Notice of Privacy Practices
Effective Date: 02/16/2026
THIS NOTICE DESCRIBES HOW HEALTH INFORMATION ABOUT YOU (MAY BE USED AND DISCLOSED, AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW THIS NOTICE CAREFULLY.
Our commitment to your privacy
BlueSprig Pediatrics, Inc. is dedicated to maintaining the privacy of your health information. In conducting our business, we will create records about you and the treatment and services we provide to you. We are required by law, including the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) to maintain the confidentiality of health information that identifies you. This information is called Protected Health Information or “PHI.” We also are required by law to provide you with this Notice of Privacy Practices (“Notice”), which explains our legal duties and the privacy practices, as well as your rights, with respect to the PHI that we collect and maintain. We must follow the terms of this Notice.
We realize that these laws are complicated, but we must provide you with the following important information:
• How we may use and disclose your PHI
• Your privacy rights regarding your PHI
• Our obligations concerning the use and disclosure of your PHI
The terms of this Notice apply to all records containing your PHI that are created or retained by BlueSprig Pediatrics. We reserve the right to change the privacy practices described in this Notice. Any change to this Notice will be effective for all of your records that our practice has created or maintained in the past, and for any of your records that we may create or maintain in the future. BlueSprig will post a copy of our current Notice in our offices in a visible location at all times, and you may request a copy of our most current Notice at any time. You may also access this Notice on our website at https://www.bluesprigautism.com/.
How We May Use and Disclose Your PHI
We are permitted under federal law to use and disclose PHI, without your written authorization, for certain routine uses and disclosures, such as those made for treatment, payment, and the operation of our business. The following are examples of the types of routine uses and disclosures of PHI that we are permitted to make. While this list is not exhaustive, it should give you an idea of the routine uses and disclosures we are permitted to make.
• For Treatment. We will use and disclose your PHI to provide, coordinate, or manage your treatment. For example, we need to use PHI to provide you with healthcare services, or we may share your PHI with other healthcare providers who are involved in your care and need the information to provide you with care.
• For Health Care Operations. We will use or disclose your PHI in order to support our business activities and run our practice. These activities include, but are not limited to conducting quality assurance activities, such as for evaluating the quality and competence of physicians, nurses and other healthcare workers; to perform customer service activities, or for investigating complaints. We may use also your PHI to create de-identified information. This means that we remove information from your PHI so it can no longer identify you. De-identified information is not protected under HIPAA. We can use de-identified information without restriction.
• For Payment. Your PHI will be used and disclosed to bill for and obtain payment for the health care services we provide you. For example, we may share your PHI with your health plan so that they will pay for your treatment. We may use or disclose your PHI in the following situations without your authorization or by providing you with the opportunity to object.
• Required by the Secretary of Health and Human Services: We may be required to disclose your PHI to the Secretary of Health and Human Services to investigate or determine our compliance with the requirements of the final rule on Standards for Privacy of Individually Identifiable Health Information.
• Required By Law: We may use or disclose your PHI to the extent that the use or disclosure is otherwise required by federal, state or local law.
• Public Health: We may disclose your PHI for public health activities, such as disclosures to a public health authority or other government agency that is permitted by law to collect or receive the information (e.g., the Food and Drug Administration).
• Health Oversight: We may disclose PHI to a health oversight agency for activities authorized by law, such as audits, investigations, and inspections. Oversight agencies include government agencies that oversee the health care system, government benefit programs, other government regulatory programs and civil rights laws.
• Abuse or Neglect: If you have been a victim of abuse, neglect, or domestic violence, we may disclose your PHI to a government agency authorized to receive such information. In addition, we may disclose your PHI to a public health authority that is authorized by law to receive reports of child abuse or neglect.
• Judicial and Administrative Proceedings: We may disclose your PHI in response to an order of a court or administrative tribunal (to the extent such disclosure is expressly authorized), and, in certain conditions, in response to a subpoena, discovery request or other lawful process.
• Law Enforcement: We may disclose your PHI, so long as applicable legal requirements are met, for law enforcement purposes, such as providing information to the police about the victim of a crime.
• Coroners and Funeral Directors: We may disclose your PHI to a coroner, medical examiner, or funeral director if it is needed to perform their legally authorized duties.
• Organ Donation: If you are an organ donor, we may disclose your PHI to organ procurement organizations as necessary to facilitate organ donation or transplantation.
• Research: Under certain circumstances, we may disclose your PHI to researchers when their research has been approved by an institutional review board that has reviewed the research proposal and established protocols to ensure the privacy of your PHI.
• Serious Threat to Health or Safety: We may disclose your PHI if we believe it is necessary to prevent a serious and imminent threat to the public health or safety and it is to someone we reasonably believe is able to prevent or lessen the threat.
• Specialized Government Functions: When the appropriate conditions apply, we may disclose PHI for purposes related to military or national security concerns, such as for the purpose of a determination by the Department of Veterans Affairs of your eligibility for benefits.
• National Security and Intelligence Activities: We may disclose your PHI to authorized federal officials for intelligence, counterintelligence, protection of the President, other authorized persons or foreign heads of state, for purpose of determining your own security clearance and other national security activities authorized by law.
• Workers’ Compensation: We may disclose your PHI as necessary to comply with workers’ compensation laws and other similar programs.
• Inmates: We may use or disclose your PHI if you are an inmate of a correctional facility and we created or received your PHI in the course of providing care to you.
• Business Associates: We may disclose your PHI to people who perform functions, activities or services to us or on our behalf that require the use or disclosure of PHI. To protect your health information, we require the business associate to appropriately safeguard your information.
Unless you object, we may disclose to a member of your family, a relative, a close friend or any other person you identify, orally or in writing, your PHI that directly relates to that person’s involvement in your health care. If you are unable to agree or object to such disclosure, we may disclose such information as necessary if we determine that it is in your best interest based on our professional judgment. We may use or disclose your PHI to notify or assist in notifying a family member, personal representative or any other person that is responsible for your care of your location or general condition.
The following uses and disclosures of your PHI will be made only with your written authorization:
• Psychotherapy Notes: We must obtain your written authorization for most uses and disclosures of psychotherapy notes.
• Marketing: We must obtain your written authorization to use and disclose your PHI for most marketing purposes.
• Sale of PHI: We must obtain your written authorization for any disclosure of your PHI which constitutes a sale of PHI.
• Other Uses: Other uses and disclosures of your PHI, not described above, will be made only with your written authorization (unless otherwise permitted or required by law). You may revoke your authorization, at any time, in writing, except to the extent that we have acted in reliance on the authorization.
Special Privacy Protections for Substance Use Disorder (SUD) Records
Certain health information regarding substance use disorder (SUD) treatment is protected by federal law (42 CFR Part 2). These records have stricter confidentiality protections. If we create, receive, or maintain these records:
• We may not use or disclose these records for treatment, payment, or health care operations without your written consent, except as permitted by law.
• You have specific rights related to these records, including the right to limit disclosures and the right to revoke consent.
• We must follow the special confidentiality rules that apply to these records.
Records protected under 42 CFR Part 2 will not be used or disclosed in civil, criminal, administrative, or legislative proceedings unless:
• You provide written consent, or
• A court issues an order authorizing the disclosure after you have been given notice and an opportunity to be heard.
More Stringent Federal and State
Certain federal and state laws may be more stringent than HIPAA. We will continue to abide by these more stringent state and federal laws.
Notice of Potential Redisclosure
Information disclosed pursuant to this Notice may be redisclosed by the recipient and may no longer be protected by HIPAA, except where prohibited by law.
Fundraising Communications
If we use or disclose PHI for fundraising, you have the right to opt out of such communications. SUD records will not be used for fundraising without your written consent.
Your Rights
You have certain rights regarding your PHI, which are explained below. You may exercise these rights by submitting a request in writing to our Privacy Officer.
• You have the right to inspect and copy your PHI. If you would like to see or get an electronic or paper copy your PHI that is contained in a designated record set (e.g., medical and billing records), we are required to provide you access to such PHI for inspection and copying within 30 days after receipt of your request (with up to a 30-day extension if needed). We may charge you a reasonable fee to cover duplication, mailing and other costs incurred by us in complying with your request. In addition, there are situations where we may deny your request for access to your PHI. For example, we may deny your request if we believe the disclosure will endanger your life or that of another person. Depending on the circumstances of the denial, you may have a right to have this decision reviewed.
• You have the right to request a restriction of your PHI. This means you may ask us not to use or disclose any part of your PHI for purposes of treatment, payment or health care operations. You may also request that any part of your PHI not be disclosed to family members or friends who may be involved in your care or for notification purposes as described in this Notice. Your request must state the specific restriction requested and to whom you want the restriction to apply. We are not required to agree to a restriction that you may request, except we must agree not to disclose your PHI to your health plan if the disclosure (1) is for payment or health care operations and is not otherwise required by law, and (2) relates to a health care item or service which you paid for in full out of pocket. If we agree to the requested restriction, we may not use or disclose your PHI in violation of that restriction unless it is needed to provide emergency treatment.
• You have the right to request to receive confidential communications from us by alternative means or at an alternative location. You have the right to request that we communicate with you in a certain way or at a certain location. We will accommodate reasonable requests. We may also condition this accommodation by asking you for information as to how payment will be handled or specification of an alternative address or other method of contact.
• You have the right to amend your PHI. This means you may request an amendment of your PHI in our records that is contained in a designated record set (e.g., medical and billing records) for as long as we maintain the PHI. We will respond to your request within 60 days (with up to a 30-day extension if needed). We may deny your request if, for example, we determine that your PHI is accurate and complete. If we deny your request, we will send you a written explanation and allow you to submit a written statement of disagreement.
• You have the right to receive an accounting of certain disclosures that we have made of your PHI. You have the right to receive an accounting of certain disclosures we have made, if any, of your PHI. This right only applies to disclosures for purposes other than treatment, payment or health care operations as described in this Notice. It also excludes disclosures we may have made to you, your family members or friends involved in your care. The right to receive this information is subject to certain exceptions, restrictions and limitations. You must specify a time period, which may not be longer than 6 years. You may request a shorter timeframe. You have the right to one free request within any 12-month period, but we may charge you for any additional requests in the same 12-month period. We will notify you about any such charges, and you are free to withdraw or modify your request in writing before any charges are incurred. We will respond to your request within 60 days (with up to a 30-day extension if needed).
• You have the right to obtain a paper copy of this Notice from us.
• You have the right to be notified if you are affected by a breach of unsecured PHI.
• You have the right to opt out of receiving fundraising communications from us. We may contact you for fundraising purposes. You have the right to opt out of receiving these communications. SUD records will not be used for fundraising without your written consent.
• You have the right to file a complaint if you believe your privacy rights have been violated.
Filing a Complaint
You may file a complaint by contacting Blue Sprig Pediatrics, Inc. at (833) 227-0693, our Privacy Officer at (866) 221-4070, or [email protected].
You may also file a complaint with the U.S. Department of Health and Human Services via https://ocrportal.hhs.gov/ocr/smartscreen/main.jsf or by sending written communication to:
Centralized Case Management Operations
U.S. Department of Health and Human Services
200 Independence Avenue, S.W.
Room 509F HHH Bldg.
Washington, D.C. 20201
We will not retaliate against you for filing a complaint.