Notice of Privacy Practices

Collection of Information

We collect personal information from you when you fill out a member or guest liability form, register for any of our programs or coaching services, submit an informational form on our website, complete a physical therapy or massage therapy “consent for treatment” form, or book any of our massage therapy, physical therapy, personal training, and/or small group training services or group fitness classes. 

We may collect the following information:

  • Name, address, and phone numbers
  • Email addresses
  • Date of birth
  • Demographic information, including gender and marital status
  • Emergency contact information
  • Billing information
  • Insurance information
  • Primary and referring physician’s names
  • Health-related symptoms
  • Interests and preferences

Passive Collection of Information

We automatically collect information online, such as your IP address, the time of access, the pages that you visit, the site that you report having been referred from, your browser type, and your computer operating system. We store this information in a web server log. Your IP address may be used to gather broad demographic information.

We also collect information through “cookies.” A “cookie” is a small file containing a string of characters that is sent to your computer when you visit one of our websites. When you visit the website again, the cookie allows that site to recognize your browser and customize your experience. You can reset your browser to refuse all cookies or to indicate when a cookie is being sent.

How We Use Your Information

If you provide us with your personal information, we may use that information to better serve you and/or to send you news, announcements, and promotions related to our services. At any time, you may opt out of receiving emails from us by simply clicking the “unsubscribe” link provided at the bottom of the email.

Collection of Information From Children

If you are under 13, you should not provide us with any information without the permission or consent of a parent or guardian. 

We comply with the Children’s Online Privacy Protection Act and all other applicable laws and regulations concerning children and the internet. If the parent or guardian of a user who is a minor discovers that the user has submitted his or her information without the parent or guardian’s permission or consent, we will take responsible steps to remove that information from our possession at the parent or guardian’s request.

Third Parties

We do not rent, sell, or share personal information about you with other people or companies except in the following situations:

  • Law Enforcement. We comply with all reasonable requests for information from law enforcement. We reserve the right to report any unlawful activities or any information we reasonably believe may aid a law enforcement investigation. We may share your personal information with others as required by law, including in response to subpoenas, court orders, or other legal processes. 
  • Protected Health Information. We fully comply with the privacy regulations created as a result of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The following notice describes how health information about you (as a patient of our OnTrack practice) may be used and disclosed, and how you can get access to this information. Please review this notice carefully. If you have any questions about the notice, please contact our privacy contact, Brian Loeffler, at 802-865-2226.


This Notice of Privacy Practices describes how we may use and disclose your protected health information to carry out treatment, payment or health care operations and for other purposes that are permitted or required by law. It also describes your rights to access and control your protected health information. “Protected health information” (PHI) is information about you, including demographic information, that may identify you and that relates to your past, present or future physical or mental health or condition and related health care services. Our practice is dedicated to maintaining the privacy of your protected health information.

We are required to abide by the terms of this Notice of Privacy Practices. We may revise or amend the terms of our notice at any time. The new notice will be effective for all protected health information that we have at that time and for future information. We will post our current Notice in a visible location at all times and, upon your request, we will provide you with any revised Notice.


1. Uses and Disclosures to carry out treatment, payment or health care operations: Under HIPAA regulations, we do not need to obtain permission to use health information for treatment, payment and health care operations. However, several Vermont state laws require patient consent before health information is used or disclosed by health care providers.

We may use and disclose your Protected Health Information (PHI) for the following reasons:

Treatment: We will use and disclose your PHI to provide, coordinate, or manage your health care related services. This includes the coordination or management of your health care with a third party. Many of the people who work for our practice – including, but not limited to, our massage therapists and physical therapy assistants – may use or disclose your PHI in order to treat you or to assist others in your treatment. Additionally, we may disclose your PHI to others who may assist in your care, such as your spouse, children or parents. Finally, we may also disclose your PHI to other healthcare providers for purposes related to your treatment.

Payment: Your PHI will be used, as needed, to obtain payment for your health care services. This may include certain activities that your health insurance plan may undertake before it approves or pays for the health care services we recommend for you, such as making a determination of eligibility or coverage for insurance benefits, reviewing services provided to you for medical necessity, and undertaking utilization review activities.

Health Operations: We may use or disclose, as needed, your PHI in order to support the business activities of this practice. These activities include, but are not limited to, quality assessment activities, employee review activities, training of students, licensing, and conducting or arranging other business activities.

2. Uses and disclosures that you can agree or object to

We may use and disclose your protected health information in the following instances, which you have the opportunity to object to.

Others involved in your healthcare: Unless you object, we may disclose to a member of your family, a relative, a close friend or any other person you identify, your PHI that directly relates to that person’s involvement in your health care.

Emergencies: We may use or disclose your PHI in an emergency treatment situation.

3. Uses and disclosures that we will obtain your written authorization for

Marketing: For most marketing purposes, we will obtain your written consent; exceptions include if the product or service is directly treatment related, discussed face-to-face or given as a promotional gift of nominal value.

4. Uses and disclosures for which authorization or opportunity to agree or object to is not required:

We may use or disclose your PHI in the following situations:

Required by law: We may use or disclose your PHI to the extent that the use or disclosure is required by law. The use or disclosure will be made in compliance with the law and will be limited to the relevant requirements of law. You will be notified, as required by law, of any such uses or disclosures.

Public Health: We may use or disclose your PHI for public health activities and purposes to a public health authority that is required or permitted by law to receive the information. The disclosure will be made for the purpose of controlling or reporting disease, injury or disability. We may also disclose your PHI, if directed by the public health authority, to a foreign government agency that is collaborating with the public health authority.

Abuse or Neglect: We may disclose your protected health information to a public health authority that is authorized by law to receive reports of child abuse or neglect.  In addition, we may disclose your protected health information if we believe that you have been a victim of abuse, neglect or domestic violence to the governmental entity or agency authorized to receive such information. In this case, the disclosure will be made consistent with the requirements of applicable federal and state laws.

Food and Drug Administration: We may disclose your PHI to a person or company required by the Food and Drug Administration to report adverse events, product defects or problems, or biologic product deviations; to track products; to enable product recalls; to make repairs or replacements; or to conduct post-marketing surveillance, as required.

Maintenance of Vital Records: We may report data such as births and deaths.

Health Oversight: We may disclose PHI to a health oversight agency for activities authorized by law, such as audits, investigations, and inspections. Oversight agencies seeking this information include government agencies that oversee the health care system, government benefit programs, other governmental regulatory programs and civil rights laws.

Legal Proceedings: We may disclose PHI in the course of any judicial or administrative proceeding, in response to an order of a court or administrative tribunal (to the extent such disclosure is expressly authorized), in certain conditions in response to a subpoena, discovery request or other lawful process.

Law Enforcement: We may also disclose PHI, so long as applicable legal requirements are met, for law enforcement purposes.  These law enforcement purposes include (1) legal processes and otherwise required by law, (2) limited information requests for identification and location purposes, (3) pertaining to victims of a crime, (4) suspicion that death has occurred as a result of criminal conduct, (5) in the event that a crime occurs on the premises of the practice, and (6) medical emergency (not on the practice’s premises) and it is likely that a crime has occurred.

Research: We may disclose your PHI to researchers when their research has been approved by an institutional review board that has reviewed the research proposal and established protocols to ensure the privacy of your PHI. Otherwise, we will ask for a written authorization from you.

Criminal Activity: Consistent with applicable federal and state laws, we may disclose your PHI, if we believe that the use or disclosure is necessary to prevent or lessen a serious imminent threat to the health and safety of a person or the public. We may also disclose PHI if it is necessary for law enforcement authorities to identify or apprehend an individual.

Military Activity and National Security: When the appropriate conditions apply, we may use or disclose PHI of individuals who are Armed Forces personnel (1) for activities deemed necessary by appropriate military command authorities; (2) for the purpose of a determination by the Department of Veterans Affairs of your eligibility for benefits; or (3) to a foreign military authority if you are a member of that foreign military service. We may also disclose your PHI to authorized federal officials for conducting national security and intelligence activities, including for the provision of protective services to the President or others legally authorized.

Workers’ Compensation: Your PHI may be disclosed by us as authorized to comply with workers’ compensation laws and other similar legally-established programs.

Required Uses and Disclosures: Under the law, we must make disclosures to you when required by the Secretary of the Department of Health and Human Services to investigate or determine our compliance with the requirements of section 164.500 et seq.

Disclosures Required by Vermont State Law: Vermont Law requires reporting in the following cases: child abuse, neglect or exploitation of vulnerable adults; firearm-related injuries; communicable diseases; fetal deaths; cancer; lead poisoning; blood-alcohol reporting; duty to warn of harm cases. We will disclose information limited to relevant requirements of the law.

Your Rights

Following is a statement of your rights with respect to your PHI and a brief description of how you may exercise these rights.

You have the right to inspect and copy your PHI. This means you may inspect and obtain a copy of PHI about you that is contained in a designated record set for as long as we maintain the PHI. A “designated record set” contains medical and billing records and any other records that your physician and the practice use for making decisions about you. This may not include psychotherapy notes.

You must submit your request in writing to: On Track, Brian Loeffler, 802-865-2226, in order to inspect or obtain a copy of your IIHI. Our practice may charge a fee for costs of copying, mailing, labor and supplies associated with your request. Our practice may deny your request to inspect and/or copy in certain limited circumstances; however, you may request a review of our denial. Another licensed health care professional chosen by us will conduct reviews.

Please contact Brian Loeffler if you have any questions about access to your medical record.

You have the right to request a restriction of your PHI. This means you may ask us not to use or disclose any part of your PHI for the purpose of treatment, payment or healthcare operations. You may also request that any part of your PHI not be disclosed to family members or friends who may be involved in your care or for notification purposes as described in this Notice of Privacy Practices. Your request must state the specific restriction requested and to whom you want the restriction to apply. Your physician is not required to agree to a restriction that you may request. If your physician believes it is in your best interest to permit use and disclosure of your PHI, your PHI will not be restricted. If your physician does agree to the requested restriction, we may not use or disclose your PHI in violation of that restriction unless it is needed to provide emergency treatment. With this in mind, please discuss any restriction you wish to request with your physician. You may request a restriction by sending a specific request to Brian Loeffler.

You have the right to request that our practice communicate with you about your health and related issues in a particular manner or at a certain location. For instance, you may ask that we contact you at home, rather than work. In order to request a type of confidential communication, you must make a written request to: Brian Loeffler, On Track, 802-865-2226, specifying the requested method of contact, or the location where you wish to be contacted. Our practice will accommodate reasonable requests. You do not need to give a reason for your request.

You may have the right to have your physician amend your PHI. This means you may request an amendment of PHI about you in a designated record set for as long as we maintain this information. In certain cases, for example if we think the information is correct, or was not created by our practice, we may deny your request for an amendment. If we deny your request for amendment, you have the right to file a statement of disagreement with us and we may prepare a rebuttal to your statement and will provide you with a copy of any such rebuttal. Please contact our Privacy Contact if you have any questions about amending your medical record. To file an amendment, your request must be in writing and must be submitted to Brian Loeffler, 802-865-2226.

You have the right to receive an accounting of certain disclosures we have made, if any, of your PHI. This right applies to disclosures for purposes other than treatment, payment or healthcare operations as described in this Notice of Privacy Practices. Accounting is not required for disclosures we may have made to you, incidental disclosures, disclosures you have authorized, disclosures for a facility directory, disclosures to family members or friends involved in your care, or disclosures made to carry out treatment, payment or healthcare operations. You have the right to receive specific information regarding disclosures that occurred after April 14, 2003 up to a six year timeframe. You may request a shorter timeframe. The right to receive this information is subject to certain exceptions, restrictions and limitations.

In order to obtain an accounting of disclosures, you must submit your request in writing to Brian Loeffler, 802-865-2226. The first list you request within a 12-month period is free of charge, but our practice may charge you for additional lists within the same 12-month period. Our practice will notify you of the cost involved with additional requests, and you may withdraw your request before you incur any costs.

You have the right to a paper copy of this notice. You are entitled to receive a copy of our notice of privacy practices even if you have agreed to receive an electronic copy of the notice. You may ask us to give you a copy of this notice at any time. To obtain a paper copy of this notice, contact: Brian Loeffler, 802-865-2226.

You have the right to file a complaint if you believe your privacy rights have been violated. You may file a complaint with our practice or with the Secretary of the Department of Health and Human Services. To file a complaint with our practice, contact Brian Loeffler at 802-865-2226.  

This notice was published and became effective on April 14, 2003.

Changes to This Policy

We reserve the right to revise or amend the terms of our notice at any time. The new notice will be effective for all information that we have at that time and for future information. We will post our current Notice in a visible location at all times and, upon your request, we will provide you with any revised Notice.

Contact Us

If you have any questions about this privacy policy, please contact Brian Loeffler, our privacy contact, at 802-865-2226 or