Skip to main content

Legal · HIPAA Notice of Privacy Practices

How we use your medical information.

Under the federal Health Insurance Portability and Accountability Act, every covered entity owes you a written description of how your medical information may be used and disclosed, and how you can access it. Conceptual Healthcare Corporation, its flagship clinic, and its covered subsidiaries are the covered entities behind this notice. Please review it carefully — it controls what we can do with your record and what you can do to control it. Effective: April 2026.

1 · Our duty

What we owe you under law.

We are required by law to (a) maintain the privacy and security of your protected health information ("PHI"), (b) provide you this notice describing our legal duties and privacy practices with respect to PHI, (c) abide by the terms of the notice currently in effect, and (d) notify you if there is a breach affecting your unsecured PHI. Our internal SLA on breach notification is within one hour of confirmation — substantially faster than the 60-day statutory maximum.

2 · Permitted uses and disclosures

Treatment, payment, healthcare operations.

Without further authorization, we may use and disclose your PHI for:

  • Treatment. Sharing your record with the clinicians providing your care, including consulting specialists you authorize.
  • Payment. Submitting claims to your insurer or employer-sponsored plan, including the minimum-necessary clinical detail to substantiate the claim.
  • Healthcare operations. Internal quality review, accreditation, training, credentialing, and clinical-program improvement — never including marketing.

3 · Disclosures requiring authorization

These need your explicit, revocable consent.

We will not disclose your PHI for any of the following without a separate, written, revocable authorization signed from inside the patient app:

  • Marketing communications of any kind.
  • Sale of PHI to third parties — which we have committed never to do, irrespective of authorization (see Privacy Policy §4).
  • Most uses and disclosures of psychotherapy notes.
  • Research participation outside the patient's opt-in HCC pathway.

4 · Disclosures permitted without authorization

The narrow list. All audited. All logged.

Federal law permits disclosure without authorization for: public health activities, victim-of-abuse reporting, health oversight activities, judicial proceedings (with court order or qualified protective order), law enforcement with proper legal process, organ donation, threats to health or safety, specialized government functions, and workers' compensation as required by state law. Every such disclosure is logged in real time and visible to you in the patient-app audit log.

5 · Your rights

Six rights, all self-service in the app.

Access. See your record any time, in the app.
Amendment. Request corrections; we respond within ten business days per §164.526.
Accounting. See every disclosure of your PHI — the patient app shows it in real time per §164.528.
Restriction. Request limits on uses or disclosures; we honor the restriction or write a reasoned denial.
Confidential communication. Choose how we contact you (channel, phone, email, mailing address).
Paper copy. Receive this notice on paper on request, free of charge.

6 · Complaints

Two doors. Both real humans.

If you believe your privacy rights have been violated, you may file a complaint with us at privacy@conceptualhealth.com — the inbox is monitored by the Privacy Officer and you'll have an acknowledgement within two business days. You may also file a complaint with the Secretary of the U.S. Department of Health and Human Services. We will not retaliate against you for filing either complaint.

Privacy Officer

Maria R. Lahti, MD

Email: privacy@conceptualhealth.com
Address: 720 Harbor Blvd, Destin, FL 32541