Privacy Policy & HIPAA Notice of Privacy Practices

1. Introduction

This Privacy Policy ("Policy") explains how YourMD Online, LLC ("YourMD," "we," "us," or "our") and United Medical Group collect, use, disclose, retain, and protect information when you access telehealth.yourmd.online, receive care from our Providers, or purchase any direct-to-consumer (DTC) subscription service through this platform (collectively, the "Services").

This Policy also serves as our HIPAA Notice of Privacy Practices for protected health information (PHI) that we create, receive, maintain, or transmit as a HIPAA Covered Entity (for clinical services rendered by United Medical Group) and as a Business Associate (for platform services rendered by YourMD Online, LLC).

By using the Services, you agree to this Policy and to the Terms of Service.

2. Information We Collect

a) Protected Health Information (PHI)

• Chief complaint, symptoms, medical history, allergies, current medications, and family history
• Diagnoses, clinical notes, SOAP notes, and prescriptions
• Lab orders, lab results, imaging orders, and vital signs
• Telehealth session content (chat transcripts auto-saved to your SOAP note; video/audio is not recorded by default and all session media uses end-to-end encrypted transmission)
• Photos (intake, progress photos for DTC subscriptions, document uploads) and scanned insurance cards where provided

b) Personally Identifiable Information (PII)

• Name, date of birth, gender, mailing address, phone, email
• Identity verification documents submitted during registration, retained only for the duration required to complete verification and then securely deleted. Verification records (not document images) are retained for compliance purposes for a minimum of six (6) years.
• Payment method data, handled by our PCI-DSS-compliant payment processor — YourMD does not store full card numbers
• Emergency contact information

c) Technical and Security Data

• IP address, browser, device, and operating system
• Session fingerprints and activity logs (NIST SP 800-63B compliant)
• Audit trails of logins, PHI access, prescription activity, and administrative actions
• Cookies and similar technologies for session continuity, CSRF protection, and security monitoring. For more information about the cookies we use and how to manage your cookie preferences, see our Cookie Policy.
• Referral source data, including referral codes, referring provider identifiers, and referring pharmacy identifiers, collected when you register through a referral link. This data is used for internal analytics and program management and is not shared with the referring party in a manner that identifies you unless you provide separate written consent for clinical coordination.

d) DTC Subscription Data

• Intake-form responses (weight loss, ED, hair loss, dermatology, vitality, and peptide therapy categories)
• Subscription status, billing cycle, shipping address, product selections, and fulfillment details shared with compounding and partner pharmacies
• Progress photos you voluntarily upload to track treatment

Telehealth Session Content

Chat transcripts are auto-saved to your SOAP note as part of the clinical record. Video and audio sessions are NOT recorded or stored by default. Real-time video/audio uses end-to-end end-to-end encrypted media transmission and is not retained after the session ends. If our recording policy changes in the future, you will be notified and your consent will be obtained before any session is recorded.

3. How We Use Your Information

We use your information for the following purposes permitted under HIPAA (45 CFR 164.506) and applicable state law:

• Treatment: Coordinating and delivering telehealth consultations, prescribing, lab orders, and follow-up care by licensed Providers.
• Payment: Billing you for consultations and subscriptions, processing payments via our payment processor, and coordinating benefits where applicable.
• Healthcare Operations: Quality improvement, credentialing, training, compliance, audit, legal, and business management activities.
• Identity & Security: Verifying identity (IAL2 human review of government ID), preventing fraud, defending the platform against attack, and enforcing our Terms.
• Communications: Sending appointment reminders, refill notices, welcome emails, and clinical follow-up.
• Required by Law: Reporting as required by federal and state law (e.g., public health, suspected abuse, subpoenas, court orders).

4. How We Share Your Information

We disclose PHI and other information only as permitted by HIPAA or as required by law. Specifically:

• To Providers within United Medical Group for treatment, coordination, and continuity of care.
• To compounding pharmacies and fulfillment partners (for DTC subscription medications) under written Business Associate Agreements. When you enroll in a DTC subscription program, the following information is shared with our compounding pharmacy partner(s) to fill and ship your prescription: your full name, date of birth, shipping address, phone number, prescription details (medication, dose, quantity, prescriber information), and, where the pharmacy collects payment directly, your payment method. This sharing is necessary for Treatment purposes under HIPAA and is governed by a Business Associate Agreement with each pharmacy partner. You may request the identity of the pharmacy filling your prescription at any time by contacting privacy@yourmd.online.
• To Referring Providers: If you were referred to YourMD by an outside healthcare provider and you provide written consent, we may share relevant clinical information (treatment plan, medication prescribed, lab results, and progress updates) with your referring provider for care coordination purposes. This sharing is limited to information relevant to the referred treatment and requires your explicit written authorization. You may revoke this authorization at any time by contacting privacy@yourmd.online, and revocation will not affect the legality of disclosures made prior to revocation. No referring provider receives financial compensation for referring you — see our Referral Program Disclaimer.
• To Laboratory and Diagnostic Partners: When your Provider orders laboratory tests, your name, date of birth, relevant clinical information, and test order details are transmitted to our licensed laboratory partner(s) for test fulfillment. You may request the identity of the laboratory fulfilling your order by contacting privacy@yourmd.online. Results are returned to our platform and reviewed by your Provider before being made available to you. Laboratory partners operate under Business Associate Agreements with YourMD where required by HIPAA. At-home test kits are shipped directly to you by the laboratory partner using the shipping address on file.
• To our payment processor for payment authorization and subscription billing. Payment card data is handled by a PCI-DSS-compliant processor and is not shared with YourMD's clinical systems.
• To cloud and infrastructure providers (Microsoft Azure) operating under HIPAA-eligible services and BAAs.
• To licensed e-prescribing and pharmacy integration services for routing prescriptions to dispensing pharmacies. All such services operate under a signed Business Associate Agreement prior to receiving any protected health information.
• To government agencies and law enforcement when required by subpoena, court order, or statute.
• To AI-assisted information tools used by Providers as reference resources during clinical encounters. All clinical decisions are made by the licensed Provider. AI tools are used to assist with information retrieval and documentation, not to make clinical determinations. Use is governed by the AI Terms at www.yourmd.online.

We do not sell, rent, or trade your personal information or PHI for marketing purposes. We do not permit third-party advertising trackers to access PHI.

No ad-tech or analytics pixels on authenticated pages. Consistent with the FTC's November 2023 health-data enforcement guidance and the April 2024 FTC enforcement action against Cerebral (In the Matter of Cerebral, Inc.), YourMD does not use third-party advertising pixels, analytics tags, session recorders, or conversion trackers on any authenticated page or any page that transmits protected health information. Ad-tech platforms including Meta, Google Ads, Google Analytics, TikTok, LinkedIn Insight, Pinterest, X (Twitter), Reddit, and any similar service receive no patient identifiers, no prescription data, no diagnosis codes, and no health-condition information from any YourMD system.

5. State-Specific Privacy Rules

In addition to HIPAA, the following state rules apply to residents of the states where our Providers are licensed:

• Nevada: We comply with Nevada Revised Statutes (NRS) 603A (security of personal information) and NRS 629 (medical records). Nevada residents have the right to request that we not "sell" covered information under NRS 603A.340. We do not sell covered information; nevertheless, opt-out requests may be sent to privacy@yourmd.online.
• Washington: We comply with the Washington My Health My Data Act (MHMDA, RCW 19.373) to the extent applicable. Washington residents may request a list of third parties to whom their consumer health data has been disclosed, may request deletion, and may withdraw consent to future processing by contacting our Privacy Officer. MHMDA consent and deletion requests are honored within the timelines required by RCW 19.373.
• Oregon: We comply with Oregon's Consumer Privacy Act (OCPA, ORS 646A.570-646A.589) and Oregon's medical records statutes (ORS 192.553 et seq.). Oregon residents have the right to confirm, access, correct, delete, obtain a portable copy of, and opt out of certain processing of their personal data.
• Wisconsin: We comply with Wisconsin Statutes Chapter 146 (Patient Health Care Records Privacy), Wis. Stat. § 146.82, which governs patient access, amendment, and release of medical records. Wisconsin residents may request a copy of their medical record, request amendment, and receive an accounting of disclosures consistent with HIPAA and Wisconsin law. Medical record retention follows the longer of federal HIPAA (6 years) and Wisconsin record retention requirements.
• California: We comply with the California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act (together, the "CCPA"; Cal. Civ. Code §§ 1798.100-1798.199.100) and the California Confidentiality of Medical Information Act (CMIA, Cal. Civ. Code § 56 et seq.). See Section 5a below for the full California Residents' notice and how to exercise your CCPA rights.
• All states: Regardless of residence, you may exercise your HIPAA rights (access, amendment, accounting of disclosures, restriction requests, confidential communications, and complaints) at any time under 45 CFR 164.524-164.528.

5a. California Residents — Your CCPA/CPRA Rights

This section applies to California residents and is provided under the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act (Cal. Civ. Code §§ 1798.100 - 1798.199.100) (together, the "CCPA"). Medical information that is covered by the California Confidentiality of Medical Information Act (CMIA, Cal. Civ. Code § 56) or HIPAA is exempt from the CCPA and is governed by those laws; the rights below apply to your remaining personal information (e.g., website analytics, billing address, marketing contact data).

Categories of personal information we collect

In the 12 months preceding the effective date above, we have collected the following categories of personal information, as defined in Cal. Civ. Code § 1798.140:

• Identifiers: name, email address, postal address, phone number, IP address, unique account identifier (YMD-prefix user_id).
• Commercial information: subscription plan, payment records (processed via Stripe; we do not store card numbers), billing history.
• Internet or other electronic network activity: device type, browser, session logs, pages visited within the telehealth portal.
• Geolocation: approximate location derived from IP address; state of residence where required for provider licensing.
• Professional or employment-related information (for providers only): NPI, DEA number, state license numbers, malpractice attestations.
• Sensitive personal information (CPRA § 1798.140(ae)): account credentials (password hashes only; never the plaintext), government-issued ID images (IAL2 verification), biometric liveness data captured during identity proofing, and precise geolocation only when the user explicitly grants browser geolocation for telehealth dispatch. We use sensitive personal information only for the disclosed purposes and do not use it to infer characteristics about you.
• Inferences: none drawn from your personal information for profiling or advertising.
• Medical information / protected health information: Exempt from the CCPA — governed by HIPAA and CMIA. See Sections 6 and 9 of this policy.

Sources of personal information

• Directly from you during registration, intake, or support interactions.
• Automatically from your device and browser (cookies, server logs).
• From our service providers who process data on our behalf under a written Business Associate Agreement or Data Processing Agreement (e.g., Microsoft Azure, Stripe, compounding pharmacy partners).
• From government or licensure databases for provider credentialing.

Business purposes for collection and disclosure

• Providing the telehealth services you request.
• Processing payments and subscription fulfillment.
• Identity verification and fraud prevention (IAL2).
• Complying with legal obligations (HIPAA audit, prescription records, breach notification).
• Platform security, anti-abuse, and incident response.
• Transactional service communications (appointment reminders, password resets, security alerts).

Categories of personal information disclosed for business purposes

In the 12 months preceding the effective date above, we have disclosed the following categories to the following recipients, all of whom are bound by written confidentiality and data-protection obligations:

• Identifiers + commercial information to payment processors (Stripe) for billing.
• Identifiers + medical information to compounding pharmacy partners for prescription fulfillment, under a Business Associate Agreement.
• Identifiers + internet activity to our cloud hosting and email providers (Microsoft Azure, Azure Communication Services) as necessary to operate the platform.
• Identifiers + professional information (for providers) to e-prescribing and credentialing vendors as necessary to process prescriptions and maintain licensure verification.

Sale and sharing of personal information — we do neither

YourMD does not "sell" personal information for monetary or other valuable consideration, and does not "share" personal information for cross-context behavioral advertising, as those terms are defined in the CCPA. We have not sold or shared personal information in the 12 months preceding the effective date above, and we do not intend to do so in the future. Consequently:

• We are not required to, and do not, operate a "Do Not Sell or Share My Personal Information" link. You may still submit a "right to opt out" request using the contact information below, and we will confirm our no-sale / no-share status in writing.
• We do not knowingly sell or share the personal information of consumers under 16 years of age.

Your rights under the CCPA

As a California resident you have the following rights with respect to the non-HIPAA-exempt personal information described above. Medical information and PHI are governed by your HIPAA rights in Section 9 of this policy.

• Right to know: request the categories of personal information we have collected about you, the categories of sources, the business purposes for collection, the categories of third parties with whom we share it, and the specific pieces of personal information we have collected about you in the past 12 months (or longer if requested).
• Right to delete: request that we delete personal information we have collected about you, subject to the CCPA's exemptions (including our legal obligation to retain medical records under HIPAA §164.316 for 7 years, financial records under federal/state law, and security logs).
• Right to correct: request that we correct inaccurate personal information we maintain about you.
• Right to limit use of sensitive personal information: direct us to limit our use of your sensitive personal information to what is strictly necessary to provide the telehealth service. We already confine sensitive personal information to the disclosed purposes, so exercising this right results in no practical change in how we handle your data, but you may still submit the request and we will confirm our limited-use posture in writing.
• Right to data portability: receive a copy of the personal information we hold about you in a portable, machine-readable format.
• Right to non-discrimination: we will not deny, charge different prices for, or provide a different quality of service because you exercised any CCPA right. YourMD does not operate any financial incentive program under Cal. Civ. Code § 1798.125.
• Right to opt out of automated decision-making: YourMD does not subject California residents to profiling or automated decision-making that produces legal or similarly significant effects. Clinical decisions are made by licensed physicians, not by software.

How to exercise your CCPA rights

Submit a request using any of the methods below. We will acknowledge receipt within 10 business days and respond within 45 calendar days (extendable by 45 days with notice, per the CCPA):

• Email: privacy@yourmd.online — include the words "CCPA request" in the subject line.
• Web form: through the patient portal account settings once logged in.
• Mail: YourMD.Online, LLC, Attn: Privacy Officer, 9205 W. Russell Rd, Bldg 3, Ste 240, Las Vegas, NV 89148.
• Phone (toll-free): we do not currently operate a toll-free line; email is the fastest channel.

Verifiable consumer requests

We must verify your identity before fulfilling a request to know, delete, correct, or limit. To verify, we match the information in your request against the information we already hold for you in our authenticated patient record (typically: full name, registered email address, and a date of a recent platform interaction). For high-risk requests (deletion, access to sensitive personal information) we may require additional identity proofing such as re-verification of your government ID. We will never ask you to create a new account, pay a fee, or provide information we do not already have in order to submit a request.

Authorized agents

You may designate an authorized agent to make a request on your behalf. The agent must provide (i) written permission signed by you, (ii) proof of their own identity, and (iii) for requests to know or delete, verification of your identity directly with us. We may deny a request from an agent who cannot provide signed permission demonstrating the agent's authorization to act on your behalf.

Shine the Light (Cal. Civ. Code § 1798.83)

California residents may request a notice identifying the categories of personal information we have shared with third parties for those third parties' direct marketing purposes. We do not disclose personal information to third parties for their direct marketing purposes, so there is nothing to report under the Shine the Light law. You may confirm this in writing by contacting privacy@yourmd.online.

Complaints

If you believe we have not complied with the CCPA, you may file a complaint with the California Privacy Protection Agency at cppa.ca.gov or with the California Attorney General at oag.ca.gov/privacy. We would appreciate the opportunity to resolve the concern directly first — please contact privacy@yourmd.online.

6. HIPAA Safeguards

We implement the administrative, physical, and technical safeguards required by the HIPAA Security Rule (45 CFR 164.308-164.312):

• Encryption in transit (TLS 1.2+) and at rest (Azure HIPAA- eligible storage)
• Role-based access control, least-privilege access, and break-the-glass controls for sensitive records (minors, unassigned patients, psychiatric records)
• Multi-factor authentication enforced for Providers, admins, and other high-privilege roles
• Comprehensive audit logging of PHI access, prescription events, and administrative actions
• Automated account lockout, rate limiting, IP blocking, bot detection, and malware upload prevention
• Bcrypt password hashing (cost 12) and NIST SP 800-63B session management with device fingerprinting
• Strict Content Security Policy headers, CSRF tokens, and parameterized SQL queries
• Executed Business Associate Agreements with all qualifying vendors
• Workforce training, documented policies and procedures, and periodic risk assessments

7. Breach Notification

In the event of a breach of unsecured PHI, we will notify affected individuals, the U.S. Department of Health and Human Services, and, where required, state regulators and the media, within the timelines required by the HIPAA Breach Notification Rule (45 CFR 164.400-414) and applicable state breach-notice laws.

8. Data Retention

We retain medical records for the longer of: (a) the period required by federal and state law (generally six years for HIPAA compliance documentation and the period required by the state in which the Provider is licensed for the clinical record itself), or (b) the period reasonably needed to support continuity of care, billing, and legal claims. Audit logs are retained for at least six years. Inactive accounts may be anonymized after retention requirements expire.

9. Your HIPAA Rights

You have the right, subject to limited exceptions, to:

• Inspect and copy your PHI held in our designated record set (45 CFR 164.524)
• Request amendment of PHI you believe is incorrect or incomplete (45 CFR 164.526)
• Request an accounting of disclosures of your PHI (45 CFR 164.528)
• Request restrictions on certain uses and disclosures (45 CFR 164.522(a))
• Request confidential communications through alternate channels (45 CFR 164.522(b))
• Receive a paper copy of this Notice
• Request a portable copy of your health records in a commonly used electronic format. We can provide records in PDF, CCD (Continuity of Care Document), or other standard formats upon request. Contact privacy@yourmd.online to request a data export.
• Withdraw consent for optional uses (marketing communications, research) at any time
• File a complaint with our Privacy Officer or with the U.S. Department of Health and Human Services, Office for Civil Rights (www.hhs.gov/ocr). You will not be retaliated against for filing a complaint.

To exercise any of these rights, contact our Privacy Officer at privacy@yourmd.online or (702) 430-7801. We respond to requests within the timelines required by HIPAA and applicable state law.

10. Minors

The Services are not intended for use by persons under 18 years of age without a legally authorized parent or guardian. For minors, a parent or guardian must provide informed consent and accept this Policy on the minor's behalf. We do not knowingly collect PHI from minors without appropriate consent.

11. AI Clinical Tools & the SOAP Note AI Writer

When a Provider invokes an authorized AI clinical decision-support tool during a telehealth encounter, data transmitted to that tool is governed by our HIPAA Privacy Policy and applicable Business Associate Agreements. AI output is clinical decision-support only and does not replace Provider judgment. Any AI-assisted diagnosis, prescribing, or treatment decision is ultimately made by the treating Provider, not the AI tool. For the full AI Terms of Service, see www.yourmd.online.

SOAP Note AI Writer (Provider-Only Feature)

YourMD's electronic medical record includes an AI-assisted clinical documentation tool called the SOAP Note AI Writer. This tool helps licensed Providers structure and improve the accuracy of clinical notes (Subjective, Objective, Assessment, and Plan sections) during and after telehealth encounters. This feature is available to Providers only and is never shown to or operated by patients.

How your information is protected when this feature is used:

1. De-identification before processing. Before any clinical note text is sent for AI processing, our system automatically removes direct patient identifiers — including name, date of birth, phone number, email address, Social Security number, medical record number, street address, and all other identifiers listed under the HIPAA Safe Harbor de-identification standard (45 CFR § 164.514(b)). Clinical data necessary for accurate documentation — such as vital signs, diagnoses, medications, and lab values — is preserved so the AI can produce a meaningful note. The de-identification step runs on our servers before the text leaves our infrastructure.
2. Processing by a HIPAA Business Associate. De-identified note text is processed by Azure OpenAI (Microsoft), operating under a signed HIPAA Business Associate Agreement with YourMD Online, LLC. Azure OpenAI is hosted within Microsoft's HIPAA-eligible cloud infrastructure. Microsoft does not use your data to train or improve its AI models.
3. Provider review before any note is saved. AI-generated text is presented to the Provider as a draft for review. The Provider must explicitly accept, edit, or discard the AI output before it is saved to the medical record. No AI-generated content enters the medical record without Provider review and attestation.
4. Audit logging. Every use of the AI Writer is recorded in our tamper-evident HIPAA audit log, including which Provider initiated the request, which note section was processed, and confirmation that de-identification ran successfully.

The SOAP Note AI Writer is a documentation-assistance tool only. It does not make clinical decisions, suggest diagnoses, or recommend medications. All clinical judgments remain the sole responsibility of the treating Provider.

Separately, open AI tools on www.yourmd.online are intended for general health information and education only, and must not be used to submit PHI. See the AI Terms of Service for details.

12. Limitation of Liability

13. Updates to This Policy

We may update this Policy from time to time to reflect changes in law, technology, or our practices. The revised Policy will be posted at this URL with a new "Last Updated" date. Material changes will be communicated through the patient dashboard or email. Continued use of the Services after changes are posted constitutes acceptance of the revised Policy.

14. Contact Us

For privacy questions, to exercise your rights, or to file a complaint, contact: