Notice of Privacy Practices
Your Information. Your Rights. Our Responsibilities.
Effective Date: January 1, 2026
THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
1. About This Notice
This Notice of Privacy Practices describes how Paula S. Gordy LISW, LLC ("we," "us," "our," or "the Practice") may use and disclose your protected health information (PHI) to carry out treatment, payment, and health care operations, as well as for other purposes permitted or required by law. It also describes your rights regarding the health information we maintain about you and how you may exercise those rights.
Please review this notice carefully. We understand that your health information is personal and private, and we are committed to protecting it. We are required by federal and state law to:
- Maintain the privacy of your protected health information
- Provide you with this notice of our legal duties and privacy practices with respect to your health information
- Abide by the terms of the notice currently in effect
- Notify you if there is a breach of your unsecured protected health information
This notice is provided to you in compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Health Information Technology for Economic and Clinical Health (HITECH) Act, the HIPAA Privacy Rule (45 CFR Parts 160 and 164), and all applicable Iowa state laws governing the confidentiality of health information and mental health records.
2. Your Protected Health Information
What Is Protected Health Information (PHI)?
Protected health information is any individually identifiable health information that we create, receive, maintain, or transmit in any form (written, electronic, or oral) that relates to:
- Your past, present, or future physical or mental health condition
- The provision of health care services to you
- The past, present, or future payment for the provision of health care services to you
PHI includes information that can be used to identify you, such as your name, address, date of birth, Social Security number, phone number, email address, and any other information that could reasonably be used to identify you in connection with your health data.
What Constitutes Your Health Record?
Each time you visit our practice or receive services from us, a record of your visit is made. This record typically includes:
- Your symptoms, diagnoses, and treatment plans
- Assessment and evaluation results
- Progress notes documenting your treatment sessions
- Psychotherapy notes (maintained separately; see Section 4)
- Referral information and correspondence with other health care providers
- Insurance and billing information
- Signed consent forms and authorizations
- Communication records related to your care
How We Create and Maintain Records
We create and maintain your health record using secure electronic health record (EHR) systems that meet federal and state requirements for the protection of health information. Our records are stored on HIPAA-compliant platforms with appropriate administrative, physical, and technical safeguards. Paper records, if any, are stored in locked, secure locations with access restricted to authorized personnel only.
3. How We May Use and Disclose Your Health Information
The following categories describe the ways we may use and disclose your health information. Not every possible use or disclosure in a category is listed, but all of the ways we are permitted to use and disclose information will fall within one of the categories described below.
a) Treatment
We may use and disclose your health information to provide you with mental health treatment and services. This includes sharing information with other health care providers who are involved in your care. For example:
- Consulting with another therapist, psychiatrist, or physician about your treatment
- Referring you to another provider and sharing relevant clinical information to ensure continuity of care
- Coordinating your care with your primary care physician or other specialists
- Sharing information with another provider in the event of a crisis or emergency
b) Payment
We may use and disclose your health information to obtain payment for services we provide to you. This may include:
- Submitting claims to your health insurance company or other third-party payers
- Providing your insurance company with information about your diagnosis and treatment to obtain prior authorization or to determine whether your plan will cover the treatment
- Collecting amounts owed for services provided
- Providing billing information to a collection agency, if necessary
c) Health Care Operations
We may use and disclose your health information for our internal health care operations. These activities are necessary to run our practice and to ensure that all of our clients receive quality care. Health care operations include:
- Quality assessment and improvement activities
- Reviewing the competence and qualifications of our clinical staff
- Conducting or arranging for training programs and clinical supervision
- Accreditation, licensing, and credentialing activities
- Conducting audits and compliance reviews
- Business planning and development
- General administrative activities, including customer service and grievance resolution
d) With Your Written Authorization
For uses and disclosures of your health information that are not described in this notice or not otherwise permitted by law, we will obtain your written authorization before using or disclosing your information. You have the right to revoke your authorization at any time, in writing, except to the extent that we have already taken action in reliance on the authorization. Specific situations that require your written authorization include, but are not limited to:
- Disclosing your health information to your employer (unless related to a work-related injury or illness)
- Using or disclosing your health information for marketing purposes
- Selling your health information
- Most uses and disclosures of psychotherapy notes (see below)
- Disclosures to family members, friends, or other individuals you identify (unless you are incapacitated or in an emergency)
e) Psychotherapy Notes
Special Protection: Psychotherapy notes receive heightened protection under HIPAA. These notes are maintained separately from your general clinical record and require a specific written authorization for most uses and disclosures.
Psychotherapy notes are notes recorded by your therapist during or after a counseling session that document or analyze the contents of the conversation during the session. These notes are kept separate from the rest of your medical record. We will not use or disclose your psychotherapy notes without your specific written authorization, except in the following limited circumstances:
- For use by the therapist who created the notes for your ongoing treatment
- For training programs in which students, trainees, or practitioners in mental health learn to practice or improve their skills under supervision
- To defend ourselves in a legal action or other proceeding brought by you
- When required by the U.S. Department of Health and Human Services (HHS) to investigate our compliance with HIPAA
- When required by law, such as mandatory reporting of child abuse or neglect
- To prevent or lessen a serious and imminent threat to the health or safety of a person or the public
- For health oversight activities of the originator of the psychotherapy notes
- For the lawful activities of a coroner or medical examiner
f) Uses and Disclosures That Do Not Require Your Authorization
In certain situations, federal and state law require or permit us to use or disclose your health information without your written authorization. The following describes those situations:
When Required by Law
We will disclose your health information when required to do so by federal, state, or local law. This includes mandatory reporting requirements under Iowa law.
Public Health Activities
We may disclose your health information for public health activities as permitted by law, including reporting to public health authorities to prevent or control disease, injury, or disability; reporting vital events such as births and deaths; and reporting adverse reactions to medications or products.
Victims of Abuse, Neglect, or Domestic Violence
We may disclose your health information to a government authority if we reasonably believe you have been a victim of abuse, neglect, or domestic violence. Iowa law requires mental health professionals to report suspected child abuse and dependent adult abuse to the Iowa Department of Human Services. We will make such reports when we have a reasonable belief that abuse or neglect has occurred, as mandated under Iowa Code Chapters 232 and 235B.
Health Oversight Activities
We may disclose your health information to a health oversight agency for activities authorized by law, such as audits, civil or criminal investigations, inspections, licensure activities, and other proceedings necessary for the government to monitor the health care system, government benefit programs, and compliance with civil rights laws.
Judicial and Administrative Proceedings
We may disclose your health information in the course of a judicial or administrative proceeding in response to a court order, subpoena, discovery request, or other lawful process. If a subpoena or discovery request is not accompanied by a court order, we will take reasonable steps to ensure that you have been notified of the request or that an effort has been made to obtain a protective order before disclosing your information.
Law Enforcement Purposes
We may disclose your health information to a law enforcement official for law enforcement purposes in certain limited circumstances, including:
- In response to a court order, warrant, subpoena, summons, or similar process
- To identify or locate a suspect, fugitive, material witness, or missing person (limited information only)
- To provide information about a victim of a crime under certain limited circumstances
- When we believe disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public
- To report information about a death we believe may have resulted from criminal conduct
- To report information about criminal conduct occurring on our premises
To Avert a Serious Threat to Health or Safety
We may use and disclose your health information when necessary to prevent or lessen a serious and imminent threat to the health or safety of you, another person, or the public. In such cases, we will disclose information only to someone who is able to help prevent or lessen the threat, including law enforcement personnel and family members when appropriate.
Military and Veterans
If you are a member of the armed forces, we may disclose your health information as required by military command authorities. We may also disclose health information about foreign military personnel to the appropriate foreign military authority.
Workers' Compensation
We may disclose your health information to the extent authorized by and to the extent necessary to comply with workers' compensation laws and other similar programs that provide benefits for work-related injuries or illness.
Deceased Persons
We may disclose your health information to coroners, medical examiners, and funeral directors so they can carry out their duties. We may also disclose information to the personal representative of the deceased individual's estate.
Organ and Tissue Donation
If you are an organ donor, we may disclose your health information to organizations that handle organ procurement, organ or tissue transplantation, or an organ donation bank as necessary to facilitate the donation and transplantation process.
Research
Under certain circumstances, we may use or disclose your health information for research purposes, provided that specific conditions are met, including approval of the research by an institutional review board (IRB) or a privacy board that has established protocols to ensure the privacy of your information.
Correctional Institutions
If you are an inmate of a correctional institution or under the custody of a law enforcement official, we may disclose your health information to the institution or official. This release would be necessary for the institution to provide you with health care, to protect the health and safety of you or others, or for the safety and security of the correctional institution.
Required by the Secretary of HHS
We are required to disclose your health information to the U.S. Department of Health and Human Services (HHS) when HHS is investigating or determining our compliance with HIPAA privacy rules.
4. Special Protections for Mental Health Information
Because our practice provides mental health services, your records may receive additional protections beyond those provided by HIPAA. The following special protections apply:
Iowa State Protections for Mental Health Records
Iowa law provides additional protections for mental health records that may exceed the protections available under federal HIPAA regulations. Under Iowa Code Chapter 228, mental health information is subject to specific confidentiality requirements. Information about a patient's mental health treatment generally may not be disclosed without the patient's informed, written consent, except in circumstances specifically authorized by law, such as:
- When the patient presents an imminent danger to self or others
- When disclosure is necessary for treatment by another provider
- When required by a court order following an in-camera review
- When mandated by child abuse or dependent adult abuse reporting laws
- For emergency medical treatment when the patient is unable to consent
Where Iowa law provides greater protections than HIPAA, we follow the stricter standard.
Psychotherapy Notes
As described in Section 3(e), psychotherapy notes recorded by your therapist during or after counseling sessions receive heightened protection under both HIPAA and Iowa law. These notes are maintained separately from your general clinical record and are not included in disclosures of your medical record unless you provide specific, separate written authorization.
Substance Use Disorder Records
If you receive treatment for a substance use disorder, your records related to that treatment may be subject to additional federal protections under 42 CFR Part 2 (Confidentiality of Substance Use Disorder Patient Records). These regulations strictly limit the disclosure and use of substance use disorder treatment records and generally require your specific written consent before any disclosure, even for payment or health care operations. Violations of 42 CFR Part 2 may be subject to criminal penalties.
Minor's Rights in Iowa
Iowa law grants certain rights to minors regarding their mental health treatment. Under Iowa Code Section 228.2 and related provisions:
- Minors aged 14 and older may consent to outpatient mental health services on their own without parental consent
- When a minor consents to their own treatment, the minor's health information may be entitled to additional confidentiality protections, and parental access to records may be limited
- We will comply with applicable Iowa law regarding the balance between parental access rights and a minor's right to confidential mental health treatment
- If there is a conflict between a minor's right to privacy and a parent's right to access, we will follow Iowa law and exercise professional judgment to act in the best interest of the minor
Court-Ordered Treatment Disclosures
If you are receiving court-ordered mental health treatment, certain disclosures to the court may be required by law. These disclosures are generally limited to information about your attendance, compliance with treatment, and whether continued treatment is recommended. We will limit disclosures to the minimum information necessary to fulfill the requirements of the court order.
5. Your Rights Regarding Your Health Information
You have the following rights with respect to the protected health information we maintain about you. To exercise any of these rights, please contact our Privacy Officer using the information provided in Section 11.
a) Right to Inspect and Obtain a Copy of Your Health Information
You have the right to inspect and obtain a copy of your health information that we maintain in our records, including your clinical and billing records. To make a request, please submit your request in writing to our Privacy Officer. We may charge a reasonable, cost-based fee for providing copies.
- If your records are maintained electronically, you have the right to request a copy in electronic format. We will provide the records in the electronic form and format you request if it is readily producible, or in a mutually agreed-upon format if not.
- You may also direct us to transmit a copy of your health information directly to another person you designate, provided your request is in writing, signed by you, and clearly identifies the designated person and where to send the copy.
- In very limited circumstances, we may deny your request to inspect or copy your records. If we deny your request, we will provide you with a written explanation of the reasons and inform you of your right to request a review of the denial.
- We will respond to your request within 30 days. If we need additional time, we will notify you of the delay and the expected date of completion, not to exceed an additional 30 days.
b) Right to Request an Amendment
If you believe that the health information we maintain about you is incorrect or incomplete, you have the right to request that we amend the information. Your request must be in writing and must include the reason you believe the amendment is needed. We will respond to your request within 60 days.
- We may deny your request if the information was not created by us, if the information is not part of the records we maintain, if the information is not available for your inspection (for example, psychotherapy notes), or if the information is accurate and complete.
- If we deny your request, we will provide you with a written explanation and inform you of your right to submit a statement of disagreement.
- If we accept your amendment, we will make the amendment to your record, inform you that it has been made, and make reasonable efforts to inform others who have received the information and who may need the amendment.
c) Right to an Accounting of Disclosures
You have the right to request a list (accounting) of certain disclosures of your health information that we have made. This accounting will not include disclosures made for the following purposes:
- Treatment, payment, or health care operations
- Disclosures made to you or authorized by you
- Disclosures made for national security or intelligence purposes
- Disclosures made to correctional institutions or law enforcement officials
- Disclosures that occurred before April 14, 2003
Your request must be in writing and must specify a time period, which may not be longer than six years prior to the date of your request. We will provide one accounting per year at no charge. We may charge a reasonable, cost-based fee for additional accountings in the same 12-month period, and we will inform you of the cost before proceeding.
d) Right to Request Restrictions
You have the right to request that we limit the ways we use or disclose your health information for treatment, payment, or health care operations. You may also request limits on the health information we disclose to someone involved in your care or the payment for your care, such as a family member or friend.
- We are not required to agree to your request, except in one specific situation: if you pay for a service or item out-of-pocket in full and you request that we not disclose information about that service to your health plan, we are required to honor that request. This restriction applies only to disclosures to the health plan for the purpose of carrying out payment or health care operations, and does not apply if disclosure is required by law.
- If we do agree to a restriction, we will follow it unless the information is needed to provide you with emergency treatment.
- To request a restriction, please submit your request in writing to our Privacy Officer, specifying what information you want to limit, whether you want to limit our use, disclosure, or both, and to whom you want the limits to apply.
e) Right to Request Confidential Communications
You have the right to request that we communicate with you about your health information in a certain way or at a certain location. For example, you may ask that we contact you only at your work address or by a specific phone number. We will accommodate reasonable requests.
- You do not need to provide a reason for your request.
- Please submit your request in writing to our Privacy Officer, specifying how or where you want to be contacted.
- We will not ask you the reason for your request and will accommodate all reasonable requests.
f) Right to a Paper Copy of This Notice
You have the right to obtain a paper copy of this Notice of Privacy Practices at any time, even if you have agreed to receive it electronically. You may request a paper copy from our Privacy Officer or any member of our staff.
g) Right to Be Notified of a Breach
You have the right to be notified if there is a breach of your unsecured protected health information. A breach is an impermissible use or disclosure of PHI that compromises the security or privacy of your information. In the event of a breach, we will notify you as required by law, including:
- A description of the breach, including the date of the breach and the date of its discovery
- A description of the types of unsecured PHI involved in the breach
- Steps you should take to protect yourself from potential harm resulting from the breach
- A description of what we are doing to investigate the breach, mitigate the harm, and prevent future breaches
- Contact information for you to ask questions or receive additional information
We will provide notification without unreasonable delay and no later than 60 days after the discovery of the breach.
h) Right to Opt Out of Fundraising Communications
If our practice were to engage in fundraising activities, you would have the right to opt out of receiving fundraising communications from us. Any fundraising communication we send would include a clear and conspicuous description of how you may opt out. At this time, our practice does not engage in fundraising activities.
6. Our Responsibilities
Paula S. Gordy LISW, LLC is committed to the protection of your health information. We have the following responsibilities:
- We are required by law to maintain the privacy and security of your protected health information.
- We are required to provide you with a copy of this notice describing our privacy practices, our legal duties, and your rights concerning your health information.
- We will not use or disclose your health information without your written authorization, except as described in this notice or as otherwise permitted or required by law.
- We are required to notify you following a breach of your unsecured protected health information.
- We will not sell your protected health information.
- We will not use or disclose your protected health information for marketing purposes without your written authorization.
- We will apply the "minimum necessary" standard when using or disclosing your health information, meaning we will use, disclose, or request only the minimum amount of information needed to accomplish the intended purpose.
- We will train our workforce on HIPAA privacy policies and procedures and take appropriate corrective action against any workforce member who violates these policies.
- We will maintain appropriate administrative, technical, and physical safeguards to protect the privacy and security of your health information.
7. Changes to This Notice
We reserve the right to change the terms of this notice and to make the new notice provisions effective for all protected health information that we maintain, including information we created or received before we made the changes. If we make a material change to this notice, we will:
- Post the revised notice in our offices at all locations
- Make the revised notice available on our website at www.paulagordy.com
- Make copies of the revised notice available upon request
- Include the effective date on the first page of the notice
You are entitled to receive a copy of the most current Notice of Privacy Practices at any time. Please contact our Privacy Officer to request the latest version.
8. Website Privacy & Security
Our commitment to your privacy extends to our online presence. The following describes how we protect your information on our website.
Website Security
Our website uses SSL/TLS encryption (HTTPS) to protect information transmitted between your browser and our servers. This encryption helps ensure that data exchanged during your visit remains private and secure.
Contact Form Disclaimer
Important: The contact form on our website is not a HIPAA-compliant, secure communication method. Please do not include protected health information, details about your diagnosis, treatment, or other sensitive medical information in contact form submissions. The contact form should be used only for general inquiries, appointment requests (name and phone number only), and non-clinical questions.
Client Portal
Our client portal is a HIPAA-compliant, encrypted platform that provides a secure way for current clients to communicate with our practice, access records, and manage appointments. The client portal uses industry-standard encryption and authentication measures to protect your health information. If you wish to communicate securely with our practice about clinical matters, please use the client portal.
Information Collected Through the Website
We do not collect protected health information through our website contact form or general website interactions. Information you voluntarily provide through the contact form (such as your name, phone number, and email address) is used solely for the purpose of responding to your inquiry.
Cookies and Tracking
Our website may use cookies and similar technologies to improve your browsing experience. These cookies may include:
- Essential cookies that are necessary for the website to function properly
- Analytics cookies that help us understand how visitors interact with our website (data is anonymized and aggregated; it does not include PHI)
We do not use cookies or tracking technologies to collect protected health information. Analytics data is anonymized and does not identify individual users.
Email Communications
Important: Standard email (such as messages sent to info@paulagordy.com) is not a secure method of communication. Please do not send protected health information, clinical details, or other sensitive information via regular email. For secure communication, please use our HIPAA-compliant client portal.
Third-Party Links
Our website may contain links to external websites. We are not responsible for the privacy practices or content of those third-party websites. We encourage you to review the privacy policies of any website you visit.
9. Telehealth Privacy
Paula S. Gordy LISW, LLC offers telehealth (video and/or phone-based) counseling services. The same privacy protections described in this notice apply to services provided through telehealth.
HIPAA-Compliant Telehealth Platforms
We conduct telehealth sessions using HIPAA-compliant video conferencing platforms that provide end-to-end encryption and meet the requirements of federal and state privacy laws. We maintain Business Associate Agreements (BAAs) with all telehealth platform vendors, as required by HIPAA.
Privacy Protections During Telehealth
- All telehealth sessions are conducted with the same standards of confidentiality as in-person sessions
- Our therapists conduct telehealth sessions from private, secure locations
- Telehealth sessions are not recorded unless you provide specific written consent, and any recordings would be subject to the same protections as other PHI
- Technical safeguards are in place to protect the security and integrity of information transmitted during telehealth sessions
Your Responsibilities During Telehealth Sessions
To help protect your privacy during telehealth sessions, we ask that you:
- Participate from a private location where others cannot see or hear your session
- Use a personal device (computer, tablet, or phone) rather than a shared or public device whenever possible
- Use a secure, private internet connection (avoid public Wi-Fi networks)
- Ensure your device has current security updates and antivirus protection
- Use headphones or earbuds to further protect the privacy of your session
- Do not record your telehealth session without the prior written consent of your therapist
Limitations of Telehealth Privacy
While we take all reasonable precautions to protect the privacy and security of your telehealth sessions, please be aware that no technology is completely immune to security breaches. By participating in telehealth services, you acknowledge this inherent limitation. If you have concerns about the privacy of telehealth, please discuss them with your therapist, and we will work with you to identify the most appropriate care modality.
10. Complaints
If you believe your privacy rights have been violated or that we have not complied with the policies described in this notice, you have the right to file a complaint. You will not be retaliated against, penalized, or otherwise treated differently for filing a complaint.
File a Complaint With Our Practice
You may file a complaint directly with our Privacy Officer:
Privacy Officer: Paula S. Gordy, LISW
Paula S. Gordy LISW, LLC
501 N 12th St, STE 1
Centerville, IA 52544
Phone: (641) 856-2688
Fax: (641) 856-2690
Email: info@paulagordy.com
File a Complaint With the U.S. Department of Health and Human Services
You may also file a complaint with the Secretary of the U.S. Department of Health and Human Services, Office for Civil Rights:
U.S. Department of Health and Human Services
Office for Civil Rights
200 Independence Avenue, S.W.
Washington, D.C. 20201
Phone: 1-877-696-6775
Website: www.hhs.gov/ocr/privacy/hipaa/complaints/
No Retaliation: We will not retaliate against you in any way if you file a complaint with us or with the U.S. Department of Health and Human Services. Filing a complaint will not affect the care you receive from our practice.
11. Contact Information
If you have any questions about this notice, our privacy practices, or your rights regarding your health information, please contact our Privacy Officer:
Privacy Officer
Paula S. Gordy, LISW
Paula S. Gordy LISW, LLC
501 N 12th St, STE 1
Centerville, IA 52544
- Phone: (641) 856-2688
- Fax: (641) 856-2690
- Email: info@paulagordy.com
- Address: 501 N 12th St, STE 1, Centerville, IA 52544
This notice is effective as of January 1, 2026. We are required by law to provide you with a copy of this notice upon request. You may also obtain a copy at any of our office locations or by contacting our Privacy Officer. A copy of the current notice will be posted in our offices and on our website at all times.