HIPAA Notice of Privacy Practices

(NPP)

Jerald Cook, MD, MS, FACOEM

Lifestyle & Functional Medicine Physician

Founder, Med Fit Culture

Med Fit Culture is a physician-led practice focused on lifestyle medicine, functional medicine, and performance coaching. We help motivated people improve metabolic health, fitness, and resilience through evidence-based care and structured coaching.

Dr. Cook is a retired Navy physician and lifelong endurance athlete. He began coaching Ironman athletes in 2011 and has since guided a broader community—athletes and non-athletes alike—toward sustainable health change. His approach blends clinical training with real-world experience to meet you where you are and move you forward, step by step.

Who We Are

Med Fit Culture is the operating name of Jerald Cook, MD, PC. This Notice applies to our physician, employees, contractors, and business associates who support our clinical services (e.g., Practice Better, DrFirst, and limited billing vendors).

Where medical care is offered: Clinical services are provided only to patients located in California or Nevada at the time of a telehealth visit. Health coaching is available nationwide and is not medical care; website tracking and non‑PHI data are covered by our separate Website Privacy Policy.

Our Duties

Maintain the privacy and security of your Protected Health Information (PHI).

Provide you this Notice and follow it.

Notify you if a breach compromises the privacy or security of your PHI.

Abide by more protective state laws where they apply (e.g., California’s CMIA).

How We Typically Use and Disclose PHI

(Without Your Written Authorization)

Treatment

To provide, coordinate, or manage your care (telehealth visits, consultations, referrals, e‑prescribing via DrFirst, reviewing labs/imaging).

Payment

To bill and collect payment for services, verify coverage/eligibility, or obtain prior authorization. We share only the minimum necessary information.

Healthcare Operations

Quality improvement, licensing, audits, training, customer service, and care coordination. De‑identification for analytics and operations (not PHI).

Business Associates

Vendors who help us operate (e.g., Practice Better for EHR/portal; DrFirst for e‑prescribing; limited billing processors). All such vendors are bound by Business Associate Agreements (BAAs) to protect PHI.

Appointment Reminders & Care Communications

We may contact you about appointments, results availability, portal messages, and care options. We use the secure patient portal for PHI whenever possible.

Other Uses and Disclosures Permitted or Required by Law

We may also use or disclose PHI without your authorization for: public health and safety; abuse/neglect; health oversight; law enforcement and legal proceedings; coroners/medical examiners; organ/tissue donation where allowed; averting a serious threat; workers’ compensation; research under privacy safeguards; and other purposes allowed by law. Certain records (e.g., some mental health, HIV/STD, genetic, reproductive health, substance use disorder) may have additional protections; we follow the stricter rules.

Uses and Disclosures Requiring Your Written Authorization

We will not use or disclose your PHI for these purposes without your signed authorization: marketing communications not permitted by law; sale of PHI; most disclosures of psychotherapy notes (if created); and any use/disclosure not described in this Notice. You may revoke an authorization at any time in writing, except to the extent we have already acted.

Your Rights

Access

Get an electronic or paper copy of your medical record. Request via the secure patient portal or in writing. We may charge a reasonable, cost‑based fee.

Amend

Ask us to correct your record if you think it’s inaccurate or incomplete. If we deny, we’ll explain why and note your statement of disagreement.

Confidential Communications

Request that we contact you in a specific way (e.g., portal only) or at a different address/phone. We will accommodate reasonable requests.

Restrictions

Ask us not to use/share certain PHI for treatment, payment, or operations. We may deny some requests; however, if you pay in full out‑of‑pocket, you can require us not to disclose that service to your health plan unless required by law.

Accounting of Disclosures

Request a list of certain disclosures of your PHI for the six years prior to your request (excludes TPO and routine disclosures).

Choose a Representative

If you have given someone medical power of attorney or a legal guardian is appointed, that person can exercise your rights after we verify authority.

Paper Copy

Request a paper copy of this Notice at any time.

File a Complaint

If you believe your privacy rights have been violated, you may complain to us or to the U.S. Department of Health & Human Services, Office for Civil Rights (HHS OCR). We will not retaliate for filing a complaint.

Our Practices

• Electronic systems & vendors
We use HIPAA‑compliant systems to deliver care and manage records. Our primary electronic health record and patient portal is Practice Better; e‑prescribing is conducted through DrFirst. We maintain BAAs with PHI‑handling vendors, use role‑based access with least‑privilege, and require multi‑factor authentication. PHI is exchanged using secure, encrypted connections; we avoid unencrypted email/SMS for PHI.

• About Practice Better’s security
According to Practice Better’s published materials, their program includes encryption in transit and at rest, strict access controls (minimum‑necessary by default), audited activity logs, routine vulnerability scanning, and regular encrypted backups retained for a defined period. For current details, see:
https://help.practicebetter.io/hc/en-us/articles/234814027-Privacy-and-Security-on-Practice-Better
Last reviewed by Med Fit Culture: [Month Day, 2025].

• Payments
Payments may be processed via Stripe and/or QuickBooks Online (Intuit). We do not store your full card number on our systems. These processors maintain PCI compliance. See Stripe’s and Intuit’s security documentation for details.

• Telehealth
We verify identity and location at each visit and obtain telehealth consent. Online questionnaires are not used alone to establish a physician‑patient relationship.

• Prescriptions & pharmacies
Prescriptions are sent electronically to your pharmacy of choice. We do not dispense medications. Controlled substances, when clinically appropriate and lawful, follow federal/state rules (including PDMP checks and EPCS).

Changes to This Notice

We may change this Notice, and the changes will apply to PHI we already have and to new PHI from that point forward. The current Notice will be posted on our website with the effective date at the top.

Contact Us

(Privacy Office)

Privacy Officer: Jerald Cook, MD

Phone: 858-848-9052 (leave a voicemail)

Email (for privacy requests): [email protected]

Mailing Address: PO Box 7076, Stateline, NV 89449

To file a complaint with HHS OCR, we can provide current contact details upon request or you may use the HHS OCR online portal. There will be no retaliation for filing a complaint.

Acknowledgment of Receipt
You may be asked to acknowledge receipt of this Notice. Your care will not be conditioned on providing that acknowledgment.

Reminder: This HIPAA Notice covers medical information (PHI).

For website cookies, analytics, and non‑PHI data, see our Website Privacy Policy.
