HIPAA Policy

THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.

FancyMeds is committed to protecting the privacy of your health information. This Notice describes how we may use and disclose your protected health information (“PHI”), your rights regarding your PHI, and our legal duties under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and applicable state law. HIPAA requires covered health care providers to provide a notice explaining privacy practices and patient rights.

For purposes of this Notice, “FancyMeds,” “we,” “us,” and “our” mean FancyMeds, LLC, together with its workforce members and, where applicable, affiliated licensed medical providers and business associates acting on our behalf.

1. Our Responsibilities

We are required by law to:

• Maintain the privacy and security of your protected health information;
• Provide you with this Notice of our legal duties and privacy practices;
• Follow the terms of the Notice currently in effect; and
• Notify you if a breach occurs that may have compromised the privacy or security of your information.

We reserve the right to change this Notice and make the revised Notice apply to all PHI we maintain. The updated Notice will be posted on our website and made available upon request. HIPAA requires notices to be revised when there is a material change affecting privacy practices or individual rights.

2. What Information This Notice Covers

This Notice applies to “protected health information” or “PHI,” which generally means individually identifiable health information that we create, receive, maintain, or transmit in connection with the health care services we provide. HIPAA protects medical records and other individually identifiable health information held by covered entities and their business associates.

Examples of PHI may include:

• Your name, address, phone number, email address, and date of birth;
• Intake forms, medical history, symptoms, diagnoses, treatment plans, prescriptions, and lab results;
• Communications with providers or care coordinators;
• Payment and billing information related to your care; and
• Telehealth visit records and related documentation.

3. How We May Use and Disclose Your PHI Without Your Written Authorization

HIPAA allows us to use and disclose PHI for treatment, payment, and health care operations, and for certain other purposes permitted or required by law.

A. For Treatment

We may use and disclose your PHI to provide, coordinate, or manage your health care and related services.

Examples:

• Reviewing your intake, symptoms, and medical history;
• Communicating with licensed providers, pharmacies, laboratories, or other treatment participants;
• Coordinating prescriptions, refills, follow-up care, and telehealth services.

B. For Payment

We may use and disclose your PHI to bill and collect payment for services and products we provide.

Examples:

• Determining eligibility for services;
• Submitting charges;
• Collecting payment or resolving billing questions.

C. For Health Care Operations

We may use and disclose your PHI for our business and operational activities.

Examples:

• Quality assessment and improvement;
• Care coordination and patient support;
• Training, credentialing, licensing, and compliance activities;
• Audits, legal services, and fraud prevention;
• Business planning and administrative management.

D. Appointment Reminders, Treatment Alternatives, and Health-Related Services

We may contact you with appointment reminders, follow-up communications, refill reminders, care coordination messages, or information about treatment alternatives or health-related products or services that may be relevant to your care, as permitted by law.

E. Individuals Involved in Your Care or Payment for Your Care

We may disclose PHI to a family member, personal representative, caregiver, or another person involved in your care or payment for your care when appropriate, if you agree, if you do not object when given the opportunity, or if we reasonably infer from the circumstances that you do not object.

F. Business Associates

We may disclose PHI to third parties that perform services for us and require access to PHI to do so, such as technology vendors, telehealth platform providers, pharmacies, laboratories, billing vendors, legal counsel, cloud storage providers, and consultants. HIPAA requires covered entities to contractually limit business associates’ uses and disclosures of PHI.

G. As Required by Law

We may use or disclose your PHI when required to do so by federal, state, or local law.

H. Public Health and Safety

We may disclose PHI for public health activities and certain safety-related purposes, including:

• Reporting adverse events or product problems;
• Reporting disease, injury, or disability;
• Preventing or lessening a serious and imminent threat to health or safety when permitted by law.

I. Health Oversight Activities

We may disclose PHI to health oversight agencies for activities authorized by law, such as audits, investigations, inspections, licensure, and regulatory oversight.

J. Judicial and Administrative Proceedings

We may disclose PHI in response to a court order, subpoena, discovery request, or other lawful process when permitted by law.

K. Law Enforcement

We may disclose PHI to law enforcement officials for certain law enforcement purposes permitted by law.

L. Coroners, Medical Examiners, Funeral Directors, and Organ Donation

We may disclose PHI as permitted for decedents, organ donation, and related purposes.

M. Workers’ Compensation

We may disclose PHI as authorized by workers’ compensation laws and similar programs.

N. Research

We may use or disclose PHI for research only when permitted by law, including with your authorization when required, or with an institutional review board or privacy board waiver, or in limited circumstances involving de-identified or limited data sets.

O. Specialized Government Functions

We may disclose PHI for certain military, national security, correctional institution, or protective services functions when permitted by law.

4. Uses and Disclosures Requiring Your Written Authorization

For uses and disclosures not described in this Notice, we will obtain your written authorization when required by law. In most cases, you may revoke an authorization in writing at any time, except to the extent we have already relied on it.

We will obtain your authorization when required for:

• Most uses and disclosures of psychotherapy notes, if any;
• Most uses and disclosures of PHI for marketing purposes, where required by law; and
• Disclosures that constitute a sale of PHI, where prohibited without authorization under HIPAA.

5. Additional Protections for Certain Sensitive Information

Certain categories of information may receive additional protection under federal or state law, depending on the information and the jurisdiction, including information related to substance use disorder treatment records, reproductive health care, HIV/AIDS, sexually transmitted infections, mental health, or genetic information.

HHS updated model notices in 2026 to reflect the 2024 Part 2 Final Rule and related HIPAA Privacy Rule changes, and HHS also finalized additional protections for certain reproductive health information in 2025. If these laws apply, we will comply with the stricter standard.

6. Your Rights Regarding Your PHI

HIPAA gives individuals important rights regarding their PHI, and notices must explain those rights.

A. Right to Get a Copy of Your Records

You have the right to inspect and obtain a copy of PHI we maintain about you in a designated record set, with certain limited exceptions. You may request an electronic or paper copy. HIPAA requires access in the form and format requested if readily producible.

To request access, contact us using the contact information below. We may charge a reasonable, cost-based fee as permitted by law.

B. Right to Request an Amendment

If you believe information we maintain about you is incorrect or incomplete, you may request that we amend it. We may deny your request in certain circumstances, but we will explain the reason in writing.

C. Right to Request Confidential Communications

You have the right to ask us to contact you in a specific way or at a specific location. For example, you may ask that we contact you only by email, through a secure portal, or at a different mailing address. We will accommodate reasonable requests when required by law.

D. Right to Request Restrictions

You have the right to request restrictions on certain uses or disclosures of your PHI. We are not required to agree to most requested restrictions, but if we do agree, we will comply except in emergencies.

If you pay for a service or item out of pocket in full, you may request that we not disclose related PHI to your health plan for payment or health care operations, and we will honor that request when required by HIPAA unless disclosure is otherwise required by law.

E. Right to an Accounting of Disclosures

You have the right to request an accounting of certain disclosures of your PHI made by us during the six years prior to your request, excluding disclosures for treatment, payment, health care operations, and certain other exceptions.

F. Right to Receive a Copy of This Notice

You have the right to receive a paper copy of this Notice at any time, even if you agreed to receive it electronically.

G. Right to Choose a Personal Representative

You may authorize someone to act for you with respect to your PHI, subject to our ability to verify that person’s authority under applicable law.

H. Right to Be Notified of a Breach

You have the right to be notified following a breach of unsecured PHI when notification is required by law.

7. Telehealth, Electronic Communications, and Patient Portal

FancyMeds may provide services through telehealth, secure messaging, patient portals, text messaging, email, or similar remote communication technologies. HHS has specific guidance addressing privacy and security risks in telehealth communications.

When using telehealth or electronic communications:

• We take reasonable steps to protect your information;
• You should use private, secure devices and networks when possible;
• Standard email or SMS may not always be fully secure unless specifically designated secure;
• You are responsible for providing current contact information and notifying us if your preferred communication method changes.

If you consent to receive communications by text or email, those communications may include appointment reminders, order updates, refill reminders, or limited care-related information, subject to applicable law and your communication preferences.

8. Online Tracking, Analytics, and Website Tools

If FancyMeds uses online tracking technologies on pages where PHI may be collected or inferred, HIPAA obligations may apply. HHS has specifically warned covered entities and business associates about privacy and security risks related to online tracking technologies.

Accordingly:

• We seek to limit the use of tracking technologies in patient-facing health contexts;
• Vendors that handle PHI on our behalf must be appropriately contracted where required;
• Non-health website data practices, cookies, and analytics may also be described in our separate Website Privacy Policy.

9. State Law

Where state privacy laws provide greater protection or greater patient rights than HIPAA, we will follow the more protective law.

10. Complaints

If you believe your privacy rights have been violated, you may file a complaint with FancyMeds and/or with the U.S. Department of Health and Human Services, Office for Civil Rights. Filing a complaint will not affect the quality of care you receive and we will not retaliate against you for filing a complaint. HIPAA notices must inform individuals how to complain.

To file a complaint with FancyMeds, contact:

FancyMeds Privacy Officer

FancyMeds Privacy Department

Mailing Address: 710 Lakeway Dr # 200, Sunnyvale, CA 94085

Email: [email protected]

You may also file a complaint with the U.S. Department of Health and Human Services, Office for Civil Rights.

11. Contact Information

If you have questions about this Notice or wish to exercise your privacy rights, contact:

FancyMeds Privacy Officer

FancyMeds Privacy Department

Mailing Address: 710 Lakeway Dr # 200, Sunnyvale, CA 94085

Email: [email protected]

12. Effective Date and Changes to This Notice

This Notice is effective as of the date listed above. We may change this Notice from time to time. Any revised Notice will apply to all PHI we maintain and will be posted on our website and made available upon request.