Privacy notice.

Overview

New York Comprehensive Wellness Management, LLC (NYCWM) operates as a HIPAA Business Associate under 45 CFR 164.502(e) and 164.504(e), and is subject to New York's Health Information Privacy Act. Discretion is our core value - we proactively guard all data and coordinate care between clients and clinicians without treating clients or managing clinicians directly. This Privacy Notice explains how we handle your Protected Health Information (PHI) strictly within our care coordination role.

Important Definitions

Under federal HIPAA regulations, a "Covered Entity" means healthcare providers, health plans, and healthcare clearinghouses that electronically transmit health information in connection with standard transactions. A "Business Associate" performs functions involving PHI use or disclosure on behalf of a Covered Entity. NYCWM exclusively serves as a Business Associate to healthcare providers who qualify as Covered Entities. "Protected Health Information" means individually identifiable health information held or transmitted by a Covered Entity or Business Associate. We use the term "Client" to refer to patients and "Clinician" to refer to medical providers and professionals involved in the client's treatment journey.

1. Protected Health Information We Collect

Under the HIPAA minimum necessary standard (45 CFR 164.502(b) and 164.514(d)), we collect only the minimum PHI required for care coordination. For clients: name, contact information (email, phone), and care coordination plans and notes. For clinicians: name, credentials, contact information, and care coordination communications. We never collect PHI unrelated to care coordination.

We do not collect, store, or maintain clinical notes, medical charts, diagnostic information, or other core clinical PHI. Clinicians store and maintain their own clinical data containing PHI in their own electronic health record systems. Clinicians only provide - and we only collect - PHI specifically related to care coordination in our systems.

2. How We Use and Disclose PHI

Under 45 CFR 164.502 and our Business Associate Agreements, we use PHI exclusively for healthcare operations and care coordination. We coordinate care based on external clinical assessments performed by contractor clinicians. We do not treat clients or manage clinicians - we only coordinate care between them. Our permitted uses include:

  • Connecting clients with appropriate clinicians

  • Coordinating treatment plans between providers

  • Facilitating communication for care coordination

  • Maintaining records required for care coordination

3. HIPAA-Required Disclosures and Authorizations

Under 45 CFR 164.502, we only disclose PHI as permitted by law or authorized by you in writing. We never share information outside the client journey and our care coordination systems except when you explicitly authorize release per HIPAA requirements. Any such releases require explicit written authorization complying with 45 CFR 164.508 standards, including a specific description of the information, the purpose, the recipient, and the expiration date.

4. HIPAA Security Rule Compliance

Under the HIPAA Security Rule (45 CFR Part 164, Subpart C), our enterprise systems implement administrative, physical, and technical safeguards to protect PHI confidentiality, integrity, and availability. This means data encryption in transit and at rest, role-based access controls, audit logging of all PHI access, regular security risk assessments, and comprehensive staff training on HIPAA requirements.

We maintain Business Associate Agreements with all Covered Entity partners per 45 CFR 164.504(e) requirements and ensure subcontractors meet identical HIPAA security standards. Our systems undergo regular security audits to maintain compliance with federal HIPAA requirements and New York State hospital cybersecurity regulations.

5. Cookies and Website Technologies

We use minimal tracking technologies necessary for website functionality and performance monitoring. We do not use cookies or tracking for marketing or advertising purposes.

6. Business Associate Obligations

Under 45 CFR 164.502(e) and 164.504(e), NYCWM operates exclusively as a Business Associate serving Covered Entities (clinician providers who meet HIPAA's definition). We maintain signed Business Associate Agreements specifying permitted PHI uses, minimum necessary access, safeguarding requirements, breach notification procedures, and termination protocols.

As a Business Associate, we are directly liable under HIPAA for privacy and security violations per the HITECH Act. We accept full responsibility for protecting PHI in our custody and ensuring compliance with federal HIPAA requirements and New York's Health Information Privacy Act where applicable.

7. Your Federal and State Privacy Rights

Under HIPAA (45 CFR 164.522-164.528) and New York law, you have specific rights regarding PHI we maintain. As a Business Associate, we coordinate with Covered Entities to honor these rights:

  • Right to access PHI under 45 CFR 164.524 (coordinated through your Covered Entity provider)

  • Right to request PHI amendments under 45 CFR 164.526

  • Right to request restrictions on PHI use or disclosure under 45 CFR 164.522

  • Right to accounting of PHI disclosures under 45 CFR 164.528 (six-year period)

  • Right to file HIPAA complaints with HHS Office for Civil Rights without retaliation

  • Right to request confidential communications through alternative means or locations

8. New York State Additional Protections

As a New York-formed entity, we comply with New York's Health Information Privacy Act (S929) and hospital cybersecurity regulations (10 NYCRR § 405.46) beyond federal HIPAA requirements. These laws provide additional protections for health-related information. Where we process regulated health information under New York law, we implement security measures that meet or exceed both federal and state standards for comprehensive data protection.

9. Changes to This Privacy Notice

We may update this Privacy Notice to reflect changes in our practices, federal HIPAA requirements, or New York State healthcare privacy laws. Material changes affecting PHI use or disclosure will be communicated in accordance with 45 CFR 164.520 notice requirements and posted prominently on our website.

10. Contact Us and Complaints

For questions about this Privacy Notice, your HIPAA rights, or our privacy practices, contact us through the information on our website. To file a HIPAA complaint, contact us directly or file with the U.S. Department of Health and Human Services, Office for Civil Rights. We do not retaliate against individuals for filing complaints or exercising HIPAA rights.

Last updated: September 2025