Notice of Privacy Practices 

Megan Hoch Psychotherapy 

1920 Hillhurst Ave #1403 

Los Angeles, CA, 90027 

megan@meganhochpsychotherapy.com 

(818) 273 - 5504 

EFFECTIVE DATE OF THIS NOTICE 

This notice went into effect on 10/01/2025 

NOTICE OF PRIVACY PRACTICES 

THIS NOTICE DESCRIBES HOW HEALTH INFORMATION MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY. 

I. MY PLEDGE REGARDING HEALTH INFORMATION: 

I understand that health information about you and your health care is personal. I am committed to protecting health information about you. I create a record of the care and services you receive from me. I need this record to provide you with quality care and to comply with certain legal requirements. This notice applies to all of the records of your care generated by this mental health care practice. This notice will tell you about the ways in which I may use and disclose health information about you. PHI is disclosed when I release, transfer, give, or otherwise reveal it to a third party outside this practice. With some exceptions, I may not use or disclose more of your PHI than is necessary to accomplish the purpose for which the use or disclosure is made; however, I am always legally required to follow the privacy practices described in this Notice. I also describe your rights to the health information I keep about you, and describe certain obligations I have regarding the use and disclosure of your health information. I am required by law to: 

  • Make sure that protected health information (“PHI”) that identifies you is kept private. 

  • Give you this notice of my legal duties and privacy practices with respect to health information. 

  • Follow the terms of the notice that is currently in effect. 

To help clarify certain terms, here are some definitions: 

  • “PHI” or “Protected Health Information” refers to information in your health record that could identify you. This includes data about your past, present, or future health or condition, the provision of health care services to you, and the payment for such health care. Records may include: reasons you came for treatment; your history, such as things that happened to you throughout your life, your school and work experiences, and your relationships; diagnoses; records I get from others who treated you; information about medications you took or are taking; progress notes; and a treatment plan. 

  • “Treatment and Payment Options”: 

    • Treatment is when I or another healthcare provider diagnoses or treats you. An example of a disclosure related to treatment would be when I consult about you with another health care provider, such as your family physician or another psychologist, regarding your treatment. 

    • Payment is when I obtain reimbursement for your healthcare. Examples of payment are when I disclose your PHI to your health insurer to obtain reimbursement for your health care or to determine eligibility or coverage. 

  • “Health Care Operations” is when I disclose your PHI to your health care service plan (for example your health insurer), or to your other health care providers contracting with your plan, for administering the plan, such as case management and care coordination. 

  • “Use” applies only to activities within my clinic such as sharing, employing, applying, utilizing, examining and analyzing information that identifies you. 

  • “Disclosure” applies to activities outside of my office such as releasing, transferring, or providing access to information about you to other parties. 

  • “Authorization” means written permission for specific use or disclosures.

I can change the terms of this Notice and my privacy policies at any time as permitted by law, and such changes will apply to all information I have about you. The new Notice will be made available to you directly. If you have any questions, I am happy to help you understand my procedures and your rights.

ELECTRONIC RECORDS AND ELECTRONIC PROTECTED HEALTH INFORMATION (ePHI)

The HIPAA Privacy Rule establishes national standards to protect individuals’ medical records and other personal health information. The Security Rule protects a subset of information covered by the Privacy Rule, which is all individually identifiable health information a covered entity creates, receives, maintains or transmits in electronic form. The Security Rule calls this information “electronic protected health information” (e-PHI). The Security Rule does not apply to PHI transmitted orally or in writing.

Electronic records are subject to similar concerns and requirements as paper records. I keep electronic medical records on each patient within the SimplePractice portal. The 2005 HIPAA Security Rule provides specific guidance on managing electronic protected health information. It applies to practitioners who must comply with HIPAA and who store or transmit such information. The rule requires that I take special care in maintaining electronic records and that I conduct a risk analysis of specified issues and security measures appropriate for the practice. SimplePractice takes reasonable efforts to maintain their service in a manner that includes appropriate administrative, technical and physical security measures designed to protect the confidentiality, availability and integrity of ePHI as required by HIPAA. For instance, the database is fully encrypted on secure servers that are monitored 24/7, strong passwords are required and changed frequently, and all actions are logged, which offers a strong audit trail. For more information about how SimplePractice secures PHI, please visit their website.

I maintain reasonable and appropriate administrative, technical and physical safeguards for protecting ePHI, including: (1) ensuring the confidentiality, integrity, and availability of all e-PHI that I create, receive, maintain or transmit; (2) identifying and protecting against reasonably anticipated threats to the security or integrity of the information; and (3) protecting against reasonably anticipated, impermissible uses or disclosures.

WORKSTATION, DEVICE SECURITY, AND TECHNICAL SAFEGUARDS

I implement policies and procedures to specify proper use of and access to workstations and electronic media. I have policies and procedures regarding the transfer, removal, disposal, and re-use of electronic media, to ensure appropriate protection of electronic protected health information. I also have several technical safeguards to protect your health information including:

  • Access Control. I implement technical policies and procedures that allow only authorized persons to access electronic protected health information (ePHI).

  • Audit Controls. I implement hardware, software, and/or procedural mechanisms to record and examine access and other activity in information systems that contain or use ePHI.

  • Integrity Controls. I implement policies and procedures to ensure that ePHI is not improperly altered or destroyed.

  • Transmission Security. I implement technical security measures that guard against unauthorized access to ePHI that is being transmitted over an electronic network.

II. HOW I MAY USE AND DISCLOSE HEALTH INFORMATION ABOUT YOU:

The following categories describe different ways that I use and disclose health information. For each category of uses or disclosures I will explain what I mean and try to give some examples. Not every use or disclosure in a category will be listed. However, all of the ways I am permitted to use and disclose information will fall within one of the categories.

A. Uses and Disclosures Related to Treatment, Payment, or Health Care Operations Do Not Require Your Prior Written Consent. Federal privacy rules (regulations) allow health care providers who have a direct treatment relationship with the patient/client to use or disclose the patient/client’s personal health information without the patient’s written authorization, to carry out the health care provider’s own treatment, payment or health care operations. 

  1. For treatment. I may also disclose your protected health information for the treatment activities of any healthcare provider. This too can be done without your written authorization. For example, if one of your health care providers were to consult with me about your condition, I would be permitted to use and disclose your personal health information, which is otherwise confidential, in order to assist the clinician in diagnosis and treatment of your mental health condition. Disclosures for treatment purposes are not limited to the minimum necessary standard, because therapists and other health care providers need access to the full record and/or full and complete information in order to provide quality care. The word “treatment” includes, among other things, the coordination and management of health care providers with a third party, consultations between health care providers and referrals of a patient for health care from one health care provider to another. 

  2. For health care operations. I may disclose your PHI to facilitate the efficient and correct operation of this practice. For example, I may use your PHI in the evaluation of the quality of health care services that you have received. I may also provide your PHI to attorneys, accountants, consultants, and others to make sure that I am in compliance with applicable laws. 

  3. To obtain payment for treatment. I may use and disclose your PHI to bill and collect payment for the treatment and services I have provided to you. For example, I might send PHI to your insurance company (e.g., to file claims or complete treatment plans), claims processing companies, and others that process health care claims from my office.

B. Certain Other Uses and Disclosures Do Not Require Your Authorization. Subject to certain limitations in the law, I can use and disclose your PHI without your Authorization for the following reasons: 

  1. When disclosure is required by local, state, or federal law, and the use or disclosure complies with and is limited to the relevant requirements of such law. If you are involved in a lawsuit, I may disclose health information in response to a court or administrative order. I may also disclose health information about your child in response to a subpoena, discovery request, or other lawful process by someone else involved in the dispute, but only if efforts have been made to tell you about the request or to obtain an order protecting the information requested. 

  2. To avoid harm. I may provide PHI to law enforcement personnel or persons able to prevent or mitigate a serious threat to the health or safety of a person or the public (i.e., adverse reaction to medications). Additionally, your consent is not required if you need emergency treatment provided that I attempt to get your consent after treatment is rendered. In the event I try to get your consent but you are unable to communicate with me (e.g., if you are unconscious or in severe pain), but I think you would consent to such treatment if you could, I may disclose your PHI. When I do share information in an emergency, I will tell you as soon as I can. If you do not approve, I will stop, as long as it is not against the law. The disclosure may also be compelled or permitted by the fact that you are in such mental or emotional condition as to be dangerous to yourself or the person or property of others, and if I determine that disclosure is necessary to prevent the threatened danger. 

  3. If disclosure is mandated by the California Child Abuse and Neglect Reporting law. For example, if I have a reasonable suspicion of child abuse or neglect. 

  4. If disclosure is mandated by the California Elder/Dependent Adult Abuse Reporting law. For example, if I have a reasonable suspicion of elder abuse or dependent adult abuse. 

  5. For public health activities. Example: In the event of your death, if a disclosure is permitted or compelled, I may need to give the county coroner or medical examiner information about you. 

  6. For health oversight activities. Example: I may be required to provide information to assist the government in the course of an investigation or inspection of a health care organization or provider. 

  7. For specific government functions. I may disclose PHI for national security purposes. 

  8. For research purposes. In certain circumstances, I may provide PHI in order to conduct medical research, such as studying and comparing the mental health of patients who received one form of therapy versus those who received another form of therapy for the same condition. 

  9. For Workers’ Compensation purposes. Although my preference is to obtain an Authorization from you, I may provide your PHI in order to comply with workers’ compensation laws. 

  10. Appointment reminders and health related benefits or services. Examples: I may use PHI to provide appointment reminders. I may use PHI to give you information about alternative treatment options, or other health care services or benefits I offer. 

  11. If disclosure is required or permitted to a health oversight agency for oversight activities authorized by law. Example: When compelled by the U.S. Secretary of Health and Human Services to investigate or assess our compliance with HIPAA regulations. 

  12. For law enforcement purposes, including reporting crimes occurring on my premises. 

  13. If disclosure is otherwise specifically required by law.

III. CERTAIN USES AND DISCLOSURES REQUIRE YOU TO HAVE THE OPPORTUNITY TO OBJECT: 

  1. Disclosures to family, friends, or others. I may provide your PHI to a family member, friend, or other person that you indicate is involved in your care or the payment for your health care, unless you object in whole or in part. The opportunity to consent may be obtained retroactively in emergency situations. 

IV. YOU HAVE THE FOLLOWING RIGHTS WITH RESPECT TO YOUR PHI: 

  1. The Right to Request Limits on Uses and Disclosures of Your PHI. You have the right to ask me not to use or disclose certain PHI for treatment, payment, or health care operations purposes. I am not required to agree to your request, and I may say “no” if I believe it would affect your health care. 

  2. The Right to Request Restrictions for Out-of-Pocket Expenses Paid for In Full. You have the right to request restrictions on disclosures of your PHI to health plans for payment or health care operations purposes if the PHI pertains solely to a health care item or a health care service that you have paid for out-of-pocket in full. 

  3. The Right to Choose How I Send PHI to You. You have the right to ask me to contact you in a specific way (for example, home or office phone) or to send mail to a different address, and I will agree to all reasonable requests. 

  4. The Right to See and Get Copies of Your PHI. You have the right to get an electronic or paper copy of your medical record and other information that I have about you. Under certain circumstances, I may feel that your request may be denied, but if I do, I will give you, in writing, the reasons for the denial. I will also explain your right to have our denial reviewed. Otherwise, I will provide you with a copy of your record, or a summary of it, if you agree to receive a summary, within 30 days of receiving your written request, and I may charge a reasonable, cost based fee for doing so, not more than $0.25 per page. 

  5. The Right to Get a List of the Disclosures I Have Made. You have the right to request a list of instances in which I have disclosed your PHI for purposes other than treatment, payment, or health care operations, or for which you provided me with an Authorization. I will respond to your request for an accounting of disclosures within 60 days of receiving your request. The list I will give you will include disclosures made in the last six years unless you request a shorter time. I will provide the list to you at no charge, but if you make more than one request in the same year, I will charge you a reasonable cost based fee for each additional request. 

  6. The Right to Correct or Update Your PHI. If you believe that there is a mistake in your PHI, or that a piece of important information is missing from your PHI, you have the right to request that I correct the existing information or add the missing information. I may say “no” to your request, but I will tell you why in writing within 60 days of receiving your request. 

  7. The Right to Get a Paper or Electronic Copy of this Notice. You have the right to get a paper copy of this Notice, and you have the right to get a copy of this notice by e-mail. And, even if you have agreed to receive this Notice via e-mail, you also have the right to request a paper copy of it.

V. HOW TO COMPLAIN ABOUT MY PRIVACY PRACTICES

If, in your opinion, I may have violated your privacy rights or if you object to a decision I made about access to your PHI, you are entitled to file a complaint with Dr. Megan Hoch by calling (818) 273-5504 or emailing megan@meganhochpsychotherapy.com. You may also send a written complaint to the Secretary of the Department of Health and Human Services at 200 Independence Avenue S. W. Washington, D. C. 20201. If you file a complaint about my privacy practices, I will take no retaliatory action against you.

Acknowledgement of Receipt of Privacy Notice

Under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), you have certain rights regarding the use and disclosure of your protected health information.