HIPAA-Compliant Privacy Policy

Effective Date: February 23, 2026

Last Updated: February 23, 2026

This Notice of Privacy Practices describes how medical information about you may be used and disclosed and how you can get access to this information. PLEASE REVIEW IT CAREFULLY.

This Notice of Privacy Practices applies to Bright Beehavior Health LLC, including all providers, staff, and business associates acting on our behalf.

  1. WHO WE ARE

    Bright Beehavior Health LLC is a psychiatric outpatient practice located in Alexandria, Virginia, providing mental health evaluation, medication management, and substance use disorder treatment services, including medication-assisted treatment (MAT). We are a covered entity under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its implementing regulations.

    Our Privacy Officer is responsible for ensuring compliance with this Notice and all applicable privacy laws. To contact our Privacy Officer:

    Privacy Officer: Kedest Gebre, PMHNP-BC
    50 S Pickett St, Suite 221
    Alexandria, VA 22304
    Phone: 703-621-1800
    Email: kedest@brightbeehaviorhealth.com

  2. PROTECTED HEALTH INFORMATION (PHI)

    Protected Health Information (PHI) includes any information we create or receive about your health, treatment, or payment for services that can be used to identify you. This includes:

    • Your name, address, date of birth, Social Security number, and other identifiers
    • Medical records, diagnoses, and treatment history
    • Mental health and psychiatric records
    • Substance use disorder treatment records
    • Prescription and medication records
    • Billing and insurance information
    • Electronic communications and telehealth session records

    SPECIAL PROTECTION FOR SUBSTANCE USE DISORDER RECORDS

    Records related to your substance use disorder (SUD) treatment — including medication-assisted treatment (MAT) such as Suboxone/buprenorphine — are protected by both HIPAA and 42 CFR Part 2.

    These records receive heightened protection and CANNOT be disclosed without your specific written consent, except in very limited circumstances (medical emergency, audit/evaluation, or court order).

    We will never share your SUD treatment records with law enforcement, employers, or family members without your explicit written authorization.

  3. HOW WE USE AND DISCLOSE YOUR HEALTH INFORMATION

    We may use or share your PHI without your written authorization for the following purposes:

    3.1 Treatment

    We use your PHI to provide, coordinate, and manage your psychiatric care. This includes sharing information with other healthcare providers involved in your treatment, such as your primary care physician, therapists, specialists, pharmacies, and laboratories. For example, we may share your medication list with your PCP or send a referral letter to a therapist.

    3.2 Payment

    We may use and share your PHI to bill and receive payment for services rendered. This includes submitting claims to your health insurance company, Medicare, or Medicaid, and responding to insurance inquiries about your care. For example, we may share your diagnosis and treatment information with your insurance carrier to process a claim.

    3.3 Healthcare Operations

    We may use and share your PHI for our normal business operations, including quality improvement activities, staff training, accreditation, licensing, auditing, and business planning. For example, we may review records to evaluate the quality of care provided.

    3.4 Appointment Reminders and Treatment Alternatives

    We may contact you to remind you of upcoming appointments or to inform you about treatment alternatives or other health-related services that may benefit you. We may contact you by phone, text message, email, or secure patient portal based on your stated preference.

    3.5 As Required by Law

    We will disclose your PHI when required to do so by federal, state, or local law, including court orders and subpoenas. We will make reasonable efforts to notify you of such disclosures when permitted by law.

    3.6 Public Health Activities

    We may share your PHI with public health authorities for activities such as reporting communicable diseases, injuries, or reactions to medications as required by law.

    3.7 Health Oversight Activities

    We may share your PHI with government agencies authorized to oversee the healthcare system, including audits, inspections, investigations, and licensure activities.

    3.8 Serious Threats to Health or Safety

    We may share your PHI if we believe it is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public, and the disclosure is to someone we believe can help prevent or reduce the threat.

    3.9 Law Enforcement

    We may share your PHI with law enforcement officials in limited circumstances, such as in response to a court order, warrant, subpoena, or summons, or to identify or locate a suspect, fugitive, or missing person. We do NOT routinely share information with law enforcement.

    3.10 Workers’ Compensation

    We may share your PHI as authorized by and to the extent necessary to comply with workers’ compensation or similar programs established by law.

    3.11 Coroners, Medical Examiners, and Funeral Directors

    We may share PHI with a coroner or medical examiner when necessary to carry out their duties, or with funeral directors as necessary.

    3.12 Research

    We may use or disclose your PHI for research purposes only when a special approval process has been followed or when the research involves only limited information that is not directly identifiable.

  4. USES AND DISCLOSURES REQUIRING YOUR WRITTEN AUTHORIZATION

    For the following uses and disclosures, we MUST obtain your signed written authorization before sharing your PHI:

    • Marketing purposes
    • Sale of your PHI
    • Most uses and disclosures of psychotherapy notes
    • Substance use disorder (SUD) treatment records (protected under 42 CFR Part 2)
    • Any disclosure not described in this Notice

    You have the right to revoke your authorization at any time by submitting a written request to our Privacy Officer. Your revocation will not affect uses or disclosures already made in reliance on your authorization.

  5. YOUR RIGHTS REGARDING YOUR HEALTH INFORMATION

    You have the following rights with respect to your PHI. To exercise any of these rights, please submit a written request to our Privacy Officer at the contact information listed in Section 1.

    5.1 Right to Access Your Records

    You have the right to inspect and obtain a copy of your medical records and other PHI that we maintain about you, with limited exceptions. We may charge a reasonable cost-based fee for copies. We will respond to your request within 30 days.

    5.2 Right to Request Amendment

    If you believe that PHI we have about you is incorrect or incomplete, you may request that we correct or add to your records. We may deny your request in certain circumstances, and if we do, we will explain why in writing.

    5.3 Right to an Accounting of Disclosures

    You have the right to request a list of disclosures we have made of your PHI for purposes other than treatment, payment, healthcare operations, and certain other activities. We will provide this accounting for up to six years prior to the date of your request.

    5.4 Right to Request Restrictions

    You have the right to request restrictions on how we use or disclose your PHI. We are not required to agree to your request, except in one circumstance: if you request that we not disclose your PHI to your health plan for services you paid for out-of-pocket in full, we must agree to that restriction.

    5.5 Right to Request Confidential Communications

    You have the right to request that we communicate with you about your health information in a different way or at a different location. For example, you may ask us to contact you only by phone at a specific number, or only by email. We will accommodate reasonable requests.

    5.6 Right to a Paper Copy of This Notice

    You have the right to receive a paper copy of this Notice at any time, even if you agreed to receive it electronically. You may request a copy by contacting our office.

    5.7 Right to Be Notified of a Breach

    You have the right to be notified if there is a breach of your unsecured PHI. We will notify you by first-class mail or email (per your preference) within 60 days of discovering a breach that affects your PHI.

  6. WEBSITE AND DIGITAL PRIVACY

    This section applies to visitors to our website at www.brightbeehaviorhealth.com and any digital platforms we use.

    6.1 Information We Collect Online

    When you visit our website or contact us digitally, we may collect:

    • Information you voluntarily provide through contact forms, appointment requests, or intake forms
    • Usage data such as pages visited, time on site, and browser type (collected anonymously)
    • IP address and general geographic location
    • Cookies and similar tracking technologies (see Section 6.3)

    6.2 Telehealth Services

    We provide telehealth services through HIPAA-compliant platforms. All telehealth sessions are conducted through secure, encrypted video platforms. We do not record sessions without your explicit written consent. Telehealth communications are subject to the same privacy protections as in-person visits.

    6.3 Cookies and Tracking Technologies

    Our website may use cookies — small text files stored on your device — to improve your experience.

    We use:

    • Essential cookies: Required for the website to function properly
    • Analytics cookies: To understand how visitors use our site (anonymized data only)

    You may disable cookies in your browser settings. Disabling cookies may affect some website functionality. We do not use cookies to track your health information or share your browsing data with third parties for marketing purposes.

    6.4 Online Contact Forms and Appointment Requests

    Information submitted through our online contact forms or appointment request tools is transmitted securely and used solely to respond to your inquiry or schedule your appointment. Please do not submit sensitive health information through general contact forms — use our secure patient portal instead.

    6.5 Email Communications

    Standard email is not a fully secure communication method. If you communicate with us by email, please be aware that there is some risk that the email could be intercepted by a third party. For sensitive health information, please use our HIPAA-compliant patient portal (Spruce Health) or call our office directly.

  7. BUSINESS ASSOCIATES

    We work with third-party vendors and service providers (called Business Associates under HIPAA) who assist us in providing services. These may include:

    • Electronic Health Record (Elation Health)
    • Patient communication platforms (Spruce Health)
    • Medical billing and claims processing services (ClaimMD)
    • HIPAA-compliant intake form platforms (HIPAAtizer)
    • Pharmacy and lab services
    • Telehealth technology platforms

    All Business Associates are required to sign a Business Associate Agreement (BAA) with us, committing to protect your PHI in accordance with HIPAA. We do not permit Business Associates to use your PHI for their own purposes.

  8. DATA SECURITY

    We take the security of your health information seriously. We maintain physical, technical, and administrative safeguards to protect your PHI, including:

    • Encrypted electronic health records and communications
    • Secure, password-protected systems with role-based access controls
    • Staff training on HIPAA privacy and security requirements
    • Regular security risk assessments
    • Secure disposal of paper records containing PHI
    • Multi-factor authentication for systems containing PHI

  9. HOW LONG WE RETAIN YOUR RECORDS

    We retain medical records for a minimum of 6 years from the date of creation or the date the record was last in effect, whichever is later, or longer if required by Virginia state law. Virginia law requires retention of adult medical records for at least 6 years from the date of service. Minors’ records are retained until the patient reaches age 18, plus 6 additional years.

    Substance use disorder treatment records protected under 42 CFR Part 2 are subject to specific retention requirements. After the applicable retention period, records are destroyed in a secure manner that protects patient confidentiality.

  10. CHANGES TO THIS NOTICE

    We reserve the right to change this Notice of Privacy Practices at any time, and to make the revised or changed Notice effective for PHI we already have about you as well as any information we receive in the future. We will post the current Notice on our website and make a copy available at our office. The effective date of the current Notice is listed at the top of this Notice.

  11. COMPLAINTS

    If you believe your privacy rights have been violated, you may file a complaint with us or with the U.S. Department of Health and Human Services (HHS). You will not be penalized or retaliated against for filing a complaint.

    To file a complaint with Bright Beehavior Health LLC:
    Contact our Privacy Officer in writing at the address listed in Section 1 of this Notice.

    To file a complaint with the U.S. Department of Health and Human Services:

    Office for Civil Rights
    U.S. Department of Health and Human Services
    200 Independence Avenue, S.W.
    Washington, D.C. 20201
    Phone: 1-877-696-6775
    Website: https://www.hhs.gov/ocr/privacy/hipaa/complaints

  12. CONTACT US

    If you have questions about this Notice or our privacy practices, please contact us:

    Bright Beehavior Health LLC
    Attn: Privacy Officer — Kedest Gebre, PMHNP-BC
    50 S Pickett St, Suite 221
    Alexandria, VA 22304

    Phone: 703-539-5411
    Fax: 703-621-1800
    Email: kedest@brightbeehaviorhealth.com
    Website: https://www.brightbeehaviorhealth.com

    This notice complies with HIPAA (45 CFR Parts 160 and 164) and 42 CFR Part 2 (Substance Use Disorder Records).