HIPAA Notice & Security Overview

Last updated: May 12, 2026

1. Our Commitment to HIPAA Compliance

YourMD Telehealth is operated by United Medical Group, PLLC (NPI: 1295393601), a licensed telehealth medical practice. We are a HIPAA Covered Entity subject to:

HIPAA Privacy Rule (45 CFR Part 164 Subpart E)
HIPAA Security Rule (45 CFR Part 164 Subpart C)
HITECH Act Breach Notification Requirements (45 CFR §§ 164.400–414)

For your full Notice of Privacy Practices as required under 45 CFR § 164.520, see our Privacy Policy.

2. How We Protect Your Health Information

Encryption

All protected health information (PHI) is encrypted using modern, authenticated encryption standards:

In transit: All data is encrypted using TLS 1.2 or higher. HTTP Strict Transport Security (HSTS) is enforced across all platform connections.
In your telehealth session: Video and audio travel directly between your device and your physician's device using end-to-end encrypted media streams (DTLS with Secure Real-time Transport Protocol). Your session media never passes through or is stored on YourMD servers.
At rest: PHI stored in our systems uses authenticated encryption. Clinical notes, chat messages, and session records are individually encrypted with unique keys — a compromise of one record does not expose others.

Telehealth Session Privacy

When you have a telehealth session with your YourMD physician:

Your video and audio are encrypted before they leave your device and travel directly to your physician — not through our servers
Sessions are not recorded. Recording is disabled at the system level and cannot be enabled by users
No audio from your session is processed by any third-party transcription service
Every session requires explicit informed consent before joining, including acknowledgment that recording is prohibited
Optional session guests (such as a family member) require your explicit real-time approval before joining and can be removed at any time

Access Controls

Multi-factor authentication is required for all physician and administrator accounts
Access to patient records follows the HIPAA minimum necessary standard — each role can access only the information required for their function
All access to PHI is logged with user identity, timestamp, and action type
Administrative access to sensitive functions requires written justification and generates an immediate security alert

3. Audit Logging & Retention

All access to protected health information is logged with: user identity, patient record, action type, timestamp, source address, and user agent. Audit logs are:

Protected by a tamper-evident cryptographic chain — any modification or deletion of prior entries is detectable
Retained for a minimum of seven (7) years per 45 CFR § 164.316(b)(2)(i)
Reviewed as part of our ongoing HIPAA Security Rule compliance program

4. Business Associate Agreements

YourMD executes a Business Associate Agreement (BAA) with every vendor that creates, receives, maintains, or transmits PHI on our behalf, before any PHI is shared with that vendor.

Categories of Business Associates with whom we may share PHI include:

Category	Purpose
Cloud infrastructure provider	Hosting, storage, and compute for our HIPAA-compliant platform
Electronic prescribing service	Transmission of prescriptions to pharmacies
Compounding pharmacy partners	Fulfillment of compounded prescriptions
Secure fax service	Transmission of prior authorization and clinical documents

We do not share PHI with payment processors — payment card data is handled independently of health information. We do not sell PHI. We do not share PHI with advertising platforms.

For GLP-1 medications (Wegovy, Zepbound, Foundayo, Ozempic, Mounjaro), prescriptions are sent directly to FDA-approved manufacturer pharmacies. Patients interact with those pharmacies directly for fulfillment and payment.

5. Your Rights Under HIPAA

As a YourMD patient, you have the following rights regarding your protected health information:

Right to access (45 CFR § 164.524)
You may request a copy of your health records. We will provide access within 30 days of your request.

Right to amend (45 CFR § 164.526)
You may request correction of inaccurate or incomplete information in your health record.

Right to an accounting of disclosures (45 CFR § 164.528)
You may request a list of disclosures of your PHI made for purposes other than treatment, payment, or healthcare operations.

Right to request restrictions (45 CFR § 164.522)
You may request restrictions on how we use or share your PHI. We are not required to agree to all requests, but we will consider each one.

Right to confidential communications
You may request that we communicate with you in a specific way or at a specific location.

Right to a copy of this Notice
You may request a paper or electronic copy of this Notice at any time.

To exercise any of these rights, contact our Privacy Officer:

Email: privacy@yourmd.online
Phone: (702) 430-7801
Mail: 9205 W. Russell Rd, Bldg 3, Ste 240, Las Vegas, NV 89148

6. Breach Notification

In the event of a breach of unsecured PHI, YourMD will notify affected individuals and the U.S. Department of Health and Human Services within the timelines required by the HIPAA Breach Notification Rule.

We also comply with state breach notification laws for patients in each state where we are licensed:

Nevada — as required by NRS § 603A
Washington — as required by RCW § 19.255.010
Oregon — as required by ORS § 646A.604
Wisconsin — as required by Wis. Stat. § 134.98

YourMD maintains a written Incident Response Plan with designated HIPAA Security Officer and Privacy Officer accountability per 45 CFR §§ 164.308(a)(2) and 164.530(a).

7. Minimum Necessary Standard

We apply the HIPAA minimum necessary standard (45 CFR § 164.502(b)) to all uses and disclosures of PHI. This means:

Physicians access only the records of their own patients
Clinical staff access only the information required for their specific function
Session content is accessible only to the treating physician and the patient
PHI is retained only as long as required for care and by applicable law

8. Complaints

If you believe your privacy rights have been violated, you may file a complaint with:

YourMD Privacy Officer
Email: privacy@yourmd.online
Phone: (702) 430-7801

U.S. Department of Health and Human Services, Office for Civil Rights
hhs.gov/hipaa/filing-a-complaint

You will not be retaliated against for filing a complaint.

United Medical Group, PLLC DBA YourMD Telehealth • NPI: 1295393601
Licensed in Nevada • Washington • Oregon • Wisconsin
9205 W. Russell Rd, Bldg 3, Ste 240, Las Vegas, NV 89148 • telehealth.yourmd.online
This notice is effective as of May 12, 2026. A copy of this notice is available upon request.