Effective Date: August 1, 2024
At Beauty Therapy, we are committed to protecting the privacy and security of your personal and health information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information in compliance with the Health Insurance Portability and Accountability Act (HIPAA), the Telephone Consumer Protection Act (TCPA), and other applicable laws. It also outlines your rights regarding your information and how to contact us with questions or concerns.
1. Who We Are
Beauty Therapy is a med spa and boutique located at 142 SW 134th St, Unit B, Oklahoma City, OK 73170, offering aesthetic treatments as well as curated boutique products. We are a covered entity under HIPAA because we provide healthcare services and transmit protected health information (PHI) electronically in connection with transactions such as billing. We also partner with third-party services, such as Cherry Financing, to offer flexible payment options.
2. Information We Collect
We collect the following types of information:
a. Protected Health Information (PHI)
PHI is individually identifiable health information we create, receive, maintain, or transmit related to your past, present, or future health, treatment, or payment for services. Examples include:
• Name, address, phone number, email address, and date of birth.
• Medical history, treatment records, and appointment notes.
• Billing and payment information.
b. Non-PHI Personal Information
We may collect non-health-related information, such as:
• Payment details for boutique purchases (e.g., credit card information).
• Preferences for products or services.
• Communication preferences for marketing or appointment reminders.
c. Automatically Collected Information
When you visit our website or interact with our digital platforms, we may collect:
• IP address, browser type, and device information.
• Website usage data via cookies (see Section 8 for details).
3. How We Use Your Information
We use your information for the following purposes, in compliance with HIPAA and TCPA:
a. Treatment
• To provide and coordinate your beauty therapy services (e.g., scheduling brow or lash lift appointments).
• To document treatment plans and outcomes.
b. Payment
• To process payments for services and boutique purchases, including through Cherry Financing.
• To bill insurance (if applicable) or coordinate with third-party payers.
c. Healthcare Operations
• To improve our services, train staff, and conduct quality assessments.
• To manage appointments and maintain client records.
d. Communications
• To send appointment reminders, treatment follow-ups, or service updates via text, email, or phone, in compliance with TCPA (see Section 7).
• To provide promotional offers or boutique product updates, only with your prior express consent where required.
e. Other Uses
• To comply with legal obligations, such as reporting to public health authorities.
• To respond to your requests, such as providing copies of your records.
We adhere to the HIPAA Minimum Necessary Standard, ensuring that we use or disclose only the minimum PHI necessary to accomplish the intended purpose, except in cases like treatment or disclosures to you.
4. How We Disclose Your Information
We may disclose your PHI or personal information in the following circumstances, as permitted or required by HIPAA:
a. Without Your Authorization
• Treatment: To coordinate care with other providers (e.g., a dermatologist, if relevant).
• Payment: To process payments through Cherry Financing.
• Legal Requirements: To comply with court orders, subpoenas, or public health mandates.
• HHS Investigations: To the U.S. Department of Health and Human Services (HHS) for HIPAA compliance reviews.
• Public Safety: To prevent or lessen a serious and imminent threat to health or safety.
b. With Your Authorization
• For marketing purposes (e.g., sharing your testimonial or before/after photos).
• For disclosures to third parties not involved in treatment, payment, or operations (e.g., sharing PHI with a family member).
• A HIPAA-compliant authorization form will be provided, specifying the information, purpose, and recipient. You may revoke authorization in writing at any time, except to the extent we have already acted on it.
5. Your Rights Under HIPAA
As a client, you have the following rights regarding your PHI:
a. Access
• Request a copy of your PHI (electronic or paper). We will respond within 30 days of your request. We may charge a reasonable, cost-based fee for copies.
b. Amendment
• Request corrections to inaccurate or incomplete PHI. We may deny requests in certain cases (e.g., if the information is accurate) and will provide a written explanation.
c. Accounting of Disclosures
• Request a list of disclosures of your PHI made in the past six years, excluding disclosures for treatment, payment, operations, or those you authorized.
d. Confidential Communications
• Request alternative communication methods (e.g., receiving appointment reminders via email instead of text). We will accommodate reasonable requests.
6. Security of Your Information
We comply with the HIPAA Security Rule to protect electronic PHI (ePHI) through:
a. Administrative Safeguards
• Conducting regular risk assessments to identify and mitigate threats to ePHI.
• Training staff annually on HIPAA policies and procedures.
• Designating a Privacy Officer and Security Officer to oversee compliance.
b. Physical Safeguards
• Securing our facility with access controls (e.g., locked file cabinets, restricted areas).
• Ensuring workstations are logged off and PHI is not left unattended.
c. Technical Safeguards
• Using encryption for ePHI in transit and at rest (e.g., secure email and cloud storage).
• Implementing access controls to limit ePHI to authorized staff.
• Maintaining audit logs to monitor ePHI access.
d. Breach Notification
If a breach of unsecured PHI occurs, we will notify affected individuals, HHS, and, if required, the media, per the HIPAA Breach Notification Rule. Notifications will be sent within 60 days of discovery and include steps to mitigate harm.
7. TCPA Compliance for Communications
We may contact you via phone, text, or email for appointment reminders, treatment follow-ups, or promotional offers. To comply with the TCPA and its healthcare exemption:
a. Consent
• Non-Marketing Communications: We may send health-related messages (e.g., appointment reminders) to the phone number you provide without prior express written consent, as allowed under the TCPA healthcare exemption, provided they comply with HIPAA and the conditions below.
• Marketing Communications: For promotional messages (e.g., boutique sales or new services), we will obtain your prior express written consent. You may revoke consent at any time (see below).
b. Conditions for Health-Related Messages
• Messages are strictly health-related (e.g., post-treatment care instructions) and do not include promotional or financial solicitations.
• Messages include our name and contact information.
• Messages are concise (text messages under 160 characters; voice messages under 1 minute).
• Frequency is limited to one message per day and three per week.
• Messages include an easy opt-out option (e.g., replying “STOP” to texts).
c. Opt-Out
• You may opt out of receiving communications by replying “STOP” to texts, clicking “unsubscribe” in emails, or contacting us directly (see Section 11). We will honor opt-out requests promptly and maintain a do-not-contact list.
• You may also register your phone number on the National Do-Not-Call Registry at www.donotcall.gov.
d. Cherry Financing Communications
• If you use Cherry Financing, they may contact you regarding your payment plan. These communications are subject to Cherry’s TCPA-compliant policies, and you may opt out directly with them.
8. Website and Cookies
Our websites, http://www.beautytherapyok.com and http://www.shopbeautytherapy.com, may use cookies and similar technologies to enhance your experience, analyze usage, and personalize content. We do not collect PHI through cookies. You can manage cookie preferences via your browser settings.
9. Business Associates
We work with business associates (e.g., Cherry Financing, billing services, IT vendors) who may access PHI. All business associates sign a Business Associate Agreement ensuring they:
• Protect PHI per HIPAA standards.
• Use PHI only for the agreed purpose (e.g., processing payments).
• Report breaches to us promptly.
10. Data Retention and Disposal
• We retain PHI for at least six years, as required by HIPAA, or longer if mandated by state law (e.g., Oklahoma may require longer retention for medical records).
• Non-PHI personal information (e.g., boutique purchase records) is retained per our business needs and applicable laws.
• When disposing of PHI, we use secure methods (e.g., shredding paper records, wiping electronic media) to prevent unauthorized access.
11. Contact Information
For questions, requests, or complaints about this Privacy Policy:
Beauty Therapy
142 SW 134th St, Unit B, Oklahoma City, OK 73170
405-856-3231
Beautytherapyok@gmail.com
Acknowledgment
By receiving services or making purchases at Beauty Therapy, you acknowledge that you have received and understand this Privacy Policy and our Notice of Privacy Practices. Please sign our acknowledgment form at your first visit. If you have questions, contact us.
