THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
Notice of Privacy Practices
Effective Date: April 1, 2026
Rooted Maternal Wellness LLC d/b/a LactaRoute (“we,” “us,” or “our practice”)
Our Commitment to Your Privacy
We understand that your health information is personal and private. We are required by law to maintain the privacy and security of your protected health information (PHI), to provide you with this Notice of our legal duties and privacy practices regarding your health information, and to notify you following a breach of your unsecured health information.
We must follow the duties and privacy practices described in this Notice and give you a copy of it. We will not use or share your information other than as described here unless you tell us we can in writing. If you tell us we can, you may change your mind at any time by contacting us in writing.
1. How We May Use and Disclose Your Health Information
The following categories describe different ways we typically use and disclose health information. Not every use or disclosure in a category is listed — but all of the ways we are permitted to use and disclose information fall within one of the categories.
For Treatment
We may use your health information to provide and coordinate your lactation care. For example, we may share your feeding assessment and care plan with your pediatrician, OB/GYN, or midwife to ensure coordinated care for you and your baby.
For Payment
We may use and disclose your health information to bill and collect payment for services provided. For example, we may send a claim containing your diagnosis code (ICD-10) and procedure code (CPT) to your health insurance plan for reimbursement of a lactation consultation.
For Health Care Operations
We may use and disclose your health information for operations necessary to run our practice and ensure quality care. This includes quality improvement, training, compliance auditing, and business management.
AI-Assisted Documentation
When enabled with your explicit consent, we may use AI technology to transcribe and summarize clinical encounters. Audio is processed in real time and is not stored after transcription. The AI-generated clinical notes are reviewed and approved by your provider before being saved to your record. You may decline AI-assisted documentation at any time without affecting your care.
Telehealth Services
When you receive care via video consultation, your audio and video streams are transmitted using encrypted, HIPAA-compliant infrastructure (AWS Chime SDK). Video and audio are transmitted in real time and are not recorded or stored. Session metadata (start time, duration) is recorded in your clinical record.
2. Other Permitted Uses and Disclosures
We may also use or disclose your health information without your authorization for the following purposes:
- As required by law — We will share information about you if state or federal laws require it, including to the Department of Health and Human Services if it wants to see that we are complying with federal privacy law.
- Public health activities — We can share health information for public health activities such as preventing disease, reporting births and deaths, and reporting child abuse or neglect.
- Health and safety — We can share health information about you in certain situations such as preventing a serious threat to the health or safety of you, your baby, or the public.
- Judicial and administrative proceedings — We may disclose PHI in response to a court or administrative order, or in response to a subpoena or discovery request accompanied by appropriate safeguards.
- Law enforcement — We can share health information for law enforcement purposes as required or permitted by law, including to comply with a court order or warrant.
- Workers' compensation — We can use or share health information for workers' compensation claims.
- Coroners, funeral directors, and organ donation — We can share health information with a coroner, medical examiner, funeral director, or organ procurement organization as permitted by law.
- Research — We can use or share your information for health research, subject to specific protections required by law.
- Military, veterans, and other special uses — We can use health information about members of the armed forces, for national security or intelligence activities, or for protective services for the President as required by law.
- Inmates — If you are an inmate, we may share your health information with the correctional institution or a law enforcement official as required by law.
3. Uses and Disclosures Requiring Your Written Authorization
We will not use or disclose your health information for the following purposes without your explicit written authorization:
- Marketing purposes (we do not market to patients using PHI)
- Sale of your health information (we never sell PHI)
- Sharing psychotherapy notes (if applicable)
- Sharing your records with a third party not involved in your care (e.g., attorney, employer, family member)
- Sharing photographs or images from your clinical visit for educational, research, or publication purposes
You may revoke an authorization in writing at any time. Your revocation will not affect any use or disclosure already made in reliance on the prior authorization.
4. Your Rights Regarding Your Health Information
You have the following rights regarding the health information we maintain about you:
Right to Access
You have the right to see and obtain a copy of your health information, including clinical notes, billing records, and other records used to make decisions about your care. You may request an electronic copy if records are maintained electronically. We may charge a reasonable, cost-based fee. We will respond within 30 days of your request.
Right to Request Correction (Amendment)
You may request that we correct health information that you believe is inaccurate or incomplete. We may deny your request in certain circumstances (e.g., if we did not create the information or if we believe it is accurate). You may submit a statement of disagreement if your request is denied.
Right to an Accounting of Disclosures
You may request a list of the times we have shared your health information for purposes other than treatment, payment, or health care operations, and certain other activities, for the previous six years. We will include all disclosures except those you asked us to make.
Right to Request Restrictions
You may request that we restrict how we use or disclose your health information for treatment, payment, or health care operations. We are not required to agree to your request, but if we do, we will comply with that agreement except in an emergency. We must agree to restrict disclosure to a health plan if you pay out of pocket in full for a service and the disclosure is solely for payment purposes.
Right to Request Confidential Communications
You may request that we communicate with you about health matters in a certain way or at a certain location. For example, you may ask that we contact you only by email or only at your work phone number. We will accommodate all reasonable requests.
Right to a Paper Copy of This Notice
You may request a paper copy of this Notice at any time, even if you have agreed to receive the Notice electronically.
Right to Data Portability
You may request an export of your health information in a commonly used electronic format. We will provide this within 30 days of your request.
Right to Restrict Processing (GDPR / PIPEDA)
If you are located in the European Economic Area or Canada, you have additional rights under the GDPR or PIPEDA, including the right to restrict processing, the right to data erasure, and the right to withdraw consent. See our Privacy Policy for details.
5. Our Duties
- We are required by law to maintain the privacy and security of your PHI.
- We will notify you promptly if a breach occurs that may have compromised the privacy or security of your information.
- We must follow the duties and privacy practices described in this Notice.
- We will not use or share your information other than as described here unless you tell us we can in writing.
6. Minimum Necessary Standard
When using or disclosing PHI or when requesting PHI from another entity, we will make reasonable efforts to limit the information to the minimum necessary to accomplish the intended purpose. This standard does not apply to disclosures for treatment purposes, disclosures to you, disclosures authorized by you, or disclosures required by law.
7. Information Security
We protect your health information using the following measures:
- All data is encrypted in transit (TLS 1.2+) and at rest (AES-256-GCM)
- Role-based access controls limit who can view your records
- Automatic session timeout after 15 minutes of inactivity
- Comprehensive audit logging of all access to health information
- Infrastructure hosted on AWS with HIPAA BAA in place
- Regular security assessments and vulnerability scanning
8. Data Retention
We retain your health information in accordance with applicable law:
- Clinical records: 7 years from last encounter (HIPAA minimum; longer if required by state law)
- Billing records: 7 years (IRS and insurance audit requirements)
- Minor patients: Records retained until the minor reaches age 21, or 7 years from last encounter, whichever is longer
- Messages: 3 years
After the retention period, records are securely destroyed. You may request early deletion subject to legal retention requirements.
9. Breach Notification
In the event of a breach of your unsecured PHI, we will notify you without unreasonable delay and in no case later than 60 calendar days following discovery of the breach, as required by 45 CFR § 164.404. The notification will include:
- A description of what happened, including the date of the breach and the date of discovery
- The types of unsecured PHI involved
- Steps you should take to protect yourself from potential harm
- What we are doing to investigate, mitigate losses, and prevent future breaches
- Contact information for you to ask questions or learn more
If the breach affects 500 or more individuals, we will also notify the U.S. Department of Health and Human Services and prominent media outlets as required by law.
10. Changes to This Notice
We reserve the right to change this Notice and make the revised or changed Notice effective for health information we already have about you as well as any information we receive in the future. The current Notice will always be posted on our website at lactaroute.com/legal/npp and available in our office.
11. Complaints
If you believe your privacy rights have been violated, you may:
- Contact our Privacy Officer: privacy@rootedmaternalwellness.com
- File a complaint with the U.S. Department of Health and Human Services Office for Civil Rights at hhs.gov/hipaa/filing-a-complaint
We will not retaliate against you for filing a complaint.
12. Contact Information
For questions about this Notice or to exercise any of your rights, contact:
Rooted Maternal Wellness LLC d/b/a LactaRoute
Privacy Officer
This Notice of Privacy Practices is provided as a template by Rooted Maternal Wellness LLC d/b/a LactaRoute. Healthcare practices using the LactaRoute platform should customize this Notice with their own practice name, address, and privacy officer contact information. This Notice should be reviewed by a qualified healthcare attorney.