Privacy Policy

Luminary Integrative Health is a Direct Primary Care (DPC) practice located at 735 Arlington Ave N, Suite 112, St. Petersburg, FL 33701. The practice is owned and operated by Angela Carley, MSN, APRN, AGPCNP-BC, a board-certified Adult-Gerontology Primary Care Nurse Practitioner licensed in the State of Florida and authorized to practice as an autonomous Advanced Practice Registered Nurse (APRN) under § 464.0123, Fla. Stat.

Luminary Integrative Health functions as a HIPAA Covered Entity. Angela Carley, MSN, APRN, AGPCNP-BC, serves as the Privacy Officer and Security Officer for this practice.

a. Protected Health Information (PHI)

As a healthcare practice, we collect and maintain Protected Health Information (PHI) as defined under HIPAA (45 C.F.R. § 160.103). PHI includes any information — oral, written, or electronic — that relates to your past, present, or future health condition, the healthcare we provide to you, or payment for that healthcare, and that could reasonably identify you. This includes:

• ✦Full name, date of birth, and contact information (address, phone, email)
• ✦Medical and mental health history, diagnoses, medications, lab results, and treatment records
• ✦Insurance information, if applicable (note: Luminary is a direct primary care practice and does not bill insurance for membership or most services)
• ✦Biometric data including height, weight, vital signs, and clinical measurements
• ✦Sexual health, hormone, and reproductive health information collected in connection with specialty services
• ✦Information related to medical weight management and functional medicine assessments
• ✦Communications sent through Spruce, Atlas MD, or any other platform we use to interact with you

b. Website and Digital Information

When you visit luminaryihc.com, we or our website hosting provider may automatically collect certain technical information, which may include:

• ✦IP address, browser type, and device information
• ✦Pages viewed, time spent on the site, and referring website
• ✦Cookies and similar tracking technologies used for analytics and website performance
• ✦Information submitted through contact forms, scheduling requests, or newsletter sign-ups

Our website is hosted on Vercel. Please refer to Vercel's privacy policy for information about their data practices. We do not use our website to collect PHI, and any health-related inquiries received through the website will be handled through HIPAA-compliant channels.

c. Communications

When you contact us by phone, text, or email through our HIPAA-compliant communication platform (Spruce), we retain records of those communications as part of your care. Our primary clinical communication and electronic health record (EHR) platform is Atlas MD.

Under HIPAA, we are permitted to use and disclose your PHI without your specific written authorization for the following purposes:

a. Treatment

We use your PHI to provide, coordinate, and manage your healthcare. This includes sharing information with other healthcare providers involved in your care, ordering laboratory tests, imaging, specialist referrals, and prescribing medications as clinically appropriate.

b. Payment

We may use your PHI to process membership fees, collect payment for specialty services not covered by your DPC membership, and generate receipts or superbills upon request. As a DPC practice, we do not directly bill insurance for membership services. You are responsible for managing any interactions with your insurance carrier. In all payment-related uses and disclosures, we adhere to the HIPAA Minimum Necessary Standard — meaning we use or disclose only the minimum amount of PHI reasonably necessary to accomplish the payment purpose.

c. Healthcare Operations

We may use your PHI for quality improvement activities, staff training, practice administration, compliance audits, and accreditation or licensing activities. The Minimum Necessary Standard applies to all healthcare operations uses — we limit access to PHI to those staff members who need it to perform their job functions.

d. Check-In and Office Identification

When you arrive at our office, we may ask you to sign in by name for appointment management purposes. We may also call your name in the waiting area when we are ready to see you. These are standard, permitted disclosures under HIPAA and are used solely to facilitate your care. Sign-in sheets are managed discreetly and are not visible to other patients beyond what is minimally necessary.

e. As Required by Law

We are required by Florida and federal law to report certain information, including but not limited to:

• ✦Communicable diseases reportable under § 381.0031, Fla. Stat. and Chapter 64D-3, Fla. Admin. Code
• ✦Suspected abuse, neglect, or exploitation of a child or vulnerable adult under § 39.201 and § 415.1034, Fla. Stat.
• ✦Certain injuries (e.g., gunshot wounds) reportable under § 790.24, Fla. Stat.
• ✦Court orders, subpoenas, or valid legal process
• ✦Public health activities authorized by federal or state law
• ✦Death reporting to medical examiners or law enforcement as required by § 406.11, Fla. Stat.

f. Other Permitted Uses

• ✦Appointment reminders and follow-up communications
• ✦Public health and safety activities
• ✦Workers' compensation, to the extent required by law
• ✦Research activities conducted with appropriate safeguards and IRB approval
• ✦Organ, tissue, or eye donation, if applicable

The following uses and disclosures of your PHI require your separate written authorization. You have the right to revoke any such authorization at any time in writing:

• ✦Marketing communications (including any communications that may incentivize third-party products or services)
• ✦Sale of PHI to any third party
• ✦Psychotherapy notes, if applicable
• ✦Uses and disclosures of PHI for purposes beyond those described in Section 3 of this notice
• ✦Use of PHI for any research activity beyond what is permitted under HIPAA's limited data set provisions

To grant or revoke an authorization, contact us in writing at angela@luminaryihc.com or by mail at our clinic address.

Luminary Integrative Health offers specialty services including hormone replacement therapy (HRT), sexual wellness, medical weight management, and functional medicine. Information collected in connection with these services is considered PHI and is subject to all the protections described in this policy. We treat sensitive health information — including sexual health, reproductive health, and hormone-related data — with the highest degree of confidentiality.

Florida law provides specific protections for the following categories of information, and we apply heightened protection to each:

• ✦HIV/AIDS status — protected under § 381.004, Fla. Stat.; not disclosed without specific written consent
• ✦Substance use disorder records — may be subject to additional federal protections under 42 C.F.R. Part 2 and § 397.501, Fla. Stat.
• ✦Mental health records — subject to additional protections under § 394.4615, Fla. Stat.
• ✦Genetic information — protected under GINA (Genetic Information Nondiscrimination Act) and applicable Florida law
• ✦Reproductive health information — treated with the highest degree of privacy consistent with applicable law

Luminary Integrative Health serves patients ages 13 and older. For patients under 18, a parent or legal guardian is typically the personal representative under HIPAA and has the right to access the minor's records. However, Florida law recognizes limited exceptions where a minor may consent to and control confidentiality of certain services:

• ✦Sexually transmitted infection (STI) testing and treatment (§ 384.30, Fla. Stat.)
• ✦Substance use disorder treatment (§ 397.301, Fla. Stat.)
• ✦Mental health services when a minor initiates treatment and does not present a danger (§ 394.4784, Fla. Stat.)
• ✦Pregnancy-related care
• ✦Contraceptive services

In these limited circumstances, we will respect the minor's privacy rights as provided by Florida law and will not disclose information to the parent or guardian without the minor's consent, except where required by law.

You have the following rights regarding the PHI we maintain about you. To exercise any of these rights, please submit a written request to our Privacy Officer (contact information in Section 13).

a. Right to Access and Copy Your Records

You have the right to inspect and receive a copy of your medical records and other PHI we maintain about you. Under the HIPAA Access Rule and § 456.057, Fla. Stat., we will provide access within 30 days of your written request. Records will be provided in your requested format, if readily producible. Florida law limits copy fees to $1.00 per page for the first 25 pages and $0.25 per page thereafter. We cannot deny access for non-payment of past-due bills.

b. Right to Amend Your Records

You may request that we correct or supplement information in your record that you believe is inaccurate or incomplete. We will respond within 60 days and may deny the request if the information was not created by us, is not part of our designated record set, or is accurate and complete.

c. Right to an Accounting of Disclosures

You may request a list of disclosures of your PHI made by us during the past six (6) years, except for disclosures made for treatment, payment, operations, or certain other purposes. We will provide this accounting within 60 days of your request.

d. Right to Request Restrictions

You may request that we restrict how we use or disclose your PHI. We are not required to agree to most restrictions, but if we do, we will honor the restriction except in emergencies. However, we must agree to your request to restrict disclosure to a health plan or insurer for services you paid for in full out-of-pocket.

e. Right to Confidential Communications

You may request that we communicate with you through alternative means or at alternative locations. We will accommodate reasonable requests without requiring an explanation.

f. Right to a Paper Copy of This Notice

You have the right to receive a paper copy of this Notice of Privacy Practices at any time, even if you have agreed to receive it electronically. Please contact us and we will provide one promptly.

g. Right to Opt Out of Fundraising Communications

If we ever conduct fundraising activities, you have the right to opt out of receiving fundraising communications from us at any time.

h. Right to File a Complaint

If you believe your privacy rights have been violated, you have the right to file a complaint with Luminary Integrative Health (angela@luminaryihc.com · 727-618-3288), the U.S. Department of Health and Human Services Office for Civil Rights (www.hhs.gov/ocr/privacy · 1-800-368-1019), or the Florida Agency for Health Care Administration (www.ahca.myflorida.com · 888-419-3456). We will not retaliate against you in any way for filing a complaint.

We take the security of your health information seriously and maintain administrative, physical, and technical safeguards as required by the HIPAA Security Rule (45 C.F.R. Parts 164.302–164.318) and the Florida Information Protection Act (FIPA), § 501.171, Fla. Stat. These include:

• ✦Electronic Health Records (EHR): Maintained through Atlas MD, a HIPAA-compliant DPC-specific platform with encrypted data storage and access controls
• ✦Communications: All patient messaging, phone, and fax communications are conducted through Spruce Health, a HIPAA-compliant platform with end-to-end encryption
• ✦Email: Clinical communications are conducted through HIPAA-compliant channels; general business email is through Google Workspace, for which a Business Associate Agreement (BAA) is in place
• ✦Physical Safeguards: Our clinic maintains locked access to patient records and secure physical storage
• ✦Access Controls: PHI is accessible only to authorized personnel on a need-to-know basis
• ✦Breach Notification: In the event of a breach of unsecured PHI, we will notify affected individuals within 60 days, the Secretary of HHS, and, if the breach affects 500 or more Florida residents, the Florida Attorney General

We share PHI with certain vendors and service providers (called Business Associates under HIPAA) who perform services on our behalf. We require a fully executed Business Associate Agreement (BAA) with every Business Associate prior to any disclosure of PHI. BAAs are in place with Atlas MD (EHR and practice management), Spruce Health (patient communications), and Google Workspace (business email), as well as any additional vendors engaged as necessary for practice operations.

We do not sell your PHI to any third party. We do not use your PHI for advertising or marketing purposes without your explicit written authorization.

In accordance with § 456.057, Fla. Stat. and applicable federal law, we retain your medical records as follows:

• ✦Adult patients: A minimum of five (5) years from the date of the last patient contact
• ✦Minor patients: A minimum of seven (7) years from the date of the last patient contact, or until the patient reaches age 18 plus four (4) years, whichever is longer
• ✦Records involving deceased patients are retained in accordance with applicable Florida law

Following the applicable retention period, records will be destroyed in a secure, HIPAA-compliant manner that renders PHI unreadable and unrecoverable.

Luminary Integrative Health operates exclusively under the Direct Primary Care (DPC) membership model. We do not accept or bill health insurance for primary care membership services. As such:

• ✦We are not a participating provider in Medicare, Medicaid, or any commercial insurance network for membership-based services
• ✦We do not submit claims to insurance carriers on your behalf for DPC membership fees
• ✦Upon request, we will provide a superbill or receipt that you may submit to your insurance carrier or HSA for reimbursement at your insurer's discretion
• ✦Specialty services (HRT, medical weight loss, sexual wellness, functional medicine) are billed separately and are not included in the base DPC membership; members receive a preferred discount on these services

Luminary Integrative Health is not an urgent care facility or emergency room. In a medical emergency, please call 911 or go to your nearest emergency department immediately.

We reserve the right to modify this Privacy Policy and Notice of Privacy Practices at any time. Material changes will be posted on our website at luminaryihc.com/privacy and will be effective upon posting. The revised notice will apply to all PHI we maintain, including records created or received before the effective date of the change. You may request a copy of the current notice at any time.

If you have any questions about this notice, wish to exercise your rights, or need to report a privacy concern, please contact:

Important Notice: This Privacy Policy and Notice of Privacy Practices is provided for informational purposes. It is not a substitute for legal advice. Luminary Integrative Health recommends that patients with specific legal questions regarding their health information rights consult with a qualified attorney licensed in the State of Florida. This document has been prepared consistent with HIPAA (45 C.F.R. Parts 160 and 164), the HITECH Act, the Florida Information Protection Act (§ 501.171, Fla. Stat.), and all other applicable federal and Florida law as of the effective date above.