How We Protect Your Health Information
This page explains how your health information may be used and shared when your healthcare provider works with us. Please review it carefully.
About Us and This Page
Baxter Cobb Shared Services, LLC (BCSS) provides administrative services — such as billing, scheduling, and reception — to behavioral health practices. We are a Business Associate under HIPAA, which means we handle health information on behalf of your healthcare provider.
Your healthcare provider (the practice where you receive care) is the Covered Entity. They are responsible for your treatment and for giving you their own Notice of Privacy Practices.
This page explains how BCSS may use or share your health information while providing administrative services to your provider. It is not a substitute for your provider's own privacy notice.
Our Commitment to Your Privacy
We take protecting your health information seriously. The law requires us to:
- Keep your health information private
- Tell you about our privacy practices
- Follow the practices described on this page
- Let you know if there is a breach of your health information
When Your Information May Be Used Without Your Written Permission
Your healthcare provider may direct us to use or share your health information for these purposes without your written permission:
- Treatment: To help coordinate your care (for example, scheduling appointments or sending referral information to another provider)
- Payment: To bill your insurance and collect payment for services you received
- Healthcare operations: To support your provider's business activities, such as quality improvement and compliance
- When required by law: When a federal, state, or local law requires it
- Public health activities: To report disease, injury, or other events as required by public health authorities
- Oversight activities: For audits, investigations, or inspections by government agencies
- Legal proceedings: In response to a court order or subpoena
When Your Written Permission Is Required
The following require your specific written permission before your information can be used or shared:
- Marketing: Using your health information for marketing purposes
- Selling your information: We will never sell your health information
- Psychotherapy notes: Sharing a therapist's private session notes (with limited exceptions allowed by law)
- Any other use: Anything not described on this page
You can take back your written permission at any time by notifying your healthcare provider in writing. Your treatment and benefits will not be affected by whether you give permission.
Extra Protections for Substance Use Disorder Records
If your provider treats substance use disorders, those records receive extra protection under federal law (42 CFR Part 2).
Under the 2024 updates to this law, once you provide initial consent for sharing your substance use disorder records, those records may be shared for treatment, payment, and healthcare operations purposes following standard HIPAA rules. Your provider can explain what this means for your specific situation.
These records still cannot be used against you in court without your permission or a specific court order, and they cannot be shared for employment, housing, or other non-healthcare purposes without your written permission.
Extra Protections for Behavioral Health Records (New York)
If you receive behavioral health services from a New York provider, your clinical records receive additional protections under New York Mental Hygiene Law Section 33.13.
Under this law:
- Clinical records maintained by mental health providers are confidential and may only be shared with your written permission or as specifically authorized by law
- Your provider must inform you about who may have access to your records
- You have the right to object to certain disclosures
Contact your healthcare provider directly for more information about how New York law applies to your records.
Your Rights
Because BCSS is a Business Associate (not your healthcare provider), you should contact your healthcare provider directly to exercise the rights described below. We will assist your provider in fulfilling your requests as needed.
Under HIPAA, you have the right to:
- See and get a copy of your health information. Ask your provider for access to your records. They will respond within 30 days.
- Ask for corrections. If you believe something in your records is wrong or incomplete, you can ask your provider to fix it.
- Get a list of who we shared your information with. You can ask your provider for a list of times your information was shared in the past six years (not including sharing for treatment, payment, or healthcare operations).
- Ask for limits on sharing. You can ask your provider to limit how your information is used or shared. Your provider is not required to agree, except when you pay out of pocket in full and ask that your information not be shared with your health plan for that service.
- Choose how we contact you. You can ask your provider to reach you in a specific way or at a specific location.
- Get a paper copy of this page. Contact our Privacy Officer for a printed version.
- Be notified of a breach. If your health information is involved in a breach, you will be notified.
- File a complaint. If you believe your privacy rights have been violated, you may file a complaint with your provider, with us, or with the U.S. Department of Health and Human Services. You will not be penalized for filing a complaint.
What Happens If There Is a Breach
If we discover that your health information has been accessed or shared in a way that was not authorized, we will notify your healthcare provider within 60 days of discovering the breach, as required by federal law (45 CFR 164.410). Your provider will then notify you as required by applicable federal and state law.
The notification will include: what happened, what information was involved, steps you can take to protect yourself, what we are doing about it, and how to reach us with questions.
If the breach affects 500 or more people, we will also notify the HHS Secretary and prominent media outlets as required by law.
State-Specific Rights
BCSS works with healthcare practices in multiple states. Depending on where you live, you may have additional privacy rights under your state's laws. These include but are not limited to:
- California residents: Additional rights under the California Consumer Privacy Act and California Privacy Rights Act. See our Privacy Policy for details.
- New York residents: Additional protections under New York privacy and data security laws, including Mental Hygiene Law Section 33.13 for behavioral health records.
- Connecticut residents: Rights under the Connecticut Data Privacy Act.
- Virginia residents: Rights under the Virginia Consumer Data Protection Act.
Contact your healthcare provider or our Privacy Officer for state-specific information.
Changes to This Page
We may update this page from time to time. When we do, we will post the revised version here with a new effective date.
Last updated: May 28, 2026
Contact Our Privacy Officer
For questions about this page or our privacy practices:
Privacy Officer: Matthew N. CobbBaxter Cobb Shared Services, LLC
Phone: (718) 687-1980
Contact Form
File a Complaint with HHS
If you believe your privacy rights have been violated, you may also file a complaint with the U.S. Department of Health and Human Services:
Office for Civil RightsU.S. Department of Health and Human Services
200 Independence Avenue SW
Washington, DC 20201
Phone: 1-877-696-6775
hhs.gov/ocr/complaints
You will not be penalized for filing a complaint.