Introduction

BehaCare is committed to protecting the privacy of your health information. This Notice of Privacy Practices (the "Notice") informs you about how we may use and disclose your protected health information (Protected Health Information, "PHI"), and describes your rights regarding that information.

PHI is information about you, including demographic data, that can identify you and that relates to your past, present, or future physical or mental health condition, the provision of health care services, or payment for such services.

We are required by law to maintain the privacy of your PHI, provide you with this Notice about our legal obligations and privacy practices, and comply with the terms of this Notice currently in effect. This Notice applies to all behavioral health and telehealth services that BehaCare provides to you.

Our Obligations

The law requires us to:

  • Maintain the privacy of your protected health information (PHI).
  • Provide you with this Notice detailing our legal obligations and privacy practices regarding your PHI.
  • Comply with the terms of the Notice currently in effect.
  • Notify you in the event of a security breach that compromises your unsecured PHI.

How We May Use and Disclose Your Health Information

The following describes the different ways we may use and disclose your PHI. Not every possible situation is covered, but the main categories of permitted or required uses and disclosures are included.

For Treatment

We may use and disclose your PHI to provide you with treatment and behavioral health services. This includes sharing information with other health professionals involved in your care, such as physicians, therapists, or specialists, always with your prior authorization when required. For example, if we need to coordinate your care with your primary care physician, we may share relevant information about your behavioral assessment to ensure comprehensive care.

For Health Care Operations

We may use and disclose your PHI for operational activities necessary for the functioning of our services. This includes quality improvement activities, staff competency reviews, training of professionals under supervision, audits, regulatory compliance activities, and other administrative functions related to the management of our health services.

With Your Authorization

Most uses and disclosures of your PHI not described in this Notice will only be made with your written authorization. These include, among others:

  • The disclosure of psychotherapy notes (if applicable).
  • The use of your PHI for marketing purposes.
  • The sale of your PHI.
  • Any other use or disclosure not described in this Notice.

You may revoke your authorization at any time in writing. However, the revocation will not affect disclosures that have already been made based on your prior authorization.

Without Your Authorization (When Permitted by Law)

In certain circumstances, the law permits or requires us to use or disclose your PHI without your authorization. These situations include:

  • When required by law: We will disclose your PHI when required by federal, state, or local law.
  • Public health: We may disclose your PHI to public health authorities to prevent or control diseases, injuries, or disabilities, and for other public health activities authorized by law.
  • Reports of abuse or neglect: We may disclose your PHI to appropriate government authorities if we reasonably believe you are a victim of abuse, neglect, or domestic violence.
  • Judicial and administrative proceedings: We may disclose your PHI in response to a court order or administrative subpoena, as permitted by applicable law.
  • Law enforcement: We may disclose your PHI to law enforcement officials for specific purposes permitted by law, such as identifying missing persons or reporting certain types of wounds.
  • To prevent a serious threat: We may use or disclose your PHI when necessary to prevent a serious and imminent threat to your health or safety, or to the health or safety of the public or another person.
  • Workers' compensation: We may disclose your PHI as authorized by workers' compensation laws.
  • Specialized government functions: We may disclose your PHI for national security activities, presidential protection services, or as required by applicable laws for military and veteran services.
  • Coroners and funeral directors: We may disclose PHI to a coroner or funeral director as permitted by law.

Your Rights Regarding Your Health Information

You have the following rights regarding your PHI. To exercise any of these rights, you must submit a written request to our Privacy Officer using the contact information provided at the end of this Notice.

Right to Inspect and Copy Your Records

You have the right to inspect and obtain a copy of your PHI contained in our medical and billing records. We must respond to your request within 30 days. We may charge a reasonable fee for copying, mailing, and preparation costs of a summary, if you request one. In certain limited circumstances, we may deny your request, and you will have the right to request a review of such denial.

Right to Request Corrections

If you believe the PHI we maintain about you is incorrect or incomplete, you may request that we correct or supplement it. You must submit your request in writing, indicating the reason you believe the information should be corrected. We may deny your request in certain circumstances, but we will inform you in writing of the reasons for the denial.

Right to an Accounting of Disclosures

You have the right to request a list of disclosures we have made of your PHI. This list will not include disclosures made for treatment, health care operations, those you authorized, or certain other disclosures. We can provide you with an accounting of disclosures for the last six years. The first request within a 12-month period will be free; for additional requests, we may charge a reasonable fee.

Right to Request Restrictions

You have the right to request that we limit the uses and disclosures of your PHI for treatment, operations, or payment activities. You may also request that we limit the information we share with individuals involved in your care. We are not required to agree to your request, except when the disclosure is to a health plan for payment or operations purposes and the PHI relates solely to a service you have paid for entirely out of pocket.

Right to Request Confidential Communications

You have the right to request that we communicate with you about health matters in a specific manner or at a specific location. For example, you may request that we contact you only at a specific phone number or send correspondence to an alternative address. We will accommodate all reasonable requests.

Right to Receive a Paper Copy of This Notice

You have the right to obtain a paper copy of this Notice at any time, even if you previously agreed to receive it electronically. You may request one by contacting our Privacy Officer.

Right to Be Notified of a Security Breach

You have the right to be notified in the event of a security breach involving your unsecured PHI. The notification will be made as required by federal law and will include a description of what occurred, the types of information involved, the steps you should take to protect yourself, the actions we are taking to investigate and mitigate the incident, and contact information for obtaining more details.

Electronic Health Information (ePHI)

BehaCare uses electronic systems to store, process, and transmit your protected health information. All electronic health information (electronic Protected Health Information, "ePHI") is subject to the technical, physical, and administrative safeguards required by the HIPAA Security Rule.

Our protective measures include:

  • Encryption of all ePHI data, both at rest and in transit.
  • Use of secure, HIPAA-compliant telehealth platforms for all clinical sessions.
  • Role-based access controls that limit access to your ePHI only to authorized personnel.
  • Audit logs that track access to and modifications of your information.
  • Regular backups and disaster recovery plans to protect the integrity and availability of your data.
  • Regular staff training in information security and HIPAA compliance.

Telehealth and Privacy

Since BehaCare delivers its services through telehealth, there are specific privacy considerations you should be aware of:

  • Secure video platforms: All our telehealth sessions are conducted through video conferencing platforms that comply with HIPAA security standards. These platforms use end-to-end encryption to protect the confidentiality of your communications.
  • Your responsibility for your environment: We strongly recommend that you participate in telehealth sessions from a private location where you cannot be overheard by unauthorized individuals. BehaCare is not responsible for privacy violations that occur due to the conditions of your physical environment during a session.
  • Recording policy: Telehealth sessions are not recorded by BehaCare unless your prior written consent is obtained. You must not record sessions without the mutual consent of all parties involved. Unauthorized recording may constitute a violation of privacy and applicable laws.
  • Secure messaging: All written communication containing PHI is conducted through secure and encrypted channels. We ask that you do not send sensitive health information through unencrypted email, conventional text messages, or other insecure communication methods.
  • Internet connection: We recommend using a secure and private internet connection (avoiding public Wi-Fi networks) during your telehealth sessions to protect the confidentiality of the communication.

Record Retention Period

BehaCare maintains your health records in accordance with applicable federal and state requirements. As a general rule, adult patient health records are maintained for a minimum of seven (7) years from the date of the last contact or service. Records of minor patients are maintained for a minimum of seven (7) years after the patient reaches the age of majority, or as required by applicable state law, whichever results in a longer period.

At the end of the applicable retention period, records are securely destroyed using methods that ensure the information cannot be reconstructed or recovered.

Changes to This Notice

BehaCare reserves the right to modify the terms of this Notice at any time. Any changes will apply to all PHI we maintain, regardless of when it was created or received. The updated version of this Notice will be posted on our website at behacare.com/hipaa and will be available at our facilities. We may provide you with a copy of the revised Notice upon your request.

The effective date of the Notice is indicated at the beginning of this document. We recommend reviewing this Notice periodically to stay informed about how we protect your PHI.

Complaints

If you believe your privacy rights have been violated, you have the right to file a complaint. You may do so in the following ways:

  • With BehaCare: Contact our Privacy Officer using the information provided in the contact section below. We will investigate your complaint and provide you with a response.
  • With the U.S. Department of Health and Human Services: You may file a complaint with the Office for Civil Rights (OCR) by visiting hhs.gov/ocr/complaints or calling 1-800-368-1019.

No retaliation. BehaCare will not retaliate against you in any way for filing a complaint with us or with the Office for Civil Rights. Your care and the quality of our services will not be affected by the filing of a complaint.

Privacy Officer Contact

If you have questions about this Notice, wish to exercise any of your rights, or need to file a complaint, you may contact our Privacy Officer:

To file a complaint with the Office for Civil Rights of the U.S. Department of Health and Human Services:

Effective date of this Notice: May 2026. This Notice applies to all services provided by BehaCare, including all behavioral health and dementia telehealth services delivered across the United States.