Privacy Policy

Privacy Policy & HIPAA Notice of Privacy Practices

Effective Date: [10/17/25]

This Privacy Policy (“Policy”) describes how Dr. V’s Queens Med-Spa (“we,” “us,” or “our”) collects, uses, discloses, and protects your personal and health information when you use our website, schedule services, or receive medical / aesthetic treatments. It also describes your rights under HIPAA and state law regarding your Protected Health Information (PHI).

By using our website (mymdspa.com), booking services, or receiving treatments, you consent to the terms of this Policy.


1. Definitions & Scope

  • Protected Health Information (PHI): Individually identifiable health information about your past, present, or future physical or mental health condition, treatment, or payment for health care that we create, receive, or transmit in any form (electronic, paper, or oral).

  • Personal Information / Non-PHI: Basic contact or demographic information (name, address, email, phone) and technical data (IP address, device, cookies).

  • Covered Entity / Business Associate: Under HIPAA, we (as a provider of health / medical services) are a “covered entity.” Practice Fusion, or any third party storing or processing PHI on our behalf, is a “business associate” and must sign a Business Associate Agreement (BAA) with us.


2. Information We Collect

a) Personal & Non-Health Information

  • Name, email, phone number, address

  • Payment / billing information (via WooCommerce)

  • Website usage, IP address, browser type, referring URLs, cookies, analytics

b) Health & Medical Information

  • Medical history, conditions, allergies, contraindications

  • Treatment notes, lab data, assessments

  • Records of services rendered (IV drips, injectables, etc.)


3. How We Use & Disclose Your Information

We use and disclose your information (including PHI) for the following purposes:

  • Treatment: To provide, coordinate, or manage your care. E.g., our providers consult, adjust treatment plans.

  • Payment: To bill, process payments, verify eligibility, submit claims.

  • Health Care Operations: For quality assessments, internal audits, compliance, provider training, and business functions.

  • Appointment Reminders: To send reminders via email, SMS, or phone.

  • Business Associates / Service Providers: We may share PHI with third parties (Practice Fusion, labs, billing services) under contract and BAA.

  • Required by Law: E.g., to respond to legal processes, public health reporting, audits, law enforcement.

  • With Your Authorization: For uses beyond the scope above (e.g. marketing, photography, research), we will obtain your written authorization.

We will disclose the minimum amount of PHI necessary for each permitted purpose.


4. Use of WooCommerce, Payment Gateways & Third-Party Services

  • Our website uses WooCommerce for e-commerce transactions (booking fees, deposits).

  • Payment card information is processed by third-party payment gateways (e.g. Cardknox) and is not stored on our servers.

  • Personal / billing data necessary to process transactions may be shared with payment processors, under encryption and contractual safeguards.

  • For medical or appointment data, we use Practice Fusion (a HIPAA-compliant EHR / scheduling platform). Your medical and booking information is securely stored and processed there, under BAA.


5. Your Rights Regarding PHI & Other Data

Under HIPAA and applicable state law, you have rights regarding your PHI:

  • Access / Copy: You may request access to or copies of your PHI (electronic or paper) within 30 days (or an allowed extension).

  • Amendment: You can request corrections to PHI you believe is incorrect or incomplete.

  • Accounting of Disclosures: You can request a list of disclosures we made of your PHI (other than for treatment, payment, operations) over the past 6 years.

  • Restriction: You may request restrictions on certain uses/disclosures of PHI (we may or may not grant).

  • Confidential Communications: You can ask us to contact you via alternative means (e.g. mailing address vs home phone) if standard communication poses risk to you.

  • Revoke Authorization: If you authorized uses/disclosures for other purposes (e.g. marketing), you may revoke that authorization in writing (except where action already taken).

  • Right to a Paper Copy: Even if you accept this policy electronically, you may request a paper copy.

To exercise any of these rights, contact us as indicated in the “Contact” section below.


6. Data Security & Breach Notification

  • We implement administrative, physical, and technical safeguards (access controls, encryption, secure servers, role-based access) to protect your PHI.

  • Practice Fusion and other business associates are required to maintain equivalent safeguards under BAA.

  • In the event of a breach of unsecured PHI, we will notify you and relevant authorities in compliance with HIPAA Breach Notification rules and state law (e.g. New York State).

  • We may combine, aggregate, or de-identify data for analytics and research; such de-identified data is no longer subject to HIPAA protections.


7. Retention & Disposal of Records

  • We retain medical, billing, and patient records in accordance with applicable New York / New Jersey law and professional standards.

  • When records are no longer required, we dispose of them securely (shredding, secure deletion).


8. Marketing & Communications

  • With your explicit written authorization, we may send you promotional materials, offers, or newsletters.

  • You have the right to opt-out or revoke marketing authorization at any time.

  • Appointment reminders or service-related communications (transactional) may be sent without separate authorization (considered part of treatment / operations).


9. Children & Minors

Our site and services are not intended for individuals under age 18 without parental consent. We do not knowingly collect PHI from minors under 18 without appropriate legal guardian authorization.


10. Changes to This Policy

We may modify this Policy periodically. We will post the updated version with its effective date on our website. Continued use or engagement after modifications indicates your acceptance.


11. Contact

If you have questions, want to exercise your rights, or request further information, contact our Privacy Officer:

Dr. V’s Queens Med-Spa
Email: info@mymdspa.com
Phone: (917) 789-6963
Address: [Insert your facility address]
