Privacy Policy for FlexAbility Therapy Solutions

Effective Date: July 17, 2025

This Privacy Policy outlines the commitment of FlexAbility Therapy Solutions ("Organization," "we," "us," or "our") to protecting the privacy and security of your protected health information (PHI) and personal information when you visit our online page and utilize our services. As an occupational therapy business operating primarily via telehealth, we understand the critical importance of safeguarding your data. This policy details our practices in compliance with the Health Information Portability and Accountability Act (HIPAA) and other applicable federal and state laws, including those specific to Massachusetts.

Our Commitment to Privacy and Security

FlexAbility Therapy Solutions is dedicated to:

1. Ensuring the confidentiality, integrity, and availability of all electronic Protected Health Information (e-PHI) that we create, receive, maintain, or transmit.

2. Protecting against reasonably anticipated threats or hazards to the security or integrity of such information.

3. Protecting against any reasonably anticipated uses or disclosures of such information that are not permitted or required by law.

4. Ensuring compliance with these policies and procedures by its workforce.

Information We Collect

We collect information necessary to provide you with occupational therapy services and to manage our online presence. This may include:

• Protected Health Information (PHI): This includes your name, contact information, date of birth, health history, diagnoses, treatment plans, progress notes, and billing information. This information is collected during your therapy sessions, through our patient intake forms, and via secure communication channels.

• Personal Information (Non-PHI): This may include information you provide when you interact with our website, such as email addresses for newsletter subscriptions, contact form submissions, or general inquiries that do not contain health-related data.

• Technical Data: When you visit our website, we may collect information about your device and Browse activity, such as your IP address, browser type, operating system, referring URLs, and pages viewed. This data is typically collected through standard website analytics tools and is used to improve our website's functionality and user experience.

How We Use Your Information

Your information is used for the following purposes:

• Providing Occupational Therapy Services: To assess, diagnose, treat, and manage your occupational therapy care.

• Communication: To communicate with you regarding appointments, treatment plans, billing, and other relevant service-related information.

• Administrative Operations: For billing, record-keeping, quality improvement, and internal business operations.

• Compliance: To comply with legal and regulatory requirements, including HIPAA.

• Website Improvement: To analyze website usage and improve our online content and services.

Disclosure and Use of e-PHI

FlexAbility Therapy Solutions uses and discloses e-PHI only as permitted by law or as authorized by you, as detailed in our Notice of Privacy Practices (NPP), which is provided to all patients.

We obtain and document satisfactory assurances from business associates (e.g., secure telehealth platforms, electronic health record systems, billing services) with whom we share e-PHI that such business associates will appropriately safeguard e-PHI in compliance with applicable law. Nevertheless, we cannot guarantee that business associates and other medical practitioners, insurers, and third parties with which we may share e-PHI, as permitted or required by law, are in compliance with HIPAA or other applicable laws.

Security Management Process

FlexAbility Therapy Solutions has completed a risk analysis and has implemented security measures detailed in this document. Our sanction policy, information system activity review, and periodic reviews of these security policies and procedures are detailed in the Recordkeeping and Notification provisions below, as well as the Applicability, Review, and Revision provision, to ensure ongoing security.

Assigned Security Responsibility

The Organization's designated security official(s) shall be responsible for the development and implementation of the policies and procedures in this document and required by law.

Workforce Security and Implementation Access Management

The Organization implements appropriate policies and procedures to ensure workforce security, including authorization and/or supervision, workforce clearance procedures, termination procedures, access authorization, and access establishment and modification, to protect e-PHI.

Security Awareness and Training

The Organization's workforce maintains security awareness and training by staying current with industry practice and standards as reasonable and appropriate. We maintain standard and up-to-date malicious software protection and password management, and periodically update security. Log-in monitoring is implemented to detect and respond to unauthorized access to workstations.

Security Incident Procedures

FlexAbility Therapy Solutions takes reasonable and appropriate steps to prevent and mitigate security incidents. In the event of a breach of unsecured PHI, we will provide notice to the Secretary of Health and Human Services and to affected individuals as required by 45 CFR § 164.400 et seq. and Massachusetts General Law (MGL) ch. 93H § 3.

We will notify without unreasonable delay each individual whose unsecured PHI has been, or is reasonably believed to have been, part of a breach, according to the notification specifications of 45 CFR § 164.404 and MGL ch. 93H § 3. We will notify the Secretary of Health and Human Services of such a breach according to the provisions of 45 CFR § 164.408. We will maintain records of suspected and known security incidents as required by law.

Contingency Plan

FlexAbility Therapy Solutions maintains measures to protect and restore data in the event of an emergency or disaster. This includes maintaining backups of e-PHI for the purposes of data backup, disaster recovery, and emergency operations. We periodically test and revise this plan. In an emergency affecting specific applications or data access, critical operations will be maintained through communication with patients and their healthcare providers. Our security contingency plan may involve consultation with legal and information technology support to the extent that it is reasonable and appropriate.

Facility Access Controls

As a wholly telehealth operation, facility access controls are neither reasonable nor appropriate for FlexAbility Therapy Solutions, as we do not maintain a physical facility for patient care.

Workstation Use and Security

The Organization maintains workstations at which all functions are performed and at which e-PHI is accessed. The workstation(s) are maintained in private and secure surroundings. Physical safeguards to restrict access to workstations primarily consist of standard physical barriers preventing access to a building, as well as password protection and other standard cybersecurity barriers.

Device and Media Controls

Hardware and electronic media are maintained under the custody of the Organization. E-PHI and/or hardware or electronic media on which it is stored will be disposed of when no longer in use and no longer required to be maintained by law, using reasonable and appropriate means including but not limited to using secure data erasure software. E-PHI will be fully erased from electronic media before the media are made available for re-use. The Organization maintains records of the movements of hardware and electronic media and the person responsible where reasonable and appropriate. Movement of equipment is minimized, and e-PHI is subject to secure data backup and storage.

Access Control and Audit Controls

Access to electronic information systems maintaining e-PHI is restricted by means of user identification and strong password policies. In an emergency, information may be accessed by authorized personnel through a substitute workstation and/or by accessing backed-up e-PHI. Automatic logoff, encryption, and decryption mechanisms are maintained as available through the Organization’s hardware and software. The Organization records and reviews as necessary any authorized or unauthorized access to information systems that contain or use e-PHI.

Integrity and Authentication

FlexAbility Therapy Solutions protects e-PHI from improper alteration or destruction by upholding the policies and procedures detailed in this document, including restricting physical access to hardware to unauthorized users, password protecting hardware, maintaining adequate and up-to-date threat protection software, and encrypting and backing up e-PHI. In the event of any indication of unauthorized access, data loss, or data degradation, we will check against backed up e-PHI, and corroborate with patients and their healthcare providers, as necessary, to confirm that e-PHI has not been altered or destroyed, and to restore e-PHI if necessary.

Person or Entity Authentication

Internal access to e-PHI is restricted to authorized members of the Organization's workforce. The identities of external persons and entities seeking access to e-PHI are verified by communication with patients and their representatives, and/or by communication with healthcare providers and business associates.

Transmission Security

FlexAbility Therapy Solutions strives to prevent unauthorized access to e-PHI being transmitted over an electronic communications network by using secure patient portals and other secure communications methods, as well as common-sense verification of identities and communication security measures. Improper modification of electronically transmitted e-PHI is prevented by communication with patients and health care providers to ensure veracity of information, as well as by the security measures described in this document. E-PHI is encrypted when reasonable and appropriate using the Organization’s software and other data services.

Business Associate Contracts

FlexAbility Therapy Solutions establishes with business associates and subcontractors satisfactory contractual assurances that business associates and subcontractors will appropriately safeguard e-PHI information in compliance with applicable law, including the provisions of 45 CFR § 164.314. Such contracts include provisions that business associates and subcontractors will report to FlexAbility Therapy Solutions any security incident of which they become aware, including breaches of unsecured PHI, that may affect FlexAbility Therapy Solutions or our patients.

Recordkeeping

FlexAbility Therapy Solutions maintains e-PHI as long as it is in use and as long as required by law, after which it will be disposed of according to the policies and procedures herein. We maintain records of material actions, activities, and assessments related to security, including of any security incidents or losses of data. We maintain this document and its versions, as well as records of security actions, activities, and assessments required by law for six years from the date of creation or the date when it last was in effect, whichever is later. Documentation is available to authorized workforce members responsible for implementing the policies and procedures herein.

Applicability, Review, and Revision

This document is not intended to be an exhaustive record of all security measures maintained by FlexAbility Therapy Solutions. These policies and procedures are periodically reviewed and updated by us to ensure compliance with law, adequacy, and relevance, and in response to environmental or operational changes affecting the security of FlexAbility Therapy Solutions and e-PHI. FlexAbility Therapy Solutions reserves the right to change this policy at any time, as is permitted by law.

Website Disclaimers and Terms of Use

In addition to the privacy policy, you'll want to have clear disclaimers and terms of use on your website to protect yourself and provide transparency to your visitors. These should ideally be separate pages linked from your privacy policy or footer.

Website Disclaimer

The information provided on the FlexAbility Therapy Solutions website (www.flexabilitytherapysolutions.com ) is for general informational purposes only and does not constitute medical advice, diagnosis, or treatment. It is not a substitute for professional medical or occupational therapy advice. Always seek the advice of a qualified healthcare provider for any questions you may have regarding a medical condition or treatment. Reliance on any information provided by FlexAbility Therapy Solutions, its employees, or others appearing on the website is solely at your own risk.

No Therapist-Patient Relationship: Visiting this website or submitting an inquiry through our contact form does not establish a therapist-patient relationship. A formal therapist-patient relationship is only established through a signed agreement after an initial consultation and assessment.

External Links: Our website may contain links to third-party websites. These links are provided for your convenience only and do not imply endorsement by FlexAbility Therapy Solutions. We are not responsible for the content or privacy practices of these external sites.

Terms of Use

By accessing or using the FlexAbility Therapy Solutions website (www.flexabilitytherapysolutions.com ), you agree to be bound by these Terms of Use. If you do not agree to these terms, please do not use our website.

Intellectual Property: All content on this website, including text, graphics, logos, images, and software, is the property of FlexAbility Therapy Solutions or its content suppliers and is protected by copyright and intellectual property laws. You may not reproduce, distribute, modify, or create derivative works from any content on this website without our express written permission.

Permitted Use: You may use this website for lawful purposes only. You agree not to use the website:

• In any way that violates any applicable federal, state, local, or international law or regulation.

• To transmit, or procure the sending of, any advertising or promotional material, including any "junk mail," "chain letter," "spam," or any other similar solicitation.

• To impersonate or attempt to impersonate FlexAbility Therapy Solutions, an employee, another user, or any other person or entity.

Limitation of Liability: FlexAbility Therapy Solutions, its practitioners, and affiliates will not be liable for any damages of any kind arising from the use of this website, including, but not limited to, direct, indirect, incidental, punitive, and consequential damages.

Changes to Terms: We reserve the right to revise and update these Terms of Use at any time. All changes are effective immediately when we post them and apply to all access to and use of the website thereafter. Your continued use of the website following the posting of revised Terms of Use means that you accept and agree to the changes.

Governing Law: These Terms of Use shall be governed by and construed in accordance with the laws of the Commonwealth of Massachusetts, without regard to its conflict of law provisions.