Terms & Conditions

1. Introduction

As a licensed healthcare clinic and HIPAA-covered entity, NuBalance Health is legally and ethically responsible for protecting the privacy, security, and integrity of our patients’ Protected Health Information (PHI). This document details our clinic’s clinical responsibilities under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and applicable state and federal privacy regulations.

We recognize that our patients trust us with their most sensitive health data. We uphold that trust by following strict protocols designed to maintain confidentiality in all areas of clinical care, telehealth, administration, and technology use.

2. What Is Protected Health Information (PHI)?

PHI includes any information, whether oral, written, or electronic, that:

  • Identifies a patient (e.g., name, date of birth, phone number, address)

  • Relates to a patient’s health history, condition, treatment, or prognosis

  • Is created or received by a covered entity in the course of providing care

Examples:

  • Medical records

  • Diagnostic imaging results

  • Lab test results

  • Treatment plans and progress notes

  • Email or text communications with patients about their care

3. Clinical Responsibilities Under HIPAA

A. Maintain Patient Confidentiality

Clinicians must:

  • Only access patient records when necessary for treatment or care coordination

  • Never share patient information with unauthorized individuals (e.g., friends, family, media)

  • Use privacy screens or discretion when discussing cases in shared spaces

B. Limit Access

Access to patient information must follow the Minimum Necessary Rule—staff may only view or use the data required for their specific duties.

C. Follow the Clinic’s HIPAA Policies

All staff must follow NuBalance Health’s internal policies covering:

  • Documentation

  • Secure messaging

  • Electronic Health Record (EHR) access

  • Patient communications

  • Information sharing with insurance companies or referring providers

4. Administrative Safeguards

A. Privacy Officer Oversight

NuBalance Health has appointed a Privacy Officer responsible for:

  • Policy development

  • Monitoring compliance

  • Investigating breaches

  • Coordinating with state and federal authorities when required

B. Training Requirements

All clinical staff must:

  • Complete HIPAA training within 30 days of hire

  • Participate in annual privacy training and updates

  • Acknowledge their duty to uphold HIPAA rules by signing a Confidentiality Agreement

C. Sanction Policy

Failure to comply with HIPAA regulations may result in:

  • Disciplinary action

  • Termination

  • Reporting to licensing boards

  • Legal consequences including fines

5. Technical Safeguards in Clinical Practice

A. Electronic Health Records (EHR) Security

  • Only approved systems may be used for documentation

  • All accounts must use strong, unique passwords, and sessions must lock automatically after a period of inactivity

  • Access is granted based on staff role (e.g., clinicians, admin)

B. Secure Communication

  • No PHI may be sent through personal email or text

  • Staff must use HIPAA-compliant platforms for telehealth and patient messaging

  • Voicemail and text reminders must be generic (e.g., “You have an appointment tomorrow”)

C. Device Management

  • Mobile devices used for patient care must have device encryption enabled

  • Lost or stolen devices must be reported immediately

  • Personal devices should not be used unless approved and secured

6. Physical Safeguards

A. Clinic Layout

  • Medical records should not be visible at the front desk or in shared areas

  • Computer screens visible to unauthorized individuals must use privacy screen filters, and whiteboards must not display patient identifiers where visitors can see them

B. File Security

  • Paper records (if used) must be stored in locked cabinets or rooms

  • Records must not be left unattended in open spaces

  • Printed documents must be picked up promptly from printers

C. Visitor Management

  • Visitors should be escorted if entering treatment or admin areas

  • Unauthorized personnel are not allowed to handle or view PHI

7. Clinical Workflow Protocols

A. Intake & Documentation

  • Staff should confirm the identity of the patient before any consultation

  • Records should be updated promptly and accurately after each visit

  • Lab results and notes must be securely uploaded into the EHR

B. Patient Discussions

  • All clinical conversations should occur in private exam rooms

  • Reception and check-in staff should avoid discussing patient details aloud

  • Calls should be taken in private or low-traffic areas

C. Sharing Information

Information may only be shared with:

  • The patient (after identity verification)

  • Authorized representatives (with signed consent)

  • Insurance providers (only the data necessary for payment)

  • Referring physicians or specialists (as part of care coordination)

8. Data Breach Protocol

If a staff member suspects a breach (e.g., data emailed to the wrong person, unauthorized access), they must:

  1. Report the incident to the Privacy Officer immediately

  2. Document what occurred

  3. Assist with the internal investigation

  4. Follow patient notification procedures (if PHI was compromised)

NuBalance Health is required by law to:

  • Notify affected patients without unreasonable delay, and no later than 60 calendar days after the breach is discovered

  • Report breaches to the Department of Health and Human Services (HHS): breaches affecting 500 or more individuals within 60 days of discovery, and smaller breaches in an annual report

  • Maintain documentation of all security incidents

9. Telehealth Considerations

Clinicians must ensure privacy when conducting telehealth services:

  • Use HIPAA-compliant video platforms only

  • Conduct sessions in a quiet, private space

  • Confirm patient identity at the beginning of each session

  • Do not record sessions unless legally permitted and the patient has consented

10. Business Associate Agreements (BAAs)

NuBalance Health works with third-party vendors (e.g., billing companies, EHR providers) who may access PHI. All vendors must:

  • Sign a Business Associate Agreement (BAA)

  • Agree to comply with the HIPAA Privacy and Security Rules

  • Allow for security audits upon request

11. Data Retention and Destruction

HIPAA documentation (policies, procedures, training records, BAAs, and incident records) must be retained for a minimum of 6 years. Medical records must be retained for at least 6 years, or longer where state law requires.

Destruction procedures:

  • Paper records: Cross-cut shredded or incinerated

  • Electronic records: Sanitized using approved tools so that the data cannot be recovered (e.g., overwriting or cryptographic erasure consistent with NIST SP 800-88)

  • Devices: Wiped before disposal or reuse

12. Reporting and Enforcement

All clinic staff are required to report suspected violations and may do so without fear of retaliation.

Reports may be made:

  • To the NuBalance Health Privacy Officer

  • Anonymously via internal reporting forms

  • Directly to the U.S. Department of Health and Human Services, Office for Civil Rights (OCR)

Failure to report known violations may result in disciplinary action.

13. Summary of Clinical Responsibilities

Every NuBalance Health team member must:

  • Know what constitutes PHI

  • Use and disclose information only when permitted

  • Protect paper and electronic records

  • Communicate securely

  • Log out of systems when not in use

  • Report security incidents

  • Participate in required training

14. Contact for Privacy-Related Concerns

NuBalance Health Privacy Officer

info@nubalance.health

678-313-5106