Tristan Cooper MD PLLC, DBA NextDayDoctor Medical Group
Effective Date: {{DATE_PUBLISHED}}
THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
This Notice of Privacy Practices ("Notice") describes the privacy practices of Tristan Cooper MD PLLC, doing business as NextDayDoctor Medical Group ("the Practice," "we," "us," or "our"). This Notice applies to all Protected Health Information ("PHI") created, received, maintained, or transmitted by the Practice in connection with your care.
Administrative, technology, and operational services supporting this Practice are provided by NDD MSO LLC (operating as NextDayDoctor) under a Management Services Agreement, and by Strongwork LLC (the technology company that built and maintains the platform software and infrastructure, operating under a Technology License Agreement with NDD MSO LLC and separately licensed to use the NextDayDoctor brand in connection with platform operations) under a Technology License Agreement. This is a management services arrangement in which the clinical practice remains independently operated and controlled by a licensed physician. Both NDD MSO LLC and Strongwork LLC act as Business Associates of this Practice and are contractually bound to protect your PHI in accordance with HIPAA.
We are required by the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") and its implementing regulations (45 CFR Parts 160 and 164) to:
We reserve the right to change the terms of this Notice. Any revised Notice will be effective for all PHI we maintain at that time. If we make material changes to this Notice, we will post the revised Notice on our website on the date the revised Notice takes effect. Where we have a current email address on file for you, we will also notify you by email at that address at the time the revised Notice is posted and takes effect. For patients with active accounts on the NextDayDoctor platform, material changes to this Notice will also be communicated through an in-app notification visible upon next login. Website posting constitutes notice to all patients regardless of whether email notification is sent or received. Material changes include, without limitation, the addition of a new Business Associate with access to your PHI, a change in how your PHI is used for health care operations, the deployment of patient-facing AI features through which you interact directly with AI systems, and any change that meaningfully affects your rights under this Notice.
Protected Health Information ("PHI") means individually identifiable health information that is created or received by this Practice or its Business Associates in the course of providing health care services to you, and that relates to: (a) your past, present, or future physical or mental health or condition; (b) the provision of health care to you; or (c) the past, present, or future payment for the provision of health care to you.
Telehealth Services means the delivery of health care services through electronic communications, including video conferencing, audio communications, and asynchronous store-and-forward technology, provided through the NextDayDoctor platform.
Business Associate means a person or entity that performs certain functions or activities on behalf of the Practice that involve the use or disclosure of PHI, pursuant to a written Business Associate Agreement.
Except as described in this Notice, we will not use or disclose your PHI without your written authorization. You may revoke an authorization in writing at any time, except to the extent that we have already taken action in reliance on it. We will not condition treatment on your providing an authorization except where permitted by law.
We may use and disclose your PHI to provide, coordinate, or manage your health care and related services. This includes consultations with other health care providers, referrals to specialists, prescription management, and coordination with pharmacies. For example, a provider treating you may need to know your medication history to prescribe appropriate treatment.
This Practice operates on a cash-pay basis only and does not bill health insurance. We may use your PHI to process your payment for services, including maintaining billing records. We do not submit insurance claims or assign benefits to third-party payers. Payment transactions are processed through a third-party payment processor. Payment processing is a financial transaction that occurs outside the HIPAA framework; the Practice does not transmit clinical PHI to the payment processor in connection with payment processing. Payment card and financial transaction data collected in the course of processing your payment is governed by the payment processor's own terms of service and applicable financial privacy law, including the Gramm-Leach-Bliley Act where applicable.
We may use and disclose your PHI for our health care operations, including quality assessment and improvement activities, reviewing provider performance, conducting training programs, business planning, compliance activities, and other administrative functions necessary to run the Practice.
We may also use de-identified information — information from which all individually identifying details have been removed in accordance with the HIPAA de-identification standards at 45 CFR § 164.514 — for platform improvement, analytics, and quality assessment activities. De-identified information is no longer PHI and is not subject to the protections described in this Notice.
We retain your PHI for a minimum of ten years from the date the information was created or the date it was last in effect, whichever is later, or for the period required by applicable state law if longer, whichever is greater. Applicable state law may require longer retention periods for certain categories of records, including but not limited to records relating to minors, mental health treatment, and substance use disorder treatment. Where state law imposes a retention period longer than ten years, we will comply with the longer period. After the applicable retention period has expired, your PHI will be disposed of in a manner that protects its confidentiality.
Certain platform features — including staff-facing administrative and clinical support tools — are assisted by artificial intelligence systems powered by AWS Bedrock, a service provided by Amazon Web Services, Inc. ("AWS"). AWS acts as a Business Associate of this Practice and is bound by a written Business Associate Agreement requiring AWS to protect your PHI and use it only as permitted by that agreement and applicable law. AI-mediated processing of your PHI through AWS Bedrock is used to support health care operations and the delivery of services through the platform.
The AI-assisted tools currently deployed through the NextDayDoctor platform are primarily staff-facing. Patients do not interact directly with AI systems through the platform interface. PHI that you have provided to the Practice — including health history, symptom information, and other clinical data — may be accessed and processed by AWS Bedrock in connection with health care operations, such as the preparation of clinical documentation and chart notes by Practice staff.
The processing described above occurs within the Practice's internal clinical workflows and is not visible to or interactive with patients through the platform. Separately, if the Practice deploys features through which patients interact directly with AI systems — for example, an AI-assisted intake tool or health information chatbot — we will update this Notice to describe that processing specifically, and such changes will be treated as material changes subject to the notification procedures described in the introductory section of this Notice. Such AI-mediated processing of your PHI occurs as part of the Practice's internal clinical workflow and is subject to the existing Business Associate Agreement with AWS. Your designated record set — which includes all clinical consultation notes, visit summaries, prescription records, intake questionnaires, and message threads and other electronic communications exchanged through the platform in connection with your care — is fully accessible to you under your right of access under 45 CFR § 164.524, and you may submit a written access request to the Privacy Officer identified in Section 7 at any time. Where AI-assisted staff tools contributed to the preparation of documentation that is part of your designated record set, the final records created and maintained by the Practice remain part of that designated record set and are equally available to you upon such a request.
You have the right to request a restriction on uses and disclosures of your PHI for AI-assisted processing that is not required for your treatment. Requests for such restrictions should be submitted in writing to the Privacy Officer identified in Section 7. We will evaluate your request in accordance with the restriction rights described in Section 3 of this Notice. We are not required to agree to all requested restrictions, but we will notify you of our determination and the basis for it. Where AI-assisted processing via AWS Bedrock is integral to delivering platform-based care or completing your patient intake — for example, where such processing is embedded in a clinical workflow through which your care is administered — we may be unable to honor a restriction request without disrupting care delivery. If that is the case, we will notify you of that limitation in writing consistent with the operational restriction framework described in Section 3 of this Notice, so that you can make an informed decision about how to proceed.
If you are present and able to make decisions, we may disclose PHI to a family member, friend, or other person you identify as being involved in your care, with your agreement. If you are unavailable or incapacitated, we may use professional judgment to determine whether disclosure is in your best interest.
We may disclose your PHI to our Business Associates that perform services on our behalf. Current Business Associates include NDD MSO LLC (platform operations), Strongwork LLC (infrastructure provider maintaining the database and document storage systems underlying the platform, operating as a subcontractor Business Associate of NDD MSO LLC under a Subcontractor Business Associate Agreement with NDD MSO LLC), and Amazon Web Services, Inc. (cloud infrastructure, communications, and AI processing via AWS Bedrock). All Business Associates are required by contract and applicable law to protect your PHI and use it only as permitted.
Amazon Web Services serves multiple functions in connection with the Practice's operations. AWS provides the general cloud infrastructure on which the NextDayDoctor platform is hosted, processes PHI through AWS Bedrock in support of health care operations, and provides communications services through AWS-based communications infrastructure, all pursuant to a single written Business Associate Agreement with AWS. Although patients do not interact directly with AI systems through the platform, PHI that you provide to the Practice — including health history, symptom information, and other clinical data — may be processed by AWS Bedrock to assist Practice staff in delivering care, preparing clinical documentation, and supporting other health care operations functions. For additional detail regarding AI-assisted processing of your PHI, see the AI-Assisted Services subsection of Section 2.
We may use or disclose your PHI without your authorization in the following circumstances:
Fundraising. The Practice does not use your PHI for fundraising purposes.
Marketing. We will not use or disclose your PHI for marketing purposes without your written authorization, except as permitted by law for face-to-face communications or items of nominal value.
You have the right to inspect and obtain a copy of your PHI maintained by us in a designated record set. For patients of this Practice, your designated record set typically includes clinical consultation notes, visit summaries, prescription records, intake questionnaires, asynchronous message threads and other electronic communications exchanged through the platform in connection with your care, and any other documentation created or used by your provider to make decisions about your care. Your request must be in writing. We will respond within 30 days. If we are unable to fulfill your request within 30 days, we may extend the response period by an additional 30 days. If we extend the deadline, we will notify you in writing before the initial 30-day period expires, explaining the reason for the delay and the new response date. We may charge a reasonable, cost-based fee for copies. We may deny your request in certain limited circumstances; if we do, we will explain the reason and inform you of your right to have the denial reviewed by a licensed health care professional designated by the Practice who was not involved in the original denial decision, and we will comply with the outcome of that review.
For electronic PHI maintained in an electronic designated record set, you have the right to receive a copy in electronic format. When fulfilling a request for an electronic copy of PHI maintained in an electronic designated record set, any fee we charge is limited to the reasonable labor costs directly associated with fulfilling the specific request. We may not charge fees for retrieval, infrastructure, overhead, or other costs not directly tied to the labor required to fulfill the specific request. We will not charge fees that are likely to impede your access to your PHI. This fee structure is consistent with the Office for Civil Rights guidance issued under the HIPAA right of access provisions.
You have the right to request that we amend your PHI if you believe it is incorrect or incomplete. Your request must be in writing and must explain the reason for the requested amendment. We will respond within 60 days. We may deny your request if the information was not created by us, is not part of the records we maintained, or is accurate and complete.
You have the right to receive an accounting of certain disclosures of your PHI made by us during the six years prior to your request. This accounting will not include disclosures made for treatment, payment, or health care operations, or disclosures you authorized in writing. The first accounting in any 12-month period is free; we may charge a reasonable fee for additional requests within the same period. To the extent that your PHI is maintained in an electronic health record system, you may also have the right to receive an access report identifying the persons who have accessed your electronic PHI, including accesses made for treatment, payment, and health care operations purposes, consistent with the requirements of the Health Information Technology for Economic and Clinical Health Act and applicable regulations.
You have the right to request restrictions on how we use or disclose your PHI for treatment, payment, or health care operations. We are not required to agree to most restrictions. However, if you request that we restrict disclosure to a health plan for services you paid for entirely out of pocket, and the disclosure is not otherwise required by law, we must honor that restriction. Even if we agree to a restriction, we may disclose PHI in emergency situations.
Because this Practice is cash-pay only, the mandatory restriction right is broadly applicable — if you pay out of pocket for a service, we will not disclose that service to any health plan upon your request. This mandatory restriction applies to disclosures to health plans only and does not automatically restrict the use of your PHI for any other purpose.
If you wish to request a restriction on AI-assisted processing of your PHI, that right is governed by a separate, discretionary process. We are not required to agree to such a restriction, but we will evaluate and respond to any request you submit. To submit a request, please refer to the AI-Assisted Services subsection of Section 2, which describes the applicable procedure.
Where we agree to a restriction — whether on AI-assisted processing or on any other use or disclosure of your PHI — we will implement reasonable technical and administrative measures to honor that restriction, including by directing our Business Associates to comply with the agreed restriction to the extent operationally practicable. Our current Business Associates, as identified in the Business Associates subsection of Section 2 of this Notice, may process or route your PHI in the ordinary course of delivering care and operating the platform, and certain restrictions may not be capable of being honored across all such systems without disrupting your access to care or core platform functions.
If you request a restriction that we determine cannot be fully implemented across our Business Associate infrastructure — for example, a restriction on disclosures to a specific Business Associate that is integral to the delivery of chat-based care — we will notify you of that limitation in writing so that you can make an informed decision about how to proceed. Implementing an agreed restriction requires that it propagate through the full chain through which your PHI flows: from this Practice to NDD MSO LLC (our direct Business Associate for platform operations), then through NDD MSO LLC to Strongwork LLC (Strongwork's subcontractor Business Associate relationship with NDD MSO LLC covers the database and document storage infrastructure on which your PHI resides), and further to Amazon Web Services, Inc. as the underlying cloud infrastructure provider. Because your PHI may be maintained across systems operated at multiple tiers of this chain — including the RDS database and S3 document storage infrastructure maintained by Strongwork LLC — certain restrictions may require coordinated implementation across all of these layers, which may not be operationally practicable in every case. A determination that a particular restriction cannot be implemented does not affect your right to receive care through the platform; it means only that we cannot commit to honoring that specific restriction in its requested form. Where we determine that a requested restriction cannot be implemented across our operational infrastructure in a manner we can reliably honor, we will inform you of that determination in writing and work with you to identify an alternative approach that addresses your underlying concern. We will not represent to you that a restriction has been agreed to unless we are confident we can implement it.
You have the right to request that we communicate with you about your PHI in a certain way or at a certain location. For example, you may request that we contact you only by email or at a specific phone number. We will accommodate reasonable requests that specify the alternative means or location.
You have the right to receive a paper copy of this Notice upon request at any time, even if you have agreed to receive it electronically.
We are required by law to notify you if we discover a breach of your unsecured PHI. We will notify you without unreasonable delay and in no case later than 60 days after discovery of the breach, consistent with 45 CFR § 164.404.
The Practice operates within a tiered Business Associate chain that affects how breach discovery at any level reaches you. When a breach originates at the infrastructure layer, the notification path flows as follows: Amazon Web Services, Inc. ("AWS"), which operates as a subcontractor Business Associate under a Subcontractor Business Associate Agreement with Strongwork LLC, notifies Strongwork LLC; Strongwork LLC, which operates as a subcontractor Business Associate of NDD MSO LLC under a Subcontractor Business Associate Agreement with NDD MSO LLC, notifies NDD MSO LLC; NDD MSO LLC, which is the Practice's direct Business Associate for platform operations, notifies the Practice; and the Practice then notifies you. Under 45 CFR § 164.410, the 60-day clock for notifying affected patients runs from the date the breach was first discovered at any tier of this chain. The Practice is committed to working with NDD MSO LLC, Strongwork LLC, and AWS to ensure that discovery of a breach at any tier is communicated upward through the chain without unreasonable delay, so that the Practice can meet its obligation to notify you within the required period. The notice will include:
In circumstances where we are unable to identify all affected individuals within the applicable notification period — for example, due to the nature, scope, or complexity of the breach — we may provide substitute notice as permitted under 45 CFR § 164.404(d). Substitute notice may include prominently posting the breach notification on our website for a period of 90 days, or providing notice through major print or broadcast media in the geographic areas where affected individuals are likely to reside. Where substitute notice is provided by website posting, the notice will include a toll-free phone number that remains active for at least 90 days through which individuals may inquire whether their PHI was involved in the breach.
If the breach affects 500 or more individuals in a state or jurisdiction, we will also notify prominent media outlets in that state or jurisdiction. All breaches are reported to the Secretary of HHS as required.
Some states have laws that provide greater privacy protections than HIPAA. Where applicable state law provides greater protection, we will comply with the more stringent requirements. This includes enhanced protections that may apply:
Enhanced state protections for these categories vary by jurisdiction. If you have questions about the specific protections that may apply to your records based on your state of residence or the nature of your care, please contact our Privacy Officer using the information provided in Section 7.
For patients who are minors, certain state laws may limit or grant rights of access to health records that differ from the general rules described in this Notice. Because minors cannot self-register on the NextDayDoctor platform, a parent or legal guardian who has booked a visit and consented on behalf of a minor patient may have the right to access that minor's records, subject to applicable state law limitations. Depending on your state, minors may have independent privacy rights with respect to certain categories of health information — including, where applicable, reproductive health, mental health, and substance use disorder records — that restrict or qualify a parent's or guardian's right of access. These limitations vary by jurisdiction and may also govern the minor's own right to access their records upon reaching the age of majority. If you have questions about access rights for minor patient records, please contact our Privacy Officer using the information provided in Section 7.
Where state law provides greater privacy protections than HIPAA, we will comply with those more stringent requirements. Many states have enacted laws specifically governing the collection, use, and sale of consumer health data, and the scope of these protections varies by jurisdiction and continues to evolve. Depending on your state of residence, you may have rights regarding how your health-related data is collected, shared, or sold outside of the HIPAA framework. If you have questions about the state-law protections that may apply to you, please contact our Privacy Officer using the information in Section 7.
The Practice provides services through both in-person visits and Telehealth Services, as defined in Section 1 of this Notice. Where services are delivered through electronic communications, the following additional privacy considerations apply.
Electronic Transmission of PHI. When you receive Telehealth Services, your PHI — including communications exchanged during video or audio consultations and information entered into the platform — is transmitted electronically using HIPAA-compliant encryption. No electronic system can guarantee absolute security. We implement technical safeguards designed to protect your PHI during transmission and storage. However, we encourage you to ensure that you are in a private location during any telehealth consultation, as we cannot control the privacy of your local environment.
Shared Devices and Networks. If you access Telehealth Services using a shared device, a public network, or a network you do not control, there may be local privacy risks that are outside the Practice's control. By using such devices or networks, you assume responsibility for any privacy risks arising from your local environment, including the possibility that others with access to the same device or network may be able to view information related to your session or account.
Cross-State Services and Applicable State Law. Telehealth Services may be provided to patients located in states other than the state in which the treating provider is licensed. Privacy laws vary by state, and additional state privacy protections may apply to your PHI depending on your location at the time services are delivered. The Practice will comply with applicable state law where it provides greater protection than HIPAA. If you have questions about the state privacy laws that may apply to your care, please contact our Privacy Officer using the information in Section 7.
Consumer Health Data Privacy Laws. In addition to HIPAA and the state-law protections described in Section 5, certain state consumer health data privacy statutes may apply to health-related information collected through the NextDayDoctor platform that falls outside HIPAA's definition of Protected Health Information. This category of information may include behavioral data generated by your interactions with the platform, inferred health-related characteristics derived from platform usage, and other health-related information that is not created or maintained by the Practice in its capacity as a HIPAA-covered entity.
At minimum, the following statutes may apply depending on your state of residence or the location from which you access the platform:
Washington My Health MY Data Act (Wash. Rev. Code § 70.372 et seq.): This law applies to consumer health data collected from Washington residents, including data that is not covered by HIPAA. It grants Washington residents the right to confirm whether their consumer health data is being collected, to access that data, to withdraw consent to its collection or sharing, to request deletion of their consumer health data, and to receive a list of third parties with whom their data has been shared. The law also restricts the sale of consumer health data and prohibits the use of geofencing around certain health care facilities for the purpose of collecting such data.
Nevada Senate Bill 370 (2023): This law imposes obligations on entities that collect consumer health data from Nevada residents outside of the HIPAA framework. It grants Nevada residents rights of access, correction, deletion, and the right to opt out of the sale of their consumer health data, and it requires covered entities to implement reasonable data security measures and to obtain consumer authorization prior to sharing consumer health data with third parties.
Other states have enacted or are in the process of enacting similar consumer health data privacy laws. The applicability of any particular statute depends on your state of residence, the nature of the data collected, and the specific activities of the platform. The scope of these laws continues to evolve, and this Notice will be updated as material changes occur.
Washington residents who wish to exercise their rights under the Washington My Health MY Data Act, including the right to confirm collection of their consumer health data, access that data, withdraw consent to its collection or sharing, or request its deletion, should contact the Privacy Officer directly using the information provided in Section 7.
Nevada residents who wish to exercise their rights under Nevada Senate Bill 370 (2023), including the right to access their consumer health data, request correction of inaccurate consumer health data, request deletion of their consumer health data, or opt out of the sale of their consumer health data, should contact the Privacy Officer directly using the information provided in Section 7.
Virginia residents who wish to inquire about or exercise their rights under the Virginia Consumer Data Protection Act with respect to health-related data not covered by HIPAA should contact the Privacy Officer directly using the information provided in Section 7.
Residents of any state that has enacted a comprehensive consumer privacy law or consumer health data statute applicable to health-related data should contact the Privacy Officer directly using the information provided in Section 7 to request a determination of the rights available to them under applicable law and to obtain instructions for exercising those rights.
This Notice is coordinated with the Practice's Privacy Policy, which provides additional detail regarding the categories of health-related data collected through the platform, the purposes for which that data is used, and the rights available to you under applicable law. Where this Notice and the Privacy Policy address the same subject matter, they should be read together. In the event of a conflict between the two documents with respect to HIPAA-covered PHI, this Notice controls.
If you have questions about which consumer health data privacy laws apply to you based on your state of residence, how your data is being collected or used, or how to exercise any of the rights described above, please contact our Privacy Officer using the information provided in Section 7.
These considerations apply only where services are delivered through electronic communications. Patients receiving in-person services are not subject to the electronic transmission or shared-device considerations described above, though cross-state law considerations may still apply in limited circumstances depending on the patient's state of residence.
If you believe your privacy rights have been violated, you may file a complaint with us or with the federal government. We will not retaliate against you for filing a complaint.
To file a complaint with us: Contact our Privacy Officer using the information in Section 7 below.
To file a complaint with the federal government:
Office for Civil Rights U.S. Department of Health and Human Services 200 Independence Avenue, S.W. Washington, D.C. 20201 Toll-free: 1-877-696-6775 Website: www.hhs.gov/ocr/privacy/hipaa/complaints/
For questions about this Notice, to exercise any of your rights, or to file a privacy complaint, please contact:
Privacy Officer, NextDayDoctor Medical Group Tristan Cooper MD PLLC, DBA NextDayDoctor Medical Group c/o NextDayDoctor 9205 West Russell Road, Suite 240 Las Vegas, Nevada 89148 Phone: (619) 639-8329 (ask for Privacy Officer) Email: privacy@nextdaydoctor.com
The current version of this Notice is always available on our website and upon request. Material changes to this Notice are communicated as described in the introductory section above.
