
FLOW PRACTICE LLC

NOTICE OF PRIVACY PRACTICES

Last Updated: March 2, 2026

THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.


1. INTRODUCTION

Flow Practice LLC (the "Practice," "we," or "our") provides a range of health care and wellness services, including clinical treatment, preventive care, care coordination, and wellness programs. This Notice of Privacy Practices (the "Notice") describes how we may use and disclose your protected health information ("PHI") for purposes of treatment, payment, and health care operations, as well as for other purposes permitted or required by law. PHI is information about you, including demographic information, that may identify you and relates to your past, present, or future physical or mental health or condition, the provision of health care to you, or payment for your health care. This Notice also describes your rights with respect to your PHI and how you may exercise those rights.


We are required by the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), as amended by the Health Information Technology for Economic and Clinical Health Act ("HITECH"), and other applicable federal and state laws, to maintain the privacy and security of your PHI, to provide you with this Notice of our legal duties and privacy practices, to comply with the terms of this Notice currently in effect, and to notify you in the event of a breach of your unsecured PHI, as further described in Section 6 of this Notice. We will make reasonable efforts to limit the use, disclosure, and requests for PHI to the minimum necessary to accomplish the intended purpose, except where the use or disclosure is made to you, for treatment purposes, or as otherwise permitted or required by law.


Certain categories of health information receive additional privacy protections under applicable state and federal laws beyond those provided by HIPAA. These categories include, but are not limited to: mental health and psychiatric records; substance use disorder ("SUD") treatment records (including records protected under 42 C.F.R. Part 2 and Section 397.501, Florida Statutes); HIV/AIDS test results and related records (including those protected under Section 381.004, Florida Statutes); genetic information; reproductive health information; sexually transmitted infection records; and records relating to care for which a minor has the independent legal right to consent. When these laws provide greater privacy protections than HIPAA, we will follow the more protective requirements, which may mean that your written authorization is required before certain sensitive information may be used or disclosed, even if HIPAA would otherwise permit disclosure without authorization. We also recognize that certain wellness-related information, including biometric screening results and health risk appraisal data, may be sensitive, and we apply appropriate safeguards to such information consistent with applicable law. If you have questions about how these protections apply to a specific type of your health information, please contact our Privacy Officer using the contact information provided in Section 9 of this Notice.


2. USES AND DISCLOSURES THAT DO NOT REQUIRE YOUR AUTHORIZATION

We may use or disclose your PHI in the following situations without your authorization. These situations are permitted or required by HIPAA and other applicable laws, and include:


A. Treatment. We use and disclose your PHI to provide treatment and other services to you, for example, to provide clinical or wellness services or to consult with your physician, wellness coach, or other health care or wellness professional about your care or program participation. We may use your information to direct or recommend alternative treatments, therapies, health care providers, or settings of care to you or to describe a health-related product or service. We may disclose PHI to other providers involved in your treatment. We may also use your PHI to contact you to provide appointment reminders or information about treatment alternatives or other health-related benefits and services that may be of interest to you.


B. Payment. We may use and disclose your PHI to obtain payment for health care services that we provide to you, for example, disclosures to claim and obtain payment from you, your health insurer, or other company or program that arranges or pays the cost of your health care (“Your Payor”). Your Payor may include your employer, a wellness program sponsor, a membership or subscription administrator, or other entity responsible for arranging or paying for wellness services provided to you. We may also disclose PHI to your other health care providers when such PHI is required for them to receive payment for services they render to you. We may also use your PHI in connection with processing payments for services provided to you, including verifying your coverage and eligibility, submitting and adjudicating claims, and collecting outstanding balances owed for services rendered.


C. Health Care Operations. We may use and disclose your Protected Health Information for our health care operations, which include internal administration and planning and various activities that improve the quality and cost effectiveness of the care that we deliver to you. For example, we may use PHI to evaluate the quality and competence of our clinicians and other health care professionals, to conduct quality assessment and improvement activities, to manage and administer our business, to support customer service and patient support, to respond to complaints and inquiries, to conduct auditing and compliance activities, and to support care coordination and case management.


Business Associates. We may disclose PHI to our Business Associates that perform functions or services on our behalf (such as technology services, platform operations, analytics support, administrative services, payment support, customer service, and other operational services) as permitted by HIPAA. Our Business Associates are required by law and contract to protect the privacy and security of PHI and may use or disclose it only as permitted by HIPAA and their agreements with us.


Data aggregation and De-identification. As part of our health care operations and as permitted by law, we (and our Business Associates acting on our behalf) may create aggregated and/or de-identified information from PHI in accordance with applicable law, including HIPAA. De-identified information is not PHI under HIPAA. We may use and disclose aggregated and/or de-identified information for lawful purposes, including analytics, quality improvement, benchmarking, product and service development, and improving and operating our technology and services, and we may share such aggregated and/or de-identified information with third parties consistent with applicable law. We maintain reasonable safeguards designed to prevent re-identification of de-identified information, and we prohibit third parties from attempting to re-identify such information, as required by applicable law.


D. Disclosure to Relatives, Close Friends and Other Caregivers. We may use or disclose your PHI to a family member, other relative, a close personal friend or any other person identified by you when you are present, or otherwise available prior to, the disclosure, if: (1) we obtain your agreement or provide you with the opportunity to object to the disclosure and you do not object; or (2) we reasonably infer that you do not object to the disclosure. If you are not present for or unavailable prior to a disclosure (e.g., when we receive a telephone call from a family member or other caregiver), we may exercise our professional judgment to determine whether a disclosure is in your best interests. If we disclose information under such circumstances, we will disclose only information that is directly relevant to the person’s involvement with your care.


E. As Required by Law. We may use and disclose your PHI when required to do so by any applicable federal, state or local law.


F. Public Health Authorities. We may disclose your PHI: (1) to report health information to public health authorities for the purpose of preventing or controlling disease, injury or disability; (2) to report child abuse and neglect to a government authority authorized by law to receive such reports; (3) to report information about products under the jurisdiction of the U.S. Food and Drug Administration; (4) to alert a person who may have been exposed to a communicable disease or may otherwise be at risk of contracting or spreading a disease or condition; and (5) to report information to your employer as required under laws addressing work-related illnesses and injuries or workplace medical surveillance.


G. Victims of Abuse, Neglect or Domestic Violence. We may disclose your PHI if we reasonably believe you are a victim of abuse, neglect or domestic violence to a government authority authorized by law to receive reports of such abuse, neglect, or domestic violence.


H. Health Oversight Activities. We may disclose your PHI to an agency that oversees the health care system and is charged with responsibility for ensuring compliance with the rules of government health programs.


I. Judicial and Administrative Proceedings. We may disclose your PHI in the course of a judicial or administrative proceeding in response to a legal order or other lawful process.


J. Law Enforcement Officials. We may disclose your PHI to the police or other law enforcement officials as required by law or in compliance with a court order.


K. Decedents. We may disclose your PHI to a coroner or medical examiner as authorized by law.


L. Organ and Tissue Procurement. We may disclose your PHI to organizations that facilitate organ, eye or tissue procurement, banking or transplantation.


M. Clinical Trials and Other Research Activities. We may use and disclose your PHI for research purposes pursuant to a valid authorization from you or when an institutional review board or privacy board has waived the authorization requirement. Under certain circumstances, your PHI may be disclosed without your authorization to researchers preparing to conduct a research project, for research on decedents or as part of a data set that omits your name and other information that can directly identify you.


N. Health or Safety. We may use or disclose your PHI to prevent or lessen a serious and imminent threat to a person’s or the public’s health or safety.


O. Specialized Government Functions. We may use and disclose your PHI to units of the government with special functions, such as the U.S. military or the U.S. Department of State under certain circumstances.


P. Workers’ Compensation. We may disclose your PHI as authorized by and to the extent necessary to comply with state law relating to workers’ compensation or other similar programs.


3. USE OF ARTIFICIAL INTELLIGENCE

The Practice may use artificial intelligence ("AI") tools to support clinical care and health care operations. These tools may be used to assist with analyzing health information, supporting clinical decision-making, improving the quality of services, detecting patterns in health data, and conducting quality improvement or research activities. All AI tools operate within a HIPAA-compliant environment and are subject to business associate agreements and appropriate technical, physical, and administrative safeguards. AI outputs are assistive in nature and are reviewed by qualified health care professionals; they do not replace clinician judgment, and all clinical decisions remain under the control and oversight of the Practice's licensed providers. Your PHI will not be used to train external AI models without your separate written authorization.


4. USES AND DISCLOSURES THAT REQUIRE YOUR WRITTEN AUTHORIZATION:

For any purpose other than the ones described above in Section 2, we only use or disclose your PHI when you give us your written authorization.


A. Marketing. We must obtain your written authorization prior to using your PHI for purposes that are marketing under the HIPAA privacy rules. For example, we will not accept any payments from other organizations or individuals in exchange for making communications to you about treatments, therapies, health care providers, settings of care, case management, care coordination, products or services unless you have given us your authorization to do so or the communication is permitted by law. We may provide refill reminders or communicate with you about a drug or biologic that is currently prescribed to you so long as any payment we receive for making the communication is reasonably related to our cost of making the communication. In addition, we may market to you in a face-to-face encounter and give you promotional gifts of nominal value without obtaining your written authorization.


B. Sale of PHI. We will not make any disclosure of PHI that is a sale of PHI without your written authorization.


C. Psychotherapy Notes. We will not use or disclose psychotherapy notes about you without your authorization except for use by the mental health professional who created the notes to provide treatment to you, for our mental health training programs or to defend ourselves in a legal action or other proceeding brought by you.


D. Other Uses and Disclosures. Any other use or disclosure of your PHI not described in this Notice will be made only with your written authorization.


E. Revocation of Your Authorization. You may revoke your authorization, except to the extent that we have taken action in reliance upon it, by delivering a written revocation statement to the Privacy Officer using the contact information provided in Section 9 of this Notice.


5. YOUR INDIVIDUAL RIGHTS:

Note Regarding Minor Patients. In general, a parent or legal guardian of a minor patient is considered the minor's personal representative under HIPAA and may exercise privacy rights on the minor's behalf, including the right to access and inspect the minor's PHI. However, applicable state and/or federal law may limit or restrict a parent's or legal guardian's access to a minor's records in certain circumstances, for example, where the minor has the independent legal right to consent to a particular category of care without parental consent, such as mental health counseling, substance use disorder treatment, reproductive health services, or treatment for sexually transmitted infections. In those circumstances, we will follow applicable state law to determine whether, and to what extent, a parent or legal guardian may access the minor's PHI related to that care. If you have questions about parental or guardian access rights with respect to a minor patient, please contact our Privacy Officer using the contact information provided in Section 9 of this Notice.


The following rights apply to you as a patient of Flow Practice LLC:


A. Right to File a Complaint; Additional Information. If you desire further information about your privacy rights, are concerned that we have violated your privacy rights, or disagree with a decision we made about access to your PHI, you may contact our Privacy Officer (see Section 9 for contact information). You also have the right to file a written complaint with the U.S. Department of Health and Human Services, Office for Civil Rights, 200 Independence Avenue, S.W., Washington, D.C. 20201, by calling 1-877-696-6775, or by visiting www.hhs.gov/ocr/privacy/hipaa/complaints/. We will not retaliate against you for filing a complaint with us or with the Office for Civil Rights, and filing a complaint will not affect your care or treatment in any way.


B. Right to Access Your Protected Health Information. You have the right to inspect and obtain a copy of your PHI that we maintain in a designated record set, which includes your medical records, billing records, wellness assessments, health risk appraisals, and other records used to make decisions about your care or program participation, for as long as we maintain that information. Where your health information is maintained electronically, you may also access certain records directly through our secure patient portal. Use of the portal is voluntary, and you may request records through the standard process described below if you prefer. There is no fee for accessing records directly through the portal.


You may request that we provide your records in a specific format, including in electronic form where your records are maintained electronically, and we will accommodate reasonable requests. We will respond to your request within thirty (30) days. In certain limited circumstances, we may deny your request to access or copy your PHI. If we deny your request, we will provide you with a written explanation of the reason for the denial and, where applicable, inform you of your right to have the denial reviewed by a licensed health care professional designated by us who was not involved in the original denial decision. If you request copies of your PHI, we may charge you a reasonable, cost-based fee that may include labor costs for copying, supplies for creating the copy, and postage. We will not charge you for labor costs associated with searching for or retrieving your records. Electronic copies of your PHI, when available, may be provided at a reduced or no cost. To request access to your PHI, please submit your request in writing to our Privacy Officer using the contact information provided in Section 9 of this Notice.


C. Right to Be Notified of a Breach. You have the right to receive notification in the event of a breach of your unsecured PHI, as described in Section 6 of this Notice.


D. Right to Request Restrictions. You may request restrictions on our use and disclosure of your PHI (1) for treatment, payment and health care operations, (2) to individuals (such as a family member, other relative, close personal friend or any other person identified by you) involved with your care or with payment related to your care, or (3) to notify or assist in the notification of such individuals regarding your location and general condition. While we will consider all requests for restrictions carefully, we are generally not required to agree to a requested restriction. However, we are required by law to agree to your request to restrict disclosure of your PHI to a health plan for payment or health care operations purposes if: (1) the disclosure is not required by law; and (2) the PHI pertains solely to a health care item or service for which you, or someone other than the health plan on your behalf, have paid us in full out of pocket. For all other restriction requests, please submit your request in writing to our Privacy Office. We will respond in writing.


E. Right to Receive Communications by Alternative Means or at Alternative Locations. You may request, and we will accommodate, any reasonable written request for you to receive your PHI by alternative means of communication or at alternative locations.


F. Right to Amend Your Records. You have the right to request that we amend your PHI maintained in your medical record file or billing records. If you desire to amend your records, please obtain an amendment request form from the Privacy Office and submit the completed form to the Privacy Office. We will comply with your request unless we believe that the information that would be amended is accurate and complete or other special circumstances apply.


G. Right to Receive an Accounting of Disclosures. Upon request, you may obtain an accounting of certain disclosures of your PHI made by us during any period of time prior to the date of your request, provided such period does not exceed six years. This accounting right applies to disclosures from both paper and electronic records. However, disclosures made for treatment, payment, and health care operations are generally excluded from the accounting. If your PHI is maintained in an electronic health record, you may have expanded accounting rights under the Health Information Technology for Economic and Clinical Health Act ("HITECH Act"), including the right to receive an accounting of certain treatment, payment, and health care operations disclosures that would otherwise be excluded. If you would like more information about your accounting rights with respect to electronic health records, please contact our Privacy Officer using the contact information provided in Section 9 of this Notice. If you request an accounting more than once during a twelve (12) month period, we may charge you a reasonable fee for the accounting statement.


H. Right to Receive Paper Copy of this Notice. Upon request, you may obtain a paper copy of this Notice at any time, including at the time of your first service delivery, even if you agreed to receive this Notice electronically.


6. REVISIONS TO THIS NOTICE:

We may change the terms of this Notice at any time. If we change this Notice, we may make the new notice terms effective for all your PHI that we maintain, including any information created or received prior to issuing the new notice. You may obtain any new notice by contacting the Privacy Office. We will also promptly post any revised Notice on our website, if we maintain one, and will make it available in our office. The effective date of any revised Notice will appear on the first page of the Notice.


7. BREACH OF HEALTH INFORMATION:

We will notify you if a reportable breach of your unsecured PHI is discovered. Notification will be made to you no later than 60 days from the breach discovery and will include: (1) a brief description of how the breach occurred; (2) a description of the types of unsecured PHI involved in the breach; (3) steps you should take to protect yourself from potential harm resulting from the breach; (4) a description of what we are doing to investigate the breach, mitigate harm to individuals, and protect against future breaches; and (5) contact information for you to ask questions.


Notification will generally be provided by first-class mail, or electronically where you have agreed to electronic notice and the breach involves only electronic PHI. Where the situation is urgent, we may also notify you by telephone or other means. If we are unable to reach you using your contact information on file, we may provide substitute notice by posting notice on our website, if we maintain one, or through major media outlets serving your geographic area, as required by law. If a breach affects 500 or more individuals in a particular state or jurisdiction, we will also notify prominent media outlets serving that area, as required by applicable law.


We are also required to notify the U.S. Department of Health and Human Services of breaches of unsecured PHI in accordance with applicable law.


8. HEALTH INFORMATION EXCHANGE

We may participate in one or more health information exchanges ("HIEs"), networks or systems that allow health care providers, health plans, and other authorized participants to electronically share patient health information for purposes of treatment, care coordination, payment, and health care operations. Participation in an HIE enables us to access your medical history, medications, lab results, and other health information from other providers who have treated you, and to share your information with other providers involved in your care.


Your PHI shared through an HIE is subject to the same privacy protections described in this Notice and applicable federal and Florida law. Certain sensitive categories of information, including, but not limited to, HIV/AIDS records, substance use disorder treatment records, mental health records, and reproductive health information, may require your separate written authorization before being shared through an HIE, consistent with applicable federal and Florida law.


You may have the right to opt out of the sharing of your PHI through an HIE in certain circumstances. For more information about HIE participation, your rights regarding HIE data sharing, or to inquire about opting out, please contact our Privacy Officer using the contact information provided below in Section 9 of this Notice.


9. CONTACT INFORMATION:

If you have any questions about this Notice or about how we handle your PHI, please contact our Privacy Officer as noted below. We are required to follow the duties and privacy practices described in this Notice.


Eric Chiang, Privacy Officer

Flow Practice LLC

1170 Kane Concourse, Suite 300

Bay Harbor Islands, FL 33154

Email: [email protected]


For general inquiries or to request access to your medical records, please contact us at:

Email: [email protected]

Mailing Address:

Attn: Flow Practice LLC

1170 Kane Concourse, Suite 300

Bay Harbor Islands, FL 33154