1. Introduction
This Privacy Policy explains how Baba Lee Chiropractic APC collects, uses, stores, shares, and protects your personal information and protected health information (PHI). It applies to all current, former, and prospective patients, as well as to visitors to our website at www.lifochiro.com.
We understand that your health information is among the most sensitive personal information you hold. Protecting your privacy is not simply a legal obligation for us — it is a fundamental part of the trust you place in us when you seek chiropractic care. We are committed to handling your information with the utmost care, transparency, and respect.
This policy complies with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its implementing regulations, the California Consumer Privacy Act of 2018 (CCPA) as amended by the California Privacy Rights Act of 2020 (CPRA), and all other applicable state and federal privacy laws.
Please read this policy carefully. If you have any questions about how we handle your information, you are always welcome to contact us directly using the details in Section 15.
2. Who We Are
Baba Lee Chiropractic APC is a California professional corporation providing chiropractic care services in Redding, California. For the purposes of HIPAA, we are a Covered Entity, which means we are legally obligated to protect your Protected Health Information (PHI) and to provide you with this Notice of Privacy Practices. For the purposes of the California Consumer Privacy Act, we are the Business that determines how and why your personal information is collected and used.
Our Contact Details
• Legal Business Name: Baba Lee Chiropractic APC
• Address: 3665 Eureka Way, Redding, CA 96001
• Email: drbaba@lifochiro.com
• Phone: 530-983-0912
• Website: www.lifochiro.com
If you have any questions, concerns, or requests relating to your privacy or your health information, please contact us using the details above.
3. What Personal Data We Collect
We collect several categories of personal information in order to provide you with safe, effective chiropractic care. Below is a detailed description of the types of information we may hold about you.
3.1 Identity and Contact Data
• Your full name, date of birth, and gender
• Home address, email address, and telephone number(s)
• Emergency contact name and relationship
• For patients under 18: name and contact details of the parent or legal guardian
3.2 Health and Clinical Data (Protected Health Information)
This is the most sensitive category of information we hold. It includes all information relating to your physical health, treatment, and care.
• Your presenting complaint, symptoms, and reason for seeking chiropractic care
• Medical and health history, including previous injuries, surgeries, and chronic conditions
• Current medications, supplements, and allergies
• Relevant family health history where clinically appropriate
• Postural analysis, range-of-motion findings, and neurological assessments
• X-ray, imaging, or diagnostic reports where obtained or reviewed in connection with your care
• Clinical notes, treatment records, SOAP notes, and progress reports created at each appointment
• Referral letters and correspondence with other healthcare providers involved in your care
• Functional outcome measures and treatment plans
3.3 Financial and Insurance Data
• Payment card details (processed securely and not stored by us — see Section 6)
• Cash payment records
• Health insurance policy details, insurance company name, member ID, and group number
• Insurance claims information, billing codes, and explanation of benefits documents
• Membership plan details and payment history
3.4 Appointment and Administrative Data
• Appointment booking history, appointment dates and times, and attendance records
• Cancellation and rescheduling records
• Communications between you and the clinic, including emails, voicemails, and text messages
• Consent forms, intake forms, and patient agreements
3.5 Technical and Website Data
• IP address and general geographic location when you visit our website
• Browser type and device information
• Pages visited on our website and duration of visits
• Cookie data (see Section 12 for full details)
3.6 Marketing and Communications Data
• Your marketing communication preferences
• Records of whether you have consented to receive marketing emails
• Records of your interactions with marketing emails (e.g., opens and clicks), as tracked through our email marketing platform
4. How We Collect Your Data
We collect personal information through several channels, all of which are described below.
4.1 Directly From You
Most of the information we hold about you is information you provide to us directly. This includes:
• Patient intake forms and health history questionnaires that you complete at the start of your care
• Verbal information you provide during consultations and treatment sessions
• Consent forms and agreements you sign
• Communications you initiate with us by phone, email, or in person
• Membership enrollment forms and agreements
4.2 Through Our Online Booking System
We use an online booking system on our website that allows you to request and manage appointments. When you use this system, we collect your name, contact information, and appointment details. Please see Section 6 for information about the third-party provider that operates this system.
4.3 Through Payment Processing
When you pay by card in clinic, your payment is processed through our payment terminal. We do not store your full card number. When insurance billing is applicable, we collect and process insurance information in connection with submitting claims on your behalf.
4.4 From Your Insurance Company
Where you authorize us to bill your insurance company, we may receive information back from your insurer regarding your coverage, eligibility, prior authorizations, and claims adjudication. This information forms part of your treatment and billing record.
4.5 Automatically Through Our Website
Our website automatically collects certain technical data when you visit, including your IP address, browser type, and pages visited. This data is collected through standard web server logs and cookies. For full details, please see Section 12.
5. Why We Collect Your Data and Our Legal Basis
We only collect and use your personal information for specific, legitimate purposes. The table below explains each purpose, the legal basis for it under HIPAA and applicable California law, and what this means for you in plain terms.
5.1 Providing Chiropractic Treatment and Care
The primary reason we collect and use your health information is to provide you with chiropractic diagnosis, treatment, and ongoing care. This includes performing clinical assessments, developing treatment plans, maintaining clinical records, and coordinating your care with other healthcare providers where necessary.
Legal Basis: Under HIPAA, this is classified as Treatment — one of the three core permitted uses of PHI. We do not need your separate written authorization for treatment purposes.
5.2 Appointment Booking and Management
We use your contact and scheduling information to book, confirm, remind you about, and manage your appointments. This includes sending appointment reminders by text message, email, or phone. Appointment reminders are clinical communications, not marketing, and will continue to be sent as part of your care.
Legal Basis: Treatment under HIPAA. Necessary for the performance of healthcare services.
5.3 Billing, Payment, and Insurance Claims
We use your financial and health information to process payments, issue invoices and receipts, submit insurance claims on your behalf where applicable, and manage our accounts. This is necessary for the lawful operation of our practice.
Legal Basis: Under HIPAA, this is classified as Payment — one of the three core permitted uses of PHI. We may share the minimum necessary information with your insurance company to process claims.
5.4 Clinic Operations and Healthcare Management
We use information as necessary for the legitimate operation of our chiropractic practice. This includes quality assurance activities, auditing our records, training (within our clinic), managing appointment cancellations and rescheduling, and responding to your queries and complaints.
Legal Basis: Under HIPAA, this is classified as Healthcare Operations — the third core permitted use of PHI.
5.5 Compliance with Legal Obligations
We may be required to use or disclose your information to comply with applicable federal or California state law. This includes complying with mandatory reporting requirements, responding to lawful court orders or subpoenas, responding to requests from government or regulatory bodies, and cooperating with professional licensing authorities.
Legal Basis: Required by law under HIPAA and applicable state statutes.
5.6 Membership Administration
Where you have enrolled in one of our care membership plans, we use your personal and payment information to manage your membership, including billing cycles, benefits administration, and communication about your plan.
Legal Basis: Performance of a contract (the membership agreement between you and the clinic).
5.7 Marketing Communications (Optional)
With your explicit prior consent, we may send you marketing emails about our services, health tips, special offers, and news from the clinic using our email marketing platform, GoHighLevel. You will only receive marketing communications if you have actively opted in to receive them.
Legal Basis: Your freely given, specific, and informed consent. You may withdraw your consent and unsubscribe at any time — see Section 11.
Please note: We will never use your PHI (Protected Health Information from your clinical records) for marketing purposes without your separate explicit written authorization, as required by HIPAA.
5.8 Website Operation and Improvement
We use technical data collected from our website to ensure the site functions correctly, to diagnose technical problems, and to understand how visitors use the site in aggregate. We do not use this data to build individual profiles for advertising purposes.
6. Who We Share Your Data With
Your privacy matters deeply to us. We do not sell your personal information to third parties. We do not share your information with third parties for their own marketing purposes. We share your data only in the limited circumstances described below, and only to the minimum extent necessary.
6.1 Insurance Companies
If you have authorized us to bill your health insurance, we will share the minimum necessary clinical and administrative information with your insurance company to submit claims, obtain prior authorizations, verify eligibility, and respond to claims inquiries. The specific insurance company will depend on your individual coverage.
Insurance companies that handle your PHI are required by HIPAA to protect that information. In some cases, we may enter into a Business Associate Agreement (BAA) with your insurer or its representatives as required by HIPAA.
6.2 Online Booking System Provider
We use an online booking platform on our website to manage appointment scheduling. When you book an appointment online, your name and contact information is processed by this platform. We recommend confirming the specific platform’s privacy practices directly. The clinic owner should confirm the data residency location of this platform and update this policy accordingly.
We have reviewed the terms of service of this platform and are satisfied that appropriate data handling commitments are in place.
6.3 GoHighLevel — Email Marketing Platform
We use GoHighLevel, a customer relationship and marketing automation platform, to manage marketing email communications with patients who have opted in to receive them. Your name, email address, and marketing preferences are shared with GoHighLevel for this purpose.
GoHighLevel is a US-based company. The clinic owner should confirm the specific data residency and data processing terms applicable to their GoHighLevel account, including reviewing GoHighLevel’s Business Associate Agreement (BAA) provisions if PHI is processed through the platform. We strongly recommend ensuring a BAA is in place with GoHighLevel if any PHI is handled through that service.
6.4 Payment Processors
In-clinic card payments are processed through a payment terminal. Card transaction data is handled in accordance with Payment Card Industry Data Security Standard (PCI DSS) requirements. We do not store your full card number. The specific payment processor used for your transaction will be disclosed on your receipt.
6.5 Other Healthcare Providers
If we need to refer you to another healthcare provider, specialist, or emergency service, we may share the minimum necessary clinical information to facilitate that referral or to coordinate your care. We will generally inform you before making such a referral except in emergencies.
6.6 Legal, Regulatory, and Law Enforcement Disclosures
We may disclose your information without your authorization to the extent required by law, for example in response to a valid court order, subpoena, or lawful request from a regulatory or law enforcement authority. Where permitted by law, we will attempt to notify you of any such disclosure.
6.7 No Other Third-Party Sharing
Beyond the categories listed above, we do not share your personal information or PHI with any other third parties. The practice owner is the only individual with direct access to patient records within the clinic.
7. How Long We Keep Your Data
We keep your records only for as long as required by law and as necessary for the legitimate purposes for which they were collected. Our retention periods are based on the default requirements applicable to chiropractic practices in California, as set out below.
7.1 Adult Patient Records (Age 18 and Over)
Under California Business and Professions Code Section 4084 and related regulations, chiropractic patient records must be retained for a minimum of seven (7) years from the date of the patient’s last visit. We retain adult patient records for seven years from your last appointment date, after which records are securely destroyed in accordance with HIPAA requirements.
7.2 Minor Patient Records (Under Age 18)
For patients who were under 18 years of age at any point during their treatment, records are retained until the patient reaches the age of 19 (one year after reaching the age of majority in California), or for seven years from the date of the last treatment visit, whichever period is longer. This ensures that records are available to former minor patients who may wish to access them when they reach adulthood.
7.3 Financial and Insurance Records
Billing records, insurance claims, and payment records are retained for a minimum of seven years in accordance with Medicare and Medi-Cal requirements where applicable, and for general tax and audit purposes.
7.4 Marketing and Communications Data
Marketing preference records, including records of your consent to receive marketing emails, are retained for as long as you remain on our mailing list plus three years thereafter, to demonstrate your consent in the event of a complaint.
7.5 What Happens When the Retention Period Ends
When the applicable retention period expires, your records are securely destroyed. For digital records, this means permanent deletion from our systems and any backup systems. We do not retain records beyond the minimum required period without a specific legal or clinical reason to do so.
8. How We Keep Your Data Safe
We take the security of your personal information and Protected Health Information very seriously. We have put in place a range of technical and organizational safeguards to protect your data against unauthorized access, accidental loss, alteration, or disclosure.
8.1 Technical Safeguards
• All clinical records are stored in digital format using secure, password-protected systems
• Access to patient records is restricted to authorized personnel only — at present, access is limited to the clinic owner/treating chiropractor
• Digital devices used to access patient records are protected with strong passwords or biometric authentication
• Secure, encrypted connections are used for transmitting data over the internet (HTTPS/TLS)
• Regular software updates and security patches are applied to all systems used to manage patient data
• Secure, encrypted backup procedures are in place to prevent data loss
8.2 Organizational Safeguards
• All individuals with access to patient data are subject to strict confidentiality obligations
• We follow a minimum necessary standard, meaning we only access or share the minimum amount of information needed for each specific purpose
• We conduct periodic reviews of our data security practices in line with HIPAA Security Rule requirements
• We maintain a written HIPAA Security Risk Assessment as required by federal law
8.3 Data Breach Response
Despite our best efforts, no data security system is completely impenetrable. In the event of a data breach affecting your PHI, we will comply fully with HIPAA’s Breach Notification Rule, which requires us to notify affected individuals, the U.S. Department of Health and Human Services (HHS), and in some cases the media, within the timeframes specified by law. We will notify you of any breach that poses a significant risk to your rights and interests.
8.4 Third-Party Security
We take care to engage only third-party technology providers that maintain appropriate security standards. Where required by HIPAA, we enter into Business Associate Agreements (BAAs) with third-party service providers who handle PHI on our behalf. We encourage you to review the privacy and security policies of any third-party platforms identified in Section 6.
9. Your Rights
You have a number of important rights over your personal information and your Protected Health Information. These rights are guaranteed to you under HIPAA and the California Consumer Privacy Act (CCPA/CPRA). We explain each right below in plain English, and tell you how to exercise each one.
9.1 Right to Access Your Records (HIPAA Right of Access)
You have the right to request a copy of your Protected Health Information that we hold in a Designated Record Set (which includes your clinical records and billing records). We must provide access within 30 days of a valid request (with one possible 30-day extension in limited circumstances). We may charge a reasonable, cost-based fee for providing copies. To request your records, please contact us in writing using the details in Section 15.
9.2 Right to Request an Amendment
If you believe that information in your medical records is incorrect or incomplete, you have the right to request that we amend it. We will consider your request and respond within 60 days. If we deny the amendment request, we will explain why in writing, and you have the right to submit a written statement of disagreement, which will be retained with your records.
9.3 Right to an Accounting of Disclosures
You have the right to request a list of the disclosures we have made of your PHI for purposes other than Treatment, Payment, or Healthcare Operations for the six years prior to your request. This allows you to see who we have shared your information with outside of routine care purposes.
9.4 Right to Request Restrictions
You may request that we restrict certain uses or disclosures of your PHI. For example, you may ask us not to share specific information with your insurance company if you pay for a service in full out of pocket. We are required by law to honor requests to restrict disclosures to a health plan where you pay for the service in full. For other restriction requests, we will consider them but are not always legally obligated to agree to them.
9.5 Right to Request Confidential Communications
You have the right to ask us to communicate with you in a particular way or at a particular location. For example, you may ask us to contact you only by email rather than phone, or only at a particular address. We will accommodate reasonable requests.
9.6 Right to a Copy of This Notice
You have the right to receive a paper copy of this Notice of Privacy Practices at any time, even if you have already received it electronically. Please contact us and we will provide one.
9.7 California-Specific Rights Under the CCPA/CPRA
As a California resident, you have additional rights under the California Consumer Privacy Act and the California Privacy Rights Act:
• Right to Know: You may request that we disclose the categories and specific pieces of personal information we have collected about you, the sources from which it was collected, the purposes for collecting it, and the categories of third parties with whom we have shared it.
• Right to Delete: You may request that we delete personal information we hold about you, subject to certain exceptions (including our legal obligation to retain medical records for the required retention period).
• Right to Correct: You may request that we correct inaccurate personal information we hold about you.
• Right to Opt Out of Sale or Sharing: We do not sell or share your personal information for cross-context behavioral advertising. This right therefore does not apply to our current practices, but we will honor any such request.
• Right to Limit Sensitive Personal Information: You may request that we limit our use of sensitive personal information to what is necessary to provide the requested service. Health information is sensitive personal information under the CPRA.
• Right to Non-Discrimination: We will not discriminate against you for exercising any of your California privacy rights.
9.8 How to Exercise Your Rights
To exercise any of the rights described above, please contact us in writing using the contact details in Section 15. Please describe your request clearly and include enough information for us to verify your identity. We will respond within the timeframes required by applicable law. There is generally no charge for exercising your rights, except where permitted by law (such as reasonable copy fees for medical record requests).
10. Children’s Privacy
We do provide chiropractic care to patients under the age of 18. We take additional care to ensure that the privacy of minor patients is properly protected.
10.1 Consent for Minor Patients
For patients under the age of 18, we require the written consent of a parent or legal guardian before beginning treatment. The parent or legal guardian will be asked to sign all consent and intake forms on behalf of the minor patient. We collect contact information for the parent or legal guardian, and clinical communications regarding the minor’s care will be directed to them.
10.2 Access to Minor’s Records
Generally, the parent or legal guardian of a minor patient has the right to access the minor’s Protected Health Information. However, there are limited exceptions where California law grants adolescents the right to consent to certain types of care without parental involvement (such as certain mental health, substance abuse, or reproductive health services). In those cases, we will comply with the applicable California law regarding parental access.
10.3 Minor Patients Who Reach 18
When a minor patient reaches the age of 18, control over their health information transfers to them. From that point, the former minor patient may exercise all of the rights described in Section 9 on their own behalf, and we will no longer routinely communicate about their care with their parent or guardian without the patient’s own consent.
10.4 Website and Online Services
Our website and online booking services are not directed at children under the age of 13, and we do not knowingly collect personal information directly from children under 13 through our website without parental consent. If you believe a child under 13 has submitted personal information through our website without parental consent, please contact us immediately and we will promptly delete that information.
11. Marketing Communications
We use GoHighLevel, an email marketing and communication platform, to send marketing communications to patients who have chosen to receive them. This section explains how our marketing communications work and how you can control your preferences.
11.1 Opt-In Basis for Marketing Emails
We will only send you marketing emails if you have explicitly opted in to receive them. You will be given the opportunity to opt in when you register as a patient, when booking online, or at other clearly marked points. Opting in to marketing emails is entirely voluntary and is not a condition of receiving chiropractic care from us.
Marketing emails may include information about our services, health tips, seasonal promotions, membership offers, clinic news, and similar content.
11.2 Appointment Reminders Are Not Marketing
Appointment reminders, recall notices, follow-up messages about your care, and other clinical communications are sent as part of your treatment and are not classified as marketing. These communications will be sent to you regardless of your marketing preferences, as they are necessary for the management of your care and our clinical obligations.
11.3 How to Unsubscribe
You can withdraw your consent to receive marketing emails at any time. The easiest way is to click the unsubscribe link at the bottom of any marketing email you receive from us. You can also contact us directly using the details in Section 15 and request to be removed from our marketing list. We will action your request promptly and in any event within 10 business days. Unsubscribing from marketing will not affect your receipt of clinical appointment reminders or other care-related communications.
11.4 Important HIPAA Note Regarding Marketing
Under HIPAA, we are required to obtain your written authorization before using your Protected Health Information for marketing purposes where we receive financial remuneration from a third party for making the communication. We will always seek and record your authorization in such circumstances and will not use your PHI for marketing without your knowledge and agreement.
12. Cookies and Website Tracking
Our website, www.lifochiro.com, uses cookies and similar technologies. This section explains what cookies are, which types our site uses, and how you can manage them.
12.1 What Are Cookies?
Cookies are small text files that are placed on your device (computer, tablet, or smartphone) when you visit a website. They allow the website to recognize your device and remember information about your visit. Cookies are widely used to make websites work efficiently and to provide information to website owners.
12.2 Cookies We Use
• Strictly Necessary Cookies: These cookies are essential for the website to function. They include session cookies that allow you to navigate the site, use the online booking system, and complete forms. You cannot opt out of these cookies as the site would not work without them.
• Functional Cookies: These cookies allow the website to remember choices you make (such as your language preferences or whether you have already accepted this cookie notice) and provide enhanced, more personal features.
• Analytics Cookies: If our website uses an analytics tool (such as Google Analytics), analytics cookies allow us to collect aggregate, anonymized information about how visitors use the site — for example, which pages are most visited and where visitors come from. This helps us improve the site over time. No personally identifiable information is collected through analytics cookies. The clinic owner should confirm which, if any, analytics tools are active on the website and update this section accordingly.
12.3 Managing Cookies
You can control and manage cookies through your browser settings. Most browsers allow you to refuse to accept cookies, delete cookies you have already received, or warn you before cookies are placed. Please note that disabling cookies may affect the functionality of our website, including the online booking system. For information about managing cookies in your specific browser, please visit your browser provider’s help pages.
You may also opt out of Google Analytics tracking (if applicable) by installing the Google Analytics Opt-out Browser Add-on, available at tools.google.com/dlpage/gaoptout.
13. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, applicable law, or the services we offer. When we make changes, we will update the “Last Updated” date at the top of this document.For material changes — meaning changes that significantly affect how we use your Protected Health Information or your privacy rights — we will take additional steps to notify you. This may include posting a prominent notice on our website, sending an email notification to current patients, or providing written notice at your next appointment. We will provide notice of material changes in advance where required by law.
We encourage you to review this policy periodically. Your continued use of our services after any changes to this policy constitutes your acknowledgment of the updated terms.
14. How to Make a Complaint
We are committed to handling your personal information responsibly and to respecting your privacy rights. If you have a concern about the way we have collected, used, or handled your personal information, we encourage you to contact us first so that we can try to resolve the matter directly.14.1 Raise a Concern with Us Directly
In the first instance, please contact us using the details below. We will acknowledge your complaint promptly and aim to provide a substantive response within 30 days.
• Email: drbaba@lifochiro.com
• Phone: 530-983-0912
• Mail: 3665 Eureka Way, Redding, CA 96001
14.2 HIPAA Complaints — U.S. Department of Health and Human Services
If you believe we have violated your rights under HIPAA, you have the right to file a complaint with the U.S. Department of Health and Human Services, Office for Civil Rights (OCR). You will not be penalized or retaliated against in any way for filing a complaint.
• Website: www.hhs.gov/ocr
• Phone: 1-800-368-1019 (toll-free) or 1-800-537-7697 (TDD)
• Mail: Centralized Case Management Operations, 200 Independence Avenue, S.W., Room 509F, HHH Bldg., Washington, D.C. 20201
You must file a HIPAA complaint within 180 days of when you knew or should have known about the alleged violation (this may be extended in certain circumstances).
14.3 California Privacy Rights Complaints
If you have concerns about how we have handled your rights under the California Consumer Privacy Act or California Privacy Rights Act, you may also contact the California Privacy Protection Agency (CPPA).
• Website: cppa.ca.gov
• Email: publiccomments@cppa.ca.gov
15. Contact Us
If you have any questions about this Privacy Policy, wish to exercise any of your rights, or need to discuss how we handle your personal information, please do not hesitate to get in touch. We are happy to help.• Clinic Name: Baba Lee Chiropractic APC
• Address: 3665 Eureka Way, Redding, CA 96001
• Email: drbaba@lifochiro.com
• Phone: 530-983-0912
• Website: www.lifochiro.com
We aim to respond to all privacy-related enquiries within 5 business days.