Privacy Policy
Last Updated: June 8, 2026
1. Introduction
Heritage Health System ("we," "us," "our") is committed to protecting the privacy and security of your health information. This Privacy Policy describes how we collect, use, disclose, and safeguard your protected health information (PHI) in accordance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Massachusetts Health Care Privacy Laws (M.G.L. c. 111, § 70E and 105 CMR 130.000), and other applicable federal and state laws.
By using our services, you agree to the terms of this Privacy Policy. If you have any questions, please contact us at info@heritagehealthsystem.com.
2. Information We Collect
We collect various types of information to provide you with quality mental health care:
- Protected Health Information (PHI): Medical history, mental health diagnoses, treatment plans, medications, and other health-related information you provide during your care.
- Personal Information: Name, address, phone number, email address, date of birth, insurance information, and emergency contact details.
- Payment Information: Credit/debit card details, insurance claims, and billing records.
- Usage Information: Information about how you use our website, telehealth platform, and other digital services.
3. How We Use Your Information
We use your information for the following purposes:
- Treatment: To provide, coordinate, and manage your mental health care.
- Payment: To bill your insurance, process payments, and collect outstanding balances.
- Healthcare Operations: To improve our services, conduct quality assessments, train staff, and manage our practice.
- Communication: To send appointment reminders, follow-up messages, and important health information.
- Legal Compliance: To meet our legal and regulatory obligations.
4. When We Disclose Your Information
We may disclose your information in the following situations:
- As Required by Law: To comply with court orders, subpoenas, or government requests.
- Public Health and Safety: To prevent or lessen a serious threat to health or safety.
- Business Associates: With third parties who help us operate our practice (e.g., billing companies, telehealth providers) who are bound by HIPAA.
- With Your Authorization: When you give us written permission to share your information.
- For Treatment, Payment, or Healthcare Operations: As described in Section 3.
5. Your Rights Under HIPAA and Massachusetts Law
You have the right to:
- Access and request copies of your health records.
- Request amendments to your health records.
- Request restrictions on how we use or disclose your information.
- Request confidential communications.
- Receive an accounting of disclosures of your health information.
- Request a paper copy of this Privacy Policy.
- File a complaint if you believe your privacy rights have been violated.
To exercise these rights, please contact our Privacy Officer at info@heritagehealthsystem.com.
6. How We Protect Your Information
We implement appropriate administrative, physical, and technical safeguards to protect your health information from unauthorized access, use, disclosure, alteration, or destruction. These safeguards include:
- Secure electronic storage of health records with encryption.
- Limited access to PHI on a need-to-know basis.
- Staff training on HIPAA and privacy policies.
- Secure telehealth platforms that comply with HIPAA requirements.
- Regular security assessments and updates.
7. HIPAA Notice of Privacy Practices
THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
Heritage Health System is required by law to maintain the privacy of your protected health information (PHI) and to provide you with this Notice of our legal duties and privacy practices. We are required to abide by the terms of this Notice as currently in effect.
Uses and Disclosures of PHI
We may use and disclose your PHI for the following purposes without your written authorization:
- Treatment: We may use your PHI to provide, coordinate, or manage your health care and related services.
- Payment: We may use and disclose your PHI to obtain payment for services we provide to you.
- Healthcare Operations: We may use and disclose your PHI for health care operations such as quality improvement, staff training, and business management.
- Appointment Reminders: We may use your PHI to contact you with appointment reminders or information about treatment alternatives.
Uses and Disclosures Requiring Authorization
Other uses and disclosures of your PHI will be made only with your written authorization, including:
- Most uses and disclosures of psychotherapy notes
- Uses and disclosures of PHI for marketing purposes
- Disclosures that constitute a sale of PHI
- Other uses and disclosures not described in this Notice
Your HIPAA Rights
You have the following rights regarding your PHI:
- Right to Access: You may inspect and obtain copies of your health records.
- Right to Amend: You may request corrections to your health records.
- Right to an Accounting: You may request a list of disclosures we have made of your PHI.
- Right to Request Restrictions: You may request restrictions on how we use or disclose your PHI.
- Right to Confidential Communications: You may request that we communicate with you in a certain way.
- Right to Request a Paper Copy: You may request a paper copy of this Notice at any time.
8. Data Privacy & Security
We take the security of your personal and health information seriously. Heritage Health System implements comprehensive technical, administrative, and physical safeguards to protect your data:
- Encryption: All data transmitted between your browser and our servers is encrypted using TLS/SSL protocols. Stored health records are encrypted at rest.
- Access Controls: Access to PHI is restricted to authorized personnel on a need-to-know basis. Multi-factor authentication is required for all system access.
- Audit Logs: All access to patient records is logged and regularly audited for unauthorized activity.
- Secure Telehealth: Our telehealth platform uses HIPAA-compliant, end-to-end encrypted video conferencing.
- Data Minimization: We collect only the information necessary to provide you with quality care.
- Breach Notification: In the event of a data breach affecting your PHI, we will notify you as required by HIPAA and applicable state law.
- Third-Party Vendors: All business associates who handle your PHI are contractually bound to comply with HIPAA security and privacy requirements.
We conduct regular security risk assessments, staff training, and policy reviews to ensure ongoing compliance with evolving privacy and security standards.
9. Children's Privacy
Our services are not intended for individuals under the age of 18 without parental or guardian consent. We do not knowingly collect personal information from children under 13 without verifiable parental consent in accordance with the Children's Online Privacy Protection Act (COPPA).
10. Changes to This Privacy Policy
We reserve the right to update this Privacy Policy at any time. We will notify you of material changes by posting the updated policy on our website or sending you a direct communication. Your continued use of our services after such changes constitutes your acceptance of the revised policy.
11. Contact Us
If you have questions about this Privacy Policy or wish to exercise your rights, please contact:
12. Filing a Complaint
If you believe your privacy rights have been violated, you may file a complaint with:
- Heritage Health System at the contact information above.
- The U.S. Department of Health and Human Services Office for Civil Rights (OCR): www.hhs.gov/ocr/privacy/hipaa/complaints/index.html.
- The Massachusetts Department of Public Health (DPH) Division of Health Care Quality: www.mass.gov/orgs/division-of-health-care-quality.
- The Massachusetts Attorney General's Office: www.mass.gov/ago.
We will not retaliate against you for filing a complaint.