Privacy Policy

Effective Date: 01/01/2025
Provider: Dr. Margot Wacks, D.O., FACOG
Practice: Halcyon Medical Group, PLLC (“Halcyon,” “we,” “us,” “our”)

This Privacy Policy explains how we collect, use, disclose, and safeguard information in connection with our medical coaching and telemedicine services focused on peri-menopause and menopause, and with our website and related online services (the “Services”).

If you are a patient, certain information we maintain about you is “Protected Health Information” or “PHI” under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). When we handle PHI, we do so in line with HIPAA and applicable state privacy laws. This Privacy Policy works together with our HIPAA Notice of Privacy Practices (“NPP”). If this Policy ever conflicts with the NPP for PHI, the NPP controls for PHI.

1. Who this applies to

  • Patients and prospective patients using our telemedicine or coaching Services

  • Website visitors interacting with our site, forms, and scheduling tools

  • Vendors and partners who support delivery of care and operations

2. Information we collect

A. PHI and medical information (subject to HIPAA)

Examples include:

  • Identification details: name, date of birth, contact details, sex assigned at birth

  • Medical history, symptoms, medications, allergies, lab orders and results, imaging, vital signs, treatment plans, care notes

  • Visit metadata: appointment date and time, licensed state at time of visit, referring providers

B. Non-PHI personal information

  • Contact details: email, phone, mailing address

  • Account and billing details for self-pay services

  • Communications with our team (email, portal messages, forms)

C. Website and device data

  • IP address, browser type, device type, pages viewed, time on page, referring URLs

  • Cookies or similar technologies used for basic site functionality, analytics, and scheduling

Medical information entered into our patient portal or telemedicine platform is treated as PHI. Some website analytics data is not PHI and is handled as described in Section 8.

3. How we collect information

 

  • Directly from you: intake forms, consents, telemedicine visits, emails, messages, payments

  • From your devices: when you visit our website or portal

  • From third parties: labs, pharmacies, other healthcare providers, or services you authorize

  • From vendors under contract: telehealth, EHR, payment processors, scheduling systems

 

 

4. How we use information

For care and operations (HIPAA-permitted uses)

  • Provide telemedicine and medical coaching services

  • Assess symptoms and history, develop recommendations, and coordinate care

  • Order and review labs or imaging when clinically appropriate

  • Quality improvement, training, audits, and internal reporting

  • Practice management, accounting, and legal compliance

  • Communicate with you about appointments, results, and care instructions

For non-PHI website and business uses

  • Respond to inquiries and support requests

  • Process payments for self-pay services

  • Operate, maintain, and improve our website

  • Basic analytics to understand site performance

We do not sell PHI. We do not use PHI for targeted advertising.

5. How we share information

PHI (HIPAA)

We may share PHI as allowed or required by HIPAA, such as:

  • Treatment: with other providers involved in your care at your request or where appropriate

  • Payment and operations: with billing, accounting, or compliance vendors

  • Business Associates: with contracted vendors (e.g., telehealth platform, EHR, secure messaging, labs) who sign Business Associate Agreements to protect PHI

  • Legal and safety: when required by law, public health reporting, or to prevent serious threats to health or safety

Non-PHI

We may share limited non-PHI with service providers who help run our site and office functions (hosting, analytics, scheduling, email). These partners are bound by contracts to protect information and to use it only for our purposes.

6. Telemedicine privacy specifics

 

  • Telemedicine visits occur on secure, HIPAA-supporting platforms.

  • Visits are not recorded unless we get your explicit written consent and the platform supports it.

  • You must be physically located in a state where Dr. Wacks is licensed at the time of the visit.

  • You are responsible for a private location and a secure internet connection during your session.

 

7. Your rights (patients)

When we maintain PHI about you as a covered entity under HIPAA, you may have the right to:

  • Access and receive a copy of your PHI

  • Request amendments to your PHI

  • Receive an accounting of certain disclosures

  • Request restrictions on uses or disclosures (we will consider and comply where required)

  • Request confidential communications by alternative means or at alternative locations

  • Receive a paper copy of the NPP

To make a request, contact us using the details in Section 15. We will respond within HIPAA timelines.

8. Cookies, analytics, and online tracking (non-PHI)

  • Our website may use strictly necessary cookies for core functionality and optional cookies for analytics.

  • You can adjust browser settings to limit cookies. Doing so may affect site features.

  • We do not use PHI for advertising. Any analytics are applied to non-PHI website data.

If you are a California resident, see Section 12 regarding choices for non-PHI website data.

9. Payment processing

  • We are a self-pay practice. Payments may be processed by third-party processors that receive limited billing information to complete transactions. We do not receive or store full card numbers on our servers.

10. Data retention

 

  • PHI: Retained in line with federal and state medical record retention rules and our internal policy.

  • Non-PHI: Retained for the period necessary to support website operations, security, and business records, then deleted or de-identified.

11. Security

  • We use reasonable administrative, technical, and physical safeguards designed to protect information. No method of transmission or storage is fully secure. If we believe a breach has affected your PHI, we will notify you as required by law.

12. State-specific notices (non-PHI consumer data)

California residents (CCPA/CPRA)

  • PHI under HIPAA is exempt from CCPA/CPRA. This section applies only to non-PHI personal information collected through our website or business operations outside HIPAA.

  • You may have rights to know, correct, delete, and limit certain uses of your non-PHI.

  • We do not “sell” non-PHI personal information for money. If we ever “share” non-PHI for cross-context behavioral advertising, you will have the right to opt out.

  • To submit a request or opt out, use the contact options in Section 15.

Residents of Virginia, Colorado, Connecticut, and other states with consumer privacy laws may have similar rights for non-PHI. Contact us to exercise those rights.

13. Children’s privacy

Our website is not directed to children under 13, and we do not knowingly collect non-PHI personal information from them. Pediatric medical services are not the focus of this practice.

14. Third-party sites and tools

Our site may link to external sites or embed tools operated by others. Their practices are governed by their policies. Review those policies before providing information.

 

15. How to contact us

Halcyon Medical Group, PLLC
Email: [email protected]

For HIPAA rights requests, please state you are submitting a “HIPAA privacy request” and describe the right you wish to exercise.