
Privacy Policy
A Feat of Hands PLLC Privacy Policy
Introduction. At A Feat of Hands PLLC ("we," "us," or "our"), we are committed to protecting the privacy and security of our clients' personal and medical information in accordance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its implementing regulations. As a healthcare provider, we understand the importance of maintaining the confidentiality of our clients' protected health information ("PHI") and have implemented comprehensive measures to ensure compliance with all applicable federal and state privacy laws, as described in this Privacy Policy (the "Policy") and in our Terms and Conditions of Use.
1. Types of PHI We Collect. In the course of providing massage therapy services, we may collect and maintain the following types of PHI:
Client name, contact information, and demographic data;
Medical history, including any injuries, conditions, or medications;
Records of massage therapy treatment, including date, duration, and techniques used;
Payment information and insurance details, if applicable; and
Any other information provided by you or your healthcare providers that is relevant to your massage therapy treatment.
2. How We Use and Disclose PHI. We will use and disclose your PHI only as permitted by HIPAA and as necessary to provide you with quality massage therapy services. This includes using your PHI to:
Provide, coordinate, and manage your treatment and care;
Obtain payment for the services we provide;
Conduct our normal business operations, such as quality improvement activities and staff training;
Communicate with you about appointment reminders, treatment alternatives, or other health-related benefits and services;
Comply with public health and safety requirements, as mandated by law; and
Fulfill any other purposes for which you have given consent.
We will not use or disclose your PHI for any other purpose without your written authorization, except as required or permitted by law. For example, we may disclose your PHI without your authorization:
To public health authorities for public health activities;
To a health oversight agency for activities authorized by law;
To law enforcement officials for law enforcement purposes;
To prevent or lessen a serious and imminent threat to the health or safety of a person or the public;
For workers' compensation or similar programs, as required by law; and
In response to a court or administrative order, subpoena, discovery request, or other lawful process.
3. Safeguarding Your PHI. We have implemented administrative, physical, and technical safeguards to protect the privacy and security of your PHI, including:
Access Controls: Restricting access to your PHI to only those members of our workforce who need it to provide services to you, and implementing role-based access controls for our electronic systems;
Training: Requiring all members of our workforce to undergo initial and ongoing HIPAA privacy and security training;
Encryption: Implementing end-to-end encryption for all electronic PHI stored on our computers, servers, and during transmission;
Physical Security: Maintaining a secure facility with access controls to prevent unauthorized entry, including locked file cabinets, secure document disposal, and monitored alarm systems;
Network Security: Utilizing firewalls, intrusion detection systems, and regular security updates to protect our network infrastructure;
Audit Logging: Maintaining detailed logs of all access to and modifications of PHI within our systems;
Mobile Device Management: Implementing policies and technical controls to secure any mobile devices that may access or store PHI; and
Regular Risk Assessments: Conducting periodic risk analyses and vulnerability assessments to identify and address potential security risks.
4. Your Rights Regarding Your PHI. You have the following rights with respect to your PHI:
a) Right to Access and Obtain a Copy: You have the right to access, inspect, and obtain a copy of your PHI maintained in our designated record set. To exercise this right:
i. Submit a written request to our Privacy Officer, specifying the desired format (paper or electronic).
ii. We will respond to your request within 30 days (with a possible 30-day extension if needed).
iii. We may charge a reasonable, cost-based fee for copying and mailing, if applicable.
b) Right to Request Amendments: You have the right to request amendments to your PHI if you believe it is incorrect or incomplete. To exercise this right:
i. Submit a written request to our Privacy Officer, clearly stating the reason for the amendment.
ii. We will respond to your request within 60 days (with a possible 30-day extension if needed).
iii. If we deny your request, we will provide a written explanation and information about your right to file a statement of disagreement.
c) Right to Request Restrictions: You have the right to request restrictions on the use or disclosure of your PHI. To exercise this right:
i. Submit a written request to our Privacy Officer, specifying the requested restriction.
ii. We are not required to agree to your request unless it pertains to disclosures to a health plan for payment or healthcare operations purposes and the PHI relates solely to a healthcare item or service for which you have paid in full out-of-pocket.
iii. We will notify you in writing of our decision regarding your request.
d) Right to an Accounting of Disclosures: You have the right to receive an accounting of certain disclosures of your PHI made by us. To exercise this right:
i. Submit a written request to our Privacy Officer, specifying the time period (not to exceed six years prior to the date of your request).
ii. We will provide the accounting within 60 days (with a possible 30-day extension if needed).
iii. We will provide one free accounting per 12-month period, with a reasonable, cost-based fee for any additional requests within that period.
e) Right to Request Confidential Communications: You have the right to request that we communicate with you about your PHI by alternative means or at alternative locations. To exercise this right:
i. Submit a written request to our Privacy Officer, specifying the alternative means or location.
ii. We will accommodate reasonable requests and will not require an explanation from you as to the basis for the request.
To exercise any of these rights, please contact our HIPAA Privacy Officer using the contact information provided at the end of this policy. We are committed to facilitating your rights under HIPAA and will respond to all requests in a timely and professional manner.
5. Breach Notification. In the event of a breach of unsecured PHI, we will notify you and any other required parties in accordance with HIPAA's breach notification requirements. Our breach notification procedures include:
Conducting a thorough risk assessment to determine the probability that PHI has been compromised;
Notifying affected individuals without unreasonable delay and in no case later than 60 calendar days after discovery of the breach;
Providing written notification by first-class mail (or by email if specified as a preference);
Including in the notification a description of the breach, the types of information involved, steps individuals should take to protect themselves, a brief description of our investigation and mitigation efforts, and contact procedures for questions or additional information;
Notifying prominent media outlets in the event of a breach affecting more than 500 residents of a State or jurisdiction; and
Notifying the Secretary of the Department of Health and Human Services as required by law.
7. Compliance with State Privacy Laws. In addition to HIPAA, we also comply with all applicable state privacy laws and regulations that govern the handling of PHI in Washington state. This includes, but is not limited to:
My Health, My Data Act (RCW §§ 19.373.005 – 19.373.900); and
Breach Notification Requirements (RCW § 42.46.590).
We are committed to staying informed about any changes to state privacy laws that may affect our practices and will promptly update our policies and procedures to maintain compliance.
8. Business Associates. We may share your PHI with certain third-party service providers, known as "business associates," who perform functions or activities on our behalf. These business associates are also required to protect the privacy and security of your PHI in accordance with HIPAA. Our business associates may include, but are not limited to:
Billing and claims processing services;
Electronic health record system providers;
IT support and maintenance services;
Cloud storage and data backup providers;
Practice management software providers; and
Legal, accounting, or consulting services.
We enter into written business associate agreements with all such third parties, which contractually obligate them to:
Use appropriate safeguards to protect the confidentiality, integrity, and availability of PHI;
Report any security incidents or breaches of PHI to us promptly;
Ensure that any subcontractors they engage also agree to these same restrictions and conditions; and
Return or destroy all PHI at the termination of the agreement, when feasible.
We maintain oversight of our business associates through regular monitoring, auditing, and review of their compliance with these obligations.
9. Changes to this Privacy Policy. We reserve the right to change this Privacy Policy at any time. Any changes will be effective for all PHI that we maintain, both new and existing. We will:
Post the revised Privacy Policy on our website;
Provide you with a copy of the revised Privacy Policy upon request;
Notify you of any material changes as required by law; and
Maintain an archive of previous versions of the Privacy Policy for reference.
10. Ongoing Compliance Commitment. We are committed to maintaining the privacy and security of your PHI and to ensuring ongoing compliance with HIPAA and applicable state privacy laws. To this end, we:
Regularly review and update our privacy and security policies and procedures;
Conduct periodic risk assessments and audits of our privacy and security practices;
Provide ongoing training to our workforce on privacy and security best practices;
Monitor changes in privacy laws and regulations that may affect our practices;
Promptly implement any necessary changes to maintain compliance; and
Foster a culture of privacy and security awareness throughout our organization.
11. Minors. We do not knowingly collect or solicit PHI from anyone under the age of 18. By accessing or using this website, you represent and warrant that you are at least 18 years of age. If you are under 18 years old, we will not collect or use any PHI for treatment without the supervision and consent of a parent or legal guardian.
We reserve the right to verify your age at any time. If we learn or have reason to suspect that a patient is under 18 years of age, we will promptly delete any PHI in that patient’s records.
If you believe that we might have collected PHI from someone under the age of 18 without parental consent, please contact us immediately at the information in Section 12 of this Policy.
12. Contact Information. By maintaining this comprehensive Privacy Policy and adhering to its provisions, we demonstrate our unwavering commitment to protecting your privacy and maintaining the confidentiality of your personal health information.
If you have any questions or concerns about our privacy practices or this Privacy Policy, please contact our HIPAA Privacy Officer:
Privacy Officer – A Feat of Hands PLLC
Attn: Privacy, 100 Howard St., Ste R, Spokane, WA 99201-0508
massage@featofhands.com
Last Updated: June 20, 2025