Privacy Policy

Last Updated: April 2026

DRAFT — This policy is a template and should be reviewed by legal counsel before publication.

1. Introduction

MyMed Access ("we," "our," or "us") is a HIPAA-compliant electronic health records platform operated for Belle Medical Group. This Privacy Policy describes how we collect, use, disclose, and safeguard your information when you use our mobile application and related services (collectively, the "Service").

We are committed to protecting your privacy and complying with the Health Insurance Portability and Accountability Act (HIPAA), the HITECH Act, and all applicable state and federal privacy laws.

2. Information We Collect

We may collect the following categories of information:

  • Personal Information: Name, email address, phone number, date of birth, and other identifying details you provide during registration.
  • Protected Health Information (PHI): Medical records, lab results, prescriptions, diagnoses, allergies, medications, imaging reports, and other health data uploaded or entered into the Service.
  • Device Information: Device type, operating system, unique device identifiers, and push notification tokens.
  • Usage Data: App interactions, feature usage patterns, timestamps, and session information to improve the Service.

3. How We Use Your Information

We use the information we collect for the following purposes:

  • Treatment: Facilitating secure sharing of your health records with authorized healthcare providers.
  • Healthcare Operations: Supporting administrative functions of Belle Medical Group, including scheduling, billing coordination, and quality improvement.
  • Communication: Sending you notifications about your documents, provider messages, and important account updates.
  • Security: Maintaining audit trails, detecting unauthorized access, and protecting the integrity of your data.

4. How We Protect Your Information

We implement robust technical and organizational safeguards to protect your data:

  • Encryption: AES-256 encryption at rest and TLS 1.3 encryption in transit for all personal and health data.
  • Access Controls: Role-based access controls (RBAC) ensure only authorized personnel can access your information, and only the minimum necessary data for their role.
  • Audit Trails: Immutable, tamper-evident logs record every access to and action taken on your health records in compliance with HIPAA requirements.
  • QR Code Security: Record-sharing QR codes are encrypted with AES-256-GCM, expire after 60 seconds, and are single-use to prevent unauthorized reuse.
  • Infrastructure: All data is hosted in SOC 2 Type II certified, HIPAA-eligible AWS data centers with redundant backups.

5. Sharing Your Information

We do not sell your personal information. We may share your information only in the following circumstances:

  • With Your Consent: When you explicitly authorize sharing, such as generating a QR code to share records with a provider.
  • Authorized Providers: Healthcare providers you designate through the app's secure sharing features.
  • Legal Requirements: When required by law, court order, or governmental regulation, or to protect the rights, safety, or property of our users and the public.
  • Business Associates: Third-party service providers (e.g., cloud hosting, OCR processing) who are bound by HIPAA Business Associate Agreements (BAAs).

6. Your Rights Under HIPAA

As a patient, you have the following rights regarding your protected health information:

  • Right to Access: You may request a copy of your health records at any time through the app or by contacting support.
  • Right to Amendment: You may request corrections to your health records if you believe they contain errors.
  • Right to Restriction: You may request restrictions on how your information is used or disclosed for treatment, payment, or operations.
  • Right to Accounting of Disclosures: You may request a list of disclosures we have made of your health information in the past six years.
  • Right to Confidential Communications: You may request that we communicate with you through specific channels or at specific locations.
  • Right to File a Complaint: You may file a complaint with us or with the U.S. Department of Health and Human Services if you believe your privacy rights have been violated.

7. Data Retention

We retain your health records for a minimum of six (6) years from the date of creation or last effective date, in compliance with HIPAA requirements (45 CFR 164.530(j)). After the retention period, records may be securely destroyed.

You may request deletion of your account and associated data at any time by contacting support. We will comply with your request subject to our legal retention obligations.

8. Children's Privacy

MyMed Access is not intended for use by individuals under the age of 13. We do not knowingly collect personal information from children under 13. If we become aware that we have collected information from a child under 13, we will take steps to delete that information promptly. Parents or guardians who believe their child has provided us with personal information should contact us immediately.

9. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable laws. When we make material changes, we will:

  • Notify you via push notification or email at least 30 days before the changes take effect.
  • Update the "Last Updated" date at the top of this policy.
  • Request renewed consent where required by law.

10. Contact Us

If you have questions about this Privacy Policy, wish to exercise your HIPAA rights, or have concerns about how your information is handled, please contact us:

MyMed Access Privacy Office

Email: support@mymedaccess.com

Phone: (561) 555-0100

Belle Medical Group, Boca Raton, FL