Legal / HIPAA
Notice of Privacy Practices
Effective date: May 1, 2026
THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
Who This Notice Applies To
This Notice of Privacy Practices applies to the Institute for Self-Determined Relationships, PLLC ("ISDR" or "the Practice") and all of its clinicians, staff, trainees, and contractors. It describes how we may use and disclose your Protected Health Information (PHI) — that is, any information about your health, mental health treatment, or payment for treatment that can be used to identify you.
We are required by law to maintain the privacy and security of your PHI, to provide you with this notice of our legal duties and privacy practices, and to follow the terms of this notice currently in effect.
How We May Use and Disclose Your Information
The categories below describe the ways we may use and disclose your PHI without your written authorization. Not every possible use or disclosure in a category is listed, but all of the ways we are permitted to use and disclose information will fall within one of these categories.
Emergencies
In the event of an urgent crisis, we may share PHI to address the immediate emergency you are facing.
Treatment
We may use your PHI to provide, coordinate, or manage your health care. For example, we may share relevant information with a psychiatrist, primary care physician, or other provider involved in your treatment, with your consent where required. We (or a business associate) may also email, text, or call you to remind you of appointments.
Payment
We may use and disclose your PHI to obtain payment for services. For example, we may submit a claim to your insurance company that includes information about your diagnosis and the services you received, or share information with Headway when processing in-network individual therapy claims through individual clinicians' Headway agreements.
Healthcare Operations
We may use and disclose your PHI for our internal operations, including quality assessment, training and supervision of clinical staff, compliance reviews, and business planning. We use the minimum amount of PHI necessary.
Business Associates
We may share your PHI with our business associates — third-party vendors and service providers that perform functions on our behalf, such as our electronic health record and telehealth platform (SimplePractice), the in-network billing platform used by individual clinicians (Headway), professional consultants, and IT support. All business associates are contractually required under a Business Associate Agreement (BAA) to protect your PHI in accordance with HIPAA.
Individuals Involved in Your Care
With your permission, or when you are present and do not object, we may share relevant PHI with a family member, close friend, or other person you have identified as being involved in your care. In an emergency situation where you are unable to provide consent, we may share limited PHI with such persons if, in our professional judgment, it is in your best interest.
As Required by Law
We may disclose your PHI when required by federal, state, or local law. Specific definitions and procedures vary by state, and we will follow the law of the state in which the client is physically located:
- Suspected abuse or neglect of a child. Mental health professionals are required to report known or reasonably suspected child abuse or neglect to the appropriate child protective authorities or law enforcement.
- Abuse, neglect, or exploitation of a vulnerable adult or elder. Mental health professionals are required to report known or reasonably suspected abuse, neglect, or exploitation of vulnerable adults or elders to Adult Protective Services or law enforcement, as defined by state law.
- Serious and imminent threat of harm to others. When a client communicates a credible threat of physical violence against a person, we may disclose information necessary to protect that person, including notifying law enforcement or the potential victim.
- Serious and imminent risk of harm to self. When, in our clinical judgment, a client poses a serious and imminent risk of self-harm, we may disclose information necessary to prevent that harm, including contacting emergency services, family members or emergency contacts, or initiating emergency mental health proceedings.
Public Health and Safety
We may disclose PHI to public health authorities for activities such as disease reporting, or to prevent or lessen a serious and imminent threat to the health or safety of a person or the public.
Health Oversight Activities
We may disclose PHI to government agencies authorized to oversee the healthcare system, including audits, investigations, inspections, and licensure proceedings conducted by agencies such as the relevant state licensing board or the U.S. Department of Health and Human Services.
Judicial and Administrative Proceedings
We may disclose PHI in response to a court or administrative order. We may also disclose PHI in response to a subpoena, discovery request, or other lawful process by someone else involved in a legal dispute. We will assert privilege on your behalf wherever possible.
Law Enforcement
Under limited circumstances permitted by law, we may disclose PHI to law enforcement officials — for example, to report certain wounds or injuries, in response to a court order, or to identify or locate a suspect, fugitive, material witness, or missing person. We may also disclose health information if a crime is committed on our premises or against our personnel, or if we believe there is someone who is in immediate danger.
Workers' Compensation
We may disclose PHI as authorized by, and to the extent necessary to comply with, workers' compensation or other similar programs.
Coroners, Medical Examiners, and Funeral Directors
We may disclose PHI to a coroner, medical examiner, or funeral director when such individuals are performing duties authorized by law.
Specialized Government Functions
We may disclose PHI for specialized government functions authorized by law (such as military, national security, and certain protective services).
Research
In certain circumstances, we may use and disclose health information for research. We may permit researchers to use de-identified data for approved research projects.
Health-Related Benefits and Services
We may send you information about our own services, educational content, and Practice news. You maintain the right to opt out of these communications and request the removal of your name from our distribution list at any time.
Uses That Require Your Written Authorization
Certain uses and disclosures of your PHI will be made only with your written authorization:
Psychotherapy Notes
ISDR clinicians keep psychotherapy notes as that term is defined in 45 CFR §164.501. Psychotherapy notes are a clinician's private notes documenting the contents and analysis of a counseling session. They are maintained separately from the rest of your medical record and receive the highest level of protection under HIPAA.
Any use or disclosure of psychotherapy notes requires your written authorization, except in the following circumstances:
- The originating clinician's own use in treating you
- Training or supervising mental health practitioners in counseling skills
- The originating clinician's use in defending against legal proceedings brought by you
- Use by the Secretary of HHS to investigate HIPAA compliance
- Required by law, limited to what the law requires
- Required by law for health oversight activities pertaining to the originating clinician
- Required by a coroner performing duties authorized by law
- Required to help avert a serious and imminent threat to the health or safety of a person or the public
In a group practice such as ISDR, another clinician's use of a colleague's psychotherapy notes about you may still require your written authorization.
Sale of PHI
We will not sell your PHI.
You may revoke a written authorization at any time by notifying us in writing. Revocation will not affect uses or disclosures already made in reliance on your prior authorization.
Reproductive Health Care Information
Under the 2024 amendments to the HIPAA Privacy Rule (45 CFR §§164.502, 164.509, 164.512), the Practice will not use or disclose your protected health information for the purpose of conducting a criminal, civil, or administrative investigation into, or imposing liability on, any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care that was lawful where it was provided. This protection applies regardless of where you reside or where you sought care.
When we receive a request for PHI that potentially relates to reproductive health care, we will require a signed attestation from the requester confirming that the information will not be used for a prohibited purpose, as required by HIPAA. We will refuse requests that do not meet this standard.
Health Information Exchanges
A Health Information Exchange (HIE) is a network that allows healthcare providers to electronically share patient information across organizations. ISDR does not currently participate in any HIE. Your information is shared only as described elsewhere in this Notice. If our HIE participation status changes in the future, we will update this Notice and inform existing clients.
Substance Use Disorder Records
At ISDR, your records are protected by HIPAA. Because ISDR is a general relationship-focused practice and does not hold itself out as a specialized substance use disorder (SUD) treatment program, the specific regulations of 42 CFR Part 2 do not apply to the records we create or maintain.
However, if we receive records about your care from a Part 2 program (such as a residential treatment center or methadone clinic), those specific records retain their Part 2 protections. We will handle those records in accordance with applicable federal redisclosure requirements.
Your Rights
You have the following rights with respect to your PHI. To exercise any of these rights, please submit a written request to our Privacy Officer using the contact information at the end of this notice.
Right to access and obtain copies of your records
You have the right to inspect and obtain a copy of your PHI maintained in a designated record set, such as your medical and billing records. We may charge a reasonable, cost-based fee for copying. We will respond within the time required by HIPAA and state law, currently up to 30 days. In limited circumstances permitted by law — for example, if providing access would endanger the life or safety of you or another person — we may deny your request and will provide a written explanation.
Right to request amendments
If you believe PHI we hold about you is inaccurate or incomplete, you may request that we amend it. We may deny your request under certain circumstances, and you have the right to submit a statement of disagreement that becomes part of your record.
Right to an accounting of disclosures
You have the right to request a list of certain disclosures we have made of your PHI — specifically, disclosures that were not made for treatment, payment, or healthcare operations, and not pursuant to your authorization. This right applies to disclosures made in the six years prior to your request. The first accounting in any 12-month period is free; we may charge a reasonable fee for additional requests within the same period.
Right to request restrictions
You may request that we restrict how we use or disclose your PHI. We are not required to agree to all requests, but if we do agree we will comply with the restriction unless the information is needed to provide you emergency treatment. If you pay out of pocket in full for a service, you have the right to request that we not disclose information about that service to your health plan, and we will honor that request as required by law.
Right to request confidential communications
You may request that we contact you by a specific means or at a specific location — for example, that we contact you only by email rather than phone, or only at your work address. You must make this request in writing and it must specify the alternative means or location that you would like us to use to provide you information about your health care. We will make every attempt to accommodate reasonable requests.
Right to designate a personal representative
You may designate a personal representative — such as a legal guardian, healthcare proxy, or person holding a medical power of attorney — to exercise your privacy rights on your behalf. We may decline to treat a person as your personal representative if we reasonably believe doing so would endanger you.
Right to receive your records in electronic format
Because your PHI is maintained in an electronic health record (SimplePractice), you have the right to request an electronic copy of your records in a readable, accessible format. If certain medical records are not kept electronically, a readable hard copy may be used instead. We may charge a reasonable, cost-based fee.
Right to a paper copy of this notice
You have the right to receive a paper copy of this Notice of Privacy Practices upon request, even if you have agreed to receive it electronically.
Right to file a complaint
You have the right to file a complaint with ISDR or with the U.S. Department of Health and Human Services if you believe your privacy rights have been violated. We will not retaliate against you in any way for filing a complaint.
Our Legal Duties
We are required by law to: maintain the privacy and security of your PHI; provide you with this notice describing our legal duties and privacy practices; follow the terms of this notice currently in effect; and notify you in the event of a breach of unsecured PHI that may compromise the privacy or security of your information. Where more stringent state or federal law governs PHI, we will abide by the more stringent law.
We reserve the right to change the terms of this notice. If we change this notice, the new terms will apply to all PHI we maintain, including records created before the change. We will post the updated notice in our office and on our website, and provide a paper copy on request.
Records Retention
The Practice maintains clinical records for a minimum of seven (7) years following the final date of service, or for a more extensive period if mandated by the laws of the state in which care was rendered. For records concerning minor clients, the Practice adheres to a retention period of at least seven (7) years after the client attains the age of eighteen (18), or as otherwise required by applicable state law, whichever duration is longer.
How to File a Complaint with HHS
If you believe your privacy rights have been violated, you may file a complaint with the U.S. Department of Health and Human Services, Office for Civil Rights:
HHS Office for Civil Rights
Website: hhs.gov/ocr/privacy/hipaa/complaints
Phone: 1-800-368-1019 (TTY: 1-800-537-7697)
Mail: 200 Independence Avenue, S.W., Washington, D.C. 20201
You may also file a complaint with the licensing board of the state where your clinician is licensed. You will not be penalized or retaliated against for filing a complaint.
Contact Our Privacy Officer
For questions about this notice or to exercise your rights, please contact our Privacy Officer:
Privacy Officer: Dr. Brady Eisert
Practice: Institute for Self-Determined Relationships, PLLC
Email: [email protected]
Phone: (801) 648-9664
Effective date of this notice: May 1, 2026
Acknowledgment of Receipt
Under the Health Insurance Portability and Accountability Act (HIPAA), the Practice is required to make a good-faith effort to obtain your written acknowledgment that you have received this Notice of Privacy Practices.
At intake, clients sign an acknowledgment confirming receipt of this Notice.