Privacy Policy & Notice of Privacy Practices

Effective Date: 04/16/2026
Last Updated: 04/16/2026

This notice describes how medical information about you may be used and disclosed and how you can get access to this information. Please review it carefully. 

INTRODUCTION

This is a notice by Sunvista Diagnostics, LLC (the “Practice”). The Practice is affiliated with several entities, whose relationship allows the Practice to delegate certain operational functions to these entities. These operational functions may include, without limitation, quality improvement, risk management, financial and billing services, health information exchanges, and clinical research management.
You understand and acknowledge that the Practice will disclose information in accordance with HIPAA laws to our delegated entities for the purposes of creating a population health care delivery model with goals of improving quality of health care and outcomes, reducing costs of health care, and increasing savings to patients.

This notice uses the words “protected health information (PHI)” or “health information.” Those words are defined in the HIPAA regulations. In simple terms, your “protected health information” is information about you and your healthcare that we use and disclose for your treatment and payment for your care, and for our healthcare operational purposes. It includes basic identifying information like your name, address, age, race, phone number, as well as information in your medical records and billing records. PHI can be oral, or in paper or electronic formats.

WHO MUST FOLLOW THIS NOTICE?

We provide you, the patient, with health care by working with doctors and many other health care providers (referred to as we, our, or us). This is a notice of our information privacy practices. The following people or groups will follow this notice:
• All Practice employees.
• Any health care provider who comes to our locations to care for you. These professionals include doctors, nurses, technicians, physician assistants, and others.
• All departments and units of our organization.
• Offices and affiliates performing duties for the Practice.

OUR PLEDGE TO YOU

We understand that your protected health information is private and personal. We are committed to protecting it. Practice employees and other staff members make a record each time you visit. This notice applies to all the records of your care at the Practice, whether created by staff members or your doctor. We will gladly explain this notice to you or your family member.

We are required by law to:
• Keep your protected health information private.
• Give you this notice describing our legal duties and privacy practices for your protected health information.
• Notify you as outlined in state and federal law if a breach of your unsecured protected health information has occurred. Follow the terms of the notice that is currently in effect.

HOW WE MAY USE AND SHARE YOUR PROTECTED HEALTH INFORMATION

This section of our notice tells how we may use and share your protected health information, including sharing electronically. In situations not covered by this notice or otherwise allowed by law and regulation, we will get a separate written permission from you before we use or share your protected health information. You can later cancel your permission by notifying us in writing. We will protect your protected health information as much as we can under the law. Sometimes state law gives more protection to your information than federal law. Sometimes federal law gives more protection than state law. In each case, we will apply the laws that protect your information the most.

Treatment: We will use and share your protected health information, both internally and externally, to provide you with health care treatment and to coordinate or manage your treatment with other health care providers. An example is sending medical information about you to another specialist as part of a referral. We may also share your information with other types of health care providers after you leave our Practice, such as pharmacies, home health agencies, specialty hospitals, or long-term care facilities.

Payment: We will use and share your protected health information so we can be paid for treating you. An example is giving information about you to your health plan or to Medicare. We may also need to give information to your health plan to get approval for certain services or to find out if your plan will pay for certain treatment. We may also share your health information with other health care providers involved in your healthcare, such as your personal physician, anesthesiologist, ambulance services, so that they may receive payment for their services. We may also give your healthcare information to individuals who are responsible for payment for your health care, such as the named insured on your health insurance policy. For example, the person named may receive a copy of an explanation of benefits (EOB) related to your care.

Health Care Operations: We will use and share your medical information for our health care operations. A few examples are using information about you for:
• Improving the quality of care we give you.
• Disease management, wellness management, or population health programs.
• Patient surveys.
• Training students.
• Business planning and administration.
• Resolving patient complaints.
• Getting or keeping our accreditation.
• Compliance and legal services.
• For participation in Clinical Research studies.

We may also share your protected health information with people or companies (called business associates) we use to help us with our operations.

Family Members, Personal Representatives, and Others Involved in Your Care: Unless you tell us otherwise, we may share your protected health information with your friends, family members, or others you have named who help with your care or who can make decisions on your behalf about your health care. Also, if you cannot agree due to an emergency, we may share needed protected health information about you with your family or friends who are involved in your care, based on professional judgment of what is in your best interest. In rare instances, even without your permission, we may share your information with others if the physician or health care provider feels it is in your best interest.

Electronic Sharing and Pooling of Your Information: We may take part in or make possible the electronic sharing or pooling of healthcare information. The most common way we do this is through local or regional health information exchanges (HIEs). Two other types of HIEs we participate in are described in the next two sections. HIEs help doctors, hospitals and other healthcare providers within a geographic area or community provide quality care to you. If you travel and need medical treatment, HIEs allow other doctors or hospitals to electronically contact us about you. All of this helps us manage your care when more than one doctor is involved. It also helps us to keep your health bills lower (avoid repeating lab tests). And finally, it helps us to improve the overall quality of care provided to you and others. We are involved in national health reform efforts and may use and share information as permitted to achieve regional or national goals, including regional or nationally approved population health management or wellness initiatives.

State-Based Health Information Exchange: These facilities may participate in statewide internet-based HIE. As permitted by law, your health information will be shared through the HIE to provide faster access, better coordination of care and to assist healthcare providers, health plans, and public health officials in making more informed decisions. To opt in or out of the HIE, you must notify the HIE yourself.

Research: We may use and share your protected health information for research projects, such as studying the effectiveness of a treatment you received. We will usually get your written permission to use or share your information for research. Under certain circumstances, we may share your protected health information without your written permission. These research projects, however, will be approved by a special committee that protects the confidentiality of your medical information.

Substance Use: Substance Use and Substance Use Disorder records are treated like any other protected health information. They may be used or disclosed in accordance with HIPAA regulations. However, Substance Use records may not be used or disclosed to initiate or substantiate criminal, civil, or administrative actions against a patient. Patients have the right to request restrictions on uses and disclosures, revoke consent (with limits), receive an accounting of disclosures, including for treatment, payment, and healthcare operations. Patients may file a complaint with the practice or the Office for Civil Rights (OCR). Substance use records may be used and disclosed for treatment, payment, and healthcare operations purposes.

Appointment Reminders: We may contact you by phone, email, or text messaging with appointment reminders.

Internet Based Products and Services: Working with third parties, we may share your health information so we can offer you internet-based products or services. Using the products or services, you can:
• Schedule appointments.
• Reduce wait times in our emergency rooms.
• Find a physician or get access to your medical information through a portal.

Treatment Options and Health-Related Benefits and Services: We may contact you about possible treatment options, health-related benefits, or services that we offer.

Health Education and Health Programs: We may send you newsletters or brochures or contact you about health-related information, disease management programs, wellness programs, or other local programs that you might want.

INFORMATION SHARING THAT IS REQUIRED OR PERMITTED BY LAW

We are required or permitted by federal, state, or local law to report or share your health information for various purposes. Some of these required or permitted purposes are:

Public Health Activities: We may share your protected health information as required or permitted by law to public health authorities or government agencies whose official activities include preventing or controlling disease, injury, or disability. For example, we must report certain information about births, deaths, and various diseases to government agencies. We may use your health information in order to report to monitoring agencies any reactions to medications or problems with medical devices. We may also share, when requested, your protected health information with public health agencies that track opioid usage, contagious diseases, or that are involved with preventing epidemics.

Required by Law: We are sometimes required by law to report certain information. For example, we must report child and elder abuse and neglect, and in some states, spouse abuse or neglect. We are required to report certain types of injuries, such as injuries caused by firearms. We also must give information to your employer about work-related illness, injury, or workplace-related medical surveillance. Another example is that we must share information about tumors with state tumor registries.

Public Safety: We may, and sometimes must, share your health information in order to prevent or lessen a serious threat to you or to the health or safety of a particular person or the general public.

Health Oversight Activities: We may share your health information with a health oversight agency when allowed by law for health oversight activities. Health oversight agencies include the agencies that run Medicare and Medicaid, and state medical or nursing licensing boards. Health oversight activities include audits, investigations, or inspections. The activities are necessary so the government can monitor health care treatment and spending, government programs, and also compliance with civil rights laws.

Coroners, Medical Examiners and Funeral Directors: We may share health information about deceased patients with coroners, medical examiners, and funeral directors to identify a deceased person, determine the cause of death, or other duties as permitted.

Military, Veterans, National Security and Other Government Agencies: We may use or share your health information for national security purposes, intelligence activities, or for protective services for the President or certain other persons as allowed by law. We may share your health information with the military for military command purposes when you are a member of the armed forces. We may share medical information with the Secretary of the Department of Health and Human Services for investigating or determining our compliance with HIPAA.

Judicial or Administrative Proceedings: We may use or share your health information in response to court orders or subpoenas only when we have followed procedures required by law.

Law Enforcement: We may share your health information if law enforcement officials ask us to or if we have a legal obligation to notify the appropriate law enforcement or other agencies:
• In response to a court order, subpoena, warrant, summons or similar legal process.
• Regarding a victim or death of a victim of a crime in limited circumstances.
• In emergency circumstances to report a crime, the location or victims of a crime, or the identity, description or location of a person who is alleged to have committed a crime, including crimes that may occur at our facility, such as theft, drug diversion, or attempts to obtain drugs illegally.

Disaster Relief Purposes: We may use or share your health information with public or private disaster organizations, like the American Red Cross, so that your family can be told of your location and condition in case of disaster or emergency. We may also use it to help in coordination of disaster relief efforts.

Workers’ Compensation: We may share your health information for workers’ compensation benefits or similar programs that provide benefits for work- related injuries or illnesses if you tell us that workers’ compensation is the payer for your visit(s). Your employer or workers’ compensation carrier may request the entire medical record for your workers’ compensation claim. This medical record may include details regarding your health history, current medications you are taking, and treatments.

Inmates: If you are an inmate of a correctional institution or in the custody of a law enforcement official, we may share your health information with the institution or law enforcement official. We may do this for the institution to provide you with health care, to protect your health and safety or the health and safety of others, or for the safety and security of the correctional institution.

OTHER USES AND DISCLOSURES OF YOUR HEALTH INFORMATION

Apart from what we say in this Notice, we will not use or share your health information unless we get your written permission. Under HIPAA, this permission is called an “authorization.” If you give us written permission to use or disclose your health information, you may revoke (take back) that permission in writing at any time. If you revoke your permission, we will no longer use or disclose your health information for the purpose involved. However, we cannot retrieve any disclosures that we already made based on your prior permission.

We will get your written permission to use and disclose your health information for these specific purposes when required by law:

Marketing:

Marketing means to make a communication about a product or service that you may be interested in buying. If we send a marketing communication to you about a service or product unrelated to the Practice, or if we receive payment from a third party in order for us to promote a product or service to you, then we are required to get your written permission before we can use or disclose your health information.

We are not required to get your written permission to talk with you in person or send you information about the following:
• Health care treatment options.
• Health-related products and services that are provided by the Practice.
• Case management or care coordination services.
• Recommended alternative treatments, therapies, providers, or settings of care.
• Samples or promotional gifts of nominal value.

You have the right to revoke (take back) your marketing permission and we will honor the revocation. To find out who to contact for opting out of these communications, please contact the Privacy Officer.

Sensitive Medical Information: We may obtain a written permission from you, when required by state and federal laws, to use or share sensitive medical information, such as mental health, substance abuse, or genetic testing information.

Sale of Health Information: We will obtain your authorization for any disclosure of your identifiable health information if we directly or indirectly receive remuneration (money or other valuable things) in exchange for the health information.

THIS NOTICE DOES NOT APPLY TO THE FOLLOWING HEALTH RELATED ACTIVITIES

Some activities may not be covered by this notice and are referred to as Hybrid activities under HIPAA. If you participate in research activities conducted by academic institutions after your information has been legitimately sent to them, or obtain direct access lab services, this notice and HIPAA do not apply.

YOUR RIGHTS REGARDING YOUR HEALTH INFORMATION

Your rights are listed below. Some of the rights require a written request form. You can get the appropriate written request form from the departments outlined below.

Requesting Your Information (Access or Copy): In most cases, when you ask in writing, you can look at or get a copy of your protected health information in your medical records or applicable parts of your billing record in paper or electronic format. You may also request that we send electronic copies directly to a person or entity chosen by you. We will give you a form to fill out to make the request. You can look at medical information about you for free. If you request paper or electronic copies of the information, we may charge a fee to cover the cost of copying, mailing, and supplies. To request a copy of your information, contact the Practice Manager.

If we say no to your request to look at the information or get a copy of it, we will tell you why in writing. Also, you may ask us in writing to review that decision. A health care professional will review your request and the decision. The person who makes the review will not be the same person who said no to your request. We will follow the outcome of the review.

Correcting Your Information (Amendment): If you believe that information about you is wrong or not complete, you can ask us in writing to correct the records (make an amendment). We will give you a form to fill out to make the request. We may say no to your request to correct a record if the information was not created or kept by us or if we believe the record is complete and correct. If we say no to your request, you can ask us in writing to review that denial.

Obtaining a List of Certain Disclosures (Accounting of Disclosures): You can ask to receive a list of certain disclosures we have made of your protected health information during the last six years. To get the list, ask for the Accounting of Disclosures Form from the Practice Manager or the Privacy Officer. Your request must be in writing and state the time period (up to six years) for the listing. The first request in a 12-month period is free. We will charge you for any additional requests for our cost of producing the list. We will give you an estimate of the cost when you request the additional list.

Right to Ask for Confidential Communications: You have the right to ask us to communicate with you about health care matters in a certain way or at a certain address. For example, you can ask that we only contact you at a different location from your home address, such as work, or only contact you by mail instead of by phone. Your request must tell how or where you want to be contacted. We do not require a reason. We will agree to all reasonable requests.

Right to Ask for a Restriction: You can ask in writing that we limit our use or sharing of your protected health information for treatment, payment, and operational purposes. We are not required to agree to most requests. Any time you make a written request, we will consider the request and tell you in writing of our decision to accept or deny your request. We are legally required to agree to only one type of restriction request: if you have paid us in full for a health procedure or item for which we would normally bill your health plan, we must agree to your request not to share information about that procedure or item with your health plan. For example, if you saw a counselor and paid in full for the services rather than submitting the expenses to your health plan, you may ask that your health information related to the counseling not be shared with your health plan.

Right to Receive Notice of a Privacy Breach: We will tell you if we discover a breach of your health information. Breach means that your health information was disclosed or shared in an unintended way and there is more than a low probability that it has been compromised. The notice will tell you about the breach, about steps we have taken to lessen any possible harm from the breach, and actions that you may need to take in response to the breach.

Right to a Paper Copy of This Notice: You have the right to a paper copy of this notice. If you have received this notice electronically, you still can have a paper copy of this notice. You may ask us to give you a copy of this notice at any time.

To ask questions about any of these rights, or to obtain a paper copy of this notice, contact the Privacy Officer. You may also obtain a copy of this notice at our website.

OUR COMMITMENT TO SECURITY OF YOUR HEALTH INFORMATION

In addition to the privacy protections described above, we are required by the HIPAA Security Rule to implement reasonable and appropriate safeguards to protect the confidentiality, integrity, and availability of electronic protected health information (ePHI) that we create, receive, maintain, or transmit. The Security Rule requires us to implement three categories of safeguards: Administrative Safeguards, Physical Safeguards, and Technical Safeguards. Each of these is described below.

ADMINISTRATIVE SAFEGUARDS

We have designated a HIPAA Security Officer who is responsible for the development and implementation of all policies and procedures necessary to protect the confidentiality, integrity, and availability of our information systems and ePHI. Our Security Officer oversees a formal Security Management Process that includes conducting regular risk analyses to identify threats and vulnerabilities to our systems, implementing security measures to reduce those risks to reasonable and appropriate levels, and reviewing information system activity on an ongoing basis.

Access to information systems containing ePHI is authorized only for workforce members who have a legitimate need for specific information in order to accomplish their job responsibilities. We conduct appropriate background and verification checks on workforce members whose roles involve access to ePHI. When employment ends, information system access privileges are disabled no later than the time of departure. If a workforce member is terminated immediately, access is removed before they are notified.

We provide all workforce members with regular security awareness training and reminders about information security risks and how to comply with our security policies. All workforce members must comply with our applicable security policies and procedures; failure to do so may result in disciplinary action commensurate with the severity of the non-compliance. Workforce members are encouraged to report suspected or known security incidents and will not be retaliated against for doing so in good faith.

PHYSICAL SAFEGUARDS

We maintain physical safeguards to prevent unauthorized access to, tampering with, or theft of our equipment and facilities that contain ePHI. Our information systems containing ePHI are physically located in areas where unauthorized access is minimized. Workstations containing ePHI are positioned to prevent viewing by unauthorized individuals, such as persons in waiting areas or public spaces. Employees must activate workstation locking software whenever they leave their workstation unattended and must log off or lock their workstations at the end of their shifts.

We maintain documented procedures for the proper disposal and re-use of electronic media and hardware containing ePHI. All electronic media containing ePHI must be properly disposed of when no longer needed, and any media that is to be re-used must have all ePHI completely removed before re-use. In the event of a disaster or emergency, we have contingency procedures to allow authorized personnel to access our facilities and information systems as necessary to continue critical operations and protect ePHI.

TECHNICAL SAFEGUARDS

We implement technical safeguards to control access to, and protect the integrity of, ePHI maintained on our information systems. Access to our information systems containing ePHI is granted only to authorized workforce members and approved software programs with a legitimate need to access specific information. Each user is assigned a unique identifier so that system activity can be traced back to a specific individual. We maintain audit controls that record and examine activity on information systems containing ePHI, and those audit logs are reviewed on a regular basis.

Passwords used to access information systems containing ePHI must not be shared with or disclosed to others, and must not be displayed in open view. Workforce members must not ask another employee to reveal their password. All attempts to log in to our information systems containing ePHI are monitored for discrepancies in order to identify any unauthorized access attempts. We also implement technical measures to guard against, detect, and report malicious software that poses a risk to our information systems. Employees must not bypass or disable anti-virus or other security software without proper authorization.

We protect the confidentiality, integrity, and availability of ePHI transmitted over electronic communications networks by implementing appropriate encryption and integrity controls. When risk analysis indicates it is necessary, ePHI transmitted electronically is sent in encrypted form. We maintain regular data backups of all ePHI, and those backup copies are stored in a secure off-site location. Restoration procedures are tested regularly to ensure they are effective.

SECURITY INCIDENT RESPONSE AND BREACH NOTIFICATION

We have formal procedures for responding to and recovering from security incidents. Workforce members must report any suspected or known security incidents as quickly as possible to our HIPAA Security Officer, who is authorized to investigate potential violations of our security policies, take action to mitigate any harm, and apply sanctions as warranted. A workforce member must not prevent another member from reporting a security incident.

In addition to the privacy breach notification obligations described in the section titled “Right to Receive Notice of a Privacy Breach,” the HIPAA Security Rule requires us to identify, document, and respond to security incidents affecting ePHI. When a breach of unsecured PHI occurs, we will provide notification to affected individuals, to the Secretary of the U.S. Department of Health and Human Services, and, where applicable, to prominent media outlets, in accordance with the timelines and requirements described in the Breach Notification section of this Notice.

CONTINGENCY PLANNING

We maintain a Contingency Plan designed to reduce the disruption to our information systems and to protect ePHI in the event of a disaster or emergency. This plan includes a Data Backup Plan ensuring regular backup copies of all ePHI, a Disaster Recovery Plan to restore any loss of ePHI following a disaster, and an Emergency Mode Operation Plan establishing procedures to continue critical business processes and protect ePHI while operating in emergency mode. Our contingency plans are tested at least annually and revised as necessary to address any gaps identified during testing.

CHANGES TO THIS NOTICE

We may change our privacy practices from time to time. Changes will apply to current medical information, as well as new information after the change occurs. If we make an important change, we will change this notice. We will also post the new notice in our facilities and on our website. You can ask in writing for a copy of this notice at any time by contacting the facility’s Practice Manager or Privacy Officer. If our notice has materially changed, we will give you a copy of the notice the next time you register for treatment.

DO YOU HAVE CONCERNS OR COMPLAINTS?

If you think your privacy rights may have been violated, you may contact us at [email protected] or call (555) 555-5555, or contact the facility’s Privacy Officer. You may also send a written complaint to the U.S. Department of Health and Human Services, Office of Civil Rights at [email protected] or Centralized Case Management Operations, U.S. Department of Health and Human Services, 200 Independence Avenue, S.W., Room 509F HHH Bldg., Washington, D.C. 20201. We will not take any action against you or change our treatment of you for filing a complaint.

CONTACT INFORMATION

[email protected] (555) 555-5555

Acknowledgement of Receipt of Notice of Privacy Practices

I acknowledge that I have received a copy of this office's Notice of Privacy Practices that outlines how patient confidential information will be used, disclosed and protected.