Notice of Privacy Practices

OUR PRIVACY COMMITMENT

Thank you for giving us the opportunity to serve you. In the normal course of doing business, Dua Health LLC, on behalf of Dua Health Group PLLC, creates, obtains, and/or maintains records about you and the services we provide. The information we collect is called protected health information (“PHI”). We take our obligation to keep your PHI secure and confidential very seriously.

We are required by federal and state law to protect the privacy of your PHI and to provide you with this Notice of Privacy Practices (“Notice”) describing how we safeguard and use your PHI, and how we will notify you following a breach of your unsecured PHI.

When we use or disclose your PHI, we are bound by the terms of this Notice. This Notice applies to all electronic or paper records we create, obtain, and/or maintain that contain your PHI.

THIS NOTICE DESCRIBES:

  • How we may use and disclose your PHI

  • Your rights to access and amend your PHI

WE ARE REQUIRED BY LAW TO:

  • Maintain the privacy of your PHI

  • Provide you with this Notice of our legal duties and privacy practices with respect to PHI

  • Abide by the terms of this Notice

HOW WE PROTECT YOUR PRIVACY

We understand the importance of protecting your PHI. We maintain technical, physical, and administrative safeguards to ensure the privacy and security of your information.

PERMITTED USES AND DISCLOSURES OF YOUR PHI

HOW WE MAY USE PHI WITHOUT YOUR AUTHORIZATION

Treatment – We may use and disclose your PHI to healthcare professionals or other third parties to provide, coordinate, and manage the delivery of healthcare. For example, behavioral health assessments and other PHI may be disclosed to your health insurer or your primary care provider to support the provision of behavioral health services.

Payment – We may use and disclose PHI about you to receive payment for our services, determine your insurance eligibility or coverage, manage your account, fulfill benefit plan responsibilities, and process claims for services rendered. For example, we may disclose PHI to your health plan or employer (or their designees) to verify eligibility or submit claims for reimbursement.

Healthcare Operations – We may use and disclose your PHI for our internal operations, such as quality assessment, staff training, auditing, utilization review, and other necessary administrative activities. For example, we may use your PHI to assess treatment outcomes, develop clinical protocols, or improve our services.

Disclosures to Your Employer as Sponsor of Your Health Plan – Where permitted by law, we may disclose your PHI to your employer or a vendor acting on its behalf to administer your employee health plan. Your employer may not use your PHI for any purpose other than plan administration. Please refer to your health plan documents for details on whether your employer receives PHI and, if so, who may access it.

Information That May Be of Interest to You – We may use or disclose your PHI to inform you about treatment options or other health-related services that may be of interest to you.

Individuals Involved in Your Care or Payment for Your Care – We may disclose PHI to a family member, friend, or other person involved in your care or payment for your care, unless you notify us in writing not to do so. We will request adequate verification of the individual’s authority to act on your behalf.

Legal Guardians – If you are under a legal guardianship, we may disclose your PHI to your legal guardian as required or permitted under federal or applicable state law.

Business Associates – We may share PHI with business associates who perform services on our behalf (e.g., billing, IT, analytics). Business associates are bound by contractual obligations to safeguard your PHI. If a business associate uses subcontractors, they must also enter into binding confidentiality agreements to ensure the continued protection of your information.

Research – Under certain circumstances, we may use and disclose PHI about you for research purposes. Before we use or disclose PHI for research, we will either remove personally identifying information, obtain your written authorization, or gain approval through an appropriate review process that ensures the protection of your privacy. In some cases, we may use your PHI to generate aggregate data (summarized data that does not personally identify you) to study outcomes, costs, or provider performance, or to help design benefits for employers or health plans. This aggregate data may be sold or disclosed to other organizations, but it will not personally identify you.

Abuse, Neglect, or Domestic Violence – We may disclose your PHI to a social services or protective agency or to another government authority if we believe you are a victim of abuse, neglect, or domestic violence. We will inform you of the disclosure unless doing so would place you at serious risk of harm.

Public Health – We may disclose your PHI for public health activities and purposes. These may include regulatory reporting, such as reporting adverse events, supporting vaccination efforts, preventing or controlling communicable diseases, or conducting post-marketing surveillance in connection with FDA mandates or product recalls.

We may receive payment from a third party for making certain public health-related disclosures.

Judicial and Administrative Proceedings – We may disclose your PHI in the course of any judicial or administrative proceeding if required by a court order, subpoena, or other lawful process—provided reasonable efforts have been made to notify you of the request or to obtain a protective order.

Law Enforcement – We may disclose your PHI as required by law in response to a subpoena, warrant, summons, or similar process. We may also provide information to assist law enforcement in identifying or locating a suspect, witness, or missing person; reporting a crime; providing details about a decedent; or when there is a concern for the safety of others.

Coroners and Medical Examiners – We may disclose PHI to a coroner or medical examiner to identify a deceased individual, determine cause of death, or perform other authorized duties.

Organ, Eye, and Tissue Donation – We may disclose PHI to organizations that facilitate organ, eye, or tissue donation and transplantation.

Workers’ Compensation – We may disclose your PHI to comply with workers’ compensation laws or similar programs that provide benefits for work-related injuries or illnesses.

Specialized Government Functions, Military, and Veterans – We may disclose your PHI to authorized federal officials to carry out lawful intelligence, counterintelligence, national security activities, or medical suitability determinations. If you are a member of the U.S. armed forces (or a foreign military), we may release your PHI as required by military command authorities or applicable law.

If you are incarcerated or in the custody of a law enforcement official, we may release your PHI if necessary for:

  • Providing health care services

  • Maintaining the health or safety of yourself or others

  • Ensuring the safety and security of the institution or its staff

As Otherwise Required by Law – We will disclose your PHI when required to do so by applicable federal, state, or local laws. If the law in your jurisdiction provides additional protections against the use or disclosure of PHI, we will follow those laws as applicable.

Health Oversight – We may disclose PHI to a health oversight agency for activities authorized by law, such as audits, investigations, licensure, or disciplinary actions. These agencies may oversee the healthcare system, public benefit programs, and compliance with civil rights laws.

Creation of De-Identified Health Information – We may use your PHI to create de-identified information by removing identifying details such as your name, address, and member ID. This de-identified data may be used for internal business purposes, such as generating summary reports or analyzing healthcare trends.

To Avert a Serious Threat to Health or Safety – We may disclose PHI if necessary to prevent or lessen a serious and imminent threat to your health or safety, or the health and safety of another person or the general public. Such disclosures will be made only to those who are reasonably able to prevent or reduce the threat.

OTHER USES AND DISCLOSURES OF PHI

Uses of PHI That Require Your Authorization

Most uses and disclosures of psychotherapy notes (where applicable), disclosures for marketing purposes, and disclosures that constitute a sale of PHI require your written authorization. These activities—and any other uses and disclosures of your PHI not otherwise described in this Notice—will be made only with your written authorization unless permitted by applicable law. You may revoke your authorization in writing at any time unless we have already acted in reliance on it.

Written revocation of authorization must be sent to the address listed at the end of this Notice.

Additional Protections for Certain Categories of PHI

Certain types of PHI may be subject to additional protections under federal or state law. This includes, but is not limited to:

  • Psychotherapy notes

  • PHI related to alcohol and drug use, diagnosis, and treatment

  • PHI concerning HIV/AIDS status, testing, or treatment

  • PHI related to venereal or other communicable diseases

  • PHI derived from genetic testing

Where applicable, we will comply with enhanced privacy protections as required by law.

YOUR RIGHTS WITH RESPECT TO YOUR PHI

You have the following rights regarding the PHI we maintain about you:

Right to Inspect and Copy

You may request to inspect and copy PHI that may be used to make decisions about your care, including records of enrollment, payment, claims adjudication, and case or medical management. If these records are maintained electronically, you may request them in electronic format. You may also request that we send your PHI to a third party, such as a Health Information Exchange (HIE). We may charge a reasonable fee to cover copying, mailing, or other associated costs. In certain circumstances, access may be denied as allowed by law.

Right to Amend

If you believe your PHI is incorrect or incomplete, you may request an amendment. You must provide a reason supporting your request. We may deny your request under certain conditions, and if we do, you may file a statement of disagreement. If the information was created by another provider or facility, we may refer you to them.

Right to an Accounting of Disclosures

You have the right to request an accounting of certain disclosures of your PHI made by us, excluding disclosures made:

  • To you

  • With your written authorization

  • For treatment, payment, or healthcare operations

  • Earlier than six years prior to the date of your request (or three years for electronic health records, if applicable)

  • As otherwise excluded by law

If you request more than one accounting in a 12-month period, we may charge a reasonable fee for each additional report.

Right to Request Restrictions

You may request limitations on how we use or disclose your PHI for treatment, payment, or healthcare operations. You may also request that we not share PHI with family members or friends involved in your care. We are not required to agree to your request, unless it relates to a disclosure to a health plan for payment or operations purposes (not treatment) and the PHI pertains to a service that you paid for entirely out-of-pocket.

Right to Confidential Communications

You may request that we communicate with you in an alternative way or at an alternative location to protect your confidentiality. Your request must include the method or location you prefer.

Right to Be Notified of a Breach

You have the right to be notified in the event of a breach of your unsecured PHI.

Right to a Paper Copy of This Notice

You have the right to request a paper copy of this Notice at any time, even if you have agreed to receive it electronically. To request a copy or obtain answers to frequently asked questions, please contact support@duahealth.co.

Right to File a Complaint

If you believe your privacy rights have been violated, you may file a complaint with us or with the U.S. Department of Health and Human Services. We will not retaliate against you for filing a complaint.

To submit written requests or complaints, please contact:

Dua Health LLC
Attn: Privacy Office
5900 Balcones Drive, Suite 100
Austin, TX 78731
privacy@duahealth.co

Please include your name, mailing address, and any relevant identifiers.

ACKNOWLEDGEMENT OF NOTICE OF PRIVACY PRACTICES

The purpose of this form is to verify that you received this Notice of Privacy Practices. You are not required to sign or return the form.