BELMAR CARDIOPULMONARY DIAGNOSTIC CENTER
Cardiopulmonary & Body Composition Diagnostic Services
PRIVACY POLICY
& Notice of Privacy Practices (NPP)
Web Platform | iOS Application | Android Application
Privacy Contact: privacy@belmardiagnostic.com
AT A GLANCE — WHAT THIS POLICY COVERS
• Belmar Cardiopulmonary Diagnostic Center collects and stores your health data (DEXA/DXA Scan, VO2 Max, RMR) solely to deliver personalized diagnostic and wellness services.
• We protect your information using HIPAA-compliant security practices including encryption, access controls, and audit logging.
• We do NOT sell your personal or health information — ever.
• We do NOT provide medical advice, diagnosis, or treatment. All results should be reviewed with your physician.
• You have the right to access, correct, and request deletion of your data at any time.
• We will notify you promptly if your data is ever involved in a security breach.
• This policy applies to our Web Dashboard, iOS App, and Android App.
01 Introduction
Belmar Cardiopulmonary Diagnostic Center ("Belmar," "the Center," "we," "us," or "our") operates a complete health testing and patient management platform — including a web dashboard, iOS application, and Android application (collectively, the "Platform" or "Services"). Our diagnostic services include DEXA/DXA Body Composition scanning, VO2 Max cardiorespiratory fitness testing, and Resting Metabolic Rate (RMR) metabolic testing.
This Privacy Policy and Notice of Privacy Practices (NPP) describes how we collect, use, store, protect, and share information when you use our Platform. It applies to:
Patients who access test results, AI-generated health reports, book appointments, and manage their health profiles through the Platform
Staff and Administrators who manage patient data, upload test results, generate reports, and administer services
Visitors who browse our website or app without creating an account
By using our Platform, you agree to the terms of this Privacy Policy. If you do not agree, please do not use our Services.
MEDICAL DISCLAIMER — PLEASE READ
Belmar Cardiopulmonary Diagnostic Center does not provide medical advice, diagnosis, or treatment.
All DEXA/DXA, VO2 Max, and RMR results are provided for informational and wellness purposes only. They are not intended to diagnose, treat, cure, or prevent any disease or medical condition. All AI-generated assessments (including cardiac and pulmonary fitness correlations) are non-clinical wellness indicators — not clinical diagnoses.
If you have questions about your test results or health data, please seek the advice of your primary care physician or a qualified medical professional.
02 Who We Are & Our HIPAA Status
Belmar Cardiopulmonary Diagnostic Center is a diagnostic center providing medical-grade body composition, cardiorespiratory fitness, and metabolic health testing. Our Platform facilitates the secure management and delivery of these services including AI-generated health assessments, personalized wellness guidance, appointment scheduling, and payment processing.
2.1 Business Associate Relationship
To the extent that our Platform is used by or on behalf of a HIPAA-covered entity (including any licensed healthcare facility, physician, or health plan), we operate as a Business Associate as defined under HIPAA (45 CFR § 160.103). As a Business Associate:
We are bound by a Business Associate Agreement (BAA) with the covered entity
We implement appropriate safeguards to protect all Protected Health Information (PHI)
We comply with HIPAA's Privacy Rule, Security Rule, and Breach Notification Rule
2.2 Direct Patient Services
Where Belmar provides services directly to patients, we maintain HIPAA-equivalent standards for all health information regardless of whether a formal covered entity relationship exists. All users benefit from the same level of data protection.
2.3 Non-Clinical Wellness Services
Our AI-generated reports, fitness rankings, workout zone recommendations, exercise plans, and cardiopulmonary fitness assessments are wellness tools — not clinical medical services. These are provided as non-clinical, informational outputs to support your personal health goals.
03 Test Services & What We Measure
Knowing exactly what data each test generates helps you understand what information we store. Here is a description of each service:
3.1 DEXA / DXA Body Composition Scan
What it measures: DXA uses low-dose X-ray absorptiometry (dual energy) to separate fat tissue, lean tissue, and bone. It is considered the gold standard for body composition measurement.
Test duration: 6–11 minutes. Total appointment: 30 minutes.
Report: 4-page printed/digital report.
Data points stored in your profile:
Total body fat percentage
Fat tissue mass (lbs)
Lean tissue mass (lbs)
Bone Mineral Content (BMC) and Bone Mineral Density (BMD) — total body T-score
Visceral fat (lbs)
Android-to-Gynoid ratio
Segmental readings for arms, legs, and trunk (body fat %, fat mass, lean mass, BMC per region)
DEXA ELIGIBILITY LIMITATIONS (stored in your intake record):
• Cannot be performed if you are pregnant or may be pregnant
• Cannot be performed if you weigh over 350 lbs
• Requires ability to lie still on your back for at least 6 minutes
• Cannot be performed within 7 days of gastrointestinal contrast or radionuclide administration
• Clients ~250 lbs+ may not receive a left arm or visceral fat reading due to scanner limitations
• Radiation exposure is approximately equivalent to eating 4 bananas or a cross-country flight
3.2 VO2 Max Cardiorespiratory Fitness Test
What it measures: VO2 Max is performed on a treadmill using indirect calorimetry with a face mask and chest-strap heart rate monitor. It measures your maximum oxygen uptake and cardiorespiratory capacity.
Test duration: 10–20 minutes. Total appointment: 30 minutes.
Report: 1-page digital/printed report. Requires fasting for at least 3 hours prior.
Data points stored in your profile:
VO2 Max value (ml/kg/min)
Cardiorespiratory fitness level classification
Maximum heart rate achieved during test
Anaerobic Threshold (AT) VO2 and heart rate
1-minute and 2-minute recovery heart rates
5-zone heart rate training zones (based on max heart rate achieved)
Substrate utilization data (oxygen and CO2 measurements)
IMPORTANT NOTE ON WEARABLE DEVICES: Our VO2 Max test uses medical-grade equipment with daily calibration and breath-by-breath metabolic analysis. Wearable device VO2 Max estimates are algorithm-based and typically report HIGHER values than actual lab tests. Your Belmar result reflects your true clinical measurement.
3.3 Resting Metabolic Rate (RMR) Test
What it measures: RMR uses indirect calorimetry with a face mask and finger heart rate monitor to measure your caloric needs while at rest.
Test duration: 11–20 minutes. Total appointment: 30 minutes.
Report: 1-page digital/printed report. Requires fasting for at least 5–6 hours prior.
Data points stored in your profile:
Actual measured RMR vs. predicted RMR (equation-based comparison)
Metabolism classification: Slow, Normal, or Fast
Respiratory Exchange Ratio (RER) with percentage of fat vs. sugar burn
Resting heart rate at time of test
Caloric needs and macronutrient utilization guidance
04 Information We Collect
4.1 Personal Identification Information
Full name, date of birth, gender
Email address, phone number, mailing address
Account login credentials (username and encrypted password)
Emergency contact information (optional)
4.2 Health & Biometric Data
Height, weight, age
All DEXA/DXA, VO2 Max, and RMR data as described in Section 3
Historical test results and trends over time
Pre-test eligibility intake information (including contraindication screening)
Pre-test fasting compliance and preparation records
4.3 AI-Generated Wellness Assessments
Cross-metric correlation analysis (e.g., body fat percentage relative to VO2 Max — non-clinical cardiac risk indicators)
Fitness rankings benchmarked against age, height, and weight
Heart rate and workout training zones (5-zone model)
Personalized exercise plans with daily and weekly workout recommendations
Non-clinical pulmonary and cardiac fitness wellness assessments
4.4 Appointment & Transaction Data
Appointment bookings, reschedules, cancellations, and full booking history
Payment method information (processed via PCI-DSS compliant third-party gateway — we do not store full card numbers)
HSA, FSA, Apple Pay, and Google Pay transaction references
Transaction receipts and billing history
4.5 Technical & Usage Data
Device type, operating system, browser type, and IP address
App usage patterns and session data
Push notification preferences
Cookies and similar tracking technologies (see Section 11)
05 How We Use Your Information
We use the information we collect only for the following purposes:
Purpose | Data Used | Legal Basis
Deliver DEXA, VO2 Max, and RMR testing services and upload results to your profile | Health data, personal info | Contract / HIPAA
Generate AI-powered wellness reports, fitness rankings, and exercise plans | Health data, biometrics | Contract / Consent
Manage appointment scheduling, reminders, and cancellation processing | Personal info, appointment data | Contract
Process payments and issue receipts (HSA, FSA, card, Apple/Google Pay) | Payment data, personal info | Contract
Enable patient portal and staff admin portal access | Account credentials | Contract
Send push notifications and appointment reminders | Contact info, app data | Consent
Improve AI accuracy using de-identified, anonymized aggregate data | Anonymized data only | Legitimate Interest
Maintain platform security and prevent unauthorized access | Usage data, technical data | Legitimate Interest / Law
Comply with HIPAA, FTC rules, and applicable legal obligations | All categories as required | Legal Obligation
Respond to support, privacy rights, and breach notification requests | Personal info, account data | Legal Obligation / Contract
WE NEVER use your health data for advertising or marketing profiling.
WE NEVER sell your personal information or health data to any third party.
WE NEVER use your PHI for AI training without your explicit written authorization.
06 How We Share Your Information
We do not sell your data. We share your information only in the following limited and necessary circumstances:
6.1 With Clinical Staff at the Diagnostic Center
Your test results and health profile are accessible to licensed and trained staff at Belmar Cardiopulmonary Diagnostic Center who are directly involved in performing your tests and administering your results. Access is limited to the minimum necessary.
6.2 With Business Associates & Service Providers
We may share information with third-party vendors who assist in operating the Platform. All vendors handling PHI are required to sign a Business Associate Agreement (BAA). These include:
HIPAA-compliant cloud hosting and storage providers
PCI-DSS compliant payment processors (we do not share full card data)
Email and SMS notification delivery services
AI model infrastructure providers (PHI only shared under executed BAA)
Analytics providers (de-identified, aggregated data only)
6.3 With Your Written Authorization
We may share your health information with other parties — such as your personal trainer, physician, nutritionist, or dietitian — only if you provide explicit written authorization. You may revoke authorization at any time.
6.4 As Required by Law
We may disclose information as required to comply with applicable law, court orders, government requests, or to protect the safety, rights, or property of the Center or our patients.
6.5 Business Transfers
In the event of a merger, acquisition, or asset sale, your information may be transferred. You will be notified in advance of any such transfer and any resulting change to this Privacy Policy.
07 HIPAA Rights & Notice of Privacy Practices
As a patient whose health information may constitute Protected Health Information (PHI) under HIPAA, you have the following rights. To exercise any right, contact our Privacy Officer (Section 15).
7.1 Right to Access Your PHI
You may request a copy of your health records, test results, and AI-generated reports at any time through your patient portal or by contacting us directly. We will respond within 30 days.
7.2 Right to Amend / Correct PHI
If you believe your health information is inaccurate or incomplete, you may submit an amendment request. We will evaluate your request and respond within 60 days.
7.3 Right to an Accounting of Disclosures
You may request a list of disclosures we have made of your PHI within the prior six years, excluding disclosures for treatment, payment, or healthcare operations.
7.4 Right to Request Restrictions
You may request that we restrict how we use or disclose your PHI. We will accommodate reasonable requests where required by law.
7.5 Right to Confidential Communications
You may request that we communicate your health information through alternative means or at alternative locations (for example, by email instead of postal mail).
7.6 Right to a Paper Copy of This Notice
You have the right to receive a printed copy of this Notice of Privacy Practices at any time upon request. A current version is also available at [INSERT WEBSITE URL].
7.7 Right to File a Complaint
You may file a complaint about our privacy practices with our Privacy Officer or directly with the U.S. Department of Health & Human Services. We will not retaliate against you for filing a complaint.
08 Data Security
We implement comprehensive administrative, technical, and physical safeguards to protect your health information against unauthorized access, disclosure, alteration, or destruction.
8.1 Technical Safeguards
AES-256 encryption for all data stored at rest
TLS 1.2 or higher encryption for all data transmitted over networks
Multi-factor authentication (MFA) required for all staff and administrator accounts
Role-based access controls (RBAC) — staff access limited to minimum necessary data
Automatic session timeouts after periods of inactivity
Comprehensive audit logging of all access to patient PHI
Regular automated vulnerability scanning and patching
8.2 Administrative Safeguards
Formal HIPAA compliance training for all workforce members with PHI access
Signed Business Associate Agreements with all relevant third-party vendors
Documented HIPAA privacy and security policies and procedures
Annual security risk assessments
Designated Privacy Officer and Security Officer
8.3 Physical Safeguards
Platform hosted on HIPAA-compliant cloud infrastructure with physical access controls
Secure data center facilities with 24/7 monitoring and environmental controls
Workstation access policies and screen lock requirements for clinical staff
SECURITY NOTICE: While we take every reasonable measure to protect your data, no system is 100% secure. If you believe your account has been compromised or you notice suspicious activity, contact us immediately at: [INSERT SECURITY EMAIL]
09 Breach Notification
In the event of a data breach involving your Protected Health Information (PHI) or personal health record information, we will notify you in accordance with applicable law:
9.1 HIPAA Breach Notification Rule
We will notify affected individuals within 60 days of discovering a breach of unsecured PHI. If the breach affects 500 or more individuals in a state, we will also notify the HHS Secretary and prominent media outlets in that state.
9.2 FTC Health Breach Notification Rule
We comply with the FTC's Health Breach Notification Rule and will notify affected users, the FTC, and applicable media outlets as required following any breach of personal health record information.
9.3 State Law Compliance
We comply with all applicable state breach notification laws, which may impose shorter notification timeframes than federal law.
9.4 Contents of Breach Notifications
Breach notifications will be delivered to your registered email address and will include: a description of what occurred, the types of information involved, steps we are taking to address the breach, and recommended steps for you to protect yourself.
10 Data Retention
We retain your information only as long as necessary to provide services and meet legal obligations. Our retention schedule is:
Data Category | Retention Period | Basis
Patient health records & all test results (DEXA, VO2 Max, RMR) | 7 years from last service (or as required by state law) | HIPAA / State Law
AI-generated wellness reports and exercise plans | 7 years from generation date | HIPAA / State Law
Intake forms & pre-test eligibility records | 7 years from last service | HIPAA / State Law
Appointment records | 5 years from appointment date | Business / Legal
Payment and billing records | 7 years | Financial / Legal
Account credentials | Duration of account + 90 days post-deletion | Security
HIPAA audit logs | 6 years | HIPAA Security Rule
De-identified / anonymized aggregate data | Indefinite (cannot identify you) | Research / Improvement
You may request deletion of your account and personal data at any time by contacting our Privacy Officer. Requests that conflict with mandatory legal retention periods will be honored to the maximum extent permissible by law.
11 Cookies & Tracking Technologies
Our web dashboard uses cookies and similar tracking technologies. We use the following types:
Essential Cookies — Required for platform authentication, session management, and core functionality. These cannot be disabled.
Functional Cookies — Remember your preferences and settings to improve your experience across sessions.
Analytics Cookies — Help us understand Platform usage patterns using de-identified, aggregated data only. No PHI is ever shared with analytics providers without an executed BAA.
Our mobile applications use device identifiers for similar functional purposes. You can opt out of non-essential analytics through your device privacy settings at any time.
HIPAA TRACKING NOTICE: In accordance with HHS guidance on the use of online tracking technologies, we do not permit any third-party tracking technology to access Protected Health Information (PHI) without an executed Business Associate Agreement. Consent to cookies does not constitute HIPAA authorization for PHI disclosure.
12 Children's Privacy
Our Platform is intended for users 18 years of age or older. We do not knowingly collect personal information from children under the age of 13 without verifiable parental consent, in compliance with the Children's Online Privacy Protection Act (COPPA).
For users between the ages of 13 and 17, account creation must be accompanied by verifiable parental or guardian consent. A parent or guardian may request access to, correction of, or deletion of their minor child's information at any time by contacting our Privacy Officer.
If we become aware that a child under 13 has created an account without proper parental consent, we will promptly delete that account and its associated data.
13 Your Privacy Rights by State
Depending on your state of residence, you may have additional rights beyond those conferred by HIPAA. The following rights may apply:
Right | Description
Right to Know / Access | Request details of the personal information we hold about you and how it is used.
Right to Correction | Request correction of inaccurate or incomplete personal information.
Right to Deletion | Request deletion of your personal information, subject to legal retention requirements.
Right to Data Portability | Receive a structured, machine-readable copy of your personal data.
Right to Opt-Out of Sale | We do not sell personal data — this right is inherently honored.
Right to Non-Discrimination | You will not receive inferior service for exercising any privacy right.
Right to Limit Sensitive Data Use | Limit the use of sensitive personal information beyond core service delivery.
Right to Appeal | Appeal any decision we make on your privacy rights request.
Applicable state frameworks include: California Consumer Privacy Act (CCPA/CPRA), Colorado Privacy Act (CPA), Virginia Consumer Data Protection Act (VCDPA), Texas Data Privacy and Security Act, Connecticut Data Privacy Act, and similar state statutes. To exercise any state-level right, contact us using the information in Section 15.
14 Third-Party Links & Integrations
Our Platform integrates with, or may contain links to, the following categories of third-party services:
Payment processors — for credit/debit card, HSA/FSA, Apple Pay, and Google Pay transactions (PCI-DSS compliant; BAA executed where PHI is involved)
Apple Health and Google Fit — if you choose to connect these, data sharing is governed by Apple's and Google's own privacy policies
Calendar integrations — for appointment reminders (no PHI shared without BAA)
Email and SMS services — for appointment notifications and account communications
Third-party services operate under their own privacy policies. We are not responsible for their privacy practices. We strongly encourage you to review the privacy policies of any third-party services you connect to our Platform.
15 Contact Us & Privacy Officer
For all privacy-related questions, requests, or concerns — including exercising your HIPAA rights or state consumer privacy rights — please contact our Privacy Officer:
PRIVACY OFFICER — BELMAR CARDIOPULMONARY DIAGNOSTIC CENTER
Name: [PRIVACY OFFICER FULL NAME]
Title: HIPAA Privacy Officer & Compliance Officer
Organization: Belmar Cardiopulmonary Diagnostic Center
Email: privacy@belmardiagnostic.com
Phone: [INSERT PHONE NUMBER]
Mailing Address: [INSERT STREET ADDRESS, CITY, STATE, ZIP]
Website: [INSERT WEBSITE URL]
Response Time: We acknowledge all requests within 5 business days.
Full response provided within 30 days (60 days for amendment requests).
To file a complaint directly with the federal government regarding our HIPAA compliance:
U.S. DEPARTMENT OF HEALTH & HUMAN SERVICES — OFFICE FOR CIVIL RIGHTS (OCR)
Website: https://www.hhs.gov/hipaa/filing-a-complaint
Phone: 1-800-368-1019 | TDD: 1-800-537-7697
Mail: 200 Independence Avenue, S.W., Washington, D.C. 20201
Belmar Cardiopulmonary Diagnostic Center will NEVER retaliate against any patient or user for filing a complaint with HHS or any regulatory authority.
16 Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or Platform features. When we make material changes, we will:
Update the Effective Date and Last Updated date at the top of this document
Post a prominent notice on the Platform and send a notification to your registered email address
For material changes affecting how we use your PHI, obtain renewed consent where required by HIPAA
Your continued use of the Platform after the effective date of any update constitutes acceptance of the revised Privacy Policy. We encourage you to review this Policy periodically. The current version is always available at [INSERT WEBSITE URL/privacy-policy].
17 Glossary of Key Terms
Term | Definition
Android-to-Gynoid Ratio | A body fat distribution metric from DEXA comparing fat in the abdominal region (android) to the hip region (gynoid). Used as a non-clinical cardiovascular risk indicator.
Anaerobic Threshold (AT) | The exercise intensity at which lactic acid builds faster than it can be cleared — a key VO2 Max test metric used to set training zones.
BAA (Business Associate Agreement) | A HIPAA-required contract between a covered entity and a business associate specifying PHI protection obligations.
BMC / BMD | Bone Mineral Content (total bone weight) and Bone Mineral Density (bone strength T-score) — both measured by DEXA scan.
Covered Entity | A health plan, health care clearinghouse, or health care provider that transmits health information electronically under HIPAA.
DEXA / DXA | Dual-Energy X-ray Absorptiometry. Medical-grade imaging technology used to measure body composition (fat, lean tissue, bone).
ePHI | Electronic Protected Health Information — PHI created, stored, transmitted, or received in any electronic format.
HIPAA | Health Insurance Portability and Accountability Act of 1996. Federal law governing PHI privacy and security.
Indirect Calorimetry | The measurement technique used in both VO2 Max and RMR tests — analyzes exhaled gases (O2 and CO2) to measure metabolism.
PHI (Protected Health Information) | Individually identifiable health information created, received, stored, or transmitted by a covered entity or business associate.
RER (Respiratory Exchange Ratio) | The ratio of CO2 produced to O2 consumed — indicates whether the body is primarily burning fat or carbohydrates.
RMR (Resting Metabolic Rate) | The number of calories the body burns at complete rest — measured by indirect calorimetry.
VO2 Max | Maximum rate of oxygen consumption during exercise. The gold-standard measure of cardiorespiratory fitness.
Visceral Fat | Fat stored around internal organs in the abdominal cavity — measured by DEXA. A key non-clinical indicator of metabolic health.
This document was prepared as a starting template and should be reviewed by a qualified HIPAA compliance attorney before publication or patient distribution.
© 2026 Belmar Cardiopulmonary Diagnostic Center. All Rights Reserved.
