HIPAA Compliance & Notice of Privacy Practices
How CEREVITY Health, Inc. safeguards your protected health information (PHI) and your rights under the Health Insurance Portability and Accountability Act (HIPAA).
In Plain English
HIPAA is the federal law that protects your medical information. CEREVITY is a HIPAA-covered entity, which means we are legally required to keep your protected health information ("PHI") confidential, give you specific rights over your information, and notify you if there is ever a breach. The "Notice of Privacy Practices" beginning in Section 5 describes those rights and obligations in detail, as required by law.
Our HIPAA Commitment
CEREVITY Health, Inc. ("CEREVITY") is committed to protecting the privacy and security of your protected health information (PHI). We comply with the HIPAA Privacy Rule (45 CFR Part 164, Subpart E), the HIPAA Security Rule (45 CFR Part 164, Subpart C), and the HITECH Act, including breach notification requirements.
Covered Entity & Workforce
CEREVITY Health, Inc. operates as a HIPAA-covered entity for purposes of administering services through our nationwide network. Independent licensed clinicians who deliver care through our network function as members of CEREVITY's HIPAA workforce for purposes of HIPAA compliance, regardless of their independent contractor status, and are bound by CEREVITY's privacy and security policies as a condition of network participation.
Safeguards & Security
Administrative Safeguards
Designated Privacy and Security Officers, written policies and procedures, workforce training, role-based access controls, and ongoing risk analysis.
Technical Safeguards
Encryption of PHI in transit and at rest where applicable, unique user authentication, audit logging, automatic session timeout, and HIPAA-compliant telehealth and electronic health record systems.
Physical Safeguards
Restricted access to facilities and devices that store or transmit PHI, secure disposal of media, and workstation security policies.
Organizational Safeguards
Business Associate Agreements with vendors, ongoing monitoring, sanctions for workforce non-compliance, and an incident response plan.
Business Associates
We engage trusted vendors ("Business Associates") to help deliver and support our services. Each Business Associate is bound by a written Business Associate Agreement requiring them to safeguard PHI in accordance with HIPAA and to use it only for permitted purposes. Categories include electronic health records, telehealth platforms, secure messaging and communication, payment processing, IT and hosting, and administrative support.
Notice of Privacy Practices
This Notice describes how medical information about you may be used and disclosed and how you can get access to this information. Please review it carefully.
Effective Date: May 3, 2026
This Notice of Privacy Practices is provided by CEREVITY Health, Inc. as required by 45 CFR § 164.520. It describes the privacy practices applicable to PHI created or maintained by CEREVITY and the independent licensed clinicians within our network.
Uses & Disclosures of PHI
Uses & Disclosures Without Your Authorization
We may use and disclose your PHI without your specific authorization for the following purposes, as permitted by HIPAA:
- Treatment: coordinating and providing care, consulting with other clinicians, and referrals
- Payment: billing, processing payments, and verifying coverage
- Health Care Operations: quality improvement, training, credentialing, audits, compliance, and business management
- Required by Law: when disclosure is required by federal, state, or local law
- Public Health Activities: reporting to public health authorities for disease prevention and control
- Health Oversight Activities: for licensure, audits, investigations, and regulatory inspections
- Judicial & Administrative Proceedings: in response to a valid subpoena, court order, or legal process
- Law Enforcement: as permitted by law for limited law-enforcement purposes
- Serious Threat to Health or Safety: to prevent a serious and imminent threat to you or others, including mandatory reporting obligations
- Workers' Compensation: as authorized by workers' compensation laws
- Coroners, Medical Examiners, Funeral Directors: as required by law
- Abuse, Neglect, or Domestic Violence: reporting as required by mandatory reporting statutes
Uses & Disclosures Requiring Your Written Authorization
We will obtain your written authorization before using or disclosing your PHI for purposes other than those described above, including:
- Most uses and disclosures of psychotherapy notes
- Marketing communications (other than face-to-face communications or promotional gifts of nominal value)
- Sale of PHI
You may revoke a written authorization at any time, in writing, except to the extent we have already acted in reliance on it.
Your HIPAA Rights
Under HIPAA, you have the following rights with respect to your PHI:
To exercise any of these rights, contact our Privacy Officer using the information in Section 11. Most requests will be addressed within thirty (30) days.
Our Duties
CEREVITY is required by law to:
- Maintain the privacy and security of your PHI
- Provide you with this Notice describing our legal duties and privacy practices regarding your PHI
- Notify you if a breach of unsecured PHI occurs
- Abide by the terms of the Notice currently in effect
We reserve the right to change this Notice and to make the revised Notice effective for all PHI we maintain. We will post the current Notice on our website and provide a copy upon request.
Filing a Complaint
If you believe your privacy rights have been violated, you may file a complaint with us using the contact information in Section 11, or with the Secretary of the U.S. Department of Health and Human Services:
- Online: hhs.gov/hipaa/filing-a-complaint
- Mail: U.S. Department of Health and Human Services, Office for Civil Rights, 200 Independence Avenue S.W., Room 509F HHH Bldg., Washington, D.C. 20201
- Phone: 1-877-696-6775
You will not be retaliated against for filing a complaint.
Breach Notification
In the event of a breach of unsecured PHI, CEREVITY will provide notification in accordance with HIPAA's Breach Notification Rule (45 CFR Part 164, Subpart D), including notice to affected individuals without unreasonable delay and within 60 days of discovery, notice to the Secretary of HHS, and where required, notice to prominent media outlets.
Contact Us
To exercise any HIPAA right, ask a question, or file a complaint, contact our Privacy Officer:
CEREVITY Health, Inc. — Privacy Officer
HIPAA-related inquiries are addressed within 30 days.
Suite 319
Lakewood, CA 90712
Attn: Privacy Officer
⚠️ Crisis Resources
If you are experiencing a mental health crisis or having thoughts of suicide, please reach out immediately:
988 Suicide & Crisis Lifeline: Call or text 988
Crisis Text Line: Text HOME to 741741
National Alliance on Mental Illness (NAMI): 1-800-950-NAMI (6264)
Version History
| Version | Date | Summary |
|---|---|---|
| 1.0 | May 3, 2026 | Initial publication of HIPAA Compliance with merged Notice of Privacy Practices. |
