1. What is Protected Health Information (PHI)?

Protected Health Information (PHI) is any information about your health status, provision of healthcare, or payment for healthcare that can be linked to you as an individual. This includes information in your medical records, conversations between your Provider and care team about your treatment, billing information, and any other health information that identifies you.

Arrow Health and its affiliated Providers are required by law to maintain the privacy and security of your PHI, provide you with this notice of our legal duties and privacy practices, and notify you following a breach of your unsecured PHI.

2. How We May Use and Disclose Your PHI

Treatment

We may use and disclose your PHI to provide, coordinate, or manage your healthcare and any related services. This includes sharing PHI with other Providers involved in your care, such as specialists, pharmacies, and laboratories.

Payment

We may use and disclose your PHI to obtain payment for services we provide to you — for example, submitting claims to insurance companies or processing payment through our platform.

Healthcare Operations

We may use and disclose your PHI for our operational activities including quality assessment, Provider training, accreditation, and business management activities necessary to run our practice.

As Required by Law

We will disclose your PHI when required to do so by federal, state, or local law, including for public health activities, abuse reporting, health oversight activities, judicial proceedings, law enforcement, and national security purposes.

Business Associates

We may share your PHI with third-party service providers ("Business Associates") who perform services on our behalf, such as billing companies, IT providers, and telehealth platform operators. All Business Associates are contractually required to protect your PHI in accordance with HIPAA.

3. Uses and Disclosures Requiring Your Authorization

Other uses and disclosures of your PHI not described in this notice will be made only with your written authorization, including:

  • Most uses and disclosures of psychotherapy notes
  • Uses and disclosures of PHI for marketing purposes
  • Sales of PHI
  • Disclosures of PHI that constitute a sale

You may revoke any authorization at any time in writing, except to the extent that we have already taken action in reliance on that authorization.

Special Protections for Sensitive Information: Arrow Health provides care involving hormone therapy, sexual health, and gender-affirming care. We apply heightened protections to information related to your sexual orientation, gender identity, and related health information, consistent with applicable state and federal law. We will not disclose this information without your explicit authorization except as required by law.

4. Your Rights Regarding Your PHI

Right to Access

You have the right to inspect and obtain a copy of your PHI maintained in our records. We will provide access within 30 days of your request.

Right to Amend

You have the right to request that we amend your PHI if you believe it is incorrect or incomplete. We may deny the request in certain circumstances.

Right to an Accounting

You have the right to request a list of certain disclosures we have made of your PHI for purposes other than treatment, payment, or operations.

Right to Restrictions

You have the right to request restrictions on how we use or disclose your PHI. We are not required to agree, but if we do, we are bound by our agreement.

Right to Confidential Communications

You may request that we communicate with you about your health matters in a certain way or at a certain location (e.g., only via email, not phone).

Right to a Paper Copy

You have the right to obtain a paper copy of this notice upon request, even if you agreed to receive it electronically.

To exercise any of these rights, please contact us at [email protected].

5. Our Duties

Arrow Health is required by law to:

  • Maintain the privacy and security of your PHI
  • Provide you with notice of our legal duties and privacy practices
  • Abide by the terms of the notice currently in effect
  • Notify you if a breach occurs that may have compromised the privacy or security of your PHI

We reserve the right to change our privacy practices and this notice. Any revised notice will be effective for all PHI we maintain. The current version will always be available on our website.

6. Breach Notification

In the event of a breach of unsecured PHI, we will notify you in accordance with HIPAA's Breach Notification Rule. Notification will be provided without unreasonable delay and no later than 60 days following the discovery of the breach. Notification will include a description of the breach, the types of PHI involved, steps you should take to protect yourself, what we are doing to investigate and mitigate the breach, and contact procedures.

7. Complaints

If you believe your privacy rights have been violated, you may file a complaint with Arrow Health or with the U.S. Department of Health and Human Services Office for Civil Rights. We will not retaliate against you for filing a complaint.

To file a complaint with HHS OCR, visit: www.hhs.gov/hipaa/filing-a-complaint

To file a complaint with Arrow Health, contact us at [email protected].

8. Contact Us

For questions about this notice or to exercise your rights, contact our Privacy Officer:

Arrow Health Privacy Officer
Email: [email protected]
Website: