NOTICE OF PRIVACY PRACTICES

THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN OBTAIN ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.

Effective Date: August 4, 2025

INTRODUCTION

Mandeep Singh, MD, MBA, Professional Corporation (the “Practice” or “we”) respects your privacy and is required by law to maintain the privacy of protected health information under the Health Insurance Portability and Accountability Act of 1996, as amended (“HIPAA”), and other federal and state laws. "Protected Health Information" (“PHI”) includes any identifiable information that we obtain from you or others, which we keep or transmit in electronic, oral, or written form, that relates to your past, present, or future physical or mental health or medical conditions, the health care you have received, or payment for your health care.

As required by law, this Notice of Privacy Practices (this “Notice”) provides you with information about your rights and our legal duties and privacy practices with respect to your PHI, including our duty to notify you following a data breach of your unsecured PHI, our permitted uses and disclosures of your PHI, and your rights regarding your PHI.

Changes to this Notice.  We may change the terms of our Notice at any time, and the new Notice will be effective for all PHI that we maintain at that time. We will provide you with any revised Notice at the time of your next appointment, and the new Notice will also be available upon request, in our office, and on our website.

Scope.  We create a record of the care and health services you receive, to provide your care, and to comply with certain legal requirements. This Notice applies to all the PHI that we generate.  We follow, and our employees and other workforce members follow, the duties and privacy practices that this Notice describes and any changes once they take effect.

Contact:  If you have any questions about this Notice, please contact our Practice at contact@mandeepsinghmd.com

PERMITTED USES AND DISCLOSURES

As provided by law, we are permitted to use or disclose your PHI for various reasons, including for purposes of treatment, payment, and our health care operations. Additionally, we have included some examples, but we have not listed every permissible use or disclosure. If you refuse to consent to such uses or disclosures, we do not have to provide you with non-emergency care.  Nonetheless, when using or disclosing PHI or requesting your PHI from another source, we will make reasonable efforts to limit our use or disclosure of, or request for, your PHI to the minimum necessary to accomplish our intended purpose.

  • Treatment.  We may use or disclose your PHI with other professionals who are treating you or are involved in your care.  Treatment means the provision, coordination, or management of your health care, including consultations between health care providers regarding your care and referrals for health care from one health care provider to another. For example, your PHI may be provided to a physician who referred you to the Practice to ensure that the physician has all of your medically necessary information.

  • Payment.  We may use or disclose your PHI to bill and get payment from third party payers or others.  Payment means activities we undertake to obtain reimbursement for the health care provided to you, including determinations of eligibility and coverage and utilization review activities. For example, prior to providing health care services, we may need to provide to your insurance company information about your medical condition to determine whether the proposed course of treatment will be covered. When we subsequently bill the insurance company for the services rendered to you, we can provide the insurance company with information regarding your care if necessary to obtain payment.

  • Health Care Operations.  We may use and disclose your PHI to run our practice and improve your care. Health care operations means the support functions of our practice related to treatment and payment, such as quality assurance activities, case management, receiving and responding to patient complaints, physician reviews, compliance programs, audits, business planning, development, management, and administrative activities. For example, we may use your medical information to evaluate the performance of our staff when caring for you. We may also combine medical information about many patients to decide what additional services we should offer, what services are not needed, and whether certain new treatments are effective.

USES AND DISCLOSURES OF PHI THAT REQUIRE WRITTEN AUTHORIZATION

In these cases, we will only share your PHI if you give us your explicit written permission:

  • Most sharing of a mental health care professional's notes (“psychotherapy notes”) from a private counseling session or a group, joint, or family counseling session.

    • I do keep psychotherapy notes as that term is defined in 45 CFR § 164.501, and any use or disclosure of such notes requires your authorization unless the use or disclosure is:

      • For my use in treating you;

      • For my use in training or supervising mental health practitioners to help them improve their skills in group, joint, family, or individual counseling or therapy;

      • For my use in defending myself in legal proceedings instituted by you;

      • Required by law;

      • Required to help avert a serious threat to the health and safety of others.

  • Marketing our services.

  • Selling or otherwise receiving compensation for disclosing your PHI.  Note, we do not sell your PHI.

  • Certain research activities.

  • Other uses and disclosures not described in this Notice.

You may revoke your authorization at any time, but it will not affect information that we already used and disclosed.

OTHER USES AND DISCLOSURES OF PHI 

We may contact you to provide appointment reminders or information about treatment alternatives or other health related benefits and services that may be of interest to you.

When we determine, in our professional judgement, that it is in your best interest, we may disclose your PHI to your family or friends when they are involved in your care or the payment of your care. We will only disclose the PHI directly relevant to their involvement in your care or payment. 

We will allow your family and friends to act on your behalf to pick up filled prescriptions, medical supplies, and x-rays, and will disclose similar forms of PHI, when we determine, in our professional judgement, that it is in your best interest to make such disclosures.

Business Associates.  We may use and disclose your PHI to outside persons or entities that perform services on our behalf, such as auditing, legal, or transcription services (“Business Associates”). Business Associates and their subcontractors are required by law to protect your PHI in the same way we do.  We also contractually require Business Associates and their subcontractors to use and disclose your PHI only as permitted and to appropriately safeguard your PHI.

We may use or disclose your PHI in the following situations without your consent or authorization. These situations include:

  • Required By Law: We may use or disclose your PHI to the extent that law requires the use or disclosure. The use or disclosure will be made in compliance with the law and will be limited to the relevant requirements of the law. You will be notified, if permitted by law, of any such uses or disclosures.  For example, we will share your PHI if the U.S. Department of Health and Human Services, Office for Civil Rights requires it when investigating our compliance with privacy laws.

  • Public Health: We may disclose your PHI for public health activities and purposes to a public health authority that is permitted by law to collect or receive the information. The disclosure will be made for the purpose of reporting, preventing, and/or controlling disease, injury, and/or disability, and/or to avert a serious threat to public health or safety. We may also disclose your PHI, if directed by the public health authority, to a foreign government agency that is collaborating with the public health authority.

  • Communicable Diseases: We may disclose your PHI, if authorized by law, to a person who may have been exposed to a communicable disease or may otherwise be at risk of contracting or spreading the disease or condition.

  • Health Oversight: We may disclose PHI to a health oversight agency for activities authorized by law, such as audits, investigations, and inspections. Oversight agencies seeking this information include government agencies that oversee the health care system, government benefit programs, other government regulatory programs, and civil rights laws.

  • Abuse or Neglect: We may disclose your PHI to a public health authority that is authorized by law to receive reports of child abuse or neglect. In addition, we may disclose your PHI if we believe that you have been a victim of abuse, neglect or domestic violence to the governmental entity or agency authorized to receive such information. In this case, the disclosure will be made consistent with the requirements of applicable federal and state laws.

  • Food and Drug Administration: We may disclose your PHI to a person or company required by the U.S. Food and Drug Administration to report adverse events, product defects or problems, biologic product deviations, track products to enable product recalls, make repairs or replacements, or to conduct post marketing surveillance as required. 

  • Legal Proceedings: We may disclose PHI in the course of any judicial or administrative proceeding in response to an order of a court or administrative tribunal (to the extent such disclosure is expressly authorized), in certain conditions in response to a subpoena, discovery request, or other lawful process.

  • Law Enforcement: We may also disclose PHI, so long as applicable legal requirements are met, for law enforcement purposes. These law enforcement purposes include:

    • Legal processes and as otherwise required by law.

    • Limited information requests for identification and location purposes.

    • Pertaining to victims of a crime.

    • Suspicion that death has occurred as a result of criminal conduct.

    • In the event that a crime occurs on our premises.

    • Medical emergency (not on our premises) and it is likely that a crime has occurred.

Except for the general uses and disclosures described above, we will not use or disclose your PHI for any other purposes unless you provide a written authorization. You have the right to revoke that authorization at any time, provided that the revocation is in writing, except to the extent that we already have taken action in reliance on your authorization.

YOUR RIGHTS

When it comes to your health information, you have certain rights. This section explains your rights and some of our responsibilities to help you.  You have the right to:

  • Inspect and Obtain a Copy of Your PHI.  Other than psychotherapy notes, you have the right to inspect and obtain an electronic or paper copy of the PHI that we maintain about you, including medical and billing records, and any other records the Practice uses for making decisions about you.  Alternatively, you may request a summary of your PHI or an explanation of your PHI; provided, however, if you request to receive a summary, within 30 days of receiving your written request, we may charge a reasonable, cost-based fee for doing so. We may deny your request for access in certain limited circumstances; however, if we deny your access request, we will provide a written denial with the basis for our decision and explain your rights to appeal or file a complaint.  We may charge a reasonable, cost-based fee for the costs of copying, mailing, or other supplies associated with your request, if permitted by applicable state and federal law.

  • Make Amendments.  You may ask us to correct or amend PHI that we maintain about you that you think is incorrect or inaccurate. We may deny your request for an amendment if you ask us to amend PHI that is not part of our record, that we did not create, that is not part of a designated record set, or that is accurate and complete. If we deny your request, we will tell you why in writing.

  • Request Additional Restrictions.  You have the right to ask us to limit what we use or share about your PHI.  For example, you may request that any part of your PHI not be disclosed to family members or friends that may be involved in your care.  You have the right to request restrictions on our uses and disclosures of your PHI for treatment, payment, and health care operations.  We will agree not to disclose information to a health plan for purposes of payment or health care operations if the requested restriction concerns a health care item or service for which you or another person, other than the health plan, paid in full out-of-pocket, unless it is otherwise required by law.  Notwithstanding the foregoing, we are not required to agree to your request.  Your request must be in writing and state the specific restriction requested and to whom you want the restriction to apply.

  • Request an Accounting of Disclosures. You have the right to request an accounting of certain PHI disclosures that we have made.  We will include all the disclosures except for those about treatment, payment, and health care operations, and certain other disclosures, such as any you asked us to make.

  • Request Confidential Communication.  You have the right to reasonably request to receive communications of PHI by alternative means or at alternative locations.  For example, you can ask that we only contact you at work or at a specific address.  For these requests, you must specify how or where you wish to be contacted and we will accommodate reasonable requests.

  • You have the right to request and receive an electronic or paper copy of this Notice from us. 

DATA BREACH NOTIFICATION

We will promptly notify you if a data breach occurs that may have compromised the privacy or security of your PHI. We will notify you within the legally required time frame, no later than 60 days after we discover the breach.  Most of the time, we will notify you in writing by email if you have provided us with your current email address and have previously agreed to receive notices electronically.  Otherwise, we will notify you by first-class mail.  In some circumstances, our Business Associates, which are described in more detail above, may provide the notification. In limited circumstances when we have insufficient or out-of-date contact information, we may provide notice in a legally acceptable alternative form.

COMPLAINTS

If you believe that your privacy rights have been violated, you should immediately contact us at contact@mandeepsinghmd.com. We will not take action against you for filing a complaint. You may also file a complaint with the Secretary of Health and Human Services.  We will not retaliate against you for filing a complaint. You may either file a complaint: