Privacy Policy & HIPAA Notice
Last updated: April 2026
Important: T. Hayden Barnes Law, LLC takes the privacy and security of your personal and medical information seriously. This policy describes what we collect, how we protect it, and your rights. If you have questions, contact us using the information provided at the bottom of this page.
1. Information We Collect
We may collect the following types of information:
- Contact information: name, email address, phone number, mailing address
- Medical billing records: medical bills, Explanation of Benefits (EOBs), collection notices, and related documents you upload
- Payment information: processed securely through Stripe; we do not store credit card numbers on our servers
- Case-related communications: messages sent through the client portal
- Website usage data: pages visited, browser type, and IP address (no third-party tracking cookies)
2. How We Use Your Information
We use collected information to:
- Screen potential matters for acceptance and evaluate the scope of legal work
- Provide legal services under the terms of a signed engagement agreement
- Communicate with you about your matter via email, SMS, and the client portal
- Process payments securely
- Comply with legal obligations, including Georgia Rules of Professional Conduct record-keeping requirements
3. HIPAA Notice: Protected Health Information
Because our legal services involve reviewing and handling medical records and billing information, we treat all medical-related information as Protected Health Information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA).
Our HIPAA-compliant safeguards include:
- Encryption at rest and in transit (AES-256 / TLS 1.2+)
- Secure Azure cloud hosting with a signed Microsoft HIPAA Business Associate Agreement (BAA)
- Private database connections with no public internet exposure
- Two-factor authentication and strict role-based access controls
- Tamper-proof audit trail of all access to client records and PHI
- BAA-covered vendors only: all third-party services that handle PHI have signed Business Associate Agreements
Only your attorney and authorized firm personnel have access to your case data. We do not share your medical information with anyone except as necessary to provide legal services or as required by law.
4. Third-Party Service Providers
We use the following third-party services to operate securely. Each provider with access to PHI has executed a Business Associate Agreement:
- Microsoft Azure: Cloud hosting and data storage (HIPAA BAA)
- Stripe: Payment processing (PCI DSS Level 1)
- Postmark: Transactional email delivery (DPA)
- Twilio: SMS notifications, generic alerts only, no PHI transmitted (HIPAA BAA)
- PostGrid: Certified mail (SOC-2, HITRUST, BAA)
- FAXAGE: HIPAA-compliant faxing (HIPAA BAA, HITRUST)
5. Attorney-Client Privilege
Communications between you and your attorney through this website's client portal and related systems are protected by attorney-client privilege to the extent recognized under Georgia law and the Georgia Rules of Professional Conduct. We will not disclose privileged information without your consent unless required by law or court order.
6. Data Retention
We retain client records for a minimum of six (6) years after the conclusion of the matter, consistent with the Georgia Rules of Professional Conduct, Rule 1.15(I). After the retention period, records are securely destroyed. You may request a copy of your file at any time during or after representation.
7. Your Rights
You have the right to:
- Request a copy of the personal and medical information we hold about you
- Request correction of inaccurate information
- Request deletion of your information, subject to our legal retention obligations
- Receive an accounting of disclosures of your PHI (as required by HIPAA)
- File a complaint if you believe your privacy rights have been violated
8. Cookies and Tracking
This website uses only essential cookies required for site functionality and security (such as authentication and session management). We do not use third-party advertising trackers, social media tracking pixels, or analytics cookies that share data with third parties.
9. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be noted with a revised "Last updated" date. Your continued use of the website after changes are posted constitutes acceptance of the revised policy.
10. Contact
Questions about this Privacy Policy or HIPAA practices may be directed to:
Hayden Barnes
T. Hayden Barnes Law, LLC
P.O. Box 294
Columbus, GA 31902
hayden@haydenbarneslaw.com