Privacy Policy and Notice of Privacy Practices

THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.

This document also explains how we collect, use, and share personal information through our website, booking tools, communications, intake forms, and related services.

This Privacy Policy and Notice of Privacy Practices applies to information collected, used, maintained, or disclosed through Baseline Medical websites, booking pages, mobile pages, online forms, scheduling and payment tools, email, text, phone, patient intake, telehealth or remote communications, in-person mobile visits, customer support, and related services.

Baseline Medical means the consumer-facing brand used for mobile non-emergency medical and wellness services, website content, booking pages, communications, and related client-facing operations. Baseline Medical is a brand name and may be used by Baseline Medical Management, LLC, Baseline Medical Group, PC, or affiliated entities depending on the context.

Management Company means Baseline Medical Management, LLC, the non-clinical administrative and management company that may operate or support the Site, Platform, booking functions, payment functions, customer service, marketing, membership administration, business operations, and other non-clinical services.

Professional Entity means Baseline Medical Group, PC and/or another licensed professional entity responsible for furnishing professional medical services, as applicable.

Clinicians means licensed healthcare professionals affiliated with or engaged by the applicable Professional Entity, including nurse practitioners, registered nurses, physicians, physician assistants, or other licensed professionals acting within the scope of their licenses.

We, us, and our refer to Baseline Medical, the Management Company, the Professional Entity, and their workforce members, contractors, vendors, service providers, and business associates, as applicable to the context.

You means the person using the website or services, requesting information, booking an appointment, completing forms, purchasing services, or receiving care. Where clinical services are provided, you may also be a patient of the applicable Professional Entity.

Personal Information means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked to you.

Protected Health Information or PHI means individually identifiable health information protected by the Health Insurance Portability and Accountability Act and its implementing regulations when HIPAA applies.

To the extent a Professional Entity is a HIPAA covered entity, the HIPAA Notice of Privacy Practices portion of this Policy describes how that Professional Entity may use and disclose PHI and describes your rights regarding PHI.

The Management Company is not a professional medical provider and does not provide diagnosis, treatment, prescribing, medical eligibility determinations, or other clinical decision-making.

When the Management Company creates, receives, maintains, or transmits PHI on behalf of a Professional Entity, it does so only as permitted by applicable law, applicable business associate agreements, management services arrangements, privacy policies, and patient authorizations or consents where required.

If a requirement of HIPAA or another applicable health privacy law conflicts with a more general provision of this Policy, the more protective or legally required health privacy provision controls.

Baseline Medical Management, LLC may provide non-clinical management, administrative, operational, billing, technology, customer support, marketing, membership, compliance, and business services for the Baseline Medical brand and for the Professional Entity.

These services may require the Management Company to collect, receive, maintain, process, or transmit Personal Information and, where permitted, PHI.

The Management Company may support scheduling, intake, payment processing, membership administration, appointment communications, vendor management, quality and safety operations, business analytics, record-management support, and other administrative functions.

The Management Company does not control Clinicians' professional judgment and does not make clinical decisions.

Where the Management Company acts on behalf of a HIPAA-covered Professional Entity with respect to PHI, it is expected to use and disclose PHI only for permitted management, payment, health care operations, business associate, subcontractor, or other legally permitted purposes, and to safeguard PHI as required by applicable law and agreements.

The website, contact forms, email, text messages, social media, booking pages, and other non-emergency communication channels are not for medical emergencies.

If you are experiencing a medical emergency or a potentially life-threatening condition, call 911 or seek emergency medical care immediately.

Please do not submit highly sensitive medical information through a general website contact form, public social media page, or ordinary email unless we specifically instruct you to do so through a secure or clinically appropriate workflow.

Appointment requests and messages are not a substitute for emergency care or urgent medical evaluation.

This portion explains privacy practices related to the website, booking tools, communications, administrative services, consumer interactions, and related platform functions.

Some information described in this section may also be PHI depending on the context in which it is collected, used, maintained, or disclosed.

We may collect contact and identity information, including name, phone number, email address, mailing address, service address, date of birth, emergency contact, and similar identifiers.

We may collect account and booking information, including login credentials, appointment requests, appointment dates and times, provider assignments, service area, service type, membership or package status, gift card information, and appointment history.

We may collect health, intake, and clinical information, including symptoms, medical history, allergies, medications, vital signs, treatment preferences, eligibility screening information, clinical notes, consents, forms, visit records, prescriptions or medication administration records where applicable, and follow-up instructions.

We may collect payment and billing information, including billing address, card brand, last four digits, payment tokens, receipts, transaction history, refunds, charge disputes, membership billing status, and other payment-related information. We generally rely on payment processors to collect and process full payment-card details.

We may collect communications information, including calls, texts, emails, chat messages, voicemails, form submissions, customer-service requests, reviews, survey responses, and marketing preferences.

We may collect device, usage, and website information, including IP address, browser type, device identifiers, operating system, referring URLs, pages viewed, links clicked, approximate location derived from technical data, cookies, pixels, analytics tags, log files, and similar technology data.

We may collect location and mobile-visit information, including service address, appointment location, access instructions, travel-related notes, parking or gate information, and other information needed to provide mobile services safely and efficiently.

We may collect photos, images, documents, identification materials, consent forms, lab documents, or other files you provide, if applicable.

We may receive information from third parties, including scheduling platforms, payment processors, telehealth or communication vendors, referral sources, labs, pharmacies, clinicians, caregivers, family members, event organizers, employers, or other parties involved in services or communications, where permitted by law.

Some information may be both Personal Information and PHI depending on the context in which it is collected, used, or maintained.

We may use Personal Information and, where permitted, PHI to respond to questions, requests, and customer-service inquiries.

We may use information to create, manage, and verify accounts, appointments, forms, consents, and patient records.

We may use information to schedule, confirm, reschedule, or cancel appointments.

We may use information to evaluate service eligibility and coordinate clinical services with licensed Clinicians.

We may use information to provide, document, support, and follow up on services.

We may use information to process payments, appointment prepayments, memberships, packages, gift cards, refunds, chargebacks, collections, and related billing or accounting functions.

We may use information to support non-clinical management and administrative services performed by the Management Company, including booking, customer support, membership administration, vendor oversight, business operations, compliance support, record-management support, and service coordination.

We may use information to send appointment reminders, operational messages, clinical follow-up messages, service notices, and administrative communications.

We may use information to send marketing communications only where permitted by law and, when required, with your separate consent.

We may use information to improve the website, booking flow, patient experience, clinical operations, safety, quality, training, and service offerings.

We may use information to maintain security, prevent fraud, troubleshoot technology issues, and enforce our Terms of Service and other policies.

We may use information to comply with legal, regulatory, licensing, accreditation, tax, accounting, insurance, audit, and professional obligations.

We may create de-identified, aggregated, or statistical information that does not identify you and may be used or disclosed as permitted by law.

We may share information with the Professional Entity and Clinicians to evaluate, coordinate, deliver, document, supervise, or follow up on care and related services.

We may share information with the Management Company to support non-clinical administrative, scheduling, billing, payment, customer support, membership, marketing, technology, compliance, management, and business operations. The Management Company may receive or process PHI only where permitted by law, applicable agreements, and this Policy.

We may share information with service providers, business associates, and subcontractors that support scheduling, intake, telehealth, patient communication, text messaging, email, cloud hosting, data storage, payment processing, analytics, customer support, forms, document signing, quality assurance, compliance, legal, accounting, or other operations.

Where a vendor or support party creates, receives, maintains, or transmits PHI on behalf of a HIPAA covered entity or business associate, we require a HIPAA-compliant business associate agreement or other legally appropriate privacy and security arrangement when required by law.

We may share information with payment processors and financial institutions to process payments, refunds, memberships, packages, chargebacks, fraud prevention, and related financial transactions.

We may share information with labs, pharmacies, suppliers, referral sources, and other care-related parties where needed for treatment, care coordination, medication administration, testing, follow-up, or referrals and where permitted by law.

We may share information with family members, caregivers, emergency contacts, or others involved in your care when you direct us to do so, when you do not object and the disclosure is relevant to their involvement, or when otherwise permitted by law.

We may share information with public health, safety, oversight, licensing, and legal authorities when permitted or required by law, including for adverse event reporting, product recalls, suspected abuse or neglect, health oversight, subpoenas, court orders, law enforcement requests, workers compensation, or serious threats to health or safety.

We may share information in connection with corporate, professional, or business transactions, including a merger, acquisition, reorganization, financing, sale of assets, management transition, or similar transaction, subject to applicable legal protections for PHI and other sensitive information.

We may share information with authorized representatives, such as a parent, guardian, health-care agent, attorney-in-fact, or other person legally authorized to act for you, after we verify the authority where appropriate.

We do not sell PHI. We do not sell Personal Information. The Management Company does not use PHI for unrelated third-party advertising or marketing.

We do not use or disclose PHI for third-party targeted advertising or third-party marketing unless permitted by law and any required authorization, consent, business associate agreement, or other legal safeguard is in place.

Our website and booking tools may be operated or supported by the Management Company and may use cookies, pixels, tags, analytics tools, log files, and similar technologies to operate the website, remember preferences, analyze traffic, improve user experience, help measure campaigns, and protect security.

Because we operate in a healthcare context, including through a Management Company and Professional Entity structure, we aim to avoid using tracking technologies in a way that impermissibly discloses PHI.

We will not knowingly disclose PHI to advertising, analytics, or tracking vendors unless permitted by applicable law and unless any required patient authorization, consent, business associate agreement, or other legal safeguard is in place.

Public analytics must be governed carefully on health-related pages, booking flows, and patient-intake surfaces to avoid unauthorized disclosure of sensitive health information.

You can usually adjust browser settings to refuse or delete cookies. Some website features may not function properly if cookies are disabled.

We currently do not respond to browser Do Not Track signals unless required by applicable law.

By requesting information, booking an appointment, creating an account, completing intake forms, purchasing a membership or package, or receiving services, you may receive operational communications from Baseline Medical, the Management Company, the Professional Entity, Clinicians, or their authorized vendors.

Operational communications may include appointment confirmations, reminders, arrival updates, care coordination messages, payment notices, intake requests, service updates, and follow-up instructions. Message and data rates may apply.

Consent to marketing texts or marketing emails is not required as a condition of purchasing or receiving services.

Marketing text messages will be sent only with your separate consent where required by law.

You may opt out of marketing texts by replying STOP and may opt out of marketing emails by using the unsubscribe link or contacting us.

Opting out of marketing does not stop necessary operational, transactional, payment, or care-related communications.

Ordinary email and text messaging may not be encrypted or secure. We may use secure messaging, patient portals, telehealth tools, or other protected workflows when clinically appropriate or legally required.

Please do not include sensitive health information in ordinary texts or emails unless you accept the risk or we specifically instruct you to use that channel for a particular purpose.

We may use the Management Company, payment processors, and financial service providers to process transactions.

Full card details are generally provided directly to the payment processor, not stored by us.

We may retain transaction records, payment tokens, card brand, last four digits, receipts, charge authorizations, membership billing records, appointment prepayment records, and similar billing information as needed for operations, accounting, compliance, and dispute resolution.

In connection with billing, collections, refunds, chargebacks, or payment disputes, the Management Company, Professional Entity, or their authorized vendors may submit booking records, receipts, payment authorizations, cancellation records, and limited service documentation to payment processors, card issuers, banks, collection vendors, professional advisors, or appropriate parties as permitted by law and consistent with applicable privacy notices.

We endeavor to limit disclosures to the minimum information reasonably necessary for the payment or dispute purpose.

We will not use patient images, names, testimonials, before/after content, or identifiable health information for marketing by Baseline Medical, the Management Company, the Professional Entity, or any third party without any consent or authorization required by law.

If we ask to use your image, story, review, or testimonial in a way that involves PHI, we will use a separate authorization form when required.

Information you post publicly on social media, review sites, or public forums may be visible to others and may no longer be private.

We may respond to public reviews or comments in a general way, but we generally avoid confirming patient status or disclosing PHI in public responses.

We retain information for as long as reasonably necessary for the purposes described in this Policy, including to provide services, maintain medical, administrative, membership, payment, and business records, comply with legal and professional obligations, resolve disputes, enforce agreements, maintain security, and support audits or investigations.

Medical records and PHI may be retained for periods required by applicable federal and state law, professional rules, payer requirements, insurance requirements, and clinical risk-management practices.

The Management Company may retain administrative, billing, membership, payment, website, and business records as needed for lawful management, operational, accounting, compliance, and dispute-resolution purposes.

We may retain de-identified or aggregated information without time limitation unless prohibited by law.

We use administrative, technical, and physical safeguards designed to protect Personal Information and PHI against unauthorized access, use, disclosure, alteration, or destruction.

These safeguards may apply across the Management Company, Professional Entity, Clinicians, vendors, and authorized support personnel, as applicable, and may include workforce training, access controls, vendor review, encrypted systems where appropriate, secure storage, audit logs, and incident-response procedures.

No website, mobile tool, communication channel, or electronic system is completely secure.

You are responsible for keeping your account credentials confidential and for promptly notifying us if you believe your account, device, email, phone, or communications have been compromised.

The website and general booking services are intended for adults.

We do not knowingly collect Personal Information directly from children under 13 through the website without verifiable parental consent.

Unless we expressly offer a minor-specific service and obtain all required parent or guardian consent, services are intended for individuals who are at least 18 years old.

Parents, guardians, or personal representatives who believe a child or minor has provided information to us without proper authorization should contact us so we can review and address the request as appropriate.

Depending on where you live and whether an applicable state privacy law applies to us and to the information at issue, you may have rights to request access to Personal Information, correction of inaccurate Personal Information, deletion of Personal Information, portability of Personal Information, and opt-out of certain processing such as sale of Personal Information, targeted advertising, or certain profiling decisions.

You may also have the right to appeal certain decisions and to be free from unlawful discrimination for exercising privacy rights.

Many state consumer privacy laws exempt PHI and other information handled by HIPAA covered entities or business associates.

Requests involving PHI or medical records will generally be handled under the HIPAA rights described below or under other applicable health privacy laws, rather than under general consumer privacy rights.

To submit a consumer privacy request, contact us using the information at the end of this Policy.

We may need to verify your identity and authority before acting on a request.

We will respond within the timeframe required by applicable law. If we deny a request, we will explain the basis for the denial and provide appeal instructions if required by law.

Our website or communications may link to third-party websites, platforms, payment pages, scheduling tools, social media pages, app stores, or other services that we do not control.

Their privacy practices are governed by their own privacy policies and terms.

You should review those policies before submitting information to them.

When the Management Company, Professional Entity, or affiliated entities use third-party vendors to perform services for us, we contractually require appropriate privacy and security obligations where required or appropriate, including HIPAA business associate agreements for vendors handling PHI on behalf of a HIPAA covered entity or business associate.

Our services are intended for users located in the United States.

If you access the website from outside the United States, you understand that information may be processed and stored in the United States, where privacy laws may differ from those in your jurisdiction.

Baseline Medical services are designed for jurisdictions where affiliated clinicians are authorized to operate.

Baseline Medical may use software tools, rules-based systems, analytics, or automation to support operations, routing, scheduling, fraud prevention, quality review, platform reliability, and service improvement.

Clinical decisions are not delegated to automation where licensed clinician judgment is required.

If AI-enabled tools are used in the future, they must be governed by privacy, security, clinical, and compliance controls appropriate to their use.

We may create or use de-identified, aggregated, or statistical information that does not reasonably identify an individual for analytics, service improvement, operational planning, safety evaluation, research support where permitted, and platform development.

The following sections describe rights and privacy practices for PHI maintained by a Professional Entity when HIPAA applies.

This Notice applies to records of care generated or received by the Professional Entity and its Clinicians and workforce members, including clinical and billing records associated with Baseline Medical services.

The Management Company may assist with administrative, billing, technology, management, communications, and operational functions on behalf of the Professional Entity, but the Management Company does not provide professional medical services or make clinical decisions.

Get an electronic or paper copy of your medical record: You can ask to inspect or receive an electronic or paper copy of your medical record and other health information in a designated record set. We will respond as required by law and may charge a reasonable, cost-based fee where permitted.

Ask us to correct your medical record: You can ask us to amend health information about you that you believe is incorrect or incomplete. We may deny your request in limited circumstances, but we will tell you why in writing within the timeframe required by law.

Request confidential communications: You can ask us to contact you in a specific way, such as at a specific phone number, email, or address. We will accommodate reasonable requests as required by law.

Ask us to limit what we use or share: You can ask us not to use or share certain health information for treatment, payment, or health care operations. We are not required to agree in most cases, and we may say no if it would affect your care or operations.

Restrict disclosure to a health plan for fully out-of-pocket services: If you pay for a health care item or service out-of-pocket in full, you can ask us not to share that information with your health insurer for payment or health care operations. We will agree unless a law requires us to share the information.

Get a list of certain disclosures: You can ask for an accounting of certain disclosures of your health information for up to six years before the date of your request. We will include disclosures required by law, except for disclosures that are excluded from the accounting requirement, such as many disclosures for treatment, payment, health care operations, and disclosures you authorized.

Get a copy of this Notice: You can ask for a paper copy of this Notice at any time, even if you agreed to receive it electronically. We will provide a copy promptly.

Choose someone to act for you: If you have given someone medical power of attorney, if someone is your legal guardian, or if another person is legally authorized to act for you, that person may be able to exercise your rights and make choices about your health information. We will verify the authority before taking action when appropriate.

File a complaint: You can complain to us if you believe your privacy rights have been violated. You may also file a complaint with the U.S. Department of Health and Human Services Office for Civil Rights. We will not retaliate against you for filing a complaint.

Limit disclosure in certain legal proceedings: Depending on applicable law, including Virginia Code Section 32.1-127.1:03 where applicable, you may have rights to object to or seek limits on disclosure of health records in response to certain subpoenas or legal demands.

For certain health information, you can tell us your choices about what we share.

If you have a clear preference for how we share information, tell us what you want us to do.

You generally have both the right and choice to tell us to share information with family, close friends, caregivers, or others involved in your care or payment for your care.

You generally have both the right and choice to tell us to share information in a disaster relief or emergency situation.

You generally have both the right and choice to tell us whether to contact you for fundraising, if we ever conduct fundraising. You may opt out of fundraising communications if applicable.

If you are unable to tell us your preference, such as if you are unconscious or unavailable, we may share information if we believe it is in your best interest or if needed to lessen a serious and imminent threat to health or safety.

We generally will not use or disclose your PHI for marketing purposes, sell your PHI, or use or disclose psychotherapy notes, if any are maintained, without your written authorization unless HIPAA permits the use or disclosure without authorization.

Treatment: We can use your health information and share it with Clinicians, supervising or collaborating professionals, pharmacies, labs, referral providers, emergency providers, primary care providers, specialists, or others involved in your care. For example, a nurse practitioner may review your symptoms, medical history, allergies, medications, and vital signs with a mobile registered nurse or another treating professional.

Payment: We can use and share health information to bill and collect payment for services. For example, we may share billing information with a payment processor or provide limited documentation to resolve a charge dispute, consistent with applicable law.

Health care operations: We can use and share health information to run our practice, improve care, train workforce members, conduct quality review, evaluate clinician performance, manage business and administrative operations, conduct compliance activities, and contact you when necessary. Health care operations may be supported by the Management Company or other business associates where permitted by HIPAA.

Appointment reminders and health-related services: We may use and disclose health information to contact you about appointments, intake forms, follow-up, treatment alternatives, prescriptions or medication instructions, health-related benefits, services we offer, care coordination, membership-related service availability, and administrative matters.

Business associates and management support: We may disclose PHI to Baseline Medical Management, LLC and to other vendors or subcontractors that perform functions for us, such as scheduling, telehealth, intake, cloud storage, secure communications, billing, membership administration, legal, accounting, compliance, management services, and technology support, when they agree to safeguard PHI as required by HIPAA and applicable agreements.

We are allowed or required to share health information in other ways, usually in ways that contribute to public health, safety, legal compliance, or oversight. We must meet legal conditions before sharing information for these purposes.

Examples include preventing disease, helping with product recalls, reporting adverse reactions to medications, or supporting public health activities.

Examples include reporting suspected abuse, neglect, or domestic violence as permitted or required by law.

Examples include preventing or reducing a serious threat to anyone's health or safety.

Examples include complying with federal, state, or local law, including disclosures to the Department of Health and Human Services to determine HIPAA compliance.

Examples include responding to health oversight agencies for activities authorized by law, such as audits, investigations, inspections, licensing, and disciplinary actions.

Examples include responding to court or administrative orders, subpoenas, discovery requests, or other legal processes when legal requirements are met.

Examples include responding to law enforcement requests as permitted or required by law.

Examples include addressing workers compensation claims and similar programs.

Examples include supporting special government functions, such as military, national security, or protective services, where permitted by law.

Examples include working with coroners, medical examiners, or funeral directors where applicable and permitted by law.

Examples include conducting research where approved or otherwise permitted by law.

Uses and disclosures of PHI not described in this Notice generally require your written authorization.

If you authorize us to use or disclose PHI, you may revoke the authorization in writing at any time.

A revocation will not affect actions already taken in reliance on the authorization.

We will obtain written authorization where required for uses or disclosures of PHI for marketing, sale of PHI, patient testimonials or identifiable marketing content involving PHI, and other uses or disclosures requiring authorization under HIPAA or applicable law.

We are required by law to maintain the privacy and security of PHI when HIPAA applies.

The Professional Entity is responsible for the HIPAA Notice of Privacy Practices when HIPAA applies.

The Management Company may have HIPAA and contractual obligations when acting as a business associate, subcontractor, or administrative support entity for the Professional Entity.

We will let affected individuals know if a breach occurs that may have compromised the privacy or security of unsecured PHI, as required by law.

We must follow the duties and privacy practices described in this Notice and provide a copy of it.

We will not use or share PHI other than as described in this Notice unless you authorize us in writing or the law permits or requires the use or disclosure.

If you give us written authorization, you may revoke it in writing at any time, except to the extent we have already relied on it.

We may change this Policy and Notice.

Changes may apply to all information we maintain, including information created or received before the effective date of the revised Policy.

The updated Policy will be available on our website and upon request.

The date at the top of this document shows when it was last updated.

To ask questions, request a copy of this Policy, exercise privacy rights, file a complaint, or contact the Privacy Officer regarding the Management Company, the Professional Entity, or Baseline Medical privacy practices, contact us through the channels below.

Privacy Officer: Baseline Medical Privacy Officer.

Email: baselinemedical@baselinemedical.com.

Phone/Text: (571) 461-1700.

Mailing Address: Baseline Medical Management, LLC / Baseline Medical HQ, 3251 Blenheim Blvd, Suite 405, Fairfax, VA 22030.

You may also file a HIPAA complaint with the U.S. Department of Health and Human Services Office for Civil Rights by writing to 200 Independence Avenue, S.W., Washington, D.C. 20201, calling 1-800-368-1019 or TDD 1-800-537-7697, emailing OCRComplaint@hhs.gov, or visiting the HHS Office for Civil Rights complaint portal.

Privacy requests involving PHI or medical records may be processed by the Management Company on behalf of the Professional Entity, but the Professional Entity remains responsible for HIPAA-covered clinical records and HIPAA-required responses where applicable.

We will not retaliate against you for filing a complaint or exercising privacy rights.