of this Notice and may share PHI with one another for treatment, payment, and health‑care‑operations purposes. This Notice applies to the technology-enabled and in-person physical therapy services provided by HealthSpark.

Our Legal Duties

  • Privacy & Security. We are required by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to maintain the privacy and security of your PHI.
  • Notice. We must give you this Notice and follow the terms currently in effect.
  • Breach Notification. We will notify you promptly if a breach occurs that may have compromised the privacy or security of your PHI.
  • Changes to This Notice. We may change this Notice at any time. Revised Notices apply to all PHI we maintain and will be posted on our website and made available upon request.
  • Where any other state law provides greater privacy protection than HIPAA, we will follow that state law.

Your Rights

You have the right to:

  1. Get an electronic or paper copy of your medical record.
  2. Ask us to correct your record if you believe it is incomplete or inaccurate.
  3. Request confidential communications (e.g., alternative address or phone).
  4. Ask us to limit what we use or share—we may deny most requests, but we must grant a restriction on disclosures to a health plan if you pay in full out‑of‑pocket, unless disclosure is required by law.
  5. Receive a list of certain disclosures we made in the six years prior to your request.
  6. Choose a representative to act on your behalf (e.g., medical power of attorney).
  7. Receive a paper copy of this Notice at any time, even if you agreed to receive it electronically.
  8. File a complaint without retaliation if you feel we have violated your rights (see “Complaints” below).

To exercise any right listed above, email contact@joinhealthspark.com or mail a signed request to the Privacy Officer at the address below.

How We May Use & Disclose Your PHI

We use and disclose your health information for the normal business activities that the law sees as falling in the categories of treatment, payment, and healthcare operations. Generally, we do not need your permission for these disclosures under applicable laws. Below we provide examples of those activities, although not every use or disclosure falling within each category is listed:

1 Treatment

We keep a record of the health information you provide us. We use and share PHI to provide, coordinate, or manage your physical‑therapy and telehealth services. We may disclose this information to other health professionals who are treating you so that other doctors, nurses, and entities can meet your healthcare needs. For example, a HealthSpark therapist may consult with your referring physician and share evaluation notes or Plans of Care.

2 Payment

We document the services and supplies you receive when we are providing care to you so that you, your insurance company, or another third party can pay us. We may tell your health plan about upcoming treatment or services that require prior approval by your health plan. We use PHI to bill and collect payment from you, your health plan, Medicare, or other payers. This includes verifying coverage, obtaining prior authorization, and disclosing information required on CMS‑1500 claim forms.

3 Health‑Care Operations

Health information is used to run our practice, improve the services we provide, and train staff, as well as for business management, quality assessment and improvement, communications about our health-related products and services, and customer service. For example, we may use your health information to review our treatment and services and to evaluate the performance of our staff in caring for you.

Business Associates. We sometimes rely on third-party service providers—such as secure cloud-hosting platforms, claims-clearinghouses, electronic-prescription networks, telehealth infrastructure vendors, and analytics partners—to support our treatment, payment, and health-care-operations activities. These companies, known under HIPAA as Business Associates, may receive, create, or maintain your protected health information on our behalf only after signing a Business Associate Agreement (BAA) that contractually requires them to: (a) use or disclose PHI solely as permitted by us or as required by law; (b) implement appropriate administrative, physical, and technical safeguards to protect the information; (c) report any suspected or confirmed privacy or security breach to HealthSpark without unreasonable delay; and (d) ensure that any of their subcontractors who handle PHI are bound by the same protections. We share the minimum necessary information for them to perform their duties, and we monitor their compliance as part of our ongoing privacy-and-security program.

We may also use and disclose your health information to:

  • Comply with federal, state or local laws that require disclosure.
  • Assist in public health activities such as tracking diseases or medical devices.
  • Inform authorities to protect victims of abuse or neglect.
  • Comply with federal and state health oversight activities such as fraud investigations.
  • Respond to law enforcement officials or to judicial orders, subpoenas or other processes.
  • Inform coroners, medical examiners and funeral directors of information necessary for them to fulfill their duties.
  • Facilitate organ and tissue donation or procurement.
  • Conduct research following internal review protocols to ensure the balancing of privacy and research needs.
  • Avert a serious threat to health or safety.
  • Assist in specialized government functions such as national security, intelligence and protective services.
  • Inform military and veteran authorities if you are an armed forces member (active or reserve).
  • Inform a correctional institution if you are an inmate.
  • Inform workers’ compensation carriers or your employer if you are injured at work.
  • Recommend treatment alternatives.
  • Tell you about health-related products and services.
  • Communicate within our organization for treatment, payment, or healthcare operations.
  • Communicate with other providers, health plans, or their related entities for their treatment or payment activities, or health care operations activities relating to quality assessment and improvement, care coordination and the qualifications and training of healthcare professionals.
  • Provide information to other third parties with whom we do business, such as a record storage provider. However, you should know that in these situations, we require third parties to provide us with assurances that they will safeguard your information.
  • We may also use or disclose your personal or health information for operational purposes. For example, we may communicate with individuals involved in your care or payment for that care, such as family or guardians, and send appointment reminders.

All other uses and disclosures, not previously described, may only be done with your written authorization. We will also obtain your authorization before we:

  • Use or disclose your health information for marketing purposes;
  • Sell your information; or
  • Share your physical therapy notes (in most cases).

You may revoke your authorization at any time by contacting us at the address below; however, this will not affect prior uses and disclosures. In some cases, state law may require that we apply extra protections to some of your health information.

Our Responsibilities in Detail

  • Maintain the privacy and security of your health information.
  • Provide a copy of this Notice of our duties and privacy practices.
  • Abide by the terms of the Notice currently in effect.
  • Promptly tell you if there has been a breach that may have compromised the privacy or security of your health information.

We reserve the right to change this Notice and make the new practices effective for all the information we maintain. Revised notices will be posted on the Site.

Complaints & Contact Information

If you believe your privacy rights have been violated, you may file a complaint with:

HealthSpark Privacy Officer

1875 Mission St Ste 103
San Francisco, CA 94103
Email: contact@joinhealthspark.com

You may also file a complaint with the U.S. Department of Health & Human Services, Office for Civil Rights:

200 Independence Ave SW, Washington DC 20201
Phone: 1‑800‑537‑7697 | ocrportal.hhs.gov

We will not retaliate against you for filing a complaint.

Who Must Follow This Notice

  • All licensed physical therapists and other clinicians providing care through HealthSpark.
  • All HealthSpark employees, contractors, trainees, volunteers, and business associates.
  • All entities under the HealthSpark organized health‑care arrangement.