Privacy Policy
NOTICE OF PRIVACY PRACTICES
Direct Pay Virtual Clinic
Effective Date: March 18, 2026 | This Notice is effective as to all protected health information created or maintained by Direct Pay Virtual Clinic on or after this date.
THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
INTRODUCTION AND LEGAL DUTY
Direct Pay Virtual Clinic ("Clinic," "we," "us," or "our") is a covered entity under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as amended by the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 (collectively, "HIPAA"). We are required by law to:
• Maintain the privacy and security of your protected health information ("PHI") as defined under 45 C.F.R. § 160.103;
• Provide you with this Notice of our legal duties and privacy practices with respect to your PHI;
• Notify you if a breach of your unsecured PHI occurs that meets the threshold requirements of 45 C.F.R. § 164.402;
• Abide by the terms of the Notice currently in effect; and
• Comply with all applicable Minnesota privacy laws, including the Minnesota Health Records Act (Minn. Stat. Ch. 144) and the Minnesota Consumer Data Privacy Act (MCDPA).
We are committed to protecting the privacy and security of your health information. We will not use or disclose your PHI except as described in this Notice or as otherwise permitted or required by applicable law. We reserve the right to change the terms of this Notice and to make the new Notice effective for all PHI we maintain. If we make a material change to this Notice, we will post the revised Notice on our Website and provide notice to you as required by law.
SECTION 1: KEY DEFINITIONS
The following definitions apply throughout this Notice:
• "Protected Health Information" (PHI) means individually identifiable health information that is created, received, maintained, or transmitted by the Clinic in any form or medium, including electronic, paper, or oral. PHI includes, but is not limited to, your name, address, date of birth, Social Security number, diagnoses, treatment records, prescription history, billing records, and any other information that could be used to identify you and relates to your past, present, or future physical or mental health or condition.
• "Electronic Protected Health Information" (ePHI) means PHI that is created, maintained, received, or transmitted in electronic form.
• "Treatment" means the provision, coordination, or management of healthcare and related services by one or more healthcare providers.
• "Payment" means activities undertaken by the Clinic to obtain or provide reimbursement for the provision of healthcare, including billing, claims management, and utilization review.
• "Healthcare Operations" means certain administrative, financial, legal, and quality improvement activities of the Clinic necessary to run the practice and deliver quality care.
• "Business Associate" means a person or entity that performs certain functions or activities on behalf of the Clinic that involve the use or disclosure of PHI, and with whom the Clinic must execute a Business Associate Agreement (BAA) pursuant to 45 C.F.R. § 164.308(b).
• "Minimum Necessary" means the Clinic's obligation to make reasonable efforts to limit PHI use and disclosure to the minimum amount necessary to accomplish the intended purpose.
SECTION 2: PERMITTED USES AND DISCLOSURES WITHOUT YOUR WRITTEN AUTHORIZATION
Under HIPAA and applicable Minnesota law, we may use or disclose your PHI for the following purposes without your prior written authorization. In all cases, we will use or disclose only the minimum amount of PHI necessary to accomplish the stated purpose.
2.1 Treatment
We may use your PHI to provide, coordinate, and manage healthcare services and related treatment. Examples include:
• Sharing your health history, diagnosis, and treatment information with other healthcare providers involved in your care (e.g., specialists, laboratories, imaging centers, pharmacies)
• Consulting with other licensed providers regarding your care
• Transmitting prescriptions electronically to your pharmacy of choice
• Referring you to in-person healthcare providers when clinically appropriate and sharing relevant records to facilitate continuity of care
• Reviewing your medical records to inform clinical decision-making during and after your visit
2.2 Payment
We may use or disclose your PHI to obtain payment for services rendered or to facilitate payment-related activities. Examples include:
• Creating and transmitting itemized bills or superbills that include your diagnosis and treatment codes
• Processing credit card or other payment transactions through our payment processor (subject to a Business Associate Agreement)
• Responding to insurance carrier inquiries if you submit a superbill for potential reimbursement
• Pursuing collection of unpaid balances, where applicable
• Responding to audits or reviews related to payment
2.3 Healthcare Operations
We may use or disclose your PHI for healthcare operations activities necessary to operate and improve our practice. Examples include:
• Quality assessment and improvement activities, including peer review of clinical decisions
• Training and supervision of clinical staff and students, where applicable
• Accreditation, certification, licensing, or credentialing activities
• Conducting or arranging for legal, compliance, and risk management activities
• Business management and general administrative activities
• De-identified data analysis for quality improvement (note: de-identified data is not PHI and is not subject to HIPAA restrictions)
2.4 Required by Law
We will disclose your PHI when required to do so by applicable federal, state, or local law, including but not limited to:
• Mandatory reporting of suspected child abuse, dependent adult abuse, or vulnerable adult abuse under Minn. Stat. §§ 626.556, 626.557
• Reporting of certain communicable diseases to the Minnesota Department of Health pursuant to Minn. Stat. § 144.4804 and Minnesota Rules Ch. 4605
• Compliance with court orders, subpoenas, or other lawful process
• Compliance with workers' compensation laws (Minn. Stat. Ch. 176), where applicable
• Response to valid law enforcement requests, subject to applicable legal requirements and limitations
2.5 Public Health and Safety
We may disclose your PHI to public health authorities authorized by law to collect or receive information for purposes such as:
• Preventing or controlling disease, injury, or disability
• Reporting births and deaths
• Reporting adverse events related to medications or medical devices to the FDA
• Conducting public health surveillance, investigations, and interventions
• Averting a serious threat to the health or safety of a person or the public, when disclosure is necessary and consistent with applicable law and ethical standards (45 C.F.R. § 164.512(j))
2.6 Health Oversight Activities
We may disclose your PHI to a health oversight agency for activities authorized by law, such as audits, investigations, inspections, and licensure activities. Oversight agencies include the Minnesota Board of Nursing, the Minnesota Department of Health, and the U.S. Department of Health and Human Services.
2.7 Research
We may use or disclose your PHI for research purposes only under specific circumstances: (a) when you have provided written authorization; (b) when the research involves a waiver of authorization approved by an Institutional Review Board (IRB) or Privacy Board; (c) when the research involves only preparatory activities; or (d) when the information is de-identified in accordance with 45 C.F.R. § 164.514.
2.8 Decedents
We may disclose PHI to a coroner, medical examiner, or funeral director for purposes consistent with their lawful duties.
2.9 Organ and Tissue Donation
We may use or disclose PHI to organ procurement organizations or other entities engaged in procurement, banking, or transplantation of organs, eyes, or tissue for donation purposes, as authorized by law.
2.10 Judicial and Administrative Proceedings
We may disclose PHI in response to a court or administrative order, subpoena, discovery request, or other lawful process, subject to applicable requirements and conditions set forth in 45 C.F.R. § 164.512(e).
2.11 Law Enforcement
We may disclose PHI to law enforcement officials under specific limited circumstances as permitted by 45 C.F.R. § 164.512(f), including to comply with a court order, subpoena, or warrant; to identify or locate a suspect or missing person; and to report a crime occurring on our premises.
2.12 Military and Veterans
If you are or were a member of the armed forces, we may disclose PHI as required by military command authorities under 45 C.F.R. § 164.512(k).
2.13 Appointment Reminders and Treatment Alternatives
We may use or disclose your PHI to contact you regarding appointment reminders, to inform you of treatment alternatives, or to provide health-related benefits or services that may be of interest to you, subject to applicable law.
SECTION 3: USES AND DISCLOSURES REQUIRING YOUR WRITTEN AUTHORIZATION
3.1 General Authorization Requirements
Except as described in Section 2, we will not use or disclose your PHI without your prior written authorization. Under the Minnesota Health Records Act (Minn. Stat. § 144.293), written authorization is required for most disclosures of health records to third parties outside the treatment, payment, and operations context, which is a standard more protective than federal HIPAA requirements. We will comply with the more protective Minnesota standard.
A valid written authorization under Minnesota law and HIPAA must: identify the information to be disclosed; identify the person or entity authorized to make the disclosure; identify the person or class of persons to whom the disclosure may be made; state the purpose of the disclosure; specify an expiration date or event; and be signed and dated by you or your authorized representative.
3.2 Marketing
We will not use or disclose your PHI for marketing purposes without your prior written authorization, except as permitted by HIPAA (e.g., face-to-face communications, promotional gifts of nominal value). We will not accept payment in exchange for making marketing communications about third-party products or services without your authorization.
3.3 Sale of PHI
We will not sell your PHI to any third party without your prior written authorization. This prohibition also applies to a transfer of only de-identified information if the de-identification does not meet the standards of 45 C.F.R. § 164.514.
3.4 Psychotherapy Notes
Psychotherapy notes (as defined under 45 C.F.R. § 164.501) are subject to heightened protections and will not be used or disclosed without your specific written authorization, with limited exceptions (e.g., treatment by the originating provider, training, or as required by law).
3.5 Other Sensitive Categories Under Minnesota Law
Consistent with Minn. Stat. § 144.293 and related statutes, the following categories of information are subject to heightened authorization requirements:
• Mental health records and communications (Minn. Stat. §§ 144.291-144.298, 253B.03)
• Alcohol and drug abuse treatment records (42 C.F.R. Part 2; Minn. Stat. § 254A.09)
• HIV/AIDS test results and diagnoses (Minn. Stat. § 144.763)
• Genetic information (Minn. Stat. Ch. 13, GINA - Genetic Information Nondiscrimination Act)
• Sexual assault examination records (Minn. Stat. § 145.1475)
• Reproductive health information
Disclosures of the above categories will not be made without specific, targeted written authorization, separate from general medical record authorization, unless otherwise required by law.
3.6 Revocation of Authorization
You have the right to revoke your authorization at any time by providing written notice to the Clinic. Revocation will be effective upon receipt by the Clinic. Revocation will not apply to uses or disclosures already made in reliance on your authorization prior to receipt of your revocation.
SECTION 4: YOUR RIGHTS REGARDING YOUR PROTECTED HEALTH INFORMATION
You have the following rights with respect to your PHI maintained by Direct Pay Virtual Clinic. To exercise any of these rights, please submit a written request to the Clinic using the contact information in Section 7.
4.1 Right to Access and Inspect Your Health Records
You have the right to inspect and receive a copy of PHI about you that is contained in a Designated Record Set (as defined in 45 C.F.R. § 164.501), including your medical records and billing records. This right is protected under 45 C.F.R. § 164.524 and Minn. Stat. § 144.292.
Requests must be submitted in writing. The Clinic will respond within thirty (30) days of receipt (or within ten (10) calendar days for records needed for ongoing care, pursuant to Minn. Stat. § 144.292, Subd. 6). If we need additional time, we will notify you in writing within the initial response period and explain the reason for the delay (a single thirty-day extension is permitted under HIPAA).
We may provide records in the format you request (e.g., electronic or paper). We may charge a reasonable, cost-based fee for copies as permitted by 45 C.F.R. § 164.524(c)(4) and Minn. Stat. § 144.292, Subd. 6. The Clinic may deny access to certain PHI in limited circumstances as permitted by law; you will be informed of any denial and provided information about how to request a review of the denial.
4.2 Right to Amend Your Health Records
You have the right to request that the Clinic amend PHI in your Designated Record Set if you believe the information is inaccurate or incomplete. This right is protected under 45 C.F.R. § 164.526 and Minn. Stat. § 144.2095.
Amendment requests must be submitted in writing and must state the reason for the requested amendment. The Clinic will respond within sixty (60) days. We may deny your request if we determine the PHI is accurate and complete; was not created by the Clinic; is not part of the Designated Record Set; or would not be available for inspection under applicable law. If we deny your request, you have the right to submit a written statement of disagreement, which will be attached to your record.
4.3 Right to an Accounting of Disclosures
You have the right to receive an accounting of certain disclosures of your PHI made by the Clinic for purposes other than treatment, payment, healthcare operations, or disclosures made pursuant to your authorization, during the six (6) years prior to the date of your request (or since the compliance date of this Notice, if shorter). This right is protected under 45 C.F.R. § 164.528.
The accounting will include the date, recipient, description, and purpose of each such disclosure. Requests must be submitted in writing. The first accounting in any twelve-month period is provided at no charge; subsequent requests may be subject to a reasonable, cost-based fee. We will respond within sixty (60) days of receipt.
4.4 Right to Request Restrictions on Use or Disclosure
You have the right to request that the Clinic restrict the use or disclosure of your PHI for treatment, payment, or healthcare operations purposes. This right is protected under 45 C.F.R. § 164.522(a). The Clinic is not generally required to agree to all requested restrictions; however, we will honor requests that are reasonable and do not interfere with your care.
Important exception: We are required to agree to a requested restriction if the disclosure is to a health plan for purposes of payment or healthcare operations (not treatment) and the PHI pertains solely to a healthcare item or service for which you have paid, or offered to pay, out-of-pocket and in full (45 C.F.R. § 164.522(a)(1)(vi)). Given our direct-pay model, this provision is particularly relevant to our patients.
4.5 Right to Request Confidential Communications
You have the right to request that the Clinic communicate with you about your PHI in a specific manner or at a specific location. For example, you may request that we contact you only by email, or only at a specific phone number. This right is protected under 45 C.F.R. § 164.522(b). We will accommodate reasonable requests and will not require you to explain the reason for your request.
4.6 Right to Receive a Paper Copy of This Notice
You have the right to receive a paper copy of this Notice of Privacy Practices upon request, even if you agreed to receive this Notice electronically. Please contact us using the information in Section 7 to request a paper copy.
4.7 Right to Be Notified of a Breach
You have the right to receive notification from the Clinic in the event of a breach of unsecured PHI that affects you. The Clinic will provide written notification to affected individuals without unreasonable delay and within sixty (60) days of discovering a breach that meets the threshold requirements of 45 C.F.R. § 164.402, in accordance with the HIPAA Breach Notification Rule (45 C.F.R. §§ 164.400-414) and applicable Minnesota breach notification law (Minn. Stat. § 325E.61).
4.8 Right to a Patient Advocate (Minnesota)
Consistent with Minn. Stat. § 144.651 (Minnesota Patients' Bill of Rights), you have the right to designate a patient advocate or support person who may assist you in understanding your rights and exercising them.
SECTION 5: MINNESOTA-SPECIFIC PRIVACY PROTECTIONS
Minnesota law provides privacy protections for health records that are in many respects more protective than federal HIPAA requirements. To the extent that Minnesota law is more protective of patient privacy, the Clinic will comply with the more stringent Minnesota standard.
5.1 Minnesota Health Records Act (Minn. Stat. Ch. 144)
The Minnesota Health Records Act governs the creation, maintenance, use, and disclosure of health records in Minnesota. Key provisions applicable to our practice include:
• Minn. Stat. § 144.291: Establishes patients' rights regarding health records, including the right to access, inspect, and copy records
• Minn. Stat. § 144.292: Requires healthcare providers to furnish health records upon request within specified timeframes
• Minn. Stat. § 144.293: Prohibits disclosure of health records to third parties without written patient authorization, subject to enumerated exceptions more limited than those under HIPAA
• Minn. Stat. § 144.294: Provides enhanced protections for mental health records and specifies requirements for authorization of such disclosures
• Minn. Stat. § 144.295: Governs corrections to health records
• Minn. Stat. § 144.298: Establishes civil penalties for unauthorized disclosure of health records
5.2 Minnesota Consumer Data Privacy Act (MCDPA)
The Minnesota Consumer Data Privacy Act, effective July 31, 2025, provides additional rights with respect to personal data, including health data not covered by HIPAA. To the extent MCDPA applies to data we collect and process, you have the following rights:
• The right to confirm whether we process your personal data and to access that data
• The right to correct inaccuracies in your personal data
• The right to delete personal data you have provided or that we have collected about you
• The right to obtain a portable copy of personal data you have provided to us
• The right to opt out of the processing of your personal data for purposes of targeted advertising, sale, or profiling
To exercise rights under the MCDPA, please contact us using the information in Section 7. We will respond to verifiable consumer requests within forty-five (45) days, with a possible forty-five (45) day extension for complex requests.
5.3 Prohibition on Discrimination
We will not discriminate against you for exercising any of your privacy rights. We will not deny you treatment, charge you different prices, or provide a different level of service because you exercised a right under HIPAA, the Minnesota Health Records Act, or the MCDPA.
SECTION 6: SECURITY OF YOUR HEALTH INFORMATION
Direct Pay Virtual Clinic implements comprehensive administrative, physical, and technical safeguards to protect the security of your PHI, including ePHI, in accordance with the HIPAA Security Rule (45 C.F.R. Part 164, Subpart C) and applicable Minnesota law. Our security program includes:
6.1 Administrative Safeguards
• Designation of a Privacy Officer responsible for developing and implementing privacy policies
• Written policies and procedures governing the use, disclosure, and protection of PHI
• Regular workforce training on HIPAA privacy and security requirements
• Workforce access controls ensuring that staff access PHI only on a need-to-know basis
• Business Associate Agreements executed with all vendors and contractors who access, use, or disclose PHI on our behalf
• Incident response and breach notification procedures
6.2 Physical Safeguards
• Physical access controls to facilities where PHI is maintained
• Secure disposal of PHI in paper and electronic form, consistent with NIST and HIPAA guidelines
• Workstation security policies restricting access to devices used to create or access ePHI
6.3 Technical Safeguards
• Encrypted transmission of all ePHI, including telehealth video sessions, using industry-standard encryption protocols (e.g., TLS 1.2 or higher)
• Encrypted storage of ePHI at rest
• Multi-factor authentication (MFA) for access to systems containing ePHI
• Automatic session timeouts for systems containing ePHI
• Audit logging of access to and disclosure of ePHI
• Regular vulnerability assessments and security risk analyses as required by 45 C.F.R. § 164.308(a)(1)
• HIPAA-compliant third-party telehealth and EHR platforms subject to Business Associate Agreements
SECTION 7: HOW TO EXERCISE YOUR RIGHTS AND FILE A COMPLAINT
7.1 Exercising Your Rights
To exercise any of the rights described in Section 4, or for any questions regarding this Notice, please contact our Privacy Officer:
• Email: info@directpayvirtualclinic.org
• Website Contact Form: directpayvirtualclinic.com
• Mail: Direct Pay Virtual Clinic, Privacy Officer, [Minnesota Address]
Written requests are preferred for all formal rights exercises, including requests to access, amend, restrict, or obtain an accounting of disclosures of PHI. We will acknowledge receipt of your request and respond within the timeframes specified in this Notice.
7.2 Filing a Complaint
If you believe that your privacy rights have been violated by the Clinic, you have the right to file a complaint. You may file a complaint with:
• Direct Pay Virtual Clinic Privacy Officer: info@directpayvirtualclinic.org
• U.S. Department of Health and Human Services, Office for Civil Rights (OCR): www.hhs.gov/ocr or 1-800-368-1019
• Minnesota Department of Health: www.health.state.mn.us or 651-201-5000
• Minnesota Board of Nursing (for complaints regarding nursing practice): www.nursingboard.state.mn.us or 612-317-3000
All complaints must be filed in writing. The Clinic will not retaliate against you in any way for filing a complaint with the Clinic or with any government agency. Retaliation against a patient for exercising privacy rights is prohibited under HIPAA (45 C.F.R. § 164.530(g)) and Minn. Stat. § 144.298.
SECTION 8: RETENTION OF HEALTH RECORDS
Direct Pay Virtual Clinic retains health records in accordance with applicable law. Under Minnesota law (Minn. Stat. § 145.32), health records must be retained for a minimum period of:
• Seven (7) years from the date of the last professional service for adult patients
• Seven (7) years from the date the patient reaches the age of majority (age 18) for minor patients (i.e., records may be retained until the patient is at least 25 years old)
Records may be retained for longer periods for legal, clinical, or administrative purposes. Electronic health records are retained in a secure, encrypted EHR system. Paper records, if any, are stored securely and destroyed in accordance with HIPAA and Minnesota law upon expiration of the retention period.
Website usage analytics and non-clinical data are retained for a maximum of two (2) years, after which they are deleted or anonymized.
SECTION 9: CHANGES TO THIS NOTICE
The Clinic reserves the right to change this Notice of Privacy Practices at any time and to make the new Notice effective for all PHI we maintain, including PHI created or received before the effective date of the change. We will post the revised Notice on our Website and make it available at our practice. If we make a material change to this Notice, we will provide notice as required by applicable law. The effective date of the current Notice is displayed at the top of this document.
We encourage you to review this Notice periodically. Your continued use of our services after the effective date of any changes constitutes your acknowledgment of the revised Notice.
This Notice of Privacy Practices complies with HIPAA (45 C.F.R. Parts 160 and 164), the HITECH Act, Minn. Stat. Ch. 144 (Minnesota Health Records Act), Minn. Stat. § 144.651 (Minnesota Patients' Bill of Rights), the Minnesota Consumer Data Privacy Act, and all other applicable federal and Minnesota privacy laws.