1. Overview

DoctorConnect ("we," "us," or "our") provides patient communication and engagement services on behalf of healthcare providers ("your Provider"). This Patient Portal allows you to view appointments, complete forms, communicate with your Provider, and manage aspects of your healthcare experience.

By using this Patient Portal, you acknowledge that you have read and understood this Privacy Policy. Your use of this portal is also governed by our Terms of Service.

2. Information We Collect

Information Your Provider Shares With Us

• Personal Identifiers — Name, date of birth, phone number, email address, mailing address
• Appointment Information — Scheduled dates, times, provider names, locations, visit types
• Health-Related Data — Medications, lab results, medical history, and other clinical data your Provider chooses to make available through the portal
• Insurance Information — If provided by your Provider for scheduling or billing purposes

Information You Provide Directly

• Authentication Data — Name and date of birth used to verify your identity, verification codes
• Messages — Content of messages you send to your Provider through the portal
• Form Responses — Intake forms, surveys, medical history questionnaires, and consent forms you complete
• Appointment Requests — Preferred times, visit reasons, and contact preferences

Information Collected Automatically

• Device & Browser Information — Browser type, operating system, screen resolution
• Usage Data — Pages visited, features used, login times, session duration
• IP Address — Used for security purposes (rate limiting, fraud detection)
• Cookies — Session cookies required for portal functionality (see Section 6)

3. How We Use Your Information

We use your information for the following purposes:

• Portal Services — Displaying your appointments, lab results, medications, and other health data provided by your Provider
• Authentication & Security — Verifying your identity via two-factor authentication, detecting unauthorized access, preventing fraud
• Communication — Delivering appointment reminders, verification codes, and facilitating messages between you and your Provider
• Form Processing — Collecting and transmitting your completed forms and surveys to your Provider
• Service Improvement — Analyzing usage patterns to improve portal functionality (using aggregated, de-identified data only)
• Legal Compliance — Meeting regulatory requirements including HIPAA, state privacy laws, and applicable healthcare regulations

4. Protected Health Information (PHI)

Much of the information available through this Patient Portal constitutes Protected Health Information (PHI) as defined by the Health Insurance Portability and Accountability Act (HIPAA). We operate as a Business Associate of your healthcare Provider under a Business Associate Agreement (BAA).

This means:

• Your PHI is handled in accordance with HIPAA requirements
• We only use your PHI as permitted by our agreement with your Provider and applicable law
• We implement administrative, physical, and technical safeguards to protect your PHI
• We do not sell your health information
• We do not use your health information for marketing purposes without your explicit consent
• Your Provider's own Notice of Privacy Practices governs the primary use and disclosure of your health information

5. When We Share Information

We may share your information in the following circumstances:

• With Your Provider — All information you provide through the portal (messages, forms, appointment requests) is shared with your healthcare Provider
• Service Providers — We use trusted third-party services for hosting (Microsoft Azure), message delivery (SMS/email), and reCAPTCHA verification (Google). These providers are contractually bound to protect your data
• Legal Requirements — When required by law, court order, or regulatory authority
• Emergency — To prevent or address an immediate threat to health or safety
• Business Transfers — In connection with a merger, acquisition, or sale of assets, with continued privacy protections

We do not sell your personal information or health data to third parties.

6. Cookies & Tracking Technologies

This Patient Portal uses only essential cookies required for the portal to function:

• Session Cookie — Maintains your authenticated session while you use the portal. This cookie is deleted when you sign out or your session expires. Configured with HTTPOnly, Secure, and SameSite=Strict attributes
• CSRF Token — Prevents cross-site request forgery attacks on form submissions

We do not use advertising cookies, analytics trackers, or third-party tracking pixels on the Patient Portal. Google reCAPTCHA is used on the login page only for bot protection.

7. Data Security

We employ industry-standard security measures to protect your information:

• Encryption at Rest — AES-256 encryption for stored data
• Encryption in Transit — TLS 1.2+ for all data transmissions
• Two-Factor Authentication — Required for every portal login; codes are time-limited and stored in session memory only (never written to database)
• Session Security — Automatic session timeout, session rotation after authentication, IP-based rate limiting
• Access Controls — Role-based access with per-client data isolation; you can only access your own records
• Infrastructure — Hosted on Microsoft Azure with HIPAA-compliant configurations
• Monitoring — Security event logging for authentication attempts, access patterns, and anomaly detection

8. Data Retention

Your portal data is retained as follows:

• Session Data — Deleted upon sign-out or session expiration (60 minutes of inactivity)
• Authentication Logs — Retained for security audit purposes per HIPAA requirements
• Health Records — Retained as long as your Provider maintains your records in their system. We display data provided by your Provider and do not independently retain copies beyond operational needs
• Messages & Forms — Retained per your Provider's data retention policy

To request deletion of your data, please contact your healthcare Provider directly.

9. Your Rights

Depending on your location, you may have the following rights:

• Access — Request a copy of the personal information we hold about you
• Correction — Request correction of inaccurate information (health record corrections must be directed to your Provider)
• Deletion — Request deletion of your personal information, subject to legal retention requirements
• Portability — Receive your data in a commonly used, machine-readable format
• Opt-Out — Opt out of non-essential communications (appointment reminders and health-related communications are managed by your Provider)

To exercise these rights, contact your healthcare Provider or reach out to us using the contact information below.

10. California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act and California Privacy Rights Act:

• Right to know what personal information we collect and how it is used
• Right to request deletion of your personal information
• Right to opt out of the sale of personal information (we do not sell your data)
• Right to non-discrimination for exercising your privacy rights
• Right to correct inaccurate personal information
• Right to limit the use of sensitive personal information

Note: HIPAA-covered health information is exempt from certain CCPA/CPRA requirements where HIPAA applies.

11. Canadian Privacy (PIPEDA)

For users in Canada, we comply with the Personal Information Protection and Electronic Documents Act (PIPEDA):

• Data is stored on Microsoft Azure servers in the United States with HIPAA-grade encryption
• Cross-border data transfers are protected by contractual safeguards
• Breach notification within 72 hours of discovery, as required
• List of sub-processors available upon request
• You may file a complaint with the Office of the Privacy Commissioner of Canada

12. Children's Privacy

This Patient Portal is not directed to children under 13 years of age. We do not knowingly collect personal information from children under 13. If a parent or guardian needs to access a minor's health information, they should do so through their Provider's established processes. Dependent information displayed in the portal (such as appointments for minors) is provided by and managed through your healthcare Provider.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable laws. When we make material changes, we will update the "Last Updated" date at the top of this page. We encourage you to review this policy periodically. Continued use of the Patient Portal after changes constitutes acceptance of the revised policy.

14. Contact Us

If you have questions about this Privacy Policy or how your information is handled:

For questions specifically about your health records or to exercise your HIPAA rights, please contact your healthcare Provider directly.