How We Handle Your Personal Information
state-medical-board.org/ takes data protection seriously. This page sets out what we collect from you as a visitor, why, and the rights you have under federal and state privacy laws.
What’s on this page
- Who we are
- Scope of this policy
- FCRA โ we are not a CRA
- HIPAA โ we are not a covered entity
- NPDB โ we are not the Data Bank
- Information we collect
- Physician records โ held by boards
- How we collect it
- Why we collect it
- Who we share with
- “Sale” and “sharing”
- Cookies and analytics
- Retention
- State privacy rights
- How to exercise rights
- Children โ COPPA
- Security
- International visitors
- Changes to this policy
1. Who We Are
state-medical-board.org/ is an independent informational directory that publishes practical guidance for verifying physician licenses, filing complaints, and accessing state medical board procedures across all 50 U.S. states, the District of Columbia, and U.S. territories. We are the business and the controller for the personal information described on this page.
For any privacy-related question, contact us at info@state-medical-board.org with the subject line “Privacy request” and we will respond within the time limits set out below.
2. Scope of This Policy โ Important
This privacy policy covers personal information about you, the visitor to state-medical-board.org/. It does not cover the physician records held by U.S. state medical boards, the Federation of State Medical Boards (FSMB), DocInfo.org, the National Practitioner Data Bank (NPDB), the HHS Office of Inspector General (OIG), the Drug Enforcement Administration (DEA), CMS, or any state public-health agency. Those records are governed by the holding agency's own statutory framework (state Medical Practice Acts, the federal Health Care Quality Improvement Act for NPDB, the Privacy Act of 1974 for federal records, state public-records / sunshine laws). state-medical-board.org/ does not host, mirror, or republish those records. Concerns about a specific licensing record, disciplinary action, or NPDB report must be raised with the holding agency directly.
3. FCRA โ state-medical-board.org/ Is NOT a Consumer Reporting Agency
state-medical-board.org/ is not a consumer reporting agency as that term is defined in the federal Fair Credit Reporting Act (FCRA), 15 U.S.C. ยง 1681 et seq. Information accessed through public-record portals we link to may not lawfully be used to make decisions about employment, tenant or housing screening, credit eligibility, insurance underwriting, or any other “permissible purpose” under 15 U.S.C. ยง 1681b. For those purposes, you must use a licensed FCRA-compliant consumer reporting agency. Misuse may expose you to civil liability under federal law.
4. HIPAA โ We Are Not a Covered Entity or Business Associate
state-medical-board.org/ is not a "covered entity" (health plan, healthcare clearinghouse, or healthcare provider transmitting electronic transactions) or a "business associate" under the Health Insurance Portability and Accountability Act (HIPAA), 45 C.F.R. Parts 160 and 164. Because we do not provide healthcare and do not handle protected health information (PHI) on behalf of a covered entity, HIPAA's Privacy Rule and Security Rule do not apply to information collected from visitors to this site. Please do not send us PHI โ patient identifiers, clinical details, diagnostic information, mental-health information, or other health data โ through our contact channels. If you need to discuss specific patient care, contact your physician, the hospital’s Patient Safety Officer, or the state medical board directly through their secure channel.
5. NPDB โ We Are Not the National Practitioner Data Bank
The National Practitioner Data Bank (NPDB) is a federal data bank operated by the Health Resources & Services Administration (HRSA) under the Health Care Quality Improvement Act of 1986. NPDB collects mandatory reports of medical malpractice payments, adverse licensure actions, adverse clinical-privileges actions, exclusions from federal healthcare programs, and certain other adverse actions involving physicians. Access to NPDB is restricted by federal regulation to authorised entities (state licensing boards, hospitals, other healthcare entities, certain federal agencies, and the practitioner's own self-query). state-medical-board.org/ does not have access to NPDB, does not query NPDB on your behalf, and is not a substitute for an NPDB query in any credentialing process. To learn about NPDB or initiate a self-query, go to npdb.hrsa.gov directly.
6. The Personal Information We Collect About You
| Category | Examples | Source |
|---|---|---|
| Identifiers | Email address, name (if provided), IP address | You ยท Your browser, automatically |
| Contact content | The content of messages you send us | You โ when you email us or use a contact form |
| Internet/network activity | Pages visited, time on page, click paths, referring URL | Cookies and analytics, when you consent |
| Device and technical data | Browser, device type, OS, approximate location from IP (e.g., to suggest your nearest state board page) | Your browser, automatically |
| Inferences | Aggregate inferences about which content is most useful | Derived from analytics, where consented |
| Advertising identifiers | Identifiers used to limit ad frequency and measure ad performance | Third-party advertising networks, when you consent |
We do not collect Sensitive Personal Information โ no Social Security numbers, government identification numbers, financial accounts, precise geolocation, racial or ethnic origin, religious beliefs, union membership, contents of mail/email/text, genetic data, biometric data, sex-life or sexual-orientation data, or specific health information about you. We do not ask for it and you should not send it through our contact channel.
We do not collect or retain physician identifiers, license numbers, NPI numbers, NPDB report content, or disciplinary action details from visitors as part of analytics. Those interactions happen between you and the state board, FSMB DocInfo, NPDB, or the federal agency directly โ we don’t see or log them.
7. Physician Records โ Held by Government Bodies, Not by Us
If you have a question about a specific physician license record, disciplinary action, NPDB report, OIG exclusion, DEA registration, or NPI assignment, the record is held by the originating state medical board, HRSA-NPDB, HHS-OIG, DEA, or CMS. state-medical-board.org/ does not have access to those records and does not maintain a parallel database. To request access or correction, contact the holding agency directly. State Medical Practice Acts and the federal Health Care Quality Improvement Act and Privacy Act of 1974 set out the applicable procedures.
8. How We Collect Personal Information
- Directly from you โ when you email us, complete a contact form, or set cookie preferences
- Automatically โ when you visit the site, your browser sends standard technical information so the page can load
- From third-party services we use โ analytics and advertising providers, but only after you have given consent through our cookie banner
9. Business Purposes for Collection and Use
- Providing the website and its content
- Responding to questions, corrections, and feedback
- Securing the site and protecting against abuse, fraud, and unauthorised access
- Auditing interactions and measuring site performance (analytics, where consented)
- Supporting display advertising that funds the site (where consented)
- Complying with legal obligations and responding to lawful requests
We do not use personal information for automated decision-making with legal or similarly significant effects, and do not engage in profiling within the meaning of state privacy laws.
11. “Sale” and “Sharing” of Personal Information
We do not sell personal information for money. However, under CCPA/CPRA the term “sale” is broad, and use of certain advertising cookies may meet the CCPA/CPRA definition of “sharing for cross-context behavioural advertising.” Where that applies, you have the right to opt out โ see Section 14 for state-by-state procedures.
The site honours the Global Privacy Control (GPC) signal as a valid opt-out of “sale” and “sharing” under CCPA/CPRA, the Colorado Privacy Act, the Connecticut Data Privacy Act, and similar laws that recognise universal opt-out mechanisms.
12. Cookies, Analytics, and Advertising
For full detail โ including the cookies used, third-party services, and how to manage them โ see our Cookie Policy. Key controls: the cookie banner, the “Cookie settings” link in the footer, browser-level controls, and industry opt-outs (NAI, DAA).
13. How Long We Keep Personal Information
| Category | Retention |
|---|---|
| Email correspondence and contact-form messages | Up to 24 months from last contact, then deleted unless an active matter requires longer retention |
| Server access logs (IP addresses, request data) | Up to 90 days, then aggregated or deleted |
| Analytics data | Aggregated; identifiable data retained no longer than 14 months |
| Cookie consent records | 12 months from when you set your preference |
| Backups | Rotating backups deleted on a 30โ90 day cycle |
14. U.S. State Privacy Rights
state-medical-board.org/ is accessible from across the U.S. Visitors from states with comprehensive privacy laws have rights under those laws:
| State | Law |
|---|---|
| California | CCPA / CPRA โ access, delete, correct, opt out of sale/sharing, limit use of sensitive PI |
| Texas | Texas Data Privacy and Security Act (TDPSA) |
| Florida | Florida Digital Bill of Rights (FDBR) |
| Virginia | Virginia Consumer Data Protection Act (VCDPA) |
| Colorado | Colorado Privacy Act (CPA) โ recognises Universal Opt-Out Mechanisms |
| Connecticut | Connecticut Data Privacy Act (CTDPA) |
| Utah, Oregon, Montana, Iowa, Indiana, Tennessee, NJ, NH, KY, MN, MD, RI, DE | Comprehensive state privacy laws (effective dates vary) |
Right to access
Confirm processing and access your personal data.
Right to correct
Correct inaccuracies in your personal data.
Right to delete
Delete personal data we hold, subject to legal exceptions.
Right to portability
Obtain a copy in a portable, technically feasible format.
Right to opt out
Opt out of targeted advertising, sale, and decision-making profiling.
Right to non-discrimination
You will not be denied service or charged more for exercising these rights.
15. How to Exercise Your Rights
For all privacy requests, email info@state-medical-board.org with subject line “[State] privacy request.” Include enough information for us to identify the data you’re asking about. We may need to verify your identity before responding โ most commonly by confirming you control the email address that submitted the request. We respond within the period required by the applicable law (typically 45 days, with possible extensions).
16. Children โ COPPA Compliance
This site is not directed at children under 13 and we do not knowingly collect personal information from children under 13. We comply with the federal Children’s Online Privacy Protection Act (COPPA), 15 U.S.C. ยงยง6501โ6506, and its implementing regulations at 16 C.F.R. Part 312. If we learn we have collected personal information from a child under 13 without verifiable parental consent, we will delete it promptly.
17. Security
We apply technical and organisational measures appropriate to the risk: encryption of data in transit (HTTPS across the site), access controls on administrative tools, regular software updates, secure authentication for our editorial team, and contractual security commitments from vendors. If we become aware of a breach involving your personal information, we will notify you and applicable authorities consistent with state breach-notification laws.
18. International Visitors (GDPR / UK GDPR)
The site is operated for a U.S. audience but is accessible globally. EU and UK visitors have rights under the EU GDPR and UK GDPR โ access, rectification, erasure, restriction, portability, and objection. UK residents may complain to the Information Commissioner’s Office at ico.org.uk.
19. Changes to This Policy
We update this policy when our practices change or when state privacy laws change. The “Last reviewed” date at the top reflects the current version. Substantive changes will be flagged on the homepage banner for at least 30 days. This policy is read alongside our Cookie Policy, Terms of Service, and Disclaimer.
Questions About Your Personal Information?
Email us. We respond to general privacy questions within seven business days, and to formal state-law requests within the deadline set by the applicable law.
๐ง info@state-medical-board.org