Privacy Policy & HIPAA Notice of Privacy Practices
Effective date: January 1, 2026 · Last updated: March 2026
Part 1: HIPAA Notice of Privacy Practices
THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
Who We Are
Amadeo Labs ("we," "us," or "our") is a diagnostic blood testing facility located at 11A Young Street, Spanish Town, St. Catherine, Jamaica. We are committed to protecting the privacy of your Protected Health Information (PHI) in compliance with HIPAA and the Jamaica Data Protection Act 2020.
What Is Protected Health Information (PHI)?
PHI is any information that identifies you and relates to your health, healthcare, or payment for healthcare services. This includes your name, test results, date of birth, and any other information that could reasonably identify you as a patient.
How We Use and Disclose Your PHI
We may use and disclose your PHI in the following ways without your specific written authorization:
- Treatment: To provide and coordinate your diagnostic testing and care
- Payment: To bill and collect payment for services provided to you
- Healthcare Operations: For quality improvement, training, and administrative functions
- As Required by Law: In response to lawful court orders or public health requirements
- Emergency Situations: To prevent a serious, imminent threat to health or safety
All other uses and disclosures of your PHI require your written authorization. You may revoke any such authorization at any time in writing.
Your Rights Regarding Your PHI
You have the following rights regarding the PHI we hold about you:
- Right to Access: Request a copy of your test results and health records
- Right to Correct: Request corrections to inaccurate information
- Right to Know: Request a list of disclosures we have made of your PHI
- Right to Restrict: Request restrictions on how we use or share your PHI
- Right to Confidential Communications: Request we contact you in a specific way
- Right to a Paper Copy: Request a paper copy of this Notice at any time
- Right to Deletion: Request deletion of your records where legally permissible
Our Duties
We are required by law to maintain the privacy of your PHI, to provide you with this Notice, and to abide by its terms. We reserve the right to change our privacy practices and to make the new provisions effective for all PHI we maintain. We will post the updated Notice on our website and make copies available at our facility.
Breach Notification
If we discover a breach of unsecured PHI that affects you, we will notify you within 60 days of discovering the breach, as required by the HIPAA Breach Notification Rule.
Part 2: General Privacy Policy
Information We Collect
We collect the following types of information:
- Identity information: Name, date of birth, National ID or passport number
- Contact information: Email address, phone number, mailing address
- Health information: Test orders, results, and medical history relevant to testing
- Account information: Portal login credentials (password is hashed and never stored in plain text)
- Usage data: Pages visited, browser type, IP address (analytics only, consent-gated)
- Payment information: Payment method and transaction records (card numbers are not stored by us)
How We Store Your Data
Test result files (PDFs) are stored exclusively on HIPAA-certified Amazon Web Services (AWS) S3 servers with AES-256 server-side encryption. These files do not pass through or reside on our application servers. When you access a result, your browser receives a temporary, expiring link (valid for 15 minutes) that connects directly to AWS.
Patient profile data (name, email, appointment history, result metadata) is stored in an encrypted AWS RDS PostgreSQL database, also HIPAA-certified.
Access logs are maintained for 7 years in compliance with both HIPAA (6-year minimum) and Jamaica DPA 2020 requirements.
How We Protect Your Data
- All data transmitted between you and our systems is encrypted via TLS 1.3
- Patient portal access requires two-factor authentication (TOTP)
- Every result access is logged with timestamp, IP address, and user identity
- No PHI is included in WhatsApp or email notifications; only a secure link to your portal is sent
- Staff access is role-based; lab technicians cannot access administrative functions
- We have a signed Business Associate Agreement (BAA) with Amazon Web Services
Cookies and Analytics
We use cookies for website analytics (Google Analytics 4 and Microsoft Clarity) to understand how visitors use our public website. These analytics tools are consent-gated: they will not activate unless you click "Accept" on our cookie banner.
We do not use advertising cookies or retargeting pixels. Your medical information is never used for any advertising purpose.
You may withdraw your cookie consent at any time by clearing your browser storage or adjusting your preferences via the cookie settings link in our footer.
Third-Party Services
We work with the following third parties who may process your data under our instruction:
- Amazon Web Services (AWS): HIPAA-compliant data storage (BAA signed)
- Twilio: WhatsApp notification delivery (notifications contain no PHI)
- Cal.com: Appointment scheduling (name and contact information only)
- Google Analytics / Microsoft Clarity: Website analytics (consent-gated, no medical data)
Jamaica Data Protection Act 2020
We comply fully with the Jamaica Data Protection Act 2020. You have the right to access, correct, and delete your personal data held by us. To exercise these rights, contact us at privacy@amadeo-labs.com.
We will respond to all data subject access requests within 30 days.
Data Retention
- Test results and patient records: 7 years from date of last visit
- Access audit logs: 7 years
- Consent records: Duration of patient relationship + 7 years
- Analytics data: 26 months (GA4 default)
Children's Privacy
Our portal is not intended for use by persons under the age of 18 without parental or guardian consent. If we become aware that we have collected PHI from a minor without appropriate consent, we will take steps to delete the information.
Contact for Privacy Questions
For any questions about this Notice or to exercise your privacy rights:
- Email: privacy@amadeo-labs.com
- Phone: (876) 618-0552
- Address: 11A Young Street, Spanish Town, St. Catherine, Jamaica
This policy was last reviewed and updated in March 2026. We will notify existing patients of material changes via email.