Effective Date: September 5, 2025
This HIPAA Privacy Notice (the “Notice”) describes how Growth Marketing Studios (the “Company,” “we,” “us,” or “our”) handles Protected Health Information (PHI) when we act as a Business Associate to a Covered Entity (e.g., a plastic surgery clinic) under the U.S. Health Insurance Portability and Accountability Act of 1996 and its implementing regulations (collectively, “HIPAA”).
Important: We are not a Covered Entity. We act as a Business Associate only when there is an executed Business Associate Agreement (BAA) with a clinic or other Covered Entity. If no BAA is in place, do not share PHI with us. This website is not intended to collect PHI. Patients should contact their clinic directly for medical questions or HIPAA rights requests.
This Notice applies only to PHI we receive, create, maintain, or transmit on behalf of a Covered Entity pursuant to a BAA. It does not apply to information we process outside HIPAA’s scope (e.g., de‑identified data, aggregated marketing metrics, or non‑PHI business contact information). For non‑HIPAA data, see our Privacy Policy and Cookie Policy.
When acting as a Business Associate, we may use or disclose PHI solely as permitted by the BAA and HIPAA, including:
To Perform Services for the Covered Entity: e.g., analytics, call routing solutions configured for HIPAA, secure lead intake workflows, patient communications expressly authorized by the Covered Entity, and reporting necessary to support clinic operations.
Minimum Necessary: We limit PHI to the minimum necessary to accomplish the intended purpose.
As Required by Law: Disclosures required by federal or state law, court order, or government agencies consistent with HIPAA.
De‑identification: We may de‑identify PHI in accordance with HIPAA and use/disclose the resulting de‑identified data for lawful purposes.
We will not use or disclose PHI for marketing (as defined by HIPAA), or for any sale of PHI, without a valid written authorization from the individual or as expressly permitted by HIPAA and the BAA. Authorizations may be revoked in writing, except to the extent we have already relied on them.
Under HIPAA, individuals have rights regarding their PHI, including the right to access, obtain copies, request amendments, receive an accounting of disclosures, request confidential communications, and request restrictions. Because we are a Business Associate, we typically do not respond directly to individuals. Instead:
Submit requests to your Covered Entity (clinic).
We will support the clinic in fulfilling valid requests and will promptly relay any request we receive to the clinic, as required by the BAA and HIPAA.
We are required by HIPAA and our BAAs to:
Maintain Safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of electronic PHI (ePHI).
Use/Disclose PHI Only as Permitted by the BAA or as required by law.
Report Security Incidents and Breaches of unsecured PHI to the Covered Entity without unreasonable delay, consistent with HIPAA and the BAA.
Ensure Subcontractor Compliance: Bind subcontractors who create, receive, maintain, or transmit PHI on our behalf to written obligations that are at least as protective as our BAA.
We implement administrative, technical, and physical safeguards appropriate to the sensitivity of PHI, which may include: role‑based access controls, least‑privilege permissions, encryption in transit and at rest where supported, logging and monitoring, secure development practices, vulnerability management, personnel training, and vendor due diligence.
AI & data training: We do not use our clients’ data—including any PHI—to train artificial intelligence models. Where we use AI‑assisted services under a HIPAA engagement, we select configurations or providers that offer and honor no‑training commitments and are compatible with HIPAA requirements, as documented in the BAA.
We retain PHI only for as long as necessary to perform the Services or as required by law or the BAA. Upon termination of the BAA or at the Covered Entity’s written request, we will return or securely destroy PHI in our possession or control within a reasonable period, except where retention is legally required or for backup/archival media maintained in the ordinary course of business (which remain protected until destroyed).
We may engage vetted subcontractors or service providers (e.g., secure cloud hosting, communications platforms) to support HIPAA‑scoped Services. Any such third party that handles PHI must sign a Business Associate‑level agreement and implement safeguards consistent with HIPAA and our BAA.
If we discover a breach of unsecured PHI (as defined by HIPAA), we will notify the Covered Entity without unreasonable delay and provide required information so the Covered Entity can fulfill individual and regulatory notifications, consistent with HIPAA and the BAA.
Where PHI processing involves cross‑border transfers, we will do so only as permitted by the BAA and applicable law, and we will implement appropriate safeguards. If geographic restrictions are required by the Covered Entity, they will be reflected in the BAA and our technical controls.
If you believe your privacy rights have been violated, you may file a complaint with your clinic (the Covered Entity) and/or with the U.S. Department of Health and Human Services, Office for Civil Rights (HHS‑OCR). We will not retaliate for filing a complaint.
For questions about this Notice or our Business Associate privacy practices, contact our Privacy Officer:
Mail: Growth Marketing Studios — Privacy Officer, Miami‑Dade County, Florida (USA)
We may update this Notice from time to time. Material changes will apply on a go‑forward basis and become effective on the Effective Date listed at the top. When we update the Notice, we will maintain copies as required by HIPAA and applicable BAAs.
Covered Entity: A health plan, healthcare clearinghouse, or healthcare provider that transmits health information electronically in connection with a HIPAA standard transaction.
Business Associate: An entity that creates, receives, maintains, or transmits PHI on behalf of a Covered Entity to perform functions regulated by HIPAA.