Haven OBGYN — Notice of Privacy Practices (HIPAA)

Effective Date: November 1, 2025
Practice Address: 1600 Creekside Drive, Folsom, CA
Privacy Office: contact@haven-obgyn.com • (916) 269-8865
THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.

This Notice of Privacy Practices ("Notice") describes how Haven OBGYN ("Haven," "we," "our") may use and disclose your Protected Health Information ("PHI") and explains your rights and our legal duties under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and applicable state privacy laws.

This Notice applies to health information in your medical record, including information maintained in our electronic health record (Epic). It is separate from our Website Privacy Policy, which describes data collected through our public website and forms.

1) Our responsibilities

  • Maintain the privacy and security of your PHI.
  • Provide you with this Notice describing our privacy practices.
  • Follow the terms of the Notice currently in effect.
  • Notify you following a breach of unsecured PHI.
  • Comply with stricter state laws that may offer greater protection (e.g., reproductive and sexual health, mental health, substance use disorder records, HIV status, genetic data, and certain information for minors).

We may change this Notice at any time. If we do, the updated Notice will apply to existing and future PHI, and we will post the new Notice on our website and make copies available upon request.

2) How we may use and disclose your PHI without your written authorization

A. Treatment

To provide, coordinate, or manage your care and related services.

Examples: Sharing information with physicians, nurses, midwives, pharmacists, labs, imaging centers, hospitals, or other providers involved in your care; sending referrals and consult notes; e-prescribing; care coordination and follow-up; telehealth visits.

B. Payment

To bill and obtain payment for services.

Examples: Submitting claims to your health plan; verifying benefits and prior authorizations; billing, collections, reimbursement activities; providing information to a plan about a visit so it will pay us.

Right to restrict disclosure to health plans: If you (or someone on your behalf) pay out-of-pocket in full for a service, you may request that we not disclose PHI about that service to your health plan, unless disclosure is required by law. See Section 5 for how to request this restriction.

C. Health Care Operations

For activities that support running our practice, improving care, and ensuring quality.

Examples: Quality assessment and improvement; patient safety and outcomes measurement; clinician training; accreditation; licensing; legal and auditing functions; business planning and management.

D. Appointment reminders & treatment alternatives

We may use your contact information to send appointment reminders and to inform you about treatment alternatives or health-related benefits and services that may be of interest to you. These communications are not marketing under HIPAA.

E. Individuals involved in your care & disaster relief

With your permission—or when you are given the opportunity to agree or object—we may share limited PHI with a family member, friend, or personal representative involved in your care or payment. If you are not available or unable to agree (e.g., incapacitated), we may share information in your best interests using our professional judgment. We may also disclose PHI to disaster relief organizations to help notify family about your location, condition, or death, consistent with applicable law.

F. Business Associates

We may disclose PHI to Business Associates—vendors that perform services for us and must safeguard your PHI under a written Business Associate Agreement (BAA).

Examples: Our electronic health record vendor (Epic); secure cloud and communication services (e.g., Microsoft 365); messaging platforms; IT and cybersecurity providers; our website development and digital operations partner Healthsight (acting solely on our instructions under a BAA); billing services; document storage and shredding.

G. Public Health and Safety

  • Reporting certain diseases, births/deaths, and adverse events to public health authorities.
  • Reporting suspected abuse, neglect, or domestic violence as required or permitted by law.
  • Preventing or reducing a serious and imminent threat to health or safety.
  • Product recalls and reporting problems with medications or devices.

3) Uses and disclosures that require your written authorization

We will obtain your written authorization before using or disclosing PHI for purposes not described in this Notice or as otherwise required by law. In particular, we will not use or disclose your PHI for:

  • Marketing communications (except permitted face-to-face communications or nominal-value promotional gifts).
  • Sale of PHI (we do not sell PHI).
  • Most uses of psychotherapy notes (if any).
  • Other non-routine purposes not described in Section 2.

You may revoke an authorization at any time in writing, except to the extent we have already relied on it.

4) Additional protections for sensitive information

Certain types of information may have extra protections under state or federal law (e.g., reproductive and sexual health services, mental health, substance use disorder treatment records, HIV/AIDS, genetic testing/results, and some minor consent services). We will follow stricter laws where they apply and will obtain your specific written permission when required.

5) Your rights regarding your PHI

To exercise any right, contact our Privacy Office at contact@haven-obgyn.com or (916) 269-8865. We will verify your identity and respond within the timeframes required by law.

A. Right to Inspect and Obtain a Copy

You may request to inspect or obtain a paper or electronic copy of your PHI in our designated record set (including your medical and billing records). We will provide access or a copy usually within 30 days (with one 30-day extension if needed) and may charge a reasonable, cost-based fee as permitted by law.

B. Right to Request an Amendment

If you believe information is incorrect or incomplete, you may request that we amend your record. We may deny your request in certain cases (e.g., if we did not create the information, or it is accurate and complete). If denied, you can submit a statement of disagreement to be included in your record.

C. Right to an Accounting of Disclosures

You may request an accounting of disclosures of your PHI made by us during the six years prior to your request, excluding disclosures for treatment, payment, and health care operations and certain other disclosures (e.g., those you authorized).

D. Right to Request Restrictions

You may request restrictions on how we use or disclose your PHI for treatment, payment, or health care operations. We are not required to agree, except we must agree to your request to not disclose PHI to a health plan about a service for which you (or someone on your behalf) paid out-of-pocket in full, unless disclosure is required by law.

E. Right to Request Confidential Communications

You may request that we contact you in a specific way (e.g., at a different address or phone number). We will accommodate reasonable requests.

F. Right to Receive Notice of a Breach

You have the right to receive written notification if a breach of your unsecured PHI occurs.

G. Right to a Paper Copy of this Notice

You may request a paper copy of this Notice at any time, even if you agreed to receive it electronically.

8) Reproductive health & law enforcement requests

We are committed to protecting the privacy of patients seeking reproductive health care. We will not disclose PHI for law enforcement or government inquiries unless required by law and only after careful review of the request. Where state or federal law provides additional protections, we will follow the more protective standard.

10) Questions, concerns, or complaints

If you have questions about this Notice, or believe your privacy rights have been violated, please contact:

Privacy Office
Haven OBGYN
1600 Creekside Drive, Folsom, CA
Email: contact@haven-obgyn.com • Phone: (916) 269-8865

You may also file a complaint with the U.S. Department of Health and Human Services, Office for Civil Rights (OCR):

We will not retaliate against you for filing a complaint.

12) How this Notice works with other documents

  • This Notice (HIPAA) governs PHI in your medical record.
  • The Website Privacy Policy governs website/form data collected on our public site.
  • The Electronic Communications & Texting Policy describes how we use text, email, and portal messages and how you can opt out.
  • Business Associate Agreements (BAAs): We require BAAs with vendors who handle PHI on our behalf, including Healthsight (website/digital operations) and Microsoft (cloud services).

Version 1.0 — Effective November 1, 2025