Effective Date: Jan 31, 2025
THIS NOTICE DESCRIBES HOW YOUR MEDICAL INFORMATION MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
This Notice of Privacy Practices is mandated by the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). It describes how we may use and disclose your protected health information (PHI) to carry out treatment, payment, or healthcare operations, and for other purposes that are permitted or required by law. It also describes your rights to access and control your protected health information. “Protected health information” is information about you, including demographic information, that may identify you and that relates to your past, present, or future physical or mental health or condition, related health care services, or related to the past, present, or future payment for the provision of health care to you.
We are required to abide by the terms of this Notice of Privacy Practices. We may change the terms of our notice at any time. Any such new notice will be effective for all protected health information that we maintain at that time. Upon your request, you may obtain any revised Notice of Privacy Practices by calling us and requesting that a revised copy be sent to you in the mail or by asking for one during your next telehealth consultation. You acknowledge receipt of this notice by accepting the Terms & Conditions for using the services provided by Sleep Reset.
USES AND DISCLOSURES OF PROTECTED HEALTH INFORMATION BASED UPON YOUR WRITTEN CONSENT
Your protected health information may be used and disclosed by Sleep Reset and its affiliates (collectively, "Sleep Reset") and others involved in your care and treatment for the purpose of providing healthcare services to you. Your PHI may also be used and disclosed as necessary to pay healthcare bills and to support the operation of Sleep Reset.
Set forth below are examples of the types of uses and disclosures of your PHI that Sleep Reset is permitted to make. These examples are not meant to be exhaustive but are provided to describe the types of uses and disclosures that may be made by Sleep Reset:
Payment:
Your protected health information may be used, as needed, to obtain payment for your healthcare services. For example, obtaining prior approval for telehealth services may require that your relevant PHI be disclosed to your health plan.
Healthcare Operations:
We may use or disclose, as needed, your protected health information to support the normal business activities of Sleep Reset. These activities include, but are not limited to, quality assessment activities, employee review activities, training, licensing, and conducting or arranging for other business activities.
We may also need to share your PHI with certain of our “business associates” or third parties that perform various activities (e.g., billing, care coordination, telehealth consultation scheduling) for Sleep Reset. Whenever an arrangement between Sleep Reset and a business associate involves the use or disclosure of your PHI, we will have in place the legally required safeguards to protect the privacy of your health information.
Data Analytics and Quality Improvement: We may use or disclose de-identified health information derived from PHI for research, quality assessment, product development, and business intelligence purposes. This may include:
ARTIFICIAL INTELLIGENCE AND MACHINE LEARNING SAFEGUARDS
AI Processing of PHI:
When using AI or machine learning with your PHI:
- All AI processing requires explicit patient authorization
- AI models are trained only on properly de-identified data
- Human oversight is maintained for all AI-generated insights
- AI recommendations do not replace clinical judgment
Automated Decision-Making Protections:
- You have the right to know when AI is used in your care
- You may request human review of AI-assisted decisions
- We maintain audit trails of all automated processing
- AI systems undergo regular bias and accuracy testing
Machine Learning Data Governance:
- PHI used for ML training is subject to enhanced security
- AI models are regularly tested for re-identification risks
- We maintain detailed records of all AI/ML data usage
- Patient data is never sold or shared for commercial AI training
Technology and Platform Operations: Your PHI may be processed through our telehealth platform, mobile applications, and associated technologies. This processing may include:
TELEHEALTH-SPECIFIC USES AND DISCLOSURES
For telehealth services delivered through our platform, additional uses and disclosures may occur:
Platform Operations: Your PHI may be processed through our secure telehealth technology platform, including:
- Real-time audio and video transmission during consultations
- Electronic health record integration and synchronization
- Automated appointment scheduling and care coordination
- Technical support and quality assurance monitoring
All platform processing is conducted under strict HIPAA compliance with appropriate technical safeguards.
Emergency Protocols: In telehealth emergency situations, we may disclose your PHI to:
- Emergency services (911) when you cannot communicate directly
- Local healthcare providers when immediate in-person care is required
- Family members or emergency contacts when you are incapacitated during a session
Telehealth Emergency Response Procedures:
During medical emergencies in telehealth sessions:
- Immediate activation of emergency services coordination
- Automatic documentation of emergency PHI disclosures
- Real-time communication with local emergency responders
- Post-emergency review of all PHI access and sharing
Emergency Contact and Notification:
- Pre-authorized emergency contact information on file
- Immediate notification to emergency contacts when appropriate
- Documentation of all emergency-related PHI disclosures
- Follow-up with patients after emergency situations resolved
Telehealth Research and Analytics: We may use de-identified PHI derived from telehealth sessions for:
- Clinical outcomes research and quality improvement studies
- Technology platform optimization and security enhancement
- Population health analytics for sleep disorder management
- Provider training and education programs
All research uses comply with HIPAA de-identification standards.
TELEHEALTH INFORMED CONSENT REQUIREMENTS
Enhanced Consent for Telehealth Services:
Before providing telehealth services, we obtain specific informed consent including:
- Acknowledgment of telehealth limitations compared to in-person care
- Understanding of technology risks and potential failures
- Agreement to environmental responsibilities during sessions
- Consent to emergency override procedures when necessary
Ongoing Consent Management:
- Consent verification at the beginning of each telehealth session
- Right to modify consent preferences between sessions
- Re-consent requirements for new telehealth technologies
- Documentation of all consent modifications in medical records
USES AND DISCLOSURES OF PROTECTED HEALTH INFORMATION BASED UPON YOUR WRITTEN AUTHORIZATION
Other uses and disclosures of your PHI will be made only with your written authorization, unless otherwise permitted or required by law. You may revoke your authorization at any time in writing, except to the extent that Sleep Reset has already relied on the use or disclosure as indicated in the authorization.
OTHER USES AND DISCLOSURES THAT MAY BE MADE AND TO WHICH YOU MAY AGREE OR OBJECT
In the circumstances listed below, you may agree or object to the use or disclosure of your PHI in the manner described. If you do not object, Sleep Reset may determine, using professional judgment, whether disclosing health information is in your best interest. If such a determination is made, only the PHI relevant to your care will be disclosed.
BUSINESS CONTINUITY AND CORPORATE TRANSACTIONS
In the event of a merger, acquisition, or other corporate reorganization, your PHI may be transferred as part of the transaction, subject to the same protections and restrictions outlined in this policy. We may also transfer your PHI in connection with the sale of assets or similar corporate transaction, with appropriate safeguards in place.
Others Involved in Your Healthcare:
Unless you object, we may disclose to a family member, relative, close friend, or any other person you identify, your PHI that directly relates to that person’s involvement in your healthcare. If you are unable to agree or object to such a disclosure, we may disclose such information as necessary if we determine it is in your best interests based on our professional judgment. We may also disclose PHI to assist in notifying a family member or personal representative of your location, general condition, or death.
BUSINESS ASSOCIATES AND SUBCONTRACTORS
Sleep Reset works with various business associates to provide telehealth services. All business associates are required to:
Primary Business Associates:
- Execute HIPAA-compliant Business Associate Agreements (BAAs)
- Implement equivalent privacy and security safeguards
- Report any PHI breaches within required timeframes
- Provide regular compliance certifications
Subcontractor Protections:
- All subcontractors handling PHI must meet the same HIPAA standards
- Multi-tier business associate agreements extend protections throughout the service chain
- We conduct regular audits of business associate compliance
- We maintain ultimate responsibility for all PHI protection regardless of delegation
Technology Partners:
Our telehealth platform may involve multiple technology partners, including:
- Cloud hosting and data storage providers
- Video conferencing and communication platforms
- Electronic health record integration partners
- Billing and payment processing services
Each technology partner maintains HIPAA certification and executes appropriate BAAs.
Emergencies:
In an emergency treatment situation, we may use or disclose your PHI without your prior consent. If this happens, Sleep Reset will make reasonable efforts to obtain your consent as soon as possible after treatment. If we are unable to obtain consent, we may still use or disclose your PHI to treat you.
Set forth below is a statement of your rights with respect to your PHI and a brief description of how you may exercise these rights.
You may contact us at help@thesleepreset.com for any inquiries or to communicate with us electronically. However, we advise that email communication may not be encrypted and could potentially be intercepted. By communicating with us via email, you acknowledge the risk associated with email communication and agree to those risks.
Our telehealth platform and mobile applications employ industry-standard encryption and security measures to protect your PHI. While we maintain appropriate technical safeguards, no electronic transmission system is guaranteed to be 100% secure. By using our services, you acknowledge:
We maintain PHI in accordance with applicable laws and regulations. Unless otherwise required by law:
TELEHEALTH PLATFORM SECURITY AND COMMUNICATIONS
Secure Communication Standards:
Our telehealth platform implements:
- End-to-end encryption for all video and audio communications
- Multi-factor authentication for provider and patient access
- Automatic session termination and timeout protections
- Real-time security monitoring and threat detection
Patient Environment Responsibilities:
When participating in telehealth sessions, you are responsible for:
- Ensuring a private, secure location for consultations
- Using secure internet connections (avoiding public Wi-Fi)
- Confirming your identity at the beginning of each session
- Reporting any technical issues or security concerns immediately
Session Recording and Documentation:
- Telehealth sessions are not recorded without explicit written consent
- Session notes and summaries are documented in your medical record
- You may request copies of all session documentation
- Technical metadata (connection quality, duration) may be retained for quality purposes
Technology Failure Protocols:
In the event of technology failures during telehealth sessions:
- Sessions may be resumed via secure alternative methods
- Critical information will be documented regardless of technical issues
- Emergency situations will be escalated to appropriate in-person care
- You will be notified of any potential PHI security implications
Data Transmission and Storage:
- All PHI transmission uses HIPAA-compliant encryption standards
- Data is stored in secure, geographically distributed cloud environments
- Backup and disaster recovery procedures protect against data loss
- International data transfers (if any) comply with applicable privacy laws
ENHANCED BREACH NOTIFICATION AND RESPONSE
Breach Definition and Assessment:
A breach is any impermissible use or disclosure of PHI that compromises security or privacy. We conduct immediate risk assessments for all potential incidents.
Notification Timelines (2025 Requirements):
For confirmed breaches involving your PHI:
- Individual notification: Without unreasonable delay, and no later than 60 days after discovery of the breach
- HHS Office for Civil Rights: Within 60 days of discovery
- Media notification: Within 60 days of discovery if the breach affects 500 or more individuals
- Notification to Sleep Reset by a business associate that discovers a breach: Without unreasonable delay, and no later than 60 days after discovery
Enhanced Notification Content:
Breach notifications will include:
- Clear description of what information was involved
- Steps taken to mitigate harm and prevent recurrence
- Contact information for questions and assistance
- Resources for identity monitoring when appropriate
- Timeline of discovery and response actions
Telehealth-Specific Breach Protections:
For breaches involving telehealth sessions:
- Immediate suspension of affected technology systems
- Review of all recent telehealth communications
- Enhanced monitoring of related patient accounts
- Coordination with technology partners for comprehensive response
Patient Support Services:
Following any breach affecting your information:
- Dedicated privacy officer contact for questions
- Free identity monitoring services when appropriate
- Assistance with credit report monitoring
- Support for reporting potential fraud or misuse
If we expand services internationally, your PHI may be transferred to, stored, or processed in other countries, subject to appropriate safeguards and agreements to maintain HIPAA compliance and protect your privacy rights. Any international data transfers will comply with applicable laws and regulations.
Cross-Border PHI Safeguards:
If we expand services internationally, we implement enhanced protections:
- Adequacy determinations for destination countries
- Standard contractual clauses for international data transfers
- Regular assessment of foreign privacy law compliance
- Enhanced encryption for international transmissions
Specific International Frameworks:
- EU GDPR Article 49 derogations for health data transfers
- Canada PIPEDA cross-border health information requirements
- UK Data Protection Act post-Brexit healthcare provisions
- Australia Privacy Act health record transfer safeguards
Patient Notification for International Transfers:
We will notify you when your PHI may be:
- Processed in countries with different healthcare privacy standards
- Subject to foreign government access under local laws
- Transferred to international business associates or subcontractors
- Stored in overseas data centers or cloud facilities
We may update our technology, platforms, and services over time. Any substantial changes affecting PHI handling will be reflected in updates to this policy. Changes may include:
We will maintain appropriate safeguards and compliance through any such changes.
If you believe your privacy rights have been violated, you may file a complaint with Sleep Reset or the Secretary of Health and Human Services. Complaints should be directed to our Privacy Officer. We will not retaliate against you for filing a complaint. You can contact our Privacy Officer at:
Sleep Reset, Inc.
Attention: Privacy
2261 Market Street #4408
San Francisco, CA 94114
Email: help@thesleepreset.com
No Retaliation Policy:
We will not retaliate against you for:
- Filing privacy complaints with any authority
- Exercising your privacy rights under this policy
- Reporting suspected HIPAA violations
- Participating in compliance investigations
Complaint Response Procedures:
- Initial acknowledgment within 5 business days
- Investigation completion within 30 days
- Written response with findings and corrective actions
- Follow-up to ensure resolution effectiveness
2025 HIPAA Compliance:
This policy incorporates all current HIPAA requirements, including:
- Updated Privacy Rule requirements effective 2025
- Enhanced Security Rule cybersecurity standards
- New reproductive health privacy protections
- Strengthened business associate compliance requirements
Ongoing Regulatory Monitoring:
We continuously monitor regulatory developments including:
- HHS Office for Civil Rights guidance updates
- State-specific privacy law requirements
- FTC health data enforcement actions
- Industry cybersecurity standards evolution
Policy Update Procedures:
- Annual review of all privacy practices and procedures
- Immediate updates for regulatory changes affecting patient rights
- 30-day notice for material policy changes
- Automatic distribution of updated policies to active patients
Audit and Compliance Verification:
We maintain comprehensive compliance programs including:
- Annual HIPAA Security Rule risk assessments
- Regular business associate compliance audits
- Continuous security monitoring and threat assessment
- Staff training and compliance certification programs
Last Updated: Jan 31, 2025