Your privacy matters to us. This policy explains how Skinovatio Medical Spa collects, uses, and protects your personal information.
Last Updated: May 1, 2026
Skinovatio Medical Spa (“we,” “us,” or “our”) is a medical service provider operating in the State of Ohio. As such, we are required by both federal and state law to protect the privacy and security of your medical information. This Medical Privacy & Data Protection Notice (“Notice”) explains:
What Protected Health Information (PHI) we collect about you;
How we use and disclose your PHI;
Your rights with respect to your PHI under federal and Ohio law; and
Our legal obligations under HIPAA, the Ohio Administrative Code (OAC), the Ohio Revised Code (ORC), and applicable Ohio consumer protection laws.
Scope of This Notice: This Notice applies to all individuals who visit our website, receive medical spa services at our physical location, or otherwise interact with us. It supplements our standalone HIPAA Notice of Privacy Practices, which we provide to all patients at the time of service.
By accessing our services or our website, you acknowledge that you have read and understood this Notice.
We collect and maintain Protected Health Information (PHI) as defined under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), 45 C.F.R. §160.103. Under Ohio law, medical spas are classified as medical service providers, and therefore all patient information must be protected in accordance with HIPAA regulations and applicable state medical record requirements. For non‑patients who merely browse our website, we may collect limited website usage information as described below.
Medical & Health Information (PHI) we may collect:
Demographic information: name, address, date of birth, emergency contact information;
Medical history: past diagnoses, allergies, medications, previous surgical or cosmetic procedures;
Treatment records: consent forms, procedure notes, pre‑ and post‑treatment photographs;
Payment and insurance information: billing details, insurance policy numbers, payment card information;
Communications: any medical information you provide during consultations, by phone, email, or through our patient portal;
Appointment information: dates of service, appointment reminders, and after‑care instructions.
Website‑Collected Information (for general website visitors who are not patients):
Automatically Collected Information: IP address, browser type, device type, pages visited, and referral source;
Cookies and Similar Technologies: we may use cookies to analyze website traffic and improve user experience. You may control cookie preferences through your browser settings.
We use your PHI only as permitted or required by HIPAA and Ohio law. Uses include:
Treatment: coordinating and providing medical spa services (e.g., injectables, laser treatments, chemical peels, IV therapy) under the supervision of a licensed physician as required by Ohio Revised Code Chapter 4731 and Ohio Medical Board rules;
Payment: billing you, your insurance carrier, or a third party for services rendered;
Healthcare Operations: internal quality assessment, training, compliance monitoring, and business management;
Appointment Communications: sending appointment reminders, pre‑treatment instructions, and after‑care instructions via phone, email, or text message. Healthcare‑related messages are exempt from certain enhanced consent requirements under the Telephone Consumer Protection Act (TCPA) and FCC regulations, provided they serve a treatment purpose;
Marketing Communications: from time to time, we may send you promotional materials about services or special offers. Prior express written consent is required for automated marketing text messages under the TCPA. You may opt out of marketing communications at any time by following the unsubscribe instructions in the message or by contacting us directly;
As Required by Law: we may use or disclose your PHI when required to do so by federal, state, or local law, including compliance with mandatory reporting statutes or valid court orders.
We do not sell your Protected Health Information to third parties for marketing purposes. We may share your PHI with third parties only in the following limited circumstances, consistent with HIPAA and Ohio law:
| Type of Disclosure | Example | Legal Basis |
|---|---|---|
| Treatment | Sharing records with a consulting physician or specialist for coordinated care | Permitted for treatment under 45 C.F.R. §164.506 |
| Payment | Submitting claims to your insurance carrier | Permitted for payment under 45 C.F.R. §164.506 |
| Healthcare Operations | Engaging a billing company or IT support vendor (Business Associate) | Requires Business Associate Agreement under 45 C.F.R. §164.504(e) |
| Legal Compliance | Responding to a subpoena, court order, or Ohio Medical Board investigation | Permitted or required by law; may require patient notification |
| Public Health | Reporting certain conditions to the Ohio Department of Health | Permitted under 45 C.F.R. §164.512(b) |
| Law Enforcement | Reporting a crime on our premises or as otherwise authorized | Permitted under 45 C.F.R. §164.512(f) |
| Sale or Merger | Transferring records to another healthcare provider in a business transaction | Permitted with patient notification or as required by law |
We require all third‑party service providers who receive your PHI to sign a Business Associate Agreement, contractually obligating them to safeguard your information in accordance with HIPAA and Ohio law.
You have the following rights with respect to your PHI, established under HIPAA (45 C.F.R. §164.524 – 528) and supplemented by Ohio law:
Right to Access (45 C.F.R. §164.524): You may request to inspect or obtain a copy of your medical records maintained by us. We will respond within 30 days (60 days if extended) and may charge a reasonable, cost‑based fee for copies.
Right to Amend (45 C.F.R. §164.526): You may request that we correct inaccurate or incomplete PHI. We may deny your request if we determine the record is accurate and complete, but we will provide a written explanation.
Right to an Accounting of Disclosures (45 C.F.R. §164.528): You may request a list of certain disclosures of your PHI made outside of treatment, payment, and healthcare operations during the six years prior to your request.
Right to Request Restrictions (45 C.F.R. §164.522(a)): You may ask us to restrict uses or disclosures of your PHI for treatment, payment, or operations. We are not required to agree, except where you have paid out‑of‑pocket in full and request that we not disclose the information to a health plan.
Right to Request Confidential Communications (45 C.F.R. §164.522(b)): You may request that we communicate with you about your PHI by alternative means or at alternative locations.
Right to a Copy of This Notice: You may request a paper copy of this Notice at any time, even if you previously agreed to receive it electronically.
Ohio‑Specific Rights:
Under Ohio law, you have the right to be notified of a breach of your unsecured PHI in the most expedient time possible, but no later than 45 days following discovery of the breach, consistent with the legitimate needs of law enforcement. The Ohio Attorney General may enforce this requirement on behalf of affected consumers.
If you believe we have violated your privacy rights, you may file a complaint with us directly or with the U.S. Department of Health and Human Services, Office for Civil Rights. You may also file a complaint with the Ohio Attorney General’s Office.
Under the Ohio Administrative Code, we are legally required to maintain medical records for each patient for at least six years from the date of discharge or last service. This requirement applies to all health care facilities within Ohio.
We maintain an adequate medical record‑keeping system and take appropriate measures to protect medical records against theft, loss, destruction, and unauthorized use or access, as required by Ohio law. If your records are maintained in electronic format, we implement administrative, physical, and technical safeguards as required by the HIPAA Security Rule (45 C.F.R. Part 164, Subpart C).
When we no longer have a legal obligation to retain your medical records, we dispose of them in a secure manner consistent with Ohio law and professional standards of practice.
In the event of a breach of unsecured PHI (as defined under HIPAA) involving your personal information, we will provide notification as follows:
Individual Notification: We will notify affected individuals in the most expedient time possible, but no later than 45 days following discovery of the breach. Notification may be provided in writing, by email, or by telephone as circumstances warrant.
Media Notice: If the breach involves more than 500 residents of a state or jurisdiction, we will notify prominent media outlets serving that area without unreasonable delay.
Secretary of HHS: We will report breaches to the Secretary of Health and Human Services as required by 45 C.F.R. §164.408.
Ohio Attorney General: For breaches involving Ohio residents, we will comply with applicable notification requirements enforced by the Ohio Attorney General.
The Ohio Attorney General defines “personal information” for breach notification purposes as an individual’s name combined with a Social Security number, driver’s license number, or financial account number with security code, and requires notification when such information is subject to a breach that creates a material risk of identity theft.
As a medical spa offering services to Ohio consumers, we comply with the Ohio Consumer Sales Practices Act (ORC Chapter 1345) and its implementing rules (OAC Chapter 109:4‑3). The CSPA requires that we:
Accurately represent the characteristics of our medical spa services and products;
Not make misrepresentations about the nature of our business, the prices of our services, or the terms of any transaction;
Not mislead consumers regarding expected results, risks, or other material aspects of treatments;
Disclose important exclusions, limitations, and risks in our advertising;
Not take advantage of a consumer’s inability to understand the terms of a transaction.
All of our marketing communications, including website content, social media posts, email newsletters, and printed materials, are subject to these requirements. If you believe we have engaged in an unfair or deceptive sales practice, you may file a complaint with the Ohio Attorney General’s Office.
Appointment Reminders & Treatment Communications: We may send you text messages related to your appointments, pre‑treatment instructions, after‑care instructions, and other treatment‑related matters. Healthcare‑related text messages are generally exempt from certain enhanced consent requirements under the TCPA and FCC regulations, provided they serve a legitimate healthcare purpose and are not primarily marketing or promotional in nature.
Marketing Text Messages: We will send you marketing or promotional text messages (e.g., special offers, new service announcements) only after obtaining your prior express written consent. By providing your phone number and checking the appropriate consent box on our intake forms or website, you agree to receive such marketing text messages from us. Message frequency may vary. Message and data rates may apply.
Opt‑Out Rights: You may opt out of receiving any or all text messages from us at any time by:
Replying STOP or UNSUBSCRIBE;
Replying STOP to any treatment‑related text message (which will unsubscribe you from all future text communications);
Contacting us directly at the information provided in Section 13 below.
We will honor all opt‑out requests without unreasonable delay. You may not be able to receive appointment reminders via text message after opting out.
Our services are directed to adults aged 18 and older. We do not knowingly collect PHI from individuals under the age of 18 without verifiable parental consent. If we become aware that we have inadvertently collected PHI from a minor without appropriate consent, we will take steps to delete that information, except as required to be retained by law. For minors, Ohio law requires that medical records be maintained for three years past the age of majority, but not less than seven years from the date of discharge.
We may update this Notice from time to time to reflect changes in our privacy practices, legal requirements, or operational procedures. Material changes will be posted on our website at www.skinovatioohio.com/
Skinovatio Medical Spa operates under the regulatory authority of the State Medical Board of Ohio. The Medical Board’s purpose is to protect the public by ensuring that physicians and other licensed practitioners provide safe, competent, and ethical care. We maintain all required physician supervision, delegation, and scope‑of‑practice standards under Ohio Revised Code Chapter 4731, including having a licensed physician direct all medical services provided at our facility. If you have concerns about the medical care you received at our facility, you may file a complaint with the State Medical Board of Ohio.
If you have any questions about this Notice, our privacy practices, or your rights under federal or Ohio law, you may contact us at:
Skinovatio Medical Spa – Privacy Office
Email: info@skinovatioohio.com
Phone: (216) 712-4605
Address: 1139 Rockside Rd., Parma, OH 44134
To file a complaint:
With us: Contact the Privacy Office using the information above.
With the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR):
Phone: 1‑800‑368‑1019
Mail: U.S. Department of Health and Human Services, 200 Independence Avenue S.W., Washington, D.C. 20201
With the Ohio Attorney General’s Office (for consumer protection complaints, including data breaches and CSPA violations):
Phone: 1‑800‑282‑0515
We will not retaliate against you for filing a complaint.