Privacy Policy
Effective Date: January 18, 2023
Applies To: serenityfamilyclinic.com and services provided by Serenity Family Clinic (the “Clinic,” “we,” “us,” or “our”).
Location: 845 Mission Street, Suite 210, San Francisco, CA 94103
Contact: (415) 555‑7294 • info@serenityfamilyclinic.com
1) Scope & Overview
This Privacy Policy explains how we handle your information in two contexts:
- Website & Administrative Privacy Notice – covers information collected through our website, contact forms, scheduling tools, and routine business operations.
- HIPAA Notice of Privacy Practices (NPP) – covers Protected Health Information (PHI) created or received when we provide healthcare services. When the two sections differ, the HIPAA Notice governs PHI.
We do not sell or share patient information for cross‑context behavioral advertising.
2) Information We Collect
A. Website/Business Information (Non‑PHI)
- Contact details (name, email, phone).
- Appointment details (requested date/time, service type).
- Technical data (IP address, device/browser info, pages visited, cookies).
- Communications (messages you send us, call recordings where permitted and disclosed).
- Billing/Payment data (if you pay online—processed by a PCI‑compliant vendor).
B. Protected Health Information (PHI)
PHI may include your medical history, diagnoses, lab results, medications, insurance details, and other health data we create/receive in the course of treatment or payment/operations.
3) How We Use Your Information
A. For Website/Business Operations (Non‑PHI)
- To respond to inquiries, schedule visits, and provide customer support.
- To operate, secure, analyze, and improve our website and services.
- For marketing communications with your consent or as permitted by law (you may opt out at any time).
- For legal compliance, fraud prevention, and safety.
B. For PHI (HIPAA Purposes)
We may use and disclose PHI without additional authorization for:
- Treatment (e.g., sharing relevant info with specialists or labs).
- Payment (e.g., submitting claims to your insurer).
- Healthcare operations (e.g., quality assessment, accreditation, audits).
We may also use/disclose PHI as required or permitted by law (e.g., public health reporting, preventing serious threats, workers’ compensation, law enforcement with proper authority, responding to court orders/subpoenas).
Other uses/disclosures of PHI—such as most marketing, sale of PHI, or certain fundraising communications—require your written authorization, which you can revoke in writing at any time unless we have already acted in reliance on it.
4) Your Rights Regarding PHI
Under HIPAA, you have the right to:
- Access and obtain a copy of your medical record.
- Request corrections to your PHI if you believe it is inaccurate or incomplete.
- Request restrictions on certain uses/disclosures (we are not always required to agree).
- Request confidential communications (e.g., alternative mailing address or phone).
- Receive an accounting of disclosures (certain exceptions apply).
- Receive a paper copy of this Notice at any time.
- File a complaint without retaliation if you believe your privacy rights have been violated:
  - With us: info@serenityfamilyclinic.com, (415) 555‑7294
  - With HHS Office for Civil Rights: https://www.hhs.gov/ocr/privacy/hipaa/complaints/
5) California Privacy Notice (CPRA/“CCPA”) — Non‑PHI
For California residents, to the extent we process personal information outside HIPAA:
- Categories collected: identifiers (name, email, phone), internet/network activity (pages viewed, device data), geolocation (coarse), and professional info (if you apply for a job).
- Sources: directly from you; from your device/browser; service providers (e.g., scheduling, analytics).
- Purposes: website operation, responding to inquiries, security/fraud prevention, analytics, and—with consent—marketing.
- Disclosure: we disclose to service providers/contractors bound by contracts limiting use to our business purposes (e.g., hosting, email, analytics, payments).
- Sale/Sharing: We do not sell personal information and do not share it for cross‑context behavioral advertising.
- Your CPRA rights: to know/access, correct, delete, and to limit use of sensitive personal information (if collected). You may also opt out of sale/sharing (not applicable as we do not sell/share). To exercise rights, email privacy@serenityfamilyclinic.com (or use our web form if provided). We will verify your request as required by law.
Note: CPRA does not apply to PHI processed under HIPAA; your PHI is governed by HIPAA rights described above.
6) Cookies & Analytics (Website)
- We may use strictly necessary cookies (site functionality), performance/analytics cookies (to understand site usage), and preference cookies (remember settings).
- You can manage cookies via your browser settings. If we use consent banners, you can adjust preferences there.
- If any third‑party analytics or maps are embedded, those providers may collect device and usage data per their privacy policies.
7) Data Security
We use administrative, technical, and physical safeguards to protect information, including encryption in transit, access controls, staff training, and vendor due diligence. No system is 100% secure; please contact us immediately if you believe your data has been compromised.
8) Data Retention
- PHI: retained according to applicable laws and professional guidelines (often at least 6 years under HIPAA; longer under California medical record rules and payer requirements).
- Website/business records: retained as needed for the purposes described or as required by law, then securely deleted or de‑identified.
9) Children’s Privacy
Our pediatric care involves PHI with parental/guardian consent as permitted by law. We do not knowingly collect non‑clinical personal information from children under 13 via the website without verifiable parental consent (consistent with COPPA).
10) Third‑Party Services & Links
Our site may link to third‑party sites or use third‑party tools (e.g., online booking, payment processors, maps, analytics). Their privacy practices are governed by their own policies. We encourage you to review them.
11) Breach Notification
If PHI is involved in a breach, we will notify affected individuals and regulators consistent with HIPAA Breach Notification Rule timelines and requirements. For non‑PHI, we follow applicable state/federal laws.
12) How to Exercise Your Rights or Ask Questions
- HIPAA/Medical Record Requests: medicalrecords@serenityfamilyclinic.com
- General Privacy/CPRA Requests: privacy@serenityfamilyclinic.com
- Phone: (415) 555‑7294
- Mail: Privacy Officer, Serenity Family Clinic, 845 Mission Street, Suite 210, San Francisco, CA 94103
Please include sufficient details for verification. We may ask for additional information to confirm your identity.
13) Changes to This Policy
We may update this policy from time to time. Changes will be posted here with a new Effective Date. For material changes affecting PHI, we will update our Notice of Privacy Practices and make it available in our clinic and on our website.