Ignite Health Systems Logo
IGNITE Health Systems
DRAFT — pending HIPAA attorney review. Not yet effective. Do not distribute to patients.
HIPAA Notice

Notice of Privacy Practices

This notice describes how protected health information about you may be used and disclosed, and how you can access this information. Please review it carefully.

Effective Date: [EFFECTIVE DATE — TBD: INSERT BEFORE PUBLICATION]

Who We Are and Who This Notice Covers

  • This Notice of Privacy Practices ("Notice") is provided by IGNITE Health Systems LLC ("IGNITE," "we," "our," or "us"), operating the MEDFlow clinical platform at ignitehealthpartnership.com.
  • IGNITE acts as a Business Associate under HIPAA when processing protected health information (PHI) on behalf of healthcare providers who use MEDFlow in Practice Mode.
  • This Notice applies to the PHI we process in connection with MEDFlow: patient records, appointments, medications, prescriptions, allergies, lab results, and visit notes stored in the MEDFlow system.
  • The educational platform at ignitehealthsystems.com generally does not process PHI. This Notice does not apply to non-PHI data collected on that platform; see our Privacy Policy for that information.
  • [PLACEHOLDER: Identify any affiliated covered entities or organized health care arrangement (OHCA) members, if applicable, before finalizing this notice.]

How We May Use and Disclose Your Health Information

The following uses and disclosures may be made without your written authorization, as permitted by HIPAA (45 CFR 164.506, 164.510, 164.512):

Treatment

  • We may use and disclose your PHI to facilitate the treatment and healthcare services provided by your physician through MEDFlow.
  • Examples: sharing visit notes with a consulting specialist; transmitting a prescription to a pharmacy; sharing lab results with your treating provider.

Payment

  • We may use and disclose your PHI so your provider can bill and receive payment for services rendered.
  • Examples: submitting claims to payers; verifying insurance coverage; processing direct-pay membership fees.

Health Care Operations

  • We may use and disclose your PHI for activities necessary to operate the platform, including quality improvement, compliance monitoring, training, and system security audits.
  • We do not use individually identifiable PHI for AI model training; any analytics uses de-identified or aggregated data meeting HIPAA Safe Harbor or Expert Determination standards.

Other Permitted Disclosures

  • Public Health Activities: reporting to public health authorities as required by law (e.g., communicable disease reporting, vital statistics).
  • Health Oversight Activities: disclosures to government agencies for audits, investigations, or licensure activities.
  • Judicial and Administrative Proceedings: disclosures pursuant to a court order, subpoena, or other lawful process.
  • Law Enforcement: limited disclosures to law enforcement officials as required by law or pursuant to legal process.
  • Serious Threats to Health or Safety: disclosures necessary to prevent or lessen a serious and imminent threat to a person or the public.
  • As Required by Law: any other uses or disclosures specifically required by applicable federal, state, or local law.
  • [PLACEHOLDER: Add any state-specific permitted disclosures required in the jurisdiction(s) where the covered entity operates.]

Uses and Disclosures That Require Your Written Authorization

  • Most uses and disclosures of PHI not described above require your written authorization, including: marketing communications, sale of PHI, and most uses of psychotherapy notes.
  • You may revoke an authorization at any time in writing; revocation does not affect disclosures already made in reliance on the authorization.
  • To authorize a disclosure or revoke an existing authorization, contact: [email protected]

Your Rights Regarding Your Health Information

You have the following rights under HIPAA (45 CFR 164.522–164.528). To exercise any right, submit a written request to [email protected].

Right to Access (45 CFR 164.524)

  • You have the right to inspect and obtain a copy of your PHI maintained in a designated record set.
  • Requests will be fulfilled within 30 days (one 30-day extension is permitted with written notice).
  • We may charge a reasonable, cost-based fee for copies. We will not charge for electronic copies to the individual.
  • [PLACEHOLDER: Specify the fee schedule for copies before finalizing.]

Right to Amend (45 CFR 164.526)

  • You have the right to request an amendment of your PHI if you believe it is incorrect or incomplete.
  • We may deny the request if we determine the PHI is accurate and complete, or if the information was not created by us.
  • If denied, you may submit a written statement of disagreement, which we will include with the disputed record.

Right to an Accounting of Disclosures (45 CFR 164.528)

  • You have the right to request an accounting of disclosures of your PHI made during the six years prior to the date of your request.
  • This right does not apply to disclosures made for treatment, payment, or health care operations, or to disclosures made pursuant to your authorization.

Right to Request Restrictions (45 CFR 164.522(a))

  • You have the right to request restrictions on how we use or disclose your PHI for treatment, payment, or health care operations.
  • We are not required to agree to a requested restriction except: we must agree to restrict disclosure to a health plan if you pay out-of-pocket in full for a service and request that the service not be disclosed to the plan.

Right to Confidential Communications (45 CFR 164.522(b))

  • You have the right to request that we communicate with you about health matters through a specific means or at a specific location.
  • Example: you may request that appointment reminders be sent only to a specific phone number or email address.
  • Reasonable requests will be accommodated.

Right to a Paper Copy of This Notice

  • You have the right to receive a paper copy of this Notice at any time, even if you have agreed to receive the Notice electronically.
  • Contact [email protected] to request a paper copy.

Breach Notification (45 CFR 164.400–414)

  • We are required by law to notify you if there is a breach of your unsecured PHI.
  • Notification will be provided without unreasonable delay and in no case later than 60 calendar days after discovery of the breach.
  • Notification will be provided by first-class mail (or by email if you have agreed to receive electronic communications). If contact information is insufficient or out-of-date, we will substitute notice via prominent posting on our website or, if required, media notification.
  • The breach notification will include: a brief description of the breach and the PHI involved; the steps you should take to protect yourself; steps we are taking to investigate and mitigate the breach; and contact information for questions.

Our Duties

  • We are required by law to maintain the privacy and security of your PHI.
  • We are required to provide you with this Notice of our legal duties and privacy practices with respect to PHI.
  • We are required to follow the terms of this Notice currently in effect.
  • We reserve the right to change the terms of this Notice and to make the new provisions effective for all PHI we maintain. Revised Notices will be posted on our website and made available to you upon request.
  • We will not use or disclose your PHI except as described in this Notice or as otherwise required or permitted by applicable law.
  • Technical safeguards: all PHI is encrypted at rest using AES-256-GCM and in transit using TLS 1.3. Access is controlled by role-based authentication and subject to HIPAA-compliant audit logging.

How to File a Complaint

If you believe your privacy rights have been violated, you have the right to file a complaint with us or with the Secretary of the U.S. Department of Health and Human Services. You will not be retaliated against for filing a complaint.

  • To file a complaint with IGNITE: contact our Privacy Officer at [email protected]. Describe the concern in writing; we will respond within 30 days.
  • To file a complaint with the HHS Office for Civil Rights (OCR): visit hhs.gov/hipaa/filing-a-complaint or call 1-800-368-1019 (TDD: 1-800-537-7697). OCR accepts complaints up to 180 days after the alleged violation (or up to 1 year if good cause is shown).
  • IGNITE's designated Privacy Officer and Security Officer is Bhaven Murji (Founder), reachable at [email protected].

Contact Us

For questions about this Notice or to exercise your rights: