Privacy policy

Section I | Purpose and Scope

1.1 Purpose

This HIPAA Privacy Policy establishes the policies and procedures of Brezia Healing with respect to the use and disclosure of Protected Health Information (PHI) in compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as amended by the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009, and all applicable implementing regulations found at 45 CFR Parts 160 and 164 (collectively, the "HIPAA Rules").

The purpose of this policy is to:

  • Protect the privacy and security of all client health information created, received, maintained, or transmitted by Brezia Healing;
  • Describe the circumstances under which PHI may be used or disclosed;
  • Enumerate the rights of clients with respect to their health information; and
  • Establish procedures for compliance with applicable federal and state privacy law.

1.2 Scope and Applicability

This policy applies to:

  • The sole practitioner: Heather Arculeo, Licensed Clinical Social Worker, who serves as the sole clinician and Privacy Officer of Brezia Healing;
  • Any future workforce members of Brezia Healing, whether full-time, part-time, volunteer, trainee, or otherwise under direct control of Brezia Healing, regardless of whether they are paid by the practice;
  • Business Associates of Brezia Healing who access, use, or disclose PHI on behalf of the practice pursuant to a signed Business Associate Agreement.

1.3 Information Covered

This policy covers all Protected Health Information (PHI) in every form, including:

  • Electronic PHI (ePHI): Health information transmitted or stored electronically (e.g., records in TheraNest EHR, encrypted email communications, telehealth session data);
  • Verbal PHI: Health information communicated orally, including statements made during telehealth sessions, phone consultations, and voicemail messages; and
  • Written PHI: Health information documented in paper form, including intake forms, authorizations, correspondence, and printed records.

1.4 Telehealth-Specific Notice

Telehealth Practice Notice

Brezia Healing operates exclusively as a telehealth-only practice. All clinical services are delivered via the TheraNest HIPAA-compliant telehealth platform, for which a signed Business Associate Agreement is in effect. No in-person office services are provided. All references to "services," "sessions," "appointments," and "clinical contact" within this policy refer exclusively to telehealth-delivered services unless otherwise specified.

Section II | Definitions

For purposes of this policy, the following terms shall have the meanings set forth below. These definitions are consistent with those established under 45 CFR Part 160 and Part 164.

Authorization: A client's written permission, meeting specific regulatory requirements under 45 CFR 164.508, allowing Brezia Healing to use or disclose PHI for purposes beyond treatment, payment, and healthcare operations. An authorization must describe the information to be used or disclosed, the persons authorized to make the disclosure, the recipients, the purpose, an expiration date or event, and the client's signature and date.

Business Associate (BA): A person or entity that performs certain functions or activities that involve the use or disclosure of PHI on behalf of, or provides services to, a Covered Entity. Examples include electronic health record vendors, billing clearinghouses, cloud storage providers, and telehealth platform vendors. Business Associates are required to enter into a Business Associate Agreement (BAA) with Brezia Healing.

Covered Entity: A health plan, health care clearinghouse, or health care provider that transmits health information in electronic form in connection with a transaction covered by HIPAA. Brezia Healing is a Covered Entity as a healthcare provider transmitting ePHI in connection with covered transactions.

Disclosure: The release, transfer, provision of access to, or divulging in any other manner of information outside the entity holding the information. A disclosure occurs when PHI is shared with any person or organization that is not part of Brezia Healing's workforce.

Electronic Protected Health Information (ePHI): PHI that is created, received, maintained, or transmitted in electronic form. This includes records stored within TheraNest, electronic communications, and any digitally formatted health information.

Healthcare Operations: Certain administrative, financial, legal, and quality-improvement activities of a Covered Entity necessary to run the practice. Examples include quality assessment, competency assurance, training, licensing, business management, general administrative activities, and business planning. (See 45 CFR 164.501.)

Minimum Necessary: The principle that Covered Entities must make reasonable efforts to limit uses and disclosures of PHI, and requests for PHI, to the minimum amount necessary to accomplish the intended purpose. This standard is codified at 45 CFR 164.502(b) and 164.514(d).

Notice of Privacy Practices (NPP): A written notice provided to clients that describes Brezia Healing's privacy practices, the uses and disclosures it may make of PHI, client rights, and how clients may exercise those rights. Brezia Healing is required to provide a copy of the NPP to all clients and make it available upon request.

Payment: Activities undertaken by a Covered Entity to obtain or provide reimbursement for healthcare services. This includes billing, claims management, collection activities, medical necessity reviews, and coordination of benefits. (See 45 CFR 164.501.)

Protected Health Information (PHI): Individually identifiable health information that is created or received by a Covered Entity and relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care. PHI includes information that identifies the individual or that could reasonably be used to identify the individual. (See 45 CFR 160.103.)

Psychotherapy Notes: Notes recorded by a mental health professional documenting or analyzing the contents of a conversation during a private counseling session or group, joint, or family counseling session. Psychotherapy notes are held to a higher standard of protection under HIPAA and generally require separate, specific written authorization for disclosure. Psychotherapy notes do not include medication prescription and monitoring records, counseling session start and stop times, modalities and frequencies of treatment, clinical test results, summaries of diagnosis, prognosis, functional status, treatment plan, symptoms, or progress. (See 45 CFR 164.501.)

Treatment: The provision, coordination, or management of health care and related services by one or more healthcare providers, including consultation between providers regarding a patient and referrals to other providers. (See 45 CFR 164.501.)

Section III | Permitted Uses and Disclosures Without Authorization

Brezia Healing may use or disclose PHI without a client's written authorization in the following circumstances, each of which is authorized under 45 CFR 164.502 and related subparts.

3.1 Treatment, Payment, and Healthcare Operations (TPO)

Brezia Healing may use and disclose PHI without authorization for the following core purposes:

Treatment: To provide, coordinate, or manage a client's mental health care, including consultation with other healthcare providers involved in the client's care (e.g., a prescribing psychiatrist or primary care physician) and referrals to other treatment providers.

Payment: To obtain reimbursement for services rendered, including submitting claims to insurance companies or health plans, verifying coverage, and managing billing activities.

Healthcare Operations: To conduct practice management activities such as quality improvement, training, licensing, and business administration necessary to maintain the practice.

Plain-Language Summary

Brezia Healing may share your health information with other healthcare providers treating you, with your health insurance company to process payment for services, and for internal practice management — without needing your separate written permission.

3.2 As Required by Law

Brezia Healing will disclose PHI when required to do so by federal, state, or local law, to the extent and under the circumstances mandated by such law, including mandatory reporting obligations. (45 CFR 164.512(a).)

Plain-Language Summary

When the law requires Brezia Healing to share your information, we will do so — but only to the extent the law requires.

3.3 Public Health Activities

Brezia Healing may disclose PHI to authorized public health authorities for activities including the prevention or control of disease, injury, or disability; reporting births and deaths; reporting reactions to medications; and reporting to the FDA regarding products or activities under its jurisdiction. (45 CFR 164.512(b).)

Plain-Language Summary

In limited public health situations (such as a disease outbreak), Brezia Healing may share relevant health information with authorized government authorities.

3.4 Abuse, Neglect, or Domestic Violence Reporting

Brezia Healing is required by law to report suspected child abuse or neglect, elder abuse, and abuse, neglect, or domestic violence involving an adult to appropriate government authorities. Disclosures will be made to the extent required or authorized by law, and in compliance with applicable state mandatory reporting statutes. (45 CFR 164.512(c).)

Plain-Language Summary

If Brezia Healing reasonably suspects that a child, elder, or dependent adult is being abused or neglected, we are required by law to report that to the appropriate authorities. This is a legal obligation and does not require your permission.

3.5 Health Oversight Activities

Brezia Healing may disclose PHI to health oversight agencies (such as licensing boards, state insurance departments, or the HHS Office for Civil Rights) for oversight activities authorized by law, including audits, investigations, inspections, and licensure activities. (45 CFR 164.512(d).)

Plain-Language Summary

Government agencies that oversee healthcare systems may sometimes need access to health information as part of an official investigation or audit. Brezia Healing will cooperate with such authorized oversight activities.

3.6 Judicial and Administrative Proceedings

Brezia Healing may disclose PHI in response to a court order, subpoena, discovery request, or other lawful process in judicial or administrative proceedings, in accordance with the requirements of 45 CFR 164.512(e) and applicable state law. Brezia Healing will make reasonable efforts to notify the client or seek a protective order before responding to such requests, where permitted by law.

Plain-Language Summary

If a court orders Brezia Healing to release your records, or if your records are lawfully subpoenaed, we may be required to disclose certain information. Where possible, we will notify you before doing so.

3.7 Law Enforcement (Limited)

Brezia Healing may disclose PHI to law enforcement officials in limited circumstances, including responding to a court order or subpoena; identifying or locating a suspect, fugitive, material witness, or missing person; and reporting a crime in emergency circumstances. Disclosures will be limited to information expressly permitted by law. (45 CFR 164.512(f).)

Plain-Language Summary

Law enforcement access to your records is very limited. Brezia Healing will only disclose information to law enforcement when legally required or permitted, and only the information required in each specific situation.

3.8 Serious Threat to Health or Safety

Brezia Healing may use or disclose PHI if, in good faith, it believes such disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public, and the disclosure is made to a person or persons reasonably able to prevent or lessen the threat. (45 CFR 164.512(j).) This provision is consistent with applicable state duty-to-warn and duty-to-protect statutes.

Plain-Language Summary

If Brezia Healing has a good-faith belief that you or another person is in serious and imminent danger, we may share relevant information to prevent that harm — for example, contacting emergency services or a potential victim.

3.9 Workers' Compensation

Brezia Healing may disclose PHI to the extent necessary to comply with state workers' compensation laws and other similar programs that provide benefits for work-related injuries or illnesses without regard to fault. (45 CFR 164.512(l).)

Plain-Language Summary

If your treatment is related to a workplace injury, Brezia Healing may share relevant health information with workers' compensation programs as required by law.

Section IV | Uses and Disclosures Requiring Written Authorization

Except as described in Section 3 above, Brezia Healing will not use or disclose PHI without a valid written authorization signed by the client (or the client's personal representative). The following uses and disclosures always require written authorization.

4.1 Marketing

Brezia Healing will not use or disclose PHI for marketing purposes without a client's written authorization. Marketing means any communication about a product or service that encourages the recipient to purchase or use the product or service. This prohibition applies even when a third party pays for the communication. (45 CFR 164.514(e), 164.508(a)(3).)

4.2 Sale of PHI

Brezia Healing will not sell, exchange, transfer, or otherwise receive remuneration in exchange for a client's PHI without the client's written authorization. This prohibition applies regardless of the amount or form of compensation. (45 CFR 164.508(a)(4).)

4.3 Psychotherapy Notes

Psychotherapy notes receive heightened protection under HIPAA. Brezia Healing will not use or disclose a client's psychotherapy notes for any purpose — including treatment by another provider, payment, or healthcare operations — without a separate, specific written authorization from the client, except in the following narrow circumstances where no authorization is required:

  • Use by [Therapist Name] for treatment of the client who is the subject of the notes;
  • Training programs in which students, trainees, or practitioners learn under supervision;
  • Defending a legal action or other proceeding brought by the client;
  • HHS oversight investigations of Brezia Healing's compliance with HIPAA;
  • A coroner or medical examiner for the purpose of identifying a deceased person, determining cause of death, or required by law; or
  • Averting a serious and imminent threat to the health or safety of a person or the public.

4.4 Any Other Non-TPO Use or Disclosure

Any use or disclosure of PHI not described in Section 3 of this policy, and not falling within one of the exceptions described in this section, requires a valid written authorization from the client.

4.5 Authorization Requirements

A valid written authorization must include, at minimum, the following elements (45 CFR 164.508(c)):

  • A description of the PHI to be used or disclosed, identifying the information in a specific and meaningful manner;
  • The name or class of persons authorized to make the requested use or disclosure;
  • The name or class of persons to whom Brezia Healing may make the disclosure;
  • A description of each purpose of the requested use or disclosure;
  • An expiration date or an expiration event that relates to the individual or the purpose of the use or disclosure; and
  • The signature of the client (or personal representative) and the date, along with a description of the representative's authority if applicable.

4.6 Right to Revoke Authorization

A client may revoke a written authorization at any time, provided the revocation is submitted in writing to Brezia Healing. Revocation is not effective to the extent that Brezia Healing has already taken action in reliance on the authorization prior to receiving the written revocation. To revoke an authorization, clients should submit a written statement to [Email] or by mail to [Address]. (45 CFR 164.508(b)(5).)

Section V | Minimum Necessary Standard

5.1 Definition and Legal Basis

The Minimum Necessary Standard requires that Brezia Healing make reasonable efforts to limit the use and disclosure of PHI, and requests for PHI, to the minimum amount of information necessary to accomplish the intended purpose of the use, disclosure, or request. This standard is codified at 45 CFR 164.502(b) and 164.514(d) and applies to all uses and disclosures of PHI except those listed in Section 5.4 below.

5.2 Application in a Solo Telehealth Practice

As a solo telehealth practice, Brezia Healing applies the Minimum Necessary Standard in the following ways:

  • Only PHI that is necessary for each specific, identified purpose will be accessed, used, or disclosed. Brezia Healing will not use, access, or disclose more information than is needed to accomplish the stated purpose.
  • Access to TheraNest — the practice's electronic health record and telehealth platform — is limited solely to Heather Arculeo as the sole practitioner. No other individual has access to client records stored within TheraNest unless expressly authorized through a Business Associate Agreement or valid client authorization.
  • When responding to external requests for records (from other providers, insurance companies, legal entities, or others), Brezia Healing will release only the specific information requested and will verify the identity and authority of the requesting party before any disclosure.
  • Psychotherapy notes are held to a higher standard than general PHI and are subject to the separate written authorization requirement described in Section 4.3. Access to psychotherapy notes is strictly limited to the clinical provider who created them, except as otherwise permitted by law.
  • When communicating PHI via encrypted email or the TheraNest secure client portal, only the information necessary for the communication's purpose will be included in the message.

5.3 Routine and Non-Routine Disclosures

Routine Disclosures: For categories of disclosures that occur regularly (e.g., billing submissions to a health plan, coordination with a referring provider), Brezia Healing establishes standard protocols limiting the PHI shared to the minimum information consistent with the purpose of the disclosure.

Non-Routine Disclosures: For non-standard or one-time disclosure requests, Brezia Healing will review each request individually to determine whether the request is appropriate and to identify the minimum necessary PHI required to fulfill the request. The Privacy Officer (Heather Arculeo) will make this determination.

5.4 Exceptions to the Minimum Necessary Standard

The Minimum Necessary Standard does not apply to the following disclosures (45 CFR 164.502(b)(2)):

  • Disclosures to or requests by a healthcare provider for treatment purposes;
  • Disclosures to the individual who is the subject of the PHI;
  • Uses or disclosures made pursuant to a valid written authorization from the client;
  • Disclosures required for compliance with HIPAA's administrative requirements;
  • Uses or disclosures required by law; and
  • Uses or disclosures required for compliance with the HIPAA Privacy Rule's standard transactions.

5.5 Requests for PHI from Other Entities

When Brezia Healing requests PHI from another entity (e.g., a prior treating provider), the request will be limited to the minimum PHI necessary to accomplish the intended treatment, payment, or healthcare operations purpose. Requests will specify the information needed and will not solicit unnecessary PHI.

Section VI | Patient Rights

Clients of Brezia Healing have the following rights with respect to their PHI under HIPAA. To exercise any of these rights, clients should submit a written request to Brezia Healing via the TheraNest secure client portal, by email to breziahealing@gmail.com, or by mail to 128 Buckeye Ln, Milford, PA 18337. Brezia Healing will respond to all rights requests within the timeframes specified below.

6.1 Right to Access and Receive Copies of PHI

Description: Clients have the right to inspect and obtain a copy of their PHI that is maintained in a designated record set, which includes medical and billing records used to make decisions about their care. (45 CFR 164.524.)

How to Exercise: Submit a written request through the TheraNest secure client portal or in writing to [Email] or [Address]. Requests should specify the type of records requested and the preferred format.

Timeframe for Response: Brezia Healing will respond within 30 calendar days of receiving the request. One additional 30-day extension is permitted if Brezia Healing cannot meet the initial deadline, provided written notice of the delay and reason is given to the client within the original 30-day period.

Delivery Format: Records will be provided through the TheraNest secure client portal where available. Upon client request, records may be delivered via encrypted email or other secure, mutually agreed-upon method. Paper copies are available upon request.

Fees: Brezia Healing may charge a reasonable, cost-based fee for providing copies of PHI. Fees will reflect only the cost of labor for copying, supplies, and postage (if applicable), and will not include costs for searching or retrieving PHI. The fee schedule is available upon request.

Exceptions — Grounds for Denial: Brezia Healing may deny access to PHI in the following circumstances without the right to review:

  • PHI consists of psychotherapy notes;
  • PHI was compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding; or
  • PHI was obtained from someone other than a healthcare provider under a promise of confidentiality, and access would reveal the source.

If a request is denied, Brezia Healing will provide written notice of the denial with the basis for the denial and information about how to file a complaint.

6.2 Right to Amend PHI

Description: Clients have the right to request that Brezia Healing amend PHI or a record about them in a designated record set for as long as the PHI is maintained. (45 CFR 164.526.)

How to Exercise: Submit a written request identifying the specific PHI to be amended and the reason the amendment is requested, through the TheraNest portal or in writing to breziahealing@gmail.com or 128 Buckeye Ln, Milford, PA 18337.

Timeframe for Response: Brezia Healing will act on a request to amend within 60 calendar days of receiving the request. A single 30-day extension is permitted with written notice to the client.

Grounds for Denial: Brezia Healing may deny a request for amendment if the PHI or record:

  • Was not created by Brezia Healing (unless the originating entity is no longer available);
  • Is not part of the designated record set maintained by Brezia Healing;
  • Would not be available to the client for inspection and copying; or
  • Is accurate and complete as determined by Brezia Healing.

Statement of Disagreement: If a request for amendment is denied, the client has the right to submit a written statement of disagreement, which will be appended to the relevant record. Brezia Healing may prepare a written rebuttal to the statement of disagreement, a copy of which will be provided to the client.

6.3 Right to an Accounting of Disclosures

Description: Clients have the right to receive an accounting of certain disclosures of their PHI made by Brezia Healing during the six (6) years prior to the date of the request. (45 CFR 164.528.)

Disclosures Not Included: The accounting does not include disclosures made:

  • For treatment, payment, or healthcare operations;
  • To the individual who is the subject of the PHI;
  • Pursuant to a valid written authorization from the client;
  • For national security or intelligence activities;
  • To correctional institutions or law enforcement officials under limited circumstances; or
  • That are incidental to otherwise permitted uses and disclosures.

How to Exercise: Submit a written request through the TheraNest portal or in writing to breziahealing@gmail.com or 128 Buckeye Ln, Milford, PA 18337. The request should specify the time period for which the accounting is requested (not to exceed 6 years).

Timeframe for Response: Brezia Healing will provide the accounting within 60 calendar days of receiving the request. A single 30-day extension is permitted with written notice to the client.

Format: The accounting will be provided in writing and will include, for each disclosure: the date of the disclosure, the name and address of the entity or person who received the PHI, a description of the PHI disclosed, and a brief statement of the purpose or a copy of the written request for the disclosure.

Fees: The first accounting in any 12-month period will be provided at no charge. For subsequent requests within the same 12-month period, Brezia Healing will inform the client of the applicable fee before processing the request.

6.4 Right to Request Restrictions on Use and Disclosure

Description: Clients have the right to request restrictions on how Brezia Healing uses or discloses PHI for treatment, payment, or healthcare operations purposes, or disclosures to persons involved in the client's care. (45 CFR 164.522(a).)

Mandatory Restriction — Out-of-Pocket Payments: If a client pays entirely out-of-pocket (i.e., without using health insurance) for a specific service, Brezia Healing must agree to the client's request to restrict disclosure of PHI related to that service to a health plan for payment or healthcare operations purposes, provided the disclosure is not required by law.

Other Restriction Requests: Brezia Healing will consider all other restriction requests in good faith but is not required by law to agree to every restriction. If Brezia Healing agrees to a restriction, the restriction will be documented and honored, except in emergency treatment situations where the restricted PHI is needed for care.

How to Exercise: Submit a written request through the TheraNest portal or in writing to breziahealing@gmail.com or 128 Buckeye Ln, Milford, PA 18337, specifying the type of restriction requested and the PHI to which the restriction should apply.

6.5 Right to Request Confidential Communications

Description: Clients have the right to request that Brezia Healing communicate with them by alternative means or at alternative locations. For example, a client may request that appointment reminders or billing communications be sent only to a specific email address or phone number. (45 CFR 164.522(b).)

How to Exercise: Submit a written request through the TheraNest secure client portal or in writing to [Email] or [Address]. Requests need not include a reason for the requested accommodation. Brezia Healing will accommodate all reasonable requests.

Timeframe for Response: Brezia Healing will implement approved confidential communication accommodations as promptly as practicable, and will confirm the accommodation to the client in writing.

6.6 Right to a Paper Copy of the Notice of Privacy Practices

Description: Clients have the right to receive a paper copy of Brezia Healing's Notice of Privacy Practices (NPP) at any time, even if the client has previously agreed to receive the NPP electronically. (45 CFR 164.520(c).)

How to Exercise: Request a paper copy by contacting Brezia Healing at breziahealing@gmail.com or (760) 484-0562. A copy will be mailed or delivered via a secure method within a reasonable timeframe.

6.7 Right to File a Complaint

Description: Clients have the right to file a complaint if they believe their privacy rights have been violated by Brezia Healing. Complaints may be filed directly with Brezia Healing or with the United States Department of Health and Human Services (HHS) Office for Civil Rights (OCR). (45 CFR 164.530(d).)

To File a Complaint with Brezia Healing:
  • Contact: Heather Arculeo, Privacy Officer
  • Email: breziahealing@gmail.com
  • Phone: (760) 484-0562
  • Mail: 128 Buckeye Ln, Milford, PA 18337

To File a Complaint with HHS Office for Civil Rights:
  • Website: www.hhs.gov/ocr
  • Phone: 1-800-368-1019 (TDD: 1-800-537-7697)

Complaints must be filed within 180 days of the date the complainant knew or should have known of the alleged violation.

Non-Retaliation Policy: Brezia Healing will not retaliate against any client for exercising their right to file a complaint. No client will be denied services, penalized, or treated adversely in any way as a result of filing a complaint with Brezia Healing or with HHS. Any act of retaliation is strictly prohibited and will be treated as a serious compliance violation.

Section VII | Disclosure Tracking / Accounting of Disclosures

7.1 Legal Basis

Brezia Healing maintains a Disclosure Log as required by 45 CFR 164.528. This log records certain disclosures of PHI made by Brezia Healing so that clients may request an accounting of disclosures as described in Section 6.3 of this policy.

7.2 Disclosures That Must Be Tracked

Brezia Healing must track all disclosures of PHI except the following categories, which are exempt from the accounting requirement:

  • Disclosures for treatment, payment, or healthcare operations (TPO);
  • Disclosures made to the individual who is the subject of the PHI;
  • Disclosures made pursuant to a valid written authorization from the client;
  • Incidental disclosures that occur as a by-product of an otherwise permitted disclosure;
  • Disclosures for national security or intelligence activities authorized under 45 CFR 164.512(k)(2);
  • Disclosures to correctional institutions or law enforcement officials in limited circumstances under 45 CFR 164.512(k)(5); and
  • Disclosures that are part of a limited data set for research, public health, or healthcare operations.

7.3 Disclosure Log Format

All trackable disclosures will be recorded in the Brezia Healing Disclosure Log. The log will include the following information for each disclosure (an example entry is shown in brackets):

  • Date of Disclosure: [Date]
  • Name / Entity Disclosed To: [Name or Organization]
  • Address / Contact of Recipient: [Address / Email / Phone]
  • Description of PHI Disclosed: [General description of PHI — e.g., "Treatment summary and diagnosis"]
  • Purpose of Disclosure: [e.g., "Required by court order" / "Mandatory abuse report"]
  • Requested By: [e.g., Client / Court / Agency]

7.4 Maintenance and Storage of the Disclosure Log

The Disclosure Log is maintained within TheraNest and/or as a separately secured, encrypted document stored on Heather Arculeo's encrypted device or cloud storage covered by a signed BAA. The log is accessible only to Heather Arculeo and will be produced upon a client's written request for an accounting.

7.5 Retention Period

The Disclosure Log will be retained for a minimum of six (6) years from the date of the disclosure or from the date the policy was in effect, whichever is later, consistent with 45 CFR 164.528(b)(2) and HIPAA's general documentation retention standard at 45 CFR 164.530(j).

7.6 Client Request for Accounting

A client wishing to receive an accounting of disclosures must submit a written request to Brezia Healing specifying the time period for which the accounting is requested (not to exceed six years prior to the date of the request). Requests may be submitted through the TheraNest portal or in writing to breziahealing@gmail.com or 128 Buckeye Ln., Milford, PA 18337. Brezia Healing will respond within 60 calendar days. The first accounting in any 12-month period is provided at no charge; subsequent requests in the same 12-month period may be subject to a reasonable cost-based fee, of which the client will be notified in advance.

Section VIII | Telehealth-Specific Privacy Provisions

Because Brezia Healing operates exclusively as a telehealth practice, the following provisions govern all clinical services and the handling of PHI in the telehealth environment.

8.1 HIPAA-Compliant Telehealth Platform

All telehealth sessions are conducted exclusively through TheraNest, a HIPAA-compliant electronic health record and telehealth platform. A Business Associate Agreement (BAA) is in place between Brezia Healing and TheraNest. No telehealth sessions will be conducted via non-HIPAA-compliant consumer video platforms (e.g., FaceTime, WhatsApp, Zoom personal accounts, Skype, or similar platforms) without a specific HIPAA-compliant configuration and corresponding BAA.

8.2 Client Responsibilities in the Telehealth Environment

While Brezia Healing maintains responsibility for its systems and safeguards, clients share responsibility for maintaining privacy within their own telehealth environment. Clients are encouraged to:

  • Conduct sessions from a private location where others cannot overhear the conversation;
  • Use a secure, password-protected internet connection (avoid public Wi-Fi networks when possible);
  • Use a personal device rather than a shared or public computer;
  • Ensure that any household members are not within hearing range during sessions; and
  • Log out of the TheraNest client portal after each use.

Brezia Healing is not responsible for breaches of confidentiality that occur within the client's own environment or as a result of the client's own devices, networks, or conduct.

8.3 Prohibition on Recording Sessions

Brezia Healing will not record any telehealth session without first obtaining the client's specific, advance written consent. The consent must describe the purpose of the recording, how the recording will be stored and protected, who will have access to it, and when it will be destroyed. Clients may withhold consent to recording without penalty and may revoke consent in writing at any time. Similarly, clients may not record sessions without the prior written consent of Heather Arculeo.

8.4 Prohibition on Third-Party Observers

No third parties (e.g., supervisors, students, family members, or guests) may observe or participate in telehealth sessions without the client's prior written informed consent. If a client requests that a third party join a session, consent must be documented prior to the session in which the third party participates.

8.5 Screen Sharing Limitations

Screen sharing during telehealth sessions will be limited to clinically necessary content only. No PHI belonging to another client or individual will be visible during screen sharing activities. Heather Arculeo will take reasonable precautions (such as closing non-relevant applications and tabs) to prevent incidental disclosure of PHI prior to screen sharing.

8.6 Storage of Clinical Records

All session notes, clinical assessments, treatment plans, progress notes, and client-related documentation are stored exclusively within TheraNest. No unsecured physical or digital copies of session content will be maintained outside of TheraNest or other HIPAA-compliant, BAA-covered systems. Brezia Healing does not use unencrypted email, unencrypted cloud storage, or personal messaging applications to store or transmit PHI.

8.7 Technical Failures and Contingency Plans

In the event of a technical failure that interrupts a telehealth session, Heather Arculeo will contact the client via the pre-established backup contact method (e.g., phone call to the number on file). Discussions held during an interrupted session will be treated as PHI and will not be transmitted through non-secure means.

Section IX | Business Associate Agreements (BAAs)

9.1 Definition and Requirement

A Business Associate is any individual or entity that performs functions or activities on behalf of Brezia Healing that involve the creation, receipt, maintenance, or transmission of PHI, or that provides services to Brezia Healing that require the disclosure of PHI. (45 CFR 160.103.) HIPAA requires that Covered Entities enter into a written Business Associate Agreement (BAA) with each Business Associate prior to any disclosure of PHI to that entity. (45 CFR 164.504(e).)

9.2 BAA Requirement Policy

Brezia Healing requires a signed BAA with every vendor, contractor, subcontractor, or service provider who creates, receives, maintains, or transmits PHI on behalf of the practice. No PHI will be disclosed to a Business Associate without a fully executed BAA in place. The BAA must include, at minimum, the provisions required by 45 CFR 164.504(e)(2), including obligations regarding safeguarding PHI, permitted uses and disclosures, and requirements for breach notification.

9.3 Confirmed Business Associate Agreement

  • Vendor / Service Provider: TheraNest
  • Function: Electronic Health Record (EHR) and HIPAA-compliant telehealth platform; storage of all clinical records, appointment scheduling, billing, and client portal
  • BAA Status: BAA in Place
  • Date of BAA: [Date of BAA Execution]

9.4 Additional Vendor Categories Requiring BAAs

The following categories of vendors used or potentially used by Brezia Healing require signed BAAs before PHI may be disclosed to or processed by those vendors:

  • Billing clearinghouse: Any third-party clearinghouse used to submit or process insurance claims on behalf of Brezia Healing;
  • Email service provider: Any email platform used to transmit PHI or communications containing PHI (must support end-to-end encryption and provide a BAA — e.g., Google Workspace for Healthcare, Microsoft 365 for Healthcare);
  • E-signature platform: Any digital signature service used to execute client authorizations, consents, or other PHI-containing documents (e.g., DocuSign, Adobe Sign — healthcare-configured with BAA);
  • Cloud storage provider: Any cloud-based file storage service used to store or back up PHI (must be HIPAA-compliant and provide a signed BAA); and
  • Accounting or billing software: Any financial management software that processes client payment information in conjunction with health information.

9.5 Maintenance and Annual Review of BAAs

All executed Business Associate Agreements are maintained on file by [Therapist Name] in a secure, encrypted location. BAAs are reviewed at a minimum on an annual basis to ensure continued compliance with current HIPAA requirements and to verify that the scope of each BAA remains adequate for the current business relationship. Any vendor that cannot or will not execute a BAA will not be permitted to access, process, or store PHI on behalf of Brezia Healing.

Section X | Safeguards for PHI

Brezia Healing maintains administrative, technical, and physical safeguards to protect PHI from unauthorized access, use, or disclosure, consistent with the requirements of the HIPAA Privacy Rule (45 CFR 164.530(c)) and the HIPAA Security Rule (45 CFR Part 164, Subpart C).

10.1 Administrative Safeguards

  • Privacy Officer Designation: Heather Arculeo serves as the designated Privacy Officer responsible for developing, implementing, and enforcing this HIPAA Privacy Policy and all related privacy practices.
  • Workforce Training: Any current or future workforce member will receive HIPAA privacy and security training prior to accessing PHI, and will receive refresher training at least annually and whenever material changes to this policy or applicable law occur.
  • Risk Assessments: Brezia Healing will conduct an annual Security Risk Assessment to identify potential vulnerabilities to the confidentiality, integrity, and availability of ePHI, and will implement reasonable and appropriate measures to reduce identified risks.
  • Sanction Policy: Any workforce member who fails to comply with this policy or applicable HIPAA requirements will be subject to appropriate sanctions, up to and including termination of the working relationship and/or reporting to applicable licensing or regulatory authorities.
  • Privacy Complaint Procedures: Procedures are in place to receive and respond to privacy complaints as described in Section 12 of this policy.

10.2 Technical Safeguards

  • Encrypted EHR Platform: All PHI is stored within TheraNest, which provides encryption of data at rest and in transit, ensuring that PHI is not accessible to unauthorized individuals.
  • Multi-Factor Authentication (MFA): Access to TheraNest and other systems containing PHI requires multi-factor authentication. [Therapist Name] will maintain MFA on all accounts with access to PHI.
  • Encrypted Email: When PHI must be communicated via email, only HIPAA-compliant, encrypted email services covered by a signed BAA will be used. Unencrypted email will not be used to transmit PHI.
  • Automatic Session Logout: TheraNest and any other platform containing PHI will be configured to automatically time out after a period of inactivity to prevent unauthorized access.
  • Password Security: All accounts with access to PHI will use strong, unique passwords, which will be changed regularly and not shared with any other individual.
  • Device Security: All devices used to access PHI (computers, tablets, smartphones) will maintain current operating system and software updates, and will have active antivirus and firewall protection where applicable.

10.3 Physical Safeguards

  • Private Workspace: All telehealth sessions are conducted from a private, locked workspace that prevents unauthorized individuals from overhearing clinical conversations.
  • Screen Privacy: Computer screens used for telehealth sessions and documentation will be positioned to prevent viewing by unauthorized individuals. A privacy screen filter is recommended.
  • Workstation Security: When Heather Arculeo is away from a workstation, screens will be locked and sensitive materials will be secured.
  • Paper Records: Any paper PHI (e.g., signed authorizations, paper intake forms) will be stored in locked, secure storage and destroyed via cross-cut shredding when no longer needed or upon expiration of the applicable retention period.

10.4 Telehealth-Specific Safeguards

  • All telehealth sessions are conducted exclusively through TheraNest's HIPAA-compliant video platform;
  • No unsecured or consumer-grade video applications (e.g., FaceTime, personal Zoom, Google Meet without a BAA) will be used to conduct clinical sessions or communicate PHI;
  • PHI will not be transmitted via standard SMS text messaging or unencrypted messaging applications;
  • TheraNest session links will not be shared publicly or forwarded to unauthorized individuals; and
  • The secure client portal within TheraNest is the primary means of client communication for scheduling, document exchange, and clinical correspondence.

Section XI | Breach Notification Policy

11.1 Definition of a Breach

A "breach" is defined as the acquisition, access, use, or disclosure of PHI in a manner not permitted by the HIPAA Privacy Rule that compromises the security or privacy of the PHI. (45 CFR 164.402.) Brezia Healing applies a presumption that any impermissible use or disclosure of PHI constitutes a breach, unless Brezia Healing demonstrates that there is a low probability that the PHI has been compromised based on the four-factor risk assessment described below.

11.2 Low Probability of Compromise: Four-Factor Risk Assessment

To rebut the presumption of a breach, Brezia Healing will conduct a risk assessment considering the following four factors (45 CFR 164.402(2)):

  1. The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
  2. The identity of the unauthorized person who used or received the PHI, and whether the person was under an obligation to protect its privacy;
  3. Whether the PHI was actually acquired or viewed, or whether only the opportunity for access existed; and
  4. The extent to which the risk of compromise has been mitigated.

If all four factors indicate a low probability of compromise, the incident may be treated as a non-breach. Otherwise, the full breach notification process applies. The outcome of every risk assessment will be documented in the Breach Log.

11.3 Notification to Affected Clients

Following the discovery of a breach of unsecured PHI, Brezia Healing will provide written notification to each affected client without unreasonable delay and in no case later than 60 calendar days after discovery of the breach. (45 CFR 164.404.)

The breach notification to clients will include, to the extent possible:

  • A brief description of the breach, including the date of the breach and the date of its discovery;
  • A description of the types of PHI involved in the breach;
  • Steps the client should take to protect themselves from potential harm;
  • A brief description of Brezia Healing's investigation, mitigation steps, and measures taken to prevent future breaches; and
  • Contact information for the client to ask questions or receive additional information (name, phone number, email address, and mailing address of the Privacy Officer).

11.4 Notification to HHS

Brezia Healing will notify the U.S. Department of Health and Human Services (HHS) of breaches as follows (45 CFR 164.408):

  • Breaches affecting fewer than 500 individuals: Brezia Healing will report such breaches to HHS on an annual basis using the HHS web portal, no later than 60 days after the end of each calendar year in which the breach was discovered.
  • Breaches affecting 500 or more individuals: Brezia Healing will report such breaches to HHS promptly and without unreasonable delay, and in no case later than 60 calendar days after discovery of the breach. Such breaches may also require notification to prominent media outlets serving the affected state or jurisdiction.

11.5 Breach Log Maintenance

Brezia Healing maintains a Breach Log that documents all identified incidents, including both confirmed breaches and incidents that were assessed and determined not to constitute a breach. For each incident, the log will record: the date of discovery, a description of the incident, the PHI involved, the number of individuals affected, the results of the four-factor risk assessment, actions taken in response, and dates and recipients of notifications. The Breach Log is retained for a minimum of six (6) years.

Section XII | Complaints and Non-Retaliation

12.1 Internal Complaint Submission

Any client, or any individual acting on behalf of a client, who believes that Brezia Healing has violated their HIPAA privacy rights or this policy may submit a written complaint to the Privacy Officer. Complaints should be submitted as follows:

  • Privacy Officer: Heather Arculeo
  • Email: breziahealing@gmail.com
  • Phone: (760) 484-0562
  • Mailing Address: 128 Buckeye Ln., Milford, PA 18337

Brezia Healing will acknowledge receipt of the complaint and investigate all complaints in good faith. The Privacy Officer will document the complaint, conduct a thorough review, and respond to the complainant in writing with the outcome of the investigation and any corrective actions taken, within a reasonable timeframe.

12.2 Complaints to HHS Office for Civil Rights

Clients also have the right to file a complaint directly with the U.S. Department of Health and Human Services, Office for Civil Rights (OCR), if they believe that Brezia Healing has violated their HIPAA rights. Complaints to OCR must be filed within 180 days of the date the complainant knew or should have known of the alleged violation (unless OCR grants a waiver of this time limit for good cause).

  • Website: www.hhs.gov/ocr
  • Phone: 1-800-368-1019
  • TDD: 1-800-537-7697
  • Mail: U.S. Department of Health and Human Services, Office for Civil Rights, 200 Independence Avenue, S.W., Washington, D.C. 20201

12.3 Absolute Non-Retaliation Policy

Brezia Healing strictly prohibits retaliation against any client, workforce member, or other individual who:

  • Files a complaint with Brezia Healing or with HHS regarding a perceived HIPAA violation;
  • Exercises any right granted under this policy or under HIPAA;
  • Participates in an investigation, compliance review, or proceeding related to HIPAA; or
  • Opposes any practice that the individual reasonably believes violates HIPAA.

No client will be denied services, disadvantaged, threatened, coerced, discriminated against, or subjected to any adverse action as a result of filing a complaint or exercising their rights. Any act of retaliation by a workforce member will be treated as a serious compliance violation and subject to immediate corrective action. (45 CFR 164.530(g).)

Section XIII | Policy Review and Updates

13.1 Annual Review Requirement

This HIPAA Privacy Policy will be reviewed at a minimum on an annual basis, consistent with the requirements of 45 CFR 164.530(i). The annual review will be conducted by [Therapist Name] as Privacy Officer and will assess whether the policy remains current, complete, and consistent with applicable law and the operational realities of Brezia Healing.

13.2 Grounds for Policy Update

In addition to the annual review, this policy will be updated whenever:

  • There are material changes in federal or state privacy law applicable to the practice;
  • There are changes in Brezia Healing's operations, technology systems, or vendor relationships that affect the handling of PHI;
  • New guidance is issued by HHS or OCR that materially affects compliance obligations;
  • A security incident, breach investigation, or compliance review reveals gaps or deficiencies in the policy; or
  • The practice expands, adds workforce members, or changes its services in ways that affect privacy practices.

Material changes to this policy that affect client rights or the practice's privacy practices will be reflected in an updated Notice of Privacy Practices, which will be distributed to clients and made available upon request.

13.3 Version History

  • Version: 1.0
  • Effective Date: 5/31/2026
  • Description of Change: Initial policy adoption — comprehensive HIPAA Privacy Policy established for Brezia Healing telehealth practice.
  • Reviewed / Approved By: Heather Arculeo, Privacy Officer

Section XIV | Acknowledgment and Adoption

By signing below, the Privacy Officer of Brezia Healing acknowledges that this HIPAA Privacy Policy has been reviewed, approved, and officially adopted as the binding privacy policy of Brezia Healing, effective as of the date stated on the cover page. The Privacy Officer affirms responsibility for the implementation, enforcement, and annual review of this policy.

Annual Review Acknowledgments

The Privacy Officer must sign below following each annual review of this policy to confirm the policy has been reviewed and, if applicable, updated.