← Back to home
Legal · HIPAA

Notice of Privacy Practices

THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.

Effective date: July 3, 2026

1. Who follows this Notice

This Notice of Privacy Practices (this “Notice”) is issued by TOX DEN, a Texas aesthetic and wellness practice (the “Practice”), and applies to all sites of service, all clinicians and workforce members under our medical direction, and any business associates acting on our behalf. We are required by the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations (“HIPAA”) and applicable Texas law (including Tex. Health & Safety Code ch. 181 and 25 TAC §181.1 et seq.) to maintain the privacy of your protected health information (“PHI”), to provide you with this Notice of our legal duties and privacy practices with respect to PHI, to notify you following a breach of unsecured PHI, and to abide by the terms of the Notice currently in effect.

2. How we may use and disclose your PHI without your authorization

The following categories describe the ways we may use and disclose PHI without your written authorization. Not every use or disclosure is listed; all permitted uses fall within one of the categories below.

2.1 Treatment

We use and disclose PHI to provide, coordinate, and manage your healthcare. For example, we may share your PHI with a consulting physician, supervising physician, dispensing pharmacy, laboratory, or imaging center; document a procedure in your chart; or communicate with another clinician participating in your care.

2.2 Payment

We use and disclose PHI to bill and obtain payment for the care you receive — for example, to verify benefits if you elect insurance reimbursement, to process card charges through Stripe, to bill membership dues, or to collect outstanding balances.

2.3 Healthcare operations

We use PHI for activities necessary to operate the Practice, including quality improvement, peer review, accreditation, training of clinicians and staff, audit, business planning, and compliance.

2.4 Appointment reminders, treatment alternatives, and health-related benefits

We may contact you (by phone, secure portal message, email, or SMS to numbers you provide) to remind you of appointments, recall you for follow-up, or to inform you about treatment alternatives or health-related products and services we offer.

2.5 Individuals involved in your care

With your verbal agreement or, if you are not present or are incapacitated, in our professional judgment, we may share relevant PHI with a family member, friend, or other person you identify as involved in your care or payment for your care. You may instruct us at any time to limit or stop these disclosures.

2.6 As required by law

We will disclose PHI when required by federal, state, or local law, including for public-health activities, abuse or neglect reporting, food and drug safety reporting, health-oversight activities, judicial and administrative proceedings (such as in response to a court order, subpoena, or discovery request that meets HIPAA standards), law-enforcement purposes, decedent information to coroners and funeral directors, organ-donation purposes, certain research with appropriate authorizations or waivers, and to avert a serious threat to health or safety.

2.7 Specialized government functions and workers' compensation

We may disclose PHI for military and veterans activities, national security and intelligence activities, protective services for the President and others, correctional institutions if you are an inmate, and as authorized by Texas workers' compensation laws.

2.8 Business associates

We share PHI with vendors that perform services on our behalf (for example, our backend infrastructure provider, secure messaging provider, telehealth platform, and clearinghouse partners) under written Business Associate Agreements requiring HIPAA-equivalent safeguards.

3. Uses and disclosures that require your written authorization

The following uses and disclosures require your prior written authorization:

  • Marketing communications that involve financial remuneration to us from a third party.
  • Sale of PHI, which the Practice does not engage in.
  • Most uses and disclosures of psychotherapy notes, where applicable.
  • Disclosures of identifiable photographs for marketing, social media, or external publication.
  • Use of PHI for genetic information for underwriting purposes, which is prohibited.
  • Other uses and disclosures not described in this Notice.

You may revoke an authorization at any time, in writing, except to the extent we have already acted in reliance on it.

4. Your rights with respect to your PHI

4.1 Right to access and obtain a copy

You have the right to inspect and obtain a copy of PHI maintained in our designated record set, including in electronic form. We will respond within thirty (30) days (with one 30-day extension if needed) and may charge a reasonable, cost-based fee. We will furnish electronic copies in the form and format you request if readily producible.

4.2 Right to amend

You may request that we amend PHI you believe is inaccurate or incomplete. Requests must be in writing and explain the reason. We may deny the request in limited circumstances; if we deny it, you have the right to submit a written statement of disagreement that will be included in your record.

4.3 Right to an accounting of disclosures

You may request an accounting of certain disclosures of your PHI made by us in the six (6) years preceding your request, excluding disclosures for treatment, payment, and healthcare operations and certain other categories. The first accounting in any twelve-month period is free; subsequent requests may incur a reasonable, cost-based fee after notice.

4.4 Right to request restrictions

You may request that we restrict our uses or disclosures of PHI for treatment, payment, or healthcare operations, or to a person involved in your care. We are not required to agree, except that we will agree to a request that we not disclose PHI to a health plan for purposes of payment or operations if the disclosure relates to a service for which you (or someone on your behalf) have paid out of pocket in full.

4.5 Right to confidential communications

You may request that we communicate with you about medical matters in a particular way or location (for example, by portal message only, or to a specific phone number). We will accommodate reasonable requests.

4.6 Right to be notified of a breach

We will notify you if a breach of your unsecured PHI occurs in accordance with the HIPAA Breach Notification Rule and Tex. Bus. & Com. Code ch. 521.

4.7 Right to a paper copy of this Notice

Even if you have agreed to receive this Notice electronically, you may request a paper copy at any time.

4.8 Right to choose someone to act for you

If you have given a personal representative medical power of attorney or if a person is your legal guardian, that person may exercise these rights and make choices about your PHI. We will verify the person's authority before taking action.

5. Our responsibilities

We are required by law to:

  • maintain the privacy and security of your PHI;
  • provide you with this Notice of our legal duties and privacy practices;
  • follow the duties and privacy practices described in the Notice currently in effect;
  • notify you promptly if a breach of unsecured PHI affects you;
  • not use or disclose your PHI in a manner other than as described unless you authorize us in writing or as otherwise permitted or required by law; and
  • train our workforce and our business associates to protect your information.

6. Changes to this Notice

We reserve the right to change this Notice and to make the revised Notice effective for all PHI we maintain, including PHI created or received before the change. The current Notice will be posted on our website and made available at our practice locations. The effective date of any revision will appear on the first page.

7. Complaints

If you believe your privacy rights have been violated, you may file a complaint with the Practice's Privacy Officer through the patient portal or by contacting the clinic. You may also file a written complaint with the U.S. Department of Health and Human Services, Office for Civil Rights, 200 Independence Avenue, S.W., Washington, D.C. 20201, by calling 1-877-696-6775, or by visiting hhs.gov/hipaa/filing-a-complaint. We will not retaliate against you for filing a complaint.

8. Contact

To exercise any right described in this Notice, request a paper copy, or ask a question, contact our Privacy Officer through the patient portal, by emailing the clinic, or by speaking with the front-desk team during business hours.

This Notice is a general HIPAA-aware template and does not constitute legal advice. Consult Texas-licensed healthcare counsel to tailor it to the Practice's specific operations, scope of services, and contracted business associates.