Privacy Policy

Last Updated: January 2025

1. Introduction

Metabology Wellness is committed to protecting your privacy and maintaining the security of your Protected Health Information (PHI). This Privacy Policy explains how we collect, use, disclose, and safeguard your information in compliance with the Health Insurance Portability and Accountability Act (HIPAA) and Washington State privacy laws.

2. HIPAA Compliance Statement

Metabology Wellness is a HIPAA-covered entity. We comply with all HIPAA Privacy Rule and Security Rule requirements, including:

  • Administrative, physical, and technical safeguards for PHI
  • Minimum necessary standard for PHI use and disclosure
  • Patient rights to access, amend, and receive accounting of disclosures
  • Business Associate Agreements with third-party service providers
  • Breach notification procedures for unauthorized PHI disclosure

3. Information We Collect

3.1 Protected Health Information (PHI)

We collect and store the following medical information:

  • Personal identifiers: name, date of birth, email, phone, address
  • Medical history: conditions, medications, allergies, surgeries
  • Biometric data: height, weight, BMI
  • Lifestyle information: activity level, smoking, alcohol consumption
  • Treatment records: consultation notes, prescriptions, lab results

3.2 Technical Information

  • IP addresses (for security and audit purposes)
  • Browser type and version
  • Login timestamps and session data
  • Device information for access control

4. How We Use Your Information

4.1 Treatment, Payment, and Healthcare Operations (TPO)

We use your PHI for:

  • Treatment: Providing medical consultations, prescribing medications, coordinating care
  • Payment: Processing payments, billing insurance, managing accounts
  • Healthcare Operations: Quality improvement, staff training, business management

4.2 Other Permitted Uses

  • Appointment reminders and health-related communications
  • Legal compliance and regulatory reporting
  • Public health and safety activities
  • Law enforcement requests (when legally required)

5. Data Encryption and Security

5.1 Encryption at Rest

  • All PHI fields are encrypted using AES-256 encryption before storage
  • Passwords are hashed using bcrypt with cost factor 12
  • Encryption keys are stored separately from encrypted data
  • Database files are protected with file-system level permissions

5.2 Encryption in Transit

  • All web traffic uses HTTPS/TLS 1.3 encryption
  • Email communications use TLS encryption when supported
  • API connections require secure protocols

5.3 Access Controls

  • Role-based access control (patient vs. admin)
  • Multi-factor authentication for administrative access
  • Account lockout after 5 failed login attempts
  • 15-minute session timeout for inactive users
  • IP-based rate limiting to prevent brute force attacks

5.4 Audit Logging

We maintain comprehensive audit logs including:

  • User authentication events (login, logout, failed attempts)
  • PHI access and modifications (who, when, what changed)
  • Administrative actions (user management, system changes)
  • Security events (lockouts, suspicious activity)

Audit logs are retained for 6 years per HIPAA requirements.

6. Third-Party Service Providers

We work with the following Business Associates who may have access to PHI:

6.1 Mailtrap (Development Email Testing)

  • Purpose: Email testing in development environment
  • PHI Exposure: Email addresses only (no medical data)
  • Status: Business Associate Agreement in place

6.2 Email Service Provider (Production)

  • Purpose: Sending appointment reminders and notifications
  • PHI Exposure: Email addresses, names (no detailed medical information)
  • Status: Business Associate Agreement required before production

6.3 Vagaro (Scheduling and Payment)

  • Purpose: Appointment scheduling and payment processing
  • PHI Exposure: Names, contact information, appointment details
  • Status: HIPAA-compliant platform with Business Associate Agreement

6.4 Cloudflare (CDN and Security)

  • Purpose: Content delivery, DDoS protection, SSL/TLS termination
  • PHI Exposure: IP addresses, encrypted traffic
  • Status: Business Associate Agreement in place

7. Your Rights Under HIPAA

7.1 Right to Access

You have the right to view and obtain copies of your medical records. Access your information through the patient portal or request copies by emailing [email protected].

7.2 Right to Amend

You may request corrections to your medical information if you believe it is inaccurate or incomplete. Requests must be submitted in writing with supporting documentation.

7.3 Right to Accounting of Disclosures

You may request a list of disclosures of your PHI made by Metabology Wellness for purposes other than treatment, payment, or healthcare operations.

7.4 Right to Restrict Use

You may request restrictions on how we use or disclose your PHI. We are not required to agree to all restrictions but will consider reasonable requests.

7.5 Right to Confidential Communications

You may request communications via specific methods or locations (e.g., only via email, or only to a specific phone number).

7.6 Right to File a Complaint

If you believe your privacy rights have been violated, you may file a complaint with:

  • Metabology Wellness: [email protected]
  • U.S. Department of Health and Human Services Office for Civil Rights

We will not retaliate against you for filing a complaint.

8. Data Retention

  • Medical records: Retained for 10 years after last patient contact (Washington State requirement)
  • Audit logs: Retained for 6 years (HIPAA requirement)
  • Inactive accounts: Data retained unless deletion requested by patient
  • Verification tokens: Automatically deleted after 5 hours
  • Expired sessions: Deleted after 24 hours of inactivity

9. Breach Notification

In the event of a breach of unsecured PHI, we will:

  • Notify affected patients within 60 days of discovery
  • Report breaches affecting 500+ individuals to HHS and media
  • Provide details about the breach and steps being taken
  • Offer credit monitoring services if financial data was compromised

10. Children's Privacy

Our services are intended for adults 18 years and older. We do not knowingly collect PHI from individuals under 18 without parental consent. If you believe we have collected information from a minor, contact us immediately.

11. California and Washington State Privacy Rights

Residents of California and Washington have additional rights:

  • Right to know what personal information is collected
  • Right to deletion of personal information (subject to legal retention requirements)
  • Right to opt-out of sale of personal information (we do not sell PHI)
  • Right to non-discrimination for exercising privacy rights

12. International Users

Our services are provided in Washington State, USA. If you access our services from outside the United States, your information will be transferred to and processed in the United States. By using our services, you consent to this transfer.

13. Changes to This Privacy Policy

We may update this Privacy Policy to reflect changes in our practices or legal requirements. Material changes will be communicated via:

  • Email notification to registered users
  • Prominent notice on our website
  • Updated "Last Updated" date on this page

14. Contact Information

For privacy-related questions, concerns, or to exercise your rights:

Privacy Officer
Metabology Wellness
Email: [email protected]
Subject Line: "Privacy Request"

15. Notice of Privacy Practices

This Privacy Policy serves as our Notice of Privacy Practices as required by HIPAA. You have the right to receive a paper copy of this notice upon request.

16. Effective Date

This Privacy Policy is effective as of January 7, 2025, and applies to all PHI collected before and after this date.
