Privacy Policy
Bloomfield Wellness & Aesthetics
Privacy Policy
Effective Date: July 2026
Bloomfield Wellness & Aesthetics ("we," "our," or "us") is committed to protecting the privacy and security of our patients and website visitors. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you visit our website, schedule appointments, communicate with us, receive medical or aesthetic services, or interact with our patient portal.
Our practice is located at:
Bloomfield Wellness & Aesthetics
4723 Liberty Avenue
Pittsburgh, PA 15224
Phone: (412) 999-4306
BLOOMFIELD WELLNESS & AESTHETICS
Privacy Policy
Effective Date: July 11, 2026
Last Updated: July 11, 2026
1. Introduction
Bloomfield Wellness & Aesthetics ("BWA," "we," "our," or "us") respects your privacy and is committed to protecting the confidentiality, integrity, and security of the personal information and protected health information ("PHI") entrusted to us.
This Privacy Policy explains how we collect, use, disclose, maintain, and safeguard your information when you:
- Visit our website
- Schedule appointments
- Complete online forms
- Create or access a patient portal account
- Receive medical or aesthetic services
- Participate in telehealth visits
- Contact our office by phone, email, text message, or social media
- Purchase products or services
- Subscribe to newsletters or marketing communications
Our goal is to provide transparent information regarding our privacy practices while maintaining full compliance with applicable federal and Pennsylvania privacy laws.
2. Practice Information
Bloomfield Wellness & Aesthetics
4723 Liberty Avenue
Pittsburgh, Pennsylvania 15224
Phone: (412) 999-4306
Website: www.bloomfieldwellnessandaesthetics.com
Email: privacy@bloomfieldwellnessandaesthetics.com (or designated privacy contact)
Medical Director:
Dr. Domenic Mantella, MD
Compliance Officer:
Kathryn Confer, PharmD
Privacy Officer:
Kathryn Confer, PharmD
HIPAA Security Officer:
Kathryn Confer, PharmD
3. Our Commitment to Privacy
Protecting patient privacy is a fundamental responsibility of Bloomfield Wellness & Aesthetics.
We recognize that every patient entrusts us with highly personal medical information. We maintain administrative, physical, and technical safeguards designed to ensure that your information remains confidential and secure.
Our privacy program is built upon the principles of:
- Confidentiality
- Integrity
- Availability
- Transparency
- Accountability
- Patient Choice
- Regulatory Compliance
All workforce members receive privacy and security training and are required to follow our confidentiality policies as a condition of employment.
4. Scope of This Privacy Policy
This Privacy Policy applies to all information collected by Bloomfield Wellness & Aesthetics through:
Medical Services
- Hormone Replacement Therapy
- Functional Medicine
- Weight Management
- Medical Aesthetics
- Laser Treatments
- Skin Care Services
- Injectable Treatments
- Wellness Consultations
- Laboratory Testing
- Nutritional Counseling
- Preventive Healthcare Services
Digital Services
- Practice Website
- Patient Portal
- Online Appointment Scheduling
- Secure Messaging
- Telemedicine Platform
- Electronic Medical Records
- Email Communications
- Text Messaging Services
- Online Payment Processing
In-Person Services
- Office Visits
- Consultations
- Follow-up Appointments
- Retail Product Purchases
- Educational Events
This Privacy Policy applies regardless of whether information is collected electronically, verbally, in writing, or through third-party service providers acting on our behalf.
5. HIPAA Compliance
Bloomfield Wellness & Aesthetics is committed to complying with the:
- Health Insurance Portability and Accountability Act of 1996 (HIPAA)
- HIPAA Privacy Rule
- HIPAA Security Rule
- HIPAA Breach Notification Rule
- Health Information Technology for Economic and Clinical Health (HITECH) Act
- Pennsylvania Medical Records Act
- Pennsylvania Breach of Personal Information Notification Act
- Applicable Pennsylvania healthcare privacy regulations
Protected Health Information ("PHI") is handled in accordance with these laws and our internal privacy and security policies.
Where applicable, this Privacy Policy works together with our Notice of Privacy Practices required under HIPAA.
If any portion of this Privacy Policy conflicts with applicable federal or Pennsylvania law, the applicable law will control.
6. Information We Collect
Depending upon the services you receive, we may collect the following categories of information.
A. Personal Identification Information
We may collect:
- Full legal name
- Preferred name
- Date of birth
- Gender
- Mailing address
- Email address
- Telephone numbers
- Emergency contacts
- Driver's license or government-issued identification
- Photograph (when appropriate)
- Signature
B. Protected Health Information (PHI)
During the course of providing healthcare services, we may collect:
- Medical history
- Surgical history
- Medication history
- Allergies
- Family history
- Social history
- Review of systems
- Physical examination findings
- Laboratory results
- Imaging reports
- Treatment plans
- Diagnoses
- Clinical photographs
- Procedure documentation
- Consent forms
- Prescription information
- Pharmacy information
- Progress notes
- Follow-up recommendations
This information is maintained within our secure electronic medical record system.
C. Insurance Information
If applicable, we may collect:
- Insurance carrier
- Member identification numbers
- Group numbers
- Claims information
- Prior authorization information
- Coordination of benefits information
Many aesthetic procedures are elective and self-pay; however, certain medical services may involve insurance information when appropriate.
D. Payment Information
We may collect:
- Credit card information
- Debit card information
- Payment history
- Billing address
- Financing information
- Outstanding balances
- Payment plans
Payment card information is processed using secure third-party payment processors. Bloomfield Wellness & Aesthetics does not store complete payment card numbers on its internal systems unless required for authorized recurring payment arrangements and protected in accordance with PCI-DSS standards.
E. Website Information
When you visit our website, we may automatically collect:
- IP address
- Browser type
- Device information
- Operating system
- Pages visited
- Date and time of visit
- Referring website
- Session duration
- Clickstream information
- General geographic location based on IP address
This information helps us improve website performance, security, accessibility, and user experience.
F. Communications
We may retain communications including:
- Emails
- Telephone messages
- Secure patient portal messages
- Appointment requests
- Text message conversations
- Online contact forms
- Patient surveys
- Reviews voluntarily submitted by patients
These communications become part of our business records and, where applicable, your medical record.
G. Clinical Photography
With your written consent when required, we may obtain clinical photographs for purposes such as:
- Treatment planning
- Monitoring clinical progress
- Medical documentation
- Before-and-after comparisons
- Quality improvement
- Medical education, when separately authorized
No clinical photographs used for marketing, advertising, social media, or educational purposes will be published without your separate written authorization unless otherwise permitted by law.
7. How Bloomfield Wellness & Aesthetics Uses Your Information
Bloomfield Wellness & Aesthetics collects, maintains, uses, and discloses personal information and Protected Health Information ("PHI") only for legitimate business, healthcare, legal, and operational purposes. We are committed to collecting only the minimum information necessary to accomplish the intended purpose whenever practical and as required by applicable law.
Our use of your information is governed by the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Health Information Technology for Economic and Clinical Health (HITECH) Act, applicable Pennsylvania laws, and our internal privacy and security policies.
7.1 Treatment
The primary reason we collect your information is to provide safe, effective, and individualized healthcare services.
Your information may be used to:
- Establish your medical record.
- Confirm your identity before providing treatment.
- Review your medical history.
- Document allergies and medication interactions.
- Perform physical assessments.
- Develop individualized treatment plans.
- Order laboratory testing.
- Review diagnostic imaging.
- Monitor treatment progress.
- Coordinate follow-up care.
- Evaluate treatment outcomes.
- Prescribe medications.
- Recommend nutritional supplements.
- Perform aesthetic procedures.
- Provide hormone replacement therapy.
- Manage weight loss programs.
- Monitor chronic medical conditions.
- Provide telemedicine services.
- Develop long-term wellness plans.
Information may be shared among members of your treatment team when necessary to provide appropriate medical care.
7.2 Payment
Your information may be used to obtain payment for healthcare services.
Examples include:
- Preparing invoices
- Processing payments
- Verifying insurance eligibility
- Filing insurance claims
- Collecting outstanding balances
- Managing payment plans
- Processing refunds
- Maintaining accounting records
- Preventing payment fraud
- Responding to billing inquiries
Payment information is only shared with authorized payment processors, insurance carriers, financing companies (when authorized), and billing service providers as necessary.
7.3 Healthcare Operations
Healthcare operations are activities necessary to operate Bloomfield Wellness & Aesthetics efficiently while maintaining high standards of patient care.
Examples include:
- Quality improvement initiatives
- Clinical outcome reviews
- Peer review
- Staff education
- Employee training
- Compliance monitoring
- HIPAA auditing
- Infection control monitoring
- OSHA compliance
- Credentialing
- Risk management
- Practice accreditation
- Internal audits
- Financial auditing
- Technology maintenance
- Patient satisfaction surveys
- Performance improvement programs
These activities help ensure our practice maintains safe, compliant, and effective healthcare services.
7.4 Appointment Management
Your information may be used to schedule, confirm, modify, or cancel appointments.
We may communicate with you using:
- Telephone
- Secure email
- Secure patient portal messages
- SMS/text messaging
- Voicemail
- Postal mail
Examples include:
- Appointment reminders
- Waitlist notifications
- Schedule changes
- Provider delays
- Missed appointment follow-up
- Procedure preparation instructions
- Follow-up appointment reminders
Whenever possible, communications will contain only the minimum necessary information.
7.5 Patient Portal
If you enroll in our patient portal, your information may be used to:
- View laboratory results
- Review treatment plans
- Access educational materials
- Complete forms
- Send secure messages
- Pay invoices
- Request appointments
- Receive clinical updates
- Review medications
- Complete health questionnaires
Patient portal access is protected by secure authentication measures.
Patients are responsible for maintaining the confidentiality of their usernames and passwords.
7.6 Telehealth Services
If you participate in telemedicine visits, we may use your information to:
- Verify your identity
- Confirm your location
- Document informed consent
- Conduct virtual examinations
- Develop treatment recommendations
- Prescribe medications when appropriate
- Coordinate laboratory testing
- Arrange referrals
- Schedule follow-up appointments
Telehealth services are conducted using secure, encrypted technology whenever feasible.
Patients acknowledge that no electronic communication system can guarantee absolute security.
7.7 Laboratory Testing
When laboratory testing is ordered, we may disclose necessary information to licensed laboratories, including:
- Patient identifiers
- Ordering provider information
- Diagnosis codes
- Test orders
- Relevant medical history
- Insurance information when applicable
Laboratory results become part of your permanent medical record.
7.8 Pharmacy Communications
When medications are prescribed, we may communicate with pharmacies regarding:
- Prescription transmission
- Medication clarification
- Prior authorization requests
- Drug interactions
- Prescription renewals
- Controlled substance monitoring
- Medication reconciliation
These communications are limited to information necessary to provide safe pharmaceutical care.
7.9 Consultation with Other Healthcare Providers
Your information may be shared with physicians, specialists, hospitals, laboratories, imaging centers, pharmacies, therapists, or other healthcare professionals involved in your care.
Examples include:
- Referral letters
- Consultation reports
- Laboratory findings
- Medication lists
- Treatment summaries
- Surgical clearances
- Follow-up recommendations
Only information relevant to your ongoing treatment will be shared unless otherwise authorized.
7.10 Medical Emergencies
If necessary to prevent serious harm or protect your health, we may disclose relevant medical information to:
- Emergency departments
- Emergency Medical Services (EMS)
- First responders
- Treating physicians
- Hospitals
- Public health authorities when required
Such disclosures are made only when permitted or required by law.
7.11 Public Health Activities
Federal and Pennsylvania law may require us to report certain information to public health agencies.
Examples include:
- Reportable communicable diseases
- Vaccine administration
- Adverse vaccine reactions
- Drug recalls
- Medical device recalls
- Child abuse reporting
- Elder abuse reporting
- Certain injuries
- Public health investigations
These disclosures are made only when legally authorized or required.
7.12 Regulatory Compliance
We may use or disclose information to comply with:
- HIPAA investigations
- Pennsylvania Department of Health requirements
- Centers for Medicare & Medicaid Services (CMS)
- OSHA inspections
- DEA requirements
- State licensing boards
- Court orders
- Subpoenas
- Law enforcement requests permitted by law
- Professional liability investigations
7.13 Business Associates
Bloomfield Wellness & Aesthetics works with carefully selected third-party vendors that assist us in operating our practice.
Examples include:
- Electronic Health Record providers
- Practice management software
- Patient portal providers
- Secure messaging platforms
- Laboratory vendors
- Payment processors
- Medical billing companies
- IT security vendors
- Cloud hosting providers
- Document destruction companies
- Electronic fax providers
- Telephone service providers
Each Business Associate that receives Protected Health Information is required, when applicable, to enter into a Business Associate Agreement (BAA) requiring compliance with HIPAA Privacy, Security, and Breach Notification Rules.
Our use of vendors does not reduce our responsibility to safeguard your information.
7.14 Technology Providers
Bloomfield Wellness & Aesthetics may utilize third-party technology platforms to support patient care and business operations.
Examples may include:
- Electronic Health Records
- Patient portals
- Appointment scheduling software
- Secure messaging systems
- Telehealth platforms
- Payment processing services
- Cloud storage providers
- Website hosting services
These providers process information solely for the purpose of delivering contracted services and are not authorized to use your information for their own marketing purposes when acting on our behalf.
7.15 Marketing Communications
We may communicate with patients regarding:
- Practice announcements
- New providers
- Office closures
- Educational events
- Wellness seminars
- New services
- Seasonal promotions
- Product availability
- Newsletter subscriptions
Marketing communications unrelated to your treatment will only be sent where permitted by law or with your consent when required.
Patients may opt out of marketing communications at any time without affecting their ability to receive medical care.
7.16 Educational Information
We may send educational materials related to:
- Skin health
- Hormone optimization
- Nutrition
- Weight management
- Functional medicine
- Preventive health
- Medication education
- Procedure preparation
- Post-treatment instructions
These communications are intended to improve patient education and health outcomes.
7.17 Patient Satisfaction Surveys
Following appointments, patients may be invited to complete satisfaction surveys.
Survey responses help us:
- Improve patient experience
- Evaluate service quality
- Identify operational improvements
- Enhance provider education
- Improve scheduling efficiency
Participation is voluntary.
7.18 Website Analytics
Information collected through our website may be used to:
- Improve website performance
- Monitor cybersecurity threats
- Understand visitor behavior
- Evaluate marketing effectiveness
- Improve accessibility
- Optimize online scheduling
- Identify technical issues
Website analytics generally utilize de-identified or aggregated information whenever practical.
7.19 Fraud Prevention
Information may be used to:
- Verify patient identity
- Detect fraudulent transactions
- Prevent identity theft
- Protect financial accounts
- Prevent unauthorized portal access
- Investigate suspicious activity
- Secure electronic systems
These activities protect both patients and the practice.
7.20 Minimum Necessary Standard
Except where otherwise permitted or required by law, Bloomfield Wellness & Aesthetics follows the HIPAA "Minimum Necessary" standard.
This means workforce members will access, use, or disclose only the minimum amount of information necessary to perform their assigned duties.
Access to Protected Health Information is role-based and limited according to each employee's job responsibilities.
Unauthorized access, viewing, disclosure, or use of patient information is strictly prohibited and may result in disciplinary action up to and including termination, civil penalties, criminal penalties, and reporting to applicable licensing authorities.
8. When We Share Your Information
Bloomfield Wellness & Aesthetics is committed to protecting the privacy and confidentiality of your personal information and Protected Health Information ("PHI"). We do not sell your PHI and do not disclose your information except as permitted or required by applicable law, with your authorization, or as necessary to provide healthcare services.
Whenever possible, we disclose only the minimum amount of information necessary to accomplish the intended purpose.
8.1 Disclosures for Treatment
We may share your PHI without your written authorization when necessary to provide, coordinate, or manage your healthcare.
Examples include sharing information with:
- Primary care physicians
- Specialists
- Consulting physicians
- Hospitals
- Emergency departments
- Pharmacies
- Clinical laboratories
- Imaging facilities
- Physical therapists
- Home healthcare agencies
- Other healthcare providers participating in your care
Information shared may include:
- Medical history
- Current diagnoses
- Medication lists
- Allergies
- Laboratory results
- Procedure notes
- Treatment recommendations
- Clinical photographs when medically necessary
- Follow-up instructions
8.2 Disclosures for Payment
We may disclose information necessary to obtain payment for healthcare services.
Examples include:
- Insurance companies
- Third-party administrators
- Billing companies
- Payment processors
- Collection agencies (when appropriate)
- Financing companies approved by the patient
Information disclosed may include:
- Diagnosis codes
- Procedure codes
- Dates of service
- Provider information
- Charges
- Insurance policy information
- Medical necessity documentation
Only information reasonably necessary for payment purposes will be disclosed.
8.3 Healthcare Operations
We may disclose information for healthcare operations including:
- Internal quality improvement
- Accreditation activities
- Compliance reviews
- Risk management
- Employee education
- Clinical audits
- Infection control monitoring
- Technology maintenance
- HIPAA compliance activities
- Medical record reviews
- Practice administration
These disclosures help ensure safe, effective, and legally compliant healthcare services.
8.4 Business Associates
Bloomfield Wellness & Aesthetics contracts with trusted third-party service providers that perform functions on our behalf.
Examples include:
- Electronic Health Record providers
- Practice management software vendors
- Patient portal providers
- Medical billing companies
- Secure cloud storage providers
- IT security consultants
- Telephone systems
- Appointment reminder services
- Payment processing companies
- Secure document destruction vendors
- Electronic fax services
- Telehealth technology providers
Each Business Associate receiving Protected Health Information, when required by law, must execute a HIPAA-compliant Business Associate Agreement (BAA) requiring the protection of patient information.
Business Associates are contractually prohibited from using patient information for unauthorized purposes.
8.5 Appointment Reminders
We may contact you regarding:
- Upcoming appointments
- Missed appointments
- Waitlist opportunities
- Schedule changes
- Procedure preparation
- Follow-up appointments
- Prescription refill reminders
- Preventive care reminders
These communications may occur through:
- Telephone
- Voicemail
- Text message
- Secure email
- Patient portal
- Postal mail
We attempt to limit the amount of medical information contained within appointment reminders.
8.6 Family Members, Caregivers, and Personal Representatives
Unless you object, we may share relevant medical information with:
- A spouse
- Parent
- Adult child
- Legal guardian
- Healthcare proxy
- Durable power of attorney for healthcare
- Caregiver involved in your care
Examples include:
- Appointment scheduling
- Medication instructions
- Home care instructions
- Billing information
- Transportation coordination
- Emergency contact information
If you are unable to communicate due to an emergency or incapacity, we may exercise professional judgment to determine whether disclosure is in your best interest.
8.7 Public Health Reporting
Federal and Pennsylvania law may require disclosures to public health authorities.
Examples include:
- Communicable disease reporting
- Vaccine administration records
- Adverse drug reactions
- Medical device reporting
- Birth defects
- Public health investigations
- Disease surveillance
- Certain occupational illnesses
These disclosures occur only as required or authorized by law.
8.8 Abuse, Neglect, and Domestic Violence
We may disclose information when required to report:
- Child abuse
- Child neglect
- Elder abuse
- Abuse of dependent adults
- Domestic violence
- Human trafficking when legally required
Whenever appropriate and permitted by law, we will inform the patient before making such disclosures.
8.9 Health Oversight Activities
We may disclose PHI to governmental agencies responsible for healthcare oversight.
Examples include:
- Pennsylvania Department of Health
- Pennsylvania Department of State
- Centers for Medicare & Medicaid Services (CMS)
- Office for Civil Rights (OCR)
- Drug Enforcement Administration (DEA)
- Food and Drug Administration (FDA)
- Office of Inspector General (OIG)
These disclosures may occur during:
- Audits
- Investigations
- Licensure reviews
- Compliance inspections
- Fraud investigations
8.10 Judicial and Administrative Proceedings
We may disclose information in response to:
- Court orders
- Search warrants
- Lawfully issued subpoenas
- Administrative tribunal orders
- Discovery requests
- Arbitration proceedings
Whenever appropriate, Bloomfield Wellness & Aesthetics will seek reasonable assurances that the patient has been notified or that appropriate legal protections are in place before releasing information.
8.11 Law Enforcement
We may disclose limited information to law enforcement officials when permitted or required by law, including:
- Locating a missing person
- Reporting a crime
- Responding to a court order
- Complying with a warrant
- Reporting certain injuries
- Preventing or reducing a serious threat to public safety
- Identifying deceased individuals
Each request is evaluated individually to ensure compliance with HIPAA and Pennsylvania law.
8.12 Medical Emergencies
When necessary to prevent serious harm or protect your health, we may disclose relevant information to:
- Emergency physicians
- Hospitals
- Emergency Medical Services (EMS)
- Poison control centers
- Treating specialists
Only information necessary to address the emergency will be disclosed.
8.13 Disaster Relief
If you are involved in a natural disaster or public emergency, we may disclose limited information to organizations involved in disaster relief efforts to assist with:
- Locating family members
- Coordinating emergency care
- Identifying patients
- Facilitating reunification efforts
8.14 Organ, Tissue, and Eye Donation
If permitted by law, we may disclose relevant medical information to organizations involved in:
- Organ procurement
- Tissue donation
- Eye donation
- Organ transplantation
Such disclosures occur only in accordance with applicable federal and state laws.
8.15 Workers' Compensation
We may disclose information necessary to comply with workers' compensation laws or similar programs that provide benefits for work-related injuries or illnesses.
8.16 Military and National Security
If applicable, we may disclose information to authorized military authorities or federal officials when required by federal law for:
- Military command activities
- National security
- Protective services for government officials
8.17 Correctional Institutions
If you become incarcerated or are in the lawful custody of a correctional institution, we may disclose information necessary for:
- Medical treatment
- Institutional safety
- Security
- Transportation
- Emergency medical care
8.18 Research
Bloomfield Wellness & Aesthetics may participate in clinical research or quality improvement initiatives.
Protected Health Information will not be used for research purposes unless:
- You provide written authorization;
- The research has received approval from an Institutional Review Board (IRB) or Privacy Board where applicable;
- The information has been properly de-identified under HIPAA standards; or
- Another legal exception applies.
Participation in research is voluntary unless otherwise required by law.
8.19 Sale of Protected Health Information
Bloomfield Wellness & Aesthetics does not sell Protected Health Information.
We do not receive payment in exchange for patient medical information.
Any disclosure involving remuneration will require your written authorization unless specifically permitted by applicable law.
8.20 Marketing Uses of PHI
Your Protected Health Information will not be used for marketing purposes requiring authorization unless you first provide written authorization.
Examples include:
- Testimonials
- Before-and-after photographs
- Promotional videos
- Social media content
- Advertising campaigns
- Patient success stories
You may revoke your authorization at any time, except to the extent we have already relied upon it.
8.21 Fundraising Communications
Should Bloomfield Wellness & Aesthetics conduct fundraising activities in the future, patients will have the opportunity to opt out of future fundraising communications as required by law.
8.22 Written Authorizations
Certain disclosures require your written authorization before we may release information.
Examples include:
- Most disclosures to employers
- Attorneys (unless otherwise required by law)
- Life insurance companies
- Schools
- News media
- Marketing uses
- Sale of PHI
- Most disclosures to third parties not involved in treatment, payment, or healthcare operations
Authorizations must:
- Identify the information to be disclosed.
- Identify the recipient.
- State the purpose of the disclosure.
- Include an expiration date or event.
- Be signed and dated by the patient or authorized representative.
8.23 Revocation of Authorization
You may revoke a written authorization at any time by submitting a written request to our Privacy Officer.
Revocation will apply prospectively and will not affect disclosures already made in reliance upon the authorization.
8.24 Minimum Necessary Standard
For disclosures not directly related to treatment, Bloomfield Wellness & Aesthetics limits the information disclosed to the minimum amount reasonably necessary to accomplish the intended purpose.
Examples include:
- Limiting billing information to payment-related data.
- Limiting employment verification to authorized information.
- Limiting legal disclosures to records specifically requested.
- Restricting staff access based upon job responsibilities.
Role-based access controls, workforce training, and routine auditing help ensure compliance with this standard.
8.25 Unauthorized Disclosures
Unauthorized access, use, or disclosure of patient information is strictly prohibited.
Any suspected privacy incident is promptly investigated in accordance with our HIPAA Privacy and Security Incident Response Policy.
Confirmed breaches are managed in accordance with the HIPAA Breach Notification Rule and applicable Pennsylvania law, including notification to affected individuals and regulatory authorities when required.
9. Your Privacy Rights
Bloomfield Wellness & Aesthetics believes every patient has the right to understand, access, and exercise control over their personal information and Protected Health Information ("PHI"). Federal law, including the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and applicable Pennsylvania laws provide patients with important privacy rights.
This section explains those rights and the procedures for exercising them.
9.1 Right to Receive a Notice of Privacy Practices
You have the right to receive a copy of Bloomfield Wellness & Aesthetics' Notice of Privacy Practices.
The Notice explains:
- How we may use your information
- When information may be disclosed
- Your legal privacy rights
- How to exercise those rights
- How to file a privacy complaint
The Notice is available:
- During your first visit
- Upon request at any time
- Through the patient portal (when available)
- On our website (if applicable)
Patients may request a paper copy at any time, even if they previously agreed to receive the Notice electronically.
9.2 Right to Inspect and Obtain Copies of Your Medical Records
You have the right to inspect and obtain copies of your medical record and certain billing records maintained by Bloomfield Wellness & Aesthetics.
This includes, when applicable:
- Office visit notes
- Laboratory reports
- Procedure documentation
- Medication lists
- Treatment plans
- Imaging reports received by our office
- Clinical photographs that are part of your medical record
- Billing records
Records may be provided in:
- Paper format
- Electronic PDF
- Secure electronic portal
- Other mutually agreed-upon electronic formats when feasible
We may charge a reasonable, cost-based fee as permitted by federal and Pennsylvania law for copies of records.
Certain records may be excluded from access under HIPAA or other applicable laws, including psychotherapy notes maintained separately, information compiled for legal proceedings, or records restricted by law.
9.3 Timeframe for Record Requests
Upon receipt of a valid request, Bloomfield Wellness & Aesthetics will respond within the timeframes required by applicable law.
If additional time is permitted and necessary, patients will receive written notification explaining:
- The reason for the delay.
- The expected completion date.
- Any additional information needed to process the request.
9.4 Right to Request Amendments
If you believe information contained in your medical record is inaccurate or incomplete, you may request that Bloomfield Wellness & Aesthetics amend your record.
Requests should:
- Be submitted in writing.
- Clearly identify the information you believe is inaccurate.
- Explain the reason for the requested amendment.
- Include supporting documentation when appropriate.
We are not required to amend information that:
- Was not created by our practice.
- Is already accurate and complete.
- Is not maintained by our practice.
- Is otherwise excluded from access under HIPAA.
If an amendment request is denied, you may submit a written statement of disagreement, which may become part of your medical record.
9.5 Right to Request Restrictions
You may request restrictions regarding how your Protected Health Information is used or disclosed.
Examples include requesting that we:
- Not disclose information to certain family members.
- Limit information shared with another provider.
- Restrict communications regarding specific services.
- Restrict disclosure to your health plan for services you paid for entirely out-of-pocket when permitted by HIPAA.
While we are not required to agree to every requested restriction, we will carefully evaluate each request.
If we agree to a restriction, we will comply unless disclosure is required by law or necessary during a medical emergency.
9.6 Right to Confidential Communications
You may request that Bloomfield Wellness & Aesthetics communicate with you using alternative methods or at alternative locations.
Examples include:
- Calling only your mobile phone.
- Mailing correspondence to a different address.
- Sending secure portal messages instead of email.
- Avoiding voicemail messages.
- Using your work address instead of your home address.
- Contacting you only during specified hours.
Reasonable requests will be accommodated whenever practical.
9.7 Right to an Accounting of Disclosures
You have the right to receive an accounting of certain disclosures of your Protected Health Information made by Bloomfield Wellness & Aesthetics.
The accounting generally excludes disclosures made:
- For treatment
- For payment
- For healthcare operations
- With your authorization
- To you directly
- For national security or intelligence activities when exempted by law
- Certain law enforcement disclosures
The accounting will identify disclosures required under HIPAA regulations and include:
- Date of disclosure
- Recipient
- Brief description of information disclosed
- Purpose of the disclosure
9.8 Right to Receive Electronic Records
When technically feasible, you may request an electronic copy of your health information.
Electronic records may be delivered through:
- Secure patient portal
- Encrypted email (when appropriate)
- Secure file transfer
- Other mutually agreed secure electronic methods
Patients requesting unencrypted electronic delivery acknowledge the potential security risks associated with that method.
9.9 Right to Designate a Personal Representative
You may authorize another individual to act on your behalf.
Examples include:
- Parent of a minor child
- Legal guardian
- Healthcare power of attorney
- Court-appointed representative
- Personal representative recognized under applicable law
Documentation may be required before releasing Protected Health Information.
9.10 Right to Revoke Authorization
If you previously authorized Bloomfield Wellness & Aesthetics to disclose your information, you may revoke that authorization at any time.
Revocation must:
- Be submitted in writing.
- Clearly identify the authorization being revoked.
- Be signed and dated.
Revocation applies only to future disclosures and does not affect information already released in reliance upon the authorization.
9.11 Right to Request Alternative Contact Methods
Patients may request alternative methods of communication regarding:
- Appointment reminders
- Laboratory results
- Billing statements
- Prescription notifications
- Follow-up instructions
Examples include:
- Secure patient portal only
- Telephone only
- Email only
- Postal mail only
Reasonable requests will be honored whenever feasible.
9.12 Right to Receive Breach Notification
If Bloomfield Wellness & Aesthetics determines that your unsecured Protected Health Information has been compromised through a reportable data breach, you will be notified in accordance with:
- HIPAA Breach Notification Rule
- HITECH Act
- Pennsylvania Breach of Personal Information Notification Act
Notifications will include:
- What happened
- Information involved
- Steps you should take
- What we are doing to investigate and mitigate the incident
- Contact information for additional assistance
9.13 Right to File a Privacy Complaint
If you believe your privacy rights have been violated, you may file a complaint without fear of retaliation.
Complaints may be submitted to:
Privacy Officer
Bloomfield Wellness & Aesthetics
4723 Liberty Avenue
Pittsburgh, PA 15224
Phone: (412) 999-4306
Email: privacy@bloomfieldwellnessandaesthetics.com (or designated privacy email)
Patients may also file complaints directly with the:
U.S. Department of Health and Human Services
Office for Civil Rights
There is no penalty for filing a complaint.
Bloomfield Wellness & Aesthetics strictly prohibits retaliation against any patient who exercises their privacy rights.
9.14 Right to Receive Information in an Accessible Format
Patients with disabilities or language barriers may request reasonable accommodations, including:
- Large-print documents
- Interpreter services when available
- Auxiliary aids
- Alternative communication formats
- Assistance completing privacy forms
Requests will be handled in accordance with applicable disability laws.
9.15 Right to Non-Discrimination
Bloomfield Wellness & Aesthetics does not discriminate in the exercise of patient privacy rights.
Patients will not receive different treatment, pricing, quality of care, or access to services because they:
- Exercise HIPAA rights
- Request copies of records
- Request restrictions
- File privacy complaints
- Decline certain optional communications
- Exercise other legal privacy protections
9.16 Verification of Identity
To protect patient confidentiality, Bloomfield Wellness & Aesthetics may require verification of identity before releasing Protected Health Information.
Verification methods may include:
- Government-issued identification
- Date of birth
- Address verification
- Security questions
- Patient portal authentication
- Written authorization
- Documentation of legal authority for representatives
Failure to adequately verify identity may delay or prevent disclosure of Protected Health Information until identity can be confirmed.
9.17 Fees for Records
Bloomfield Wellness & Aesthetics may charge reasonable, cost-based fees permitted by federal and Pennsylvania law for:
- Paper copies
- Electronic media
- Postage
- Supplies
- Labor associated with preparing copies when allowed by law
Patients will be informed of applicable fees before records are released.
9.18 Questions Regarding Privacy Rights
Questions regarding patient privacy rights should be directed to the Privacy Officer.
Our staff is available to explain:
- HIPAA rights
- Record request procedures
- Authorization forms
- Privacy restrictions
- Confidential communication requests
- Complaint procedures
- Available patient resources
We are committed to helping every patient understand and exercise their privacy rights while maintaining the highest standards of confidentiality, professionalism, and regulatory compliance.
10. Information Security and Data Protection
Bloomfield Wellness & Aesthetics is committed to maintaining the confidentiality, integrity, and availability of all personal information and Protected Health Information ("PHI") entrusted to our practice.
We maintain a comprehensive information security program designed to protect patient information from unauthorized access, alteration, disclosure, destruction, loss, theft, misuse, or cyberattack.
Our security program is based upon the requirements of:
- Health Insurance Portability and Accountability Act (HIPAA)
- HIPAA Security Rule (45 CFR Part 164)
- Health Information Technology for Economic and Clinical Health (HITECH) Act
- Pennsylvania Breach of Personal Information Notification Act
- National Institute of Standards and Technology (NIST) Cybersecurity Framework (where applicable)
- Industry best practices for healthcare cybersecurity
Information security is a shared responsibility of every workforce member.
10.1 Security Program Objectives
The goals of our security program are to:
- Protect patient confidentiality.
- Maintain accurate medical records.
- Prevent unauthorized disclosure.
- Protect against cyber threats.
- Ensure system availability.
- Detect security incidents promptly.
- Restore operations following disruptions.
- Maintain compliance with applicable laws.
- Promote patient trust.
10.2 Administrative Safeguards
Bloomfield Wellness & Aesthetics maintains administrative safeguards that include:
- Written HIPAA Privacy Policies
- Written HIPAA Security Policies
- Workforce confidentiality agreements
- Employee background screening, where appropriate
- HIPAA workforce training
- Annual security education
- Risk assessments
- Vendor security reviews
- Business Associate Agreement management
- Security awareness reminders
- Incident reporting procedures
- Disaster recovery planning
- Business continuity planning
- Sanction policies for privacy violations
- Regular compliance monitoring
Administrative safeguards are reviewed and updated periodically to reflect changes in technology, legal requirements, and operational risks.
10.3 Workforce Access Controls
Access to patient information is granted only to workforce members who require access to perform their assigned duties.
Access is based upon:
- Job responsibilities
- Clinical role
- Department
- Required system permissions
- Minimum Necessary Standard
Examples include:
Clinical Providers may access:
- Medical histories
- Laboratory results
- Clinical notes
- Medication records
- Treatment plans
Billing personnel may access:
- Demographic information
- Insurance information
- Billing records
- Payment history
Reception personnel may access:
- Scheduling information
- Contact information
- Appointment status
Employees are prohibited from accessing records of:
- Friends
- Family members
- Coworkers
- Public figures
- Themselves
- Any patient without a legitimate business or treatment purpose
10.4 User Authentication
Every authorized workforce member receives an individual user account.
Shared usernames are prohibited.
Authentication measures may include:
- Unique username
- Strong password
- Multi-factor authentication (MFA), when available
- Biometric authentication where supported
- Automatic session timeout
- Password expiration policies
- Account lockout following repeated failed login attempts
Employees are responsible for maintaining the confidentiality of their login credentials.
10.5 Password Standards
Passwords should comply with current organizational security standards and may include requirements such as:
- Minimum length requirements
- Combination of uppercase and lowercase letters
- Numbers
- Special characters
- Prohibition against dictionary words
- Regular password changes when appropriate
- Unique passwords for critical systems
Passwords may never be:
- Shared
- Written on visible notes
- Stored in unsecured documents
- Transmitted through unsecured email
10.6 Encryption
Bloomfield Wellness & Aesthetics utilizes encryption where appropriate to protect sensitive information.
Encryption may be used for:
- Electronic medical records
- Backup systems
- Mobile devices
- Laptop computers
- Secure messaging
- Patient portals
- Data transmission
- Cloud storage
Whenever feasible, encryption technologies meet current industry standards.
10.7 Secure Transmission of Information
Electronic transmission of Protected Health Information occurs using secure technologies whenever reasonably available.
Examples include:
- Encrypted patient portals
- Secure email systems
- Secure file transfer
- Encrypted telehealth platforms
- Secure electronic prescribing
- Secure electronic laboratory interfaces
Patients requesting unencrypted communications acknowledge the increased security risks associated with those communication methods.
10.8 Audit Controls
Electronic systems maintain audit logs capable of recording activity such as:
- User logins
- Failed login attempts
- Record access
- Record modification
- Record deletion
- Printing activity
- Export activity
- Administrative actions
Audit logs are periodically reviewed to detect inappropriate access or suspicious activity.
10.9 Monitoring for Unauthorized Access
Bloomfield Wellness & Aesthetics routinely monitors electronic systems for signs of:
- Unauthorized record access
- Password compromise
- Malware activity
- Ransomware indicators
- Suspicious downloads
- Unusual login behavior
- Excessive record viewing
- Unauthorized exports
Potential security incidents are investigated promptly.
10.10 Physical Security
Physical safeguards include measures designed to protect facilities and equipment.
Examples include:
- Locked offices
- Controlled building access
- Alarm systems
- Security cameras where appropriate
- Locked filing cabinets
- Visitor sign-in procedures
- Restricted records storage
- Secure server locations
- Workstation positioning to prevent unauthorized viewing
Visitors are not permitted unsupervised access to areas containing confidential patient information.
10.11 Workstation Security
Employees are expected to:
- Lock computers before leaving workstations.
- Log off when work is complete.
- Prevent unauthorized viewing of screens.
- Maintain clean desk practices.
- Secure printed documents.
- Avoid discussing confidential information in public areas.
Computer monitors should be positioned to minimize viewing by unauthorized individuals.
10.12 Mobile Device Security
If workforce members access practice systems using mobile devices, those devices should be protected through security measures such as:
- Passcodes
- Device encryption
- Automatic locking
- Remote wipe capability where available
- Updated operating systems
- Anti-malware protections where applicable
Lost or stolen devices capable of accessing patient information must be reported immediately.
10.13 Remote Access
Remote access to practice systems is permitted only through authorized secure methods.
Security requirements may include:
- VPN connections
- Multi-factor authentication
- Device security verification
- Encrypted connections
- Session monitoring
Remote users remain subject to all privacy and security policies.
10.14 Data Backup
Critical information systems are backed up according to established operational procedures.
Backups are intended to:
- Prevent permanent data loss
- Support disaster recovery
- Restore patient records
- Maintain continuity of operations
Backup media are secured against unauthorized access.
10.15 Disaster Recovery and Business Continuity
Bloomfield Wellness & Aesthetics maintains plans to restore operations following events such as:
- Cyberattacks
- Ransomware incidents
- Power outages
- Fire
- Flood
- Severe weather
- Hardware failure
- Software failure
- Other business interruptions
Recovery plans prioritize:
- Patient safety
- Continuity of clinical operations
- Restoration of electronic medical records
- Protection of patient information
- Regulatory compliance
10.16 Malware and Ransomware Protection
Practice technology systems employ commercially reasonable security measures to reduce the risk of malicious software, which may include:
- Endpoint protection
- Antivirus software
- Threat detection
- Firewall protection
- Email filtering
- Software updates
- Security patch management
Employees receive education regarding:
- Phishing emails
- Social engineering
- Suspicious attachments
- Fraudulent websites
- Password theft
- Business email compromise
10.17 Software Updates
Authorized systems are maintained through routine updates when practical, including:
- Operating system updates
- Security patches
- Application updates
- Firmware updates
- Anti-malware definition updates
Timely updates reduce exposure to known cybersecurity vulnerabilities.
10.18 Secure Disposal of Information
Protected Health Information is securely destroyed when retention requirements have been satisfied.
Approved destruction methods may include:
Paper Records:
- Cross-cut shredding
- Secure shredding vendors
- Locked shredding containers
Electronic Information:
- Secure data wiping
- Cryptographic erasure where appropriate
- Physical destruction of storage media
- Certified electronic destruction vendors
No patient information is discarded in regular trash receptacles.
10.19 Business Associate Security
Third-party vendors that create, receive, maintain, or transmit Protected Health Information on behalf of Bloomfield Wellness & Aesthetics are expected to implement reasonable administrative, physical, and technical safeguards consistent with applicable legal requirements.
Where required, Business Associate Agreements establish each party's responsibilities for protecting PHI.
10.20 Security Incident Reporting
Every workforce member has an obligation to immediately report suspected privacy or security incidents.
Examples include:
- Lost laptops
- Lost mobile devices
- Misdirected emails
- Suspicious phone calls
- Phishing attempts
- Malware infections
- Unauthorized record access
- Stolen documents
- Password compromise
- Unauthorized disclosures
Prompt reporting enables rapid investigation and mitigation.
10.21 Breach Investigation
Reported security incidents are investigated to determine:
- Nature of the incident
- Information involved
- Number of affected individuals
- Probability of compromise
- Corrective actions
- Notification obligations
Investigations are documented and maintained in accordance with applicable regulatory requirements.
10.22 Workforce Training
All workforce members receive privacy and security education appropriate to their responsibilities.
Training may include:
- HIPAA Privacy Rule
- HIPAA Security Rule
- Password security
- Phishing awareness
- Social engineering
- Physical security
- Secure communications
- Mobile device security
- Incident reporting
- Patient confidentiality
- Record retention
- Cybersecurity awareness
Additional training is provided when policies change or new security risks are identified.
10.23 Continuous Improvement
Information security is an ongoing process.
Bloomfield Wellness & Aesthetics periodically evaluates and updates its security program to address:
- Emerging cybersecurity threats
- Changes in healthcare technology
- Regulatory updates
- Lessons learned from security incidents
- Industry best practices
- Results of internal audits and risk assessments
By continuously improving our security program, we strive to maintain the trust our patients place in us while ensuring compliance with federal and Pennsylvania privacy and security requirements.
11. Website Privacy, Cookies, Online Communications, and Digital Services
Bloomfield Wellness & Aesthetics is committed to protecting the privacy of visitors to our website and individuals who communicate with us through electronic means. This section explains how we collect, use, protect, and disclose information obtained through our website, patient portal, online forms, text messaging services, email communications, telehealth technologies, and other digital platforms.
This Website Privacy Policy supplements our Notice of Privacy Practices and applies to information collected through our online services.
11.1 Website Purpose
The Bloomfield Wellness & Aesthetics website is intended to provide educational information about our practice and to facilitate patient access to healthcare services.
Our website may allow visitors to:
- Learn about our providers
- View available services
- Request appointments
- Complete patient forms
- Contact our office
- Subscribe to newsletters
- Purchase skincare products
- Access educational resources
- Access the patient portal
- Pay invoices
- Request prescription refills
- Learn about wellness programs
- Register for seminars or events
Information provided on our website is for informational purposes only and should not be considered medical advice or a substitute for consultation with a qualified healthcare professional.
11.2 Information Collected Automatically
When you visit our website, certain technical information may be collected automatically by our website servers or authorized service providers.
This may include:
- Internet Protocol (IP) address
- Browser type and version
- Operating system
- Device type
- Screen resolution
- Internet service provider
- Date and time of access
- Pages visited
- Duration of your visit
- Clickstream data
- Referring website
- Exit pages
- General geographic location derived from your IP address
- Website performance data
This information generally does not identify you personally but helps us improve the performance, functionality, accessibility, and security of our website.
11.3 Information You Voluntarily Provide
You may voluntarily provide personal information when you:
- Complete a contact form
- Request an appointment
- Register as a patient
- Subscribe to emails
- Join our mailing list
- Purchase products
- Submit employment inquiries
- Register for educational events
- Complete online questionnaires
- Participate in surveys
- Send us email communications
Information you voluntarily provide may include:
- Name
- Email address
- Telephone number
- Mailing address
- Date of birth
- Preferred appointment times
- Service interests
- Medical concerns submitted through secure forms
- Insurance information, if applicable
- Payment information
- Employment information when applying for positions
11.4 Cookies
Our website may use cookies and similar technologies to improve your browsing experience.
Cookies are small text files stored on your computer or mobile device that allow websites to recognize returning visitors and remember certain preferences.
Cookies may be used to:
- Maintain website functionality
- Improve website performance
- Remember user preferences
- Save language settings
- Analyze visitor traffic
- Improve online scheduling
- Monitor website security
- Prevent fraudulent activity
Cookies generally do not provide us with direct access to personal medical information.
11.5 Types of Cookies
Our website may utilize:
Essential Cookies
Required for:
- Website functionality
- Security
- Authentication
- Patient portal access
Essential cookies cannot generally be disabled without affecting website functionality.
Performance Cookies
Used to evaluate:
- Website speed
- Page loading
- Technical errors
- Website usage patterns
Performance data is generally aggregated and does not identify individual patients.
Analytics Cookies
Analytics technologies may help us understand:
- Number of visitors
- Popular pages
- Navigation paths
- Device usage
- Geographic trends
- User engagement
Information is generally reported in aggregate.
Functional Cookies
Functional cookies may remember:
- User preferences
- Display settings
- Accessibility options
- Language preferences
- Previously entered information
11.6 Managing Cookies
Most internet browsers allow users to:
- View stored cookies
- Delete cookies
- Block cookies
- Limit tracking technologies
- Receive cookie notifications
Disabling certain cookies may reduce website functionality or prevent access to certain features.
11.7 Website Analytics
Bloomfield Wellness & Aesthetics may use website analytics tools to understand website performance and visitor engagement.
Analytics information may include:
- Number of visitors
- Most frequently viewed pages
- Referral sources
- Time spent on pages
- Device types
- Browser usage
- General geographic information
- Website performance metrics
Analytics data is used to improve user experience and website performance and is not used to make clinical decisions.
11.8 Online Appointment Requests
Patients may request appointments electronically through our website.
Appointment request information may include:
- Name
- Telephone number
- Email address
- Requested services
- Preferred appointment dates
- Insurance information when applicable
- General comments
Submitting an appointment request does not establish a provider-patient relationship until the appointment has been confirmed by our office.
11.9 Online Forms
Patients may complete electronic forms before appointments.
Examples include:
- Registration forms
- Medical history forms
- Consent forms
- Insurance forms
- Financial responsibility agreements
- Health questionnaires
- Cosmetic consultation forms
Completed forms become part of the patient's medical record when applicable.
11.10 Email Communications
Patients may communicate with Bloomfield Wellness & Aesthetics by email.
Email may be used for:
- Scheduling
- Billing questions
- General practice information
- Administrative requests
- Educational materials
Patients should not use standard email for urgent medical issues or to transmit highly sensitive medical information unless specifically instructed to do so through a secure system.
Although we take reasonable precautions, standard email cannot be guaranteed to be completely secure.
11.11 Secure Patient Portal
When available, patients are encouraged to use the secure patient portal for communications involving Protected Health Information.
The patient portal may allow patients to:
- Review laboratory results
- Request appointments
- Send secure messages
- Pay balances
- Update demographic information
- Complete forms
- View treatment plans
- Access educational resources
Patients are responsible for safeguarding their usernames, passwords, and other authentication credentials.
11.12 Text Messaging (SMS)
Bloomfield Wellness & Aesthetics may communicate with patients through SMS text messaging for purposes including:
- Appointment reminders
- Appointment confirmations
- Schedule changes
- Prescription notifications
- Billing reminders
- Office closures
- Follow-up reminders
By providing a mobile telephone number, patients consent to receive these communications unless they opt out.
Message and data rates may apply depending upon the patient's wireless carrier.
Patients may opt out of non-essential text communications by following the instructions provided in the message or by contacting our office.
Text messaging should not be used to communicate medical emergencies.
11.13 Telehealth Platforms
Bloomfield Wellness & Aesthetics may utilize secure telehealth technologies to provide healthcare services when clinically appropriate.
Telehealth platforms may collect:
- Audio communications
- Video communications
- Electronic documentation
- Patient authentication information
- Device information
- Technical connection information
Telehealth visits are conducted using commercially reasonable security measures designed to protect patient privacy.
11.14 Social Media
Bloomfield Wellness & Aesthetics maintains social media accounts to provide educational information and communicate with the public.
Examples may include:
- TikTok
- YouTube
- Other social media platforms
Patients should not submit Protected Health Information through public comments, direct messages, or social media messaging systems.
Public interactions with our social media accounts may be visible to other users.
11.15 Online Reviews
Patients may voluntarily submit online reviews through third-party websites.
Bloomfield Wellness & Aesthetics does not request that patients disclose Protected Health Information in online reviews.
To protect patient privacy, we generally will not confirm whether an individual is a patient when responding to public reviews.
11.16 Third-Party Websites
Our website may contain links to third-party websites for educational purposes or patient convenience.
Examples include:
- Laboratory partners
- Patient financing providers
- Professional organizations
- Educational resources
- Government agencies
- Payment processors
Bloomfield Wellness & Aesthetics is not responsible for the privacy practices, content, security, or availability of third-party websites.
Users should review the privacy policies of those websites independently.
11.17 Website Security
We employ commercially reasonable safeguards designed to protect information transmitted through our website, which may include:
- Secure Socket Layer (SSL) or Transport Layer Security (TLS) encryption
- Firewalls
- Malware protection
- Security monitoring
- Access controls
- Website vulnerability management
- Software updates
Although we strive to protect personal information, no internet transmission or electronic storage method can be guaranteed to be 100% secure.
11.18 Children's Online Privacy
Our website is intended for adults and individuals seeking healthcare services.
We do not knowingly collect personal information directly from children under the age of 13 through our website without appropriate parental or legal guardian involvement, as required by applicable law.
If we become aware that information has been submitted inappropriately, we will take reasonable steps to delete it.
11.19 Changes to Website Privacy Practices
Bloomfield Wellness & Aesthetics reserves the right to update this Website Privacy Policy as technology, legal requirements, or business operations evolve.
The revised policy will become effective upon posting unless otherwise stated.
Patients are encouraged to review this policy periodically to remain informed of our current privacy practices.
11.20 Contact Regarding Website Privacy
Questions regarding website privacy, cookies, online communications, or digital security may be directed to:
Privacy Officer
Bloomfield Wellness & Aesthetics
4723 Liberty Avenue
Pittsburgh, PA 15224
Phone: (412) 999-4306
Email: privacy@bloomfieldwellnessandaesthetics.com (or your designated privacy email address)
We are committed to maintaining a secure digital environment while providing convenient access to healthcare services and patient information.
12. Record Retention, Data Destruction, Governance, and Policy Administration
Bloomfield Wellness & Aesthetics maintains patient records and other business information in accordance with applicable federal laws, Pennsylvania regulations, professional standards, accreditation requirements, payer obligations, and accepted healthcare recordkeeping practices.
The purpose of this section is to establish consistent standards for retaining, protecting, archiving, and securely disposing of information while preserving the integrity of the medical record and protecting patient privacy.
12.1 Medical Record Ownership
Medical records created and maintained by Bloomfield Wellness & Aesthetics are the property of Bloomfield Wellness & Aesthetics.
Patients have important legal rights regarding access to and copies of their health information; however, ownership of the original medical record remains with the practice unless otherwise required by law.
This includes records maintained in:
- Electronic Health Record (EHR) systems
- Paper charts
- Diagnostic reports
- Clinical photographs
- Procedure documentation
- Consent forms
- Billing records
- Telephone encounter documentation
- Secure patient portal communications
- Telehealth documentation
12.2 Record Integrity
Medical records are legal healthcare documents.
Workforce members shall ensure that records are:
- Accurate
- Complete
- Legible
- Timely
- Objective
- Authenticated
- Properly dated and timed
- Maintained in chronological order whenever applicable
Documentation must accurately reflect the services provided and may never be altered to conceal an error or misrepresent patient care.
Corrections shall be made in accordance with established documentation standards while preserving the original entry whenever required.
12.3 Record Retention
Bloomfield Wellness & Aesthetics retains records for periods required by applicable federal and Pennsylvania law, contractual obligations, payer requirements, litigation holds, and accepted healthcare practices.
Retention schedules may differ depending upon:
- Adult medical records
- Minor patient records
- Financial records
- Employment records
- Billing documentation
- Controlled substance documentation
- Laboratory reports
- Quality assurance records
- Incident reports
- Compliance records
When multiple retention requirements apply, the practice will generally retain records for the longest applicable period.
12.4 Litigation Holds
If Bloomfield Wellness & Aesthetics becomes aware of pending or reasonably anticipated litigation, government investigation, audit, or other legal proceeding, records subject to that matter shall not be destroyed until the litigation hold has been formally released.
The Privacy Officer and Compliance Officer are responsible for coordinating litigation hold procedures.
12.5 Archived Records
Older records that are no longer actively used may be archived using secure methods.
Archived records remain subject to:
- HIPAA Privacy Rule
- HIPAA Security Rule
- Record retention requirements
- Access controls
- Disaster recovery planning
- Confidentiality protections
Archived records remain retrievable within reasonable operational timeframes.
12.6 Secure Disposal of Paper Records
When paper records have satisfied all retention requirements and no legal hold exists, they shall be destroyed using secure methods designed to prevent reconstruction.
Approved destruction methods include:
- Cross-cut shredding
- Locked shredding consoles
- Certified document destruction vendors
- Pulverization or other secure destruction methods approved by the practice
Patient information shall never be discarded in ordinary trash or recycling containers.
12.7 Secure Disposal of Electronic Information
Electronic information shall be destroyed using commercially reasonable methods appropriate for the type of media involved.
Methods may include:
- Secure electronic wiping
- Cryptographic erasure
- Overwriting
- Physical destruction of storage devices
- Certified destruction services
Electronic devices containing Protected Health Information shall not be donated, recycled, sold, or transferred until all patient information has been securely removed.
12.8 Clinical Photography Retention
Clinical photographs maintained as part of the medical record are retained in accordance with the same privacy and security standards applicable to other Protected Health Information.
Photographs used for:
- Treatment planning
- Medical documentation
- Clinical progress
- Insurance documentation
become part of the patient's designated record set when applicable.
Marketing photographs require separate written authorization unless otherwise permitted by law.
12.9 Email and Electronic Communications
Electronic communications relating to patient care may be retained when they become part of the medical record.
Examples include:
- Secure patient portal messages
- Clinical emails
- Electronic refill requests
- Telehealth communications
- Patient questionnaires
- Electronic consent forms
Administrative emails unrelated to patient care are retained according to business record retention policies.
12.10 Backup Retention
Electronic backups are maintained according to operational and disaster recovery requirements.
Backup retention schedules are designed to:
- Protect against accidental deletion
- Support disaster recovery
- Restore business operations
- Maintain continuity of patient care
Backups remain subject to the same confidentiality requirements as live production systems.
12.11 Privacy Officer
Bloomfield Wellness & Aesthetics designates a Privacy Officer responsible for overseeing compliance with applicable privacy laws.
The Privacy Officer is responsible for:
- Developing privacy policies
- Investigating complaints
- Managing privacy incidents
- Coordinating breach response
- Conducting privacy training
- Monitoring HIPAA compliance
- Responding to patient privacy requests
- Coordinating regulatory communications
- Reviewing Business Associate Agreements
- Updating privacy documentation
Current Privacy Officer:
Kathryn Confer, PharmD
Bloomfield Wellness & Aesthetics
4723 Liberty Avenue
Pittsburgh, PA 15224
Phone: (412) 999-4306
12.12 HIPAA Security Officer
Bloomfield Wellness & Aesthetics designates a Security Officer responsible for protecting electronic Protected Health Information (ePHI).
Responsibilities include:
- Conducting security risk analyses
- Monitoring cybersecurity threats
- Managing technical safeguards
- Coordinating incident response
- Reviewing system security
- Overseeing access controls
- Supervising disaster recovery planning
- Coordinating security awareness training
Current Security Officer:
Kathryn Confer, PharmD
12.13 Compliance Officer
The Compliance Officer is responsible for coordinating the overall compliance program of Bloomfield Wellness & Aesthetics.
Responsibilities include:
- Regulatory monitoring
- Policy development
- Internal auditing
- Workforce education
- Corrective action planning
- Regulatory investigations
- Compliance reporting
- Practice-wide compliance initiatives
Current Compliance Officer:
Kathryn Confer, PharmD
Medical Director:
Dr. Domenic Mantella, MD
12.14 Workforce Responsibilities
Every member of the Bloomfield Wellness & Aesthetics workforce shares responsibility for protecting patient privacy.
All workforce members are expected to:
- Maintain confidentiality
- Complete required training
- Report suspected violations
- Protect passwords
- Secure workstations
- Follow HIPAA policies
- Comply with security procedures
- Respect patient privacy
- Report lost devices immediately
- Cooperate with investigations
Failure to comply with privacy policies may result in disciplinary action.
12.15 Sanctions for Violations
Violations of this Privacy Policy may result in disciplinary action appropriate to the nature and severity of the violation.
Possible sanctions include:
- Verbal counseling
- Written warning
- Retraining
- Suspension
- Termination of employment
- Reporting to licensing boards
- Civil penalties
- Criminal prosecution where applicable
Sanctions are applied consistently and documented in accordance with practice policy.
12.16 Auditing and Monitoring
Bloomfield Wellness & Aesthetics conducts periodic privacy and security monitoring activities to evaluate compliance.
Auditing activities may include:
- Medical record access reviews
- User access audits
- Password compliance
- Security log reviews
- Vendor assessments
- Policy compliance reviews
- Physical security inspections
- HIPAA documentation reviews
Corrective actions are implemented when deficiencies are identified.
12.17 Policy Review
This Privacy Policy shall be reviewed periodically and updated as necessary to reflect:
- Changes in applicable law
- Regulatory guidance
- Technology updates
- Operational changes
- Cybersecurity risks
- Best practices
- Accreditation standards
Revisions become effective on the date specified within the updated policy unless otherwise required by law.
12.18 No Waiver of Legal Rights
Nothing contained within this Privacy Policy shall be interpreted as limiting or waiving any rights or obligations provided under:
- HIPAA
- HITECH Act
- Pennsylvania law
- Federal regulations
- Other applicable healthcare privacy laws
If any provision of this Privacy Policy is determined to be invalid or unenforceable, the remaining provisions shall continue in full force and effect.
12.19 Questions or Concerns
Patients who have questions regarding this Privacy Policy or the handling of their personal information are encouraged to contact the Privacy Officer.
Bloomfield Wellness & Aesthetics
Attention: Privacy Officer
4723 Liberty Avenue
Pittsburgh, PA 15224
Phone: (412) 999-4306
Email: privacy@bloomfieldwellnessandaesthetics.com
We are committed to responding to patient questions promptly, respectfully, and in accordance with applicable law.
12.20 Effective Date
Effective Date: July 11, 2026
This Privacy Policy supersedes all previous versions of the Bloomfield Wellness & Aesthetics Privacy Policy.
Bloomfield Wellness & Aesthetics reserves the right to revise this Privacy Policy as necessary to comply with changes in federal law, Pennsylvania law, healthcare regulations, technology, or business operations. Updated versions will be made available to patients upon request and, when applicable, through our website and patient portal.
Acknowledgment
Bloomfield Wellness & Aesthetics is committed to maintaining the highest standards of patient privacy, professionalism, ethical conduct, and regulatory compliance. Protecting the confidentiality of our patients' information is a fundamental responsibility shared by every member of our organization. Through comprehensive policies, workforce education, technical safeguards, and continuous quality improvement, we strive to earn and maintain the trust our patients place in us every day.