Your information, protected.

How patient information is used.

OneTreeHealth collects and maintains Protected Health Information (PHI) to provide you with safe, coordinated, and effective care. Below are the routine ways your information is used inside our practice — none of which require your separate written authorization, because they are permitted by the federal HIPAA Privacy Rule.

For treatment

Your information is shared among the clinicians who care for you — neurologists, neurosurgeons, pain management specialists, orthopedic surgeons, nurses, medical assistants, and consulting physicians — so we can coordinate diagnosis, develop your treatment plan, write prescriptions, and follow you through recovery.

For payment

We may use and disclose your PHI to obtain payment for the services we provide. This includes verifying insurance eligibility, submitting claims, providing diagnosis and procedure codes to your insurer, and coordinating with attorneys when care is provided under a medical lien.

For healthcare operations

We use your information internally to run our practice — quality assessment, staff training, accreditation, credentialing, care reviews, legal services, and business planning. We use only the minimum information necessary to perform these functions.

For appointment reminders and care communications

We may contact you by phone, text, email, or mail to confirm appointments, share follow-up instructions, deliver test results through the patient portal, or inform you of services that may benefit your care.

Storage and disclosure practices.

We take the protection of your records seriously. Your PHI is stored using industry-standard administrative, physical, and technical safeguards designed to keep it confidential, accurate, and available only to those who need it for your care.

How records are stored

• Electronic records are maintained in HIPAA-compliant systems with encryption at rest and in transit, role-based access controls, multi-factor authentication, and continuous audit logging.
• Paper records, where they exist, are kept in locked storage in access-controlled areas of our facility.
• Backups and disaster recovery systems are encrypted and tested regularly to safeguard against data loss.
• Workforce training on privacy and security is required for every team member annually, and on hire.

Disclosures that may be made without your authorization

The HIPAA Privacy Rule permits us — and sometimes requires us — to disclose your PHI in specific situations, including:

• Public health activities — reporting communicable disease, child abuse or neglect, and adverse events to the FDA.
• Health oversight — audits, investigations, and licensure activities by government agencies.
• Judicial and administrative proceedings — in response to a valid court order, subpoena, or discovery request.
• Law enforcement — under limited circumstances permitted by law, such as identifying a suspect or reporting a crime.
• To avert a serious threat to the health or safety of a person or the public.
• Workers' compensation — as required to comply with state workers' compensation laws.
• Coroners, medical examiners, and funeral directors — to carry out their duties.
• Military, national security, and correctional institutions — where required by federal law.
• Business associates — vendors that perform services on our behalf (billing, IT, legal) are bound by written agreements to safeguard your information.

Retention & disposal

We retain medical records in accordance with Tennessee state law and applicable federal requirements. When records are no longer required, they are destroyed using secure shredding (paper) or certified data destruction (electronic media) so that PHI cannot be reconstructed.

Your rights as a patient.

Under HIPAA, you have specific rights regarding the health information OneTreeHealth maintains about you. You may exercise any of these rights by submitting a written request to our Privacy Officer (see contact details below). We will respond within the timeframes required by federal law.

Breach notification.

In the unlikely event of a breach involving unsecured PHI, OneTreeHealth will notify affected patients in writing within 60 days of discovery, as required by the HIPAA Breach Notification Rule. Notice will describe what happened, the types of information involved, steps you can take to protect yourself, what we are doing to investigate and prevent recurrence, and how to contact us with questions.

For breaches affecting more than 500 individuals, we will also notify prominent media outlets and the U.S. Department of Health and Human Services within the timeframes required by law.

Changes to this notice.

We reserve the right to change the terms of this Notice and to make the revised Notice effective for all PHI we maintain, including information created or received before the change. When this Notice is materially revised, the new version will be posted in our office and on the OneTreeHealth website. The effective date appears at the top of this Notice.

You may request a copy of the current Notice at any visit, or by contacting our Privacy Officer.

Filing a complaint.

If you believe your privacy rights have been violated, you may file a complaint with OneTreeHealth by contacting our Privacy Officer (details in the contact section below). You may also file a complaint with the U.S. Department of Health and Human Services, Office for Civil Rights:

• Mail: 200 Independence Avenue, S.W., Room 509F, HHH Building, Washington, D.C. 20201
• Phone: 1-877-696-6775
• Online: www.hhs.gov/ocr/privacy/hipaa/complaints/