PRIVACY PRACTICES

NOTICE OF PRIVACY PRACTICES

EFFECTIVE OCTOBER 1, 2015

THIS NOTICE DESCRIBES HOW HEALTH INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY

In the event that Minnesota State Regulations pertaining to privacy are stricter than Federal Regulations, this Practice will follow the Minnesota State Regulations. If you have any questions about this notice, please contact our Privacy Officer. We are required by law to maintain the privacy of protected health information and to tell you of our legal duties. Disclosures of your protected health information without authorization is strictly limited to defined situations that include emergency care, quality assurance activities, public health, research, and law enforcement activities. We use and disclose your information for the purposes of treatment, payment and healthcare operations and for other purposes that are permitted or required by law. This Notice also describes your rights to access and control your protected health information. “Protected health information” is information about you, including demographic information, that may identify you and that relates to your past, present or future physical or mental health or condition and related health care services.

Unless you give us an additional written authorization, we cannot use or disclose your health information for any reason except as described in this Notice. You may request a copy of our Notice at any time. We reserve the right to change our privacy practices and the terms of this Notice at any time, provided such changes are permitted by applicable law. The new notice will be effective for all protected health information that we maintain at that time. Upon your request, we will provide you with any revised Notice of Privacy Practices by accessing our website; or by calling the office and requesting that a revised copy be sent to you in the mail; or asking for one at the time of your next appointment.

USES AND DISCLOSURES OF HEALTH INFORMATION

TREATMENT: We may use or disclose your health information to a physician or other healthcare provider providing treatment to you.

PAYMENT: We may use and disclose health information about you so that the treatment and services you receive from us may be billed to and payment collected from you, an insurance company, or a third party.

HEALTHCARE OPERATIONS: We may use and disclose your health information in connection with our healthcare operations. Healthcare operations include quality assessment and improvement activities, reviewing the competence or qualifications of healthcare professionals, evaluating practitioner and provider performance, conducting training programs, accreditation, certification, licensing or credentialing activities. We may share your protected health information with third party “business associates” that perform various activities (e.g., billing, transcription services) for the practice. Whenever an arrangement between our office and a business associate involves the use or disclosure of your protected health information, we will have a written contract (Business Associate Agreement) that contains terms that will protect the privacy of your protected health information. Effective March 31, 2013, our Business Associate Agreements have been amended to provide that all of the HIPAA

security administrative safeguards, physical safeguards, technical safeguards and security policies, procedures, and documentation requirements apply directly to the business associate and their subcontractors.

We may use or disclose your protected health information, as necessary, to provide you with information about treatment alternatives or other health-related benefits and services that may be of interest to you. We may also use and disclose your protected health information for other marketing activities as allowed by the regulations. We will receive your authorization for all treatment and health care operations communications where we receive financial remuneration for making the communications from a third party whose product or service is being marketed. For example, your name and address may be used to send you a newsletter about our practice and the services we offer.

OTHER PERMITTED AND REQUIRED USES AND DISCLOSURES THAT MAY BE MADE WITH YOUR CONSENT, AUTHORIZATION OR OPPORTUNITY TO OBJECT

We may use and disclose your protected health information in the following instances. You have the opportunity to agree or object to the use or disclosure of all or part of your protected health information. If you are not present or able to agree or object to the use or disclosure of the protected health information, then your provider may, using professional judgment, determine whether the disclosure is in your best interest. In this case, only the protected health information that is relevant to your health care will be disclosed.

YOUR AUTHORIZATION: In addition to our use of your health information for treatment, payment or healthcare operations, you may give us written authorization to use your health information or to disclose it to anyone for any purpose. If you give us an authorization, you may revoke it in writing at any time. Disclosures to other providers within health care entities when necessary for current treatment do not require an Authorization.

TO YOUR FAMILY AND FRIENDS: We must disclose your health information to you, as described in the Patient Rights section of this Notice. We may disclose your health information to a family member, friend or other person to the extent necessary to help with your healthcare or with payment for your healthcare.

PERSONS INVOLVED IN CARE: We may use or disclose health information to notify, or assist in the notification of (including identifying or locating) a family member, your personal representative or another person responsible for your care, of your location, your general condition, or death. If you are present, then prior to use or disclosure of your health information, we will provide you with an opportunity to object to such uses or disclosures. In the event of your incapacity or emergency circumstances, we will disclose health information based on a determination using our professional judgment disclosing only health information that is directly relevant to the person’s involvement in your healthcare. We will also use our professional judgment and experience with common practice to make reasonable inferences of your best interest in allowing a person to pick up filled prescriptions, medical supplies, x-rays or other similar forms of health information.

MARKETING HEALTH-RELATED SERVICES: We will not use your health information for marketing communications to third parties without your prior written authorization. We will receive your authorization for all treatment and health care operations communications where we receive financial remuneration for making the communications from a third party whose product or service is being marketed.

FUNDRAISING ACTIVITIES: If we engage in any fundraising activities, you have a right to opt out of receiving further fundraising communications.

REQUIRED BY LAW: We may use or disclose your health information when we are required to do so by law.

ABUSE OR NEGLECT: We may disclose your health information to appropriate authorities if we reasonably believe that you are a possible victim of abuse, neglect, or domestic violence or the possible victim of other crimes. We may disclose your health information to the extent necessary to avert a serious threat to your health or safety or the health or safety of others.

NATIONAL SECURITY: We may disclose to military authorities the health information of Armed Forces personnel under certain circumstances. We may disclose to authorized federal officials health information required for lawful intelligence, counterintelligence, and other national security activities. We may disclose to a correctional institution or a law enforcement official having lawful custody of protected health information of an inmate or patient under certain circumstances.

APPOINTMENT REMINDERS: We may use or disclose your health information to provide you with appointment reminders such as voicemail, messages, postcards, or letters.

PATIENT RIGHTS

ACCESS: You have the right to look at or get copies of your health information with limited exceptions. You may request that we provide copies in a format other than photocopies. We will use the format you request unless we cannot practicably do so. (You must make a request in writing to obtain access to your health information. You may obtain a form to request access by using the contact information listed at the end of this Notice. We will charge you a reasonable cost-based fee for expenses such as copies and staff time. You may also request access by sending us a letter to the address at the end of this Notice. We may charge you a fee for each page and fee for staff time to locate and copy your health information and postage if you want the copies mailed to you. If you request an alternative format, we will charge a cost-based fee for providing your health information in that format. If you prefer, we will prepare a summary or an explanation of your health information for a fee. Contact us using the information listed at the end of this Notice for a full explanation of our fee structure.)

DISCLOSURE ACCOUNTING: You have the right to receive an accounting of certain disclosures we have made, if any, of your protected health information. This right applies to disclosures for purposes other than treatment, payment or healthcare operations as described in the Notice of Privacy Practices. It excludes disclosures we may have made to you, to family members or friends involved in your care, or for notification purposes. You have the right to receive specific information regarding these disclosures that occurred after April 14, 2003. If you request this accounting more than once in a 12 month period, we may charge you a reasonable cost-based fee for responding to these additional requests.

USES AND DISCLOSURES. Uses and disclosures of PHI will be made only with prior written authorization from the individual. Disclosures that constitute a sale of PHI will only be made with prior written authorization from the individual. Other uses and disclosures not described in the Notice of Privacy Practices will be made only with prior written authorization from the individual.

RESTRICTION: You have the right to request that we place additional restrictions on our use or disclosure of your health information. We are not required to agree to these additional restrictions, but if we do, we will abide by our agreement except in an emergency. You have the right to restrict information given to your third party payer or health plan if you fully pay for the services out of your pocket.

ALTERNATIVE COMMUNICATION: You have the right to request that we communicate with you about your health information by alternative means or to alternative locations. (You must make your request in writing.) Your request must specify the alternative means or location, and provide satisfactory explanation how payments will be handled under the alternative means or location you request.

AMENDMENT: You have the right to request that we amend your health information. (Your request must be in writing), and it must explain why the information should be amended. We may deny your request under certain circumstances.

SECURITY BREACH: You have a right to or will receive notification of breaches of your unsecured protected health information. The notification will occur by first class mail within 60 days of the event. A breach occurs when there has been an unauthorized use or disclosure under HIPAA that compromises the privacy or security of protected health information. There are three exceptions to the definition of what a breach is. An impermissible use or disclosure of PHI is presumed to be a breach unless we can demonstrate that there is a low probability that the PHI has been compromised. The notification requirements under this section apply only if it does not fall into one of the three exceptions or if we cannot demonstrate that there is a low probability that the PHI has been compromised. If we are required to provide notice to you, the notice will contain the following information: (1) a brief description of what happened, including the date of the breach and the date of the discovery of the breach; (2) the steps you should take to protect yourself from potential harm resulting from the breach; and (3) a brief description of what we are doing to investigate the breach, mitigate losses, and to protect against further breaches. Not every impermissible use or disclosure of protected health information constitutes a reportable breach. The determination of whether an impermissible breach is reportable hinges on whether there is a low probability that the PHI has been compromised. In order to determine whether there is a low probability that your PHI has been compromised, we will conduct a risk assessment using the four factor analysis outlined in the Omnibus Final Rule that became effective March 26, 2013. For example, if a laptop computer was stolen and later recovered and a forensic analysis shows that the PHI on the computer was never accessed, viewed, acquired, transferred, or otherwise compromised, we could determine that the information was not actually acquired by an unauthorized individual even though the opportunity existed, and, therefore, you would not need to be notified of the breach. The key to determining whether you will need to be notified of an unauthorized use or disclosure of your PHI is whether there is a low probability that your PHI has been compromised.

ELECTRONIC NOTICE: If you receive this Notice on our website or by electronic mail (e-mail), you are entitled to receive this Notice in written form.

TELEPHONE, TEXT, EMAIL COMMUNICATIONS: Upon receiving your consent, the Practice or its service provider may contact you to provide health care information such as appointment reminders about treatment, payment, insurance, your account, using prerecorded or artificial prerecorded voice or telephone equipment that may be capable of automatic dialing.

COMPLAINTS

If you are concerned that we may have violated your privacy rights, or you disagree with a decision we made about access to your health information or in response to a request you made to amend or restrict the use or disclosure of your health information or to have us communicate with you by alternative means or at alternative locations, you may complain to us using the contact information listed at the end of this Notice. You may also submit a written complaint to the U.S. Department of Health and Human Services. We will provide you with the address to file your complaint with the U.S. Department of Health and Human Services upon request. We support your right

to the privacy of your health information. We will not retaliate in any way if you choose to file a complaint with U.S. Department of Health and Human Services.

Submit complaints to:

Privacy Officer

6053 Nicollet Ave S.

Minneapolis, MN 55419