Privacy Policy

Medikah Corporation

Effective Date: February 1, 2026

Last Updated: February 1, 2026


Our Commitment to Your Privacy

Medikah is a HIPAA-compliant technology platform that provides video conferencing, billing, and coordination services enabling independent healthcare providers to connect with patients across borders.

This Privacy Policy explains how we collect, use, protect, and share your personal health information when you use our platform.

What We Are: Technology platform (video, billing, scheduling)
What We Are NOT: Healthcare provider or medical practice

Your privacy is not negotiable. We handle your health information with the care, compliance, and security that healthcare technology demands.


1. Who We Are and Our Role Under HIPAA

1.1 Medikah’s Business Model

Medikah operates as a technology platform providing:

  • HIPAA-compliant video conferencing for medical consultations
  • Billing and payment processing services
  • Appointment scheduling and coordination
  • Secure health record storage and transmission

We are NOT:

  • Healthcare providers or medical practitioners
  • Employers or supervisors of doctors using our platform
  • Responsible for medical care, diagnosis, or treatment
  • A substitute for in-person medical care

1.2 Our Role Under HIPAA

Medikah is a Business Associate under HIPAA.

What this means:

  • Healthcare providers using our platform are “Covered Entities” — they provide medical care and are responsible for protecting your health information under HIPAA
  • Medikah is their “Business Associate” — we provide technology that handles Protected Health Information (PHI) on behalf of healthcare providers
  • We sign Business Associate Agreements (BAAs) with all healthcare provider clients
  • We implement HIPAA Security Rule safeguards (encryption, access controls, audit logs)
  • We report data breaches to healthcare providers, who are responsible for notifying patients
  • Healthcare providers, not Medikah, manage your HIPAA privacy rights (access, amendment, accounting of disclosures)

Your HIPAA Rights: Exercised through your healthcare provider, not Medikah. Contact the doctor or practice that treated you.

Medikah’s HIPAA Obligations: Protect PHI, limit use to authorized purposes, implement security safeguards, report breaches.

1.3 Corporate Information

Medikah Corporation
Incorporated: Delaware, USA
Operating Locations: Texas, California, Mexico

Contact Information:
Email: privacy@medikah.health
Privacy Officer: privacy@medikah.health
Data Protection Officer: dpo@medikah.health

Regulatory Compliance:

  • HIPAA (United States)
  • CCPA/CPRA (California)
  • LGPD (Brazil)
  • LFPDPPP (Mexico)
  • Other applicable data protection laws

2. Information We Collect

2.1 Health Information (Protected Health Information — PHI)

During video consultations, we may handle:

  • Medical symptoms and conditions discussed
  • Medical history and prior treatments
  • Medications and allergies mentioned
  • Health concerns and questions asked
  • Visual information from video consultations
  • Audio information from video consultations
  • Chat messages exchanged during consultations

For billing and payment:

  • Insurance information (if applicable)
  • Diagnosis codes (if provided by healthcare provider)
  • Procedure codes
  • Payment information associated with medical services

Documents you or your provider upload:

  • Medical records and test results
  • Prescriptions and medication lists
  • Imaging reports (X-rays, MRIs, etc.)
  • Lab results
  • Provider consultation notes

IMPORTANT: We collect this information to provide technology services. Healthcare providers, not Medikah, are responsible for the medical content and accuracy.

2.2 Personal Identification Information

To operate the platform:

  • Full name, date of birth, gender
  • Email address, phone number, mailing address
  • Country of residence and preferred language
  • Emergency contact information (optional)
  • Government-issued ID (for identity verification, if required)

2.3 Account and Technical Information

Platform usage:

  • Username and encrypted password
  • Login timestamps and IP addresses
  • Device information (browser type, operating system)
  • Pages visited and features used
  • Video call session metadata (duration, participants, timestamps)
  • Payment transaction records
  • Customer support communications

2.4 Information from Healthcare Providers

With your authorization, providers may share:

  • Medical records and treatment notes
  • Diagnostic results and test findings
  • Prescription information
  • Appointment summaries
  • Insurance verification data
  • Care coordination communications

2.5 Information We Do NOT Collect

We do not collect:

  • Genetic information (unless you explicitly provide it during a consultation)
  • Social Security numbers (except when required for insurance processing in your jurisdiction)
  • Financial account numbers (credit cards processed by third-party payment processor)
  • Unnecessary personal information unrelated to platform services

3. How We Use Your Information

3.1 Primary Uses (Technology Platform Services)

Provide Video Conferencing:

  • Enable secure, HIPAA-compliant video consultations
  • Facilitate communication between you and healthcare providers
  • Record sessions (only if you and your provider consent, and only with clear disclosure)
  • Store chat messages exchanged during sessions

Process Payments:

  • Coordinate billing between you and healthcare providers
  • Process payments securely through third-party processors
  • Handle insurance claims (if applicable)
  • Maintain payment records

Coordinate Care:

  • Schedule appointments with providers
  • Transfer medical records securely
  • Manage referrals between providers
  • Track follow-up appointments
  • Facilitate translation services when needed

Platform Operations:

  • Maintain your account
  • Provide customer support
  • Improve platform functionality
  • Ensure security and prevent fraud
  • Comply with legal obligations

3.2 Secondary Uses (With Your Consent)

We may use de-identified, aggregated data for:

  • Quality improvement analysis
  • Platform usage statistics
  • Service enhancement research
  • Public health studies (anonymized data only)

We will NEVER:

  • Use your identifiable health information for marketing
  • Sell your health information
  • Use your data for advertising
  • Share with third parties for commercial purposes unrelated to your healthcare

3.3 Legal and Safety Uses (Without Additional Consent)

We may use or disclose information when:

  • Required by valid court order or legal subpoena
  • Mandated by public health authorities (disease reporting)
  • Necessary to prevent serious threats to health or safety
  • Requested by law enforcement with proper authorization
  • Required for regulatory compliance or audits
  • Necessary to defend against legal claims

4. Cross-Border Data Transfers and International Consultations

4.1 Understanding Cross-Border Healthcare

Critical Information for International Patients:

When you use Medikah to connect with healthcare providers in different countries, your health information crosses international borders. Examples:

  • US patient consulting with Mexican healthcare provider
  • Mexican patient consulting with US healthcare provider
  • Video consultation between patient and provider in different countries

This means:

  • Your data is transmitted internationally
  • Different privacy laws may apply
  • Data may be stored in multiple countries
  • Healthcare regulations vary by jurisdiction

4.2 Cross-Border Medical Tourism Consultations

IMPORTANT NOTICE — PLEASE READ CAREFULLY:

When you participate in a video consultation with a healthcare provider licensed in a different country than where you are located:

The Provider May NOT Be Licensed in Your Location:

  • A Mexican physician may not be licensed to practice medicine in the United States
  • A US physician may not be licensed to practice medicine in Mexico
  • Consultations may be for informational and planning purposes only (see Terms of Service)

Different Legal Protections Apply:

  • Medical care provided in another country is subject to that country’s laws
  • Your home country’s medical malpractice laws may not apply
  • Regulatory oversight differs by jurisdiction
  • Privacy protections may vary

Your Information Crosses Borders:

  • Health data transmitted from US to Mexico (or vice versa)
  • Subject to privacy laws of both countries
  • Stored on servers that may be in different countries
  • Accessible to providers in multiple jurisdictions

You acknowledge and consent to these cross-border data transfers when using our platform for international consultations.

4.3 How We Protect Cross-Border Transfers

Legal Mechanisms:

  1. Standard Contractual Clauses (SCCs): EU-approved contracts for international data transfers
  2. Business Associate Agreements: HIPAA-compliant contracts with all providers
  3. Encryption: All data encrypted in transit and at rest
  4. Access Controls: Limited access based on need and authorization
  5. Adequacy Assessments: We evaluate privacy protections in destination countries
  6. Your Consent: Explicit authorization for international coordination

Data Storage Locations:
Primary servers: United States (HIPAA-compliant data centers)
Backup servers: Geographically distributed
Provider access: From their licensed jurisdiction
Data residency: Complies with applicable laws

Your Right to Object: You can limit cross-border data sharing, but this will prevent us from facilitating international consultations.

4.4 Jurisdiction-Specific Protections

For US Patients:

  • HIPAA protections apply to US-based providers
  • State data breach notification laws apply
  • California residents: CCPA/CPRA rights apply
  • Cross-border transfers use approved mechanisms

For Mexican Patients:

  • LFPDPPP protections apply
  • ARCO rights respected (Access, Rectification, Cancellation, Opposition)
  • Cross-border transfers require consent
  • Mexican data protection standards maintained

For Brazilian Patients:

  • LGPD protections apply
  • International transfer safeguards implemented
  • Data subject rights respected
  • ANPD guidance followed

5. How We Share Your Information

5.1 Healthcare Providers

We share your information with:

  • Healthcare providers you choose to consult
  • Providers involved in your care coordination
  • Specialists to whom you’re referred
  • Healthcare facilities where you receive treatment

Sharing Method: Secure, encrypted transmission via HIPAA-compliant channels

Authorization: You authorize these disclosures when using our platform. You can restrict certain disclosures by contacting your healthcare provider.

5.2 Payment and Insurance

We share necessary information with:

  • Your insurance company (for coverage verification and claims)
  • Payment processors (for billing services)
  • Medical billing services (for claims preparation)

What We Share: Only information necessary for payment purposes. We minimize sharing of clinical details to payment processors.

5.3 Service Providers (Business Associates)

We work with trusted third parties:

Video Platform Providers: Cloud video infrastructure. All have signed Business Associate Agreements.

Payment Processors: PCI-DSS compliant payment gateways. Subject to Business Associate Agreements.

Cloud Storage and Hosting: HIPAA-compliant cloud providers. Encrypted data storage. Subject to Business Associate Agreements.

Communication Services: Secure messaging platforms, email service providers, translation services (HIPAA-compliant).

IT Security: Cybersecurity monitoring services, intrusion detection systems, encryption infrastructure.

All service providers:

  • Sign Business Associate Agreements (BAAs)
  • Commit to HIPAA compliance and equivalent international standards
  • Are contractually prohibited from using your data for their own purposes
  • Must report breaches to Medikah

5.4 What We Do NOT Share

We will NEVER share your information with:

  • Marketing companies or advertisers
  • Social media platforms (for advertising)
  • Data brokers or analytics companies (for commercial purposes)
  • Third parties for purposes unrelated to your healthcare
  • Anyone without proper authorization

6. How We Protect Your Information

6.1 Technical Safeguards

Encryption: All data encrypted in transit using TLS 1.3. All data encrypted at rest using AES-256 encryption. End-to-end encryption for video consultations.

Access Controls: Role-based access permissions. Multi-factor authentication for all accounts. Automatic session timeouts. Principle of least privilege.

Network Security: Firewalls and intrusion detection systems. 24/7 security monitoring. Regular penetration testing. DDoS protection.

Video Security: Unique, non-reusable meeting IDs. Waiting rooms for provider authorization. Recording controls with clear notification. Automatic session termination.

Audit Logging: Detailed logs of who accessed what information and when. Tamper-proof audit trails. Regular log reviews. Retention per legal requirements.

6.2 Administrative Safeguards

Workforce Training: All employees trained on HIPAA and privacy requirements. Regular security awareness training. Role-specific privacy training. Annual refresher courses.

Policies and Procedures: Written privacy and security policies. Incident response procedures. Breach notification protocols. Data retention and deletion schedules.

Vendor Management: All vendors undergo security assessments. Business Associate Agreements required. Regular vendor audits. Contract compliance monitoring.

6.3 Physical Safeguards

Data Center Security: HIPAA-compliant, SOC 2 certified facilities. 24/7 physical access controls. Video surveillance. Environmental controls.

Device Security: Encrypted devices for all staff. Remote wipe capabilities. Secure disposal of hardware.

6.4 Data Retention and Deletion

Active Platform Use:

  • Account information: While you maintain an account
  • Medical records: As needed for care coordination and legal requirements
  • Video recordings: Only if both parties consent; retained per agreement
  • Chat messages: Retained for legal requirements (typically 6 years)
  • Audit logs: Minimum 6 years per HIPAA requirements

After Account Closure:

  • Medical records: Minimum legal retention (6–10 years depending on jurisdiction)
  • Payment records: Tax and accounting requirements (typically 7 years)
  • Communication logs: Regulatory requirements (typically 6 years)

After retention periods expire, data is securely deleted or anonymized. You can request early deletion, subject to legal retention obligations.

How to Request Deletion: Email privacy@medikah.health with “Data Deletion Request”


7. Your Privacy Rights

7.1 Rights Under HIPAA (US Patients)

Important: Most HIPAA rights are exercised through your healthcare provider, not Medikah, because providers are the Covered Entities responsible for your care.

Right to Access: Request copies of your health information stored on our platform. Submit the request to your healthcare provider, or contact Medikah at privacy@medikah.health for technical records.

Right to Amendment: Request corrections to inaccurate health information. Request must be made to your healthcare provider. Medikah can correct account information.

Right to Accounting of Disclosures: Request list of PHI disclosures made by Medikah (past 6 years). Contact privacy@medikah.health. We provide within 60 days.

Right to Request Restrictions: Request limits on how providers use or disclose your information. Must be requested from healthcare provider.

Right to Confidential Communications: Request we communicate via alternative email, phone, or address. We accommodate reasonable requests. No explanation required.

7.2 Rights Under State Law

California Residents (CCPA/CPRA):

  • Right to Know: What personal information we collect and how we use it
  • Right to Delete: Request deletion of your information (subject to legal exceptions)
  • Right to Opt-Out: We don’t sell your information, so no opt-out needed
  • Right to Non-Discrimination: We won’t discriminate for exercising privacy rights
  • Right to Correct: Request correction of inaccurate information

Exercise Rights: Email privacy@medikah.health with “California Privacy Request”

7.3 Rights Under International Law

European Union/EEA Residents (GDPR):

  • Right to Access, Rectification, Erasure (“Right to be Forgotten”)
  • Right to Restrict Processing, Data Portability, Object
  • Right to Withdraw Consent, Lodge Complaint with supervisory authority

Brazilian Residents (LGPD): Right to confirmation of processing, access, correction, anonymization, blocking, deletion, portability, information about sharing, withdraw consent, petition ANPD.

Mexican Residents (LFPDPPP): ARCO rights: Access, Rectification, Cancellation, Opposition. Right to revoke consent and limit use and disclosure. Request via privacy@medikah.health or dpo@medikah.health.

7.4 How to Exercise Your Rights

Email: privacy@medikah.health
Subject Line: Include “Privacy Rights Request” or “HIPAA Request”
Include: Your name, email, description of request, identity verification

Response Time: HIPAA requests: 30 days. CCPA requests: 45 days. GDPR requests: 30 days. Other jurisdictions: As required by local law.

7.5 Breach Notification Rights

If your information is breached, we will notify you:

  • Within 60 days of discovering the breach (or sooner if required by law)
  • Via email to address on file
  • Including: What happened, what information was affected, what we’re doing, what you should do

We will provide credit monitoring or identity protection services if financial information is affected.


8. Cookies and Tracking Technologies

8.1 What We Use

Essential Cookies (Required for Platform): Authentication, security, preferences, video session management.

Analytics Cookies (Optional, You Can Disable): Usage patterns, error tracking, performance monitoring, platform improvement data.

What We DON’T Use: Advertising cookies, social media tracking, third-party marketing trackers, cross-site tracking for advertising.

8.2 Your Control

You can disable cookies through browser settings. Some platform features may not work without essential cookies. We honor Do Not Track signals where technically feasible.


9. Children’s Privacy

Medikah is not designed for independent use by children under 13.

Users under 18 require parent/guardian consent. Parents can create and manage accounts for minors. We do not knowingly collect information from children under 13 without verifiable parental consent. If we learn we’ve collected such information, we delete it immediately.

Parents can contact privacy@medikah.health to review or delete a child’s information.


10. Changes to This Policy

When We Update:

  • Post new policy with updated “Last Updated” date
  • Email notification for material changes
  • Platform notification for significant changes affecting rights
  • 30-day notice period before material changes take effect

Continuing to use the platform after the effective date constitutes acceptance of the updated policy. To object to changes, discontinue use before the effective date. Contact us with concerns: privacy@medikah.health


11. International Users

11.1 Multi-Jurisdictional Compliance

Medikah operates across multiple countries with different privacy laws. We comply with the most protective standard applicable to your situation.

United States: HIPAA, state privacy laws (CCPA, etc.), state breach notification laws.

Mexico: LFPDPPP, ARCO rights, INAI oversight.

Brazil: LGPD, ANPD oversight, international transfer safeguards.

European Union/EEA: GDPR, supervisory authority oversight, strict cross-border transfer rules.

Other Countries: Local healthcare privacy laws apply. Contact dpo@medikah.health for jurisdiction-specific questions.

11.2 Legal Basis for Processing (GDPR)

For EU/EEA users, we process your information based on: Consent, Contract Performance, Legal Obligation, Vital Interests, and Legitimate Interests (only for non-sensitive data).

11.3 Data Protection Officer

Email: dpo@medikah.health


12. How to Contact Us

Privacy Questions or Requests

Email: privacy@medikah.health
Response Time: Within 30–60 days depending on jurisdiction and request type

Data Protection Officer

Email: dpo@medikah.health

File a Complaint

With Medikah: privacy@medikah.health (we will not retaliate for complaints)

With Regulatory Authorities:

  • United States: U.S. Department of Health and Human Services, Office for Civil Rights — www.hhs.gov/ocr/privacy/hipaa/complaints
  • California: California Attorney General — oag.ca.gov/privacy
  • Mexico: Instituto Nacional de Transparencia (INAI) — www.inai.org.mx
  • Brazil: Autoridade Nacional de Proteção de Dados (ANPD) — www.gov.br/anpd
  • European Union: Your local Data Protection Authority

13. Definitions

  • Protected Health Information (PHI): Individually identifiable health information regulated by HIPAA (US)
  • Business Associate: Technology platform that handles PHI on behalf of healthcare providers (Covered Entities)
  • Covered Entity: Healthcare provider, health plan, or healthcare clearinghouse subject to HIPAA
  • De-identified Data: Information stripped of identifiers so it cannot be linked back to you
  • Minimum Necessary: Only the information needed to accomplish a specific purpose
  • Standard Contractual Clauses (SCCs): EU-approved contracts for international data transfers
  • Cross-Border Transfer: Transmission of data from one country to another

Acknowledgment

By using Medikah’s platform, you acknowledge that you have read and understood this Privacy Policy, and you consent to cross-border data transfers for international consultations, use of your information as described in this policy, and the Business Associate relationship between Medikah and your healthcare providers.


Healthcare Technology That Crosses Borders.
Privacy Protection That Never Does.

Medikah Corporation
HIPAA-Compliant Technology Platform
Incorporated in Delaware, USA
Operating: Texas, California, Mexico

This Privacy Policy was last updated on February 1, 2026.