Introduction
Your Practice Name ("we," "us," or "our"), located at Agoura Hills, CA, is committed to protecting the privacy and security of your personal information and protected health information (PHI). This Privacy Policy and Notice of Privacy Practices explains how we collect, use, disclose, and safeguard your information when you visit our website, use our services, or interact with us in any way.
As a healthcare provider subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Health Information Technology for Economic and Clinical Health (HITECH) Act, the California Consumer Privacy Act (CCPA), the California Privacy Rights Act (CPRA), and other applicable federal and state laws, we maintain strict standards for the protection of your health information.
By using our website or submitting information to us, you acknowledge that you have read and understand this Privacy Policy. If you do not agree with the practices described herein, please do not use our website or submit any personal information.
HIPAA Compliance & Notice of Privacy Practices
This section serves as our Notice of Privacy Practices (NPP) as required under the HIPAA Privacy Rule (45 CFR §§ 164.520). As a HIPAA-covered entity, we are legally required to maintain the privacy of your Protected Health Information (PHI), provide you with this notice of our legal duties and privacy practices, and abide by the terms of this notice currently in effect.
What is Protected Health Information (PHI)?
PHI is individually identifiable health information that relates to your past, present, or future physical or mental health condition, the provision of healthcare to you, or payment for healthcare services. This includes information submitted through our website forms, communicated via phone or email, or collected during the course of treatment.
How We May Use and Disclose Your PHI
We may use and disclose your PHI without your written authorization for the following purposes as permitted by HIPAA:
Treatment: To provide, coordinate, or manage your healthcare and related services. This includes consultations, referrals, and communication with other healthcare providers involved in your care.
Payment: To bill and collect payment for the treatment and services we provide. This may include contacting your health insurance company, submitting claims, and verifying coverage.
Healthcare Operations: To support our business activities including quality assessment, staff training, compliance programs, audits, and business planning.
As Required by Law: When required by federal, state, or local law, including reporting to public health authorities, responding to court orders, and cooperating with law enforcement.
Health and Safety: To prevent or lessen a serious and imminent threat to your health or safety or the health or safety of the public.
Uses and Disclosures Requiring Your Written Authorization
We will obtain your written authorization before using or disclosing your PHI for purposes other than those described above, including but not limited to: marketing communications, sale of your PHI, most uses of psychotherapy notes, and any other use not described in this notice. You may revoke your authorization in writing at any time.
Your Rights Under HIPAA
Right to Access: You have the right to inspect and obtain a copy of your PHI maintained by us, subject to limited exceptions.
Right to Amend: You may request that we amend your PHI if you believe it is incorrect or incomplete.
Right to an Accounting of Disclosures: You may request a list of certain disclosures we have made of your PHI.
Right to Request Restrictions: You may request restrictions on certain uses and disclosures of your PHI. We are not required to agree to all requests, but we must agree if you request that we not disclose PHI to your health plan for services you paid for in full out of pocket.
Right to Request Confidential Communications: You may request that we communicate with you about health matters through a particular means or at a certain location.
Right to a Paper Copy: You have the right to obtain a paper copy of this notice upon request.
Right to File a Complaint: If you believe your privacy rights have been violated, you may file a complaint with us or with the U.S. Department of Health and Human Services Office for Civil Rights. You will not be penalized or retaliated against for filing a complaint.
Breach Notification: In the event of a breach of unsecured PHI, we will notify you as required by the HITECH Act and applicable state laws. Notification will be made without unreasonable delay and no later than 60 days after discovery of the breach.
Information We Collect
Information You Provide Directly
When you interact with our website, you may provide us with the following categories of information:
Through the "Request a Free Call" Form
Full name
Phone number
Email address
Health conditions, symptoms, and medical concerns
Preferred contact times and methods
Any additional information you choose to provide about your health situation
Through Contact Forms and Email
Name and contact information
Content of your message or inquiry
Any health-related information you voluntarily include
Information Collected Automatically
When you visit our website, certain information is collected automatically through cookies and similar technologies:
IP address and approximate geographic location
Browser type, version, and operating system
Pages visited, time spent on pages, and navigation patterns
Referring website or search terms
Device type and screen resolution
Date and time of access
Energy Score Assessment
Our Energy Score assessment collects detailed health-related information to help evaluate your wellness. Due to the sensitive nature of this data, we apply enhanced security measures beyond our standard protections.
Information Collected Through the Energy Score
Self-reported energy levels and wellness indicators
Health symptoms and their severity
Lifestyle factors relevant to your health assessment
Any additional health details you provide during the assessment
Enhanced Security Measures for Energy Score Data
Encryption: All Energy Score data is encrypted both in transit (TLS 1.2 or higher) and at rest using AES-256 encryption.
Access Controls: Access to Energy Score data is restricted to authorized healthcare personnel on a need-to-know basis, with role-based access controls and multi-factor authentication.
Audit Logging: All access to Energy Score data is logged and audited regularly to detect unauthorized access attempts.
Data Minimization: We collect only the minimum information necessary for the assessment. Data is not retained longer than required for treatment purposes.
Separate Storage: Energy Score data is stored separately from general website analytics and marketing data, with additional access restrictions.
How We Use Your Information
We use the information we collect for the following purposes:
Healthcare Services: To respond to your inquiries, schedule consultations, provide treatment, and coordinate your care.
Communication: To contact you regarding your appointment requests, treatment plans, and follow-up care. We will only use your contact information for healthcare-related communications unless you provide separate consent for other communications.
Website Improvement: To analyze website usage patterns and improve our website's functionality, content, and user experience. This analysis uses aggregated, de-identified data only.
Legal Compliance: To comply with applicable laws, regulations, and legal processes.
Security: To protect against fraud, unauthorized access, and other security threats.
Disclosure of Information
We do not sell, rent, or trade your personal information or PHI. We may share your information only in the following limited circumstances:
Healthcare Providers: With other healthcare providers involved in your treatment, with your consent or as permitted by HIPAA.
Business Associates: With third-party service providers who perform services on our behalf (e.g., IT support, billing services) under Business Associate Agreements (BAAs) that require them to protect your PHI in accordance with HIPAA.
Legal Requirements: When required by law, court order, subpoena, or government investigation.
Emergency Situations: To prevent or lessen a serious and imminent threat to health or safety.
With Your Authorization: For any other purpose with your explicit written authorization, which you may revoke at any time.
Patient Testimonials & Stories
Our website features patient testimonials that may include patient names, medical diagnoses, treatment details, and health outcomes. We take the following measures to protect patient privacy in connection with testimonials:
Written Authorization: We obtain a signed HIPAA-compliant authorization from each patient before publishing any testimonial that includes PHI. This authorization specifies exactly what information will be disclosed and where it will be published.
Voluntary Participation: Participation in testimonials is entirely voluntary and does not affect the quality of care you receive.
Right to Revoke: Patients may revoke their testimonial authorization in writing at any time. Upon revocation, we will remove the testimonial from our website within a reasonable timeframe, though we cannot retrieve copies that may have been cached or shared by third parties prior to removal.
Scope of Authorization: Each authorization is specific to the testimonial content and does not grant us permission to use your PHI for any other purpose.
YouTube & Video Embeds
Our website features embedded videos from our YouTube channel. When you view a page containing an embedded YouTube video, the following occurs:
Google Cookies: YouTube (owned by Google) may set cookies on your device when you visit a page with an embedded video, even if you do not play the video. These cookies may be used by Google for analytics, advertising, and personalization purposes.
Data Collection by Google: Google may collect information including your IP address, browser type, device information, and viewing behavior. This data collection is governed by Google's Privacy Policy, not ours.
Privacy-Enhanced Mode: Where possible, we use YouTube's privacy-enhanced mode (youtube-nocookie.com) to limit tracking until you actively play a video.
We do not control the data collection practices of YouTube or Google. We recommend reviewing Google's Privacy Policy at policies.google.com/privacy for more information about how they handle your data.
California Privacy Rights (CCPA/CPRA)
California ResidentsIf you are a California resident, you have specific rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA). Please note that PHI handled in accordance with HIPAA is exempt from CCPA/CPRA; however, we extend these rights to all personal information we collect.
Your California Privacy Rights
Right to Know: You have the right to request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purpose for collecting it, and the categories of third parties with whom we share it.
Right to Delete: You have the right to request deletion of your personal information, subject to certain exceptions (e.g., legal obligations, ongoing treatment).
Right to Correct: You have the right to request correction of inaccurate personal information we maintain about you.
Right to Opt Out: You have the right to opt out of the sale or sharing of your personal information. We do not sell personal information, but you may opt out of any data sharing for cross-context behavioral advertising.
Right to Limit Use of Sensitive Information: You have the right to limit the use and disclosure of your sensitive personal information to purposes necessary for providing our services.
Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights. You will not receive different pricing, quality of service, or treatment.
How to Exercise Your California Rights
To exercise any of these rights, please contact us using the information in the Contact Us section below. We will verify your identity before processing your request and respond within 45 days as required by law. You may also designate an authorized agent to make a request on your behalf.
Categories of Personal Information Collected
In the preceding 12 months, we have collected the following categories of personal information as defined by the CCPA:
Identifiers (name, email, phone number, IP address)
Personal information under Cal. Civ. Code § 1798.80(e) (name, address, phone number)
Protected classification characteristics (age, medical conditions)
Internet or network activity (browsing history, interactions with our website)
Sensitive personal information (health data, precise geolocation)
Children's Privacy (COPPA Compliance)
We are committed to protecting the privacy of children. Our website is not directed to children under the age of 13, and we do not knowingly collect personal information from children under 13 through our website without verifiable parental consent, in compliance with the Children's Online Privacy Protection Act (COPPA).
Treatment of Minors
While our practice may provide healthcare services to minors, any information related to a minor patient is collected directly from the parent or legal guardian, not through the website. The parent or guardian provides consent for treatment and for any collection, use, or disclosure of the minor's PHI.
Parental Rights
Parents or guardians may review their child's personal information upon request.
Parents or guardians may request deletion of their child's personal information.
Parents or guardians may refuse further collection or use of their child's information.
If we learn that we have inadvertently collected personal information from a child under 13 without proper parental consent, we will take immediate steps to delete that information. If you believe we have collected information from a child under 13, please contact us immediately.
Data Security
We implement comprehensive administrative, technical, and physical safeguards to protect your personal information and PHI as required by HIPAA and industry best practices:
Technical Safeguards
TLS 1.2+ encryption for all data in transit
AES-256 encryption for data at rest
Secure form submissions with end-to-end encryption
Regular security assessments and vulnerability scanning
Intrusion detection and prevention systems
Automatic session timeouts
Administrative Safeguards
Designated HIPAA Privacy and Security Officers
Regular staff training on HIPAA compliance and data security
Written policies and procedures for handling PHI
Business Associate Agreements with all third-party service providers
Regular risk assessments and compliance audits
Incident response and breach notification procedures
Physical Safeguards
Restricted access to facilities and workstations
Secure disposal of physical records containing PHI
Device and media controls
Data Retention
We retain your information for the following periods:
Medical Records / PHI: Retained in accordance with California law (minimum 7 years from the date of last treatment for adults, or until a minor reaches age 19, whichever is longer) and applicable federal requirements.
Request a Free Call Form Submissions: Retained for the duration of the patient relationship plus the applicable retention period. If no patient relationship is established, submissions are retained for no longer than 2 years, then securely deleted.
Contact Form and Email Submissions: Retained for no longer than 2 years from the date of submission unless the communication becomes part of a patient record. Not used for marketing without separate, explicit consent.
Energy Score Assessment Data: Retained for the duration of the patient relationship plus the applicable medical records retention period. If no patient relationship is established, data is securely deleted within 1 year.
Website Analytics Data: Aggregated and anonymized analytics data may be retained indefinitely. Individual-level browsing data is retained for no longer than 26 months.
Testimonial Authorizations: Retained for as long as the testimonial is published and for 6 years after removal, in accordance with HIPAA authorization retention requirements.
When information is no longer needed, it is securely destroyed using methods appropriate to the format (e.g., secure digital deletion, shredding of physical documents).
Your Rights
In addition to the HIPAA rights and California-specific rights described above, you have the following general rights regarding your personal information:
Access: Request access to the personal information we hold about you.
Correction: Request correction of inaccurate or incomplete information.
Deletion: Request deletion of your personal information, subject to legal retention requirements.
Portability: Request a copy of your information in a commonly used electronic format.
Withdraw Consent: Withdraw any previously given consent for data processing, without affecting the lawfulness of processing based on consent before withdrawal.
Opt Out of Communications: Opt out of non-essential communications at any time by contacting us or using the unsubscribe mechanism in any marketing communication.
To exercise any of these rights, please contact our Privacy Officer using the information provided in the Contact Us section. We will respond to your request within 30 days (or 45 days for CCPA/CPRA requests).
Medical Disclaimer
ImportantThe content on this website is for informational purposes only and does not constitute medical advice, diagnosis, or treatment.
No physician-patient relationship is created by your use of this website or its content. The information provided on this website is not a substitute for professional medical advice, diagnosis, or treatment. Always seek the advice of your physician or other qualified healthcare provider with any questions you may have regarding a medical condition.
Never disregard professional medical advice or delay in seeking it because of something you have read on this website. If you think you may have a medical emergency, call your doctor or 911 immediately.
Patient testimonials and case studies presented on this website represent individual experiences and outcomes. Results may vary and are not guaranteed. Past results do not guarantee future outcomes.
Changes to This Policy
We reserve the right to update this Privacy Policy and Notice of Privacy Practices at any time. When we make material changes, we will:
Update the 'Last Updated' date at the top of this page
Post the revised policy on our website
Make the new notice available upon request on or after the effective date
For material changes to our privacy practices regarding PHI, provide notice as required by HIPAA
We encourage you to review this policy periodically to stay informed about how we protect your information.
Contact Us
If you have questions about this Privacy Policy, wish to exercise any of your rights, or need to file a complaint, please contact us:
Your Practice Name
Agoura Hills, CA
Phone: (818) 889-5572
Email: liachiropractic@gmail.com
You may also file a complaint with the U.S. Department of Health and Human Services Office for Civil Rights by visiting www.hhs.gov/ocr/privacy/hipaa/complaints or calling 1-877-696-6775.
© 2026 Your Practice Name. All rights reserved. This Privacy Policy and Notice of Privacy Practices is provided in compliance with HIPAA, HITECH, CCPA, CPRA, and COPPA requirements.