At Plume, protecting the privacy of our members is central to our mission. That’s why our policies and procedures ensure that sensitive health information remains private. Like the majority of healthcare organizations, both digital and traditional hospitals and clinics, we use digital marketing to raise awareness of our brand and services. But in doing so we follow all HIPAA guidelines, only leverage HIPAA-compliant platforms for data storage and communications, and never share private information about our Members that could jeopardize their privacy, health, or personal safety in any way.

What does it mean for Plume to be HIPAA compliant?

As a healthcare provider, Plume is required to follow the Health Insurance Portability and Accountability Act (HIPAA) which sets the standard for sensitive patient data protection. Companies that deal with protected health information (PHI) must have physical, network, and process security measures in place and follow them to ensure HIPAA Compliance. We take this responsibility very seriously, and train all staff on our HIPAA requirements. In the unfortunate event that a breach occurs, we follow federal guidelines including notifying all impacted parties with details as soon as possible.

How is my data stored?

At Plume, we ensure secure, HIPAA compliant data protocols. This means that we encrypt your information while it is at rest and in transit. You can read more about how we store and protect your data in our Privacy Policy.

When and where does Plume share patient information?

Plume utilizes a variety of HIPAA-compliant third-party platforms to deliver care including Spruce (our patient messaging platform), Elation (our medical record system), Healthie (our current financial management platform), Hint (our previous financial management platform), and Freshdesk (our support help desk). You can view their privacy policy with the links provided above.

Plume will also share patient information with your specified pharmacies and labs to support delivery of care. In these instances we will share information that could include: legal name, DOB, legal gender, current medication list, previously taken medications (if provided in intake), previous diagnoses (if provided in intake), family medical history (if provided in intake), previous surgery history (if provided in intake), any known drug allergies (if provided in intake), lab orders, lab results, provider notes, visit notes, BP, height, weight, address on file, phone number on file, and pharmacy locations on file.

Does Plume share or sell my information?

We never share or sell any user information without your consent. Plume will always ask your permission before sharing any information with a 3rd party partner. 

How can I have my information deleted?

We can delete some information related to your account, but state laws require health care providers retain patient medical records for a certain period of time – generally between 5 to 10 years. We will not be able to delete this information. So while we will be able to delete your information from our marketing and communications platforms, we are not able to delete your information from our medical platforms. If you are no longer a patient with Plume and would like to delete your information from our systems please email us at and we will help support the process through deleting some of your information.

Would Plume ever provide my name and information to a government-entity regarding my care? 

We understand that in this political and judicial environment, many of our members are concerned about government access to private health information. There are currently no government-led efforts to identify individuals seeking gender affirming hormone therapy, and Plume is not interested in providing this information. We never share or sell any user information without your consent and this extends to government entities. There are, however, unavoidable instances in which government entities currently receive your information as part of your care, such as:

  • Testosterone, as a prescribed controlled substance, is cataloged in state-based prescription drug monitoring programs. This information could be viewed by the Drug Enforcement Agency (DEA).

  • If you ever use Medicaid or Medicare to pay for services at Plume, these entities can also have access to your healthcare information as needed to fulfill coverage of services and/or medications.