Mobile IV Therapy in Zen Med Spa

HIPAA Compliance Statement

Effective Date: October 30, 2025

Last Updated: October 30, 2025


At Zen Med Spa, we are fully committed to protecting the privacy and security of your health information in accordance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its related regulations. This HIPAA Compliance Statement outlines how we safeguard your protected health information (PHI) and ensure compliance with federal standards.


1. Understanding HIPAA

1.1 What is HIPAA?

HIPAA is a federal law that establishes national standards for the protection of sensitive patient health information. It mandates the safeguarding of electronic, written, and oral forms of protected health information (PHI) to ensure confidentiality and security.


1.2 What is Protected Health Information (PHI)?

PHI includes any information about your health status, healthcare treatment, or payment for healthcare that can identify you. Examples of PHI include:

  • Name, address, phone number, and email address
  • Social Security number and medical record number
  • Health insurance information
  • Medical history, diagnoses, and treatment plans
  • Lab results and prescription information
  • Billing and payment records
  • Photographs and any other identifying information


2. Our Commitment to HIPAA Compliance

Zen Med Spa is dedicated to maintaining the confidentiality and security of your PHI. We implement stringent safeguards and policies to ensure compliance with HIPAA standards, including:


2.1 Administrative Safeguards

  • Privacy Officer: We have designated a Privacy Officer responsible for overseeing HIPAA compliance and addressing privacy concerns.
  • Staff Training: All employees receive comprehensive HIPAA training to understand their responsibilities in protecting PHI.
  • Policies and Procedures: We maintain written policies and procedures governing the use, disclosure, and protection of PHI.
  • Risk Assessment: Regular risk assessments are conducted to identify and mitigate potential vulnerabilities in our systems and processes.


2.2 Physical Safeguards

  • Secure Facilities: Physical access to areas where PHI is stored is restricted to authorized personnel only.
  • Device Security: Mobile devices and equipment used to access or store PHI are secured with passwords and encryption.
  • Disposal Protocols: PHI is securely destroyed when no longer needed, using methods such as shredding or secure digital deletion.


2.3 Technical Safeguards

  • Encryption: Electronic PHI is encrypted during transmission and storage to prevent unauthorized access.
  • Access Controls: Only authorized personnel have access to PHI, and access is granted based on job responsibilities.
  • Audit Trails: We maintain logs of access to electronic PHI to monitor and detect unauthorized activity.
  • Secure Communication: We use secure, HIPAA-compliant platforms for electronic communication containing PHI.


3. How We Use and Disclose Your PHI

We may use and disclose your PHI only for purposes permitted under HIPAA, including:


3.1 Treatment

To provide and coordinate your healthcare, we may share your PHI with licensed medical professionals involved in your care, including our registered nurses and nurse practitioners.


3.2 Payment

Your PHI may be used to process payments for services rendered and shared with your health insurance provider, if applicable.


3.3 Healthcare Operations

We may use PHI for administrative purposes, such as quality assurance, staff training, compliance monitoring, and improving our services.


3.4 As Required by Law

We may disclose PHI when required by law, such as for public health reporting, legal proceedings, law enforcement purposes, or to prevent serious threats to health or safety.


3.5 With Your Authorization

We will not use or disclose your PHI for purposes other than treatment, payment, or healthcare operations without your written authorization. You may revoke your authorization at any time in writing.


4. Your Rights Under HIPAA

Under HIPAA, you have the following rights regarding your PHI:


4.1 Right to Access

You have the right to access and obtain a copy of your health records upon request. We will provide copies within 30 days of your request.


4.2 Right to Amend

If you believe your PHI is inaccurate or incomplete, you have the right to request an amendment to your records. We will review your request and respond within 60 days.


4.3 Right to Restrict Use and Disclosure

You may request limitations on how we use or disclose your PHI, though certain restrictions may not be possible due to legal or operational requirements. We will accommodate reasonable requests when possible.


4.4 Right to Confidential Communications

You can request that we communicate with you through specific methods or at specific locations to maintain your privacy. For example, you may request that we contact you only by phone or at a particular address.


4.5 Right to an Accounting of Disclosures

You have the right to request a list of certain disclosures of your PHI made by us within the past six years, excluding those made for treatment, payment, and healthcare operations.


4.6 Right to a Paper Copy of This Notice

You have the right to receive a paper copy of this HIPAA Compliance Statement at any time, even if you previously agreed to receive it electronically.


5. Breach Notification

5.1 Commitment to Transparency

In the event of a breach of unsecured PHI, we will:

  • Notify affected individuals without unreasonable delay, but no later than 60 days after discovery of the breach
  • Provide information about the breach, including what happened, what information was involved, and steps you can take to protect yourself
  • Report the breach to the U.S. Department of Health and Human Services (HHS) as required by law
  • Notify prominent media outlets if the breach affects more than 500 individuals in a state or jurisdiction


5.2 Prevention Measures

We continuously monitor our systems and processes to identify and address vulnerabilities, reducing the risk of unauthorized access or data breaches.


6. Business Associates

We may work with third-party service providers, known as Business Associates, who assist in delivering our services (e.g., payment processing, IT support, scheduling platforms). These Business Associates are required to sign Business Associate Agreements ensuring they adhere to HIPAA regulations and safeguard your PHI.


7. Confidentiality and Security Measures

Zen Med Spa employs industry-standard practices to protect your PHI, including:

  • Secure, encrypted electronic health record (EHR) systems
  • Password-protected devices and networks
  • Regular security audits and vulnerability assessments
  • Restricted access to PHI based on role and necessity
  • Secure disposal of physical and electronic records
  • Staff confidentiality agreements and ongoing training


8. Reporting HIPAA Concerns

If you believe your privacy rights have been violated, you may file a complaint with:


Zen Med Spa Privacy Officer

Phone: 332-239-2005

Email: privacy@thezenmedspa.com


U.S. Department of Health and Human Services (HHS)

Office for Civil Rights

Website: www.hhs.gov/ocr/privacy/hipaa/complaints

Phone: 1-877-696-6775


We take all complaints seriously and will investigate and resolve any concerns promptly. You will not face retaliation for filing a complaint.


9. Updates to This HIPAA Compliance Statement

We reserve the right to update this HIPAA Compliance Statement to reflect changes in our practices or legal requirements. Any updates will be posted on our website with an updated “Effective Date.” We will also provide you with a copy of the revised notice upon request.


10. Contact Us

If you have any questions or concerns about this HIPAA Compliance Statement, your privacy rights, or how we handle your PHI, please contact us:


Zen Med Spa

Phone: 332-239-2005

Email: privacy@thezenmedspa.com

Website: www.thezenmedspa.com


Acknowledgment

By using our services, you acknowledge that you have been provided with this HIPAA Compliance Statement and understand your rights regarding the privacy and security of your protected health information.
