Defy Medical Privacy Policy
DEFY MEDICAL, LLC
Effective Date: December 9, 2025
This Notice describes how medical information about you may be used and disclosed and how you can get access to this information. Please review it carefully.
For purposes of this Notice, ‘Services’ has the same meaning as in our Terms of Service.
1. Who This Notice Covers
This Notice applies to:
- Defy Medical, LLC (“Defy Medical,” “we,” “us,” or “our”).
- Any health care professional authorized to enter information into your medical record maintained by Defy Medical.
- Any persons or companies with whom Defy Medical contracts to provide services and who have access to your medical information as our Business Associates.
- All Defy Medical locations, staff, and workforce members.
All of these parties follow the terms of this Notice. They may share information with each other for treatment, payment, and health care operations and other purposes described in this Notice.
2. Our Legal Duties
When we handle your health information in connection with providing care, that information is “Protected Health Information” (“PHI”) under HIPAA.
We are legally required to:
- Maintain the privacy and security of your PHI.
- Give you this Notice of our legal duties and privacy practices.
- Follow the terms of the Notice that are currently in effect.
- Notify you following a breach of your unsecured PHI as required by law.
We also maintain other personal information (for example, when you visit our websites, contact us, or purchase services). We treat that information in accordance with this Notice and other applicable laws, but it may not all be PHI.
By using our services, including our websites, you acknowledge the data practices described in this Notice.
3. How We May Use and Disclose Your Medical Information
Not every use or disclosure is listed, but all fall within categories permitted or required by law.
A. Treatment
We may use and disclose your medical information to provide, coordinate, or manage your medical care. For example:
- A practitioner treating you for testosterone deficiency may need to know if you have diabetes.
- We may share information with laboratories, pharmacies, or other providers involved in your care.
- With your written authorization or as required by law, we may share your records with other providers, family members, or designated decision-makers.
B. Payment
We may use and disclose your medical information to bill and collect payment from you or a third party and to support the payment activities of other providers involved in your care.
Currently, Defy Medical does not accept insurance of any kind. These descriptions apply if and when we submit claims to health plans or insurers on your behalf in the future.
We may disclose information to other health care providers for their payment activities concerning you, after receiving your written authorization or as required by law.
C. Health Care Operations
We and our Business Associates may use and disclose your medical information for health care operations, such as:
- Quality assessment and improvement.
- Reviewing provider performance.
- Training staff and providers.
- Managing and operating our business.
- Conducting internal audits, compliance programs, and risk management.
- Evaluating which services to offer or discontinue.
When we de‑identify information so that it no longer identifies you, we do so in accordance with HIPAA’s de‑identification standard at 45 C.F.R. §164.514, using either the “Safe Harbor” method (removing specified identifiers) or the “Expert Determination” method, and we do not have actual knowledge that the remaining information can be used to identify you.
Business Associates
We may share PHI with third-party contractors and service providers (“Business Associates”) that perform functions or services on our behalf, such as hosting, IT support, billing, analytics, or document management. When we do so, we require these Business Associates to sign written agreements that obligate them to safeguard PHI and to use and disclose PHI only as permitted by us and by law, consistent with HIPAA’s Business Associate requirements. We also review and oversee Business Associates as part of our ongoing compliance and risk management activities.
D. Appointment Reminders
We may use and disclose your information to contact you with appointment reminders by phone, text, portal message, or email, unless you ask us to use a different method or limit such communications.
E. Treatment Alternatives and Health-Related Benefits
We may use and disclose your medical information to tell you about treatment options, health-related benefits, or services that may be of interest to you.
F. Research
Under certain conditions, we may use and disclose medical information for research, including:
- Using de-identified information for research without your authorization.
- Allowing researchers to review information on-site to prepare research, provided the information does not leave Defy Medical without appropriate approvals.
If research involves your identifiable PHI in a way that requires your authorization, we will obtain your written authorization unless an institutional review board or privacy board waives that requirement as permitted by law.
G. Individuals Involved in Your Care or Payment
We may disclose medical information to a family member, friend, or another person you identify as being involved in your care or helping to pay for your care. This includes persons named in a health care power of attorney or similar document.
If you are not present or cannot agree or object, we may use our professional judgment to determine whether disclosure is in your best interests.
We may disclose information to disaster relief organizations to help notify your family about your condition, status, or location.
H. Public Health and Safety
We may disclose medical information without your authorization for public health and safety purposes, including to:
- Report, prevent, or control disease, injury, or disability.
- Report births and deaths.
- Report adverse events or product problems.
- Notify people of product recalls.
- Notify persons who may have been exposed to a disease or may be at risk for spreading or contracting a condition.
- Report suspected abuse, neglect, or domestic violence to authorized agencies.
I. Health Oversight Activities
We may disclose medical information to health oversight agencies for activities authorized by law, such as audits, investigations, inspections, licensure, and monitoring of the health care system and government programs.
J. Food and Drug Administration (FDA)
We may disclose information to persons or companies required by the FDA to report adverse events, track products, enable recalls, or perform post-marketing surveillance.
K. Lawsuits and Disputes
If you are involved in a lawsuit or legal dispute, we may disclose medical information in response to:
- A court or administrative order.
- A subpoena or discovery request, when permitted by law and after efforts to notify you or obtain protective measures as required.
L. Law Enforcement
We may disclose medical information to law enforcement officials as allowed or required by law, for example:
- In response to a court order, warrant, summons, or similar process.
- To report certain injuries (such as gunshot or stab wounds) as required by law.
- To locate a suspect, fugitive, material witness, or missing person.
- To report a death or injury that may be the result of criminal conduct.
- To report suspected criminal conduct occurring at Defy Medical facilities.
M. To Avert a Serious Threat to Health or Safety
We may disclose information when necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public, consistent with applicable law.
N. Organ and Tissue Donation
If you are an organ donor, we may disclose medical information to organizations involved in organ, eye, or tissue procurement, banking, or transplantation.
O. Military, Veterans, National Security, and Protective Services
We may disclose medical information:
- For certain activities of the armed forces if you are in the military.
- To authorized federal officials for national security, intelligence, or protective services for the President and others, as permitted by law.
P. Workers’ Compensation
We may disclose medical information as authorized by workers’ compensation or similar laws, including to employers, insurers, or care managers involved in your work-related claim.
Q. Coroners, Medical Examiners, and Funeral Directors
We may disclose medical information to coroners, medical examiners, or funeral directors for purposes such as identifying a deceased person, determining cause of death, or carrying out their duties.
R. Inmates and Correctional Institutions
If you are an inmate or in custody, we may disclose medical information to correctional institutions or law enforcement officials as necessary:
- For your health care.
- To protect your health and safety or that of others.
- For the safety and security of the institution or transport personnel.
- For payment for services provided to you.
S. Psychotherapy Notes
Psychotherapy notes receive special protection. We will not use or disclose psychotherapy notes without your written authorization except as permitted by law (for example, to defend Defy Medical in a legal action, as required by law, or pursuant to a court order).
T. Marketing of Health-Related Products and Services
We may contact you about our own health-related products or services or those of another entity that are related to your care and permitted by law.
We do not use your PHI to create profiles for targeted advertising on third-party platforms, and we do not combine your PHI with cookies or similar online identifiers for remarketing or behavioral advertising. Where we send you communications about our services, we do so in a manner permitted by HIPAA and applicable state law, and you may opt out of non-required marketing communications at any time.
U. Sale of Medical Information
We do not sell your PHI. If we ever wish to receive direct or indirect payment in exchange for your PHI in a way that qualifies as a “sale” under HIPAA, we will obtain your specific written authorization in advance. Fees we charge to cover our costs of producing and transmitting records are not considered a sale.
V. Other Uses and Disclosures
Any uses or disclosures of your medical information not described in this Notice will be made only with your written authorization or as required by law. You may revoke any authorization in writing at any time, except to the extent we have already acted in reliance on it.
4. Your Rights Regarding Your Medical Information
You have the following rights with respect to your PHI. To exercise these rights, contact Defy Medical Management in writing at the address at the end of this Notice.
A. Right to Inspect and Copy
You have the right to inspect and receive a copy of medical information about you that we maintain, with certain limited exceptions (for example, information compiled for legal proceedings).
If we maintain your information electronically, you may request an electronic copy or direct us to send an electronic copy to a person or entity you designate.
We may charge a reasonable, cost-based fee for copying, mailing, or providing electronic copies. We may also provide a summary if you agree in advance and agree to any associated fees.
We may deny access in certain circumstances. If we deny access for specific reasons related to potential harm, you may have the right to have the denial reviewed by another licensed health care professional not involved in the original decision.
B. Right to Amend
If you believe the medical information we have about you is incorrect or incomplete, you may request an amendment as long as we maintain the information.
We may deny your request if:
- The information was not created by us (unless the creator is no longer available).
- The information is not part of the records we maintain.
- The information is not subject to inspection and copying.
- The information is already accurate and complete in our judgment.
If we deny your request, you may submit a written statement of disagreement to be included in your record.
C. Right to an Accounting of Disclosures
You have the right to request an accounting of certain disclosures of your PHI made in the six years before your request, excluding disclosures for treatment, payment, and health care operations and certain other disclosures (such as those you asked us to make).
We may charge a reasonable fee for more than one accounting request in a 12-month period.
D. Right to Request Restrictions
Except where we are required by law to disclose information, you may request restrictions on how we use or disclose your PHI. We are not generally required to agree, but if we do, we will comply unless the information is needed for emergency treatment or as otherwise permitted by law.
Special Rule: If you request that we not disclose PHI about a service to your health plan and you pay for that service in full out-of-pocket at the time of service, we are required to honor that restriction, unless the disclosure is otherwise required by law.
All restriction requests must be in writing and must specify:
- What information you want restricted.
- Whether the restriction applies to use, disclosure, or both.
- To whom the restriction applies.
E. Right to Request Confidential Communications
You may request that we communicate with you in a particular way (for example, only at work, by mail, or at an alternate address). We will accommodate reasonable requests and will not ask you to explain the reason.
F. Right to a Paper Copy of This Notice
You have the right to receive a paper copy of this Notice at any time, even if you previously agreed to receive it electronically.
G. Right to Notification of a Breach
If your unsecured PHI is subject to a breach, we will notify you as required by federal and applicable state law and describe what happened, what information was involved, steps you can take, and what we are doing in response.
5. Personal Information Collected Through Our Websites and Services
In addition to PHI, we may collect other personal information when you use our websites, portals, or contact us outside of clinical encounters.
A. Types of Information We Collect
Depending on how you interact with us, we may collect:
- Identifiers and contact information
Name, address, email, phone number, date of birth, account credentials.
- Transaction and payment information
Services purchased, order history, limited payment information (with payment card details generally handled by third-party processors).
- Usage and device information
IP address, browser type, device identifiers, pages visited, time spent, clickstream data, and similar information collected through cookies and other technologies.
- Communications and preferences
Messages you send us, survey responses, and your marketing preferences.
Some of this information may overlap with PHI; when it does, HIPAA protections apply.
B. How We Use Non-PHI Personal Information
We may use this information to:
- Operate, maintain, and improve our websites and Services.
- Provide customer support and respond to inquiries.
- Process orders and payments.
- Send administrative communications (such as confirmations, notices, and updates).
- Conduct analytics, security monitoring, fraud prevention, and debugging.
- Comply with legal obligations and enforce our agreements.
C. Sharing of Non-PHI Personal Information
We may share non-PHI personal information with:
- Service providers (for example, hosting providers, IT support, payment processors, analytics vendors, email platforms) who are contractually required to protect your information.
- Other parties as required by law or to protect our rights, safety, or property or that of others.
- Successors or assigns in connection with a proposed or actual merger, acquisition, or other business transaction, as allowed by law.
When non-PHI is combined with PHI, we treat the combined information as PHI. We do not use or disclose PHI to tracking or advertising technologies for targeted advertising or remarketing to you.
D. Website Tracking and Analytics
We use tools such as Microsoft Clarity and Google Analytics to understand how users interact with our public websites and to improve usability and performance.
These tools may collect information such as:
- IP address, device identifiers, and browser type.
- Pages visited, time spent, and interactions with page elements.
We configure our websites so that online tracking technologies (such as cookies, pixels, and analytics scripts) are not used on secure patient portals or other pages where you log in to view, submit, or manage your clinical information or records, and we do not intentionally permit these tools to collect or receive your lab results, diagnoses, detailed medical histories, or other clinical record content.
You may manage or disable certain cookies through your browser settings and, where available, through vendor-specific opt-out mechanisms. Disabling cookies may affect some website features but will not affect your access to clinical care.
We are not responsible for the privacy practices of Microsoft, Google, or other third parties, and you should review their privacy statements for details on their practices.
6. Artificial Intelligence (AI) and Your Information
To support efficient, high-quality, and patient-centered care, Defy Medical may use AI tools that help with:
- Drafting or organizing communications.
- Analyzing trends in de-identified or aggregated data.
- Supporting internal workflows, documentation, or quality improvement.
Our commitments:
- HIPAA and Legal Compliance
Any use of AI involving PHI complies with HIPAA, applicable state law, and our Business Associate Agreements. We do not permit AI vendors to use your PHI for their own independent purposes that are not allowed by law or our agreements.
- Minimum Necessary and De-Identification
Where we use AI tools with de‑identified or aggregated data derived from PHI, we do so only after meeting HIPAA’s de‑identification standards and subject to contractual safeguards that prohibit the AI vendor from attempting to re‑identify individuals or using the data for unrelated purposes.
- Human Oversight
Clinical decisions about your diagnosis, treatment, or care plan are always made or confirmed by licensed health care professionals. AI tools may assist with drafting, organizing, or analyzing information, but they do not independently diagnose, prescribe, or make final treatment decisions about you.
- No Unauthorized Marketing or Sale
We do not use AI tools to sell your PHI or to market third-party products in ways that require your written authorization without first obtaining that authorization.
- Business Associates and Vendor Oversight
When AI tools involve PHI, the vendors that provide those tools act as our Business Associates under HIPAA. We require such vendors to enter into written Business Associate Agreements that obligate them to: (1) use and disclose PHI only as permitted by us and by law; (2) implement appropriate administrative, technical, and physical safeguards; and (3) assist us with meeting our HIPAA obligations, including breach notification where applicable. We also evaluate and periodically review these vendors as part of our risk management and compliance program.
If we ever intend to use your PHI with AI tools for a purpose that legally requires your specific written authorization, we will obtain that authorization before doing so.
7. Third-Party Websites and Services
Our websites and communications may contain links to third-party sites or services (such as laboratories, pharmacies, or educational resources). Their privacy practices are not controlled by Defy Medical and are not covered by this Notice. You should review the privacy policies of any third-party site or service you use.
8. State-Specific Rights
Depending on where you live, you may have additional rights under state consumer or health privacy laws. For example, residents of certain states may have rights to request access to, correction of, or deletion of certain personal information that is not PHI, to receive information about how we use and disclose such personal information, or to opt out of certain uses of personal information for targeted advertising or “sales” of personal information as defined by state law.
To the extent those state laws apply and are not preempted by HIPAA or other federal law, we will honor your state-law rights with respect to personal information that is not PHI. You may submit a request by contacting Defy Medical Management at the address below and stating your place of residence and the nature of your request.
You may also submit state-law privacy requests through the ‘Privacy Rights Request’ form on our website or by emailing care@defymedical.com.
9. Changes to This Notice
We reserve the right to change this Notice at any time. When we make changes, we will:
- Provide you with notice of material changes by posting the revised Notice on our website and, where appropriate, through the patient portal or direct communication.
- Update the Effective Date at the top of the Notice.
The revised Notice will apply to all information we maintain, including information collected before the change. It is your responsibility to review the most current version of this Notice.
10. Complaints and Questions
If you believe your privacy rights have been violated, or if you have questions about this Notice, you may contact:
Defy Medical Management
4809 N. Armenia Ave., Suite 220
Tampa, FL 33603
Phone: 813-445-7342
You may also file a complaint with the Secretary of the U.S. Department of Health and Human Services. We will not retaliate against you for filing a complaint with us or with the government.
11. Data Retention and Destruction
We retain medical and personal information for as long as required by applicable law, regulation, or professional standards, and as necessary to support your care, our operations, and our legal and compliance obligations. Retention periods may vary depending on the type of information, the services provided, and applicable state or federal requirements.
When information is no longer required for these purposes, we will dispose of it or de‑identify it in a manner designed to protect against unauthorized access or use, using methods consistent with HIPAA and applicable industry standards (for example, secure deletion of electronic media and shredding or secure destruction of paper records).
This Notice is intended to describe our practices and your rights as required by law. To the extent our Terms of Service incorporate this Notice by reference, it also forms part of our agreement with you, but nothing in this Notice is intended to expand any private right of action beyond what applicable law provides.