Privacy Policy
Effective Date: 3/28/26
Last Updated: 3/28/26
1. Overview
Revolution Health Alliance, PLLC, doing business as Midlife Metabolic Medicine (“MMM,” “we,” “our,” or “us”) is a telehealth nurse practitioner practice providing metabolic weight management and hormonal medicine services to patients in Idaho and Oregon. This Privacy Policy explains how we collect, use, store, share, and protect your personal information and protected health information (“PHI”) when you visit our website at midlifemetabolicmedicine.com (“Website”), use our patient portal, or receive clinical care through our practice.
By using our Website or engaging with our services, you acknowledge that you have read and understand this Privacy Policy. If you do not agree with the practices described here, please do not use our Website or services.
Our telehealth services are provided pursuant to Idaho’s Virtual Care Access Act (I.C. § 54-5703 et seq.) and applicable Oregon telehealth statutes. Remote patient monitoring, as described in Section 5 of this policy, falls within the scope of virtual care as defined by Idaho law.
2. Information We Collect
We collect different types of information depending on how you interact with us. The categories below describe what we collect, from whom, and through which platforms.
2.1 Information You Provide Directly
• Name, email address, phone number, and mailing address when you book a Discovery Visit, register for a webinar, complete the metabolic health quiz, download a resource, or contact us.
• Health history, symptoms, medications, and clinical information you provide during intake forms, clinical visits, and patient portal messaging through Practice Better.
• Payment information (credit card or other payment method) processed through Stripe. MMM does not store payment card details on our servers.
• Communication preferences and marketing opt-in/opt-out selections.
2.2 Information Collected Through Clinical Care
When you enroll in the Metabolic Rebuild or ongoing continuity care, the following clinical data is collected as part of your medical care:
• Biometric data from monitoring devices: body composition (weight, body fat percentage, lean mass, bone mass, body water), blood pressure, heart rate, heart rate variability, sleep quality, respiratory rate, skin temperature, blood oxygen saturation, and ECG readings. These are collected through Withings Body Comp, Withings BPM Connect, and Withings ScanWatch 2 devices provided as part of your clinical monitoring kit.
• Continuous glucose data: collected during defined monitoring windows through Dexcom Stelo or Dexcom G7 sensors. Clinical analysis is performed using Dexcom Clarity.
• Laboratory results: ordered through Rupa Health and performed by third-party reference laboratories.
• Nutrition, lifestyle, and biometric tracking data: entered by you or synced automatically through Practice Better.
• Supplement orders: placed through Fullscript.
• Prescription medication records: managed through DrFirst ePrescribe.
2.3 Information Collected Automatically
• Website usage data including browser type, operating system, pages visited, time on site, and referring URL. This data is collected through Squarespace’s built-in analytics.
• Cookies and similar tracking technologies as described in Section 8 of this policy.
• Email engagement data (opens, clicks) through HubSpot for marketing communications only.
2.4 Information Collected Through Third-Party Platforms
Your information may be collected or processed through the following third-party platforms as part of our clinical and business operations:
• Practice Better: Patient portal, clinical documentation, messaging, scheduling, intake forms, and biometric data aggregation.
• HubSpot: Customer relationship management, email marketing, and lead nurture sequences.
• ScoreApp: Metabolic health quiz and webinar registration.
• Stripe: Payment processing.
• Zoom: Telehealth visits and live webinars.
• Zapier: Automated data transfer between marketing and CRM platforms (no clinical data flows through Zapier).
• Rupa Health: Laboratory ordering and results.
• Fullscript: Supplement dispensary.
• DrFirst: Electronic prescribing.
• Withings Health Mate, Apple Health, Google Health Connect: Biometric data routing from monitoring devices to Practice Better.
• Dexcom (Stelo App, G7 App, Clarity): Continuous glucose monitoring data collection and clinical analysis.
• Evergreen: Asynchronous patient education course delivery.
• That Clean Life: Curated recipe library access.
3. How We Use Your Information
We use the information we collect for the following purposes:
3.1 Clinical Care
• To provide, coordinate, and manage your medical care, including clinical evaluations, treatment planning, medication management, lab ordering, and ongoing monitoring.
• To review biometric data collected through your monitoring devices at scheduled clinical visits and during structured between-visit chart reviews.
• To communicate with you through your patient portal regarding your care.
• To coordinate care with other healthcare providers with your consent.
• To support healthcare operations, including quality assessment, clinical review, and practice improvement. The full scope of permitted uses and disclosures of your PHI for treatment, payment, and healthcare operations is described in our Notice of Privacy Practices, which is provided at intake and available upon request.
3.2 Business Operations
• To process payments and manage your account.
• To schedule appointments and manage the patient roster.
• To maintain internal records and comply with legal and regulatory requirements.
3.3 Marketing and Communication
• To send email communications about our services, educational content, and webinar invitations — only if you have opted in or provided your email through a lead capture mechanism (quiz, webinar registration, or resource download).
• To personalize your experience based on quiz responses or prior interactions.
• You may opt out of marketing communications at any time (see Section 7).
3.4 Website Improvement
• To analyze aggregate, de-identified website usage data to improve our Website and services.
4. Protected Health Information and HIPAA
As a healthcare provider, Midlife Metabolic Medicine is subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its implementing regulations. Your protected health information (PHI) — which includes your medical records, lab results, biometric data, treatment plans, and any individually identifiable health information — is governed by HIPAA’s Privacy Rule and Security Rule.
4.1 Your Rights Under HIPAA
You have the right to:
• Access and obtain a copy of your medical records and PHI.
• Request corrections to your PHI if you believe it is inaccurate or incomplete.
• Request restrictions on certain uses and disclosures of your PHI.
• Request confidential communications (e.g., contacting you at a specific phone number or address).
• Receive an accounting of disclosures of your PHI.
• File a complaint if you believe your privacy rights have been violated.
4.2 How We Protect Your PHI
• All patient messaging occurs within Practice Better’s HIPAA-compliant patient portal — not through standard email or text.
• Outbound email that may contain PHI is encrypted through Paubox, which integrates with our Google Workspace email.
• Telehealth visits are conducted via Zoom for Healthcare (HIPAA-compliant configuration) through Practice Better.
• Biometric data is transmitted through HIPAA-compliant pathways and stored within your patient portal as part of your medical record.
• Secure fax communication is handled through Doximity when required for provider-to-provider records.
• Electronic prescriptions are transmitted through DrFirst, which meets DEA and state board requirements for ePrescribing.
4.3 Notice of Privacy Practices
A separate Notice of Privacy Practices (NPP) document is provided to each patient at intake through Practice Better.
5. Biometric Data and Monitoring Devices
As part of the Metabolic Rebuild and continuity care programs, you receive clinical-grade monitoring devices that collect biometric data. This section describes how that data flows and is used.
5.1 Data Flow
Biometric data from your monitoring devices syncs automatically through the following pathway: monitoring device → Withings Health Mate app → Apple Health or Google Health Connect → Practice Better patient portal. Continuous glucose data follows a similar pathway through the Dexcom app. All data becomes part of your medical record in Practice Better.
While in transit through Withings Health Mate, Apple Health, or Google Health Connect, your biometric data is subject to those platforms’ respective privacy policies and terms of service. Once your data reaches Practice Better, it becomes part of your protected medical record and is governed by HIPAA. We encourage you to review the privacy policies of Withings (withings.com), Apple (apple.com/privacy), Google (policies.google.com/privacy), and Dexcom (dexcom.com/privacy) to understand how your data is handled before it enters our clinical system.
5.2 How Biometric Data Is Used
• Your provider reviews your accumulated biometric data at every scheduled clinical visit and between visits at structured intervals.
• If a concerning trend is identified during a between-visit review, your provider will reach out to you through the patient portal.
• Biometric data is not monitored in real time. It is reviewed at defined clinical intervals as described in your informed consent.
5.3 Device Ownership
The monitoring devices provided at enrollment are yours to keep permanently, regardless of whether you continue care with this practice. If you discontinue care, your provider will guide you in disconnecting the data pipeline if you wish.
5.4 State Biometric Privacy Laws
Idaho and Oregon biometric privacy statutes do not impose additional requirements beyond HIPAA for the collection and storage of biometric data (body composition, HRV, SpO2, ECG, glucose data).
6. How We Share Your Information
We do not sell, rent, or trade your personal information or PHI to third parties for marketing purposes.
We may share your information in the following limited circumstances:
• Third-party service providers: We use the platforms listed in Section 2.4 to operate our practice. These providers process data on our behalf in accordance with their own privacy policies and, where applicable, Business Associate Agreements (BAAs) required by HIPAA.
• Coordinating care: We may share clinical information with other healthcare providers involved in your care, with your consent. Clinical summaries may be sent to referring providers via Paubox-encrypted email as permitted by law and, where appropriate, with your authorization.
• Legal requirements: We may disclose information as required by law, including in response to lawful requests by public authorities, to comply with a subpoena or court order, or to protect the rights, safety, or property of MMM, our patients, or the public.
• Payment processing: Payment information is processed by Stripe and is subject to Stripe’s privacy policy. We do not store your payment card details.
• De-identified data: We may use aggregated, de-identified data (from which your identity cannot be determined) for practice improvement, research, or educational purposes.
6.1 Business Associate Agreements
Practice Better, Zoom (Healthcare configuration), Google Workspace, Paubox, DrFirst, Rupa Health, Dexcom, Fullscript, and Evergreen all require BAAs, and executed BAAs are in place with each of them.
7. Marketing Communications and Your Choices
You may receive marketing emails from MMM if you opted in by completing the metabolic health quiz, registering for a webinar, downloading a resource, or explicitly requesting information. Marketing emails are sent through HubSpot.
You may opt out of marketing communications at any time by clicking the unsubscribe link included in every marketing email or by contacting us at denise@midlifemetabolicmedicine.com. Opting out of marketing communications does not affect clinical communications sent through your patient portal, which are part of your medical care.
8. Cookies and Tracking Technologies
Our Website uses cookies and similar technologies to support basic site functionality and analyze aggregate usage patterns. Specifically:
• Squarespace analytics: Collects aggregate, anonymized website usage data (pages visited, time on site, traffic sources). This data is not linked to your identity.
• HubSpot tracking: If you arrive at the Website through a marketing email or complete a lead capture form, HubSpot may place a cookie to track your engagement with our email content and Website. This data is used to personalize follow-up communications.
• ScoreApp: The metabolic health quiz may use cookies to support quiz functionality and track completion.
We do not use third-party advertising cookies. We do not serve ads on our Website. We do not sell cookie data to third parties.
Most browsers allow you to manage or disable cookies through their settings. Disabling cookies may affect the functionality of certain features on our Website.
A cookie consent banner is not required for visitors from jurisdictions with stricter cookie regulations.
9. Data Security
We implement reasonable administrative, technical, and physical safeguards to protect your information, consistent with HIPAA Security Rule requirements. These include:
• Encrypted email transmission through Paubox for any business email that may contain PHI.
• HIPAA-compliant patient portal (Practice Better) for all clinical messaging and document exchange.
• Secure telehealth delivery through Zoom for Healthcare.
• HIPAA-compliant fax through Doximity for provider-to-provider communications.
• Secure electronic prescribing through DrFirst.
No method of electronic transmission or storage is completely secure. While we take reasonable measures to protect your information, we cannot guarantee absolute security. If you have reason to believe that your interaction with us is no longer secure, please contact us immediately at denise@midlifemetabolicmedicine.com.
10. Data Retention
We retain your personal information and PHI in accordance with the following:
• Medical records: Retained in accordance with Idaho and Oregon state medical record retention requirements.
• Marketing contact data: Retained in HubSpot until you opt out or request deletion.
• Payment records: Retained in accordance with IRS record-keeping requirements (generally 7 years).
• Website analytics: Aggregate, anonymized data may be retained indefinitely.
11. Children’s Privacy
Our services are designed for adults. We do not knowingly collect personal information from individuals under the age of 18. If we become aware that we have collected information from a minor, we will take steps to delete that information. If you believe a minor has provided us with personal information, please contact us at denise@midlifemetabolicmedicine.com.
12. State-Specific Privacy Rights
12.1 Idaho
Our telehealth services are provided pursuant to Idaho’s Virtual Care Access Act (I.C. § 54-5703 et seq., effective July 2023), which defines virtual care to include remote patient monitoring. Idaho law requires specific informed consent disclosures prior to telehealth services, including information about security measures, potential information loss, and the right to discontinue telehealth at any time (IDAPA 24.33.03.205). These consent requirements are addressed through our clinical informed consent process, which is separate from this Privacy Policy.
In the event of a breach of the security of unencrypted computerized data that materially compromises the security, confidentiality, or integrity of your personal information, we will conduct a reasonable and prompt investigation and notify affected Idaho residents as soon as possible, in compliance with Idaho Code § 28-51-105. Under current Idaho law, commercial entities are not required to notify the Idaho Attorney General of a breach (this requirement applies only to public agencies), but we may voluntarily report a breach to the AG’s Consumer Protection Division. Idaho does not currently have a standalone biometric privacy statute comparable to Illinois’ BIPA; biometric data collected through our clinical monitoring program is governed by HIPAA as protected health information.
12.2 Oregon
Oregon requires that prior to initiating telehealth services, the provider obtain patient consent to receive services via telehealth. This consent may be verbal, written, or recorded and must be documented in the patient’s permanent record. Oregon also requires that providers have procedures in place to address remote medical emergencies at the patient’s location. These requirements are addressed through our clinical informed consent process in Practice Better.
In the event of a data breach affecting Oregon residents, we will notify affected individuals within 45 days, in compliance with Oregon’s Consumer Identity Theft Protection Act (ORS 646A.604). If a breach affects 250 or more Oregon residents, we will also notify the Oregon Attorney General.
The Oregon Consumer Privacy Act (OCPA, ORS 646A.570–646A.589, effective July 2024) applies to entities that control or process the personal data of 100,000 or more Oregon residents, or 25,000 or more Oregon residents while deriving 25% or more of annual gross revenue from selling personal data. As a solo telehealth practice with a combined patient cap of 48 active patients, MMM does not meet either OCPA processing threshold. Additionally, data processed under HIPAA is exempt from the OCPA’s numerical threshold calculations. We do not sell personal data. We do not engage in targeted advertising as defined by the OCPA. Accordingly, the OCPA’s consumer rights provisions (access, correction, deletion, data portability, opt-out) are not triggered. Notwithstanding, patients retain all rights over their protected health information as described in Section 4 of this policy and in our Notice of Privacy Practices.
12.3 California
The California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) apply to for-profit businesses that meet specific thresholds: annual gross revenue exceeding $25 million, buying/selling/sharing personal information of 100,000 or more California residents, or deriving 50% or more of annual revenue from selling or sharing personal information. MMM provides clinical services only to patients located in Idaho and Oregon and does not meet any CCPA/CPRA processing threshold. This section is retained as a precautionary disclosure. If you are a California resident and believe you have privacy rights under California law that are not addressed here, please contact us at denise@midlifemetabolicmedicine.com.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will update the “Last Updated” date at the top of this page. We encourage you to review this page periodically. Your continued use of our Website or services after any changes constitutes your acceptance of the updated policy.
14. Contact Information
If you have questions about this Privacy Policy, wish to exercise your privacy rights, or have concerns about how your information is handled, please contact us:
Denise Erland, FNP-C, FMACP
Midlife Metabolic Medicine, 1350 S Five Mile Rd, Unit 190544, Boise, ID 83719
denise@midlifemetabolicmedicine.com
midlifemetabolicmedicine.com
15. Complaints
If you believe your privacy rights have been violated, you have the right to file a complaint with:
• Midlife Metabolic Medicine (contact information above)
• The U.S. Department of Health and Human Services, Office for Civil Rights: hhs.gov/ocr
As a telehealth provider, we are committed to regulatory transparency. Patients receiving services in Idaho or Oregon may also provide feedback or file practice-related complaints directly with their respective state licensing boards:
Idaho Residents: You may contact the Idaho Board of Nursing through the Division of Occupational and Professional Licenses (DOPL) Online Complaint Portal. In accordance with the Idaho Virtual Care Access Act, we disclose that services are provided by Denise Erland, Idaho APRN-CNP #4071762, reachable at 208.575.6100. Our current location for the delivery of these services is 1350 S Five Mile Rd, Unit 190544, Boise, ID 83719.
Oregon Residents: You may file a complaint with the Oregon State Board of Nursing via their Online Complaint System or by mail to 17938 SW Upper Boones Ferry Road, Portland, OR 97224. Please be advised that under Oregon law (ORS 676.175), all information regarding specific board investigations is strictly confidential. Services are provided by Denise Erland, Oregon APRN-NP #10041010.
You will not be retaliated against for filing a complaint.

