Notice of Privacy Practices — Stewart Foot & Ankle

01

Who We Are

Covered Entity & Privacy Officer

Stewart Foot & Ankle is a podiatric medical practice located in Olympia, Washington, operated by Dr. Benton Stewart, DPM. As a healthcare provider, we are a "covered entity" under HIPAA and are required to protect the privacy of your protected health information.

"Protected Health Information" (PHI) means any information we create or receive that relates to your past, present, or future physical or mental health condition, the provision of healthcare to you, or the payment for that healthcare — and that could reasonably identify you.

Privacy Officer

Dr. Benton Stewart serves as the Privacy Officer for this practice and is responsible for ensuring compliance with this Notice and applicable privacy laws. Questions or concerns may be directed to our office at (425) 842-3865 or by written request at 2008 Caton Way SW, Suite 203-B2, Olympia, WA 98502.

02

How We May Use & Disclose Your Health Information

Treatment, Payment & Healthcare Operations

The following describes the ways we may use and disclose your PHI without your written authorization. Not every use or disclosure will be listed, but all permitted uses and disclosures will fall within one of the following categories.

Treatment

We may use your PHI to provide, coordinate, and manage your healthcare and related services. For example, we may share your health information with other physicians or healthcare providers involved in your care, such as a specialist or hospital, if we refer you for additional treatment.

Diagnosing and treating foot and ankle conditions
Ordering diagnostic imaging, lab tests, or referrals to other providers
Coordinating care with other treating physicians, therapists, or facilities
Communicating with pharmacies regarding prescriptions
Providing follow-up reminders, care instructions, and post-treatment support

Payment

We may use and disclose your PHI to obtain payment for services we provide. This includes submitting claims to your insurance carrier, verifying benefits, and billing you or a third-party payer for services rendered.

Submitting claims to your insurance carrier (Aetna, Premera Blue Cross, Cigna, and others)
Verifying insurance benefits and prior authorization
Billing and collecting payment from you or a responsible party
Responding to coverage inquiries from your health plan
Processing HSA, FSA, or other health account transactions

Healthcare Operations

We may use and disclose your PHI for our internal healthcare operations. These activities are necessary to run our practice and ensure quality care for all patients.

Quality assessment, improvement, and patient satisfaction activities
Training and supervision of clinical and administrative staff
Business planning, practice management, and administration
Conducting audits, compliance reviews, and accreditation activities
Legal, risk management, and insurance functions

Appointment Reminders & Treatment Alternatives

We may use your PHI to contact you as a reminder that you have an appointment scheduled, or to provide information about treatment alternatives or other health-related services that may be of interest to you. You may request that we contact you by a specific method or at a specific location.

03

Other Permitted & Required Disclosures

When We May Share Without Your Authorization

In addition to treatment, payment, and healthcare operations, we may use or disclose your PHI in the following circumstances without your prior written authorization:

Required by Law

Court orders or administrative subpoenas
Lawful law enforcement requests
Mandatory public health reporting
Government oversight & audits

Public Health & Safety

Reporting communicable diseases
Preventing serious threats to health or safety
FDA safety reporting requirements
Workers' compensation claims

Research

IRB-approved research studies
De-identified or limited data sets
With appropriate privacy safeguards

Serious Threat

Imminent threat to your safety
Serious threat to the safety of others
Disaster relief and emergency operations

Business Associates

We may share your PHI with third-party "business associates" — companies or individuals who perform services on our behalf, such as billing companies, IT service providers, or our patient portal provider (YourHealthFile). We require all business associates to sign a Business Associate Agreement (BAA) committing them to protect your PHI in accordance with HIPAA.

Disclosures Requiring Your Written Authorization

For uses and disclosures beyond those described in this Notice, we will ask for your written authorization before sharing your information. This includes:

Marketing communications — we will not use your PHI to market products or services without your written consent
Sale of PHI — we do not sell your health information under any circumstances
Psychotherapy notes — require a separate, specific authorization
Most other disclosures not specifically described in this Notice

Revoking Authorization

You may revoke any written authorization you have given us at any time by submitting a written revocation to our office. We will honor your revocation except to the extent that we have already taken action in reliance upon it, or where the authorization was required as a condition of obtaining insurance coverage.

04

Special Protections for Certain Information

Sensitive Health Categories

Certain categories of health information are entitled to greater privacy protections under federal and Washington State law. We apply additional safeguards to the following types of information and will not disclose them without appropriate authorization or legal requirement:

Mental health and psychiatric records — subject to stricter disclosure rules under Washington law (RCW 71.05)
Substance use disorder treatment records — protected under federal 42 CFR Part 2 and Washington law (RCW 70.96A)
HIV/AIDS status and testing — special restrictions on disclosure under Washington law (RCW 70.24)
Genetic information — protected under the Genetic Information Nondiscrimination Act (GINA)
Reproductive health information — additional protections under the Washington My Health MY Data Act
Gender-affirming care information — additional protections under Washington State law
Minor patients — certain information about minors may be protected from disclosure even to parents or guardians, as required by applicable law

Washington My Health MY Data Act

Washington State's My Health MY Data Act (effective 2024) provides additional protections for consumer health data beyond HIPAA. This includes data related to reproductive health, gender-affirming care, mental health, precise geolocation data collected in connection with health services, and other sensitive health categories. We comply with all applicable provisions of this Act. See Section 9 for more details on Washington State law.

05

Your Rights Regarding Your Health Information

Patient Rights Under HIPAA & Washington Law

You have the following rights regarding your protected health information. To exercise any of these rights, please submit a written request to our Privacy Officer. We may charge a reasonable, cost-based fee for certain requests as permitted by law.

Right to Access & Copy

You have the right to inspect and obtain a copy of your medical records and other PHI that we maintain in a designated record set. We will respond within 30 days of your written request. You may request records in electronic format where available and feasible. We may deny access in limited circumstances permitted by law, and you may request a review of any denial.

Right to Amend

If you believe that health information we have about you is incorrect or incomplete, you may request that we amend it for as long as we maintain the information. We may deny your request if the information was not created by us, or if we determine the record is accurate and complete. If we deny your request, you have the right to submit a written statement of disagreement, which will be included in your record.

Right to an Accounting of Disclosures

You have the right to request a list of certain disclosures of your PHI that we have made during the past six years prior to the date of your request. This right does not include disclosures made for treatment, payment, or healthcare operations, disclosures made to you, or disclosures made with your written authorization.

Right to Request Restrictions

You may request that we restrict how we use or disclose your PHI for treatment, payment, or healthcare operations. We are not always required to agree to your request. However, we must agree to a restriction if you request that we not disclose PHI to a health plan for purposes of payment or healthcare operations, and the PHI pertains solely to a service for which you paid out-of-pocket in full.

Right to Confidential Communications

You may request that we communicate with you about your health matters in a certain way or at a certain location. For example, you may ask us to call only your cell phone, not your home number. You do not need to provide a reason for your request. We will accommodate all reasonable requests.

Right to a Paper Copy of This Notice

You have the right to obtain a paper copy of this Notice of Privacy Practices at any time, even if you previously agreed to receive it electronically. Please contact our office and we will provide you with a printed copy promptly.

Right to Notification of Breach

You have the right to be notified following a breach of your unsecured PHI. We will notify you without unreasonable delay and no later than 60 days following our discovery of a breach, as required by the HIPAA Breach Notification Rule (45 CFR Part 164, Subpart D).

Right to Non-Retaliation

We will not penalize you, refuse treatment, or retaliate against you in any way for exercising your rights under this Notice, for filing a complaint with us or with the government, or for refusing to sign an authorization.

06

Our Obligations

How We Safeguard Your Information

We are required by law to maintain the privacy of your protected health information, provide you with this Notice of our privacy practices, notify you following a breach of your unsecured PHI, and abide by the terms of this Notice currently in effect.

Administrative Safeguards

We have adopted comprehensive policies and procedures to protect your PHI. This includes designating a Privacy Officer, training all staff on privacy practices and their obligations, conducting regular risk assessments, and implementing sanctions for violations of our privacy policies.

Physical Safeguards

We control physical access to our office, equipment, and records to prevent unauthorized access to PHI. Paper records are stored securely, and access is limited to authorized personnel only. Workstations are positioned and locked to prevent unauthorized viewing of patient information.

Technical Safeguards

We use technical security measures to protect electronic PHI (ePHI), including access controls, audit controls, integrity controls, and transmission security. Our patient portal uses industry-standard encryption and authentication practices. Electronic communications containing PHI are transmitted using secure, encrypted channels.

Changes to This Notice

We reserve the right to change the terms of this Notice at any time. Any revised Notice will be effective for all PHI that we maintain at the time of the revision, including information created or received before the change. We will post the updated Notice in our office and on this website. A copy of the current Notice is always available upon request at our front desk.

07

How to File a Complaint

We Take Privacy Concerns Seriously

If you believe your privacy rights have been violated, or that we have not complied with our obligations under HIPAA or this Notice, you may file a complaint with our practice or with the U.S. Department of Health and Human Services. We will not retaliate against you in any way for filing a complaint.

File a Complaint With Our Practice

Contact our Privacy Officer in writing at the address listed in Section 10. We take all complaints seriously and will investigate promptly. We will respond to your complaint within a reasonable timeframe and notify you of our findings.

File a Complaint With the Federal Government

You may file a complaint with the U.S. Department of Health and Human Services, Office for Civil Rights (OCR):

Online: www.hhs.gov/hipaa/filing-a-complaint
Phone: 1-800-368-1019 | TDD: 1-800-537-7697
Mail: U.S. Department of Health and Human Services, 200 Independence Avenue SW, Washington, D.C. 20201

File a Complaint With Washington State

You may also contact the Washington State Department of Health or the Washington State Attorney General's Office regarding complaints about healthcare providers or consumer health data privacy:

WA Dept. of Health: www.doh.wa.gov | 1-800-525-0127
WA Attorney General (My Health MY Data Act): www.atg.wa.gov

08

Website & Digital Privacy

This Website, Patient Portal & Electronic Communications

Website Analytics & Cookies

Our website may use cookies and analytics tools (such as Google Analytics) to understand how visitors use the site and to improve the patient experience. This data is anonymized and aggregated and does not include your protected health information. You may disable cookies through your browser settings without affecting your ability to receive care at our office.

Patient Portal

Our patient portal is provided by YourHealthFile, a third-party platform. When you use the portal to book appointments, view records, or communicate with our office, that platform's own security practices and privacy policy also apply. We have a Business Associate Agreement (BAA) in place with our portal provider, requiring them to protect your PHI in accordance with HIPAA. We encourage you to review YourHealthFile's privacy policy at their website.

Electronic Communications

If you contact us by standard email or text message, please be aware that these channels are not fully encrypted and carry inherent privacy risks. We recommend using our secure patient portal for any communications that include your health information. By choosing to contact us via standard email or text, you acknowledge and accept the privacy risks of those communication methods.

Telehealth Services

Where telehealth visits are offered, they are conducted using HIPAA-compliant platforms with appropriate encryption and access controls. Your PHI transmitted during telehealth sessions is subject to the same protections described in this Notice.

Website Forms

Any information submitted through contact forms or appointment request forms on this website is transmitted securely via HTTPS. We do not use website form submissions for any purpose other than responding to your inquiry and scheduling your care.

09

Washington State Law

Additional State-Level Protections

Washington State provides additional health privacy protections in certain situations. Where Washington State law is more stringent than HIPAA, we follow Washington State law. The following state laws may apply to your health information:

RCW 70.02 — Washington Health Care Information Act: Governs the use and disclosure of health care information by providers in Washington, and establishes patient rights to access and control their health records
Washington My Health MY Data Act (SB 1155, eff. 2024): Provides additional consumer health data protections including reproductive health data, precise geolocation data in connection with health services, gender-affirming care, mental health data, and other sensitive categories
RCW 70.24 — Sexually Transmitted Infections: Strict restrictions on the disclosure of STI-related testing and treatment information without patient consent
RCW 70.96A — Substance Use Disorder: Additional confidentiality protections for records related to substance use disorder assessment and treatment
RCW 71.05 — Mental Health: Special protections governing the disclosure of mental health treatment records
RCW 70.46 — Home Health: Applicable confidentiality provisions for home health service records

Your Rights Under the Washington My Health MY Data Act

Under this Act, you have the right to: confirm whether we collect your consumer health data; access a list of all third parties with whom we have shared your consumer health data; withdraw consent to the collection or sharing of consumer health data; and request deletion of consumer health data we hold about you. To exercise these rights, please contact our Privacy Officer in writing at the address in Section 10.

10

Contact Us

Privacy Officer & Office Information

For questions about this Notice, to exercise your privacy rights, to request a paper copy of this Notice, or to submit a written complaint, please contact our Privacy Officer:

Stewart Foot & Ankle — Privacy Officer

Practice

Stewart Foot & Ankle
Dr. Benton Stewart, DPM
Privacy Officer

Mailing Address

2008 Caton Way SW, Suite 203-B2
Olympia, WA 98502

Phone (425) 842-3865

Office Hours

Monday – Friday
9:00 AM – 5:00 PM

Website stewartfootandankle.com

Secure Patient Portal Access Patient Portal →

Medical Disclaimer

Content on this website is for informational purposes only and does not constitute medical advice, diagnosis, or treatment. Always consult a qualified healthcare provider regarding any medical condition. If you are experiencing a medical emergency, call 911 immediately.