Consumer Health Data Privacy Policy
Nurse Numbers Consulting, LLC
What this policy is
This is the Consumer Health Data Privacy Policy of Nurse Numbers Consulting, LLC ("Nurse Numbers," "we," "our," or "us"). It describes how we collect, use, share, and protect "consumer health data" as that term is defined by the Washington My Health My Data Act (the "MHMDA"). It is published separately from our general Privacy Policy because Washington law requires consumer health data to be addressed in its own clearly identified policy.
If you are a client, prospective client, or website visitor whose consumer health data we may collect, this policy explains what to expect and how to exercise your rights.
Who we are
Nurse Numbers Consulting, LLC is a Washington State limited liability company providing health education and investigative synthesis services on a self-pay basis. The practice is led by Lynn Frair, RN, BSN, BA–Biology, a Registered Nurse licensed in Washington State.
The practice is not a clinical care provider in the conventional sense: we do not diagnose, prescribe, or treat. Our work organizes and synthesizes information for the patient and their clinical team. We are, however, a healthcare-adjacent practice that handles sensitive consumer health information, and we have built our privacy practices to reflect that responsibility.
Mailing address:
Nurse Numbers Consulting, LLC
#1165
13110 NE 177th Pl
Woodinville, WA 98072
United States
Email for privacy questions and consumer rights requests: hello@lynnfrair.com
What "consumer health data" means
Under the MHMDA, "consumer health data" includes personal information that identifies a consumer's past, present, or future physical or mental health status — including information derived or extrapolated from non-health data (for example, inferences drawn from intake responses). It covers a wide range of information, including medical conditions, symptoms, treatments, diagnoses, medications, biometric data, genetic information, reproductive and sexual health information, gender-affirming care information, and mental health information, among others.
This policy applies to all consumer health data we collect, regardless of the source or how it reaches us.
Important: HIPAA status
Nurse Numbers Consulting, LLC is not currently a HIPAA-covered entity. We do not bill insurance and do not engage in the standard electronic healthcare transactions that would bring a practice under HIPAA. The federal HIPAA Privacy Rule therefore does not govern our handling of your information.
Our handling of your information is instead governed by, among other things, the Washington My Health My Data Act (RCW 19.373), the Washington Uniform Health Care Information Act (RCW 70.02), our professional standards as a Washington-licensed Registered Nurse, and the commitments described in this policy and our general Privacy Policy. We have built our practices to provide robust protection of your information even in the absence of HIPAA's specific requirements.
What consumer health data we collect
We collect the following categories of consumer health data, depending on the service you engage:
Identifying and contact information:
Name, email address, phone number, mailing address
Scheduling and appointment information
Payment information processed by our payment processor (we do not store full card numbers ourselves)
Health and medical information you provide:
Medical records, lab results, imaging reports, and other clinical documents you upload through our intake process
Intake form responses describing your symptom history, medical history, family history, current and past medications and supplements, treatments tried, and goals for the engagement
Genetic information (raw data files, reports from direct-to-consumer testing, or clinical genetic testing) that you choose to provide
Information you share with us in written correspondence and during scheduled calls
Information generated by our work:
Notes, organized timelines, pattern observations, and the synthesis documents we produce for you (for example, the Clinical Spotlight Map)
Records of communications between you and the practice
We do not record audio or video of your calls. We do not take photographs. We do not collect location data through the website beyond what is standard for hosted websites (covered in our general Privacy Policy).
Where we collect this data from
Almost all consumer health data we hold comes directly from you. Specifically, we collect this data from:
You — through intake forms, uploaded documents, written correspondence, and conversation during scheduled calls.
Your authorized providers — only when you have specifically authorized us in writing to receive records directly from a treating clinician. This is uncommon; the typical pattern is that you provide records you have already obtained from your own clinical team.
Our website and scheduling tools — limited contact and scheduling information (name, email, appointment time) generated when you complete a contact form or schedule a session.
We do not purchase, lease, or otherwise acquire consumer health data from data brokers or other third-party sources.
How we use consumer health data
We use your consumer health data only for the purposes you would expect:
To provide the services you have engaged us for (synthesis, organization of records, preparation of Clinical Spotlight Maps and related deliverables, scheduled calls, written summaries)
To communicate with you about your engagement, scheduling, and questions
To process payments
To respond to your requests, including consumer rights requests under the MHMDA
To maintain records appropriate to a healthcare-adjacent practice
To comply with our legal and professional obligations as a Washington-licensed Registered Nurse
We do not use your consumer health data for advertising, targeted marketing, profiling for marketing purposes, or any commercial purpose beyond providing the service you engaged us for.
Who we share consumer health data with
We share consumer health data only with service providers and vendors who help us run the practice, and only to the extent necessary for them to perform their function. Each provider listed below is a third party with its own privacy and security practices; where relevant, we work to ensure data processing agreements are in place that limit how they may use information they receive from us.
Service providers we use:
Squarespace (and Acuity Scheduling, owned by Squarespace)
Website hosting, contact forms, appointment scheduling
Receives: identifying and contact information; scheduling details; any information you submit through a contact form.
JotForm
Secure intake forms and document upload
Receives: all intake responses, uploaded medical records, and information you submit via intake forms.
Stripe (via Squarespace) and Klarna
Payment processing and split-pay financing
Receives: payment information and transaction details (we do not retain full card numbers).
Google (Gmail)
Email correspondence with clients and the practice
Receives: any consumer health data you share in email correspondence.
AI redaction service (currently Bastian; transitioning to a Microsoft Azure–based solution)
Removes identifying information from records before any AI-assisted synthesis
Receives: identified records, which are returned in redacted/de-identified form.
Anthropic (Claude)
AI-assisted synthesis to support pattern recognition in complex cases
Receives: only redacted/de-identified material. Identified consumer health data is not transmitted to Anthropic.
We may also share consumer health data:
With you — providing you access to your own records, drafts, and deliverables
As required by law — in response to a valid subpoena, court order, or other legally enforceable request, after we have evaluated the request and, where lawful and appropriate, notified you
To protect rights or safety — in the rare circumstance where disclosure is necessary to prevent imminent harm
In the event of a business transaction — if Nurse Numbers Consulting is acquired, merged, or sold, your information may be transferred to the successor entity; in that case, we will notify affected consumers and the successor will be bound by this policy or one substantially similar
We do not share consumer health data with insurance companies, employers, advertisers, data brokers, or law enforcement except under the limited "as required by law" exception above.
We do not sell consumer health data
We do not sell consumer health data. We have never sold consumer health data. We have no plans to sell consumer health data.
Under the MHMDA, the sale of consumer health data requires a separate written and signed authorization from the consumer. Because we do not sell, this is not part of our business model and no such authorization process exists.
How long we keep your data
We retain consumer health data for two (2) years after the conclusion of your engagement with the practice, after which records are deleted on a rolling basis. "Conclusion of engagement" generally means the date your final deliverable was sent or the date of your last scheduled session, whichever is later.
You may request deletion of your records earlier, and we will honor that request unless we are required by law to retain specific information (for example, transaction records required by tax law, which are limited to non-health business records).
If you contact us as a prospective client but do not engage our services, we retain the information you provided for ninety (90) days and then delete it, unless you ask us to delete it sooner.
Sensitive data categories
The MHMDA recognizes certain categories of consumer health data as particularly sensitive, including reproductive health information, mental health information, gender-affirming care information, and genetic data. When your records include information in these categories, we apply additional care:
We do not include sensitive-category information in any communication, deliverable, or document beyond what is materially relevant to the synthesis you engaged us for.
We do not discuss sensitive-category information in any setting outside the practice without your specific written authorization.
We apply the same data minimization, retention, and deletion standards to sensitive-category data as to all other consumer health data — and we are particularly careful with disclosure requests touching these categories.
Your rights
As a Washington consumer (and, in practical terms, as any consumer whose health data we hold), you have the following rights:
Right to confirm and access. You may ask us to confirm whether we hold consumer health data about you and to provide you with a copy of that data.
Right to deletion. You may ask us to delete the consumer health data we hold about you.
Right to withdraw consent. You may withdraw any consent you previously provided for our collection or sharing of your consumer health data. Withdrawal does not affect actions we took before the withdrawal but will apply going forward.
Right to appeal. If we deny any of the requests above, you may appeal that decision.
Right to complain to the Washington Attorney General. Independent of any appeal to us, you may file a complaint with the Washington State Attorney General's Office about how your consumer health data has been handled.
You have these rights regardless of where you live, with respect to consumer health data we collected while operating in Washington.
How to exercise your rights
To exercise any of the rights described above, contact us at hello@lynnfrair.com. Please include in your message:
Your full name
The email address (or addresses) you have used in any communication with the practice
A description of the right you are exercising
For deletion or access requests, enough detail that we can locate your records
Verification. Before we act on any rights request, we may need to verify that the request is coming from you (and not from someone impersonating you). Verification typically involves confirming details only you would know (for example, information you previously provided to us during an engagement). We do not require you to create an account to exercise your rights.
Timeline. We will respond to your verified request within forty-five (45) days. If the request is complex or unusual, we may extend that period by an additional 45 days; in that case, we will tell you the reason for the extension before the first 45 days are up.
No charge. There is no fee to exercise these rights, unless your requests are excessive, repetitive, or manifestly unfounded — in which case we may either charge a reasonable fee or decline to act, and we will explain our reasoning.
Appeals
If we deny any of your rights requests, our response will explain the reason for the denial. You may appeal that decision by sending a written appeal to hello@lynnfrair.com with the subject line "Appeal — Consumer Health Data Rights Request." We will respond to your appeal within forty-five (45) days, with a decision and an explanation. If we deny your appeal, we will inform you of your right to file a complaint with the Washington State Attorney General's Office at https://www.atg.wa.gov.
Children's data
Our services are designed for adults. We do not knowingly serve minors as clients, and we do not direct marketing or services to minors. If we become aware that we have collected consumer health data from a minor without verifiable consent from a parent or legal guardian, we will delete the data promptly.
If you are a parent or guardian and believe a minor has provided us with consumer health data, please contact us at the email address above and we will address it.
Security
We work to protect consumer health data using reasonable administrative, technical, and physical security practices appropriate to the size of our practice and the sensitivity of the information involved. These practices include encrypted file storage where applicable, secure intake forms, vendor agreements with our service providers, and limits on who within the practice has access to records.
No system is perfectly secure. If we ever experience a security breach involving consumer health data, we will notify affected consumers in accordance with applicable law and take corrective steps.
Changes to this policy
We may update this policy from time to time, for example to reflect changes in our practices, vendors, or legal requirements. When we make a material change, we will update the "last updated" date at the top of this policy and, where practical, notify affected current clients directly. The current version is always available at this page. Material changes affecting how previously collected information is used or shared will, where required by law, be implemented only after appropriate notice and, where applicable, consent.
How to contact us
For privacy questions, consumer rights requests, or any other matter related to this policy:
Email: hello@lynnfrair.com
Mail:
Nurse Numbers Consulting, LLC
Attn: Privacy
#1165
13110 NE 177th Pl
Woodinville, WA 98072
United States
For complaints to the Washington State Attorney General's Office regarding consumer health data: https://www.atg.wa.gov