The Body Shoppe

HIPAA Compliance

HIPAA Compliance Policy

At The Body Shoppe, we are committed to protecting the privacy and security of your Protected Health Information (PHI) in accordance with the Health Insurance Portability and Accountability Act (HIPAA) and applicable state privacy laws.

1. Scope

This policy applies to all workforce members, including employees, contractors, trainees, and any third parties who may access PHI while providing services on our behalf.

2. What We Protect

Protected Health Information (PHI)

PHI includes individually identifiable health information related to your medical history, test results, diagnoses, treatments, and payment details, whether shared verbally, on paper, or electronically.

3. How We May Use and Share PHI

We use and disclose PHI only as permitted by HIPAA, including for treatment, payment, and healthcare operations, and as otherwise required by law.

Treatment

To coordinate and provide care, including sharing relevant information with authorized healthcare providers involved in your treatment.

Payment

To support billing, claims processing, eligibility verification, and related payment activities.

Healthcare Operations

To support quality improvement, training, auditing, and clinic operations, while limiting access to authorized personnel.

4. Minimum Necessary Standard

When using or disclosing PHI for purposes other than treatment, we limit information to the minimum necessary to accomplish the intended purpose.

5. Patient Privacy Rights

You may have the right to access your records, request corrections, request confidential communications, and receive an accounting of certain disclosures, as permitted by HIPAA and state law.

6. Safeguards We Use to Protect PHI

Administrative Safeguards

We maintain internal policies, workforce training, role-based access, and vendor oversight procedures designed to protect PHI.

Physical Safeguards

We secure paper records and restrict access to areas where PHI is stored or discussed, using reasonable measures to prevent unauthorized viewing or access.

Technical Safeguards

We use appropriate security controls such as unique user access, authentication, access monitoring, secure storage, and secure transmission methods where applicable.

7. Business Associates

When we work with vendors who may access PHI, we require appropriate agreements and safeguards to support HIPAA-compliant handling of your information.

8. Incidents and Breach Response

We take privacy and security incidents seriously and follow established procedures to investigate, mitigate, document, and notify affected individuals and regulators when required by law.

9. Policy Updates

We may update this policy periodically to reflect operational, legal, or regulatory changes. The most current version will be posted on our website.

Questions

For questions about our privacy practices or HIPAA-related requests, please visit our Contact page.