Privacy Policy

Last Updated: 8/22/2025

HIPAA Compliance

SpineZone Physical Therapy is committed to protecting your medical information in accordance with the Health Insurance Portability and Accountability Act (HIPAA) and all applicable state and federal privacy laws.

Information We Collect

Protected Health Information (PHI)

  • Medical records and treatment history
  • Diagnostic information and test results
  • Insurance and billing information
  • Appointment and scheduling data
  • Progress notes and treatment plans

Personal Information

  • Name, date of birth, and contact information
  • Emergency contact details
  • Government-issued identification numbers
  • Demographic information

Website and Technical Data

  • IP addresses (stored in hashed format)
  • Browser and device information
  • Website usage patterns and analytics
  • Session information and login data
  • Form submission data (contact forms)

Your Rights Under HIPAA

As our patient, you have the following rights regarding your protected health information:

  • Right to Access: You may request copies of your medical records
  • Right to Amend: You may request corrections to your medical information
  • Right to Restrict: You may request limits on how we use your information
  • Right to Confidential Communication: You may request that we contact you in a specific way
  • Right to Accounting: You may request a list of disclosures we have made
  • Right to File a Complaint: You may file complaints about our privacy practices

How We Protect Your Information

Technical Safeguards

  • 256-bit encryption for data transmission and storage
  • Secure user authentication with multi-factor options
  • Regular security audits and vulnerability assessments
  • Automatic session timeouts (15 minutes for patient portal)
  • Comprehensive audit logging of all data access

Administrative Safeguards

  • HIPAA training for all staff members
  • Regular privacy and security policy updates
  • Designated Privacy Officer and Security Officer
  • Business Associate Agreements with all vendors
  • Incident response and breach notification procedures

Physical Safeguards

  • Secured facilities with controlled access
  • Locked storage for physical records
  • Secure disposal of confidential information
  • Workstation security controls

Data Sharing and Disclosures

We may share your health information only:

  • With your written authorization
  • For treatment, payment, and healthcare operations
  • As required by law (court orders, public health reporting)
  • For health oversight activities
  • In emergency situations to protect your health
  • To business associates under signed agreements

We never sell your personal or health information to third parties.

Website Privacy

Our website uses privacy-compliant analytics to improve user experience:

  • IP addresses are anonymized and hashed before storage
  • No personally identifiable information is collected without consent
  • Session data expires automatically after inactivity
  • Contact form submissions are encrypted and securely processed
  • We use essential cookies only; no tracking cookies

Data Retention

  • Medical Records: Retained for 7 years after last treatment date
  • Audit Logs: Retained for 7 years for compliance purposes
  • Website Analytics: Retained for 2 years maximum
  • Contact Form Data: Retained for 1 year unless correspondence is ongoing

Breach Notification

In the unlikely event of a data breach involving your protected health information:

  • We will notify you within 60 days of discovering the breach
  • We will notify the Department of Health and Human Services
  • We will notify local media if the breach affects 500+ individuals
  • We will provide details about the breach and steps to protect yourself

Contact Information

For privacy concerns, to exercise your rights, or to request access to your medical records:

Privacy Officer

SpineZone Physical Therapy
HIPAA Privacy Officer
1234 Healing Way, Suite 200
San Diego, CA 92101
Phone: (858) 555-0123
Email: privacy@spinezone-sandiego.com
Fax: (858) 555-0124

File a Complaint

You have the right to file a complaint if you believe your privacy rights have been violated.

U.S. Department of Health and Human Services
Office for Civil Rights
Phone: 1-800-368-1019
Online: www.hhs.gov/hipaa/filing-a-complaint

Changes to This Policy

We may update this privacy policy from time to time to reflect changes in our practices or applicable laws. Any significant changes will be:

  • Posted on our website with the updated effective date
  • Provided to you in writing or electronically if required by law
  • Made available in our offices for your review

We will never reduce your rights under this policy without your written consent.

Acknowledgment

By using our services or website, you acknowledge that you have read and understand this Privacy Policy and our Notice of Privacy Practices. If you have questions about how your information is handled, please contact our Privacy Officer.