Visit us today: 3333 W Commercial Blvd Suite 110 Oakland Park FL 33309
Ambroise Hair Institute - Privacy & Accessibility Policy

Effective date: August 26, 2025
 

Ambroise Hair Institute (“Ambroise,” “we,” “us,” or “our”) respects your privacy and is committed to protecting personal information. This Policy explains how we collect, use, disclose, secure, and retain information in our medical practice and across our website(s), patient portal(s), telehealth, SMS/email communications, and advertising properties (collectively, the “Services”).
 

This Policy has four parts:

  1. HIPAA Notice of Privacy Practices (NPP) – applies to Protected Health Information (PHI) when we act as a HIPAA-covered health care provider. (See Section A.)

  2. Website & Online Privacy Policy – applies to non-PHI collected from visitors, prospects, and users of our online Services. (See Section B.)

  3. Florida Addendum – includes Florida Information Protection Act (FIPA) and Florida medical-record requirements. (See Section C.)

  4. ADA Website Accessibility Statement – our commitment and contact options for accessibility help. (See Section D.)

If any conflict arises, HIPAA controls for PHI. For non-PHI, state law may provide additional protections.
 

A) HIPAA Notice of Privacy Practices (PHI)

1) What counts as PHI

“Protected Health Information” (PHI) includes individually identifiable information relating to your health, health care, and payment for care. PHI is governed by the HIPAA Privacy, Security, and Breach Notification Rules.
 

2) How we may use and disclose PHI (without your written authorization)

  • Treatment: To provide, coordinate, or manage your care with other providers or facilities.

  • Payment: To bill and obtain payment from you, your plan, or a third party.

  • Health Care Operations: Quality assessment, training, accreditation, auditing, compliance, and general practice management.

  • Public health & law: As required by law (e.g., reporting certain diseases, abuse/neglect, health oversight), to avert serious threats, or for specialized government functions.

  • Business Associates: We may share PHI with vetted vendors under HIPAA Business Associate Agreements.
     

3) Uses/disclosures that require your written authorization

  • Marketing with PHI and sale of PHI require your prior, written authorization (exceptions exist for face-to-face communications and promotional gifts of nominal value). You may revoke an authorization at any time in writing; the revocation does not affect uses or disclosures we already made in reliance on it.
     

4) Your HIPAA privacy rights

  • Right of Access: Get copies of your health records in paper/electronic form (with limited exceptions) and direct them to a third party.

  • Right to Amend: Request corrections to your records if you believe information is inaccurate or incomplete.

  • Right to an Accounting of Disclosures: Receive a list of certain PHI disclosures we made in the past six years (excluding, for example, disclosures for treatment/payment/operations).

  • Right to Request Restrictions: Ask us to limit certain uses/disclosures. We are not required to agree, and a restriction is binding only once we agree to it (except where the law requires disclosure). One exception: if you pay in full, out of pocket, for an item or service, we must honor your request not to disclose PHI about that item or service to your health plan for payment or operations purposes.

  • Right to Confidential Communications: Request we contact you at alternate addresses, phone numbers, or via secure methods.

  • Right to a Paper Copy: You may request a paper copy of this Notice at any time.

How to exercise your rights: Contact us using the details at the end of this Policy. We may need to verify your identity and may charge reasonable, cost-based fees as allowed by law.
 

5) HIPAA breach notification

If a breach of unsecured PHI occurs, we will notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery. We will notify HHS within the same 60-day window when a breach affects 500 or more individuals (smaller breaches are logged and reported to HHS annually), and we will notify prominent media outlets when a breach affects more than 500 residents of a state or jurisdiction.
 

B) Website & Online Privacy Policy (non-PHI)

1) The information we collect

  • You provide: contact details, messages, forms/intake questionnaires, appointment requests, before/after photos (if uploaded), payment information (processed by PCI-compliant processors), and marketing preferences.

  • Collected automatically: IP address, device/browser data, pages viewed, session logs, general location, and identifiers via cookies, pixels, or similar technologies.

  • From third parties: advertising and analytics partners, lead-gen platforms, and social media tools—consistent with your settings on those services.

Children’s privacy: Our online Services are not intended for children under 13, and we do not knowingly collect personal information from them.
 

2) How we use online data

  • Provide and secure the Services (fraud prevention, troubleshooting).

  • Respond to inquiries, schedule consultations, and deliver requested materials.

  • Improve user experience and website performance.

  • Marketing/ads (where permitted): show relevant content, measure campaign performance, and manage preferences.


3) Cookies, analytics, and ads

We use essential cookies (site functionality), analytics (e.g., traffic and performance), and advertising/retargeting pixels. You can manage preferences via your browser, OS settings, and our Cookie Settings link [add link] (note: blocking certain cookies may impact site functionality).
 

4) How we share information (non-PHI)

  • Service providers (IT, hosting, analytics, payments, communications) under contracts limiting use.

  • Legal compliance (court orders, law enforcement with valid process).

  • Business transfers (e.g., mergers or acquisitions).

We do not sell PHI. We do not sell personal information in the ordinary sense; however, some states define “sale” or “share” broadly enough to cover targeted advertising through cookies and pixels. See “Your choices & controls” below.

5) Your choices & controls

  • Email/SMS: Opt out via the unsubscribe link or “STOP” for SMS.

  • Cookies/ads: Use our Cookie Settings and your browser’s tools; reset mobile ad IDs.

  • Access/Deletion (non-PHI): Contact us; we will honor applicable state rights requests and verify your identity.
     

6) Data retention (online)

We retain non-PHI as long as needed for the purposes above or as required by law/contract. See Section C(2) for Florida/medical retention of PHI.
 

7) Security

We maintain administrative, technical, and physical safeguards (e.g., access controls, encryption in transit, vendor due diligence, secure disposal). No method is 100% secure, but we work to minimize risk and detect/respond to incidents.
 

C) Florida Addendum (FIPA & Medical Records)

1) Florida Information Protection Act (FIPA), breach notifications (non-PHI)

For personal information under Florida law, we will notify affected Florida residents of a data breach as expeditiously as practicable and no later than 30 days after determination of the breach, unless a law-enforcement delay applies. If a breach affects 500 or more Florida residents, we will also notify the Florida Department of Legal Affairs (Attorney General) within 30 days. If a breach affects more than 1,000 individuals, we will also notify the consumer reporting agencies as FIPA requires.
 

HIPAA breaches of PHI follow HIPAA timelines (see Section A(5)), but when both laws apply, we follow the stricter timeline/requirements.
 

2) Florida medical record confidentiality & retention (PHI)

  • Confidentiality: Florida law requires records owners to implement policies, standards, and procedures protecting medical record confidentiality and security and to train employees accordingly.

  • Minimum retention: Florida Board of Medicine rules require physicians to retain medical records at least five (5) years from the last patient contact. Many providers keep seven (7) years given Florida’s malpractice statute of limitations.

  • Minors: Retain records for 7 years after the minor reaches age 18 (i.e., until age 25). Specialty/facility type may impose longer retention; we apply the longest applicable period.
     

When we terminate/relocate a practice or a provider passes away, we follow Florida rules for notifying patients and disposition of records.
 

D) ADA Website Accessibility Statement

Ambroise is committed to providing equal access to our services—both in-clinic and online, for people with disabilities. The ADA requires businesses open to the public (Title III) to ensure nondiscrimination and effective communication; DOJ guidance confirms these obligations apply to web content as well.
 

Our accessibility approach

  • We aim for substantial conformance with WCAG 2.1 Level AA across our web and digital content and treat WCAG as our benchmark for continuous improvement.

  • We use semantic HTML, keyboard-navigable interfaces, text alternatives for images, sufficient color contrast, logical headings, form labels/errors, focus indicators, captions/transcripts for media, and skip links—updated during regular audits.

  • Assistive options & alternatives: If a digital feature is not accessible to you, we will provide the requested information or service through an alternative method (e.g., staffed phone support, relay services, email, in-person assistance) at no additional charge and in a timely manner.
     

Report an accessibility issue / request an accommodation

If you encounter any barrier on our site or need an auxiliary aid or service, please contact us:
Accessibility Contact: [Name/Title] • Phone: [###-###-####] • Email: [accessibility@ambroisehair.com] • Address: [Street, City, FL ZIP]

Please include the page/feature, the assistive tech you use (if any), and your contact info. We will respond promptly.
 

How we protect PHI and personal information

  • Policies & training: Workforce members receive privacy, security, and incident-response training (HIPAA + Florida).

  • Vendors: We assess service providers, execute required agreements (e.g., HIPAA BAAs), and restrict use to our purposes.

  • Technical controls: Role-based access, encryption in transit, MFA for admin access where feasible, logging/monitoring, secure configuration and patching, and least-privilege practices.

  • Incident response & breach notices: We investigate suspected incidents, mitigate harm, and issue notices consistent with HIPAA and FIPA timelines.
     

Your choices and how to contact us

  • Marketing communications: You may opt out of marketing emails (unsubscribe link) and texts (“STOP”). HIPAA-regulated marketing that uses PHI requires your prior authorization (see Section A(3)).

  • HIPAA rights requests (PHI): To access, amend, obtain an accounting, request restrictions, or request confidential communications, contact us using the details below. We will respond within HIPAA timelines; for access requests, that is generally within 30 days of receipt, with at most one 30-day extension if we notify you in writing of the reason for the delay.

  • Non-PHI privacy requests (online data): Email privacy@ambroisehair.com for access/deletion/preferences; we will honor applicable state rights and verify your identity.

Complaints

If you believe your HIPAA privacy rights have been violated, you may file a complaint with us or with the U.S. Department of Health & Human Services Office for Civil Rights (OCR). We will not retaliate against you for filing a complaint. HHS OCR: 1-800-368-1019; TTY: 1-800-537-7697; online complaint portal available on hhs.gov.
 

Changes to this Policy

We may update this Policy to reflect operational, legal, or regulatory changes. The “Effective date” above shows when it was last revised. If changes materially affect how we handle PHI or personal information, we will provide appropriate notice (e.g., posting a prominent notice, emailing portal users, or updating our NPP in-clinic).
