HIPAA Website Compliance and Security Policy

Effective Date: January 1, 2025
Practice/Entity: Avenue U Medical Wellness, P.C. through TonedMD, LLC (the "Practice")
Address: 409B Central Ave, Cedarhurst, NY 11516
Privacy Officer: Peiman Ghatan, PA-C, [4104586666], [[email protected]], 409B Central Ave, Cedarhurst, NY 11516

1. Purpose and Scope

1.1 Purpose

This HIPAA Website Compliance and Security Policy (the "Policy") describes the administrative, technical, and physical safeguards the Practice uses (and requires its vendors to use) to protect Protected Health Information ("PHI") that may be collected, transmitted, maintained, or accessed through the Practice website, including through appointment requests, contact forms, telehealth scheduling, and related communications.

1.2 Scope

This Policy applies to the Practice website and all website features that may process PHI, including any web forms, embedded scheduling tools, chat features (if enabled), telehealth links, and website-hosted content that invites a patient to request care or provide health-related information.

1.2.1 Relationship to Notice of Privacy Practices

This Policy is separate from the Practice HIPAA Notice of Privacy Practices ("NPP"). The NPP describes how the Practice may use and disclose PHI and describes patient rights under HIPAA. The NPP must be posted prominently and made available to patients in accordance with HIPAA requirements. This Policy addresses website-specific safeguards and operational controls.

1.2.2 Emergency and Time-Sensitive Communications

The website and any website forms are not intended for urgent or emergency medical issues. Users should be directed to call 911 or go to the nearest emergency room for emergencies. Website submissions are processed during business hours and are not monitored continuously.

2. Definitions

2.1 Protected Health Information (PHI)

PHI has the meaning set forth under HIPAA and includes individually identifiable health information that is transmitted or maintained in any form or medium, including information that identifies an individual as seeking or receiving healthcare services.

2.2 Workforce

Workforce means employees, volunteers, trainees, and other persons whose conduct is under the direct control of the Practice, whether or not they are paid by the Practice.

2.3 Business Associate

Business Associate means a third party that creates, receives, maintains, or transmits PHI on behalf of the Practice. Business Associates must enter into a Business Associate Agreement ("BAA") with the Practice as required by HIPAA.

3. Website Data Collection and Classification

3.1 Information Submitted by Users

Users may submit information through website forms or scheduling tools, including name, email, phone number, appointment requests, and any free-text description of questions or concerns. If a user includes health-related information, that content may constitute PHI and must be handled accordingly.

3.2 Technical and Security Data

The website may collect limited technical information for security and operational purposes, such as IP address, device type, browser type, timestamps, and log data. The Practice treats security logs as confidential and restricts access to authorized personnel or vendors.

3.3 Data Minimization

The Practice designs website forms to request only the minimum information reasonably necessary for scheduling, responding to inquiries, and routing communications. The Practice discourages submission of detailed clinical histories through general website contact forms unless specifically requested via a secure channel.

4. Permitted Uses of Website-Submitted Information

4.1 Scheduling and Communications

The Practice may use website-submitted information to respond to inquiries, schedule appointments, send appointment confirmations or reminders, and coordinate follow-up communications in accordance with HIPAA and applicable law.

4.2 Security and Operational Integrity

The Practice may use technical data and logs to protect against malicious activity, to detect and respond to security incidents, and to maintain website reliability and performance.

4.3 No Sale of PHI

The Practice does not sell PHI and does not permit third-party advertising platforms to receive PHI through website technologies.

5. HIPAA Security Safeguards for the Website

5.1 Administrative Safeguards

The Practice maintains written policies and procedures addressing website data handling, access controls, vendor management, and incident response. The Practice designates a Privacy Officer and a Security Officer (which may be the same individual) responsible for oversight.

5.1.1 Workforce Training and Access Authorization

Workforce members with access to website-submitted information must be authorized based on role, trained on HIPAA privacy and security requirements, and instructed to access PHI only when necessary to perform assigned job functions.

5.1.2 Minimum Necessary and Role-Based Access

Access to PHI originating from the website is restricted to the minimum necessary workforce members. The Practice uses role-based access where feasible and requires unique user credentials for systems that store or display website submissions.

5.2 Technical Safeguards

The Practice implements technical controls appropriate to the website risk profile, including secure transmission, authentication controls, and logging.

5.2.1 Encryption in Transit

The website uses HTTPS/TLS to encrypt data in transit. Forms that collect information in a healthcare context must submit data through encrypted connections.

5.2.2 Encryption at Rest

Where PHI is stored electronically on behalf of the Practice in connection with website submissions, the Practice requires encryption at rest or equivalent compensating controls appropriate to the vendor environment.

5.2.3 Authentication, Passwords, and Multi-Factor Authentication

Administrative access to the website, hosting control panels, and any systems storing website-submitted PHI must be protected by strong passwords and, where available, multi-factor authentication. Default credentials must not be used.

5.2.4 Audit Logs and Monitoring

Where feasible, the Practice enables audit logging for administrative access and for systems that store or route website submissions. Logs are reviewed periodically or upon a suspected incident.

5.2.5 Secure Development and Patch Management

The Practice requires timely security updates for the content management system, plugins, themes, and server software. Security patches are applied promptly based on severity and vendor guidance. Unused plugins and accounts are removed or disabled.

5.3 Physical Safeguards

The Practice restricts physical access to devices used to access PHI, including staff computers and mobile devices. Devices must be protected by screen locks, secure storage, and appropriate endpoint protections.

6. Business Associate Management for Website Vendors

6.1 Business Associate Agreements (BAAs)

If a vendor creates, receives, maintains, or transmits PHI on behalf of the Practice in connection with website operations, the Practice requires a HIPAA-compliant BAA prior to enabling or continuing the vendor service.

6.1.1 Vendor Examples

Vendors that may require BAAs include web hosting providers (if PHI is stored on servers), form or chat providers, scheduling platforms, CRM tools receiving inquiries, telehealth platforms integrated with scheduling, and support vendors with administrative access that could expose PHI.

6.2 Due Diligence and Security Representations

The Practice performs reasonable due diligence on vendors that handle PHI, which may include review of security practices, access controls, and breach response commitments, and confirmation of subcontractor controls.

7. Website Tracking Technologies and Marketing Controls

7.1 HIPAA Considerations for Tracking

The Practice takes steps to prevent disclosure of PHI through tracking technologies (including pixels, tags, and scripts) on pages where a user may request healthcare services, schedule appointments, or submit health-related information.

7.2 Limitations on Advertising Pixels and Third-Party Tracking

The Practice does not deploy advertising pixels or similar technologies in a manner that discloses that a specific individual visited the site to seek services or that associates an individual with specific services or health conditions, unless permitted by HIPAA and properly safeguarded.

7.3 Analytics Configuration

If analytics tools are used, they must be configured to minimize data collection, avoid collecting form inputs, and avoid transmitting identifiers that could reasonably be used to identify an individual as seeking care. The Practice evaluates whether a BAA is required based on the analytics implementation and data flows.

7.4 Cookie Disclosures

The Practice discloses use of cookies and similar technologies in its Privacy Policy and provides appropriate cookie controls where required by law or as a best practice.

8. Website Forms, Disclaimers, and Patient Communications

8.1 Website Form Disclaimers

Website forms intended for routine questions and scheduling must include disclaimers indicating that the form is not for emergencies and that submission does not by itself establish a provider-patient relationship.

8.2 Consent to Contact

If the Practice uses phone, email, or text messaging for scheduling and follow-up initiated through the website, the Practice obtains appropriate user consent (including consent for text messages when applicable) and maintains records of such consent.

8.3 Email Security

Standard email is not always secure. The Practice discourages transmission of detailed clinical information through unencrypted email and provides secure alternatives when appropriate. When patients request email communications, the Practice may document patient preference and provide reasonable warnings regarding security risks.

9. Telehealth Website Compliance Controls

9.1 Patient Location and Licensure

Telehealth services are provided only where legally permitted. The Practice limits telehealth services to patients who are physically located in jurisdictions where the treating clinician is licensed at the time of the visit.

9.2 Clinical Appropriateness

Telehealth is not appropriate for every condition or patient. Providers determine whether telehealth is clinically appropriate and may require an in-person evaluation, examination, laboratory testing, or referral when indicated.

9.3 Secure Telehealth Platform

Telehealth visits must be conducted through a secure platform configured to protect PHI. If a third-party telehealth vendor handles PHI on behalf of the Practice, a BAA must be executed prior to use.

10. Incident Response and Breach Notification

10.1 Security Incident Identification and Response

The Practice maintains an incident response process to identify, contain, investigate, and remediate suspected or confirmed security incidents affecting website systems or website-submitted PHI.

10.2 Breach Risk Assessment and Notifications

If a breach of unsecured PHI is suspected or confirmed, the Practice performs a HIPAA-required risk assessment and provides notices as required by applicable federal and state law.

10.3 Documentation

The Practice documents security incidents, investigations, and corrective actions and retains records in accordance with HIPAA documentation requirements and internal retention policies.

11. Patient Rights and Requests

11.1 Notice of Privacy Practices

Patient rights regarding PHI are described in the Practice NPP, including rights to access records, request amendments, request confidential communications, and receive an accounting of certain disclosures.

11.2 Contact for Privacy Requests

Patients may contact the Privacy Officer using the contact information above to exercise HIPAA rights or to ask questions about the Practice privacy and security practices.

12. Policy Maintenance and Updates

12.1 Review and Revision

This Policy is reviewed periodically and updated as needed to reflect changes in website features, vendors, applicable law, and security best practices. Material changes are reflected by updating the Effective Date.

12.2 Conflicts

If there is a conflict between this Policy and the Practice NPP, the NPP controls with respect to uses and disclosures of PHI and patient rights. This Policy governs website-specific safeguards and operational controls.

13. Contact Information

13.1 Privacy Officer

Privacy Officer: Peiman Ghatan, PA-C, [4104586666], [[email protected]], 409B Central Ave, Cedarhurst, NY 11516
