NOTICE OF PRIVACY PRACTICES

Effective Date: November 10, 2025

THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION

PLEASE REVIEW IT CAREFULLY

WHO WE ARE

MedHarmony is a healthcare technology company that provides care coordination services including:

  • Chronic Care Management (CCM)
  • Remote Patient Monitoring (RPM)
  • Behavioral Health Integration (BHI)
  • Telehealth services

We work in collaboration with your primary care provider, specialists, and health plans. This Notice applies when MedHarmony provides healthcare services directly to you or performs functions on behalf of your healthcare provider that involve the use or disclosure of protected health information under HIPAA.

We are required by law to:

  • Maintain the privacy and security of your protected health information (PHI)
  • Provide you with this Notice explaining our legal duties and privacy practices
  • Follow the terms of this Notice
  • Notify you if we are unable to agree to a requested restriction on how we use or disclose your information
  • Notify you following a breach of your unsecured PHI

This Notice does not apply to information collected or maintained outside of MedHarmony’s HIPAA-covered healthcare operations.

OUR COMMITMENT TO YOUR PRIVACY

  1. We will not use or disclose your health information without your authorization, except as described in this Notice.
  2. We will not sell your health information without your written authorization.
  3. We will not use or disclose your health information for marketing purposes without your written authorization.
  4. We will not use or disclose psychotherapy notes about you without your written authorization, except for limited purposes permitted by law.

We reserve the right to change this NPP and make new provisions effective for all PHI. If we make material changes to this Notice, we will provide you with a revised Notice. You may also request a copy of our current Notice at any time by:

HOW WE MAY USE AND DISCLOSE YOUR HEALTH INFORMATION

For Treatment

We use and disclose your health information to provide, coordinate, and manage your healthcare services.

Examples:

  • Sharing your vital signs from remote monitoring devices with your doctor
  • Sending behavioral health screening results to your primary care provider
  • Contacting you with appointment reminders, care coordination outreach, or alerts from your remote monitoring devices

For Payment

We use and disclose your health information to obtain payment for services we provide to you.

Examples:

  • Billing Medicare, Medicaid, or your insurance company for services provided
  • Verifying your insurance coverage and benefits and responding to requests for information from your health plan

For Health Care Operations

We use and disclose your health information to operate our business and ensure you receive quality care.

Examples:

  • Training our staff, quality improvement activities, and care coordination assessments
  • Customer service and responding to your concerns
  • Compliance with legal and regulatory requirements
  • Data analysis to improve our services

Health Information Exchange

We may participate in health information exchanges (HIEs) to share your health information electronically with other healthcare providers, health plans, and healthcare clearinghouses for treatment, payment, and healthcare operations purposes.

Participation in an HIE is voluntary, limited to permitted purposes under HIPAA, and allows your healthcare providers to have access to your health information when and where it is needed for your care.

Substance Use Disorder Treatment Records (42 CFR Part 2)

If you receive substance use disorder treatment from a program covered by 42 CFR Part 2, those records are protected by federal law and generally cannot be shared without your written consent, except in specific situations allowed by law.

These records cannot be used in civil, criminal, administrative, or legislative proceedings unless you consent, or a court issues an order after giving you (or the program) a chance to be heard.

You have the right to receive notice about how your Part 2 records may be used or disclosed, and you may revoke your consent at any time (except where action has already been taken).

Violations of Part 2 protections are federal offenses and may be reported to the U.S. Attorney.

Other Permitted Uses and Disclosures

We may use or disclose your health information without your authorization when required or allowed by law, including:

Public Health and Safety: To public health authorities for preventing or controlling disease, reporting child abuse or neglect, reporting problems with FDA-regulated products, or notifying employers of work-related illness or injury.

Victims of Abuse or Neglect: To government authorities if we believe you are a victim of abuse, neglect, or domestic violence, as permitted by law.

Health Oversight: To oversight agencies for audits, inspections, investigations, licensure, and other activities authorized by law.

Legal Proceedings: In response to a court order, subpoena, or other lawful process.

Law Enforcement: To law enforcement when required, such as responding to legal requests, reporting certain crimes, or in emergencies.

Coroners, Medical Examiners, and Funeral Directors: To help them carry out their duties.

Organ and Tissue Donation: To organizations involved in procurement or transplantation.

Research: For approved research studies or when you have provided authorization.

Serious Threat to Health or Safety: To prevent or lessen a serious and imminent threat to you or others.

Specialized Government Functions: For military, national security, correctional, or other governmental programs as required.

Workers’ Compensation: To comply with workers’ compensation or similar laws.

Disaster Relief: To disaster relief organizations to help notify your family or others responsible for your care.

Required by Law: Whenever federal, state, or local law requires us to disclose information.

Additional Information:

For more information about your rights and protections under 42 CFR Part 2, please contact our Privacy Officer at the number listed at the end of this Notice.

USES AND DISCLOSURES THAT REQUIRE YOUR WRITTEN AUTHORIZATION

Marketing

We will not use or disclose your health information for marketing purposes without your written authorization.

We will not sell your health information without your written authorization.

Psychotherapy Notes

If we maintain psychotherapy notes about you, we will not use or disclose those notes without your written authorization, except for limited purposes permitted by law (such as treatment, training programs, or legal defense).

Other Uses and Disclosures

Other uses and disclosures of your health information not described in this Notice will be made only with your written authorization.

You may revoke your authorization at any time by submitting a written notice to our Privacy Officer.

The revocation will not affect uses or disclosures we made in reliance on your authorization before we received your revocation.

USES AND DISCLOSURES PROHIBITED UNDER INFORMATION BLOCKING RULES

We follow the 21st Century Cures Act and will not engage in any practice that unreasonably limits or delays access, exchange, or use of your electronic health information. We will only restrict access when required by law or when an approved exception applies.

We will not require additional consent from you to share your electronic health information with another healthcare provider when HIPAA already allows that sharing for treatment.

If you believe we have engaged in information blocking, you may file a complaint with the Office of the National Coordinator for Health Information Technology (ONC).

In simple terms: we will not make it hard for you or your authorized providers to access or use your electronic health information.

PATIENT RIGHTS

Right to Access

You have the right to inspect and obtain a copy of your health information that we maintain in your designated record set (your medical and billing records).

We will respond to your request within 30 days. In certain limited circumstances, we may deny your request. If we deny your request, we will provide you with a written explanation and information about your right to have the denial reviewed.

Right to Amend

If you believe your health information is incorrect or incomplete, you have the right to request that we amend it.

We will respond to your request within 60 days. We may deny your request if:

  • The information was not created by us
  • The information is not part of the designated record set
  • The information is not available for inspection under HIPAA
  • The information is accurate and complete

If we deny your request, we will provide you with a written explanation. You have the right to submit a written statement disagreeing with the denial, and we will include your statement with your health information.

Right to an Accounting

You have the right to request an ‘accounting of disclosures,’ which is a list of certain disclosures we made of your health information.

The accounting will not include:

  • Disclosures made to you
  • Disclosures made pursuant to your authorization
  • Disclosures for national security or intelligence purposes
  • Disclosures to correctional institutions or law enforcement officials

We will provide the first accounting you request within a 12-month period free of charge. We may charge a reasonable fee for additional requests within the same 12-month period.

Right to Restrict

You may ask us to place limits on how we use or disclose your health information for treatment, payment, or healthcare operations. You may also ask us to limit disclosures to family members or others involved in your care.

We are not required to agree to most restriction requests. However, we must agree if:

  • You ask us not to share information with your health plan for payment or healthcare operations, and
  • The information relates to a service that you (or someone on your behalf) paid for in full out-of-pocket.

If we agree to the restriction, we will honor it unless the information is needed to provide you with emergency treatment.

Right to Confidential Communications

You have the right to request that we communicate with you about your health information in a certain way or at a certain location.

We will accommodate reasonable requests and will not require you to explain the reason for your request.

Right to Receive Notification of a Breach

You have the right to be notified if we or one of our business associates discovers a breach of your unsecured health information.

We will notify you in writing following discovery of a breach of your unsecured health information without unreasonable delay and in no case later than 60 days after discovery of the breach.

Right to a Paper Copy of This Notice

You have the right to receive a paper copy of this Notice, even if you have agreed to receive it electronically. Contact our Privacy Officer at any time to request a paper copy.

HOW TO EXERCISE YOUR RIGHTS

Most rights require a written request submitted by mail or email to the Privacy Officer. Forms are available upon request, or you may submit a written request describing the right you wish to exercise. The Privacy Officer is available to assist you if needed:

Privacy Officer
MedHarmony
2677 West 12 Mile Road
Berkley MI 48072
Phone: 1 (866) 203-5701
Email:

HOW TO FILE A COMPLAINT

If you believe your privacy rights have been violated, you have the right to file a complaint. You may file a complaint with MedHarmony or with the Secretary of the Department of Health and Human Services.

You will not be retaliated against for filing a complaint.

To file a complaint with MedHarmony, submit it in writing to:

Privacy Officer
MedHarmony
2677 West 12 Mile Road
Berkley MI 48072
Phone: 1 (866) 203-5701
Email:

To file a complaint with HHS, please contact:

Office for Civil Rights
U.S. Department of Health and Human Services
200 Independence Avenue, S.W.
Washington, D.C. 20201
Phone: 1-877-696-6775
Website: www.hhs.gov/ocr/privacy/hipaa/complaints/

STATE-SPECIFIC PRIVACY PROTECTIONS

In addition to federal HIPAA protections, your health information may be subject to additional privacy protections under state law.

Where state law provides stronger privacy protections than HIPAA, we will follow the more protective state law. Some states require your written permission before certain types of information—such as HIV status, mental health records, or substance use information—may be shared.

Louisiana: Louisiana law provides additional protections for mental health and substance use disorder treatment records. For more information, contact our Privacy Officer.

Maryland: Maryland’s Confidentiality of Medical Records Act (Md. Code Ann., Health-Gen. § 4-301 et seq.) provides additional protections for your health information. For more information, contact our Privacy Officer.

Michigan: Michigan law provides additional protections for mental health records and HIV/AIDS information. For more information, contact our Privacy Officer.

Texas: Texas law provides additional protections for mental health records and communicable disease information. For more information, contact our Privacy Officer.

QUESTIONS OR CONCERNS

If you have questions about this Notice or want more information about our privacy practices, please contact:

Privacy Officer
MedHarmony
2677 West 12 Mile Road
Berkley MI 48072
Phone: 1 (866) 203-5701
Email:
Website: https://patients.medharmony.net/notice-of-privacy-practices

END OF NOTICE OF PRIVACY PRACTICES

Version: 1.0