NuBalance Health Medical Group Compliance Agreement on Privacy Practices
Effective Date: January 4, 2025
Prepared For: NuBalance Health, LLC
Contact Information:
Email: info@nubalance.health
Phone: 678-313-5106
Mailing Address: 10405 Old Alabama Rd Connector, Suite 201, Alpharetta, GA 30022
TABLE OF CONTENTS
Introduction
Definitions
Purpose and Scope
Legal Framework and Regulatory Compliance
Organizational Responsibilities
Protected Health Information (PHI) Management
Use and Disclosure of PHI
Minimum Necessary Standard
Patient Rights
Administrative Safeguards
Technical and Physical Safeguards
Workforce Responsibilities and Training
Business Associate Agreements
De-Identification and Limited Data Sets
Breach Notification Policy
Complaints and Dispute Resolution
Retention and Destruction of Records
Oversight, Audits, and Monitoring
Sanctions and Enforcement
Amendments and Revisions
Acknowledgment and Signature Page
INTRODUCTION
NuBalance Health, LLC (hereinafter referred to as “NuBalance Health,” “we,” or “the Medical Group”) is committed to the protection and proper use of all patient data, with a specific emphasis on Protected Health Information (PHI) as defined by the Health Insurance Portability and Accountability Act of 1996 (HIPAA). This Privacy Practices Compliance Agreement (hereafter “Agreement”) establishes the standard operating procedures, legal commitments, administrative protocols, and enforcement strategies NuBalance Health employs to comply with all federal and state privacy laws.
This document shall serve as a legally binding agreement for employees, contractors, clinicians, business associates, and all other relevant parties affiliated with NuBalance Health.
DEFINITIONS
Protected Health Information (PHI): Any individually identifiable health information, transmitted or maintained in any form or medium, including demographic data that relates to the individual’s physical or mental health condition, the provision of health care, or payment for the provision of health care.
Individually Identifiable Information: Includes any information that could identify the patient, such as name, address, birth date, Social Security Number, medical record number, or any other unique identifier.
HIPAA: The Health Insurance Portability and Accountability Act of 1996, including the Privacy Rule, Security Rule, and Breach Notification Rule.
HITECH Act: Health Information Technology for Economic and Clinical Health Act of 2009, an extension of HIPAA that enhances enforcement and broadens PHI protection.
Business Associate: A person or entity who performs certain functions or activities on behalf of NuBalance Health that involve the use or disclosure of PHI.
Minimum Necessary: A key HIPAA standard that mandates access to or disclosure of only the PHI needed to accomplish the intended purpose.
Covered Entity: As per HIPAA, NuBalance Health qualifies as a Covered Entity since it transmits health information electronically in connection with billing and treatment.
PURPOSE AND SCOPE
This Agreement outlines the framework for the following objectives:
To ensure consistent protection of PHI throughout all clinical, administrative, and technical processes.
To define the proper use, disclosure, and safeguarding of PHI.
To maintain a culture of compliance and ethical conduct within NuBalance Health.
To educate staff, partners, and vendors about their legal obligations concerning patient data.
To implement systematic procedures for identifying, managing, and resolving privacy-related incidents.
To delineate enforcement policies that apply in cases of non-compliance.
This Agreement applies to all workforce members including employees, contractors, licensed medical professionals, volunteers, and temporary staff. It also governs any third-party vendors, subcontractors, or partners that process, transmit, or access PHI.
LEGAL FRAMEWORK AND REGULATORY COMPLIANCE
NuBalance Health is committed to adhering to the following federal and state legal mandates:
HIPAA and HITECH Compliance
Full compliance with HIPAA Privacy Rule (45 CFR Parts 160 and 164)
HIPAA Security Rule (45 CFR Part 160 and Subparts A and C of Part 164)
HIPAA Breach Notification Rule
HITECH Act provisions on breach enforcement and expanded patient rights
Additional Applicable Laws
42 CFR Part 2: Confidentiality of substance use disorder patient records
Americans with Disabilities Act (ADA) as it relates to health information
State-specific health privacy laws governing consent, record retention, and disclosures
Conflict of Law
Where federal and state regulations conflict, NuBalance Health will apply the law that offers greater privacy protections to the individual.
ORGANIZATIONAL RESPONSIBILITIES
NuBalance Health acknowledges the following responsibilities in its role as a covered entity:
Designate a Privacy Officer and Security Officer responsible for the implementation and enforcement of this Agreement.
Develop and maintain internal privacy policies and procedures that are compliant with applicable law and updated annually or as needed.
Train all workforce members upon hire and annually, with additional training upon changes in policy or job role.
Mitigate harmful effects resulting from use or disclosure of PHI in violation of this Agreement.
Issue and post a Notice of Privacy Practices (NPP) explaining how PHI may be used and disclosed and how patients may exercise their rights.
PROTECTED HEALTH INFORMATION (PHI) MANAGEMENT
PHI is collected during various stages of patient interaction including, but not limited to:
New patient registration
Clinical evaluations
Medical history documentation
Diagnostic procedures and lab results
Payment and insurance processing
Storage and Maintenance
All PHI will be stored using systems that ensure data integrity, confidentiality, and availability. Storage formats include electronic medical records (EMRs), physical charts (where applicable), and secure cloud platforms compliant with HIPAA.
Access Control
Access to PHI is restricted based on job function. NuBalance Health enforces role-based access controls and ensures that access is limited to the minimum necessary information required to perform assigned duties.
USE AND DISCLOSURE OF PHI
PHI may only be used or disclosed under the following permissible conditions:
Treatment
Information shared between medical professionals to provide appropriate care to the patient.
Payment
Includes billing, claims management, and collection activities with payers, clearinghouses, and financial institutions.
Health Care Operations
Used for quality assessment, training, licensing, auditing, and business management purposes.
Public Health Activities
Reporting communicable diseases, child abuse, neglect, domestic violence, and adverse drug reactions to authorized public health agencies.
Judicial and Administrative Proceedings
PHI may be disclosed pursuant to a valid court order, subpoena, or administrative request compliant with HIPAA standards.
Law Enforcement
Permitted for identifying or locating suspects, victims, or witnesses, provided appropriate safeguards are met.
Research Purposes
Only permissible under IRB approval or patient authorization unless criteria for waiver of authorization are met.
MINIMUM NECESSARY STANDARD
NuBalance Health enforces the principle of minimum necessary by ensuring:
Employees access only the information necessary for their job.
Internal policies define data access levels by department and role.
Routine disclosures are reviewed and reduced to the least amount of PHI required.
This principle applies in all circumstances except:
Disclosures to or requests by a healthcare provider for treatment
Disclosures to the individual who is the subject of the information
Uses or disclosures made pursuant to a valid authorization
Uses or disclosures required by law
PATIENT RIGHTS
Under HIPAA and the HITECH Act, NuBalance Health upholds the following patient rights:
Patients may inspect and obtain a copy of their health records, typically within 30 days of request.
Patients may request corrections to their PHI. NuBalance Health will act within 60 days and may deny if the information is accurate and complete.
Patients have the right to receive a record of when and why their PHI has been disclosed, excluding disclosures made for treatment, payment, or operations.
Patients may request limitations on the disclosure of their PHI. While NuBalance Health is not required to agree to all requests, restrictions agreed to in writing must be honored.
Patients may request communications be delivered to a specific location or in a particular manner (e.g., phone calls to mobile devices only).
Patients may lodge complaints directly with NuBalance Health’s Privacy Officer or the Office for Civil Rights without fear of retaliation.
ADMINISTRATIVE SAFEGUARDS
NuBalance Health implements comprehensive administrative safeguards designed to ensure compliance with privacy laws and to minimize the risk of unauthorized use or disclosure of PHI.
Conduct regular risk assessments to identify vulnerabilities.
Develop and implement risk management strategies to mitigate identified threats.
Document all assessments and remediation efforts annually.
Define user roles and responsibilities in terms of PHI access.
Establish onboarding and offboarding protocols to grant and revoke access efficiently.
Enforce disciplinary actions for violations, including termination where appropriate.
Apply role-based access control (RBAC) policies.
Assign access rights consistent with the “minimum necessary” standard.
Review user permissions quarterly.
Develop and maintain disaster recovery plans, including data backup and emergency mode operation protocols.
Test contingency plans at least annually.
Conduct mandatory HIPAA training for all workforce members at hire and annually.
Provide periodic updates on threats such as phishing, ransomware, and improper mobile device use.
TECHNICAL AND PHYSICAL SAFEGUARDS
NuBalance Health is committed to utilizing robust physical and digital measures to protect PHI.
Use encryption for data in transit (TLS/SSL) and at rest (AES-256 or stronger).
Require multi-factor authentication (MFA) for access to all systems handling PHI.
Employ audit controls and maintain logs of access to all PHI.
Implement automatic session timeouts, and deploy firewalls to detect and block unauthorized access.
Secure areas housing electronic systems with keycard access, surveillance, and restricted entry.
Store physical records in locked file cabinets in secure areas.
Implement clean desk policies and privacy screen filters for all visible workstations.
WORKFORCE RESPONSIBILITIES AND TRAINING
All members of the NuBalance Health workforce have specific obligations:
Maintain the confidentiality of PHI at all times.
Report privacy violations, suspected breaches, or security incidents immediately.
Adhere strictly to policies governing mobile device use, email, fax, and third-party communication.
Initial Training: New employees complete privacy and security modules within 30 days of hire.
Annual Refresher: All employees participate in annual privacy and security update training.
Role-Specific Modules: Specialized staff (e.g., IT, medical records) complete advanced compliance modules.
All employees and vendors must sign a confidentiality agreement as a condition of employment or partnership.
BUSINESS ASSOCIATE AGREEMENTS (BAAs)
NuBalance Health shall not share PHI with any third party unless a Business Associate Agreement is in place.
Each agreement shall:
Define permissible uses and disclosures of PHI.
Mandate compliance with HIPAA and HITECH regulations.
Require prompt notification of any data breach involving PHI.
Enforce data return or destruction upon termination of the agreement.
BAAs are reviewed and renewed every two years or upon regulatory change.
All vendors must undergo a security risk assessment prior to engagement.
NuBalance Health reserves the right to terminate agreements for non-compliance or breach.
DE-IDENTIFICATION AND LIMITED DATA SETS
In certain research or operational contexts, NuBalance Health may use de-identified information or limited data sets.
De-identification of PHI must meet HIPAA criteria through one of the following methods:
Removing all 18 identifiers (e.g., name, address, SSN, date of birth).
Receiving documentation from a qualified statistician certifying that the risk of re-identification is minimal.
Limited Data Sets
A limited data set:
May include certain indirect identifiers (e.g., dates, ZIP codes).
Must be governed by a Data Use Agreement (DUA) that prohibits re-identification and restricts use to specified purposes.
BREACH NOTIFICATION POLICY
In accordance with the HIPAA Breach Notification Rule, NuBalance Health applies the following definition, assessment criteria, and notification procedures.
A “breach” is any impermissible use or disclosure of PHI that compromises the security or privacy of the information.
Each breach will be evaluated based on:
Nature and extent of PHI involved
Identity of the unauthorized person who used or received the information
Whether the PHI was actually acquired or viewed
Mitigation measures taken
Notification
Patients: Notification within 60 days of discovery via first-class mail or electronic notice.
HHS: Notification via the HHS portal. Immediate reporting if breach affects 500+ individuals.
Media: If 500+ residents of a state or jurisdiction are affected, notify prominent media outlets.
NuBalance Health shall maintain documentation of:
Breach assessments
Notification records
Risk mitigation steps taken
COMPLAINTS AND DISPUTE RESOLUTION
NuBalance Health welcomes and protects the right of patients to report suspected violations.
Patients may file complaints with the Privacy Officer in person, via email, or by phone.
All complaints must be logged, investigated, and resolved within 30 business days.
Patients also retain the right to file complaints with:
U.S. Department of Health and Human Services (OCR)
State Attorney General or Licensing Boards
Under no circumstances will NuBalance Health retaliate against an individual for submitting a complaint.
RETENTION AND DESTRUCTION OF RECORDS
NuBalance Health will implement secure protocols for retaining and disposing of PHI.
PHI will be retained for a minimum of six (6) years, or longer as required by state law or specific medical regulations.
Paper Records: Cross-shredded or incinerated.
Electronic Records: Wiped using DoD 5220.22-M or NIST-compliant protocols.
Media (e.g., hard drives): Physically destroyed or securely erased.
Only authorized personnel may approve the destruction of PHI. All actions must be logged and verifiable.
OVERSIGHT, AUDITS, AND MONITORING
Internal audits are conducted quarterly to assess access logs, privacy practices, and training completion for compliance.
Audit outcomes are submitted to executive leadership with corrective action plans where necessary.
An annual risk assessment shall be completed in accordance with NIST standards.
Documentation includes current threats, system vulnerabilities, and recommendations.
NuBalance Health will cooperate with regulatory agency audits and self-audit in anticipation of such reviews.
SANCTIONS AND ENFORCEMENT
NuBalance Health enforces strict accountability for noncompliance with privacy practices. All violations are investigated promptly and thoroughly by the Privacy Officer and/or Security Officer, with appropriate disciplinary action taken.
Violations are classified into three categories, each with corresponding consequences:
Category 1 – Unintentional Violations:
Examples: Mistakenly sending PHI to an incorrect internal recipient, forgetting to log out of a workstation.
Sanctions: Verbal warning, retraining.
Category 2 – Negligent Violations:
Examples: Leaving PHI in public areas, emailing PHI without encryption.
Sanctions: Written reprimand, mandatory retraining, possible probation.
Category 3 – Willful Violations or Repeated Negligence:
Examples: Accessing records without authorization, sharing PHI with media or unauthorized parties.
Sanctions: Suspension, termination, legal reporting.
Investigation Procedure
Upon discovery of a suspected violation:
Incident is reported to the Privacy or Security Officer.
An investigation is initiated within 48 hours.
Witnesses and evidence are collected and documented.
Root cause analysis is performed.
A corrective action plan (CAP) is issued if required.
Sanctions are imposed in accordance with the Violation Category.
All investigations and outcomes are documented and stored for a minimum of six years.
Legal Referral
NuBalance Health reserves the right to refer intentional HIPAA violations to the Department of Health and Human Services (HHS), the Office for Civil Rights (OCR), or local law enforcement if criminal activity is suspected.
AMENDMENTS AND REVISIONS
This Compliance Agreement may be amended at any time to reflect updates in federal or state regulations, technological advancements, or organizational restructuring.
Reviewed at least annually by the Compliance Committee and Privacy Officer.
Revised immediately upon discovery of noncompliance or new legislation (e.g., updates from OCR or CMS).
All affected personnel will be notified in writing of significant changes.
Updates will be incorporated into annual HIPAA refresher training.
Affected third-party vendors will receive updated BAAs or Data Use Agreements (DUAs) as appropriate.
Each revised version will contain:
Version number and effective date
Summary of changes
Authorization signature of executive leadership
Previous versions shall be archived and retained for historical audit trails.
Agreement Acceptance
All employees, contractors, and business associates are required to read, understand, and agree to the terms set forth in this Privacy Practices Compliance Agreement as a condition of employment or engagement with NuBalance Health.