Privacy policy & Notice of Privacy Practices (HIPAA)
Effective Date: [DATE] | Last Updated: [DATE]
Applicable to patients in Virginia, Maryland, and the District of Columbia
Introduction
Nairi Health, LLC ("Nairi Health," "we," "us," or "our") is a telehealth-based women's hormonal health practice serving patients in Virginia, Maryland, and the District of Columbia. We are committed to protecting the privacy of your health information and your personal data, and to complying with all applicable federal and state privacy laws.
This document serves two purposes:
Notice of Privacy Practices (NPP): A federally required document under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) explaining how we use and disclose your Protected Health Information (PHI).
Website & Services Privacy Policy: An explanation of how we collect and use personal information through our website and telehealth services platform.
Part I: HIPAA Notice of Privacy Practices
Who We Are
Nāiri Health, LLC is a HIPAA-covered entity operating as a healthcare provider. Our clinical services are provided by licensed medical professionals. This Notice applies to all clinical staff, contractors, and business associates acting on our behalf in the delivery of healthcare services.
Your Protected Health Information (PHI)
Protected Health Information (PHI) is individually identifiable information about your past, present, or future physical or mental health condition, the healthcare services you receive, or payment for those services. This includes information such as your name, address, diagnosis, treatment notes, lab results, and billing records.
How We May Use and Disclose Your PHI
We use and disclose your PHI for the following purposes. Except where noted, we do not require your separate authorization for these uses.
Treatment
We use your PHI to provide, coordinate, and manage your healthcare. For example, your provider may use your health history and hormonal lab results to develop a treatment plan. We may also share your PHI with other healthcare providers involved in your care, such as specialists, laboratories, or pharmacies, when clinically necessary.
Payment
We may use and disclose your PHI to obtain payment for services we provide. For example, we may submit billing information to your insurance carrier or to a patient financing service, or contact you regarding outstanding balances.
Healthcare Operations
We may use and disclose your PHI for internal operations necessary to run our practice, including quality improvement activities, staff training, compliance audits, and administrative functions. For example, we may use de-identified aggregate data from patient records to evaluate the effectiveness of our care protocols.
Required by Law
We will use and disclose your PHI when required to do so by federal, state, or local law. This includes mandatory reporting obligations such as public health reporting, reporting of abuse or neglect, and responses to court orders or subpoenas.
Public Health and Safety Activities
We may disclose PHI to public health authorities authorized to collect information for the purpose of preventing or controlling disease, injury, or disability. We may also disclose PHI to avert a serious threat to health or safety.
Health Oversight Activities
We may disclose PHI to government agencies authorized to conduct audits, investigations, and inspections of healthcare providers, such as the Virginia Department of Health, the Maryland Board of Physicians, or the DC Department of Health.
Business Associates
We share your PHI with certain vendors and service providers who perform functions on our behalf, such as our electronic health record (EHR) platform, our telehealth platform, billing services, and IT security providers. These parties are required to sign Business Associate Agreements (BAAs) committing them to protect your PHI under HIPAA standards.
Uses Requiring Your Written Authorization
The following uses and disclosures require your written authorization, which you may revoke at any time:
Most uses of psychotherapy notes (if applicable)
Use of PHI for marketing purposes
Sale of your PHI
Any other use not described in this Notice
Your Rights Regarding Your PHI
You have the following rights with respect to your PHI. To exercise any of these rights, please contact us at the information provided at the end of this document.
Right to Access and Inspect Your PHI
You have the right to inspect and obtain a copy of your PHI that we maintain in a designated record set, including your medical record and billing records. We will respond to requests within 30 days (or such shorter period as required by applicable state law). We may charge a reasonable, cost-based fee for copies.
Right to Request Amendment
You have the right to request that we amend your PHI if you believe it is inaccurate or incomplete. We may deny your request under certain circumstances, and if we do, we will provide you with a written explanation.
Right to an Accounting of Disclosures
You have the right to request a list of certain disclosures we have made of your PHI during the six years prior to your request. This right does not apply to disclosures made for treatment, payment, or healthcare operations purposes.
Right to Request Restrictions
You have the right to request that we restrict our use or disclosure of your PHI for treatment, payment, or operations purposes. We are not required to agree to your request, except in one circumstance: if you pay out-of-pocket in full for a service, you may request that we not disclose PHI about that service to your health insurer, and we must honor that request.
Right to Confidential Communications
You have the right to request that we communicate with you about your PHI in a specific way or at a specific location. For example, you may request that we contact you only by email and not by phone. We will accommodate reasonable requests.
Right to a Paper Copy of This Notice
You have the right to receive a paper copy of this Notice upon request, even if you have previously agreed to receive notices electronically.
Right to Be Notified of a Breach
In the event of a breach of your unsecured PHI, we will notify you in accordance with HIPAA's Breach Notification Rule and applicable state breach notification laws.
Our Duties
Nāiri Health is required by law to:
Maintain the privacy and security of your PHI;
Provide you with this Notice of Privacy Practices;
Notify you following a breach of your unsecured PHI;
Abide by the terms of this Notice currently in effect.
We reserve the right to change this Notice at any time. Any changes will apply to PHI we already have about you as well as PHI we receive in the future. We will post the updated Notice on our website and make it available upon request.
How to File a HIPAA Complaint
If you believe your privacy rights have been violated, you may file a complaint with us or with the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR):
By mail: Hubert H. Humphrey Building, 200 Independence Avenue S.W., Room 509F, HHH Building, Washington, D.C. 20201
Online: https://www.hhs.gov/hipaa/filing-a-complaint
By phone: 1-800-368-1019 (TDD: 1-800-537-7697)
You will not be retaliated against for filing a complaint.
Part II: State-Specific Privacy Provisions
Virginia Patients — Virginia Consumer Data Protection Act (VCDPA)
If you are a Virginia resident, you have the following additional rights under the Virginia Consumer Data Protection Act (Va. Code § 59.1-571 et seq.):
Right to Know: You have the right to confirm whether we are processing your personal data and to access that data.
Right to Correct: You have the right to correct inaccuracies in your personal data.
Right to Delete: You have the right to request deletion of personal data you have provided to us.
Right to Portability: You have the right to obtain a copy of your personal data in a portable format.
Right to Opt Out: You have the right to opt out of the processing of your personal data for purposes of targeted advertising or the sale of personal data.
Right to Appeal: If we decline to act on your request, you have the right to appeal that decision. You may do so by contacting us at privacy@nairihealth.com.
Virginia also maintains specific health records laws under Va. Code § 32.1-127.1:03 governing patient access to medical records. In cases of conflict, the more protective provision applies.
Maryland Patients
If you are a Maryland resident, the following Maryland laws provide additional protections:
Maryland Personal Information Protection Act (MPIPA)
Maryland law requires us to implement reasonable security measures to protect your personal information and to notify you promptly in the event of a data breach affecting your personal information.
Maryland Confidentiality of Medical Records Act
Maryland law (Md. Code, Health-Gen. § 4-301 et seq.) governs the confidentiality of medical records and provides specific protections for sensitive health information, including mental health and substance use records. Medical records may not be disclosed without your written authorization except as permitted by law.
District of Columbia Patients
If you are a DC resident, the following DC laws provide additional protections:
DC Consumer Protection Procedures Act
The DC Consumer Protection Procedures Act (D.C. Code § 28-3901 et seq.) provides broad consumer protections, including protections against unfair or deceptive practices related to personal data handling.
DC Health Records Privacy Act
DC law provides specific protections for health records and limits the disclosure of identifiable health information without patient authorization.
Part III: Website & Telehealth Services Privacy Policy
Information We Collect
Information You Provide Directly
We collect personal information that you voluntarily provide when you:
Complete our intake forms or health questionnaires
Create an account on our patient portal
Schedule a telehealth appointment
Contact us by email, phone, or through our website
Subscribe to our newsletter or educational content
This information may include your name, date of birth, contact information, health history, insurance information (if applicable), and payment information.
Information Collected Automatically
When you visit our website, we may automatically collect certain technical information, including your IP address, browser type, device type, referring URL, pages visited, and time spent on the site. This information is collected through cookies and similar technologies.
Information from Our Telehealth Platform
We use Healthie as our electronic health record and telehealth platform. When you use Healthie's patient portal or participate in a telehealth visit, Healthie processes your information as a HIPAA Business Associate. Please review Healthie's privacy policy for additional information about their data practices.
How We Use Your Information
We use the information we collect for the following purposes:
To provide, coordinate, and manage your clinical care
To communicate with you about your appointments, test results, and treatment plan
To process payments and manage your account
To send educational and wellness content you have requested or consented to receive
To improve our website and services through aggregate, de-identified analytics
To comply with our legal and regulatory obligations
Telehealth-Specific Privacy Considerations
Nāiri Health delivers clinical services exclusively via telehealth. You should be aware of the following privacy considerations specific to telehealth:
Secure Platform: All telehealth visits are conducted through a HIPAA-compliant platform. We do not use non-HIPAA-compliant video tools (such as standard consumer video apps) for clinical visits.
Location Privacy: You are responsible for ensuring you are in a private location during your telehealth visit. We recommend using headphones and a secure internet connection.
Electronic Communications: When you communicate with us via the patient portal, email, or secure messaging, please be aware that standard (non-encrypted) email may not be fully secure. We recommend using our patient portal for sensitive health communications.
Cookies and Tracking Technologies
We use cookies and similar technologies on our website to improve functionality and analyze site usage. You can manage your cookie preferences through your browser settings. Please note that disabling certain cookies may affect the functionality of our website.
We do not use advertising tracking pixels or behavioral retargeting tools on pages where patients access clinical services or enter health information.
Data Retention
We retain medical records for the minimum period required by applicable law. In Virginia, medical records for adult patients must be retained for a minimum of five years from the date of service or the date the patient was last seen. For minor patients, records must be retained until the patient reaches the age of majority plus the applicable retention period.
Data Security
We implement administrative, technical, and physical safeguards to protect your PHI and personal information in accordance with HIPAA's Security Rule and applicable state security standards. These measures include:
Encryption of data in transit and at rest
Access controls limiting PHI access to authorized personnel
Regular security training for clinical and administrative staff
Business Associate Agreements with all vendors who handle PHI