HIPAA Notice of Privacy Practices
Effective date: July 7, 2026
Who We Are
Green Wellness is a Washington State medical marijuana evaluation practice. We are a covered entity under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and are required by law to maintain the privacy of your protected health information (PHI), provide you with this Notice, and follow the terms of this Notice.
Our Legal Duties
We are required by law to maintain the privacy and security of your protected health information, to give you this Notice of our legal duties and privacy practices with respect to your health information, and to follow the terms of the Notice currently in effect. We are also required by law to notify you if a breach occurs that may have compromised the privacy or security of your unsecured health information.
How We Use and Disclose Your Health Information
We use and disclose health information about you for the following purposes:
- Treatment: To provide, coordinate, or manage your healthcare and related services, including sharing information with providers involved in your care.
- Appointment communications: To send appointment reminders, confirmations, and follow-up messages via email and SMS (with your consent).
- Health records: To create and maintain your medical evaluation records in our electronic health records system (Practice Fusion).
- Required by law: When required by federal, state, or local law, including reporting to Washington State Department of Health for medical marijuana authorization records.
- Business operations: For internal operations, quality improvement, and administrative purposes, subject to HIPAA limitations.
Uses and Disclosures That Require Your Written Authorization
Certain uses and disclosures of your health information will be made only with your written authorization. These include:
- Psychotherapy notes, in the limited situations where we maintain them.
- Marketing: Most uses or disclosures of your health information for marketing purposes.
- Sale of your health information: Any disclosure that would constitute a sale of your protected health information.
Any other use or disclosure not described in this Notice will be made only with your written authorization. If you give us an authorization, you may revoke it at any time, in writing, and we will stop the use or disclosure going forward, except to the extent we have already relied on it.
Your Rights Regarding Your Health Information
- Access: You have the right to inspect and obtain a copy of your health information.
- Correction: You may request that we correct inaccurate or incomplete information about you.
- Accounting of disclosures: You may request a list of certain disclosures we have made of your health information.
- Restriction: You may request restrictions on how we use or disclose your health information.
- Restrict disclosures for services you pay for out of pocket: If you pay for a service in full, out of pocket, you have the right to ask us not to disclose information about that service to a health plan for payment or health care operations, and we must honor that request unless the disclosure is otherwise required by law.
- Confidential communications: You may request that we communicate with you about health matters in a certain way or at a certain location.
- Revoke consent: You may revoke your consent to SMS communications at any time by contacting us.
Washington Consumer Health Data (My Health My Data Act)
If you are a Washington State resident, the Washington My Health My Data Act (RCW 19.373, effective March 31, 2024) gives you specific rights over “consumer health data” we collect through this website — including your right to access it, delete it, and withdraw consent. Because the Act requires a dedicated policy, those disclosures and rights now live in our separate Consumer Health Data Privacy Policy.
To exercise a My Health My Data Act right, email admin@greenwellness.org with the subject line “MHMDA Request” or call 1-888-885-9949. Full details, including our identity-verification and appeal process, are in the Consumer Health Data Privacy Policy.
Cookies and Analytics
When you first visit our site, a banner at the bottom of the page lets you choose how cookies are used. You can:
- Accept all — essential cookies, analytics cookies, and any future marketing cookies are enabled.
- Reject non-essential — only essential cookies run; no analytics or marketing data is collected by our third-party providers.
- Manage choices — opt in or out of analytics and marketing categories individually.
Essential cookies always run because the site cannot function without them. These are limited to: your authenticated session (if you have a patient or staff account), the CSRF token that protects form submissions, and the record of your cookie-consent choice itself. None of these are shared with third parties; none are used for advertising.
Analytics cookies (Google Analytics) are loaded only after you opt in, and are NEVER loaded on our condition-specific telehealth pages — even if you have opted in. This is a defense-in-depth measure that goes beyond what the law requires: HHS December 2022 and March 2024 tracking-technology guidance for HIPAA-covered entities flags condition-indexed URLs as a high-risk surface, and we have chosen to suppress analytics on that surface categorically.
You can change your cookie choice at any time by clicking “Cookie preferences” in the site footer. Your choice is stored in your browser; if you use a different browser or device, or if you clear your browser storage, you will be asked again on your next visit.
How We Protect Your Information
We implement physical, technical, and administrative safeguards to protect your health information, including encryption of data in transit and at rest, access controls, and annual HIPAA training for all staff. We require a signed Business Associate Agreement (BAA) before authorizing any vendor to store or process protected health information on our behalf.
Third-Party Service Providers
We share PHI with the following Business Associates under signed BAAs, solely as necessary to provide our services:
- Microsoft 365 — secure patient email
- Amazon Web Services (AWS Bedrock) — AI-assisted patient communications
- Vercel — application hosting and secure file storage
- Neon — encrypted database storage
- Doxy.me — telehealth video visits
- Retell AI — automated phone and voicemail handling
- Practice Fusion (Veradigm) — electronic health records
We do not authorize a vendor to store or process your protected health information without a signed BAA; service providers that decline to sign one (such as certain web-analytics tools) are not used to handle your PHI. We add and remove Business Associates as our services change.
Changes to This Notice
We reserve the right to change this Notice. We will post a revised Notice on our website and make it available upon request. Changes will apply to health information we already hold as well as information we receive in the future.
Contact Us / File a Complaint
To exercise your rights, report a privacy concern, or request a paper copy of this Notice, contact our Privacy Officer:
Green Wellness Privacy Officer
Phone: 1-888-885-9949
Email: admin@greenwellness.org
You also have the right to file a complaint with the U.S. Department of Health and Human Services Office for Civil Rights at hhs.gov/ocr. We will not retaliate against you for filing a complaint.