MedPodLA Privacy Policy & Notice of Privacy Practices

Last Updated: May 23, 2025

Introduction

This document includes both our HIPAA Notice of Privacy Practices (for patients) and our Website Privacy Policy (for all site visitors).

MedPodLA (“we,” “us,” or “our”) is committed to protecting your privacy and maintaining the confidentiality of your health information. We take our obligations under applicable privacy laws seriously, including the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the California Consumer Privacy Act (CCPA), the California Privacy Rights Act (CPRA), the California Confidentiality of Medical Information Act (CMIA), and other applicable laws.

By accessing or using our website and services, you acknowledge that you have read, understood, and agree to be bound by this policy.

Information We Collect

Personal Identification Information

  • Name, email, phone number, address

  • Date of birth, Social Security number

  • Emergency contacts, payment, and insurance info

  • Government-issued ID

Protected Health Information (PHI)

  • Medical history, symptoms, diagnoses, treatment

  • Medications, labs, diagnostics, clinical notes

  • Insurance and billing records

  • Mental health, substance abuse, biometric data

Website Usage Information

  • IP address, browser type, OS, location

  • Pages visited, time spent, referral sources

  • Cookies, device IDs, and session behavior

How We Collect Information

Direct Collection

  • Patient intake forms

  • Appointment booking (via our HIPAA-compliant EMR)

  • Secure messaging and email

  • Telehealth sessions

  • Payments and communications

Third-Party Collection

  • Healthcare providers, insurance, labs, pharmacies

  • Legal reps, family members (with permission)

  • Public health and emergency personnel

How We Use Your Information

For Treatment

  • Direct care, coordination with providers

  • Emergency care, telehealth, follow-ups

For Payment

  • Insurance billing, verification, collections

For Healthcare Operations

  • Quality reviews, credentialing, audits, risk management

Additional Uses

  • Appointment reminders (email, text, call)

  • Treatment alternatives

  • Health-related products or services

  • Public health reporting

  • Legal compliance

  • Research (with approvals)

Disclosure of Your Information

With Providers & Business Associates

  • Clinical teams, specialists, labs, pharmacies, billing companies, IT vendors

  • All business associates must sign Business Associate Agreements (BAAs)

Legal Disclosures

  • Required by law, court orders, law enforcement, public health, emergencies, etc.

Family & Friends

  • Only with your permission, or in emergencies where you cannot object

Your Rights Under HIPAA

  • Right to Access: You may request your designated record set, including medical and billing records.

  • Right to Amendment: Request corrections if you believe data is incomplete or inaccurate.

  • Right to an Accounting: Receive a list of certain disclosures made in the past 6 years.

  • Right to Restrictions: Request limits on what we share (we may not be required to agree).

  • Right to Confidential Communications: Ask us to contact you in specific ways or locations.

  • Right to Receive This Notice: Request a paper copy at any time.

  • Right to File a Complaint: You may file complaints with our Privacy Officer or HHS. No retaliation will occur.

California Privacy Rights (CCPA/CPRA)

If you’re a California resident, you also have:

  • Right to Know: What we collect and how we use/share it

  • Right to Delete: Request deletion of personal info, with some exceptions

  • Right to Opt-Out: We do not sell personal info

  • Right to Correct: Fix inaccurate personal info

  • Right to Non-Discrimination: You won’t be penalized for exercising your rights

To exercise these rights, contact us at: [email protected]

Data Security

We use administrative, technical, and physical safeguards to protect your data:

  • Encryption (AES-256, TLS 1.3)

  • Access controls & audit logs

  • Firewall & intrusion detection

  • Risk assessments & breach response

  • Workstation/device security protocols

Breach Notification

If your PHI is compromised, we will:

  • Notify you within 60 days

  • Report to HHS if required

  • Notify the media (if breach affects 500+ people)

  • Mitigate any harm

Data Retention

  • Adult medical records: 7 years from last treatment

  • Minor records: Until age 25 or 7 years from last visit (whichever is longer)

  • Mental health records: 7 years post-treatment or until age 25

  • Billing: 7 years

  • Website data: Up to 3 years after last interaction

Cookies and Tracking Technologies

Essential Cookies

  • Website security, patient portal logins, cart functionality

Functional Cookies

  • Preferences, accessibility, session memory

Analytics Cookies

  • Site performance, user behavior tracking

Advertising and Tracking Technologies

We use Google Ads and similar platforms to measure ad performance. These tools may collect limited device/browser data.

You can manage tracking at:

We do not share PHI with advertising platforms.

Telehealth & Digital Communications

  • All video and secure messaging is encrypted

  • Sessions may be recorded with your consent

  • Mobile app data is protected with biometrics (if enabled)

  • Emails with PHI use encrypted platforms

Third-Party Services

We work with HIPAA-compliant vendors for:

  • Patient portal

  • Telehealth

  • Scheduling

  • Billing

  • Secure messaging

  • Analytics

All vendors must sign a Business Associate Agreement and maintain data protections.

 

Marketing Communications

With your authorization, we may contact you about:

  • Treatment options

  • Health-related products

  • Wellness and practice updates

We may also send appointment reminders via text, email, or phone.

We will never sell or disclose your PHI for marketing without your written authorization, unless HIPAA permits (e.g., face-to-face communications).

You can opt out anytime by:

  • Clicking “unsubscribe” in emails

  • Replying STOP to texts

  • Updating preferences in your portal

International Data Transfers

Data is primarily stored in the U.S. If transferred internationally, we apply appropriate legal safeguards.

Changes to This Privacy Policy

We may update this Privacy Policy to reflect changes in the law or our practices. We will:

  • Update the “Last Updated” date

  • Post a notice on our site

  • Notify patients of material changes via email or in-office communication

Contact Information

Privacy Officer
MedPodLA
2840 E Los Angeles Ave
Simi Valley, CA 93065
Phone: (424) 279-6337
Email: [email protected]

Complaint Procedures

If you believe your privacy rights have been violated, contact:

U.S. Department of Health and Human Services
Office for Civil Rights
www.hhs.gov/ocr/privacy
Phone: 1-877-696-6775

California Attorney General
Privacy Enforcement Unit
Phone: (213) 269-6000

Medical Board of California
Phone: (916) 263-2389

We will not retaliate against you for filing a good-faith complaint.

Acknowledgment

By using our services, you acknowledge that:

  • You’ve read and understand this Privacy Policy

  • You are aware of your privacy rights

  • You accept our use and disclosure practices

This Privacy Policy is intended to provide general information about our privacy practices and does not create any contractual or legal rights. Your use of our services is governed by our Terms of Service, this Privacy Policy, and applicable laws and regulations.
