Legal Notice

Privacy Policy

Notice of Privacy Practices — Cortex Neurovascular

Effective Date: July 10, 2026

This Notice of Privacy Practices describes how medical information about you may be used and disclosed and how you can get access to this information. Please review it carefully. Cortex Neurovascular is required by law to maintain the privacy of your protected health information and to provide you with this notice of our legal duties and privacy practices.

How We May Use and Disclose Your Health Information

We may use and disclose your protected health information for the following purposes:

For Treatment
We may use your health information to provide, coordinate, or manage your medical treatment. For example, we may share your information with specialists, hospitals, or other healthcare providers involved in your care to ensure that you receive appropriate and coordinated treatment.
For Payment
We may use and disclose your health information so that the treatment and services you receive may be billed to and payment collected from you, an insurance company, or a third party. For example, we may need to give your insurance plan information about your diagnosis or procedures so they will pay us for the services rendered.
For Healthcare Operations
We may use and disclose your health information for our practice operations. These uses are necessary to run our practice and ensure that all patients receive quality care. For example, we may use medical information to review our treatment and services and to evaluate the performance of our staff in caring for you.
As Required By Law
We may disclose your health information when required to do so by federal, state, or local law. We will also disclose your information when required by court order, subpoena, or other legal process.

Other Permitted and Required Uses and Disclosures

There are certain instances where we may use or disclose your health information without your written authorization, including:

Public health activities, such as reporting disease outbreaks and vital records
Health oversight activities, such as audits, investigations, and inspections
Reporting abuse, neglect, or domestic violence as required by law
Judicial and administrative proceedings, in response to a court or administrative order
Law enforcement purposes, such as identifying or locating a suspect or missing person
To avert a serious threat to the health or safety of any person
Workers' compensation claims related to a work-related injury or illness
Organ and tissue donation purposes, if you are an organ donor
Research purposes under limited circumstances with appropriate safeguards
Military, veterans, and national security activities
Coroners, medical examiners, and funeral directors, as necessary
To comply with other applicable laws and regulations

Uses and Disclosures Requiring Your Authorization

Any other uses and disclosures not described in this notice will be made only with your written authorization. If you provide authorization, you may revoke it at any time by submitting a written request to our Privacy Officer. Uses and disclosures that require your authorization include most uses and disclosures of psychotherapy notes, marketing purposes, and the sale of your health information.

Your Rights

Under the Health Insurance Portability and Accountability Act (HIPAA), you have the following rights regarding your health information:

Right to Access
You have the right to inspect and obtain a copy of your protected health information that we maintain. We may charge a reasonable fee for the cost of copying, mailing, or other supplies associated with your request. We may deny your request under limited circumstances, and you may request a review of that denial.
Right to Amend
If you believe that information in your records is incorrect or incomplete, you have the right to request an amendment. Your request must be in writing and include a reason that supports the request. We may deny your request if the information was not created by us, is not part of the records you are allowed to inspect, or is already accurate and complete.
Right to an Accounting of Disclosures
You have the right to request a list of certain disclosures we have made of your health information for purposes other than treatment, payment, and healthcare operations within the past six years. The first list you request in a 12-month period is free; we may charge a fee for subsequent lists within the same period.
Right to Request Restrictions
You have the right to request a restriction or limitation on the health information we use or disclose about you for treatment, payment, or healthcare operations. You also have the right to request a limit on the information we give to someone involved in your care or the payment for your care. We are not required to agree to your request, with certain exceptions.
Right to Request Confidential Communications
You have the right to request that we communicate with you about medical matters in a certain way or at a certain location. For example, you may ask that we contact you only at work or by mail. We will accommodate all reasonable requests.
Right to a Paper Copy of This Notice
You have the right to receive a paper copy of this notice at any time, even if you have previously agreed to receive it electronically. Contact our Privacy Officer using the information provided below to obtain a copy.
Right to Breach Notification
You have the right to receive written notification if there is a breach of your unsecured protected health information, in accordance with applicable law.

Our Duties

We are required by law to maintain the privacy of your health information and to provide you with this notice of our privacy practices. We must follow the terms of this notice while it is in effect.

We reserve the right to change the terms of this notice at any time. Changes will become effective for all protected health information we maintain. If we make material changes to this notice, we will post the revised notice in our office and on our website, and we will offer you a copy of the revised notice at your next visit.

In the event of a breach of your unsecured protected health information, we will notify you as required by law.

Complaints & Contact Information

If you believe your privacy rights have been violated, you may file a complaint with us or with the Secretary of the Department of Health and Human Services. To file a complaint with us, contact our Privacy Officer at the information below. All complaints must be submitted in writing.

You will not be penalized for filing a complaint.

Privacy Officer — Cortex Neurovascular
Address: 2502 S Union Ave, Tacoma, WA 98405
Phone: (833) 4-CORTEX
Email: privacy@cortexneurovascular.com

Mobile App & Referral Platform Privacy

In addition to the HIPAA practices described above, the following sections describe how data is collected, stored, and protected in our mobile applications — the TEMMA Patient Companion App and the Cortex Referral platform.

Provider Information (Referral App)
When a healthcare provider creates an account on the Cortex Referral platform, we collect the provider's name, email address, phone number, and NPI number for verification. Account status (pending, approved, denied) is maintained in our system. Provider accounts can be deleted at any time upon request.
Patient Information (Referral App)
Referring providers enter patient information to submit referrals, including: name, date of birth, phone number, medical record number (MRN), reason for referral, medical history, current medications, allergies, insurance information (optional), and clinical notes. This data is transmitted to the clinical team at Cortex Neurovascular for patient coordination.
OCR (Photo Scan) Feature
When a provider uses the camera to scan a patient face sheet or document, the image is sent to Google Vertex AI for text extraction. Vertex AI is covered by Google's HIPAA Business Associate Agreement. The extracted text populates the referral form for provider review and editing before submission. Images are processed in transit and are not permanently stored on our servers.
Voice Transcription Feature
When a provider records a voice note for clinical context, the audio is sent to Google Vertex AI for transcription. The transcribed text is displayed for the provider to review and edit before submitting the referral. Audio data is processed in transit and is not permanently stored. Vertex AI is covered by Google's HIPAA Business Associate Agreement.
Authentication Data
Both the Referral App and the Patient App use email-based one-time codes for authentication. Codes are stored in the database and expire after 15 minutes. Firebase Authentication manages user sessions, with ID tokens validated on every API request. Authentication data is never shared with third parties.
Data Storage and Security
All app data is stored in Google Cloud SQL (PostgreSQL) in the us-west1 region, covered by Google’s HIPAA Business Associate Agreement. The application runs on Google Cloud Run with automatic scaling and HTTPS encryption. Firebase Authentication manages user identity and session tokens. All data in transit is encrypted via TLS/HTTPS. The database enforces server-side access controls with token-based authentication. All administrative actions are logged to an audit trail.
Data Retention (Apps)
Provider accounts are retained for the duration of the provider relationship and can be deleted on request. Referral records are retained as clinical business records per applicable state and federal regulations. Authentication codes expire after 15 minutes and are automatically deleted. Patient diary entries, survey responses, and profile data in the Patient App are synced between the device and the server, with the authoritative copy stored in Google Cloud SQL. Users can request deletion of their data at any time.
Data Sharing
Patient referral data is shared only with the clinical team at Cortex Neurovascular / Tacoma Radiology Associates for the purpose of coordinating patient care. We do not sell, rent, or share data with third parties or marketing organizations. De-identified, aggregate data may be used for research and quality improvement purposes.
Diary Sync (Patient App)
The TEMMA Patient Companion App synchronizes diary entries, survey responses, and profile data between the patient’s device and our secure server. When a patient edits a diary entry on their device and the server has a conflicting version, the device version takes precedence to preserve the patient’s most recent input. All other data follows a last-write-wins policy based on timestamp. Synced data is encrypted in transit via TLS/HTTPS and stored in Google Cloud SQL under our HIPAA Business Associate Agreement with Google.

This Notice of Privacy Practices is effective as of July 10, 2026. We are required to follow the terms of this notice, and we will promptly revise it if we make any material changes to our privacy practices. For the most current version of this notice, please visit our website or request a copy from our office.

Questions about your privacy?

Contact our Privacy Officer or call our office for more information about how we protect your health data.