ReGlow Wellness Privacy Policy

Effective Date: February 8, 2026Last Updated: February 8, 2026

1. Introduction

1.1 Who We Are

ReGlow Wellness ("we," "us," or "our") operates as a Management Services Organization (MSO) providing scheduling, operational support, and administrative services to a physician-owned medical practice located in Levittown, NY.

Important: ReGlow Wellness (MSO) does not practice medicine, make clinical decisions, or own the medical practice. All medical care is provided by a separate physician-owned professional medical corporation. This Privacy Policy applies to our scheduling and operational systems only.

1.2 What This Policy Covers

This Privacy Policy describes how we collect, use, disclose, and protect your information through our scheduling platform and patient portal (the "System"). This System is an operational tool for appointment scheduling and coordination—it is not an electronic health records (EHR) system.

Scope:

• ✅ Covered: Scheduling data, appointment management, patient portal, communications
• ❌ Not Covered: Medical records, clinical notes, treatment documentation (maintained separately by the medical practice)

1.3 HIPAA Designation

ReGlow Wellness operates as a Business Associate under the Health Insurance Portability and Accountability Act (HIPAA) to the physician-owned medical practice. We handle certain protected health information (PHI) necessary for scheduling and operational purposes, and we maintain strict compliance with all HIPAA Privacy and Security Rules.

1.4 Geographic Scope

We operate in New York State and comply with all applicable New York privacy laws, including the NY SHIELD Act.

2. Information We Collect

2.1 Patient Demographics & Contact Information

We collect and maintain:

• Personal identifiers: Full name, date of birth, sex/gender
• Contact information: Phone number(s), email address, mailing address
• Insurance information: Insurance carrier, policy numbers, subscriber information
• Patient identifiers: Internal patient ID numbers

Collection method: Provided directly by you, entered by our staff, or synced from the medical practice's records.

2.2 Appointment & Scheduling Information

• Appointment dates, times, and locations
• Appointment type (medical, massage, acupuncture)
• Appointment status (pending, confirmed, checked-in, completed, cancelled, no show)
• Provider assignments
• Appointment history
• Linked appointments (e.g., medical clearance appointment paired with treatment)
• Cancellation and rescheduling history

2.3 Medical Referral Information (Scripts)

To enforce medical requirements for massage and acupuncture treatments, our System reads (but does not store in our database) the following information from the medical practice's EHR:

• Active medical referrals ("scripts") for specific treatment types
• Script issue and expiration dates
• Authorized visit counts
• Used visit counts
• Treatment type authorizations

Critical clarification: This medical referral information remains stored and controlled by the physician-owned medical practice. Our scheduling system only references this information to enforce booking rules. We do not make medical determinations about these scripts—they are issued solely by licensed medical providers.

2.4 Financial & Billing Information

• Account balances
• Payment history
• Payment method information (processed by third-party payment processors)
• Insurance verification status

2.5 Authentication & Portal Access Data

• Login credentials (date of birth used for authentication)
• SMS one-time passwords (OTPs) — stored temporarily for verification
• Login timestamps and session information
• Failed login attempts
• IP addresses and device information
• Session tokens

2.6 Communications

• SMS appointment reminders and confirmations
• Email notifications and correspondence
• Communication preferences (SMS vs. email)
• Delivery status and read receipts
• Appointment confirmation link interactions

2.7 Audit & Operational Data

Our System automatically logs:

• All appointment changes and who made them
• Status updates
• Staff time-off requests and approvals
• Admin override actions and reasons
• Medical data access logs
• System access by staff members

All logs include: user identity, action taken, date, time, and reason (when applicable).

2.8 Technical & Usage Information

• Browser type and version
• Device type and operating system
• Pages visited within patient portal
• Session duration
• Cookies and similar tracking technologies
• Referral sources

3. How We Collect Information

3.1 Direct Collection

• Information you provide when booking appointments
• Portal registration and profile updates
• Phone calls with our staff
• Forms and questionnaires

3.2 From Healthcare Providers

• Information entered by staff during scheduling
• Updates from front desk and administrative staff

3.3 From Medical Practice EHR

• Read-only access to medical referral (script) information stored in the physician-owned practice's Airtable-based EHR
• Patient demographic updates for consistency
• Insurance information for verification

3.4 Automatically

• Login and session data through the patient portal
• Audit logs of all system activities
• Device and browser information

3.5 From Third Parties

• Insurance eligibility verification services
• SMS verification service (Twilio) for authentication
• Payment processing partners

4. How We Use Your Information

4.1 Primary Purposes (HIPAA Treatment, Payment, Healthcare Operations)

Scheduling & Appointment Management:

• Schedule, confirm, reschedule, and cancel appointments
• Assign appropriate providers based on appointment type
• Manage provider availability and schedules
• Enforce medical clearance requirements (linked medical appointments)
• Prevent double-booking and scheduling conflicts

Medical Requirement Enforcement:

• Verify active medical referrals (scripts) before booking massage or acupuncture
• Check script expiration dates and visit limits
• Automatically create required medical clearance appointments
• Alert staff when scripts are near expiration or low on visits

Note: This is operational enforcement of requirements set by the medical practice; we do not make medical determinations.

Communications:

• Send appointment confirmations and reminders (SMS and email)
• Notify you of schedule changes
• Provide appointment confirmation links
• Send script expiration warnings
• Communicate account information and balances

Patient Portal:

• Enable secure login and authentication
• Allow self-service appointment booking within established rules
• Display your appointment history and upcoming visits
• Show account balances and alerts
• Enable appointment confirmation via public links

Billing Support:

• Process payments and maintain account balances
• Support insurance verification and claims
• Provide billing information to the medical practice

Staff Operations:

• Manage staff schedules, roles, and availability
• Coordinate multi-location staffing
• Track time-off requests
• Optimize provider assignments

4.2 Secondary Purposes

System Security & Fraud Prevention:

• Authenticate users and prevent unauthorized access
• Detect and prevent fraudulent bookings or abuse
• Maintain audit trails for security investigations
• Monitor system integrity

Operational Analytics:

• Analyze appointment patterns and no-show rates
• Optimize scheduling efficiency
• Improve patient and staff experience
• Identify operational bottlenecks

Legal Compliance:

• Respond to legal requests and regulatory requirements
• Maintain required records and audit trails
• Comply with HIPAA, state, and federal regulations
• Support regulatory audits

Quality Improvement:

• Improve our scheduling system and processes
• Train staff on system usage
• Develop new features and functionality

4.3 What We DON'T Use Your Information For

• ❌ Medical treatment decisions (limited by MSO structure)
• ❌ Clinical judgment or diagnosis (physician-owned practice only)
• ❌ Marketing or advertising without your explicit consent
• ❌ Selling or renting to third parties
• ❌ Sharing with employers (even if your insurance is through your employer)
• ❌ Controlling or directing medical care

5. Legal Bases for Processing

We process your information based on:

• HIPAA Treatment, Payment, and Healthcare Operations (TPO): Necessary for coordinating your care and managing appointments
• Consent: You provide consent when creating an account and booking appointments
• Contractual Necessity: Required to fulfill our scheduling services
• Legal Obligation: Compliance with HIPAA, NY state law, and other regulations
• Legitimate Business Interests: Operational improvements, security, and fraud prevention (balanced against your privacy rights)

6. Information Sharing & Disclosure

6.1 With the Physician-Owned Medical Practice

We share scheduling and operational data with the medical practice that provides your care, including:

• Appointment schedules and status
• Patient contact information
• Insurance information
• Appointment history

Purpose: Care coordination and operational support. The medical practice maintains separate medical records that we do not control.

6.2 With Business Associates (HIPAA-Compliant Service Providers)

We work with third-party service providers who have signed Business Associate Agreements (BAAs) and maintain HIPAA compliance:

Service ProviderPurposeData SharedTwilioSMS notifications and authenticationPhone numbers, appointment details, OTP codesEmail Service ProviderEmail notificationsEmail addresses, appointment details, notificationsDatabase HostingSystem infrastructureAll scheduling data (encrypted)Payment ProcessorPayment processingName, payment information, amounts

All Business Associates are contractually required to:

• Maintain HIPAA compliance
• Use appropriate security safeguards
• Only use PHI for specified purposes
• Report any breaches immediately

You may request a current list of our Business Associates by contacting our Privacy Officer.

6.3 For Legal Reasons

We may disclose information when required by law:

• Subpoenas or court orders
• Regulatory investigations (Department of Health, HHS Office for Civil Rights)
• Law enforcement requests (with appropriate legal authority)
• Public health reporting (as required by law)
• Worker's compensation (if applicable)

We will notify you of such disclosures unless prohibited by law.

6.4 Business Transfers

If ReGlow Wellness or the MSO is involved in a merger, acquisition, sale of assets, or bankruptcy:

• You will be notified via email and portal notification
• Your information may be transferred as part of business assets
• The new entity must honor this Privacy Policy
• You will have the opportunity to opt out where legally permitted

6.5 With Your Consent

We may share information with other parties if you provide specific written consent.

6.6 We Do NOT Share

• ❌ For marketing purposes (unless you opt-in separately)
• ❌ With employers (even if employer-sponsored insurance)
• ❌ With insurance companies (except as required for coverage verification)
• ❌ Publicly or on social media
• ❌ To data brokers or aggregators

7. Data Storage, Security & Protection

7.1 Technical Safeguards

Encryption:

• In Transit: All data transmitted using TLS 1.3 encryption (HTTPS)
• At Rest: PostgreSQL database encryption for all stored data
• Backups: Encrypted backup storage

Access Controls:

• Role-based access control (RBAC) limiting data access by job function
• Multi-factor authentication (MFA) for all staff accounts
• Strong password requirements
• Automatic session timeout after inactivity
• Failed login attempt lockouts

Monitoring & Logging:

• Comprehensive audit logs of all data access and changes
• Real-time security monitoring and alerts
• Regular log review by security team
• Intrusion detection systems

Network Security:

• Firewall protection
• Regular penetration testing
• Vulnerability scanning
• Secure API design and authentication

7.2 Physical Safeguards

Data Center Security:

• US-based data centers with 24/7 physical security
• Biometric access controls
• Video surveillance
• Environmental controls (fire suppression, climate control)
• Redundant power and network connectivity

Geographic Storage:

• All data stored on servers located in the United States
• No international data transfers

7.3 Administrative Safeguards

Staff Training:

• Annual HIPAA and privacy training for all staff
• Role-specific security training
• Incident response training
• Regular security awareness updates

Policies & Procedures:

• Written information security policies
• Incident response plan
• Disaster recovery and business continuity plans
• Vendor management and BAA oversight
• Regular policy reviews and updates

Risk Management:

• Annual HIPAA risk assessments
• Regular security audits
• Third-party security assessments
• Continuous compliance monitoring

7.4 System-Specific Security

Patient Portal:

• DOB + SMS OTP two-factor authentication
• Secure session management
• No storage of OTP codes after verification
• Rate limiting on authentication attempts

Public Confirmation Links:

• Time-limited, single-use tokens
• No sensitive PHI exposed in URLs
• Secure token generation
• Link expiration after use or timeout

Database Architecture:

• Separation of operational (scheduling) and medical record systems
• Read-only access to medical EHR for script verification
• No storage of clinical data in scheduling database

8. Data Retention & Deletion

8.1 Retention Periods

Active Patient Records:

• Scheduling data retained while you remain an active patient
• Appointment history maintained for continuity of care

Audit Logs:

• Retained for 7 years (HIPAA requirement)
• Cannot be deleted due to compliance obligations

Inactive Accounts:

• If no appointment activity for 3 years, account marked inactive
• Data archived according to legal requirements
• Notice sent before archiving (if contact information is current)

Legal Holds:

• Data subject to legal proceedings retained until matter resolved
• Override normal deletion schedules

8.2 Deletion Requests

You may request deletion of your information, subject to limitations:

What can be deleted:

• Marketing preferences and communications
• Portal access credentials
• Optional contact information

What cannot be deleted:

• Records required for legal/regulatory compliance (7-year minimum)
• Audit logs
• Financial records
• Information necessary for legitimate business purposes

Process: Submit written request to our Privacy Officer (see Section 17).

8.3 Account Closure

If you close your account or stop receiving services:

• Portal access disabled immediately
• Personal identifiers maintained for records retention
• Historical appointment data archived
• Compliance with applicable retention laws

9. Your HIPAA Privacy Rights

Under HIPAA and New York law, you have the following rights regarding your information:

9.1 Right to Access

You have the right to inspect and obtain a copy of your scheduling information.

• How to request: Submit written request to our Privacy Officer
• Response time: Within 30 days (one 30-day extension if needed)
• Format: Electronic or paper copy, as requested
• Fee: We may charge reasonable copying costs
• What's included: All scheduling data, appointment history, communications

How to make a request: See Section 17 for contact information.

9.2 Right to Amend

You have the right to request corrections to your information.

• Submit written request with specific corrections
• We may deny if information is accurate and complete
• If denied, you may submit a statement of disagreement
• Response within 60 days

Note: Medical determinations (scripts, medical clearances) can only be amended by the physician-owned medical practice, not by ReGlow.

9.3 Right to an Accounting of Disclosures

You have the right to receive a list of certain disclosures we made.

• Covers 6 years prior to request
• Excludes routine disclosures (treatment, payment, operations)
• Includes unusual disclosures (legal requests, breaches)
• First accounting per year free; fee for additional requests
• Response within 60 days

9.4 Right to Request Restrictions

You have the right to request limits on how we use or share your information.

• Submit written request with specific restriction
• We are not required to agree, except in limited circumstances
• If we agree, we must follow the restriction
• Restriction does not apply to emergencies or legal requirements

Example: Request that we not leave appointment reminders as voicemail.

9.5 Right to Confidential Communications

You have the right to request we contact you in specific ways.

• Request specific phone number or email address
• Request no phone calls, SMS only
• Request communications be sent to alternative address
• We will accommodate reasonable requests

How to request: Update preferences in patient portal or contact our office.

9.6 Right to Breach Notification

You have the right to be notified if your information is breached.

• Notification within 60 days of discovery (federal requirement)
• Notification within shorter timeframe if required by NY law
• Written notice including:
  • What happened
  • What information was involved
  • Steps we've taken
  • What you can do
  • How to contact us

9.7 Right to a Paper Copy of This Policy

You have the right to receive a paper copy of this Privacy Policy.

• Available at any time upon request
• Posted on our website
• Provided during first appointment
• Updated versions available online

9.8 Right to File a Complaint

You have the right to complain if you believe your privacy rights were violated.

File a complaint with us:

• Contact our Privacy Officer (see Section 17)
• We will not retaliate against you

File a complaint with HHS:

• U.S. Department of Health & Human Services
• Office for Civil Rights
• Online: https://ocrportal.hhs.gov/ocr/portal/lobby.jsf
• Mail: See HHS website for regional office addresses
• Phone: 1-800-368-1019

No Retaliation: We will not retaliate, intimidate, or discriminate against you for filing a complaint or exercising your rights.

10. MSO Structure & Clinical Separation

10.1 Understanding Our Role

ReGlow Wellness (MSO) provides:

• ✅ Scheduling system and technology
• ✅ Operational and administrative support
• ✅ Billing operations assistance
• ✅ Facilities and non-clinical staffing coordination
• ✅ Marketing and business analytics

ReGlow Wellness (MSO) does NOT:

• ❌ Practice medicine or make clinical decisions
• ❌ Own or control the medical practice
• ❌ Direct or influence medical judgment
• ❌ Control medical records or treatment documentation
• ❌ Employ physicians or make personnel decisions for clinical staff

10.2 Medical Practice Relationship

Your medical care is provided by Alliance Wellness Medical PLLC, a separate physician-owned professional corporation. This legal structure is required by New York's Corporate Practice of Medicine doctrine.

Medical Practice (Physician-Owned Entity):

• Issues medical referrals (scripts) for treatments
• Makes all clinical decisions
• Maintains medical records and clinical documentation
• Employs or contracts with licensed medical providers
• Has ultimate authority over patient care

MSO–Medical Practice Agreement:

• Formal contract defines roles and responsibilities
• Ensures clinical independence
• Protects patient care quality
• Maintains regulatory compliance

10.3 Data Separation

Two Separate Systems:

Scheduling System (ReGlow MSO):

• Built on Next.js, Prisma, PostgreSQL
• Stores operational and scheduling data
• Appointment management
• Patient portal
• Communications
• Does NOT store medical records

Medical Records System (Medical Practice):

• Built on Airtable
• Stores all medical documentation
• SOAP notes
• Medical referrals (scripts)
• Procedures and clinical data
• Controlled by physician-owned practice

Integration:

• Scheduling system has read-only access to medical referral (script) data
• Purpose: Enforce booking rules, not make clinical judgments
• Medical practice owns and controls all clinical data
• Clear audit trail of all cross-system access

10.4 Script Enforcement Clarification

When our System checks for valid medical referrals (scripts) before booking:

• This is operational enforcement, not clinical decision-making
• Scripts are created by licensed medical providers
• System prevents booking if script requirements not met
• Admins may override with documented reason
• All medical determinations remain with the physician-owned practice

We do not:

• Decide what treatments are medically necessary
• Determine script validity or appropriateness
• Make clinical judgments about patient conditions
• Influence provider medical decision-making

11. New York State Law Compliance

11.1 NY SHIELD Act

We comply with the New York Stop Hacks and Improve Electronic Data Security (SHIELD) Act, which requires:

• Reasonable administrative, technical, and physical safeguards
• Written information security policy
• Risk assessment and mitigation
• Employee training
• Vendor oversight

11.2 NY Data Breach Notification

New York requires faster breach notification than federal HIPAA:

• Notification "without unreasonable delay"
• Generally interpreted as more quickly than HIPAA's 60 days
• Notification to NY Attorney General if 500+ NY residents affected
• Notification to consumer reporting agencies if 5,000+ affected

11.3 Corporate Practice of Medicine Compliance

Our MSO structure complies with NY's prohibition on corporate practice of medicine:

• Medical practice is physician-owned and operated
• Clinical independence maintained
• MSO provides operational support only
• No corporate control over medical decisions

12. Children's Privacy

12.1 Minors Under 18

Parental Consent Required:

• Parents/legal guardians must provide consent for minors
• Parents may access minor's scheduling information
• Parents may book and manage appointments for minors

Age of Majority:

• At age 18, patient gains full control of their account
• Parents no longer have automatic access
• Patient may grant parent continued access

12.2 Children Under 13 (COPPA)

For children under 13:

• Enhanced parental consent required
• Parent/guardian must create and control patient portal account
• We do not knowingly collect information directly from children under 13 without verifiable parental consent

12.3 Emancipated Minors

If you are an emancipated minor or legally authorized to consent to your own care under New York law, please notify us to ensure appropriate access controls.

13. Cookies & Tracking Technologies

13.1 What We Use

Essential Cookies:

• Session management for patient portal
• Authentication tokens
• Security features
• Required for system functionality
• Cannot be disabled

Functional Cookies:

• Remember your preferences
• Language settings
• Portal customization

Analytics Cookies (if applicable):

• Understand how portal is used
• Improve user experience
• Aggregate usage statistics
• No PHI included in analytics

13.2 Your Choices

Browser Controls:

• Most browsers allow you to control cookies
• Blocking essential cookies will prevent portal access
• Clear cookies through browser settings

Do Not Track:

• We respect Do Not Track (DNT) signals where technically feasible
• Essential cookies will still function

13.3 Third-Party Tracking

We do not allow third-party advertising or tracking on our patient portal.

14. Notifications & Communications

14.1 Appointment Reminders

Methods:

• SMS (primary): Text message reminders
• Email (fallback): Email if SMS fails

Timing:

• 2 days before appointment
• 1 day before appointment
• Day of appointment (morning)

Content:

• Appointment date, time, location
• Provider name
• Appointment type
• Confirmation/cancellation options

14.2 Communication via Twilio

SMS Provider: We use Twilio as our Business Associate for SMS delivery.

Security:

• Twilio has signed HIPAA Business Associate Agreement
• SMS content encrypted in transit
• Messages contain minimal PHI
• OTP codes deleted after verification

Limitations:

• SMS is not 100% secure
• Messages may be visible on locked screens
• Carrier networks may have access
• Consider email if SMS security concerns you

14.3 Opt-Out Options

You may opt out of:

• SMS reminders (email reminders will be used instead)
• Email reminders (SMS will be used instead)
• Marketing communications (if any)

You cannot opt out of:

• Essential service communications (appointment confirmations, cancellations, urgent schedule changes)
• Security alerts
• Legal notices

How to opt out: Update preferences in patient portal or contact our office.

14.4 Failure Retry

If SMS or email delivery fails:

• System automatically retries with alternate method
• Multiple delivery attempts made
• Staff may call if critical appointment

15. International Data & Transfers

15.1 US-Based Operations

• All data stored on servers located in the United States
• No international data transfers
• No storage in foreign jurisdictions

15.2 GDPR & International Privacy Laws

We do not target or serve patients outside the United States. If you are located outside the US:

• Our services may not be available to you
• Different privacy laws may apply
• Please contact us before using our services

16. Changes to This Privacy Policy

16.1 Updates

We may update this Privacy Policy to reflect:

• Changes in laws or regulations
• New system features
• Operational changes
• Security enhancements

16.2 Notice of Changes

How we notify you:

• Email to address on file
• Notification in patient portal
• Posted on our website with "Last Updated" date

Material Changes:

• 30 days' advance notice
• Opt-out opportunity if legally required
• Effective date clearly stated

16.3 Version History

Previous versions of this Privacy Policy are available upon request.

16.4 Your Acceptance

By continuing to use our services after changes, you accept the updated Privacy Policy.

If you do not agree with changes, you may:

• Discontinue using the patient portal
• Request information deletion (subject to legal limitations)
• Contact us to discuss concerns

17. Contact Information

17.1 Privacy Officer

For privacy questions, requests, or complaints:

ReGlow Wellness — Privacy Officer11 Emerson AveLevittown, NY 11756

• Email: hello@reglowwellness.com
• Phone: 516-566-0000
• Hours: Monday–Friday, 9:00 AM – 5:00 PM EST

17.2 Types of Requests

Privacy Officer can help with:

• Access requests (copies of your data)
• Amendment requests (corrections)
• Accounting of disclosures
• Restriction requests
• Confidential communication requests
• Privacy complaints
• General privacy questions
• Business Associate list requests
• Consent management

17.3 Medical Practice Contact

For medical record requests or clinical questions:

Alliance Wellness Medical PLLC11 Emerson AveLevittown, NY 11756

• Phone: 516-566-0000

Note: The medical practice maintains separate medical records not covered by this Privacy Policy.

17.4 Response Times

• Access requests: 30 days (one 30-day extension if needed)
• Amendment requests: 60 days
• Accounting of disclosures: 60 days
• General inquiries: 5–7 business days
• Urgent matters: Within 24 hours

18. Compliance Certifications & Audits

18.1 Our Commitments

We maintain:

• HIPAA Privacy Rule compliance
• HIPAA Security Rule compliance
• NY SHIELD Act compliance
• Regular security audits
• Annual risk assessments
• Business Associate Agreement oversight

18.2 Verification

You may request:

• Summary of our most recent risk assessment
• List of current Business Associates
• Confirmation of specific security measures

Contact our Privacy Officer to request compliance verification information.

18.3 External Audits

We undergo:

• Annual HIPAA compliance audits
• Third-party security assessments
• Penetration testing
• Vulnerability assessments

19. Data Breach Response

19.1 Our Commitment

We take data security seriously. Despite our safeguards, no system is 100% secure.

19.2 What Constitutes a Breach

A breach occurs when:

• Unauthorized acquisition of PHI
• PHI is accessed, used, or disclosed impermissibly
• Security incident compromises confidentiality, integrity, or availability

19.3 Our Response

If a breach occurs:

Immediate:

• Contain and mitigate the breach
• Begin investigation
• Preserve evidence
• Assess risk to patients

Notification:

• Patients affected: Within 60 days (federal) or sooner (NY law)
• NY Attorney General: If 500+ NY residents affected
• HHS Office for Civil Rights: As required
• Media: If 500+ individuals affected

Remediation:

• Fix vulnerability
• Enhance security measures
• Additional staff training
• System improvements

19.4 What You'll Receive

Breach notifications include:

• Description of what happened
• Types of information involved
• Steps we've taken
• What you can do to protect yourself
• How to contact us for questions
• Contact for credit monitoring (if applicable)

19.5 Low Risk Exceptions

If we determine a breach poses low risk of harm (after thorough risk assessment), notification requirements may differ. We document all risk assessments.

20. Patient Portal Specifics

20.1 Authentication Security

Login Process:

1. Enter date of birth (DOB)
2. Receive SMS one-time password (OTP) to phone on file
3. Enter OTP within 5 minutes
4. Access granted for secure session

Security features:

• OTP codes are single-use and time-limited
• OTP not stored after verification
• Failed attempt lockout after 5 tries
• Session timeout after 15 minutes of inactivity
• Must re-authenticate for sensitive actions

20.2 Public Confirmation Links

How they work:

• Receive link via SMS or email
• Click to confirm appointment without logging in
• Link contains secure token

Security:

• Links expire after 7 days or after use
• Single-use tokens
• No sensitive PHI in URL
• Time-limited access
• Cannot access other appointments or data

20.3 Portal Capabilities

What you can do:

• View upcoming appointments
• View appointment history (past 2 years)
• Book new appointments (within rules)
• Reschedule appointments (if permitted)
• Cancel appointments
• Update contact preferences
• View account balance

What you cannot do:

• Access medical records or SOAP notes
• View test results or clinical data
• Request prescriptions
• Communicate with providers about medical issues

For medical questions: Contact the medical practice directly.

21. Additional Disclosures

21.1 No Medical Advice

This System provides scheduling services only. It does not provide medical advice, diagnosis, or treatment.

• Script requirement enforcement is operational, not clinical
• Appointment booking does not replace medical judgment
• Always consult your healthcare provider for medical questions

21.2 System Availability

While we strive for 24/7 availability:

• System maintenance may require downtime
• Emergency outages may occur
• Scheduled maintenance announced in advance
• Call our office if portal is unavailable and you need assistance

21.3 Third-Party Links

Our patient portal may contain links to third-party websites (e.g., payment processors). We are not responsible for the privacy practices of third-party sites. Review their privacy policies separately.

21.4 Limitation of Liability

To the extent permitted by law and HIPAA:

• We are not liable for force majeure events
• System outages do not waive our HIPAA obligations
• Your use of SMS assumes inherent security risks

Note: This limitation does not waive your HIPAA rights or our HIPAA obligations.

22. Definitions

• Business Associate (BA): A person or entity that performs functions or activities on behalf of, or provides services to, a covered entity that involve PHI.
• Covered Entity (CE): Healthcare providers, health plans, and healthcare clearinghouses that transmit health information electronically.
• Electronic Protected Health Information (ePHI): PHI that is created, stored, transmitted, or received electronically.
• Management Services Organization (MSO): An entity that provides operational and administrative services to a medical practice without practicing medicine.
• Protected Health Information (PHI): Individually identifiable health information transmitted or maintained in any form.
• Script: Medical referral or authorization for specific treatment (massage or acupuncture) including treatment type, duration, and visit limits.

23. Legal Notices

23.1 Governing Law

This Privacy Policy is governed by:

• Health Insurance Portability and Accountability Act (HIPAA)
• HITECH Act
• New York State law
• Federal regulations as applicable

Venue: Any disputes shall be resolved in New York State courts.

23.2 Severability

If any provision of this Privacy Policy is found invalid or unenforceable, the remaining provisions remain in full effect.

23.3 No Waiver of Rights

• You do not waive any HIPAA privacy rights by using our System.
• Our failure to enforce any right or provision does not constitute a waiver of that right.

23.4 Entire Agreement

This Privacy Policy, together with our Terms and Conditions, constitutes the entire agreement regarding privacy practices for our scheduling system.

24. Acknowledgment

By using our scheduling system or patient portal, you acknowledge that:

• You have read and understood this Privacy Policy
• You consent to the collection, use, and disclosure of your information as described
• You understand our MSO role and the separation from the medical practice
• You understand that scheduling data is separate from medical records
• You have the right to revoke consent (with limitations)

For questions about this Privacy Policy, contact our Privacy Officer using the information in Section 17.

Last Updated: February 8, 2026Effective Date: February 8, 2026Version: 1.0

© 2026 ReGlow Wellness. All rights reserved.

‍