Privacy Policy & Notice of Privacy Practices

Section 1

Who We Are

University Urology, PC ("University Urology," "we," "us," or "our") is a physician-owned urologic specialty practice located at 1928 Alcoa Highway, Building B, Suite 222, Knoxville, Tennessee 37920. We operate 11 clinic locations across East Tennessee and are affiliated with the University of Tennessee Medical Center.

University Urology is a "covered entity" under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its implementing regulations. This Notice of Privacy Practices applies to all locations, departments, and providers operating under University Urology, PC.

Section 2

What Is Protected Health Information

Protected Health Information (PHI) is information about you — including demographic information — that may identify you and that relates to your past, present, or future physical or mental health condition; the provision of health care to you; or the past, present, or future payment for the provision of health care to you.

PHI includes information in many forms: spoken, written, electronic, and photographic. Examples include your name, address, date of birth, diagnosis, test results, visit notes, billing records, and insurance information when associated with your health care.

Section 3

How We Use and Disclose Your PHI

The following describes the ways we may use and disclose your PHI. Not every use or disclosure in a category will be listed, but all of the ways we are permitted to use and disclose information will fall within one of the following categories.

Treatment

We may use your PHI to provide, coordinate, or manage your health care and related services. We may disclose your PHI to physicians, nurses, APPs, and other health care professionals involved in your care — including specialists, referring providers, hospitals, laboratories, and imaging facilities. For example, we may share your records with a radiation oncologist or medical oncologist who is coordinating cancer treatment with us.

Payment

We may use and disclose your PHI to obtain payment for your health care services. This includes billing your insurance company, verifying coverage and eligibility, submitting claims, and responding to coverage disputes or audits. For example, we may send a claim to your insurance company that includes diagnosis codes, procedure codes, and other relevant clinical information.

Health Care Operations

We may use and disclose your PHI for our internal operations. This includes quality improvement activities, provider credentialing, training of staff, practice management, compliance audits, and accreditation activities. For example, we may review your care records as part of a quality review process to improve our clinical protocols.

Appointment Reminders and Care Communication

We may contact you — by phone, text, or secure message — to remind you of upcoming appointments, share instructions related to your procedure or visit, and communicate results and follow-up information. We use Klara, a HIPAA-compliant secure messaging platform, as our primary channel for patient communication. You may request that we use an alternative method of communication.

Health Information Exchanges

We may participate in health information exchanges (HIEs) or electronic health record networks that allow your providers to share and access clinical information for purposes of treatment, care coordination, and public health reporting.

Section 4

Other Uses and Disclosures

In certain circumstances, we may use or disclose your PHI without your specific authorization:

As Required by Law

We will disclose your PHI when required to do so by federal, state, or local law, including mandatory reporting requirements.

Public Health Activities

We may disclose your PHI to public health authorities for activities including disease prevention and control, reporting adverse events related to medications or devices, and reporting communicable diseases.

Abuse, Neglect, and Domestic Violence

We may disclose your PHI to appropriate government authorities when we reasonably believe you may be a victim of abuse, neglect, or domestic violence, as required or permitted by law.

Health Oversight Activities

We may disclose your PHI to health oversight agencies for activities such as audits, investigations, and inspections authorized by law, including those related to government benefit programs like Medicare and Medicaid.

Judicial and Administrative Proceedings

We may disclose your PHI in response to a court order, subpoena, or other lawful process. We will attempt to notify you when required by law or when appropriate.

Law Enforcement

We may disclose your PHI to law enforcement officials for limited purposes, including reporting certain types of wounds or injuries, identifying or locating a suspect or missing person, or complying with a court order or warrant.

Serious Threat to Health or Safety

We may use or disclose your PHI to prevent or lessen a serious and imminent threat to the health or safety of you or another person.

Research

We may use or disclose your PHI for research purposes, subject to approval by an Institutional Review Board (IRB) or Privacy Board, or when limited data sets are used under a data use agreement.

Workers' Compensation

We may disclose your PHI to the extent necessary to comply with workers' compensation or similar programs established by law.

Coroners, Medical Examiners, and Funeral Directors

We may disclose PHI to a coroner, medical examiner, or funeral director as authorized by law.

Uses Requiring Your Written Authorization

The following uses and disclosures require your written authorization: most disclosures of psychotherapy notes; uses and disclosures of PHI for marketing purposes; sales of PHI; and any other use or disclosure not described in this notice. You may revoke a written authorization at any time by submitting a written request to our Privacy Officer. Revocation does not apply to uses or disclosures already made in reliance on the authorization.

Section 5

Your Rights Regarding Your PHI

You have the following rights with respect to your PHI. To exercise any of these rights, please submit a written request to our Privacy Officer using the contact information at the end of this notice.

To request access to your medical records, submit FMLA documentation, or process disability forms, please use our authorized third-party records partner ShareCare. Our office does not process these requests internally. Contact information for the ShareCare portal is available at any of our clinic locations.

Section 6

Website and Digital Privacy

This section describes how we collect and use information through our website at universityuro.com and our digital communication tools.

Information We Collect Automatically

When you visit universityuro.com, our hosting and analytics tools may automatically collect certain non-personally identifiable information, including your IP address, browser type and version, operating system, referring URL, pages visited, and time and date of visit. This information is used to improve site performance, understand how visitors use our site, and troubleshoot technical issues.

Cookies and Similar Technologies

Our website may use cookies — small text files stored on your device — to improve your browsing experience. We use functional cookies necessary for basic site operation, and may use analytics cookies to understand site usage. We do not use cookies to collect PHI, and we do not sell your data to advertisers. You may disable cookies in your browser settings; however, some site features may not function as intended.

Appointment Request and Contact Forms

Our appointment request portal is hosted at referrals.universityuro.com, a HIPAA-compliant subdomain separate from our marketing website. Information submitted through this portal — including your name, date of birth, contact information, insurance information, and reason for visit — is transmitted over encrypted HTTPS connections and used only to schedule your care. This information is PHI and is subject to the full protections of this notice.

AI Chat Assistant

Our website features an AI-powered chat assistant designed to answer general questions about our services, procedures, locations, and policies. This assistant does not access your medical records, does not store your personal health information, and is not a substitute for clinical advice. Do not share sensitive personal health information through the chat widget. For clinical questions or secure communication, please use Klara or call our office.

Analytics

We may use third-party analytics services (such as Google Analytics) to understand how our website is used. These services may collect information about your browsing behavior using cookies or similar technologies. Analytics data is aggregated and does not identify individual users. You may opt out of Google Analytics tracking by installing the Google Analytics Opt-out Browser Add-on at tools.google.com/dlpage/gaoptout.

Section 7

Third-Party Services

University Urology uses the following HIPAA-compliant third-party platforms to deliver patient care and communication. Each of these vendors has executed a Business Associate Agreement (BAA) with University Urology as required under HIPAA.

Klara (Patient Messaging)

Klara is our HIPAA-compliant secure messaging platform for non-urgent patient communication, including appointment messaging, prescription refill requests, and record submission. Klara stores and transmits communications using encryption. Accessible at patient.klara.com. Klara's own privacy policy is available on their website.

ModMed (Patient Portal and EHR)

ModMed is our electronic health record (EHR) and patient portal platform. Your medical records, visit notes, lab results, imaging reports, and billing information are stored in ModMed. The patient portal is accessible at universityuro.modmedapp.com.

ShareCare (Medical Records and Documentation)

ShareCare is our authorized third-party partner for processing medical records requests, FMLA documentation, and disability forms. University Urology does not process these requests internally. Please contact ShareCare directly for all records and documentation requests.

Referral Portal

Our appointment request and provider referral portal at referrals.universityuro.com is operated on a HIPAA-compliant platform using encrypted HTTPS transmission. Information submitted through this portal is treated as PHI.

Section 8

Minor Patients

For patients under the age of 18, a parent or legal guardian generally has the right to access the minor's PHI and act as the minor's personal representative. Exceptions may apply under state law, including situations where a minor has the legal right to consent to certain types of care independently. In such cases, we will follow applicable state and federal law in determining what access a parent or guardian may have.

Our website and digital tools are not directed at children under the age of 13. We do not knowingly collect personal information from children under 13 through our website or chat assistant.

Section 9

How We Protect Your Information

University Urology implements administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of your PHI, as required under HIPAA's Security Rule. These safeguards include:

• Encryption of electronic PHI in transit and at rest
• Access controls limiting PHI access to authorized personnel
• Staff training on privacy and security policies
• Secure disposal of paper and electronic records
• Regular risk assessments and security evaluations
• Business Associate Agreements with all HIPAA-covered vendors

Despite our efforts, no method of transmission over the internet or electronic storage is 100% secure. If you have reason to believe your information has been compromised, please contact our Privacy Officer immediately.

Section 10

Changes to This Notice

University Urology reserves the right to change this Notice of Privacy Practices at any time, and to make the new notice provisions effective for all PHI we maintain — including PHI created or received before the effective date of the revised notice. When we make a material change to this notice, we will post the updated notice at universityuro.com/privacy-policy, update the "Last Updated" date at the top of this notice, and make copies available at all clinic locations.

We will not retroactively change our privacy practices in ways that materially reduce your rights without your consent.

Section 11

Questions and Complaints

If you have questions about this notice, wish to exercise your privacy rights, or believe your privacy rights have been violated, please contact our Privacy Officer.

University Urology is required by law to comply with the terms of this notice and to notify affected individuals following a breach of unsecured PHI. We are committed to protecting your health information and to maintaining your trust.