Notice of Privacy Practices (HIPAA)

Quality Time Institute for Mental Health

William Holloway, LCSW — Founder & Lead Clinician
2635 Camino Del Rio S., Suite 302 #3, San Diego, California 92108
Phone: (858) 348-7373 | Email: Join@qualitytimeinstitute.com

THIS NOTICE DESCRIBES HOW MEDICAL AND MENTAL HEALTH INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY. THIS NOTICE IS REQUIRED BY FEDERAL AND CALIFORNIA STATE LAW.

1. Introduction & Legal Basis

Quality Time Institute for Mental Health (“QTI”) is committed to protecting the privacy of your health and mental health information. This Notice of Privacy Practices (“NPP”) is required by:

• Health Insurance Portability and Accountability Act of 1996 (HIPAA) — 45 CFR Parts 160 and 164
• California Confidentiality of Medical Information Act (CMIA) — Cal. Civil Code § 56 et seq.
• Patient Access to Health Records Act (PAHRA) — Cal. Health & Safety Code § 123100 et seq.
• California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA) — Cal. Civil Code § 1798.100 et seq.
• 42 CFR Part 2 — Confidentiality of Substance Use Disorder Patient Records (2024 Final Rule, effective Feb. 16, 2026)
• California SB 81 (2025) — Immigration Status Protections — Cal. Civil Code § 56.05; Health & Safety Code § 1249 et seq.
• California Civil Code § 56.104 — Outpatient Mental Health Records Protection
• Cal. Health & Safety Code § 1280.18 — Electronic Medical Information Security

Where California law provides greater protections than federal HIPAA, we apply the more protective California standard.

2. What is Protected Health Information (PHI)?

Protected Health Information (PHI) includes any individually identifiable information that:

• Relates to your past, present, or future physical or mental health or condition
• Relates to the provision of health care services to you
• Relates to past, present, or future payment for health care services
• Can be used to identify you individually

Under California CMIA (Cal. Civil Code § 56.05), “medical information” is defined broadly and is often more protective than federal HIPAA definitions.

California SB 81 (effective September 20, 2025): Your immigration status and place of birth, if known or collected, are classified as protected medical information under CMIA. We will not disclose this information for immigration enforcement purposes without a valid judicial search warrant or court order.

3. How We May Use and Disclose Your PHI Without Your Authorization

3.1 Treatment

We use and disclose your PHI to provide, coordinate, and manage your mental health care, including sharing information with other treating clinicians involved in your care with your knowledge.

3.2 Payment

We may use and disclose your PHI to obtain payment for services, including submitting insurance claims and providing insurance reimbursement support.

3.3 Health Care Operations

We may use PHI for internal operations such as quality assessment, clinical supervision, staff training, and practice management.

3.4 As Required by Law

We may disclose PHI when required by federal, state, or local law, including responding to court orders or subpoenas as permitted by applicable law.

3.5 Mandatory Reporting — California Law

As required by California law, we must report:

• Child abuse or neglect — Cal. Penal Code § 11164 et seq. (Mandated Reporter Law)
• Dependent adult or elder abuse — Cal. Welfare & Institutions Code § 15600 et seq.
• Tarasoff duty to protect — Cal. Civil Code § 43.92 (threat to identifiable third party)
• Communicable diseases — Cal. Health & Safety Code § 120130
• Gunshot wounds or injuries caused by violence — Cal. Penal Code § 11160

3.6 Serious Threat to Health or Safety

We may use or disclose PHI when necessary to prevent a serious and imminent threat to your health or safety, or that of another person (45 CFR § 164.512(j)).

3.7 Clinical Supervision and Consultation

Your therapist may consult with clinical supervisors or peer consultants using the minimum necessary information, in full compliance with HIPAA and California law.

3.8 Immigration Enforcement — SB 81 Protection

Under California SB 81 (effective September 20, 2025):

• We will NOT disclose your medical information — including immigration status — for immigration enforcement purposes
• We will NOT voluntarily cooperate with immigration enforcement requests
• Disclosure is only permitted if compelled by a valid judicial search warrant or court order

California is a safe healthcare state. All patients — regardless of immigration status — have the right to receive mental health care at QTI without fear of disclosure to immigration authorities.

4. Uses and Disclosures Requiring Your Written Authorization

The following disclosures require your signed written authorization:

• Psychotherapy notes (maintained separately per HIPAA — 45 CFR § 164.508(a)(2))
• Marketing or fundraising communications
• Sale of your PHI
• Disclosure to family members, friends, or any third party you identify
• Use of your PHI for research purposes
• Most uses and disclosures not described in this Notice

You have the right to revoke any authorization in writing at any time for future disclosures.

5. Special Protections Under California Law

5.1 Psychotherapy Notes & Outpatient Mental Health Records

HIPAA provides the highest level of protection for psychotherapy notes (45 CFR § 164.524). Under California Civil Code § 56.104, outpatient psychotherapy records require specific written authorization for most disclosures. We maintain psychotherapy notes separately from general health records.

5.2 Sensitive Services — CMIA Cal. Civil Code § 56.05 & § 56.30

California law prohibits disclosure of medical information related to the following sensitive services without express written authorization:

• Mental health treatment (including all therapy services provided by QTI)
• Sexual and reproductive health care
• Substance use disorder (SUD) treatment
• Gender-affirming care
• Intimate partner violence services

This protection applies even to minor patients — a minor’s parent or guardian cannot access these records without the minor’s written authorization, unless a specific exception applies.

5.3 Substance Use Disorder Records — 42 CFR Part 2 (2024 Final Rule)

SUD records receive special federal protections. Key protections include:

• SUD records may generally only be disclosed with your written consent
• Records may not be used against you in criminal, civil, or administrative proceedings without your consent or a court order
• A single patient consent can now authorize disclosure for treatment, payment, and healthcare operations (2024 update)

5.4 CMIA Private Right of Action

Unlike federal HIPAA, California CMIA (Cal. Civil Code § 56 et seq.) gives you the right to directly sue a healthcare provider for negligent, unauthorized disclosure of your medical information — even if the disclosure was unintentional.

5.5 Electronic Medical Information Security — Cal. Health & Safety Code § 1280.18

California law requires us to establish and maintain administrative, technical, and physical safeguards to protect the privacy and security of your electronic medical information at all times.

6. Your Rights Regarding Your PHI

6.1 Right to Access and Copy Your Records

You have the right to inspect and obtain copies of your PHI. Under California PAHRA (Cal. Health & Safety Code § 123111), we must provide records within 5 business days of your request — stricter than HIPAA’s 30-day rule. Submit requests in writing to our office.

6.2 Right to Request Amendment

If you believe your PHI is inaccurate or incomplete, you may request an amendment in writing. We will respond within 60 days.

6.3 Right to an Accounting of Disclosures

You have the right to receive a list of disclosures of your PHI we have made (other than for treatment, payment, health care operations, or authorized disclosures) for up to 6 years prior to your request.

6.4 Right to Request Restrictions

You may request restrictions on how we use or disclose your PHI. We MUST comply if you request that we not disclose PHI to your health plan for services you have paid for completely out-of-pocket (45 CFR § 164.522(a)).

6.5 Right to Confidential Communications

You have the right to request that we contact you in a specific way or at a specific location. We will honor all reasonable requests.

6.6 Right to a Paper Copy of This Notice

You have the right to request a paper copy of this Notice at any time by contacting our office.

6.7 Right to Be Notified of a Breach

You have the right to be notified without unreasonable delay, and within 60 days, if there is a breach of your unsecured PHI as required by the HIPAA Breach Notification Rule (45 CFR §§ 164.400–414) and California law.

6.8 Right to Non-Discrimination

We will not discriminate against you or deny services for exercising any of your privacy rights under HIPAA, CMIA, or California law.

7. Telehealth and Electronic Communications

QTI provides telehealth services using HIPAA-compliant, encrypted platforms. We use TherapyPortal (therapyportal.com) for scheduling and client communication. We do not communicate PHI through unsecured email or SMS without your express consent and acknowledgment of risks.

Our telehealth services comply with Cal. Business & Professions Code § 2290.5 and all applicable telehealth standards.

8. Our Duties

Quality Time Institute for Mental Health is required by law to:

• Maintain the privacy and security of your PHI
• Provide you with this Notice of Privacy Practices
• Follow the terms of the Notice currently in effect
• Notify you promptly in the event of a breach of your unsecured PHI
• Apply the most protective standard when state and federal laws differ
• Protect your immigration status as protected medical information under SB 81

9. Legal References & Official Resources

Federal Law

• HIPAA Privacy Rule — HHS.gov
• HIPAA NPP Requirements — 45 CFR § 164.520
• HHS Model NPP (Revised February 2026)
• 42 CFR Part 2 — SUD Records 2024 Final Rule
• HIPAA Mental Health & Privacy Guidance (PDF)
• HHS OCR — File a HIPAA Complaint

California State Law

• CMIA — Cal. Civil Code § 56 et seq.
• PAHRA — Cal. Health & Safety Code § 123100
• Cal. Civil Code § 56.104 — Outpatient Mental Health Records
• Cal. Health & Safety Code § 1280.18 — Electronic PHI Security
• SB 81 (2025) — Immigration Status Protections
• CCPA/CPRA — Cal. Civil Code § 1798.100 et seq.
• California BBS — HIPAA for Behavioral Sciences

Complaint & Enforcement Agencies

• HHS OCR — HIPAA Complaints — Phone: 1-800-368-1019 / TDD: 1-800-537-7697
• California AG Privacy Enforcement
• California DHCS Privacy Office
• CA Medical Board — File a Complaint

10. How to Exercise Your Rights or File a Complaint

10.1 Contact Our Privacy Officer

To exercise any right described in this Notice, submit a written request to:

Privacy Officer: William Holloway, LCSW
Quality Time Institute for Mental Health
2635 Camino Del Rio S., Suite 302 #3
San Diego, California 92108
Phone: (858) 348-7373
Email: Join@qualitytimeinstitute.com

10.2 File a Complaint — You Will Not Be Penalized

If you believe your privacy rights have been violated, you may file a complaint with us or with:

• HHS Office for Civil Rights — Phone: 1-800-368-1019
• California Attorney General Privacy Office
• California Department of Health Care Services
• California Medical Board

You will not be penalized or retaliated against for filing a complaint.