Privacy Notice
How we handle your health information
Last updated: April 9, 2026
Who we are
Highland Longevity is a longevity medicine clinic in Fort Worth/Dallas, Texas, operated by Dr. Joshua Lindsley, DO, DABOM. We provide longevity-focused medical care including evaluation, lab review, telehealth visits, and supervised interventions.
We are a covered entity under the Health Insurance Portability and Accountability Act (HIPAA). When you become a patient, your medical information is protected as Protected Health Information (PHI).
What we collect
We collect health information from several sources:
- From you directly — your name, date of birth, contact information, medical history, current medications, allergies, lifestyle, family history, and the answers you give on intake forms.
- From your visits — vital signs, examination findings, assessments, treatment plans, and clinical notes created by your care team.
- From labs and imaging — results from labs, DEXA scans, metabolic testing, and other studies ordered for your care.
- From connected wearables (optional) — if you choose to connect a device on the “My Health Data” page, we import sleep, heart rate variability (HRV), resting heart rate, activity, recovery, and related biometric data from that device. You can disconnect at any time.
- From manual file uploads (optional) — Apple Health exports, Oura CSV exports, and similar files you choose to upload.
- From our website and portal — basic technical information needed to operate the service securely (IP address, user agent, audit logs of who accessed what and when).
How we use your information
We use your information to:
- Provide medical care and document your treatment
- Coordinate care with other providers, labs, and pharmacies involved in your treatment
- Bill for services and process payments
- Send appointment reminders and care-related messages
- Share educational content from the Highland Longevity library that is relevant to your conditions or goals
- Operate, secure, and improve the patient portal and the EMR platform
- Comply with legal and regulatory obligations (medical records retention, public health reporting, etc.)
Wearable data specifically
Connecting a wearable is optional. When you connect Oura, Whoop, Apple Health, or upload a data export, the following applies:
- We collect only the metrics relevant to your care: sleep duration and stages, HRV, resting heart rate, daily activity, steps, workouts, recovery scores, and VO2 max where available.
- For OAuth-connected devices (Oura, Whoop), we store an encrypted access token so we can pull new data on a daily schedule. Tokens are encrypted at rest using AES-256-GCM and are never shared.
- You decide whether your care team can see this data. The default when you grant consent is “share with providers.” You can revoke this at any time on the “My Health Data” page; from that point forward, providers will no longer see new wearable data.
- You can disconnect any device at any time. Disconnecting stops future data collection. Historical data already imported remains in your chart unless you ask us to delete it.
- We do not sell, rent, or share wearable data with advertisers, data brokers, or any party outside your direct care team and the vendors we use to operate the EMR (see “Who has access” below).
Who has access
Your information is accessible to a small set of clearly defined parties:
- Your care team — physicians, nurse practitioners, physician assistants, and clinical staff directly involved in your treatment.
- Highland Longevity operations — administrative staff who handle scheduling, billing, and records, on a minimum-necessary basis.
- Service providers under written Business Associate Agreements (BAAs) — Google Cloud (hosting, storage, email), our database provider, secure messaging vendor, and any third party that processes PHI on our behalf. These vendors are contractually required to protect your information to HIPAA standards.
- Where required by law — court orders, public health authorities, and similar legal mandates.
We do not sell your information. We do not use it for advertising.
How we protect your information
- All data is encrypted in transit (TLS) and at rest in our database and storage systems
- OAuth tokens for connected wearables are envelope-encrypted with AES-256-GCM using keys stored in Google Secret Manager
- Access is gated by authentication, role-based permissions, and multi-factor authentication for clinical staff
- Every access to your record is logged in an immutable audit trail
- Production systems are operated under written Business Associate Agreements with HIPAA-compliant cloud vendors
Your rights
You have the right to:
- See and request a copy of your health record
- Ask us to correct information you believe is inaccurate
- Request restrictions on how certain information is used or disclosed
- Ask for an accounting of disclosures of your information
- Receive a paper copy of this notice on request
- Revoke wearable data sharing or any other consent you have given (revocation does not apply to actions already taken)
- Request deletion of historical wearable data from your chart by contacting our Privacy Officer
- File a complaint with us or with the U.S. Department of Health and Human Services Office for Civil Rights without retaliation
Retention
We retain medical records for the period required by Texas law and applicable federal regulations, which is at least seven years from the date of last service for adult patients. Wearable data associated with your care follows the same retention rules. When data is no longer needed, we securely destroy it.
Children
Highland Longevity does not knowingly collect health information from anyone under the age of 18 without a parent or guardian present and consenting.
Changes to this notice
We may update this notice as our practices change or as required by law. The “Last updated” date at the top will reflect the most recent revision. Material changes will be highlighted on the patient portal home page.
Contact us
Questions about this notice or requests to exercise your rights:
Highland Longevity — Privacy Officer
Email: josh@highlandlongevity.com
Web: highlandlongevity.com
To file a complaint with the federal government, contact the Office for Civil Rights at hhs.gov/ocr.