Privacy Policy

Your privacy and the security of your health information are our priority

Effective Date: January 1, 2024
Last Updated: January 1, 2025

Arcadia Health ("we," "us," or "our") is committed to protecting the privacy and security of your personal information and protected health information (PHI). This Privacy Policy describes how we collect, use, disclose, and safeguard information obtained through our website at arcadia-health.com and through the cardiovascular healthcare services we provide at our practice located at 6025 Walnut Grove Road, Suite 310, Memphis, TN 38120.

1. HIPAA Compliance

As a cardiology practice, Arcadia Health is a covered entity under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its implementing regulations, including the HIPAA Privacy Rule, the HIPAA Security Rule, and the HITECH Act. We are committed to full compliance with all applicable federal and state laws governing the privacy and security of protected health information.

This Privacy Policy supplements our Notice of Privacy Practices (NPP), which provides additional detail about how we may use and disclose your PHI for treatment, payment, and healthcare operations purposes. A copy of our Notice of Privacy Practices is available upon request at our office, through our patient portal, or by contacting us using the information provided below.

2. Information We Collect

Protected Health Information (PHI)

In the course of providing cardiovascular healthcare services, we collect and maintain PHI, which may include:

  • Your name, date of birth, address, phone number, and email address
  • Social Security number (when required for insurance billing)
  • Medical history, cardiac diagnoses, treatment plans, and clinical notes
  • Cardiac test results including echocardiograms, stress tests, catheterization reports, electrophysiology studies, and imaging reports
  • Electrocardiogram (ECG/EKG) recordings and Holter monitor data
  • Insurance information and billing records
  • Prescription and medication history, including anticoagulants, antiarrhythmics, and other cardiac medications
  • Device data from pacemakers, ICDs, and implantable loop recorders
  • Referral information from your primary care physician or other specialists

Website Information

When you visit our website, we may automatically collect certain non-identifying information, including:

  • Browser type and version
  • Operating system
  • Pages visited and time spent on our site
  • Referring website or search terms
  • IP address (anonymized for analytics purposes)

Appointment Request Information

When you submit a consultation request through our website contact form, we collect the information you provide, including your name, email address, phone number, reason for visit, referring physician, and any additional notes. This information is transmitted securely and used solely for the purpose of scheduling your cardiac consultation.

3. How We Use Your Information

We use your information for the following purposes:

  • Treatment: To provide, coordinate, and manage your cardiovascular care, including cardiac testing, procedures, consultations, referrals, prescriptions, and coordination with hospitals where we maintain admitting privileges (Baptist Memorial Hospital, Methodist Le Bonheur Healthcare).
  • Payment: To bill and collect payment for cardiology services, including verifying insurance coverage, submitting claims, obtaining prior authorizations for procedures, and processing patient payments.
  • Healthcare Operations: To support internal operations such as quality improvement, clinical auditing, staff training, compliance monitoring, and practice management.
  • Communication: To contact you regarding appointment reminders, test results, follow-up care instructions, device check reminders, and health-related information relevant to your cardiac treatment.
  • Patient Portal: To provide you with secure access to your cardiac test results, appointment history, and provider messaging through our electronic patient portal.
  • Website Improvement: To analyze website usage patterns and improve the functionality and content of our site.

4. How We Protect Your Information

We implement administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of your PHI, as required by the HIPAA Security Rule. These safeguards include:

  • Encryption of electronic PHI both in transit and at rest, including cardiac imaging files and device interrogation data
  • Secure access controls requiring unique user identification and authentication for all staff with access to patient records
  • Regular security risk assessments and vulnerability testing
  • Workforce training on HIPAA privacy and security requirements, conducted annually and upon hire
  • Physical security measures including locked record storage, restricted facility access, and secured areas for cardiac testing equipment
  • Business Associate Agreements (BAAs) with all third-party vendors who may access PHI, including our electronic health record vendor, device manufacturers, and billing services
  • Incident response procedures for investigating and mitigating potential breaches
  • Secure disposal of paper records and electronic media containing PHI

5. Disclosure of Your Information

We do not sell, rent, or trade your personal information or PHI. We may disclose your information in the following circumstances:

  • With your written authorization: We will obtain your written consent before disclosing PHI for purposes not covered by this policy or our Notice of Privacy Practices.
  • To other healthcare providers: When necessary for your treatment, such as sharing cardiac catheterization reports with your primary care physician, transmitting device data to manufacturers for analysis, or coordinating care with hospitals where procedures are performed.
  • To your health plan: For payment and coverage determination purposes, including prior authorization for cardiac procedures and diagnostic testing.
  • As required by law: In response to valid legal orders, subpoenas, or as otherwise required by federal or state law (e.g., mandatory public health reporting).
  • Business Associates: To third-party service providers who perform functions on our behalf and are bound by Business Associate Agreements to protect your PHI.

6. Your Rights Under HIPAA

As a patient, you have the following rights regarding your protected health information:

  • Right to Access: You may request access to your medical records, including cardiac test results, procedure reports, and clinical notes, and obtain copies of your PHI.
  • Right to Amend: You may request that we amend your medical records if you believe they contain an error.
  • Right to an Accounting of Disclosures: You may request a list of certain disclosures we have made of your PHI.
  • Right to Request Restrictions: You may request restrictions on certain uses and disclosures of your PHI, though we are not required to agree to all requests.
  • Right to Confidential Communications: You may request that we communicate with you about your health information through alternative means or at alternative locations.
  • Right to a Paper Copy: You may request a paper copy of our Notice of Privacy Practices at any time.
  • Right to Be Notified of a Breach: You have the right to be notified if a breach of your unsecured PHI occurs, as required by the HITECH Act.
  • Right to File a Complaint: If you believe your privacy rights have been violated, you may file a complaint with our Privacy Officer or with the U.S. Department of Health and Human Services Office for Civil Rights.

7. Cookies and Website Tracking

Our website uses cookies and similar tracking technologies to improve your browsing experience and to collect aggregate usage data for analytics purposes. Cookies are small text files stored on your device by your web browser. You may disable cookies through your browser settings; however, some website features may not function properly without them.

We do not use cookies or website tracking technologies to collect PHI. The information collected through our website analytics is non-identifying and is not linked to your medical records or patient portal account.

8. Third-Party Links

Our website may contain links to third-party websites, such as insurance provider portals, hospital websites, or heart health information resources. We are not responsible for the privacy practices or content of these external sites. We encourage you to review the privacy policies of any third-party sites you visit.

9. Children's Privacy

Our website is not directed to children under the age of 13, and we do not knowingly collect personal information from children through our website. PHI for minor patients requiring cardiac care is collected and managed in accordance with HIPAA and applicable Tennessee state laws governing minors' health information.

10. Changes to This Policy

We reserve the right to update this Privacy Policy at any time. When we make changes, we will update the "Last Updated" date at the top of this page. Material changes to how we handle PHI will be communicated in accordance with HIPAA requirements.

11. Contact Us

If you have questions about this Privacy Policy, wish to exercise your patient rights, or need to file a privacy complaint, please contact our Privacy Officer:

Arcadia Health — Privacy Officer
6025 Walnut Grove Road, Suite 310
Memphis, TN 38120
Phone: (901) 555-0180
Email: privacy@arcadia-health.com

You may also file a complaint with the U.S. Department of Health and Human Services Office for Civil Rights at www.hhs.gov/ocr or by calling 1-877-696-6775.