Privacy Policy

1. Purpose and Scope

This policy applies to all Protected Health Information (PHI) collected, processed, stored, or transmitted by BlackLeviathan in any form (electronic, paper, or verbal). PHI includes any information that can be used to identify an individual and relates to their past, present, or future physical or mental health condition, healthcare services received, or payment for such services.

 

2. Collection of PHI

We collect PHI directly from patients, healthcare providers, insurers, and authorized representatives for purposes including but not limited to:

Treatment and care coordination

Processing payments for medical services

Healthcare operations, including quality assessments and compliance reviews

Appointment scheduling and reminders

Compliance with legal and regulatory obligations

We may collect PHI through electronic records, written documents, telephone conversations, or face-to-face interactions.

 

3. Use and Disclosure of PHI

We use and disclose PHI only as permitted by HIPAA, including:

A. Permitted Uses and Disclosures

Treatment – Sharing PHI with healthcare providers to coordinate care.

Payment – Using PHI for billing, claims processing, and payment collection.

Healthcare Operations – Using PHI for quality improvement, training, and regulatory compliance.

Public Health Activities – Reporting PHI to public health authorities for disease control and prevention.

Law Enforcement – Providing PHI to law enforcement when required by law or court order.

Health Oversight Activities – Disclosing PHI to government agencies for audits and investigations.

Judicial and Administrative Proceedings – Releasing PHI when legally required by subpoenas or court orders.

Research – Using PHI for research purposes in accordance with HIPAA requirements.

B. Uses and Disclosures Requiring Authorization

For all other uses, including:

Marketing communications

Sale of PHI

Use of psychotherapy notes

Any other disclosures not listed under permitted uses

We will obtain written authorization before using or disclosing PHI. You may revoke this authorization at any time in writing.

 

4. Patient Rights Regarding PHI

Under HIPAA, you have the following rights:

A. Right to Access

You may request a copy of your PHI in electronic or paper format. We will provide access within 30 days unless an extension is required.

B. Right to Amend

If you believe your PHI is incorrect or incomplete, you may request an amendment. We may deny the request if the information is accurate and complete.

C. Right to an Accounting of Disclosures

You may request a list of PHI disclosures made in the past six years, excluding disclosures for treatment, payment, and healthcare operations.

D. Right to Request Restrictions

You may request restrictions on the use or disclosure of your PHI. We are not required to agree, except in cases where the disclosure is for payment purposes and you have paid in full out-of-pocket.

E. Right to Request Confidential Communications

You may request communications by alternative means or at alternative locations.

F. Right to File a Complaint

If you believe your privacy rights have been violated, you may file a complaint with us or the U.S. Department of Health and Human Services (HHS). We will not retaliate against you for filing a complaint.

 

5. Safeguarding PHI

We implement strict security measures to protect PHI from unauthorized access, disclosure, alteration, or destruction. These include:

Encryption of electronic PHI (ePHI)

Role-based access controls

Secure physical storage of paper records

Regular audits and risk assessments

Employee training on HIPAA compliance

 

6. Data Breach Notification

In the event of a breach affecting your PHI, we will:

Notify you within 60 days of discovery

Report the breach to the HHS Office for Civil Rights if required

Take corrective measures to prevent future breaches

 

7. Third-Party Business Associates

We may share PHI with third-party vendors, known as Business Associates, who assist with healthcare operations. These Business Associates must sign a HIPAA-compliant Business Associate Agreement (BAA) to ensure PHI is protected.

 

8. Retention and Disposal of PHI

PHI is retained according to legal and regulatory requirements. Upon expiration of the retention period, we securely dispose of PHI through:

Shredding paper documents

Secure deletion of electronic records

 

9. Changes to This Privacy Policy

We may update this Privacy Policy periodically. Any changes will be posted on our website, and material changes will be communicated to you as required by law.

 

This Privacy Policy is designed to ensure compliance with HIPAA regulations while safeguarding patient information. Please consult with legal counsel to ensure all provisions meet your specific operational requirements.
