Privacy Practices

Last Revised  October 19, 2020 (“Effective Date”)

THIS NOTICE OF PRIVACY PRACTICES DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW THIS NOTICE CAREFULLY.

DermDocs, P.C. is a California professional medical corporation which engages in the practice of medicine under the names DermDocs and Portrait, and provides Dermatology care and treatment to its patients, including but not limited to cosmetic dermatology, personalized skin care services, delivery of personalized dermatological products and telemedicine services (collectively, the “Services”). Portrait Health, Inc. provides certain administrative services to DermDocs, P.C. and owns and operates the website located at portraitspa.com and other related websites and mobile applications with links (collectively, the “Site”) to this Notice of Privacy Practices (“Notice”). For purposes of this Notice, the references to “we,” “us,” or “our” will refer as applicable to both DermDocs, P.C. and Portrait Health, Inc. and each of their respective Affiliates. The term “Affiliates” means any entity or person that controls, is controlled by, or under common control with, such as a subsidiary, parent company, agent, representative or employee.

DermDocs, P.C. and Portrait Health, Inc. understand that information about you and your health is personal and respects the privacy of each and every person, and is committed to protecting and maintaining the confidentiality of all of your personal and protected health information (“PHI”). We continuously seek to safeguard this information through administrative, physical, and technical means, and otherwise to abide by applicable federal and state data privacy and security guidelines.

This Notice describes how your PHI may be used and disclosed by us and how you can get access to this information. This Notice will serve as a summary of your privacy rights. We must provide you with this Notice and follow the terms of this Notice while it is in effect. Your use of the Services indicates your acceptance of the terms of this Notice. PLEASE REVIEW THIS NOTICE CAREFULLY.

Under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), we are required by law to maintain the privacy of health information that identifies you, which is called protected health information (PHI), and to provide you with notice of our legal duties and privacy practices regarding PHI. We are committed to the protection of your PHI and will make reasonable efforts to ensure the confidentiality of your PHI as required by statute and regulation. We take this commitment seriously and will work with you to comply with your right to receive certain information under HIPAA.

What are our obligations regarding the privacy and confidentiality of your PHI?

We are required by law to maintain the privacy and confidentiality of your PHI and to provide you with this Notice of its legal duties and privacy practices with respect to your PHI.

How do we use and disclose your PHI?

The following categories explain the types of uses and disclosures of PHI that we are permitted to make under HIPAA. Some of the uses and disclosures may be limited or restricted by state laws or other legal requirements. Please contact us, using the information provided at the end of this Notice, for specific information regarding applicable state laws.

Treatment.We may use PHI to provide your medical care and treatment. We may disclose PHI to our employees and other health care professionals who are involved in coordinating or providing the care you need. For example, we may share your PHI with other physicians or other health care providers who will provide services that we do not provide. Or we may share this information with a pharmacist who needs it to dispense a prescription to you, or a laboratory that performs a test. We may also disclose PHI to members of your family or other authorized persons who can help you when you are sick or injured, or after you die.

Payment.We may use and disclose your PHI to bill and obtain payment for the services we provide. For example, we may provide your health plan the information it requires before it will pay us. We may also disclose information to other health care providers to assist them in obtaining payment for services they have provided to you or to coordinate health care or health benefits.

Health Care Operations.We may use and disclose your PHI for the operation of its medical practice. For example, we may use and disclose this information to review and improve the quality of care we provide, or the competence and qualifications of our professional staff. Or we may use and disclose this information to get your health plan to authorize services or referrals. We may also use and disclose this information as necessary for medical reviews, legal services and audits, including fraud and abuse detection and compliance programs and business planning and management. We may also share your medical information with our "business associates," such as our billing service, that perform administrative services for us. We have a written contract with each of these business associates that contains terms requiring them and their subcontractors to protect the confidentiality and security of your protected health information. We may also share your information with other health care providers, health care clearinghouses, or health plans that have a relationship with you. They may request this information to help them with their quality assessment and improvement activities, their patient-safety activities, their population-based efforts to improve health or reduce health care costs, their protocol development, case management or care- coordination activities, their review of competence, qualifications and performance of health care professionals, their training programs, their accreditation, certification or licensing activities, or their health care fraud and abuse detection and compliance efforts. We may also share your PHI with the other health care providers, health care clearinghouses and health plans that participate with us in "organized health care arrangements" (OHCAs) for any of the OHCAs' health care operations. OHCAs include hospitals, physician organizations, health plans, and other entities which collectively provide health care services. A listing of the OHCAs we participate in is available from our Privacy Officer.

Appointment Reminders.We may use and disclose PHI to contact and remind you about appointments. We may also use and disclose PHI to tell you about health- related benefits and services that may be of interest to you.

Notification of Individuals Involved in Your Care.We may disclose your PHI to a family member, your personal representative or another person responsible for your care. We may also notify your family or authorized person about your location , your general condition or, unless you have instructed us otherwise, in the event of your death. In the event of a disaster, we may disclose information to a relief organization so that they may coordinate these notification efforts. We may also disclose information to someone who is involved with your care or helps pay for your care. If you are able and available to agree or object, we will give you the opportunity to do so prior to making these disclosures. We may disclose this information in a disaster, even over your objection, if we believe it is necessary to respond to the emergency circumstances. If you are unable or unavailable to agree or object, our health professionals will use their best judgment in communication with your family and others.

Business Associates.We may disclose PHI to its business associates to perform certain business functions or provide certain business services to us. For example, we may use another company to perform billing services on our behalf. All of our business associates are required to maintain the privacy and confidentiality of your PHI. In addition, at the request of your health care providers or health plan, we may disclose PHI to their business associates for purposes of performing certain business functions or health care services on their behalf. For example, we may disclose PHI to a business associate of Medicare for purposes of medical necessity review and audit.

Marketing.Provided we do not receive any payment for making these communications, we may contact you to give you information about products or services related to your treatment, case management or care coordination, or to direct or recommend other treatments, therapies, health care providers or settings of care that may be of interest to you. We will not otherwise use or disclose your medical information for marketing purposes or accept any payment for other marketing communications without your prior written authorization. The authorization will disclose whether we receive any compensation for any marketing activity you authorize, and we will stop any future marketing activity to the extent you revoke that authorization.

Required by Law.We must disclose PHI if required to do so by federal, state or local law, but we will limit our use or disclosure to the relevant requirements of the law.

Public Health.We may, and sometimes are required by law, to disclose your PHI to public health authorities for purposes related to: preventing or controlling disease, injury or disability; reporting child, elder or dependent adult abuse or neglect; reporting domestic violence; reporting to the Food and Drug Administration problems with products and reactions to medications; and reporting disease or infection exposure. When we report suspected elder or dependent adult abuse or domestic violence, we will inform you or your personal representative promptly unless in our best professional judgment, we believe the notification would place you at risk of serious harm or would require informing a personal representative we believe irresponsible for the abuse or harm.

Health Oversight Activities.We may, and are sometimes required by law, to disclose your PHI to health oversight agencies during the course of audits, investigations, inspections, licensure and other proceedings, subject to the limitations imposed by law.
Coroners, Medical Examiners and Funeral Directors. We may disclose PHI to a coroner, medical examiner, or funeral director for the purpose of identifying a deceased person, determining cause of death, or for performing some other duty authorized by law.

Personal Representative.We may disclose PHI to your personal representative, as established under applicable law, or to an administrator, executor, or other authorized individual associated with your estate.

Correctional Institution.We may disclose the PHI of an inmate or other individual when requested by a correctional institution or law enforcement official for health, safety, and security purposes.

Serious Threat to Health or Safety.We may disclose PHI if necessary to prevent or lessen a serious and/or imminent threat to health or safety to a person or the public or for law enforcement authorities to identify or apprehend an individual.

Judicial and Administrative Proceedings.We may, and sometimes are required by law, to disclose your health information in the course of any administrative or judicial proceeding to the extent expressly authorized by a court or administrative order. We may also disclose information about you in response to a subpoena, discovery request or other lawful process if reasonable efforts have been made to notify you of the request and you have not objected, or if your objections have been resolved by a court or administrative order

Law Enforcement.We may, and sometimes are required by law, to disclose your PHI for law enforcement purposes, including reporting of certain types of wounds or physical injuries or in response to a court order, warrant, subpoena, summons or similar process authorized by law. We may also disclose PHI when the information is needed for identifying or locating a suspect, fugitive, material witness or missing person; about a victim of a crime; about an individual who has dies; in relation to criminal conduct on our premises; or in emergency circumstances to report a crime, the location of a crime, or victims, or the identity, description or location of a person who has committed a crime.

Workers' Compensation.We may disclose your PHI as necessary to comply with workers' compensation laws. For example, to the extent your care is covered by workers' compensation, we will make periodic reports to your employer about your condition. We are also required by law to report cases of occupational injury or occupational illness to the employer or workers' compensation insurer.

Change of Ownership.In the event that DermDocs, P.C. or Portrait Health, Inc. is sold or merged with another organization, your health information/record will become the property of the new owner, although you will maintain the right to request that copies of your health information be transferred to another physician or medical group.

Research.We may disclose your PHI for research purposes. Limited data or records may be viewed by researchers to identify patients who may qualify for their research project or for other similar purposes, so long as the researchers do not remove or copy any of the PHI. Before we use or disclose PHI for any other research activity, one of the following will happen: 1) a special committee will determine that the research activity poses minimal risk to privacy and that there is an adequate plan to safeguard PHI; 2) if the PHI relates to deceased individuals, the researchers give us assurances that the PHI is necessary for the research and will be used only as part of the research; or 3) the researcher will be provided only with information that does not identify you directly.

Government Functions.In certain situations, we may disclose the PHI of military personnel and veterans, including Armed Forces personnel, as required by military command authorities. Additionally, we may disclose PHI to authorized officials for national security purposes, such as protecting the President of the United States, conducting intelligence, counter-intelligence, other national security activities, and when requested by foreign military authorities. Disclosures will be made only in compliance with U.S. Law.

Fundraising.We may use or disclose your demographic information in order to contact you for our fundraising activities. If you do not want to receive these materials, notify the Privacy Officer listed at the top of this Notice of Privacy Practices and we will stop any further fundraising communications.

De-identified Information and Limited Data Sets.We may use and disclose health information that has been “de-identified” by removing certain identifiers making it unlikely that you could be identified. We also may disclose limited health information, contained in a “limited data set”. The limited data set does not contain any information that can directly identify you. For example, a limited data set may include your city, county and zip code, but not your name or street address.

Please note that in some cases, state law may require that we apply extra protections to some of your health information.

What are our responsibilities with respect to the security of your PHI?

The importance of security for all personal information including, but not limited to, PHI associated with you, is of utmost concern to us. We use reasonable and appropriate safeguards to protect the security and confidentiality of your PHI and other personal information. We take care to provide secure transmission of your PHI and other personal information from your PC or mobile device to our servers and/or the Site. PHI and other personal information collected by the Site is stored in secure operation environments that are not available to the public. Only those of our employees or agents who need access to your PHI and other personal information in order to do their jobs are allowed access, and only after they have been trained regarding our confidentiality obligations. Further, our password and authentication system is user specific to ensure that users can only see the specific information to which they have been granted access. Any employee or agent who violates our privacy and security policies is subject to disciplinary action, including possible termination and civil and/or criminal prosecution. You will be notified of any unauthorized access, use, or disclosure of your unsecured PHI as required by law.

What are my privacy rights with respect to my PHI?

We are required by law to maintain the privacy of your PHI and other personal information, to provide this Notice to you and to abide by the terms of this Notice, and to tell you if there has been a breach that compromises your PHI or other personal information.

What other rights do I have with respect to my PHI?

You have the following rights regarding the PHI that we maintain about you:

Right to Inspect and Receive Copies– With some exceptions, you have the right to inspect and receive copies of the PHI used to make decisions about your care, provided you submit a request in writing to do so. Typically this includes medical and/or billing records. We may deny your request to inspect such PHI in limited circumstances, but must inform you of the reason for such a denial and you have the right to request a review of the denial. We may charge a reasonable fee for the costs of processing your request. Please contact us atsupport@portraitspa.com to make such a request.

Right to Amend– If you believe we are maintaining PHI about you that is inaccurate or incomplete, you have the right to request an amendment to your record, provided you submit a request in writing and state a reason that supports your request. We may deny your request to amend your record if such a request is not submitted in writing and/or does not include a reason supporting your request. We also may deny your request if you ask us to amend information that we did not create (unless the person or entity that created the information is no longer available to make the amendment), is not part of the records used by us to make decisions about you, and/or is not part of the information you are permitted to inspect and to receive a copy of, or is accurate and/or complete. Please contact us atsupport@portraitspa.comto make such a request.

Right to an Accounting of Disclosures– You have the right to get a list of the disclosures made of your PHI. This list will not include all disclosures we have made; for example, this list will not include disclosures made for purposes of treatment, payment, or health care operations, or disclosures that you specifically approved. You can request this list to include disclosures for up to six years prior to the date of the request. The first request in a 12-month period is provided to you at no cost. There may be a charge for subsequent requests within the same 12- month period. To request this list, you must do so in writing and on the approved form, which will be provided to you upon request. Please contact us atsupport@portraitspa.com to make such a request.

Right to Request Restrictions– You have the right to request a restriction or limitation on the PHI that are used or disclosed for purposes of treatment, payment, or health care operations. You also have the right to request a limitation on the PHI that is used or disclosed to someone who is involved in your care (or in the payment for your care) (e.g., family, friend). Subject to certain exceptions, we are not required to comply with your request; however, if we agree to comply with your request, we will fulfill your request unless the information is needed to provide you with emergency treatment or if otherwise required by federal or state law. To request such restrictions or limitations, you must do so in writing and on the approved form, which will be provided to you upon request. Please contact us atsupport@portraitspa.com to make such a request.

Right to Request Confidential Communications– You have the right to request confidential communications of your PHI. You may request that we communicate with you through specific means or at a specific location. We will attempt to accommodate all reasonable requests. To request such confidential communications, you must do so in writing and on the approved form, which will be provided to you upon request. Please contact us atsupport@portraitspa.com to make such a request.

Right to a Paper Copy of This Notice– You may request that we provide you with a written copy of this Notice at any time. Even if you have agreed to receive this Notice electronically, you have a right to a paper copy of this Notice if you so desire. Please contact us atsupport@portraitspa.com to make such a request.

Right to Require Written Authorization– Any uses or disclosures of your PHI, other than those described above, will be made only with your advance written authorization, which you may grant or revoke at any time.

How do I exercise my rights under HIPAA?

To exercise any of your rights described in this Notice, you must send a written request to: Portrait Health, Inc., 8910 University Center Ln Ste 400, San Diego, CA 92122 or via e-mail tosupport@portraitspa.com. Patients may update insurance and/or billing information through the Site or by contacting the Patient Billing Department using the phone number indicated on the billing invoice.

How will I know about any changes made to the information in this Notice?

We reserve the right to make changes to this Notice and to our privacy policies from time to time. When changes are made, we will promptly update this Notice and post the information on the Site. Until such amendment is made, we will comply with the terms of the notice of our privacy policies currently in effect. After an amendment is made, the revised Notice will apply to all protected health information that we maintain, regardless of when it was created or received.

What if I need to make a complaint?

If you believe that your privacy has been violated, or that either DermDocs, P.C. or Portrait Health, Inc. has not followed its legal obligations under HIPAA, you may file a complaint with us or with the Secretary of the U.S. Department of Health and Human Services (“Secretary”). We will not retaliate or penalize you for filing a complaint with us or the Secretary.

To file a complaint with us or to receive more information contact:

E-mail Address:support@portraitspa.com
Mailing Address:8910 University Center Ln Ste 400
San Diego, CA 92122

To file a complaint with the Secretary of the U.S. Department of Health and Human Services, call (877) 696-6775 or write to:

Hubert H. Humphrey Building
200 Independence Ave., S.W.,
Washington, D.C. 20201

Who must abide by the terms of this Notice?

This Notice pertains to the actions to be taken by:

  • Any physician or other health care professional authorized by DermDocs, P.C. to access and/or enter information into your medical record (“Treating Provider”); 
  • All departments and units through which  the Services are provided; and 
  • All our affiliates and volunteers.

Your personal health care providers may have different policies or notices of privacy practices regarding the use and disclosure of your health information created in their offices.

Who may I contact with questions about this Notice?

For more information on our privacy policies or your rights under HIPAA, contact Praveen Ramineni atsupport@portraitspa.com.