Legal & Compliance

Privacy Policy & HIPAA Notice

This notice describes how medical information about you may be used and disclosed and how you can get access to this information. Please review it carefully.

Effective date: April 15, 2026  ·  Northwest Psychiatry LLC

Notice of Privacy Practices (HIPAA)

Northwest Psychiatry LLC is required by law to maintain the privacy of Protected Health Information (PHI) and to provide you with this Notice of Privacy Practices. We are required to abide by the terms of this notice as currently in effect.

“Protected Health Information” (PHI) means individually identifiable health information — including demographic information, your medical history, mental health records, test results, insurance information, and other information about you — that is created, received, or maintained by this practice.

This practice is a covered entity under HIPAA.

As a psychiatric practice, we are bound by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the HITECH Act, which impose strict requirements on how we handle your health information.

How We Use & Disclose Your Health Information

We use and disclose your PHI only as permitted or required by law. Common uses and disclosures include:

Treatment

We use your PHI to provide psychiatric services — including diagnosis, medication management, therapy, and coordination of care with other providers (such as your primary care physician or specialists). We may share your information with other treating providers when clinically appropriate.

Payment

We may share your PHI with your health insurer, billing service (including Headway), or other payers to obtain payment for services rendered. This may include sharing diagnosis codes, treatment notes, and other clinical information required by your insurance plan.

Healthcare Operations

We may use your PHI for administrative purposes such as quality improvement, compliance audits, and practice management. These uses are limited to what is necessary to operate the practice responsibly.

As Required by Law

We may disclose PHI when required by federal, state, or local law — including mandatory reporting of suspected abuse or neglect, responses to court orders or subpoenas, and public health reporting obligations.

Safety & Emergency Situations

When necessary to prevent a serious and imminent threat to your health or safety, or the health or safety of the public or another person, we may disclose PHI to those reasonably able to prevent or lessen such threat — including emergency personnel.

Mental Health Confidentiality (42 CFR Part 2)

Records related to substance use disorder treatment are protected under additional federal confidentiality regulations (42 CFR Part 2), which are more restrictive than HIPAA. Such records will not be disclosed without your express written consent except in limited emergency circumstances.

All other uses and disclosures of your PHI — including marketing, research, and sharing with family members — require your written authorization, which you may revoke at any time.

Your Rights Under HIPAA

You have the following rights regarding your Protected Health Information. To exercise any of these rights, please contact us in writing at Nicholas.Eddy@northwestpsychiatry.org.

  • Right to Access Your Records

    You have the right to inspect and request a copy of your medical records and have them transmitted to you or a designated third party. (45 CFR §164.524) We will respond within 30 calendar days (with one 30-day extension if needed). Under the HIPAA Right of Access Final Rule (effective April 2021), we may not charge a fee for electronic records provided through a certified portal — only cost-based fees apply for paper copies or alternative formats. You may also direct us to transmit your electronic PHI to a third party you designate (45 CFR §164.524(c)(3)). Psychotherapy notes (process notes maintained separately from the medical record) have heightened protection under 45 CFR §164.508(a)(2) and require separate written authorization to disclose.

  • Right to Request an Amendment

    If you believe your health information is inaccurate or incomplete, you may request an amendment. We may deny the request if the record is accurate or not created by this practice.

  • Right to an Accounting of Disclosures

    You may request a written list of certain disclosures of your PHI made by this practice over the past six years, excluding disclosures for treatment, payment, and routine health care operations. To submit a request, contact us in writing at the email address above. We will respond within 60 days. (45 CFR §164.528)

  • Right to Request Restrictions

    You may request that we restrict how we use or disclose your PHI for treatment, payment, or health care operations. We are not required to agree to most restrictions, but we must honor a request to not share your PHI with your health plan for a service you paid for entirely out of pocket. (45 CFR §164.522)

  • Right to Confidential Communications

    You may request that we communicate with you in a specific way or at a specific location (e.g., only contact you by email, or only at a certain phone number). We will accommodate reasonable requests.

  • Right to a Paper Copy of This Notice

    You may request a paper copy of this Notice at any time. To request a copy, email us at the address above.

Website & Online Privacy

This section describes how Northwest Psychiatry LLC collects and uses information when you visit northwestpsychiatry.org.

Information We Collect Automatically

When you visit our website, we may automatically collect technical data such as your IP address, browser type, operating system, referring URLs, and pages visited. This data is used solely for website security, performance monitoring, and analytics. It is not linked to your medical records.

Forms & Contact Submissions

If you submit a contact form, waitlist request, or pre-appointment check-in through this website, the information you provide is stored securely and used only to respond to your inquiry or prepare for your appointment. We do not sell or share form submissions with third parties for marketing purposes.

Cookies & Tracking

Our website may use essential cookies to maintain functionality (such as session state). We do not use third-party advertising cookies or tracking pixels. Analytics data, if collected, is used in aggregate and is not tied to your identity.

Third-Party Links

This site contains links to third-party platforms including Headway (scheduling and billing), Doxy.me (telehealth), Psychology Today, and others. Once you leave our website, this Privacy Policy no longer applies. We encourage you to review the privacy policies of any third-party services you use.

Telehealth & Platform Security

All telehealth appointments are conducted via Doxy.me, a HIPAA-compliant, encrypted video platform. No appointment recordings are made or retained.

Scheduling and insurance billing are handled through Headway, a HIPAA-compliant platform. By scheduling through Headway, you agree to Headway’s own Privacy Policy.

Electronic prescriptions are transmitted through HIPAA-compliant e-prescribing systems directly to your pharmacy. Prescription data is never transmitted via unencrypted channels.

Security practices

  • HTTPS/TLS encryption on all web traffic
  • End-to-end encrypted database storage with role-based access controls
  • Multi-factor authentication required for all portal access
  • Automatic session timeout (30 minutes) with inactivity warning
  • Brute-force protection with progressive lockout on failed sign-in attempts
  • Login alert emails sent to clients on each new sign-in
  • Regular security reviews and vulnerability assessments
  • Incident response procedures per HIPAA Breach Notification Rule and HITECH
  • Audit logging of all PHI access events within the client portal

HIPAA Security Rule (2024 Final Rule)

Northwest Psychiatry LLC maintains administrative, physical, and technical safeguards consistent with the HIPAA Security Rule and its 2024 amendments. This includes written security policies and procedures, documented risk analysis and risk management plans, workforce security training, and designated Security Officer oversight. Electronic PHI (ePHI) is protected at rest and in transit using industry-standard encryption. Access to ePHI is limited to authorized personnel through unique user identification and multi-factor authentication.

Business Associates & Third-Party Vendors

Under HIPAA and the HITECH Act, Northwest Psychiatry LLC is required to enter into a Business Associate Agreement (BAA) with any vendor or service provider that creates, receives, maintains, or transmits Protected Health Information (PHI) on our behalf.

We have executed — or are in the process of executing — BAAs with all applicable third-party service providers. These agreements contractually obligate our vendors to safeguard PHI in compliance with HIPAA and HITECH, use PHI only for permitted purposes, and report any breach or security incident to us promptly.

Headway

Scheduling, insurance verification, and billing. Headway is a HIPAA Business Associate and operates under a BAA with this practice. Client data shared with Headway is governed by Headway's own Privacy Policy and BAA.

Doxy.me

HIPAA-compliant telehealth video platform used for all virtual appointments. Doxy.me is a HIPAA Business Associate with a signed BAA on file.

Convex (Database Infrastructure)

Secure cloud database infrastructure used to power the client portal and practice management tools. PHI stored in Convex is protected under a BAA and encrypted at rest and in transit.

Myndlift (Neurofeedback)

Myndlift is a remote neurofeedback platform used for clients enrolled in our neurofeedback program. Relevant clinical data shared with Myndlift is governed by a BAA and Myndlift's privacy and security policies.

Email Communications

Email notifications (appointment reminders, portal alerts) are transmitted through a HIPAA-compliant transactional email service operating under a BAA. Sensitive clinical information is not transmitted via email; clients are directed to the secure portal for clinical communications.

We do not sell PHI to any third party. We do not share PHI with marketing platforms, data brokers, or social media networks.

Minimum Necessary Standard & Workforce Training

Minimum Necessary Standard

Under HIPAA, Northwest Psychiatry LLC is required to make reasonable efforts to limit the use and disclosure of Protected Health Information to the minimum amount necessary to accomplish the intended purpose.

In practice, this means we do not access, use, or share more of your health information than is needed to treat you, bill for services, or fulfill a legal obligation. Staff members are only granted access to PHI that is relevant to their job function.

  • Routine disclosures rely on standard limited data sets whenever feasible
  • Non-routine disclosures are reviewed individually to determine minimum scope
  • Staff access to PHI is role-based and limited to what is clinically necessary
  • We do not share entire medical records when a summary or partial record will suffice

Workforce Training & Accountability

All members of the Northwest Psychiatry LLC workforce who handle Protected Health Information receive training on HIPAA Privacy and Security Rules as a condition of their role. Training is conducted at onboarding and periodically thereafter.

Privacy & Security Training

All workforce members are trained on HIPAA Privacy Rule requirements, including permissible uses and disclosures, client rights, and how to respond to privacy requests. Security training covers safeguarding PHI in electronic systems.

Sanctions Policy

Workforce members who violate this Privacy Policy or HIPAA regulations are subject to disciplinary action up to and including termination. Intentional or malicious violations may be reported to law enforcement.

Privacy Officer

Nicholas Eddy, PMHNP-BC serves as the Privacy and Security Officer for Northwest Psychiatry LLC, responsible for developing and implementing policies, receiving complaints, and ensuring ongoing HIPAA compliance.

Breach Notification (HITECH)

The HITECH Act strengthened the HIPAA Breach Notification Rule, requiring covered entities to notify affected individuals and, in certain cases, the government and media, following a breach of unsecured PHI.

What constitutes a breach?

A breach is an impermissible use or disclosure of PHI that compromises the security or privacy of that information. Not every impermissible use qualifies as a reportable breach — we conduct a four-factor risk assessment to determine whether notification is required.

Individual notification

If a breach affects your PHI, we will notify you in writing (by first-class mail, or email if you have provided consent) within 60 calendar days of discovering the breach. The notification will include a description of the breach, the types of information involved, steps you can take to protect yourself, and actions we are taking.

HHS and media notification

Breaches affecting 500 or more individuals require notification to the U.S. Department of Health and Human Services (HHS) and, if affecting 500+ individuals in a single state, to prominent media outlets in that state. Smaller breaches are logged and reported to HHS annually.

Business Associate breaches

Our BAAs require all Business Associates to report any discovered breach or security incident to Northwest Psychiatry LLC without unreasonable delay and within 60 days of discovery, so that we can fulfill our notification obligations to you.

To report a suspected privacy or security incident, please contact us immediately at Nicholas.Eddy@northwestpsychiatry.org or call (360) 342-6445.

Minor Clients

Northwest Psychiatry LLC provides services to adolescent clients. For minor clients, a parent or legal guardian generally has the right to access the minor’s medical records. However, certain confidential services — as defined by Maine state law — may be accessed by a minor without parental consent, and the records for those services may be treated as confidential even from parents or guardians.

Under Maine Title 22 §1711-C (Maine’s medical privacy statute), minors may independently consent to — and have confidential records for — certain categories of care including mental health outpatient services, substance use treatment, family planning, and communicable disease treatment. Records for these services will not be disclosed to a parent or guardian without the minor’s consent, except as required by law (e.g., mandatory reporting of abuse or neglect, or an imminent threat to safety).

Specific questions about minor client privacy rights should be directed to our office.

Data Retention

Northwest Psychiatry LLC retains medical records and Protected Health Information in accordance with applicable federal and Maine state law.

Medical Records

Adult client records are retained for a minimum of seven (7) years from the date of the last client encounter, or longer if required by Maine state law or applicable regulations. Records for minor clients are retained until the client reaches age 18 plus seven years, or as otherwise required by law.

Client Portal & Electronic Data

Data stored in the client portal — including messages, mood tracking, and clinical forms — is retained for the same period as the underlying medical record. Inactive portal accounts are not automatically deleted.

Contact & Waitlist Submissions

General contact form submissions are retained for up to two (2) years or until the purpose for which they were collected has been fulfilled. Waitlist entries are retained until the client is scheduled, removed, or requests deletion.

Requesting Deletion

Clients may request deletion of non-clinical data (such as portal account data not required for legal or billing purposes) by contacting us in writing. We are not able to delete records that must be retained under HIPAA, Medicare/Medicaid regulations, or Maine state law.

Changes to This Notice

Northwest Psychiatry LLC reserves the right to change this Privacy Policy and Notice of Privacy Practices at any time. Changes will be effective upon posting to this page. The effective date at the top of this notice will be updated accordingly.

Material changes affecting your rights or how we use your PHI will be communicated to active clients by email or through the client portal.

Contact & Complaints

If you have questions about this notice or believe your privacy rights have been violated, please contact us:

Northwest Psychiatry LLC

Nicholas Eddy, PMHNP-BC, Privacy Contact

Right to File a Complaint

If you believe your privacy rights under HIPAA have been violated and are not satisfied with our response, you have the right to file a complaint with the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) at hhs.gov/hipaa/filing-a-complaint. You will not be retaliated against for filing a complaint.
