PRIVACY POLICY AND NOTICE OF PRIVACY PRACTICES (NPP)

Operated by: Intellimed Nutritional Systems, LLC
Address: 349 Ave. Felisa Rincón de Gautier, Paseo Las Cumbres Shopping Center, Ste 204, San Juan, Puerto Rico 00926
Phone: 787-244-0145 | 787-738-2871
Official Contact Channel: “Contact Us” form
Effective Date: March 18, 2026
Privacy Officer / Contact: Name and Title | 787-244-0145 | 787-738-2871

THIS NOTICE DESCRIBES HOW YOUR MEDICAL AND PERSONAL INFORMATION MAY BE USED AND DISCLOSED, AND HOW YOU CAN ACCESS THAT INFORMATION. PLEASE REVIEW IT CAREFULLY.

This structure and content follow the framework required under HIPAA for Notices of Privacy Practices applicable to healthcare providers, including rights, choices, uses/disclosures, and responsibilities.

  1. SCOPE, ACCEPTANCE, AND NATURE OF THIS NOTICE

This Privacy Policy and Notice of Privacy Practices governs the collection, use, storage, protection, retention, disclosure, and other processing of personal information, health information, and, where applicable, Protected Health Information (“PHI”) and electronic PHI (“ePHI”) by Wellness Medical Clinic and Intellimed Nutritional Systems, LLC in connection with this website, forms, appointment systems, intake processes, payments, electronic communications, telehealth services, messaging systems, automated tools, clinical and administrative services, and all related interactions.

HIPAA requires that individuals receive a notice clearly explaining their rights and the provider’s privacy practices.

By using this website, submitting information, requesting services, booking appointments, completing forms, interacting with chat or AI systems, using messaging channels, or continuing with any digital or clinical process of the Clinic, YOU acknowledge that you have read this Notice and agree that your information may be handled in accordance with its terms, to the extent permitted by law.

Where applicable law requires separate consent or authorization, the Clinic will obtain it expressly, and this Notice does not replace such specific authorization. Nothing in this Notice waives non-waivable patient rights or limits mandatory legal obligations of the Clinic.

  2. IDENTITY OF THE CLINIC, PRIVACY OFFICER, AND CONTACT

For purposes of this Notice, “the Clinic” includes Wellness Medical Clinic, Intellimed Nutritional Systems, LLC, and its authorized workforce, physicians, providers, contractors, agents, and representatives acting within the scope of their permitted duties.

The Clinic is responsible for maintaining the privacy and security of PHI under HIPAA when acting as a covered healthcare provider or in any other regulated capacity. HIPAA requires that this Notice identify the appropriate contact and be made available on the website and upon request.

For questions, rights requests, revocations, restrictions, complaints, or formal privacy communications, YOU must use the “Contact Us” form or contact the Privacy Officer at the information listed above. The Clinic may require reasonable verification of identity, authority, or representation before responding to any request involving personal information, PHI, or ePHI.

The Clinic will make this Notice available to any individual upon request and will post it prominently on any website providing information about its services, in accordance with HIPAA NPP requirements.

  3. INFORMATION WE COLLECT

The Clinic may collect identifying and contact information, including name, address (where applicable), email, phone numbers, date of birth, sex, billing information, appointment identifiers, communications history, operational preferences, and any other information YOU voluntarily provide through forms, intake processes, calls, messaging, telehealth, or in person.

The Clinic may also collect financial and transaction-related information, including prepayments, Stripe identifiers, confirmations, timestamps, authorization logs, and evidence associated with charges or reservations.

The Clinic may also collect health-related information, including symptoms, metabolic conditions, medical history, medications, allergies, test results, clinical notes, telehealth data, insurance information, and any information that identifies or could reasonably identify YOU in connection with your physical or mental health, healthcare services, or payment for such services.

Such information may constitute PHI or ePHI and will be handled in accordance with the HIPAA Privacy Rule, Security Rule, and other applicable regulations.

  4. AUTOMATICALLY COLLECTED INFORMATION, COOKIES, PIXELS, AND TRACKING

When YOU visit the site, the Clinic may automatically collect technical and usage data such as IP address, browser type, operating system, language, pages visited, timestamps, referrers, device identifiers, and interaction data necessary for maintenance, security, abuse prevention, and operation of the site.

In healthcare environments, HHS has warned that certain technical data collected through websites or applications may become regulated or sensitive depending on context and whether it can be linked to an individual’s healthcare interactions.

Accordingly, the Clinic adopts a restrictive, segmented, and legally conditioned approach to the use of cookies, pixels, SDKs, tags, analytics, CRM integrations, call tracking, automation tools, and advertising attribution technologies.

The Clinic may use such tools for operational, security, measurement, attribution, campaign optimization, commercial management, coordination, or aggregated analysis purposes, including integrations with platforms such as Meta or Google, only to the extent that such tools can be configured to reasonably prevent unauthorized transmission of PHI or identifiable health-related data in violation of HIPAA, FTC, or other applicable laws.

The Clinic does not authorize the use of tracking technologies to disclose, sell, share, or enable unauthorized inference of regulated or sensitive health information. If any platform or tool cannot operate in compliance with applicable privacy and security obligations, it shall not receive PHI or equivalent data.

Recommendations or requirements from advertising or analytics platforms do not override the Clinic’s legal obligations.

  5. SOURCES OF INFORMATION

The Clinic may obtain information directly from YOU when you complete forms, request services, book appointments, make payments, complete intake processes, interact with chat tools, use WhatsApp, SMS, or email, participate in telehealth, communicate by phone, or provide information in person.

The Clinic may also receive information from authorized representatives, family members (when permitted), treating providers, insurers, technology platforms, and business associates where a valid legal basis exists.

Additionally, the Clinic may generate internal administrative, clinical, technical, and security records, including logs, notes, authentication records, change histories, timestamps, interaction histories, form responses, supporting files, payment records, and documentation necessary for compliance, audit, security, fraud prevention, chargeback response, incident investigation, and legal defense.

  6. YOUR RIGHTS UNDER HIPAA AND THIS NOTICE

When it comes to your health information, YOU have certain rights. The official HHS model requires that a provider’s Notice of Privacy Practices include, at a minimum, the right to access records, request amendments, receive confidential communications, request restrictions, obtain an accounting of disclosures, receive a copy of the notice, designate a personal representative, and file a complaint.

Accordingly, and to the extent recognized by law, YOU have the right to:

  • Request an electronic or paper copy of your medical record and other health information we maintain
  • Request corrections if you believe information is incorrect or incomplete
  • Request confidential communications through reasonable alternative means or locations
  • Request restrictions on certain uses or disclosures
  • Request a list of certain disclosures made of your information
  • Obtain a paper copy of this Notice, even if you received it electronically
  • Designate a legally authorized person to act on your behalf
  • File a complaint if you believe your privacy rights have been violated

The Clinic may require identity verification, proof of authority, reasonable forms, and appropriate processing time in accordance with HIPAA.

  7. RIGHT TO ACCESS AND OBTAIN COPIES OF YOUR RECORDS

YOU have the right to inspect or obtain an electronic or paper copy of your medical record and other health information maintained by the Clinic.

HIPAA generally requires a response within 30 days, subject to permitted extensions, and allows a reasonable, cost-based fee where permitted by law.

The Clinic may verify identity, reasonably define the scope of the request, protect third-party information, and provide access in the form of copies, summaries, or other reasonable formats. The Clinic may deny or limit access to the extent permitted by law, including where disclosure is restricted due to legal, safety, privilege, record integrity, or third-party protection concerns. Any denial will be handled in accordance with applicable law.

  8. RIGHT TO REQUEST CORRECTIONS (AMENDMENTS)

YOU have the right to request that the Clinic correct health information that you believe is inaccurate or incomplete.

Under HHS guidance, the Clinic may deny the request but must do so in writing within the applicable timeframe.

The Clinic will evaluate requests in good faith but may deny them if it determines that the record is accurate and complete, the information was not created by the Clinic and cannot be verified, the information is not part of the designated record set, or for any other legally valid reason. A requested amendment does not require the Clinic to alter clinical judgment, historical documentation, or record integrity.

  9. RIGHT TO CONFIDENTIAL COMMUNICATIONS

YOU have the right to request that the Clinic communicate with you through a specific, reasonable method or location, such as a different phone number, email, or address.

HHS guidance requires that reasonable requests for confidential communications be accommodated.

The Clinic will make reasonable efforts to honor such requests, provided they are operationally feasible and do not compromise identity verification, security, compliance, or continuity of care. YOU remain responsible for the security of any communication channels you choose, including email, shared devices, messaging apps such as WhatsApp, or personal phones.

  10. RIGHT TO REQUEST RESTRICTIONS

YOU have the right to request that the Clinic limit certain uses or disclosures of your PHI for treatment, payment, or healthcare operations.

HIPAA does not require the Clinic to agree to all requested restrictions, except in specific circumstances, such as when a service is paid out-of-pocket in full and the patient requests that the information not be shared with a health plan for payment or operations, unless disclosure is otherwise required by law.

The Clinic will evaluate restriction requests on a case-by-case basis. If accepted, the restriction will be reasonably documented; if denied, such denial shall not constitute a violation, provided the Clinic acts in accordance with applicable law. Even where a restriction is accepted, the Clinic may disclose information in emergencies or where required by law.

  11. RIGHT TO AN ACCOUNTING OF DISCLOSURES

YOU have the right to request an accounting of certain disclosures of your PHI made by the Clinic within the time period permitted by law.

The HHS model generally uses a six-year lookback period and excludes certain disclosures, including those made for treatment, payment, and healthcare operations, as well as other legally excluded categories.

The Clinic will provide such an accounting in accordance with HIPAA and may charge a reasonable fee for additional requests within the same period. The Clinic is not required to include disclosures excluded by law or to generate reports beyond those required by applicable regulations.

  12. RIGHT TO A COPY OF THIS NOTICE AND TO DESIGNATE A REPRESENTATIVE

YOU have the right to obtain a paper copy of this Notice at any time, even if you agreed to receive it electronically. HIPAA requires that this Notice be available upon request and prominently posted on the website.

If a person has legal authority to act on your behalf, such as a healthcare proxy, legal guardian, or valid personal representative, the Clinic may allow that person to exercise your rights and make privacy-related decisions on your behalf, subject to reasonable verification of authority. The Clinic is not obligated to accept instructions from third parties without sufficient verification.

  13. RIGHT TO FILE A COMPLAINT AND NON-RETALIATION

YOU have the right to file a complaint with the Clinic if you believe your privacy rights have been violated. You may also file a complaint with the U.S. Department of Health and Human Services, Office for Civil Rights (OCR), using the contact information provided by HHS.

The HHS model requires that this right be clearly stated and that no retaliation occur.

The Clinic will not retaliate against you for filing a complaint in good faith. However, this protection does not prevent the Clinic from defending itself against false, malicious, reckless, fraudulent, or abusive claims, nor from preserving evidence, contesting improper allegations, or exercising its contractual and legal remedies in response to bad-faith conduct.

13A. OUR RESPONSIBILITIES

The Clinic is legally obligated to maintain the privacy and security of your PHI and ePHI, to provide you with this Notice of its legal duties and privacy practices, and to comply with the terms of the Notice currently in effect, except to the extent that the law permits or requires a different use or disclosure.

The Clinic will apply reasonable and commercially prudent administrative, technical, and physical safeguards to protect the confidentiality, integrity, and availability of regulated information.

The Clinic will notify YOU without undue delay when a security breach or unauthorized disclosure triggers a legal notification obligation under HIPAA, the FTC Health Breach Notification Rule, or another applicable framework.

However, the Clinic reserves the right to investigate, contain, document, and remediate any incident before issuing external communications, and is not obligated to disclose technical details, attack vectors, or internal security configurations beyond what is legally required or reasonably necessary.

  14. YOUR CHOICES

For certain categories of information, YOU may indicate your preferences regarding how the Clinic uses or shares your information, particularly in contexts where HIPAA permits sharing based on your choice, such as communicating information to family members or individuals involved in your care, or in other discretionary contexts permitted by law.

The HHS model also references directory, disaster relief, mental health care, marketing, sale of information, and fundraising as “Your Choices” categories, as applicable to the type of entity.

The Clinic will follow your instructions where legally and operationally appropriate. In situations where you are unable to express your preference and there is a legal basis to act in your best interest or to reduce a serious and imminent threat to health or safety, the Clinic may share information in accordance with applicable rules.

Where the law requires written authorization, the Clinic will not share the information without such valid authorization.

  15. MARKETING, SALE OF INFORMATION, AND EXPLICIT CONSENT

The Clinic will not use or disclose PHI for marketing purposes where HIPAA requires a valid written authorization, except for the exceptions permitted by the rule itself.

HHS maintains that communications that fall within the regulatory definition of marketing generally require authorization, and if they involve third-party remuneration, this must be disclosed in the authorization.

The Clinic will not sell your PHI without the authorization required by law.

The Clinic will also not deliberately use PHI to build advertising audiences, commercial profiles, retargeting campaigns, or sensitive segmentation with advertising platforms without a sufficient legal and technical basis.

If the stack includes CRM, advertising platforms, automation, lead tracking, or integrations, clinical or potentially clinical information may only be used for advertising when there is valid authorization and a real compliance architecture; otherwise, such flows must exclude PHI or sensitive data.

The Clinic does not conduct fundraising and will not use your PHI or ePHI for fundraising purposes. If in the future the Clinic decides to implement fundraising activities in a manner permitted by law, it will not use PHI for such purposes without first complying with applicable legal requirements, including any notice obligations, opt-out options, or authorization requirements under the applicable regulatory framework.

  16. TYPICAL USES AND DISCLOSURES OF YOUR INFORMATION

The Clinic may use and share your health information to treat you, operate the practice, and bill for services.

The HHS model identifies those three categories specifically as “treat you,” “run our organization,” and “bill for your services.”

Additionally, the Clinic may use or disclose information in other situations permitted or required by law, including public health and safety, research, compliance with the law, organ or tissue donation, work with a medical examiner or funeral director, workers’ compensation, law enforcement and other authorized governmental requests, and responses to lawsuits or legal actions, always subject to applicable legal conditions and limitations.

The Clinic does not interpret this language as an obligation to disclose automatically upon any request; each request will be evaluated based on its legal basis, scope, necessity, and compatibility with privacy.

  17. PRIVACY RULE REGARDING REPRODUCTIVE HEALTH

If the Clinic maintains PHI potentially related to reproductive health care, the Clinic will not use or disclose such PHI to investigate or impose liability on an individual solely for the act of seeking, obtaining, providing, or facilitating reproductive health care when such care is lawful under the applicable circumstances, nor to identify a person for that purpose.

The final HHS rule imposes that prohibition and requires changes to the NPP.

Additionally, when the Clinic receives a request for PHI potentially related to reproductive health care for purposes such as health oversight activities, judicial or administrative proceedings, law enforcement purposes, or disclosures to coroners or medical examiners, the Clinic may require, as a prior and indispensable condition before considering any disclosure, a signed attestation consistent with the applicable legal framework.

The Clinic expressly reserves the right to deny, limit, defer, object to, or challenge any request that does not strictly comply with that requirement or that reasonably appears to pursue a prohibited, improper, incomplete, overbroad, or legally defective purpose.

  18. BUSINESS ASSOCIATES AND STACK PROVIDERS

The Clinic may share information with third parties that provide legitimate and reasonably necessary services for its operations, including, without limitation: Stripe for payment processing, Calendly for appointment scheduling, telehealth platforms, digital forms, CRM, cookies and session technologies, artificial intelligence tools, chat widgets, WhatsApp business workflows, web hosting, security, messaging, electronic signature, storage, support, automation, and other technological tools that form part of the operational stack of the site.

Where any such third party acts or is required to act as a business associate under HIPAA, the Clinic will seek to ensure that the corresponding agreement exists and that reasonable privacy and security controls are in place consistent with the level of risk involved.

The Clinic does not represent or guarantee that every component of its stack is appropriate to receive PHI in every context.

On the contrary, the Clinic’s governing operational rule is that no component of the stack may receive PHI, ePHI, or functionally equivalent information unless it is legally authorized, technically configured, and contractually supported to do so.

YOU acknowledge that the existence of technological integrations on the site does not mean that all information submitted through any field, button, pixel, form, or channel is appropriate for transmitting full clinical data, and therefore the Clinic may apply data minimization, flow segmentation, use restrictions, and channel-specific controls.

18A. FORMS, DATA MINIMIZATION, AND SITE USE

The Clinic may use digital forms to receive information requests, coordinate appointments, perform initial intake, administrative follow-up, or general communication. Such forms may request identifying, contact, availability, payment, or health-related information depending on the nature of the service.

However, the Clinic will seek to structure its forms under a reasonable data minimization principle, limiting collection to what is legitimately necessary for the corresponding operational or clinical purpose.

YOU acknowledge that you must not include excessive clinical information, unnecessary files, third-party documents, or especially sensitive information in general forms, open fields, free text boxes, chat widgets, or messaging channels when the flow is not expressly designed for that purpose.

The Clinic may, at its sole discretion, limit, segment, remove, redirect, or reject submissions that contain improperly shared information, and may retain evidence of such submissions when necessary for compliance, security, audit, fraud prevention, or legal defense.

The Clinic will not deliberately use PHI, ePHI, or identifiable clinical information to feed advertising audiences, remarketing, conversion APIs, optimization events, lead syncing, customer matching, behavioral targeting, or segmentation based on health conditions, unless there is valid authorization, a sufficient legal basis, and a technical architecture compatible with applicable obligations.

If such conditions do not exist, the Clinic will limit the use of such tools to non-regulated, aggregated, de-identified, or strictly necessary data for permitted functions.

  19. AI TOOLS, CHAT WIDGET, WHATSAPP, AND AUTOMATION

The Clinic may use artificial intelligence tools, chatbots, automation, WhatsApp business workflows, or other systems to respond to general questions, assist with coordination, initial intake, reminders, or administrative support.

These systems do not replace a healthcare professional, do not independently establish a physician-patient relationship, and must not be used for medical emergencies or relied upon exclusively for automated responses.

Where AI tools or automated workflows access potentially clinical information, the Clinic will seek to limit data, restrict permissions, log activity, evaluate vendors, and apply appropriate contractual and technical controls.

YOU acknowledge that you must not send more clinical information than strictly necessary through chat or messaging unless the flow is expressly designed for that purpose.

YOU also acknowledge that messaging and AI channels may involve residual risks, and that the Clinic may log, retain, review, and use such interactions for security, compliance, coordination, audit, and legal defense purposes.

  20. TELEHEALTH, AUDIO-ONLY, AND REMOTE COMMUNICATIONS

Where the Clinic provides telehealth, audio-only telehealth, or remote technologies, YOU acknowledge that your information may be processed through specialized platforms and that privacy also depends on factors under your own control, such as using secure networks, protecting your devices, avoiding third parties in your environment, and maintaining the confidentiality of your credentials.

HHS has issued specific guidance regarding privacy and security in telehealth.

The Clinic will implement reasonable controls and may require authentication, identity verification, and minimum technical conditions before proceeding.

However, the Clinic shall not be responsible for access, exposure, or interception primarily caused by insecure devices, compromised networks, shared accounts, misconfiguration, or user-side negligence.

  21. SECURITY, ENCRYPTION, RESTRICTED ACCESS, AND RECOGNIZED PRACTICES

The Clinic implements and may continue to implement reasonable administrative, physical, and technical safeguards to protect ePHI, including access control, need-to-know principles, permission management, authentication, segmentation, endpoint protection, backup, documentation, training, vendor review, and encryption measures where appropriate. HHS maintains guidance materials regarding the Security Rule, risk analysis, and recognized security practices.

However, no system can guarantee absolute security, zero incidents, or continuous availability. To the maximum extent permitted by law, the Clinic disclaims any absolute guarantee of invulnerability and limits its obligation to maintaining a reasonable, documented, and prudent posture of compliance and security. This Notice does not constitute a promise of technological perfection nor a waiver of defenses against events caused by third parties, force majeure, third-party software, zero-day vulnerabilities, or malicious conduct outside the Clinic’s reasonable control.

  22. BREACHES, INCIDENTS, AND NOTIFICATIONS

If a breach or incident occurs that triggers legal notification obligations, the Clinic will act in accordance with the HIPAA Breach Notification Rule and, where applicable, the FTC Health Breach Notification Rule. The FTC has made clear, including through enforcement actions, that unauthorized disclosure of health data to third parties may trigger that rule and require notification to consumers, the FTC, and in certain cases the media.

The Clinic reserves the right to investigate, contain, correct, document, and report incidents in accordance with the law and with the advice of its counsel. Not every technical incident automatically constitutes a legally reportable “breach.” The Clinic is not obligated to disclose sensitive operational details, attack vectors, or internal configurations beyond what is necessary or legally required.

  23. PAYMENTS, STRIPE, AND FINANCIAL DATA

The Clinic may process payment and billing information to confirm appointments, manage prepayments, identify transactions, document authorization, prevent fraud, defend disputes, and comply with tax and accounting obligations. Payments may be processed through third parties such as Stripe, also subject to the policies of the corresponding processor. The Clinic may retain evidence related to transactions, including identifiers, timestamps, receipts, IP addresses, and associated communications.

The existence of this policy does not limit the Clinic’s rights under its Terms and Conditions regarding non-refund, anti-chargeback measures, mandatory prior contact, and defense costs. Payment information will be handled with reasonable controls, but the Clinic does not guarantee the internal operation of Stripe or other third parties beyond its reasonable control.

  24. MINORS, REPRESENTATIVES, AND LEGAL AUTHORITY

The Clinic does not intend to knowingly collect information from minors through the website without valid legal participation and authorization. When a person acts on behalf of another, that person represents that they have sufficient authority to do so and agrees to be responsible for the truthfulness and legitimacy of that action.

The Clinic may require evidence of representation, parental authority, guardianship, medical power of attorney, or other legal authority before processing requests or disclosing information. The Clinic assumes no responsibility for information improperly provided by a third party without authority.

  25. RETENTION, EVIDENCE PRESERVATION, AND LEGAL DEFENSE

The Clinic will retain information for as long as reasonably necessary for treatment, payment, operations, compliance, audit, security, fraud prevention, legal retention, response to chargebacks, defense against claims, and preservation of evidence. Retention may include clinical records, logs, metadata, messages, payment records, authorizations, appointment histories, and technical documentation.

A request for deletion does not require the destruction of information that the Clinic must or reasonably should retain by law, for record integrity, operational continuity, investigation, fraud prevention, protection against chargebacks, or defense in current or potential proceedings.

  26. LIMITATION OF LIABILITY REGARDING PRIVACY AND TECHNOLOGY

To the maximum extent permitted by law, any claim related to privacy, security, the website, forms, tracking, telehealth, AI, CRM, cookies, pixels, payments, digital stack, or data processing shall also be subject to the limitations of liability validly established in the Clinic’s Terms and Conditions, except where a mandatory rule provides otherwise in an express and non-waivable manner.

YOU acknowledge that the Clinic assumes duties of reasonable care, not of absolute results. Acceptance of this Notice constitutes acknowledgment that privacy and security in digital ecosystems depend both on the Clinic’s controls and on third-party providers, the user, and circumstances outside reasonable control.

  27. CHANGES TO THIS NOTICE

The Clinic may change the terms of this Notice, and such changes may apply to all information that the Clinic maintains about you, in accordance with the framework permitted by HIPAA. The HHS model expressly contemplates that the new notice be available upon request, at the office, and on the website.

The updated version will be posted on the website and will be available to anyone who requests it. When a change requires additional authorization or consent, the Clinic may request it separately and may limit functionalities or communications until it is obtained.

  28. AVAILABILITY OF THE NOTICE AND PRINTED COPY

This Notice will be prominently posted on the Clinic’s website and must be available to any person who requests it. This obligation is expressly reflected in HHS guidance and in the revised 2026 models.

YOU may request a printed copy of this Notice at any time, even if you have accessed it electronically. The Clinic will provide it in a reasonable and timely manner.

28A. NO FUNDRAISING; NO SALE OF PHI

The Clinic does not conduct fundraising and will not use YOUR PHI or ePHI for fundraising purposes. The Clinic will also not sell YOUR PHI or ePHI without the express authorization required by law, should such a scenario ever become legally applicable.

Nothing in this clause shall prevent the Clinic from using non-regulated, de-identified, aggregated, or purely operational information for legitimate internal purposes, general business metrics, aggregated analysis, compliance, security, or reasonable process improvement, provided that this is done in a manner consistent with the law and without improperly exposing identifiable health information.

 

 
