Notice of Privacy Practices

Effective Date: January 6, 2026

Cara Erkut MD PLLC and its employees are dedicated to maintaining the privacy of your personal health information (“PHI”), as required by applicable federal and state laws. These laws require us to provide you with this Notice of Privacy Practices, and to inform you of your rights and our obligations concerning Protected Health Information.

1. Why You Need This Notice

This Notice of Privacy Practices describes how we may use and disclose your medical information. It also describes your rights to access and control your medical information.

We are committed to maintaining the privacy of your protected health information (PHI). Your PHI includes medical information about you such as your medical record and the care and services that you have received from us. We need this information to provide you with the appropriate level of care and also to comply with certain legal obligations.

We are required by law to provide you with this Notice of our legal duties and privacy practices with respect to your PHI that we maintain. The following laws govern how we handle your information:

• HIPAA: The Health Insurance Portability and Accountability Act of 1996
• HITECH: The Health Information Technology for Economic and Clinical Health Act
• Washington State Law: RCW 70.02 governing health care information
• Professional Standards: American Psychiatric Association ethical guidelines

Under these laws, we may not disclose any information to anyone outside our practice that would, directly or indirectly, identify you as having received mental health services, except as permitted by law. We take this obligation and your privacy seriously.

2. Uses and Disclosures That Do NOT Require Your Authorization

We are permitted by law to use and disclose your PHI without your written authorization for the following purposes:

Treatment

We will use and disclose your PHI to provide you with psychiatric treatment and services. We will record your PHI in an electronic medical record to determine the best course of treatment for you. For example, we may disclose medical information about you to physicians, pharmacists, or other licensed health care providers who are involved in your care.

Payment

We may use and disclose PHI about you for payment activities as permitted by law. This includes determining eligibility under a health plan, billing and collection activities, and submitting claims to your insurance company.

Health Care Operations

We may use and disclose your PHI in connection with our health care operations, including quality assessment activities, reviewing the competence of health care professionals, evaluating provider performance, and other business operations.

As Required by Law

We may disclose your PHI when required by federal, state, or local law, including:

• Public Health Activities: Reporting communicable diseases as well as known or suspected child abuse or neglect to appropriate authorities
• Victims of Abuse or Neglect: Releasing PHI to the Washington Department of Children, Youth, and Families or other appropriate authority in connection with investigations of abuse or neglect
• Court Orders: When ordered by a judge to release PHI in response to a court order
• Duty to Warn: When there is a legal duty to warn or protect; if you make serious threats to an individual, notification may be made to that individual or authorities
• Law Enforcement: Certain PHI may be released where directly relevant to crimes or threats committed on our premises or against our personnel

Serious Threat to Health or Safety

We may disclose your PHI if we believe it is necessary to prevent or lessen a serious and imminent threat to the health and safety of you or the public.

Individuals Involved in Your Care

We may release non-specific PHI about you to a friend, family member, or legal guardian who is involved in your medical care if you do not object. In an emergency, we may disclose PHI about you to an entity assisting in a disaster relief effort so that your family can be notified about your condition and location.

3. Uses and Disclosures That REQUIRE Your Written Authorization

We will seek your specific written authorization for the following types of information:

Psychotherapy Notes

Psychotherapy notes are notes prepared by your psychiatrist referencing your private counseling sessions that are maintained separate from the rest of your clinical records. These notes receive special protection under HIPAA. We must receive your written authorization to disclose psychotherapy notes unless otherwise required by law.

Marketing and Sale of PHI

We must receive your written authorization for any disclosure of PHI for marketing purposes or for any disclosure which is a sale of PHI.

Other Sensitive Information

Depending on circumstances, we may need your specific authorization to disclose:

• HIV/AIDS related information
• Substance abuse treatment records (if applicable)
• Genetic information

If you provide us with authorization to use or disclose your PHI, you may revoke the authorization in writing at any time. If you revoke your authorization, we will not use or disclose your PHI for the reasons covered by your authorization, except to the extent that action has already been taken.

4. Your Rights

You have the following rights regarding the PHI that we maintain about you:

Right to Receive a Paper Copy of This Notice

You have the right to receive a paper copy of this Notice upon request.

Right to Access Your PHI

You have the right to inspect and copy your PHI for as long as we maintain your medical record. You must make a written request for access. We may charge a reasonable fee for the processing and copying of your medical record consistent with Washington State law. In certain limited circumstances, we may deny your request to access your PHI, and you may request that we reconsider our denial.

Right to Request Restrictions

You have the right to request a restriction or limitation on the use or disclosure of your PHI for the purpose of treatment, payment, or health care operations. However, we are not legally required to agree to such a restriction. You have the right to restrict the disclosure of your PHI to a health plan if the PHI pertains to health care services for which you paid in full directly to us.

Right to Request Amendment

You have the right to request that we amend your PHI if you believe it is incorrect or incomplete. You must provide a reason that supports your amendment request. We may deny your request if we did not create the PHI, it is not part of the PHI that we maintain, or we determine that the PHI is accurate and complete.

Right to an Accounting of Disclosures

You have the right to request a list of certain disclosures of your PHI (other than those made for treatment, payment, or health care operations) made within three years from the date of your request.

Right to Confidential Communications

You have the right to request that we communicate with you about your PHI by certain means or at certain locations. For example, you may request that we call you only at your home phone number, and not at your work number.

Right to Notice of Breach

We are required by law to protect the privacy and security of your PHI through appropriate safeguards. We will notify you if a breach occurs involving your unsecured PHI.

5. Our Duties

We are required by law to:

• Maintain the privacy of your PHI
• Provide you with this Notice of our legal duties and privacy practices
• Follow the terms of this Notice currently in effect
• Notify you if we cannot agree to a requested restriction
• Accommodate reasonable requests to communicate health information by alternative means or locations

We reserve the right to change our privacy practices and to make the new provisions effective for all PHI we maintain. If we make a material change to this Notice, we will post the revised Notice on our website and make copies available at our office.

---

6. Website Privacy Policy

This section describes how we collect and use information when you visit our website (caraerkutmd.com).

Information We Collect

When you visit our website, we may automatically collect certain information including:

• Your device’s Internet Protocol (IP) address
• Browser type and operating system
• Pages visited and time spent on our website
• Referring website
• General geographic location

If you submit a contact form, appointment request, or other inquiry through our website, we collect the information you provide.

Cookies and Tracking Technologies

Our website uses cookies and similar technologies to enhance your experience and analyze website traffic. Cookies are small files stored on your device that help us understand how visitors use our site.

We may use:

• Essential cookies: Required for basic website functionality
• Analytics cookies: Help us understand how visitors interact with our site (e.g., Google Analytics)
• Functional cookies: Remember your preferences

You can control cookies through your browser settings. Note that disabling cookies may affect website functionality. Our website does not respond to “Do Not Track” signals.

Third-Party Services

Our website and practice may use third-party services, including:

• Website hosting (Squarespace)
• Electronic health records (Valant)
• Payment processing (Square)
• Website analytics (Google Analytics)

These providers are contractually obligated to protect your information. Where applicable, we maintain Business Associate Agreements as required by HIPAA.

Links to Other Websites

Our website may contain links to third-party websites. We are not responsible for the privacy practices of these external sites. We encourage you to review the privacy policy of any website you visit.

Data Security

We employ administrative, physical, and electronic measures designed to protect your information from unauthorized access, including encryption and firewalls. However, no security system is impenetrable, and we cannot guarantee the security of information transmitted over the Internet.

Children’s Privacy

Our website is not intended for children under 13. We do not knowingly collect personally identifiable information from children under 13 through our website. Our clinical services for adolescents are provided with appropriate parental or guardian consent as required by law.

Changes to This Policy

We may update this Privacy Policy from time to time. Any changes will be posted on our website with an updated effective date.

---

7. Questions and Complaints

If you have questions about this Notice of Privacy Practices or our privacy policies, or if you believe your privacy rights have been violated, please contact us:

You may also file a complaint with the U.S. Department of Health and Human Services:

Or with the Washington State Office of the Attorney General:

---

© 2026 Cara Erkut MD PLLC. All rights reserved.
7525 SE 24th St #400, Mercer Island, WA 98040