Privacy Policy

1.1 What Is Protected Health Information (PHI)?

Protected Health Information (PHI) is information that identifies you or could reasonably be used to identify you, and relates to your past, present, or future physical or mental health condition, the provision of healthcare to you, or payment for your healthcare. PHI includes information in any form: written, oral, or electronic.

1.2 How We May Use and Disclose Your PHI Without Your Authorization

Federal and Maryland law permit us to use and disclose your PHI in the following circumstances without obtaining your prior written authorization:

1.3 Uses and Disclosures That Require Your Written Authorization

For any use or disclosure of your PHI not described above, we must obtain your written authorization. Specifically, we must obtain your written authorization before using or disclosing your PHI for:

• Marketing purposes, including communications that may encourage you to purchase products or services
• Sale of your PHI to any third party
• Psychotherapy notes (if applicable) — subject to additional protections
• Any other use or disclosure not permitted by law without authorization

You have the right to revoke your written authorization at any time by submitting a written revocation to us. Revocation does not affect uses or disclosures made prior to the revocation.

1.4 Special Protections for Behavioral Health Information

Because DeluxMed Primary & Behavioral Health Services provides integrated primary care and behavioral health services, certain categories of health information receive heightened legal protection beyond standard HIPAA requirements:

1.5 Your Right to Restrict Disclosure to Health Plans When You Pay Out of Pocket

If you pay in full out of pocket for a specific service and request that we not share information about that service with your health plan for payment or healthcare operations purposes, we are required to honor that restriction — provided the disclosure is not otherwise required by law. Please notify us at the time of service if you wish to exercise this right.

1.6 Your Rights Regarding Your PHI

You have the following rights with respect to your Protected Health Information. To exercise any of these rights, please submit a written request using the contact information in Section 4.6.

1.7 Telehealth Services and Privacy

DeluxMed provides telehealth services through Tebra — a HIPAA-compliant telehealth and scheduling platform. Tebra serves as a Business Associate of DeluxMed under a signed Business Associate Agreement (BAA) in accordance with 45 CFR §164.504(e). All video sessions conducted through Tebra are end-to-end encrypted. Session recordings are not made without your explicit consent.

While we take all reasonable precautions to protect the privacy of your telehealth sessions, you should be aware that:

• Electronic communications carry inherent security risks despite encryption measures
• You are responsible for conducting telehealth sessions in a private location where others cannot overhear
• In rare circumstances, technical failures may interrupt or limit a session
• Telehealth may not be appropriate for all clinical situations — our clinical team will advise when in-person evaluation is necessary

1.8 Minimum Necessary Standard

When using or disclosing PHI, or requesting PHI from another covered entity, we will make reasonable efforts to limit the information to the minimum necessary to accomplish the intended purpose. This standard does not apply to disclosures for treatment purposes or disclosures you have authorized.

1.9 Our Legal Duties

DeluxMed is required by law to:

• Maintain the privacy and security of your Protected Health Information
• Provide you with this Notice of Privacy Practices
• Follow the terms of this Notice while it is in effect
• Notify you if we cannot accommodate a requested restriction or alternative communication
• Notify you in the event of a breach of unsecured PHI affecting your information

We reserve the right to change the terms of this Notice and to make new provisions effective for all PHI we maintain. Revised Notices will be posted on our website and made available upon request.

2.1 Information We Collect Through the Website

Information You Provide Directly

• Contact information (name, phone number, email address) submitted through any form on the Website
• Appointment requests and scheduling information
• Communications you send to us via email or through any contact mechanism on the Website

Information Collected Automatically

When you visit our Website, we automatically collect certain technical information through cookies and similar tracking technologies, including:

• IP address and approximate geographic location (city/region level)
• Browser type and version
• Device type and operating system
• Pages visited, time spent on pages, and navigation patterns
• Referring URL (the page that linked you to our Website)
• Date and time of your visit

2.2 Cookies and Analytics

Our Website uses Google Analytics 4 (GA4) to understand how visitors interact with our content. GA4 collects anonymized, aggregated data about website usage patterns to help us improve the Website experience. This data is processed by Google under their Privacy Policy and Terms of Service.

We do not use advertising cookies, retargeting cookies, or cookies that track your browsing activity on other websites. You may manage your cookie preferences through the cookie consent panel available at the bottom of every page on our Website.

2.3 How We Use Website Information

We use information collected through our Website exclusively for the following purposes:

• Responding to inquiries and appointment requests
• Improving Website content and user experience
• Analyzing Website traffic patterns through anonymized analytics data
• Complying with legal obligations
• Protecting the security and integrity of our Website
• SMS Consent, and phone numbers collected for SMS communication purposes will not be shared with any third party or affiliates for marketing purposes.

We do not use Website information to make automated decisions about your healthcare, and Website information is maintained separately from your clinical health record.

2.4 Third-Party Service Providers

We work with the following third-party service providers in connection with our Website and digital services. Each is bound by appropriate data protection agreements:

3.1 SMS Zero-Sharing Statement

This commitment applies regardless of any other data sharing arrangements described in this Privacy Policy. SMS opt-in data and consent records are maintained separately and are not subject to any third-party sharing arrangement.

3.2 What Information We Collect Through SMS

• Your mobile phone number when you provide it through our website, forms, or direct communication
• Records of your opt-in consent to receive text messages, including the date, time, and method of consent
• Message content when you initiate a text message to us
• Opt-out requests (when you text STOP)

3.3 How We Use SMS Information

We use your mobile phone number and SMS opt-in status exclusively for the following purposes:

• Sending appointment reminders and scheduling notifications
• Communicating patient care updates and follow-up information
• Sending health-related notifications relevant to your care
• Responding to your direct inquiries sent via text message

We will not use your mobile phone number to send marketing, promotional, or advertising messages without your separate, explicit consent for that specific purpose.

3.4 SMS Program Details

3.5 SMS Consent and HIPAA

When SMS communications relate to your healthcare (such as appointment reminders), they may involve PHI and are therefore subject to HIPAA protections in addition to the provisions of this section. We will only communicate PHI via SMS in accordance with HIPAA requirements, including obtaining any necessary authorization and implementing appropriate safeguards.

4.1 Data Security

We maintain administrative, technical, and physical safeguards designed to protect your information against unauthorized access, use, modification, or disclosure. These safeguards include:

• Encrypted data transmission using industry-standard TLS/SSL protocols
• Access controls limiting information access to authorized personnel
• Regular security training for all staff
• HIPAA Security Rule compliance for all electronic PHI
• Business Associate Agreements with all third-party service providers that handle PHI

4.2 Data Retention

We retain your PHI for a minimum of six years from the date of creation or the date it was last in effect, whichever is later, in compliance with Maryland law. For minors, records are retained until the patient reaches the age of majority plus six years. Website analytics data is retained in accordance with Google Analytics default retention settings. SMS opt-in records are retained for the duration required to demonstrate consent compliance.

4.3 Children's Privacy

Our Website is not directed to children under the age of 13. We do not knowingly collect personal information from children under 13 through our Website. If you believe a child under 13 has provided us with personal information, please contact us immediately. For minors seeking healthcare services, appropriate parental or guardian consent processes apply in accordance with Maryland law.

4.4 Changes to This Privacy Policy

We reserve the right to modify this Privacy Policy at any time. Material changes will be posted on our Website with an updated effective date. If we make material changes to how we handle your PHI, we will provide notice as required by HIPAA, including updating our Notice of Privacy Practices. Your continued use of our Website or receipt of our services after changes are posted constitutes your acknowledgment of the revised policy.

4.5 How to File a Complaint

If you believe your privacy rights have been violated, you may file a complaint with either of the following:

4.6 Contact Information

For questions about this Privacy Policy, to exercise your rights, or for any privacy-related concerns: