This Privacy Policy describes how Wellness MD PC ("the Practice," "we," "us," or "our") collects, uses, stores, shares, and protects your personal information and protected health information ("PHI") in connection with our telehealth, peptide, and GLP-1 medical services. This document serves as our Notice of Privacy Practices as required under HIPAA, the HITECH Act, and applicable Colorado privacy laws.
The Practice is the HIPAA Covered Entity responsible for all clinical data and PHI. Summit Performance & Wellness MGMT LLC ("Summit"), our Management Services Organization, is a Business Associate of the Practice and handles certain administrative functions under a Business Associate Agreement.
1. Who We Are & Scope of This Policy
Wellness MD PC is a licensed medical professional corporation in Colorado providing telehealth-based medical evaluations, prescribing, and supervised peptide and GLP-1 treatment programs. This Privacy Policy applies to:
- All patients and prospective patients who inquire about, enroll in, or receive care from the Practice.
- All PHI and personal information collected through our telehealth platform, website, phone, email, or any other means.
- All employees, contracted providers, and Business Associates who handle patient information on behalf of the Practice.
2. Information We Collect
2.1 Protected Health Information (PHI)
- Full legal name, date of birth, and government-issued identification
- Contact information including address, phone number, and email address
- Medical history, current diagnoses, and past treatments
- Current medications, supplements, and known allergies
- Height, weight, BMI, and other biometric data
- Lab results, hormone panels, and diagnostic information
- Prescription history and medication records
- Provider consultation notes, treatment plans, and clinical assessments
- Photographs or images submitted for clinical evaluation purposes
2.2 Administrative & Financial Information
Certain administrative and financial information is collected and managed by Summit under a Business Associate Agreement, including billing address and payment details, subscription and transaction history, patient portal credentials, device and IP information, and communication records.
2.3 Automatically Collected Information
When you access our website or patient portal, we may automatically collect technical information such as browser type, operating system, pages visited, and time on site for security and analytics purposes. This information is not considered PHI.
3. How We Use Your Information
3.1 Treatment
- Conducting telehealth consultations and clinical assessments
- Developing and managing your personalized treatment plan
- Prescribing and coordinating dispensing through affiliated pharmacy partners
- Coordinating care among treating providers and clinical staff
- Monitoring your progress and adjusting treatment as clinically appropriate
3.2 Payment & Billing
We share necessary PHI with Summit under our Business Associate Agreement to enable billing, payment processing, and subscription management. PHI shared for billing is limited to the minimum necessary.
3.3 Healthcare Operations
We may use your information for internal operations supporting care delivery, including quality assurance, provider training, compliance audits, and service improvement.
3.4 Communications
With your consent, we or Summit (on our behalf) may send appointment reminders, follow-up care instructions, renewal notices, and educational content. You may opt out of non-clinical communications at any time.
4. How We Share Your Information
4.1 Permitted Disclosures Under HIPAA
- Treatment: Sharing PHI with other providers, pharmacies, or labs involved in your care.
- Payment: Disclosures necessary to obtain payment, including to Summit.
- Healthcare Operations: Internal uses as described in Section 3.3.
- Required by Law: Federal, state, or local legal requirements.
- Public Health Activities: Reporting to public health authorities as required.
- Health Oversight: Disclosures to agencies conducting audits.
- Serious Threats: Disclosures to prevent imminent threats to health or safety.
4.2 Management Services Organization (Business Associate)
Summit serves as a Business Associate under a fully executed BAA. Summit may access the minimum necessary PHI required to perform administrative functions and is contractually and legally obligated to protect your PHI in accordance with HIPAA.
4.3 Pharmacy Partners
We share the minimum necessary PHI with affiliated compounding pharmacy partners to fulfill prescriptions. All partners are required to enter into BAAs.
4.4 Disclosures Requiring Your Authorization
- Marketing communications involving the sale of PHI
- Sale of your PHI to any third party
- Psychotherapy notes, if applicable
- Most uses and disclosures not described in this policy
4.5 We Do Not Sell Your Information
The Practice does not sell, rent, or trade your PHI or personal information to any third party for commercial purposes. Summit is likewise prohibited from selling your PHI under our Business Associate Agreement.
5. Your HIPAA Rights
5.1 Right to Access Your PHI
You may inspect and obtain a copy of your PHI. We will provide access within thirty (30) days. A reasonable cost-based fee may apply.
5.2 Right to Amend Your PHI
You may request amendment of PHI you believe is inaccurate or incomplete.
5.3 Right to an Accounting of Disclosures
You may request a list of disclosures made for purposes other than treatment, payment, or healthcare operations during the previous six (6) years. We will respond within sixty (60) days.
5.4 Right to Request Restrictions
You may request restrictions on certain uses and disclosures. We are not required to agree except where the restriction involves disclosures to a health plan for services you paid for entirely out of pocket.
5.5 Right to Confidential Communications
You may request that we contact you through alternative means or at alternative locations.
5.6 Right to a Paper Copy of This Notice
You have the right to receive a paper copy of this Privacy Policy at any time.
5.7 Right to File a Complaint
If you believe your privacy rights have been violated, you may file a complaint with the Practice or with the U.S. Department of Health and Human Services, Office for Civil Rights at hhs.gov/ocr/privacy/hipaa/complaints. You will not be retaliated against for filing a complaint.
6. Colorado State Privacy Laws
We comply with applicable Colorado privacy and health information laws, including the Colorado Privacy Act (CPA) and Colorado health records statutes. Where Colorado law provides greater protections than HIPAA, we follow the more protective standard.
6.1 Colorado Privacy Act (CPA) Rights
- Know whether we are processing your personal data
- Access your personal data
- Correct inaccurate personal data
- Delete personal data you have provided
- Opt out of processing for targeted advertising or sale of personal data
- Obtain a portable copy of your personal data
We will respond within forty-five (45) days, with a possible extension of an additional forty-five (45) days when reasonably necessary.
6.2 Sensitive Health Records
Mental health records and substance use disorder treatment records may receive additional protections under Colorado law. We apply the most protective applicable standard.
7. Data Security
7.1 Safeguards
- Encryption of PHI in transit and at rest using industry-standard protocols
- Access controls limiting PHI to authorized personnel on a need-to-know basis
- Unique user identification and authentication for all systems containing PHI
- Automatic logoff for inactive sessions
- Audit logs tracking PHI access and modification
- Employee and Business Associate training on HIPAA Privacy and Security
- Business Associate Agreements with all vendors handling PHI, including Summit
- Regular risk assessments and security evaluations
7.2 Breach Notification
In the event of a breach of unsecured PHI, we will notify affected individuals within sixty (60) calendar days of discovery, as required by the HIPAA Breach Notification Rule.
7.3 Limitation of Security Guarantees
While we take commercially reasonable steps to protect your information, no electronic transmission or storage system is completely secure. You are responsible for maintaining the confidentiality of your patient portal credentials.
8. Data Retention
- Medical records and PHI: Minimum seven (7) years from date of service, or longer as required by Colorado law or federal regulation.
- Prescription and pharmacy records: Per Colorado pharmacy board regulations and federal requirements.
- Financial and billing records: Minimum seven (7) years for tax and accounting purposes.
- Communications: Minimum three (3) years or as required by law.
9. Telehealth-Specific Privacy Considerations
9.1 Platform Security
Telehealth consultations are conducted through HIPAA-compliant platforms operating under Business Associate Agreements.
9.2 Your Responsibility
You are responsible for participating in telehealth consultations from a private location where unauthorized individuals cannot hear or view your session.
9.3 Electronic Prescribing
Prescriptions are transmitted electronically to pharmacy partners using encrypted, HIPAA-compliant channels.
9.4 MSO Access to Telehealth Data
Summit may access scheduling and administrative data solely for coordinating appointments and administrative functions. Summit does not access clinical consultation content, provider notes, or prescription details beyond what is minimally necessary for billing and logistics coordination.
10. Minors
Our services are intended for adults aged 18 and older. We do not knowingly collect PHI from individuals under 18. If we become aware that a minor has provided information, we will promptly delete it and terminate the associated account.
11. Changes to This Privacy Policy
We reserve the right to modify this Privacy Policy at any time. Material changes will be communicated via email no fewer than thirty (30) days before taking effect. We are required by law to maintain the privacy of your PHI, to provide you with this notice of our duties and privacy practices, and to notify you following a breach of unsecured PHI.
12. Contact — Privacy Officer
Wellness MD PC — Privacy Officer · 6140 S Gun Club Rd. Ste. K6-246, Aurora, CO 80016 · 720-610-2027. For administrative and billing inquiries, contact Summit Performance & Wellness MGMT LLC separately. You also have the right to submit a complaint directly to the U.S. Department of Health and Human Services, Office for Civil Rights, without fear of retaliation.