Effective Date: May 19, 2026 · Platform: telehealth.yourmd.online
YourMD.online, LLC and United Medical Group are committed to protecting the security, privacy, and confidentiality of your health information. Our telehealth platform is built from the ground up with HIPAA and HITECH compliance as a core requirement, not an afterthought.
1. HIPAA & HITECH Compliance
YourMD Telehealth is designed to meet or exceed the requirements of the HIPAA Security Rule (45 CFR 164.302-318) and the HITECH Act. Our compliance program includes:
- Administrative Safeguards: Documented risk analysis, incident response plan, business continuity procedures, workforce security training, and assigned security responsibility
- Technical Safeguards: Access controls, audit controls, integrity controls, person/entity authentication, and transmission security
- Physical Safeguards: Managed through our HIPAA-compliant cloud infrastructure provider (Microsoft Azure) with BAA in place
- Regular Evaluation: Security controls are reviewed and updated on a continuous basis
1a. SOC 2 Readiness
Status: YourMD Telehealth has not yet completed a SOC 2 audit. We are running a SOC 2 readiness program with a target of a SOC 2 Type I report from a licensed CPA firm in our 2026–2027 roadmap, followed by a SOC 2 Type II report over the required operating-effectiveness observation window. Until those reports are issued, no representation of “SOC 2 compliance” or “SOC 2 certification” should be inferred from this page.
In parallel, our platform was engineered against the SOC 2 Trust Service Criteria from day one rather than retrofitted later. The mapping below summarizes where current controls satisfy each criterion. Independent third-party validation of this mapping is part of the planned audit.
| SOC 2 Trust Service Criterion | Current YourMD control | Status |
(mapping rows omitted)
Many of the controls above are reinforced by independently-audited SOC 2 Type II reports from our infrastructure providers, including Microsoft Azure (hosting, database, secrets, observability), Stripe (payment processing), and GitHub (source control). Provider audit reports do not constitute a SOC 2 report for the YourMD Telehealth platform itself, but they establish the audited control posture for the underlying services we build on.
Internal governance policies mapped to SOC 2 (Information Security, Access Control, Change Management, Vendor Management, Risk Management, Data Retention & Disposal, Business Continuity, Security Awareness Training, HR Security, Code of Conduct, Privacy Notice) are maintained in YourMD's in-platform compliance registry. Each policy is versioned, content-hash-bound, and signed by the designated Security Officer and Privacy Officer. Annual review cadence is tracked and surfaced to the responsible officer; every signature is sealed into the same tamper-evident audit chain that covers PHI access. We will publish the issued SOC 2 report on this page upon completion of the audit.
2. Data Encryption
- In Transit: All data is encrypted using TLS 1.2+ (HTTPS) with HTTP Strict Transport Security (HSTS) enforced across the entire platform. This includes all web pages, API calls, file uploads, and messaging.
- At Rest — Infrastructure Layer: Protected health information (PHI) stored in our database and cloud storage is encrypted at rest using AES-256 encryption provided by our cloud infrastructure provider under a signed HIPAA Business Associate Agreement.
- At Rest — Application Layer (defense in depth): In addition to infrastructure encryption, YourMD applies a second independent layer of application-managed authenticated encryption so that a compromise of the database or storage tier alone cannot expose patient data in plaintext. We use only vetted, industry-standard cryptographic primitives with per-purpose key separation; no legacy or weak algorithms are permitted.
- PHI Column Encryption: Sensitive clinical data fields are encrypted at the column level with context binding that ties each ciphertext to its owning patient record. A leaked ciphertext cannot be re-linked to a different patient. Reads are transparent to authorized providers.
- Patient Upload Encryption: Patient-uploaded files — identity documents, insurance cards, progress photos, and medical records — are encrypted at the application layer before reaching storage, with purpose-separated keys and per-user context binding. Decryption is mediated exclusively through authenticated server-side endpoints that enforce access control and audit-log every access.
- Database Connections: All connections between our application servers and database use SSL/TLS encryption.
- Telehealth Sessions: Video and audio consultations are encrypted using industry-standard protocols. Session data is isolated with unique per-session keys and does not persist on your device after the call ends.
- Secret Management: Application secrets are stored in our cloud provider's managed secret store, not in source code or configuration files. Keys and credentials are rotated on a controlled schedule, and access is limited to the application processes that require them.
3. Identity Verification & Authentication
- Registration Review (NIST IAL2): All new accounts undergo identity verification. Patients upload government-issued ID (front and back) during registration. A licensed administrator manually reviews and approves each submission before access is granted — we do not rely on automated face-matching software for primary identity proofing. Facial biometric data is not collected or processed on this platform. Identity verification uses government-issued ID review by our medical team (IAL2 workflow).
- Single Authentication Path: The platform exposes exactly one production login flow. There are no test accounts, demo credentials, hardcoded passwords, or "shadow" login pages anywhere in the production code base. We audit for and remove any such paths on every release.
- Self-Registration Restricted to Patients: Public account creation is limited to patient and therapy-patient roles. Privileged roles (clinician, biller, administrator) are provisioned exclusively by an existing administrator through a sealed user-management tool that requires multi-factor authentication and writes an audit trail.
- Password Policy (NIST SP 800-63B-aligned): Passwords require a minimum of 12 characters with complexity requirements (uppercase, lowercase, numbers, special characters) and are checked against known-breached password lists. Passwords are hashed using bcrypt with a high cost factor — we never store plaintext passwords and never email or display them. Password reuse is prevented by comparing each new password against the last several hashes in a per-user history, and password reset invalidates every active session for that user (NIST SP 800-63B requirement). Periodic rotation is opt-in rather than mandatory, following NIST guidance that arbitrary rotation schedules reduce overall security.
- Multi-Factor Authentication (MFA): TOTP-based multi-factor authentication is available for all roles and is enforced by default for clinicians and administrators. Backup codes are provided for account recovery, and recovery flows themselves require MFA re-verification.
- Session Security: Sessions comply with NIST SP 800-63B guidelines, including session ID regeneration on every authentication step, automatic timeout after inactivity, session fingerprinting (subnet, user agent, browser characteristics), and secure cookie configuration (HttpOnly, Secure, SameSite=Strict). Concurrent session limits prevent credential sharing.
- Account Lockout & Rate Limiting: Accounts are automatically locked after multiple failed login attempts. Login endpoints carry stricter per-IP rate limits than ordinary API traffic to prevent credential-stuffing and brute force attacks. Every authentication handler passes through a unified security middleware layer that additionally performs bot detection and auto-blocks any network address exceeding the failure threshold.
- Anti-Bot Protection: Login, registration, and password-reset forms are protected by a multi-layer bot defense stack combining behavioral analysis, cryptographic challenge-response, and optional third-party enterprise CAPTCHA. Controls are designed so that defeating any single layer does not bypass the others.
- Administrator "View As" Controls: When an administrator needs to view the platform as another user for support purposes, the action requires a dedicated gated tool, is restricted to non-privileged accounts, generates a new session, and is attributed to the original administrator in the audit trail on both start and end.
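The password rules above (minimum length, character classes, breach-list check, reuse prevention against a hash history, and session revocation on reset) as one worked example. This is added illustration, not YourMD's code: the page specifies bcrypt, and hashlib.scrypt from the standard library stands in here so the block runs offline; HISTORY_DEPTH, the breach corpus and the User record are constructed assumptions.

```python
"""Password policy and reset handling aligned with NIST SP 800-63B.

Added example, not YourMD code. The page specifies bcrypt; hashlib.scrypt
(standard library) stands in here so the example runs offline. HISTORY_DEPTH,
the breach corpus and the User record are constructed assumptions.
"""
import hashlib
import hmac
import os
import string
from dataclasses import dataclass, field

MIN_LENGTH = 12
HISTORY_DEPTH = 5                                     # assumption: "the last several hashes"
SCRYPT_PARAMS = dict(n=2**13, r=8, p=1, dklen=32)     # low cost for a demo; raise in production

# Constructed stand-in for a breached-password corpus, keyed by SHA-1 hex digest
# the way the public feeds are. A real check queries a k-anonymity range API.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest() for p in ("Password123!", "Welcome2024!!")
}


@dataclass
class User:
    name: str
    history: list = field(default_factory=list)   # password hashes, most recent last
    sessions: set = field(default_factory=set)    # live session identifiers


def hash_password(password: str) -> str:
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return f"scrypt${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    _, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex), **SCRYPT_PARAMS)
    return hmac.compare_digest(digest.hex(), digest_hex)


def policy_violations(password: str, history: list) -> list:
    """Return every rule the candidate password breaks (empty list means acceptable)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    classes = (
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    )
    if not all(classes):
        problems.append("missing character class")
    if hashlib.sha1(password.encode()).hexdigest() in BREACHED_SHA1:
        problems.append("found in breach corpus")
    # Reuse is checked against stored hashes; no plaintext history is ever kept.
    if any(verify_password(password, h) for h in history[-HISTORY_DEPTH:]):
        problems.append("reused")
    return problems


def new_user(name: str, password: str) -> User:
    problems = policy_violations(password, [])
    if problems:
        raise ValueError(", ".join(problems))
    return User(name, history=[hash_password(password)])


def reset_password(user: User, new_password: str) -> list:
    """Apply the policy; on success rotate the hash and revoke every active session."""
    problems = policy_violations(new_password, user.history)
    if problems:
        return problems
    user.history.append(hash_password(new_password))
    del user.history[:-HISTORY_DEPTH]      # keep only the window used for reuse checks
    user.sessions.clear()                  # SP 800-63B: a reset must not leave old sessions live
    return []
```

The reuse check runs the slow hash once per history entry, which is why the history window is kept small; the session set is cleared only after the new hash is committed, so a rejected reset changes nothing.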
4. Access Controls
- Role-Based Access Control (RBAC): Access to patient data follows the HIPAA "minimum necessary" principle. Six distinct roles (patient, therapy patient, provider, therapist, biller, administrator) each have specific permissions limiting data access to only what is needed for their function.
- Break-the-Glass Minimum-Necessary Gate: Access to sensitive patient records (minors, psychiatric records, patients outside a normal care relationship, medication histories, lab orders and results, billing staff accessing clinical data) requires the requesting user to document a justification reason before the record is released. Each justification is scoped to a single patient, valid for one hour within the current session, and written to the tamper-evident audit chain along with the reason, role, timestamp, and network address. Providers cannot browse the database — they can only see records for which they have either a treatment relationship or a documented break-the-glass reason.
- Segregation of Duties: Billing staff can access patient demographics and billing codes but have limited access to clinical notes. Providers cannot access financial transaction data. Administrative functions are separated from clinical functions.
- Concurrent Session Limits: Users are limited to a maximum number of concurrent sessions to prevent credential sharing.
- Controlled Substance Policy: Our platform does not prescribe controlled substances. The prescription system actively blocks and logs any attempt to prescribe medications on DEA controlled substance schedules.
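The break-the-glass gate described in this section, written out as an added example (not YourMD's code): a read is allowed on a treatment relationship alone, and otherwise only with a documented justification that is bound to one user, one session and one patient and expires after an hour. The relationship table, sensitive-patient set, role names and the in-memory audit list are constructed stand-ins.

```python
"""Break-the-glass gate scoped to one patient, one session, one hour.

Added example, not YourMD code. The treatment-relationship table, the sensitive
patient set, the audit list and the role names are constructed stand-ins.
"""
import time
from dataclasses import dataclass

BTG_TTL_SECONDS = 3600   # the page: a justification is valid for one hour


@dataclass(frozen=True)
class Justification:
    user: str
    session: str
    patient: str
    reason: str
    created: float


class RecordGate:
    def __init__(self, relationships, sensitive_patients, clock=time.time):
        self.relationships = set(relationships)      # (user, patient) treatment pairs
        self.sensitive = set(sensitive_patients)     # minors, psychiatric records, ...
        self.clock = clock                           # injectable so expiry can be tested
        self.justifications = {}                     # (user, session, patient) -> Justification
        self.audit = []                              # stand-in for the sealed audit chain

    def needs_justification(self, user: str, role: str, patient: str) -> bool:
        # Billing staff reading clinical data always pass through the gate, as does
        # anyone outside a treatment relationship or touching a sensitive record.
        return (role == "biller"
                or patient in self.sensitive
                or (user, patient) not in self.relationships)

    def break_glass(self, user, session, role, patient, reason, ip) -> Justification:
        if not reason or not reason.strip():
            raise ValueError("a justification reason is required")
        j = Justification(user, session, patient, reason.strip(), self.clock())
        self.justifications[(user, session, patient)] = j
        self.audit.append({"event": "break_glass", "user": user, "role": role,
                           "patient": patient, "reason": j.reason, "ip": ip, "ts": j.created})
        return j

    def can_read(self, user: str, session: str, role: str, patient: str) -> bool:
        if not self.needs_justification(user, role, patient):
            return True
        j = self.justifications.get((user, session, patient))   # other sessions never match
        if j is None:
            self.audit.append({"event": "denied", "user": user, "role": role,
                               "patient": patient, "ts": self.clock()})
            return False
        if self.clock() - j.created > BTG_TTL_SECONDS:
            del self.justifications[(user, session, patient)]   # expired: must re-justify
            return False
        return True
```

Keying the justification on the session as well as the user means a fresh login (or an administrator "view as" session) cannot inherit an earlier justification; the denial events give the security team the "who tried to browse" signal the page's audit trail relies on.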
5. Telehealth Session Security
- Session Isolation: Each telehealth consultation operates in a cryptographically isolated session with unique encryption keys generated for each call.
- Zero-Persistence: No protected health information is stored on your device during or after a telehealth session. All session data exists only in memory during the active call and is securely destroyed when the session ends.
- Signed Session Tokens: Access to telehealth sessions is controlled through cryptographically signed tokens that prevent unauthorized access or tampering.
- Real-Time Monitoring: Active telehealth sessions are monitored by our security operations team for anomalous activity.
- Encrypted Transcripts: If session notes or transcripts are saved, they are encrypted before storage and accessible only to authorized providers.
6. Monitoring, Audit & Incident Response
- Comprehensive Audit Trail: Every access to PHI is logged with user identity, action performed, timestamp, IP address, and user agent. Audit logs are retained for 7 years per HIPAA requirements (45 CFR § 164.316(b)(2)(i)). Audit records are append-only — deleting a user account does not remove that user's historical audit entries.
- Tamper-Evident Audit Chain: Every audit record is sealed into a cryptographic chain so that any attempt to forge, reorder, or silently delete entries is detectable. The chain integrity is verified on an automated schedule, and any failure triggers an immediate security operations alert.
- Continuous Compliance Testing: Our compliance program runs a register of recurring tests against our own operational controls — daily, monthly, quarterly, semi-annual, and annual cadences. Daily tests run automatically: TLS certificate expiry, audit chain HMAC integrity, scheduled-job health, and WAF anomaly review. Manual tests — quarterly access review, semi-annual phishing simulation, annual penetration test — are tracked in an evidence register with each run logged. Results are written to an append-only log retained for seven years.
- Internal Policy Framework: Twenty governance policies (Information Security, Access Control, Change Management, Risk Management, Incident Response, Vendor Management, Business Continuity, Data Retention, Acceptable Use, HIPAA Privacy, HIPAA Security, Breach Notification, Workforce Clearance, Encryption, Logging & Monitoring, Security Awareness Training, Code of Conduct & Ethics, HR Security, Privacy Notice, Minimum Necessary) are versioned, content-hash bound, and electronically signed by the designated Security Officer and Privacy Officer on an annual cycle. Any change to a policy invalidates the prior signature and requires re-signing. Signature records are sealed into the same tamper-evident audit chain that covers PHI access.
- Application-Layer Security Controls: Every request is inspected by our security middleware, which enforces per-IP rate limits, bot blocking, injection pattern detection, CORS enforcement, upload validation, and automatic lockout after repeated failed authentications. Cloud-platform DDoS protection operates in front of the application layer.
- Incident Response Plan: YourMD maintains a written Incident Response Plan with separated Security Officer and Privacy Officer roles (45 CFR §§ 164.308(a)(2), 164.530(a)) for independent accountability on containment and breach-notification decisions. The plan covers evidence preservation, HIPAA breach risk assessment, and state-specific notification timelines for all states where we hold patient licenses. It is reviewed and attested annually.
- Backup & Recovery Testing: Database backups are tested on a regular schedule by restoring to an isolated instance and verifying integrity. Results are documented to satisfy HIPAA § 164.308(a)(7)(ii)(D).
- Continuous Security Review: Our engineering team performs automated and manual security reviews of the production code base on a continuous basis. Findings are triaged promptly, and critical issues are patched as a priority. Dependency vulnerabilities are surfaced via automated supply-chain scanning.
- Defense-in-Depth: We do not wait for vulnerability disclosures to harden the platform. New defensive layers are added proactively so that a single control failure cannot expose patient data.
- Security Operations: Our security team has real-time visibility into authentication events, access anomalies, and platform health. Automated alerts escalate integrity anomalies to the security operations inbox with severity classification.
- Threat Detection: Automated controls enforce rate limiting, bot blocking, injection prevention, and malicious upload prevention on all requests. Our cloud provider's threat-detection services provide an additional overlay across database, application, storage, and key management resources.
- Network Address Management: Suspicious addresses are automatically blocked after repeated failed authentication attempts. Administrators can manually block or unblock addresses with documented reasons.
- Incident Response & Breach Notification: We maintain a documented incident response plan with procedures for identifying, containing, eradicating, and recovering from security incidents. Breach notification is provided within 60 days to affected individuals and to the U.S. Department of Health and Human Services as required by the HITECH Act, with sooner notification when warranted by state statute (Washington: 30 days; Oregon and Wisconsin: 45 days; Nevada and California: without unreasonable delay).
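The tamper-evident audit chain and the daily "audit chain HMAC integrity" test from this section, as an added example that is not YourMD's code: every record is HMAC-sealed over its own content plus the previous seal, so an edited record, a reordered record or a silently dropped tail is detected on verification. The key, the sample records (including a policy-signature record of the kind the Internal Policy Framework item describes) and the head checkpoint are constructed; a deployment would hold the key in the managed secret store and keep the checkpoint somewhere the log writer cannot reach.

```python
"""Tamper-evident audit chain: each record is HMAC-sealed over its content plus
the previous seal, and verification flags edits, reordering and truncation.

Added example, not YourMD code. The key, the records and the checkpoint are
constructed; a deployment keeps the key in the managed secret store and the
head checkpoint outside the log it protects.
"""
import hashlib
import hmac
import json

GENESIS = "0" * 64


def _canonical(body: dict) -> bytes:
    # Sorted keys and no whitespace so the same record always seals identically.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


class AuditChain:
    def __init__(self, key: bytes):
        self.key = key
        self.entries = []          # append-only; nothing here ever removes an entry

    def seal(self, body: dict) -> str:
        return hmac.new(self.key, _canonical(body), hashlib.sha256).hexdigest()

    @property
    def head(self) -> str:
        """Seal of the latest entry; checkpoint this value outside the log."""
        return self.entries[-1]["seal"] if self.entries else GENESIS

    def append(self, record: dict) -> dict:
        body = dict(record, seq=len(self.entries), prev=self.head)
        entry = dict(body, seal=self.seal(body))
        self.entries.append(entry)
        return entry

    def verify(self, entries=None, expected_head=None):
        """Return (ok, index_of_first_bad_entry); index == len(entries) means the
        tail was truncated relative to the checkpoint."""
        entries = self.entries if entries is None else entries
        prev = GENESIS
        for i, e in enumerate(entries):
            body = {k: v for k, v in e.items() if k != "seal"}
            if (e.get("seq") != i or e.get("prev") != prev
                    or not hmac.compare_digest(self.seal(body), e.get("seal", ""))):
                return False, i
            prev = e["seal"]
        if expected_head is not None and prev != expected_head:
            return False, len(entries)
        return True, None
```

The scheduled integrity job is the `verify(..., expected_head=...)` call: without the externally stored head, dropping the newest records would leave a chain that still verifies, which is why the checkpoint matters as much as the HMAC.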
7. Infrastructure
- Cloud Provider: Microsoft Azure with a signed HIPAA Business Associate Agreement (BAA) covering App Service, MySQL Flexible Server, Key Vault, Communication Services, Application Insights, Storage, and Defender for Cloud.
- Region: United States (Central US)
- Database: Azure MySQL with SSL-enforced connections, automated point-in-time backups, and quarterly restore-to-throwaway-instance testing.
- HTTPS Enforcement: HTTP access is automatically redirected to HTTPS. HSTS headers ensure browsers always use encrypted connections.
- Security Headers: Content Security Policy (CSP) with a strict img-src 'self' restriction so patient images cannot be hot-linked from external origins, frame-ancestors 'none' clickjacking prevention, X-Content-Type-Options: nosniff, Referrer-Policy: no-referrer so internal PHI URLs do not leak on navigation, and X-Frame-Options: DENY are set on all authenticated responses.
- Search-Engine Exclusion on PHI Pages: Every authenticated PHI page carries both HTTP and HTML noindex/nofollow/noarchive/nosnippet directives so no internal URL can be indexed by a search crawler.
- DDoS Protection: Azure DDoS Protection Basic is automatically enabled on every Azure public endpoint.
- Email Authentication: Outbound email from yourmd.online is authenticated with SPF, DKIM, and DMARC. DKIM signing is in place for our Azure Communication Services sending domain, SPF is aligned, and DMARC is currently published in monitored mode (p=none with aggregate reporting) while we confirm full alignment of every sending source, after which the policy is tightened to p=quarantine and then p=reject. MTA-STS and TLS-RPT are progressively enabled for transport-layer authentication.
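The DMARC rollout the Email Authentication item describes (monitored p=none with aggregate reporting, then p=quarantine, then p=reject) as an added example, not YourMD's code or DNS data: a small parser for a published DMARC TXT record that reports which stage the policy is in and what is missing. The record strings are constructed, and the stage labels and "next policy" suggestion are this example's own.

```python
"""Evaluate a published DMARC record and report which rollout stage it is in.

Added example, not YourMD code. The record strings are constructed; the stage
names and the suggested next policy are this example's labels, following the
p=none -> quarantine -> reject progression described on the page.
"""
NEXT_POLICY = {"none": "quarantine", "quarantine": "reject", "reject": None}


def parse_dmarc(txt: str) -> dict:
    """Split 'tag=value; tag=value' into a dict; tag names are case-insensitive."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        tags[name.strip().lower()] = value.strip()
    return tags


def assess_dmarc(txt: str) -> dict:
    tags = parse_dmarc(txt)
    findings = []
    if tags.get("v") != "DMARC1":
        findings.append("not a DMARC record")
    policy = tags.get("p")
    if policy not in NEXT_POLICY:
        findings.append("missing or invalid p tag")
        policy = None
    if not tags.get("rua", "").startswith("mailto:"):
        # Monitored mode is blind without aggregate reports to review.
        findings.append("no aggregate reporting address")
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
        findings.append("invalid pct tag")
    sp = tags.get("sp", policy)            # subdomain policy inherits p when absent
    if policy == "none":
        stage = "monitoring"
    elif policy and pct < 100:
        stage = "partial enforcement"
    elif policy:
        stage = "enforcing"
    else:
        stage = "unprotected"
    if sp == "none" and policy in ("quarantine", "reject"):
        findings.append("subdomains still in monitoring (sp=none)")
    return {"policy": policy, "subdomain_policy": sp, "pct": pct, "stage": stage,
            "next_policy": NEXT_POLICY.get(policy), "findings": findings}
```

A monitored record with no rua address is the common misconfiguration worth flagging: it looks like a first rollout step but produces no evidence on which to base the move to quarantine.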
8. Third-Party Services & Business Associate Agreements
YourMD maintains a Business Associate Agreement (BAA) tracker and signs a BAA with every vendor that creates, receives, maintains, or transmits PHI on our behalf before any PHI is shared.
- E-Prescribing: MDToolbox, a certified e-prescribing platform integrated with pharmacy networks. BAA required and executed prior to first Rx.
- Payment Processing: Stripe (PCI DSS Level 1 certified). YourMD never stores, processes, or has access to your full credit card number. A healthcare BAA is executed prior to any payment flow that touches PHI.
- Compounding Pharmacies: Hallandale Pharmacy and Valiant Pharmacy — BAA-covered.
- Cloud Storage: YMD Drive provides HIPAA-compliant encrypted document storage with AES-256 encryption, audit logging, and provider sharing controls.
- AI Services: AskUnitedMedicalAI and health tools operate under our AI Terms of Use with data handling governed by our Privacy Policy. We do not use third-party web analytics (including Google Analytics) on any PHI-handling page; telemetry is handled in-tenant via Microsoft's Application Insights.
9. Privacy, Cookies & Consent
- First-Party Cookies Only: YourMD Telehealth does not use third-party tracking cookies, advertising pixels, or cross-site analytics tags. Every cookie the platform sets is first-party, strictly-necessary or functional, and is documented in our Cookie Disclosure.
- Granular Consent Manager: A GDPR- and CCPA-compliant consent banner is presented to every visitor on first arrival. Users can accept all categories, reject all non-essential categories, or choose per category (strictly necessary, functional, analytics, marketing). The consent state is stored in a first-party cookie so that clearing cookies also clears consent, and the banner version is bumped whenever a new category is introduced so existing users are re-prompted.
- Persistent Cookie Preferences Link: Every page in the platform and on our marketing site exposes a "Cookie preferences" link so users can revisit and change their choices at any time.
- Minimum Necessary Processing: Per the HIPAA minimum-necessary standard, any disclosure of PHI is scoped to the least amount needed to accomplish the authorized purpose. Our access controls and break-the-glass gate enforce this automatically at the application layer.
10. Application Security
- Parameterized Queries: Every database query uses parameterized prepared statements. We do not assemble SQL by string concatenation anywhere in the production code base, eliminating SQL injection as a class of vulnerability.
- Cross-Site Scripting (XSS): All user-controlled output is HTML-encoded at the rendering layer. A strict per-page Content Security Policy header restricts script sources to same-origin and a small allowlist of trusted CDNs, blocking inline scripts unless they carry a per-request cryptographic nonce.
- Cross-Site Request Forgery (CSRF) — Three Defensive Layers:
- Session cookies use the SameSite=Strict attribute, so the browser does not send credentials on any cross-site navigation.
- HTML form submissions are gated by a per-session CSRF token validated on every state-changing request.
- Application-layer JSON APIs additionally enforce a same-origin guard that rejects any state-changing request whose Origin or Referer does not match the platform host. This protects critical actions (subscription changes, prescription writes, medical record updates, document uploads) even if the first two layers were ever bypassed.
- HTTP Header Hardening: Strict-Transport-Security with includeSubDomains, X-Frame-Options DENY (clickjacking prevention), X-Content-Type-Options nosniff, Referrer-Policy strict-origin-when-cross-origin, and Permissions-Policy restricting camera, microphone, and geolocation to first-party use only.
- HTTP Response Splitting / CRLF Injection: User-controlled values that flow into HTTP response headers (file download names, redirects) are sanitized to strip control characters before they reach the response, preventing header injection attacks.
- File Upload Security: Uploaded files are validated by extension, MIME type sniffed from file content (not just the client-supplied Content-Type), and file size limits. Executable files and active content types are blocked. Uploaded files are stored outside the executable web root with random-bytes filenames so an attacker cannot guess upload paths.
- Secret Management: All API keys, database credentials, JWT signing secrets, and third-party tokens are loaded from runtime environment variables managed by our cloud provider. We do not commit secrets to the source code repository, and any historical reference to a secret is rotated on discovery.
- Anti-Bot Protection: Honeypot fields, form submission timing analysis, behavioral pattern detection, and CAPTCHA on high-value endpoints protect against automated abuse and credential stuffing.
- Information Disclosure Prevention: Production responses never include stack traces, internal file paths, server software versions, or database error details. All exceptions are logged server-side and the client receives a generic error message.
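The three CSRF layers listed above (SameSite=Strict cookies, a per-session form token, and a same-origin guard on Origin/Referer for state-changing requests) as an added example, not YourMD's code. PLATFORM_HOST is the hostname given on this page; the session dict, the header dicts and the json_api flag are constructed stand-ins for whatever the real framework supplies. The guard fails closed when both Origin and Referer are absent and never accepts "Origin: null".

```python
"""Three CSRF layers: SameSite=Strict cookies, a per-session form token, and a
same-origin guard on Origin/Referer for every state-changing request.

Added example, not YourMD code. PLATFORM_HOST is the hostname from the page;
the session dict, header dicts and the json_api flag are constructed stand-ins.
"""
import hmac
import secrets
from urllib.parse import urlsplit

PLATFORM_HOST = "telehealth.yourmd.online"
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def session_cookie_header(session_id: str) -> str:
    """Layer 1: attributes that stop the browser attaching the cookie cross-site."""
    return f"session={session_id}; Path=/; Secure; HttpOnly; SameSite=Strict"


def new_session() -> dict:
    return {"id": secrets.token_urlsafe(32), "csrf_token": secrets.token_urlsafe(32)}


def csrf_token_valid(session: dict, submitted) -> bool:
    """Layer 2: constant-time comparison of the submitted form token with the session's."""
    expected = session.get("csrf_token")
    if not expected or not isinstance(submitted, str) or not submitted:
        return False
    return hmac.compare_digest(expected.encode(), submitted.encode())


def _host_matches(url: str, host: str) -> bool:
    try:
        parts = urlsplit(url)
        port = parts.port                      # raises ValueError on a malformed port
    except ValueError:
        return False
    return (parts.scheme == "https"
            and parts.hostname == host          # exact match: no suffix or subdomain tricks
            and port in (None, 443))


def same_origin(headers: dict, host: str = PLATFORM_HOST) -> bool:
    """Layer 3: trust Origin first, fall back to Referer, fail closed when both are absent."""
    origin = headers.get("Origin")
    if origin is not None:
        return origin != "null" and _host_matches(origin, host)
    referer = headers.get("Referer")
    return bool(referer) and _host_matches(referer, host)


def authorize_state_change(method, headers, session, form_token=None, json_api=False):
    """Return (allowed, reason). Read-only methods pass; every other request must clear
    the origin guard, and browser form posts must also carry a valid session token."""
    if method.upper() in SAFE_METHODS:
        return True, "read-only method"
    if not same_origin(headers):
        return False, "origin guard: Origin/Referer does not match platform host"
    if not json_api and not csrf_token_valid(session, form_token):
        return False, "missing or invalid CSRF token"
    return True, "all CSRF layers satisfied"
```

The origin guard compares the parsed hostname, not a string prefix, so a lookalike host that merely starts with the platform name is rejected; the token comparison is constant-time so a wrong token cannot be distinguished by response timing.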
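The File Upload Security and CRLF Injection items above, combined into one added example that is not YourMD's code: uploads are validated by extension, by leading bytes sniffed from the content rather than the client's Content-Type, and by size; accepted files get a random name under a directory outside the web root; and the user-chosen filename is stripped of control characters and path components before it is echoed back in a Content-Disposition header. The signature table, size limit, UPLOAD_ROOT and the sample file bytes are constructed assumptions.

```python
"""Upload validation by extension, content sniffing and size, storage under a
random name outside the web root, and CRLF-safe download headers.

Added example, not YourMD code. The signature table, size limit and
UPLOAD_ROOT are constructed assumptions; the sample file bytes are constructed.
"""
import os
import re
import secrets

UPLOAD_ROOT = "/var/yourmd/uploads"          # assumption: a directory the web server never serves or executes from
MAX_UPLOAD_BYTES = 10 * 1024 * 1024

# Leading bytes each accepted type must start with; the client-supplied
# Content-Type header is deliberately not consulted.
SIGNATURES = {
    "pdf": (b"%PDF-",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
}

_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def upload_problems(filename: str, content: bytes, max_bytes: int = MAX_UPLOAD_BYTES) -> list:
    """Return every reason to reject the upload; an empty list means accept."""
    problems = []
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in SIGNATURES:
        problems.append("extension not allowed")        # blocks .php, .html, .svg, .exe, ...
    if len(content) > max_bytes:
        problems.append("file too large")
    if ext in SIGNATURES and not any(content.startswith(sig) for sig in SIGNATURES[ext]):
        problems.append("content does not match extension")
    return problems


def storage_path(ext: str) -> str:
    """Random, unguessable name; the original filename is never used on disk."""
    return os.path.join(UPLOAD_ROOT, secrets.token_hex(16) + "." + ext)


def accept_upload(filename: str, content: bytes, max_bytes: int = MAX_UPLOAD_BYTES):
    """Return the storage path for an acceptable upload, or None."""
    if upload_problems(filename, content, max_bytes):
        return None
    return storage_path(filename.rsplit(".", 1)[-1].lower())


def safe_header_value(value: str) -> str:
    """Strip CR, LF and other control characters so a value cannot start a new header line."""
    return _CONTROL_CHARS.sub("", value)


def content_disposition(original_name: str) -> str:
    """Download header built from the user-chosen name: control characters and path
    components removed, double quotes dropped so the quoted-string cannot be broken."""
    name = os.path.basename(safe_header_value(original_name)).replace('"', "")
    return f'attachment; filename="{name or "download"}"'
```

Keeping the original filename only as display metadata (and never as the on-disk name) is what makes the random-name storage effective; the header sanitizer is the last line of defence for the one place that metadata reaches the response.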
10a. Data Classification
Every data element the platform handles falls into one of four tiers, with distinct encryption, access control, and retention requirements:
- Tier 1 — PHI: All patient health information including clinical records, prescriptions, documents, lab orders, and session data. Application-layer authenticated encryption; role-based access; 7-year retention; every access audit-logged into the tamper-evident chain.
- Tier 2 — PII (non-clinical): Billing information and provider credentialing data. Encryption for high-sensitivity fields; 7-year retention; access restricted to authorized roles.
- Tier 3 — Internal Business Data: Operational logs without PHI linkage, vendor records. Cloud-default encryption; 3-year retention.
- Tier 4 — Public: Marketing pages, legal pages. No access restriction.
10b. How YourMD Security Compares
Patients often ask how YourMD's security posture compares to other digital health platforms. Here is an honest, non-marketing overview:
| Control | YourMD | Typical Telehealth Platform | Basic EHR / Portal |
(comparison rows omitted)
“Typical telehealth platform” reflects our assessment of common industry practice based on publicly available security documentation and HIPAA audit frameworks. Individual platform postures vary.
11. Vulnerability Disclosure & Responsible Reporting
If you believe you have discovered a security vulnerability affecting YourMD Telehealth, please report it to us privately rather than disclosing it publicly. We will acknowledge your report within two business days and work with you toward a coordinated fix. You may report via:
Researchers acting in good faith and within the scope below will not be subject to legal action by YourMD.online, LLC. We ask that you:
- Avoid privacy violations, degradation of user experience, disruption to production systems, and destruction of data during your research.
- Use only test accounts you control. Do not interact with patient data that does not belong to you.
- Give us a reasonable opportunity to remediate before public disclosure.
12. Your Rights & Responsibilities
Your Rights:
- Access and download your medical records at any time through your patient portal
- Request amendments to your health information
- Request an accounting of disclosures of your PHI
- File a privacy complaint with us or with the HHS Office for Civil Rights
Your Responsibilities:
- Choose a strong, unique password and do not share it with anyone
- Enable multi-factor authentication on your account
- Conduct telehealth sessions from a private location
- Keep your device and browser updated
- Report any suspicious activity to our support team immediately
13. Contact Us
If you have security concerns, discover a vulnerability, or need to report a security incident:
For HIPAA complaints, you may also contact the U.S. Department of Health and Human Services Office for Civil Rights at hhs.gov/hipaa.
YourMD.online, LLC · United Medical Group
www.yourmd.online · telehealth.yourmd.online