Privacy Policy & HIPAA Notice of Privacy Practices

Effective date: May 1, 2026

Your health information is protected. Plastic Surgery of Palm Beach and the Palm Beach Metabolic Care program comply with the Health Insurance Portability and Accountability Act of 1996 (HIPAA). This notice describes how medical information about you may be used and disclosed, and how you can get access to this information.

1. Who We Are

Plastic Surgery of Palm Beach ("PSPB," "we," "us," or "our") operates the Palm Beach Metabolic Care program and the associated patient portal at pspbwellness.com. We are a covered entity under HIPAA.

2. Information We Collect

We collect the following categories of information:

• Identity information: Name, date of birth, sex at birth, phone number, address, and emergency contact.
• Health information (Protected Health Information / PHI): Medical history, current conditions, medications, allergies, lab results, weight logs, symptom logs, injection logs, progress photos, and weekly check-in responses.
• Account information: Email address and a hashed password (we never store plaintext passwords).
• Usage data: Login timestamps, page access events, and audit log entries.
• Payment information: Stripe processes your payment card data. We do not store payment card numbers on our servers.

3. How We Use Your Information

We use your information for the following purposes:

• Treatment: To provide physician-supervised medical care, manage your program, and coordinate your prescription.
• Care coordination: To share your health information with other members of your clinical care team at PSPB.
• Operations: To audit access to your records, manage your account, and improve the platform.
• Billing: To process your $99/month membership fee via Stripe. No PHI is transmitted to Stripe.
• Communications: To send you care-related notifications. We do not send marketing emails without your explicit consent.

4. How We Protect Your Information

• All data at rest is stored in encrypted databases hosted on infrastructure that meets SOC 2 Type II standards.
• All data in transit is encrypted via TLS 1.2 or higher.
• Progress photos are stripped of all EXIF metadata before storage.
• Access to your PHI within the portal is logged in an immutable audit trail.
• Signed URLs for documents and photos expire within 1 hour of generation.
• Our team members access PHI only for treatment and care coordination purposes, and every access is logged.

5. Your HIPAA Rights

Under HIPAA, you have the right to:

• Access: Request a copy of the health information in your records.
• Amendment: Request correction of inaccurate health information.
• Accounting of disclosures: Request a list of disclosures we have made of your PHI.
• Restriction: Request restrictions on certain uses or disclosures of your PHI.
• Confidential communications: Request that we communicate with you in a specific way or at a specific location.
• Complaint: File a complaint with us or with the U.S. Department of Health & Human Services (HHS) if you believe your rights have been violated.

To exercise any of these rights, contact our Privacy Officer at the address below.

6. Disclosures of Your Information

We may disclose your PHI in the following circumstances:

• As required by law: Including court orders, subpoenas, or public health reporting requirements.
• For treatment: To other providers involved in your care, for example if you are transferred to another clinical setting.
• To business associates: Service providers (e.g., Supabase, Stripe, hosting providers) with whom we have Business Associate Agreements (BAAs) in place.
• With your authorization: Any other disclosure requires your written authorization.

We do not sell your health information. We do not use your PHI for advertising purposes.

7. Data Retention

We retain your health information for a minimum of 7 years from the date of your last clinical interaction, consistent with Florida medical records requirements. You may request deletion of non-clinical account data at any time by contacting us.

8. Cookies and Analytics

The patient portal uses session cookies necessary for authentication. We do not use third-party tracking cookies, advertising pixels, or behavioral analytics tools within the authenticated portal.

9. Changes to This Notice

We may update this notice from time to time. Changes will be posted at this URL with an updated effective date. Continued use of the portal after changes constitutes acceptance of the revised notice.

10. Contact Us

Privacy Officer
Plastic Surgery of Palm Beach
4700 N Congress Ave
Palm Beach Gardens, FL 33410

For non-urgent inquiries, you may also contact us through the secure messaging system in your patient portal.