Overview & Scope of This Policy
HealingTourist, LLC ("HealingTourist," "we," "us," or "our") operates the website healingtourist.com and associated digital services (collectively, the "Platform"), which facilitates connections between international patients and verified medical specialists in India for purposes including medical tourism, treatment coordination, and medical second opinions.
This Privacy Policy applies to all individuals who:
- Visit or use the HealingTourist website or mobile applications
- Submit inquiries for medical treatment or second opinions
- Register as patients, caregivers, or authorized representatives
- Communicate with HealingTourist via email, WhatsApp, phone, or web forms
- Participate in video consultations facilitated through our Platform
- Upload medical records, imaging files, or health-related documents
This Policy does not govern the independent privacy practices of the hospitals, clinics, or physicians in our network. Those providers maintain their own HIPAA-compliant privacy notices, which will be provided to you at the point of care.
Important: HealingTourist is a medical facilitation and coordination service, not a covered healthcare provider under HIPAA. However, we voluntarily adopt HIPAA-equivalent standards for all Protected Health Information (PHI) because we believe your medical data deserves the highest level of protection, regardless of what the law minimally requires of us.
Privacy Laws That Protect You
HealingTourist designs its data practices to meet or exceed the requirements of the following legal frameworks that protect medical patients in the United States and internationally:
Health Insurance Portability and Accountability Act (HIPAA)
HIPAA establishes national standards to protect individuals' medical records and other personal health information. Key HIPAA provisions we adhere to include:
- Privacy Rule: Limits the uses and disclosures of Protected Health Information (PHI) without patient authorization
- Security Rule: Requires administrative, physical, and technical safeguards for electronic PHI (ePHI)
- Breach Notification Rule: Requires notification to affected individuals within 60 days of discovering a breach
- Minimum Necessary Standard: We only use, request, and disclose the minimum amount of PHI necessary to accomplish the intended purpose
The Health Information Technology for Economic and Clinical Health (HITECH) Act strengthens HIPAA penalties and extends privacy obligations to Business Associates. All third-party vendors who access your PHI through HealingTourist are required to sign Business Associate Agreements (BAAs) and are bound by HIPAA/HITECH requirements.
California Consumer Privacy Act (CCPA) / California Privacy Rights Act (CPRA)
California residents have additional rights under the CCPA and CPRA, including the right to know what personal information is collected, the right to delete personal information, the right to opt out of the sale or sharing of personal information, the right to correct inaccurate personal information, and the right to limit use of sensitive personal information. HealingTourist does not sell personal information as defined by the CCPA. We do not share personal information for cross-context behavioral advertising without your explicit consent.
Washington My Health My Data Act
For Washington State residents, HealingTourist complies with the My Health My Data Act, which provides additional protections for consumer health data beyond HIPAA, including geofencing restrictions near healthcare facilities and heightened consent requirements for health data processing.
Texas HB 300
Texas residents benefit from the protections of Texas HB 300, which imposes HIPAA-like requirements on businesses that handle PHI of Texas residents, carries significantly enhanced penalties over federal HIPAA, and requires employee training on privacy obligations.
Information We Collect
We collect only the information necessary to match you with appropriate medical care and facilitate your treatment journey. We are transparent about every category of data we handle.
3.1 Personal Identification Information
- Full name, date of birth, gender
- Email address, phone number (including WhatsApp)
- Country of residence, nationality, and passport number (for visa facilitation purposes only)
- Emergency contact information
3.2 Protected Health Information (PHI)
This is the most sensitive category of information we handle. PHI includes anything that relates to your health condition, treatment, or payment, and that could be used to identify you. This includes:
- Diagnosis, symptoms, and medical history
- Radiology images (X-rays, MRI, CT scans, PET scans)
- Pathology and laboratory reports
- Surgical and procedure notes
- Medications, allergies, and treatment history
- Physician referral letters and prior second opinion reports
- Insurance information (if relevant to treatment coordination)
All PHI uploaded to the HealingTourist platform is encrypted immediately upon receipt using AES-256 encryption. PHI is stored in access-controlled, HIPAA-compliant cloud infrastructure and is never accessible to HealingTourist staff without a documented, legitimate care coordination purpose.
3.3 Technical & Usage Information
- IP address, browser type, operating system, and device identifiers
- Pages visited, time spent, and navigation patterns on our website
- Referring URL and search terms used to find HealingTourist
- Cookie identifiers and session data (see Section 10)
3.4 Communication Records
- Emails, web form submissions, and chat messages to our coordination team
- Video consultation recordings (only with your explicit written consent)
- WhatsApp and phone call notes maintained by our care coordinators
3.5 Financial Information
- Payment card information (processed by PCI-DSS compliant third-party payment processors — HealingTourist never stores raw card numbers)
- Bank transfer records for treatment deposits
- Wire transfer confirmation references
3.6 Information We Do Not Collect
HealingTourist does not collect Social Security Numbers, government ID numbers (except for visa support documents handled under separate security protocols), biometric data for identification purposes, or information from third-party data brokers.
How We Use Your Information
We use your personal information only for the purposes described below. We will never use your medical information for any purpose other than facilitating your care.
| Purpose | Types of Data Used | Legal Basis |
|---|---|---|
| Matching you with appropriate specialists | PHI, diagnosis, treatment type requested | Patient consent; Legitimate interest in care facilitation |
| Facilitating medical second opinions | All PHI, medical records, imaging | Explicit written consent |
| Treatment coordination & logistics | Personal ID, contact info, travel details | Contract performance; Patient consent |
| Visa invitation letter generation | Name, nationality, hospital assignment | Patient consent |
| Processing payments | Financial information | Contract performance |
| Customer support & inquiries | Contact info, communication records | Legitimate interest; Contract |
| Legal compliance & safety | As required by law | Legal obligation |
| Service improvement (anonymized) | Aggregated, de-identified usage data only | Legitimate interest |
| Marketing communications (opt-in only) | Email address, name — never PHI | Explicit consent; opt-out honored immediately |
We will never: Sell your personal or medical information to any third party; use your PHI for advertising or marketing; share your health information with your employer, insurer, or government without your consent (except as required by law); or use your information to make automated decisions that significantly affect you without human oversight.
Special Protections for Medical Second Opinions
We recognize that patients seeking a second medical opinion are in a uniquely vulnerable position — often facing a serious diagnosis, questioning their current care plan, and sharing some of their most sensitive health information. We apply the highest level of care and the most stringent data protections to second opinion requests.
5.1 Consent Requirements for Second Opinion Service
Before any medical records are transmitted to a reviewing physician, we require:
- Explicit written authorization (not implied consent) for each specific physician who will review your case
- Confirmation of the specific purpose: diagnostic confirmation, treatment alternatives review, or surgical necessity assessment
- Your acknowledgment that the reviewing physician may contact you directly via our platform
- Clear understanding of what will happen to your records after review is complete
5.2 Physician Confidentiality Obligations
Every physician in our second opinion network has signed a Data Processing Agreement (DPA) and Physician Confidentiality Agreement that:
- Prohibits use of your PHI for any purpose other than rendering the second opinion
- Requires records to be deleted from personal devices within 30 days of opinion delivery
- Mandates reporting of any unauthorized access or data breach within 24 hours
- Binds them to HIPAA-equivalent standards regardless of their country of practice
- Prevents sharing your information with their employer hospitals without your explicit consent
5.3 Video Consultation Privacy
All second opinion video consultations are conducted on our end-to-end encrypted video platform. Recordings are only made with your explicit consent at the start of each call. If you consent to recording, the recording is:
- Stored encrypted in your private patient portal for 12 months
- Accessible only by you and the reviewing physician
- Never used for training, quality analysis, or any other purpose without separate consent
- Permanently deleted upon your request at any time
Your formal second medical opinion is delivered in writing through your encrypted patient portal. It is never sent via unencrypted email, WhatsApp, or SMS. If you choose to share this written opinion with your primary physician, that is entirely your decision — we will never do so without your explicit instruction.
When We Share Your Information
HealingTourist shares your information only in the circumstances described below. In every case, we share the minimum necessary information and require all recipients to protect it appropriately.
6.1 Sharing With Your Consent
The primary reason we share your PHI is because you ask us to — to connect you with a physician, to coordinate your hospital admission, or to facilitate a second opinion. We will always confirm the specific recipients before transmitting any medical records.
6.2 Our Network Physicians & Hospitals
To facilitate medical care, we share relevant PHI with:
- The specific physician(s) you select or approve from our network
- The hospital or clinic you choose for treatment or consultation
- Ancillary care providers involved in your treatment (anesthesiologists, radiologists) where clinically necessary and disclosed to you
All network providers are under binding confidentiality and data processing agreements.
6.3 Service Providers (Business Associates)
We use the following categories of trusted service providers who may process your data on our behalf. All are bound by Business Associate Agreements or equivalent Data Processing Agreements:
- Encrypted cloud storage: For secure storage of medical records and documents
- Video conferencing: For doctor-patient consultations (HIPAA-compliant platform)
- Payment processing: PCI-DSS Level 1 compliant processors (they never see your PHI)
- Translation services: For medical document translation (under strict NDA)
- Email & communication: HIPAA-compliant encrypted communication tools
6.4 Legal Requirements
We may disclose your information without consent only when:
- Required by a valid court order, subpoena, or other legal process
- Required by law enforcement to prevent imminent harm to you or others
- Necessary to defend HealingTourist against a legal claim you have brought
- Required by a public health authority for reportable disease investigation
In all such cases, we will notify you of the disclosure request as promptly as legally permitted, and we will disclose only the minimum information required to comply.
6.5 What We Will Never Do
- Sell your personal or health information to data brokers, marketers, or any third party
- Share your PHI with your employer, family members, or insurance company without your consent
- Provide your information to immigration or government authorities except where legally compelled
- Use your health information for targeted advertising on social media or other platforms
International Data Transfers
Because HealingTourist facilitates care in India, your medical records will necessarily be transmitted to physicians and hospitals located outside the United States. We take this responsibility extremely seriously and have implemented the following safeguards:
7.1 Safeguards for Transfers to India
- Encryption in transit: All medical records are transmitted using TLS 1.3 encryption — the same standard used by major financial institutions
- Physician DPAs: Every Indian physician and hospital partner has executed a Data Processing Agreement that incorporates HIPAA-equivalent protections
- India DPDP Compliance: We adhere to India's Digital Personal Data Protection Act (2023) for all data processed within Indian jurisdiction
- Restricted access: Only the specific treating physician and their directly involved clinical team may access your records — not the hospital's administrative or billing departments
- Post-care deletion: Partner hospitals are required to delete your PHI from local systems within 90 days of completing your care, retaining only what is legally required for medical record-keeping
7.2 European Residents (GDPR)
For patients located in the European Union or United Kingdom, the transfer of your personal data outside the EU/EEA is governed by Standard Contractual Clauses (SCCs) approved by the European Commission, supplementary technical measures including encryption and access controls, and your explicit informed consent provided before any data transfer occurs.
7.3 No Transfer Without Your Knowledge
You will always be informed in advance of which country your data will be transferred to, which specific institution or physician will receive it, and the purpose of the transfer. You retain the right to withdraw consent for any transfer that has not yet occurred.
How We Protect Your Data
HealingTourist implements a comprehensive, layered security program designed to protect your medical information to the highest available standards.
Technical Safeguards
- Encryption at rest: AES-256 encryption for all stored PHI
- Encryption in transit: TLS 1.3 for all data transmissions
- Access controls: Role-based access — staff can only access information necessary for their specific function
- Multi-factor authentication: Required for all staff and physician portal access
- Audit logging: Every access to PHI is logged with timestamp, user identity, and purpose
- Penetration testing: Quarterly third-party security assessments
- Vulnerability management: Continuous monitoring and patch management program
Physical Safeguards
- All servers are hosted in SOC 2 Type II and ISO 27001 certified data centers
- No PHI is processed on portable devices without remote wipe capability and full-disk encryption
- Physical access to server infrastructure is restricted to authorized data center personnel
Administrative Safeguards
- Annual HIPAA privacy and security training for all staff
- Background checks for all employees with access to PHI
- Designated Privacy Officer and Security Officer
- Documented incident response plan with defined escalation procedures
- Regular risk assessments and mitigation planning
Breach Notification
In the event of a security breach involving your PHI, HealingTourist will notify you within 60 days of discovering the breach (consistent with HIPAA requirements), or sooner where state law requires a faster timeline (California: 45 days; Texas: as expeditiously as possible). Notification will include what information was affected, what HealingTourist is doing about it, and what steps you can take to protect yourself.
Your Privacy Rights
You have significant rights over your personal and health information. These rights are not contingent on you proceeding with treatment — they apply even if you only submitted an initial inquiry.
Right to Access
Request a complete copy of all personal and health information we hold about you. We will provide this within 30 days at no charge.
Right to Correct
If any information we hold about you is inaccurate or incomplete, you may request that we correct or supplement it.
Right to Delete ("Right to Be Forgotten")
Request deletion of your personal information. We will delete all PHI and personal data except what we are legally required to retain.
Right to Restrict Processing
Ask us to stop using your information for specific purposes (e.g., communications) while retaining it for others (e.g., your treatment record).
Right to Portability
Receive your data in a structured, machine-readable format (e.g., FHIR-compatible export) to transfer to another provider.
Right to Opt Out of Sale
California residents may opt out of the "sale" or "sharing" of personal information. We do not sell data, but this right is preserved for you.
Right to Non-Discrimination
Exercising any privacy right will never result in denial of services, different pricing, or reduced quality of care coordination.
Right to Withdraw Consent
You may withdraw consent for any data processing at any time. Withdrawal does not affect processing already carried out in good faith.
How to Exercise Your Rights
To exercise any of the above rights, contact our Privacy Officer:
- Email: privacy@healingtourist.com
- Subject line: "Privacy Rights Request — [Your Name]"
- Response time: We will acknowledge within 5 business days and fulfill within 30 days (extendable to 60 days for complex requests, with notice)
- Identity verification: We will ask you to verify your identity before acting on any request to protect against unauthorized access
You may also submit requests via our secure patient portal. If you are a California resident and we fail to respond appropriately to your request, you may file a complaint with the California Privacy Protection Agency (CPPA) at cppa.ca.gov.
Cookies & Tracking Technologies
Our website uses cookies and similar tracking technologies to operate the site, understand usage, and improve your experience. We do not use cookies to track your medical research activity for advertising purposes.
Types of Cookies We Use
| Cookie Type | Purpose | Duration | Can You Opt Out? |
|---|---|---|---|
| Strictly Necessary | Login sessions, security tokens, form submissions | Session | No — required for site function |
| Functional | Language preference, remembered inquiry details | 12 months | Yes — via cookie settings |
| Analytics | Anonymized page view tracking (Cloudflare Analytics — no personal data) | 30 days | Yes — via cookie settings |
| Marketing | We do not serve targeted medical ads. Limited non-medical campaign tracking with opt-in only | N/A | Opt-in required |
You may manage cookie preferences at any time via the cookie preferences link in our website footer. Most web browsers also allow you to control cookies through browser settings. Note that disabling strictly necessary cookies may affect site functionality.
Health Information & Cookies
We will never use cookies, pixels, or any tracking technology to infer, record, or transmit information about your health conditions, medical searches, or treatment interests to third-party advertisers. What you research on HealingTourist stays on HealingTourist.
Children's Privacy
HealingTourist is not directed at children under the age of 13. We do not knowingly collect personal information from children under 13 without verifiable parental consent, in compliance with the Children's Online Privacy Protection Act (COPPA).
For patients under 18 (minors) seeking medical care:
- All inquiries must be submitted by a parent or legal guardian
- The parent/guardian's consent is required for all data processing
- The minor's PHI receives the same (or higher) level of protection as adult PHI
- Access to a minor's health information is restricted to the parent/guardian and the treating physician
If you believe we have inadvertently collected information from a minor without appropriate consent, please contact us immediately at privacy@healingtourist.com and we will delete the information promptly.
Data Retention
We retain your information only as long as necessary to fulfill the purpose for which it was collected, or as required by law.
| Data Category | Retention Period | Reason |
|---|---|---|
| PHI — Treated Patients | 7 years from date of last care coordination | Medical record retention laws (varies by state) |
| PHI — Inquiry Only (No Treatment) | 2 years from inquiry date, then permanently deleted | Operational necessity; your right to follow up |
| Second Opinion Records | 5 years from opinion delivery date | Clinical continuity and legal protection |
| Video Consultation Recordings | 12 months, or upon your deletion request | Your review and access; deleted sooner on request |
| Financial Records | 7 years | Tax and accounting legal requirements |
| Website Analytics (Anonymized) | 26 months | Service improvement; no personal data retained |
| Email Communications | 3 years | Service continuity and dispute resolution |
At the end of any retention period, data is securely and permanently deleted using NIST 800-88 compliant data destruction methods. You may request earlier deletion of any data category, subject to applicable legal minimum retention requirements.
Changes to This Privacy Policy
We may update this Privacy Policy periodically to reflect changes in our practices, technology, or legal obligations. When we make material changes, we will:
- Post the updated policy on this page with a revised "Last Updated" date
- Send an email notification to registered users and active patients at least 30 days before material changes take effect
- Display a prominent notice on our homepage for 60 days after significant changes
- For changes affecting how we use existing PHI, obtain fresh consent before the new use begins
Your continued use of HealingTourist services after the effective date of any update constitutes acceptance of the revised policy for non-material changes. For material changes, we will obtain affirmative consent.
We maintain an archive of all previous versions of this Privacy Policy. Previous versions are available by emailing privacy@healingtourist.com.
Contact Us & Filing Complaints
We take privacy concerns seriously and are committed to resolving them promptly and fairly. Please contact our Privacy Officer directly for any questions or concerns about this policy or our data practices.
🔒 Privacy Officer
HealingTourist Privacy Office
Email: privacy@healingtourist.com
Response: Within 48 business hours
Subject line: "Privacy Inquiry — [Your Name]"
📬 Postal Address
HealingTourist, LLC
Attn: Privacy Officer
[Street Address]
[City, State, ZIP]
United States of America
⚖️ Regulatory Complaints — USA
If we fail to resolve your privacy concern, you may file a complaint with:
HHS Office for Civil Rights (HIPAA):
hhs.gov/ocr/complaints
California CPPA: cppa.ca.gov
FTC: reportfraud.ftc.gov
🌐 Regulatory Complaints — International
EU/UK residents (GDPR): Your local Data Protection Authority. EU DPA directory: edpb.europa.eu
India residents: Data Protection Board of India (operational from 2025)
Filing a complaint with a regulator does not affect your right to seek legal remedy in court.
This Privacy Policy is provided for informational purposes and reflects HealingTourist's good-faith effort to comply with applicable privacy laws. It does not constitute legal advice. The legal landscape around health data privacy is evolving rapidly; HealingTourist regularly reviews and updates its practices. If you are an attorney or compliance professional with questions about our data practices, please contact legal@healingtourist.com.