Privacy Policy & HIPAA Notice of Privacy Practices

Effective Date: April 14, 2026

1. Who We Are

UltraStat Imaging is a mobile and in-office diagnostic ultrasound practice serving the Columbia, MD and greater DMV region. We are operated by Rosenie Ridore, RDMS/RVT. Our contact information:

2. Information We Collect

When you book an appointment or use our online portal, we may collect:

  • Full name, date of birth, and contact information (phone, email, address)
  • Service address for mobile ultrasound appointments
  • Reason for visit, symptoms, and medical history relevant to the requested service
  • Payment information processed securely through Square (we do not store full card numbers)
  • Electronic consent signatures and acknowledgment records
  • Appointment history and communication records
  • Technical data such as IP address and browser type when you use our website

3. How We Use Your Health Information (Protected Health Information / PHI)

As a HIPAA-covered entity, we use and disclose your Protected Health Information (PHI) for the following purposes:

  • Treatment: To schedule and perform ultrasound services, communicate findings, and coordinate care with your referring provider.
  • Payment: To process your deposit and collect any remaining balance, and to submit claims where applicable.
  • Healthcare Operations: For quality assurance, staff training, scheduling, and business management purposes.
  • Appointment Reminders: To send email notifications confirming your appointment and reminders 24 hours and 2 hours before your scheduled visit.
  • Legal Compliance: As required by law or in response to valid legal process.

We do not sell your health information. We do not share PHI with third parties for marketing purposes without your explicit written authorization.

4. How We Protect Your Information

We take the security of your health information seriously and have implemented the following safeguards:

  • Encryption at Rest: All patient PHI stored in our database is encrypted using AES-256-CBC encryption.
  • Encryption in Transit: All data transmitted between your browser and our servers uses TLS (HTTPS).
  • Access Controls: Database access is restricted to authorized service accounts only. Public access is blocked via row-level security policies.
  • Audit Logging: All access to and modifications of appointment records are logged.
  • Payment Security: Payment card data is handled exclusively by Square, a PCI-DSS compliant payment processor. We never store raw card numbers.

5. Your HIPAA Rights

As our patient, you have the following rights regarding your health information:

  • Right to Access: You may request a copy of your health information that we maintain.
  • Right to Amend: You may request that we correct or amend inaccurate health information.
  • Right to an Accounting of Disclosures: You may request a list of disclosures we have made of your PHI.
  • Right to Request Restrictions: You may ask us to limit how we use or share your PHI.
  • Right to Request Confidential Communications: You may request that we contact you in a specific way (e.g., only by email).
  • Right to Opt Out of Fundraising: We do not conduct fundraising activities using your information.
  • Right to File a Complaint: If you believe your privacy rights have been violated, you may file a complaint with us or with the U.S. Department of Health & Human Services Office for Civil Rights at hhs.gov/ocr.

To exercise any of these rights, contact us at info@ultrastatmobile.com or call (240) 909-1395. We will respond within 30 days.

6. Website Analytics & Cookies

Our website uses Google Analytics to understand how visitors interact with our site. This data is collected anonymously and does not include any PHI. Google Analytics may use cookies to recognize returning visitors. You can opt out of Google Analytics tracking via the Google Analytics Opt-out Browser Add-on.

We do not use advertising cookies or sell browsing data to any third party.

7. Third-Party Service Providers

We work with the following third-party vendors who may process data on our behalf under appropriate agreements:

  • Supabase — Secure database hosting (SOC 2 Type II)
  • Square — Payment processing (PCI-DSS Level 1)
  • Google — Calendar integration and Analytics
  • Render — Application hosting infrastructure

We do not sell, rent, or trade your personal information with any other third parties.

8. Data Retention

We retain patient records for a minimum of 6 years from the date of creation, or longer as required by applicable Maryland and federal law. Appointment records, consent signatures, and payment records are retained in accordance with HIPAA requirements.

9. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will revise the Effective Date at the top of this page. Continued use of our services after any changes constitutes your acceptance of the revised policy.

10. Contact Our Privacy Officer

For questions about this notice, to exercise your HIPAA rights, or to report a privacy concern:
