Sharing your medical history with an online platform requires trust. Health data is among the most sensitive personal information that exists. Here is exactly what YourMD does to protect it — and what we will never do with it — in plain language.
The Regulatory Foundation: HIPAA and Beyond
United Medical Group, PLLC is a HIPAA Covered Entity — a healthcare provider that transmits health information electronically. This means every aspect of how we collect, store, use, and disclose your Protected Health Information (PHI) is governed by the HIPAA Privacy Rule, the HIPAA Security Rule, and the HIPAA Breach Notification Rule. These are not optional standards — they are federal law with enforceable civil and criminal penalties. Our HIPAA Notice of Privacy Practices (v2.0, effective February 16, 2026) is available at telehealth.yourmd.online/interface/legal/hipaa.php.
How Your Data Is Protected Technically
- Encryption in transit: All data transmitted between your browser and our platform uses TLS 1.2+ encryption — the same standard used by banks and financial institutions. Your health information never travels over the internet unencrypted.
- Encryption at rest: Your records stored in the yourmdRx EHR are encrypted at rest on Microsoft Azure (Central US region) — a HIPAA-compliant, BAA-covered cloud infrastructure used by thousands of healthcare organizations.
- Access controls: Access to patient records is role-restricted and audit-logged. Your PHI is accessible only to your treating physician and the minimum necessary clinical staff. Every access is timestamped and logged for HIPAA audit trail compliance.
- Payment security: Payments are processed by Stripe (PCI DSS Level 1 — the highest payment security certification). Your full card number is never transmitted to or stored on YourMD servers.
- Consent tamper-evidence: Every consent document you sign is SHA-256 hashed at the time of signature. Any alteration after signing is detectable in the audit log.
- Cyber insurance: We carry a MagMutual Cyber Plus policy ($1M aggregate, bound June 1, 2026) covering data breach response, cyber extortion, regulatory penalties, and breach notification costs, including funding patient notification if a breach occurs.
Business Associates: Every Vendor Is Contractually Bound
HIPAA requires that any third party handling your PHI on our behalf — a Business Associate — sign a Business Associate Agreement (BAA) obligating them to protect your information under the same standards that apply to us. Every vendor in the YourMD ecosystem that touches patient data has a signed BAA: Microsoft Azure, MDToolbox (e-prescribing), Hallandale Pharmacy, MediVera Compounding Pharmacy, and Valiant Pharmacy. NovoCare and LillyDirect operate under their own HIPAA frameworks as manufacturer pharmacy programs — they receive only the minimum PHI necessary to process your prescription.
What We Will Never Do With Your Health Information
- We will never sell your PHI to any third party — including data brokers, analytics companies, pharmaceutical companies, or advertisers
- We will never share your PHI with employers, insurance companies, or government agencies except as required by law or for treatment, payment, and healthcare operations as described in our NPP
- We will never use your PHI for marketing third-party products without your explicit written authorization
- We will never permit advertising trackers to access patient health data on our platform — YourMD products are ad-free
- We will never disclose PHI related to your prescriptions or diagnoses to family members, partners, or anyone else without your authorization
- We will never condition your treatment on agreeing to any use of your PHI beyond what is required for your care
Your Rights Under HIPAA
- Right to access: Request a copy of your records at any time from the patient portal or by contacting our Privacy Officer
- Right to amend: Request correction of inaccurate or incomplete information in your record
- Right to restrict: Request that we limit certain uses of your PHI — including the right to restrict disclosure to your health plan for services you paid for entirely out of pocket
- Right to accounting of disclosures: Request a list of disclosures made in the past 6 years outside of treatment, payment, and healthcare operations
- Right to confidential communications: Request that we contact you only at a specific address or phone number
- Right to complain: File a complaint with our Privacy Officer or with the HHS Office for Civil Rights at hhs.gov/ocr/complaints — we will never retaliate for a complaint
If a Breach Occurs: What Happens
In the event of a breach of your unsecured PHI, we are required by the HIPAA Breach Notification Rule to notify you within 60 days of discovering the breach. The notification will include what happened, what PHI was involved, what steps you should take to protect yourself, what we are doing to investigate and prevent future incidents, and contact information for questions. Our MagMutual Cyber Plus policy ($1M aggregate) covers breach response costs including legal counsel, forensic investigation, and patient notification expenses. Breaches affecting 500 or more individuals will also be reported to HHS and to media outlets in affected states as required by law.
Special Protections for Sensitive Categories
- Substance use disorder records (42 CFR Part 2): Cannot be used in any legal proceeding against you without your specific written consent or a qualifying court order — stricter than standard HIPAA
- Mental health records: Subject to heightened protection under NV, WA, OR, and WI state laws as applicable
- Sexual orientation and gender identity: Treated as highly sensitive PHI; not disclosed beyond minimum necessary for treatment without your authorization
- HIV/AIDS status: Subject to specific state law protections in all four licensed states
Contact the Privacy Officer
Dipika Surapaneni, Privacy Officer — United Medical Group, PLLC · dipika.surapaneni@theunitedmedicalgroup.com · 702-430-7801 · 9205 W. Russell Rd, Bldg 3, Ste 240, Las Vegas, NV 89148