Comment by WA

8 days ago

Since we're talking about regulation here: Your site is accessible from the EU. You do not have a GDPR-compliant privacy policy (or one at all). The GDPR does apply to you if you allow Europeans to sign up.

The primary goal of your site is to store medical data. For this, you'd need a dedicated data protection officer (DPO). Article 37 1c applies to your case: https://gdpr.eu/article-37-designation-of-the-data-protectio...