Privacy Policy & Notice of Privacy Practices

EFFECTIVE DATE: JANUARY 1, 2026 · HIPAA-COMPLIANT NOTICE

Who We Are & Scope of This Notice

Norman Family Medicine P.C. ("the Practice," "we," "us," or "our") is a New Jersey–based physician-owned medical practice operating as a hybrid care model that includes telehealth services, Direct Primary Care (DPC) membership, cash-pay visits, and insurance-based care (pending credentialing). This Notice of Privacy Practices ("Notice") describes how we may use and disclose your Protected Health Information (PHI) and your rights regarding that information.

This Notice applies to all services provided by Norman Family Medicine P.C., including but not limited to virtual Telehealth consultations, in-person office visits (once our physical location opens), phone and secure messaging communications, and all administrative interactions such as scheduling, billing, and referrals.

1. Information We Collect

We collect the following categories of information to provide you with care and manage our practice:

Health & Clinical Information

  • Medical history, diagnoses, conditions, symptoms, and clinical notes

  • Medications, allergies, immunizations, and laboratory/diagnostic results

  • Mental health and behavioral health information

  • Family medical history where clinically relevant

  • Telehealth session content including audio/video when applicable

Demographic & Contact Information

  • Full name, date of birth, gender identity, and contact details

  • Emergency contact information

  • Insurance information (where applicable)

  • Payment and billing data, including credit card or bank information for cash-pay and DPC membership fees

Technical & Device Information (Telehealth)

  • IP address, device type, and browser/app information used during telehealth visits

  • Date and time of telehealth sessions

  • Patient portal login activity and access logs

2. How We Use Your Information

Treatment

We use and share your PHI to provide, coordinate, and manage your medical care, including sharing relevant information with specialists, pharmacies, laboratories, hospitals, or other health care providers involved in your care.

Payment

We may use or disclose your PHI to obtain payment for services, including verifying insurance eligibility (once credentialing is complete), submitting claims, processing DPC membership fees, and handling cash-pay billing and collections.

Health Care Operations

We may use your PHI for quality assessment, clinical audits, compliance reviews, staff training, and business planning necessary to maintain and improve our practice.

Uses & Disclosures Requiring Authorization

The following require your written authorization, and you may revoke that authorization at any time:

  • Marketing communications or sale of your PHI

  • Psychotherapy notes (if applicable and maintained separately)

  • Most disclosures of your PHI for purposes unrelated to your care

  • Disclosures to family, friends, or third parties unless you are incapacitated or it is necessary in an emergency

Disclosures Required or Permitted by Law (Without Authorization)

  • Public health reporting and disease surveillance to authorities such as the State Department of Health

  • Reports of abuse, neglect, or domestic violence as required by State law

  • Health oversight activities by government agencies (e.g., CMS, OIG)

  • Judicial and administrative proceedings pursuant to a court order or subpoena

  • Law enforcement purposes as permitted under HIPAA

  • To avert a serious threat to health or safety

  • Workers' compensation where applicable

3. Telehealth-Specific Privacy Practices

Norman Family Medicine P.C. provides telehealth services through HIPAA-compliant video conferencing and secure messaging platforms. The following practices govern the privacy and security of your telehealth visits:

  • All telehealth sessions are conducted through platforms with which we have a signed Business Associate Agreement (BAA) as required by HIPAA.

  • You are responsible for ensuring your own privacy during telehealth sessions (e.g., being in a private location). We are not responsible for any inadvertent disclosure of your information in your environment.

  • Secure patient messaging (e.g., through a patient portal) is the preferred method of non-urgent communication. Unencrypted email or standard SMS is NOT used for PHI transmission unless you have expressly acknowledged and accepted the associated risk in writing.

  • We may collect metadata associated with your telehealth sessions (e.g., connection duration, device type) solely for operational and billing purposes.

4. Payment Models & Financial Information

Norman Family Medicine P.C. operates under multiple payment models, each with distinct privacy implications:

Direct Primary Care (DPC) Membership

DPC membership fees are charged on a recurring basis and constitute a direct contractual relationship between you and the Practice. DPC billing does not involve submission of claims to your health insurance and therefore your insurer is not notified of individual services rendered under this arrangement. However, your PHI may still be shared as described under Treatment, Payment, and Operations.

Cash-Pay Services

For cash-pay visits and services, the Practice does not submit claims to any insurance company. However, upon your request, we will provide you with a superbill (an itemized receipt with procedure and diagnosis codes) that you may submit to your insurer independently. Please note that by requesting and receiving this superbill, you are directing this disclosure.

Insurance Billing (Pending Credentialing)

Once the Practice is credentialed with health plans, insurance billing will involve sharing relevant PHI with your insurer, including diagnosis codes, procedure codes, referring provider information, and other information necessary to adjudicate claims. Your insurer's privacy practices are governed by their own Notice of Privacy Practices, which is separate from ours.

5. Your HIPAA Rights

You have the following rights with respect to your PHI. To exercise any of these rights, submit a written request to our Privacy Officer at the address below.

Right to Access & Copy

You have the right to inspect and receive a copy of your medical records, typically within 30 days of your request. We may charge a reasonable, cost-based fee. Electronic records must be provided in electronic format if requested.

Right to Amend

You may request that we amend PHI that you believe is inaccurate or incomplete. We may deny the request under certain circumstances and will notify you in writing of any denial.

Right to Request Restrictions

You may request restrictions on how we use or disclose your PHI. We are not required to agree to all restrictions, except that we must agree to restrict disclosures of PHI to your health plan if you are a cash-pay patient and the services relate only to items or services you paid for out-of-pocket in full.

Right to Confidential Communications

You may request that we communicate with you by alternative means or at an alternative location (e.g., call your cell phone only, not a home number). We will accommodate reasonable requests.

Right to a Paper Copy of This Notice

You may request a paper copy of this Notice at any time, even if you have agreed to receive it electronically.

6. Data Security & Technology Safeguards

Norman Family Medicine P.C. implements administrative, physical, and technical safeguards consistent with the HIPAA Security Rule to protect your electronic PHI (ePHI):

  • Encryption of ePHI in transit and at rest using industry-standard protocols

  • Multi-factor authentication required for staff access to patient records

  • Role-based access controls ensuring only authorized personnel can access PHI

  • Audit logging of all access to patient records

  • Signed Business Associate Agreements with all third-party vendors who handle ePHI

  • Annual security risk assessments and workforce training on HIPAA requirements

  • A documented breach notification policy consistent with HIPAA's Breach Notification Rule

In the event of a breach of unsecured PHI, we will notify you without unreasonable delay and within 60 days of discovery, consistent with applicable law.

7. Third-Party Business Associates

We engage third-party vendors ("Business Associates") to assist in operating our practice, including but not limited to electronic health record (EHR) systems, telehealth platforms, payment processors, billing services, and IT support. Each Business Associate is required to enter into a Business Associate Agreement with us, committing to protect your PHI in accordance with HIPAA. We remain responsible for ensuring these agreements are in place and that our Business Associates handle PHI appropriately.

8. Changes & Contact Information

We reserve the right to change this Notice at any time. Changes will apply to all PHI we maintain, including PHI created or received before the change. Updated Notices will be posted on our website and made available in our office. We will also notify DPC members of material changes by email.

Privacy Officer/Contact

Norman Family Medicine, P.C.
Privacy@normanfamilymedicine.com