HIPAA Policy
Refresh Health Insurance Portability and Accountability Act (“HIPAA”) Policy
Last Updated: Friday, July 15, 2025
1. Introduction & About Us
Welcome to Refresh and thank you for accessing our website at refreshpbma.com (hereinafter, the “Site”). This Site is owned and operated by Refresh Palm Beach Medical Aesthetics LLC, Refresh Port St Lucie Medical Aesthetics LLC, and Refresh Vero Beach Medical Aesthetics LLC (collectively, hereinafter referred to as “Refresh”, “we”, “our”, or “us”).
2. About this HIPAA Policy
Refresh is committed to maintaining the privacy and security of your protected health information (PHI) in compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), its implementing regulations, and applicable state laws. This HIPAA Policy outlines how we collect, use, disclose, and safeguard PHI when you engage with our services, including those provided through our physical centers and our website.
Our goal is to ensure that your health information is handled responsibly and transparently, while supporting the highest standards of care and compliance. This policy applies to all employees, contractors, and service providers who may have access to PHI through their work with Refresh. Please read this policy carefully to understand your rights and our responsibilities regarding your health information.
3. Rights with respect to your Personal Health Information (PHI)
When it comes to your health information, you have the following rights:
- Get an electronic or paper copy of your medical record. You can ask to see or get an electronic or paper copy of your medical record and other health information we have about you. If you would like, we also can send this information in either paper or electronic form to another person you identify in your request. A copy or a summary of your health information shall be provided to you within 30 days of your request.
- Seek correction of your medical records. You can request a correction to your health information that you think is incorrect or incomplete.
- Request confidential communications. You can ask us to contact you in a specific way (for example, home or office phone) or to send mail to a different address. We will say “yes” to all reasonable requests.
- Limit what we use or share. You can ask us not to use or share certain health information for treatment, payment, or our operations. We are not required to agree to your request, and we may say “no” if it would be harmful or compromise your care. If you pay for a service or healthcare item out-of-pocket in full, you can ask us not to share that information for the purpose of payment or our operations with your health insurer. We will say “yes” unless any law requires us to share that information.
- Get a list of those with whom we have shared information. You can ask for a list (accounting) of the times we have shared your health information for six years prior to the date you ask, who we shared it with, and why. We will include all the disclosures except for those about treatment, payment, and healthcare operations, and certain other disclosures (such as any you asked us to make).
- Get a copy of this privacy notice. You can ask for a paper copy of this notice at any time, even if you have agreed to receive the notice We will provide you with a paper copy promptly.
- Choose someone to act for you. If you have given someone medical power of attorney or if someone is your legal guardian, that person can exercise your rights and make choices about your health We will make sure the person has this authority and can act for you before we take any action.
- File a complaint if you feel your rights are violated. You can complain if you feel we have violated your rights by contacting us. You can file a complaint with the U.S. Department of Health and Human Services, Office for Civil Rights by sending a letter to 200 Independence Avenue SW, Washington, DC 20201, calling 1-800-368-1019, or visiting www.hhs.gov/hipaa/filing-a-complaint/index.html. We will not retaliate against you for filing a complaint.
4. Use and Disclosure of your PHI
- General We may use and disclose your Protected Health Information (PHI) for purposes related to your care, billing, and the overall operation of our services, as permitted under HIPAA. Access to PHI is limited to authorized employees and healthcare professionals who require the information to perform their job duties or provide care and services. All employee access to PHI is logged, tracked, and subject to ongoing monitoring through our electronic health record systems or other secure platforms. Audit logs are regularly reviewed to detect unauthorized access, misuse, or policy violations. Any suspicious or inappropriate access is promptly investigated and may result in disciplinary action, including termination. Employees receive training on HIPAA compliance, confidentiality, and data security, and are required to sign confidentiality agreements acknowledging their responsibilities.
- Treatment. We may use and share your PHI as necessary to provide, coordinate, or manage your health care and related (Example: Your medical history may be shared with a specialist to whom you are referred to ensure continuity of care.)
- Payment. Your PHI may be used and disclosed to obtain payment for the health care services we This may include billing and collection activities, claim submissions, and eligibility verification. (Example: We may submit information to your health insurance provider to receive reimbursement for services rendered.)
- Health Care Operations. We use your PHI to support essential operational functions, such as quality assessment, staff training, accreditation, licensing, and administrative activities necessary to maintain and improve our services. (Example: We may review patient records to evaluate staff performance or improve service delivery.)
- Licensure and Certification. We may disclose your Protected Health Information (PHI) as necessary for licensure, certification, or credentialing purposes, including disclosures to professional boards such as the American Board of Plastic Surgery. These disclosures help ensure compliance with professional standards and support the evaluation of clinical performance and qualifications.
- Appointment Reminders. We may contact you by phone, email, or other means to remind you of upcoming appointments or follow-up If you wish to receive communications in a specific manner or at a specific location, you may submit a written request for confidential communication, and we will accommodate reasonable requests.
- Involvement of Family and Friends. We may disclose your PHI to family members, close friends, or other individuals involved in your care or payment for your care, when appropriate and permitted by law. In situations where you are not present or unable to consent, we may make such disclosures if we determine it is in your best interest, such as during emergencies or based on professional judgment.
- Emergency Situations. In the event of a medical emergency, we may use or disclose your PHI as necessary to provide treatment or ensure your We will make reasonable efforts to obtain your acknowledgment of this Notice of Privacy Practices as soon as it is practical following the emergency.
- Health-Related Benefits and Services. We may contact you to provide information about health-related benefits, services, or treatment alternatives that may be of interest to you.
- Legal Requirements. We will disclose PHI when required to do so by federal, state, or local law, including compliance with government regulations and public health reporting obligations.
- Communicable Diseases. We may disclose PHI to public health authorities or individuals legally authorized to receive such information to prevent or control the spread of communicable diseases.
- Health Oversight We may disclose PHI to health oversight agencies for activities authorized by law, such as audits, investigations, inspections, licensure, or disciplinary actions.
- Abuse, Neglect, or Domestic Violence. If we reasonably believe you are a victim of abuse, neglect, or domestic violence, we may disclose PHI to appropriate government authorities, as permitted or required by law.
- Food and Drug Administration (FDA). We may share PHI with the FDA or parties under FDA jurisdiction to report adverse events, track products, report defects, or ensure the safety and efficacy of regulated products.
- Legal Proceedings. PHI may be disclosed in response to a valid court order, subpoena, discovery request, or other lawful legal process, subject to applicable procedural
- Law Enforcement. We may disclose PHI to law enforcement officials for legally permissible purposes, including to support investigations, comply with legal requirements, or protect national security and government officials.
- Coroners, Medical Examiners, Funeral Directors, and Organ Donation. PHI may be shared with coroners or medical examiners to identify a deceased individual or determine the cause of death. We may also disclose PHI to funeral directors as needed to carry out their duties and to organizations involved in organ, eye, or tissue donation and transplantation, consistent with applicable laws.
- Research. PHI may be used or disclosed for research purposes when approved by an Institutional Review Board (IRB) or privacy board and when adequate safeguards are in place to protect your privacy.
- To Prevent Serious Threats to Health or Safety. We may disclose PHI when necessary to prevent or lessen a serious and imminent threat to the health or safety of an individual or the public, including disclosures to law enforcement.
- Workers’ Compensation. We may release PHI as authorized by law to comply with workers’ compensation or similar programs that provide benefits for work-related injuries or illness.
5. Breach Notification in accordance with 45 CFR § 164.400–414
In accordance with the HIPAA Breach Notification Rule, we are committed to protecting your Protected Health Information (PHI) and will notify you promptly in the event of a breach that compromises the privacy or security of your PHI.
a. What is a breach?
A “breach” is defined as the unauthorized acquisition, access, use, or disclosure of unsecured PHI that compromises the security or privacy of the information, as determined by a risk assessment under HIPAA.
b. Timely notification of breach
If a breach of your unsecured PHI occurs, we will:
- Notify you without unreasonable delay and no later than 60 calendar days from the discovery of the breach;
- Provide notification by first-class mail or, if you have agreed to electronic communication, by email; or
- If contact information is insufficient, we may use alternative means such as a public posting or media notice.
c. What will the breach notification include?
- A brief description of the breach, including the date it occurred and the date it was discovered;
- A description of the types of PHI involved (e.g., name, date of birth, treatment details);
- Steps you should take to protect yourself from potential harm;
- A description of what we are doing to investigate, mitigate, and prevent future breaches; and
- Contact information for you to reach us with questions or
*If a breach affects 500 or more individuals, we will also notify the U.S. Department of Health and Human Services (HHS) and prominent media outlets serving the state or jurisdiction. For breaches affecting fewer than 500 individuals, we will maintain a breach log and report it to HHS annually.
6. Changes to this Notice
We reserve the right to amend or update this Notice of Privacy Practices at any time. Any revisions will apply to all Protected Health Information (PHI) that we maintain, including information created or received prior to the effective date of the updated notice. Whenever this Notice is revised, the updated version will be prominently posted on our website and made available at our office locations. The effective date of the revised Notice will be clearly indicated at the top of the document.
Contact Us.
If you have any questions or concerns, or if you wish to share your feedback on our Services with us, you may contact us at the following email addresses:
For Palm Beach: support@refreshpbma.com
For Port St. Lucie: supportpsl@refreshpbma.com
For Vero: supportvero@refreshpbma.com