CompassionMD™ Direct Virtual Care & Privacy Policy
Privacy and Security
- Introduction and Scope
This Privacy Policy describes how information is collected, used, disclosed, and protected when you use CompassionMD™ and all related services (collectively, the “Services”).
CompassionMD™ is a subscription-based telehealth membership offered by Compassion MD, Inc. (“Compassion MD”). The CompassionMD™ platform is operated by CareClix Services, LLC (“CareClix Services”), which provides the technology, billing, and administrative infrastructure. Clinical services are provided by licensed physicians of CareClix Network PA (“the Practice”), an independent physician-owned professional association. In this Privacy Policy, “we,” “us,” and “our” refer collectively to Compassion MD, Inc. and CareClix Services, LLC in their respective roles. References to clinical care or medical records refer to the Practice.
By accessing or using the Services, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy and our Member Agreement. If you do not agree, please do not use the Services.
This Privacy Policy applies to all users of the Services, including members, website visitors, and individuals who contact us through any channel. It does not apply to information collected by third parties through links on our Services or to information you submit directly to your physician outside of the CompassionMD™ platform.
- Categories of Information We Collect
2.1 Personal Data You Provide
When you register for an account, schedule a consultation, or otherwise interact with the Services, we may collect: identifiers (full name, date of birth, email address, phone number, mailing address, and account credentials); health and medical information (medical history, symptoms, diagnoses, medications, prescriptions, lab results, and clinical notes generated during consultations); financial information (payment card details, billing address, and transaction history — payment processing is handled by PCI-DSS-compliant third-party processors; we do not store full payment card numbers on our servers); demographic information (age, sex, gender, race, ethnicity, and preferred language, to the extent voluntarily provided or required for clinical care); and communications (messages, emails, chat transcripts, consultation recordings where applicable and with your consent, and feedback you submit).
2.2 Information Collected Automatically
When you access the Services, we automatically collect: device and browser information (IP address, device type, operating system, browser type and version, unique device identifiers, and mobile advertising identifiers); usage data (pages visited, features used, session duration, clickstream data, referring URLs, and actions taken within the platform); and location data (general geographic location inferred from your IP address — we do not collect precise GPS location unless you grant explicit permission through your device settings).
2.3 Cookies and Tracking Technologies
We use cookies, browser storage, pixel tags, web beacons, and similar technologies to operate and improve the Services. These include: strictly necessary cookies required for platform functionality, authentication, and security; analytics cookies (including Google Analytics) that help us understand usage patterns and improve performance; functional cookies that remember your preferences, such as language or display settings; and affiliate tracking cookies set by our affiliate referral platform (Post Affiliate Pro, operated by Quality Unit, LLC), including a persistent visitor identifier (PAPVisitorId, 365-day duration) and impression-type cookies (PAPCookie_Imp_*, 365-day duration), which link enrollment events to referring Affiliates for commission attribution purposes.
You may manage your cookie preferences through the cookie consent banner displayed upon your first visit or through your browser settings. Where required by Washington’s My Health My Data Act, Nevada’s consumer health data law, or similar state laws, non-essential and health-related cookies and tracking technologies will not fire until you provide affirmative opt-in consent. Disabling cookies may limit certain features of the Services. For more information on Google Analytics, visit www.google.com/policies/privacy/partners/.
2.4 Information from Third Parties
We may receive information about you from referring providers, pharmacies, laboratories, or other healthcare entities involved in your care, as permitted or required by applicable law.
- How We Use Your Information
We use the information we collect for the following purposes: treatment (to facilitate telehealth consultations, diagnose conditions, prescribe medications, order lab tests, generate referrals, and coordinate care with other providers involved in your treatment); payment (to process subscription charges, collect fees, generate billing statements, and pursue reimbursement); healthcare operations (to conduct quality assessment, care coordination, provider credentialing, training, compliance auditing, and business planning); platform operation and improvement (to maintain, protect, and enhance the Services, diagnose technical issues, develop new features, and personalize your experience); communications (to send appointment reminders, prescription notifications, treatment follow-ups, and service updates — we may also send marketing communications with your consent, from which you may opt out at any time); legal compliance (to comply with applicable federal, state, and local laws, regulations, and legal processes, including HIPAA, HITECH, and applicable state health information and consumer health data laws); and safety (to detect, prevent, and respond to fraud, unauthorized access, security incidents, and other harmful activity).
- How We Disclose Your Information
We do not sell your Personal Data or Protected Health Information. We may disclose your information in the following circumstances:
For treatment, payment, and healthcare operations: as described in Section 3 and as permitted under HIPAA (45 CFR §§ 164.502 and 164.506).
To business associates: we share PHI with service providers who perform functions on our behalf under written Business Associate Agreements that require the same level of protection required by this Privacy Policy and HIPAA. These include cloud hosting providers, payment processors, analytics services, affiliate tracking platform operators, and technology vendors.
With your authorization: for any use or disclosure not described in this Privacy Policy or not otherwise permitted by law, we will obtain your written authorization before disclosing your PHI. You may revoke any authorization in writing at any time.
As required by law: we may disclose information when required by federal, state, or local law, including for public health activities, health oversight, judicial and administrative proceedings, law enforcement, organ donation, research (with appropriate approvals), to prevent a serious threat to health or safety, for workers’ compensation, and for government functions such as military, national security, or correctional institution purposes.
Business transfers: in the event of a merger, acquisition, reorganization, or sale of assets, your information may be transferred as part of that transaction, subject to applicable law and continued protection under this Privacy Policy or an equivalent policy.
- HIPAA Notice of Privacy Practices
CompassionMD™ provides telehealth services through licensed, board-certified physicians of CareClix Network PA. In this capacity, Protected Health Information (“PHI”) created, received, maintained, or transmitted through the Services is protected by the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), as amended by the Health Information Technology for Economic and Clinical Health Act (“HITECH”), and their implementing regulations at 45 CFR Parts 160, 162, and 164 (collectively, the “HIPAA Rules”).
5.1 Your Rights Under HIPAA
You have the following rights with respect to your PHI: the right to inspect and obtain a copy of your PHI maintained in a Designated Record Set, including in electronic format upon request, subject to limited exceptions (45 CFR § 164.524); the right to request amendment if you believe your PHI is inaccurate or incomplete (45 CFR § 164.526); the right to an accounting of certain disclosures made in the six years preceding your request (45 CFR § 164.528); the right to request restrictions on certain uses and disclosures for treatment, payment, or healthcare operations (we must honor a restriction on disclosure to a health plan if you paid for the service in full out of pocket, as required by the HITECH Act); the right to request confidential communications through a particular method or at a specific location; the right to a paper copy of this Privacy Policy at any time; and the right to file a complaint with us or with the Secretary of the U.S. Department of Health and Human Services without penalty.
5.2 Breach Notification
In the event of a breach of unsecured PHI, we will notify affected individuals without unreasonable delay and no later than sixty (60) calendar days following discovery of the breach, as required by 45 CFR §§ 164.404 through 164.410. Notification will include a description of the breach, the types of information involved, steps individuals should take, what we are doing in response, and contact information. Breaches affecting 500 or more individuals will also be reported to the Secretary of HHS and to prominent media outlets as required by law. We will also provide notice as required by the FTC Health Breach Notification Rule where applicable.
5.3 Substance Use Disorder Records (42 CFR Part 2)
To the extent we create, receive, or maintain records relating to the treatment of substance use disorders, such records are subject to the confidentiality protections of 42 CFR Part 2, as aligned with HIPAA pursuant to the February 2024 Final Rule (effective April 16, 2024; full compliance required February 16, 2026). We will not use or disclose Part 2 records except as permitted by Part 2 and HIPAA, and will not use such records in civil, criminal, administrative, or legislative proceedings against the patient without proper consent or court order.
- Data Security
We implement administrative, technical, and physical safeguards designed to protect Personal Data and PHI in accordance with HIPAA, HITECH, and industry best practices. These safeguards include: encryption of all PHI at rest using AES-256 and in transit using TLS 1.2 or higher, consistent with NIST standards; role-based access controls and multi-factor authentication (MFA) for all systems that create, receive, maintain, or transmit PHI; audit logs for all access to systems containing PHI, regular vulnerability assessments and penetration testing, and monitoring for unauthorized access or anomalous activity; a written Incident Response Plan consistent with NIST SP 800-61, reviewed, updated, and tested at least annually; encryption key management procedures following NIST SP 800-57, with storage of unencrypted PHI on portable devices, removable media, or personally owned devices prohibited; Business Associate Agreements with all vendors and subcontractors with access to PHI, requiring equivalent safeguards; all PHI stored in secure data facilities physically located within the United States, with access from outside the United States prohibited absent documented technical controls and prior written authorization; and alignment with the HHS Cybersecurity Performance Goals (January 2024) and NIST CSF 2.0.
No method of electronic transmission or storage is completely secure. While we implement robust safeguards, we cannot guarantee absolute security. We encourage you to protect your account credentials and to notify us immediately if you suspect unauthorized access.
- Telehealth-Specific Disclosures
Video and audio consultations may be recorded for quality assurance, clinical documentation, or training purposes only with your knowledge and consent as required by applicable state law. Where recording occurs, recordings are encrypted and stored in compliance with the same standards applicable to all PHI. When a physician determines that a prescription is clinically appropriate, prescription data is transmitted electronically to your designated pharmacy through secure, HIPAA-compliant channels. Certain states require separate informed consent for telehealth encounters; we obtain telehealth-specific consent as required by the laws of the state where services are delivered, and your consent will be documented in your patient record.
We may use clinical decision support tools or other technology to assist physicians in care delivery. These tools augment physician judgment and do not replace it. No automated system makes final diagnostic or treatment decisions without physician review and approval.
- California Privacy Rights (CCPA/CPRA)
If you are a California resident, the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, “CCPA”), provides you with additional rights regarding your personal information. To the extent your information is not subject to a HIPAA exemption, you have the following rights: the right to know the categories and specific pieces of personal information collected, the sources, the business purpose, and the third parties with whom it is shared; the right to delete personal information subject to legal exceptions; the right to correct inaccurate personal information; the right to opt out of sale or sharing (we do not sell personal information; if we “share” personal information as defined by the CCPA, you may opt out using the “Do Not Sell or Share My Personal Information” link on our website or by contacting us at privacy@careclix.com); the right to limit use of sensitive personal information to uses necessary to perform the Services; and the right to non-discrimination for exercising any CCPA right.
To exercise any of these rights, submit a verifiable consumer request to privacy@careclix.com. We will respond within forty-five (45) days and may extend by an additional forty-five (45) days where reasonably necessary. You may designate an authorized agent to make a request on your behalf.
8.1 Categories Collected in the Preceding Twelve Months
In accordance with CCPA disclosure requirements, the following categories of personal information have been collected in the twelve months preceding the effective date of this Privacy Policy: identifiers; personal information as defined by Cal. Civ. Code § 1798.80(e); characteristics of protected classifications; commercial information; internet or electronic network activity; geolocation data; audio, electronic, or visual information (from telehealth consultations); professional or employment-related information (from providers); inferences drawn from the foregoing; and sensitive personal information (including health data, account credentials, and precise geolocation where applicable).
8.2 Data Retention
Medical records and PHI are retained in accordance with applicable state and federal medical records retention requirements, which vary by jurisdiction and typically range from six to ten years following the last date of service (or longer for minors). Non-medical personal information collected for marketing, analytics, or operational purposes is retained for no longer than twenty-four (24) months following your last interaction with the Services, unless a longer retention period is required by law or necessary for legal defense. Account data is retained for the duration of your account and for a reasonable period thereafter to fulfill legal obligations. You may request deletion of personal information not subject to a legal retention requirement at any time.
8.3 Automated Decision-Making Technology
To the extent we use automated decision-making technology (“ADMT”) as defined by CCPA regulations effective January 1, 2027, to make significant decisions about you, we will provide a pre-use notice explaining the purpose of the ADMT, your right to opt out, and your right to access meaningful information about the logic involved. As of the effective date of this Privacy Policy, no automated system makes final treatment, diagnostic, or coverage decisions without physician review.
- Consumer Health Data
In addition to PHI governed by HIPAA, our website and enrollment process may collect consumer health data as defined by Washington’s My Health My Data Act (RCW 19.373), Nevada’s consumer health data law (NRS 603A.495–540), Connecticut’s Data Privacy Act health data amendments, and any successor or equivalent state law. Consumer health data includes personal information that identifies, or is reasonably linkable to, a consumer’s past, present, or future physical or mental health status, and may include data collected through cookies, browser storage, and affiliate tracking technologies even where that data would not qualify as PHI under HIPAA.
Where required by these laws, we obtain your affirmative opt-in consent before collecting or sharing consumer health data that is not strictly necessary to provide the Services you requested. Consent is not inferred from a general cookie banner or the acceptance of our Member Agreement. You have the right to confirm whether we are collecting consumer health data about you, to access that data, to request its deletion (including by directing any vendor or Affiliate that received it to delete their copy), and to withdraw any consent you have given. We do not sell consumer health data. We do not use geofencing technology around any healthcare facility to identify, track, or target advertising to consumers.
Our Consumer Health Data Privacy Notice, linked separately on compassionmd.com, provides additional detail on what consumer health data is collected, why, and who receives it.
- Additional State Law Compliance
We operate in all fifty states and comply with applicable state health information and consumer privacy laws to the extent they impose requirements more stringent than HIPAA. These include, without limitation: the California Confidentiality of Medical Information Act (Cal. Civ. Code § 56 et seq.); the Texas Medical Records Privacy Act (Tex. Health & Safety Code Ch. 181) and the Texas Data Privacy and Security Act (Tex. Bus. & Com. Code § 541 et seq.); Washington’s My Health My Data Act (RCW 19.373); and any other enacted state health or consumer privacy law applicable in a jurisdiction where we operate or where members receive services.
If you have questions about your rights under a specific state law, please contact us at privacy@careclix.com.
- Children’s Privacy
CompassionMD™ provides pediatric telehealth services. Children under the age of thirteen (13) are not permitted to create accounts or use the Services independently. Pediatric services are accessed through a parent or legal guardian’s account, and parental or guardian consent is obtained prior to any consultation involving a minor, consistent with applicable state law regarding minor consent to healthcare. For minors aged thirteen (13) to seventeen (17), we comply with applicable state minor consent laws, which may permit minors to consent to certain categories of healthcare (such as mental health or reproductive health services) without parental involvement. We comply with the Children’s Online Privacy Protection Act (“COPPA”) to the extent applicable. If we learn that we have inadvertently collected personal information from a child under thirteen without proper consent, we will take steps to delete that information promptly.
- Your Choices
Marketing communications: You may opt out of promotional emails at any time by following the unsubscribe instructions in the email or by contacting us. Opting out does not apply to transactional or service-related communications (e.g., appointment reminders, prescription notifications). Cookies: You may manage cookie preferences through the cookie consent banner or your browser settings; disabling certain cookies may impair the functionality of the Services. Do Not Track: We honor Global Privacy Control (GPC) signals as opt-out requests under the CCPA. Account deletion: You may request deletion of your account and associated personal information by contacting privacy@careclix.com, subject to legal retention requirements.
- Third-Party Links and Services
The Services may contain links to third-party websites, applications, or services not operated by us. This Privacy Policy does not apply to those third-party services. We encourage you to review the privacy policies of any third-party service before providing your information. We are not responsible for the privacy practices of third parties.
- Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or operational needs. Material changes will be communicated by posting the updated Privacy Policy on our website with a revised effective date and, where required by law, by notifying you directly (e.g., via email or through the member portal). Your continued use of the Services following any update constitutes acceptance of the revised Privacy Policy. We encourage you to review this Privacy Policy periodically.
- Contact Information
If you have questions about this Privacy Policy, wish to exercise any of your privacy rights, or need to report a privacy concern, please contact us:
General Privacy Inquiries: privacy@careclix.com
HIPAA Privacy and Complaints: compliance@careclix.com
CCPA / State Privacy Requests: privacy@careclix.com
You also have the right to file a complaint with the U.S. Department of Health and Human Services, Office for Civil Rights, at https://www.hhs.gov/hipaa/filing-a-complaint/ or by calling 1-800-368-1019.
Effective Date: June 2026
Compassion MD, Inc. | 950 N. Washington St., Alexandria, VA 22314
© 2026 CompassionMD™. All Rights Reserved.