THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN ACCESS THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.

This HIPAA Notice of Privacy Practices (“Notice”) will tell you about the ways in which we may use and disclose medical or billing or other health information we use to make decisions about you (“Protected Health Information” or “PHI”). We also describe your rights and certain obligations we have regarding the use and disclosure of your PHI. This Notice applies to Headlight Health Medical Group PLLC, Sokyahealth Medical Group, P.C. (CA), Sokyahealth Medical Group P.C. (OR), Sokyahealth, LLC, Shashita Inamdar M.D., Professional Corporation, and Achieve Medical Alaska, LLC (collectively, “Headlight”).

Last updated: July 2nd, 2024

Your Rights

When it comes to your health information, you have certain rights. Except as described in this Notice, we will not disclose PHI without your authorization. This section explains your rights and some of our responsibilities to help you.

Get an electronic or paper copy of your medical record

• You can ask to see or get an electronic or paper copy of your medical record and other health information we have about you. Ask us how to do this.

• We will provide a copy or a summary of your health information, usually within 30 days of your request. We may charge a reasonable, cost‐based fee.

Ask us to correct your medical record

• You can ask us to correct health information about you that you think is incorrect or incomplete. Ask us how to do this.

• We may say “no” to your request, but we’ll tell you why in writing within 60 days.

Request confidential communications

• You can ask us to contact you in a specific way (for example, home or office phone) or to send mail to a different address.

• We will say “yes” to all reasonable requests.

Ask us to limit what we use or share

• You can ask us not to use or share certain health information for treatment, payment, or our operations. We are not required to agree to your request, and we may say “no” if it would affect your care.

• If you pay for a service or health care item out‐of‐pocket in full, you can ask us not to share that information for the purpose of payment or our operations with your health insurer. We will say “yes” unless a law requires us to share that information.

Get a list of those with whom we’ve shared information

• You can ask for a list (accounting) of the times we’ve shared your health information for six years prior to the date you ask, who we shared it with, and why.

• We will include all the disclosures except for those about treatment, payment, and health care operations, and certain other disclosures (such as any you asked us to make). We’ll provide one accounting a year for free but will charge a reasonable, cost‐based fee if you ask for another one within 12 months.

Get a copy of this Notice

You can ask for a paper copy of this Notice at any time, even if you have agreed to receive the Notice electronically. We will provide you with a paper copy promptly.

Choose someone to act for you

• If you have given someone medical power of attorney or if someone is your legal guardian, that person can exercise your rights and make choices about your health information.

• We will make sure the person has this authority and can act for you before we take any action.

File a complaint if you feel your rights are violated

• You can complain if you feel we have violated your rights by contacting us:

  Privacy and Security Officer

  5060 Shoreham Place, Suite 100

  San Diego, CA 92122

  privacy@headlight.health

• You can file a complaint with the U.S. Department of Health and Human Services Office for Civil Rights. Upon request, we will provide the correct address to file a complaint with OCR.

• We will not retaliate against you for filing a complaint.

Your Choices

For certain health information, you can tell us your choices about what we share. If you have a clear preference for how we share your information in the situations described below, email us at privacy@headlight.health and let us know what you want us to do, and we will follow your instructions.

You have both the right and choice to tell us whether to share information with your family, close friends, or others involved in your care.

If you are not able to tell us your preference, for example if you are unconscious, we may go ahead and share your information if we believe it is in your best interest. We may also share your information when needed to lessen a serious and imminent threat to health or safety.

In these cases, we never share your information unless you give us written permission:

• Marketing purposes

• Sale of your information

• Psychotherapy notes, unless otherwise required by law

In the case of fundraising:

• We may contact you for fundraising efforts, but you can “opt out” or “unsubscribe” and we will not contact you again with this type of communication.

Uses and Disclosures Without Your Written Authorization

In certain situations, we must obtain your written authorization in order to use and/or disclose your PHI. However, unless the PHI is Highly Confidential Information (as defined in the next sentence) and the applicable law regulating such information imposes special restrictions on us, we may use and disclose your PHI without your written authorization for the purposes described below. “Highly Confidential Information” means certain health information that is given special privacy protection by federal and state law and may include substance use disorder (SUD) treatment program records, mental health records, reproductive health records, and other health information that is given special privacy protection under state or federal laws other than HIPAA. In order for us to disclose any Highly Confidential Information for a purpose other than those permitted by law, we must obtain your authorization.

PHI disclosed pursuant to HIPAA may be redisclosed and no longer protected by the HIPAA Privacy Regulations.

We may use or share your PHI without your authorization (except as otherwise described herein or prohibited by applicable law) in the following ways:

Treat you

We can use your PHI, including SUD information (defined below), and share it with other professionals who are treating you. Example: We may share information about  your behavioral health conditions with another one of your treating providers. 

Run our organization

We can use and share your PHI, including SUD information for our health care operations including to run our practice, improve your care, and contact you when necessary. Example: We use health information about you to manage your treatment and services.   

Bill for your services

We can use and share your PHI, including SUD information to bill and get payment from your insurance, health plan, or other entities responsible for paying for your health care.

Example: We give information about you to your health insurance plan so it will pay for your 

services.   

We participate in health information exchanges (HIEs) and similar services, and may use these services as a method to share, request, and receive electronic health information with other health care organizations for treatment, payment, health care operations, and public health. If you wish to opt-out of any health information exchange as it relates to your PHI, please contact Headlight as set forth at the end of this Notice.

In addition, we are allowed or required to share your PHI in other ways – usually in ways that contribute to the public good, such as public health and research. We must meet many conditions in the law before we can share your information for these purposes. For more information see: https://www.hhs.gov/hipaa/for-individuals/index.html. We may have your PHI that is not directly related to your application for or receipt of SUD treatment service. Rules about how we use and share your health information are different from and less restrictive than the rules about how we use and share your SUD information.

Help with public health and safety issues

We can share PHI, limited to the minimum necessary amount of PHI that is reasonably necessary, about you without authorization (except where indicated) for certain situations such as:

• Reporting suspected child abuse or neglect, and under certain circumstances, abuse, neglect or domestic violence involving adults

• Medical emergencies

• Care of a minor

• Incompetent and deceased patients

• Preventing or controlling disease, injury, or disability

• Alerting a person who may have been exposed to a communicable disease or may otherwise be at risk of contracting or spreading a disease or condition

• Reporting information to your employer as required under las addressing work-related illnesses and injuries or workplace medical surveillance

• Helping with product recalls

• Reporting adverse reactions to medications

• Preventing or reducing a serious threat to anyone’s health or safety

Do research

We may use and disclose your PHI for research purposes pursuant to a valid authorization from you or when an institutional review board or privacy board has waived the authorization requirement. Under certain circumstances, your PHI may be disclosed without your authorization to researchers preparing to conduct a research project, for research on decedents, or as part of a data set that omits your name and other information that can directly identify you.

Comply with the law

We will share your PHI if state or federal laws require it, including with the Department of Health and Human Services if it wants to see that we’re complying with federal privacy law.

Work with a medical examiner or funeral director

• We can share your PHI and SUD information with a coroner, medical examiner, or funeral director when an individual dies as authorized by law.

• We may disclose your PHI to organizations that facilitate organ, eye, or tissue procurement, banking, or transplantation.

Address workers’ compensation, law enforcement, and other government requests

We can use or share your PHI:

• For workers’ compensation claims

• For law enforcement purposes or with a law enforcement official

  • For example: We may share your health information or SUD information with the police or other law enforcement officials if you commit a crime on the premises or against program personnel or threaten to commit such a crime. We cannot share information regarding illegal activities (e.g., selling drugs, prostitution, etc. unless it poses an imminent danger to someone).

• With health oversight agencies for activities authorized by law

• For special government functions such as military, national security, and presidential protective services

Respond to lawsuits and legal actions

We can generally share your PHI in response to a court or administrative order, or in response to a subpoena. However, certain information related to substance abuse treatment may be subject to special protections under federal regulations, and certain information regarding reproductive healthcare may require additional protections, as set forth in this Notice. We will only disclose information that is subject to such special protections, with respect to lawsuits and legal actions, pursuant to a court order that meets the requirements of such federal regulations.

Appointment Reminders

We may contact you to provide appointment reminders or information about treatment alternatives.

Disclosure to Relatives, Close Friends, and Other Caregivers

We may use or disclose your PHI to a family member, other relative, a close personal friend or any other person identified by you when you are present for, or otherwise available prior to, the disclosure, if: (1) we obtain your agreement or provide you with the opportunity to object to the disclosure and you do not object or (2) we reasonably infer that you do not object to the disclosure. If you are not present for or unavailable prior to a disclosure (e.g., when we receive a telephone call from a family member or other caregiver), we may exercise our professional judgment to determine whether a disclosure is in your best interests. If we disclose information under such circumstances, we would disclose only information that is directly relevant to the person’s involvement with your care.

Business Associates

Certain aspects and components of our services are performed through contracts with outside persons or organizations, such as auditing, outcomes data collection, information technology infrastructure, email communications, etc. At times it may be necessary for us to provide your PHI to one or more of these outside persons or organizations who assist us with our health care operations. In all cases, we require these associates to appropriately safeguard the privacy of your information.

Uses and Disclosures Requiring Your Written Authorization

Except for the purposes described above, we only use or disclose your PHI when you give us your written authorization. For example:

• Marketing. We must obtain your written authorization prior to using your PHI for purposes that are marketing under the HIPAA privacy rules. For example, we will not accept any payments from other organizations or individuals in exchange for making communications to you about treatments, therapies, health care providers, settings of care, case management, care coordination, products or services unless you have given us your authorization to do so or the communication is permitted by law. However, we may provide refill reminders or communicate with you about a drug or biologic that is currently prescribed to you so long as any payment we receive for making the communication is reasonably related to our cost of making the communication. In addition, we may market to you in a face-to-face encounter and give you promotional gifts of nominal value without obtaining your written authorization.

• Sale of Protected Health Information. We will not sell your PHI without your written authorization.

• Psychotherapy Notes. We will not use or disclose psychotherapy notes about you without your authorization except for use by the mental health professional who created the notes to provide treatment to you, for our mental health training programs or to defend ourselves in a legal action or other proceeding brought by you.

Our Responsibilities

• We are required by law to maintain the privacy and security of your Protected Health Information.

• Protected Health Information related to the substance use disorder services we provide:

  • Federal law (42 CFR Part 2) protects your health information if you are applying for or receiving services (including diagnosis or treatment, or referral) for a SUD (“SUD information”). Generally, if you are receiving services from us related to substance use disorder(s), we may not acknowledge to a third-party that you receive such services from us, except under certain circumstances that are described in this Notice. SUD Information may not be used or disclosed in a civil, criminal, administrative, or legislative proceeding against you without either your written consent or a valid court order accompanied by a subpoena or other legal requirement compelling disclosure.

• All Protected Health Information, including substance use disorder services:

  • The HIPAA Privacy Regulations (45 CFR Parts 160 and 164), also protect your health information. There may be differences in the way we may use and share this type of information than we use and share your SUD information. These differences are listed in this notice.

• Protected Health Information related to reproductive health:

  • We will not disclose your PHI potentially related to reproductive health care for health oversight activities, judicial and administrative proceedings, law enforcement purposes, or to coroners, medical examiners, or funeral directors without obtaining a valid attestation from the requestor, in accordance with HIPAA.

• We will let you know promptly if a breach occurs that may have compromised the privacy or security of your PHI.

• We must follow the duties and privacy practices described in the version of this Notice currently in effect and give you a copy of it.

• We will not use or share your PHI other than as described here unless you tell us we can in writing. If you tell us we can, you may change your mind at any time. Let us know in writing if you change your mind.

For more information see: https://www.hhs.gov/hipaa/for-individuals/index.html.

Changes to the Terms of this Notice

We can change the terms of this Notice at any time, and the changes will apply to all PHI that we maintain, including medical information we created or received prior to making such changes. If we change this Notice, we will post the new notice on our Internet site at https://my.headlight.health/consents/hipaa-notice. You may also obtain a new notice by contacting us using the contact information set forth below.

For questions about this Notice, please contact:

Privacy and Security Officer

5060 Shoreham Place, Suite 100

San Diego, CA 92122

866-657-6592

privacy@headlight.health