Consumer Health Data Privacy Policy
Last updated: May 10, 2026
Why this Policy exists
Several states — including Washington (My Health My Data Act), Nevada (SB 370), and Connecticut (SB 3) — have adopted laws that protect "consumer health data" collected outside the scope of the federal Health Insurance Portability and Accountability Act (HIPAA). This Policy describes how Protocol MD handles consumer health data covered by those laws and your rights regarding that data.
This Policy supplements our Privacy Policy and our HIPAA Notice of Privacy Practices (which governs information held by your treating Provider in the course of clinical care).
What is 'consumer health data'?
Consumer health data is information that is linked or reasonably linkable to a consumer and that identifies the consumer's past, present, or future physical or mental health status. Under state laws like Washington's My Health My Data Act, this can include:
- Information you provide during the assessment about symptoms, medical history, treatments, or medications
- Health-adjacent inferences derived from your interactions with our site
- Information about appointments, diagnoses, or treatments
- Information about reproductive or sexual health, gender-affirming care, biometric data, or precise location data that could indicate health status
How we collect consumer health data
- Directly from you when you complete the assessment, message our care team, or upload records
- Automatically from your interactions with our site (for example, which protocols you view)
- From service providers we engage to support our platform, only as needed to deliver our services
How we use consumer health data
- To match you to a US-licensed physician in your state
- To facilitate clinical care through our affiliated provider network
- To improve our services, troubleshoot issues, and develop new features
- To comply with legal obligations
We do not use consumer health data for cross-context behavioral advertising and do not sell consumer health data.
With whom we share consumer health data
- Your treating Provider. Information relevant to your care is shared with the Provider so they can review your case and prescribe a protocol if appropriate. Once shared with the Provider, that information becomes protected health information (PHI) governed by HIPAA and the HIPAA Notice of Privacy Practices.
- Compounding pharmacies and laboratories that fulfill prescriptions and process bloodwork ordered through the services
- Service providers that operate our platform (hosting, payment processing, analytics, customer support), each contractually obligated to protect your data
- Legal and safety disclosures when required by law or to protect the rights, property, or safety of Protocol MD, our users, or others
Your rights regarding consumer health data
Depending on your state of residence, you have rights with respect to your consumer health data, including:
- The right to confirm whether we collect, share, or sell your consumer health data
- The right to access a list of categories of consumer health data we have collected and the third parties with whom we have shared it
- The right to withdraw consent to collection or sharing
- The right to delete the consumer health data we hold about you, subject to certain exceptions (for example, medical record retention obligations that apply to your treating Provider)
To exercise any of these rights, contact us at hello@protocolmd.com. We will respond within the timeframe required by applicable law.
Consent
Before we collect or share consumer health data beyond what is necessary to provide the services you have requested, we will obtain your affirmative, opt-in consent as required by applicable state law (for example, Washington's My Health My Data Act). You may withdraw your consent at any time by contacting us at hello@protocolmd.com.
Geofencing notice (Washington only)
Washington's My Health My Data Act prohibits geofencing within 2,000 feet of an in-person healthcare facility for the purpose of identifying or tracking consumers seeking healthcare services, collecting consumer health data from consumers, or sending notifications, messages, or advertisements to consumers based on their consumer health data or healthcare services. Protocol MD does not engage in such geofencing.
Contact us
Questions about this Policy? Email hello@protocolmd.com.