Privacy Policy

Effective Date: February 22, 2026

1. Introduction

DefineMD (“we,” “our,” or “us”) is committed to protecting the privacy and security of the personal and health information of our patients. This Privacy Policy describes how we collect, use, disclose, and safeguard your information when you use our concierge medical services, including through our website, patient portal, telehealth platforms, and in-person visits.

This policy has been drafted to comply with applicable federal and state laws, including the Health Insurance Portability and Accountability Act (HIPAA), the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), the California Confidentiality of Medical Information Act (CMIA), and the Texas Medical Records Privacy Act (Texas Health & Safety Code Chapter 181).

2. Information We Collect

2.1 Protected Health Information (PHI)

In the course of providing medical services, we collect and maintain Protected Health Information, including but not limited to:

  • Name, date of birth, address, phone number, and email address

  • Medical history, diagnoses, treatment plans, and clinical notes

  • Laboratory results, imaging reports, and medication records

  • Insurance information (if applicable) and billing records

  • Communications between you and our providers

2.2 Personal Information

We may also collect personal information that is not classified as PHI, including:

  • Website usage data and cookies

  • Device identifiers and IP addresses

  • Communication preferences

  • Payment and financial information

  • Emergency contact information

3. How We Use Your Information

We use your information for the following purposes:

  • Treatment: Providing, coordinating, and managing your healthcare and related services.

  • Payment: Processing payments for services rendered, including invoicing and collections.

  • Healthcare Operations: Quality assessment, training, compliance, auditing, and business management activities.

  • Communication: Appointment reminders, health-related information, and responding to your inquiries.

  • Legal Compliance: Meeting obligations under federal and state law.

  • As Otherwise Permitted or Required by Law: Including public health activities, reporting abuse, health oversight, judicial proceedings, law enforcement purposes, and other purposes as described in our Notice of Privacy Practices.

4. How We Share Your Information

We do not sell your personal information or protected health information. We may share your information in the following circumstances:

  • With your written authorization or consent.

  • With other healthcare providers involved in your care for treatment purposes.

  • With business associates who perform services on our behalf, subject to Business Associate Agreements.

  • As required by law, including court orders, subpoenas, or government investigations.

  • For public health and safety purposes as permitted by law.

  • With health oversight agencies for lawful oversight activities.

5. Your Rights Under Federal Law (HIPAA)

Under HIPAA, you have the following rights regarding your Protected Health Information:

  • Right to Access: You may request access to and obtain a copy of your medical records.

  • Right to Amend: You may request amendments to your health information if you believe it is inaccurate or incomplete.

  • Right to an Accounting of Disclosures: You may request a list of certain disclosures we have made of your health information.

  • Right to Request Restrictions: You may request restrictions on certain uses and disclosures of your health information.

  • Right to Request Confidential Communications: You may request that we communicate with you through alternative means or at alternative locations.

  • Right to a Paper Copy of This Notice: You may request a paper copy of this Privacy Policy at any time.

  • Right to File a Complaint: You may file a complaint with us or with the U.S. Department of Health and Human Services if you believe your privacy rights have been violated.

6. Additional Rights for California Residents

6.1 California Consumer Privacy Act (CCPA/CPRA)

If you are a California resident, you have additional rights under the CCPA as amended by the CPRA. Please note that certain health information governed by HIPAA or CMIA may be exempt from CCPA requirements. For non-exempt personal information, you have the following rights:

  • Right to Know: You may request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources from which your information was collected, the business or commercial purpose for collection, and the categories of third parties with whom we share your information.

  • Right to Delete: You may request that we delete personal information we have collected from you, subject to certain exceptions.

  • Right to Correct: You may request that we correct inaccurate personal information.

  • Right to Opt-Out of Sale or Sharing: We do not sell or share your personal information for cross-context behavioral advertising.

  • Right to Limit Use of Sensitive Personal Information: You may request that we limit our use of your sensitive personal information to purposes necessary for providing our services.

  • Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.

6.2 California Confidentiality of Medical Information Act (CMIA)

Under the CMIA, we will not disclose your medical information without your prior written authorization, except as permitted by law. Your medical information will be handled with the highest level of confidentiality as required under California law. You have the right to receive a copy of your medical records within 15 days of your written request.

7. Additional Rights for Texas Residents

7.1 Texas Medical Records Privacy Act

If you are a Texas resident, you have the following additional rights and protections:

  • Right to Access Medical Records: You may request access to your medical records. We will provide the requested records within 15 business days of receiving your written request.

  • Right to Amend: You may request amendments to your medical records if you believe they contain inaccurate information.

  • Electronic Health Records: If your records are maintained electronically, you may request an electronic copy in a commonly used format.

  • Confidentiality Protections: Texas law provides strong protections for the confidentiality of your medical records, including mental health records, substance abuse treatment records, and HIV/AIDS-related information, which may not be disclosed without your specific written consent except as provided by law.

7.2 Texas Identity Theft Enforcement and Protection Act

In the event of a data breach involving your personal information, we will notify you in accordance with the Texas Identity Theft Enforcement and Protection Act (Texas Business & Commerce Code Chapter 521), which requires notification without unreasonable delay and no later than 60 days after discovery of the breach.

7.3 Texas Data Privacy and Security Act (TDPSA)

For personal data not otherwise exempt under HIPAA, Texas residents may have additional rights under the TDPSA, including the right to access, correct, delete, and obtain a portable copy of personal data, as well as the right to opt out of the processing of personal data for targeted advertising, sale, or profiling.

8. Data Security

We implement administrative, technical, and physical safeguards designed to protect your personal and health information from unauthorized access, use, or disclosure. These safeguards include but are not limited to:

  • Encryption of data in transit and at rest.

  • Access controls limiting access to authorized personnel only.

  • Regular security assessments and audits.

  • Employee training on privacy and security practices.

  • Secure disposal of records containing personal or health information.

9. Data Retention

We retain your medical records and personal information in accordance with applicable state and federal retention requirements. In California, medical records are retained for a minimum of seven (7) years from the date of the last service, or for minor patients, until the patient reaches age 19, whichever is longer. In Texas, medical records are retained for a minimum of seven (7) years from the date of last treatment. After the applicable retention period, records will be securely destroyed.

10. Telehealth and Electronic Communications

When you participate in telehealth consultations, additional information may be collected through our telehealth platform, including audio and video recordings (with your consent), device information, and session metadata. We use HIPAA-compliant telehealth platforms and require our technology vendors to enter into Business Associate Agreements. All telehealth communications are encrypted and stored securely.

11. Contact Information

If you have questions about this Privacy Policy, wish to exercise any of your rights, or wish to file a complaint, please contact us at:

DefineMD

Attn: Privacy Officer

contact@timetodefine.com

You may also file a complaint with:

  • U.S. Department of Health and Human Services, Office for Civil Rights: www.hhs.gov/ocr

  • California Attorney General: oag.ca.gov

  • Texas Attorney General: texasattorneygeneral.gov

12. Changes to This Privacy Policy

We reserve the right to modify this Privacy Policy at any time. Any changes will be effective upon posting the revised policy on our website. We encourage you to review this Privacy Policy periodically. If we make material changes to this policy, we will provide notice as required by law.