HIPAA Notice of Privacy Practices
⚠️ DRAFT — PENDING ATTORNEY REVIEW. This document has not been reviewed by a licensed healthcare attorney. 45 CFR 164.520 requires specific elements — attorney must verify all required elements are present and accurate. Subject to material changes.
Effective Date: [TO BE SET AT GO-LIVE]
Version: 0.1-DRAFT
THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
1. Who this Notice applies to
This Notice describes the privacy practices of BodyEnhance ("we," "our") acting as a Business Associate under HIPAA on behalf of the physicians, practices, and other healthcare providers who use our platform ("Providers") to deliver telehealth consultations to patients like you.
It applies to all Protected Health Information ("PHI") we create, receive, maintain, or transmit on behalf of a Provider in connection with your use of BodyEnhance services.
Each Provider is an independent Covered Entity under HIPAA and has its own Notice of Privacy Practices, which governs its direct use of your PHI outside the BodyEnhance platform. This Notice governs our use of your PHI on the platform.
2. What is PHI?
Protected Health Information includes, but is not limited to:
- Your name, date of birth, address, email, phone number
- Medical history, medications, allergies, prior procedures
- Current medical conditions, measurements (height, weight)
- Your stated goals, procedures of interest, and timeline
- Photographs you upload as part of the medical intake
- Video calls conducted through the platform (not recorded during MVP)
- Post-consult summaries and recommendations written by the Provider
- Any communications between you and the Provider through the platform
3. How we may use and disclose your PHI
3.1 Treatment, Payment, and Healthcare Operations (TPO)
We use and disclose PHI without your written authorization for the following purposes:
- Treatment: Sharing PHI with your Provider before, during, and after the Consult so they can provide appropriate care.
- Payment: Processing the consultation fee you pay (though payment data does not include medical content), reconciling provider payouts, and handling billing inquiries.
- Healthcare Operations: Internal activities such as quality improvement, provider performance review, security operations, and auditing.
3.2 Other permitted uses
We may use or disclose PHI without your written authorization where required or permitted by law, including:
- When required by law (subpoenas, court orders, etc.)
- For public health activities (e.g., reporting to public health authorities)
- To report abuse, neglect, or domestic violence
- For health oversight activities (audits, investigations, inspections)
- In connection with judicial and administrative proceedings
- For law enforcement purposes, where legally required
- To avert a serious threat to health or safety
- For specialized government functions (e.g., military)
- For workers' compensation (if applicable)
3.3 Uses and disclosures requiring your authorization
We will not use or disclose your PHI for the following purposes without your separate, express written authorization:
- Marketing: We will not use your PHI to send you marketing communications or sell your information to third parties.
- Sale of PHI: We will never sell your PHI.
- Psychotherapy notes: We do not currently maintain psychotherapy notes, but if that ever changes, disclosure would require authorization.
- Photography in portfolios: Your intake photos will never be used in before/after portfolios, marketing, or training without a separate, written photo-use authorization.
You may revoke any authorization in writing at any time, except to the extent we have already relied on it.
3.4 Our subprocessors
We share PHI with the following vendors under Business Associate Agreements ("BAAs") strictly as needed to provide the platform:
| Vendor | What they process | BAA status |
|---|---|---|
| Supabase (database + storage) | All PHI stored server-side | [TBD — Enterprise tier required, BAA pending] |
| Vercel (web hosting) | PHI transiting HTTP requests, server logs | [TBD — Pro tier BAA to be signed before launch] |
| Daily.co (video calls) | Real-time audio/video during Consults | [TBD — HIPAA plan BAA to be signed before launch] |
| Anthropic (AI summarization, if enabled) | Intake and summary text | [TBD — Zero Data Retention tier BAA to be signed before enabling Tier 2] |
We do not share PHI with Stripe (payments) or Resend (email) — those systems only receive non-PHI metadata (booking ID, patient first name, appointment time).
4. Your rights under HIPAA
You have the following rights regarding your PHI:
4.1 Right to access
You may request to inspect and obtain a copy of your PHI that we maintain, in either paper or electronic form, at your choice. We will respond within 30 days (60 days if extended, with written notice). We may charge a reasonable, cost-based fee for copies.
4.2 Right to amend
If you believe PHI we maintain is inaccurate or incomplete, you may request an amendment. We must respond within 60 days. We may deny your request in specified circumstances; if we do, we will explain why in writing and you may file a statement of disagreement.
4.3 Right to an accounting of disclosures
You may request a list of certain disclosures of your PHI that we have made in the past six years, excluding disclosures for treatment, payment, and healthcare operations and certain other disclosures excepted by law. We will provide one accounting per 12-month period at no charge.
4.4 Right to request restrictions
You may request that we limit how we use or disclose your PHI for treatment, payment, or healthcare operations. We are generally not required to agree, but if we do, we will comply with your request (subject to exceptions like emergencies).
4.5 Right to request confidential communications
You may request that we communicate with you about your PHI in a specific way (e.g., email only, not phone) or at a specific location. We will accommodate reasonable requests.
4.6 Right to a paper copy of this Notice
Even if you have agreed to receive this Notice electronically, you may request a paper copy at any time.
4.7 Right to notification of a breach
We will notify you in writing if a breach of your unsecured PHI occurs, within the timeframes required by law (generally within 60 days of discovery).
5. How to exercise your rights
To exercise any of the rights above, or to ask questions about this Notice:
- Email: privacy@bodyenhance.co
- Mail: [TBD — business mailing address to be added before publishing]
- Online: Log in and use the "Request my data" link in account settings (feature pending)
6. How to file a complaint
If you believe your privacy rights have been violated, you may file a complaint with us (contact above) or with the Secretary of the U.S. Department of Health and Human Services:
- Online: https://www.hhs.gov/hipaa/filing-a-complaint/
- Mail: Office for Civil Rights, U.S. Department of Health & Human Services, 200 Independence Avenue, S.W., Washington, D.C. 20201
- Toll-Free: 1-800-368-1019
We will not retaliate against you for filing a complaint.
7. Changes to this Notice
We reserve the right to change the terms of this Notice at any time. Changes will apply to PHI we already have about you, as well as any information we create or receive in the future. The new Notice will be made available on bodyenhance.co/privacy and its effective date will be posted. For material changes, we will notify existing users via email with at least 30 days' advance notice.
8. Data retention
We retain PHI for the duration required by applicable state and federal law. At a minimum:
- Intake forms and related Consult records: 7 years from the date of the Consult (consistent with medical-record retention standards in Florida)
- Intake photos: automatically deleted 90 days after the Consult, unless you have booked a procedure, in which case photos are retained for the medical-record retention period (7 years)
- Communications: 7 years
- Video calls: not recorded
You may request earlier deletion of your PHI by contacting us at privacy@bodyenhance.co, subject to the Provider's obligation to maintain medical records for legally required periods.
9. Acknowledgment of receipt
By checking the "HIPAA acknowledgment" box during intake, you confirm you have received and read this Notice. This is not a waiver of any right under HIPAA.
Revision history
| Date | Version | Change |
|---|---|---|
| 2026-04-18 | 0.1-DRAFT | Initial AI-drafted bundle, pending attorney review |