FULFILLRX HIPAA Notice of Privacy Practices

Effective Date: November 11th, 2022
In connection with your use of FULFILLRX’s pharmacy services, website, mobile application, products, and other technology platforms (collectively, the “Services”), you may provide us with health information and other identifiable information. This health information, paired with your identifiable information, is known as “protected health information” or “PHI”. Under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), FULFILLRX is required to provide you with this Notice of Privacy Practices (this “Notice”) that describes how we may use and share your PHI for treatment, payment, or other purposes, and how you can access your PHI that we collect. Please review this Notice carefully.
This Notice is effective with respect to you on or after, depending on when you use or access the Services, the Effective Date.
1. What are FULFILLRX’s responsibilities under HIPAA?
We’ve specific responsibilities under HIPAA with respect to your PHI, which include:
  • Maintaining the privacy and security of your PHI;
  • Following the duties and privacy practices described in this Notice;
  • Only using or sharing your PHI as described in this Notice unless you tell us in writing that we can use or share it in some other way; and
  • Promptly letting you know if an incident occurs that may have compromised the privacy or security of your PHI.
2. How do we typically use or share your protected health information?
We may use or share your PHI for the following reasons:
  • For Treatment. PHI may be used and shared in connection with your treatment and to provide you with treatment-related health care services. For example, we may disclose PHI to doctors, nurses, pharmacists, technicians, or other personnel who need the information to provide you with medical care.
  • For Payment. PHI may be used and shared so that we or others may bill and receive payment from you, an insurance company, or a third party for the treatment and services you received.
  • For Health Care Operations. PHI may be used and shared in connection with our health care operations so we can operate and manage our business and ensure that our customers receive the best possible care. We may share PHI with other entities that have a relationship with you, such as your health plan, for their own health care operation activities.
  • Reminders, Treatment Alternatives, and Health-Related Benefits and Services. PHI may be used to contact you to remind you that you have a prescription with us. We also may use and share PHI to tell you about treatment alternatives or health-related benefits and services that may be relevant to you.
  • Individuals Involved in Your Care or Payment for Your Care. When appropriate, we may share PHI with a person who’s involved in your medical care or payment for your care, such as your family or a close friend. If you prefer that we not share PHI in this way, please let us know. However, we’re still permitted to share PHI to these individuals even if you tell us otherwise if we determine that sharing PHI is in your best interest based on our professional judgment.
  • Business Associates. We may share PHI with our business associates that perform functions on our behalf or provide us with services if sharing that information is necessary for such functions or services. All of our business associates are obligated to protect the privacy of PHI and aren’t allowed to use or disclose any PHI other than as specified in a written agreement with each business associate.
3. How else can we use or share your protected health information?
We may be permitted or required to share your PHI in other ways (although we may have to meet certain conditions first) – usually these ways contribute to the public good, such as public health, research, and safety. Specifically, we may use or share your PHI for the following purposes:
  • Public Health and Safety Issues. PHI may be used and shared in connection with public health and safety issues such as helping with product recalls, preventing the spread of disease, reporting adverse reactions to medications, reporting suspected abuse or neglect, or preventing or reducing a serious threat to anyone’s health or safety.
  • Research. PHI may be used and shared for research purposes. For example, a research project may involve comparing the health of patients who received one medication to those who received another for the same condition.
  • Health Oversight Activities. PHI may be used and shared with a health oversight agency for oversight activities such as audits, investigations, inspections, and licensure.
  • Data Breach Notification Purposes. PHI may be used and shared to provide legally required notices of unauthorized access to or disclosure of PHI.
  • As Required by Law and Law Enforcement. PHI may be shared if state or federal laws require it to be shared in a given circumstance. For example, we may release PHI to a law enforcement agency if we’re required to respond to a court order or similar process. We may also share PHI in relation to criminal conduct, such as if criminal conduct occurred on our premises.
  • Lawsuits and Disputes. If you’re involved in a lawsuit or a dispute, we may be required to share PHI in response to a court or administrative order, subpoena, discovery request, or other lawful process by someone else involved in the dispute. To the extent not prohibited by law, we’ll first attempt to tell you about the order or request so you can decide whether to obtain an order protecting the information requested.
  • Workers’ Compensation. We may share PHI for workers’ compensation or similar programs. These programs provide benefits for work-related injuries or illness.
  • Organ or Tissue Donation. If you’re an organ donor, we may share PHI with organizations that handle organ procurement or other entities engaged in procurement, banking or transportation of organs, eyes or tissues to facilitate organ, eye or tissue donation and transplantation.
  • Coroners, Medical Examiners, and Funeral Directors. We may share PHI with a coroner, medical examiner, or funeral directors as necessary for their duties.
  • Specialized Government Functions. We may share PHI with departments or units of the government with special functions, such as the U.S. military or the U.S. Department of State, for intelligence, counterintelligence, and other national security activities authorized by law.
  • Inmates or Individuals in Custody. If you’re an inmate of a correctional institution or under the custody of a law enforcement official, we may share PHI with the correctional institution or law enforcement official.
4. Is your written permission required to use and share your protected health information?
We’re not required to obtain your written permission to use or share your PHI for the purposes outlined in Sections 2 and 3 of this Notice. In all other circumstances, we can only use or share your PHI with your written permission. For example, your written permission is required for the following purposes:
  • Marketing. We must obtain your written permission prior to using PHI for marketing purposes as defined in HIPAA. This does not apply to face-to-face communication about products or services that may be of benefit to you, or about prescriptions you have already been prescribed.
  • Sale of PHI. We do not sell PHI and under no circumstances will we sell your PHI without your written permission.
  • Psychotherapy Notes. To the extent we receive them from your provider, we will not use or share psychotherapy notes about you without your permission except to defend ourselves in a legal action or other proceeding brought by you.
5. Please note that you’re not required to provide your permission and you may later revoke your permission at any time by sending a written revocation to our Privacy Officer at the email or mailing address written under Section 6.
5. What are your rights under HIPAA?
HIPAA grants you the following rights with respect to your PHI collected by us:
  • Right to Inspect and Copy. You may ask to see or get an electronic or paper copy of your medical record and other PHI we’ve about you. We’ll provide a copy or a summary of your PHI within 30 days of your request. We may charge a reasonable, cost-based processing fee for these requests.
  • Right to Correct. You may ask us to correct your PHI that you think is incorrect or incomplete. We may say “no” to your request, but we’ll tell you why in writing within 60 days.
  • Right to Confidential Communications. You can ask us to contact you in a specific way (for example, home or office phone) or to send mail to a different address.
  • Right to Request Additional Restrictions. You may ask us not to use or share your PHI for treatment, payment, or our operations, with certain individuals (such as a family member or close personal friend) involved with your care or with payment related to your care, or in order to notify other individuals about your location and general condition. While we’ll consider all requests for additional restrictions carefully, we’re not required to agree to your request, and we may decline if it would affect your care. If you pay for a service out-of-pocket in full, you can ask us not to share that information for the purpose of payment or our operations with your health insurer.
  • Right to a List of Disclosures. You may ask for a list of the times we’ve shared your PHI in the previous six years, who we shared it with, and why. We’ll include all the disclosures except for those about treatment, payment, and health care operations, and certain other disclosures (such as any that you gave us permission to make). We’ll provide one list a year for free but may charge a reasonable, cost-based fee if you ask for another one within 12 months.
  • Right to Paper Copy of this Notice. You can ask for a paper copy of this notice at any time, even if you have agreed to receive the notice electronically.
6. What else do you need to know?
Changes to this Notice. We may change this Notice at any time. However, we’ll give you prior notice of any major changes by placing a notice on the Services, by sending you an email, or by some other manner, and we’ll let you know when the modified Notice will become effective.
Privacy Officer. If you would like further information about your privacy rights, want to make a specific request as detailed in this Notice, are concerned that we’ve violated your privacy rights, or disagree with a decision that we made about access to your PHI, you may contact our Privacy Officer at [email protected] or 151 N 8th Street, Lincoln, Nebraska, 68508 (Attention: Privacy Officer and Legal Department).
Complaints. If you believe your privacy rights have been violated, you may file a complaint with the U.S. Department of Health and Human Services Office for Civil Rights by sending a letter to 200 Independence Avenue, S.W., Washington, D.C. 20201, calling 1-877-696-6775, or visiting www.hhs.gov/ocr/privacy/hipaa/complaints. We will not retaliate against you for filing a complaint.