Last Updated: July 2025
Introduction
This notice thoroughly explains the various ways your Protected Health Information (PHI) may be used and disclosed, your rights to control your health information, and how you can access your personal health records. We encourage you to read this notice carefully to understand how your information is handled. For any questions, please contact us at privacy@tandemtelehealth.com.
For purposes of this Notice, “Tandem” and the pronouns “we,” “us” and “our” refer to Tandem Telehealth Inc., its subsidiaries and affiliates under common ownership or operational control, and its contracted or employed care providers that operate as a HIPAA single affiliated covered entity (Tandem Telehealth, Inc).
Our Responsibilities
At Tandem, your privacy is of utmost importance. Tandem uses and discloses health information about you for treatment, to obtain payment for treatment, for administrative purposes, to evaluate the quality of care that you receive, and for other purposes permitted by HIPAA and applicable law. We are required by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to maintain the privacy of Protected Health Information, to provide individuals with notice of our legal duties and privacy practices with respect to Protected Health Information, and to notify affected individuals following a breach of unsecured Protected Health Information. HIPAA also requires us to make you aware of your privacy rights, including your ability to exercise your choice (i.e., “consent,” also referred to as an “authorization”) and provide your permission for us to collect, use, or share your PHI. We must follow the privacy practices that are described in this Notice while it is in effect.
If you are a patient insured by the United States Department of Veteran Affairs, you may be entitled to additional rights and restrictions regarding the use and disclosure of your protected health information other than as set forth in this Notice. At all times, we will comply with the applicable requirements of the Department of Veteran Affairs regarding the use and disclosure of your protected health information.
Scope of Notice
This Notice applies to all PHI created, received, or maintained by Tandem. Protected Health Information is any individually identifiable health information about your past, present, or future physical or mental health condition or payment for healthcare or about the provision of care to you. Protected Health Information may include information about your condition or treatment, diagnostic tests and images, and related health information.
How We May Use and Disclose Your Protected Health Information:
The following categories describe the different ways that we may use and disclose your Protected Health Information without your written authorization. Not every use or disclosure within a category will be listed. Your Protected Health Information may be stored in paper, electronic or other form and may be disclosed electronically and by other methods.
o How Tandem May Use or Share Your Health Information
In certain circumstances, Tandem may use or disclose your health information without needing your consent or written permission. The examples below illustrate ways we may handle your information as allowed or required by federal law. These disclosures may occur verbally, in written form, or electronically.
o For Treatment
Tandem may use and share your health data to provide mental health care or coordinate services related to your care. This can include collaboration with third-party providers. For instance, your counselor or another health professional may document your care in your file and share details with other providers involved in your treatment. These disclosures ensure continuity and quality of care.
o For Payment
We may utilize or release your information to secure payment for services you receive. For example, we may send a bill to you or a health insurance provider. This billing may include identifying information, your diagnosis, and the services rendered.
o For Health Care Operations
We may also use and share your health details as part of the internal operations of Tandem, such as quality assessments, staff training, licensing, and other administrative activities.
o Communications
Tandem might contact you to remind you of appointments or share information about treatment options or services you may find beneficial. Messages may be left on your voicemail or with someone who answers your phone. We may also provide you with brochures or materials, which may include content from third-party sources.
o When Required or Allowed by Law
There are instances where the law either requires or allows us to use or share your information. In those cases, any disclosure will be in accordance with the legal requirements and only to the extent necessary. You may be notified as required. Examples include:
o Public Health
We may use or release information for public health purposes, such as:
1. Assisting authorities in preventing or managing disease, injury, or disability
2. Reporting suspected child abuse or neglect to authorized agencies
3. Notifying individuals who may be exposed to or spreading a communicable disease, when allowed by law
o People Involved in Your Care
With your agreement—or if circumstances suggest you do not object—we may share your health information with a family member, friend, or caregiver involved in your treatment or payment for your care. If you pass away, we may also share relevant health details with someone involved in your care prior to your death, unless you previously expressed otherwise.
HIPAA permits us to share information from your health record with other providers for treatment, care coordination, and case management. Mental health data is generally treated the same as other medical data, though psychotherapy session notes—if kept separately—require your permission before being shared. Tandem follows all state-specific laws and ethical standards that may impose stricter rules on mental health information disclosures.
o Communicating with Family
If you're present and capable of making health decisions, your Tandem provider may discuss your care with others you designate, such as family or friends, provided you do not object. Your provider may seek your explicit permission, let you know the information will be shared (allowing you to object), or determine from the context that you are comfortable with the disclosure—such as if you invite a family member into a session.
o Oversight Agencies
We may disclose information to oversight bodies for activities like audits, inspections, investigations, or licensing reviews. These agencies may need access to ensure compliance with legal, health, or civil rights regulations.
o Threats to Health and Safety
If we believe disclosure is necessary to reduce or prevent a serious threat to the health or safety of an individual or the public, we may share your health information—so long as it's done in accordance with legal and ethical standards and the recipient is positioned to help prevent harm.
HIPAA also allows us to notify family members if there's an urgent or imminent threat to your safety or someone else’s and they can help mitigate it. If your provider determines that you are at risk of harming yourself or others, they may share that information with appropriate individuals or authorities in line with legal and ethical duties. Even when danger isn’t imminent, providers may still inform trusted individuals to help monitor or support your treatment plan—assuming you were given a chance to object and chose not to.
In cases where required, we may also assist law enforcement in identifying or apprehending someone who:
1. Confessed to involvement in a violent crime resulting in serious physical harm
2. Escaped lawful custody
3. Falls under state-mandated disclosure requirements
o Emergency and Disaster Notifications
We may use or share your information to notify your family, a personal representative, or someone responsible for your care about your location, general condition, or death. We may also provide this information to disaster relief agencies to assist with locating and updating loved ones.
o Deceased Individuals
We may share information with funeral homes, coroners, or medical examiners as needed to carry out their lawful responsibilities. After 50 years (or another legally defined period), your information may be used or disclosed without the limitations outlined in this policy.
o Government-Related Functions
We may disclose your health data in specific government-related situations, including military operations, national security activities, intelligence functions, and to protect certain public officials.
o Research Purposes
We may use or share your information for research when certain conditions are met. Research projects must undergo a review process to ensure compliance with privacy laws and ethical standards. We will not share your identifiable health data for research without proper approval, which may include:
• IRB (Institutional Review Board) or Privacy Officer oversight
• Your written consent, if legally necessary
• Privacy safeguards throughout the research process
In some instances, research may proceed without your written consent if the data is de-identified or included in a limited data set covered by an agreement
o Death-Related Disclosures
Your information may be shared with medical examiners or coroners to identify a deceased person or determine the cause of death. It may also be disclosed to funeral directors as needed for their duties.
o Organ and Tissue Donation
If you’re a donor, we may share relevant information with organizations involved in organ, eye, or tissue donation and transplantation, or related banks and registries, to facilitate the process.
o Workers’ Compensation
Your health information may be shared as needed to comply with laws relating to Workers’ Compensation or other job-related injury or illness programs.
o Legal Actions and Disputes
We may provide your information in response to legal proceedings, including court or administrative orders, subpoenas, warrants, or similar legal requests.
o Military and Veterans
If you're part of the military, your health data may be shared with command authorities or government officials, as legally required for domestic or foreign service members.
o National Security and Protective Services
We may share your data with authorized federal personnel for purposes like national security, intelligence, and protecting dignitaries or government leaders.
o Correctional Institutions
If you’re in a correctional facility or in law enforcement custody, we may disclose your information as necessary to provide health care, maintain your or others' safety, or ensure security at the facility.
o Business Associates
In the course of doing business, we may partner with third-party vendors (business associates) who perform services on our behalf. These associates must sign agreements promising to protect your privacy and adhere to security standards.
o Social Services
We may share your health details with certain social service agencies involved in your care without needing written consent, especially when those services are essential to your treatment—like assistance with housing or benefits. Only the minimum necessary information will be shared.
We may also use a signed authorization to share your information with multiple social services. For example, your consent may cover disclosure to various support providers for purposes such as job training, public aid, or therapy.
o Abuse or Neglect
If we suspect that you are a victim of abuse, neglect, or domestic violence, we may report this to appropriate authorities—including social services or law enforcement—if allowed by law.
o Emergencies
If you're unable to agree or object due to an emergency or incapacity, your provider may use their judgment to share relevant information with a friend or family member involved in your care or payment responsibilities when doing so is believed to be in your best interest.
When We Need Your Authorization
In all other circumstances not described above, we will ask for your written consent before using or disclosing your health information. You have the right to revoke this consent at any time—although any actions already taken based on your prior authorization will remain valid.
o Psychotherapy Notes
If your provider creates separate psychotherapy notes, we’ll need your written permission before we can share them—except:
• If the notes are being used by the provider who created them for your treatment
• For training purposes within our supervised mental health programs
• To defend against a legal action brought by you
Psychotherapy notes refer to detailed, personal reflections from your sessions, kept apart from the general medical record. They do not include medications, session times, treatment summaries, or clinical test results. If your provider believes releasing these notes would harm you, they may deny your request for access.
o Marketing
Our Privacy Policy outlines how we may reach out to you with educational, promotional, or marketing content. By agreeing to our Privacy Policy, you are authorizing this type of contact.
o No Sale of Your Health Data
We do not and will not sell your identifiable health data to any third parties.
Uses and Disclosures of Sensitive Health Information
Some laws provide added protection for certain kinds of health data. These include information about:
1. Psychotherapy sessions
2. Mental health or developmental disability services
3. Substance use diagnosis, treatment, or referrals
4. HIV/AIDS testing, diagnosis, or treatment
5. Sexually transmitted diseases
6. Genetic test results
7. Child abuse or neglect
8. Abuse of adults with disabilities
9. Sexual assault
Unless legally permitted or required, we will ask for your written authorization before sharing any of this highly confidential information.
Your Rights
You have significant control over your PHI, and Tandem respects and facilitates these rights:
o Request Restrictions: You have the right to request limits on how we use or disclose your PHI. For example, if you prefer certain treatment details not be disclosed to your insurer, you can request such a restriction if you pay out-of-pocket.
o Alternative Communications: You can specify preferred methods or locations for communication. We will accommodate reasonable requests and will notify you if we are unable to agree to your request. You must make your request in writing. Your request must specify the alternative means or location, and provide satisfactory explanation of how payments will be handled under the alternative means or location you request. We will accommodate all reasonable requests. However, if we are unable to contact you using the ways or locations you have requested we may contact you using the information we have.
o Access and Copies: You are entitled to inspect and obtain copies of your health records. This right applies to PHI used to make decisions about you or payment for your care, subject to limited exceptions. Requests should be made in writing. We may charge a nominal fee for copying and postage. In some cases, we have the right to deny you access to your records, such as if we reasonably conclude that it would be detrimental to you. If we deny your request, we will notify you in writing of the reason(s) for the denial and explain your right to have the denial reviewed.
o Amendments: You can request amendments to your PHI if you believe information is inaccurate or incomplete. Such requests must be submitted in writing, clearly stating the reason for amendment. We may deny your request and if we do, we will notify you in writing of the reason for the denial and your right to submit a statement disagreeing with the denial.
o Accounting of Disclosures: You have a right to receive an accounting of certain disclosures of your Protected Health Information. To request an accounting of disclosures of your health information, you must submit your request in writing. If you request more than one accounting of disclosures within any 12 month period, we reserve the right to charge you a reasonable, cost-based fee for each subsequent request.
o Notice Copies: You may request additional copies of this Notice at any time.
o Opt-Out of Information Exchange: You have the right to opt-out from electronic health information exchanges.
o If you have given another individual a medical power of attorney, if another individual is appointed as your legal guardian or if another individual is authorized by law to make healthcare decisions for you (such as your custodial parent) (known as a “personal representative”), that individual may exercise any of the above rights listed for you.
Protections in HIPAA for Psychotherapy Notes
Psychotherapy notes contain sensitive information recorded by a mental health professional during counseling sessions and are kept separate from your primary medical records. Due to their sensitive nature, HIPAA offers additional protections requiring your explicit written consent for disclosures, even for treatment purposes, unless mandated by law or required to defend against legal actions.
Substance Use Disorder Medical Records
Records related to substance use disorder (SUD) treatments receive special confidentiality protections under federal law. Disclosure of these records typically requires your explicit written consent. Exceptions include emergency medical situations, court orders, or for public health activities when records are de-identified. Unauthorized disclosure is prohibited, and breaches will be promptly addressed in compliance with applicable laws.
Health Information Exchange (HIE)
Tandem participates in secure health information exchanges (HIEs) that facilitate the electronic sharing of health records among providers for treatment coordination. Your participation is voluntary, and you have the right to opt-out. Information shared includes medical history, treatments, medications, and allergies. Specially protected information, such as substance abuse treatment records, is separately safeguarded and shared only in emergencies or with your explicit consent.
Complaints and Contact Information
We strive to meet high standards in protecting your health information, yet we understand concerns, or issues may occasionally arise. If you believe your privacy rights have been violated or you have concerns regarding how your PHI has been handled, we strongly encourage you to contact us directly to allow prompt resolution. You can file complaints confidentially and without fear of retaliation.
Contact our Privacy Officer directly for immediate assistance: Emily Furnari Email: privacy@tandemtelehealth.com Phone: (804) 332–6061
Additionally, you may file a formal complaint directly with the U.S. Department of Health and Human Services (HHS). Complaints filed with HHS are also confidential, and you will not experience retaliation for making a complaint:
U.S. Department of Health and Human Services Office for Civil Rights 200 Independence Avenue, S.W. Washington, D.C. 20201 Phone: (800) 368-1019 TDD: (800) 537-7697 Email: ocrprivacy@hhs.gov Website: https://ocrportal.hhs.gov/ocr
We commit to thoroughly investigating every concern raised, taking corrective actions as necessary, and continually improving our privacy practices based on your valuable feedback.
Changes to This Notice
We reserve the right to periodically update this Notice of Privacy Practices to reflect changes in our policies, procedures, legal requirements, or operational improvements. When changes are made, we will prominently update the effective date listed at the top of the notice. The updated notice will immediately be available on our website, prominently displayed within our secure Patient Portal, and provided to you upon request at any time.
We recommend periodically reviewing this notice to stay informed of how your information is protected and your rights under HIPAA. Tandem remains committed to transparently communicating any significant changes that affect how we manage and protect your PHI, ensuring you have current information about our privacy practices.
Citations
1. 45 CFR § 164.501, 45 CFR 164.508(a)(2) et seq
2. 45 CFR. § 164.524(a)(1)
3. 45 CFR 164.510(b)
4. 45 CFR 164.512(j)
5. 45 CFR 164.510(b)(2)
6. 445 CFR § 164.512(a).
7. 45 CFR § 164.512(c)
8. 45 CFR § 164.510(b)(3)
9. 45 CFR. § 164.524(a)(1)
