Notice of Privacy Practices
Last Updated: APRIL 2026
THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
Mercedes Baez, RN, MSN ("I," "me," or "my") is committed to protecting the privacy of your health information. This Notice of Privacy Practices ("Notice") describes how I may use and disclose your protected health information ("PHI") to carry out treatment and practice operations, and for other purposes permitted or required by law. It also describes your rights regarding your PHI and how you may exercise those rights.
PHI is information about you — including demographic information — that may identify you and that relates to your past, present, or future physical health or condition, or to payment for healthcare services.
I am required by applicable law, including the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its implementing regulations, to maintain the privacy of your PHI, to provide you with this Notice of my legal duties and privacy practices, and to notify you in the event of a breach of your unsecured PHI. I am required to abide by the terms of this Notice currently in effect.
1. How I may use and disclose your PHI
Treatment. I may use and disclose your PHI to provide, coordinate, or manage your aesthetic and wellness care. For example, your PHI may be shared with other healthcare providers to whom you are referred in connection with your treatment, or to obtain records necessary to inform your care.
Practice operations. I may use your PHI to support the day-to-day operations of my practice, including quality improvement, scheduling, recordkeeping, training, legal and compliance activities, and maintaining and supporting electronic health record systems such as Nextech EMR. I will use the minimum necessary PHI to accomplish these purposes.
Payment. Because my practice is cash-pay only and does not bill insurance, I do not transmit your PHI to health insurers or third-party payers for reimbursement purposes. If this changes, this Notice will be updated and you will be notified.
As required or permitted by law. I may use or disclose your PHI without your authorization in the following circumstances, as permitted or required by applicable law:
As required by federal, state, or local law;
For public health activities, such as reporting communicable diseases or adverse events;
To report suspected abuse, neglect, or domestic violence to appropriate authorities;
For health oversight activities, including audits and investigations by government agencies;
In connection with judicial or administrative proceedings, in response to a court order or subpoena;
For law enforcement purposes, as required by law;
To coroners, medical examiners, and funeral directors, as permitted by law;
For organ and tissue donation purposes;
For certain research purposes, subject to applicable legal requirements and oversight;
To avert a serious threat to health or safety; and
For workers' compensation purposes, as required by applicable law.
2. Uses and disclosures that require your authorization
Other than as described above, I will only use or disclose your PHI with your written authorization. In particular, I will not use or disclose your PHI for the following purposes without your explicit written authorization:
Marketing communications;
Sale of your PHI; or
Any other purpose not described in this Notice.
You may revoke any authorization you have given me at any time, in writing, except to the extent that I have already taken action in reliance on it.
3. Your rights regarding your PHI
You have the following rights with respect to your PHI. To exercise any of these rights, please submit a written request to hello@mercedesbaez.com.
Right to access: Request to inspect and receive a copy of your PHI maintained in my records, including electronic records.
Right to amend: Request a correction or amendment to your PHI. If I deny your request, you have the right to file a statement of disagreement.
Right to restrict: Request restrictions on certain uses and disclosures of your PHI. Because I am cash-pay only, I am required by law to honor requests to restrict disclosures to health plans for services you have paid for in full out-of-pocket.
Right to confidential communications: Request that I communicate with you about your PHI by alternative means or at an alternate location (e.g., a different email address or phone number).
Right to an accounting: Request a list of certain disclosures of your PHI I have made, other than disclosures for treatment, payment, or operations, or those made with your authorization.
Right to a paper copy: Request a paper copy of this Notice at any time, even if you previously received it electronically.
4. Breach notification
I am required by law to notify you in the event of a breach of your unsecured PHI. If such a breach occurs, I will notify you in writing as required by applicable law, including the nature of the breach, the types of PHI involved, steps you should take to protect yourself, and steps I am taking to address the breach.
5. Electronic health records & third-party platforms
I maintain electronic health records using Nextech EMR. Nextech operates as a Business Associate under HIPAA and is contractually obligated to protect your PHI in accordance with applicable law. I also use third-party scheduling and communication platforms; these platforms are selected with privacy and security in mind, and where required, are governed by Business Associate Agreements.
No platform used by my practice is authorized to sell, share, or use your PHI for marketing purposes.
6. My duties
I am required by law to:
Maintain the privacy and security of your PHI;
Provide you with this Notice of my privacy practices;
Follow the terms of this Notice currently in effect; and
Notify you in the event of a breach of your unsecured PHI.
I reserve the right to change the terms of this Notice and to make new provisions effective for all PHI I maintain. If I make a material change to this Notice, I will post the revised Notice on my website and make it available to you upon request.
7. Complaints
If you believe your privacy rights have been violated, you may file a complaint with me at hello@mercedesbaez.com or with the U.S. Department of Health and Human Services Office for Civil Rights at https://www.hhs.gov/ocr/privacy/hipaa/complaints. I will not retaliate against you in any way for filing a complaint.
8. Effective date & revisions
This Notice is effective as of April 2026. I reserve the right to revise this Notice at any time. The revised Notice will be effective for PHI I already have about you as well as any information I receive in the future. The current version will always be available at www.mercedesbaez.com and will be provided to you upon request.
Questions? Contact me:
www.mercedesbaez.com

