Privacy Policy
Last Updated: (5/5/25)
Introduction: Six States Wellness PLLC (“Practice,” “we,” or “us”), operator of OffBenzos.com, is committed to protecting your privacy and safeguarding your personal information. This Privacy Policy describes how we collect, use, and disclose information through our website and in the course of providing psychiatric services. It also outlines your rights regarding your personal health information. We are required by law to maintain the privacy of your Protected Health Information (PHI) and to provide you with notice of our legal duties and privacy practices. By using our services or site, you acknowledge that you have read and agree to this Privacy Policy.
1. Information We Collect
Personal Information You Provide: When you use our website or services, you may provide personal information voluntarily. For example, when contacting us or filling out forms, you might provide your name, contact details, insurance information, or health information related to scheduling or care. If you are a patient, we will also collect information through intake forms and during treatment (such as medical history, diagnoses, and treatment plans), which becomes part of your medical record.
Protected Health Information (PHI): If you become a patient, most information you provide for treatment is considered PHI under the Health Insurance Portability and Accountability Act (HIPAA). This includes any information that identifies you and relates to your past, present, or future physical or mental health or condition and related healthcare services. We treat all such PHI with strict confidentiality in accordance with HIPAA and applicable state laws.
Automatic Website Data: Our website may automatically collect certain technical data when you visit, such as your IP address, browser type, pages viewed, and referring website. We may use cookies or similar tracking technologies to enhance your experience. Cookies are small text files placed on your device to help the site function and to analyze usage. For instance, we may use cookies to understand which pages are most frequently visited and to improve site performance. We do not use cookies to personally identify you, but to aggregate information about site traffic and site interactions. You can adjust your browser settings to refuse cookies; however, some site features might not function properly if cookies are disabled.
2. Use of Collected Information
Provision of Services: We use the personal information you provide to deliver our services. For patients, this means we use your health information to provide diagnosis, treatment, and medication management for ADHD and any other conditions we are treating. Your information is used to make clinical decisions, document your care, and coordinate services.
Scheduling and Communication: We use contact information (email, phone number) to schedule appointments (including telehealth sessions) and send you confirmations or reminders. We may also use it to communicate with you regarding treatment or to respond to inquiries you send us. For appointment reminders or follow-ups, we may use secure messaging through our electronic health record system or phone/text messages as appropriate (and in compliance with privacy laws).
Payment and Insurance: We may use and disclose necessary information to billing staff or insurance companies to obtain payment for services. For example, diagnosis codes and dates of service may be shared with your insurer or payer to process claims. We limit the information to the minimum necessary for these purposes.
Healthcare Operations: We may use your information for our internal operations to ensure quality care. This can include activities like quality improvement, peer review, training, auditing, or other administrative functions. For instance, we might review records to ensure we are following clinical protocols. If we use any PHI for training or operational analysis, it will be limited and handled under strict privacy standards.
Electronic Health Records (Osmind EHR): We store patient medical records in a secure cloud-based Electronic Health Record system called Osmind. Osmind is a HIPAA-compliant platform protected by end-to-end encryption. This means your clinical information is stored electronically in a way that meets or exceeds federal privacy and security requirements. Osmind has implemented robust security measures and undergoes independent compliance verification to safeguard your data. We have a Business Associate Agreement with the EHR provider, ensuring they also protect your health information in compliance with HIPAA. Access to your electronic record is restricted to authorized users (such as your treating clinician and essential staff), and each login is password-protected and secure. Osmind also provides a patient portal which you may use to view parts of your record or communicate with us; use of the portal is optional but encouraged for secure communication.
Telehealth Platform (Zoom for Healthcare): If you participate in telehealth appointments, we conduct these via Zoom for Healthcare, which is a version of Zoom that is HIPAA-compliant and secure. Zoom for Healthcare uses encryption and other security features to protect your privacy. No telehealth sessions are recorded by us without your consent (we do not record sessions in the ordinary course of practice). We ensure that telehealth sessions take place in a private setting on our end, and we advise you to do the same on your end (see Telehealth Consent section below for more details on privacy during telehealth). By using our telehealth services, you understand that certain data (like your name, email or phone for the meeting invite) may be used by the Zoom platform to facilitate the video session. We have a Business Associate Agreement with Zoom through Osmind’s integration, meaning Zoom is also obligated to keep any personal health information secure and confidential.
Cookies and Analytics: Information collected through cookies and site analytics (which is generally non-identifiable information) is used to improve our website’s design, functionality, and content. For example, we might analyze what topics users search for or which pages are most visited to ensure our site is meeting visitors’ needs. We may use third-party analytics services (such as Google Analytics) that deploy their own cookies or similar identifiers to collect aggregate information about website traffic. These third-party services only provide us aggregated data; they do not collect identifiable health information about you in this process. We use this data solely for improving our online services and marketing effectiveness. You can opt out of Google Analytics tracking by using a browser add-on if desired. We do not sell or rent any information collected via cookies or our website usage.
Legal Compliance and Public Safety: There are certain circumstances where we may use or disclose information because it is required or permitted by law, beyond the routine uses above. For example, we may disclose information as needed to comply with laws related to public health reporting, mandatory reporting of abuse or neglect, or reporting of certain injuries or threats (for instance, if you threaten to harm yourself or others, we may have to notify authorities or intended victims as required by law). We may also disclose information in response to a valid court order or subpoena, or to regulatory agencies for audits or investigations. If you are involved in a lawsuit and we receive a court order, we might have to release relevant information. Additionally, if necessary to prevent a serious threat to your health and safety or someone else’s, we may share information with persons who can help prevent the threat (consistent with ethical and legal duties to protect safety).
Other Uses with Authorization: Uses and disclosures of your PHI for purposes not described in this notice will be made only with your written Authorization. For instance, we would seek your authorization before using your information for marketing communications or if we ever wanted to release information to a third party not involved in your care. You have the right to refuse or revoke such authorizations at any time (which would not affect information already disclosed).
3. Protection of Your Information
We implement a combination of administrative, physical, and technical safeguards to protect your personal information. These measures include secure storage of records, training our staff on privacy obligations, and using encryption and secure networks for electronic data. Osmind (our EHR) and Zoom (telehealth) both employ high levels of security (including encryption and access controls) to keep your data safe. Our staff are trained to only access the minimum necessary information to perform their duties. We periodically review our privacy and security practices to adapt to new threats or regulations.
Despite our best efforts, please note that no system can be guaranteed 100% secure. There is always some risk inherent in transmitting information over the internet. We ask that you also take precautions, such as using strong passwords for our patient portal, keeping your portal login information private, and using secure networks when accessing telehealth. If we become aware of a breach of unsecured PHI, we will notify affected individuals and authorities as required by HIPAA and state law.
4. Patient Rights Under HIPAA
As a patient, you have specific rights regarding your Protected Health Information:
Right to Access and Copy: You have the right to see and get a copy of your health records that we maintain, with some limited exceptions. This includes medical and billing records. To request access, contact us (see Contact section below). We will provide a copy in the format you request if possible (paper or electronic). We may charge a reasonable cost-based fee as permitted by law for copies. In rare cases, we may deny your request (for example, if a provider believes seeing the record would endanger you or someone else), but you have the right to have such denials reviewed by another licensed professional.
Right to Request Amendment: If you believe the information in your record is incorrect or incomplete, you can request in writing that we amend your record. We may ask for a reason to support the request. We will either make the amendment or add a note of your disagreement, and we will inform you of our decision. (For example, if a date of birth is wrong, we’ll correct it; if you disagree with a medical opinion, we may note your statement but not change the original notes.)
Right to an Accounting of Disclosures: You have the right to request a list of certain disclosures we have made of your PHI outside of treatment, payment, or healthcare operations (for example, disclosures made due to a legal requirement). This accounting will include the date of disclosure, to whom it was disclosed, and a brief description of what was disclosed. This right covers disclosures made in the last 6 years (or a shorter period you specify). Note that routine disclosures to you or with your consent, or incidental disclosures, are not included in the accounting. To request this, please contact us.
Right to Request Restrictions: You have the right to request that we limit how we use or disclose your information for treatment, payment, or operations. For example, you might request we not share certain information with a particular family member. While we will consider all reasonable requests, we are not required to agree to a requested restriction in most cases. One exception: if you pay for a service in full out-of-pocket and you request that we not inform your insurance about that specific service, we must honor that request (except where required by law). If we do agree to a restriction, we will comply except in emergency situations or where the law requires otherwise.
Right to Confidential Communications: You have the right to request that we contact you in a certain way or at a certain location to preserve confidentiality. For instance, you may request that we only contact you by phone and not email, or that we send mail to a P.O. box instead of your home address. We will accommodate reasonable requests whenever feasible. Please ensure your contact preferences are provided to us in writing.
Right to a Copy of this Privacy Policy/Notice: You have a right to a paper copy of this Privacy Policy (our Notice of Privacy Practices) at any time, even if you have agreed to receive it electronically. You may also download or print it from our website. If you prefer a paper copy, please ask our staff and we will provide you one.
Right to Opt-Out of Communications: If we send any optional communications (such as a newsletter or announcement via email), you have the right to opt out of receiving those. This does not apply to communications directly related to your care (appointments, treatment plans, billing, etc., which we will continue to send as needed).
5. Telehealth and Recording
As noted, telehealth sessions are conducted via Zoom for Healthcare. We do not record video of sessions without your explicit consent. We also request that you (the patient) do not record sessions without informing us, to preserve mutual privacy and trust. New Hampshire regulations specifically state that telehealth sessions shall not be recorded without the patient’s consent. We abide by this requirement. If there is ever a need to record (for example, for a specific therapeutic exercise or if you request it), a separate consent for recording would be obtained and you have the right to refuse.
6. Website Visitors (Non-Patients)
If you are simply visiting our website and are not a patient receiving services, please know that HIPAA may not apply to the generic information collected (like cookies or basic contact info). However, we still value your privacy and will treat any personal data you provide (such as via a contact form) with care. We will use it only for the purpose for which you provided it (e.g., to respond to your inquiry or schedule an appointment). We will not add you to any mailing list without your consent, nor share your contact information with third parties for their own marketing. If you become a patient, any further information you provide will then be considered PHI and protected under HIPAA as described in this Policy.
Our website may include social media features (e.g., a Facebook or X (Twitter) link) – interacting with those features is governed by the privacy policy of the respective platform. We do not collect your social media account information, though those platforms might know you visited our site if you are logged in with them.
7. Changes to This Policy
We may update this Privacy Policy/Notice of Privacy Practices from time to time as needed to reflect changes in our practices or to comply with law. If we make significant changes, we will update the “Last Updated” date at the top of the policy. For patients, the current Notice of Privacy Practices will always be available on our website and offered at your visits. We encourage you to review this Policy periodically. Continued use of our website or services after changes are made to the Policy indicates your acceptance of the revised terms.
8. Questions or Complaints
If you have any questions about this Privacy Policy or our privacy practices, or if you believe your privacy rights have been violated, you may contact us to discuss your concerns. Contact: You can reach our Privacy Officer or clinic owner by calling our phone number or emailing us. We take all privacy concerns seriously and will not retaliate against you for asking questions or filing a complaint.
If we cannot resolve your concern, you also have the right to file a complaint with the U.S. Department of Health and Human Services Office for Civil Rights. You can visit hhs.gov/hipaa for information on how to submit a complaint. There will be no penalty or change in your care for filing a complaint with either us or HHS.
By using our services and site, you acknowledge that you have been informed of our privacy practices as detailed above. We are dedicated to protecting your privacy and providing you with high-quality care.