Notice of Privacy Practices.

Cynthia Boxrud, MD ("we," "the practice") is committed to protecting the privacy of your protected health information ("PHI"). We are required by federal and California law to:

• Maintain the privacy and security of your PHI.
• Provide you with this notice of our legal duties and privacy practices.
• Notify you promptly if a breach occurs that compromises the privacy or security of your unsecured PHI.
• Follow the terms of the notice currently in effect.
• Abide by both HIPAA and any state law (including California's CMIA) that is more protective of your PHI.

The following categories describe the ways we may use and disclose your PHI without your separate written authorization. Not every permitted use is listed, but the examples reflect the most common situations.

For treatment

We use PHI to provide, coordinate, and manage your medical care. For example, we may share information with another physician involved in your care, such as your dermatologist, ophthalmologist, or anesthesiologist; with a referring physician; or with a pharmacy.

For payment

We may use and disclose PHI to obtain payment for services. For example, we may submit information to your insurance carrier to confirm coverage, obtain prior authorization, or bill for a procedure.

For healthcare operations

We may use PHI for activities necessary to operate the practice. Examples include quality assessment, staff training, accreditation, licensure activities, and reviewing the competence and qualifications of healthcare professionals.

For appointment reminders and treatment alternatives

We may use your contact information to remind you of upcoming appointments and to inform you about treatment alternatives, health-related benefits, or services that may be of interest.

To individuals involved in your care or payment for your care

Unless you object, we may disclose PHI to a family member, close personal friend, or other person you identify, to the extent the information is directly relevant to that person's involvement in your care or payment for your care.

Business associates

We may disclose PHI to business associates that perform services for us (such as IT support, billing, or transcription services). Business associates are bound by a written agreement to protect PHI to the same extent we do.

The following uses or disclosures of your PHI require your separate written authorization, which you may revoke at any time in writing:

• Marketing. Most uses or disclosures of PHI for marketing purposes.
• Sale of PHI. We do not sell PHI; any sale would require your authorization.
• Psychotherapy notes. Most disclosures of psychotherapy notes (if any) require authorization, with limited exceptions.
• Genetic information. Disclosure of genetic information for underwriting purposes is prohibited by the Genetic Information Nondiscrimination Act of 2008 ("GINA").
• Other purposes not described in this notice. Any other use or disclosure not described here will be made only with your written authorization.

In limited circumstances, we may use or disclose PHI without your written authorization, including:

• As required by law, including state mandatory reporting laws.
• For public health activities, such as reporting disease, vital statistics, child or elder abuse, and product safety.
• For health oversight activities, such as audits, investigations, inspections, and licensure proceedings.
• For judicial and administrative proceedings, in response to a court order, subpoena, or other lawful process.
• For law enforcement purposes, as required or permitted by law.
• To coroners, medical examiners, and funeral directors, as necessary for them to perform their duties.
• For organ and tissue donation, when applicable.
• For research, only when approved by an Institutional Review Board ("IRB") with appropriate privacy safeguards.
• To avert a serious threat to health or safety of an individual or the public.
• For specialized government functions, including military, veterans, intelligence, and national security activities.
• For workers' compensation claims as authorized by law.
• For decedents, for purposes of identification or determining cause of death.

California's Confidentiality of Medical Information Act provides protections in addition to those required by HIPAA. Where California law is more protective of your medical information than HIPAA, we will follow California law. This includes restrictions on disclosing certain categories of sensitive information (including HIV/AIDS, genetic testing, mental-health, and substance-use disorder treatment) without specific authorization.

Right to inspect and copy

You have the right to inspect and obtain a copy of PHI we maintain in a designated record set, with limited exceptions. We will respond within 30 days (with one possible 30-day extension). You may request the copy in electronic form. A reasonable cost-based fee for copying, labor, and postage may apply, consistent with HIPAA and California law.

Right to request amendment

If you believe information in your record is incorrect or incomplete, you may request an amendment in writing with a reason for the request. We may deny your request in certain circumstances. If denied, you may submit a written statement of disagreement, which will be included in your record.

Right to an accounting of disclosures

You have the right to request a list of certain disclosures of your PHI we have made in the six years prior to the request. Certain disclosures (including those for treatment, payment, healthcare operations, and those you authorized) are excluded. The first accounting in any 12-month period is provided at no charge.

Right to request restrictions

You may request that we limit how we use or disclose PHI for treatment, payment, or healthcare operations, or to certain individuals. We are required to agree to a restriction if you (or someone on your behalf) pay out of pocket in full for a healthcare item or service and request that we not disclose information about that item or service to your health plan (as required by the HITECH Act). Otherwise, we are not required to agree to a restriction.

Right to request confidential communications

You have the right to request that we communicate with you about medical matters in a particular way or at a particular location (for example, by mail at a P.O. Box rather than by phone). We will accommodate reasonable requests.

Right to a paper copy of this notice

You have the right to a paper copy of this notice at any time upon request, even if you have agreed to receive it electronically.

Right to be notified of a breach

You have the right to be notified following a breach of your unsecured PHI, as required by the HITECH Act.

Right to opt out of fundraising

If we conduct fundraising communications that include PHI, you have the right to opt out of those communications.

• We are required by law to maintain the privacy and security of your PHI.
• We will notify you promptly if a breach occurs that may have compromised the privacy or security of your PHI.
• We will abide by the terms of the notice currently in effect.
• We will not use or disclose your PHI other than as described in this notice or as you authorize in writing. You may revoke an authorization at any time, in writing, except where we have already acted in reliance on it.
• We will follow California law where it is more protective of your information than HIPAA.

We reserve the right to change this notice and to make the revised notice effective for PHI we already have about you, as well as any information we receive in the future. A copy of the current notice is available in the office and posted on this website. The "Effective date" at the top of this notice reflects the latest version.

If you believe your privacy rights have been violated, you may file a complaint with our practice (see Section 10) or with the federal government. You will not be retaliated against for filing a complaint.

You may also file a complaint with the California Attorney General's Office or the California Department of Public Health.

To file a complaint with our practice, request an amendment, accounting, or restriction, or to ask any question about this notice or your rights, please contact our Privacy Officer:

Cynthia Boxrud, MD — Privacy Officer
2021 Santa Monica Blvd, Suite 408E
Santa Monica, CA 90404
(310) 829-9060