Privacy Policy
Last Updated: November 15, 2023
Introduction and Scope
Max Dental Club LLC (“Max Dental Club,” “we,” “us,” or “our”) is a dental practice located in Queen Creek, Arizona, United States. We are committed to protecting the privacy of our patients, website visitors, and users of our online services. This Privacy Policy describes how we collect, use, disclose, and safeguard personal information, including protected health information (PHI), in compliance with applicable laws and regulations. These laws include, without limitation, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA) for California residents, and Arizona state privacy and healthcare confidentiality laws.
This Policy applies to information collected through our website (including any online booking or contact forms), by phone or email, and in our office. By using our services or providing us with your information, you agree to the practices described in this Privacy Policy. If you do not agree, please do not use our website or services.
Definitions
- Personal Information: Any information that identifies, relates to, describes, or is reasonably capable of being associated with an individual. This includes identifying information such as name and contact details, as well as other data described below. For California residents, “personal information” is defined under the CCPA to include categories like identifiers, internet activity, and sensitive personal information such as health data.
- Protected Health Information (PHI): Individually identifiable health information that relates to an individual’s past, present, or future physical or mental health or condition, the provision of health care, or payment for health care, and that is protected under HIPAA. PHI includes information such as medical records, treatment information, and other health-related data that can identify you.
- Business Associate: A third-party person or entity (not part of our workforce) that performs services for us which involve the use or disclosure of PHI (for example, a cloud service hosting patient records). We require Business Associates to sign agreements to safeguard PHI in compliance with HIPAA.
Information We Collect
We collect various categories of information from or about you when you use our website or services, including:
- Personal Identifiers and Contact Information: Your name, postal address, email address, telephone number, date of birth, and other identifiers you provide to us. For example, when you fill out an appointment request or contact form, we may ask for your name, phone, and email.
- Health and Medical Information (PHI): Information you provide related to your dental and medical history and current health status. This includes symptoms, diagnoses, treatment plans, x-rays or other diagnostic images, medications, allergies, insurance information, and any other health information you or your other healthcare providers supply to us for treatment purposes. This also encompasses records of your past and present dental treatments at our practice, and may include referral information from other providers. All such health information is treated as confidential PHI under HIPAA and Arizona law.
- Insurance and Payment Information: Details related to your dental insurance or benefits coverage, member identification numbers, and, if applicable, financial information such as billing records. If you make payments for services (including any online payments for services or products), we or our payment processor may collect payment card information or bank account details. Payment card transactions are processed securely in compliance with Payment Card Industry Data Security Standards (PCI DSS), and we do not store full credit/debit card numbers on our systems.
- Appointment and Communication Records: Records of appointments you have scheduled with us (including date and time, services requested) and any communications with or from you. This includes phone call logs, voicemails, emails, text/SMS messages, and written correspondence related to your care or inquiries. We maintain these records to document your care and our interactions.
- Online Usage Data: When you visit our website, we may automatically collect technical data about your usage of the site. This includes information such as your IP address, device type, browser type, operating system, referring URLs, pages viewed, and the dates/times of site visits. We collect this data through cookies and similar tracking technologies as described in the “Cookies and Tracking” section below. This information helps us administer and improve our website and services.
- Cookies and Similar Technologies: Our website uses “cookies,” which are small text files placed on your device, and similar technologies (such as web beacons or pixels) to enhance user experience and analyze web traffic. For example, we may use cookies to remember your preferences, understand how you navigate our site, and provide relevant content. You can control or disable cookies through your browser settings; however, note that disabling cookies may affect certain features or functionality of our site. For more details, see Cookies and Tracking below.
- Optional Information: If you choose to participate in any surveys, promotions, or subscribe to newsletters (if we offer these), we will collect any information you provide in those contexts (such as feedback or preferences). Providing this information is voluntary.
We do not knowingly collect personal information directly from children under the age of 13 through our website. Our services are intended for use by adults or by minors with the involvement of a parent or guardian. If you are a parent or guardian and believe your child under 13 has provided us personal information online without your consent, please contact us so we can remove the information.
How We Use Your Information
We use the personal information we collect for one or more of the following purposes, in accordance with applicable law:
- Providing Dental Care and Services: We use your information to schedule and confirm your appointments, review your medical and dental history, diagnose and treat your dental conditions, and generally deliver personalized dental care and treatment services to you. This includes using PHI for “treatment” purposes as defined by HIPAA – for example, sharing relevant information with other healthcare providers if we refer you to a specialist.
- Payment and Insurance Processing: We use your information to bill and collect payment for dental services, whether from you, an insurance company, or a third-party payor. This may include contacting your insurance provider to verify coverage, submitting insurance claims that include relevant PHI, and sending billing statements. These uses are part of “payment” activities under HIPAA.
- Healthcare Operations: We use and disclose information as needed for our internal operations and administration. This includes quality assessment and improvement activities, peer reviews, staff training, customer service, recordkeeping, audits, and other activities necessary to run our practice effectively. For example, we might review records to ensure quality standards or use patient feedback to improve services. These “health care operations” uses are permitted by HIPAA.
- Communication with You: We may use your contact information (email, phone number, mailing address) to communicate with you about matters related to your care or our services. For instance, we will call or send messages to remind you of upcoming appointments, provide pre- or post-treatment instructions, or notify you when it’s time for routine check-ups. We may also respond to inquiries you send us through the website or email. With your consent, we may send you informational newsletters or promotional materials about our practice; you can opt out of marketing communications at any time. We will not send you marketing emails or texts without the appropriate consent if required by law.
- Compliance and Legal Obligations: We use and disclose information as necessary to comply with our legal and regulatory obligations. This includes uses or disclosures required by law (for example, reporting certain injuries or diseases as mandated by public health authorities), responding to court orders or lawful subpoenas, and fulfilling HIPAA’s requirements (such as providing you with a Notice of Privacy Practices, or disclosing PHI to the U.S. Department of Health and Human Services (HHS) for a compliance review). We may also use information to enforce our legal rights or defend against legal claims.
- Security and Fraud Prevention: We may use information (particularly usage data or technical identifiers) to protect our website, systems, and patients from fraud, security threats, or other malicious activity. For example, we might analyze IP addresses to detect hacking attempts or use cookies to ensure that our forms are submitted by actual users.
- Site Operation and Improvement: Usage data and cookies help us operate, evaluate, and improve our website and online services. We analyze how users interact with our site to troubleshoot performance issues, test changes in user experience, and gauge the effectiveness of our content and navigation. This is done to provide a better and more useful site for our users.
- Other Purposes with Consent: If we intend to use your information for a purpose not listed above, we will describe it to you at the time of collection and obtain your consent if required. For example, if we ever wanted to feature a patient testimonial with your personal story or image, we would only do so with your written authorization.
We will not use or disclose your personal information in ways that are incompatible with the purposes described above without updating this Privacy Policy and, if required by law, obtaining your consent.
Disclosure of Information (Data Sharing)
We do not sell your personal information to third parties for their own marketing or commercial purposes. However, in the course of running our dental practice and providing services to you, we may share your information with certain third parties under strict conditions, as outlined below:
- Service Providers and Business Associates: We share personal information, including PHI when necessary, with third-party vendors who perform services on our behalf. These include, for example:
  - Appointment Scheduling and Practice Management: If we use third-party software or cloud services to manage appointments, medical records, or patient communications, the providers of those platforms will have access to your information to the extent needed to perform their functions. They are contractually obligated to protect your data and use it only for our specified purposes. If any such vendor may handle PHI, we enter into a formal Business Associate Agreement with them requiring compliance with HIPAA’s privacy and security standards.
  - Dental Laboratories and Specialists: We may share relevant PHI with dental labs (for fabrication of crowns, dentures, retainers, etc.) or with specialists (such as oral surgeons, endodontists, or other dentists to whom we refer you) in order to facilitate your treatment. In doing so, we will only disclose the minimum necessary information needed for those parties to provide their services.
  - Insurance Companies and Payment Processors: We disclose PHI and billing information to your insurance company or health plan as needed to process claims and obtain payment for services. We may also share information with third-party payment processors or financing companies if you use such services to pay for treatment; in those cases, only the information required to process the payment (such as your name, payment amount, and card or account details) is provided. Payment processors are required to safeguard your data and comply with applicable security standards.
  - Website Analytics Providers: We use third-party analytics tools (for example, Google Analytics) to collect and analyze usage data for our website. These providers may set cookies or use similar technologies to gather information about your interactions with our site (see Cookies and Tracking below for details). The information shared with analytics providers typically does not include identifiable personal information or any PHI; it is largely technical data like device information and browsing patterns. We configure such tools to avoid collecting sensitive data wherever feasible. Analytics providers are prohibited from using the data we share for purposes other than providing us with insights and improvements.
  - Email, Cloud Storage, and IT Providers: We may use third-party companies to provide IT infrastructure, cloud storage/backup, or email delivery. For instance, if we send appointment reminders via email or text, we might use a trusted service to do so. These providers will process contact information and message content on our behalf. We select providers that offer strong security and confidentiality commitments, and if PHI is involved, we have Business Associate Agreements in place with them to ensure HIPAA compliance.
- Healthcare Operations and Referrals: As part of coordinating your care, we may disclose PHI to other healthcare providers or facilities involved in your treatment. For example, if we are referring you to a specialist or obtaining a second opinion, we will share the relevant portions of your dental records or x-rays with that provider (with your knowledge). Similarly, if another dentist or physician involved in your care requests your records (and it’s permitted or required to coordinate treatment), we will provide them as appropriate. These disclosures are made in line with HIPAA allowances for treatment and healthcare operations.
- Legal Requirements and Public Safety: We may disclose personal information (including PHI) when required to do so by law or when such disclosure is reasonably necessary to:
  - Comply with applicable laws, regulations, legal process (such as a subpoena or court order), or government requests. For instance, Arizona law requires healthcare providers to report certain communicable diseases or suspected abuse to authorities; we will follow such laws.
  - Respond to requests from regulatory bodies or accreditation organizations as part of audits or inspections.
  - Protect the vital interests of an individual, such as in a medical emergency or if we believe disclosure is necessary to prevent a serious threat to health or safety.
  - Assist law enforcement or other government agencies in investigations (for example, providing limited information to locate a missing person or report a crime that occurred on our premises) as permitted by HIPAA and applicable law.
- Business Transfers: In the event that Max Dental Club LLC is involved in a merger, acquisition, asset sale, or other business transaction, your information (including patient records) may be transferred to the successor entity as part of that transaction, to be used in accordance with this Privacy Policy. In such a case, we will ensure that the new owner is under an obligation to handle your data in a manner consistent with applicable law and this Policy, including obtaining any required consents or providing required notices.
- With Your Authorization: Apart from the scenarios above, we will not disclose your PHI to third parties for purposes such as marketing or other uses without your explicit written authorization, as required by HIPAA. If you provide an authorization for a specific use or disclosure of your information, you have the right to revoke it at any time (for future disclosures). We will honor your revocation except to the extent we have already acted in reliance on your authorization.
We emphasize that all medical/dental records and information about our patients are kept confidential in accordance with HIPAA and Arizona law. Under Arizona Revised Statutes, patient medical records are considered privileged and confidential, and may only be released as allowed by state or federal law or with the patient’s written consent. Max Dental Club will only disclose the portions of your records that are necessary to fulfill the purpose of the disclosure, and whenever PHI is disclosed, we adhere to the “minimum necessary” rule as required by HIPAA.
Online Booking and Digital Communications
Our website may offer features such as online appointment requests or live chat, to facilitate communication with our office. Please note the following regarding these online and electronic communications:
- Online Appointment Requests/Booking: When you use our online booking form or portal to request an appointment, we will collect the personal information you provide (such as name, contact information, desired appointment date/time, and reason for visit). We use this information to schedule and confirm your appointment and to prepare for your visit. This may involve entering your information into our internal scheduling system or communicating with you to finalize the appointment. The online booking system may be provided by a third-party service provider; if so, that provider is contractually obligated to protect your information just like any other service provider we use. Information submitted through the online booking process that includes health details is treated as PHI and protected under HIPAA once received by us.
- Patient Portal (if applicable): If we provide a secure patient portal for you to complete forms, review treatment plans, or communicate with our staff, that portal will require you to log in with a username and password. Activity within the portal is encrypted and protected. We advise you not to share your portal credentials with anyone and to log out after each session to maintain security.
- Email and Text Communications: You may choose to communicate with us via email or text message (SMS) for convenience. For example, you might email us with a question or opt to receive text appointment reminders. Please be aware that standard email and SMS communications are not always secure. While we take precautions (such as using encryption where possible) to protect the content of emails and texts, these communications could potentially be intercepted or accessed by unauthorized parties. By sending us information via unencrypted email or text, or by consenting to receive texts/emails from us, you acknowledge and accept any inherent privacy risks. We will limit the amount of PHI we include in email or text messages to the minimum necessary (for example, an appointment reminder may include your first name, appointment time, and our office info, but not detailed medical information). If you prefer not to use email or text, you can always call us or request communications by alternative means.
- Consent for Electronic Communications: By providing your email address and/or cell phone number to us, you are consenting to our use of that contact information to send you communications as described in this Policy. You may opt out of marketing or newsletter emails at any time by using the unsubscribe link in the email or contacting us directly. However, we may still send you non-promotional communications, such as appointment confirmations, billing communications, or information about your ongoing treatment, as these may be necessary for managing your care.
- Telehealth Services: Currently, Max Dental Club does not routinely provide tele-dentistry or virtual consultations through the website. If in the future we offer telehealth consultations and you partake in them, any audiovisual communications will be conducted through secure, HIPAA-compliant platforms whenever PHI is involved. Additional consent may be obtained for telehealth services per legal requirements.
Data Retention
We retain personal information, including health information, for as long as necessary to fulfill the purposes outlined in this Policy or as required by law:
- Patient Medical/Dental Records: Under Arizona law and healthcare regulations, we maintain patient treatment records for a minimum period. If you are an adult, we will retain your dental records for at least six (6) years after the date of your last visit or treatment. If you are a minor (under 18), we will retain your records until at least three (3) years after you reach age 18 or for six (6) years after your last treatment, whichever is later. These retention periods comply with A.R.S. § 12-2297 and applicable regulations. In many cases, we may keep records longer than these minimum periods, especially if required for ongoing treatment, insurance purposes, or our internal recordkeeping practices.
- Financial and Insurance Records: We retain billing records, payment histories, and insurance claims information for a period required by accounting standards, payer contracts, and applicable laws (often 7 years or more). This helps us address any billing inquiries or audits and comply with tax and accounting obligations.
- Communications and Consent Records: If you have signed any consent forms, authorizations, or communications preferences, we will keep those records as part of your file, typically for as long as we maintain your medical record (or as otherwise required by law, such as HIPAA, which requires documentation retention for at least 6 years).
- Website and Operational Data: Web server logs and analytics data are generally retained for a shorter period (for example, 1-2 years) in an aggregated form for analysis, after which we either delete or anonymize the data. Cookie data is retained according to the cookie’s typical lifespan (some cookies exist only during your session, while others may persist for a few days or weeks unless cleared by you).
- Prospective Patient Information: If you contact us but do not become a patient, we may retain the information you provided (such as through a contact form) for a reasonable time in order to follow up with you, but not indefinitely. Unnecessary data will be periodically purged.
- Deletion of Data: We securely dispose of or delete personal information when it is no longer required. Paper records are shredded or incinerated, and electronic data is permanently erased or wiped in a manner that prevents recovery. When disposing of PHI, we follow HIPAA guidelines and any applicable Arizona laws to ensure confidentiality is maintained even in disposal.
Please note that in some circumstances we may retain information for longer periods if required to do so by law (for example, in the case of ongoing litigation holds, regulatory investigations, or if retention is advisable to protect our legal interests). We also may retain de-identified information (data that no longer identifies you) for research, statistical analysis, or business planning purposes without time limitation, since such information is not considered personal information or PHI under law.
Data Security Measures
Max Dental Club takes the security of your personal information very seriously. We have implemented administrative, technical, and physical safeguards designed to protect your data against unauthorized access, use, alteration, and disclosure. These measures include, but are not limited to:
- Administrative Safeguards: We have internal policies and procedures for data privacy and security. Our staff members are trained on patient privacy, HIPAA requirements, and proper handling of personal information. We limit access to patient information to only those workforce members who need it to perform their job duties (“need-to-know” basis). We also have a designated Privacy Officer or compliance team that oversees adherence to privacy laws and investigates any concerns.
- Technical Safeguards: We use secure computer systems and networks to store and transmit personal data. This includes employing encryption technology for electronic PHI, such as encrypting our electronic health records database and using SSL/TLS encryption for our website and online forms so that information is transmitted securely. We maintain firewalls and anti-malware protections on our systems, use strong access controls (such as unique user IDs and passwords for staff, with multi-factor authentication where feasible), and audit logs to track access to sensitive information. If we maintain PHI in cloud services, we ensure the cloud provider meets HIPAA security standards.
- Physical Safeguards: Our office maintains physical security measures to prevent unauthorized access to facilities and records. Paper records and files are kept in locked cabinets or rooms when not in use. Our offices have security systems in place, and we restrict access to areas where sensitive information is stored (for example, only authorized personnel can enter file storage areas or server rooms). Media containing personal information (like backup drives or USB keys) are encrypted and stored securely, or rendered unreadable before disposal.
- Device and Hardware Security: All company-owned computers and devices that handle personal information are password-protected and encrypted. We have policies to ensure that mobile devices or laptops used by staff for work are secured and that PHI is not stored on personal devices without proper safeguards.
- Backup and Recovery: We perform regular backups of electronic records to prevent data loss, and these backups are stored securely. In the event of a technical incident (like a server failure), we have disaster recovery plans to restore necessary information promptly and safely.
- Monitoring and Testing: We regularly update our software and systems to patch vulnerabilities and protect against new threats. Periodic security risk assessments are conducted to identify and address potential weaknesses in our privacy and security practices (a requirement under HIPAA). We may also engage third-party experts to test our network and systems for security (penetration testing) to ensure robustness.
- Incident Response: Despite our best efforts, no security measure is 100% infallible. We have an incident response plan in place to promptly address any suspected data breaches or security incidents. If a breach affecting your personal information occurs, we will take appropriate steps to contain and remedy the incident and notify affected individuals and authorities as required by law.
- HIPAA Breach Notification Compliance: In the event of a breach of unsecured PHI, we will notify you without unreasonable delay and no later than 60 days after discovery of the breach, as required by HIPAA. This notification will include information about what happened and what information was involved, as well as steps you can take to protect yourself and what we are doing to mitigate the issue. We will also comply with any additional state law notification requirements. (For example, Arizona law may require notice to individuals if certain personal information is compromised, generally within 45 days of determination of a breach, except where HIPAA already applies or law enforcement delay is requested.)
We are continuously working to enhance our security procedures as threats evolve. By using our services, you acknowledge that you understand these security measures and the inherent risks of transmitting information over the internet. While we strive to protect your information, we cannot guarantee absolute security. If you have reason to believe that your interaction with us is no longer secure (for example, if you feel that the security of your account or information has been compromised), please immediately notify us using the contact information below.
Your Privacy Rights
We respect your rights regarding your personal information. Depending on whether your information is health-related and protected under HIPAA or is subject to other privacy laws such as the CCPA/CPRA, you have various rights, which we describe below.
Rights Under HIPAA (Health Information)
If you are our patient or otherwise receive healthcare services from us, the following rights apply to your Protected Health Information (PHI) that we maintain, as provided under HIPAA and applicable Arizona law:
- Right to Access and Obtain Copies: You have the right to inspect and get copies of your health information that we maintain in your designated record set, with limited exceptions. This includes your dental charts, x-rays, billing records, and other records used to make decisions about your care. You may request access to your records by contacting us. We will respond to your request within a reasonable time (usually within 30 days). We may charge a reasonable, cost-based fee as allowed by law for copies, postage, or summaries of records.
- Right to Request Amendment: If you believe that any information in your records is incorrect or incomplete, you have the right to request that we correct or add to the record. Your request must be in writing and provide a reason for the amendment. We will review your request and either amend the information or provide an explanation in writing of why we cannot fulfill the request (for example, if we determine the record is accurate, or if we did not create the information which you want amended). Even if we deny an amendment request, you have the right to add a statement of disagreement to your record.
- Right to an Accounting of Disclosures: You have the right to request a list of certain disclosures of your PHI that we have made to third parties outside of treatment, payment, or healthcare operations in the past six (6) years. This accounting will include disclosures made for legal or public purposes as required by HIPAA. (Note: Disclosures made with your authorization or for certain common purposes like sending records to you or your family, or disclosures before April 14, 2003, may not be required to be listed.) If you need an accounting, please contact us in writing. The first accounting in any 12-month period is free; a reasonable cost may be charged for additional requests.
- Right to Request Restrictions: You have the right to ask us to restrict the use or disclosure of your PHI in certain circumstances. For example, you could request that we not share certain information with a particular family member or with your insurance company for a service you pay for out-of-pocket. While we will consider all reasonable requests, please note we are not required to agree to a requested restriction in most cases. If we do agree, we will abide by the restriction (except in an emergency or as required by law). One important exception: if you pay for a service in full out-of-pocket and request that we not share information about that service with your health plan, we will honor that request, provided the disclosure is not otherwise required by law.
- Right to Request Confidential Communications: You have the right to request that we communicate with you about medical matters in a certain way or at a certain location. For example, you may request that we contact you only at your work address or via email instead of calling. We will accommodate reasonable requests whenever feasible. You do not have to provide a reason for the request, but you must specify the alternative contact method or location.
- Right to a Paper Copy of Notice: You have the right to receive a paper copy of our Notice of Privacy Practices (which may be this document or a separate “HIPAA Notice” we use) at any time, even if you have agreed to receive it electronically. You may request a paper copy by contacting us or by visiting our office.
- Right to Revoke Authorization: If you have given us an authorization to use or disclose your PHI for a purpose not generally covered by HIPAA (for example, for marketing), you have the right to revoke that authorization at any time, in writing. Once we receive your revocation, we will stop using or disclosing your PHI for that purpose, except to the extent that we have already relied on your authorization.
- Right to Notification of Breach: As mentioned in the Security section, you have the right to be notified in the event of a breach of your unsecured PHI. We will inform you of any such incident in accordance with HIPAA and Arizona law, typically via written notice, without unreasonable delay and within the timeframes required by law.
To exercise any of the above rights under HIPAA, please contact us using the information in the Contact section below. We may need to verify your identity and, if you are an authorized representative (such as a legal guardian or person with power of attorney), we may require proof of that authority. We will not retaliate against you for exercising your rights. If you feel your HIPAA privacy rights have been violated, you also have the right to file a complaint with us or directly with the U.S. Department of Health and Human Services, Office for Civil Rights (OCR). Our Contact section provides information on how to reach us; to contact HHS OCR, you can visit www.hhs.gov/ocr/privacy/hipaa/complaints/. We encourage you to contact us with any concerns so we can address them directly.
Rights of California Residents (CCPA/CPRA)
If you are a resident of California, you are entitled to certain rights with respect to personal information (as defined by California law) that is not otherwise exempt from CCPA/CPRA. For example, personal information collected in the context of providing you with health care (PHI) may be exempt from CCPA because it is protected under HIPAA or related laws. However, other information we collect (such as through our website for general marketing or analytics purposes), or information we collect about you if you are not our patient, could be subject to California privacy law. In the interest of transparency and compliance, we extend the following rights to California residents:
- Right to Know: You have the right to request that we disclose what personal information we have collected, used, or disclosed about you over the past 12 months. This includes the categories of personal information collected, the categories of sources of that information, the business or commercial purposes for collecting (or selling/sharing, if applicable) the information, the categories of third parties to whom we disclosed the information, and the specific pieces of personal information we have about you. Most of this information is provided in this Privacy Policy. If you request a more detailed report, we will provide it to the extent required by law after verifying your identity.
- Right to Delete: You have the right to request deletion of personal information we have collected from you and retained, subject to certain exceptions. Once we receive and confirm a verifiable deletion request, we will delete (and direct our service providers to delete) your personal information from our records, unless an exception applies. Important exceptions: We may deny deletion for reasons such as completing a transaction or service you requested, complying with a legal obligation (including record retention laws for medical information), detecting security incidents, protecting against illegal activity, or for other internal uses that are lawful under CCPA. Notably, because we are a healthcare provider, we cannot delete medical/dental information that we are required to maintain under HIPAA or Arizona law, even if requested, until the applicable retention period lapses or unless otherwise permitted by law. We will inform you if we cannot delete some data due to a legal requirement.
- Right to Correct: You have the right to request that we correct inaccurate personal information we maintain about you. If you submit a verifiable request pointing out that some of your personal information (subject to CCPA) is incorrect, we will use commercially reasonable efforts to correct it as directed, taking into account the nature of the information and purpose for which we process it. If you have a patient account or profile with us, you may also have the ability to correct certain information directly by logging in.
- Right to Opt-Out of Sale or Sharing: You have the right to opt out of the sale of your personal information or the sharing of your personal information for cross-context behavioral advertising. However, please be advised that Max Dental Club does not sell personal information to third parties for monetary consideration. We also do not share your personal information for targeted advertising across different websites. In other words, we do not exchange your data with third parties in a way that would be considered a “sale” or “sharing” under CCPA (such as providing it to data brokers or allowing third-party ad networks to use it for profiling). Therefore, there is no need for you to submit an opt-out request, as we have no such activity to stop. If our practices change in the future, we will update this Policy and provide a mechanism for you to exercise this opt-out right.
- Right to Limit Use of Sensitive Personal Information: To the extent we collect “sensitive personal information” (as defined by CPRA) about you, such as health information, social security number, or precise geolocation, you have the right to direct us to limit the use or disclosure of that sensitive information to that which is necessary to perform the services or provide the goods you requested (with certain exceptions). Max Dental Club already limits the use of sensitive personal information to the purposes reasonably expected for your care or the provision of our services. We do not use your sensitive information for purposes like inferring characteristics about you or for marketing unrelated services without your consent. If you have any concerns about how your sensitive data is handled, you may contact us to discuss limitations and we will address any applicable requests.
- Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights. This means we will not deny you services, charge you different prices, or provide a different quality of service just because you exercised your privacy rights under California law. If you are a patient, your care and costs will remain the same regardless of whether you have made a privacy request. In certain cases, however, if you request deletion of information that we need to provide services (for example, deletion of contact info or necessary medical data), we may not be able to continue providing you with those services. We will inform you if such a situation arises so you can make an informed decision.
Submitting Requests: If you are a California resident and wish to exercise your Right to Know, Right to Delete, or Right to Correct, you or your authorized agent can submit a request to us through any of the contact methods listed at the end of this Policy (phone, email, or mail). Please indicate that you are making a “CCPA Request” and specify which right you seek to exercise. We will need to verify your identity (or the authority of your agent) before processing the request, which may involve asking you to confirm personal details we already have on file or providing identification. We will respond to your request within 45 days of receipt when possible, or notify you if we need an extension (up to an additional 45 days). If we decline any part of your request due to a legal exception or inability to verify your identity, we will explain the reasons in our response.
For requests to opt-out of sale/sharing or limit use of sensitive information: As noted above, our current practices do not trigger these rights in a typical scenario, because we do not sell or improperly use your information. However, if you still wish to formally record an opt-out preference with us, you may contact us and we will honor it and document that choice. You may also use a browser-based opt-out signal (such as the Global Privacy Control, “GPC”) if you prefer; if we detect such a signal from a California-based IP address, we will treat it as a valid opt-out request for the device/browser visiting our site.
Please note that certain personal information may be exempt from the CCPA/CPRA, such as PHI governed by HIPAA or information collected as part of a clinical trial, etc. To the extent an exemption applies, we may decline the CCPA request as to the exempt information and will let you know. Where your rights under HIPAA or other laws apply in lieu of CCPA, we will process your request under those laws (for example, a request to access medical records will be processed under HIPAA’s rules).
If you have questions about your California privacy rights or need assistance, you can contact us using the information below. Additionally, California law permits you to request certain information about our disclosure of personal information to third parties for their direct marketing purposes. We do not disclose personal information to third parties for direct marketing without consent, so we do not maintain lists of such disclosures.
Cookies and Tracking Technologies
As mentioned in the Information We Collect section, we use cookies and similar tracking technologies on our website. Here we provide more detail on how we use these technologies and your choices:
- Types of Cookies: The cookies on our site may be classified as:
  - Essential Cookies: These are necessary for the website to function correctly, such as maintaining your session when you fill out a multi-page form, or remembering your privacy preferences. Without these cookies, certain services or features may not be available.
  - Analytics/Performance Cookies: These cookies collect information about how visitors use our site (which pages are visited, how long users stay, if error messages are encountered, etc.). We aggregate this information to improve our website’s performance and to understand what parts of our site are of most interest to visitors. For instance, we may use Google Analytics to help analyze site traffic and improve design. The data collected typically includes IP addresses, browser type, and pages visited, but is aggregated and does not directly identify you personally in our reports.
  - Functional Cookies: These cookies remember choices you make to personalize content (like your preferred language or other settings) to provide enhanced features. They may also be used to provide services you’ve asked for, like live chat support if available.
  - Advertising/Targeting Cookies: Currently, Max Dental Club does not use third-party advertising cookies or engage in targeted advertising on our site. We do not serve third-party ads. If this changes in the future, we will update our policy and obtain any necessary consents. As of the effective date of this Policy, any cookies of this nature on our site would be limited to our own marketing of our services and would not involve sharing your browsing behavior with unrelated parties.
- Cookie Disclosure: By using our website, you agree to the placement of cookies and similar technologies on your browser as described. On your first visit, you may see a cookie notice or banner informing you of our use of cookies.
- Third-Party Tools: In addition to cookies, we might incorporate third-party services such as Google Maps (to show our location) or social media plugins (like a Facebook “share” button). These services may set their own cookies or gather information via their embedded features. For instance, if we have a YouTube video embedded, YouTube may set cookies when you play the video. We do not control these third-party tracking technologies; however, we do not knowingly allow third parties to collect your personal information from our site for their own purposes except as disclosed.
- Your Choices: You can control or delete cookies through your web browser settings. Most browsers allow you to block third-party cookies, block all cookies, or receive a warning before a cookie is stored. You can also delete cookies after they have been set. Please refer to your browser’s help documentation for guidance on how to adjust your cookie preferences. Additionally, tools like browser extensions or privacy software can help manage cookies. Keep in mind that if you disable cookies, some parts of our site may not function properly (for example, appointment forms might not remember your inputs).
  - For Google Analytics specifically, Google provides an opt-out mechanism (a browser add-on) which you can install to prevent your data from being used by Google Analytics on websites that use it.
  - If our site uses any tracking for advertising, you could opt out of targeted ads by using industry opt-out sites like the DAA’s opt-out (if applicable), but as noted, we currently do not track for advertising purposes.
- Do Not Track: Our website does not currently respond to “Do Not Track” (DNT) signals from web browsers, due to the lack of a universal standard. However, as noted above, California residents can use the Global Privacy Control (GPC) signal, which we will treat as an opt-out of sale/sharing as required by CPRA.
Additional Notices for Arizona Residents
While many of our privacy practices have been covered above, Arizona law has certain specific provisions regarding health information and personal data that we adhere to:
- Confidentiality of Health Records: Arizona’s laws (e.g., A.R.S. §§ 12-2292, 36-509) reinforce that your health records are confidential and may only be released as allowed by law or with proper authorization. We comply fully with these state requirements. In some cases, state law may be even more protective than HIPAA. For instance, records related to certain medical conditions or treatments might have additional protections under state law.
- Mental Health and Other Sensitive Information: If we hold any particularly sensitive health information (for example, mental health records or communicable disease test results), we follow applicable Arizona statutes that provide extra confidentiality. We will only disclose such information in strict accordance with the law’s allowances and will often require specific patient authorization even for disclosures that HIPAA might permit.
- Data Breach Notifications: As mentioned, if a security breach occurs involving computerized personal information of Arizona residents, we will comply with Arizona’s Data Breach Notification Law (A.R.S. §§ 18-551, 18-552), in addition to HIPAA if PHI is involved. Arizona law generally requires notification to affected individuals within 45 days of determining a breach occurred, subject to certain exceptions. However, entities covered by the federal Health Insurance Portability and Accountability Act (“HIPAA”) are exempt from the state notification requirement in many cases. Rest assured, we will ensure any required notifications are made in a timely manner as mandated by whichever law applies, and we will take steps to prevent and mitigate any breaches.
- Arizona Consumer Data: Arizona does not currently have a broad consumer privacy law like California’s CCPA. However, if you are an Arizona resident, you can be confident that we treat your personal information with care and largely in accordance with the principles discussed in this Policy. Should Arizona enact additional privacy legislation in the future, we will adjust our practices accordingly.
- Telemarketing and Email Laws: We also comply with Arizona’s and federal laws regarding telemarketing and email (e.g., we honor “Do Not Call” requests and abide by the CAN-SPAM Act for emails). So if you are an Arizona patient who opts into text or email reminders, know that those communications will still follow relevant regulations.
In summary, we are committed to complying with all applicable Arizona laws concerning privacy and security of personal data, in addition to federal requirements.
Changes to This Privacy Policy
We may update or revise this Privacy Policy from time to time to reflect changes in our practices or to ensure compliance with new laws and regulations. If we make significant changes, we will notify you in a manner proportionate to the changes. For example, we may post a prominent notice on our website or, if the changes substantially affect the way we handle PHI, we may provide a revised Notice of Privacy Practices at your next appointment as required by HIPAA.
At the top of this Policy, we indicate the effective date. Any changes will become effective on the revision date or as otherwise required by law. We encourage you to periodically review this Privacy Policy when you visit our site to stay informed about how we are protecting your information.
If we update the Policy, your continued use of our services or website after the effective date of the new policy constitutes your acceptance of the revised terms (except as to PHI handled under HIPAA, where we will not use or disclose your PHI in a materially different manner than described in the Privacy Policy under which it was collected without your consent or as otherwise permitted by law).
For your convenience, we will keep prior versions of this Policy available upon request so you can see how our practices have evolved.
Contact Information
If you have any questions, concerns, or requests regarding this Privacy Policy or your personal information, please contact us. We are here to help and will respond promptly.
Max Dental Club LLC
Attn: Privacy Officer (or Office Manager)
22485 E. Queen Creek Rd., Suite 105
Queen Creek, AZ 85142, USA
Phone: 480-900-2331
Email: info@maxdentalclub.com
You may contact us by phone or email during our normal business hours. For certain privacy requests (such as exercising HIPAA or CCPA rights), we may ask that you submit your request in writing for verification and recordkeeping purposes.
We value the trust you place in us as your dental care provider. Protecting your privacy is integral to our mission. If you have any feedback on this Policy or how we can improve our privacy practices, please do not hesitate to reach out.
Last Updated: October 7, 2025