Privacy policy
Notice of Privacy Practices and Website Privacy Policy
Effective: May 14, 2026 · Last updated: May 14, 2026
This Notice describes how Mt. Baker Medical, PLLC ("Mt. Baker Medical," "we," "us," or "our") collects, uses, discloses, and protects health information and other personal information about you, both in our clinical practice and through our website at mtbakermedical.com. We are a healthcare provider and a covered entity under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"). We are also subject to Washington State's My Health My Data Act ("WA MHMDA"), and where applicable, the California Consumer Privacy Act ("CCPA"), the General Data Protection Regulation ("GDPR"), and other state and federal privacy laws. Please read this Notice carefully. If you have questions, contact us using the information in Section 10.
1. Introduction and scope
This Notice applies to:
- Personal information and health information you provide to us in the course of receiving medical care at Mt. Baker Medical, PLLC.
- Information collected through our website, mtbakermedical.com (the "Site"), including form submissions, scheduling requests, and analytics data.
- Information you provide when you contact us by phone, email, or text.
This Notice does not apply to information collected by third-party services we link to (such as our patient scheduling and billing platform, payment processors, or contracted laboratories). Those services maintain their own privacy policies, which we encourage you to review.
By using the Site or receiving care from Mt. Baker Medical, you acknowledge that you have read and understood this Notice. As required under 45 CFR 164.520, we will make a good-faith effort to obtain your written acknowledgment that you have received this Notice no later than your first treatment encounter, and we will document that effort if you decline to sign.
2. Information we collect
Protected Health Information (PHI)
- Demographic information (name, date of birth, address, phone, email)
- Medical history, including conditions, medications, allergies, family history, and social history
- Symptom reports and clinical assessments
- Laboratory and diagnostic results, including body composition (InBody) and imaging
- Treatment plans, prescriptions, and clinical notes
- Payment, billing, and insurance information (when you submit insurance information for HSA/FSA documentation purposes)
- Records of communications with our practice (phone, email, secure messaging)
Information collected through the Site
- Information you submit through contact forms, consultation requests, or newsletter signups (name, email, phone, brief message)
- IP address, browser type, device information, pages visited, referring URL, and timestamps (collected automatically through standard web server logs and analytics tools)
- Cookies and similar tracking technologies (see Section 7)
Information from third parties
- Lab results from contracted laboratories
- Information from other healthcare providers when you authorize them to share records with us
- Information from your insurance carrier or HSA / FSA administrator when relevant to your account
We do not collect health information from third parties without your authorization, except as permitted by HIPAA (for example, in emergency treatment situations).
3. How we use your information
We use your protected health information for the purposes permitted by HIPAA, which include:
- Treatment. Providing, coordinating, and managing your healthcare and any related services. This includes communicating with other healthcare providers involved in your care, with your authorization where required.
- Payment. Billing and obtaining payment for the services we provide. Because Mt. Baker Medical operates on a direct-pay membership model, we generally do not submit claims to commercial insurance, but we may use your information to provide you with receipts, statements, or documentation you submit to your insurance, HSA, or FSA.
- Healthcare operations. Quality assessment, training, credentialing, accreditation, legal services, business management, and similar internal operations.
- As required or permitted by law. Including public health activities, reporting of certain diseases, judicial and administrative proceedings, law enforcement requests where legally required, and other circumstances authorized by HIPAA at 45 CFR 164.512.
We use information collected through the Site for:
- Responding to your inquiries and scheduling requests
- Sending you information you have requested (newsletters, appointment reminders, follow-up communications)
- Operating, securing, and improving the Site
- Understanding aggregate usage patterns (in de-identified form) to improve content and user experience
- Complying with our legal obligations
4. How we share your information
We share your information only as permitted by law or with your written authorization. Specifically, we may share:
- With other healthcare providers involved in your care — specialists, hospitals, laboratories, pharmacies, and other treating clinicians — when sharing is necessary for treatment.
- With business associates who provide services to our practice (electronic health records hosting, scheduling software, billing platforms, IT and security services). All business associates are required by contract (Business Associate Agreements) to safeguard your information and use it only for the purposes we authorize.
- With specifically engaged third-party services used to deliver care or operations, including Hint Health (membership management, scheduling, and payment processing at mtbakermedical.hint.com), our contracted clinical laboratory partners, compounding pharmacies that fill prescriptions we order on your behalf, and secure communication and messaging tools.
- As required by law. This may include public health reporting, court orders or subpoenas, mandated child or vulnerable-adult abuse reporting, controlled substance prescribing reports to state monitoring programs, and similar legal obligations.
- With your written authorization. For any purpose not described in this Notice, including most disclosures of psychotherapy notes, marketing communications where authorization is required, and any sale of PHI (which we do not engage in).
You have the right to revoke a written authorization at any time with respect to future disclosures. Revocation must be in writing.
5. How we protect your information
Mt. Baker Medical implements administrative, physical, and technical safeguards designed to protect your information against unauthorized access, alteration, disclosure, or destruction, as required by the HIPAA Security Rule (45 CFR Part 164, Subparts A and C). These safeguards include:
Administrative safeguards
Documented privacy and security policies; workforce training on HIPAA and applicable state privacy laws; role-based access controls limiting which workforce members can view which information; documented data-handling procedures; designated Privacy and Security Officers; and ongoing oversight of business associates.
Physical safeguards
Locked storage of physical records; restricted access to clinic areas where health information is handled; secure disposal of records that are no longer required to be retained; and physical security controls on workstations and devices that access protected health information.
Technical safeguards
Encryption of health information in transit and at rest; secure authentication for our electronic health record and scheduling systems; audit logs of access to patient records; automatic session timeouts on workstation and EHR access; multi-factor authentication where available; and periodic technical security assessments.
Vendor due diligence
All business associates and third-party service providers that handle protected health information on our behalf are required to sign Business Associate Agreements (BAAs) and to maintain HIPAA-compliant safeguards. We review BAAs and vendor security postures on a recurring basis.
6. Your rights and choices
You have several rights with respect to your information under HIPAA, the Washington My Health My Data Act, and other applicable laws. To exercise any of these rights, contact us using the information in Section 10. We will verify your identity before responding and will respond within the timeframes required by the applicable law (typically 30 to 60 days).
Rights under HIPAA
- Right to access. You may request to inspect or obtain a copy of your medical record. We will provide records within 30 days of a written request, in the format you request when reasonably feasible. We may charge a reasonable fee for paper copies as permitted by law.
- Right to amend. You may request an amendment to your medical record if you believe information is inaccurate or incomplete. We will respond to amendment requests within 60 days.
- Right to an accounting of disclosures. You may request a list of disclosures we have made of your protected health information for purposes other than treatment, payment, or healthcare operations.
- Right to request restrictions. You may request that we restrict how we use or disclose your information for treatment, payment, or healthcare operations. We are not required to agree to every requested restriction, but we will accommodate reasonable requests. We must agree to a requested restriction when you ask us not to disclose information about a service to your health plan for payment or operations and you have paid for that service in full out of pocket.
- Right to confidential communications. You may request that we communicate with you in a specific way or at a specific location (for example, by personal email rather than home phone).
- Right to a paper copy. You may request a paper copy of this Notice at any time.
- Right to be notified of breach. You will be notified of any breach of your unsecured protected health information as required by HIPAA.
Rights under the Washington My Health My Data Act (WA MHMDA)
- Right to confirm whether we are processing your consumer health data.
- Right to access the consumer health data we are processing about you.
- Right to deletion of your consumer health data, subject to legal retention requirements applicable to medical records.
- Right to withdraw consent previously given for the collection, sharing, or sale of consumer health data.
Rights under the California Consumer Privacy Act (CCPA), if applicable
- Right to know what personal information is collected, used, shared, or sold.
- Right to delete personal information, with exceptions for health information we are required to retain.
- Right to opt out of any sale or sharing of personal information. (We do not sell or share personal information for cross-context behavioral advertising.)
- Right to non-discrimination for exercising your rights under the CCPA.
Rights under the General Data Protection Regulation (GDPR), if applicable
- Rights to access, rectification, erasure, restriction of processing, data portability, and objection.
- Right to lodge a complaint with a supervisory authority in your jurisdiction.
How to exercise your rights
Submit requests in writing to the Privacy Officer at the contact information in Section 10. Include your name, date of birth, and a description of the request. We will verify your identity using information already in your medical record and respond within the timeframe required by the applicable law.
7. Cookies, analytics, and tracking technologies
Our Site uses cookies and similar technologies to operate, secure, and improve the Site.
Types of cookies we may use
- Strictly necessary cookies — required for the Site to function (for example, session management). These cannot be disabled.
- Analytics cookies — help us understand how visitors use the Site so we can improve it. These collect information in de-identified, aggregated form.
- Functionality cookies — remember preferences such as dismissed announcements or accessibility settings.
We do not currently use advertising cookies, retargeting pixels, third-party advertising trackers, or any cross-context behavioral advertising on the Site.
Analytics providers we may use include Google Analytics (with IP anonymization enabled where applicable) and website performance tools provided by our hosting platform.
You can control cookies through your browser settings. Disabling certain cookies may affect Site functionality. We honor the "Do Not Track" (DNT) signal sent by your browser where technically feasible.
8. Data retention, children's privacy, and policy updates
Retention
We retain protected health information for the length of time required by applicable law and our recordkeeping policies. In Washington State, adult medical records are generally retained for at least 10 years from the most recent encounter. Records of minor patients are retained until the patient reaches age 21 or 10 years past the most recent encounter, whichever is later. Some records may be retained longer where required by law — for example, certain controlled substance prescribing records.
Site-collected information that is not part of a medical record (analytics data, contact form submissions, newsletter subscriptions) is retained only as long as necessary for the purpose for which it was collected, typically no longer than 24 months unless required to be retained longer for legal compliance.
Children's privacy
The Site is not directed to children under 13, and we do not knowingly collect personal information from children under 13 through the Site. We provide medical care to minor patients only with the consent of a parent or legal guardian, and the privacy of minor patients' health information is protected in accordance with HIPAA and applicable Washington State law.
Updates to this Notice
We may update this Notice from time to time to reflect changes in our practices or applicable law. The "Effective date" at the top of this page indicates when the current version took effect. We will post any updates to this page, and where required by law, will notify you through other means. Continued use of the Site or our services after an update constitutes acknowledgment of the updated Notice.
9. Compliance with applicable law
Mt. Baker Medical maintains policies, training, and operational practices designed to comply with the following laws and standards:
- The Health Insurance Portability and Accountability Act of 1996 (HIPAA), including the Privacy Rule (45 CFR Part 164, Subpart E), the Security Rule (45 CFR Part 164, Subparts A and C), and the Breach Notification Rule (45 CFR Part 164, Subpart D).
- The Health Information Technology for Economic and Clinical Health Act (HITECH Act).
- The Washington My Health My Data Act (RCW 19.373), which provides additional protections for consumer health data beyond HIPAA.
- Washington State medical records and patient confidentiality requirements, including RCW 70.02.
- The California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), where applicable to California residents.
- Other state consumer privacy laws (including Colorado, Virginia, Connecticut, Utah, and Texas), where applicable.
- The EU General Data Protection Regulation (GDPR) and the UK GDPR, where applicable to residents of the European Union or the United Kingdom.
- Federal and state laws governing controlled substance prescribing, including Drug Enforcement Administration (DEA) recordkeeping requirements.
- Federal and state laws governing telehealth, including informed consent and licensure requirements.
- LegitScript Healthcare Certification Standards, including Standard 6 (Privacy).
We conduct periodic privacy and security risk assessments, train our workforce on privacy obligations, maintain Business Associate Agreements with all third-party service providers that handle protected health information, and review and update our privacy practices on a recurring basis. Our compliance program is overseen by Dr. James Scribner, MD, FACEP, MPH, who serves as the practice's designated Privacy Officer.
If you believe Mt. Baker Medical has not complied with applicable privacy law or the terms of this Notice, you have the right to file a complaint with us (using the contact information in Section 10) and with the following authorities:
- U.S. Department of Health and Human Services, Office for Civil Rights (for HIPAA complaints) — www.hhs.gov/ocr or 1-800-368-1019.
- Washington State Attorney General's Office (for WA MHMDA and state privacy law complaints) — www.atg.wa.gov.
- The applicable supervisory authority in your jurisdiction (for GDPR or other international complaints).
We will not retaliate against you for filing a complaint.
10. Contact information
For questions about this Notice, to exercise any of your rights, to request a paper copy, or to file a complaint:
Privacy Officer
Mt. Baker Medical, PLLC
1200 Harris Avenue, Suite 308
Bellingham, WA 98225
Phone: (360) 498-7529
Email: privacy@mtbakermedical.com