Effective Date: April 21, 2024
Overview
This HIPAA Privacy Policy articulates the safeguards and practices shrinkMD, along with its affiliates and subsidiaries (collectively, “we,” “us,” or “shrinkMD”), deploy in handling Protected Health Information (PHI) in accordance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and other applicable state-specific laws, including but not limited to the California Consumer Privacy Act (CCPA) and the Virginia Consumer Data Protection Act (VCDPA). HIPAA is a federal program that requires that all medical records and other individually identifiable health information used or disclosed by us in any form, whether electronically, on paper or orally, are kept properly confidential. This Act gives you, the patient, significant rights to understand and control how your health information is used.
In Addition
shrinkMD operates the platform but is neither a healthcare provider nor a medical group. Telehealth services facilitated through our platform are delivered by independent healthcare entities, collectively referred to in this document as “Healthcare Groups.” These groups include a network of healthcare professionals across the United States, such as licensed therapists, nurse practitioners, and physicians, each referred to as a “Provider.” These Healthcare Groups and their Providers are obligated by both federal and state law to protect the privacy of your health information and adhere to their own detailed Notice of Privacy Practices. shrinkMD, acting as an intermediary, processes health information on behalf of these Healthcare Groups in strict alignment with their directives and privacy practices.
If you disagree with the Privacy Policy or the specific Privacy Practices of the Healthcare Groups, you should refrain from using our services.
Scope of the Policy
This policy encompasses all PHI managed by shrinkMD, whether collected via our website, mobile apps, or through direct interactions, ensuring comprehensive protection across all platforms.
Data Retention Policy
- Purpose of Policy:
shrinkMD is committed to the responsible management of patient information in compliance with the Health Insurance Portability and Accountability Act (HIPAA) and other applicable laws. This Data Retention Policy outlines the principles by which we collect, retain, and dispose of patient and associated personal information.
- Types of Information Covered:
This policy applies to all forms of information, including electronic and paper records, that contain personal and health information about our patients. This includes, but is not limited to, medical records, billing information, and service queries.
- Retention Period:
shrinkMD retains personal health information for a minimum period as required by state and federal laws or to fulfill the purposes for which the information was collected. The typical retention period for medical records is a minimum of six years from the date of the last patient encounter, or longer if required by specific state laws or ongoing patient care needs.
- Data Security:
Throughout the retention period, shrinkMD ensures that all personal information is stored securely and protected against unauthorized access, use, or disclosure. We employ physical, administrative, and technical safeguards, consistent with legal and ethical obligations, to protect patient information.
- Disposal of Information:
Once the retention period expires, shrinkMD will securely dispose of or anonymize personal information in a manner that renders it unreadable and irrecoverable. This disposal process complies with applicable legal standards and is designed to ensure the continued protection of personal information.
- Review and Adjustment of Retention Period:
The retention periods are reviewed periodically to ensure compliance with legal obligations and to accommodate changes in the regulatory environment. Adjustments to these periods are made in accordance with legal and operational requirements.
- Access and Correction:
Patients have the right to access their personal information and request corrections if inaccuracies are identified. Requests for access and correction should be made in accordance with our Notice of Privacy Practices.
- Policy Enforcement and Compliance:
shrinkMD is committed to enforcing this Data Retention Policy in accordance with applicable laws and standards. Any issues, concerns, or breaches related to this policy should be immediately reported to our Privacy Officer.
- Changes to the Data Retention Policy:
This policy may be updated or amended at any time to reflect changes in legal requirements or our internal practices. The latest version of this policy will be posted on our website and will supersede any previous versions.
Uses and Disclosures of PHI
- For Treatment:
We use and disclose PHI to facilitate treatment, coordinate care, and provide services, involving other healthcare providers as necessary.
- For Payment:
We use PHI to bill and receive payment from health plans or other entities, including verifying eligibility and coverage, and managing accounts and collections.
- For Healthcare Operations:
PHI supports administrative, evaluation, quality improvement, and customer service functions within our organization.
- Public Health and Safety:
We may disclose PHI for public health activities, reporting suspected abuse, neglect, or domestic violence, or preventing a serious threat to anyone’s health or safety.
- Compliance and Legal Proceedings:
PHI may be disclosed in response to a court or administrative order, or in legal settings as required by law.
- Marketing and Fundraising:
We will not use PHI for marketing or fundraising without your explicit consent.
Patient Rights
- Access to PHI:
You have the right to inspect and obtain a copy of your PHI.
- Amendments:
You may ask us to amend your health information if you believe it is incorrect or incomplete.
- Accounting of Disclosures:
You can request a detailed account of the disclosures we have made of your PHI.
- Restrictions:
You may request limitations on our use or disclosure of your PHI.
- Confidential Communication:
You may request that we communicate with you about medical matters in a specific way or at a specific location.
- Breach Notification:
You will receive notifications of any breach of your unsecured PHI in compliance with federal law.
Other Uses and Disclosures:
We are permitted and/or required by law to make certain other uses and disclosures of your protected health information without your consent or authorization for the following:
- Any purpose required by law.
- Public health activities such as required reporting of immunizations, disease, injury, birth and death, or in connection with public health investigations.
- If we suspect child abuse or neglect; if we believe you to be a victim of abuse, neglect, or domestic violence.
- To the Food and Drug Administration to report adverse events, product defects, or to participate in product recalls.
- To your employer when we have provided health care to you at the request of your employer.
- To a government oversight agency conducting audits, investigations, civil or criminal proceedings.
- Court or administrative ordered subpoena or discovery request.
- To law enforcement officials as required by law if we believe you have been the victim of abuse, neglect or domestic violence. We will only make this disclosure if you agree or when required or authorized by law.
- To coroners and/or funeral directors consistent with law.
- If necessary to arrange an organ or tissue donation from you or a transplant for you.
- If you are a member of the military, we may also release your protected health information for national security or intelligence activities; and
- To workers’ compensation agencies for workers’ compensation benefit determination.
State-Specific Provisions
California Residents:
As a California resident, you are entitled to certain protections under the California Consumer Privacy Act (CCPA). shrinkMD is committed to ensuring your privacy rights under this law. Adhering to the CCPA, you can inquire about the categories of collected PHI, request deletion of your PHI, and opt out of any sale of your information. Specifically, you can:
- Request details about the categories and specific pieces of personal information shrinkMD collects, along with the purposes for which we use this data and identify any third parties with whom we share it.
- Gain access to the personal information shrinkMD maintains about you and receive copies upon request.
- Ask for corrections to inaccuracies in your personal data that shrinkMD holds.
- Have your personal information deleted from shrinkMD’s records.
- Be informed of any financial incentives that shrinkMD may offer in relation to your personal information.
shrinkMD ensures non-discrimination in service quality for users exercising their CCPA rights, though certain exemptions might apply based on specific legal requirements. We take necessary steps to verify your identity before fulfilling any related requests to safeguard your information.
For further inquiries or to exercise your rights, you can contact shrinkMD directly. Should you choose to have an authorized agent make requests on your behalf, appropriate verification of authority will be required.
shrinkMD also engages with third parties such as advertising and analytics providers, potentially involving what the CCPA terms “sharing” for cross-context behavioral advertising. To opt out of such sharing or to understand more about how shrinkMD handles such arrangements, you can visit our privacy management page.
shrinkMD does not sell the personal information of minors under 16 years of age, and does not generally sell personal information as defined by the CCPA. For comprehensive details on data retention and handling practices, please refer to our Data Retention policy.
Note: shrinkMD acknowledges and respects “Do Not Track” settings and signals, which may not uniformly be recognized across all platforms and services.
California Shine the Light law:
Under Section 1798.83 of the California Civil Code, also known as the “Shine the Light” law, residents of California can request information about the types of personal information that companies like shrinkMD share with third parties for direct marketing purposes. shrinkMD adheres to this law by not sharing your personal information with third parties for their direct marketing use without your consent.
Virginia Residents:
Under the VCDPA, you have similar rights to access, delete, and restrict the processing of your PHI used for targeted advertising or profiling.
If you reside in Virginia and are covered under the Virginia Consumer Data Protection Act (VCDPA), shrinkMD acknowledges your rights to manage your personal information. These rights include:
- Verification of Data Processing: You can request confirmation on whether shrinkMD is processing your personal data and gain access to this data.
- Correction of Data: You are entitled to correct any personal data that you believe is inaccurate or incomplete, considering the purpose for which the data is processed.
- Deletion of Data: You may request the deletion of your personal data from our records.
- Data Portability: You have the right to obtain a copy of your personal data in a format that is portable and, where technically feasible, in a format that can be directly transferred to another entity by automated means.
- Opt-Out Rights: You may opt out of processing of your personal data for targeted advertising, the sale of personal data, or profiling that may have legal or significant effects on you.
- Please be aware that certain types of personal information are essential for the provision of our services and may be exempt from deletion requests under applicable laws. Removing this information might prevent you from accessing or using shrinkMD’s services effectively.
Changes to This Privacy Policy:
We reserve the right to amend this policy at any time. Changes will become effective immediately upon posting on our website or through direct communication to you.
Compliance and Enforcement:
We adhere to all relevant federal and state laws applicable to the protection of PHI. Our practices are designed to ensure compliance with HIPAA, CCPA, VCDPA, and other relevant regulations.
Paper Copy of this Notice:
You have a right, even if you have agreed to receive notices electronically, to obtain a paper copy of this notice.
Complaints:
If you believe your privacy rights have been violated, you can file a complaint with shrinkMD. If you wish to file a complaint with the Secretary of the United States Department of Health and Human Services, please go to the website of the Office for Civil Rights at www.hhs.gov/ocr/hipaa/, call 202-619-0257 (toll free 877-696-6775), or mail to:
Secretary of the US – Department of Health and Human Services
200 Independence Ave S.W.
Washington, D.C. 20201
There will be no retaliation for filing a complaint. We are required by law to provide individuals with this notice of our legal responsibilities and privacy practices with respect to Protected Health Information. We are also required to maintain the privacy of, and abide by the terms of the notice currently in effect. If you have any questions in reference to this form, please ask to speak with our HIPAA Compliance Officer in person or by phone at the number listed above.
The name and address of the person you can contact for further information concerning our privacy practices are at https://www.shrinkMD.com.
By utilizing shrinkMD’s services, you acknowledge your consent to the practices described in this HIPAA Privacy Policy. For further details or inquiries, please reach out to our privacy officer through the designated contact methods on our website.