Notice of Privacy Practices
Effective Date: April 10, 2026
Last Updated: April 10, 2026
THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
Who We Are
Vascular & Interventional Specialists (“VIS,” “we,” “us,” or “our”) is a multi-state interventional radiology and vascular care practice. We are a covered entity under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and are required by law to maintain the privacy of your protected health information (PHI), provide you with this Notice of our legal duties and privacy practices, and follow the terms of this Notice currently in effect.
Our locations:
- Dakota Dunes, SD (Headquarters)
- Omaha, NE
- Kansas City, MO (including Olathe, KS and Lee's Summit, MO)
- Chicagoland, IL (Crystal Lake)
- Iowa outreach locations
- Nebraska outreach locations
- Wisconsin outreach locations
What Is Protected Health Information (PHI)?
PHI is individually identifiable health information that relates to your past, present, or future physical or mental health condition, the provision of healthcare to you, or payment for healthcare services. PHI includes information in any form — verbal, written, or electronic.
How We May Use and Disclose Your PHI
Uses and Disclosures That Do Not Require Your Authorization
We may use and disclose your PHI without your written authorization for the following purposes:
Treatment — We may use your PHI to provide, coordinate, and manage your healthcare and related services. For example, we may share your PHI with other physicians, specialists, or facilities involved in your care, including referring providers, hospitals, imaging centers, and laboratories.
Payment — We may use and disclose your PHI to bill and collect payment for the services we provide to you. For example, we may send your PHI to your health insurance plan to obtain payment or pre-authorization for a procedure.
Healthcare Operations — We may use and disclose your PHI for our internal operations, including quality improvement, staff training, compliance auditing, and business planning. For example, we may use your PHI to evaluate provider performance or review the quality of care you received.
Appointment Reminders and Health-Related Communications — We may contact you to provide appointment reminders, information about treatment alternatives, or other health-related benefits and services that may interest you.
Business Associates — We may disclose your PHI to third-party vendors (“business associates”) who perform services on our behalf that require access to PHI. All business associates are required to sign a Business Associate Agreement (BAA) that obligates them to protect your PHI. Our current business associates include:
- Jotform (HIPAA Gold) — appointment request form hosting with end-to-end encryption
- HubSpot — patient relationship management and care coordination
- CallRail — call tracking and call recording for quality assurance
As Required by Law — We may use or disclose your PHI when required by federal, state, or local law.
Public Health Activities — We may disclose your PHI for public health purposes, such as reporting communicable diseases, work-related illness or injury, or adverse events related to medications or medical devices.
Health Oversight Activities — We may disclose your PHI to health oversight agencies for activities authorized by law, including audits, investigations, inspections, and licensure.
Judicial and Administrative Proceedings — We may disclose your PHI in response to a court order or administrative tribunal order, or in response to a subpoena, discovery request, or other lawful process.
Law Enforcement — We may disclose your PHI to law enforcement officials under limited circumstances, such as in response to a court order, warrant, or subpoena; to identify or locate a suspect, fugitive, or missing person; or to report certain types of wounds or injuries.
Coroners, Medical Examiners, and Funeral Directors — We may disclose your PHI to coroners, medical examiners, and funeral directors as necessary to carry out their duties.
Organ and Tissue Donation — We may disclose your PHI to organizations that handle organ, eye, or tissue procurement or transplantation.
Research — We may use or disclose your PHI for research purposes under specific conditions approved by an Institutional Review Board or privacy board.
Serious Threats to Health or Safety — We may use or disclose your PHI when necessary to prevent or lessen a serious and imminent threat to your health or safety or the health or safety of the public.
Military and Veterans — If you are a member of the armed forces, we may disclose your PHI as required by military command authorities.
Workers’ Compensation — We may disclose your PHI to comply with workers’ compensation laws.
Inmates — If you are an inmate of a correctional institution, we may disclose your PHI to the institution or its agents when necessary for your health or the health and safety of others.
Uses and Disclosures That Require Your Written Authorization
For uses and disclosures not described above, we will obtain your written authorization before using or disclosing your PHI. This includes:
- Marketing — We will not use your PHI for marketing purposes without your written authorization, except for face-to-face communications and promotional gifts of nominal value.
- Sale of PHI — We will not sell your PHI without your written authorization.
- Psychotherapy notes — If applicable, we will not disclose psychotherapy notes without your written authorization (except as permitted by law).
You may revoke any authorization you give us at any time by submitting a written request to our Privacy Officer. Revocation will not affect any uses or disclosures made in reliance on the authorization before it was revoked.
Your Rights Regarding Your PHI
You have the following rights regarding your PHI maintained by VIS:
Right to Access — You have the right to inspect and obtain a copy of your PHI maintained in your medical and billing records. To request access, submit a written request to our Privacy Officer. We may charge a reasonable fee for copying and mailing costs. We must respond to your request within 30 days (with one 30-day extension if needed).
Right to Amend — If you believe your PHI is incorrect or incomplete, you may request an amendment. Submit a written request to our Privacy Officer explaining the reason for the amendment. We may deny your request under certain circumstances (e.g., if the information was not created by us, is not part of your medical record, or is already accurate).
Right to an Accounting of Disclosures — You have the right to request a list of certain disclosures of your PHI that we have made. This does not include disclosures for treatment, payment, healthcare operations, or disclosures you authorized in writing. Submit a written request to our Privacy Officer. The first request in a 12-month period is free; we may charge a reasonable fee for additional requests.
Right to Request Restrictions — You have the right to request that we restrict how we use or disclose your PHI for treatment, payment, or healthcare operations. We are not required to agree to your request unless the disclosure is to a health plan for payment or healthcare operations, and the PHI relates solely to a service for which you paid out of pocket in full.
Right to Request Confidential Communications — You have the right to request that we communicate with you about your PHI in a specific way or at a specific location. For example, you may request that we contact you only by mail or at a specific phone number. We will accommodate reasonable requests.
Right to a Paper Copy of This Notice — You have the right to obtain a paper copy of this Notice at any time, even if you previously agreed to receive it electronically. Contact our Privacy Officer or request a copy at any of our office locations.
Right to Be Notified of a Breach — You have the right to be notified if we discover a breach of your unsecured PHI. We will notify you as required by law.
Our Responsibilities
We are required to:
- Maintain the privacy of your PHI and provide you with this Notice of our legal duties and privacy practices.
- Notify you if we are unable to agree to a requested restriction on how we use or disclose your PHI.
- Abide by the terms of this Notice currently in effect.
- Notify you if a breach of your unsecured PHI occurs.
We reserve the right to change our privacy practices and the terms of this Notice. Any revised Notice will apply to PHI we already have about you as well as any information we receive in the future. A revised Notice will be posted on our Website and available at our office locations.
How We Protect Your PHI
We implement administrative, technical, and physical safeguards to protect your PHI, including:
- Encryption — PHI transmitted through our appointment request forms (Jotform HIPAA Gold) is encrypted in transit and at rest.
- Access controls — Staff access to PHI is limited to those who need it to perform their job duties.
- Business Associate Agreements — All vendors who handle PHI on our behalf are bound by BAAs requiring HIPAA-compliant data protection.
- Call recording security — Call recordings containing PHI (via CallRail) are stored securely and access is restricted to authorized personnel.
- Staff training — Our workforce members receive training on HIPAA privacy and security requirements.
Call Recording and PHI
When you call our offices through phone numbers displayed on our Website, your call may be recorded via CallRail for quality assurance and training purposes. If you discuss health information during the call, the recording becomes part of our records and is treated as PHI.
- Call recordings are stored securely by CallRail under a Business Associate Agreement.
- Access to recordings is restricted to authorized VIS staff.
- Recordings are retained in accordance with applicable state medical record retention requirements.
- You may request that your call not be recorded by informing the staff member at the beginning of the call.
Online Appointment Request Forms and PHI
When you submit an appointment request form on our Website, the information you provide (including your reason for visit, which may constitute PHI) is processed by Jotform under HIPAA-compliant conditions:
- Jotform operates under a signed BAA with VIS.
- Form data is encrypted end-to-end.
- Staff notification emails do not contain your form submission data — staff must log in to the secure Jotform dashboard to view submissions.
- Your form data is used solely for scheduling and care coordination purposes.
State-Specific Provisions
VIS operates in multiple states, and certain state laws provide additional protections:
South Dakota — South Dakota follows HIPAA requirements. Medical records must be retained for a minimum of 10 years.
Nebraska — Medical records must be retained for at least 10 years after the last date of service.
Missouri — Medical records must be retained for at least 7 years from the last date of service (10 years for minors from the date of majority).
Illinois — Illinois requires all-party consent for call recording under the Eavesdropping Act (720 ILCS 5/14). Call recording disclosures are provided at the start of all calls to our Illinois locations. Medical records must be retained for at least 10 years.
Iowa — Medical records must be retained for at least 7 years.
Kansas — Medical records must be retained for at least 10 years from the last date of service.
Wisconsin — Medical records must be retained for at least 5 years from the last date of service (patient records) or longer if required by specific regulations.
Complaints
If you believe your privacy rights have been violated, you may:
- File a complaint with VIS — Contact our Privacy Officer using the information below.
- File a complaint with the U.S. Department of Health and Human Services (HHS) — Office for Civil Rights, 200 Independence Avenue SW, Washington, DC 20201, or online at www.hhs.gov/ocr/privacy/hipaa/complaints.
We will not retaliate against you for filing a complaint.
Contact Our Privacy Officer
For questions about this Notice, to exercise your rights, or to file a complaint:
Vascular & Interventional Specialists — Privacy Officer
345 W. Steamboat Dr., Suite 601
Dakota Dunes, SD 57049
Phone: (605) 217-5617
Website: www.vascularcare.com/contact/