HIPAA Notice

Notice of Privacy Practices

(HIPAA & Health Information Privacy)

Effective Date: December 7, 2025

This Notice describes how medical information about you may be used and disclosed, and how you can get access to this information. Please review it carefully.

1. Who We Are

This Notice applies to:

• VITL Healthcare (“we,” “us,” or “Company”) – an online platform that helps connect you with licensed healthcare providers and pharmacies.

• Partner Healthcare Providers and Pharmacies – the independent physicians and pharmacies who review your information, prescribe (if appropriate), and dispense medications.

We are not a pharmacy or medical practice. We facilitate the transmission of your information to licensed providers and pharmacies who are responsible for your diagnosis, treatment, and dispensing of medications.

Depending on our role and contracts, we may act as a Business Associate of these covered entities under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).

2. What Is Protected Health Information (PHI)?

“Protected Health Information” or PHI is information that:

• Identifies you or can reasonably be used to identify you; and

• Relates to your past, present, or future physical or mental health or condition, the provision of healthcare to you, or payment for that care.

Examples: your name, date of birth, contact details, medical history, medication requests, questionnaires, payment info tied to medical services, etc.

3. How We Use and Disclose Your PHI

When acting on behalf of our partner physicians and pharmacies, we may use and disclose your PHI as permitted or required by HIPAA, including:

a. Treatment

We may use and disclose your PHI to help provide, coordinate, or manage your medical care. For example:

• Sending your health questionnaire and order request to a licensed physician for review.

• Sharing necessary info with a partner pharmacy to dispense an approved prescription.

b. Payment

We may use and disclose your PHI to obtain payment for services provided by our partner providers or pharmacies, such as:

• Processing payments for consultations or prescriptions.

• Working with payment processors or billing services as needed.

c. Healthcare Operations

We may use and disclose PHI for healthcare operations, such as:

• Quality assessment and improvement activities.

• Customer service, training, auditing, and compliance monitoring.

• Managing our relationships with partner providers and pharmacies.

When possible, we use de-identified or limited data sets for analytics and internal reporting.

4. Other Uses and Disclosures Permitted or Required by Law

We may also use or disclose your PHI without your authorization in situations such as:

• As required by law – when we must share information with regulators, law enforcement, courts, or government agencies.

• Public health activities – reporting certain information to public health authorities (e.g., adverse events, product recalls).

• Health oversight activities – audits, inspections, or investigations by oversight agencies.

• Legal proceedings and law enforcement – in response to subpoenas, court orders, or lawful investigations.

• To prevent a serious threat – to your health or safety or the health or safety of another person or the public, consistent with applicable law.

• Business associates – with vendors who perform services for us (IT, hosting, billing, etc.) under contracts that require them to safeguard your PHI.

Where state law provides greater privacy protections than HIPAA, we will follow the more protective rule.

5. Uses and Disclosures Requiring Your Authorization

In all other situations not described in this Notice, we will ask for your written authorization before using or disclosing your PHI. This includes, for example:

• Most uses or disclosures of psychotherapy notes (if applicable).

• Most uses or disclosures of your PHI for marketing purposes that go beyond basic communications about your own treatment or benefits.

• Any sale of your PHI, as defined by HIPAA.

You may revoke your authorization at any time in writing, except to the extent that we or our partners have already relied on it.

6. Your Rights Regarding Your PHI

Under HIPAA (and, where applicable, state law), you have the following rights:

a. Right to Access

You have the right to inspect and obtain a copy of your PHI that our partner providers or we maintain in a designated record set, with certain limited exceptions.

• To request access, contact us at: [email protected] or 5900 Balcones Drive, STE 100, Austin, TX, 78731.

• We may charge a reasonable cost-based fee as permitted by law.

b. Right to Request an Amendment

If you believe your PHI is incomplete or inaccurate, you may request an amendment.

• We may deny your request in some cases (e.g., if the information is accurate or we did not create it), but we will tell you why in writing.

c. Right to an Accounting of Disclosures

You may request a list (“accounting”) of certain disclosures of your PHI made in the past six years, excluding those related to treatment, payment, healthcare operations, and certain other disclosures (for example, those you authorized).

d. Right to Request Restrictions

You may ask our partner providers or us to limit how your PHI is used or disclosed for treatment, payment, or healthcare operations.

• We are not required to agree to all requested restrictions, but if we do agree, we will comply except in emergencies or where the law requires disclosure.

e. Right to Request Confidential Communications

You may request that we communicate with you in a specific way (e.g., at a different email address, phone number, or mailing address).

We will accommodate reasonable requests.

f. Right to a Paper Copy of This Notice

You may request a paper copy of this Notice at any time, even if you have agreed to receive it electronically.

7. Our Responsibilities

We are required by law to:

• Maintain the privacy and security of your PHI.

• Provide you with this Notice of Privacy Practices.

• Follow the terms of the Notice currently in effect.

• Notify you following a breach of unsecured PHI, as required by law.

We may update this Notice from time to time. When we do, we will post the updated version on our website with a new “Effective Date.”

8. How We Work With Partner Physicians and Pharmacies

• Independent providers: The licensed physicians and pharmacies you interact with through our platform are independent of [Your Company Name]. They are responsible for their own HIPAA Notices of Privacy Practices and their own compliance.

• Information we share: We share your information with them only as needed to help them provide services, process prescriptions, and conduct payment and operations activities consistent with this Notice and with HIPAA.

• Questions about their policies: For questions about how a specific physician or pharmacy handles your PHI, you should review their own Notice of Privacy Practices or contact them directly.

9. How to Exercise Your Rights or Ask Questions

To exercise your rights or ask questions about this Notice or our privacy practices, please contact:

Privacy Officer
VITL Healthcare
5900 Balcones Drive
STE 100
Austin, TX, 78731
Email: [email protected]

10. How to File a Complaint

If you believe your privacy rights have been violated, you may file a complaint with:

• Us: Using the contact information above; and/or

• The U.S. Department of Health and Human Services, Office for Civil Rights (OCR).

We will not retaliate against you for filing a complaint.

11. Online & Website-Specific Privacy

In addition to HIPAA, our collection and use of personal information through this website (including non-medical information like cookies, IP addresses, and browser data) is described in our separate Website Privacy Policy. Please refer to that policy for more details on:

• Cookies and tracking technologies

• Analytics and advertising

• Non-health personal data we collect

When health information is combined with identifiers and used in connection with healthcare services, it is treated as PHI as described in this Notice.