Effective April 2026 — This notice describes how medical information about you may be used and disclosed and how you can get access to this information.
Preamble
Bidwell Health ("we," "us," or "our") is committed to protecting the privacy and security of your protected health information (PHI) as required by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its implementing regulations, including the HIPAA Privacy Rule (45 CFR Part 160 and Subparts A and E of Part 164) and the HIPAA Security Rule (45 CFR Part 160 and Subparts A and C of Part 164). This Notice describes how we may use and disclose your PHI, and your rights regarding that information.
Protected Health Information
Protected Health Information (PHI) is individually identifiable health information that relates to your past, present, or future physical or mental health condition, the provision of healthcare to you, or the past, present, or future payment for healthcare services. PHI that we may collect, create, maintain, or transmit includes:
Identifying Information: Your name, date of birth, email address, phone number, and mailing address
Medical History: Your medical history, current symptoms, and responses to intake questionnaires
Clinical Information: Diagnosis, treatment plans, and clinical notes from your provider visits
Payment & Billing Records: Transaction history, billing details, and payment method information
Provider Communications: Messages, correspondence, and records of communications between you and your provider
How We May Use and Disclose Your PHI
A. Treatment, Payment, and Healthcare Operations
Treatment: We may use and disclose your PHI to provide, coordinate, or manage your healthcare and related services. This includes sharing your intake information, medical history, and clinical data with the licensed provider reviewing and treating your visit, as well as transmitting prescription orders electronically to your selected pharmacy
Payment: We may use and disclose your PHI to obtain payment for healthcare services provided to you. This includes processing your visit fee through our payment processor, submitting claims or invoices, and conducting billing and collection activities
Healthcare Operations: We may use and disclose your PHI for our internal operations, including quality assessment and improvement activities, provider credentialing and competency review, compliance auditing, business planning, and administrative functions necessary to run our practice
B. Disclosures Without Your Authorization
We may use or disclose your PHI without your authorization in the following circumstances:
As Required by Law: When federal, state, or local law mandates the disclosure of your PHI
Public Health Activities: To public health authorities for the purpose of preventing or controlling disease, injury, or disability; reporting births, deaths, and vital statistics; or conducting public health surveillance, investigations, and interventions
Health Oversight Activities: To a health oversight agency for activities authorized by law, such as audits, civil or criminal investigations, inspections, licensure actions, and other proceedings necessary for oversight of the healthcare system
Judicial and Administrative Proceedings: In response to a court order, subpoena, discovery request, or other lawful process, subject to applicable legal requirements and protections
Law Enforcement Purposes: To law enforcement officials for certain law enforcement purposes, including reporting certain types of wounds or injuries, complying with court orders or warrants, or assisting in the identification or location of a suspect, fugitive, or missing person
Serious Threat to Health or Safety: To prevent or lessen a serious and imminent threat to the health or safety of a person or the public, consistent with applicable law and ethical standards
Workers’ Compensation: As authorized by and to the extent necessary to comply with laws relating to workers' compensation or similar programs
Coroners, Medical Examiners, and Funeral Directors: To coroners, medical examiners, or funeral directors as necessary to carry out their duties under applicable law
C. Disclosures Requiring Your Written Authorization
We will not use or disclose your PHI without your written authorization for the following purposes:
Sale of PHI: Any disclosure of your PHI where we receive direct or indirect remuneration in exchange for the information
Psychotherapy Notes: Most uses and disclosures of psychotherapy notes, if applicable
Marketing: Use or disclosure of your PHI for marketing purposes, where we receive financial remuneration for making the communication
Other Uses: Any other use or disclosure of your PHI not described in this Notice
You may revoke an authorization at any time by submitting a written request to privacy@bidwellhealth.com. Revocation will not affect any actions we took in reliance on the authorization before we received your revocation.
Your Rights Regarding Your PHI
You have the following rights with respect to your Protected Health Information:
Right to Access: You may request to inspect and obtain a copy of your PHI maintained by Bidwell Health. We will provide the requested information within 30 days of your written request. We may charge a reasonable, cost-based fee for copying, mailing, or other supplies associated with your request
Right to Amend: You may request that we amend your PHI if you believe it is incorrect or incomplete. We may deny your request under certain circumstances as permitted by HIPAA, and we will provide a written explanation of the denial along with your right to submit a statement of disagreement
Right to an Accounting of Disclosures: You may request a list of certain disclosures of your PHI that we have made. This accounting will not include disclosures made for treatment, payment, or healthcare operations, or disclosures made with your authorization
Right to Request Restrictions: You may request restrictions on how we use or disclose your PHI for treatment, payment, or healthcare operations. We are not required to agree to your request; however, if you have paid for a service or item out of pocket in full, we must agree to your request to restrict disclosure of that PHI to a health plan for purposes of payment or healthcare operations
Right to Confidential Communications: You may request that we communicate with you about health matters using a specific method or at a specific location. For example, you may ask that we contact you only at a particular email address or phone number
Right to a Paper Copy of This Notice: You may request a paper copy of this Notice at any time, even if you previously agreed to receive it electronically
Right to Be Notified of a Breach: Under the Health Information Technology for Economic and Clinical Health (HITECH) Act, you have the right to be notified in the event that a breach of your unsecured PHI is discovered. We will notify you without unreasonable delay and no later than 60 days following the discovery of a breach
Our Legal Duties
We are required to:
Maintain the privacy and security of your Protected Health Information using appropriate administrative, technical, and physical safeguards
Provide you with this Notice of our legal duties and privacy practices with respect to your PHI
Abide by the terms of the Notice currently in effect
Notify you promptly if a breach occurs that may have compromised the privacy or security of your unsecured PHI, as required under the HITECH Act and the Breach Notification Rule (45 CFR Part 164, Subpart D)
Telehealth-Specific Considerations
Because Bidwell Health provides care through a telehealth platform, your PHI is transmitted and stored electronically. The following considerations apply:
Electronic Transmission & Storage: Your health information is transmitted and stored using encryption protocols (TLS in transit, AES-256 at rest) to protect against unauthorized access
Infrastructure Partners: We use Supabase for secure data storage with row-level security policies, and Stripe for PCI DSS Level 1 compliant payment processing. These partners maintain their own security and compliance programs
Electronic Prescribing: Prescription orders are transmitted electronically to your selected pharmacy through secure, HIPAA-compliant channels
Inherent Risks: While we implement comprehensive safeguards to protect your information, no method of electronic transmission or storage is 100% secure. We continually evaluate and improve our security measures to minimize risk
Changes to This Notice
We reserve the right to change the terms of this Notice at any time. Any changes will apply to all PHI we maintain, including information created or received before the changes took effect. If we make material changes to this Notice, we will post the revised version on our website and update the effective date. The current version of this Notice is always available at bidwellhealth.com/hipaa-notice.