HIPAA


FYZICAL PHOENIX/DR

NOTICE OF PRIVACY PRACTICES

This Notice Describes How Medical Information About You May Be Used and Disclosed and How You Can Get Access to This Information.

Please Review This Document Carefully.

About Protected Health Information (PHI).

In this Notice, "we," "our," or "us" means FYZICAL Phoenix/DR and our workforce of employees, contractors, and volunteers; "you" and "your" refer to each of our patients who are entitled to a copy of this Notice.

We are required by federal and state law to protect the privacy of your health information. For example, federal health information privacy regulations require us to protect information about you in the manner that we describe here in this Notice. Certain types of health information may specifically identify you. Because we must protect this health information, we call this Protected Health Information, or "PHI." In this Notice, we tell you about:

  • How we use your PHI
  • When we may disclose your PHI to others
  • Your privacy rights and how to use them
  • Our privacy duties
  • Who to contact for more information or a complaint

Some of the ways we use (within the organization) or disclose (outside of the organization) your Protected Health Information

We will use your PHI to treat you. We will use your PHI and disclose it to get paid for your care and related services. We use or disclose your PHI for certain activities that we call "healthcare operations." We will also use or disclose your PHI as required or permitted by law. We will give you examples of each of these to help explain them; space does not permit a complete list of all uses or disclosures; you can contact us if you have any questions.

  • Treatment

We use and disclose your PHI in the course of your treatment. For instance, once we have completed your evaluation or re-evaluation, we will send a copy or summary of our report to your referring physician. We also maintain records detailing the care and services you receive at our facility so that we can be accurate and consistent in carrying out that care in an optimal manner; that record also assists us in meeting specific legal requirements. These records may be used and/or disclosed by members of our workforce to ensure that proper and optimal care is rendered.

  • Payment Involving a Third-Party Payer

After we treat you, we will typically bill a third party for the services you receive. We will collect the treatment information, enter the data into our computer, and then process a claim either on paper or electronically. The claim form will detail your health problem and what treatments you received, and it will include other information such as your social security number, your insurance policy number, and other identifying pieces of information. The third-party payer may also ask to see the records of your care to make sure that the services are medically necessary. When we use and disclose your information in this way, it helps us get paid for your care and treatment.

  • Payment Exclusive of a Third Party Payer (fully self-pay)

If you choose to pay for your services in full without involving a third party (insurer, employer, etc.), you may request that we not disclose any information regarding your services for payment purposes.

  • Health Care Operations

We also use and disclose your PHI in our healthcare operations. For example, our therapists meet periodically to study clinical records and monitor the quality of care at our facility. Your records and PHI could be used in these quality assessments. Sometimes, we participate in student internship programs, and we use the PHI of actual patients to test them on their skills and knowledge. Other operational tasks may involve business planning and compliance monitoring or even the investigation and resolution of a complaint.

  • Special Uses 

We also use or disclose your PHI for purposes that involve your relationship with us as a patient. We may use or disclose your PHI to:

    • Update your workers' compensation case worker or employer
    • Remind you of appointments
    • Carry out follow-ups on home programs that you have been taught
    • Advise you of new or updated services or home supplies (you can choose to opt out of receiving any notices of this kind)
    • Release equipment and/or supplies to your designee
    • Carry out follow-ups on your home programs or discharge planning
    • Advise you of new or updated services or home supplies via telecommunication or via a newsletter (you can choose to opt out of receiving information of this nature from us)
    • Carry out research that does not directly identify you
    • Carry out marketing functions such as providing nominal promotional gifts (you can choose to opt out of receiving any marketing information or items from us)
    • Contact you regarding fundraising projects that we are engaged in (you can choose to opt out of any fundraising project notification that we engage in)

Note: If we receive direct or indirect financial remuneration from a third party for marketing a product or item or for any fundraising we are engaged in, we will offer you the opportunity to opt out of receiving any of these materials.

  • Uses & Disclosures Required or Permitted by Law

Many laws and regulations apply to us that affect your PHI; they may either require or permit us to use or disclose your PHI. Here is a list from the federal health information privacy regulations describing required or permitted uses and disclosures:

Permitted:

  • If you do not verbally object, we may share some of your PHI with a family member or friend if they are involved in your care.
  • We may use your PHI in an emergency if you are not able to express yourself.
  • If we receive certain assurance that protects your privacy, we may use or disclose your PHI for research; FYZICAL Phoenix/DR will always obtain an authorization from you even though it is 'permitted' without one.

Required:

  • When required by law, for example, when ordered by a court to turn over certain types of your PHI, we must do so
  • For public health activities such as reporting a communicable disease or reporting an adverse reaction to the Food and Drug Administration
  • To report neglect, abuse, or domestic violence
  • To the government regulators or its agents to determine whether we comply with applicable rules and regulations
  • In judicial or administrative proceedings, such as a response to a valid subpoena
  • When properly requested by law enforcement officials or other legal requirements such as reporting gunshot wounds
  • To avert a health hazard or to respond to a threat to public safety, such as an imminent crime against another person
  • Deemed necessary by appropriate military command authorities if you are in the Armed Forces
  • In connection with certain types of organ donor programs

Stricter Requirements That We Follow

  • Some state regulations are more stringent than federal privacy regulations; we will comply with those laws.

  • Your Authorization May Be Required

In the situations noted above, we have the right to use and disclose your PHI. In some situations, however, we must ask for, and you must agree to, provide a written authorization that has specific instructions and limits on our use or disclosure of your PHI. If you change your mind at a later date, you may revoke your authorization.

  • Your Privacy Rights and How to Exercise Them

You have specific rights under our federally required privacy program. Each of them is summarized below:

    • Your Right to Request Limited Use or Disclosure

You have the right to request that we do not use or disclose your PHI in a particular way. However, we are not required to abide by your request. If we do agree to your request, we must abide by the agreement; we have the right to ask for that request to be in writing, and we will exercise that right.

    • Your Right to Confidential Communication

You have the right to receive confidential communications from us at a location or phone number that you specify. We have the right to ask for that request to be in writing, noting the other address or phone number and confirmation that it should not interfere with your method of payment; we will exercise the right to have your request in writing.

    • Your Right to Inspect and Copy Your PHI

You have the right to inspect and copy your PHI. If we maintain our records on paper, that will be the format utilized; however, if we maintain our records electronically, you have the right to review and/or have copies made in an electronic format. Should we decline, we must provide you with a resource person to assist you in reviewing our refusal decision. We must respond to your request within fifteen (15) days. We may charge reasonable fees for copying and labor time related to copying, and we may require an appointment for record inspection; we have the right to ask for your request in writing and will exercise that right.

    • Your Right to Revoke Your Authorization

If you have granted us an authorization to use or disclose your PHI, you may revoke it at any time in writing. Please understand that we relied on the authority of your authorization prior to the revocation and used or disclosed your PHI within its scope.

    • Your Right to Amend Your PHI

You have a right to request an amendment of your record. We have the right to ask for the request in writing, and we will exercise that right. We may deny that request if the record is accurate and/or if this facility did not create the record. If we accept the amendment, we must notify you and make an effort to notify others who have the original record.

    • Your Right to Know Who Else Sees Your PHI

You have the right to request an accounting of certain disclosures that we have made over the past six years. We do not have to account for all disclosures, including those made directly to you, those involving treatment, payment, health care operations, those to the family/friend involved with your care, and those involving national security. You have the right to request the accounting annually. We have the right to ask for the request in writing and to charge for any accounting requests that occur more than once per year; we must advise you of any charge, and you have the right to withdraw your request or pay to proceed.

    • You Have a Right to be Informed of a Breach of Your Protected Health Information

We are required to notify the patient by first class mail or by e-mail (if the patient has indicated a preference to receive information by e-mail) of any breaches of unsecured Protected Health Information as soon as possible, but in any event, no later than sixty (60) days following the discovery of the breach. "Unsecured Protected Health Information" is information that is not secured through the use of a technology or methodology identified by the Secretary of the U.S. Department of Health and Human Services to render the Protected Health Information unusable, unreadable and undecipherable to unauthorized users. The Notice is required to include the following information:

  • A description of the breach, including the date of the breach and the date of its discovery, if known
  • A description of the type of unsecured protected health information involved in the breach
  • Instructions regarding the measures the patient should take to protect himself/herself from potential harm resulting from the breach
  • Corrective action FYZICAL Phoenix/DR has taken or will take to investigate the breach, mitigate losses, and protect the patient from further breaches
  • FYZICAL Phoenix/DR contact information, including a toll-free telephone number, e-mail address, Web site, or postal address to allow for additional questions

    • You Have a Right to Complain

You have the right to complain if you feel your privacy rights have been violated. You may complain directly to us by contacting our HIPAA officer, noted in Section 10, or to the following:

U.S. Department of Health and Human Services Office for Civil Rights by sending a letter to 200 Independence Avenue, S.W., Washington, D.C. 20201, calling 1-877-696-6775, or visiting www.hhs.gov/ocr/privacy/hipaa/complaints/

We will not retaliate against you if you file a complaint about us. Your complaint should provide a reasonable amount of specific detail to enable us to investigate your concern.

    • The Patient Has the Right to Receive a Copy of the Privacy Notice

FYZICAL Phoenix/DR is obligated to provide the patient with a copy of its Notice of Privacy Practices and to post the Notice in a conspicuous place for patients to access, as well as on our website. We have the right to change the Notice to comply with policy, rules, or regulatory changes; we are obligated to give new notices to current and subsequent patients as changes are made. We are required to maintain each version of a Privacy Notice for a minimum of six (6) years.

  • Some of Our Privacy Obligations and How We Perform Them

    • We are required by law to maintain the privacy and security of your protected health information.
    • We will let you know promptly if a breach occurs that may have compromised the privacy or security of your information.
    • We must follow the duties and privacy practices described in this Notice and give you a copy of it.
    • We will not use or share your information other than as described unless you tell us we can do so in writing. If you tell us we can, you may change your mind at any time. Let us know in writing if you change your mind.

If we change our Notice of Privacy Practices, we will provide our revised Notice to you when you seek treatment from us next.

Contact Information

  

If you have questions about this Notice, or if you have a complaint or concern, please contact:

Name: FYZICAL Phoenix/DR

Attention: Allison Henry, HIPAA Officer

Address: 5410 E. High Street #107, Phoenix, AZ 85054

Phone: 602-404-8012

   

Effective Date: This revised Notice takes effect on 4-02-2025

   

HIPAA Federal Standards

Patient Access Rights: Under the HIPAA Privacy Rule (45 CFR 164.524), covered entities must provide individuals access to their protected health information (PHI) within 30 days of a request, with a possible one-time extension of 30 additional days if the entity notifies the individual of the delay within the initial period.

Breach Notification: The HIPAA Breach Notification Rule (45 CFR 164.404) requires covered entities to notify affected individuals of a breach of unsecured PHI "without unreasonable delay" and no later than 60 calendar days from the discovery of the breach. For breaches affecting 500 or more individuals, notification to the U.S. Department of Health and Human Services (HHS) must also occur within 60 days, while smaller breaches can be reported annually.

States with More Stringent Timeframes

States can enact laws that shorten these timeframes, making them stricter than HIPAA. Based on available data and legal frameworks, here are states with more stringent requirements as of April 2, 2025:

Patient Access Rights (Shorter than 30 Days)

HIPAA's 30-day timeframe for providing access to medical records can be undercut by state laws requiring faster responses. A resource from healthinfolaw.org indicates that 13 states have stricter patient access laws than HIPAA, often with shorter deadlines. Examples include:

California: The California Health and Safety Code (§ 123110) requires healthcare providers to allow patients to inspect their records within 5 working days of a request and provide copies within 15 days—both shorter than HIPAA's 30-day standard.

New York: New York Public Health Law (§ 17) mandates that hospitals provide records within 10 days of a written request, significantly faster than HIPAA.

Texas: The Texas Health and Safety Code (§ 241.154) requires hospitals to provide records within 15 days, half of HIPAA's timeframe.

Colorado: Colorado Revised Statutes (§ 25-1-801) require access within 10 days for current patients, stricter than HIPAA's 30 days.

Maryland: Maryland law (Health-General § 4-304) mandates that providers furnish records within 21 days, tighter than HIPAA's 30-day limit.

Massachusetts: Massachusetts General Laws (Ch. 111, § 70) require hospitals to provide records within 10 days, outpacing HIPAA.

Minnesota: Minnesota Statutes (§ 144.292) stipulate that providers must furnish records within 10 business days, stricter than HIPAA's calendar-day count.

New Hampshire: New Hampshire Revised Statutes (§ 151:21) require access within 10 days, beating HIPAA's timeframe.

Oregon: Oregon Revised Statutes (§ 192.553) mandate access within 10 days, shorter than HIPAA.

Washington: Washington Revised Code (§ 70.02.080) requires access within 15 days, stricter than HIPAA's 30 days.

Additional states identified with shorter timeframes (often 10–20 days) include Connecticut, Louisiana, and Virginia, though specific statutes vary in application (e.g., applying to hospitals vs. all providers). These 13 states collectively demonstrate a trend of enhancing patient access rights beyond HIPAA.

Breach Notification (Shorter than 60 Days)

HIPAA's 60-day breach notification window can be superseded by state data breach laws that apply to PHI and require faster reporting. While HIPAA governs healthcare-specific breaches, state laws often cover broader personal information, including health data, and can impose tighter deadlines.

Examples include:

California: The California Confidentiality of Medical Information Act (CMIA, Civil Code § 56.101) and the California Consumer Privacy Act (CCPA) align with general breach laws requiring notification "in the most expedient time possible and without unreasonable delay," often interpreted as faster than 60 days. Case law and guidance suggest a 30-day practical expectation.

Texas: The Texas Medical Records Privacy Act (Health and Safety Code § 181.151) requires notification within 60 days but encourages faster reporting, and the general Texas breach law (§ 521.053) mandates notification "as quickly as possible," often enforced as 30 days or less.

Florida: Florida’s Information Protection Act (F.S. § 501.171) requires breach notification within 30 days, applying to PHI and overriding HIPAA’s 60-day limit when stricter.

Alaska: Alaska Statutes (§ 45.48.010) mandate notification within 45 days for breaches of personal information, including health data, stricter than HIPAA.

Colorado: Colorado Revised Statutes (§ 6-1-716) require notification within 30 days, applying to PHI and outpacing HIPAA.

Illinois: The Personal Information Protection Act (815 ILCS 530/10) mandates notification "in the most expedient time possible" and no later than 45 days, stricter than HIPAA’s 60 days.

Oregon: Oregon Revised Statutes (§ 646A.604) require notification within 45 days, applying to health information and beating HIPAA’s timeframe.

Washington: Washington Revised Code (§ 19.255.010) mandates notification within 30 days, covering PHI, and is stricter than HIPAA.

Other states like Connecticut (36a-701b, 45 days), Louisiana (51:3074, 45 days), and Maryland (14-3504, 45 days) also impose breach notification deadlines shorter than 60 days, often extending to health data under broader privacy laws.

Analysis and Count

Patient Access Rights: At least 13 states (e.g., CA, NY, TX, CO, MD, MA, MN, NH, OR, WA, CT, LA, VA) have laws requiring access in less than 30 days, with timeframes ranging from 5 to 21 days.

Breach Notification: At least 10 states (e.g., CA, TX, FL, AK, CO, IL, OR, WA, CT, MD) have deadlines shorter than 60 days, typically 30–45 days, with some pushing for "as soon as possible."

Some states overlap in both categories (e.g., California, Texas, Colorado, Oregon, Washington, Connecticut, and Maryland), reflecting a broader commitment to heightened privacy protections. However, the exact application depends on whether state laws specifically target PHI or apply generally to personal data, including health information.
