HIPAA Notice of Privacy Practices
This notice describes how medical information about you may be used and disclosed and how you can get access to this information. Please review it carefully.
About This Notice
This notice applies to all protected health information (PHI) created, received, maintained, or transmitted by Baxter Cobb Shared Services, LLC (BCSS) on behalf of our healthcare practice clients.
BCSS operates as a Business Associate to the covered entity healthcare practices that use our Practisphere platform. Your healthcare provider (the practice) is the covered entity responsible for your care. BCSS provides administrative and technology services to support your provider's operations.
Our Commitment to Your Privacy
BCSS is committed to protecting your PHI. We are required by law to:
- Maintain the privacy of your PHI
- Provide you with this notice of our legal duties and privacy practices
- Follow the terms of this notice currently in effect
- Notify you if a breach of your unsecured PHI occurs
Uses and Disclosures Without Your Authorization
We may use and disclose your PHI for the following purposes without your written authorization:
- Treatment: To provide, coordinate, or manage your healthcare
- Payment: To bill and collect payment for your healthcare services
- Healthcare Operations: To support business activities including quality improvement, training, and compliance
- As Required by Law: When required by federal, state, or local law
- Public Health Activities: To report disease, injury, vital events, and conduct public health surveillance
- Health Oversight: For audits, investigations, and inspections by government agencies
- Judicial and Administrative Proceedings: In response to a court or administrative order, or a subpoena
Uses and Disclosures Requiring Your Authorization
The following uses and disclosures require your specific written authorization:
- Marketing: Using your PHI for marketing purposes
- Sale of PHI: Selling your PHI to third parties
- Psychotherapy Notes: Disclosing psychotherapy notes (with limited exceptions)
- Substance Use Disorder Records: Disclosing records protected under 42 CFR Part 2
- Other Uses: Any use or disclosure not described in this notice
We will not condition your treatment, payment, enrollment, or eligibility for benefits on your providing an authorization, except as permitted by law. You may revoke any authorization in writing at any time.
Your Rights Regarding Your PHI
Under HIPAA, you have the following rights:
- Right to Access: You may inspect and obtain a copy of your PHI. Submit a written request to the Privacy Officer. We will respond within 30 days.
- Right to Amend: You may request corrections to your PHI if you believe it is inaccurate or incomplete. Submit a written request explaining the reason. We may deny the request in certain circumstances and will provide a written explanation.
- Right to an Accounting of Disclosures: You may request a list of disclosures of your PHI made in the prior six years, excluding disclosures for treatment, payment, and healthcare operations.
- Right to Request Restrictions: You may request limits on how we use or disclose your PHI. We are not required to agree to your request, except for restrictions on disclosures to a health plan for services you paid out of pocket.
- Right to Confidential Communications: You may request that we communicate with you in a specific way or at a specific location.
- Right to a Paper Copy: You may obtain a paper copy of this notice at any time by contacting the Privacy Officer.
- Right to Breach Notification: You have the right to be notified if a breach of your unsecured PHI occurs.
- Right to File a Complaint: You may file a complaint with us or with the U.S. Department of Health and Human Services if you believe your privacy rights have been violated. You will not be retaliated against for filing a complaint.
To exercise any of these rights, contact our Privacy Officer using the information below.
Breach Notification
BCSS will notify the relevant healthcare practice (the covered entity) within 30 days of discovery of a breach of unsecured PHI. The practice will then notify affected individuals as required by applicable federal and state law.
Notification will include: a description of the breach, the types of information involved, steps you should take to protect yourself, what is being done to investigate and mitigate the breach, and contact information for further questions.
For breaches affecting 500 or more individuals, notification will also be provided to the HHS Secretary and prominent media outlets as required by law.
State-Specific Rights
Depending on your state of residence, you may have additional privacy rights under state law. These include but are not limited to:
- California residents: Additional rights under the CCPA/CPRA. See our Privacy Policy for details.
- New York residents: Additional protections under the NY SHIELD Act and Mental Hygiene Law.
- Connecticut residents: Rights under the CT Data Privacy Act.
- Virginia residents: Rights under the VA Consumer Data Protection Act.
Contact our Privacy Officer for state-specific information.
Changes to This Notice
We reserve the right to change this notice and make the new provisions effective for all PHI we maintain. A revised notice will be posted on this page with a new effective date.
Last updated: May 18, 2026
Contact Our Privacy Officer
For questions about this notice, to exercise your rights under HIPAA, or to file a complaint:
Privacy Officer: Matthew Cobb
Baxter Cobb Shared Services, LLC
PO Box 536
Dunedin, FL 34697-0536
Phone: (718) 687-1980
Contact Form
File a Complaint with HHS
If you believe your privacy rights have been violated, you may also file a complaint with the U.S. Department of Health and Human Services:
Office for Civil Rights
U.S. Department of Health and Human Services
200 Independence Avenue SW
Washington, DC 20201
Phone: 1-877-696-6775
hhs.gov/ocr/complaints
You will not be retaliated against for filing a complaint.