Privacy Policy and Notice of Privacy Practices
Bertrand Desilva MD INC. d/b/a Dr. Bertrand R. Desilva Sleep Medicine
Last Updated: January 1, 2026 · Effective Date: January 1, 2026
THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. IT ALSO DESCRIBES YOUR RIGHTS UNDER THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA), THE CALIFORNIA CONSUMER PRIVACY ACT AS AMENDED BY THE CALIFORNIA PRIVACY RIGHTS ACT (CCPA/CPRA), THE CALIFORNIA CONFIDENTIALITY OF MEDICAL INFORMATION ACT (CMIA), AND OTHER APPLICABLE FEDERAL AND STATE LAWS. PLEASE REVIEW IT CAREFULLY.
1. About Our Practice
Bertrand Desilva MD INC. (“we,” “us,” “our,” or the “Practice”) is a California medical corporation specializing in sleep medicine, including the diagnosis and treatment of sleep apnea, sleep-disordered breathing, and related conditions. Our services include, but are not limited to, sleep apnea diagnosis, CPAP management, oral appliance therapy, sleep studies, telehealth consultations, dental sleep medicine, and follow-up care.
Our Practice is led by Dr. Bertrand R. Desilva, MD, FCCP, DABSM, who is board certified in Internal Medicine, Pulmonary Medicine, Critical Care Medicine, and Sleep Medicine. Clinical services may also be provided by nurse practitioners (NPs), physician assistants (PAs), and other licensed healthcare providers who practice under the supervision and authority of Dr. Desilva and Bertrand Desilva MD INC. All providers operating under this Practice are bound by this Privacy Policy and Notice of Privacy Practices.
Our Practice operates primarily as a telehealth-based clinic, delivering care through secure, HIPAA-compliant virtual platforms. In-person consultations and services are also available at our physical office location. This Privacy Policy applies to all care delivered through both telehealth and in-person modalities.
2. Scope of This Policy
This document serves as both our Notice of Privacy Practices (NPP) required under the HIPAA Privacy Rule (45 CFR § 164.520) and our website Privacy Policy. It applies to:
- All Protected Health Information (PHI) created, received, maintained, or transmitted by our Practice in any form (electronic, paper, or oral).
- All personal information collected through our website, including browsing data, contact form submissions, and appointment requests.
- All information collected during telehealth sessions, telephone calls, text messages, emails, and other electronic communications.
- All information collected during in-person visits to our physical office.
- All interactions with our artificial intelligence (AI) systems, automated phone systems, chatbots, or virtual assistants, if deployed.
This Policy applies regardless of whether you are a current patient, prospective patient, former patient, or website visitor.
3. Information We Collect
We may collect the following categories of information in connection with providing sleep medicine services, operating our Practice, and maintaining our website:
3.1 Protected Health Information (PHI)
- Medical history, including prior diagnoses, medications, surgical history, and family health history.
- Sleep study results (polysomnography, home sleep tests), diagnostic reports, and test interpretations.
- Diagnoses, treatment plans, prescriptions, and clinical notes.
- Dental and oral health records related to oral appliance therapy or dental sleep medicine.
- Imaging, lab results, and referral documentation from other providers.
- Progress notes, follow-up assessments, and outcome measurements.
- Records of communications between you and your care team.
3.2 Contact and Demographic Information
- Full legal name, preferred name, date of birth, age, sex, and gender identity.
- Home address, mailing address, phone number(s), and email address(es).
- Emergency contact information.
- Preferred language and communication preferences.
- Marital status and household information, where clinically relevant.
3.3 Insurance and Financial Information
- Health insurance plan details, group numbers, policy numbers, and subscriber information.
- Claims-related information, Explanation of Benefits (EOB) records, and pre-authorization details.
- Credit card or debit card numbers, billing address, and transaction records necessary to process payments.
- Information related to payment plans, outstanding balances, or collections activity.
- Financial assistance or hardship documentation, if applicable.
3.4 Identification and Verification Information
- Government-issued photo identification (driver's license, passport, state ID).
- Social Security Number, where required by law for insurance billing or tax reporting purposes.
- Signature (electronic or physical) for consent forms, treatment authorizations, and financial agreements.
3.5 Telehealth and Electronic Communication Data
- Audio and video recordings of telehealth sessions, if recording is enabled (see Section 8).
- Audio recordings of telephone calls, if recording is enabled (see Section 8).
- Chat logs, secure messages, and text message (SMS/MMS) communications.
- Technical connection data, including IP address, device type, operating system, browser type, and connection quality metrics.
- Timestamps, session duration, and metadata associated with virtual visits.
3.6 Website and Digital Information
- Cookies and similar tracking technologies (subject to the limitations described in Section 12).
- Pages visited, time on site, referral sources, and click patterns.
- Information submitted through website contact forms, appointment request forms, or newsletter sign-ups prior to establishing a patient relationship.
- IP address and approximate geographic location derived from IP address.
- Device identifiers, screen resolution, and browser configuration.
3.7 AI and Automated System Data
- Voice recordings and transcriptions from interactions with AI-powered phone systems, virtual assistants, or automated scheduling tools, if deployed.
- Chat logs from AI chatbots or automated messaging systems, if deployed.
- Data inputs and outputs from any automated clinical decision support tools, if used.
We will clearly notify you when you are interacting with an AI or automated system rather than a human.
Any artificial intelligence or automated tools used by the Practice are intended to assist with data organization, analysis, or administrative tasks. All medical diagnoses, treatment decisions, and clinical recommendations are made solely by licensed healthcare providers.
4. How We Use Your Information
We may use and disclose your health information for the following purposes without your additional written authorization:
4.1 Treatment
To provide, coordinate, and manage your sleep medicine care. This includes sharing information with other healthcare providers involved in your treatment, such as your primary care physician, referring physicians, specialists, dentists providing oral appliance therapy, durable medical equipment (DME) suppliers, sleep testing facilities, and pharmacy providers. Treatment disclosures may occur via secure electronic health record (EHR) systems, fax, secure email, telephone, or mail.
4.2 Payment
To bill and collect payment for the services we provide. This includes submitting claims to your health insurance plan, verifying coverage and eligibility, processing pre-authorizations, processing co-payments, deductibles, and coinsurance, and communicating with third-party billing services, clearinghouses, or collection agencies as necessary.
4.3 Healthcare Operations
To support the day-to-day activities and management of our Practice, including but not limited to:
- Quality assessment and improvement activities.
- Staff training, credentialing, and competency evaluation.
- Compliance audits, risk assessments, and internal investigations.
- Business planning, management, and general administrative activities.
- Customer service, appointment scheduling, and patient communications.
- Review and improvement of AI or automated systems used in our Practice.
4.4 As Required or Permitted by Law
We may use or disclose your health information when required or permitted by federal, state, or local law, including but not limited to:
- Public health activities, such as reporting communicable diseases, adverse events, or vital statistics.
- Health oversight activities, including audits, investigations, and inspections by government agencies.
- Judicial and administrative proceedings in response to lawful court orders, subpoenas, or discovery requests.
- Law enforcement purposes, as authorized by law.
- Coroners, medical examiners, and funeral directors, as authorized by law.
- Organ and tissue donation organizations, if applicable.
- Workers' compensation programs, as authorized by law.
- National security and intelligence activities, as required by law.
- Correctional institutions, if you are an inmate, as permitted by law.
4.5 Appointment Reminders and Health-Related Communications
To contact you with appointment reminders, treatment follow-ups, recall notices, treatment alternatives, health-related information, or other communications that may be of interest to you. These communications may include information about services offered by our Practice that may be relevant to your care. These communications may be delivered by phone, text message (SMS), email, postal mail, or through our patient portal. You may opt out of non-essential communications at any time by contacting our office.
4.6 Uses and Disclosures Requiring Your Written Authorization
Certain uses and disclosures of your health information require your prior written authorization. These include, but are not limited to:
- Marketing communications (other than face-to-face communications and promotional gifts of nominal value).
- Sale of your Protected Health Information.
- Most uses and disclosures of psychotherapy notes, if any are maintained.
- Disclosure to your employer for employment-related purposes (except as required for workers' compensation).
- Any other use or disclosure not described in this Notice.
You may revoke any authorization in writing at any time. Revocation will not affect any actions we took in reliance on the authorization before receiving your revocation.
5. How We Protect Your Information
We are committed to protecting the security, confidentiality, and integrity of your personal and health information. Our safeguards include:
5.1 HIPAA Compliance
We comply fully with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule (45 CFR Part 164, Subpart E) and Security Rule (45 CFR Part 164, Subpart C), including all applicable requirements for the protection of electronic Protected Health Information (ePHI). We also comply with the HITECH Act's provisions regarding breach notification, Business Associate oversight, and enhanced enforcement.
5.2 Administrative Safeguards
- Designation of a Privacy Officer and a Security Officer responsible for policy development, training, and compliance.
- Workforce training on HIPAA, privacy, and security policies, with annual refresher training and incident-specific education.
- Regular risk assessments to identify and address potential vulnerabilities.
- Sanction policies for workforce members who violate privacy or security policies.
- Workforce access management based on the minimum necessary standard, ensuring employees access only the PHI needed for their job functions.
We limit access to Protected Health Information to the minimum necessary amount required for workforce members and business associates to perform their job functions.
5.3 Technical Safeguards
- Encryption of data in transit (TLS 1.2 or higher) and at rest (AES-256 or equivalent).
- Secure access controls, including unique user identification, automatic logoff, and multi-factor authentication where applicable.
- Audit logging and monitoring of access to electronic PHI.
- Use of HIPAA-compliant telehealth platforms, electronic health record (EHR) systems, and communication tools.
- Firewall protection, intrusion detection, and regular security patching.
- Secure backup and disaster recovery procedures.
5.4 Physical Safeguards
- Secure storage of physical records in locked, access-controlled areas.
- Restricted access to areas where PHI is stored or accessible.
- Proper disposal and destruction of documents, electronic media, and hardware containing PHI (shredding, degaussing, or certified destruction).
- Workstation and device security policies for all Practice personnel.
6. Telehealth Privacy and Security
Because our Practice operates primarily through telehealth, we want you to understand the specific privacy and security measures and inherent risks associated with virtual care.
6.1 Telehealth Platform Security
- All telehealth consultations are conducted through HIPAA-compliant platforms that encrypt audio and video transmissions using end-to-end or transport-layer encryption.
- Our telehealth platform vendor has executed a signed Business Associate Agreement (BAA) with our Practice.
- Access to telehealth sessions requires authentication by both the provider and the patient.
- Telehealth session data (including any recordings, if enabled) is stored on HIPAA-compliant, encrypted servers.
6.2 Inherent Risks of Telehealth
While we take all reasonable measures to protect your information during telehealth sessions, you should be aware of the following inherent risks:
- Unauthorized access: Despite encryption and access controls, there is a residual risk that unauthorized individuals could intercept or access electronic communications.
- Technical failures: Internet connectivity issues, software malfunctions, or hardware failures may disrupt a session. If a session is interrupted, we will attempt to reconnect or reschedule.
- Environmental privacy: We cannot control who may be in your physical environment during a telehealth session. We recommend that you participate from a private location.
- Device security: The security of your personal device (computer, phone, tablet) is your responsibility. We recommend keeping your device's operating system and applications updated and using secure, password-protected networks.
6.3 Cross-State Telehealth
If you are physically located in a state other than California at the time of your telehealth visit, please inform your provider. Different states have varying telehealth regulations, privacy laws, and provider licensing requirements. Our providers are licensed in California and may be licensed in additional states. We will verify that we are authorized to deliver care to you in your location before proceeding with a telehealth consultation. If we are unable to provide care due to licensing restrictions, we will inform you and, where possible, assist with referrals.
7. Telephone, Text, and Electronic Communication Privacy
7.1 Telephone Communications
Telephone calls to and from our Practice, including calls with our office staff, clinical team, and any automated or AI-powered phone systems, may be recorded for quality assurance, training, compliance, and documentation purposes. By calling our office or accepting our calls, you consent to the recording of those communications in accordance with California's two-party consent law (Cal. Penal Code § 632). If you do not wish to be recorded, please inform us at the start of the call, and we will accommodate your request.
7.2 Text Message (SMS/MMS) Communications
We may send you text messages for appointment reminders, scheduling confirmations, follow-up care instructions, and other health-related communications. Standard text messaging is not encrypted and carries inherent security risks. We will not transmit detailed PHI via standard text message unless you have provided written consent acknowledging these risks. You may opt out of text communications at any time by replying STOP or contacting our office.
7.2.1 SMS Opt-In Data and Information Sharing
No mobile information will be shared with third parties or affiliates for marketing or promotional purposes. Information may be shared with subcontractors that provide support services, such as customer service. Text messaging originator opt-in data and consent are excluded from all other use-case categories; this information will not be shared with any third parties other than the aggregators and providers of the text message services.
Your phone number, SMS opt-in status, and the timestamp of your consent are collected solely for the purpose of delivering the message types you have agreed to receive. Your opt-in consent is retained for the duration of your messaging subscription plus four (4) years for compliance verification purposes.
7.3 Email Communications
We may communicate with you via email for scheduling, general inquiries, and non-urgent health-related information. Standard email is not a secure communication method and may be intercepted. We will not transmit detailed PHI via unencrypted email unless you have provided written consent acknowledging these risks. For secure communications containing PHI, we will use our patient portal or encrypted email systems.
7.4 Patient Portal
We may offer a secure, HIPAA-compliant patient portal for accessing your health records, communicating with your care team, viewing test results, and managing appointments. Portal access requires authentication credentials. You are responsible for maintaining the confidentiality of your login information. If you believe your portal account has been compromised, contact our office immediately.
8. Recording and Monitoring Practices
In accordance with California law (Cal. Penal Code § 632) and applicable federal regulations:
- Telehealth Sessions: Telehealth consultations are generally not recorded. Clinical information from your visit will be documented in your electronic medical record. Recording will only occur when necessary for clinical or compliance purposes and with your explicit consent.
- Telephone Calls: Inbound and outbound telephone calls may be recorded for quality assurance, training, compliance, dispute resolution, and documentation purposes. An automated or verbal notification will be provided at the beginning of calls that may be recorded.
- AI and Automated Interactions: If we deploy AI-powered phone agents, chatbots, or virtual assistants, your interactions with these systems may be recorded, transcribed, and stored. You will be clearly notified when you are interacting with an AI or automated system.
- Voicemail: Voicemail messages you leave with our Practice will be stored and may be accessed by authorized personnel for the purpose of responding to your inquiry.
- In-Person Visits: Our physical office may utilize security cameras in common areas for safety purposes. Security cameras will not be placed in examination rooms or areas where clinical care is provided.
All recordings are stored securely, accessible only to authorized personnel, and retained in accordance with our data retention schedule (see Section 9). You may request to opt out of non-essential recordings where operationally feasible.
9. Data Retention and Disposal
We retain your information in accordance with applicable federal and state requirements:
9.1 Retention Periods
- Adult Medical Records: A minimum of seven (7) years from the date of the last encounter, or longer if required by applicable law or contractual obligations, in compliance with California law (Cal. Bus. & Prof. Code § 2240.1) and HIPAA record retention requirements.
- Minor Patient Medical Records: A minimum of seven (7) years from the date of the last encounter or until the patient reaches the age of nineteen (19), whichever is later, in compliance with California law.
- HIPAA Administrative Records: A minimum of six (6) years from the date of creation or the date when the policy was last in effect, whichever is later, as required by 45 CFR § 164.530(j).
- Billing and Financial Records: A minimum of seven (7) years, or longer as required by applicable tax, insurance, or regulatory requirements.
- Telehealth and Call Recordings: Recordings that are part of the medical record are retained in accordance with medical record retention requirements above. Recordings made solely for quality assurance or training purposes are retained for a minimum of two (2) years unless otherwise required by law.
- Website Data: Non-PHI data collected through website cookies and analytics is retained for a maximum of twenty-six (26) months unless a shorter period is required by applicable privacy law.
- Consent Forms and Authorizations: Retained for a minimum of six (6) years from the date of signature or from the date the authorization expires, whichever is later.
9.2 Disposal
When retention periods expire, or when PHI is no longer needed for the purposes for which it was collected, we dispose of it using secure methods appropriate to the format:
- Paper records: Cross-cut shredding or certified destruction services.
- Electronic records: Secure deletion, degaussing, or certified destruction of storage media.
- Electronic devices: Factory reset and certified data wiping before disposal or repurposing.
We maintain documentation of PHI disposal activities as required by HIPAA.
10. Your Rights Under HIPAA
Under the HIPAA Privacy Rule and applicable California law, you have the following rights regarding your health information. To protect your privacy and prevent unauthorized access to your information, we may require verification of your identity before releasing medical records or responding to requests involving your personal or health information. To exercise any of these rights, please contact our Privacy Officer using the information provided in Section 17.
10.1 Right to Access
You have the right to inspect and obtain a copy of your health information maintained by our Practice, including medical records, billing records, and other records used to make decisions about your care. We will respond to your request within thirty (30) days (or sixty (60) days if an extension is necessary with written notice). We may charge a reasonable, cost-based fee for labor, supplies, and postage, as permitted by HIPAA and California law. You may request records in electronic format if maintained electronically, and we will provide them in the format you request if readily producible.
10.2 Right to Amendment
You may request that we amend your health information if you believe it is inaccurate or incomplete. We will respond within sixty (60) days. We may deny your request if the information was not created by us, is not part of the record used for decisions about your care, or is accurate and complete. If denied, we will provide a written explanation and your right to submit a statement of disagreement.
10.3 Right to an Accounting of Disclosures
You have the right to request a list of certain disclosures we have made of your health information for purposes other than treatment, payment, healthcare operations, or disclosures you authorized in writing. The accounting covers disclosures made in the six (6) years prior to your request (or since the compliance date of this Practice, whichever is shorter). The first accounting in any twelve (12) month period is provided free of charge; subsequent requests may be subject to a reasonable fee.
10.4 Right to Request Restrictions
You may request restrictions on certain uses and disclosures of your health information for treatment, payment, or healthcare operations. We are not required to agree to all requests, but we must comply with your request to restrict disclosures to a health plan if: (a) the disclosure is for the purpose of payment or healthcare operations and is not otherwise required by law; and (b) the PHI pertains solely to a service for which you have paid out of pocket in full.
10.5 Right to Confidential Communications
You may request that we communicate with you about your health information using a specific method or at a specific location. For example, you may request that we only contact you by mail at a particular address or only by phone at a specific number. We will accommodate all reasonable requests.
10.6 Right to a Paper Copy of This Notice
You have the right to request and receive a paper copy of this Notice at any time, even if you have previously agreed to receive it electronically.
10.7 Right to Be Notified of a Breach
You have the right to be notified in the event of a breach of your unsecured PHI, as described in Section 14 of this Policy.
10.8 Right to File a Complaint
You have the right to file a complaint if you believe your privacy rights have been violated. See Section 18 for complaint procedures. We will not retaliate against you for filing a complaint.
11. Your California Privacy Rights (CCPA/CPRA and CMIA)
If you are a California resident, you have additional privacy rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, “CCPA”), and the California Confidentiality of Medical Information Act (“CMIA”). This section describes those rights and how to exercise them.
11.1 HIPAA Exemption
Protected Health Information (PHI) that we collect, use, or disclose as a HIPAA-covered entity in the course of providing healthcare services is generally exempt from the CCPA. However, personal information we collect outside of the treatment relationship — such as website browsing data, contact form submissions before you become a patient, marketing analytics, and similar non-PHI data — is subject to the CCPA.
11.2 Categories of Personal Information Collected
In the twelve (12) months preceding the effective date of this Policy, we may have collected the following categories of personal information (as defined by the CCPA) that are not covered by the HIPAA exemption:
- Identifiers: Name, email address, phone number, and IP address collected through website forms and analytics.
- Internet or Network Activity: Browsing history, search history, and information regarding your interaction with our website, including pages visited, time on site, and referral sources.
- Geolocation Data: Approximate location derived from your IP address.
- Inferences: Inferences drawn from the above categories to create a profile about you, such as your preferences and interests, for the purpose of improving our website and services.
11.3 Sources of Personal Information
We collect non-PHI personal information from the following sources:
- Directly from you (e.g., website contact forms, email inquiries, phone calls).
- Automatically from your devices when you visit our website (e.g., cookies, analytics tools).
- From third-party analytics and advertising platforms, if applicable.
11.4 Purposes for Collection
We collect non-PHI personal information for the following business purposes:
- Operating, maintaining, and improving our website.
- Responding to inquiries and scheduling requests.
- Analyzing website traffic and usage patterns.
- Detecting and preventing fraud, security incidents, and illegal activity.
- Compliance with legal obligations.
11.5 Sale and Sharing of Personal Information
We do not sell your personal information, including PHI and non-PHI, to third parties for monetary or other valuable consideration. We do not “share” your personal information (as defined by the CCPA) for cross-context behavioral advertising purposes. All the above categories exclude text messaging originator opt-in data and consent; this information will not be shared with any third parties, excluding aggregators and providers of the Text Message services.
11.6 Your Rights Under the CCPA
As a California resident, you have the following rights with respect to non-PHI personal information subject to the CCPA:
- Right to Know: You may request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purposes for collection, and the categories of third parties with whom we share your information.
- Right to Delete: You may request that we delete personal information we have collected from you, subject to certain exceptions permitted by law.
- Right to Correct: You may request that we correct inaccurate personal information we maintain about you.
- Right to Opt Out of Sale/Sharing: Although we do not sell or share personal information, you have the right to opt out. You may submit a request using the contact information in Section 17.
- Right to Limit Use of Sensitive Personal Information: You may request that we limit our use and disclosure of sensitive personal information to only those purposes necessary to provide the services you requested.
- Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights. We will not deny you services, charge you different prices, or provide a different level or quality of services because you exercised a privacy right.
11.7 How to Exercise Your CCPA Rights
To exercise your CCPA rights, you may submit a verifiable consumer request by:
- Calling us at (888) 886-2126.
- Emailing us at info@bertranddesilvamd.com.
- Submitting a request through our website contact form.
We will verify your identity before processing your request. For requests to know or delete personal information, we may require you to provide identifying information that matches our records. You may designate an authorized agent to submit requests on your behalf, provided the agent has your written authorization and we can verify your identity.
We will respond to verifiable consumer requests within forty-five (45) calendar days. If additional time is needed (up to ninety (90) days total), we will notify you in writing of the extension and the reason.
11.8 California Confidentiality of Medical Information Act (CMIA)
In addition to HIPAA, the CMIA (Cal. Civ. Code § 56 et seq.) provides California residents with additional protections for medical information. Under the CMIA:
- We will not disclose your medical information without your prior written authorization except as permitted by law (e.g., for treatment, payment, healthcare operations, or as required by legal process).
- Your authorization for disclosure of medical information must be on a specific form that complies with CMIA requirements.
- You have the right to receive a copy of your medical records within fifteen (15) days of your written request (or as required by California law).
- We are prohibited from sharing your medical information with your employer without your specific written authorization, except as required for workers' compensation.
- Negligent or willful unauthorized disclosure of your medical information may subject us to liability under the CMIA.
11.9 Do Not Track / Global Privacy Control
Our website respects the Global Privacy Control (GPC) signal. If your browser sends a GPC signal, we will treat it as a valid opt-out request under the CCPA. We do not currently respond to “Do Not Track” (DNT) browser signals, as there is no industry-wide standard for DNT compliance.
11.10 Financial Incentive Programs
We do not offer financial incentive programs or price or service differences that require CCPA notice.
11.11 Shine the Light (California Civil Code § 1798.83)
California residents may request information about our disclosure of personal information to third parties for their direct marketing purposes. As stated above, we do not disclose personal information to third parties for their direct marketing purposes. All the above categories exclude text messaging originator opt-in data and consent; this information will not be shared with any third parties, excluding aggregators and providers of the Text Message services.
12. Website Information Collection and Tracking Technologies
12.1 Cookies and Tracking Technologies
When you visit our website, we may use cookies and similar technologies to enhance website functionality and understand usage patterns. Cookies are small text files placed on your device. We may use:
- Essential Cookies: Required for core website functionality (e.g., security, session management). These cannot be disabled.
- Analytics Cookies: Used to collect aggregate, anonymized data about website usage, including pages visited, time on site, and referral sources. We may use third-party analytics services such as Google Analytics or comparable platforms.
- Preference Cookies: Used to remember your preferences and settings.
We do not use advertising, retargeting, or cross-site tracking cookies on our website.
12.2 HHS Online Tracking Compliance
Important: In accordance with the U.S. Department of Health and Human Services (HHS) guidance on the use of online tracking technologies by HIPAA-covered entities (updated 2024):
- We do not deploy tracking technologies (including cookies, pixels, session replay tools, or fingerprinting technologies) on any pages that require user authentication.
- We do not deploy tracking technologies on any pages used for booking or managing appointments.
- We do not deploy tracking technologies on any pages where patients may input or view PHI.
- No PHI is collected, transmitted, or disclosed to third parties through website tracking technologies.
- Any analytics tools used on unauthenticated public-facing pages collect only aggregate, de-identified website usage data.
12.3 Managing Cookies
You may control or disable cookies through your browser settings. Please note that disabling essential cookies may affect website functionality. For information on how to manage cookies in your browser, visit your browser's help documentation.
13. Minors and Legal Guardians
Our Practice may provide sleep medicine services to patients under the age of eighteen (18). For minor patients:
- A parent or legal guardian must provide consent for treatment and must consent to the collection, use, and disclosure of the minor's PHI.
- A parent or legal guardian must be present during telehealth consultations for minor patients, unless otherwise permitted by California law.
- A parent or legal guardian is responsible for completing intake forms, providing insurance information, and managing the minor's appointments.
- The parent or legal guardian will serve as the primary point of contact for all communications regarding the minor patient's care.
- In accordance with California law, minors twelve (12) years of age and older may consent to certain types of healthcare on their own. If applicable, we will honor these rights.
- Parents and legal guardians may exercise HIPAA rights on behalf of minor patients, including the right to access, amend, and request restrictions on the minor's health information, subject to applicable state and federal law.
Our website is not directed to children under thirteen (13) years of age. We do not knowingly collect personal information from children under thirteen (13) through our website without verified parental consent, in compliance with the Children's Online Privacy Protection Act (COPPA). If we become aware that we have collected personal information from a child under thirteen (13) without parental consent, we will take steps to delete that information promptly.
14. Breach Notification
In the event of a breach of unsecured PHI, we will notify affected individuals, the U.S. Department of Health and Human Services (HHS), and, where required, the media, in compliance with HIPAA's Breach Notification Rule (45 CFR §§ 164.400–164.414) and the HITECH Act:
- Individual Notice: We will notify affected individuals without unreasonable delay and no later than sixty (60) calendar days after discovery of the breach. Notification will be provided in writing by first-class mail (or email if the individual has agreed to electronic notice), and will include a description of the breach, the types of information involved, steps the individual should take to protect themselves, what we are doing to investigate and mitigate the breach, and contact information for further questions.
- HHS Notice: If the breach affects 500 or more individuals, we will notify HHS contemporaneously with individual notice. If fewer than 500 individuals are affected, we will notify HHS through annual reporting.
- Media Notice: If the breach affects 500 or more residents of a single state or jurisdiction, we will notify prominent local media outlets.
- California Breach Notification: In addition to HIPAA requirements, we will comply with California's data breach notification law (Cal. Civ. Code § 1798.82), which may require notification of breaches involving certain categories of personal information, including Social Security numbers and financial account information.
15. Third-Party Services and Business Associates
We use certain third-party services to deliver care, process payments, and operate our Practice. We require all third-party service providers who create, receive, maintain, or transmit PHI on our behalf to execute Business Associate Agreements (BAAs) and comply with HIPAA requirements.
15.1 Categories of Third-Party Services
- Telehealth Platform: We conduct virtual consultations through HIPAA-compliant telehealth platform(s) that encrypt audio and video transmissions and maintain signed BAAs with our Practice.
- Electronic Health Record (EHR) System: Patient records are maintained in a HIPAA-compliant EHR system with a signed BAA.
- Payment Processing: Payments are processed through PCI DSS-compliant payment processors. We do not store full credit card numbers on our systems.
- Billing and Claims Processing: We may use third-party billing services or clearinghouses to submit insurance claims and manage billing. These entities operate under signed BAAs.
- Appointment Scheduling: We may use third-party scheduling platforms to manage appointments. These platforms operate under signed BAAs where they process PHI.
- Communication Platforms: We may use HIPAA-compliant messaging, email, or patient portal platforms to communicate with patients. These platforms maintain signed BAAs.
- AI and Automation Services: If we deploy AI-powered phone agents, chatbots, or automation tools that process PHI, the vendors of those tools will have executed signed BAAs and will meet our security requirements.
- Cloud Infrastructure: Electronic data may be stored on HIPAA-compliant cloud hosting services that maintain signed BAAs.
- Analytics Services: Website analytics services used on unauthenticated pages do not receive PHI and do not require BAAs.
15.2 Business Associate Oversight
We monitor our Business Associates' compliance with HIPAA through contractual requirements, periodic assessments, and prompt investigation of any reported incidents. If a Business Associate materially breaches its BAA, we will take corrective action, which may include terminating the agreement if the breach is not cured.
16. De-Identification, Research, and Quality Improvement
16.1 De-Identified Data
We may use or disclose de-identified health information that can no longer reasonably identify you. De-identification is performed in accordance with HIPAA's standards (45 CFR § 164.514), using either the Expert Determination method or the Safe Harbor method. De-identified data is not subject to HIPAA restrictions and may be used for research, analytics, public health, or operational improvement.
16.2 Research
We will not use or disclose your PHI for research purposes without your written authorization unless the use has been approved by a qualified Institutional Review Board (IRB) or Privacy Board that has waived the authorization requirement, the research involves only de-identified data, or the use is limited to activities preparatory to research with no PHI leaving our Practice.
16.3 Quality Improvement
We may use your health information internally for quality improvement activities, clinical outcome tracking, and program evaluation. These uses are considered healthcare operations under HIPAA and do not require your additional authorization.
17. Contact Information
If you have any questions about this Privacy Policy and Notice of Privacy Practices, wish to exercise any of your rights under HIPAA, the CCPA, or other applicable laws, or need to report a privacy concern, please contact our Privacy Officer:
Privacy Officer
Bertrand Desilva MD INC.
3333 Michelson Drive, Suite 300, Office 37, Irvine, CA 92612
Phone: (888) 886-2126
Email: info@bertranddesilvamd.com
18. Complaints
If you believe your privacy rights have been violated, you may:
- File a complaint with our Practice: contact our Privacy Officer using the information in Section 17.
- File a HIPAA complaint with HHS:
  U.S. Department of Health and Human Services
  Office for Civil Rights
  200 Independence Avenue, S.W.
  Washington, D.C. 20201
  Toll-Free: 1-877-696-6775
- File a CCPA complaint with the California Attorney General:
  Office of the Attorney General
  California Department of Justice
  Attn: Public Inquiry Unit
  P.O. Box 944255
  Sacramento, CA 94244-2550
  Phone: (916) 210-6276
  Website: https://oag.ca.gov/privacy
- File a complaint with the California Privacy Protection Agency (CPPA):
  Website: https://cppa.ca.gov/
You will not be penalized, retaliated against, or treated differently for filing a complaint.
19. Changes to This Policy
We reserve the right to update or modify this Privacy Policy and Notice of Privacy Practices at any time. We will:
- Post the revised Policy on our website with an updated “Last Updated” date.
- Make the revised Policy available at our physical office.
- Provide a copy of the revised Policy to any individual upon request.
- Where required by HIPAA or applicable law, provide individual notice of material changes that affect how we use or disclose PHI.
Changes become effective upon posting unless a later date is specified. The revised Policy will apply to all PHI we maintain, regardless of when it was created or received. We encourage you to review this Policy periodically.
20. Additional Regulatory Compliance
20.1 ADA Compliance
We are committed to ensuring that our website and telehealth services are accessible to individuals with disabilities, in compliance with the Americans with Disabilities Act (ADA) and Section 508 of the Rehabilitation Act. If you experience accessibility barriers, please contact our office for assistance.
20.2 Non-Discrimination
We comply with applicable federal and state civil rights laws, including Title VI of the Civil Rights Act of 1964, Section 504 of the Rehabilitation Act of 1973, the Age Discrimination Act of 1975, Section 1557 of the Affordable Care Act, and the California Unruh Civil Rights Act. We do not discriminate on the basis of race, color, national origin, age, disability, sex, sexual orientation, gender identity, or any other characteristic protected by law.
20.3 Language Access
If you have limited English proficiency, you may be entitled to language assistance services, including qualified interpreters and translated documents. Please contact our office for assistance.
21. Emergency Disclaimer
If you are experiencing a medical emergency, call 911 immediately or go to the nearest emergency room. Do not use this website, email, telehealth services, patient portal, text messaging, or any other electronic communication method for medical emergencies. Our telehealth and electronic communication services are not designed or intended for emergency medical situations.
22. Governing Law
This Privacy Policy and Notice of Privacy Practices shall be governed by and construed in accordance with the laws of the State of California and applicable federal law, including HIPAA, the HITECH Act, the CCPA/CPRA, and the CMIA. In the event of any conflict between state and federal law, the more protective provision shall apply.
Acknowledgment of Receipt
By using our services, visiting our website, or providing us with your information, you acknowledge that you have received, read, and understood this Privacy Policy and Notice of Privacy Practices. For patients, a signed Acknowledgment of Receipt form will be maintained in your medical record.
© 2026 Bertrand Desilva MD INC. All rights reserved. Board Certified in Internal Medicine, Pulmonary Medicine, Critical Care Medicine & Sleep Medicine