YourMD Telehealth complies with the HIPAA Privacy and Security Rules (45 CFR Parts 160 and 164) and the HITECH Act security requirements for telehealth, e-prescribing, and PHI protection.
Administrative Safeguards
Workforce Training
- Mandatory HIPAA/HITECH training for all personnel
- Annual security awareness refreshers
- Role-specific privacy training
- Incident response drills
Access Controls
- Role-based access controls (RBAC)
- Principle of least privilege
- Regular access reviews
- Immediate termination procedures
Risk Management
- Mandatory annual security risk assessments
- Vulnerability scanning and penetration testing
- Risk mitigation planning
- Third-party vendor assessments
Continuous Monitoring
- 24/7 security operations center
- Real-time breach detection
- Automated threat intelligence
- Suspicious activity alerts
Sanctions Policy
- Workforce members who violate HIPAA policies, access PHI without authorization, or fail to report security incidents are subject to disciplinary action up to and including termination.
- Sanctions are applied consistently regardless of role or seniority.
- All sanctions are documented per HIPAA requirements (45 CFR 164.308(a)(1)(ii)(C)).
Pharmacy and Third-Party Partner Security
All compounding pharmacy partners, laboratory partners, and third-party vendors who receive, process, or store PHI on behalf of YourMD are required to:
- Execute a HIPAA Business Associate Agreement (BAA) before receiving any PHI.
- Maintain compliance with HIPAA Security Rule requirements.
- Provide evidence of appropriate administrative, physical, and technical safeguards.
- Report any security incident or potential breach within 24 hours of discovery.
- Cooperate with YourMD's vendor security assessment process.
YourMD conducts periodic vendor security reviews and reserves the right to terminate any partnership where security standards are not maintained.
Physical Safeguards
Data Center Security
- Tier III+ HIPAA-compliant data centers
- SOC 2 Type II audited facilities
- Biometric access controls
- 24/7 physical security personnel
Facility Access
- Multi-factor entry authentication
- Visitor escort requirements
- Security camera surveillance
- Environmental monitoring
Data Backup & Recovery
- Redundant off-site encrypted backups
- Automated daily backup procedures
- Tested disaster recovery plans
- 99.99% uptime SLA
Technical Safeguards
Encryption Standards
- At Rest: AES-256 encryption
- In Transit: TLS 1.3 protocol
- HSM-backed key management
- Certificate pinning
User Authentication
Multi-Factor Authentication (MFA)
- SMS/Voice verification (a restricted authenticator type under NIST SP 800-63B)
- Authenticator app support
- Hardware token compatibility
- Biometric options
Time-Based One-Time Passwords (TOTP)
- 30-second token rotation
- RFC 6238 compliant
- Backup codes available
- QR code enrollment
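The TOTP checkboxes above (RFC 6238, 30-second step, QR enrollment) correspond to a small, well-defined algorithm; the Python below is an added illustration, not YourMD's code. It implements RFC 4226 HOTP and RFC 6238 TOTP from the standard library only, a server-side verifier that tolerates one step of clock skew while refusing replay of an already-accepted counter, and the otpauth:// URI that an enrollment QR code encodes. The seed is the RFC's published test-vector seed; the issuer and account name are made-up values.

```python
import base64
import hashlib
import hmac
import struct
import urllib.parse


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to floor(unix_time / step)."""
    return hotp(secret, unix_time // step, digits, algo)


def verify_totp(secret, code, unix_time, last_counter=None, step=30, digits=6, skew=1):
    """Server-side check. Accepts the current step and +/- `skew` adjacent steps
    (clock drift), compares in constant time, and refuses any counter at or below
    `last_counter` so a captured code cannot be replayed inside the window.
    Returns (accepted, counter) so the caller can persist the accepted counter."""
    current = unix_time // step
    for delta in range(-skew, skew + 1):
        candidate = current + delta
        if last_counter is not None and candidate <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, candidate, digits), code):
            return True, candidate
    return False, None


def enrollment_uri(secret: bytes, account: str, issuer: str, step=30, digits=6) -> str:
    """otpauth:// URI that authenticator apps read from an enrollment QR code.
    The secret is Base32-encoded as the apps expect; issuer/account are assumptions."""
    params = {
        "secret": base64.b32encode(secret).decode().rstrip("="),
        "issuer": issuer,
        "algorithm": "SHA1",
        "digits": digits,
        "period": step,
    }
    label = urllib.parse.quote(f"{issuer}:{account}")
    return f"otpauth://totp/{label}?{urllib.parse.urlencode(params)}"


RFC_SEED = b"12345678901234567890"  # RFC 4226 / RFC 6238 Appendix B test-vector seed

if __name__ == "__main__":
    print(totp(RFC_SEED, 59, digits=8))  # 94287082 per RFC 6238 Appendix B
    print(enrollment_uri(RFC_SEED, "patient@example.com", "ExampleTelehealth"))
```

The skew window is the usual trade-off: one step either side keeps phones with drifting clocks working, but each extra step is another code an attacker who phished one can try, which is why the verifier also stores and refuses the last accepted counter rather than relying on the 30-second rotation alone.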
NIST IAL2 Identity Assurance
- Government ID verification
- Liveness detection
- Knowledge-based authentication
- Address verification
Platform Security
- reCAPTCHA v3: Advanced bot detection
- Anomaly Detection: ML-powered unauthorized login detection
- Intrusion Prevention: Real-time threat blocking
- Anti-phishing: Domain monitoring and email security
Audit Trail & Compliance
PHI Access Logging
- Who accessed what data
- When access occurred
- What actions were taken
- Source IP and device
Provider Activity
- Login/logout events
- Patient record views
- Prescription history
- System modifications
System Events
- Security incidents
- Failed login attempts
- Permission changes
- Data exports
All audit logs are retained for a minimum of 6 years, consistent with the HIPAA audit controls standard (45 CFR §164.312(b)) and the six-year documentation retention requirement (45 CFR §164.316(b)(2)).
Patient Data Access
Patients may securely access their health records, visit history, prescriptions, and lab results through the patient portal at telehealth.yourmd.online. All patient portal sessions are protected by the same encryption and authentication standards described above. To request a full export of your health records, contact privacy@yourmd.online.
Incident Response & Breach Notification
- 0-1 hour: Detection & Containment. Automated detection systems identify and contain potential breaches.
- 1-24 hours: Initial Assessment. The security team evaluates the scope and impact of the incident.
- 24-72 hours: Initial Notification. Initial notification to affected users begins once the scope of the breach has been determined.
- 72+ hours: Remediation. Full forensic review is conducted and security improvements are implemented.
- Within 60 days: Full HITECH Act Notification. Notification to all affected individuals is completed without unreasonable delay and in no case later than 60 calendar days after breach discovery (45 CFR 164.404). For breaches affecting 500 or more individuals, HHS (45 CFR 164.408) and, where applicable, prominent media outlets (45 CFR 164.406) are notified within the same 60-day period. For breaches affecting fewer than 500 individuals, HHS is notified within 60 days after the end of the calendar year in which the breach was discovered.
Certifications & Compliance
HIPAA Compliant
HITECH Act Compliant
Hosted on SOC 2 Type II attested infrastructure (Microsoft Azure)
NIST SP 800-53 framework aligned