Brett Kotlus MD
Oculoplastic Surgery
PRIVACY POLICY
Effective Date: March 2, 2026
Brett Kotlus MD (‘BKMD,’ ‘we,’ ‘us,’ or ‘our’) is committed to protecting the privacy and security of your personal and health information. This Privacy Policy explains how we collect, use, disclose, and safeguard information obtained through our website and any associated patient-facing digital tools, including our patient recovery application.
Please read this policy carefully. By using our website or patient application, you agree to the practices described herein. If you do not agree, please discontinue use of our services.
1. Information We Collect
A. Information You Provide Directly
We may collect the following categories of personal information when you contact us, request a consultation, or use our patient recovery application:
- Full name, date of birth, and contact information (email, phone, address)
- Health and medical history relevant to your oculoplastic or facial surgical care
- Payment information processed through secure third-party payment processors (e.g., Square)
- Communications you send to our practice via contact forms, electronic medical record systems, email, or in-app messaging
- Procedure-specific recovery data entered into our patient recovery application
B. Information Collected Automatically
When you visit our website, certain technical information may be collected automatically, including:
- IP address and browser type
- Pages visited and time spent on each page
- Referring URLs and device type
- Cookies and similar tracking technologies (see Section 6)
C. Push Notifications (Patient Recovery App)
If you use our patient recovery application and opt in to push notifications, we collect your device’s notification token to deliver procedure-specific reminders and recovery guidance. You may revoke notification permissions at any time through your device settings.
2. How We Use Your Information
We use the information we collect for the following purposes:
- To schedule and coordinate consultations, procedures, and follow-up appointments
- To provide post-operative care instructions and recovery guidance through our patient application
- To process payments and send billing communications
- To communicate with you regarding your care, including reminders and post-operative check-ins
- To improve our website, services, and patient application
- To comply with applicable legal and regulatory requirements, including HIPAA
- To respond to your inquiries and provide customer service
- To send administrative notices, practice updates, or important health information
3. HIPAA and Protected Health Information
BKMD is a covered entity under the Health Insurance Portability and Accountability Act (HIPAA). Any Protected Health Information (PHI) — including medical history, treatment details, and recovery data — is handled in accordance with our separately issued HIPAA Notice of Privacy Practices, which is available upon request and provided to you at the time of your first visit.
For questions specifically related to your medical records or HIPAA rights, please contact our Privacy Officer directly.
4. Disclosure of Your Information
We do not sell, rent, or trade your personal information. We may share your information in the following limited circumstances:
- Healthcare Providers: With other treating physicians, specialists, or care coordinators involved in your treatment, as permitted by HIPAA.
- Business Associates: With vendors and service providers who assist us in operating our practice and digital tools (e.g., secure hosting providers, payment processors, communication platforms), under written agreements requiring them to safeguard your information.
- Legal Requirements: When required by law, court order, or governmental authority, or when necessary to protect the rights and safety of our patients, staff, or the public.
- With Your Consent: For any other purpose with your explicit written consent.
5. Data Retention
We retain your personal information and medical records in accordance with applicable state and federal law. Medical records are generally retained for a minimum of seven (7) years from the date of last treatment, or longer as required by law. Non-medical personal data collected through our website is retained only as long as necessary for the purposes described in this policy.
6. Cookies and Tracking Technologies
Our website may use cookies and similar technologies to enhance your browsing experience and analyze site usage. You may configure your browser to refuse cookies; however, some features of our site may not function properly without them. We do not use cookies to collect PHI or to serve targeted advertising.
7. Third-Party Links
Our website may contain links to third-party websites. We are not responsible for the privacy practices of those sites and encourage you to review their privacy policies independently.
8. Security
We implement administrative, technical, and physical safeguards appropriate to the sensitivity of the information we maintain. Our patient recovery application uses industry-standard encryption and secure cloud infrastructure. However, no method of electronic transmission or storage is completely secure, and we cannot guarantee absolute security.
In the event of a data breach affecting your PHI, we will notify you as required by HIPAA and applicable state law.
9. Your Rights
Depending on your location and applicable law, you may have the following rights:
- Access: Request a copy of the personal information we hold about you.
- Correction: Request correction of inaccurate or incomplete information.
- Deletion: Request deletion of your personal information, subject to our legal retention obligations.
- Opt-Out of Communications: Unsubscribe from marketing or non-essential communications at any time.
- HIPAA Rights: Access, amend, and receive an accounting of disclosures of your PHI as described in our Notice of Privacy Practices.
To exercise any of these rights, please contact us using the information in Section 12 (Contact Us).
10. Children’s Privacy
Our website and services are not directed to children under the age of 13. We do not knowingly collect personal information from children under 13 without verifiable parental consent. If you believe a child has provided us with personal information, please contact us immediately and we will take steps to delete such information.
11. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. We will post the revised policy on our website with an updated effective date. Your continued use of our website or patient application following any changes constitutes your acceptance of the updated policy.
12. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
Brett Kotlus MD
Email: contact@drkotlus.com
Phone: 212-882-1011
Address: 20 E. 66th Street, 1A, NY, NY 10065
Privacy Officer: Marisa Lillie
Last Updated: March 2, 2026 | This document does not constitute legal advice. Consult a healthcare attorney for compliance review.
