Notice of Privacy Practices
Effective date: April 29, 2026 · Version: 2.0
Medmi Health ("Medmi," "we," "us," or "our") is a digital health platform that coordinates access to independent licensed healthcare providers, pharmacies, and related care partners. Healthcare services made available through the platform involve the creation, use, and disclosure of protected health information ("PHI") under applicable privacy laws, including the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), the HITECH Act, the HIPAA Privacy Rule (as amended through 2024, including reproductive health care protections), and applicable state privacy laws.
This Notice applies to PHI created, received, or maintained by Medmi, participating providers, professional entities, affiliated service partners, and business associates who are legally required to follow this Notice in connection with healthcare services coordinated through Medmi.
I. Our Commitment to Your Privacy
We understand that health information is personal. We are committed to protecting your privacy and maintaining the confidentiality of your protected health information. We are required by law to:
- Maintain the privacy and security of your PHI.
- Provide you with this Notice of our legal duties and privacy practices.
- Follow the terms of the Notice currently in effect.
- Notify you, and where required the U.S. Department of Health and Human Services (HHS) and applicable state authorities, in the event of a breach of unsecured PHI, generally within 60 days of discovery as required by HIPAA and applicable state law.
- Not use or disclose your PHI in ways inconsistent with this Notice except as authorized by you in writing or as permitted by law.
II. What Is Protected Health Information?
Protected health information includes information that identifies you (or could reasonably be used to identify you) and relates to your past, present, or future physical or mental health, the provision of healthcare to you, or payment for healthcare services.
Examples include but are not limited to: your name, date of birth, address, contact information, government-issued ID images submitted for identity verification, intake responses, biological sex assigned at birth, diagnosis information, prescription history, provider notes, uploaded scalp or hairline photos (clinical photography), medication lists, allergy information, pregnancy status, mental health screening responses, blood pressure and heart rate values, treatment recommendations, refill requests, payment records related to care, and communications regarding healthcare services.
A. Categories of Sensitive Information We May Process
In addition to PHI generally, we may process the following categories of sensitive personal information, which are subject to additional protections under federal and certain state laws (including the California Consumer Privacy Act / CPRA, the Virginia, Colorado, Connecticut, Texas, and other comprehensive state privacy laws):
- Government-issued identification numbers and images.
- Health data, including diagnosis, prescriptions, and clinical photographs.
- Biometric or biometric-derived information (where applicable to facial verification).
- Information regarding sex life or sexual orientation, when relevant to clinical evaluation.
- Information regarding reproductive health care, including pregnancy status, lactation status, and fertility-related history. Such information receives additional protection under the 2024 HIPAA Privacy Rule update related to reproductive health care.
- Mental health screening responses, including depression, anxiety, and suicidal ideation history.
III. How We May Use and Disclose Your PHI Without Additional Authorization
A. Treatment
We may use and disclose your PHI to provide, coordinate, or manage your healthcare and related services. For example:
- Sharing intake responses with a licensed provider for clinical review.
- Sharing prescriptions with a state-licensed pharmacy for dispensing.
- Communicating with providers, pharmacists, and care coordinators regarding treatment progress.
- Reviewing uploaded scalp or hairline photos for care decisions and documentation.
- Coordinating follow-up care, refills, lab orders, or specialist referrals.
- Conducting telehealth visits via secure video, phone, or messaging.
B. Payment
We may use and disclose PHI to obtain payment for healthcare services or products related to treatment. For example:
- Processing consultation fees, treatment charges, or subscription billing.
- Verifying transactions or investigating billing issues.
- Sending the minimum necessary billing information to PCI-DSS compliant payment processors.
- Coordinating with insurers (if applicable) for eligibility, authorization, or claims.
C. Healthcare Operations
We may use and disclose PHI for operational purposes needed to run healthcare services, including:
- Quality improvement, peer review, and clinical case review.
- Provider credentialing, licensing verification, and training.
- Audits, regulatory compliance, and accreditation activities.
- Business planning and internal administration.
- Fraud prevention, identity verification, and information security monitoring.
- De-identified analytics and reporting (data is de-identified per HIPAA Safe Harbor or Expert Determination methods before such use).
D. Appointment and Service Communications
We may contact you regarding treatment updates, refill reminders, account notices, appointment reminders, secure portal messages, follow-up recommendations, and similar healthcare communications, in compliance with HIPAA and the federal Telephone Consumer Protection Act (TCPA). You may opt out of non-treatment communications at any time using the unsubscribe link in any email or by replying STOP to any text message.
E. Individuals Involved in Your Care
We may share relevant PHI with family members, caregivers, or others involved in your care or payment for care when you agree, request it, or when permitted by law. You may object to such disclosures at any time.
F. Required by Law
We may disclose PHI when required by federal, state, or local law, including court orders, subpoenas, or government investigations. Consistent with the 2024 HIPAA Privacy Rule update, we will not disclose PHI for the purpose of investigating or imposing liability on any person for the mere act of seeking, obtaining, providing, or facilitating lawful reproductive health care, except as specifically permitted or required by federal law.
G. Public Health and Safety
We may disclose PHI for public health activities (such as reporting adverse drug events to the FDA Adverse Event Reporting System / FAERS) or to prevent a serious and imminent threat to health or safety when permitted by law.
H. Health Oversight Activities
We may disclose PHI to agencies responsible for oversight of healthcare systems, licensing, audits, inspections, investigations, and compliance activities (e.g., HHS Office for Civil Rights, state medical boards, state attorneys general).
I. Law Enforcement
We may disclose PHI to law enforcement officials under limited circumstances allowed by law, such as in response to a valid warrant, subpoena, or court order, or to identify or locate a suspect, fugitive, material witness, or missing person, subject to applicable HIPAA and state law restrictions (including those related to reproductive health care).
J. Research
Certain uses of PHI for research may be permitted under applicable law with appropriate safeguards, including approval by an Institutional Review Board (IRB), a waiver of authorization, or de-identification of the data prior to use.
K. Business Associates and Sub-Processors
We may share PHI with service providers who perform functions on our behalf and who have signed a HIPAA-compliant Business Associate Agreement ("BAA") with us. Categories of business associates and sub-processors that may have access to PHI include:
- Cloud hosting and infrastructure providers (HIPAA-eligible).
- Secure messaging, email, and communications platforms.
- Electronic health record (EHR) and clinical documentation systems.
- Telehealth video / audio platforms.
- Identity verification services.
- Payment processors and billing services (PCI-DSS compliant).
- Pharmacy fulfillment partners.
- Customer support and call-center services bound by confidentiality.
- Compliance, security, audit, and legal advisors.
A list of current categories of business associates is available upon request to our Privacy Office. Each business associate is contractually required to protect PHI in a manner consistent with HIPAA and this Notice.
IV. Uses and Disclosures Requiring Your Written Authorization
For uses not described above, we will obtain your written authorization. You may revoke an authorization in writing at any time, except to the extent action has already been taken in reliance on it.
Your written authorization is specifically required for:
- Most uses or disclosures of PHI for marketing purposes.
- Any sale of PHI.
- Most uses or disclosures of psychotherapy notes (where applicable).
- Any use or disclosure not otherwise permitted by law.
- Use of clinical photographs or images for purposes other than treatment, payment, or healthcare operations (including educational, marketing, or research uses).
V. Clinical Photography and Imaging
As part of your hair loss evaluation, you may be asked to upload clinical photographs of your scalp, hairline, or related areas. These photographs are PHI and are handled with the following safeguards:
- Photographs are encrypted in transit (TLS 1.2 or higher) and at rest (AES-256).
- Access is restricted to authorized clinical reviewers and personnel with a treatment-related need to view them.
- Access is logged and auditable.
- Photographs are retained for the period required by applicable medical recordkeeping laws (typically 7-10 years from last encounter, or longer for minors), after which they are securely destroyed unless otherwise required by law.
- Photographs are not used for marketing, advertising, training of artificial intelligence models, or any non-treatment purpose without your separate written authorization.
- You may request deletion of your photographs at any time, subject to applicable medical recordkeeping requirements.
VI. Your Rights Regarding PHI
1. Right to Access and Receive Copies
You may request access to and a copy of certain PHI maintained about you, in paper or electronic form. We will respond within 30 days (or 60 days where extended notice is permitted by HIPAA). A reasonable, cost-based fee may apply.
2. Right to Request Amendment
If you believe PHI we maintain is incomplete or inaccurate, you may request a correction or amendment. We may deny certain requests as permitted by law and will inform you of the reason and your right to submit a written statement of disagreement.
3. Right to Request Restrictions
You may request limits on certain uses or disclosures of your PHI for treatment, payment, or healthcare operations. We are not always required to agree, except where required by law (for example, you have the right to request that we not disclose PHI to a health plan if you paid in full out of pocket for the related service and the disclosure is for payment or operations only).
4. Right to Confidential Communications
You may request that we communicate with you in a particular way or at a particular location, such as by email only, text only, alternate phone number, or alternate mailing address. We will accommodate reasonable requests.
5. Right to an Accounting of Disclosures
You may request a list of certain disclosures of your PHI made during the prior six years (excluding disclosures for treatment, payment, healthcare operations, those made to you, and those made under your authorization). The first accounting in any 12-month period is free; we may charge a reasonable cost-based fee for additional requests.
6. Right to a Paper Copy of This Notice
You may request a paper copy of this Notice at any time, even if you agreed to receive it electronically. We will provide it promptly.
7. Right to File a Complaint
If you believe your privacy rights have been violated, you may file a complaint with us using the contact information at the end of this Notice, or with the U.S. Department of Health and Human Services Office for Civil Rights at https://www.hhs.gov/hipaa/filing-a-complaint/index.html or by mail to: U.S. Department of Health and Human Services, 200 Independence Avenue, S.W., Washington, D.C. 20201. You will not be retaliated against for filing a complaint.
8. State-Specific Rights (e.g., California, Virginia, Colorado, Connecticut, Texas)
Depending on your state of residence, you may have additional rights under state law, including:
- Right to know what categories of personal information we collect, the sources, the purposes, and the categories of third parties to whom we disclose it.
- Right to delete personal information we have collected from you, subject to legal exceptions including ongoing care and recordkeeping obligations.
- Right to correct inaccurate personal information.
- Right to opt out of the sale or sharing of personal information for cross-context behavioral advertising. Medmi does not sell PHI.
- Right to limit the use and disclosure of sensitive personal information.
- Right to non-discrimination for exercising privacy rights.
- Right to appeal a denied privacy request, where required by your state.
To exercise these state-law rights, contact our Privacy Office using the information at the end of this Notice. We will verify your identity before responding. We will respond within the timeframes required by the applicable state law (typically 45 days, with possible extensions).
VII. How to Exercise Your Rights
To exercise any privacy right, submit a written request to the contact information at the end of this Notice. We may need to verify your identity before responding. You may also designate an authorized agent in writing to act on your behalf, subject to verification.
VIII. Security Measures
We use reasonable administrative, technical, and physical safeguards designed to protect PHI, consistent with the HIPAA Security Rule and the 2024 HIPAA Security Rule update. Safeguards include:
- Encryption of PHI in transit (TLS 1.2 or higher) and at rest (AES-256).
- Multi-factor authentication for systems accessing PHI.
- Role-based access controls and the principle of least privilege.
- Activity logging and monitoring.
- Workforce training and confidentiality agreements.
- Vendor risk management and signed Business Associate Agreements.
- Incident response and breach notification procedures.
- Periodic risk analysis and remediation.
However, no system is completely secure. You are responsible for protecting your own devices, passwords, and account access. If you believe your account has been compromised, contact us immediately.
IX. Telehealth and Electronic Communications
Healthcare services coordinated through Medmi may involve telehealth technologies such as online intake forms, secure messaging, photographs, video, phone, or remote communications. By using these services, you acknowledge there are inherent privacy and security risks associated with electronic communications despite reasonable safeguards. You also acknowledge that:
- You have a right to in-person care and may decline telehealth at any time.
- Telehealth has limitations and may not be appropriate for all conditions.
- Communications may be transmitted across jurisdictional lines.
- If a technical failure occurs, alternative means of contact will be used.
X. Cookies, Tracking, and Online Identifiers
Our website uses cookies, pixels, and similar technologies. We have configured our marketing and analytics tools to avoid transmitting PHI. We do not use third-party tracking technologies that could disclose PHI in a manner inconsistent with HHS guidance on the use of online tracking technologies. For more information, see our Privacy Policy and Cookie Policy, where applicable.
XI. State Law Protections
Some states provide privacy protections that are stricter than federal law. Where applicable, we will comply with the more protective state requirements, including but not limited to:
- California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA) and the Confidentiality of Medical Information Act (CMIA).
- Texas Data Privacy and Security Act (TDPSA) and the Texas Medical Records Privacy Act.
- Virginia Consumer Data Protection Act (VCDPA).
- Colorado Privacy Act (CPA).
- Connecticut Data Privacy Act (CTDPA).
- Washington My Health My Data Act, where applicable.
- Illinois Biometric Information Privacy Act (BIPA), where applicable.
- Other state laws providing equal or greater privacy protection.
XII. Reproductive Health Care Information
Consistent with the 2024 HIPAA Privacy Rule update on reproductive health care, we will not use or disclose PHI to investigate or impose liability on any person for the mere act of seeking, obtaining, providing, or facilitating lawful reproductive health care. Where we are presented with a request that may relate to reproductive health care, we will require an attestation as required by HIPAA before disclosing the information.
XIII. Minors
Medmi services are intended for adults age 18 and older. We do not knowingly collect PHI from individuals under 18. If we learn that we have collected information from a minor, we will delete that information, except where retention is required by law.
XIV. Data Retention
We retain PHI for the length of time required by federal and state medical recordkeeping laws, generally 7-10 years from your last encounter (longer in some states or for minors). Non-clinical account data (such as marketing preferences) is retained only as long as necessary for the purposes for which it was collected. After applicable retention periods, PHI is securely destroyed in accordance with HIPAA standards.
XV. Changes to This Notice
We reserve the right to revise this Notice and make the revised Notice effective for PHI we already maintain and any future PHI we receive. Updated versions are posted on our website with a new effective date. For material changes, we will make reasonable efforts to notify you via email or another reasonable means.
XVI. Questions, Requests, or Complaints
If you have questions about this Notice, want to exercise any of your rights, or wish to file a complaint, contact:
Medmi Health · Privacy Office
HIPAA Privacy Officer: [Insert Privacy Officer Name]
Email: privacy@medmi.org
Mailing Address: [Insert Business Mailing Address]
Phone: [Insert Phone Number]
You may also file a complaint with the U.S. Department of Health and Human Services Office for Civil Rights at https://www.hhs.gov/hipaa/filing-a-complaint/index.html. We will not retaliate against you for filing a complaint.
This Notice is provided for informational purposes consistent with the requirements of the HIPAA Privacy Rule, 45 C.F.R. § 164.520. It does not create any contractual obligation beyond those imposed by law. The use of "Medmi" in this Notice refers to Medmi Health and its participating providers, professional entities, and business associates, as applicable.