Privacy Policy & HIPAA Notice of Privacy Practices

1. Introduction

This Privacy Policy ("Policy") explains how YourMD Online, LLC ("YourMD," "we," "us," or "our") and United Medical Group collect, use, disclose, retain, and protect information when you access telehealth.yourmd.online, receive care from our Providers, or purchase any direct-to-consumer (DTC) subscription service through this platform (collectively, the "Services").

This Policy also serves as our HIPAA Notice of Privacy Practices for protected health information (PHI) that we create, receive, maintain, or transmit as a HIPAA Covered Entity (for clinical services rendered by United Medical Group) and as a Business Associate (for platform services rendered by YourMD Online, LLC).

By using the Services, you agree to this Policy and to the Terms of Service.

2. Information We Collect

a) Protected Health Information (PHI)

• Chief complaint, symptoms, medical history, allergies, current medications, and family history
• Diagnoses, clinical notes, SOAP notes, and prescriptions
• Lab orders, lab results, imaging orders, vital signs, and wearable/Apple HealthKit data if you choose to sync it
• Telehealth session content (chat transcripts auto-saved to your SOAP note; video/audio is not recorded by default and Jitsi Meet uses DTLS-SRTP encryption in transit)
• Photos (intake, progress photos for DTC subscriptions, document uploads) and scanned insurance cards where provided

b) Personally Identifiable Information (PII)

• Name, date of birth, gender, mailing address, phone, email
• Government-issued ID (front and back) uploaded during IAL2 identity verification for registration
• Payment method data, handled by PCI-DSS-compliant processors (Stripe, PayPal) — YourMD does not store full card numbers
• Emergency contact information

c) Technical and Security Data

• IP address, browser, device, and operating system
• Session fingerprints and activity logs (NIST SP 800-63B compliant)
• Audit trails of logins, PHI access, prescription activity, and administrative actions
• Cookies and similar technologies for session continuity, CSRF protection, and security monitoring. For more information about the cookies we use and how to manage your cookie preferences, see our Cookie Policy.
• Referral source data, including referral codes, referring provider identifiers, and referring pharmacy identifiers, collected when you register through a referral link. This data is used for internal analytics and program management and is not shared with the referring party in a manner that identifies you unless you provide separate written consent for clinical coordination.

d) DTC Subscription Data

• Intake-form responses (weight loss, ED, hair loss, dermatology, vitality, and peptide therapy categories)
• Subscription status, billing cycle, shipping address, product selections, and fulfillment details shared with compounding and partner pharmacies
• Progress photos you voluntarily upload to track treatment

Telehealth Session Content

Chat transcripts are auto-saved to your SOAP note as part of the clinical record. Video and audio sessions are NOT recorded or stored by default. Real-time video/audio uses end-to-end DTLS-SRTP encryption in transit via Jitsi Meet and is not retained after the session ends. If our recording policy changes in the future, you will be notified and your consent will be obtained before any session is recorded.

3. How We Use Your Information

We use your information for the following purposes permitted under HIPAA (45 CFR 164.506) and applicable state law:

• Treatment: Coordinating and delivering telehealth consultations, prescribing, lab orders, and follow-up care by licensed Providers.
• Payment: Billing you for consultations and subscriptions, processing payments via Stripe/PayPal, and coordinating benefits where applicable.
• Healthcare Operations: Quality improvement, credentialing, training, compliance, audit, legal, and business management activities.
• Identity & Security: Verifying identity (IAL2 human review of government ID), preventing fraud, defending the platform against attack, and enforcing our Terms.
• Communications: Sending appointment reminders, refill notices, welcome emails, and clinical follow-up.
• Required by Law: Reporting as required by federal and state law (e.g., public health, suspected abuse, subpoenas, court orders).

4. How We Share Your Information

We disclose PHI and other information only as permitted by HIPAA or as required by law. Specifically:

• To Providers within United Medical Group for treatment, coordination, and continuity of care.
• To compounding pharmacies and fulfillment partners (for DTC subscription medications) under written Business Associate Agreements. When you enroll in a DTC subscription program, the following information is shared with our compounding pharmacy partner(s) to fill and ship your prescription: your full name, date of birth, shipping address, phone number, prescription details (medication, dose, quantity, prescriber information), and, where the pharmacy collects payment directly, your payment method. This sharing is necessary for Treatment purposes under HIPAA and is governed by a Business Associate Agreement with each pharmacy partner. You may request the identity of the pharmacy filling your prescription at any time by contacting privacy@yourmd.online.
• To Referring Providers: If you were referred to YourMD by an outside healthcare provider and you provide written consent, we may share relevant clinical information (treatment plan, medication prescribed, lab results, and progress updates) with your referring provider for care coordination purposes. This sharing is limited to information relevant to the referred treatment and requires your explicit written authorization. You may revoke this authorization at any time by contacting privacy@yourmd.online, and revocation will not affect the legality of disclosures made prior to revocation. No referring provider receives financial compensation for referring you — see our Referral Program Disclaimer.
• To Laboratory and Diagnostic Partners: When your Provider orders laboratory tests, your name, date of birth, relevant clinical information, and test order details are transmitted to our laboratory partner(s) (for example, Everlywell / Everly Health Solutions, Quest Diagnostics, Labcorp) for test fulfillment. Results are returned to our platform and reviewed by your Provider before being made available to you. Laboratory partners operate under their own privacy policies and, where applicable, under Business Associate Agreements with YourMD. At-home test kits are shipped directly to you by the laboratory partner using the shipping address on file.
• To payment processors (Stripe, PayPal) for payment authorization and subscription billing.
• To cloud and infrastructure providers (Microsoft Azure) operating under HIPAA-eligible services and BAAs.
• To e-prescribing partners (MDToolbox, Surescripts) for routing prescriptions to pharmacies.
• To government agencies and law enforcement when required by subpoena, court order, or statute.
• To the affiliated AI-native platform at www.yourmd.online when you or your Provider explicitly invokes an AI clinical tool (AskUnitedMedicalAI, diagnostic companion, drug interaction checker, lab interpreter, medical dictation). Use is governed by the AI Terms posted at www.yourmd.online. Data transmitted through these tools is handled under written Business Associate-level safeguards where the interaction involves PHI.

We do not sell, rent, or trade your personal information or PHI for marketing purposes. We do not permit third-party advertising trackers to access PHI.

5. State-Specific Privacy Rules

In addition to HIPAA, the following state rules apply to residents of the states where our Providers are licensed:

• Nevada: We comply with Nevada Revised Statutes (NRS) 603A (security of personal information) and NRS 629 (medical records). Nevada residents have the right to request that we not "sell" covered information under NRS 603A.340. We do not sell covered information; nevertheless, opt-out requests may be sent to privacy@yourmd.online.
• Washington: We comply with the Washington My Health My Data Act (MHMDA, RCW 19.373) to the extent applicable. Washington residents may request a list of third parties to whom their consumer health data has been disclosed, may request deletion, and may withdraw consent to future processing by contacting our Privacy Officer. MHMDA consent and deletion requests are honored within the timelines required by RCW 19.373.
• Oregon: We comply with Oregon's Consumer Privacy Act (OCPA, ORS 646A.570-646A.589) and Oregon's medical records statutes (ORS 192.553 et seq.). Oregon residents have the right to confirm, access, correct, delete, obtain a portable copy of, and opt out of certain processing of their personal data.
• All states: Regardless of residence, you may exercise your HIPAA rights (access, amendment, accounting of disclosures, restriction requests, confidential communications, and complaints) at any time under 45 CFR 164.524-164.528.

6. HIPAA Safeguards

We implement the administrative, physical, and technical safeguards required by the HIPAA Security Rule (45 CFR 164.308-164.312):

• Encryption in transit (TLS 1.2+) and at rest (Azure HIPAA- eligible storage)
• Role-based access control, least-privilege access, and break-the-glass controls for sensitive records (minors, unassigned patients, psychiatric records)
• Multi-factor authentication enforced for Providers, admins, and other high-privilege roles
• Comprehensive audit logging of PHI access, prescription events, and administrative actions
• Automated account lockout, rate limiting, IP blocking, bot detection, and malware upload prevention
• Bcrypt password hashing (cost 12) and NIST SP 800-63B session management with device fingerprinting
• Strict Content Security Policy headers, CSRF tokens, and parameterized SQL queries
• Executed Business Associate Agreements with all qualifying vendors
• Workforce training, documented policies and procedures, and periodic risk assessments

7. Breach Notification

In the event of a breach of unsecured PHI, we will notify affected individuals, the U.S. Department of Health and Human Services, and, where required, state regulators and the media, within the timelines required by the HIPAA Breach Notification Rule (45 CFR 164.400-414) and applicable state breach-notice laws.

8. Data Retention

We retain medical records for the longer of: (a) the period required by federal and state law (generally six years for HIPAA compliance documentation and the period required by the state in which the Provider is licensed for the clinical record itself), or (b) the period reasonably needed to support continuity of care, billing, and legal claims. Audit logs are retained for at least six years. Inactive accounts may be anonymized after retention requirements expire.

9. Your HIPAA Rights

You have the right, subject to limited exceptions, to:

• Inspect and copy your PHI held in our designated record set (45 CFR 164.524)
• Request amendment of PHI you believe is incorrect or incomplete (45 CFR 164.526)
• Request an accounting of disclosures of your PHI (45 CFR 164.528)
• Request restrictions on certain uses and disclosures (45 CFR 164.522(a))
• Request confidential communications through alternate channels (45 CFR 164.522(b))
• Receive a paper copy of this Notice
• Request a portable copy of your health records in a commonly used electronic format. We can provide records in PDF, CCD (Continuity of Care Document), or other standard formats upon request. Contact privacy@yourmd.online to request a data export.
• Withdraw consent for optional uses (marketing communications, research) at any time
• File a complaint with our Privacy Officer or with the U.S. Department of Health and Human Services, Office for Civil Rights (www.hhs.gov/ocr). You will not be retaliated against for filing a complaint.

To exercise any of these rights, contact our Privacy Officer at privacy@yourmd.online or (914) 996-8763. We respond to requests within the timelines required by HIPAA and applicable state law.

10. Minors

The Services are not intended for use by persons under 18 years of age without a legally authorized parent or guardian. For minors, a parent or guardian must provide informed consent and accept this Policy on the minor's behalf. We do not knowingly collect PHI from minors without appropriate consent.

11. AI Clinical Tools

Providers may invoke AI clinical decision-support tools offered by our affiliated AI-native platform at www.yourmd.online, including AskUnitedMedicalAI, the diagnostic companion, drug interaction checker, lab interpreter, and medical dictation. When these tools are invoked inside the telehealth platform, data transmitted to the AI tool is governed by the AI Terms of Service posted at www.yourmd.online and, where the interaction involves PHI, by Business Associate-level safeguards. AI output is clinical decision-support only and does not replace Provider judgment.

12. Limitation of Liability

13. Updates to This Policy

We may update this Policy from time to time to reflect changes in law, technology, or our practices. The revised Policy will be posted at this URL with a new "Last Updated" date. Material changes will be communicated through the patient dashboard or email. Continued use of the Services after changes are posted constitutes acceptance of the revised Policy.

14. Contact Us

For privacy questions, to exercise your rights, or to file a complaint, contact: