Privacy Policy
Effective Date: January 31st, 2025
PRIVACY STATEMENT
We are committed to protecting your privacy and developing technology that gives you the most powerful and safe online experience. This Statement of Privacy applies to Mindful Oasis LLC’s website and governs data collection and usage. By using this website, you consent to the data practices described in this statement.
Collection of your Personal Information
Mindful Oasis LLC collects personally identifiable information, such as your e-mail address, name, home or work address, or telephone number. Mindful Oasis LLC also collects anonymous demographic information, which is not unique to you, such as your ZIP code, age, gender, preferences, interests, and favorites.
There is also information about your computer hardware and software that is automatically collected by this website. This information can include your IP address, browser type, domain names, access times, and referring website addresses. This information is used for the operation of the service, to maintain the quality of the service, and to provide general statistics regarding the use of this website.
Please keep in mind that if you directly disclose personally identifiable information or personally sensitive data through public message boards, this information may be collected and used by others.
Mindful Oasis LLC encourages you to review the privacy statements of websites you choose to link to from this website so that you can understand how those websites collect, use, and share your information. Mindful Oasis LLC is not responsible for the privacy statements or other content on any other websites.
Use of your Personal Information
Mindful Oasis LLC collects and uses your personal information to operate the website and deliver the services you have requested. Mindful Oasis LLC also uses your personally identifiable information to inform you of other products or services available from Mindful Oasis LLC and its affiliates. Mindful Oasis LLC may also contact you via surveys to conduct research about your opinion of current services or potential new services that may be offered.
Mindful Oasis LLC does not sell, rent, or lease its customer lists to third parties. Mindful Oasis LLC may share data with trusted partners to help us perform statistical analysis, send you email or postal mail, provide customer support, or arrange for deliveries. All such third parties are prohibited from using your personal information except to provide these services, and they are required to maintain the confidentiality of your information.
Mindful Oasis LLC does not use or disclose sensitive personal information, such as race, religion, or political affiliations, without your explicit consent.
Mindful Oasis LLC will disclose your personal information, without notice, only if required to do so by law.
Use of Cookies
The website uses “cookies” to help Mindful Oasis LLC personalize your online experience. A cookie is a text file that is placed on your hard disk by a web page server. Cookies cannot be used to run programs or deliver viruses to your computer. Cookies are uniquely assigned to you and can only be read by a web server in the domain that issued the cookie to you.
Security of your Personal Information
Mindful Oasis LLC secures your personal information from unauthorized access, use, or disclosure. Mindful Oasis LLC secures the personally identifiable information you provide on computer servers in a controlled, secure environment, protected from unauthorized access, use, or disclosure. When personal information (such as a credit card number) is transmitted to other websites, it is protected through the use of encryption, such as the Secure Socket Layer (SSL) protocol.
Disclaimer
By providing my phone number to Mindful Oasis, I agree and acknowledge that Mindful Oasis may send text messages to my wireless phone number for any purpose related to my care, including appointment reminders, health updates, and important notifications. Message and data rates may apply. Message frequency will vary, and I can opt out at any time by replying “STOP”. For more information on how my data is handled, please visit our Privacy Policy: https://mindfuloasisva.com/privacy.
Privacy Policy (SMS-Specific)
- No mobile information will be shared with third parties or affiliates for marketing or promotional purposes.
- We do not sell, rent, or disclose your mobile data to unauthorized third parties.
- All SMS opt-in data and consent will not be shared with any third parties.
- Text messaging originator opt-in data will be kept confidential and used solely for communication related to your care at Mindful Oasis.
Changes to this Statement
Mindful Oasis LLC will occasionally update this Statement of Privacy to reflect company and customer feedback. We encourage you to periodically review this Statement to be informed of how Mindful Oasis LLC is protecting your information.
Contact Information
Mindful Oasis LLC
Mariam Bouanane Smith
Phone: 757-720-1040
Email: [email protected]
Mailing Address: 3500 Virginia Beach Blvd, Suite 202, Virginia Beach, VA 23452
HIPAA NOTICE OF PRIVACY PRACTICES
This notice describes how protected health information about you may be used and disclosed and how you can get access to this information. Please review it carefully.
If you have any questions about this Notice please contact:
Mindful Oasis LLC Privacy Officer Mariam Bouanane Smith at 757-720-1040
3500 Virginia Beach Blvd, Suite 202, Virginia Beach, VA 23452
THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
It is the policy of Mindful Oasis LLC to provide you with a privacy notice that explains how your healthcare information is being used or disclosed. We are required by law to maintain the privacy of your protected health information and to provide a notice of our legal duties and privacy practices with respect to protected health information. This Notice of Privacy Practices describes how Mindful Oasis LLC may use and disclose your protected health information to carry out treatment, payment, or healthcare operations and for other purposes permitted or required by state or federal law. It also describes your rights to access and control your protected health information. “Protected health information” refers to information related to your past, present, or future physical or mental health or condition and related healthcare services, including demographic details that may identify you. We are required to abide by the terms of this Notice of Privacy Practices currently in effect. We may change the terms of our notice at any time, and the new notice will be effective for all protected health information that we maintain at that time. The updated notice will be posted at our office. Upon request, we will provide you with a revised Notice of Privacy Practices. You may request a copy by calling (757) 720-1040, and we will mail you the updated notice.
IT IS MY LEGAL DUTY TO SAFEGUARD YOUR PROTECTED HEALTH INFORMATION (PHI).
By law, I am required to ensure that your PHI is kept private. The PHI constitutes information created or noted by me that can be used to identify you. It contains data about your past, present, or future health or condition, the provision of health care services to you, or the payment for such health care. I am required to provide you with this Notice about my privacy procedures. This Notice must explain when, why, and how I would use and/or disclose your PHI. Use of PHI means when I share, apply, utilize, examine, or analyze information within my practice; PHI is disclosed when I release, transfer, give, or otherwise reveal it to a third party outside my practice. With some exceptions, I may not use or disclose more of your PHI than is necessary to accomplish the purpose for which the use or disclosure is made; however, I am always legally required to follow the privacy practices described in this Notice.
Please note that I reserve the right to change the terms of this Notice and my privacy policies at any time as permitted by law. Any changes will apply to PHI already on file with me. Before I make any important changes to my policies, I will immediately change this Notice and post a new copy of it in my office and on my website, https://mindfuloasisva.com/. You may also request a copy of this Notice from me, or you can view a copy of it in my office or on my website, which is located at https://mindfuloasisva.com/.
III. HOW I WILL USE AND DISCLOSE YOUR PHI.
I will use and disclose your PHI for many different reasons. Some of the uses or disclosures will require your prior written authorization; others, however, will not. Below you will find the different categories of my uses and disclosures, with some examples.
- Uses and Disclosures Related to Treatment, Payment, or Health Care Operations Do Not Require Your Prior Written Consent.
- For treatment. I can use your PHI within my practice to provide you with mental health treatment, including discussing or sharing your PHI with my trainees and interns. I may disclose your PHI to physicians, psychiatrists, psychologists, pharmacists and other licensed health care providers who provide you with health care services or are otherwise involved in your care. Example: If a psychiatrist is treating you, I may disclose your PHI to her/him in order to coordinate your care.
- For health care operations. I may disclose your PHI to facilitate the efficient and correct operation of my practice. Examples: Quality control – I might use your PHI in the evaluation of the quality of health care services that you have received or to evaluate the performance of the health care professionals who provided you with these services. I may also provide your PHI to my attorneys, accountants, consultants, and others to make sure that I am in compliance with applicable laws.
- To obtain payment for treatment. I may use and disclose your PHI to bill and collect payment for the treatment and services I provided you. Example: I might send your PHI to your insurance company or health plan in order to get payment for the health care services that I have provided to you. I could also provide your PHI to business associates, such as billing companies, claims processing companies, and others that process health care claims for my office.
- Other disclosures. Examples: Your consent isn’t required if you need emergency treatment provided that I attempt to get your consent after treatment is rendered. In the event that I try to get your consent but you are unable to communicate with me (for example, if you are unconscious or in severe pain) but I think that you would consent to such treatment if you could, I may disclose your PHI.
- Certain Other Uses and Disclosures Do Not Require Your Consent.
We may use or disclose your protected health information in the following situations without your consent or authorization:
Required By Law: We may use or disclose your protected health information to the extent that the use or disclosure is required by law. The use or disclosure will be made in compliance with the law and will be limited to the relevant requirements of the law. You will be notified, as required by law, of any such uses or disclosures.
Emergencies: We may use or disclose your protected health information in an emergency case or situation where it is impractical to obtain your written authorization. If this happens your health care provider shall try to obtain your oral authorization for a health care provider or health plan to discuss your health records with a third party specified by you.
Public Health: We may disclose your protected health information for public health activities and purposes to a public health authority that is permitted by law to collect or receive the information. The disclosure will be made for the purpose of controlling disease, injury or disability. We may also disclose your protected health information, if directed by the public health authority, to a foreign government agency that is collaborating with the public health authority.
Communicable Diseases: We may disclose your protected health information, if authorized by law, to a person who may have been exposed to a communicable disease or may otherwise be at risk of contracting or spreading the disease or condition.
Health Oversight: We may disclose protected health information to a health oversight agency for activities authorized by law, such as audits, investigations, and inspections. Oversight agencies seeking this information include government agencies that oversee the health care system, government benefit programs, other government regulatory programs and civil rights laws.
Abuse or Neglect: We may disclose your protected health information to a public health authority that is authorized by law to receive reports of child abuse or neglect. In addition, we may disclose your protected health information if we believe that you have been a victim of abuse, neglect or domestic violence to the governmental entity or agency authorized to receive such information. In this case, the disclosure will be made consistent with the requirements of applicable federal and state laws.
Food and Drug Administration: We may disclose your protected health information to a person or company required by the Food and Drug Administration to report adverse events, biologic product deviations, product defects or problems; to track products; to enable product recalls; to make repairs or replacements; or to conduct post marketing surveillance, as required by law.
Legal Proceedings: We may disclose protected health information in the course of any judicial or administrative proceeding in response to an order of a court or administrative tribunal (to the extent such disclosure is expressly authorized), and in certain conditions in response to a subpoena, search warrant, discovery request or other lawful process.
Law Enforcement: We may also disclose protected health information, so long as applicable federal and state legal requirements are met, for law enforcement purposes. These law enforcement purposes include (1) legal processes and purposes otherwise required by law, (2) limited information requests for identification and location purposes, (3) evidence of a crime committed on our premises, and (4) suspicion that death has occurred as a result of criminal conduct.
Criminal Activity: Consistent with applicable federal and state laws, we may disclose your protected health information if you have communicated to your provider a specific and immediate threat to cause serious bodily injury or death to an identifiable person or persons, and your provider believes you have the intent and ability to carry out that threat imminently.
Coroners, Funeral Directors, and Organ Donation: We may disclose protected health information to a coroner or medical examiner for identification purposes, cause of death determinations or for the coroner or medical examiner to perform other duties authorized by law. We may also disclose protected health information to funeral directors, as authorized by law, in order to carry out funeral-related duties. We may disclose such information in reasonable anticipation of death. Protected health information may be used and disclosed for cadaveric organ, eye or tissue donation purposes.
Research: We may disclose your protected health information to researchers when an institutional review board that has reviewed the research proposal and established protocols to ensure the privacy of your protected health information has approved their research.
Military Activity and National Security: We may use or disclose protected health information as required or authorized by law of individuals who are Armed Forces personnel (1) for activities deemed necessary by appropriate military command authorities; (2) for the purpose of a determination by the Department of Veterans Affairs of your eligibility for benefits; or (3) to foreign military authority if you are a member of the foreign military services. We may also disclose your protected health information to authorized federal officials for conducting national security and intelligence activities, including for the provision of protective services to the President or others legally authorized.
Workers’ Compensation: We may disclose your protected health information as authorized to comply with workers’ compensation laws and other similar legally established programs that provide benefits for work-related injuries or illnesses.
Inmates: We may disclose your protected health information to a correctional institution or in other law enforcement custodial situations if it is necessary for your care, or if the disclosure is required by state or federal law.
Immunization Registry: We may disclose your immunization history with the Virginia Immunization Information System to help prevent you from receiving unnecessary vaccinations. The Virginia Immunization Information System may disclose child immunization proof to schools.
Business Associates: Some of our services are provided through contracts or agreements with other public and private entities, and some of these contracts or agreements require that health information be disclosed to the contractor. These contractors are known as “business associates.” Examples include physician consultants, laboratories, dentists and lawyers from the Office of the Attorney General. We may disclose your health information to these people so they can perform the job we have asked them to do. Whenever an arrangement between our office and a business associate involves the use or disclosure of your protected health information, we will have a written contract that contains terms that will protect the privacy of your protected health information.
Appointment reminders and health related benefits or services. Examples: I may use PHI to provide appointment reminders. I may use PHI to give you information about alternative treatment options, or other health care services or benefits I offer.
If an arbitrator or arbitration panel compels disclosure, when arbitration is lawfully requested by either party, pursuant to subpoena duces tectum (e.g., a subpoena for mental health records) or any other provision authorizing disclosure in a proceeding before an arbitrator or arbitration panel.
If disclosure is required or permitted to a health oversight agency for oversight activities authorized by law. Example: When compelled by U.S. Secretary of Health and Human Services to investigate or assess my compliance with HIPAA regulations.
If disclosure is otherwise specifically required by law.
Certain Uses and Disclosures Require You to Have the Opportunity to Object
Disclosures to Family, Friends, or Others. I may provide your PHI to a family member, friend, or other individual who you indicate is involved in your care or responsible for the payment for your health care, unless you object in whole or in part. Retroactive consent may be obtained in emergency situations.
Other Uses and Disclosures Require Your Prior Written Authorization.
In any other situation not described in Sections IIIA, IIIB, and IIIC above, I will request your written authorization before using or disclosing any of your PHI. Even if you have signed an authorization to disclose your PHI, you may later revoke that authorization, in writing, to stop any future uses and disclosures (assuming that I haven’t taken any action subsequent to the original authorization) of your PHI by me.
WHAT RIGHTS YOU HAVE REGARDING YOUR PHI
These are your rights with respect to your PHI:
The Right to See and Get Copies of Your PHI. In general, you have the right to see your PHI that is in my possession, or to get copies of it; however, you must request it in writing. If I do not have your PHI, but I know who does, I will advise you how you can get it. You will receive a response from me within 30 days of my receiving your written request. Under certain circumstances, I may feel I must deny your request, but if I do, I will give you, in writing, the reasons for the denial. I will also explain your right to have my denial reviewed. If you ask for copies of your PHI, I will charge you not more than $.25 per page. I may see fit to provide you with a summary or explanation of the PHI, but only if you agree to it, as well as to the cost, in advance.
The Right to Request Limits on Uses and Disclosures of Your PHI. You have the right to ask that I limit how I use and disclose your PHI. While I will consider your request, I am not legally bound to agree. If I do agree to your request, I will put those limits in writing and abide by them except in emergency situations. You do not have the right to limit the uses and disclosures that I am legally required or permitted to make.
The Right to Choose How I Send Your PHI to You. It is your right to ask that your PHI be sent to you at an alternate address (for example, sending information to your work address rather than your home address) or by an alternate method (for example, via e-mail instead of by regular mail). I am obliged to agree to your request providing that I can give you the PHI, in the format you requested, without undue inconvenience. I may not require an explanation from you as to the basis of your request as a condition of providing communications on a confidential basis.
The Right to Get a List of the Disclosures I Have Made. You are entitled to a list of disclosures of your PHI that I have made. The list will not include uses or disclosures to which you have already consented, i.e., those for treatment, payment, or health care operations, sent directly to you, or to your family; neither will the list include disclosures made for national security purposes, to corrections or law enforcement personnel, or disclosures made before April 15, 2003. After April 15, 2003, disclosure records will be held for six years. I will respond to your request for an accounting of disclosures within 60 days of receiving your request. The list I give you will include disclosures made in the previous six years unless you indicate a shorter period. The list will include the date of the disclosure, to whom PHI was disclosed (including their address, if known), a description of the information disclosed, and the reason for the disclosure. I will provide the list to you at no cost, unless you make more than one request in the same year, in which case I will charge you a reasonable sum based on a set fee for each additional request.
The Right to Amend Your PHI. If you believe that there is some error in your PHI or that important information has been omitted, it is your right to request that I correct the existing information or add the missing information. Your request and the reason for the request must be made in writing. You will receive a response within 60 days of my receipt of your request. I may deny your request, in writing, if I find that: the PHI is (a) correct and complete, (b) forbidden to be disclosed, (c) not part of my records, or (d) written by someone other than me. My denial must be in writing and must state the reasons for the denial. It must also explain your right to file a written statement objecting to the denial. If you do not file a written objection, you still have the right to ask that your request and my denial be attached to any future disclosures of your PHI. If I approve your request, I will make the change(s) to your PHI. Additionally, I will tell you that the changes have been made, and I will advise all others who need to know about the change(s) to your PHI.
The Right to Get This Notice by E-mail. You have the right to get this notice by e-mail. You have the right to request a paper copy of it, as well.
HOW TO COMPLAIN ABOUT MY PRIVACY PRACTICES
If, in your opinion, I may have violated your privacy rights, or if you object to a decision I made about access to your PHI, you are entitled to file a complaint with the person listed in Section VI below. You may also send a written complaint to the Secretary of the Department of Health and Human Services at 200 Independence Avenue S.W. Washington, D.C. 20201. If you file a complaint about my privacy practices, I will take no retaliatory action against you.
PERSON TO CONTACT FOR INFORMATION ABOUT THIS NOTICE OR TO COMPLAIN ABOUT MY PRIVACY PRACTICES
If you have any questions about this notice or any complaints about my privacy practices, or would like to know how to file a complaint with the Secretary of the Department of Health and Human Services, please contact me at:
Mariam Bouanane Smith, PMHNP
Mindful Oasis LLC 3500 Virginia Beach Blvd, Suite 202, Virginia Beach, VA 23452
Phone: 757-720-1040
VII. NOTIFICATIONS OF BREACHES
In the case of a breach, Mindful Oasis, LLC is required to notify each affected individual whose unsecured PHI has been compromised. Even if such a breach was caused by a business associate, Mindful Oasis, LLC is ultimately responsible for providing the notification directly or via the business associate. If the breach involves more than 500 persons, OCR must be notified in accordance with instructions posted on its website. Mindful Oasis, LLC bears the ultimate burden of proof to demonstrate that all notifications were given or that the impermissible use or disclosure of PHI did not constitute a breach and must maintain supporting documentation, including documentation pertaining to the risk assessment.
VIII. PHI AFTER DEATH
Generally, PHI excludes any health information of a person who has been deceased for more than 50 years after the date of death. Mindful Oasis, LLC may disclose deceased individuals’ PHI to non-family members, as well as family members, who were involved in the care or payment for healthcare of the decedent prior to death; however, the disclosure must be limited to PHI relevant to such care or payment and cannot be inconsistent with any prior expressed preference of the deceased individual.
INDIVIDUALS’ RIGHT TO RESTRICT DISCLOSURES; RIGHT OF ACCESS
To implement the 2013 HITECH Act, the Privacy Rule is amended. Mindful Oasis, LLC is required to restrict the disclosure of PHI about you, the patient, to a health plan, upon request, if the disclosure is for the purpose of carrying out payment or healthcare operations and is not otherwise required by law. The PHI must pertain solely to a healthcare item or service for which you have paid the covered entity in full. (OCR clarifies that the adopted provisions do not require that covered healthcare providers create separate medical records or otherwise segregate PHI subject to a restricted healthcare item or service; rather, providers need to employ a method to flag or note restrictions of PHI to ensure that such PHI is not inadvertently sent or made accessible to a health plan.) The 2013 Amendments also adopt the proposal in the interim rule requiring Mindful Oasis, LLC, to provide you, the patient, a copy of PHI if you, the patient, request it in electronic form. The electronic format must be provided to you if it is readily producible. OCR clarifies that Mindful Oasis, LLC must provide you only with an electronic copy of their PHI, not direct access to their electronic health record systems. The 2013 Amendments also give you the right to direct Mindful Oasis, LLC to transmit an electronic copy of PHI to an entity or person designated by you. Furthermore, the amendments restrict the fees that Mindful Oasis, LLC may charge you for handling and reproduction of PHI, which must be reasonable, cost-based and identify separately the labor for copying PHI (if any). Finally, the 2013 Amendments modify the timeliness requirement for right of access, from up to 90 days currently permitted to 30 days, with a one-time extension of 30 additional days.
NPP
Mindful Oasis, LLC NPP must contain a statement indicating that most uses and disclosures of psychotherapy notes, marketing disclosures and sale of PHI do require prior authorization by you, and you have the right to be notified in case of a breach of unsecured PHI.
EFFECTIVE DATE OF THIS NOTICE
This notice went into effect on Jan. 31, 2025.
For more information, please see: www.hhs.gov/ocr/privacy/hipaa/understanding/consumers/noticepp.html