Privacy Policy

1. Introduction

Welcome to YBT Health. This Privacy Policy describes how Medicare Services Enterprises, LLC, doing business as YBT Health ("YBT Health," "we," "us," or "our"), collects, uses, discloses, and protects your personal information when you access or use our website, mobile applications, telehealth platform, and related services (collectively, the "Services").

YBT Health provides mental and behavioral health care services, including psychiatric evaluation, medication management, therapy, and care coordination. We are committed to protecting your privacy and handling your personal and health information responsibly and in compliance with applicable federal and state laws, including the Health Insurance Portability and Accountability Act ("HIPAA").

By accessing or using our Services, you acknowledge that you have read and understand this Privacy Policy. If you do not agree with our practices, please do not use our Services.

2. Information We Collect

We collect information in several ways depending on how you interact with our Services:

a. Information You Provide Directly

• Account and registration information: name, email address, phone number, date of birth, mailing address, and login credentials.
• Patient intake information: demographic details, emergency contact information, insurance information, and referral source.
• Health and clinical information: medical history, psychiatric history, current symptoms, medications, diagnoses, treatment plans, clinical notes, assessment results, and information related to your mental and behavioral health care.
• Insurance and billing information: health insurance plan details, subscriber information, group and member IDs, and payment information.
• Communications: messages you send through our platform, emails, phone calls, SMS text messages, and any other correspondence with our care team or support staff.
• Consent and legal documents: electronic signatures, consent forms, and acknowledgments.

b. Information Collected Automatically

• Device and browser information: IP address, browser type and version, operating system, device type, and unique device identifiers.
• Usage information: pages viewed, features accessed, links clicked, session duration, and referring URLs.
• Log data: server logs that may include your IP address, access times, and activity within our Services.
• Cookies and similar technologies: as described in Section 11 of this Privacy Policy.

c. Information from Third Parties

• Referring providers: clinical information or referral documentation from your other healthcare providers.
• Insurance companies: eligibility verification, benefits information, and claims processing data.
• Identity verification services: information used to confirm your identity for security purposes.

3. How We Use Your Information

We use the information we collect for the following purposes:

• Providing care: to deliver mental and behavioral health services, coordinate treatment, manage prescriptions, and communicate with your care team.
• Scheduling and appointments: to manage appointment bookings, send reminders, and coordinate telehealth sessions.
• Billing and insurance: to verify insurance eligibility, process claims, collect payments, and manage your account balance.
• Communications: to send appointment reminders, care-related notifications, treatment updates, and administrative messages via email, phone, or SMS text message.
• Quality improvement: to monitor and improve the quality of our Services, conduct internal audits, and train our care team.
• Compliance and legal obligations: to comply with applicable laws, regulations, and legal processes, including HIPAA requirements.
• Security: to detect, prevent, and address fraud, unauthorized access, and other security concerns.
• Platform operations: to maintain, troubleshoot, and improve the performance and functionality of our Services.

4. SMS & Text Messaging

We may send you text messages for the following purposes:

• Appointment reminders and scheduling confirmations
• Telehealth session links and instructions
• Prescription and medication reminders
• Intake form completion reminders
• Account notifications and security alerts
• Care coordination and follow-up messages
• Billing and payment reminders

Opting Out of Text Messages

You may opt out of receiving text messages at any time by replying STOP to any message you receive from us. After you send STOP, we will send you a confirmation message to acknowledge your request. Once opted out, you will no longer receive SMS messages from us unless you re-enroll.

You may also opt out by contacting us at support@oneybt.com or by calling (310) 560-7866.

Help

For help with our text messaging program, reply HELP to any message, email support@oneybt.com, or call (310) 560-7866.

Carrier Liability

Carriers are not liable for delayed or undelivered messages. Message and data rates may apply. Check with your mobile carrier for details about your messaging plan.

Consent Not Required for Purchase

Your consent to receive text messages is not a condition of purchasing any goods or services from YBT Health. You may use our Services and receive care without opting in to text messaging. Opting out of text messages will not affect your ability to receive treatment or access your account.

Data Sharing for Messaging

We use a third-party messaging service provider to deliver SMS and MMS messages. Your phone number and message content are shared with this provider solely for the purpose of delivering messages to you. We do not sell, rent, loan, or share your phone number, opt-in information, or messaging consent data with third parties or affiliates for their marketing or promotional purposes.

5. How We Share Your Information

We do not sell your personal information. We may share your information in the following circumstances:

• Treatment, payment, and health care operations: as permitted under HIPAA, we may share your protected health information (PHI) with healthcare providers involved in your care, insurance companies for billing and claims processing, and within our organization for quality improvement and operational purposes.
• Service providers: we work with trusted third-party vendors who assist with delivering our Services, including secure electronic health record hosting, payment processing, insurance eligibility verification, appointment scheduling, and communications. These providers are contractually obligated to protect your information and may only use it to provide services on our behalf.
• Legal requirements: we may disclose your information when required by law, regulation, subpoena, court order, or other legal process, or when necessary to protect the safety of you or others.
• Public health and safety: as permitted or required by law, we may disclose information to public health authorities, to prevent or lessen a serious and imminent threat to health or safety, or to report suspected abuse, neglect, or domestic violence.
• Business transfers: in the event of a merger, acquisition, reorganization, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change in ownership or control.
• With your consent: we may share your information for purposes not described in this Privacy Policy with your explicit authorization.

6. HIPAA & Protected Health Information

As a healthcare provider, YBT Health is a covered entity under the Health Insurance Portability and Accountability Act (HIPAA). We maintain the privacy and security of your protected health information (PHI) in accordance with HIPAA and its implementing regulations.

Your rights under HIPAA include, but are not limited to:

• The right to receive a Notice of Privacy Practices describing how we use and disclose your PHI.
• The right to request restrictions on certain uses and disclosures of your PHI.
• The right to access and obtain a copy of your PHI.
• The right to request amendments to your PHI.
• The right to receive an accounting of disclosures of your PHI.
• The right to request confidential communications.
• The right to file a complaint with us or with the U.S. Department of Health and Human Services if you believe your privacy rights have been violated.

To exercise any of these rights, please contact us using the information provided in Section 18 of this Privacy Policy.

7. Data Security

We take the security of your information seriously and implement administrative, technical, and physical safeguards designed to protect your personal and health information, including:

• Encryption of data in transit and at rest using industry-standard protocols.
• Role-based access controls limiting access to authorized personnel only.
• Regular security assessments and vulnerability monitoring.
• Secure authentication mechanisms, including multi-factor authentication.
• Audit logging of access to patient records and sensitive information.
• Employee training on privacy and security practices.
• Business Associate Agreements with all third-party vendors who handle PHI.

While we strive to protect your information, no method of electronic transmission or storage is completely secure. If you have reason to believe your account or information has been compromised, please contact us immediately.

8. Data Retention

We retain your personal and health information for as long as necessary to fulfill the purposes described in this Privacy Policy, comply with our legal and regulatory obligations, and resolve disputes. Specifically:

• Medical records: retained for a minimum of seven (7) years from the date of last treatment, or longer as required by applicable state law.
• Billing and insurance records: retained for a minimum of seven (7) years as required by federal and state regulations.
• Account information: retained for the duration of your account and for a reasonable period thereafter.
• Communications and messaging logs: retained in accordance with our record-keeping obligations and internal policies.

When information is no longer required, we securely destroy or de-identify it in accordance with applicable laws and our data destruction policies.

9. Data Breach Notification

In the event of a breach of unsecured protected health information, we will notify affected individuals, the U.S. Department of Health and Human Services, and, where required, the media, in accordance with the HIPAA Breach Notification Rule (45 CFR §§ 164.400-414).

Notification will be provided without unreasonable delay and no later than sixty (60) calendar days from the date we discover the breach. Notifications will be sent via first-class mail to your last known address (or by email if you have agreed to receive electronic notices) and will include:

• A description of the breach and the types of information involved.
• Steps you should take to protect yourself from potential harm.
• A description of what we are doing to investigate the breach, mitigate harm, and prevent future breaches.
• Contact information for you to ask questions or obtain additional information.

We also comply with applicable state breach notification laws, which may require additional or faster notification in certain circumstances.

10. Your Rights & Choices

Depending on your state of residence and applicable law, you may have the following rights regarding your personal information:

• Access: the right to request access to the personal information we hold about you.
• Correction: the right to request correction of inaccurate personal information.
• Deletion: the right to request deletion of your personal information, subject to certain exceptions (e.g., legal retention requirements for medical records).
• Data portability: the right to receive a copy of your personal information in a structured, commonly used, and machine-readable format.
• Opt-out of communications: the right to opt out of non-essential communications, including marketing emails and text messages.
• Non-discrimination: we will not discriminate against you for exercising any of your privacy rights.

To exercise any of these rights, please contact us at support@oneybt.com or by calling (310) 560-7866. We will respond to your request within the timeframe required by applicable law.

11. Cookies & Tracking Technologies

Our Services use cookies and similar technologies to enhance your experience, analyze usage patterns, and support the functionality of our platform. The types of cookies we use include:

• Essential cookies: required for the basic functionality of our Services, such as session management and security.
• Analytics cookies: help us understand how visitors interact with our Services so we can improve performance and usability.
• Preference cookies: remember your settings and preferences (e.g., language, display options) to personalize your experience.

We do not use cookies for third-party advertising or behavioral targeting. You can control cookies through your browser settings. Disabling certain cookies may affect the functionality of our Services.

Do Not Track Signals

Some web browsers transmit "Do Not Track" (DNT) signals to websites. Because there is no universally accepted standard for how to respond to DNT signals, our Services do not currently respond to DNT signals. However, as noted above, we do not engage in third-party advertising tracking or cross-site behavioral targeting.

12. Children's Privacy

Our Services are not directed to individuals under the age of 18. We do not knowingly collect personal information from children under 18 without the consent of a parent or legal guardian. If we become aware that we have inadvertently collected personal information from a child under 18 without appropriate consent, we will take steps to delete that information promptly.

If you are a parent or guardian and believe your child has provided us with personal information without your consent, please contact us at support@oneybt.com.

13. Psychotherapy Notes

Under HIPAA, psychotherapy notes — defined as notes recorded by a mental health professional documenting or analyzing the contents of a counseling session — receive heightened protections. These notes are maintained separately from the rest of your medical record.

We will not use or disclose your psychotherapy notes without your specific written authorization, except in limited circumstances permitted by law, including:

• Use by the originator of the notes for treatment purposes.
• Use or disclosure required by law (e.g., mandatory reporting obligations).
• Disclosures to the U.S. Department of Health and Human Services for HIPAA compliance investigations.
• Use or disclosure to avert a serious threat to health or safety.

14. De-Identified & Aggregated Data

We may create de-identified or aggregated information from your personal and health information by removing data elements that could reasonably be used to identify you. De-identification is performed in accordance with the standards set forth in the HIPAA Privacy Rule (45 CFR § 164.514).

De-identified and aggregated data is not subject to this Privacy Policy. We may use such data for research, analytics, quality improvement, and other lawful purposes without restriction or obligation to you.

15. Geographic Limitations

Our Services are intended for use within the United States. We do not knowingly collect personal information from individuals located outside the United States. If you access our Services from outside the United States, you do so at your own risk and are responsible for compliance with your local laws. By using our Services, you consent to the transfer and processing of your information in the United States.

16. State-Specific Disclosures

California Residents

If you are a California resident, you may have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), including the right to know what personal information we collect and how it is used, the right to request deletion, and the right to opt out of the sale or sharing of personal information. YBT Health does not sell personal information. To exercise your California privacy rights, please contact us using the information in Section 18.

Other State Privacy Laws

Residents of other states with comprehensive privacy laws (including but not limited to Colorado, Connecticut, Virginia, Utah, and Texas) may have similar rights. We will comply with applicable state privacy laws. Please contact us to exercise your rights under your state's privacy law.

17. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or the services we offer. When we make material changes, we will update the "Last Updated" date at the top of this page and, where appropriate, notify you via email or a prominent notice within our Services.

We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your information.

18. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us:

If you believe your privacy rights have been violated, you also have the right to file a complaint with the U.S. Department of Health and Human Services Office for Civil Rights at www.hhs.gov/hipaa/filing-a-complaint.