CharterMD Privacy Policy
Last updated: 2026-06-02 · **Draft pending final review by licensed counsel.** This policy describes our current practices; material changes will be re-published with a new effective date.
1. Who we are
CharterMD LLC ("CharterMD", "we", "us") provides a software platform that independent, licensed physicians use to deliver direct-care and telehealth services. When your Provider uses CharterMD to deliver care, CharterMD acts as a Business Associate (under HIPAA) of your Provider, who is the Covered Entity. We handle Protected Health Information ("PHI") only to provide the Platform and as permitted by our Business Associate Agreements (BAAs) and law.
2. Information we collect
- Account data: name, email, password hash, MFA/passkey credentials, role.
- Patient health data: intake responses, vitals, visit notes, prescriptions, lab orders/results, secure messages, and video-visit metadata.
- Provider data: NPI, DEA registration, state licenses, practice details.
- Identity verification: government-ID images and selfies you submit for verification (stored by reference; we do not retain full ID numbers in plain text).
- Payment data: processed by Square. We store payment-processor identifiers (e.g., customer/card tokens) — not full card numbers.
- Usage & security data: audit logs of access, IP address, device/browser, and similar technical data.
3. How we use information
- To operate the Platform's clinical and administrative workflows.
- To facilitate care between you and your Provider.
- To process payments and memberships.
- To secure the Platform, detect abuse, and maintain audit trails.
- To meet legal and regulatory obligations (HIPAA, state telehealth and controlled-substance rules).
We do not sell your personal information. Our AI features run on Azure OpenAI under our Microsoft BAA and are not used to train third-party foundation models on your data.
4. How we share information
We share information only as needed to provide the Platform and as law allows:
- Your Provider and their authorized practice staff, for your care.
- Microsoft Azure (one Microsoft BAA) — hosting, database, email + video (Azure Communication Services), clinical AI (Azure OpenAI), storage, registry, and Key Vault.
- Cloudflare — DNS and TLS only; no PHI traverses Cloudflare, so a BAA is not required for this use.
- Square — payment processing only; Square receives the financial data needed to charge you, not your medical record. No PHI is shared with Square.
- Pharmacies, labs, and e-prescribing networks you and your Provider direct us to transmit to, when those integrations are enabled.
- Legal/compliance: when required by law, subpoena, or to protect rights and safety.
5. Security
We use encryption in transit (TLS) and at rest, role-based access controls, multi-factor authentication, audit logging, and least-privilege access. No system is perfectly secure, but we work to protect your information and to meet the HIPAA Security Rule's safeguards.
6. Data retention
Medical records are retained as required by law (generally at least six years) regardless of membership status. Other data is retained as long as needed for the purposes above or as law requires, then deleted or de-identified.
7. Your rights
Subject to law, you may access the PHI we hold (self-service export in the Platform), request amendment of inaccurate records, request an accounting of certain disclosures, and restrict or revoke certain authorizations (with limits where care or law requires retention). Where applicable state privacy laws grant additional rights, you may exercise them by contacting us. Use Settings → My Data, or contact privacy@chartermd.ai.
8. Breach notification
If a breach of unsecured PHI occurs, we will notify the affected Provider (Covered Entity) and support required notifications to individuals and authorities within the timeframes required by the HIPAA Breach Notification Rule.
9. Children
The Platform is intended for adults (18+) or minors with verified guardian consent where permitted.
10. Changes
We may update this policy; material changes will be posted with a new "Last updated" date and, where required, communicated to you.
11. Contact
Privacy questions or requests: privacy@chartermd.ai. For HIPAA matters, your Provider is the Covered Entity and may also be contacted directly.