Notice of Privacy Practices 

Last Updated April 2025 

Cortica is committed to protecting the privacy and confidentiality of medical, mental health, and personal information regarding you and your family. As a covered entity under the Health Insurance Portability and Accountability Act (HIPAA) and pursuant to applicable state laws (including California’s Confidentiality of Medical Information Act (“CMIA”)), we are required by law to: 

  1. Ensure the privacy of your Protected Health Information (“PHI”).

  2. Provide you with this Notice explaining our legal duties and privacy practices. 

  3. Inform you of your rights concerning your PHI, including how we may use and disclose it to other entities and persons. 

PHI refers to information that identifies you and relates to your past, present, or future physical or mental health or condition, the provision of health care to you, or payment for such health care. 

Your Rights

 You (or your personal representative) have the right to: 

  1. Acquire a copy of your paper or electronic medical record. 

  2. Request amendments (corrections) of your paper or electronic medical record if you believe it is incorrect or incomplete. 

  3. Request confidential communications (e.g., ask us to contact you in a specific way or at a specific location). 

  4. Ask us to limit the information we share (though we may not always be able to comply if the law permits or requires otherwise). 

  5. Obtain a list (accounting) of those with whom we’ve shared your information (for certain disclosures, excluding some routine or legally exempt ones). 

  6. Get a copy of this Notice at any time, either on paper or electronically. 

  7. Choose someone to act for you, if you have given someone medical power of attorney or if someone is your legal guardian. 

  8. File a complaint if you believe your privacy rights have been violated. We will not retaliate against you for filing a complaint. 

  9. Right to Breach Notification: If a breach of unsecured PHI occurs, we will notify you in writing in accordance with HIPAA and applicable state law. 

How We May Use and Disclose Health Information 

Below is a list of ways we may use and share your PHI without your written permission, consistent with HIPAA and state law requirements. Where state law is more protective, we will follow the more stringent requirement. 

  1. For Treatment: We may use PHI to provide medical, therapeutic, or other services and disclose PHI to doctors, therapists, nurses, technicians, or other Cortica personnel involved in your care or that of a family member (e.g., your children). 

  2. For Payment: We may use or disclose PHI to bill for treatments and services you receive and to collect payment from you, your insurance company, or another third party. 

  3. For Health Care Operations: We may use or disclose PHI for administrative, educational, quality assurance, and internal management activities. These operations include quality assessment, staff performance reviews, and training programs. 

  4. Business Associates: We may share PHI with our “business associates,” who must agree to protect PHI as required by HIPAA. Examples: billing services, IT support, consultants. 

  5. Appointment Reminders: We may use your PHI to remind you of upcoming appointments or follow-up care. Methods can include emails, SMS (text), phone calls, or other messaging services. Message/data rates may apply for SMS; reply STOP to opt out, or HELP for assistance. 

  6. Research: Cortica may participate in research studies, but we will obtain your authorization or ensure an appropriate waiver by an Institutional Review Board (IRB) unless HIPAA permits otherwise (e.g., preparatory research). All research projects involving patient data undergo an approval process to ensure privacy safeguards. We will only disclose the minimum necessary PHI. 

  7. As Required by Law: We will disclose PHI when federal or state law requires it, such as reporting abuse or neglect, responding to court orders, or fulfilling public health obligations. 

  8. Public Health and Safety: We may disclose PHI to avert a serious threat to the health or safety of you, another person, or the public. We may disclose PHI to report communicable diseases, vital events (births, deaths), or to notify a person exposed to a disease.

  9. Workers’ Compensation, Law Enforcement, and Other Government Requests: 

    1. Workers’ Compensation: We may disclose PHI for workers’ compensation or similar programs. 

    2. Law Enforcement: We may disclose PHI to law enforcement as permitted by law or in compliance with a subpoena, court order, or similar process. 

    3. Government Functions: We may disclose PHI for specialized government functions, like military or national security operations. 

  10. Lawsuits and Disputes: We may disclose PHI in response to a court order or administrative order, subpoena, discovery request, or other lawful processes, provided that certain legal requirements are met. 

  11. Psychotherapy Notes: Psychotherapy notes have additional protections under HIPAA. Most uses or disclosures of such notes (beyond treatment, payment, or health care operations) require your written authorization.

  12. Sale of PHI and Marketing: We do not sell your PHI. We do not share PHI for cross-context behavioral advertising.

  13. Other Uses and Disclosures: For any use or disclosure not described in this Notice, we will obtain your written authorization. You may revoke such an authorization at any time in writing, but revocation will not affect any information already disclosed in reliance on your prior authorization. 

Your Choices 

In certain circumstances, you have additional privacy choices. For instance, you can request restrictions on disclosure to a health plan if you have paid in full out-of-pocket for a specific health service. We may honor or decline your request depending on the circumstances, but if we agree, we will comply unless disclosure is otherwise required by law.

State-Specific Provisions

Because we operate in California:

  • California Confidentiality of Medical Information Act (CMIA) may provide additional protections or require additional written authorizations for certain disclosures of PHI. We comply with CMIA where it imposes stricter requirements than HIPAA. 

  • CCPA/CPRA: Protected Health Information (PHI) used or disclosed by a HIPAA-covered entity is generally exempt from the CCPA/CPRA. However, any personal information we collect that is not PHI may be subject to these California privacy laws. For more information on how we handle non-PHI personal information, please see our Privacy Notice at: https://www.corticacare.com/privacy-policy. 

Changes to Cortica’s Privacy Practices 

We reserve the right to modify or amend this Notice at any time. The revised Notice will apply to all PHI we maintain, even if it was obtained before the changes. You may request a copy of our current Notice at any time. The “Effective Date” at the top indicates when this Notice was last revised.

Complaints or Questions

If you believe your privacy rights have been violated, you may contact us or file a complaint with the Secretary of the U.S. Department of Health and Human Services:

  • Cortica: privacy@corticacare.com 

  • U.S. Department of Health and Human Services: 200 Independence Avenue, S.W., Washington, D.C. 20201; (877) 696-6775; or visit www.hhs.gov/ocr/privacy

We will not retaliate against you for filing a complaint or exercising any of your HIPAA rights.

Contact Information

For questions about this Notice or for more information on our privacy practices, please contact:

Email: privacy@corticacare.com 

-or- 

Privacy Officer 

Cortica, Inc.

6160 Cornerstone Court East, Suite 100

San Diego, CA 92121

End of Notice