Privacy & rights
Notice of Privacy Practices
Effective: May 2026
01
Who This Notice Applies To
This notice applies to Dr. Rizvi Wound Care (the “practice,” “we,” or “us”), operated by Dr. Hina Rizvi, M.D., C.W.S., and to every member of our care team, including the nurse practitioners and clinical staff who work under Dr. Hina Rizvi's supervision.
It describes how we may use and share your protected health information (“PHI”) and your rights with respect to it under federal HIPAA rules and Texas state law, including the Texas Medical Records Privacy Act (Texas Health & Safety Code Chapter 181, also known as “HB 300”).
02
Our Duties
We are required by federal and Texas law to:
- Protect the privacy and security of your PHI.
- Give you this notice of our legal duties and privacy practices.
- Follow the terms of the notice currently in effect.
- Notify you in writing if a breach occurs that may have compromised the privacy or security of your PHI.
- Train every member of our team on these duties before they touch your PHI and on a recurring schedule.
- Limit any use or disclosure to the minimum information necessary to accomplish the purpose, except for treatment, your own request, or as required by law.
03
Treatment
We use and share your PHI to provide, coordinate, and manage your wound care. For example:
- We share clinical findings, photographs of your wound, lab results, imaging, and progress notes with the other physicians and clinicians involved in your care, including your primary physician, vascular surgeon, podiatrist, infectious-disease specialist, hyperbaric clinician, and home-health nurses.
- We share information with the hospitals where Dr. Hina Rizvi holds privileges, including Medical City Plano and other facilities, when your care is connected to admissions, surgery, or post-discharge follow-up.
- We share information with pharmacies that fill your prescriptions and with durable medical equipment (DME) suppliers who provide compression garments, negative pressure devices, or other items prescribed for your care.
- We share information with diagnostic services that perform vascular, imaging, microbiology, or pathology tests we order.
04
Payment
We use and share your PHI to bill and collect payment for the care we provide. For example, we share information with:
- Your health plan to verify benefits, request prior authorization, and submit claims.
- Medicare, Medicaid, workers' compensation carriers, and commercial insurers, including your employer's health plan.
- Companies that help us with claims appeals, denials, payment posting, and patient billing statements.
- Collection agencies if a balance becomes seriously delinquent (we follow Texas debt-collection rules and never disclose more information than is necessary).
- You or your guarantor, when we send you a bill, an Explanation of Benefits, or a statement of charges.
05
Health-Care Operations
We use and share your PHI for the activities necessary to run our practice and improve the care we provide, including:
- Quality assessment and improvement, including review of your healing trajectory across visits.
- Training of staff, students, and clinicians under our supervision.
- Credentialing, peer review, and accreditation reviews.
- Compliance and risk-management activities, including communications with our medical-malpractice carrier (TMLT) for case review and education.
- Business management and planning for the practice.
- Customer service, including responses to your questions, complaints, and grievances.
06
Business Associates
We work with vendors who help us run the practice and who may need to handle your PHI to do their work. Examples include our electronic health record, our billing service, our secure email and messaging provider, our telemedicine platform, our IT and security service, our patient-engagement and recall platform, and our professional advisors (attorneys, accountants).
Each business associate signs a written Business Associate Agreement that requires them to protect your PHI to the same standards we do, to use it only for the purpose we have authorized, to report any breach to us, and to return or destroy your PHI when our relationship with them ends.
07
Appointment Reminders and Alternatives
We may contact you to remind you of an appointment, to share follow-up instructions, to recommend that you fill a prescription you already use, or to tell you about a treatment alternative or other health-related service we offer. You can ask us to use a specific phone number, email, or mailing address, or to stop a particular type of communication, at any time.
08
Sharing with Family, Friends, and Caregivers
With your permission, or when you have the chance to object and do not, we may share PHI with a family member, friend, or another person you identify when the information is directly relevant to that person's involvement in your care, payment, or wound-care logistics (for example, getting you to appointments or applying dressings at home).
In an emergency, or when you are not present and cannot agree, we will use professional judgment to share what is in your best interest. We may also share information with a person who is helping pay for your care, with you, or with disaster-relief organizations to coordinate notification of your family and location.
09
Public Health Activities
We may use or share PHI for the following public-health activities:
- Reporting communicable disease, vital events (births and deaths), and certain injuries to public-health authorities, including the Texas Department of State Health Services and the Centers for Disease Control and Prevention.
- Reporting reactions to medications, problems with products, and product recalls to the Food and Drug Administration.
- Notifying a person who may have been exposed to a disease.
- Reporting work-related injuries when an employer is legally required to receive them.
10
FDA-Related Disclosures
We may report adverse events involving prescription drugs, skin substitutes, wound-care biologics, durable medical equipment, and other regulated products to the manufacturer and to the Food and Drug Administration as required for tracking, recalls, and safety monitoring. The Skin Substitutes, Devices, and Adverse Events section below explains how this applies specifically to skin substitutes and devices used in your care.
11
Mandated Reporting
Texas and federal law require us to report, even without your authorization, information related to:
- Suspected child abuse or neglect, under Texas Family Code §261.101.
- Suspected abuse, neglect, or exploitation of an elderly or disabled adult, under Texas Human Resources Code §48.051.
- Certain injuries, including some gunshot and stab wounds, under Texas Health & Safety Code §161.041.
- Communicable diseases that public-health authorities require to be reported.
We are required by law to make these reports and cannot agree to restrict them.
12
Health Oversight and Audits
We may share PHI with agencies that audit, license, or investigate health care, including the Texas Medical Board, the Texas Department of State Health Services, the U.S. Department of Health and Human Services, and the Office of Inspector General. These agencies oversee how we deliver care, bill for it, and comply with the law.
13
Required by Law and Law Enforcement
- We may share PHI when a court order, subpoena, search warrant, summons, or other legal process requires it. We follow Texas law on what notice or protective order is required before responding.
- We may share PHI with law enforcement when the law authorizes us to: for example, to identify a suspect, victim, or missing person; to report a death we believe was caused by criminal conduct; or to report a crime that occurred on our premises.
- We may share PHI in response to administrative requests permitted by law.
14
Workers' Compensation
If you have a work-related injury, we may share your PHI as authorized by and to the extent necessary to comply with the Texas Workers' Compensation Act. Examples include sharing information with your employer's workers' compensation insurance carrier and with the Texas Department of Insurance, Division of Workers' Compensation.
15
Coroners, Medical Examiners, and Funeral Directors
We may share your PHI with a coroner, medical examiner, or funeral director so they can carry out their duties under the law (for example, to identify a person, determine the cause of death, or arrange burial or cremation).
16
Organ and Tissue Donation
If you are a registered organ, eye, or tissue donor, we may share PHI with organ-procurement organizations, eye banks, and tissue banks to help with donation and transplantation.
17
Specialized Government Functions
We may share PHI when required for specialized government functions, including military activities, national security and intelligence work, protective services for the President and others, and the medical care of inmates in correctional institutions.
18
Serious Threat to Health or Safety
We may share PHI to prevent or reduce a serious and imminent threat to your safety or someone else's safety. We will share only the information necessary to address the threat and only with the people in a position to help.
19
Research
Our practice does not currently participate in clinical research. If we do in the future, we will share PHI for research only with your written authorization or under a documented waiver granted by an Institutional Review Board or Privacy Board. Limited de-identified information may be used for quality-improvement projects within the practice.
20
Fundraising
We do not use your information for fundraising. If we ever begin a fundraising activity, we will tell you, give you a clear way to opt out, and honor your choice.
21
Marketing and the Sale of Information
We will not use or share your PHI for marketing communications that promote another company's product or service, and we will not sell your PHI, without your written authorization. The HIPAA Privacy Rule allows two types of communication that are not considered marketing and that we may use without your authorization:
- Reminders that you fill a prescription you already use.
- Information about a service that is part of your current treatment plan.
You may revoke a marketing authorization at any time, in writing.
22
Sensitive Categories of Information
Texas and federal law give heightened protection to certain categories of information. When any of these apply, we follow the more protective rule:
- HIV and other sexually-transmitted-infection results: protected under Texas Health & Safety Code Chapter 81.
- Mental-health information and psychotherapy notes: protected under federal and Texas law. We do not maintain psychotherapy notes in our wound-care practice.
- Substance-use-disorder records: protected under 42 CFR Part 2 when they apply to information generated by a Part 2 program.
- Genetic information: protected under the federal Genetic Information Nondiscrimination Act (GINA). We do not use genetic information for underwriting.
- Information about a minor: see the Minors and Personal Representatives section below.
23
Clinical Photography of Wounds
Wound photography is essential to wound care. We take clinical photographs of the wound and surrounding skin at most visits, and we use a three-tier consent model so the use of every photograph is clear:
- Tier 1 — Clinical record (covered by your treatment consent). Photographs taken for diagnosis, healing measurement, treatment planning, consultation with other clinicians involved in your care, and required documentation for insurers, durable medical equipment suppliers, or home health are part of your medical record and used the same way as the rest of your record.
- Tier 2 — Internal education and quality improvement (separate authorization). If we want to use a de-identified image for clinician or staff training, morbidity-and-mortality conferences, or quality-improvement projects within the practice, we will ask for a separate written authorization that you can revoke at any time.
- Tier 3 — Marketing, education outside the practice, or publication (separate authorization, with specific intended-use checkboxes). Use of an identifiable image (or any image with features that could identify you) for marketing, social media, conference posters, journal articles, patient testimonials, or anywhere outside the practice requires a separate written authorization scoped to the specific intended use. You can revoke this authorization at any time.
Photographs are stored in your medical record. We do not sell, rent, or license your photographs to third parties. If we ever use an artificial intelligence or machine-learning tool to assist with wound analysis, we will disclose the tool, what it does, and your choice about its use. You may ask to see your photographs, ask for copies, and ask us to stop using a particular image. We honor those requests.
24
Audio or Video Recording of Visits
We do not routinely record audio or video of in-person or telemedicine visits. If a recording is ever proposed (for example, for clinician training or to give you a copy of a complex teaching visit), we will get your written consent first and explain who will see the recording, how long we will keep it, and how to ask us to delete it.
25
Skin Substitutes, Devices, and Adverse Events
Wound care often involves regulated products: skin substitutes (cellular and tissue-based products), wound-care biologics, negative-pressure devices, and specialty dressings. Federal law requires the manufacturer of certain products to track patients who receive them, in case the manufacturer needs to issue a recall or follow-up safety notice.
We may share the limited information needed for that tracking, including:
- Your name and contact information for tracked devices and certain biologics.
- Lot or serial numbers and the date the product was used.
- Adverse event reports submitted to the manufacturer or the Food and Drug Administration.
You can ask us to send the same information to you, your primary physician, or another clinician at any time.
26
Home Health and Durable Medical Equipment Coordination
Many of our patients use home-health nurses, wound-vac (negative-pressure) equipment, compression garments, and other DME. We share PHI with those providers and suppliers to:
- Coordinate dressing changes, equipment delivery, and home-visit scheduling.
- Provide written orders, prescriptions, and medical-necessity documentation needed by Medicare or your insurer.
- Report progress and equipment outcomes back to the practice.
You can request that we contact a particular home-health agency or DME supplier of your choice.
27
Telemedicine
When you have a telemedicine visit, we use a secure two-way video and audio platform that complies with HIPAA, with the Texas Medical Board's telemedicine rules in 22 Texas Administrative Code Chapter 174, and with Texas Occupations Code Chapter 111. You will be asked to give written or verbal informed consent before the first telemedicine visit, and we will confirm your identity and your physical location at the start of every visit.
Telemedicine visits are documented in your medical record the same way as in-office visits. We do not record visits unless we have your written consent. If a video evaluation is not enough to safely diagnose or treat your wound, we will ask you to come into the clinic.
28
Health Information Exchange (HIE)
Texas allows physicians to share PHI through a Health Information Exchange to coordinate your care across providers. If we participate in an HIE that covers your records, you have the right to opt out of having your PHI shared through that HIE. To opt out, contact our Privacy Officer using the details below.
29
Patient Portal and Electronic Communications
If you use a patient portal or secure messaging with us, that information is protected by the same HIPAA standards as the rest of your record. You are responsible for protecting your portal password and the privacy of any device you use. If you suspect your account has been compromised, call us immediately so we can lock it.
30
Text Messages and Email
If you opt in to receive text messages or non-secure email from us, we will use them only for appointment reminders, follow-up, and similar care communications. We will not include your full medical information in a text message or non-secure email. Standard message and data rates from your carrier may apply. You can opt out at any time by replying STOP to a text or by clicking the unsubscribe link in an email.
31
Minors and Personal Representatives
For most care provided to a minor, the minor's parent or legal guardian controls the minor's PHI. Texas law gives minors the right to consent to certain types of care on their own (for example, certain pregnancy-related care or treatment for sexually-transmitted infections under Texas Family Code Chapter 32). When a minor consents to care on their own, we treat that information accordingly.
If you have a medical power of attorney or are a court-appointed guardian, you may exercise the rights of the patient you represent.
32
Your Rights
You have the following rights with respect to your PHI:
- Inspect and copy. You can ask to see and get a copy of your medical record, on paper or in a portable electronic format. Texas law requires us to respond within 15 business days for records kept electronically. We may charge a reasonable, cost-based fee for copies; the Texas Health & Safety Code §241.155 fee schedule sets the cap.
- Direct us to send a copy. You can ask us to send a copy of your record directly to another person or provider you name in writing.
- Request a correction. If you believe information in your record is wrong or incomplete, you can ask us to correct it. We will respond within 60 days, with one 30-day extension if we notify you in writing. If we deny the request, we will explain why and you can submit a written statement of disagreement that becomes part of your record.
- Get a list of disclosures. You can ask for an accounting of certain disclosures we have made of your PHI for the past six years. The accounting does not include disclosures for treatment, payment, or healthcare operations, or disclosures you authorized.
- Request a restriction. You can ask us to limit how we use or share your PHI for treatment, payment, or operations. We are not required to agree, with one exception: we must agree if you have paid in full out of pocket for a service and ask us not to share information about that service with your health plan.
- Request confidential communications. You can ask us to contact you a specific way (for example, by mobile phone only) or at a specific address.
- Receive a paper or electronic copy of this notice. You can ask for a paper copy any time, even if you have agreed to receive it electronically.
- Choose someone to act for you. If you have given someone medical power of attorney, or if someone is your legal guardian, that person can exercise your rights and make choices about your PHI.
- Revoke an authorization. If you have given us a written authorization to use or share your PHI for a specific purpose, you can revoke it in writing at any time, and we will stop, except for any use we have already made.
- File a complaint. You can file a complaint with us, with the U.S. Office for Civil Rights, or with the Texas Attorney General. We will not retaliate against you for filing a complaint.
33
Non-Discrimination and Language Access
We do not discriminate on the basis of race, color, national origin, age, disability, or sex (including pregnancy, sex stereotypes, sexual orientation, and gender identity). Free language assistance and aids for people with disabilities are available on request. See our Non-Discrimination Notice and our Accessibility Statement.
34
Breach Notification
If a breach occurs that may have compromised the privacy or security of your unsecured PHI, we will notify you in writing without unreasonable delay and in no case later than 60 days from discovery, as required by federal law (45 CFR §164.404) and Texas Business & Commerce Code §521.053.
Texas law also requires additional notifications when a breach is large:
- If the breach affects at least 250 Texas residents, we notify the Texas Attorney General.
- If the breach affects 500 or more individuals, we notify the U.S. Department of Health and Human Services.
- If the breach affects 10,000 or more residents in any one state, we notify nationwide consumer reporting agencies.
Our notice will tell you what happened, what information was involved, what we are doing about it, what you can do to protect yourself, and how to reach us with questions.
35
Changes to This Notice
We may revise this notice at any time, and a revised notice will apply to all PHI we maintain, including PHI we created before the change. The current notice is always posted at https://www.drrizviwoundcare.com/privacy. If we change the notice in a material way, we will post the new notice promptly, give you a copy at your next visit, and offer it to you on our patient portal.
36
Contact Our Privacy Officer
37
Filing a Complaint
You can file a complaint with us by contacting our Privacy Officer above. You can also file with:
U.S. Department of Health and Human Services, Office for Civil Rights
- Online: ocrportal.hhs.gov
- By phone: 1-800-368-1019 (TTY: 1-800-537-7697)
- By mail (Texas Region VI office): Office for Civil Rights, U.S. Department of Health and Human Services, 1301 Young Street, Suite 1100, Dallas, TX 75202
- By mail (Headquarters): U.S. Department of Health and Human Services, 200 Independence Avenue SW, Room 509F, HHH Building, Washington, DC 20201
Texas Medical Board
- Online: tmb.state.tx.us
- By phone: 1-800-201-9353
Texas Attorney General — Consumer Protection (HB 300)
You will not be retaliated against for filing a complaint.
This notice is provided in compliance with 45 CFR §164.520, Texas Health & Safety Code Chapter 181, and applicable Texas Medical Board rules. It supplements, and does not replace, our Non-Discrimination & Accessibility Notice, our Good Faith Estimate notice, and our Terms of Use.