Health & Medspa
(A DBA of Health and Psychiatrists Consultants LLC or applicable legal entity)

1. OVERVIEW AND COMMITMENT TO DATA PROTECTION

Health & Medspa (the “Company,” “we,” “us,” or “our”) recognizes that the protection of client and patient information—particularly sensitive medical, aesthetic, and biometric data—is fundamental to the safe, lawful, and ethical operation of its services.

As a provider of both aesthetic and medically supervised treatments, including injectables, laser procedures, IV therapy, hormone therapy, and medical weight loss programs, the Company is committed to maintaining a comprehensive data security and compliance framework designed to protect the confidentiality, integrity, and availability of all personal information and Protected Health Information (“PHI”).

This commitment extends across all operational domains, including clinical environments, digital systems, telehealth platforms, marketing practices, and third-party integrations.

2. HIPAA COMPLIANCE AND APPLICABILITY

The Company operates under a hybrid healthcare model and is subject to the requirements of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) where it creates, receives, maintains, or transmits PHI.

Medspas that provide medical treatments such as injectables, laser therapies, IV therapy, or hormone treatments are required to comply with HIPAA when handling identifiable patient data.

The Company’s compliance program is structured to address all core HIPAA requirements, including:

  • The Privacy Rule governing use and disclosure of PHI
  • The Security Rule governing protection of electronic PHI (“ePHI”)
  • The Breach Notification Rule governing incident response and disclosure

The Company recognizes that PHI includes not only medical records but also identifiable images, appointment data, and treatment-related information.

3. ADMINISTRATIVE, PHYSICAL, AND TECHNICAL SAFEGUARDS

The Company implements a comprehensive safeguard framework consistent with HIPAA requirements, consisting of administrative, physical, and technical controls.

Administrative safeguards include internal policies governing data access, workforce training, risk assessments, and incident response procedures. Personnel are trained in confidentiality obligations and data handling practices, and compliance oversight is maintained through designated roles and internal governance structures.

Physical safeguards include the protection of facilities, devices, and treatment environments. Access to areas where sensitive information is stored is restricted, and measures are implemented to prevent unauthorized viewing or handling of records, including secure storage systems and controlled clinical environments.

Technical safeguards include the implementation of secure systems designed to protect electronic data. These include encryption of data in transit and at rest, authentication protocols, access controls, audit logging, and monitoring systems designed to detect unauthorized activity.

HIPAA specifically requires healthcare entities to implement these three categories of safeguards to protect ePHI.

4. DATA TYPES AND SENSITIVITY CLASSIFICATION

The Company processes multiple categories of sensitive data, including but not limited to:

  • Medical and treatment records
  • Hormone therapy and weight loss program data
  • Injectable and aesthetic procedure records
  • Clinical photographs and imaging
  • Payment and billing information

Photographs, treatment notes, and identifiable aesthetic records are considered PHI when linked to an individual and must be protected accordingly.

The Company classifies such data based on sensitivity and applies appropriate controls to ensure restricted access and secure handling.

5. TELEHEALTH AND DIGITAL SERVICE SECURITY

The Company may provide certain services through telehealth technologies, including consultations for weight loss, hormone therapy, and follow-up care.

Telehealth delivery requires secure handling of PHI across communication systems, including video, messaging, and scheduling platforms. The Company implements systems designed to:

  • Encrypt communications during transmission
  • Restrict access to authorized participants
  • Prevent unauthorized interception or disclosure

Despite these safeguards, the Company acknowledges that telehealth environments involve inherent risks associated with electronic communication.

6. BUSINESS ASSOCIATE AND VENDOR MANAGEMENT

The Company engages third-party vendors and service providers to support operations, including:

  • Electronic medical record (EMR) systems
  • Telehealth platforms
  • Payment processors and financing providers
  • Cloud storage and infrastructure services

Where such vendors have access to PHI, they are designated as Business Associates and are required to enter into Business Associate Agreements (“BAAs”) to ensure compliance with HIPAA.

Failure to properly manage third-party access to PHI is a recognized compliance risk, and the Company undertakes due diligence in vendor selection and monitoring.

7. PHOTOGRAPHY, MEDIA, AND IMAGE SECURITY

As part of aesthetic and medical treatments, the Company may capture photographic or visual records for clinical documentation and treatment planning.

Such images are treated as PHI when identifiable and are stored within secure systems with restricted access.

Use of images for marketing or promotional purposes is strictly controlled and requires separate written authorization from the individual.

8. ACCESS CONTROLS AND AUTHENTICATION

The Company implements role-based access controls to ensure that information is accessible only to authorized personnel based on their responsibilities.

Access control measures include:

  • Unique user credentials
  • Password protection and authentication protocols
  • Session controls and inactivity timeouts
  • Logging and monitoring of system access

These measures are designed to prevent unauthorized access and reduce the risk of internal or external data breaches.

9. RISK MANAGEMENT AND CONTINUOUS MONITORING

The Company conducts ongoing risk assessments and implements risk management strategies designed to identify, evaluate, and mitigate threats to data security.

Risk management activities include:

  • Periodic security audits
  • Vulnerability assessments
  • Monitoring of systems and networks
  • Incident detection and response protocols

HIPAA requires covered entities to conduct regular risk assessments as part of maintaining compliance.

10. INCIDENT RESPONSE AND BREACH MANAGEMENT

The Company maintains an incident response framework designed to promptly identify, contain, investigate, and remediate security incidents.

In the event of a breach involving unsecured PHI, the Company will provide notification in accordance with:

  • HIPAA Breach Notification Rule
  • Applicable state laws
  • Federal regulatory requirements

Failure to properly respond to breaches can result in significant penalties and reputational damage.

11. DATA RETENTION AND SECURE DISPOSAL

The Company retains data, including PHI, for periods required by applicable laws, professional standards, and regulatory obligations.

Data that is no longer required is securely disposed of in a manner designed to prevent unauthorized access or reconstruction.

Retention and disposal practices are reviewed periodically to ensure compliance with evolving regulatory requirements.

12. WORKFORCE TRAINING AND COMPLIANCE CULTURE

All personnel who handle sensitive information are required to undergo training in privacy, security, and compliance practices.

Training programs are designed to ensure that staff understand:

  • HIPAA requirements
  • Confidentiality obligations
  • Secure handling of patient data
  • Incident reporting procedures

Human error is a significant source of data breaches, and workforce training is a critical component of compliance.

13. MARKETING AND ADVERTISING COMPLIANCE

The Company engages in marketing and promotional activities consistent with applicable laws and ethical standards.

Special care is taken to ensure that:

  • PHI is not used for marketing without authorization
  • Patient images are not disclosed without consent
  • Advertising claims are not misleading or deceptive

Medspas must comply with both healthcare privacy laws and consumer protection regulations governing advertising and marketing practices.

14. REGULATORY COMPLIANCE AND LICENSURE

The Company operates in compliance with applicable federal, state, and local regulations governing medical spa operations, including licensing, scope of practice, and patient safety requirements.

Medical spa compliance encompasses not only privacy laws but also staffing, clinical protocols, and operational standards.

15. LIMITATIONS AND DISCLAIMER OF ABSOLUTE SECURITY

While the Company implements comprehensive safeguards, no system or technology can guarantee absolute security.

You acknowledge that:

  • Electronic systems may be subject to cyber threats
  • Unauthorized access may occur despite reasonable safeguards
  • The Company cannot guarantee complete immunity from security incidents

The Company disclaims liability for breaches or unauthorized access resulting from circumstances beyond its reasonable control.

16. CONTINUOUS IMPROVEMENT AND EVOLVING STANDARDS

The Company is committed to continuously improving its data security and compliance practices in response to evolving regulatory requirements, technological advancements, and emerging threats.

Policies, procedures, and safeguards are reviewed and updated periodically to ensure ongoing compliance and effectiveness.

17. NO CERTIFICATION REPRESENTATION

The Company implements security practices aligned with industry standards; however, it does not represent or warrant that it holds any specific third-party certification (including but not limited to SOC 2) unless expressly stated.

18. CONTACT INFORMATION

For inquiries regarding data security, compliance, or privacy practices:

Health & Medspa
3919 Tampa Road, Oldsmar, FL 34677
Phone: +1 727 444 0995
Email: legal@healthandmedspa.com

DATA SECURITY & COMPLIANCE