Consumer Health Data Privacy Policy
This document is a template and should be reviewed by legal counsel before use.
Last updated: January 1, 2026
Elm Tree Health (“Elm Tree,” “we,” “us,” or “our”) is committed to transparency about how we collect, use, and protect consumer health data. This Consumer Health Data Privacy Policy supplements our general Privacy Policy and applies to consumer health data as defined by applicable state laws, including the Washington My Health My Data Act, Nevada Senate Bill 370, and similar legislation.
1. What Is Consumer Health Data?
Consumer health data is personal information that identifies or is reasonably linkable to a consumer and that identifies the consumer's past, present, or future physical or mental health status. This may include, but is not limited to:
- Health conditions, diagnoses, treatment history, and medications.
- Use of healthcare services, including telehealth visits.
- Bodily functions, vital signs, and biometric data.
- Information about attempts to seek healthcare services or supplies.
- Gender-affirming care information.
- Reproductive or sexual health information.
- Precise location information that could indicate attempts to obtain health services.
Note: Health data that is already regulated under HIPAA or other federal health privacy laws may be exempt from certain state consumer health data laws. This policy addresses data that falls within the scope of applicable state regulations.
2. Consumer Health Data We Collect
In the course of providing our telehealth services, we may collect the following categories of consumer health data:
- Health history and conditions: information you provide during scheduling and your Annual Wellness Visit, including medical history, current symptoms, medications, and allergies.
- Healthcare service usage: records of your telehealth visits, including dates, duration, and visit summaries.
- Wellness assessment data: responses to health risk assessments, screening questionnaires, and preventive care plans.
- Geolocation data: approximate location information used to verify you are in a state where we are authorized to provide services.
3. Purposes of Collection and Use
We collect and use consumer health data for the following purposes:
- Providing, managing, and improving our telehealth services.
- Conducting your Annual Wellness Visit and creating your personalized wellness plan.
- Verifying Medicare eligibility and processing claims.
- Communicating appointment reminders, wellness recommendations, and service updates.
- Ensuring the safety, security, and integrity of our services.
- Complying with applicable legal and regulatory requirements.
- Internal research and analytics to improve health outcomes and service quality.
4. Sharing of Consumer Health Data
We do not sell consumer health data. We may share consumer health data with:
- Healthcare providers: licensed clinicians involved in your care.
- Service providers: third-party companies that help us operate our platform, process payments, and deliver services, bound by contractual data protection obligations.
- Government agencies: when required by law or regulation, such as Medicare claims processing.
- Other parties with your consent: when you direct us to share your information with a specific party.
5. Your Rights
Depending on your state of residence, you may have the following rights regarding your consumer health data:
- Right to know: you may request confirmation of whether we are collecting, sharing, or selling your consumer health data and obtain a list of third parties and affiliates with whom we have shared your data.
- Right to access: you may request a copy of the consumer health data we have collected about you.
- Right to delete: you may request deletion of your consumer health data, subject to certain exceptions (e.g., legal retention requirements).
- Right to withdraw consent: if we process your consumer health data based on your consent, you may withdraw that consent at any time.
- Right to non-discrimination: we will not discriminate against you for exercising your rights.
6. Data Security
We implement administrative, technical, and physical safeguards to protect consumer health data from unauthorized access, disclosure, alteration, and destruction. These measures include data encryption in transit and at rest, role-based access controls, regular security audits, and employee training on data handling practices. Despite these efforts, no security measures are perfect, and we cannot guarantee absolute security.
7. Data Retention
We retain consumer health data only for as long as necessary to fulfill the purposes described in this policy or as required by applicable law. Medical records are retained in accordance with HIPAA and state retention laws (typically a minimum of six years). When consumer health data is no longer needed, we securely delete or de-identify it.
8. How to Exercise Your Rights
To exercise any of the rights described above, or to ask questions about our consumer health data practices, please contact us using any of the following methods:
- Email: privacy@elmtreehealth.com
- Phone: (800) 555-0142
- Mail: Elm Tree Health, 1234 Wellness Ave, Suite 200, Arlington, VA 22201
We will verify your identity before processing your request and respond within the timeframe required by applicable law. If we deny your request, we will provide an explanation and information about how to appeal.
9. Changes to This Policy
We may update this Consumer Health Data Privacy Policy from time to time. When we make material changes, we will post the revised policy on this page and update the “Last updated” date. Your continued use of our services after changes are posted constitutes your acceptance of the revised policy.