Notice of Privacy Practices

THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.

 

PRACTICE INFORMATION

Practice Name: Vinestone Psychological Services, Inc.
Location: State of Ohio
Services Provided: Individual therapy for adults; psychological testing for adults
Effective Date: 07/13/25

 

YOUR HEALTH INFORMATION RIGHTS

As our client, you have the following rights regarding your protected health information (PHI):

Right to Request Restrictions: You may request restrictions on how we use and disclose your health information for treatment, payment, and healthcare operations. We are not required to agree to your request but will consider all reasonable requests.

Right to Access Your Records: You have the right to inspect and receive copies of your health records that we maintain about you. Requests must be made in writing through the CarePatron patient portal messaging system. We may charge a reasonable fee for copying costs.

Right to Request Amendments: If you believe information in your record is incorrect or incomplete, you may request amendments in writing through the patient portal. We may deny your request if the information was not created by us, is not part of our records, or is already accurate and complete.

Right to an Accounting of Disclosures: You may request a list of disclosures we have made of your health information for purposes other than treatment, payment, and healthcare operations.

Right to Request Alternative Communications: You may request that we communicate with you about your health matters in a certain way or at a certain location.

Right to File a Complaint: You may file a complaint with us or with the U.S. Department of Health and Human Services if you believe your privacy rights have been violated. We will not retaliate against you for filing a complaint.

HOW WE USE AND DISCLOSE YOUR HEALTH INFORMATION

For Treatment: We may use and disclose your health information to provide you with psychological services, coordinate your care, and consult with other healthcare providers involved in your treatment.

For Payment: We use your health information to obtain payment for services provided. This includes billing activities and collection efforts. Credit card information is securely stored through Stripe for payment processing at the time of service.

For Healthcare Operations: We may use your health information for quality assurance, training, and other healthcare operations necessary to run our practice.

With Your Written Authorization: We will obtain your written authorization before using or disclosing your health information for purposes other than treatment, payment, healthcare operations, or as otherwise permitted by law.

Without Your Authorization (When Required or Permitted by Law): We may use or disclose your health information without your authorization in limited circumstances, including:

  • Public Health Activities: To prevent or control disease, injury, or disability

  • Health Oversight Activities: For audits, investigations, and inspections

  • Judicial and Administrative Proceedings: In response to court orders or lawful subpoenas

  • Law Enforcement: When required by law or court order

  • To Avert Serious Threat: To prevent serious harm to you or others

  • Specialized Government Functions: For military, national security, or correctional institution purposes

  • Workers' Compensation: As required by workers' compensation laws

  • Required by Law: When disclosure is mandated by federal, state, or local law

TECHNOLOGY AND SECURITY SAFEGUARDS

Electronic Health Records: All client records are maintained in CarePatron, a HIPAA-compliant electronic health record system that uses industry-standard encryption and security measures to protect your information.

Telehealth Services:

Platform Security: We use CarePatron's telehealth platform for video sessions, which provides:

  • End-to-end encryption for all video communications

  • Secure, password-protected session access

  • HIPAA-compliant infrastructure

  • Automatic session recording deletion

Client Responsibilities for Telehealth:

  • Ensure you are in a private location during sessions

  • Use a secure internet connection

  • Close other applications and programs during sessions

  • Do not record sessions without written consent

  • Log out completely after each session

Communication Security:

Patient Portal: All communication outside of sessions occurs through CarePatron's secure messaging system, which provides encrypted transmission and storage of messages.

Appointment Reminders: Automated appointment reminders are sent via text or email through CarePatron's secure system. These reminders contain only basic appointment information (date, time) without clinical details.

Payment Processing: Credit card payments are processed through Stripe, a PCI-DSS compliant payment processor. We do not store complete credit card numbers in our systems. Stripe maintains your payment information securely for future transactions.

Google Workspace Integration: We use Google Workspace Professional services under a Business Associate Agreement (BAA) primarily for administrative forms and documentation. All PHI processed through Google services is covered under HIPAA protections.

RECORD RETENTION AND DESTRUCTION

Retention Period: Client records are maintained for a minimum of seven (7) years after the last date of service, in accordance with Ohio state law and professional standards. For clients who were minors during treatment, records are retained for seven (7) years after the last service date or three (3) years after the client reaches the age of majority (18), whichever is longer.

Secure Storage: All records are stored electronically in CarePatron's HIPAA-compliant servers with:

  • Advanced encryption (AES-256)

  • Multi-factor authentication access controls

  • Regular security audits and monitoring

  • Automatic data backup and disaster recovery systems

Record Destruction: After the required retention period expires, records are securely destroyed using:

  • Secure deletion protocols for electronic records

  • Certificate of destruction documentation

  • Irreversible destruction methods that prevent data recovery

Backup and Recovery:

  • All client data is automatically backed up to secure, encrypted servers

  • Backup systems are geographically distributed for disaster recovery

  • Recovery procedures are tested regularly to ensure data integrity

  • All backup systems maintain the same security standards as primary systems

DATA BREACH NOTIFICATION PROCEDURES

Our Response to Breaches: In the event of a breach of your protected health information, we will:

  1. Immediate Assessment: Conduct an immediate investigation to determine the scope and cause of the breach

  2. Containment: Take immediate steps to contain the breach and prevent further unauthorized access

  3. Risk Assessment: Evaluate the potential risk of harm to affected individuals

  4. Documentation: Document all aspects of the breach and our response

Client Notification:

Timeline: If a breach poses a risk to your privacy or security, we will notify you:

  • Within 60 days of discovery of the breach (as required by Ohio law, which is stricter than federal HIPAA requirements)

  • Sooner if the risk assessment indicates immediate notification is warranted

Notification Method:

  • Primary: Secure message through CarePatron patient portal

  • Secondary: Written notice by first-class mail to your last known address

  • If contact information is insufficient: Prominent posting on our website

Notification Content Will Include:

  • Description of what happened and when

  • Types of information involved

  • Steps we have taken to investigate and address the breach

  • Steps you can take to protect yourself

  • Our contact information for questions

Regulatory Notification: We will notify appropriate authorities as required:

  • U.S. Department of Health and Human Services within 60 days

  • Ohio Attorney General as required by Ohio breach notification law

  • Other regulatory bodies as applicable

EMERGENCY SITUATIONS

Limited Availability: Vinestone Psychological Services is not available 24/7 for emergency contact. In case of a mental health emergency, please:

  • Call 911 for immediate assistance

  • Go to your nearest emergency room

  • Call the National Suicide Prevention Lifeline: 988

  • Contact your local crisis intervention team

CHANGES TO THIS NOTICE

We reserve the right to change this notice and make the new provisions effective for all protected health information we maintain. If we make material changes, we will:

  • Post the revised notice on our website

  • Provide you with a copy of the revised notice at your next appointment

  • Make the revised notice available upon request

CONTACT INFORMATION

Questions About This Notice: If you have questions about this notice or our privacy practices, please contact us through the CarePatron patient portal or by telephone.

Privacy Officer: Samantha L Haudenschield, PsyD, Licensed Psychologist
Email: admin.vinestonepsych.com

Filing Complaints:

  • With Our Practice: Contact us directly using the information above

  • With HHS: U.S. Department of Health and Human Services, Office for Civil Rights

    • Online: www.hhs.gov/ocr/privacy/hipaa/complaints

    • Phone: 1-877-696-6775

    • Mail: Office for Civil Rights, U.S. Department of Health and Human Services, 200 Independence Avenue, S.W., Room 509F, HHS Building, Washington, D.C. 20201

ACKNOWLEDGMENT

By continuing treatment with Vinestone Psychological Services, Inc., you acknowledge that you have received and reviewed this Notice of Privacy Practices and understand your rights regarding your protected health information.

 

This notice complies with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule, Ohio state privacy laws, and professional psychology practice standards.
