Median is committed to protecting your privacy and personal health information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information in compliance with HIPAA and GDPR regulations.
1. Information We Collect
We collect information necessary to provide healthcare services and platform functionality:
• Protected Health Information (PHI) including medical records, diagnoses, treatments, and prescriptions
• Personal identifiers (name, date of birth, address, phone, email)
• Insurance information and payment details
• Technical data (IP address, browser type, device information)
• Usage data (features accessed, time spent, interaction patterns)
2. How We Use Your Information
• Treatment: To provide, coordinate, and manage healthcare services
• Payment: To process billing and insurance claims
• Healthcare Operations: Quality improvement, training, and compliance activities
• Platform Functionality: To provide, maintain, and improve our services
• Communication: To send important notifications and updates
3. Data Sharing and Disclosure
We only share your information when necessary and permitted by law:
• With your healthcare providers for treatment purposes
• With your insurance company for payment processing
• With Business Associates under signed BAAs (HIPAA-compliant vendors)
• As required by law (court orders, regulatory requirements)
• In emergencies to protect health and safety
4. Your Privacy Rights
Under HIPAA (US)
• Right to access your medical records
• Right to request corrections
• Right to accounting of disclosures
• Right to request restrictions
• Right to confidential communications
Under GDPR (EU/Global)
• Right to access your data
• Right to rectification
• Right to erasure (right to be forgotten)
• Right to data portability
• Right to object to processing
5. Data Security
We implement industry-leading security measures including AES-256 encryption, multi-factor authentication, regular security audits, and SOC 2 Type II compliance. For detailed information, see our Security & Compliance page.
6. Data Retention
We retain your information as required by law: minimum 7 years for US HIPAA compliance. You may request deletion after these periods, subject to legal obligations and regulatory requirements.
7. Data Storage and Security
All patient data is stored in HIPAA-compliant data centers within the United States (AWS US-East and US-West regions). We employ end-to-end encryption, regular security audits, and comprehensive backup procedures to ensure data integrity and availability.
8. Contact Us
For privacy-related questions or to exercise your rights: