Privacy Policy & HIPAA Notice of Privacy Practices
Swan Primary Care (“Swan Primary Care,” “we,” “us,” or “our”) is committed to protecting the privacy of our patients, website visitors, and any individuals who interact with our digital and offline services. This combined Privacy Policy and HIPAA Notice of Privacy Practices explains how we collect, use, share, disclose, and protect information obtained through our website at swanprimarycare.com (the “Site”), our text messaging programs, our online forms, our patient communications, and our in-office services.
By accessing the Site, submitting information through any of our forms, opting in to text messaging, or otherwise interacting with Swan Primary Care, you acknowledge that you have read and understood this Privacy Policy.
Website Privacy Policy
1. Information We Collect
We collect information in three primary ways: (a) information you provide directly to us, (b) information collected automatically when you use the Site, and (c) information from third-party sources.
When you contact us, request an appointment, complete a contact or intake form, opt in to SMS communications, pay online, or otherwise communicate with us, we may collect:
- Identifiers — full name, date of birth, mailing address, email address, and telephone (mobile) number.
- Health-related information — reason for visit, symptoms, medical history, insurance details, prescription details, and any other protected health information (PHI) you choose to share. PHI is governed by Part 2 (HIPAA Notice of Privacy Practices) below.
- Insurance and billing information — insurance carrier, policy and group numbers, subscriber information, and (for online payments) payment card details processed by our PCI-compliant payment processor.
- Communication preferences — including your consent to receive SMS text messages, email newsletters, or appointment reminders.
- Correspondence — content of emails, forms, voicemails, chat messages, and other communications you send to us.
When you visit the Site, certain information is collected automatically through cookies, pixels, server logs, and similar technologies:
- Device and browser data — IP address, browser type and version, operating system, device identifiers, and screen resolution.
- Usage data — pages viewed, links clicked, time spent on pages, referring URL, search queries that brought you to the Site, and approximate geographic location derived from IP.
- Cookies and tracking technologies — including strictly necessary cookies, analytics cookies (e.g., Google Analytics / Google Tag Manager), and performance cookies. You may turn off non-essential cookies through your browser settings.
We may receive information about you from third parties, including referring physicians, insurance carriers, laboratories, hospitals, scheduling platforms (e.g., Zocdoc), our patient portal vendor, and our SMS/voice provider (RingCentral). This information is used to provide care, verify coverage, schedule appointments, and communicate with you.
2. How We Use Your Information
We use the information described above for the following purposes:
- To provide, schedule, and coordinate medical care, including telemedicine and in-office visits.
- To verify insurance eligibility, process payments, and bill for services rendered.
- To send appointment reminders, follow-up messages, lab results notifications, and care-related communications by phone, email, or SMS where you have provided the appropriate consent.
- To respond to inquiries submitted through contact forms, email, or telephone.
- To operate, maintain, secure, and improve the Site, including diagnosing technical problems and analyzing aggregate usage.
- To comply with applicable federal and state laws, including HIPAA, HITECH, and other healthcare regulations.
- To detect, prevent, and respond to fraud, security incidents, or unlawful activity.
- With your express written authorization, for any other purpose disclosed at the time of collection.
We do not use your information for behavioral advertising, and we do not sell your personal information.
3. How We Share Your Information
Swan Primary Care does not sell, rent, or trade your personal information. We share information only as described below and only to the extent necessary:
- Healthcare providers and business associates — with physicians, specialists, laboratories, pharmacies, hospitals, and other clinical partners involved in your care. HIPAA-compliant agreements bind all business associates.
- Service providers and vendors — with vendors that support our operations, such as our electronic health record (EHR) provider, scheduling platform, payment processor, IT and hosting providers, email/SMS communication providers (RingCentral), and analytics providers. These vendors are contractually obligated to protect your information and to use it only for the purposes we authorize.
- Insurance and payment partners — with your health plan, third-party administrators, and collection agencies (where necessary) to process claims and obtain payment.
- Legal and regulatory disclosures — when required by law, court order, subpoena, or in response to lawful requests by public authorities, including for public health, law enforcement, and national security purposes as described in Part 2.
- Business transfers — in the event of a merger, acquisition, reorganization, or sale of assets, your information may be transferred as part of that transaction, subject to the same protections described in this policy.
- With your consent, any other sharing not described in this policy will only occur with your prior written authorization.
SMS opt-in and phone numbers collected for SMS communication purposes will not be shared with any third party or affiliates for marketing purposes.
This disclosure is provided in compliance with messaging-platform requirements. Mobile phone numbers and SMS consent records are used solely to deliver messages you have opted in to receive (such as appointment reminders) and are shared only with the SMS service provider that transmits them on our behalf. They are never sold, rented, or shared with third parties or affiliates for marketing or promotional purposes.
4. SMS / Text Messaging Communications
Swan Primary Care offers SMS text messaging to support patient communications, including appointment reminders. Participation in our SMS program is entirely voluntary.
By opting in to SMS through any web form or other medium offered by Swan Primary Care, you acknowledge and agree to the following:
By opting into SMS from a web form or other medium, you are agreeing to receive SMS messages from Swan Primary Care. This includes SMS messages for Appointment Reminders. Message frequency varies. Message and data rates may apply. See privacy policy. Message HELP for help. Reply STOP to any message to opt out.
- Appointment reminders, confirmations, and rescheduling notifications.
- Care-related follow-ups initiated by your provider or the practice (where you have consented).
- Operational messages such as office closures or important practice updates.
- We will not send marketing or promotional SMS messages without separate, explicit consent.
- Message frequency varies based on your appointments and care needs.
- Message and data rates may apply, depending on your wireless carrier plan.
- Reply HELP at any time to receive assistance, or contact us at (630) 931-2929.
- Reply STOP to any message at any time to immediately opt out. Once you opt out, you will no longer receive SMS messages from us, although you may continue to receive transactional communications through other channels (phone or email) where applicable.
Carriers (including but not limited to AT&T, Verizon, T-Mobile, and Sprint) are not liable for delayed or undelivered messages.
5. Cookies, Analytics, and Tracking Technologies
The Site uses cookies and similar technologies to operate properly and to understand how visitors interact with our content.
- Strictly necessary cookies are required for core website functionality (such as page navigation and form submission) and cannot be disabled.
- Analytics cookies (e.g., Google Analytics, Google Tag Manager) help us understand aggregate Site usage so we can improve content and performance.
- Third-party platform cookies may be set by embedded services such as Zocdoc booking, Google Maps, or social media buttons.
You can control or turn off cookies through your browser settings. Turning off certain cookies may affect Site functionality. We honor browser-based “Do Not Track” signals where technically feasible.
6. Third-Party Links and Services
The Site may include links to third-party websites and services (for example, our online scheduling provider, online payment portal, social media pages, and Google Maps). This Privacy Policy does not apply to those third-party sites. We encourage you to review their privacy policies before submitting any information.
7. Data Security
Swan Primary Care implements administrative, physical, and technical safeguards designed to protect your information against unauthorized access, disclosure, alteration, or destruction. These safeguards include encryption in transit, access controls, workforce training, secure hosting, and HIPAA-compliant business associate agreements with our vendors. However, no method of transmission over the Internet or electronic storage is completely secure, and we cannot guarantee absolute security.
8. Data Retention
We retain personal information and PHI for the period required to provide services, comply with our legal obligations (including federal and Illinois state medical record retention laws), resolve disputes, and enforce our agreements. When information is no longer required, it is securely destroyed or de-identified.
9. Your Rights and Choices
Subject to applicable law and the HIPAA provisions in Part 2, you may:
- Request access to, or copies of, the personal information we hold about you.
- Request correction of inaccurate or incomplete information.
- Request restrictions on certain uses or disclosures of your information.
- Withdraw consent for SMS messaging at any time by replying STOP.
- Unsubscribe from email communications using the unsubscribe link in any marketing email.
- File a complaint regarding our privacy practices, as described in Part 2.
To exercise any of these rights, please contact our Privacy Officer using the information at the end of this policy.
10. Children's Privacy
The Site is not directed to children under 13, and we do not knowingly collect personal information online from children under 13 without verifiable parental consent. We do, of course, provide medical care to minor patients in compliance with applicable law; in those cases, information is collected directly from the patient's parent or legal guardian during the in-office or telemedicine intake process. If you believe a child has provided us with personal information through the Site without parental consent, please contact our Privacy Officer so we can delete it.
11. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. The "Last Updated" date at the top of this policy will indicate when changes were made. Material changes will be communicated by posting a prominent notice on the Site or by other appropriate means.
12. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact:
Swan Primary Care
HIPAA Notice of Privacy Practices
THIS NOTICE DESCRIBES HOW HEALTH INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED, HOW YOU CAN GET ACCESS TO THIS INFORMATION, YOUR RIGHTS CONCERNING YOUR HEALTH INFORMATION, AND OUR RESPONSIBILITIES TO PROTECT YOUR HEALTH INFORMATION. PLEASE REVIEW IT CAREFULLY.
State and Federal laws require us to maintain the privacy of your health information and to inform you about our privacy practices by providing you with this Notice. We are required to abide by the terms of this Notice of Privacy Practices. This Notice was effective on 01/01/2023 and will remain in effect until it is amended or replaced by us.
We reserve the right to change our privacy practices, provided the law permits the changes. Before we make a significant change, this Notice will be amended to reflect the changes, and we will make the new Notice available upon request. We reserve the right to make any changes to our privacy practices and to the new terms of our Notice, effective for all health information maintained, created, and/or received by us before the date the changes were made.
You may request a copy of our Privacy Notice at any time. Information on how to contact us can be found at the end of this Notice.
Permitted Uses and Disclosures of Health Information
We will keep your health information confidential and use or disclose it only for the purposes described below.
Treatment
While we provide you with health care services, we may share your protected health information (PHI), including electronic protected health information (ePHI), with other health care providers, business associates, and their subcontractors, or with individuals involved in your treatment, billing, administrative support, or data analysis. These business associates and subcontractors are required by Federal law and signed contracts to protect your health information. We have established "minimum necessary" or "need to know" standards that limit staff access to your health information according to job function. All staff are required to sign a confidentiality statement.
Payment
We may use and disclose your health information to seek payment for services we provide to you. This involves our business office staff and may include insurance organizations, collection agencies, or other third parties responsible for such costs, including family members.
Disclosure
We may disclose and/or share PHI, including electronic disclosure, with other health care professionals who provide treatment or service to you. These professionals will have a privacy and confidentiality policy similar to ours. Your information may also be disclosed to your family, friends, or other persons you choose to involve in your care, only if you agree we may do so. As of March 26, 2013, immunization records for students may be released without authorization (limited to proof of immunization). If an individual is deceased, PHI may be disclosed to a family member or person involved in care or payment before death. Psychotherapy notes will not be used or disclosed without your written authorization. The Genetic Information Nondiscrimination Act (GINA) prohibits health plans from using or disclosing genetic information for underwriting purposes. Uses and disclosures not described in this Notice will be made only with your signed authorization.
Right to an Accounting of Disclosures
You have the right to request an "accounting of disclosures" of your PHI for disclosures made for purposes other than treatment, payment, or business operations. Under the HITECH Act, you may request a copy of your health information in electronic form if we store your information electronically. Disclosures can be requested for the 6 years preceding your request, and for electronic health information, the 3 years preceding the date the accounting is requested. If we are unable to provide an electronic format, a readable hard copy will be provided. To request this list, submit your request in writing to our Privacy Officer.
Right to Request Restriction of PHI
If you pay in full out of pocket for your treatment, you can instruct us not to share information about that treatment with your health plan, unless the disclosure is required by law. Effective March 26, 2013, the Omnibus Rule restricts a provider's refusal of an individual's request not to disclose PHI.
Non-Routine Disclosures
You have the right to receive a list of non-routine disclosures we have made of your health information. You can request non-routine disclosures going back 6 years, starting on April 14, 2003.
Emergencies
We may use or disclose your health information to notify, or assist in the notification of, a family member or anyone responsible for your care in case of an emergency involving your care, location, general condition, or death. If possible, we will provide you with an opportunity to object. Under emergency conditions or if you are incapacitated, we will use professional judgment to disclose only that information directly relevant to your care. We will also use our judgment to allow someone to pick up filled prescriptions, x-rays, or similar items unless you have advised us otherwise.
Healthcare Operations
We will use and disclose your health information to keep our practice operable. Personnel who may have access include, but are not limited to, our medical records staff, insurance operations staff, health care clearinghouses, and individuals performing similar activities.
Required by Law
We may use or disclose your health information when required by law (e.g., court or administrative orders, subpoenas, discovery requests, or other lawful process). We will use and disclose your information when requested by national security, intelligence, and other state and federal officials, and/or if you are an inmate or otherwise under the custody of law enforcement.
National Security
The health information of Armed Forces personnel may be disclosed to military authorities under certain circumstances. If the information is required for lawful intelligence, counterintelligence, or other national security activities, we may disclose it to authorized federal officials.
Abuse or Neglect
We may disclose your health information to appropriate authorities if we reasonably believe you are a possible victim of abuse, neglect, domestic violence, or other crimes. This information will be disclosed only to the extent necessary to prevent a serious threat to your health or safety or that of others.
Public Health Responsibilities
We will disclose your health information to report problems with products, reactions to medications, product recalls, and exposure to diseases/infections, and to prevent and control disease, injury, and/or disability.
Marketing Health-Related Services
We will not use your health information for marketing purposes unless we have your written authorization to do so. Effective March 26, 2013, we are required to obtain authorization for marketing if we make a communication about a product or service and receive financial remuneration in exchange. No authorization is required for face-to-face communication or for promotional gifts.
Fundraising
We may use certain information (name, address, telephone number, email, age, date of birth, gender, health insurance status, dates of service, department of service, treating physician, or outcome) to contact you for fundraising purposes. You will have the right to opt out with each solicitation. Effective March 26, 2013, PHI requiring written patient authorization before fundraising includes diagnosis, nature of services, and treatment. If you opt out, we are prohibited from making fundraising communications to you under the HIPAA Privacy Rule.
Sale of PHI
We are prohibited from disclosing PHI without an authorization if it constitutes remuneration. "Sale of PHI" does not include disclosures for public health, certain research purposes, treatment and payment, and other purposes permitted by the Privacy Rule, where the only remuneration received is a reasonable cost-based fee or a fee otherwise expressly permitted by law. Corporate transactions (sales, transfers, mergers, and consolidations) are also excluded from the definition of "sale."
Appointment Reminders
We may use your health records to remind you of recommended services, treatment, or scheduled appointments. Reminders may be delivered by phone, email, mail, or — if you have opted in — SMS text message.
Access
Upon written request, you have the right to inspect and obtain copies of your health information (and that of an individual for whom you are a legal guardian). We will provide access in the form/format you request, with limited exceptions. Contact our Privacy Officer for the appropriate request form, or send a written request to the address below. Once approved, an appointment can be made to review your records. Postage may be charged for mailed copies. Access in electronic form may be obtained where readily producible; otherwise, a readable hardcopy will be provided. A summary or explanation of your information may be provided for a fee — contact our Privacy Officer for our fee structure.
Amendment
You have the right to amend your health information if you feel it is inaccurate or incomplete. Your request must be in writing and must include an explanation of why the information should be amended. Under certain circumstances, your request may be denied.
Breach Notification
It is presumed that any acquisition, access, use, or disclosure of PHI not permitted under HIPAA regulations is a breach. We are required to complete a risk assessment, inform HHS if necessary, and take other steps required by law. You will be notified of the situation and any steps you should take to protect yourself from harm resulting from the breach.
Questions and Complaints
You have the right to file a complaint with us if you feel we have not complied with our Privacy Policies. Direct your complaint to our Privacy Officer. If you feel we may have violated your privacy rights, or if you disagree with a decision regarding access to your health information, you can complain to us in writing. Request a Complaint Form from our Privacy Officer. We support your right to privacy and will not retaliate in any way if you choose to file a complaint with us or with the U.S. Department of Health and Human Services.