We are obligated by state and federal law to provide you with this notice about our privacy practices and your rights as a patient concerning your personal health information (PHI). In accordance with state and federal law, we are required to maintain the privacy of your health information. This notice took effect on April 14, 2003 and will remain in effect until we change or replace it. If such changes should occur, a new notice will be available and will apply to all health information under the supervision of CNM both previous to and after the new notice is created.


Any information that is identifiable to you is considered your PHI. We maintain personal health information related to your:
● Health condition and treatment information related to your health condition
● Identity, such as name, age, and address
● Insurance coverage


● Treatment: We may use or disclose your PHI to a physician or other health care provider who provides direct treatment to you, to a pharmacist for prescription services, to a laboratory for authorization of lab testing or to any other entity directly related to your care. Examples of platforms we utilize for information sharing include Athena Health, Sure Scripts, Klara messaging services, Oregon Prescription Drug Management Database, and the Oregon ALERT vaccines database.
● Payment: We may use and disclose your PHI to obtain payment for services we provide to you, such as reporting to your insurance company, our billing and bookkeeping services, or to a collection agency.
● Healthcare operations: We may use or disclose your PHI in relation to CNM’s healthcare operations. The term “healthcare operations” includes quality control and improvement activities, reviewing our healthcare professional’s competence and qualifications, evaluating provider performance, conducting training programs (including with naturopathic medical students and residents), accreditation, and certification, licensing, or credentialing activities.
● Family and friends: While we must disclose your PHI to you, we may disclose your information to a friend or family member to the extent necessary that it helps with your healthcare or payment. We will only do this if you agree that we may do so with your written consent.
● Other persons involved in your care: Should the need arise, we may use or disclose PHI to notify, or assist in notifying, a family member or another person responsible for your care, of your location, your general condition, or your death. If you are present, we will provide you with the opportunity to object or deny disclosure. However, in the event of an emergency or other incapacitation, we will use our professional judgment to make reasonable deductions in your best interest in allowing other persons to pick up prescriptions, supplements, imaging, or other similar forms of health information.
● Referrals and second opinions: We may use and disclose your PHI in order to refer you to another health care practitioner or in order to obtain the opinion of another health care practitioner regarding your treatment unless you have previously objected in writing to this release of information.
● Outside medical testing facilities: We may use and disclose your health information in order to obtain medical results from facilities such as outside laboratories and imaging facilities.
● Pharmacies: We may use and disclose your PHI in order to prescribe pharmaceuticals and other medically necessary substances and equipment.
● Naturopathic medical students: In accordance with our role as a naturopathic medical student training facility, we may use and disclose your PHI in order to further the training and experience of said students and residents functioning within our business. You may object to this release of information in writing on your consent for treatment and release of information.
● As required by law: We may use and disclose your PHI as law requires of us, such as in response to a subpoena, or to state or federal public health departments in specific circumstances to assist in contact tracing efforts.
● Abuse or neglect: We may disclose your PHI to appropriate authorities in the instance we believe you may be the victim of abuse, neglect, domestic violence, or other crimes. We will only release the minimum necessary information in order to protect you from threat to your or other’s health and safety.
● National security: Under specific circumstances, we may be required to disclose information to authorized federal officials the health information required for intelligence, counterintelligence, or other national security activities. We may disclose information of Armed Forces personnel to military authorities under certain circumstances.
● Appointment reminders: We may use or disclose your PHI to provide you with appointment reminders, such as voicemail messages, postcards, or letters.
● Marketing health related services: We will not distribute your health information for outside marketing communications without your written consent. We may use your PHI in order to communicate health events and services offered internally by CNM through voicemail, letters, postcards, or email.


● Personal access: You have the right to view and receive copies of your health information, with limited exceptions. If you request copies of your health information at a frequency greater than once yearly, we reserve the right to charge you $25 per request after the first one.
● Disclosure: You have the right to request an accounting of instances in which we or our business associates disclosed your PHI for purposes other than treatment, payment, healthcare operations, and certain other instances for the last six years. Requests occurring at a frequency of greater than once yearly may incur charges to be determined at the time.
● Restriction of disclosure: You may request in writing that we place additional restrictions on our use or disclosure of your PHI. We are not required to agree with your request, however in the instance that we do agree, we will honor our agreement, except in the case of emergency.
● Change in communication method: You may request in writing that our communications with you regarding your PHI be through other methods or to other locations, provided it is clearly written to which location and payment can be reasonably expected through these means.
● Health information amendments: You may request in writing that we amend your health information. We request a written explanation and reserve the right to deny your request in certain circumstances.
● Electronic notice: If you have reviewed this notice via our website or email, you may request a paper copy.


● Treating all the information we obtain as confidential
● Maintaining previous professional medical confidentiality standards
● Training employees in our confidentiality standards as well as disciplinary measures for
privacy violations
● Restricting access to your PHI to only those employees who need to know your information in order to complete their expected duties on your behalf, such as scheduling, maintaining medical charts, refilling prescriptions and answering medical questions initiated by you.
● Only disclosing the minimum necessary PHI as is needed for you to obtain adequate health care when it is requested from other health care providers.
● Maintaining adequate physical, electronic, and procedural safeguards compliant with state and federal regulations.
● Requesting signed contracts from any business associate who has access to your PHI, as outlined above, stating that they will honor privacy as required by law and as stated in our policies.

Please contact our privacy office, Stacie Wolfe ND, if you have any questions, concerns, or complaints regarding our privacy practices. . If you are concerned that we may have violated your privacy rights, you are in disagreement with any decisions made with respect to your access to your PHI, or you wish to amend or restrict your consent to use and disclose your PHI, please contact the privacy officer. You have the right to submit a written complaint to the US Department of Health and Human Services for any violation of this policy into effect April 14, 2003. We fully advocate a patient’s rights to privacy of personal health information.

Privacy Officer: Stacie Wolfe, ND
Telephone: 503-232-1100
Fax: 503-232-7751
Address: 1330 SE Cesar E Chavez Blvd, Portland, OR 97214


The HIPAA Privacy Rule allows covered providers and health plans to disclose protected health information to “business associates” if the providers or plans obtain satisfactory assurances that the business associate will use the information only for the purposes for which it was engaged by the covered entity, will safeguard the information from misuse, and will help the covered entity comply with some of the covered entity’s duties under the privacy rule. Covered entities may disclose protected health information to an entity in its role as a business associate only to help the covered entity carry out its health care functions – not for the business associate’s independent use or purposes, except as needed for the proper management and administration of the business associate.

General Provision
The Privacy Rule requires that a covered entity obtain satisfactory assurances from its business associate that the business associate will appropriately safeguard the protected health information it receives or creates on behalf of the covered entity. The satisfactory assurances must be in writing, whether inthe form of a contract or other agreement between the covered entity and the business associate.

“Business Associate” Defined

A “business associate” is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides service to, a covered entity.

  1. A member of the covered entity’s workforce is not a business associate
  2. A covered health care provider, health plan, or health care clearinghouse can be a business associate of another covered entity

Some of the functions or activities, as well as the particular services that make an entity a “business associate” include payment or health care operations activities as well as other functions or activities regulated by the Administrative Simplification Rules.

  1. Business associate functions and activities include: claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, billing, benefit management, practice management, and repricing
  2. Business associate services are: legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, and financial

Business Associate Contracts

A covered entity’s contract or other written arrangement with its business associate must contain the elements specified at 45 CFR 164.504(e). For example, the contract must:

  1. Describe the permitted and required uses of protected health information by the business associate
  2. Provide that the business associate will not use or further disclose the protected health information other than as permitted or required by the contract or as required by law
  3. Require the business associate to use appropriate safeguards to prevent a use or disclosure of the protected health information other than as provided for by the contract

Where a covered entity knows of a material breach or violation by the business associate of the contract or agreement, the covered entity is required to take reasonable steps to cure the breach or end the violation, and if such steps are unsuccessful, to terminate the contract or arrangement. If termination of the contract or agreement is not feasible, a covered entity is required to report the problem to the Department of Health and Human Services Office for Civil Rights.