Thirty Madison KMG Notice of Privacy Practices

Notice of Privacy Practices

KMG Medical Group

Effective: December 1, 2022

Last Updated: July 12, 2024

THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.

This Notice of Privacy Practices (the “Notice”) describes how the KMG Medical Group affiliates listed below¹ (called the “Affiliates,” “we,” or “our” in this Notice) may use and disclose your protected health information (also called “PHI”). PHI is information about you that identifies you and relates to your past, present or future physical health or condition, treatment, or payment for health care services. PHI may be received from you directly or through a third party, such as a non-Affiliate medical provider or pharmacy. This Notice also describes your rights related to your own PHI.

The Affiliates provide medical services to customers of Thirty Madison, Inc. d/b/a Keeps, Cove, Nurx, and Facet. Thirty Madison manages the Affiliates and will follow this Notice for all of your PHI. Thirty Madison also provides non-medical services to its customers. A different privacy policy describes the Thirty Madison privacy practices for non-medical services, which can be found here.

USES AND DISCLOSURES OF PHI:

TREATMENT: We may use your PHI to provide, coordinate, and manage your health care and any related services. We may also disclose your PHI to others who need that information to treat you, or that assist in the coordination or management of your health care. For example, we may provide your PHI to a health care provider to whom you have been referred.

PAYMENT: We may use and disclose your PHI to get paid for the services we provided to you. For example, your health plan or health insurance company may ask to see parts of your medical record before they will pay us for your treatment.

HEALTH CARE OPERATIONS: We may use or disclose your PHI to support our business activities. For example, we may use your PHI to conduct quality improvement activities, to obtain audit, accounting or legal services, or to conduct business management and planning.

The Affiliates send prescriptions to and share PHI with pharmacies, including but not limited to those that are managed by Thirty Madison, called AFA Pharmacy, LLC, Propel Pharmacy, LLC, and Propel Pharmacy Ohio, LLC (together, the “Pharmacies”). Because Thirty Madison manages the Affiliates and the Pharmacies, your PHI will be used for joint activities between the Affiliates and the Pharmacies, such as quality improvement.

USES AND DISCLOSURES THAT DO NOT REQUIRE YOUR AUTHORIZATION: We may use or disclose your PHI in other situations without your authorization: as required by law; for public health purposes (such as communicable disease reporting or reporting adverse drug events to the FDA); for health care oversight purposes (such as medical board licensure); for reporting suspected abuse, neglect, or domestic violence; to prevent or lessen a serious and imminent threat to health or safety; in connection with legal and administrative proceedings (such as responding to subpoenas and court orders); for public safety and law enforcement purposes (such as responding to search warrants and grand jury subpoenas); to coroners, medical examiners, funeral directors and organ donation agencies; for certain public health and research purposes (such as identifying individuals who may want to participate in a clinical trial); to report adverse reactions to medications; to help with product recalls; for certain military, veterans, and national security purposes; and for workers’ compensation reporting.

State law may place additional limitations on the disclosure of your PHI. For example, some types of sensitive health information such as HIV information, genetic information, alcohol and/or substance abuse records and mental health records may be subject to additional confidentiality protections under state law. We will abide by any applicable state privacy laws when using and disclosing your PHI.

USES AND DISCLOSURES THAT REQUIRE YOUR AUTHORIZATION: We will not use or disclose your PHI for a purpose not described in this Notice unless we have your written authorization or unless we are legally permitted to do so. For example, without your authorization, we will not sell your PHI.

If you provide us with an authorization for certain uses and disclosures of your information, you may take back that authorization at any time, unless we have already relied on your permission to use or disclose your information. If you want to take back your authorization, please send a written request to the Privacy Officer at the contact information at the end of this Notice.

YOUR RIGHTS WITH RESPECT TO YOUR PHI:

RIGHT TO REQUEST YOUR PHI: You have the right to look at your own PHI and to get a copy of that information (the law requires us to keep the original record). This includes your medical record, your billing record, and other records we use to make decisions about your care. If you request a paper copy of your information, we may charge you for our costs to copy the information, but we will tell you in advance what this copying will cost. If you want an electronic copy of your information, we will not charge you for that, unless you request a copy on CD. You can look at your record at no cost.

RIGHT TO REQUEST AMENDMENT OF PHI: If you look at your information and believe that some of the information is wrong or incomplete, you may ask us to amend your record. We may say “no” to your request, but we’ll tell you why in writing within 60 days.

RIGHT TO GET A LIST OF CERTAIN DISCLOSURES OF YOUR PHI: You can ask for a list (accounting) of the times we’ve shared your health information for six years prior to the date you ask, who we shared it with, and why. We will include all the disclosures except for those about treatment, payment, and health care operations, and certain other disclosures (such as any you asked us to make). We’ll provide one accounting a year for free but will charge a reasonable, cost-based fee if you ask for another one within 12 months.

RIGHT TO REQUEST RESTRICTIONS ON HOW WE USE OR DISCLOSE YOUR PHI FOR TREATMENT, PAYMENT, OR HEALTH CARE OPERATIONS: You have the right to ask us not to make uses or disclosures of your PHI for treatment, payment or health care operations (which are described in the Notice above). At your request, we are required to agree not to disclose PHI to your health plan if the PHI deals solely with a health care item or service for which you (or someone else on your behalf) have paid in full out of pocket. We are not required to agree to other requests, but if we do agree, we will comply with that agreement. Your request must be in writing and detail the restriction you request.

RIGHT TO REQUEST CONFIDENTIAL COMMUNICATIONS: You have the right to ask us to communicate with you in a way you feel is more confidential. Please note if you ask us to communicate with you by email or text, those communications may not be secure.

You may exercise any of these rights by sending a written request to the Privacy Officer at the contact information listed at the end of this Notice.

SOCIAL MEDIA ACCOUNT SIGN ON: To the extent that you choose to use a social media account application (such as Google, Meta/Facebook, or Apple) to create your online account with Thirty Madison, you understand that if another person has access to your social media account, they will also have access to your account on the Thirty Madison site. That means that another person could access PHI in your account. It’s your decision about whether to give another person access to your social media account and whether to use that account to sign on to Thirty Madison.

RIGHT TO CHOOSE SOMEONE TO ACT FOR YOU: If you have given someone medical power of attorney or if someone is your legal guardian, that person can exercise your rights and make choices about your health information if they have the proper authority to do so. We will ask that the person confirm they have the proper authority to act for you before we take any action.

REVISIONS TO THIS NOTICE: From time to time, we may change our practices concerning how we use or disclose PHI, or how we will implement patient rights. We reserve the right to revise this Notice and to make the revised Notice effective for PHI we already have about you and any PHI we receive in the future. Any changes to this Notice will be posted on the Thirty Madison and KMG websites.

COPY OF THIS NOTICE: You are entitled to a paper copy of the Notice currently in effect.

QUESTIONS OR COMPLAINTS: We are committed to maintaining the privacy of your protected health information. If you have any questions or complaints about this Notice or how we handle your PHI, please contact our HIPAA Privacy Officer at 844-990-0267 or via email at privacy@thirtymadison.com.

Or write us by U.S. postal mail at the following address:

82 Nassau St., #61392 New York, NY 10038

You may also file a complaint with the U.S. Department of Health and Human Services, Office of Civil Rights. We will not penalize you or retaliate against you in any way for filing such a complaint.

We are required by law to give you this Notice and to follow the terms of the Notice that is currently in effect. We are also required to notify you if there is a breach of your unsecured PHI.


¹ The KMG Medical Group affiliates include the following legal entities:

  • KMG Medical Group MO, P.C.
  • KMG Medical Group KS, P.A.
  • KMG Medical Group, NJ, P.A.
  • KMG Medical Group, TX., P.A.
  • Michael Karagas, M.D., P.C. d/b/a KMG Medical Group
  • Hudson NYC Medical, P.C.