HIPAA Privacy Policy
HIPAA NOTICE
We at 406 Health Consulting are required by law to maintain the privacy of protected health information and to provide individuals with the attached notice of our legal duties and privacy practices with respect to that information. If you have any objections to the notice, please ask to speak with our HIPAA compliance officer in person or by phone at our main phone number. If you would like a copy of the notice, please ask.
THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
This Notice of Privacy Practices (the “Notice”) describes how 406 Health Consulting (collectively “406 Health Consulting,” “we,” or “our”) may use and disclose your protected health information to carry out treatment, payment, or health care operations and for other purposes that are permitted or required by law. The members of 406 Health Consulting will share protected health information with each other for the treatment, payment, and health care operations of 406 Health Consulting and as permitted by HIPAA and this Notice of Privacy Practices.
“Protected health information” or “PHI” is information about you, including demographic information, that may identify you and that relates to your past, present or future physical health or condition, treatment or payment for health care services. This Notice also describes your rights to access and control your protected health information.
USES AND DISCLOSURES OF PROTECTED HEALTH INFORMATION:
Your protected health information may be used and disclosed by our health care providers, our staff, and others outside of our office who are involved in your care and treatment for the purpose of providing health care services to you, to support our health care operations, to obtain payment for your care, and for any other use authorized or required by law.
TREATMENT:
In compliance with HIPAA, we will use and disclose your protected health information to provide, coordinate, or manage your health care and any related services. This includes the coordination or management of your health care with third party providers. For example, your protected health information may be provided to a health care provider to whom you have been referred to ensure the necessary information is accessible to diagnose or treat you.
PAYMENT:
Your protected health information may be used to bill or obtain payment for your health care services. This may include certain activities that your health insurance plan may undertake before it approves or pays for your services, such as: making a determination of eligibility or coverage for insurance benefits and reviewing services provided to you for medical necessity.
HEALTH CARE OPERATIONS:
We may use or disclose, as needed, your protected health information in order to support the business activities of this office. These activities include, but are not limited to, improving quality of care, providing information about treatment alternatives or other health-related benefits and services, developing or maintaining and supporting computer systems, legal services, and conducting audits and compliance programs, including fraud, waste and abuse investigations.
USES AND DISCLOSURES THAT DO NOT REQUIRE YOUR AUTHORIZATION:
We may use or disclose your protected health information in the following situations without your authorization. These situations include the following uses and disclosures: as required by law; for public health purposes; for health care oversight purposes; for abuse or neglect reporting; pursuant to Food and Drug Administration requirements; in connection with legal proceedings; for law enforcement purposes; to coroners, funeral directors, and organ donation agencies; for certain research purposes; for allegations of certain criminal activities; for certain military activity and national security purposes; for workers’ compensation reporting; relating to certain inmate reporting; and other required uses and disclosures. Under the law, we must make certain disclosures to you upon your request, and when required by the Secretary of the Department of Health and Human Services to investigate or determine our compliance with the requirements of HIPAA. State laws may further restrict these disclosures.
USES AND DISCLOSURES THAT REQUIRE YOUR AUTHORIZATION:
Other permitted and required uses and disclosures will be made only with your consent, authorization, or opportunity to object unless permitted or required by law. Without your authorization, we are expressly prohibited from using or disclosing your protected health information for marketing purposes. We may not sell your protected health information without your authorization. Your protected health information will not be used for fundraising. We will not use or disclose your psychotherapy notes without your authorization, except as permitted by law. If you provide us with an authorization for certain uses and disclosures of your information, you may revoke such authorization, at any time, in writing, except to the extent that we have taken an action in reliance on the use or disclosure indicated in the authorization.
YOUR RIGHTS WITH RESPECT TO YOUR PROTECTED HEALTH INFORMATION:
You have the right to request a restriction on the use or disclosure of your protected health information. Your request must be in writing and state the specific restriction requested and to whom you want the restriction to apply. We are not required to agree to a restriction that you may request, except if the requested restriction is on a disclosure to a health plan for a payment or health care operations purpose regarding a service that has been paid in full out-of-pocket.
You have the right to request to receive confidential communications from us by alternative means or at an alternate location. We will comply with all reasonable requests submitted in writing, which specify how or where you wish to receive these communications.
You have the right to request to access, inspect, and copy your protected health information.
You have the right to request an amendment of your protected health information. If we deny your request for amendment, you have the right to file a statement of disagreement with us. We may prepare a rebuttal to your statement, and we will provide you with a copy of any such rebuttal.
You have the right to receive an accounting of certain disclosures of your protected health information that we have made, whether on paper or electronically, except for certain disclosures made pursuant to an authorization, for purposes of treatment, payment, or health care operations (unless the information is maintained in an electronic health record), or for certain other purposes.
You have the right to obtain a paper copy of this Notice, upon request, even if you have previously requested its receipt electronically by e-mail.
REVISIONS TO THIS NOTICE:
We reserve the right to revise this Notice and to make the revised Notice effective for protected health information we already have about you as well as any information we receive in the future. You are entitled to a copy of the Notice currently in effect. Any significant changes to this Notice will be posted on our website.
BREACH OF HEALTH INFORMATION:
We will notify you if a breach of your unsecured protected health information is discovered. Notification will be made to you no later than 60 days after discovery of the breach and will include a brief description of how the breach occurred, the protected health information involved, and contact information you can use to ask questions.
COMPLAINTS:
Complaints about this Notice or how we handle your protected health information can be directed to our HIPAA Privacy Officer/Office Manager at sarah@almalliwellness.org. You may also submit a formal complaint to the Department of Health and Human Services, Office for Civil Rights. We will not retaliate against you for filing a complaint.
We must follow the duties and privacy practices described in this Notice. If you have any questions about this Notice, please contact us at (406) 647-3000 and ask to speak with our HIPAA Privacy Officer.
-
406 Health Consulting
Policy: Confidentiality of Substance Use Disorder (SUD) Patient Records (42 CFR Part 2)
Effective Date: February 16, 2026 (or upon adoption, whichever is later)
Policy Owner: Sarah Cruse, APRN, FNP-BC (Privacy & Security Official)
Approved By: Sarah Cruse, Owner/Provider
Review Frequency: Annually or upon regulatory changes
Purpose
This policy ensures full compliance with 42 CFR Part 2 (Confidentiality of Substance Use Disorder Patient Records), as aligned with HIPAA through the 2024 Final Rule (effective April 16, 2024; full compliance required by February 16, 2026). Enforcement of Part 2 confidentiality provisions under HIPAA-like civil monetary penalties and oversight by the HHS Office for Civil Rights (OCR) began February 16, 2026.
The policy protects the heightened confidentiality of SUD records to reduce stigma, encourage treatment-seeking, and avoid discrimination or legal risks, while facilitating appropriate care coordination.
Scope & Applicability
This policy applies to all workforce members (including Sarah Cruse, Lynn Harper, RNs, PCCs, CBC, contractors, and business associates) at 406 Health Consulting.
Part 2 records include any information (written, electronic, or oral) that identifies a patient as having received SUD diagnosis, treatment, or referral for treatment from a federally assisted Part 2 program.
406 Health Consulting Applicability Determination:
As a small, independent NP-led practice focused on family medicine, integrative wellness, hormone optimization, weight management, and aesthetics (hybrid insurance/cash-pay model), 406 Health Consulting is not a designated "Part 2 program" under 42 CFR § 2.11 (i.e., it does not hold itself out as providing SUD treatment, nor is SUD diagnosis/treatment the primary function of any staff or unit).
However, if the practice ever:
Receives, creates, maintains, or transmits SUD records (e.g., from referrals, patient history, or integrated care), or
Provides any SUD-related services (even occasionally),
then this policy treats those specific records as Part 2 records and governs their handling. All staff must screen for and flag potential Part 2 records.
Key Requirements & Procedures
Identification & Segregation of Part 2 Records
Staff must identify any incoming or generated SUD-related information (e.g., MAT history, detox referrals, substance use assessments).
Use EHR (Tebra) flags/tags or separate notes to indicate Part 2 status (no mandatory physical segregation required post-2024 rule, but clear labeling is required for compliance).
Document applicability assessment in patient chart.
Patient Notice Requirements
Update Notice of Privacy Practices (NPP) by February 16, 2026 (or upon policy adoption), to include Part 2-specific language per HHS model notices (revised February 2026).
NPP must describe:
How Part 2 records may be used/disclosed (with stricter consent rules).
Limitations on uses/disclosures for civil/criminal proceedings.
Patient rights (access, restrictions, complaints to OCR).
SUD counseling notes protections (if applicable).
Provide NPP to new patients at first visit; post on website; offer upon request.
For Part 2 programs (if applicable in future): Provide separate or integrated Part 2 patient notice per § 2.22.
Consent & Authorization for Uses/Disclosures
General Rule: Written patient consent required for most uses/disclosures of Part 2 records.
Single Consent Option (post-2024 alignment): One written consent suffices for future TPO (treatment, payment, health care operations) disclosures, including to other providers.
Consent form must include: patient name, disclosing entity, recipient(s), purpose, information type/amount, expiration/revocation, re-disclosure notice.
Separate Consent Required for:
Civil/criminal/administrative proceedings against the patient.
SUD counseling notes (if separately maintained).
Revocation: Patients may revoke consent in writing; honor immediately (except for actions already taken in reliance).
Redisclosure: Permitted for TPO under HIPAA rules (with notice to patient).
Permitted Disclosures Without Consent (Limited)
Medical emergencies.
Court orders (with patient notice and opportunity to respond).
Research/audits/program evaluation (specific conditions).
Crimes on premises or against personnel.
De-identified info to public health (using HIPAA standards).
No routine disclosures without consent.
Breach Notification & Incident Response
Treat Part 2 breaches as HIPAA breaches: notify affected individuals without unreasonable delay and no later than 60 days after discovery; notify HHS at the same time for breaches affecting 500 or more individuals, or log smaller breaches and report them to HHS within 60 days after the end of the calendar year; and notify prominent media outlets when a breach affects more than 500 residents of a state or jurisdiction.
Report suspected breaches to Privacy Official immediately.
Follow practice Incident Response Plan.
Enforcement & Penalties
OCR enforces Part 2 (delegated August 2025).
Violations are subject to HIPAA-tiered civil monetary penalties (capped at roughly $2.1 million per calendar year for each type of violation, inflation-adjusted) and potential criminal penalties.
Complaints: Patients may file with OCR starting February 16, 2026.
Training & Oversight
Annual training for all staff on Part 2 (integrated with HIPAA training).
Role-specific: Front desk screens for SUD history; clinical staff flags records; billing avoids improper claims.
Privacy Official (Sarah Cruse) conducts risk assessments including Part 2.
Business Associates
Require BAAs covering Part 2 if vendors handle SUD records (e.g., Tebra, Spruce; confirm that current BAAs are in place and cover Part 2 records).
Monitoring & Updates
Annual review/audit of Part 2 applicability and compliance.
Update policy/NPP upon regulatory changes (monitor HHS/OCR/SAMHSA).
Document all trainings, consents, disclosures, and assessments.
Non-Compliance Consequences: Violations may result in OCR investigations, corrective action plans, civil monetary penalties, reputational harm, or license risks. All staff must report concerns confidentially to the Privacy Official.
For questions, contact Sarah Cruse (Privacy & Security Official). This policy supplements the general HIPAA Privacy Policy. Consult healthcare legal counsel for practice-specific application.
References: 42 CFR Part 2 (eCFR); HHS 2024 Final Rule Fact Sheet (updated Jan 2026); OCR guidance (Feb 2026).