
Achieve Your Peak Physio
Physical Therapy and Strength Coaching
Injury Prevention and Resilience for Mountain Athletes

Privacy Policy and Notice of Privacy Practices (HIPAA)
Effective Date: 9/12/2025
Practice Name: Achieve Your Peak Physio, LLC, a health care provider and HIPAA “Covered Entity” (“we,” “us,” “our”)
Primary Website: https://www.achieveyourpeakphysio.com (the “Site”)
1) Scope & How to Read This Policy
This document combines:
- a HIPAA Notice of Privacy Practices (NPP) describing how we use and disclose Protected Health Information (PHI); and
- a Website & App Privacy Notice describing how we handle non-PHI collected through this Site, our newsletters, and marketing tools.
Where laws conflict, we apply the rule that offers greater protection for you.
2) Key Definitions
- PHI: Individually identifiable health information created or received by us that relates to your health, care, or payment for care.
- Business Associate (BA): A vendor that handles PHI on our behalf under a Business Associate Agreement (BAA).
- Personal Information (PI): Non-PHI collected via the Site (e.g., cookies, device data).
- Sensitive PI (non-PHI context): Precise location, login credentials, financial data, etc.
3) What We Collect
A) PHI (Clinically Related)
- Demographics; contact details; emergency contact.
- Intake forms; evaluations; treatment notes; plans of care; progress measures; movement/ROM data; images/videos you provide for clinical purposes.
- Scheduling, billing, insurance eligibility/claims, and payment details (we do not store full card numbers).
- Communications with our care team (portal, secure messages, phone).
B) Website/App (Non-PHI)
- Contact forms (non-clinical): name, email, phone, inquiry contents.
- Device & usage data: IP address, browser/OS, pages viewed, session duration, general geolocation (from IP).
- Cookies/Pixels/SDKs: for site performance, security, analytics, and (if enabled) advertising/retargeting.
- User content: testimonials, reviews, non-clinical photos you submit for marketing with your consent.
Important: We do not use public web forms, standard email, or marketing pixels to collect PHI. For clinical matters, we direct you to our HIPAA-enabled systems under BAAs (see Section 11).
4) How We Use Information
A) PHI (HIPAA Purposes)
- Treatment: Provide and coordinate your care, consult with other providers at your direction.
- Payment: Billing you or your health plan, eligibility checks, prior authorization.
- Health Care Operations: Quality assurance, training, audits, credentialing, compliance, security, customer service.
- Legal/Public Health: As permitted or required by law (see Section 6).
B) Website/App (Non-PHI Purposes)
- Operate, secure, and improve the Site and services.
- Respond to inquiries and send service updates.
- Run analytics and (if enabled) marketing communications; you can opt out at any time.
- Prevent fraud and abuse.
5) HIPAA: Uses/Disclosures Requiring No Authorization
Where allowed by HIPAA and state law, we may use/disclose PHI for:
- Treatment, Payment, and Health Care Operations (see above).
- Public health & safety: report certain diseases/injuries; prevent serious threats.
- Health oversight: audits, inspections, licensure.
- Judicial/law enforcement: in response to court orders or as permitted.
- Workers’ compensation and similar programs.
- Research under HIPAA-compliant approvals/waivers.
- Decedents/organ donation/coroners/medical examiners where applicable.
- As required by law or for specialized government functions.
We apply the minimum necessary rule except for treatment and other HIPAA-specified exceptions.
6) HIPAA: Uses/Disclosures Requiring Your Written Authorization
We will obtain your authorization for uses/disclosures not described above, including most marketing, any sale of PHI, and most disclosures of psychotherapy notes (if applicable). You may revoke an authorization in writing at any time, except to the extent we have already relied on it.
We do not sell your PHI.
7) Your HIPAA Rights
You have the right to:
- Access/Copy PHI: including electronic copies where available, within HIPAA timeframes.
- Request Amendments to PHI you believe is incomplete or inaccurate.
- Accounting of Disclosures (certain exclusions apply).
- Request Restrictions: We must agree to your request to restrict disclosure to your health plan if you pay in full out-of-pocket and ask us to restrict.
- Confidential Communications: Request we contact you at specific addresses/numbers or via alternative means.
- Receive a Paper/Electronic Copy of this NPP at any time.
- Breach Notification: If a breach of unsecured PHI occurs.
- Fundraising Opt-Out (if we send any).
To exercise rights, contact our Privacy Official (above). We may require written requests and reasonable identity verification.
8) Our HIPAA Duties
We are required to:
- Maintain the privacy and security of your PHI;
- Provide this NPP and follow it;
- Notify you following a breach of unsecured PHI;
- Use administrative, technical, and physical safeguards; and
- Ensure vendors that handle PHI are bound by BAAs and follow HIPAA standards.
9) Telehealth, Remote Coaching & Recordings
We use HIPAA-enabled platforms under BAAs for telehealth, secure forms, and messaging. We do not record sessions without your written authorization. For privacy, join from a private space and keep your software up to date.
10) Record Retention
We retain medical records for [10 years] (or longer if required by your state or payers). When no longer required, records are securely destroyed or de-identified.
11) Our Systems & Vendors
A) HIPAA-Enabled Systems (with BAAs)
[List your systems: e.g., EHR/Portal, Telehealth, Secure Forms/Intake (IntakeQ/FormDr/Jotform HIPAA), e-fax, Cloud Storage (HIPAA-eligible tier).]
B) Website & Marketing (Non-PHI Context)
- Hosting: Wix. We configure Wix so it does not collect or store PHI.
- Payments: [Stripe/PayPal/Wix Payments] for non-clinical transactions; limited data shared to complete payments.
- Analytics/Ads (optional): [e.g., Google Analytics, Meta pixel]. We configure these not to receive PHI and avoid placing them on any page where PHI could be entered.
If a tool will handle PHI, we either execute a BAA with the vendor or do not use that tool for PHI.
12) Website & App Privacy (Non-PHI)
A) Categories of PI
Identifiers (name, email), device/usage data (IP, pages visited), and communications you send via general contact forms.
B) Purposes
Operate and secure the Site; respond to requests; analytics; optional marketing (with your consent where required).
C) Cookies & Tracking
- Essential cookies: site security and functionality.
- Analytics: understand usage and improve the Site.
- Advertising (optional): only if enabled and not on clinical/PHI pages.
Manage cookies via our banner and your browser settings. Some features may not work without essential cookies.
D) Do Not Track / Global Privacy Control
We honor legally required signals where applicable and will treat them as opt-out of targeted advertising or “sharing” to the extent required by law.
E) Third-Party Links/Embeds
Third-party sites and widgets have their own privacy practices. Review them before sharing information.
13) United States State Privacy Rights (Including Washington)
Many U.S. states provide residents with privacy rights for certain non-PHI personal information. If you are a resident of one of those states—including Washington—you may have the right to access, correct, or delete certain PI we hold about you; to opt out of targeted advertising or certain data “sales”/“sharing”; and to appeal our decisions regarding your request. These rights do not apply to PHI governed by HIPAA (covered elsewhere in this Policy).
A) Washington Residents
Washington law provides enhanced protections for consumer health data outside HIPAA contexts. Where applicable to our non-PHI website/app practices, Washington residents may have the ability to:
- Know/Access the categories and specific pieces of consumer health data we collect and the purposes for use;
- Delete consumer health data, subject to legal exceptions;
- Withdraw consent for collection or sharing where consent is required;
- Obtain a list of third parties with whom consumer health data was shared; and
- Opt out of targeted advertising or certain disclosures of PI where applicable.
How to Exercise U.S./Washington Rights:
Use our request channels below. We will verify your identity and respond within required timelines.
- Data Rights Request: [link to form or email]
- U.S. State Opt-Out (Targeted Advertising / Sale / Sharing): [link/button]
Note: These U.S. state rights apply to non-PHI personal information. PHI is handled under HIPAA (Sections 5–8). If a state law offers stronger protections than HIPAA for certain data, we follow the more protective rule.
B) International Transfers (U.S. Context)
If we transfer non-PHI PI to processors outside your state or the U.S., we use appropriate safeguards consistent with applicable law.
14) Security
We implement reasonable administrative, technical, and physical safeguards, including encryption in transit, access controls, role-based permissions, workforce training, audits, and vendor oversight. No system is 100% secure; please use strong, unique passwords and avoid sending PHI via non-secure channels.
15) Children’s Privacy
Our Site and services are intended for adults. We do not knowingly collect PI from children under 13 (or under 16 where applicable) without appropriate consent. If you believe a child provided information, contact us to remove it.
16) Marketing Communications
We may send non-essential emails/SMS with your consent (where required). You can opt out anytime using the link or instructions provided. We may still send transactional or service messages.
17) Transfers of Ownership
If we undergo a merger, acquisition, or asset transfer, your information may transfer as permitted by law. We will continue to protect PHI under HIPAA and provide required notices.
18) Changes to This Policy
We may update this Policy. Changes take effect on the “Effective Date” above. If we make material changes, we will post the new Policy on the Site and, where required, notify you.
19) Contact, Requests & Complaints
For HIPAA complaints, you may also contact the U.S. Department of Health & Human Services, Office for Civil Rights (OCR). We will not retaliate for filing a complaint.
For U.S. state privacy requests (including Washington), submit via the links above or contact us by email.
20) Disclosures Summary (At-a-Glance)
- We use HIPAA-enabled systems with BAAs for all PHI.
- We do not sell PHI or PI.
- We do not use marketing pixels or analytics on pages where PHI could be entered.
- U.S. residents (including Washington): use our U.S. State Opt-Out link for targeted advertising / “sale” / “sharing” opt-outs where applicable.
- International users: see Section 13B for transfer safeguards for non-PHI PI.