Notice of Privacy Practices
Notice of Privacy Practices of Four Oaks Family and Children’s Services
Revised February 2026
THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION.
PLEASE REVIEW THIS INFORMATION CAREFULLY
If you have questions about this notice, please contact Four Oaks’ Privacy Officer at 319-364-0259, by email at drocca@fouroaks.org, or in writing at 5400 Kirkwood Boulevard SW, Cedar Rapids, Iowa 52404.
Who will follow this notice
This notice describes the privacy practices of Four Oaks. All of our staff may have access to information in your chart for treatment, payment and health care operations, which are described below, and may use and disclose information as described in this Notice. This Notice also applies to any volunteer or trainee we allow to help you while seeking services from us.
Our pledge regarding the privacy of your medical information
Your medical information includes information about your physical and mental health. We understand that information about your physical and mental health is personal. We are committed to protecting medical information about you. We create a record of the care and services you receive from us. We need this record to provide you with quality care and services and to comply with certain legal requirements. This notice applies to any and all of the records of your care generated by us. This notice will tell you about the ways in which we may use and disclose medical information about you. We also describe your rights and certain obligations we have regarding the use and disclosure of medical information.
This notice is provided in compliance with federal law and applicable Iowa law. Where Iowa law is more stringent than federal law, we will follow the more stringent laws.
Our obligations to you
We are required by law to:
- make sure that medical information that identifies you is kept private except as otherwise provided by state or federal law;
- give you this notice of our legal duties and privacy practices with respect to medical information about you;
- follow the terms of the notice that is currently in effect; and
- inform you of any unauthorized access, use or disclosure of your unencrypted confidential information in the event its security or privacy is compromised (i.e., in the event that a reportable breach occurs as provided by federal law). If a breach of unsecured protected health information occurs, we will notify you without unreasonable delay and in no case later than sixty (60) calendar days after we discover the breach.
How we may use and disclose medical information about you
The following categories describe different ways that we may use and disclose medical information. For each category of uses or disclosures, we will explain what we mean and try to give some examples. Not every use or disclosure in a category will be listed. This notice covers treatment, payment, and what are called health care operations, as discussed below. It also covers other uses and disclosures for which a consent or authorization is not necessary.
Potential for Redisclosure. Information that we disclose pursuant to this Notice may be subject to redisclosure by the recipient and may no longer be protected by federal privacy regulations.
For Treatment: We may use medical information about you to provide you with medical treatment or services without consent or authorization unless otherwise required by applicable state law. We may disclose medical information about you to doctors, pharmacists, laboratories, or other health care providers, or case managers, case coordinators, or other service providers who are involved in taking care of you, whether or not they are affiliated with us.
For example, we may disclose medical information concerning you to Mercy Hospital or St. Luke’s Hospital, or physicians or counselors who care for you, as well as to any other entity or health care provider that has provided or will provide care to you. During the course of your treatment, we may refer you to other health care providers with whom you may not have direct contact. These providers are called “indirect treatment providers.” “Indirect treatment providers” are required to comply with the privacy requirements of state and federal law and keep your medical information confidential. These providers will be bound by the HIPAA privacy rule.
Additional examples of how we may use information for treatment purposes include:
Appointment Reminders: We may use and disclose medical information to contact you by mail, email, or phone to remind you that you have an appointment for treatment, unless you tell us otherwise in writing.
Treatment Alternatives: We may use and disclose medical information to tell you about or recommend possible treatment options or alternatives that may be of interest to you. However, we will not use or disclose medical information to market other products and services, either ours or those of third parties, without your authorization.
Health-Related Benefits and Services: We may use and disclose medical information to tell you about health-related benefits or services that may be of interest to you.
For Payment: We may use and disclose medical information about you without consent or authorization so that the treatment and services you receive from us may be billed to and payment may be collected from you, an insurance company, or a third party. For example, we may need to give your health plan information about treatment received so your health plan will pay us or reimburse you for the treatment unless you agree to pay in full for the treatment received, as described under “Right to Request Restrictions,” below. Unless you agree to pay for the treatment in full, we may also tell your payer about a treatment you are going to receive to obtain prior approval or to determine whether your plan will cover the treatment.
For Health Care Operations: We may use and disclose medical information about you without consent or authorization for “health care operations”. These uses and disclosures are necessary to operate Four Oaks and make sure that all individuals receive quality care.
For example, we may use medical information or mental health treatment information to review our treatment and services and to evaluate the performance of our staff in caring for you. We may also disclose your protected health information to doctors, staff, or consultants for review and learning purposes. We may also use your protected health information in preparing for litigation. We may use artificial intelligence (AI) tools as part of health care operations, subject to the same privacy protections described herein.
How else we use or share your information without a written authorization
To Business Associates: Four Oaks, from time to time, will hire consultants called “business associates,” who render services to us using clients’ medical information. We may disclose your medical information to such business associates without your consent or authorization. Business associates are required to maintain and comply with the privacy requirements of state and federal law and keep your medical information confidential. Examples of “business associates” are accounting firms that we hire to perform audits of billing and payment information, and computer software vendors who assist us in maintaining and processing medical information.
Individuals Involved in Your Care or Payment for Your Care: We may release medical information, including mental health information, about you to a family member who is involved in your medical care. We may also give medical information, including prescription information or information concerning your appointments, to other individuals who are involved in your care. We may also give such information to someone who helps pay for your care. In addition, we may disclose medical information about you to an entity assisting in a disaster relief effort so that your family can be notified about your condition, status, and location. If Iowa law requires specific authorization for such disclosures, we will obtain an authorization from you prior to such disclosures.
As Required by Law: We will disclose medical information about you when required to do so by federal, state, or local law without your consent or authorization. Where another law is more protective of your medical information than HIPAA, we will follow the more stringent law.
Public Health Risks: We may disclose medical information about you for public health activities without your consent or authorization. These activities generally include the following:
• to prevent or control disease, injury, or disability;
• to report reactions to medications or problems with products;
• to notify people of recalls of products they may be using;
• to notify a person who may have been exposed to a disease or may be at risk for contracting or spreading a disease or condition;
Victims of abuse, neglect, or domestic violence: We may notify the appropriate government authority if we believe an individual has been the victim of abuse, neglect, or domestic violence. We will only make this disclosure if you agree or when required or authorized by law.
Health Oversight Activities: We may disclose medical information to a health oversight agency, such as the Department of Health and Human Services, for activities authorized by law. These oversight activities include, for example, audits, investigations, inspections, and licensure. These activities are necessary for the government to monitor the health care system, government programs, and compliance with civil rights laws.
Lawsuits and Administrative Proceedings: If you are involved in a lawsuit or dispute as a party, we may disclose medical information about you in response to a court or administrative order. We may also disclose medical information about you in response to a subpoena, discovery request, or other lawful process by someone else involved in the dispute. Similarly, we may disclose medical information about you in proceedings where you are not a party, but only if efforts have been made to tell you or your attorney about the request or to obtain an order protecting the information requested. In addition, we may disclose medical information, including mental health treatment information, to the opposing party in any lawsuit or administrative proceeding where you have put your physical or mental condition at issue if you have signed a valid authorization.
Law Enforcement: We may release medical information if asked to do so by a law enforcement official:
• in response to a court order, subpoena, warrant, summons, or similar process;
• to identify or locate a suspect, fugitive, material witness, or missing person;
• about the victim of a crime if, under certain limited circumstances, we are unable to obtain the person’s agreement;
• about a death we believe may be the result of criminal conduct;
• about criminal conduct at Four Oaks; and
• in emergency circumstances to report a crime; the location of the crime or victims; or the identity, description, or location of the person who committed the crime.
Coroners, Medical Examiners, and Funeral Directors: We may release medical information to a coroner or medical examiner. This may be necessary, for example, to identify a deceased person or determine the cause of death.
To Avert a Serious Threat to Health or Safety: We may disclose medical information about you when necessary to prevent a serious threat to your health and safety or the health and safety of the public or another person. Any disclosure, however, would only be to someone able to help prevent the threat.
Military and Veterans: If you are a member of the armed forces, we may release medical information about you as required by military command authorities and as otherwise permitted by state and federal law. We may also release medical information about foreign military personnel to the appropriate foreign military authority.
National Security and Intelligence Activities: We may release medical information about you to authorized federal officials for intelligence, counterintelligence, and other national security activities authorized by law.
Protective Services for the President and Others: We may disclose medical information about you to authorized federal officials so they may provide protection to the President, other authorized persons, or foreign heads of state or conduct special investigations.
Inmates: If you are an inmate of a correctional institution or under the custody of a law enforcement official, we may release medical information about you to the correctional institution or law enforcement official. This release would be necessary (1) for the institution to provide you with health care; (2) to protect your health and safety or the health and safety of others; or (3) for the safety and security of the correctional institution.
Workers’ Compensation: We may release medical information about you for workers’ compensation or similar programs without consent or authorization. These programs provide benefits for work-related injuries or illnesses. For example, if you are injured on the job, we may release information regarding that specific injury.
We will obtain your authorization for uses and disclosures of your health information that are not described above.
How we may use and disclose medical information about you with authorization
Your rights regarding medical information about you
You or your personal representative have the following rights regarding medical information we maintain about you (when we say “you,” this also means your personal representative, which may be your parent or legal guardian or other individual who is authorized to care for you):
Right to Inspect and Copy.
You have the right to inspect and copy medical information that may be used to make decisions about your care. If we maintain your records electronically, you have the right to request an electronic copy of your protected health information in a form and format you request if it is readily producible, or in a readable electronic form and format as agreed to by you and Four Oaks.
You may also direct us to transmit a copy of your protected health information directly to another person you designate, provided your request is in writing, signed by you, and clearly identifies the designated recipient and where to send the information. If you wish to be provided a copy of medical information that may be used to make decisions about you, you must submit your request in writing to the Privacy Officer at Four Oaks. If you request a copy of the information, we may charge a reasonable cost-based fee for labor, supplies, and postage.
We may deny your request to inspect and/or obtain a copy in certain very limited circumstances. Under Iowa law, you have the right to inspect and copy your mental health records, except that a mental health professional may deny access if the professional determines that disclosure would be detrimental to your health. If access is denied on this basis, we will inform you of the reason for the denial and your right to seek review. If you are denied access to medical information, you may request that the denial be reviewed in certain circumstances; ask us how to do this.
Right to Request an Amendment.
If you feel that the medical information we have about you is incorrect or incomplete, you may ask us to amend the information. You have the right to request an amendment for as long as the information is kept by or for us. To request an amendment, your request must be made in writing and submitted to the Privacy Officer at Four Oaks. In addition, you must provide a reason that supports your request. We may deny your request for an amendment if it is not in writing or does not include a reason to support the request. In addition, we may deny your request if you ask us to amend information that:
• was not created by us, unless the person or entity that created the information is no longer available to make that amendment;
• is not part of the medical information kept by us;
• is not part of the information which you would be permitted to inspect and copy; or
• is accurate and complete.
Right to an Accounting of Disclosures.
You have the right to request an “accounting of disclosures,” with some limitations. This is a list of certain disclosures we made of medical information about you. The accounting does not include all disclosures made. To request an accounting of disclosures, you must submit your request in writing to the Privacy Officer at Four Oaks. Your request must state a time period, which may not be longer than six years prior to the date of the request (or three years for disclosures made through an electronic health record, as required by the HITECH Act). We will provide the accounting to you in writing, on paper, or electronically. The first accounting you request within any 12-month period will be provided free of charge. For additional requests within the same 12-month period, we may charge you a reasonable, cost-based fee. We will notify you of the cost involved in advance, and you may choose to withdraw or modify your request before any costs are incurred.
Electronic Health Records. If we maintain your protected health information in an electronic health record, you may be entitled to receive an accounting of disclosures made for treatment, payment, and health care operations through the electronic health record for the three years prior to the date of your request, as required by the HITECH Act. We will update our practices as additional regulations are issued to implement the HITECH Act’s accounting requirements.
Right to Request Restrictions.
You have the right to request a restriction or limitation on the medical information we use or disclose about you for treatment, payment, or health care operations. You also have the right to request a limit on the medical information we disclose about you to someone who is involved in your care or the payment for your care, like a family member or friend. However, you will need to make alternative arrangements for payment if you restrict the access of individuals responsible for the payment of your care.
We are not required to agree to your request unless the disclosure is to a health plan or other payer for purposes of carrying out payment or health care operations, and you have paid for the services in full yourself, out-of-pocket. For all other requests for restrictions, if we do agree, we will comply with your request unless the information is needed to provide you with emergency treatment. To request restrictions, you must make your request in writing to the Privacy Officer at Four Oaks. In your request, you must tell us (1) what information you want to limit; (2) whether you want to limit our use, disclosure, or both; and (3) to whom you want the limits to apply, for example, disclosures to your spouse.
Right to Request Confidential Communications.
You have the right to request that we communicate with you about medical matters in a certain way or at a certain location. For example, you can ask that we only contact you at work or by mail. To request confidential communications, you must make your request in writing to the Privacy Officer at Four Oaks. We will not ask the reason for your request. We will accommodate all reasonable requests. Your request must specify how or where you wish to be contacted.
Right to a Paper Copy of This Notice.
You have the right to a paper copy of this notice. You may ask us to give you a copy of this notice at any time. Even if you have agreed to receive this notice electronically, you are still entitled to a paper copy of this notice. You may obtain a copy of this notice at our website.
Changes to this notice
Complaints
If you believe your privacy rights have been violated, you may file a complaint with us or with the Secretary of the Department of Health and Human Services. To file a complaint with us, submit your complaint in writing to the Privacy Officer at Four Oaks, 5400 Kirkwood Boulevard SW, Cedar Rapids, Iowa 52404, or by calling 319-364-0259. To file a complaint with the Secretary of the Department of Health and Human Services, you may write to: Office for Civil Rights, U.S. Department of Health and Human Services, 200 Independence Avenue, S.W., Washington, D.C. 20201, call 1-877-696-6775, or visit www.hhs.gov/ocr/privacy/hipaa/complaints/.
You will not be retaliated against for filing a complaint.
Other uses of medical information
Other uses and disclosures of medical information not covered by this notice or the laws that apply to us will be made only with your written permission, as set out in an authorization signed by you.
In the case of fundraising, we may contact you for fundraising efforts, but you can tell us not to contact you again.