HIPAA

Notice of Privacy Practices

This Notice of Privacy Practices describes how Solas Physical Therapy ("we," "us," or "our") may use and disclose your protected health information (PHI) and how you can get access to that information. Please review this notice carefully.

Who This Applies To

This notice applies to all health information collected by Solas Physical Therapy operated by Dr. Andrew Cisneros, PT, DPT, MS, located at 6633 N Mesa St, Suite 508B, El Paso, TX 79912. It covers information collected through our online booking system, phone and text communications, and in-person clinical encounters.

What We Collect

Protected Health Information We Receive

When you use our online booking system or contact us directly, we may collect the following information, which may constitute PHI when combined with your identity:

  • Your name, phone number, and email address
  • The nature of your injury, pain, or condition (as you describe it)
  • Your preferred appointment date, time, and service type
  • Brief clinical notes you voluntarily provide during intake
  • Communication records related to scheduling and care coordination

We do not collect payment card numbers, insurance information, or social security numbers through this system.

Optional identity verification: Our intake form invites you to upload a photograph of your driver's license to confirm your identity before your first visit. This upload is optional and used solely to verify identity. The image is stored in encrypted, HIPAA-compliant cloud storage (Google Firebase Storage, under a Business Associate Agreement) and is automatically deleted after 30 days. A non-sensitive audit record indicating that verification was completed (date only — no image) is retained as part of your clinical record.

Use & Disclosure

How We May Use Your Health Information

We use and disclose your PHI only as permitted or required by law. The primary ways we use your information are:

Treatment

We use your PHI to provide, coordinate, and manage your physical therapy care. This includes reviewing your intake information before your evaluation, preparing a personalized treatment plan, and following up after sessions.

Scheduling & Operations

We use your contact information and appointment details to confirm, modify, or follow up on booking requests. As a cash-based practice, we do not submit claims to insurance companies, which significantly limits the number of parties who receive your information.

As Required by Law

We may disclose your PHI when required by federal, state, or local law — including to public health authorities, law enforcement in specific circumstances, or in response to a court order or subpoena.

What We Will NOT Do

We will never sell your PHI. We will not use or disclose your PHI for marketing purposes without your written authorization. We will not share your information with employers or family members without your explicit consent, except as permitted by law.

Your Rights

Your Rights Regarding Your Health Information

You have the following rights with respect to your PHI. To exercise any of these rights, contact us using the information at the bottom of this page.

  • Right to Access: You may request a copy of your health information that we maintain. We will provide access within 30 days of your request.
  • Right to Amend: You may request that we correct or amend PHI you believe is inaccurate or incomplete. We may deny the request if we believe the information is accurate. When we accept an amendment, the original entry is preserved unchanged and the correction is added as a dated, signed addendum — both the original and the addendum will appear together in any future copy of your records.
  • Right to an Accounting of Disclosures: We maintain an active log of every disclosure of your PHI to third parties (e.g., insurance carriers, attorneys, other providers) and will provide this accounting on request, going back six years as required by HIPAA §164.528.
  • Right to Request Restrictions: You may request restrictions on how we use or disclose your PHI. We are not required to agree to all restrictions, but we will honor any restriction we do agree to.
  • Right to Confidential Communications: You may request that we communicate with you in a specific way or at a specific location (e.g., only by text, not email).
  • Right to a Paper Copy of This Notice: You may request a printed copy of this notice at any time, even if you previously agreed to receive it electronically.

Our Obligations

Our Duties Under HIPAA

Solas Physical Therapy is required by law to:

  • Maintain the privacy of your protected health information
  • Provide you with this notice of our legal duties and privacy practices
  • Notify you in the event of a breach of your unsecured PHI
  • Follow the terms of the notice currently in effect
  • Not retaliate against you for exercising your privacy rights

We reserve the right to change this notice and our privacy practices. If we make a material change, we will update this page and the effective date above. Changes apply to PHI we already hold as well as PHI we receive after the change date.

Complaints

How to File a Privacy Complaint

If you believe your privacy rights have been violated, you have the right to file a complaint with us or with the U.S. Department of Health and Human Services (HHS) Office for Civil Rights. You will not be penalized for filing a complaint.

To File a Complaint With Us

Dr. Andrew Cisneros, PT, DPT, MS — Privacy Contact
Solas Physical Therapy
6633 N Mesa St, Suite 508B, El Paso, TX 79912
Phone / Text: (915) 318-7381
Email: info@solaspt.com

To file a complaint with the HHS Office for Civil Rights, visit hhs.gov/ocr or call 1-800-368-1019.


Website

Website Privacy Policy

This section covers how we collect and use information through the solaspt.com website — separate from the HIPAA-governed clinical information described above.

Analytics & Tracking

Third-Party Tools We Use

Google Analytics 4 (GA4)

We use Google Analytics to understand how visitors interact with our website — which pages are visited, how long visitors stay, and how they arrived. GA4 collects anonymized usage data such as browser type, device type, and geographic region. It does not collect your name, phone number, or health information. You can opt out via Google's opt-out tool.

Microsoft Clarity

We use Microsoft Clarity to record anonymized session replays and heatmaps to understand how users navigate the site. Clarity may capture mouse movements, clicks, and scroll behavior but does not record passwords, payment data, or personally identifiable information entered into forms. See the Microsoft Privacy Statement.

Firebase / Google Cloud (Booking Data)

Appointment requests submitted through our booking system are stored in Google Firebase Firestore, a secure cloud database operated by Google. This data is encrypted in transit and at rest. Google Cloud supports HIPAA compliance under a Business Associate Agreement (BAA), which we have executed with Google. Access to stored booking data is restricted to authorized personnel only.

Spruce Health (Secure Messaging & SMS)

We use Spruce Health for patient text messaging and secure communication. Spruce is a HIPAA-compliant healthcare communication platform operating under a Business Associate Agreement, meaning your messages, phone number, and any health information shared via text are stored and transmitted within a healthcare-grade security environment — not on general consumer messaging infrastructure.

Resend (Booking Confirmation Email)

We use Resend to send booking confirmation and appointment reminder emails. These emails contain only your name and appointment details — they do not contain protected health information such as your condition, treatment notes, or any clinical content. Resend operates as a transactional email delivery service for these limited, non-PHI notifications.

Cookies

Cookies & Local Storage

Our website uses cookies and similar tracking technologies placed by Google Analytics and Microsoft Clarity. These are analytics cookies used to distinguish unique visitors and track sessions. They do not store health information or personally identifiable data.

You can control cookie settings through your browser preferences. Disabling cookies may affect some website features but will not prevent you from using the booking system or contacting us.

Data Retention

How Long We Keep Your Information

Booking request data (name, contact, appointment details, and condition description) is retained in accordance with Texas state requirements for healthcare records — a minimum of 7 years from the date of the last clinical encounter, or 7 years after a minor reaches the age of 18. After this period, data is securely deleted.

Website analytics data (GA4, Clarity) is retained according to each provider's default retention settings — typically 14 months for GA4.

Minors

Children's Privacy

Our website is not directed to children under the age of 13. We do not knowingly collect personal information from children under 13 through the website. If you are a parent or guardian and believe your child has submitted information to us, please contact us and we will promptly delete it. For patients under 18, a parent or legal guardian must provide consent for treatment.

Questions

Contact Us About This Policy

If you have questions about this Privacy Policy or our HIPAA practices, or wish to exercise any of your rights, please contact us:

Privacy Contact

Dr. Andrew Cisneros, PT, DPT, MS
Solas Physical Therapy
6633 N Mesa St, Suite 508B
El Paso, TX 79912

Phone / Text: (915) 318-7381
Email: info@solaspt.com