Your data is protected health information.

Mon Élan is a private, physician-led lab-tracked-care practice. We do not bill insurance, we do not sell your protected health information to advertising or marketing networks, and we do not use your clinical information to target you with marketing. We collect what we need to provide your care, secure it under HIPAA-grade controls, and give you control of it.

• What we collect: identifiers (name, contact info, date of birth), clinical data (medical history, lab results, intake responses, prescriptions), payment data (handled by our PCI-compliant payment processor), and standard website telemetry.
• What we do with it: provide your medical care, coordinate prescriptions with the dispensing pharmacy, communicate with you, run our internal quality operations, and meet our legal obligations.
• What we don't do: sell your protected health information to advertising or marketing networks, use your clinical information to target advertising, discriminate in care based on your data, or re-identify de-identified data.
• Your control: request a copy, request a correction, request a list of who saw it, restrict our uses, opt out of the Insights Program at any time, request that we communicate with you confidentially, and file a complaint with us or with the U.S. Department of Health and Human Services.

This notice describes the privacy practices of:

• Mon Élan Medical, P.C. — the professional corporation responsible for your clinical care, including physician visits, peptide therapy, GLP-1 weight optimization, evidence-based protocols, and the prescribing decisions made for you.
• Mon Élan MSO — the management services organization that operates the platform, brand, technology, and billing relationships supporting Mon Élan Medical, P.C.
• Partner Professional Corporations — independent professional corporations that may deliver additional programs under a Professional Services Agreement and Business Associate Agreement with Mon Élan MSO as those programs activate. No Partner PC services are active at launch. Each Partner PC is a distinct legal entity with its own malpractice and state authorizations. When you receive care from a Partner PC clinician, you receive a co-branded notice of that PC's privacy practices, which mirrors this notice.

Throughout this notice, "Mon Élan," "we," "us," and "our" refer collectively to these entities operating as an Organized Health Care Arrangement under 45 CFR §164.501. "You" and "your" refer to the patient or the patient's authorized personal representative.

This notice covers protected health information (PHI) — health information that identifies you or could reasonably be used to identify you — held in any form: electronic, paper, or oral.

HIPAA permits us to use and disclose your PHI in specific circumstances without a separate written authorization from you. The categories below cover the routine uses. Any use not described below requires your written authorization, which you may revoke in writing at any time (revocations apply prospectively and do not undo a use already made).

You have the following rights with respect to your PHI:

The Texas Medical Privacy Act (TX Health & Safety Code Chapter 181, also known as HB 300) provides Texas residents protections that are in some respects broader than federal HIPAA:

• Electronic copies on request. If your record is maintained in electronic form, we provide your PHI to you in electronic form within 15 business days of a written request — faster than the federal 30-day deadline.
• Sale of PHI is restricted in Texas except in narrow circumstances and requires separate written authorization. Mon Élan does not solicit such authorization for advertising or marketing purposes.
• Marketing requires explicit, separate authorization in Texas. We will not use your PHI for marketing unless you've given a separate written authorization specifically for that purpose; you may revoke that authorization at any time.
• Required training for our workforce. Every Mon Élan employee, contractor, or workforce member who handles PHI completes Texas Medical Privacy Act training within 90 days of joining and at least every two years thereafter.
• State complaint route. You may file a complaint with the Texas Attorney General's office in addition to or instead of HHS. See the Complaints section.

Mon Élan also complies with the Texas Identity Theft Enforcement and Protection Act with respect to sensitive personal information collected through our website and intake.

Mon Élan is currently expanding nationwide. When Mon Élan becomes available to California residents, the following rights apply. As a California resident, in addition to your HIPAA rights, you have specific rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) regarding personal information that is not protected health information already covered by HIPAA:

• Right to know what categories of personal information we collect, use, and disclose.
• Right to access the specific pieces of personal information we hold about you.
• Right to deletion of personal information, subject to legal exceptions (we are required to retain medical records for a minimum of 10 years; medical records cannot be deleted on request, but website usage data can).
• Right to correct inaccurate personal information.
• Right to opt out of the sale or sharing of personal information. Mon Élan does not sell or share your personal information with cross-context behavioral advertising networks.
• Right to limit use of sensitive personal information. We use sensitive personal information (including health information) only for purposes you would reasonably expect from a clinical practice — providing your care, billing, and required operational functions.
• Right to non-discrimination for exercising any of these rights.

To exercise any California right, contact our Privacy Officer. We do not require you to create an account or submit a fee to exercise your rights.

Beyond your protected health information, we collect a limited set of non-clinical information when you use our website and patient portal:

• Account information you provide when creating a Mon Élan account: name, email, phone, postal address, date of birth, state of residence.
• Authentication data needed to verify you log in: hashed credentials, multi-factor authentication tokens, session metadata.
• Payment data handled by our PCI-compliant payment processor (Stripe). Mon Élan does not store full payment-card numbers; we store the processor's tokenized reference and the last four digits for your reference.
• Website telemetry: pages viewed, IP address, browser and device type, referral source. We use first-party analytics only; we do not use third-party advertising trackers, retargeting pixels, or behavioral ad networks on the patient-facing surfaces.
• Communications: the content of secure messages you exchange with your care team, support requests, and survey responses.

We do not place advertising or tracking cookies that share data with third parties on the patient portal or any page where you are signed in. Marketing pages may use a minimal set of first-party performance cookies that you can disable in your browser without losing access to the site.

We may send you communications about your care (appointment reminders, lab results, prescription shipping notifications) — these are treatment communications, not marketing, and you cannot opt out of them while you are an active patient.

Marketing communications — promotions, new-program launches, content emails — are sent only with your affirmative opt-in and use only the contact information and tier preferences you've explicitly provided. We do not use your clinical information (lab results, screening scores, prescriptions) to target marketing. You may unsubscribe from any marketing email with a single click or by updating your communication preferences in your portal.

Per Texas law, we obtain a separate written authorization from Texas residents before any marketing use of PHI; we do not use PHI for marketing in Texas without that separate authorization.

The Insights Program is Mon Élan's longitudinal data infrastructure. It powers two outputs: your personal Patient Dashboard, and an aggregate dataset that is used to refine clinical protocols across the practice.

• Universal opt-out. Every patient is enrolled in the Insights Program by default at intake. You may opt out at intake or at any time afterward from your portal under Data & Privacy. Opt-out is a single click.
• Care is identical regardless of opt-status. Your clinicians do not see your opt-status during encounters. Prescribing decisions, scheduling, response-time SLAs, and care quality are unaffected by whether you participate.
• Personal dashboard always available. The personal dashboard built from your own data is available to you whether or not you participate in the aggregate dataset.
• De-identification. Data added to the aggregate dataset is de-identified per the HIPAA Safe Harbor method (45 CFR §164.514(b)(2)). The 18 Safe Harbor identifiers are removed before the data enters the aggregate.
• No re-identification. We do not attempt to re-identify de-identified data and we do not provide it to any third party who would.
• Internal use. The aggregate dataset is used internally to refine Mon Élan clinical protocols. We do not provide the aggregate dataset to advertising or marketing networks. We may evaluate partnerships with academic or clinical research collaborators in the future; any such partnership will be governed by a data use agreement and will not include identifiable PHI.

The Insights Program is not a research study, a clinical trial, or an experimental program. It is operational quality improvement using de-identified aggregate data permitted by HIPAA. It does not require IRB review and is not represented otherwise.

Some functions of Mon Élan are performed by service providers we contract with — collectively called Business Associates under HIPAA. Each Business Associate signs a Business Associate Agreement requiring them to handle PHI to at least the standards we maintain. Categories of Business Associates:

• Cloud infrastructure — Microsoft Azure (compute, database, storage, identity, monitoring), governed by Microsoft's Online Services Data Protection Addendum and the Microsoft Business Associate Agreement.
• Telehealth video — Azure Communication Services for live video visits.
• 503A compounding pharmacy partners — licensed compounding pharmacies that fill peptide protocols. Each partner is a separate covered entity under HIPAA and signs both a BAA (where they receive PHI from us beyond what's needed for prescription fulfillment) and the standard prescriber-pharmacy information exchange.
• Branded medication routing — branded FDA-approved GLP-1 medications (Wegovy®, Zepbound®, Mounjaro®) are retail-dispensed by our 503A pharmacy partner alongside the compounded peptide protocols. Mon Élan operates a single fulfillment relationship.
• Laboratory services — diagnostic laboratories that perform your blood-work panels. Each lab is separately covered by HIPAA and may also have its own privacy notice it provides directly.
• Payment processing — Stripe (PCI-DSS Level 1). Stripe receives only the minimum information needed to process payment and does not receive clinical information.
• Drug-interaction screening — a pharmacist-grade clinical-knowledge service used in our prescribing workflow.
• Email and SMS delivery — vendors used only after a BAA is executed. We do not send PHI by SMS or unencrypted email; secure messaging happens inside the patient portal.

Mon Élan does not use third-party advertising, marketing attribution, or analytics services that would require sharing PHI. Third-party services that have not signed a BAA do not receive PHI from us — full stop.

We implement technical, administrative, and physical safeguards required by HIPAA at 45 CFR §164.312, plus controls beyond the regulatory floor:

• Encryption. All PHI is encrypted at rest with AES-256 and in transit with TLS 1.2 or higher. Database storage uses infrastructure encryption (a second encryption layer beneath the application-level encryption).
• Access control. Role-based access via Microsoft Entra ID. Clinicians see only their assigned patients. All PHI access is logged with user identity, action, resource, timestamp, and IP address.
• Authentication. JWT-based authentication on every endpoint that touches PHI; multi-factor authentication for all clinical and administrative staff.
• Network isolation. Backend services operate inside a private virtual network. Public access to data services is disabled.
• Audit logging. Application audit logs record every PHI access; platform audit logs record administrative changes. Logs are retained for at least seven years.
• Soft delete only. Clinical records are never hard-deleted. When a record is removed from active use, it is soft-deleted with the user and reason recorded; the record remains retrievable by a Privacy Officer for the legal retention window.
• Backup and recovery. Continuous point-in-time backups of clinical data with a 7-day restore window; longer-term archival is immutable.
• Workforce training. Annual HIPAA training plus Texas Medical Privacy Act training every two years for everyone who touches PHI.

In the event of a breach of unsecured PHI, we notify affected patients per 45 CFR §164.404 within 60 days of discovery. Notification is by first-class mail (or email, where you have agreed to electronic notice) and includes:

• A description of what happened, including the date of the breach and the date of discovery.
• The types of unsecured PHI involved.
• The steps you should take to protect yourself.
• What we are doing to investigate, mitigate, and prevent recurrence.
• Contact information for our Privacy Officer.

Where a breach affects 500 or more patients in a single state or jurisdiction, we also notify the U.S. Department of Health and Human Services and prominent local media per HIPAA. We notify the Texas Attorney General per Chapter 521 of the Texas Business & Commerce Code where applicable. For breaches affecting fewer than 500 patients, HHS is notified annually as required.

Mon Élan does not provide care to patients under age 18. Our intake collects date of birth as the first clinical question, and a patient who indicates they are under 18 is exited from intake before any clinical information is collected. We do not knowingly collect personal information from anyone under age 13 (per the Children's Online Privacy Protection Act). If we learn that we have inadvertently collected personal information from a child under 13, we will delete it.

If you believe your privacy rights have been violated, you can file a complaint. We will not retaliate against you for filing a complaint. Filing with us does not prevent you from also filing with the agencies below.

We may revise this notice. The current version is always posted at monelan.co/privacy with the effective date at the top. Material changes will be communicated to active patients by email at least 30 days before they take effect, and a paper copy will be available on request. Continuing to use the service after the effective date of a revision means you accept the revised notice; you may opt out by cancelling your membership at any time.