Summary: We collect only the health information needed to evaluate your refill request. We never sell your data. We never use it for marketing. A board-certified physician reviews every case. All data is stored in HIPAA-compliant systems.
Who We Are
Dr. Refills Medical Group operates drrefills.com, an asynchronous telehealth service for chronic medication refills in California. We are a covered entity under HIPAA. Contact us at admin@drrefills.com.
This Notice describes how we use and protect your Protected Health Information (PHI) as required by the Health Insurance Portability and Accountability Act (HIPAA) and California law.
Information We Collect
We collect the following information when you use our service:
- Full name and date of birth
- Cell phone number and email address
- City and state of residence
- Biological sex and gender identity (for clinical relevance)
- Requested medication name and dose
- Duration of medication use
- All current medications, supplements, and vitamins
- Pharmacy name and street address
- Health screening responses (symptoms, hospitalizations, blood pressure readings, mood screening)
- Pharmacy fill history retrieved through the Surescripts national pharmacy network
- Electronic prescription records generated through DoseSpot/Treat
- Payment confirmation (processed by Stripe — no credit card numbers stored by Dr. Refills)
- Photos of medication bottles submitted during intake (read by AI, never stored)
How We Use Your Information
Treatment: We use your health information to evaluate your refill request, verify your prescription history, make clinical decisions, and transmit your prescription to your pharmacy. This is the primary purpose of this service.
Operations: We maintain records of your encounters for quality assurance and to fulfill our legal obligations as a healthcare provider.
De-Identified Research: We may use de-identified health information — information that cannot be used to identify you, consistent with HIPAA Safe Harbor standards (45 CFR §164.514(b)) — for quality improvement, clinical research, analytics, and business development. Your identifiable health information will never be sold or used for marketing purposes.
AI-Assisted Intake Disclosure
This service uses an AI-assisted intake system called Maya, powered by Anthropic Claude. Maya is an administrative intake tool only — it does not diagnose, treat, or prescribe. All clinical decisions are made exclusively by a California-licensed board-certified physician.
As required by California AB 3030, we notify you that generative AI is used in our intake process. A licensed physician reviews every request before any clinical decision is made. If you have questions, contact us at admin@drrefills.com.
Our Business Associates
We share your information only with vendors who have signed Business Associate Agreements (BAAs) as required by HIPAA:
- Google Workspace — secure storage of patient encounter records (BAA executed March 18, 2026)
- Anthropic — AI-assisted patient intake screening (BAA executed)
- DoseSpot/Treat — electronic prescription transmission (BAA executed)
- Stripe — payment processing; PHI limited to name only (BAA executed)
Your Rights Under HIPAA
- Right to Access: You may request a copy of your health information. We will respond within 30 days. Email: admin@drrefills.com
- Right to Amend: You may request correction of inaccurate information.
- Right to Restriction: You may request limits on how we use your information.
- Right to an Accounting: You may request a list of disclosures we have made of your PHI.
- Right to a Paper Copy: You may request a paper copy of this Notice at any time.
California-Specific Rights
California residents have additional rights under the Confidentiality of Medical Information Act (CMIA) and the California Consumer Privacy Act (CCPA). We do not sell personal information. We do not share personal information for cross-context behavioral advertising.
California physicians are regulated by the Medical Board of California. You may verify physician license status at breeze.ca.gov. To file a complaint: (800) 633-2322 or mbc.ca.gov.
Data Security
- All patient data is stored in HIPAA-compliant Google Workspace under an executed BAA
- Data is encrypted in transit (TLS 1.2+) and at rest
- Access is limited to authorized personnel only
- Two-factor authentication is required for all system access
- We maintain a written Security Incident Response Plan
- We do not use advertising tracking pixels on pages where health information is entered
Data Retention
Patient records are retained for a minimum of seven (7) years from the date of service, consistent with California Health & Safety Code §123111. Records for minor patients are retained until age 19 or seven years, whichever is longer.
How to File a Complaint
If you believe your privacy rights have been violated, you may contact:
- Dr. Refills: admin@drrefills.com
- U.S. Department of Health and Human Services, Office for Civil Rights: hhs.gov/ocr or 1-800-368-1019
You will not be penalized for filing a complaint.
Changes to This Policy
We may update this policy at any time. Changes will be posted at drrefills.com/privacy with an updated effective date. The current version is always the governing version.
Questions? Email us at admin@drrefills.com