Privacy Practices

Last Revised October 19, 2020 (“Effective Date”)

THIS NOTICE OF PRIVACY PRACTICES DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW THIS NOTICE CAREFULLY.

DermDocs, P.C. is a California professional medical corporation which engages in the practice of medicine under the names DermDocs and Portrait, and provides Dermatology care and treatment to its patients, including but not limited to cosmetic dermatology, personalized skin care services, delivery of personalized dermatological products and telemedicine services (collectively, the “Services”). Portrait Health, Inc. provides certain administrative services to DermDocs, P.C. and owns and operates the website located at portraitspa.com and other related websites and mobile applications with links (collectively, the “Site”) to this Notice of Privacy Practices (“Notice”). For purposes of this Notice, the references to “we,” “us,” or “our” will refer as applicable to both DermDocs, P.C. and Portrait Health, Inc. and each of their respective Affiliates. The term “Affiliates” means any entity or person that controls, is controlled by, or is under common control with us, such as a subsidiary, parent company, agent, representative or employee.

DermDocs, P.C. and Portrait Health, Inc. understand that information about you and your health is personal, respect the privacy of each and every person, and are committed to protecting and maintaining the confidentiality of all of your personal and protected health information (“PHI”). We continuously seek to safeguard this information through administrative, physical, and technical means, and otherwise to abide by applicable federal and state data privacy and security guidelines.

This Notice describes how your PHI may be used and disclosed by us and how you can get access to this information. This Notice will serve as a summary of your privacy rights. We must provide you with this Notice and follow the terms of this Notice while it is in effect. Your use of the Services indicates your acceptance of the terms of this Notice. PLEASE REVIEW THIS NOTICE CAREFULLY.

Under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), we are required by law to maintain the privacy of health information that identifies you, which is called protected health information (PHI), and to provide you with notice of our legal duties and privacy practices regarding PHI. We are committed to the protection of your PHI and will make reasonable efforts to ensure the confidentiality of your PHI as required by statute and regulation. We take this commitment seriously and will work with you to comply with your right to receive certain information under HIPAA.

What are our obligations regarding the privacy and confidentiality of your PHI?

We are required by law to maintain the privacy and confidentiality of your PHI and to provide you with this Notice of our legal duties and privacy practices with respect to your PHI.

How do we use and disclose your PHI?

The following categories explain the types of uses and disclosures of PHI that we are permitted to make under HIPAA. Some of the uses and disclosures may be limited or restricted by state laws or other legal requirements. Please contact us, using the information provided at the end of this Notice, for specific information regarding applicable state laws.

Treatment.

We may use PHI to provide your medical care and treatment. We may disclose PHI to our employees and other health care professionals who are involved in coordinating or providing the care you need. For example, we may share your PHI with other physicians or other health care providers who will provide services that we do not provide. Or we may share this information with a pharmacist who needs it to dispense a prescription to you, or a laboratory that performs a test. We may also disclose PHI to members of your family or other authorized persons who can help you when you are sick or injured, or after you die.

Payment.

We may use and disclose your PHI to bill and obtain payment for the services we provide. For example, we may provide your health plan the information it requires before it will pay us. We may also disclose information to other health care providers to assist them in obtaining payment for services they have provided to you or to coordinate health care or health benefits.

Health Care Operations.

This Site is not directed to children and children are not eligible to use the Services. We will not knowingly collect information from Site users under the age of eighteen (18). If you are under age 18, please do not attempt to use the Site or any of the Services or provide any Personal Information about yourself to us. If we learn that we have collected Personal Information from a child under 18, we will delete that information as quickly as possible. If you believe a person who is underage has signed up for an account, please contact us via e-mail at support@portraitspa.com.

Appointment Reminders.

We may use and disclose PHI to contact and remind you about appointments. We may also use and disclose PHI to tell you about health-related benefits and services that may be of interest to you.

Notification of Individuals Involved in Your Care.

We may disclose your PHI to a family member, your personal representative or another person responsible for your care. We may also notify your family or authorized person about your location, your general condition or, unless you have instructed us otherwise, in the event of your death. In the event of a disaster, we may disclose information to a relief organization so that they may coordinate these notification efforts. We may also disclose information to someone who is involved with your care or helps pay for your care. If you are able and available to agree or object, we will give you the opportunity to do so prior to making these disclosures. We may disclose this information in a disaster, even over your objection, if we believe it is necessary to respond to the emergency circumstances. If you are unable or unavailable to agree or object, our health professionals will use their best judgment in communication with your family and others.

Business Associates.

We may disclose PHI to our business associates to perform certain business functions or provide certain business services to us. For example, we may use another company to perform billing services on our behalf. All of our business associates are required to maintain the privacy and confidentiality of your PHI. In addition, at the request of your health care providers or health plan, we may disclose PHI to their business associates for purposes of performing certain business functions or health care services on their behalf. For example, we may disclose PHI to a business associate of Medicare for purposes of medical necessity review and audit.

Marketing.

Provided we do not receive any payment for making these communications, we may contact you to give you information about products or services related to your treatment, case management or care coordination, or to direct or recommend other treatments, therapies, health care providers or settings of care that may be of interest to you. We will not otherwise use or disclose your medical information for marketing purposes or accept any payment for other marketing communications without your prior written authorization. The authorization will disclose whether we receive any compensation for any marketing activity you authorize, and we will stop any future marketing activity to the extent you revoke that authorization.

Required by Law.

We must disclose PHI if required to do so by federal, state or local law, but we will limit our use or disclosure to the relevant requirements of the law.

Public Health.

We may, and sometimes are required by law, to disclose your PHI to public health authorities for purposes related to: preventing or controlling disease, injury or disability; reporting child, elder or dependent adult abuse or neglect; reporting domestic violence; reporting to the Food and Drug Administration problems with products and reactions to medications; and reporting disease or infection exposure. When we report suspected elder or dependent adult abuse or domestic violence, we will inform you or your personal representative promptly unless in our best professional judgment, we believe the notification would place you at risk of serious harm or would require informing a personal representative we believe is responsible for the abuse or harm.

Health Oversight Activities.

We may, and are sometimes required by law, to disclose your PHI to health oversight agencies during the course of audits, investigations, inspections, licensure and other proceedings, subject to the limitations imposed by law.

Coroners, Medical Examiners and Funeral Directors.

We may disclose PHI to a coroner, medical examiner, or funeral director for the purpose of identifying a deceased person, determining cause of death, or for performing some other duty authorized by law.

Personal Representative.

We may disclose PHI to your personal representative, as established under applicable law, or to an administrator, executor, or other authorized individual associated with your estate.

Correctional Institution.

We may disclose the PHI of an inmate or other individual when requested by a correctional institution or law enforcement official for health, safety, and security purposes.

Serious Threat to Health or Safety.

We may disclose PHI if necessary to prevent or lessen a serious and/or imminent threat to health or safety to a person or the public or for law enforcement authorities to identify or apprehend an individual.

Judicial and Administrative Proceedings.

We may, and sometimes are required by law, to disclose your health information in the course of any administrative or judicial proceeding to the extent expressly authorized by a court or administrative order. We may also disclose information about you in response to a subpoena, discovery request or other lawful process if reasonable efforts have been made to notify you of the request and you have not objected, or if your objections have been resolved by a court or administrative order.

Law Enforcement.

We may, and sometimes are required by law, to disclose your PHI for law enforcement purposes, including reporting of certain types of wounds or physical injuries or in response to a court order, warrant, subpoena, summons or similar process authorized by law. We may also disclose PHI when the information is needed for identifying or locating a suspect, fugitive, material witness or missing person; about a victim of a crime; about an individual who has died; in relation to criminal conduct on our premises; or in emergency circumstances to report a crime, the location of a crime, or victims, or the identity, description or location of a person who has committed a crime.

Workers' Compensation.

We may disclose your PHI as necessary to comply with workers' compensation laws. For example, to the extent your care is covered by workers' compensation, we will make periodic reports to your employer about your condition. We are also required by law to report cases of occupational injury or occupational illness to the employer or workers' compensation insurer.

Change of Ownership.

In the event that DermDocs, P.C. or Portrait Health, Inc. is sold or merged with another organization, your health information/record will become the property of the new owner, although you will maintain the right to request that copies of your health information be transferred to another physician or medical group.

Research.

We may disclose your PHI for research purposes. Limited data or records may be viewed by researchers to identify patients who may qualify for their research project or for other similar purposes, so long as the researchers do not remove or copy any of the PHI. Before we use or disclose PHI for any other research activity, one of the following will happen: 1) a special committee will determine that the research activity poses minimal risk to privacy and that there is an adequate plan to safeguard PHI; 2) if the PHI relates to deceased individuals, the researchers give us assurances that the PHI is necessary for the research and will be used only as part of the research; or 3) the researcher will be provided only with information that does not identify you directly.

Government Functions.

In certain situations, we may disclose the PHI of military personnel and veterans, including Armed Forces personnel, as required by military command authorities. Additionally, we may disclose PHI to authorized officials for national security purposes, such as protecting the President of the United States, conducting intelligence, counter-intelligence, other national security activities, and when requested by foreign military authorities. Disclosures will be made only in compliance with U.S. Law.

Fundraising.

We may use or disclose your demographic information in order to contact you for our fundraising activities. If you do not want to receive these materials, notify the Privacy Officer listed at the top of this Notice of Privacy Practices and we will stop any further fundraising communications.

De-identified Information and Limited Data Sets.

We may use and disclose health information that has been “de-identified” by removing certain identifiers making it unlikely that you could be identified. We also may disclose limited health information, contained in a “limited data set”. The limited data set does not contain any information that can directly identify you. For example, a limited data set may include your city, county and zip code, but not your name or street address.

Please note that in some cases, state law may require that we apply extra protections to some of your health information.

What are our responsibilities with respect to the security of your PHI?

The importance of security for all personal information including, but not limited to, PHI associated with you, is of utmost concern to us. We use reasonable and appropriate safeguards to protect the security and confidentiality of your PHI and other personal information. We take care to provide secure transmission of your PHI and other personal information from your PC or mobile device to our servers and/or the Site. PHI and other personal information collected by the Site is stored in secure operation environments that are not available to the public. Only those of our employees or agents who need access to your PHI and other personal information in order to do their jobs are allowed access, and only after they have been trained regarding our confidentiality obligations. Further, our password and authentication system is user specific to ensure that users can only see the specific information to which they have been granted access. Any employee or agent who violates our privacy and security policies is subject to disciplinary action, including possible termination and civil and/or criminal prosecution. You will be notified of any unauthorized access, use, or disclosure of your unsecured PHI as required by law.

What are my privacy rights with respect to my PHI?

We are required by law to maintain the privacy of your PHI and other personal information, to provide this Notice to you and to abide by the terms of this Notice, and to tell you if there has been a breach that compromises your PHI or other personal information.

What other rights do I have with respect to my PHI?

You have the following rights regarding the PHI that we maintain about you: