Notice of Privacy Policy
Effective: April 10, 2025
THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN ACCESS THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
I. Who We Are
In this notice, the terms "we," "our," and "us" refer to Mirror Health Specialists, a Professional Corporation, doing business as Mirror Health & Wellness, including its staff, healthcare providers, employees, and affiliated administrative entities.
Mirror Health & Wellness, LLC serves as a Business Associate, providing administrative, marketing, compliance, legal consultation, and other support services for the Professional Corporation.
Other independent third-party service providers, such as medical billing companies, credentialing services, insurance management providers, and Management Services Organizations, may also access protected health information (PHI) strictly under Business Associate Agreements (BAAs) that require full compliance with HIPAA security and privacy standards.
II. What is Protected Health Information (PHI)?
Your Protected Health Information (PHI) is your individually identifiable health information about your past, present, or future physical or mental health condition. PHI includes your demographic information, past, present, or future healthcare services provided to you, and payment for these services. PHI includes but is not limited to:
Name, address, date of birth, Social Security number
Race/ethnicity, language, gender identity, sexual orientation, and pronoun data
Medical records, test results, clinical evaluations
Health plan and insurance information
Claims records, including enrollment or disenrollment information
Information related to payment and billing processes
Communications about your care between you and your healthcare provider
PHI may be transmitted or communicated via oral, written, or electronic forms.
If your PHI is de-identified according to HIPAA standards, it is no longer considered PHI.
III. Our Responsibilities to Protect Your PHI
By law, Mirror Health Specialists must:
Maintain privacy and confidentiality of your PHI.
Inform you of your rights regarding your PHI.
Inform you of our legal duties regarding your PHI.
Notify you in case of a breach involving your unsecured PHI.
Notify you of our privacy practices.
Comply with the terms described in this current NPP.
We take our responsibility seriously and employ administrative, physical, and technical safeguards including, but not limited to, employee training on security awareness, policies and procedures; data encryption and password protections; secured storage and restricted access to protect your PHI.
We are committed to continuing to take appropriate steps to safeguard the privacy of your PHI.
IV. Your Rights Regarding Your PHI
This section tells you about your rights regarding your PHI and describes how you can exercise them. These rights include:
Access, Review, and Request Amendments to your PHI
Except under certain circumstances, you have the right to view or receive a copy of your PHI that we maintain in our records related to your care, or decisions about your care or payment for your care. Requests for these records must be made in writing, except in certain instances. We may charge you a reasonable fee for requesting copies, summary, or explanation of your PHI based on our incurred costs to produce these documents.
In case we do not have the PHI records you are asking for but we know who does, we will inform you of the right persons or organizations to contact to obtain your PHI. In limited situations, we may deny some or all of your request for your PHI records, but if we do, we will provide you an explanation in writing and your rights, if any, to have our denial reviewed.
If you believe that important information is missing or that there is a mistake in your PHI, you may request that we correct the record accordingly. Requests to amend PHI in our record must be made in writing, must specify what corrections or additions you are requesting, and why these corrections or additions are necessary. We will respond in writing in a timely manner after reviewing your request. If we approve your request, we will make the correction or addition to your PHI. If we deny your request, we will provide you with an explanation as to the denial and explain your rights to file a written statement of disagreement. You must clearly indicate in writing if you wish for us to include your statement of disagreement in future disclosures of that part of your record. We may instead include a summary of your statement.
All written requests must be submitted to our Chief Legal and Compliance Officer using the information provided in Section X below.
Choose How your PHI is Sent
You may request that we send your PHI to a different address (such as your workplace or alternative mailing address), or through alternative communication methods (e.g., fax, email, patient portal).
If your PHI is stored electronically, you may request electronic copies of these records in a format we provide. Additionally, upon your specific written request, we can directly transmit your PHI electronically to a third party you designate. We may apply a reasonable fee for providing these electronic copies based on our actual incurred costs.
Receive Confidential Communications
You have the right to request that communications regarding your healthcare be made confidentially to an alternative address, email address, or telephone number other than the one we have on file.
Specifically, California law allows you to designate an alternative confidential address or communication method for sensitive services such as mental or behavioral health treatment, substance abuse treatment, reproductive health care, sexually transmitted infections, gender-affirming care, or care related to intimate partner violence.
Unless you provide us an alternative address, communications regarding sensitive services will be directed to your primary contact information on file.
Communications covered by this right include but are not limited to:
Billing statements and payment collection notices.
Notices regarding coverage determinations.
Explanation of Benefits (EOB) statements.
Requests from your health plan for additional claim information.
Notices of contested claims.
Provider names, addresses, dates, and details of healthcare visits.
Any communication from a health insurer containing your protected health information.
To submit a confidential communication request, clearly indicate your preferred confidential contact details in writing and send your request directly to our Chief Legal and Compliance Officer.
Accounting of PHI Disclosures
You have the right to request a list of instances when we disclosed your PHI to third parties outside of routine treatment, payment, or healthcare operations.
Upon your request, we will provide one accounting of such disclosures free of charge every 12 months. Any additional requests within the same 12-month period may incur a reasonable cost-based fee.
An accounting will not include disclosures made:
For your treatment, billing, or healthcare operations.
Directly to you.
To individuals involved in your care, authorized family members, or emergency contacts.
Under signed patient authorization.
For disaster relief purposes.
From facility directories or disclosures exempt under applicable law.
Restrictions on PHI Use or Disclosure
You may ask us to restrict how we use or disclose your PHI for treatment, payment, or healthcare operations. While we will carefully consider your request, we are not required by law to agree to all requested restrictions.
We are required to comply with your request only if you specifically request that we not disclose your PHI to your health plan regarding healthcare services you have paid for in full out-of-pocket. Please clearly request such restrictions in advance of receiving services.
We will notify you in writing if we are unable to accommodate your request.
Your Right to a Paper Copy of This Privacy Notice
You have the right to obtain a paper copy of our Notice of Privacy Practices upon request at any time, even if you've previously agreed to electronic delivery.
To request a paper copy, please contact us at the contact information provided below.
To exercise these rights, contact us using the information provided in Section X below.
V. Possible Use and Disclosure of Your PHI Without Your Written Authorization
We may use or disclose your Protected Health Information (PHI) for certain purposes without your written permission, as allowed or required by federal and California law. These uses are described below:
Treatment: We may use and share your PHI with healthcare providers involved in your care. This includes doctors, nurses, pharmacists, lab technicians, and other professionals who help coordinate and deliver your treatment—both within our practice and with outside providers when necessary.
Payment: We may use your PHI to bill and collect payment for the healthcare services you receive. This may include sharing information with your health insurance company, Medicare, or another payer.
Healthcare Operations: We may use your PHI to operate and improve our medical practice. This includes quality assurance, administrative tasks, staff training, legal compliance, audits, and other necessary activities.
Appointment Reminders: We may use your contact information to send appointment reminders or information about your treatment, follow-up care, or other health-related services that may benefit your health.
Identity Verification: For your protection and accurate medical recordkeeping, we may request photo identification or take a photograph, which will be stored in your medical record for identity verification purposes.
Business Associates: We may share your PHI with external vendors or service providers (called Business Associates) who perform services on our behalf—such as billing companies, credentialing providers, and administrative consultants. These Business Associates are contractually required to safeguard your PHI in compliance with HIPAA and California privacy laws.
Mandatory Reporting: Public health reporting, reporting of abuse or neglect, law enforcement requests, judicial orders, or other legally mandated disclosures.
Health Oversight Activities: We may disclose your PHI to federal or state agencies responsible for monitoring the healthcare system, such as licensing boards, government audits, or compliance inspections.
Legal and Law Enforcement Purposes: We may disclose your PHI:
When required by a court order, subpoena, or administrative proceeding
To comply with laws regarding criminal conduct or threats to public safety
To law enforcement officials when necessary (e.g., locating a suspect, reporting a crime on our premises)
Organ and Tissue Donation: We may disclose your PHI to organizations that handle organ procurement or transplantation, as required to support organ or tissue donation efforts.
Research: In limited circumstances, we may use or disclose your PHI for research purposes without your written consent—only if an Institutional Review Board or Privacy Board approves the project and ensures that your privacy is protected.
Workers’ Compensation: We may release your PHI as authorized by workers' compensation laws or similar programs that provide benefits for work-related injuries or illnesses.
To Avert a Serious Threat to Health or Safety: We may use or disclose your PHI when necessary to prevent or reduce a serious and imminent threat to your health or safety or that of the public or another person. Disclosures will be made only to individuals or organizations reasonably able to prevent or lessen the threat.
For Specialized Government Functions: We may disclose PHI to authorized federal officials for national security, military, or protective services purposes as required by law.
For Coroners, Medical Examiners, and Funeral Directors: We may release PHI to identify a deceased person, determine cause of death, or allow funeral directors to perform their duties.
For Disaster Relief: We may share your general location, condition, or identity with emergency response organizations (e.g., Red Cross) during a disaster, unless you object.
For Use in Facility Directories (If Applicable): If you are ever treated in a facility we operate, we may include limited information (e.g., name, location, general condition) in a patient directory unless you object. This is generally for visitors, clergy, or emergency personnel.
Limited Use of De-Identified Information: We may use or share de-identified data (data that does not include your name or identifiable details) for approved operational or analytical purposes.
Other Uses Permitted or Required by Law: In some situations, we are required by federal or California law to share your PHI, such as:
With the Department of Health and Human Services during HIPAA compliance reviews
In response to health insurance or Medi-Cal audits
When required to report certain injuries or conditions (e.g., gunshot wounds)
Internal Program Evaluation Using De-Identified Data: We may use de-identified health information—information that has been stripped of direct personal identifiers in accordance with HIPAA guidelines—for purposes of evaluating the effectiveness of our programs, including grant-funded projects aimed at improving care coordination, health outcomes, and patient engagement.
Specifically, we may analyze de-identified data as part of our participation in external programs or initiatives, to track progress, identify trends, and report non-identifiable outcomes to grant administrators or partners. These activities do not require your written authorization or Institutional Review Board (IRB) approval because the information used cannot reasonably identify you.
These uses are strictly for internal quality improvement, reporting, or program monitoring purposes, and not for external research or commercial sale.
VI. Situations Requiring Your Explicit Authorization
There are certain uses and disclosures of your Protected Health Information (PHI) that we will not make unless you provide us with your prior written authorization. If a situation falls outside the uses and disclosures described in this Notice, your explicit permission is required. Below are common examples of when we may request your authorization:
Marketing purposes: We will obtain your written authorization before using or disclosing your PHI for marketing purposes. Marketing generally includes communication that encourages you to purchase or use a product or service unrelated to your treatment or care.
Marketing does not include:
Communication with you about treatment alternatives or health-related services offered by Mirror Health & Wellness or Mirror Health Specialists.
Face-to-face conversations between you and your provider.
Communications regarding services available only to existing patients (such as wellness program updates or reminders).
Sale of PHI (We do not sell PHI): We will not sell your PHI to third parties unless you provide us with written authorization. A “sale” means the exchange of PHI for direct or indirect payment. If we ever intend to sell your PHI, you will be informed of the purpose and must consent in writing before we proceed.
Use of Psychotherapy Notes (If Applicable): If we maintain any psychotherapy notes (as defined under HIPAA)—which are notes recorded by a mental health provider during private or group therapy sessions and kept separate from your standard medical record—we will not use or disclose those notes without your written authorization, except in limited circumstances permitted by law.
Note: At this time, Mirror Health Specialists does not maintain psychotherapy notes, but if that ever changes, your rights will be fully protected.
Any other disclosure not described in this notice: If we wish to use or disclose your PHI for any other reason not described in this Notice, we will first obtain your written authorization.
You may revoke your authorization in writing at any time.
VII. Special Privacy Protections Under California Law (CMIA)
In addition to federal protections under HIPAA, your health information is also protected under the California Confidentiality of Medical Information Act (CMIA). California law provides extra safeguards for certain types of sensitive medical information, including but not limited to:
HIV/AIDS status and testing results
Mental or behavioral health services
Substance use disorder treatment and recovery records
Sexual and reproductive health care
Developmental disability services
Genetic testing results
Domestic or intimate partner violence-related care
For these categories of sensitive information, specific written authorization is typically required before we can disclose them to anyone, including family members, caregivers, insurers, or other providers—even for treatment or payment purposes—unless such disclosure is otherwise permitted or required by law.
Mirror Health Specialists complies with all applicable federal and California privacy regulations when handling this type of sensitive information. You may revoke your written authorization for such disclosures at any time by submitting a written request.
VIII. California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA)
The California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) provide California residents with additional rights concerning the use of their personal information (PI).
However, health information that is already protected by HIPAA and the California CMIA is exempt from most CCPA/CPRA provisions. This includes the health and medical data you provide or that we generate in the course of providing medical care.
PHI and medical information collected for healthcare purposes are regulated by HIPAA and CMIA. These laws take precedence over consumer privacy laws when applicable.
That said, non-health personal information we collect (such as information collected through our website, for marketing, communication, or account management) may still fall under CCPA/CPRA protections. For this information, you have the following rights:
The Right to Know what categories of personal information we collect, use, or disclose
The Right to Access and receive a copy of your personal information
The Right to Correct inaccurate personal information
The Right to Request Deletion of personal information we maintain about you (with some exceptions)
The Right to Limit the Use and Disclosure of Sensitive Personal Information, if applicable
The Right to Non-Discrimination for exercising your privacy rights
We do not sell your personal information to third parties.
To exercise your CCPA/CPRA rights related to personal information not governed by HIPAA or CMIA, you may contact us at:
Email: support@mymirrorhealth.com
Mail: Mirror Health Specialists, Attn: Privacy Officer
5750 Downey Ave., Ste. 303, Lakewood, CA 90712
We are committed to protecting your privacy in accordance with both federal and California state law.
IX. Changes to This Notice
We reserve the right to revise our privacy practices and this notice at any time, with updates posted clearly on our website. Except for changes required by law, no material changes to our privacy practices will be implemented before we revise this notice.
X. Questions, Requests, and Complaints
For any written requests related to your PHI, including:
Accessing or requesting copies of your PHI
Amending or correcting your PHI records
Requesting confidential or alternative communications
Requesting an accounting of disclosures
Requesting restrictions on how we use or disclose your PHI
Obtaining a paper copy of this Notice
General inquiries, concerns, or complaints about our privacy practices
Please contact our Chief Legal and Compliance Officer directly:
Mailing Address:
Mirror Health Specialists
Attn: Chief Legal and Compliance Officer
5750 Downey Ave., Ste. 303
Lakewood, CA 90712
Email: joyce.mymirrorhealth@gmail.com
Phone: (657) 708-0074
We encourage you to submit requests clearly in writing, specifying your name, contact information, and details of your request. We will respond promptly and in accordance with applicable federal and California law.
If you prefer, you may also submit a complaint directly to the U.S. Department of Health and Human Services at:
Office for Civil Rights
U.S. Department of Health and Human Services
200 Independence Avenue SW
Washington, DC 20201
Phone: 1-877-696-6775
Website: www.hhs.gov/ocr/privacy/hipaa/complaints
We will never retaliate against you for exercising your rights or filing a complaint.
XI. Effective Date
This Notice of Privacy Practices is effective as of April 10, 2025.
It applies to all health information that we maintain about you, including information we create or receive in the future, unless replaced or amended by an updated version.
We reserve the right to change our privacy practices and the terms of this notice at any time, consistent with applicable federal and state laws. If we do make material changes, we will update this notice and make the revised version available to you in our office, online, and upon request.
XII. Patient Acknowledgment
You are encouraged to review this Notice carefully and keep a copy for your records. As part of our intake process, you will be asked to acknowledge receipt of or access to this Notice of Privacy Practices by signing our general patient consent form.
If you have any questions about this Notice or your privacy rights, please contact us using the information provided in Section X of this Notice.