Notice of Privacy Practices

1. Our Commitment to Your Privacy

We are required by law to maintain the privacy of your Protected Health Information (PHI), provide you with this Notice of our legal duties and privacy practices, notify you following a breach of unsecured PHI, and abide by the terms of the Notice currently in effect.

2. How We May Use and Disclose Your PHI

2.1 For Treatment

We may use your health information to provide, coordinate, or manage your healthcare and related services. This includes AI-assisted consultation processing, generating clinical summaries, and facilitating communication between you and your healthcare providers.

2.2 For Payment

We may use and disclose your health information to obtain payment for services provided, including billing and collections activities.

2.3 For Healthcare Operations

We may use your health information for our business operations, including quality assessment, training, compliance activities, and improving our services.

2.4 With Your Written Authorization

Other uses and disclosures not described in this Notice will be made only with your written authorization. You may revoke such authorization at any time in writing.

2.5 Without Your Authorization

We may use or disclose your PHI without your authorization in the following circumstances:

• When required by law
• For public health activities
• To report abuse, neglect, or domestic violence
• For health oversight activities
• For judicial and administrative proceedings
• For law enforcement purposes
• To avert a serious threat to health or safety
• For specialized government functions
• For workers' compensation

3. Your Rights Regarding Your PHI

3.1 Right to Access

You have the right to inspect and obtain a copy of your PHI maintained in a designated record set. Requests must be submitted in writing. We may charge a reasonable fee for copies.

3.2 Right to Amend

You have the right to request that we amend your PHI if you believe it is incorrect or incomplete. We may deny your request under certain circumstances, and we will explain any denial.

3.3 Right to an Accounting of Disclosures

You have the right to request a list of certain disclosures of your PHI that we have made. This accounting does not include disclosures for treatment, payment, healthcare operations, or disclosures made with your authorization.

3.4 Right to Request Restrictions

You have the right to request restrictions on how we use or disclose your PHI. We are not required to agree to your request, except in certain circumstances involving self-pay patients.

3.5 Right to Request Confidential Communications

You have the right to request that we communicate with you about your health information in a specific way or at a specific location.

3.6 Right to a Paper Copy of This Notice

You have the right to obtain a paper copy of this Notice upon request, even if you have agreed to receive it electronically.

3.7 Right to Be Notified of a Breach

You have the right to be notified if there is a breach of your unsecured PHI.

4. Information We Collect

Account Information

• Name and email address (via Google OAuth)
• Profile picture (from your Google account)
• Authentication tokens and session data

Clinical Data

• Consultation notes and patient information
• Uploaded audio recordings and documents
• AI-generated summaries and email drafts
• Chat interactions with our AI assistant

Technical Data

• IP address (anonymized in logs)
• Browser type and device information
• Usage patterns and feature interactions

5. Data Security

We implement comprehensive security measures to protect your PHI:

• Encryption in Transit: TLS 1.2+ for all data transmission
• Encryption at Rest: Database encryption for stored PHI
• Access Controls: User-level data isolation and role-based access
• Session Management: 15-minute inactivity timeout
• Audit Logging: Comprehensive tracking of PHI access
• Multi-Factor Authentication: Available for enhanced security
• Rate Limiting: Protection against unauthorized access attempts
• Security Headers: Industry-standard web security protections

6. Business Associates

We share your PHI with trusted service providers (Business Associates) who help us provide our services. These include:

• OpenAI: AI processing for consultation analysis
• Resend: Email delivery services
• Vercel: Cloud hosting services
• Neon: Database services

We require all Business Associates to sign Business Associate Agreements (BAAs) and comply with HIPAA requirements for protecting your PHI.

7. Data Retention

We retain your PHI for as long as required to provide services and comply with legal requirements. Medical records are retained for a minimum of 6 years from the date of creation or last service, as required by HIPAA. You may request deletion of your data, subject to legal retention requirements.

8. Changes to This Notice

We reserve the right to change this Notice at any time. Changes will apply to PHI we already have about you as well as any new information we receive. The revised Notice will be available on our website and at our office.

9. Complaints

If you believe your privacy rights have been violated, you have the right to file a complaint:

• With Us: Contact our Privacy Officer at privacy@mediconsultai.com
• With HHS: File a complaint with the U.S. Department of Health and Human Services, Office for Civil Rights, at www.hhs.gov/hipaa/filing-a-complaint

You will not be retaliated against for filing a complaint.

10. Contact Information

Acknowledgment of Receipt