Forge Performance PC ("Forge," "we," "us," or "our") operates Forge Performance Medicine, a concierge medical practice providing precision performance medicine services. This Privacy Policy explains how we collect, use, disclose, and protect your information when you interact with our website, services, and practice.
1. Overview
Forge is committed to protecting your privacy. As a medical practice, we handle both general personal information and Protected Health Information ("PHI") under the Health Insurance Portability and Accountability Act ("HIPAA"). This policy covers both.
PHI is governed by our separate HIPAA Notice of Privacy Practices, which you will receive upon becoming a patient. In the event of any conflict between this Privacy Policy and our HIPAA Notice of Privacy Practices with respect to PHI, the HIPAA Notice controls.
2. Information we collect
Information you provide
- Contact information: name, email, phone number, mailing address.
- Intake information: health history, goals, lifestyle information, and any other information you submit through our intake form.
- Account information: credentials you create to access any patient portal or member area.
- Payment information: billing address and payment card details, processed by our payment provider.
- Communications: emails, messages, and other correspondence between you and Forge.
Information collected automatically
- Device and usage data: IP address, browser type, device identifiers, pages viewed, time spent, referral source.
- Cookies and similar technologies: see Section 10.
Information from third parties
- Wearable device data: if you elect to connect a Garmin or other wearable device, we receive biometric and activity data as authorized by you.
- Laboratory and diagnostic results: from labs and diagnostic providers we partner with for your care.
- Referrals: information from physicians or parties who refer you to Forge.
3. HIPAA and health information
Protected Health Information is subject to HIPAA and is handled in accordance with our HIPAA Notice of Privacy Practices. PHI includes any individually identifiable health information we create, receive, or maintain about you in connection with your care, including diagnostic results, treatment plans, physician notes, and billing records.
We do not sell PHI. We do not use PHI for marketing purposes without your express written authorization. We do not share PHI with third parties for their own commercial purposes.
HIPAA Notice of Privacy Practices
A full copy of our HIPAA Notice of Privacy Practices is available upon request (contact our Privacy Officer below). It describes your rights regarding PHI in detail, including your right to access, amend, request restrictions on, and receive an accounting of disclosures of your health information.
4. How we use information
We use information to:
- Provide medical care, including diagnostics, consultations, and ongoing treatment.
- Communicate with you about your care, appointments, and results.
- Process payments and manage your account.
- Respond to inquiries and intake submissions.
- Improve our website, services, and patient experience.
- Comply with legal and regulatory obligations.
- Detect, prevent, and respond to fraud, security incidents, or misuse.
5. How we share information
We share information only as described below:
- With your consent: when you authorize us to share information with a specific party.
- Service providers: vendors that support our operations (payment processing, scheduling, diagnostic testing, IT hosting, customer support) under agreements that require them to protect your information.
- Healthcare providers: physicians, specialists, laboratories, and other providers involved in your care.
- Legal and safety: when required by law, court order, subpoena, or to protect the rights, safety, or property of Forge, our patients, or others.
- Business transfers: in connection with a merger, acquisition, or sale of assets, subject to continued privacy protections.
We do not sell your personal information.
6. Third-party services
Forge uses the following categories of third-party services to operate the practice. Each provider handles information under its own privacy practices:
- Practice management and CRM: for scheduling, patient records, and communications.
- Payment processing: to securely process membership fees and payments.
- Laboratory and diagnostic partners: for blood panels, DEXA, VO₂ max, and other testing.
- Wearable integrations: Garmin Health or similar, subject to your authorization.
- Communication tools: email, SMS, and secure messaging.
- Analytics: to understand website usage and improve our service.
Our third-party vendors are bound by Business Associate Agreements ("BAAs") where they handle PHI, and by data processing agreements for general personal information.
7. Your rights and choices
You have the following rights with respect to your personal information:
- Access: request a copy of the personal information we hold about you.
- Correction: request that we correct inaccurate information.
- Deletion: request deletion of information, subject to legal and medical record retention requirements.
- Opt-out of marketing: unsubscribe from marketing emails at any time via the link in each message.
- Wearable disconnection: revoke our authorization to receive wearable device data at any time.
Rights regarding PHI are governed by HIPAA and described in our HIPAA Notice of Privacy Practices.
To exercise any of these rights, contact us using the details in Section 14.
8. Data security
We implement administrative, physical, and technical safeguards designed to protect your information. This includes encryption of PHI in transit and at rest, access controls, and employee training. No method of transmission or storage is completely secure, and we cannot guarantee absolute security.
If you believe your account or information has been compromised, contact us immediately.
9. Data retention
We retain personal information for as long as necessary to provide our services and comply with legal obligations. Medical records are retained for the period required by applicable state and federal law (typically a minimum of seven years from the date of last service, and longer for minors). Other information is retained only as long as needed for the purposes described in this policy.
10. Cookies and tracking
Our website uses cookies and similar technologies to remember preferences, analyze usage, and improve performance. You can control cookies through your browser settings. Blocking certain cookies may affect site functionality.
We do not currently respond to "Do Not Track" browser signals. We will update this policy if our practices change.
11. Children's privacy
Forge's services are intended for adults aged 18 and older. We do not knowingly collect personal information from children under 18 through our website or services. If you believe a child has provided information to us, contact us and we will delete it.
12. California residents
If you are a California resident, you have additional rights under the California Consumer Privacy Act ("CCPA") and the California Privacy Rights Act ("CPRA"), including the right to know what personal information we collect, the right to delete, the right to correct, and the right to opt out of the "sale" or "sharing" of personal information. Forge does not sell personal information.
To exercise your California rights, contact us using the details in Section 14. We will not discriminate against you for exercising these rights.
13. Changes to this policy
We may update this Privacy Policy from time to time. The "Last updated" date at the top of this page reflects the most recent revision. Material changes will be communicated by email or a prominent notice on our website before they take effect.
14. Contact us
For questions about this policy or to exercise your rights, contact:
Forge Performance PC
13111 E Briarwood Ave, Suite 140
Centennial, CO 80112
[email protected]
(970) 688-1975
For HIPAA-related inquiries, contact our Privacy Officer: [email protected].