HIPAA Compliance

Notice of Privacy Practices

Effective Date: March 1, 2026 · Last Updated: March 9, 2026

THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.

This Notice of Privacy Practices (“Notice”) is provided pursuant to the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as amended by the Health Information Technology for Economic and Clinical Health Act (HITECH Act), and their implementing regulations at 45 CFR Parts 160 and 164.

1. About This Notice

ADONIS Health is required by law to maintain the privacy of your Protected Health Information (PHI), to provide you with this Notice of our legal duties and privacy practices, and to follow the terms of this Notice currently in effect. “Protected Health Information” (PHI) means individually identifiable health information that is created, received, maintained, or transmitted by ADONIS Health, including demographic data, medical histories, lab results, treatment plans, prescriptions, clinical notes, and billing information.

2. How We May Use and Disclose Your PHI

Uses and Disclosures That Do Not Require Your Authorization

We may use and disclose your PHI without your written authorization for the following purposes:

Treatment

We may use your PHI to provide, coordinate, and manage your healthcare. This includes sharing information with your prescribing physician, consulting specialists, pharmacies (including licensed 503A compounding pharmacies and FDA-registered 503B outsourcing facilities), CLIA-certified laboratories, and other providers involved in your care. Peptides are sourced exclusively through 503A compounding pharmacies; other compounded medications may be fulfilled through either 503A or 503B pharmacies. For example, your provider may share your lab results with a consulting endocrinologist, or we may send your prescription to a compounding pharmacy.

Payment

We may use and disclose your PHI to bill and collect payment for the services provided to you. This may include providing information to payment processors, billing services, or your health plan for reimbursement purposes if applicable.

Healthcare Operations

We may use and disclose your PHI for our internal operations, including quality improvement, clinical audits, staff training, compliance monitoring, licensing, and business management activities necessary to run our practice.

Other Permitted Uses Without Authorization

  • As Required by Law: When disclosure is mandated by federal, state, or local law
  • Public Health Activities: To public health authorities for preventing or controlling disease, injury, or disability; reporting births, deaths, and suspected abuse or neglect; and FDA-regulated activities
  • Health Oversight: To government agencies authorized to oversee healthcare systems, including audits, investigations, inspections, and licensure activities
  • Judicial and Administrative Proceedings: In response to a court order, subpoena, or other lawful process
  • Law Enforcement: Under specific circumstances as permitted by law, such as in response to a court order, warrant, or to report certain types of wounds or injuries
  • Coroners and Funeral Directors: To identify a deceased person, determine cause of death, or carry out their duties as authorized by law
  • Research: For research purposes when approved by an Institutional Review Board (IRB) or privacy board, or when the information has been de-identified
  • Serious Threats: To prevent or lessen a serious and imminent threat to a person's health or safety, or the health or safety of the public
  • Workers' Compensation: As authorized by and necessary to comply with workers' compensation laws
  • Military and Veterans: If you are a member of the Armed Forces, as required by military command authorities

Uses and Disclosures That Require Your Written Authorization

Except as described above, we will not use or disclose your PHI without your written authorization. Specifically, we will obtain your written authorization before:

  • Using your PHI for marketing purposes (other than face-to-face communications or promotional gifts of nominal value)
  • Selling your PHI
  • Using or disclosing psychotherapy notes, if applicable
  • Any other use or disclosure not described in this Notice

You may revoke any authorization in writing at any time by contacting our Privacy Officer. Revocation will not affect any actions we took in reliance on your authorization before we received your revocation.

3. Your Rights Regarding Your PHI

You have the following rights with respect to your Protected Health Information:

Right to Inspect and Copy (45 CFR § 164.524)

You have the right to inspect and obtain a copy of your PHI contained in a designated record set (medical and billing records used to make decisions about your care). We will provide the requested information within 30 days of your written request. If we need additional time, we may extend the response period by up to 30 additional days with written notice. We may charge a reasonable, cost-based fee for copies. You may request your records in electronic format, and we will provide them in the format you request if readily producible.

Right to Amend (45 CFR § 164.526)

You have the right to request an amendment to your PHI if you believe it is inaccurate or incomplete. Your request must be in writing and include the reason for the amendment. We may deny your request if the PHI: was not created by us; is not part of the designated record set; is not available for inspection (e.g., it is subject to an exception); or is already accurate and complete. If we deny your request, we will provide you with a written explanation.

Right to an Accounting of Disclosures (45 CFR § 164.528)

You have the right to receive a list of certain disclosures we have made of your PHI. This accounting will not include disclosures made for treatment, payment, or healthcare operations, or disclosures made with your authorization. The accounting will cover up to six (6) years prior to your request. The first accounting in any 12-month period will be provided free of charge; a reasonable fee may apply for additional requests within the same period.

Right to Request Restrictions (45 CFR § 164.522(a))

You have the right to request restrictions on certain uses and disclosures of your PHI for treatment, payment, or healthcare operations. We are not required to agree to your request, except in one case: if you (or someone on your behalf) pay for a service entirely out of pocket (in full, not submitted to a health plan), you have the right to request that we not disclose PHI related to that service to your health plan for payment or healthcare operations purposes, and we must honor that request unless the disclosure is otherwise required by law.

Right to Confidential Communications (45 CFR § 164.522(b))

You have the right to request that we communicate with you about your health information in a specific way or at a specific location. For example, you may ask that we only contact you by email at a specific address, or that we send correspondence to a particular mailing address. We will accommodate all reasonable requests.

Right to a Paper Copy of This Notice

You have the right to obtain a paper copy of this Notice of Privacy Practices at any time, even if you have previously agreed to receive it electronically. Contact our Privacy Officer to request a paper copy.

Right to Be Notified of a Breach

You have the right to be notified in the event that we discover a breach of your unsecured PHI, as described in Section 5 of this Notice.

4. Our Duties

  • We are required by law to maintain the privacy and security of your PHI
  • We are required to provide you with this Notice of our legal duties and privacy practices
  • We are required to abide by the terms of this Notice currently in effect
  • We will notify you if a breach occurs that may have compromised the privacy or security of your PHI
  • We will not use or disclose your PHI for marketing or fundraising purposes, or sell your PHI, without your explicit written authorization
  • We apply the minimum necessary standard when using or disclosing your PHI, limiting access to only the information needed to accomplish the intended purpose

5. Breach Notification

In the event of a breach of your unsecured PHI, we will comply with the HIPAA Breach Notification Rule (45 CFR §§ 164.400–414):

  • We will notify you without unreasonable delay, and in no case later than 60 calendar days following discovery of the breach
  • Notification will be sent by first-class mail to your last known address, or by email if you have agreed to electronic notice
  • The notice will describe: the nature of the breach; the types of PHI involved; steps you should take to protect yourself; what we are doing to investigate and mitigate harm; and how to contact us for more information
  • If a breach affects 500 or more individuals, we will also notify the U.S. Department of Health and Human Services (HHS) without unreasonable delay and no later than 60 calendar days after discovery; if a breach involves more than 500 residents of a state or jurisdiction, we will also notify prominent media outlets serving that state or jurisdiction. Breaches affecting fewer than 500 individuals are logged and reported to HHS annually
  • If we have insufficient or out-of-date contact information for you, we will provide substitute notice. Where this applies to 10 or more affected individuals, the substitute notice will be a conspicuous posting on the home page of our website for at least 90 days (or notice in major print or broadcast media), together with a toll-free number, active for at least 90 days, that you can call to find out whether your PHI was involved

6. Security Safeguards

We implement the following safeguards to protect your PHI as required by the HIPAA Security Rule:

Administrative Safeguards

  • Designated Privacy Officer and Security Officer responsible for developing and implementing privacy and security policies
  • Workforce training on HIPAA privacy and security upon hire and annually thereafter
  • Sanctions policy for workforce members who violate privacy or security policies
  • Regular risk assessments to identify and mitigate vulnerabilities
  • Business Associate Agreements (BAAs) with all third-party service providers who access PHI
  • Incident response and breach notification procedures

Technical Safeguards

  • AES-256 encryption for all ePHI at rest
  • TLS 1.2+ encryption for all ePHI in transit
  • Unique user identification and role-based access controls (RBAC)
  • Automatic session timeout and account lockout after failed login attempts
  • Comprehensive audit logging of all access to ePHI, including user identity, timestamp, and action performed
  • Multi-factor authentication for provider and administrative accounts

Physical Safeguards

  • Cloud infrastructure hosted in data centers that hold a current SOC 2 Type II attestation report covering physical access controls (SOC 2 is an independent auditor's attestation, not a certification)
  • Workstation use policies for all workforce members
  • Device and media controls for hardware and electronic media containing ePHI

7. Business Associates

We engage third-party service providers (“Business Associates”) who create, receive, maintain, or transmit PHI on our behalf. Each Business Associate is required to sign a Business Associate Agreement (BAA) that obligates them to:

  • Implement appropriate safeguards to prevent unauthorized use or disclosure of PHI
  • Report any security incidents or breaches to ADONIS Health
  • Ensure that their subcontractors who access PHI agree to the same restrictions
  • Make PHI available for patient access and amendment requests
  • Return or destroy PHI upon termination of the agreement

Categories of Business Associates include: cloud hosting providers, payment processors, compounding pharmacies (503A and 503B), laboratory partners, telehealth video platforms, communication services, and IT security vendors.

8. Minimum Necessary Standard

When using or disclosing your PHI, or when requesting PHI from another entity, we make reasonable efforts to limit the information to the minimum amount necessary to accomplish the intended purpose. This standard does not apply to disclosures for treatment purposes, disclosures to you about your own PHI, disclosures authorized by you, disclosures required by law, or disclosures to HHS for compliance investigations.

9. Data Retention

We retain medical records and PHI in accordance with applicable state and federal retention requirements. Medical records are retained for a minimum of six (6) to ten (10) years from the date of the last patient encounter, or longer as required by the law of the state in which you were treated. HIPAA requires that we retain documentation of our privacy and security policies and procedures for at least six (6) years from the date of creation or the date last in effect, whichever is later.

10. Changes to This Notice

We reserve the right to change this Notice at any time and to make the revised Notice effective for all PHI we already maintain, as well as any PHI we create or receive in the future. When we make a material change to this Notice, we will post the revised Notice on our website and make it available at your next visit or upon request. The revised Notice will include the new effective date.

11. Filing a Complaint

If you believe your privacy rights have been violated or that we have not followed the terms of this Notice, you have the right to file a complaint. We will not retaliate against you for filing a complaint.

You may file a complaint with:

ADONIS Health — Privacy Officer

Email: privacy@adonis.health

Website: adonis.health/contact

U.S. Department of Health and Human Services

Office for Civil Rights

200 Independence Avenue, S.W.

Washington, D.C. 20201

Toll-Free: 1-800-368-1019

TDD: 1-800-537-7697

Website: hhs.gov/ocr/complaints