Compliance, in plain language

YourMD is operated by YourMD.online, LLC. The prescribing physician is Teja V. Surapaneni, MD, MS, a board-certified internal-medicine physician (ABIM). Consultations are physician-led; we do not use nurse-practitioner or questionnaire-only models.

Associated physician group: United Medical Group, PLLC.

Currently Nevada, Washington, Oregon, and Wisconsin. You must be physically located in one of these states at the time of your consultation. You will be asked to confirm your state and ZIP at the start of every visit.

No. YourMD is telehealth for focused care — weight management, men's health, dermatology, peptide therapy, and related wellness programs. If you need a primary-care physician, a hospital, or an emergency room, YourMD is not the right place. For emergencies, call 911.

Controlled substances carry higher risks of diversion, dependency, and drug-drug interactions. They also require additional regulatory infrastructure (DEA registration, PDMP checks, in-person visit requirements that shift every year) that is poorly suited to a focused, cash-pay telehealth practice. The cleanest compliance posture — and the one that best protects patients — is to decline them entirely. Our software rejects any attempt to e-prescribe a scheduled molecule.

• Weight management — compounded GLP-1 receptor agonists (semaglutide, tirzepatide).
• Men's sexual health — compounded sildenafil, tadalafil, and sublingual ED troches.
• Hair loss — compounded finasteride and minoxidil formulations.
• Dermatology — compounded topicals (retinoids, hydroquinone cycles, azelaic acid, compounded anti-acne / anti-aging combinations).
• Peptide therapy — BPC-157, sermorelin, PT-141, and others, depending on your clinical profile.
• Longevity / hormone optimization — testosterone, compounded bioidentical hormones, off-label metformin / rapamycin / NAD+ with appropriate risk disclosure.
• Wellness injections — B12 / methylation, lipotropic ("MIC"), glutathione, methylene blue, low-dose naltrexone.
• At-home labs — where clinically indicated, routed through a partner laboratory.

A compounded medication is prepared by a state-licensed pharmacy for you individually, under a prescription from your physician, following FDCA Section 503A and USP chapters <795> and <797>. It is not an FDA-approved drug product; it is a pharmacy preparation tailored to your prescription.

No. Compounded semaglutide is not the same product as Ozempic® or Wegovy®. Those are FDA-approved Novo Nordisk products with one labeled strength ladder, one set of inactive ingredients, and one regulatory submission behind them. A compounded preparation uses the same active molecule but is formulated at a 503A compounding pharmacy to your prescription, can come at different concentrations, and is not evaluated or approved as a finished drug by the FDA. We state this explicitly in every treatment-acknowledgment document.

Same logic applies to compounded sildenafil (not Viagra®), compounded tadalafil (not Cialis®), compounded finasteride (not Propecia®), and compounded minoxidil (not Rogaine®).

Two reasons. First, regulators and plaintiffs' lawyers hold telehealth platforms accountable for what patients understand about compounded medications — the lawsuits against competitors in 2024 make that explicit. Documented, affirmative, checkbox-level understanding of each risk protects you (you know exactly what you're signing up for) and us (we can demonstrate informed consent on every shipment). Second, the FDA boxed warnings on medications like GLP-1s (thyroid cancer risk, pancreatitis, pregnancy) are serious and we want your affirmative acknowledgment that you've read and understood them before any drug reaches your door.

Before each refill of a compounded medication we ask you four short questions — essentially the same things your physician would ask at a follow-up visit. Any red-flag answer pauses the shipment for physician review. It takes about a minute and goes straight into your chart.

Yes. YourMD is a HIPAA-covered entity. The health information you share in the portal, the medications you are prescribed, your messages with your physician, and the records you upload are all Protected Health Information and are handled under our Notice of Privacy Practices and our Privacy Policy.

We read the FTC's November 2023 guidance and the April 2024 Cerebral Inc. $7 million enforcement action as a bright-line prohibition: sending diagnosis, medication, or appointment events to ad-tech platforms is unfair and deceptive. We don't do it. The authenticated portal runs zero third-party ad or analytics pixels. Our marketing site uses a strict-by-default cookie banner; analytics and marketing categories are opt-in.

Every file you upload is encrypted at rest using XChaCha20-Poly1305-IETF authenticated encryption with a master key that is never stored in the database or in source code. The key lives only in Azure App Service environment configuration. Even if our database were compromised, the attacker would have nothing readable.

Uploaded documents are streamed to authorized viewers through an authenticated proxy endpoint with path-hardening and MIME allow-listing. Every view is recorded in our tamper-evident HMAC-chained audit log.

Secure portal messaging is served over TLS 1.2+ with our bundled Azure Managed Certificates. Video visits use Jitsi Meet over DTLS-SRTP with end-to-end encryption capability. We do not use consumer SMS or email for clinical content.

Our physician uploads a full credentialing packet — state licenses, board certification, NPI verification, residency and medical-school diplomas, professional-liability certificate, and a 2-year work-history narrative — through our credentialing module. Our compliance dashboard records each document, its expiration, and the administrator who verified it. Every year, our physician signs an attestation that the on-file credentials remain accurate.

Dr. Surapaneni's physician profile, license numbers, and board certification can also be verified through the Nevada, Washington, Oregon, and Wisconsin medical-board websites and through the ABIM diplomate search.

Yes. Every privileged user (physician, administrator, privacy officer, security officer) signs an annual compliance orientation covering prescribing policy, treatment categories, HIPAA fundamentals, data security, incident response, and our no-controlled-substance posture. Access to any patient record is gated on that signed attestation.

Message your physician directly through the portal. If you prefer to escalate outside of the physician you worked with, write to privacy@yourmd.online and we will route it to our Privacy Officer.

Email our Privacy Officer at privacy@yourmd.online and we will investigate. You can also file a complaint directly with the U.S. Department of Health and Human Services Office for Civil Rights at hhs.gov/ocr/complaints.

Tell your YourMD physician right away through the portal. For direct reporting to the FDA, use the MedWatch program: call 1-800-FDA-1088 or report online at fda.gov/safety/medwatch. If you experience a life-threatening reaction, call 911 first.

Stop the medication and tell your physician immediately. Several of our medication categories (GLP-1s, finasteride, hydroquinone, retinoids, bremelanotide) are contraindicated in pregnancy. If you are on a GLP-1 medication, the manufacturer pregnancy-exposure registries are:

• Novo Nordisk (semaglutide products): 1-877-390-2760
• Eli Lilly (tirzepatide products): 1-800-LillyRx

The complete Sources & Rationale document, with citations for every claim on this page and every clause in our acknowledgments and policies, is maintained internally at /docs/compliance/sources-rationale.md. Licensed physicians, board investigators, auditors, and insurance underwriters can request a PDF snapshot by emailing compliance@yourmd.online.

Yes. See /docs/baa-inventory.md (internal) for our current vendor inventory, or email compliance@yourmd.online for a copy of the YourMD.online, LLC template BAA.