HIPAA Notice of Privacy Practices (NPP)
Elite Med Spa
Notice of Privacy Practices
Effective Date: January 1, 2024
THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
1. Who This Notice Applies To
This Notice of Privacy Practices ("Notice") describes the privacy practices of Elite Med Spa and its affiliated practice locations operating in Washington, Texas, and Nebraska (collectively, "we," "us," or "our Practice"). It applies to all workforce members and to all records of care created or received by our Practice.
Each location is a covered entity under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and applicable state law. Washington locations are additionally subject to the Washington My Health My Data Act (MHMDA), RCW Chapter 70.372.
2. Our Commitment to Your Privacy
We understand that your health information is personal and sensitive. We are committed to protecting it. We maintain the privacy of your Protected Health Information (PHI) and are required by law to:
Keep your PHI private and confidential;
Provide you with this Notice of our legal duties and privacy practices with respect to your PHI;
Follow the terms of this Notice currently in effect;
Notify you if a breach of your unsecured PHI occurs; and
Comply with applicable federal and state privacy laws, including HIPAA and, for Washington patients, the My Health My Data Act.
3. How We May Use and Disclose Your Health Information
We use and disclose health information about you for the following purposes:
Treatment - We may use your PHI to provide, coordinate, or manage your treatment and related services. For example, we may share your medical history with a licensed provider who treats you at our practice, or refer you to another healthcare provider.
Payment - We may use or disclose your PHI to obtain payment for services we provide to you. For example, we may provide information to your payment processor, health insurer, or a third-party financing company (such as Cherry or PatientFi) for billing purposes.
Healthcare Operations - We may use or disclose your PHI for our internal operations, including quality assessment, staff training, compliance reviews, and business management activities. This includes use of de-identified or aggregated data for analytics.
Appointment Reminders and Treatment Alternatives - We may contact you to remind you of appointments or inform you of treatment options, products, or services that may be of interest to you. You have the right to request that we communicate with you in a specific way (e.g., by phone only, or at a specific number).
As Required by Law - We may disclose your PHI when required to do so by federal, state, or local law, including court orders, subpoenas, or administrative requests.
Public Health Activities - We may disclose your PHI to public health authorities for activities such as reporting communicable diseases, tracking adverse events, or responding to public health emergencies.
Health Oversight Activities - We may disclose your PHI to health oversight agencies for audits, investigations, or licensure proceedings as authorized by law.
Law Enforcement - We may disclose your PHI to law enforcement officials under limited circumstances permitted by law, such as to report certain types of wounds or to comply with court orders.
Coroners, Medical Examiners, and Funeral Directors - We may disclose PHI to coroners, medical examiners, or funeral directors as necessary to carry out their lawful duties.
Serious Threat to Health or Safety - We may use or disclose your PHI if we believe in good faith that doing so is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public.
Business Associates - We may share your PHI with third-party vendors or service providers ("Business Associates") who perform functions on our behalf, such as billing, IT services, scheduling platforms, or marketing services. We require all Business Associates to sign a Business Associate Agreement and to protect your PHI in accordance with HIPAA.
Workers’ Compensation - We may disclose your PHI as authorized by and to the extent necessary to comply with workers’ compensation or similar programs.
4. Uses and Disclosures That Require Your Written Authorization
For uses and disclosures not described in Section 3, we will ask for your written authorization. This includes:
Marketing communications that constitute a financial arrangement with a third party;
Sale of your PHI;
Most uses and disclosures of psychotherapy notes;
Use of before-and-after photographs for marketing or promotional purposes; and
Any other use or disclosure not permitted by law without your consent.
You have the right to revoke any authorization you have given us at any time, in writing. Revocation will not apply to actions we have already taken in reliance on your authorization.
5. Washington State: My Health My Data Act (MHMDA)
Patients treated at our Washington locations have additional rights under the Washington My Health My Data Act (MHMDA), RCW Chapter 70.372, effective 2024. The MHMDA protects "consumer health data," which includes information that identifies or is reasonably linkable to you and relates to your past, present, or future physical or mental health status, including:
Conditions, diagnoses, or treatment information;
Information derived from bodily functions or health-related products/services;
Inferences drawn from other data to identify health status; and
Precise geolocation data that could be used to infer a health visit.
Under MHMDA, we will:
Not collect, share, or sell your consumer health data without your express consent, except as permitted by law;
Provide you with a Consumer Health Data Privacy Policy upon request;
Maintain a dedicated data deletion mechanism for your consumer health data; and
Not use geofencing or location tracking to collect health data near healthcare facilities without your consent.
Note: Washington patients may have broader rights than those described in other sections of this Notice. In the event of a conflict between HIPAA and MHMDA, the more protective standard applies.
6. Your Rights Regarding Your Health Information
You have the following rights with respect to your PHI:
Right to Inspect and Copy - You have the right to inspect and receive a copy of your PHI used to make decisions about your care, including medical records and billing records. We may charge a reasonable fee for copying. We will respond to your request within 30 days (or as required by applicable state law).
Right to Request Correction - You have the right to request that we correct PHI that you believe is inaccurate or incomplete. We may deny your request under certain circumstances permitted by law, but will explain our reason in writing.
Right to an Accounting of Disclosures - You have the right to request a list of disclosures of your PHI we have made for purposes other than treatment, payment, or healthcare operations within the past six years (or the period permitted by state law).
Right to Request Restrictions - You have the right to request that we restrict certain uses or disclosures of your PHI. We are not required to agree to your request except in limited circumstances required by law (e.g., when you pay out-of-pocket in full and request we not disclose to a health insurer).
Right to Request Confidential Communications - You have the right to request that we communicate with you about your PHI in a specific way or at a specific location (e.g., by email only, or at a particular phone number). We will accommodate reasonable requests.
Right to a Paper Copy of This Notice - You have the right to receive a paper copy of this Notice at any time, even if you have agreed to receive it electronically. Contact us at any of our locations or via the contact information below.
Right to Opt Out of Fundraising or Marketing Communications - We may contact you for fundraising purposes. You have the right to opt out of receiving such communications at any time.
Right to Data Portability (Washington and Nebraska) - Patients in Washington and Nebraska have the right to request a portable copy of their personal and health data in a machine-readable format, to the extent technically feasible.
Right to Deletion (Washington and Nebraska) - Patients in Washington and Nebraska have the right to request deletion of certain personal or health data we hold about them, subject to legal retention requirements applicable to medical records.
7. State-Specific Privacy Rights
Washington
In addition to the HIPAA rights and MHMDA rights described above, Washington patients are protected by the Washington Consumer Protection Act (CPA). Violations of the MHMDA constitute a per se violation of the CPA and may be enforced by the Washington Attorney General or through private action.
Texas
Texas patients are protected by the Texas Data Privacy and Security Act (TDPSA), effective July 1, 2024. The TDPSA grants you the right to access, correct, delete, and obtain a portable copy of personal data we collect about you through our website and digital platforms. You may exercise these rights by contacting us using the information in Section 13 below.
Nebraska
Nebraska patients are protected by the Nebraska Data Privacy Act (NDPA), effective January 1, 2025. The NDPA grants similar rights to access, correct, delete, and port personal data. You may opt out of the processing of your personal data for targeted advertising or profiling at any time.
8. How We Protect Your Information
We maintain physical, technical, and administrative safeguards to protect your PHI from unauthorized access, use, or disclosure, including:
Encrypted electronic health records systems;
Restricted staff access to PHI based on job role;
HIPAA-compliant booking, communication, and billing platforms;
Annual HIPAA risk assessments; and
Staff training on HIPAA and applicable state privacy laws.
We require all Business Associates with access to PHI to maintain equivalent safeguards under a signed Business Associate Agreement.
9. Photography, Video, and Testimonials
We may photograph or record your treatment for medical documentation purposes. Use of your images or likeness for any marketing, social media, or promotional purpose requires your separate, signed written authorization. You may revoke such authorization at any time, but revocation will not affect materials already published in reliance on your prior authorization.
10. Breach Notification
We are required to notify you if there is a breach of your unsecured PHI. We will notify affected individuals without unreasonable delay and no later than 60 days after discovery of the breach (or as required by state law). If a breach affects 500 or more individuals in a state, we will also notify prominent media outlets in that state and the U.S. Department of Health and Human Services.
11. Changes to This Notice
We reserve the right to change this Notice at any time. We reserve the right to make any revised or changed Notice effective for PHI we already have about you as well as any information we receive in the future. We will post the current Notice on our website and will make it available at each of our locations. The effective date appears at the top of this Notice.
12. Complaints
If you believe your privacy rights have been violated, you may file a complaint with us or with the U.S. Department of Health and Human Services, Office for Civil Rights. We will not retaliate against you for filing a complaint.
To file a complaint with HHS OCR:
Phone: 1-800-368-1019
Washington patients may also contact the Washington Attorney General’s Office at www.atg.wa.gov
Texas patients may contact the Texas Attorney General’s Office at www.texasattorneygeneral.gov
Nebraska patients may contact the Nebraska Attorney General’s Office at ago.nebraska.gov
13. How to Exercise Your Rights or Contact Us
To exercise any of the rights described in this Notice, or to ask questions about our privacy practices, please contact:
Privacy Officer
Email: contact@amarahealth.us
Mailing Address: 30 Irving Pl, Fl 7, New York, NY 1003
This Notice is provided in compliance with the Health Insurance Portability and Accountability Act (HIPAA), 45 C.F.R. Parts 160 and 164; the Washington My Health My Data Act, RCW Chapter 70.372; the Texas Data Privacy and Security Act; and the Nebraska Data Privacy Act.