Notice: This document serves as both Livea's general Website Privacy Policy and a summary of our HIPAA Notice of Privacy Practices. Livea Medical is a covered entity under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its implementing regulations. Our full Notice of Privacy Practices is available at any Livea clinic location or by calling 763-319-2020.
Who We Are
Livea Medical ("Livea," "we," "our," or "us") is a medical weight loss and metabolic health clinic operating eight locations across Minnesota and Wisconsin, as well as a telehealth program serving patients statewide. Our registered address is [CLINIC ADDRESS]. We are committed to protecting the privacy and security of every patient's personal and health information.
This Privacy Policy applies to:
- The Livea website at livea.com and all subdomains (the "Site")
- Our telehealth platform and patient portal
- Information collected at or transmitted from any of our clinic locations
- Any communications you send to us by phone, email, or online form
Information We Collect
Personal and Contact Information
When you contact us, complete a form, create an account, or book a consultation, we may collect:
- Full name, date of birth, and biological sex
- Mailing address, email address, and phone number
- Emergency contact information
- Username, password, and account preferences
- Insurance information and member ID numbers
Health and Medical Information
As a medical provider, we collect Protected Health Information (PHI) as defined by HIPAA, including but not limited to:
- Medical history, current conditions, and diagnoses
- Medications, allergies, and supplements
- Vital signs including height, weight, body mass index (BMI), and blood pressure
- Lab results and biometric measurements
- Treatment plans, clinical notes, and progress records
- Information related to weight loss goals and metabolic health
- Information related to GLP-1 therapy, hormone therapy (HRT), NAD+ therapy, and other programs
Payment and Financial Information
We collect payment card information, billing address, and transaction records as needed to process payments for services. Payment card data is processed through PCI-DSS compliant third-party payment processors and is not stored on our servers.
Website and Technical Information
When you visit our Site, we automatically collect certain technical information, including:
- IP address and approximate geographic location (city/region level)
- Browser type, operating system, and device type
- Pages visited, time spent on each page, and referring URLs
- Cookie identifiers and session data (see the Analytics and Cookies section below)
How We Use Your Information
Treatment, Care, and Clinical Operations
The primary purpose for which we collect and use your health information is to provide you with medical care. This includes:
- Diagnosing and treating your condition
- Creating and managing your individualized treatment plan
- Communicating with you about your care, appointments, and prescriptions
- Coordinating care with other healthcare providers when necessary
- Conducting quality assurance and patient safety reviews
- Training clinical and administrative staff
Billing and Payment Processing
We use your information to bill for services, submit claims to insurance carriers, process payments, and resolve billing disputes. This may involve sharing relevant PHI with your insurance company or a third-party billing service.
Clinic Operations and Administration
We may use your information for general business operations, including appointment scheduling, records management, compliance monitoring, and business analytics that do not directly identify you as an individual.
Communications and Marketing
With your consent, we may send you health tips, program updates, appointment reminders, and information about Livea services by email, text message, or phone. You may opt out of marketing communications at any time by clicking the unsubscribe link in any email, replying STOP to any text message, or contacting us at the information below. Appointment reminders and clinical communications are not marketing messages and are sent pursuant to your care relationship with us.
Legal and Regulatory Compliance
We may use or disclose your information as required by law, including to respond to court orders, government investigations, public health reporting obligations, or as otherwise required by HIPAA, Minnesota law, or Wisconsin law.
HIPAA Notice of Privacy Practices Summary
As a HIPAA-covered entity, we are required to provide you with a Notice of Privacy Practices that describes how we may use and disclose your Protected Health Information (PHI). This section provides a summary. Our complete Notice of Privacy Practices is available upon request.
Permitted Uses and Disclosures Without Authorization
Under HIPAA, we may use or disclose your PHI without your written authorization for the following purposes:
- Treatment: Providing, coordinating, or managing your health care
- Payment: Billing and collecting payment for services rendered
- Health care operations: Administrative, legal, and quality-improvement activities
- Public health activities: Reporting communicable diseases, adverse drug events, or abuse
- Law enforcement: Responding to valid court orders or legal process
- As required by law: Federal, state, or local regulatory requirements
Uses and Disclosures Requiring Your Authorization
We will obtain your written authorization before using or disclosing your PHI for purposes not described above, including most marketing activities, sale of your PHI, and psychotherapy notes (if applicable).
Your Patient Rights Under HIPAA
As a Livea patient, you have the following rights with respect to your Protected Health Information:
Right to Access
You have the right to inspect and obtain a copy of your medical records and other PHI that we maintain. Requests should be submitted in writing. We will respond within 30 days and may charge a reasonable cost-based fee for copies.
Right to Amend
If you believe that information in your record is incorrect or incomplete, you may request an amendment. We may deny your request under certain circumstances (for example, if we believe the record is accurate), but we will provide you with a written explanation.
Right to Request Restrictions
You may request that we restrict certain uses or disclosures of your PHI. We are not required to agree to every request, but we must comply if you request that we not disclose PHI to your health plan for services you paid for in full out of pocket.
Right to an Accounting of Disclosures
You have the right to receive a list of disclosures of your PHI that we have made for purposes other than treatment, payment, and health care operations during the past six years.
Right to Confidential Communications
You may request that we communicate with you about your health information in a specific way or at a specific location (for example, by calling only your cell phone, or by sending mail only to a P.O. box). We will accommodate reasonable requests.
Right to a Paper Copy of This Notice
You have the right to receive a paper copy of our Notice of Privacy Practices at any time, even if you have agreed to receive it electronically. Contact us at any clinic location or call 763-319-2020.
Right to File a Complaint
If you believe we have violated your privacy rights, you may file a complaint with Livea or with the U.S. Department of Health and Human Services Office for Civil Rights at hhs.gov/ocr. You will not be retaliated against for filing a complaint.
Telehealth-Specific Data Handling
Livea offers telehealth consultations and follow-up appointments to patients throughout Minnesota and Wisconsin. The following additional practices apply to telehealth encounters:
Platform Security
Telehealth sessions are conducted through a HIPAA-compliant video platform that encrypts all audio and video transmissions. We do not record telehealth sessions without your separate informed consent.
Data Transmission
All clinical information exchanged during a telehealth visit, including intake forms, health histories, and clinical notes, is transmitted using Transport Layer Security (TLS) encryption and stored on access-controlled, encrypted servers.
Minimum Necessary Standard
We apply the HIPAA minimum necessary standard to all telehealth communications, disclosing only the PHI needed to accomplish the purpose of the interaction.
Patient Identity Verification
Prior to each telehealth visit, we verify your identity using at least two identifying factors to ensure the confidentiality of your health information.
Out-of-State Patients
If you receive telehealth services while located in a state other than Minnesota or Wisconsin, additional state-specific requirements may apply. Our providers are licensed in Minnesota and Wisconsin only. Please contact us if you have questions about your specific situation.
How We Share Your Information
We do not sell your personal information or PHI to third parties. We may share information with:
- Business Associates: Third-party vendors who perform services on our behalf (billing, IT support, cloud storage) under HIPAA-compliant Business Associate Agreements (BAAs)
- Insurance companies and payors: As needed for claims submission and payment
- Pharmacies and laboratories: To fulfill prescriptions and process lab orders
- Referring and treating providers: As necessary for coordinated care
- Legal and regulatory authorities: When required by law or valid legal process
Analytics and Cookies
Our website uses Google Analytics 4 (GA4) to understand how visitors interact with the Site. GA4 collects aggregated, anonymized data including page views, session duration, traffic sources, and device type. This data does not include your name, email address, or any health information.
What Cookies We Use
- Essential cookies: Required for the Site to function (session management, security)
- Analytics cookies (GA4): Google Analytics cookies (_ga, _ga_*, _gid) that track aggregate usage patterns. Data is retained by Google for 26 months by default.
- Preference cookies: Remember your settings and preferences across visits
Your Cookie Choices
You may disable or delete cookies through your browser settings at any time. Disabling analytics cookies will not affect your ability to use the Site or receive medical care, but may affect the accuracy of analytics we use to improve the Site. To opt out of Google Analytics across all websites, you may install the Google Analytics Opt-out Browser Add-on.
Data Security
We implement administrative, physical, and technical safeguards to protect your information against unauthorized access, disclosure, alteration, or destruction. These measures include:
- Encryption of data at rest and in transit using industry-standard protocols
- Role-based access controls limiting PHI access to personnel with a need to know
- Regular security risk assessments in compliance with HIPAA Security Rule requirements
- Employee training on privacy and security practices
- Audit logging of access to electronic health records
In the event of a data breach affecting your PHI, we will notify you as required by HIPAA's Breach Notification Rule and applicable state law.
Data Retention
We retain medical records for a minimum of seven years from the date of last service, or for three years after a minor patient reaches the age of majority, whichever is longer, in accordance with Minnesota and Wisconsin law. Website usage data collected through GA4 is retained for up to 26 months. You may request deletion of non-PHI personal data by contacting us; however, we are required to retain PHI for the legally mandated period regardless of such requests.
Children's Privacy
Our website and services are not directed at children under the age of 13. We do not knowingly collect personal information from children under 13 through the Site. If you believe we have inadvertently collected such information, please contact us immediately and we will take steps to delete it.
Changes to This Policy
We may update this Privacy Policy periodically to reflect changes in our practices, legal requirements, or services. When we make material changes, we will update the "Last Updated" date at the top of this page. We encourage you to review this Policy periodically. Continued use of our Site or services after changes are posted constitutes your acceptance of the updated Policy.
Questions or Requests
To exercise your rights, ask a question about this Policy, or submit a privacy complaint, please contact our Privacy Officer:
Livea Medical — Privacy Officer
[CLINIC ADDRESS]
Phone: 763-319-2020
You may also contact any Livea clinic location directly. A list of locations is available at livea.com/locations.