Notice of Privacy Practices
This Notice of Privacy Practices applies to the following covered entities (collectively, "we," "us," or "our practice"), all of which are affiliates operating under the Holsman Healthcare organization:
New Jersey • New York • Indiana
holsmanpt.com
(855) 465-7626
Rockland County, NY • Tri-State Area
hometherapypt.com
(862) 250-6697 • (855) 465-7626
New Jersey service locations
(855) 465-7626
All entities listed above share the same privacy policies and procedures and form an Organized Health Care Arrangement (OHCA) for purposes of HIPAA. References to "we," "our," or "our practice" throughout this document apply to all entities listed above.
We understand that health information about you and your health is personal. We are committed to protecting the privacy of your health information. We create a record of the care and services you receive at our practice to provide you with quality care and to comply with certain legal requirements.
This notice tells you about the ways we may use and share health information about you and describes your rights and certain obligations we have regarding the use and disclosure of your health information. We are required by law to:
- Maintain the privacy of your Protected Health Information (PHI) as required by HIPAA and applicable state law;
- Give you this notice of our legal duties and privacy practices with respect to health information about you;
- Follow the terms of the notice currently in effect; and
- Notify you following a breach of your unsecured PHI, as required by 45 C.F.R. §§ 164.400–414.
Protected Health Information (PHI) is any individually identifiable health information we collect or maintain, including your name, address, date of birth, Social Security number, insurance information, dates of service, diagnoses, treatment records, and billing records.
The following categories describe the ways we use and disclose health information without requiring your written authorization. Not every use or disclosure in a category will be listed, but all the ways we are permitted or required to make will fall within one of these categories.
We may use your PHI to provide, coordinate, or manage your health care and any related services. For example, a physical therapist treating you will need information about your condition, prior medical history, and current medications. We may also disclose information to other health care providers involved in your care, such as your referring physician, specialist, or home health agency, to coordinate services on your behalf.
We may use and disclose PHI about you to bill and collect payment for the services we provide. For example, we may need to give your health plan information about the physical or occupational therapy you received so your plan will pay for it. We may also tell your health plan about a treatment or service you are going to receive in order to obtain prior approval or determine whether your plan will cover the treatment. We bill the following insurers: Medicare Part B, Veterans Administration (VA) / TRICARE, automobile no-fault, workers' compensation, and commercial PPO plans.
We may use and disclose PHI about you for our health care operations. These uses and disclosures are necessary to run our practice and ensure that all of our patients receive quality care. For example, we may use PHI to review the quality of care provided, train clinical staff, conduct compliance audits, or evaluate therapist performance. We may also disclose information to our Business Associates (such as billing services, electronic health record vendors, or legal advisors) who assist in our operations under written Business Associate Agreements that require them to protect your PHI.
We may also use or disclose your PHI without authorization for the following purposes when required or permitted under applicable federal or New Jersey/New York/Indiana state law:
- Public Health Activities: Reporting disease, injury, vital statistics, or certain conditions to authorized public health authorities.
- Health Oversight Activities: Disclosures to government agencies for oversight activities authorized by law, such as audits, investigations, and inspections (e.g., CMS, state licensing boards).
- Abuse, Neglect, or Domestic Violence: Reporting to appropriate authorities as required or permitted by law.
- Judicial and Administrative Proceedings: In response to a court order, subpoena, discovery request, or other lawful process, subject to applicable legal protections.
- Law Enforcement: For law enforcement purposes as required by law or in response to a valid law enforcement request.
- Decedents: Information about deceased individuals may be disclosed to coroners, medical examiners, and funeral directors.
- Organ and Tissue Donation: We may disclose PHI to organ procurement organizations as required.
- Research: Under certain conditions and with appropriate protections in place (e.g., waiver from an Institutional Review Board).
- Serious Threats to Health or Safety: To prevent or lessen a serious and imminent threat to the health or safety of a person or the public.
- Specialized Government Functions: For military and veterans' activities, national security, intelligence, and protective services for the President.
- Workers' Compensation: As authorized and necessary to comply with workers' compensation laws.
- Inmates: If you are an inmate, we may release PHI to the correctional institution or law enforcement official as necessary for your health and safety.
We may make incidental uses and disclosures that occur as a by-product of an otherwise permitted use or disclosure, provided we have applied reasonable safeguards and used the minimum necessary standard.
We may share relevant PHI with a family member, friend, or other person you identify who is involved in your care or in payment for your care, unless you object. In an emergency, we will share information as needed to assist in care and will notify family members as appropriate. You have the right to restrict such disclosures by notifying our Privacy Officer in writing.
We may contact you to remind you about appointments or provide information about treatment alternatives or other health-related benefits and services that may be of interest to you.
Other uses and disclosures of PHI not covered by this notice or applicable law will only be made with your written authorization. The following categories of PHI require your prior written authorization in all circumstances:
- Marketing purposes — We will not use or disclose your PHI for marketing without your written authorization, except for face-to-face communications made by us or promotional gifts of nominal value.
- Sale of PHI — We will not sell your PHI without your written authorization.
- Most uses of psychotherapy notes — We will not disclose psychotherapy notes without your authorization except in very limited circumstances.
- Any other use or disclosure not described in this notice — Including uses by third parties for their own purposes.
If you provide us authorization to use or disclose PHI about you, you may revoke that authorization in writing at any time. If you revoke your authorization, we will no longer use or disclose PHI about you for the reasons described in your authorization. We are unable to undo disclosures we have already made in reliance on your authorization.
You have the following rights regarding PHI we maintain about you. To exercise any of these rights, please submit a written request to our Privacy Officer (contact information below).
You have the right to inspect and obtain a copy of your PHI in a designated record set. We may charge a reasonable, cost-based fee. Requests must be in writing and may be denied in certain limited circumstances.
You may request that we amend PHI we maintain about you. We may deny your request if the information was not created by us, is not part of our records, or is accurate and complete. Denied requests may be supplemented with a statement of disagreement.
You may request a list of certain disclosures of your PHI made in the past 6 years. This right does not apply to disclosures made for treatment, payment, health care operations, or disclosures made with your authorization.
You may request that we restrict certain uses or disclosures of your PHI. We are not legally required to agree to your request except: if you request we restrict disclosure to a health plan for services you have paid for out-of-pocket in full, we must comply.
You may request that we communicate with you in a specific way or at a specific location (e.g., home or work phone number only, or by mail to a particular address). We will honor reasonable requests.
You have the right to receive a paper copy of this notice at any time, even if you have agreed to receive it electronically. You may also request an electronic copy of this notice by contacting our Privacy Officer.
You have the right to receive notification in the event of a breach of your unsecured PHI, as required by 45 C.F.R. §§ 164.400–414 and applicable state law. Notification will be made without unreasonable delay and no later than 60 days after discovery.
If we ever conduct fundraising activities, you have the right to opt out of receiving fundraising communications. We will include opt-out instructions in any such communication.
When using, disclosing, or requesting PHI, we make reasonable efforts to limit the PHI to the minimum amount necessary to accomplish the intended purpose. This standard does not apply to disclosures to or requests by a healthcare provider for treatment purposes, disclosures to you about your own PHI, or disclosures made pursuant to your written authorization.
We maintain administrative, technical, and physical safeguards to protect the confidentiality, integrity, and availability of your PHI consistent with 45 C.F.R. Part 164, Subpart C. These measures include:
- Restricted access to PHI on a need-to-know basis, with role-based access controls;
- Encryption of electronic PHI (ePHI) in transmission and at rest where feasible;
- Physical security measures at all clinic locations and for all portable devices;
- Regular workforce training on privacy and security policies;
- Business Associate Agreements with all vendors who access or process PHI on our behalf;
- Regular risk analysis and risk management in accordance with 45 C.F.R. § 164.308(a)(1).
Where state law provides greater privacy protections than HIPAA, we will comply with the stricter state standard. Applicable state laws include, but are not limited to:
- New Jersey: N.J.S.A. 26:2H-12.13 et seq. (Patient Privacy); N.J.A.C. 8:43G-4 (Hospital Licensing Standards); N.J.S.A. 56:8-166.1 (Data breach notification — 72-hour notice to NJ AG required);
- New York: N.Y. Pub. Health Law § 18 (Access to patient information); N.Y. General Business Law § 899-aa (Data breach notification — expedient notice required); NY Education Law § 6731 (Notice of Advice requirement for direct access PT);
- Indiana: Ind. Code § 16-39-5-3 (Patient access to records); IC 24-4.9 (Data breach notification);
- Any additional state-specific requirements applicable to workers' compensation, auto no-fault, or other insurance-funded services.
We are required by law to:
- Maintain the privacy of PHI as described in this notice;
- Abide by the terms of the notice currently in effect;
- Notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery of a breach of unsecured PHI;
- Not retaliate against you for exercising any right described in this notice or for filing a complaint.
Changes to This Notice: We reserve the right to change this notice at any time and to make the changed notice effective for PHI we already maintain about you as well as any PHI we receive in the future. We will post a copy of the current notice on our websites (holsmanpt.com, hometherapypt.com, holsmanhealthcare.com). You may also request a current copy at any visit.
If you believe your privacy rights have been violated, you have the right to file a complaint with us or with the U.S. Secretary of Health and Human Services. We will not retaliate against you in any way for filing a complaint.
c/o Privacy Officer
New Jersey Corporate Office
You may also file a complaint directly with the HHS Office for Civil Rights (OCR):
Online: www.hhs.gov/ocr/privacy/hipaa/complaints/
Phone: 1-800-368-1019 | TDD: 1-800-537-7697
Mail: Office for Civil Rights, U.S. Department of Health and Human Services, 200 Independence Ave SW, Washington, DC 20201
By receiving services from Holsman Physical Therapy & Rehabilitation, P.C., Home Therapy PT Physical & Occupational Therapy LLC, or any affiliated entity, and/or by using our websites, you acknowledge that you have been provided with or had the opportunity to review this Notice of Privacy Practices.
You are not required to sign an acknowledgment form, but we may ask you to sign one for our records. Your refusal to sign does not affect the care we provide, but we will document that we presented the notice and that you declined to sign.
Effective Date: January 1, 2025 Last Revised: May 2025 Version: 4.0