Hipaa Privacy

Revision date: 01/26/2026 • 15 pages

1.000: HIPAA Program (the Program) Guidances

1.001: Use, Disclosure, Authorization & Release of PHI

1.002: HIPAA Authorization for Release of Protected Health Information

1.003: Protected Health Information (PHI) & Patient Rights under HIPAA

1.004: Electronic Communication: Computer, Internet & E-mail Utilization

1.005: Record, Electronic Media & Device Retention &/or Disposal Guidelines

1.007: PHI-EPHI & Proprietary Data: Confidentiality, Use, Disclosure & Access

1.008: Video Surveillance

1.009: Security Risk Management: Risk Analysis, Risk Mitigation & Program Evaluation &
Assessment

1.011: Contingency & Disaster Recovery Planning

1.013: System Maintenance & Control Logs

1.015: Security Incident Management

1.017: Remote Use of/Access to E-PHI

1.019: Business Associates & Business Associate Agreements

1.021: Breach Notification Requirements

1.024: Electronic Signature Authentication

1.025: Identity Theft Detection, Prevention & Mitigation Program (Red Flag Rule)

1.027: HIPAA Performance Feedback

1.029: HIPAA Positive Corrective Action & Sanctions

1.030: HIPAA Complaint Process

1.031: Court Ordered Subpoena & Legal Counsel Request for Records

1.033: Regulatory Inspections & Surveys Relating to HIPAA

1.035: Consent for the Use and Disclosure of Images, Videos, Voice and/or Written
Testimonials

1.037 Use or Disclosure of Reproductive Healthcare Privacy Protected Health Information

Effective/Revision Date: January 26, 2026

Policy Classification(s): HIPAA

Accelerate Therapy and Performance will comply with all Federal, State, and professional
standards and regulations relating to the use and disclosure of protected health information,
regardless of the medium in which it exists. We have a Notice of Privacy Practices that details
our procedures in complying with legal and ethical mandates that guide us.

Business Associate (BA): A business associate is a person or entity that performs certain
functions or services for or on behalf of a HIPAA-covered entity (e.g., healthcare provider, health
plan, or healthcare clearinghouse) that involves the use or disclosure of Protected Health
Information (PHI).

Covered Entity (CE): A covered entity is:

1. Health Plan
2. Provider
3. Clearinghouse

Disclosure: Disclosure means the release, transfer, provision of access to, or divulging in any
manner of information outside the entity holding the information.

Electronic Protected Health Information (EPHI): EPHI is PHI maintained (at rest) or transmitted
(in transit) in electronic form. Examples of EPHI at rest include patient information stored on
magnetic tapes, optical discs, hard drives (both internal and external), DVDs, USB thumb drives,
and servers. EPHI transmission occurs when EPHI is being sent between computer systems.
The risks are generally more significant when EPHI is being transmitted outside of an
organization’s internal network, including Internet and extranet technology, leased lines, and
private networks; however, insiders pose significant risks, and study results show that most
breaches (confidentiality breaches) are from authorized users.

Notice of Privacy Practices (NPP)

The NPP is a document provided by healthcare providers, health plans, or other entities
covered under the Health Insurance Portability and Accountability Act (HIPAA). It informs
patients or clients about how their protected health information (PHI) may be used, disclosed,
and safeguarded, as well as their rights regarding their health information.

Protected Health Information (PHI): This means individually identifiable information
about health status, provision of health care, or payment for health care that is created or
collected by a “Covered Entity” (or a Business Associate of a Covered Entity) that can be linked
to a specific individual.

PHI does not include educational records covered by the Family Educational Rights and Privacy
Act, employment records held by a covered entity in its role as an employer, and information
regarding a person who has been deceased for more than fifty (50) years.

Treatment, Payment & Operations (T-P-O): Treatment, Payment, and Healthcare Operations
(TPO) are key categories that describe permissible uses and disclosures of Protected Health
Information (PHI) by covered entities (e.g., healthcare providers, health plans, and healthcare
clearinghouses) without requiring patient authorization.

1. Treatment: The provision, coordination, or management of healthcare and related services
for an individual, including consultations and referrals between providers.

2. Payment: Activities undertaken by a healthcare provider or health plan to obtain payment or
be reimbursed for services or to determine eligibility for coverage.

3. Healthcare Operations: Administrative, financial, legal, and quality improvement activities
necessary to run a covered entity’s business and support treatment and payment functions.

Use: Means, with respect to individually identifiable health information, the sharing,
employment, application, utilization, examination, or analysis of such information within an entity
that maintains such information.

Workforce: Means employees, volunteers, trainees, and other persons whose conduct, in the
performance of work for a covered entity or business associate, is under the direct control of
such covered entity or business associate, whether or not the covered entity or business
associate pays them.

We are required by federal and state laws, as well as ethical standards, to protect the privacy of
our patients’ health information. For example, federal health information privacy regulations
require us to protect patient information in the manner described in our Privacy Notice. Certain
types of health information may specifically identify the patient. Because we must protect this
health information, we refer to it as Protected Health Information—or “PHI.” In our Privacy

Notice, we describe:

1. How we use PHI.

2. When we may disclose protected health information (PHI) to others.

3. The Patient’s Privacy Rights and How to Exercise Them.

4. Our privacy duties.

5. Who to contact for more information and/or complaints.

Accelerate Therapy and Performance Uses, Discloses, and Releases Protected Health
Information in the following manner and under the following conditions:

1. Use and Disclosures for Treatment, Payment & Healthcare Operations

a. Treatment

We use and disclose PHI in the course of a patient’s treatment. For instance, once we
have completed an evaluation or re-evaluation, we send a copy or summary of our report
to the patient’s referring practitioner, if applicable. We also maintain records detailing the
care and services that patients receive at our facility, ensuring accuracy and consistency
in the delivery of that care in an optimal manner. That record also helps us meet certain
other professional and legal requirements. These records may be used and/or disclosed
by members of our workforce to ensure that proper care is rendered. Accelerate Therapy
and Performance will adhere to the ‘minimal necessary’ stipulations as noted in
PHI-E-PHI & Proprietary Data: Confidentiality, Use, Disclosure & Access, HIPAA Policy
1.007.

b. Payment

After treating a patient, we typically bill a third party for the services provided. We will
collect the treatment information, enter the data into our computer system, and then
process the claim either on paper or electronically. The claim will note the patient’s
health problem and the treatments rendered, and it will include other relevant
information, such as the patient’s social security number, insurance policy number, and
other identifying details. The third-party payer may request a copy of the patient’s
treatment records to help determine that the services were medically necessary.

c. Health Care Operations

We also use and disclose PHI in our healthcare operations. For example, our therapists
meet periodically to review clinical records and monitor the quality of care at our facility.
Patient records and PHI could be part of these quality assessments. Sometimes, we
offer student internship programs and utilize the PHI of actual patients to assess their
skills and knowledge. Other healthcare data (PHI) may be involved in business planning,
compliance monitoring, or even the investigation and/or resolution of a complaint.

d. Special Uses and Disclosures

We may also use or disclose PHI to assist us in carrying out specific responsibilities to
our patients, such as:

i.Remind patients of appointments

ii.Release equipment and/or supplies to a patient’s designee

iii. Carry out follow-ups on home programs or discharge planning

iv. Advise patients of new or updated services or home supplies via telecommunication
or a newsletter

v. Update the patient’s workers’ compensation case worker or employer

vi. Carry out research that does not directly identify the patient

vii. Carry out marketing functions, such as providing nominal promotional gifts

viii. Notify the patient of fundraising functions

Prior to implementing any of the above Special Uses and Disclosures, this facility will provide
the patient with the opportunity to decline our implementation of all of the above, with the
exception of V (Update patient’s workers’ compensation case worker or employer).

2. Uses and Disclosures that are Permitted and/or Required

Many laws and regulations govern our interactions with patients, affecting the disclosure of their
PHI; they may either require or permit us to disclose it. The following is a list from the federal
health information privacy regulations describing required or permitted uses and disclosures:

a. Permitted:

i.We may share PHI with a family member or friend if he/she is clearly involved with
the patient’s care and if the patient does or has not objected (verbally);

ii.We may use PHI in an emergency if the patient is unable to express him or herself;

iii. We may use or disclose a patient’s PHI for research if we receive specific
assurances that protect the privacy of the individual;

iv. We may update the patient’s workers’ compensation case worker or employer.
b. Required:

i.We must release PHI when required by law, i.e., ordered by a court;

ii.We must report communicable diseases or adverse reactions to drugs to the
appropriate public health, federal department, or agency;

iii. We must report neglect, abuse, or domestic violence;

iv. We must allow access to and disclosure of PHI to government regulators for
compliance audits and surveys;

v. We must allow access to or provide PHI as a response to a judicial or administrative
proceeding, such as a valid subpoena or protective order;

vi. We must report and/or respond to legal requests of law enforcement officials or
other legal entities relating to criminal activities, such as gunshot wounds;

vii. We must disclose PHI to avert a health hazard or to respond to a public health
threat, such as an imminent crime against another person;

viii. We must release the PHI of a member of the armed forces upon request of the
appropriate military command authorities;

ix. We must release PHI in connection with certain types of organ donor programs;

x. We must comply with state regulations that are more stringent than federal laws;

Note: The Reproductive Healthcare Rule per Purl v HHS declared major
portions of the 2024 RHC Rule to be unlawful, and it vacated those provisions. Under the Administrative Procedure Act (5 U.S.C. § 706(2)), when a court “sets
aside” an unlawful agency action, the regulation ceases to exist, with OCR
treating the RHC Rule and attestation requirements as void.

Unless a state passes legislation that is more stringent than HIPAA’s Use and
Disclosure provisions, providers are not required to comply with the 2024
RHC Rule unless reinstated on appeal or by new rulemaking. Providers
should apply HIPAA Privacy Rule standards for Use and Disclosure as
stipulated above.

3. Authorization for the Release of Protected Health Information

Only under the conditions noted above (Sections 1 & 2) do we have the right to use and
disclose a patient’s protected health information without a patient’s authorization. If a patient
desires to provide access to his/her PHI, for instance, to his/her PHI to designees or participate
in a research project, we will provide an authorization form for his/her completion.

In certain circumstances, this facility may need or desire to use and/or disclose a patient’s PHI.
In such situations, we must obtain the patient’s permission and provide him/her with an
authorization form for completion to ensure his/her consent. An example is that an authorization
would be required by law to allow Accelerate Therapy and Performance to directly or indirectly
receive compensation in exchange for disclosing a patient’s PHI.

Accelerate Therapy and Performance has a HIPAA compliant Authorization for Release of
PHI Form HIPAA-143, which we provide to our patients. A patient may revoke his/her
authorization at any time with a written notice (see Protected Health Information (PHI) & Patient
Rights under HIPAA, HIPAA Policy 1.003) using the Authorization Revocation Request Form
HIPAA-152, or its equivalent.

4. Procedure for Authorization and Release of Information

When a patient, or legal representative of the patient, registers on his/her first visit he/she will be
given the Release of PHI Authorization Form HIPAA-143 form to review and complete if they
agree and desire to do it at that point.

Patients will be provided with the Release of PHI Authorization Form, HIPAA 143, when use
or disclosure requires an authorization.

a. The Business Office staff will be the first-line source for answering questions about the
Authorization Form; however, the HIPAA Officer will be the individual to handle
non-routine questions and/or complaints.

b. Once the patient fills out the authorization form, he/she will give it to the business office
staff member, who will review it for completion. If the form is complete, the Business
Office staff member will make one copy of the form, the original form will be placed in the
patient’s chart, and the copy will be provided to the patient.

c. If an incidental request for access (e.g., a request to speak to or give a message to a
patient) is received by the Business Office, the person accepting the request will check
the patient’s chart for the requestor’s authorized access and then will proceed to validate
the identity of the requestor. The Business Office staff member will then release or
decline to release the information based on the authorization permits and identity
validation. Authorized disclosures of PHI are exempt from disclosure accounting.

d. If a request is mailed or faxed to the Business Office, the staff designee will verify the
patient’s chart for the requestor’s authorized access, validate the person’s identity, and
release or decline to release the information based on their findings. If the release is
permitted and/or required per “HIPAA’s Required Listed noted in 2b (i-ix) and HIPAA
Policy 1.002 and is substantiated as ‘required’ the subject, date, and purpose of the
release will be logged on the Accounting for Disclosures Log Form HIPAA 155, or its
equivalent and the release of the PHI will occur.

e. All validated requests for the release of PHI are subject to reproduction and labor cost
fees, with the exception of those from healthcare providers, workers’ compensation case
workers/employers, etc., schools, and not-for-profit organizations.

f.All requests for release of PHI, in any medium, will be honored within thirty (30) days of
receipt of a valid authorization from the patient and a written request from the requesting
party.

g. If a requestor is denied access to any PHI, including but not limited to the presence of
the patient in the clinic, the requestor will be told that Accelerate Therapy and
Performance is restricted from releasing any information without proper authorization.
He/she will be advised to contact the patient directly to obtain that authorization.

Effective/Revision Date: January 26, 2026

Policy Classification(s): HIPAA

Implementation Specifications: These are specifications that provide direction as to how
Security Standards should be executed.

Required Implementation Specifications: These are specifications that “must” be
implemented, i.e., they are not optional procedures.

Addressable Implementation Specifications: These are specifications that must be
implemented as stated in the rule or in an alternative manner that better meets the
organization’s needs while still adhering to the intent of the implementation specification.
Addressable implementation offers some flexibility to organizations in implementing the
standard; however, the standards are not optional, and all must be addressed. Organizations
must maintain formal documentation about why and how the implementation specification in the
security rule was implemented. The decision can be based on a variety of factors, such as the
entity’s risk analysis, risk mitigation strategy, existing security measures, and the cost of
implementation.

Accelerate Therapy and Performance will comply to the fullest extent with all provisions of the
Healthcare Insurance Portability & Accountability Act (HIPAA) relating to Transaction & Code
Sets Standards, Privacy and Security Rules, and Health Information Technology for Economic
and Clinical Health (HITECH) as per the American Recovery and Reinvestment Act (ARRA).
The security rules ‘required’ implementation specifications will be carried out as stipulated, and
the ‘addressable’ implementation specifications will be continually reviewed and implemented
using ‘sizable’ procedures and processes.

Accelerate Therapy and Performance’s Notice of Privacy Practices (NPP) serves as the
foundation for privacy behavior within the facility, guiding the day-to-day management of
Protected Health Information (PHI) and serving as a communication vehicle with its patients.
The Patient Rights, mandated by HIPAA and reiterated in the NPP, have been thoroughly
reviewed by { Accelerate Therapy and Performance’s workforce. HIPAA education is provided
upon hiring, and updates will be provided as needed and/or when new regulations and/or
guidelines are published.

Patient Rights as reflected in Accelerate Therapy and Performance’s Notice of Privacy Practices
and as required by HIPAA and HITECH are summarized below:

1. The Patient Has the Right to Request Limited Use or Disclosure

The patient has the right to request that we not use or disclose his/her PHI in a particular
way, and we will grant that request whenever possible. However, we are not required to
abide by his/her request if the use or disclosure is permitted or required by law. If we agree
to his/her request, we must comply with the agreement. We have the right to request that
the request be in writing, and we will exercise that right, preferably the Request for
Confidential Communication Form HIPAA 150. Unless otherwise directed by the patient
or his/her representative, Accelerate Therapy and Performance will disclose PHI to:

a. Remind patients of appointments;

b. Release equipment and/or supplies to the patient’s designated representative;

c. Carry out follow-ups on home programs or discharge planning;

d. Advise patients of new or updated services or home supplies via telecommunication or a
newsletter;

e. Update the patient’s workers’ compensation case worker or employer;

f.Carry out research that does not directly identify the patient;

g. Carry out marketing functions such as providing nominal promotional gifts;

h. Notify the patient of fundraising events.

Note: A patient may opt out of notification and/or engagement in all of the above, with the
exception of letter (e) above.

2. Objection and Exception:

a. An objection to release or a request to limit PHI for payment purposes will not be honored
by this facility if a third party makes a payment. We will promptly advise the patient of this
rejection. Accelerate Therapy and Performance reserves the legal right to decline to
provide treatment should the patient persist in restricting the release of PHI for payment
when a third party is utilized for payment.

b. Exception: Requests to restrict disclosure for items and/or services received that are
personally paid for (no third-party payment) will be honored for all situations outside of
treatment, which will not have restrictions other than under the ‘minimal necessary’
provision. This Patient Right does not supersede Medicare’s Mandatory Claim
Submission requirements unless the provider is enrolled in Medicare, the provision was
requested by the patient, and the covered entity did not initiate it. Cash-based payments
to Medicare & Non-Medicare Patients, BOM-207 should be utilized, and the patient’s
signature should be obtained.

3. The Patient Has the Right to Confidential Communication

The patient has the right to receive confidential communications from us at a location or
phone number that he/she specifies. We reserve the right to request that the request be
submitted in writing. We will exercise that right, preferably on the Request for Confidential
Communication Form HIPAA 150. Compliance with this request will include the stipulation
that this alternative mode of communication should not hinder or defer payment or collection
notices.

a. Procedure: A request may be submitted in person, by mail, or by e-mail

i.Mailed requests should be addressed to:

Accelerate Therapy and Performance
c/o Christie Wood
1508 W Innes St.
Salisbury, NC 28144

ii.Faxed requests should be addressed to:

Accelerate Therapy and Performance
c/o Christie Wood
704-630-9658
christie@accelerate-pt.com

b. Procedure: If the patient requests confidential communication, he/she will be asked to
put it in writing, preferably on the Request for Confidential Communication Form
HIPAA 150, with the following information:

i.The type of information being managed confidentially includes specific conditions,
treatments, dates of services, and other relevant details.

ii.The period for which the request applies
iii. The manner in which the patient wishes to receive confidential communications

iv. The manner in which payment will be received if the confidential communication
involves an alternate address

c. Procedure: If the patient requests an alternate phone number, contact Accelerate
Therapy and Performance will note it as the primary/preferred number and record the
other phone number as an emergency number. The data screen and/or intake form
should be flagged/highlighted to emphasize the preferred phone number.

d. Procedure: If the patient requests an alternate address for statement mailing, Accelerate
Therapy and Performance will first confirm and obtain assurance that payment consent
will not be compromised. This facility will enter the alternate address as the
primary/preferred mailing address and record the home address as the emergency
contact site. The data screen and/or intake form should be flagged/highlighted to
emphasize the preferred address.

4. The Patient Has the Right to Inspect and Copy

The patient has the right to inspect and copy his/her PHI. Should we decline, we must
provide him/her with a resource person to assist in reviewing our refusal decision. We must
respond to the patient’s request within thirty (30) days. We may charge reasonable fees for
supervised inspection time, copying, and/or labor time related to copying. We reserve the
right to require an appointment for record inspection. We also reserve the right to request
written confirmation of the patient’s request and will exercise this right, preferably using the
Request for Access to PHI Form HIPAA 193.

Types of Access:

a. Inspect: Patients may inspect/read their clinical and billing records and associated
documents under the supervision of a staff member (an inspection fee may be charged if
the access is more frequent than once annually or if the inspection duration exceeds thirty
(30) minutes.

b. Copy: Patients may obtain a copy of all or a portion of their clinical and billing records and
associated documents in paper or electronic media (if such records are maintained
electronically). A copying/duplication fee, including labor costs, will be charged.

5. Patient Access to PHI

Procedure for Patients

Patients may request access to their PHI by submitting a request in writing to Accelerate
Therapy and Performance’s HIPAA Officer. The patient will be asked to use the Request for
Access to PHI Form HIPAA-193, if possible. The form specifies that access will be granted
within thirty (30) days of its receipt unless otherwise notified. It identifies the fees that will be
charged for the supervised inspection, copying, or summarizing of the record, and it details
the access requirements listed below, requiring that the patient:

a. State the type of access request (inspection, copy of all or specified records, or a
summary of the records);

b. Specify the dates and specific information;

c. Sign and date the request and provide proper identification upon accessing the records.

Procedure: Business Office Staff

a. The Business Office staff member refers all Access Requests to the HIPAA Officer after
verifying the request, confirming that all of the prerequisite information has been
provided by the patient, including, but not limited to, an authentic signature;

b. If the request is incomplete, the Business Office staff designee will forward the request to
the patient, noting any deficiencies. If the request is complete but the records have
deficiencies, the chart will be forwarded to the appropriate person(s) for completion when
necessary and in accordance with the law. If the request and the chart are complete and
the patient has requested a PHI inspection, the Business Office designee will set an
appointment for the patient with the HIPAA Officer or his/her designee, who will be
present during the inspection. The patient will not be allowed to remove any documents
from the file or make any entries;

c. If the patient wishes to amend the record, he/she will be advised of the amendment
procedure;

d. If the patient has questions about billing information, the HIPAA Officer may address
them during the inspection appointment or at a later date if further research is required;

e. If the patient has a question about his/her clinical record, he/she will need to make an
appointment to meet with the appropriate therapist;

f.If the request form and chart are complete and the patient has requested PHI copying,
then the Business Office staff designee will make the specified copies and distribute
them to the patient according to their written specifications (paper or electronic media);

g. If there is a delay in allowing access, the patient will be provided with a written extension
statement specifying an access date, not to exceed an additional thirty (30) days;

h. If the HIPAA Officer has preliminarily denied access, it must be based on either
Unreviewable Grounds (e.g., civil, criminal, or administrative action or proceedings) or
Reviewable Grounds (e.g., safety or life endangerment). The HIPAA Officer will forward
all potential denials to the owner or designee;

i.The HIPAA Officer will review the request and approve or deny the access based on all
of the above conditions;

j.The Authorization for Release of PHI Form HIPAA-143 and all supporting data will be
filed in the patient’s clinical file;

k. Any requests made by patients for records that are not from Accelerate Therapy and
Performance must be returned to the patient; if the location of the requested information
is known, it should be included in the communication to the patient.

6. The Patient Has the Right to Revoke His/Her Authorization

If the patient has authorized us to use or disclose his/her PHI, he/she may revoke it at any
time in writing. The patient must understand that we relied on the authority of his/her
authorization prior to the revocation and used or disclosed his/her PHI within its scope.

a. Procedure: The Business Office designee forwards any patient request to revoke
authorization to the HIPAA Officer. The HIPAA Officer will carry out the revocation if the
request is in writing and provides sufficient information to facilitate the revocation. The
HIPAA Officer will sign off on the revocation and inform the designated Business Office
staff member; the designated Business Office staff member will document the change
and insert the signed revocation in the patient’s chart. The HIPAA Officer will contact the
patient if the requested revocation is incomplete and will initiate the proper procedures to
facilitate the revocation for the patient;

b. The Patient Has the Right to Amend His/Her PHI;

The patient has the right to request an amendment of his/her record. We reserve the
right to request the request in writing. We will exercise that right, Accelerate Therapy and
Performance prefers that its Request To Amend the Designated Record Set (DRS)
Amendment Request Form HIPAA 153 be utilized. We may deny that request if the
record is accurate and/or if the record was not created by Accelerate Therapy and
Performance If we accept the amendment, we must notify the patient and make an effort
to inform others who have the original record.

7. The Patient Has the Right to Know Who Else Sees His/Her PHI (Hardcopy)

The patient has the right to request an accounting of certain disclosures that we or our
business associates have made over the previous six years. We do not have to account for
all disclosures, including those made directly to the patient, those involving treatment,
payment, or healthcare operations, those to family/friends involved in their care, and those
involving national security. The patient has the right to request an accounting annually; we
have the right to ask for the request in writing and to charge for any accounting requests that
occur more than once per year; we must advise the patient of any charge, and the patient
has the right to withdraw his/her request or to pay to proceed. Accelerate Therapy and
Performance prefers that the Disclosure Accounting Request Form HIPAA 154 be
utilized, if possible.

8. The Patient Has a Right to be Informed of a Breach of His/Her Privacy

We are required to notify the patient by first-class mail or by e-mail (if indicated a preference
to receive information by email) of any breaches of unsecured Protected Health Information
as soon as possible, but in any event, no later than sixty (60) days following the discovery of
the breach, unless otherwise required by state law. “Unsecured Protected Health
Information” is information that is not secured through the use of a technology or
methodology identified by the Secretary of the U.S. Department of Health and Human
Services to render the Protected Health Information unusable, unreadable, and
undecipherable to unauthorized users. The notice is required to include the following
information:

a. A description of the breach, including the date of the breach and the date of its
discovery, if known;

b. A description of the type of unsecured protected health information involved in the
breach;

c.Instructions regarding the measures the patient should take to protect him/her from
potential harm resulting from the breach;

d. Correction action Accelerate Therapy and Performance has/will take to investigate the
breach, mitigate losses, and protect the patient from further breaches;

e. Accelerate Therapy and Performance’s contact information, including a toll-free
telephone number, email address, website, or postal address, to facilitate additional
questions. (See Breach Notification Requirements, HIPAA Policy 1.021 for full details).

9. The Patient Has the Right to Complain

The patient has the right to complain if he/she feel his/her privacy rights have been violated.
The patient may complain directly to us or the Secretary of Health and Human
Services/Office of Civil Rights (OCR). We will not retaliate against a patient if he/she file a
complaint about us. All complainants should provide a reasonable amount of detail to enable
us to investigate the concern. Accelerate Therapy and Performance prefers that the HIPAA
Complaint Form, HIPAA 156, be utilized, if possible. To file a complaint with us, the patient
should contact:

Name:  Delaine Fowler
Address:  1508 W Innes St.
                   Salisbury, NC 28144
Phone:  704-630-9656
Fax:       704-630-9658 
Email:   delaine@accelrate-pt.com 

Note: In order for the Office of Civil Rights to investigate a complaint, it must be filed within one
hundred and eight days (180) of the violation.

10. The Patient Has the Right to Receive a Copy of the Privacy Notice (NOTICE)

Accelerate Therapy and Performance is obligated to provide patients with a copy of its
Notice of Privacy Practices and to post the Notice in a conspicuous place for patients to
access, as well as on its website. We reserve the right to modify the Notice to comply with
policy, rules, or regulatory changes. We are obligated to provide new notices to current and
subsequent patients as changes are made. We are required to maintain each version of a
Privacy Notice for a minimum of six (6) years. The Accelerate Therapy and Performance
provides each patient with the Privacy Notice Receipt Acknowledgement Form
HIPAA-144 to sign as an attestation of receipt of the Privacy Notice. The patient is not
required to sign the form; if the patient declines to sign the Privacy Notice Receipt
Acknowledgement Form HIPAA-144, it will be noted and validated by a staff witness.

11. The Patient Has the Right to Expect Protection of Any Substance Use Disorder or
Treatment Records According to 42 CFR Part 2 (Substance Use Disorder Records)

Accelerate Therapy and Performance is required by federal law to protect the privacy of
your substance use disorder (SUD) treatment records. These records are protected
by 42 CFR Part 2, which provides additional confidentiality safeguards beyond those
required by HIPAA. Part 2 protects any information that identifies you as having a
substance use disorder or receiving SUD treatment services from us, including your
diagnosis, treatment, medications for SUD, appointment information, billing records,
and any other information that could identify you as a patient of a SUD program. We
may not use or disclose your SUD treatment records without your written consent,
unless federal law allows it. Part 2 permits disclosure without your consent only in
limited situations, such as:

a. Medical emergencies

b. Scientific research under strict safeguards

c. Audits or program evaluations

d. Court orders that meet specific legal requirements

e. Reporting suspected child abuse or neglect as required by law

f.Crimes committed on program premises or against program staff

You may authorize us to disclose your SUD treatment information to others, including
for treatment, payment, or healthcare operations. Your authorization must meet the
requirements of 42 CFR Part 2. You may revoke your authorization at any time unless
we have already acted on it.

Any recipient of your SUD treatment information is prohibited from redisclosing it
unless you give written permission or the disclosure is otherwise permitted by Part 2.
Federal law does not protect information if you voluntarily disclose it to others who
are not bound by Part 2. You have the right to:

a. Request restrictions on how your SUD information is used or disclosed.

b. Request an accounting of disclosures of your Part 2–protected information.

c. Receive a copy of this notice and any updates.

d. File a complaint if you believe your privacy rights have been violated, and we are
prohibited from retaliation against you for filing a complaint.

Note: The Reproductive Healthcare Rule per Purl v HHS declared major portions of the
2024 RHC Rule to be unlawful, and it vacated those provisions. Under the Administrative
Procedure Act (5 U.S.C. § 706(2)), when a court “sets aside” an unlawful agency action,
the regulation ceases to exist, with OCR treating the RHC Rule and attestation
requirements as void.

Unless a state passes legislation that is more stringent than HIPAA’s Use and Disclosure
provisions, providers are not required to comply with the 2024 RHC Rule unless
reinstated on appeal or by new rulemaking. Providers should apply HIPAA Privacy Rule
standards for Use and Disclosure as stipulated above.