HIPAA Notice of Privacy Practices
This notice describes how medical information about you may be used and disclosed and how you can get access to this information. Please review it carefully.
Effective July 20, 2026
This Notice of Privacy Practices describes how RhodesMed PLLC (“RhodesMed,” “we,” “us,” or “our”) may use and disclose your protected health information, and the rights you have regarding that information. It applies to all care provided by RhodesMed, including care delivered under our Sippa by RhodesMed and RhodesMed MEN brands, and to Hair Restoration performed in person in St. George, Utah.
Protected health information, or PHI, is information about you, including demographic information, that can reasonably be used to identify you and that relates to your past, present, or future physical or mental health, the health care you receive, or the payment for that care.
We are required by law to maintain the privacy of your PHI, to give you this notice of our legal duties and privacy practices, and to follow the terms of the notice currently in effect.
1. Our Commitment
RhodesMed is committed to protecting your health information. We create a record of the care you receive so that we can provide you with quality care and comply with legal requirements. This notice applies to all records of your care generated by RhodesMed, whether created by a clinician or by support staff.
We will not use or disclose your PHI without your written authorization, except as described in this notice or as otherwise permitted or required by law.
2. Treatment, Payment, and Health Care Operations
We may use and disclose your PHI for the following purposes without your written authorization.
Treatment
We may use your PHI to provide, coordinate, or manage your care, and we may disclose it to other health care providers involved in your care. For example, your clinician may send a prescription to a pharmacy, order labs from an outside laboratory, or share your history with another clinician you have been referred to.
Payment
We may use and disclose your PHI to obtain payment for the care we provide. For example, we prepare an itemized superbill after each visit that describes the services you received, which you may choose to submit to your insurer. RhodesMed does not bill insurance directly.
Health care operations
We may use and disclose your PHI for our business operations. For example, we may review records to evaluate the quality of care, train staff, coordinate care, or conduct compliance activities.
Appointment reminders and treatment information
We may contact you to remind you of appointments, to tell you about treatment alternatives, or to describe health-related benefits and services that may interest you. These messages are sent through Healthie, our electronic health record and patient portal, or by email or text message.
Individuals involved in your care
We may disclose your PHI to a family member, friend, or other person you identify, to the extent the information is directly relevant to that person's involvement in your care or payment for your care. If you are present and able to make decisions, we will give you the opportunity to object before doing so.
3. Other Uses Permitted or Required by Law
We may use or disclose your PHI without your authorization in the following circumstances, subject to the conditions and limits federal and state law place on each:
- When required by federal, state, or local law
- For public health activities, including reporting disease, injury, vital events, and adverse events related to medications or products
- To report suspected abuse, neglect, or domestic violence, as permitted or required by law
- For health oversight activities, such as audits, investigations, licensure actions, and inspections
- In response to a court order, subpoena, discovery request, or other lawful process in a judicial or administrative proceeding
- For specified law enforcement purposes
- To coroners, medical examiners, and funeral directors
- For organ, eye, or tissue donation
- For research, when approved by an institutional review board or privacy board, or in other limited circumstances permitted by law
- To prevent a serious and imminent threat to your health or safety, or to the health or safety of the public or another person
- For specialized government functions, including military activities, national security, and protective services
- To comply with workers' compensation laws
RhodesMed does not provide emergency care. If you are experiencing a medical emergency, call 911 or go to the nearest emergency department.
4. Substance Use Disorder Records
Some health information about substance use disorder treatment receives protection under federal law that goes beyond the protections HIPAA provides. Those protections are found at 42 CFR Part 2.
If RhodesMed creates, receives, maintains, or transmits records that are protected under Part 2, the following apply:
- Those records are subject to heightened confidentiality protections and may follow different rules than other protected health information
- Those records generally may not be used or disclosed in any civil, criminal, administrative, or legislative proceeding against you without your written consent or a court order that meets the requirements of federal law
- Some disclosures that HIPAA would otherwise permit are not permitted for Part 2 protected records
- You may request a restriction on the disclosure of Part 2 protected records for treatment, payment, or health care operations
Unauthorized use or disclosure of substance use disorder records may be subject to civil or criminal penalties under federal law.
6. Marketing, Sale of Information, and Fundraising
We do not sell your protected health information.
We do not send marketing or promotional text messages. The only text messages we send relate to your care and your account. If you sign up for our emails or newsletters, we may send you educational or promotional emails, and you may unsubscribe at any time.
We will not use your protected health information to send you a marketing communication without your written authorization, except where federal law permits a communication about your own treatment, care coordination, or alternative treatments.
RhodesMed does not conduct fundraising and will not use your protected health information for fundraising purposes.
7. Redisclosure by Others
Information we disclose in accordance with this notice and applicable law may be redisclosed by the person or organization that receives it. Once that happens, the information may no longer be protected by HIPAA.
Records protected under 42 CFR Part 2 carry additional restrictions on redisclosure.
8. Your Rights
You have the following rights regarding the protected health information we maintain about you. To exercise any of them, contact our Privacy Officer using the information at the end of this notice.
Right to inspect and get a copy of your record
You may inspect and get a copy of your medical and billing records. We will provide the copy in the electronic form and format you request if the record is maintained electronically and we can readily produce it that way. We will act on your request within 30 days. We may charge a reasonable, cost-based fee.
Right to request an amendment
If you believe information in your record is incorrect or incomplete, you may ask us to amend it. We may deny your request in certain circumstances, and if we do, we will tell you why in writing and explain how you may respond.
Right to request restrictions
You may ask us to restrict how we use or disclose your PHI for treatment, payment, or health care operations, or to a person involved in your care. We are not required to agree to every request.
We are required to agree to one request. If you pay for a service in full, out of pocket, you may ask us not to disclose information about that service to a health plan, and we must honor that request unless the disclosure is otherwise required by law. Because RhodesMed is a cash pay practice and does not bill insurance directly, this right is available to you for every service you receive from us.
Right to request confidential communications
You may ask us to communicate with you about your health in a particular way or at a particular location. For example, you may ask that we contact you only through the patient portal, or only at a specific phone number. We will accommodate reasonable requests.
Right to an accounting of disclosures
You may request a list of the disclosures we made of your PHI, other than disclosures for treatment, payment, health care operations, and certain other exceptions. Your request may cover a period of up to six years before the date of the request.
Right to be notified of a breach
We will notify you if a breach occurs that may have compromised the privacy or security of your protected health information.
Right to a paper copy of this notice
You may ask for a paper copy of this notice at any time, even if you agreed to receive it electronically. We will give you one promptly.
Right to choose someone to act for you
If you have given someone medical power of attorney, or if someone is your legal guardian, that person can exercise your rights and make choices about your health information. We will verify that the person has authority before we act.
9. Our Responsibilities
- We are required by law to maintain the privacy and security of your protected health information
- We will let you know promptly if a breach occurs that may have compromised the privacy or security of your information
- We must follow the duties and privacy practices described in this notice, and we must give you a copy of it
- We will not use or share your information other than as described here unless you tell us we may, in writing. If you tell us we may, you may change your mind at any time by letting us know in writing
10. Changes to This Notice
We reserve the right to change this notice, and to make the revised notice effective for all protected health information we already have as well as any information we receive in the future.
The current notice will always be posted on our website and will show the effective date. You may request a paper copy at any time.
11. Complaints
If you believe your privacy rights have been violated, you may file a complaint with us, with the Secretary of the United States Department of Health and Human Services, or with both.
To file a complaint with us, contact our Privacy Officer using the information below. To file a complaint with the federal government, write to the Office for Civil Rights, U.S. Department of Health and Human Services, 200 Independence Avenue S.W., Washington, D.C. 20201, call 1-877-696-6775, or visit hhs.gov/hipaa/filing-a-complaint.
You will not be retaliated against, penalized, or denied care for filing a complaint.
12. Contact and Privacy Officer
If you have questions about this notice, want to exercise any of your rights, or want to file a complaint, contact our Privacy Officer.
Lisa Rhodes Webber, Privacy Officer [email protected]
Phone: [CONFIRM PHONE NUMBER]
Mail: [CONFIRM MAILING ADDRESS]
This notice should be read together with our Privacy Policy, Terms of Use, Medical Disclaimer, Telehealth Consent, and Patient Financial Policy. Where this notice and another RhodesMed policy conflict, this notice and our HIPAA obligations control.
Care is provided by RhodesMed PLLC. Administrative services may be supported by 146 Holdings LLC.
For medical emergencies, call 911 or go to the nearest emergency department.