HIPAA NOTICE OF PRIVACY PRACTICES

THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.

1. WHO WE ARE

Black Forest MD of Florida, PLLC, a Florida Professional Limited Liability Company (the “Practice”), is a Covered Entity under the Health Insurance Portability and Accountability Act of 1996, as amended (“HIPAA”), and is committed to protecting the privacy of your Protected Health Information (“PHI”).

The Practice operates the telehealth medical service available at blackforestmd.com. Black Forest Management Services LLC, a Delaware limited liability company (“BFMS”), performs only non-clinical functions on behalf of the Practice (technology platform, marketing, billing administration, scheduling, and customer support) as a HIPAA Business Associate of the Practice, pursuant to a Business Associate Agreement. BFMS does not provide medical care and is not a Covered Entity. The Practice may also affiliate with other state-specific medical practices (each, a “Practice Affiliate”) to provide care to patients in their respective states; each Practice Affiliate is independently a Covered Entity.

This Notice describes how the Practice (and BFMS, in its role as a Business Associate) may use and disclose your PHI, and your rights regarding your PHI.

2. WHAT IS PROTECTED HEALTH INFORMATION?

PHI is health information that identifies you and relates to your past, present, or future physical or mental health, the health care you receive, or payment for that care. PHI includes information transmitted or maintained in any form (electronic, written, oral).

3. HOW WE MAY USE AND DISCLOSE YOUR PHI

3.1 Treatment

We may use and disclose PHI to provide medical care to you, including:

  • Sharing PHI with your treating clinician
  • Sharing PHI with the compounding pharmacy that fills your prescriptions
  • Coordinating care with Practice Affiliates in your state
  • Documenting your care in our electronic health record (Canvas Medical)

3.2 Payment

We may use and disclose PHI to obtain payment for services, including:

  • Billing your payment method on file
  • Processing subscription payments
  • Confirming prescription fulfillment with the pharmacy

We are a cash-pay practice and do not bill insurance.

3.3 Health Care Operations

We may use and disclose PHI for our operational activities, including:

  • Quality assurance
  • Provider training and credentialing
  • Compliance audits
  • Business management and planning
  • De-identification of PHI for analytics and research, using the HIPAA Safe Harbor method (45 CFR § 164.514(b)(2)) — i.e., the removal of all 18 specified identifiers — so that the de-identified data is no longer PHI

3.4 Disclosures Required by Law

We may use and disclose PHI when required by law, including:

  • Public health activities (e.g., reporting communicable diseases, adverse drug events to FDA’s MedWatch)
  • Health oversight activities (e.g., audits, investigations by HHS, state medical boards, FDA)
  • Judicial and administrative proceedings (e.g., subpoenas, court orders)
  • Law enforcement (in specified limited circumstances)
  • Coroners, medical examiners, funeral directors (as legally required)
  • Workers’ compensation (where applicable)
  • National security and intelligence activities (as legally required)

3.5 Reproductive Health Care — Special Protections

Effective February 16, 2026, in accordance with the HIPAA Privacy Rule to Support Reproductive Health Care Privacy (45 CFR § 164.502(a)(5)(iii)), we will not use or disclose your PHI for any of the following purposes:

  • To conduct a criminal, civil, or administrative investigation into any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care, where that care was lawful in the state where it was provided; or
  • To identify any person for purposes of such an investigation or proceeding.

When PHI potentially related to reproductive health care is requested for health-oversight, judicial, administrative, law-enforcement, or coroner/medical-examiner purposes (Section 3.4 above), we will require the requester to sign a written attestation that the PHI will not be used or disclosed for any of the prohibited purposes above.

3.6 Other Permitted Uses and Disclosures

We may use and disclose PHI:

  • To you, when you request your own PHI
  • To family members, friends, or others involved in your care, but only when you agree
  • To a personal representative legally authorized to make health care decisions on your behalf (e.g., a parent of a minor, a healthcare surrogate, or a holder of a healthcare power of attorney), to the extent permitted by applicable law
  • For appointment reminders, treatment alternatives that we offer ourselves and for which we do not receive financial remuneration from a third party, or health-related benefits and services
  • For business associates that perform functions on our behalf
  • For emergencies (limited to what is necessary)

3.7 Uses and Disclosures Requiring Your Written Authorization

The following uses and disclosures require your written authorization:

  • Most uses and disclosures of psychotherapy notes
  • Uses and disclosures of PHI for marketing (other than face-to-face communication or promotional gifts of nominal value)
  • Sale of PHI
  • Uses and disclosures of PHI subject to stricter protection under state or federal law (see Sections 3.8 and 5.11)

We do not sell your PHI. We do not use your PHI for advertising. We do not share your PHI with advertising platforms (including Meta, Google, TikTok, LinkedIn, or any other third-party advertising network).

3.8 Substance Use Disorder Records

The Practice does not currently provide substance use disorder treatment. Records of any such treatment, if ever provided through the Practice, would be subject to the additional federal confidentiality protections of 42 CFR Part 2, which require specific written consent for most disclosures.

3.9 Catchall — All Other Uses Require Authorization

Any use or disclosure of your PHI not described in this Notice will be made only with your prior written authorization. You may revoke that authorization at any time in writing, except to the extent we have already taken action in reliance on it.

4. WHO ELSE WE DO NOT DISCLOSE YOUR PHI TO

To make this absolutely clear, we do not disclose your PHI to:

  • Meta (Facebook, Instagram, WhatsApp)
  • Google (including Google Analytics, Google Ads, YouTube)
  • TikTok
  • LinkedIn
  • Other social media platforms
  • Advertising networks or data brokers
  • Marketing analytics platforms that are not HIPAA-eligible
  • Any other entity for marketing or advertising purposes

For operational analytics, we use HIPAA-eligible tools (such as Freshpaint) that strip PHI before any data is transmitted to third parties. Advertising platforms receive only sanitized, de-identified conversion data — never PHI.

5. YOUR RIGHTS REGARDING YOUR PHI

5.1 Right to Access — Including Electronic Format

You have the right to inspect and obtain a copy of your PHI maintained in a designated record set. If we maintain your PHI electronically (which we do, in our electronic health record), you may request that copy in electronic format, and we will provide it in the form and format you request if readily producible, or in a readable electronic form and format as agreed.

We will respond within 30 days of your written request. We may charge a reasonable, cost-based fee that includes only labor for copying, supplies (such as paper or portable media), postage if mailed, and (if you specifically request) preparing an explanation or summary.

5.2 Right to Request Amendment

You may request that we amend PHI you believe is inaccurate or incomplete. We may deny the request if we did not create the information, the information is not part of the designated record set, or we determine the information is accurate and complete. If we deny your request, you have the right to submit a statement of disagreement.

5.3 Right to an Accounting of Disclosures

You have the right to receive an accounting of certain disclosures of your PHI made in the six years prior to your request (other than disclosures for treatment, payment, health care operations, or as specifically permitted). One accounting per 12-month period is free; additional accountings may be subject to a reasonable cost-based fee.

5.4 Right to Request Restrictions

You may request restrictions on certain uses or disclosures of your PHI. We are not required to agree to your request, except for disclosures to health plans for items or services you have paid for in full out of pocket.

5.5 Right to Confidential Communications

You may request that we communicate with you about medical matters by alternative means or at alternative locations (e.g., a different phone number or address). We will accommodate reasonable requests.

5.6 Right to a Paper Copy of This Notice

You have the right to obtain a paper copy of this Notice, even if you have agreed to receive it electronically. Request a copy by emailing [email protected].

5.7 Right to Be Notified of a Breach

You have the right to be notified following a breach of unsecured PHI affecting you. For Florida residents, we will notify you within 30 days of our determination of a breach, in accordance with the Florida Information Protection Act (Fla. Stat. § 501.171). HIPAA permits up to 60 days; we apply the shorter Florida standard for Florida residents. For non-Florida residents, we will notify you within the shorter of (a) the federal HIPAA 60-day standard or (b) the shorter standard required by your state of residence.

5.8 Right to Revoke Authorization

If you have given us a written authorization to use or disclose your PHI for purposes other than treatment, payment, or health care operations, you may revoke that authorization at any time in writing. Revocation does not affect uses or disclosures already made in reliance on the authorization.

5.9 Florida Patient Records Rights (Fla. Stat. § 456.057)

If you are a Florida resident, you have additional rights under Florida law to access copies of your medical records, including:

  • The right to obtain a complete copy of your medical records upon written request to the Practice
  • The right to receive the records within a reasonable time after request
  • The right to receive copies for a reasonable cost-based fee
  • The right to authorize disclosure of your records to other healthcare providers or third parties of your choosing
  • The right to refuse certain disclosures, subject to exceptions required by Florida law

Florida law (Fla. Stat. § 456.057) also restricts disclosure of patient records absent the patient’s written authorization, subject to enumerated exceptions (including emergency care, court order, and statutorily-required disclosures).

5.10 Right to Direct Your PHI to a Third Party

Under the federal HITECH Act (42 U.S.C. § 17935(e)) and the 21st Century Cures Act information-sharing rules, you may request that we transmit your PHI in electronic format directly to a third party of your choosing — such as another healthcare provider, a personal health-data application, or a family member you designate. The request must be in writing, signed by you, and clearly identify the third-party recipient and the destination (email address, mailing address, or system identifier).

5.11 Stricter Protections for Sensitive Florida Information

Certain categories of health information are subject to stricter protection under Florida law than under HIPAA. These categories will not be disclosed without your specific written authorization, except in the narrow circumstances enumerated by the applicable Florida statute:

  • HIV / AIDS test results and related records — Fla. Stat. § 381.004
  • Mental health treatment records — Fla. Stat. § 394.4615 (and the federal Baker Act framework where applicable)
  • Genetic information — Fla. Stat. § 760.40, as well as the federal Genetic Information Nondiscrimination Act (“GINA”)

Reproductive health care information is additionally protected under Section 3.5 of this Notice.

6. OUR DUTIES

We are required by law to:

  • Maintain the privacy of your PHI
  • Provide you with this Notice and abide by its terms
  • Notify you in the event of a breach of unsecured PHI

We reserve the right to change this Notice. Any changes will apply to PHI we already have about you as well as PHI we receive in the future. We will post the updated Notice on the Site and provide a paper or electronic copy on request. The Effective Date and Version at the top of this Notice will be updated each time.

7. LANGUAGES AND ACCESSIBILITY

This Notice is available in English. Upon request, we will provide this Notice in Spanish and, where reasonably available, in other languages. Patients with limited English proficiency or with disabilities affecting reading, vision, or comprehension may request language assistance services or reasonable accommodation (including large-print or alternative-format copies) at no cost by emailing [email protected].

8. COMPLAINTS

If you believe your privacy rights have been violated, you may file a complaint with us at:

Privacy Officer
Black Forest MD of Florida, PLLC
3196 N Federal Hwy a, Boca Raton, FL 33431, United States
Email: [email protected]

9. ACKNOWLEDGMENT OF RECEIPT

By accepting the Terms of Service during account creation, or by signing an acknowledgment form provided by the Practice, you provide written electronic acknowledgment of receipt of this Notice in accordance with 45 CFR § 164.520(c)(2)(ii).

If we are unable to obtain your written acknowledgment of receipt, we will document our good-faith effort to obtain it and the reason it could not be obtained, as required by HIPAA. The absence of an acknowledgment does not affect the lawfulness of any use or disclosure of your PHI consistent with this Notice and applicable law.