Notice of Privacy Practices
THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
1. Who this notice covers
This Notice describes the privacy practices of Practiclear PLLC ("Practiclear," "we," "us," or "our"), a Virginia professional limited liability company (Organization NPI 1972448322) providing direct-pay telehealth screening-lab ordering, result review, and documentation support services to adults located in Virginia. Andrew Overbey, FNP-BC, ENP-C (Individual NPI 1104220367; Virginia APRN License 0024172132) is the responsible clinician.
Practiclear is a "covered entity" under the Health Insurance Portability and Accountability Act of 1996, as amended (HIPAA, 45 CFR Parts 160 and 164).
2. Our duties under HIPAA
We are required by law to:
- Maintain the privacy of your protected health information ("PHI");
- Implement administrative, physical, and technical safeguards designed to protect the confidentiality, integrity, and availability of electronic PHI as required by the HIPAA Security Rule (45 CFR 164.302–164.318) — including access controls, encryption in transit and at rest, audit logging, workforce training, and a documented risk analysis;
- Provide you with this Notice describing our legal duties and privacy practices regarding your PHI;
- Abide by the terms of the Notice currently in effect;
- Notify you in the event of a breach of unsecured PHI as required by 45 CFR 164.404, and where applicable provide notification under Virginia's personal-information breach notification law (Va. Code § 18.2-186.6); and
- Not use or disclose your PHI for purposes other than those described in this Notice without your written authorization, except as otherwise permitted or required by law.
3. What is protected health information?
Protected health information ("PHI") means individually identifiable health information about you that we create, receive, or maintain. For Practiclear specifically, PHI typically includes your name, date of birth, contact information, government-issued photo ID, vaccination history, lab requisition information, lab results (TB QuantiFERON; MMR, Varicella, and Hepatitis B Surface Antibody titers), and any clearance letter we issue on your behalf.
4. How we use and disclose your PHI without your authorization
HIPAA permits us to use and disclose your PHI without your authorization for the following purposes (45 CFR 164.502, 164.506, 164.512):
Treatment
We use your PHI to provide and coordinate your care. For example: we use the medical history you complete in our intake form to determine whether asynchronous lab review is clinically appropriate; we transmit lab requisitions through our routing partner (intended MVP workflow: Evexia Diagnostics with Labcorp as performing lab / Patient Service Center draw path) so the laboratory can correctly identify your specimen; we review the results returned to us and prepare screening documentation that documents your reviewed result. If we refer you to a primary care provider, infectious-disease specialist, or local health department for follow-up of an abnormal result, we may share relevant PHI with that provider.
Payment
We use limited information to process your payment for services. Practiclear does not bill insurance. Payments are processed by Stripe, Inc. Stripe receives only payment method, transaction amount, and minimal non-PHI reconciliation metadata. Stripe does not receive your medical history, date of birth, photo ID, lab results, or clearance letter. Stripe is used as a payment processor for non-clinical payment information in the public checkout flow.
Health care operations
We use your PHI to operate the practice — for example, internal quality review, recordkeeping, provider credentialing, security incident review, and compliance audits.
Business associates
Some functions of our practice are provided by outside vendors that need access to PHI to perform their services. Active PHI workflows must be supported by written Business Associate Agreements requiring the vendor to safeguard your PHI consistent with HIPAA (45 CFR 164.502(e); 45 CFR 164.504(e)). Pending workflows are identified in §10 and must not receive PHI until the required configuration and agreement evidence is complete.
Required by law
We will disclose PHI when federal, state, or local law requires disclosure — for example, reportable communicable disease reporting to the Virginia Department of Health under 12 VAC 5-90-80 (active tuberculosis is a reportable condition), child or adult protective services reports, court orders, valid subpoenas with appropriate notice, or law enforcement requests that meet HIPAA's requirements.
Public health activities
We may disclose PHI to public health authorities authorized to collect or receive such information for the purpose of preventing or controlling disease or for public health surveillance, investigations, or interventions (45 CFR 164.512(b)).
Health oversight activities
We may disclose PHI to agencies authorized by law to oversee the health care system — for example, the Virginia Board of Nursing, the U.S. Department of Health and Human Services, or accrediting organizations.
To avert a serious threat to health or safety
We may disclose PHI when necessary to prevent or lessen a serious and imminent threat to your health or safety, or the health or safety of the public.
Workers' compensation
To the extent authorized by and necessary to comply with workers' compensation or similar laws.
Specialized government functions
For military, national security, protective services, or correctional purposes where applicable.
5. Uses and disclosures that require your written authorization
We will obtain your written authorization before using or disclosing your PHI for any purpose not described above. In particular, we will obtain your authorization for:
- Most uses and disclosures of psychotherapy notes (we do not maintain such notes; this is included for completeness);
- Marketing communications, except where permitted by HIPAA;
- The sale of your PHI; and
- Disclosure of your clearance letter or lab results to a school, employer, or third party. Typically you will deliver the letter yourself, but if you ask us to send it directly to your school or employer, we will obtain your written authorization first.
You may revoke any authorization in writing at any time, except to the extent we have already acted in reliance on it.
6. Special protections for substance use disorder records (42 CFR Part 2)
Some of the health information we maintain may relate to a substance use disorder ("SUD") diagnosis, treatment, or referral. This information may be subject to additional federal confidentiality protections under 42 CFR Part 2, which provides greater privacy protections than HIPAA for these records.
When these additional protections apply:
- We may be more limited in how we use or disclose this information, even for treatment, payment, or health care operations, unless you provide written consent or another legal exception applies.
- Part 2 records, or any testimony relaying their content, will not be used or disclosed in civil, criminal, administrative, or legislative proceedings against you without your specific written consent or a court order issued after notice and an opportunity to be heard.
- If we use Part 2 records for fundraising purposes, we will provide you a clear and conspicuous opportunity to opt out before doing so. (Practiclear does not currently engage in fundraising.)
If you have questions about whether a specific record is treated as a Part 2 record, please contact us using the information at the end of this Notice.
7. Notice about redisclosure
Information disclosed by Practiclear pursuant to this Notice may be redisclosed by the recipient and may no longer be protected by the HIPAA Privacy Rule. We encourage you to think carefully before authorizing disclosures to recipients who are not themselves covered by HIPAA — for example, employers, schools, or family members.
8. Your rights regarding your PHI
You have the following rights with respect to PHI we maintain about you. To exercise any of them, contact us using the information at the end of this Notice. Most requests must be in writing.
Right to inspect and copy
You may inspect and receive a copy of your PHI in our designated record set, including your clearance letter, lab results, and chart notes. We will provide copies in the form and format you request if readily producible, including electronic copies. We may charge a reasonable, cost-based fee (45 CFR 164.524; Va. Code § 32.1-127.1:03). We will respond within 30 days.
Right to amend
You may ask us to amend PHI you believe is incorrect or incomplete. We may deny the request in limited circumstances permitted by law (for example, if the information was not created by us, or if the existing record is accurate and complete). If we deny, we will tell you why and explain your right to submit a written statement of disagreement (45 CFR 164.526).
Right to an accounting of disclosures
You may request a list of certain disclosures of your PHI we have made in the prior six years (excluding disclosures for treatment, payment, health care operations, and a few others) (45 CFR 164.528). The first accounting in any 12-month period is free; we may charge a reasonable fee for additional requests.
Right to request restrictions
You may ask us to restrict certain uses or disclosures. We are not required to agree, except in one case: if you pay in full, out of pocket, for an item or service and request that we not disclose information about that item or service to a health plan, we must honor that request unless disclosure is required by law (45 CFR 164.522(a)(1)(vi)). Because Practiclear is direct-pay only and does not bill any health plan, this protection applies to every Practiclear visit by default.
Right to confidential communications
You may request that we communicate with you about your PHI by alternative means or at an alternative location — for example, a specific email address or phone number. We will accommodate reasonable requests (45 CFR 164.522(b)).
Right to a paper copy of this Notice
You may request a paper copy at any time, even if you have agreed to receive it electronically.
Right to be notified of a breach
You will be notified, in writing, if a breach of your unsecured PHI occurs, as required by 45 CFR 164.404.
Right to file a complaint
If you believe your privacy rights have been violated, you may file a complaint with us using the contact information below, or with the U.S. Department of Health and Human Services, Office for Civil Rights:
Online: hhs.gov/hipaa/filing-a-complaint
By mail: 200 Independence Avenue SW, Washington, D.C. 20201
By phone: 1-877-696-6775
We will not retaliate against you for filing a complaint.
9. Acknowledgment for new patients
By using Practiclear's services, you acknowledge that this Notice has been made available to you. We obtain your written acknowledgment of receipt of this Notice as part of your eligibility check at /start/, before any payment or clinical intake.
10. Who handles your PHI — the named-vendor list
Practiclear keeps the list of vendors who can touch your PHI deliberately short. Vendors marked as active Business Associates must be bound by written Business Associate Agreements before they handle PHI for Practiclear. Pending workflows are identified separately below and must not receive PHI until the required evidence and agreements are complete. We will update this list when it changes.
Active PHI workflows and pending workflows
| Vendor / workflow | Function | Type of PHI |
|---|---|---|
| Paubox Forms | Secure patient intake and file-upload channel — collects medical history, photo ID, vaccination records, intake authorizations, and clinical detail after payment. Jotform is not part of the MVP PHI intake workflow. | All intake PHI |
| Paubox Email Suite | Encrypted PHI-containing email communications — documentation-letter delivery, result explanations, and secure correspondence. | Patient name, email, letter content, result discussion |
| Google LLC (Google Workspace) | Intended practitioner inbox, Drive-based chart storage, internal calendar, and documentation. PHI use requires current HIPAA configuration and Business Associate Agreement evidence before launch. | Pending PHI workflow if launched |
| Evexia Diagnostics / Labcorp | Manual lab-ordering and result workflow after clinician review, with Labcorp as performing lab / Patient Service Center draw path for eligible orders. | Demographics, lab requisitions, lab results for eligible orders |
Vendors that support Practiclear but are NOT Business Associates (no PHI received)
| Vendor | Function | PHI boundary |
|---|---|---|
| Stripe, Inc. | Payment processing | Receives payment method, amount, and minimal non-PHI reconciliation metadata for payment processing. Receives no medical history, no DOB, no clinical detail, no lab results. |
| Cloudflare, Inc. | Public website hosting and edge delivery | The public website does not host patient charts, intake data, results, or uploaded files. |
| Formspree | Pre-payment eligibility form at /start/ | The eligibility form intentionally collects no PHI — no medical questions, no DOB, no chart link. Only test selection, non-PHI eligibility attestations, age attestation, and consent acknowledgments. |
If we add or change a vendor in a way that changes the categories above (for example, if we adopt an SMS provider that carries PHI), we will execute a BAA with that vendor and update this list.
What vendors are NOT in our stack
Practiclear does not use a centralized EHR system or web-based patient access portal. Your record set is composed of the items each named Business Associate maintains plus the locally-generated PDF clearance letter and audit log we keep on Practiclear's secured workstation. This architectural choice minimizes the number of places your PHI lives.
11. Text messaging (SMS)
Text messaging is optional. If you opt in by providing your mobile number and consenting on the eligibility form, your number is used only to send transactional messages about your order — for example, that your letter is ready, or that your provider has a brief follow-up question. Mobile number information and SMS consent records are not shared with third-party marketers and are not used to send marketing.
Because SMS is not an encrypted channel, we do not place sensitive clinical detail in a text — anything more than a brief notification goes through encrypted email via Paubox. Reply STOP to any Practiclear text to opt out at any time. Full SMS terms are at /legal/terms/#sms.
12. How long we keep your records
Practiclear retains clinical records (your medical history intake, lab orders, lab results, and the clearance letter we issued) for at least six (6) years from the date of your last encounter, consistent with HIPAA's documentation-retention requirement (45 CFR 164.530(j)) and the expectations of the Virginia Board of Nursing. Where Virginia law or another applicable rule requires a longer retention period (for example, records for minors are typically retained until the age of majority plus the standard retention period), we follow the longer requirement.
Pre-clinical records — such as the eligibility-gate form submission (which contains no PHI) and ordinary website logs — are retained only as long as needed for ordinary business purposes and security.
13. Cookies and online tracking
Practiclear deliberately keeps online tracking to the minimum required to operate the Site. We do not use Google Analytics, Meta/Facebook Pixel, advertising trackers, or behavioral-profiling tools on this Site. The U.S. Department of Health and Human Services has cautioned that such technologies on a covered entity's web pages can constitute an impermissible disclosure of PHI; we have chosen to avoid them.
The cookies that may be set when you use the Site are limited to those strictly necessary to deliver the service you requested:
- Cloudflare sets a bot-management cookie (`__cf_bm`) to distinguish humans from automated traffic. This is classified as strictly necessary and does not track you across sites.
- Stripe sets cookies on its own checkout pages when you make a payment, to process the transaction and detect fraud. These are strictly necessary for the transaction you requested.
- Formspree processes the pre-payment eligibility form and does not receive PHI.
- Paubox Forms may set strictly necessary session cookies when you complete the secure intake form.
Because all of the above are strictly necessary for the service you requested, no cookie consent banner is presented. If we add any non-essential analytics in the future, we will choose a privacy-preserving, cookieless option and update this Notice accordingly.
14. Virginia-specific protections
Virginia health-records law (Va. Code § 32.1-127.1:03) provides additional protections for health records held by Virginia practitioners. Where Virginia law is more protective of your privacy than HIPAA, we follow Virginia law. Where HIPAA is more protective, we follow HIPAA.
15. Related documents
This Notice is one of several documents that govern your relationship with Practiclear. The others are linked together for convenience:
- Telehealth Informed Consent — what telehealth care from Practiclear involves and the standards it meets.
- Terms of Service — the agreement that applies when you use this Site or order a service.
- Refund Policy — when refunds are issued, including provider-declined orders.
- Good Faith Estimate — your No Surprises Act right to a written estimate.
16. Changes to this Notice
We may change this Notice and make the new Notice's terms effective for all PHI we maintain, including PHI we created or received before the change. The current Notice will always be available at this URL with the effective date shown at the top. We will post a notice of material changes prominently on our homepage for a reasonable period.
17. Contact us
Practiclear's Privacy Officer is the supervising provider, Andrew Overbey, FNP-BC, ENP-C.
- Email: andrew@practiclear.com