Note to Users
This notice is not the same as your health plan's Health Insurance Portability and Accountability Act of 1996 ("HIPAA") Notice of Privacy Practices, which describes in detail how your health plan uses and discloses your individually identifiable health information. Your health plan has its own Notice of Privacy Practices, which includes policies for use and disclosure of your information, including information that you provide to Lev Pediatrics. This is managed by your health plan, not by Lev Pediatrics, so we are not able to notify you of changes or updates. If you would like to read a copy of your health plan's Notice of Privacy Practices, please ask your provider for a copy.
The HIPAA Privacy Rule establishes national standards to protect individuals' medical records and other personal health information. It applies to health plans, health care clearinghouses, and health care providers that conduct certain health care transactions electronically. The Rule requires appropriate safeguards to protect the privacy of personal health information and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization. The Rule also gives patients rights over their health information, including the right to examine and obtain a copy of their health records and to request corrections. The Privacy Rule is located at 45 CFR Part 160 and Subparts A and E of Part 164.
The following is a summary of key elements of the Privacy Rule and not a complete or comprehensive guide to compliance. Entities regulated by the Rule are obligated to comply with all applicable requirements and should not rely on this summary as a source of legal information or advice.
What Information Is Protected
The Privacy Rule protects all "individually identifiable health information" held or transmitted by Lev Pediatrics or its business associates, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information "protected health information" (PHI). Individually identifiable health information is information, including demographic data, that relates to:
- The individual's past, present, or future physical or mental health or condition
- The provision of health care to the individual
- The past, present, or future payment for the provision of health care to the individual, and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual
Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number).
The Privacy Rule excludes from protected health information any employment records that Lev Pediatrics maintains in its capacity as an employer.
Basic Principle
A major purpose of the Privacy Rule is to define and limit the circumstances in which an individual's protected health information may be used or disclosed by Lev Pediatrics. Lev Pediatrics must not use or disclose protected health information, except either:
- As the Privacy Rule permits or requires
- As the individual who is the subject of the information (or the individual's personal representative) authorizes in writing
Required Disclosures
Lev Pediatrics must disclose protected health information in only two situations:
- To individuals (or their personal representatives) when they request access to, or an accounting of disclosures of, their protected health information
- To the U.S. Department of Health and Human Services (HHS) when it is undertaking a compliance investigation, compliance review, or enforcement action
Permitted Uses and Disclosures
Lev Pediatrics is permitted, but not required, to use and disclose protected health information without an individual's authorization for the following purposes:
- To the individual (unless required for access or accounting of disclosures)
- Treatment, payment, and health care operations
- Opportunity to agree or object
- Incident to an otherwise permitted use and disclosure
- Public interest and benefit activities
- Limited data set for the purposes of research, public health, or health care operations
Examples of HIPAA Violations
- Accessing health information of coworkers, family members, politicians, or celebrities
- Disposing of PHI in regular trash — all PHI material must be placed in a secure shredder
- Sharing patient information with unauthorized persons
- Telling friends or relatives about patients who use Lev Pediatrics services
Penalties for Non-Compliance
Non-compliance with HIPAA regulations can result in civil and criminal penalties.
Civil Penalties
| Violation Type | Penalty Range | Annual Maximum |
|---|---|---|
| Unknowing | $100 – $50,000 per violation | $25,000 |
| Reasonable Cause | $1,000 – $50,000 per violation | $100,000 |
| Willful Neglect (corrected) | $10,000 – $50,000 per violation | $250,000 |
| Willful Neglect (not corrected) | $50,000 per violation | $1,500,000 |
Criminal Penalties
The Department of Justice handles criminal violations of HIPAA. There are different levels of severity:
- Knowingly obtaining or disclosing individually identifiable health information: fine up to $50,000 and imprisonment up to 1 year
- Offenses committed under false pretenses: fine up to $100,000 and imprisonment up to 5 years
- Offenses committed with intent to sell, transfer, or use information for commercial advantage, personal gain, or malicious harm: fine up to $250,000 and imprisonment up to 10 years
Reporting Violations
If any employee observes another staff member misusing PHI, the incident must be reported to Lev Pediatrics management immediately.
Security Rule
HIPAA regulations also include a Security Rule. The Security Rule sets the standard to ensure the privacy of electronic protected health information (ePHI). Lev Pediatrics has implemented the requirements of the Rule and continually monitors and manages the required security controls.
Questions About HIPAA?
Contact our Privacy Officer at hello@levpediatrics.com or call (305) 834-4185.
Last updated: March 6, 2026