Notice of Privacy Practices
Dr. Eskander's SUCCESS Weight Management Program · Version 1.0 · Effective March 1, 2026
THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
1. Who We Are
Dr. Eskander's SUCCESS Weight Management Program ("we," "us," or "our") is an expert-guided weight management and wellness program operated by Dr. Eskander, M.D. This Notice applies to all health information collected through the SUCCESS Patient Portal, intake assessments, weekly check-ins, and any direct communications between patients and the program's coaching team.
We are a Covered Entity under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its implementing regulations at 45 CFR Parts 160 and 164. We are required by law to maintain the privacy of your Protected Health Information (PHI), to provide you with this Notice, and to abide by the terms of the Notice currently in effect.
2. What Is Protected Health Information (PHI)?
PHI is individually identifiable health information that we create, receive, maintain, or transmit. In the context of this program, PHI includes but is not limited to:
- Your name, email address, phone number, and date of birth
- Body weight, height, BMI, and calorie intake data you submit
- Health conditions, medications, and medical history from intake assessments
- Weekly check-in responses including mood, challenges, and questions for Dr. Eskander
- Direct messages exchanged with the coaching team through the portal
- Program progress data including current week, weight trends, and goal tracking
- Payment information associated with your subscription (processed by Stripe)
Your motivational journal entries ("My Why") are treated as PHI and afforded the same protections, even though they are primarily personal in nature.
3. How We Use and Disclose Your PHI
We may use and disclose your PHI for the following purposes without your specific authorization:
Treatment
We use your PHI to provide, coordinate, and manage your weight management care. This includes reviewing your check-ins, responding to your questions, adjusting your calorie goals, and delivering program content tailored to your progress.
Payment
We may use your PHI to bill for services and process payments through our payment processor (Stripe). Stripe maintains its own privacy and security practices and has executed a Business Associate Agreement with us.
Health Care Operations
We may use your PHI for quality assessment, program improvement, staff training, and compliance activities. This includes de-identified aggregate analysis of program outcomes.
As Required by Law
We will disclose your PHI when required to do so by federal, state, or local law, including in response to a court order, subpoena, or public health reporting requirement.
Serious Threats to Health or Safety
We may disclose your PHI to prevent or lessen a serious and imminent threat to your health or safety or the health or safety of another person or the public.
All other uses and disclosures require your written authorization.
We will not sell your PHI. We will not use or disclose your PHI for marketing purposes without your written authorization. You may revoke any authorization you have given us at any time by contacting us in writing.
4. Your Rights Regarding Your PHI
You have the following rights with respect to your PHI. To exercise any of these rights, please contact us using the information in Section 8.
Right to Access (§164.524)
You have the right to inspect and obtain a copy of your PHI that we maintain. We will respond to your request within 30 days. You may request your data export directly through the Patient Portal under Settings → My Data.
Right to Amend (§164.526)
You have the right to request that we amend your PHI if you believe it is inaccurate or incomplete. We may deny your request in certain circumstances and will explain the reason in writing.
Right to an Accounting of Disclosures (§164.528)
You have the right to request a list of certain disclosures we have made of your PHI during the past six years. This does not include disclosures for treatment, payment, or health care operations.
Right to Request Restrictions (§164.522)
You have the right to request restrictions on how we use or disclose your PHI. We are not required to agree to your request, but if we do, we will comply with the agreed restriction.
Right to Confidential Communications (§164.522)
You have the right to request that we communicate with you about your health information in a specific way or at a specific location (e.g., only by email, not by phone).
Right to Erasure
You may request deletion of your PHI from our systems. We will anonymize your health data within 30 days of a verified request. Note that we are required to retain certain records for legal and regulatory purposes. You may initiate a deletion request through the Patient Portal under Settings → My Data.
Right to a Paper Copy of This Notice
You have the right to a paper copy of this Notice at any time, even if you have agreed to receive it electronically. Contact us to request a printed copy.
5. How We Protect Your PHI
We implement the following technical, administrative, and physical safeguards required by the HIPAA Security Rule (45 CFR §164.300 et seq.):
Encryption in Transit
All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher (HTTPS).
Encryption at Rest
Your PHI stored in our database is encrypted at rest using industry-standard AES-256 encryption.
Automatic Session Timeout
Your portal session automatically expires after 15 minutes of inactivity to prevent unauthorized access on shared devices.
Access Controls
Role-based access controls ensure that only authorized personnel (Dr. Eskander and designated staff) can access patient PHI.
Audit Logging
All access to PHI is logged with timestamps, user identifiers, and action types for compliance and breach investigation purposes.
Login Lockout
Accounts are temporarily locked after 5 consecutive failed login attempts to prevent unauthorized access.
6. Business Associates
We share certain PHI with third-party service providers ("Business Associates") who assist us in operating the program. Each Business Associate has executed a Business Associate Agreement (BAA) with us, contractually obligating them to protect your PHI in accordance with HIPAA. Our current Business Associates include:
| Vendor | Purpose | BAA Status |
|---|---|---|
| Manus (Hosting) | Web application hosting and database | Pending execution |
| Stripe | Payment processing | Available on request |
* We are actively working to execute BAAs with all vendors. Until BAAs are fully executed, this program should not be used with real patient PHI in a production environment.
7. Changes to This Notice
We reserve the right to change this Notice at any time. We reserve the right to make the revised or changed Notice effective for PHI we already have about you as well as any information we receive in the future. We will post the current Notice on the Patient Portal and on our website. The effective date appears at the top of every version of this Notice.
8. Complaints and Contact Information
If you believe your privacy rights have been violated, you may file a complaint with us or with the U.S. Department of Health and Human Services Office for Civil Rights. You will not be retaliated against for filing a complaint.
Program Privacy Contact
Dr. Eskander's SUCCESS Program
Privacy Officer
Email: [email protected]
Response within 30 days
HHS Office for Civil Rights
U.S. Department of Health & Human Services
200 Independence Avenue, S.W.
Washington, D.C. 20201
www.hhs.gov/ocr/privacy/hipaa/complaints
This notice was last reviewed on February 27, 2026.