It describes your rights regarding your Protected Health Information (PHI) and our legal obligations under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its implementing regulations.
1. Understanding Protected Health Information
"Protected Health Information" (PHI) is individually identifiable health information that relates to your past, present, or future physical or mental health condition; the provision of health care to you; or the past, present, or future payment for such care.
PHI includes information such as your name, date of birth, address, medical records, lab results, prescriptions, and any other information that could reasonably identify you in connection with your health care.
2. How We Use and Disclose Your PHI
HIPAA permits us to use and disclose your PHI without your specific written authorization for the following purposes:
2.1 Treatment
We use and disclose your PHI to provide, coordinate, and manage your healthcare. This includes sharing information with licensed providers who evaluate your clinical eligibility and issue prescriptions, as well as with 503A-certified compounding pharmacies that fulfill your medications.
2.2 Payment
We use and disclose your PHI to obtain payment for services rendered. This may include sharing information with payment processors, billing services, and — where applicable — insurance companies or health benefit administrators.
2.3 Healthcare Operations
We may use and disclose your PHI for internal healthcare operations, including quality assessment and improvement, staff training, compliance reviews, and other administrative functions necessary to operate our platform.
2.4 As Required by Law
We may disclose your PHI when required to do so by federal, state, or local law, including disclosures to public health authorities or law enforcement agencies, or pursuant to a valid court order or subpoena.
2.5 Public Health and Safety Activities
We may disclose PHI to public health authorities, the FDA, or other agencies for activities such as reporting adverse events, tracking product recalls, or preventing the spread of disease.
2.6 Business Associates
We share your PHI with trusted third-party service providers ("Business Associates") — such as IT vendors, analytics platforms, and secure messaging services — who assist us in providing healthcare services. All Business Associates are required to sign a Business Associate Agreement (BAA) and comply with HIPAA requirements.
2.7 Health Oversight Activities
We may disclose PHI to health oversight agencies for activities authorized by law, such as audits, investigations, and inspections.
2.8 Serious Threats to Health or Safety
We may disclose PHI when necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public.
3. Uses Requiring Your Authorization
The following uses and disclosures of PHI require your written authorization:
- Marketing communications that constitute marketing under HIPAA.
- Sale of PHI to third parties.
- Most uses and disclosures of psychotherapy notes.
- Any use or disclosure not described in this Notice.
You have the right to revoke your authorization at any time in writing, except to the extent that we have already taken action in reliance on it.
4. Your Rights Regarding Your PHI
You have the following rights with respect to your PHI:
4.1 Right to Access and Inspect
You have the right to inspect and obtain a copy of your PHI that we maintain in a designated record set. We will respond to your request within 30 days. We may charge a reasonable, cost-based fee for copies.
4.2 Right to Amend
If you believe that information in your record is inaccurate or incomplete, you may request an amendment. We may deny your request under certain circumstances; if we do, you have the right to submit a statement of disagreement.
4.3 Right to an Accounting of Disclosures
You have the right to receive a list of disclosures of your PHI made by us for purposes other than treatment, payment, or healthcare operations during the previous six years.
4.4 Right to Request Restrictions
You have the right to request restrictions on our use and disclosure of your PHI. We are not required to agree to all requested restrictions, but we will accommodate reasonable requests to the extent permitted by law.
4.5 Right to Request Confidential Communications
You have the right to request that we communicate with you about your PHI using a specific method or at a specific address. We will accommodate reasonable requests.
4.6 Right to a Paper Copy of This Notice
You have the right to receive a paper copy of this Notice upon request, even if you have agreed to receive it electronically.
4.7 Right to Be Notified of Breaches
You have the right to be notified in the event of a breach of your unsecured PHI, as required by HIPAA's Breach Notification Rule.
5. Our Duties
RX Health is required by law to:
- Maintain the privacy and security of your PHI.
- Provide you with this Notice of Privacy Practices.
- Abide by the terms of the Notice currently in effect.
- Notify you in the event of a breach of your unsecured PHI.
We reserve the right to change the terms of this Notice at any time, provided that such changes are permitted by law. Material changes will be posted on this page with a revised effective date. Changes will apply to PHI we already hold, as well as to PHI we receive in the future.
6. Minors
Our services are available to individuals 18 years of age and older. We do not knowingly collect or maintain PHI from minors. If we become aware that PHI of a minor has been submitted, we will delete it promptly.
7. Breach Notification
In the event of a breach of your unsecured PHI, we will notify you without unreasonable delay and no later than 60 days following discovery of the breach. Notice will be provided via email (or first-class mail if email is not available) and will include a description of the breach, the types of PHI involved, steps you can take to protect yourself, what we are doing to investigate and mitigate the breach, and contact information for questions.
8. How to File a Complaint
If you believe your privacy rights have been violated, you may file a complaint with us or with the U.S. Department of Health and Human Services (HHS) Office for Civil Rights:
- With us: Contact our Privacy Officer using the information below. We will not retaliate against you for filing a complaint.
- With HHS: Office for Civil Rights, U.S. Department of Health and Human Services, 200 Independence Avenue SW, Washington, D.C. 20201 | hhs.gov/ocr
9. Contact Our Privacy Officer
For questions, requests, or complaints related to this Notice or your PHI, contact:
- Organization: RX Health
- Role: Privacy Officer
- Contact Form: Submit a Request
We will respond to all PHI-related requests within 30 days, as required by HIPAA.