
HIPAA Compliance Statement for Cumberland Vitality

Last Updated: June 27, 2025

Cumberland Vitality (“we,” “us,” or “our”) is committed to protecting the privacy and security of our clients’ Protected Health Information (PHI) in compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its implementing regulations, including the Privacy Rule, Security Rule, and Breach Notification Rule. This HIPAA Compliance Statement outlines our practices for handling PHI for clients engaging in our therapy services through our website www.cumberlandvitality.com (the “Website”) or in-person sessions.

1. Scope of HIPAA Compliance

This statement applies to our therapy services, which involve the collection, use, storage, and disclosure of PHI. PHI includes any individually identifiable health information, such as medical history, mental health records, treatment plans, or payment details related to health services. Our health coaching services, which do not involve medical diagnosis or treatment, are not subject to HIPAA unless they involve PHI.

2. Collection and Use of PHI

We collect PHI only with your explicit consent and as necessary to provide therapy services. Examples include:

  • Personal details (e.g., name, contact information).

  • Health information (e.g., medical or mental health history, session notes).

  • Billing information (e.g., insurance or payment details).

We use PHI to:

  • Provide and coordinate therapy services.

  • Communicate with you about appointments or treatment plans.

  • Process payments or insurance claims.

  • Comply with legal obligations, such as mandatory reporting or audits.

3. Safeguards for PHI

We implement administrative, technical, and physical safeguards to protect PHI, including:

  • Administrative Safeguards: Policies and procedures to limit access to PHI to authorized personnel only, staff training on HIPAA compliance, and regular risk assessments.

  • Technical Safeguards: Encryption of PHI during transmission and storage, secure authentication for access to electronic PHI (ePHI), and use of HIPAA-compliant software for telehealth and recordkeeping.

  • Physical Safeguards: Secure storage of physical records and restricted access to facilities where PHI is stored.

4. Disclosure of PHI

We may disclose PHI only as permitted by HIPAA, including:

  • To You: You have the right to access your PHI upon request.

  • For Treatment, Payment, or Operations: To coordinate care with other healthcare providers, process payments, or manage our practice (e.g., scheduling, quality improvement).

  • With Authorization: With your written consent for specific purposes (e.g., sharing with a third-party provider).

  • As Required by Law: For mandatory reporting (e.g., abuse, public health threats) or in response to a court order.

We enter into Business Associate Agreements (BAAs) with third-party service providers (e.g., telehealth platforms, payment processors) to ensure they comply with HIPAA when handling PHI.

5. Your Rights Under HIPAA

As a client, you have the following rights regarding your PHI:

  • Access: Request a copy of your PHI, typically within 30 days.

  • Amendment: Request corrections to inaccurate or incomplete PHI.

  • Accounting of Disclosures: Request a list of non-routine disclosures of your PHI.

  • Restrictions: Request limits on how we use or disclose your PHI (though we may not always be able to comply).

  • Confidential Communications: Request alternative methods of communication (e.g., a specific email or phone number).

  • Complaint: File a complaint with us or the U.S. Department of Health and Human Services (HHS) if you believe your HIPAA rights have been violated.

To exercise these rights, contact us at infor@cumberlandvitality.com.

6. Data Breach Notification

In the event of a breach of unsecured PHI, we will notify affected clients, HHS, and, if required, the media, in accordance with HIPAA’s Breach Notification Rule. We will take steps to mitigate harm and prevent future breaches.

7. Third-Party Services

We use HIPAA-compliant third-party services for telehealth, scheduling, and payment processing. These providers are bound by BAAs to protect your PHI. We are not responsible for the privacy practices of non-HIPAA-covered entities (e.g., fitness apps you choose to sync with our health coaching services).

8. Retention of PHI

We retain PHI for the period required by law (e.g., typically 7 years for therapy records, or longer as mandated by state regulations). After this period, PHI is securely destroyed.

9. Updates to This Statement

We may update this HIPAA Compliance Statement to reflect changes in our practices or legal requirements. Updates will be posted on our Website with a revised “Last Updated” date.

10. Contact Us

For questions, concerns, or to exercise your HIPAA rights, contact our HIPAA Privacy Officer at:

You may also file a complaint with the U.S. Department of Health and Human Services, Office for Civil Rights, at www.hhs.gov/ocr.
