Privacy Policy
Effective Date: 03/31/2025
Introduction
Your privacy is important to us. This Privacy Policy describes how NXT Rugby ("we," or "us") collects, uses, and protects your personal, health, and fitness information. We are committed to safeguarding your information in compliance with the Health Insurance Portability and Accountability Act (HIPAA) and applicable Connecticut state privacy laws. All our services are provided in person at our facility - we do not offer telehealth or remote coaching, which means no telemedicine sessions or remote training are conducted. Any data we collect through our mobile apps or intake forms is used solely to support your in-person training and care.
By using our services (including our mobile application and filling out intake forms), you consent to the practices described in this Privacy Policy. If you are under 18 years old, your parent or legal guardian must review and consent to this Policy on your behalf, as described below.
Information We Collect
We collect both personal information and health/fitness information from patients and program participants (both minors and adults) to provide our services. This information is collected through our intake forms, mobile app, and during in-person visits. The types of information we may collect include:
Personal Identification Details: Name, date of birth, address, phone number, email, and emergency contact information. For minors (ages 14-17), we also collect parent/guardian contact information and authorization signatures.
Health and Medical Information: Medical history, current medications, allergies, injuries, diagnoses, treatment records, and any relevant medical reports or clearances. This is considered Protected Health Information (PHI) under HIPAA.
Fitness and Performance Data: Training logs, exercise programs, progress metrics, strength and conditioning assessments, nutrition logs, and similar data related to your athletic performance or rehabilitation.
Insurance and Payment Information: Health insurance provider, policy number, and billing details if we will be submitting claims for services (applicable for adults and minors, typically provided by the parent/guardian for minor patients).
App and Device Information: If you use our mobile application, we may collect technical data such as device type, operating system, and app usage statistics. We do not collect precise geolocation data from minors via the app without explicit consent, and our app is designed not to expose minors to any online risks (no social networking features, no direct messaging with unknown adults, etc., in line with Connecticut's online privacy protections for minors).
Why we collect this information: We collect the above information to ensure we design safe and effective training programs, address any health concerns, communicate with you (and parents/guardians of minors) about appointments or changes, and comply with legal and insurance requirements.
How We Use Your Information
We use the collected information to provide and improve our in-person sports training and clinical services. Uses of your information include:
Providing Services and Treatment: We use health and fitness information to develop personalized training or rehabilitation plans, monitor progress, and provide appropriate medical or therapeutic interventions. For example, our coaches and medical staff review your injury history to tailor your training safely.
Coordination of Care: We may use your health information to coordinate care with other professionals involved in your health. For instance, if you are seeing a physician or physical therapist, we might communicate relevant information to them for treatment continuity.
Appointment Scheduling and Reminders: Contact information (email, phone) is used to schedule sessions, send appointment reminders, and notify you of any schedule changes or important updates.
Payment and Insurance Claims: We use personal and health information to bill for our services. If you use health insurance, we will disclose the necessary information to your insurance company to verify coverage and submit claims. This can include diagnosis codes, dates of service, and treatment provided, as required for payment.
Clinic Operations and Safety: Information is used for our internal operations such as quality improvement, staff training, and ensuring participant safety. For example, knowing participants' medical conditions helps us ensure the facility is prepared for emergencies. We also may use data analytics (de-identified where possible) to improve our programs.
Legal Compliance: If required by law or regulations, we will use or disclose information to comply with such obligations. For instance, we may use data to fulfill public health reporting requirements or other legal duties (see Information Sharing below for more details).
We will only use or disclose your protected health information as permitted by HIPAA or with your written authorization. We do not use personal data for any unrelated purposes, and we do not use your (or your child's) information for targeted advertising or marketing without consent, especially in the case of minors.
Minors' Privacy and Parental Consent (Ages 14-17)
Protecting the privacy of our younger athletes is a priority. If you are under 18, parental/guardian consent is required for you to receive services and for us to collect and use your data:
Parental Consent for Services and Data Collection: A parent or legal guardian must sign our intake forms and consent forms for any client between 14 and 17 years old. This includes consent to collect and use the minor's health and personal information as described in this policy. We will not provide services to minors without this signed consent.
Parental Access and Control: Under HIPAA, parents or legal guardians generally act as the "personal representative" for minors and exercise the child's privacy rights on their behalf. This means that in most cases, the parent/guardian can access the minor's medical and training records and make decisions about the use and disclosure of the minor's information. For example, HIPAA requires that we give our Notice of Privacy Practices and related information to the parent or guardian, rather than directly to an unemancipated minor.
Exceptions: In certain special cases defined by law, minors have the right to consent to specific types of treatment without parental involvement (for example, certain mental health services or other sensitive care under Connecticut law). The Clinic's services (athletic training, sports performance, and related injury care) typically do not fall under those exceptions, so parental consent and involvement are required for all our minor patients. If an exception does apply, we will follow the law in protecting that minor's privacy accordingly.
Communication with Minors and Parents: We primarily communicate with the parent/guardian regarding a minor's scheduling, progress, and any health or safety issues. We may also speak with the minor directly about their training or care, but when it comes to legal consent or privacy rights, the parent/guardian is our point of contact. We encourage open communication within the family about the minor's program. If a minor reaches the age of 18 while still in our program, we will at that time transition privacy rights and decision-making directly to the young adult (while still involving parents as appropriate if the now-adult consents).
Online and App Usage by Minors: Our mobile app and any online services are intended to be safe for minors. We do not knowingly allow features that could put minors at risk (such as public profiles or private messaging with strangers). We also do not collect certain data from minors without consent, such as precise GPS location, consistent with Connecticut's online privacy protections. Parents of minors should monitor and guide their child's use of our app and services. Any data collected from minors online (e.g. through the app) is treated with the same care and confidentiality as data collected during in-person sessions.
Information Sharing and Disclosure
We treat your information as confidential. We will share personal and health information only in the following circumstances:
With Clinic Staff (Coaches and Medical Professionals): Your information will be shared internally with the certified coaches, athletic trainers, physical therapists, or other professionals on our team who need it to provide you with services. All staff are trained in privacy and bound by confidentiality rules. For example, a performance coach may be told of a teen athlete's knee injury limitations so they can adjust the training plan.
With Other Healthcare Providers (Treatment Purposes): If we need to coordinate your care with other healthcare providers (such as your doctor, specialist, or physical therapist), we may share relevant health information with them to support your treatment. This could include sending injury reports or receiving medical clearances. Such disclosures will only be what is necessary for your care and are allowed under HIPAA as part of treatment coordination.
With Parents or Guardians of Minors: If the client is under 18, we will share information about the minor's progress, injuries, or health with their parent or legal guardian. Parents/guardians have the right to know about their child's care (except in rare cases where the law grants the minor exclusive privacy, as noted above). We involve minors in discussions about their care as appropriate, but parents will be kept informed and are required to be part of the decision-making for minors.
With Insurance Companies (Payment Purposes): We share necessary information with your health insurer or other payors to process claims and obtain payment for services. This may include diagnosis codes, treatment provided, and personal details like name and date of birth. We only share the minimum necessary information required for billing. If you (or your parent) pay out-of-pocket in full and request that we not inform your insurer, we will honor that request for confidentiality as required by law.
With Business Associates: We may share information with third-party service providers who perform functions for us under strict contracts, such as electronic health record providers, billing services, or our mobile app platform provider. These entities are business associates under HIPAA and are legally required to safeguard your information and use it only for the contracted purposes.
As Required or Permitted by Law: We will disclose information when we are legally required to do so. For example, we might share information in response to a valid court order or subpoena, to report child abuse or neglect, to address a public health concern, or to comply with a health oversight audit. We will only disclose what the law requires, and when possible, we will inform you of such disclosures. If a situation arises involving a serious threat to health or safety, we may share information with authorities or persons who can help prevent the harm, consistent with legal and ethical obligations.
With Your Authorization: For any purpose not described above, we will only disclose your information if you give us explicit written authorization. For instance, if you want us to share your training progress with a school coach or send records to a college recruiter or any other third party not involved in your care, we would obtain your (or your parent's) written permission first. You have the right to revoke any such authorization at any time, in writing, to stop future disclosures.
No Sale or Marketing Use of Data: We do not sell your personal information to anyone. We also do not disclose your information for marketing purposes without your consent. Connecticut law specifically prohibits selling health data without consent and bans targeted advertising to minors without opt-in consent, and we fully comply with these requirements. You will not receive marketing communications from us about third-party products, and we will not exploit your data for advertising. Any educational or promotional material about our own services will be provided in accordance with privacy laws and, in the case of minors, to their parents/guardians.
Data Security and Protection
We take the security of your personal and health information seriously. The Clinic has implemented administrative, physical, and technical safeguards to protect your data from unauthorized access, use, or disclosure. These measures include:
Secure Storage: All paper records (such as intake forms or signed consent forms) are stored in locked files accessible only to authorized personnel. Electronic records (including data collected via our mobile app or electronic health records) are stored on secure, encrypted systems. We use HIPAA-compliant software and databases with strong access controls.
Access Controls: Clinic staff and any business associates can only access your information on a need-to-know basis. Each staff member has unique login credentials for systems, and their access is limited to what they require to perform their duties. We train our employees and contractors on confidentiality and have them sign agreements binding them to protect your privacy.
Encryption and Transmission Security: Whenever we transmit sensitive information (for example, sending records to another provider or communicating with an insurance company electronically), we use encryption and secure channels to protect the data in transit. Our mobile application employs encryption for any personal data transmitted between your device and our servers.
Regular Training and Audits: We regularly train our team on privacy and data security protocols. We also monitor our systems for any unusual activity and conduct periodic audits to ensure compliance with privacy regulations. In the event of any suspected security issue, we act promptly to investigate and mitigate it.
No Unnecessary Data Collection: We adhere to principles of data minimization. We only collect data that is relevant for your training or care. We do not activate device features like your microphone, camera, or location services through our app without your knowledge and consent, and then only if it directly supports your use of our services.
Despite our strong security measures, no system can be 100% secure. However, we strive to exceed industry standards in protecting your information. If a data breach were ever to occur that compromises your unsecured PHI, we will follow HIPAA and Connecticut laws in notifying you and taking necessary steps.
Data Retention
We retain your personal and health information for as long as necessary to fulfill the purposes outlined in this Policy and as required by law. Medical record retention laws mandate minimum periods for keeping health records, and we comply with those requirements. In Connecticut, healthcare providers are generally required to keep medical records for at least 7 years from the date of the last treatment. Accordingly:
Adults: We will retain health records for a minimum of 7 years from your last date of service. In many cases, we may keep records longer if needed (for example, if required by other laws or if we choose to maintain them for continuity of care).
Minors (Ages 14-17): For minors, we retain records at least until the minor reaches age 18, and then for at least the standard 7 years thereafter (which would be until at least age 25, and often longer). This ensures that an underage patient's records are available for an appropriate period into adulthood. We do this in alignment with common medical record practices to protect minors' continuity of care, even though Connecticut's specific retention regulation (7 years) applies universally.
Legal Holds: If any information is subject to an investigation, audit, or legal request (such as a claim or lawsuit), we will retain the data as long as necessary to comply with those requirements, even if it extends beyond the normal retention period.
Disposition of Records: When records are no longer required to be retained and are eligible for disposal, we will destroy or de-identify the information in a secure manner (shredding physical documents, permanently deleting electronic files) to prevent any unauthorized access.
Please note that health information cannot be deleted on demand the same way some consumer data can, due to legal requirements. We cannot honor requests to purge medical records earlier than the law allows. However, we continually evaluate what data we store and strive not to keep personal data longer than needed.
Your Privacy Rights
You have certain rights regarding your personal and health information. We are dedicated to respecting and upholding these rights, and have processes in place for you to exercise them. Your key rights include:
Right to Access Your Information: You have the right to see and get a copy of your health records and other personal information we have about you. This generally includes the right for you (or your parent/guardian if you are a minor) to inspect or receive a copy of the medical and training records we maintain. To request access, contact us using the information in the Contact section. We will provide the records in a timely manner as required by law. In rare cases, we may deny access to certain parts of the record (for example, if disclosing it could cause harm), but you have the right to have such denials reviewed by an independent professional.
Right to Request Corrections/Amendments: If you believe any information in your records is incorrect or incomplete, you have the right to request an amendment. For example, if your date of birth or medical history is recorded inaccurately, you can ask us to correct it. We will review your request and either make the correction or add your statement to the record if we deny the correction (with an explanation). We strive to keep all information accurate and will typically accommodate reasonable correction requests.
Right to Request Restrictions: You can request that we limit the use or disclosure of your information for certain purposes. For instance, you might ask that we not share a particular piece of information with a certain person or organization. We will consider all requests for additional restrictions seriously. While we are not required by HIPAA to agree to all requested restrictions, we will do our best to accommodate when possible. Important: If you pay for a service in full out-of-pocket and you request that we do not bill your insurance for that service, we must comply with that restriction under HIPAA (meaning we won't disclose that information to your insurer) as long as it's not otherwise required by law.
Right to Confidential Communications: You have the right to request that we communicate with you in a certain way or at a certain location to preserve your privacy. For example, an adult patient may request that we contact them at a personal cell number instead of a home phone, or send mail to a P.O. Box instead of a home address. We will accommodate reasonable requests. For minors, communications will generally include the parent/guardian, but if a minor has the legal right to a confidential service, they can request private communication for that situation.
Right to an Accounting of Disclosures: You can ask for a list (an "accounting") of certain disclosures of your health information that we have made outside of our organization. This would include, for example, any non-routine disclosures made for public health reporting, law enforcement, or other purposes as required by law (but excluding disclosures made for treatment, payment, and routine healthcare operations, as those are not required to be listed). We will provide this accounting for the period you request (up to the last 6 years) as permitted by law.
Right under Connecticut Law (CTDPA): In addition to HIPAA rights, Connecticut's data privacy laws grant consumers rights regarding personal data. To the extent these apply to our Clinic (for example, in contexts outside of direct healthcare), you may have the right to know what personal data we have about you, the right to delete personal data you provided (if it's not part of an official medical record that we must retain), the right to correct inaccuracies in your personal data, and the right to opt out of certain data processing like sales or targeted advertising. We have already stated that we do not sell personal data or use it for targeted advertising, so there is no such activity to opt out of in our case. If you have any request concerning your personal data under state law, please contact us and we will address it consistent with our legal obligations.
Right to a Copy of This Policy/Notice: You can request a paper or electronic copy of this Privacy Policy (or our detailed HIPAA Notice of Privacy Practices) at any time, even if you have agreed to receive it electronically. We will promptly provide you a copy. For new patients, we will ask you (or your parent/guardian) to sign an acknowledgment that you received this notice, as required by law.
To exercise any of these rights, please use the contact information in the next section. We may need to verify your identity (and, if you are a parent making a request for your child, your relationship to the minor) before fulfilling the request. There may be limited situations where we cannot fulfill a request (for example, if a law prohibits us from deleting certain data), but we will explain any such situation to you. We will not charge you for making a request, though for very large record copies we might charge a reasonable, cost-based fee (we'll let you know in advance).
Contact for Privacy Questions or Requests:
If you have any questions about this Privacy Policy, or want to exercise your privacy rights, please contact our Privacy Officer at: contact@nxt.rugby
You may also speak to any of our staff at the clinics, who will direct you to the appropriate person to handle your inquiry. We are here to help and will gladly explain our practices or assist you in making a request.
Complaint Process:
If you believe your privacy rights have been violated or you have a concern about how we handle your information, you have the right to file a complaint. You can submit your complaint to us directly by contacting the Privacy Officer (using the contact information above). We take all complaints seriously and will investigate the matter. We will respond to let you know the outcome or steps we will take to address your concerns.
We are committed to resolving any issues internally, but you also have the right to file a complaint externally. Specifically, you can file a complaint with the U.S. Department of Health and Human Services, Office for Civil Rights (OCR), which oversees HIPAA compliance. You can find information on how to submit a HIPAA complaint on the HHS website or by contacting:
Office for Civil Rights - U.S. Department of Health & Human Services (Region I - New England)
J.F. Kennedy Federal Building - Room 1875
Boston, MA 02203
Customer Response Center: (800) 368-1019
TDD: (800) 537-7697
Email: OCRComplaint@hhs.gov
Online: https://www.hhs.gov/hipaa/filing-a-complaint/
There is no retaliation for filing a complaint. We will not penalize you, refuse you services, or otherwise retaliate against you for raising a privacy concern or filing a complaint with us or with government regulators. In fact, HIPAA and state law protect your right to complain. Our primary goal is to ensure your information is protected and to address any problems, not to blame anyone who voices a concern.
Updates to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or to comply with new laws and regulations. If we make significant changes, we will notify patients (and parents of minor patients) by posting the updated policy on our website and, when required, providing a direct notice (for example, via email or at your next appointment). The effective date at the top will be updated accordingly. We encourage you to review this Policy periodically to stay informed of how we are protecting your information.
By continuing to use our services after any updates become effective, you agree to the revised Privacy Policy. However, we will not make any retroactive material changes to how we handle previously collected PHI without your consent or as required by law.
Contact information:
If you would like to contact us to understand more about this Policy or wish to contact us concerning any matter relating to individual rights and your Personal Information, you may send an email to contact@nxt.rugby