POWER SOURCE RX PRIVACY POLICY
Effective Date: Sept. 1, 2025
Last Updated: Sept. 1, 2025
This Privacy Policy complies with the Health Insurance Portability and Accountability Act (HIPAA), Colorado Privacy Act (CPA), Colorado Medical Practice Act, federal telehealth regulations, and applicable federal laws.
1. INTRODUCTION
Power Source Rx ("we," "our," or "us") is a Colorado-based telehealth provider committed to protecting your privacy and maintaining the confidentiality of your protected health information (PHI). This Privacy Policy explains how we collect, use, disclose, and safeguard your information in compliance with:

  • Health Insurance Portability and Accountability Act (HIPAA)

  • Colorado Privacy Act (CPA)

  • Colorado Medical Practice Act (C.R.S. § 12-240-101 et seq.)

  • Colorado Telehealth Act (C.R.S. § 12-240-130)

  • DEA Controlled Substances Act regulations

  • FDA regulations for prescription medications

  • Ryan Haight Online Pharmacy Consumer Protection Act

2. INFORMATION WE COLLECT
2.1 Protected Health Information (PHI) - HIPAA Covered
We collect PHI that identifies you and relates to your health, including:

  • Medical history, symptoms, and current health conditions

  • Prescription medication history and current medications

  • Mental health and substance use history (required for controlled substances)

  • Weight management and metabolic health information

  • Laboratory results, vital signs, and diagnostic information

  • Treatment plans, progress notes, and clinical assessments

  • Insurance information and healthcare payment records

  • Emergency contact and healthcare proxy information

2.2 Personal Information - Colorado Privacy Act Covered

  • Full legal name, date of birth, and government-issued ID

  • Colorado address and contact information (required for in-state practice)

  • Payment and financial information

  • Device identifiers, IP addresses, and geolocation data

  • Biometric identifiers (photos for identity verification)

  • Social media profiles (if connected with consent)

2.3 Sensitive Personal Data (Colorado CPA Definition)

  • Precise geolocation data

  • Racial or ethnic origin information

  • Religious beliefs or philosophical information

  • Sexual orientation and gender identity

  • Mental health and substance use information

  • Biometric data for identification purposes

2.4 Technical and Usage Information

  • Website and mobile app usage analytics

  • Video consultation recordings (with explicit consent)

  • Communication logs and customer service interactions

  • Device information, browser type, and operating system

  • Cookies and similar tracking technologies

3. COLORADO-SPECIFIC COLLECTION REQUIREMENTS
3.1 Colorado Residency Verification
Per Colorado Medical Practice Act requirements:

  • We verify Colorado residency for all patients

  • Out-of-state patients require special licensing verification

  • We maintain records of residency verification methods

3.2 Telehealth Consent (C.R.S. § 12-240-130)
Before providing telehealth services, we obtain specific consent for:

  • Use of telehealth technology and its limitations

  • Risks associated with remote consultations

  • Emergency procedures and local resources

  • Recording of consultations (separate consent required)

  • Sharing of information with Colorado healthcare providers

3.3 Controlled Substance Prescribing
Per DEA and Ryan Haight Act requirements:

  • Valid patient-prescriber relationship establishment

  • Medical evaluation appropriate for prescribed medication

  • Compliance with Colorado Prescription Drug Monitoring Program (PDMP)

  • Verification of identity and Colorado address

4. HOW WE USE YOUR INFORMATION
4.1 Treatment (HIPAA-Permitted Uses)

  • Conducting telehealth medical consultations

  • Prescribing and monitoring weight management medications

  • Coordinating care with Colorado healthcare providers

  • Managing medication interactions and contraindications

  • Providing follow-up care and treatment adjustments

4.2 Payment (HIPAA-Permitted Uses)

  • Processing payments for services and medications

  • Verifying insurance coverage and prior authorizations

  • Submitting claims to Colorado-licensed insurance providers

  • Managing payment plans and financial assistance programs

  • Conducting fraud prevention and billing verification

4.3 Healthcare Operations (HIPAA-Permitted Uses)

  • Quality assurance and clinical outcome monitoring

  • Provider training and competency verification

  • Compliance with Colorado medical board requirements

  • Internal audits and regulatory compliance monitoring

  • Research and development (de-identified data only)

4.4 Colorado Legal Requirements

  • Reporting to Colorado Department of Public Health and Environment

  • Compliance with Colorado Prescription Drug Monitoring Program

  • Mandatory reporting of suspected abuse or neglect

  • Public health emergency reporting as required by state law

  • Colorado medical board licensing and oversight compliance

5. INFORMATION SHARING AND DISCLOSURE
5.1 Required Disclosures - Colorado Law
We are required to disclose PHI to:

  • Colorado PDMP: All controlled substance prescriptions

  • Colorado Department of Public Health: Reportable diseases and conditions

  • Colorado Medical Board: For licensing investigations and complaints

  • Law Enforcement: When required by Colorado criminal laws

  • Child/Adult Protective Services: Suspected abuse or neglect cases

5.2 Permitted Disclosures - HIPAA Authorization
With your written authorization, we may share information with:

  • Your designated healthcare providers in Colorado

  • Family members or caregivers you specify

  • Insurance companies for coverage determinations

  • Research institutions for approved studies

  • Marketing partners (separate authorization required)

5.3 Emergency Disclosures
Without authorization, we may disclose PHI:

  • To prevent imminent threat to health or safety

  • To emergency medical services and hospitals

  • To public health authorities during health emergencies

  • To law enforcement for public safety purposes

5.4 Business Associates (HIPAA-Compliant)
We share limited PHI with HIPAA-compliant business associates:

  • Colorado-licensed pharmacy partners

  • Secure technology and data storage providers

  • Billing and payment processing companies

  • Colorado-based laboratory and diagnostic services

6. YOUR PRIVACY RIGHTS
6.1 HIPAA Rights
You have the right to:

  • Access and Copy: Request copies of your medical records (within 30 days)

  • Amend: Request corrections to inaccurate health information

  • Restrict: Request limits on use and disclosure of your PHI

  • Confidential Communications: Request alternative communication methods

  • Accounting of Disclosures: List of PHI disclosures for 6-year period

  • File Complaints: With us, HHS Office for Civil Rights, or Colorado Attorney General

6.2 Colorado Privacy Act Rights (Effective July 15, 2023)
Colorado residents have additional rights:

  • Right to Know: What personal data we collect and how it's used

  • Right to Access: Confirm processing and obtain copies of personal data

  • Right to Correct: Inaccurate personal data

  • Right to Delete: Personal data (subject to healthcare record retention requirements)

  • Right to Portability: Obtain personal data in portable format

  • Right to Opt-Out: Of targeted advertising, sale of personal data, or profiling

6.3 Exercising Your Rights
To exercise privacy rights:

  1. Submit written request to our Privacy Officer

  2. Verify your identity (Colorado driver's license or state ID)

  3. Specify which rights you wish to exercise

  4. We will respond within timeframes required by law (typically 30-45 days)

7. COLORADO-SPECIFIC PROTECTIONS
7.1 Mental Health Records (C.R.S. § 27-10-120)

  • Mental health information requires special authorization for disclosure

  • Psychotherapy notes have enhanced protection under Colorado law

  • Substance use treatment records protected under federal and state confidentiality laws

7.2 Genetic Information Protection

  • Genetic testing information protected under Colorado Genetic Non-Discrimination Act

  • Special consent required for genetic information sharing

  • Insurance discrimination protections for genetic information

7.3 Reproductive Health Privacy

  • Enhanced privacy protections for reproductive health services

  • Special confidentiality requirements for minors (where applicable)

  • Protection from disclosure to certain third parties

8. DATA SECURITY AND PROTECTION
8.1 Technical Safeguards

  • Encryption: End-to-end encryption for all PHI transmission and storage

  • Access Controls: Multi-factor authentication and role-based permissions

  • Audit Logs: Comprehensive tracking of all PHI access and modifications

  • Secure Video: HIPAA-compliant telehealth platform with encryption

  • Backup Systems: Secure, encrypted backup of all medical records

8.2 Administrative Safeguards

  • HIPAA Training: Annual training for all workforce members

  • Background Checks: For all employees with PHI access

  • Business Associate Agreements: With all vendors handling PHI

  • Incident Response Plan: For security breaches and privacy incidents

  • Colorado Compliance Officer: Designated for state law compliance

8.3 Physical Safeguards

  • Secure Facilities: Restricted access to areas containing PHI

  • Workstation Security: Automatic logout and screen locks

  • Media Controls: Secure disposal of electronic and paper records

  • Colorado Data Center: PHI stored within United States with preference for Colorado facilities

9. DATA RETENTION
9.1 Medical Records Retention
Per Colorado requirements:

  • Adult Medical Records: 7 years from last treatment

  • Minor Medical Records: Until age 25 or 7 years, whichever is longer

  • Mental Health Records: 7 years from last treatment

  • Controlled Substance Records: Minimum 2 years per DEA requirements

9.2 Colorado Privacy Act Retention

  • Personal Data: No longer than necessary for disclosed purposes

  • Sensitive Personal Data: Minimized retention periods

  • Marketing Data: Until opt-out request or account deletion

  • Technical Logs: Maximum 2 years unless required for legal compliance

10. BREACH NOTIFICATION
10.1 Colorado Requirements
In case of a data breach affecting Colorado residents:

  • Individual Notification: Within 30 days of discovery

  • Colorado Attorney General: Notification if breach affects 500+ residents

  • Method: Written notice, email, or substitute notice as legally required

  • Content: Nature of breach, information involved, steps taken, and contact information

10.2 HIPAA Requirements
For PHI breaches:

  • Individual Notification: Within 60 days of discovery

  • HHS Notification: Within 60 days (or annually for smaller breaches)

  • Media Notification: If breach affects 500+ individuals in Colorado

  • Business Associate Notification: Within 60 days to covered entities

11. COLORADO TELEHEALTH SPECIFIC PROVISIONS
11.1 Provider Licensing

  • All prescribing providers licensed in Colorado

  • Compliance with Colorado Medical Practice Act

  • Participation in Colorado Prescription Drug Monitoring Program

  • Maintenance of Colorado DEA registration for controlled substances

11.2 Standard of Care

  • Telehealth services meet same standard as in-person care

  • Appropriate technology for safe and effective treatment

  • Clear protocols for emergency situations

  • Coordination with local Colorado healthcare providers

11.3 Patient Location Requirements

  • Services provided only to patients physically located in Colorado

  • Verification of patient location for each consultation

  • Emergency protocols for Colorado-specific resources

  • Compliance with interstate medical practice limitations

12. FEDERAL COMPLIANCE
12.1 DEA Regulations

  • Compliance with Controlled Substances Act

  • Valid patient-prescriber relationship requirements

  • Prescription monitoring and reporting

  • Security requirements for controlled substance prescribing

12.2 FDA Regulations

  • Compliance with prescription drug marketing regulations

  • Adverse event reporting requirements

  • Drug safety monitoring and communication

  • Medical device software compliance (if applicable)

12.3 FTC Regulations

  • Truth in advertising requirements

  • Health claims substantiation

  • Privacy and data security expectations

  • Consumer protection compliance

13. CONTACT INFORMATION
13.1 Privacy Officer
HIPAA Privacy Officer
Power Source Rx
Denver, CO [ZIP]
Email: privacy@powersourcerx.com
Phone: [Phone Number]
13.2 Colorado Compliance Officer
Colorado Privacy Act Compliance
Email: colorado-privacy@powersourcerx.com
Phone: [Phone Number]
13.3 Filing Complaints
Internal Complaints: Contact Privacy Officer above
HIPAA Complaints:
U.S. Department of Health and Human Services
Office for Civil Rights
Region VIII
1961 Stout Street, Room 08-143
Denver, CO 80294
Phone: (303) 844-2024
Colorado Privacy Act Complaints:
Colorado Attorney General
Consumer Protection Section
1300 Broadway, 10th Floor
Denver, CO 80203
Phone: (720) 508-6000
14. EFFECTIVE DATE AND UPDATES
This Privacy Policy is effective as of [Insert Date] and applies to all information collected on or after this date. We will notify Colorado residents of material changes through:

  • Email notification (preferred method)

  • Prominent website notice

  • Direct mail (if email unavailable)

  • Mobile app notification

Continued use of our services constitutes acceptance of updated terms.
Power Source Rx
[Colorado Business Address]
Denver, CO [ZIP]
Colorado Business License: [License Number]
DEA Registration: [DEA Number]
Phone: [Phone Number]
Website: [URL]
This Privacy Policy has been drafted to comply with HIPAA, Colorado Privacy Act, Colorado Medical Practice Act, and applicable federal regulations. This document should be reviewed by qualified legal counsel familiar with Colorado healthcare law and federal telehealth regulations.
