17045 Chatsworth St Granada Hills, CA 91344

+1 (818) 918-9564
Get Help Now
Fortify Wellness Logo green
Call (818) 918-9564

HIPAA & 42 CFR Part 2 · Combined Notice

Privacy Statement

This notice describes how medical information about you may be used and disclosed, and how you can get access to this information. It also describes the additional federal protections that apply to your substance use disorder records. Please review it carefully.

Effective date: 17 June 2026  ·  Applies to: Fortify Wellness PHP & IOP, San Fernando Valley, California

SECTION 01: About this notice & who it covers

Fortify Wellness (“Fortify,” “we,” “us,” or “our”) is a licensed behavioral health treatment provider offering Partial Hospitalization (PHP) and Intensive Outpatient (IOP) programming, with a focus on co-occurring substance use and mental health disorders, in the San Fernando Valley, California. We are required by law to protect the privacy of your health information, to give you this notice of our legal duties and privacy practices, and to follow the terms of the notice currently in effect.

The health information we create and keep about you is called protected health information, or “PHI.” Because Fortify provides substance use disorder treatment, much of your record is also a “Part 2 record”, information that receives an extra layer of federal protection described in Section 02. Where any law that applies to us, including 42 CFR Part 2 or California law, is more protective of your information than HIPAA, we follow the stricter rule.

This is a single, combined notice issued under both the HIPAA Privacy Rule (45 CFR 164.520) and the federal Confidentiality of Substance Use Disorder Patient Records regulation (42 CFR Part 2, including 42 CFR 2.22). It applies to all care you receive at Fortify and to everyone who is part of our workforce.

SECTION 02: Special protection for your substance use disorder records

Records of your substance use disorder diagnosis, treatment, or referral for treatment that we create or receive are protected under federal law 42 CFR Part 2, which is stricter than HIPAA. The purpose of these rules is to make sure that fear of disclosure, discrimination, or legal consequences does not keep people from seeking treatment.

What Part 2 means for you

In most cases, we may not tell anyone outside Fortify that you attend our program or share your SUD records without your written consent, except in the limited situations described in this notice. This protection is broader than HIPAA: it generally applies even to disclosures that HIPAA alone would permit. You decide who may receive your SUD information, and you may take that permission back at any time.

You may give us a single written consent that authorizes us to use and disclose your records for your future treatment, payment, and our health care operations. If you give that consent, a HIPAA-covered provider or plan that receives your records under it may then handle them under HIPAA’s rules. You may revoke this consent at any time, in writing, except to the extent we have already acted on it.

Notes from your counseling sessions

If one of our clinicians keeps separate notes analyzing what was discussed in an individual counseling session (“SUD counseling notes,” similar to psychotherapy notes), those notes receive special protection. We will not use or disclose them based on a general treatment, payment, or operations consent, they require your separate, specific written consent, except in narrow circumstances the law allows.

SECTION 03: How we may use and disclose your health information

The following describes the ways we may use and disclose your information. For your SUD records, these uses generally require the consent described in Section 02.

For treatment

We use your information to provide, coordinate, and manage your care, for example, so that your therapist, prescriber, case manager, and group facilitators can work together on your treatment plan, and so we can coordinate with other providers involved in your care when you have consented.

For payment

We use and disclose your information to obtain authorization for treatment, to bill and collect payment from your health plan, and to confirm benefits and medical necessity. For example, our utilization review staff may share clinical information with your insurer to obtain approval for a level of care.

For health care operations

We use your information to run our program safely and effectively, for example, quality and outcomes review, staff training and supervision, licensing and accreditation activities, compliance and audit functions, and care coordination.

People involved in your care

With your agreement, we may share relevant information with a family member, friend, or other person you identify who is involved in your care or payment for your care. Because of Part 2, we will confirm your consent before sharing your SUD information with family or others.

Appointment reminders & program communications

We may contact you with appointment reminders and information about your treatment. We will use the contact method and level of detail you tell us is safe for you.

SECTION 04: Uses and disclosures that require your written authorization

Other than the uses described above, we will not use or disclose your information without your written authorization or consent. This includes:

  • Marketing that promotes a product or service, where we would receive payment for the communication.
  • Any sale of your information.
  • Disclosure of SUD counseling notes (see Section 02).
  • Use or disclosure of your SUD records in legal proceedings against you (see Section 06).
  • Most other uses and disclosures not described in this notice.

You may revoke an authorization or consent in writing at any time. The revocation will apply going forward and will not affect actions we already took while it was in effect. When we make a disclosure based on your consent, we will include either a copy of the consent or a clear explanation of its scope.

SECTION 05: Disclosures we may make without your authorization

The law permits or requires us to use or disclose information without your authorization in certain limited situations. For your SUD records, Part 2 restricts most of these further, so where a situation below would normally apply under HIPAA, we make the disclosure only to the extent Part 2 also allows it.

  • When required by law, where a federal, state, or local law requires the use or disclosure.
  • Medical emergencies, to medical personnel treating you in a bona fide medical emergency.
  • To prevent a serious threat, to lessen a serious and imminent threat to your health or safety or that of others, consistent with Part 2’s limits.
  • Abuse, neglect, or domestic violence reporting, to appropriate authorities as required or permitted by law.
  • Public health, to public health authorities, where Part 2 records are de-identified under the HIPAA standard before disclosure.
  • Health oversight and audits / program evaluation, to agencies that oversee our program, under Part 2’s audit and evaluation rules.
  • Qualified Service Organizations, to vendors that provide services to us (such as billing or lab services) under a written agreement that binds them to Part 2.
  • Coroners and medical examiners, as permitted by Part 2 in connection with a death.
  • Research, under safeguards that meet Part 2 and HIPAA requirements.
  • Court orders & law enforcement, only as specifically permitted by Part 2 (see Section 06). A standard subpoena or general law-enforcement request is not enough to release your SUD records.
  • Workers’ compensation, as authorized by and to the extent necessary to comply with workers’ compensation laws.

California law may give you additional protections beyond those described here, including under the Confidentiality of Medical Information Act and California’s mental health confidentiality laws. Where California law is more protective, we follow it.

SECTION 06: Legal proceedings and limits on redisclosure

Your SUD records carry two protections that are stronger than HIPAA and that we want you to understand clearly.

Use in legal proceedings against you

Required statement, 42 CFR Part 2Substance use disorder records received from a program subject to 42 CFR Part 2, or testimony relaying the content of such records, will not be used or disclosed in civil, criminal, administrative, or legislative proceedings against you unless based on your written consent, or a court order issued after you (or the holder of the record) have been given notice and an opportunity to be heard, as provided in 42 CFR Part 2. A court order authorizing use or disclosure must be accompanied by a subpoena or other legal requirement compelling disclosure before the requested record is used or disclosed.

Limits on redisclosure by people who receive your records

When we share your SUD information with someone you have authorized, we attach a notice telling them they may not pass it on. In substance:

Prohibition on redisclosure, 42 CFR 2.32Information disclosed from these records is protected by federal confidentiality rules (42 CFR Part 2). The federal rules prohibit a recipient from making any further disclosure of information that identifies a patient as having or having had a substance use disorder, whether directly, by reference to publicly available information, or through verification by another person, unless that further disclosure is expressly permitted by the patient’s written consent or is otherwise permitted by 42 CFR Part 2. A general authorization for the release of medical or other information is not sufficient for this purpose. The federal rules restrict any use of the information to investigate or prosecute any patient with a substance use disorder, except as permitted under 42 CFR Part 2.

SECTION 07: Your rights

You have the following rights regarding the information we keep about you. To exercise any of them, contact our Privacy Officer (Section 11).

Inspect and copy

You may inspect and request a copy of the information used to make decisions about your care, in the form and format you request when readily producible. We may charge a reasonable, cost-based fee for copies.

Request an amendment

If you believe information in your record is incorrect or incomplete, you may ask us to amend it. We may deny the request in certain cases and will tell you why in writing.

An accounting of disclosures

You may request a list of certain disclosures we have made of your information, including your Part 2 records, other than those for treatment, payment, and operations or those you authorized. (The federal compliance date for the Part 2 accounting requirement follows the corresponding HIPAA Privacy Rule update; we will provide accountings as those requirements take effect.)

Request restrictions

You may ask us to restrict how we use or disclose your information for treatment, payment, or operations, or to people involved in your care. We will consider every request, though we are not required to agree to all of them.

Confidential communications

You may ask us to contact you in a specific way or at a specific location, for example, only by a certain phone number or address. We will accommodate reasonable requests.

Revoke your consent or authorization

You may revoke a consent or authorization in writing at any time, except to the extent we have already acted on it.

Opt out of fundraising

If we ever contact you for fundraising purposes, you have the right to opt out of receiving those communications.

Notice of a breach

You have the right to be notified if a breach occurs that may have compromised the privacy or security of your information, including your Part 2 records.

A paper copy of this notice

You may request a paper copy of this notice at any time, even if you agreed to receive it electronically.

SECTION 08: Our legal duties

We are required by law to maintain the privacy of your information, including the heightened confidentiality of your SUD records; to provide you this notice of our legal duties and privacy practices; to follow the terms of the notice currently in effect; and to notify you following a breach of unsecured protected health information. We may not retaliate against you for exercising any right described here or for filing a complaint.

SECTION 09: Changes to this notice

We may change this notice and make the new terms apply to all information we maintain. If we make a material change, we will post the revised notice in our facility and on our website, and provide it to you on request. Each notice will show its effective date.

SECTION 10: Complaints

If you believe your privacy rights have been violated, you may file a complaint with our Privacy Officer (Section 11). You may also file a complaint directly with the U.S. Department of Health and Human Services, Office for Civil Rights, which enforces both HIPAA and 42 CFR Part 2. You will not be penalized or retaliated against in any way for filing a complaint.

U.S. Department of Health and Human Services
Office for Civil Rights · 200 Independence Avenue, S.W., Washington, D.C. 20201
Toll-free: 1-877-696-6775 · www.hhs.gov/ocr/privacy/hipaa/complaints/

SECTION 11: Who to contact

For questions about this notice, to exercise any of your rights, or to file a complaint with us, contact our Privacy Officer:

Fortify Wellness, Privacy Officer

Name / title: Henry Hsu
Address: 17045 Chatsworth St Granada Hills, CA 91344
Phone: 818-918-9564
Email: henry@fortifywx.com