Notice of Privacy Practices
USR Holdings, LLC (“USR”), as a representative (“Business Associate”) of the Covered Entities to which it provides services, has a responsibility to protect the privacy and confidentiality of your Protected Health Information (“PHI”).
Your PHI is protected under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), as amended, including, without limitation, amendments by the Health Information Technology for Economic and Clinical Health (HITECH) Act (collectively, “HIPAA/HITECH”).
In addition, if a Covered Entity to whom we provide services provides substance use disorder treatment, your PHI is also protected under 42 CFR Part 2, The Confidentiality of Substance Use Disorder Patient Record (“42 CFR Part 2”).
In the course of providing you with services, we may obtain confidential PHI that is subject to the terms of a Business Associate and/or Qualified Service Organization Agreement (“Service Agreement(s)”) that USR has entered into with each Covered Entity it represents.
This Notice of Privacy Practices is provided to help you better understand how we use, disclose, and protect PHI in accordance with HIPAA/HITECH/42 CFR Part 2, and our Service Agreements.
Definitions
- “Business Associate” (“BA”) means an entity that performs functions or activities on behalf of a HIPAA/HITECH Covered Entity when those services involve access to, or the use or disclosure of, PHI.
- “Business Associate Agreement” (“BAA”) means a formal written contract between a BA and a Covered Entity that requires the BA to comply with specific requirements related to HIPAA/HITECH.
- “Covered Entity” means a health plan, healthcare provider, or healthcare clearinghouse that must comply with HIPAA/HITECH.
- “Qualified Service Organization” (“QSO”) means an entity that performs functions or activities on behalf of a 42 CFR Part 2 entity when those services involve access to, or the use or disclosure of, PHI.
- “Qualified Services Organization Agreement” (“QSOA”) means a formal written contract between a QSO and a Covered Entity that requires a QSOA to comply with specific requirements related to PHI.
- “Protected Health Information” (“PHI”) means all “individually identifiable health information” that is transmitted or maintained in any form or medium by a Covered Entity. Individually identifiable health information is any information that can be used to identify an individual and that was created, used, or disclosed in the course of providing a health care service such as diagnosis or treatment, or in relation to the payment for the provision of health care services, including “patient identifying information” under 42 CFR Part 2.
Use and Disclosure of PHI
- We may use or disclose PHI on behalf of, or to provide services to, Covered Entities for purposes of performing our obligations under a Service Agreement with one or more Covered Entities, provided that such use or disclosure is permitted or required by the applicable Service Agreement and would not violate HIPAA/HITECH/42 CFR Part 2.
- We may use PHI internally for our own internal management, administration, data aggregation and legal obligations, but only to the extent such use of PHI is permitted or required by the applicable Service Agreement and would not violate HIPAA/HITECH/42 CFR Part 2.
- We may disclose PHI for law enforcement purposes as required by law or in response to a valid subpoena.
- We may disclose PHI to downstream subcontractors or agents that provide supporting services to us. Such services shall comply with HIPAA/HITECH/42 CFR Part 2.
- Other uses and disclosures not described in this Notice of Privacy Practices will be made only with your express written authorization.
Revocation of Your Consent to Use and Disclose PHI
Many permitted uses and disclosures of PHI are only possible with your express consent. Your written authorization is required for any use or disclosure of PHI that is not for treatment, payment or health care operations, or otherwise permitted or required by HIPAA/HITECH/42 CFR Part 2.
You may revoke your consent to use and disclose your PHI at any time by sending a written revocation of your consent to the processing of your PHI to us at privacyofficer@usrholdings.com.
All PHI processed before we receive your revocation of consent will be considered legally processed with your consent. In addition, you may request that all of your PHI be removed from our systems and processes by sending a written request for removal and destruction of all your data to us at privacyofficer@usrholdings.com.
Upon receipt of your request, we will take all steps necessary to remove all of your PHI completely and permanently unless we are unable to do so for legal, compliance, or other legitimate reasons.
Your Rights
You may request information about:
- The purpose of our use and disclosure of your PHI;
- The legal basis for our use and disclosure of your PHI;
- The categories of PHI and the subject concerned;
- Information on the type or identity of third parties to which your PHI may be disclosed and the protection provided;
- The source of the PHI (if you didn’t provide it directly to us); and
- How long it will be stored.
You have a right to:
- Access your PHI;
- Have inaccurate PHI corrected;
- Request erasure of PHI;
- Restrict the processing of your PHI;
- Object to the processing of your PHI;
- Data portability;
- Opt out of PHI being transferred to a third party, unless there is a legal reason to do so; and
- Opt out of direct marketing.
To exercise your rights, you can write to our HIPAA Privacy Officer at privacyofficer@usrholdings.com.
Requests Regarding PHI
Requests for access to your PHI, requests to amend your PHI, or requests for an accounting of disclosures of your PHI shall be made in writing to our HIPAA Privacy Officer at privacyofficer@usrholdings.com.
We will act on your request no later than thirty (30) calendar days after we receive your request. If we are not able to act within this timeframe, we will provide you with a written statement of the reasons for the delay and the date by which we will complete our action on your request, which date will be no more than an additional thirty (30) calendar days from the original thirty (30) days. In the event that we deny any request, the response will include an explanation as to why access was denied.
Access to PHI
As provided in our Service Agreement, we will make available to each Covered Entity information necessary for the Covered Entity to give individuals their rights of access, amendment, and accounting in accordance with HIPAA/HITECH/42 CFR Part 2.
Upon request, we will make our internal practices, books, and records, including policies and procedures, relating to the use and disclosure of PHI received from, or created or received by us on behalf of a Covered Entity, available to the Covered Entity or the Secretary of the U.S. Department of Health and Human Services for the purpose of determining compliance with the terms of the Service Agreement(s) and HIPAA/HITECH/42 CFR Part 2.
Our Responsibilities
As a Business Associate and/or Qualified Service Organization, we have a number of legal responsibilities. They include the responsibility to:
- Enter into a written Service Agreement with Covered Entities that requires us to maintain the privacy of PHI, limit our use or disclosure of PHI to those purposes authorized by the Covered Entities, and assist Covered Entities in responding to your requests concerning your PHI;
- Amend PHI relating to you when requested by a Covered Entity;
- Make certain disclosures available to a Covered Entity in order for the Covered Entity to fulfill its obligation to you to provide accountings of certain disclosures to you;
- Enter into a Service Agreement with each of our subcontractors who may have access to your PHI;
- Comply with HIPAA/HITECH/42 CFR Part 2 provisions, including rules governing the uses and disclosure of PHI and your rights concerning your PHI;
- Perform a HIPAA Security Rule risk analysis;
- Implement HIPAA Security Rule safeguards;
- Train personnel concerning the HIPAA Privacy and Security Rules;
- Respond immediately to any security violation or breach;
- Timely report security incidents and breaches; and
- Maintain required documentation.
Safeguards
We use appropriate safeguards to prevent the use or disclosure of PHI other than as provided for in a Service Agreement. We have implemented administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic protected health information that we create, receive, maintain, or transmit on behalf of a Covered Entity.
Such safeguards include:
- Maintaining appropriate clearance procedures and providing supervision to assure that our workforce follows appropriate security procedures;
- Providing appropriate training for our staff to assure that our staff complies with our security policies;
- Making use of appropriate encryption when transmitting PHI over the Internet;
- Utilizing appropriate storage, backup, disposal, and reuse procedures to protect PHI;
- Utilizing appropriate authentication and access controls to safeguard PHI;
- Utilizing appropriate security incident procedures and providing training to our staff sufficient to detect and analyze security incidents; and
- Maintaining a current contingency plan and emergency access plan in case of an emergency to assure that the PHI we hold on behalf of a Covered Entity is available when needed.
Mitigation of Harm
In the event of a use or disclosure of PHI that is in violation of the requirements of a Service Agreement, we will mitigate, to the extent practicable, any harmful effect resulting from the violation. Such mitigation will include:
- Reporting any use or disclosure of PHI not provided for by the Service Agreement and any security incident of which we become aware to the Covered Entity; and
- Documenting such disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request for an accounting of disclosure of PHI in accordance with HIPAA and/or 42 CFR Part 2.
Changes to Our Notice of Privacy Practices
From time to time, we may change or update our Notice of Privacy Practices. We reserve the right to make changes or updates at any time.
How to Contact Us
If you have any questions regarding this Notice of Privacy Practices, please contact our Compliance Officer at:
HIPAA Privacy Officer
USR Holdings, LLC
10521 SW Village Center Drive, Ste. 202
Port St. Lucie, Florida 34987
Email: privacyofficer@usrholdings.com
Telephone: 888-547-4129 Ext. 3
Last Updated 2/22/2025