1. Scope & Who We Are
This Privacy Policy describes how DocsMD™ ("DocsMD," "we," "us," or "our") collects, uses, discloses, and protects information when healthcare practices use our autonomous operations engine and when patients of those practices receive automated communications from us on behalf of their healthcare provider.
DocsMD™ is operated by DocsMD LLC, an Arizona limited liability company headquartered at 24871 S Ellsworth Rd, Suite 100-170, Queen Creek, AZ 85142. Contact: hello@docsmd.com.
Important distinction: When DocsMD acts on behalf of a healthcare practice that has engaged us as a HIPAA Business Associate, the practice (not DocsMD) is the controller of Protected Health Information ("PHI"). DocsMD processes PHI strictly under the terms of a signed Business Associate Agreement ("BAA") with each practice. Patients with questions about how their healthcare provider uses their information should contact their provider directly.
2. Information We Collect
From Healthcare Practices
- Practice name, address, specialty, and business contact information
- Practice manager and authorized user account information
- Patient list data imported into our system (name, phone number, email, date of birth, appointment history, last visit, clinical encounter notes from the practice's Electronic Health Record)
- Billing and subscription information
From Patients (Indirectly, Through the Practice)
- Name, phone number, and email address provided by the patient to the healthcare practice during intake
- Appointment history and scheduling preferences
- Inbound text message replies sent to the practice's DocsMD-managed phone number
- Clinical encounter context provided by the practice to support personalized communications
Automatically Collected
- System usage data, log files, IP addresses, and browser and device information from users of our dashboards
- Timestamps and delivery status of automated communications sent on behalf of practices
3. How We Use Information
We use the information we collect to:
- Operate the DocsMD autonomous operations engine on behalf of the healthcare practice
- Detect operational gaps (missed calls, idle patients, scheduling failures, referral delays) and execute corrective patient communications
- Send appointment reminders, missed-call follow-ups, and patient re-engagement messages on behalf of the practice
- Process patient replies (YES, CANCEL, BOOK, STOP, etc.) and update appointment records accordingly
- Provide dashboards, reports, and operational metrics to the practice
- Improve system performance, accuracy, and effectiveness
- Maintain audit logs and comply with legal obligations including HIPAA
- Bill and collect subscription fees
4. SMS / Text Messaging Program
Program Description: DocsMD operates an SMS/text messaging program on behalf of contracted healthcare practices. Messages include appointment reminders, missed-call follow-ups, cancellation/rescheduling notifications, and patient re-engagement communications. Messages are sent only to existing patients of the practice who have provided their phone number and consented to receive text communications during the practice's patient intake.
Message Types
- Appointment Reminders: "Hi [Name], this is a reminder from [Practice Name]. Your appointment is tomorrow at [time]. Reply YES to confirm or CANCEL to cancel. Reply STOP to opt out."
- Missed Call Follow-up: "Hi [Name], we missed your call at [Practice Name]. We would love to help you schedule an appointment. Reply BOOK to get started or call us at [phone]. Reply STOP to opt out."
- Re-engagement & Other Care-Related Communications
Message Frequency
Message frequency varies based on the patient's appointment activity, response behavior, and the practice's communication preferences. Typical frequency is 1–4 messages per month per patient. Frequency may be higher around scheduled appointments.
Costs
Standard message and data rates may apply, depending on the recipient's mobile carrier and plan. DocsMD does not charge patients for messages received.
Supported Carriers
Messages are delivered via Twilio's A2P 10DLC-registered messaging service. Carrier support includes AT&T, T-Mobile, Verizon, and other major U.S. mobile carriers. Carriers are not liable for delayed or undelivered messages.
HELP & STOP
Reply HELP at any time for assistance, or contact the practice directly. Reply STOP, CANCEL, END, QUIT, UNSUBSCRIBE, or REVOKE to opt out of all future automated messages from the practice via the DocsMD system. After opting out, you will receive one confirmation message and no further automated communications.
5. Consent & Opt-Out
Patients consent to receive automated text messages from their healthcare practice at the time of patient intake, by providing their mobile phone number and acknowledging the practice's communication preferences. DocsMD only contacts existing patients of practices that have engaged us as their automated communications provider.
Opting Out is Permanent and Immediate. Reply STOP (or any opt-out keyword listed above) to any DocsMD message. Your opt-out is recorded permanently in our system and applies to all future automated communications from any DocsMD-operated practice, until you explicitly re-subscribe by replying START.
6. How We Share Information
We do not sell personal information. We do not use personal information for advertising. We share information only as follows:
- With the Healthcare Practice: All information collected on behalf of a practice is shared with and accessible to that practice
- With Subprocessors: Service providers who help us operate the platform under signed agreements (see Subprocessors below)
- For Legal Reasons: When required by law, court order, or to protect the rights and safety of DocsMD, the practice, the patient, or others
- In a Business Transfer: If DocsMD is acquired or merged, information may transfer to the acquiring entity subject to this Privacy Policy
7. Subprocessors
DocsMD uses the following subprocessors to deliver its services. All subprocessors handling PHI have executed Business Associate Agreements:
| Subprocessor | Purpose | Data Handled |
|---|---|---|
| Airtable, Inc. | Database / data store | Practice and patient records (PHI under BAA) |
| Make.com (Celonis) | Workflow automation orchestration | Patient records, scheduling data (PHI under BAA) |
| Twilio Inc. | SMS and voice telephony | Phone numbers, message content (PHI under BAA) |
| Anthropic, PBC | AI / large language model processing | De-identified or contextual data for message generation |
| Netlify (BVL) | Web hosting (dashboards) | System usage, log files, no direct PHI storage |
| Stripe, Inc. | Payment processing | Practice billing information (no PHI) |
8. Data Security
We protect information using the following measures:
- Transport Layer Security (TLS 1.2+) for all data transmitted between systems
- AES-256 encryption at rest in our subprocessor data stores
- Access controls and authentication for authorized users
- Audit logging of access to patient records
- Permanent opt-out enforcement checked before every outbound communication
- Regular security review and incident response procedures
No system is perfectly secure. In the event of a security incident affecting PHI, we will notify the affected practice in accordance with the HIPAA Breach Notification Rule.
9. HIPAA Compliance
DocsMD operates as a HIPAA Business Associate to contracted healthcare practices. We:
- Execute a Business Associate Agreement (BAA) with each practice before any PHI is accessed or stored
- Execute BAAs with all subprocessors that handle PHI
- Limit access to PHI to the minimum necessary to perform our services
- Provide patients with access to their PHI through the practice upon request, in accordance with HIPAA
- Comply with the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule
10. Your Rights
Depending on your location, you may have the following rights regarding your information:
- Access: Request a copy of the information we hold about you (through your healthcare practice for PHI)
- Correction: Request correction of inaccurate information
- Deletion: Request deletion, subject to legal retention requirements
- Opt-Out of Communications: Reply STOP to any text message, or contact your practice
- Data Portability: Request your data in a portable format
- California Residents: Rights under the California Consumer Privacy Act (CCPA), including no sale of personal information
To exercise these rights, contact your healthcare practice (for PHI) or DocsMD directly at hello@docsmd.com.
11. Data Retention
We retain information as long as needed to provide our services to the practice and to comply with legal obligations. Audit logs are retained for a minimum of six (6) years in accordance with HIPAA. Upon termination of a practice's account, PHI is returned to the practice or destroyed as specified in the BAA.
12. Children's Privacy
DocsMD services are directed to healthcare practices and their adult patients. We do not knowingly collect information directly from children under 13. When practices serve pediatric patients, the practice (not DocsMD) is responsible for parental consent and HIPAA compliance regarding minors' PHI.
13. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated to practices and posted with an updated effective date at the top of this page.
14. Contact Us
For questions about this Privacy Policy or our practices:
DocsMD™
DocsMD LLC
24871 S Ellsworth Rd, Suite 100-170
Queen Creek, Arizona 85142, USA
Email: hello@docsmd.com