Privacy Policy
This Privacy Policy describes how Level Up PT Doc collects, uses, maintains, and discloses information collected from patients and website visitors. This document also serves as our Notice of Privacy Practices as required under the Health Insurance Portability and Accountability Act (HIPAA).
Effective Date: December 27, 2025 | Last Updated: December 27, 2025
1. Introduction
Level Up PT Doc ("we," "us," "our," or "the Practice"), owned and operated by Dr. Grace Villaver, DPT, is committed to protecting the privacy and security of your personal information and health information. We understand the importance of safeguarding the information you entrust to us and are dedicated to maintaining your confidence and trust.
As a healthcare provider, we are required by law to maintain the privacy of your Protected Health Information (PHI), provide you with notice of our legal duties and privacy practices with respect to your PHI, and notify you following a breach of unsecured PHI. This Privacy Policy and Notice of Privacy Practices describes how medical information about you may be used and disclosed and how you can access this information.
We are required by law to:
- Maintain the privacy of your Protected Health Information (PHI)
- Provide you with this Notice of our legal duties and privacy practices
- Follow the terms of this Notice currently in effect
- Notify you if a breach of your unsecured PHI occurs
This Policy applies to all information collected through our physical therapy services, whether provided in-person at your home or location, via telehealth, or through our website at levelupptdoc.com.
2. Information We Collect
We collect different types of information depending on how you interact with our practice. This includes information you provide directly to us, information we collect during treatment, and information collected automatically when you visit our website.
Personal Information
When you become a patient or inquire about our services, we may collect:
- Full name, date of birth, and gender
- Home address and service location address
- Phone number(s) and email address
- Emergency contact information
- Insurance information (if applicable)
- Payment and billing information
- Driver's license or government-issued ID
Health Information
As part of providing physical therapy services, we collect health-related information including:
- Medical history and current health conditions
- Physician referrals and orders
- Medications, allergies, and contraindications
- Physical examination findings
- Diagnoses, treatment plans, and progress notes
- Functional assessments and outcome measurements
- Imaging studies and diagnostic reports
- Communication with other healthcare providers
Website Information
When you visit our website, we may automatically collect:
- IP address and browser type
- Device information and operating system
- Pages visited and time spent on site
- Referring website or search terms
- Geographic location (city/region level)
3. Protected Health Information (PHI)
Protected Health Information (PHI) is any individually identifiable health information that we create, receive, maintain, or transmit in connection with the healthcare services we provide. This includes information that relates to your past, present, or future physical or mental health condition, the provision of healthcare to you, or past, present, or future payment for healthcare services.
What Constitutes PHI
PHI includes but is not limited to:
- Your name, address, phone number, email, or other contact information when associated with health information
- Social Security number, medical record number, or account numbers
- Dates related to your health (appointment dates, admission/discharge dates, date of birth, date of death)
- Photographs, biometric data, or other unique identifying characteristics
- Information about your diagnosis, treatment, medications, or health history
- Billing records and insurance information linked to your health services
Electronic Protected Health Information (ePHI)
Electronic Protected Health Information (ePHI) is PHI that is created, stored, transmitted, or received in electronic format. This includes information stored in our electronic health records system, transmitted via email or secure messaging, or stored on computers, mobile devices, or in cloud-based systems. We apply additional security measures to protect ePHI as required by the HIPAA Security Rule.
4. How We Use Your Information
We use your personal and health information for various purposes related to your care and the operation of our practice. Under HIPAA, we may use and disclose your PHI without your written authorization for the following purposes:
Treatment
We use your health information to provide, coordinate, and manage your physical therapy care and related services. This includes conducting evaluations and assessments, developing and implementing treatment plans, documenting your progress, communicating with other healthcare providers involved in your care (such as your physician), and consulting with other healthcare professionals as needed.
Payment
We use your information to obtain payment for services we provide. While Level Up PT Doc operates as a cash-pay practice, we may still use your information to prepare Superbills if you would like to seek insurance reimbursement yourself. Reimbursement is subject to your individual plan terms.
Healthcare Operations
We may use your information for activities necessary to operate our practice, including quality assessment and improvement activities, reviewing competence and qualifications of healthcare professionals, conducting training programs, business planning and development, and general administrative activities.
Minimum Necessary Standard: When using or disclosing PHI for payment or healthcare operations purposes, we make reasonable efforts to limit the information to the minimum necessary to accomplish the intended purpose.
Other Permitted Uses Without Authorization
We may also use or disclose your PHI without authorization for:
- Appointment reminders and health-related benefits: Contacting you about appointments or treatment alternatives
- Individuals involved in your care: Sharing information with family members or others you identify as involved in your care or payment
- Research: Under certain circumstances and with appropriate approvals
- Public health activities: As required by law for disease prevention and control
- Health oversight activities: To health agencies for activities authorized by law
- Legal proceedings: In response to court orders or subpoenas
- Law enforcement: As required by law or in response to lawful requests
- To avert serious threat: To prevent serious threat to health or safety
- Workers' compensation: As authorized by workers' compensation laws
5. Disclosures of Your Information
Disclosures Requiring Your Written Authorization
Certain uses and disclosures of your PHI require your specific written authorization. These include:
- Marketing purposes: We will not use your PHI for marketing without your authorization, unless the communication is made face-to-face or involves promotional gifts of nominal value
- Sale of PHI: We will never sell your PHI without your written authorization
- Psychotherapy notes: If applicable, these require your specific authorization
- Disclosures not otherwise permitted by law: Any use or disclosure not described in this Notice requires your written authorization
Your Right to Revoke Authorization
If you provide us with written authorization to use or disclose your PHI, you may revoke that authorization at any time by submitting a written request. However, revocation will not affect any uses or disclosures we made in reliance on your authorization before we received your revocation.
Disclosures to Other Healthcare Providers
We may disclose your PHI to other healthcare providers who are treating you. For example, if you are referred to us by your physician, we may share evaluation findings, treatment plans, and progress reports with that physician to coordinate your care. Similarly, if you need specialized care beyond physical therapy, we may share relevant information with the appropriate specialist.
Virginia Direct Access: Under Virginia law, if you are receiving physical therapy services under direct access (without a physician referral), we are required to send a copy of your initial evaluation to a healthcare provider you identify within 14 days of the evaluation.
6. Your Rights Under HIPAA
Under the Health Insurance Portability and Accountability Act (HIPAA), the HITECH Act, and the Omnibus Rule, you have important rights regarding your Protected Health Information. We are committed to honoring these rights.
| Right | Description |
|---|---|
| Right to Access | You have the right to inspect and obtain a copy of your PHI maintained in our designated record set. This includes the right to request an electronic copy if we maintain your records electronically. We may charge a reasonable, cost-based fee for copies. We must act on your request within 30 days (with one 30-day extension if needed). |
| Right to Amend | You may request that we amend PHI we maintain about you. Your request must be in writing and include the reason for the amendment. We may deny your request in certain circumstances (e.g., if the information was not created by us or is accurate and complete). If denied, you may submit a statement of disagreement. |
| Right to Accounting of Disclosures | You have the right to request a list of certain disclosures we have made of your PHI. This accounting covers disclosures made in the six years prior to your request but does not include disclosures for treatment, payment, or healthcare operations, or disclosures made with your authorization. |
| Right to Request Restrictions | You may request restrictions on how we use or disclose your PHI for treatment, payment, or healthcare operations. We are not required to agree to your request unless it involves a disclosure to a health plan for payment or healthcare operations and the PHI relates solely to a service for which you have paid out-of-pocket in full. |
| Right to Confidential Communications | You may request that we communicate with you about your health information in a certain way or at a certain location. For example, you may ask that we only contact you by mail or at a specific phone number. We will accommodate reasonable requests. |
| Right to Paper Copy of This Notice | You have the right to obtain a paper copy of this Privacy Policy and Notice of Privacy Practices upon request, even if you have agreed to receive it electronically. |
| Right to Opt Out of Fundraising | If we use your PHI for fundraising communications, you have the right to opt out of receiving such communications. |
| Right to Be Notified of a Breach | You have the right to be notified if there is a breach of your unsecured PHI. |
How to Exercise Your Rights
To exercise any of these rights, please submit a written request to our Privacy Officer at the contact information provided at the end of this Policy. We will respond to your request within the timeframes required by law and will provide written explanations if any request is denied.
7. How We Protect Your Information
We are committed to ensuring the confidentiality, integrity, and availability of your Protected Health Information. In compliance with the HIPAA Security Rule, we have implemented comprehensive administrative, physical, and technical safeguards to protect your information.
Administrative Safeguards
- Designation of a Privacy Officer responsible for developing and implementing privacy policies
- Written policies and procedures governing the use and disclosure of PHI
- Workforce training on privacy and security requirements
- Regular risk assessments to identify potential vulnerabilities
- Sanctions for workforce members who violate privacy policies
- Business Associate Agreements with all vendors who access PHI
Physical Safeguards
- Secure storage of paper records with limited access
- Workstation security and positioning to prevent unauthorized viewing
- Policies for portable device use and protection
- Proper disposal of paper and electronic records containing PHI
Technical Safeguards
- Encryption of electronic PHI in transit (TLS 1.2 or higher) and at rest
- Unique user identification and strong password requirements
- Automatic logoff after periods of inactivity
- Access controls limiting access to PHI based on job function
- Audit controls to monitor access to electronic systems
- Antivirus software and regular security updates
- Secure, encrypted backups of electronic records
Our Commitment: While no method of transmission or storage is 100% secure, we continuously work to protect your information and stay current with security best practices and regulatory requirements.
8. Business Associates
We may share your PHI with certain third-party service providers, known as "Business Associates," who perform functions on our behalf that involve access to PHI. Examples include:
- Electronic health records software providers
- Billing and payment processing services
- Secure email and communication platforms
- Cloud storage and backup services
- Telehealth technology platforms
- Accounting and legal professionals
Before sharing any PHI with a Business Associate, we enter into a Business Associate Agreement (BAA) that requires the Business Associate to:
- Use appropriate safeguards to protect your PHI
- Report any security incidents or breaches
- Use or disclose PHI only as permitted by the agreement
- Ensure any subcontractors also agree to the same requirements
- Return or destroy PHI upon termination of the agreement
- Make information available for your right of access
9. Telehealth Privacy
Level Up PT Doc offers telehealth services that allow you to receive physical therapy consultations and certain services remotely. We are committed to ensuring that your privacy is protected during telehealth encounters.
Telehealth Platform Security
We use HIPAA-compliant telehealth platforms that include:
- End-to-end encryption of video and audio communications
- Secure, authenticated access requiring login credentials
- Business Associate Agreements with platform providers
- No recording of sessions without your explicit consent
Your Responsibilities During Telehealth
To help protect your privacy during telehealth sessions, we recommend:
- Participating from a private location where you cannot be overheard
- Using a secure, private internet connection (avoid public WiFi)
- Ensuring no unauthorized individuals are present during your session
- Not recording sessions without express permission from all parties
Telehealth Consent: Before your first telehealth session, you will be asked to provide informed consent acknowledging that you understand the nature and limitations of telehealth services, including potential privacy and technology-related risks.
10. Website Privacy
This section describes our practices regarding information collected through our website (levelupptdoc.com). Note that information collected through the website is separate from Protected Health Information collected in the course of providing healthcare services.
Information Collected Through the Website
When you visit our website, we may collect information you voluntarily provide, such as your name and contact information when you fill out a contact form, request information about our services, or schedule an appointment. We may also automatically collect certain information about your device and browsing activity.
Contact Forms
If you submit information through a contact form on our website, please be aware that this information may not be encrypted in transit. We recommend that you do not include sensitive health information in contact form submissions. Once received, your information is stored securely and handled in accordance with this Privacy Policy.
Important: Our website contact forms are not intended for transmitting Protected Health Information. If you need to share health-related information, please contact us directly by phone or through our secure patient portal.
Analytics
We may use analytics services to help us understand how visitors use our website. These services may collect information such as pages visited, time on site, and general location. This information is used to improve our website and does not include any individually identifiable health information.
12. Third-Party Links
Our website may contain links to third-party websites, such as professional organizations, educational resources, or social media platforms. These links are provided for your convenience and informational purposes only.
Please be aware that:
- We do not control the content or privacy practices of third-party websites
- This Privacy Policy does not apply to third-party websites
- We encourage you to review the privacy policies of any third-party sites you visit
- We are not responsible for the privacy practices or content of linked websites
When you leave our website to visit a third-party site, you do so at your own risk.
13. Children's Privacy
We provide physical therapy services to patients of all ages, including minors. When treating minor patients, we obtain consent from a parent or legal guardian and comply with all applicable laws regarding the privacy of children's health information.
Website and Online Privacy for Children
Our website is not directed to children under the age of 13, and we do not knowingly collect personal information from children under 13 through our website. If we learn that we have collected personal information from a child under 13 without parental consent, we will delete that information promptly.
Minors' Health Information Rights
Generally, a parent or legal guardian may exercise privacy rights on behalf of a minor patient. However, there may be circumstances under Virginia and federal law where a minor may exercise certain rights independently or where parental access may be limited. We will comply with all applicable laws governing minors' health information rights.
14. Virginia Consumer Data Protection Act (VCDPA)
Level Up PT Doc is headquartered in Virginia, and we are committed to transparency regarding our data practices. While healthcare providers are generally exempt from the Virginia Consumer Data Protection Act (VCDPA) for information protected under HIPAA, we provide the following information regarding any personal data that may be collected outside the scope of HIPAA.
HIPAA Exemption: Protected Health Information (PHI) collected by covered entities or business associates governed by HIPAA is exempt from the VCDPA. However, we respect the principles of data privacy and apply similar protections to all personal information we collect.
For Non-Health-Related Personal Data
For any personal data collected outside the scope of HIPAA (such as through general website browsing), Virginia residents may have rights including:
- The right to confirm whether we are processing personal data and to access such data
- The right to correct inaccuracies in personal data
- The right to delete personal data
- The right to obtain a copy of personal data in a portable format
- The right to opt out of processing for targeted advertising, sale of personal data, or profiling
To exercise any of these rights regarding non-health-related personal data, please contact us using the information provided at the end of this Policy.
15. Data Retention
We retain your information for as long as necessary to provide you with healthcare services, comply with legal obligations, resolve disputes, and enforce our agreements.
Medical Records Retention
In accordance with Virginia law and professional standards, we retain adult patient medical records for a minimum of six (6) years from the date of the last patient encounter. Records of minor patients are retained until the patient reaches the age of 18, plus an additional six years, or for six years from the last encounter, whichever is longer.
Other Records
- Billing and financial records: Retained for a minimum of seven (7) years as required by tax and accounting regulations
- HIPAA-related documentation: Retained for six (6) years from the date of creation or when last in effect, whichever is later
- Authorizations: Retained for six (6) years from the date of creation or when last in effect
- Website inquiry information: Retained for as long as necessary to respond to your inquiry and for a reasonable period thereafter
Secure Disposal
When we no longer need to retain your information, we dispose of it using secure methods. Paper records are shredded, and electronic records are permanently deleted or rendered unreadable.
16. Breach Notification
In compliance with the HIPAA Breach Notification Rule (45 CFR §§ 164.400-414), we are committed to notifying you promptly in the event of a breach of your unsecured Protected Health Information.
What Constitutes a Breach
A breach is the acquisition, access, use, or disclosure of Protected Health Information in a manner not permitted by the HIPAA Privacy Rule that compromises the security or privacy of the information. Not all incidents involving PHI constitute a reportable breach—we conduct a risk assessment to determine if notification is required.
Notification Process
If we discover a breach of your unsecured PHI, we will:
- Notify you without unreasonable delay and no later than 60 days after discovery of the breach
- Provide notification in writing by first-class mail (or by email if you have agreed to electronic notice)
- Include a description of what happened and the dates of the breach
- Describe the types of information involved
- Explain steps you should take to protect yourself from potential harm
- Describe what we are doing to investigate the breach, mitigate harm, and prevent future breaches
- Provide contact information for questions
Reporting to Authorities
We will also report breaches to the U.S. Department of Health and Human Services as required by law. Breaches affecting 500 or more individuals are reported immediately and may also be reported to local media outlets.
17. Changes to This Privacy Policy
We reserve the right to change, modify, or update this Privacy Policy at any time. When we make material changes, we will:
- Update the "Last Updated" date at the top of this Policy
- Post the revised Policy on our website
- Make the new Policy available upon request
- Notify you of significant changes by email or other appropriate means if required by law
Changes to this Policy are effective when posted. We encourage you to review this Policy periodically to stay informed about how we protect your information.
We are required by law to abide by the terms of this Privacy Policy currently in effect. If we significantly change our privacy practices, we will not apply the new practices to information collected before the change without your consent, unless required or permitted by law.
18. How to File a Complaint
If you believe your privacy rights have been violated, you have the right to file a complaint with us and with the U.S. Department of Health and Human Services.
Filing a Complaint With Us
To file a complaint with our practice, please contact Dr. Grace Villaver, DPT:
- Email: [email protected]
- Phone: (703) 637-8252
- Service Area: Loudoun County, Fairfax County, and Northern Virginia
- Mail: Level Up PT Doc, Attn: Privacy Officer, [Practice Address], Loudoun County, VA
Filing a Complaint With HHS
You may also file a complaint with the Secretary of Health and Human Services:
- Online: https://www.hhs.gov/hipaa/filing-a-complaint
- Phone: 1-800-368-1019 (TDD: 1-800-537-7697)
- Mail: Centralized Case Management Operations, U.S. Department of Health and Human Services, 200 Independence Avenue, S.W., Room 509F HHH Bldg., Washington, D.C. 20201
No Retaliation: You will not be penalized or retaliated against for filing a complaint. We take all complaints seriously and are committed to addressing your concerns.
19. Contact Information
If you have any questions about this Privacy Policy, our privacy practices, or wish to exercise any of your rights, please contact us:
Level Up PT Doc
Privacy Officer: Dr. Grace Villaver, DPT
Email: [email protected]
Phone: (703) 637-8252
Service Area: Loudoun County, Fairfax County, and Northern Virginia
For general inquiries, you may also contact us at [email protected]
We are committed to addressing your privacy concerns promptly and thoroughly. Please do not hesitate to reach out if you have questions about how we handle your personal or health information.
