Privacy Practices for Health Information

Privacy Practices for Health Information

Public notice

This page explains the website, portal, and online-tool terms that apply when you use Simon Law Group's public and client-facing digital services.

Effective Date: 2026-05-04

About this notice

Simon Law Group, LLC ("SLG") is a New Jersey law firm. As a law firm, SLG is generally not a "covered entity" under the Health Insurance Portability and Accountability Act ("HIPAA"). However, in the course of representing clients in personal-injury, medical-malpractice, workers' compensation, disability, and similar matters, SLG routinely receives, stores, and transmits Protected Health Information ("PHI") under client authorizations and, in some matters, as a downstream business associate of a covered entity (e.g., a hospital, health plan, or healthcare provider).

This document describes the privacy practices SLG voluntarily applies to health information in our possession. It is not the statutory "Notice of Privacy Practices" required of covered entities under 45 C.F.R. § 164.520. Where SLG acts as a business associate under a Business Associate Agreement ("BAA"), the BAA controls. Where SLG holds health information under a client authorization, the authorization controls.

This document supplements our Privacy Policy, which controls in case of conflict.

1. Scope

This document applies whenever SLG holds health information about an individual, including:

  • medical records, billing records, treatment notes, imaging, and provider communications received in the course of representation;
  • expert medical reports and independent medical examinations;
  • health information conveyed by a client in the course of intake, communications, or proceedings; and
  • health information processed by our vendors on our behalf.

2. Uses and Disclosures Without Your Authorization

We may use or disclose PHI without further authorization to:

  • represent you in your matter, including communications with courts, opposing counsel, witnesses, experts, mediators, arbitrators, insurers, and co-counsel;
  • bill and collect for legal services;
  • comply with law, court order, lawful subpoena, or regulator demand;
  • avert a serious and imminent threat to health or safety;
  • report abuse, neglect, or domestic violence as required or permitted by law;
  • comply with the New Jersey Rules of Professional Conduct.

3. Uses and Disclosures Requiring Your Authorization

Other uses and disclosures of PHI — including marketing, sale of PHI, and most disclosures of psychotherapy notes — require your written authorization. You may revoke an authorization in writing, except to the extent we have already acted in reliance on it.

4. Your Rights

You have the right to:

  • Access and copy your PHI in our possession (with limited exceptions);
  • Request amendment of PHI you believe is inaccurate or incomplete;
  • Receive an accounting of certain disclosures we have made;
  • Request restriction on certain uses and disclosures (we will accommodate reasonable requests where required);
  • Request confidential communications at alternative locations or by alternative means;
  • Receive a paper copy of this Notice on request, even if you have agreed to electronic delivery; and
  • Complain to SLG or to the U.S. Department of Health and Human Services, Office for Civil Rights, without retaliation.

To exercise rights, contact our Privacy Officer (Section 8).

5. Breach Notification

If we discover a breach of unsecured PHI, we will notify you and, where required, the Department of Health and Human Services and the media, in accordance with the HIPAA Breach Notification Rule (45 C.F.R. Part 164 Subpart D), the New Jersey Identity Theft Prevention Act, and applicable state laws.

6. Vendors that may handle PHI

We use the following vendors to handle PHI under written agreements that include a HIPAA Business Associate Agreement where required:

  • Practice Penguin, LLC (software vendor, including SecureSign e-signature)
  • Google Workspace (Drive, Gmail, Calendar — under Google's BAA)
  • AFI.ai (Google Workspace backup)
  • Turso (database)
  • Render (hosting)
  • SendBlue (SMS/iMessage — limited PHI; do not send substantive medical detail by SMS)
  • OpenAI Realtime Voice (under enterprise terms with no-training and data-protection commitments)
  • SRFax (HIPAA-aligned fax)

A current BAA registry is available on request.

7. Substance-use-disorder records (42 C.F.R. Part 2)

Records relating to substance-use-disorder treatment from a Part 2 program receive heightened protection under 42 C.F.R. Part 2. SLG obtains specific written authorization compliant with Part 2 before requesting, receiving, or further disclosing such records, and includes a Part 2 redisclosure prohibition notice with any further disclosure.

8. Genetic information (GINA) and other heightened-protection categories

Where matter materials include genetic information protected by the Genetic Information Nondiscrimination Act, mental-health treatment notes, HIV/AIDS status, or other categories of information receiving heightened protection under federal or state law, SLG handles those records consistent with the more protective rule.

9. Changes to this Notice

We may change this Notice. The effective date will be updated and a copy will be available at https://www.simonattorneys.com/privacy/health-information and on request. We may apply changes to health information we already maintain, consistent with applicable law.

10. Contact / Privacy Officer

Privacy Officer: Christopher Tappan

Email: info@simonattorneys.com

Phone: (800) 709-1131

Address: 40 W. High St., Somerville, NJ 08876

To file a complaint with HHS: https://www.hhs.gov/ocr/complaints