HIPAA Notice of Privacy Practices
Your rights regarding protected health information at Strong Health
Our HIPAA Commitment
Strong Health is committed to protecting the privacy and security of your health information. As a healthcare provider that delivers physician-supervised testosterone replacement therapy, peptide therapy, lab testing, and related medical services, we are required by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its implementing regulations to:
- Maintain the privacy of your Protected Health Information (PHI)
- Provide you with this Notice describing our privacy practices
- Follow the terms of this Notice currently in effect
- Notify you in the event of a breach of your unsecured PHI
This Notice of Privacy Practices describes how medical information about you may be used and disclosed by Strong Health, and how you can access this information. Please review it carefully.
Protected Health Information
Protected Health Information (PHI) is individually identifiable health information that is created, received, maintained, or transmitted by Strong Health in connection with the provision of healthcare services. PHI includes, but is not limited to:
- Medical records and clinical notes from physician consultations and examinations
- Laboratory test results, including hormone panels, comprehensive metabolic panels, CBC, PSA, and all biomarkers tested as part of your treatment
- Treatment plans, prescriptions, and medication records related to testosterone replacement therapy, peptide therapy, and other prescribed treatments
- Billing records and insurance information associated with your healthcare services
- Demographic information such as name, address, date of birth, and Social Security number when linked to health information
- Communications between you and your physician, including telehealth session records
Uses & Disclosures of PHI
Strong Health may use and disclose your PHI without your written authorization for the following purposes:
Treatment
We may use and share your PHI to provide, coordinate, and manage your healthcare. This includes sharing information with physicians involved in your care, sending prescriptions to pharmacies, transmitting lab orders and results to CLIA-certified laboratories, and consulting with specialists when clinically appropriate.
Payment
We may use and disclose your PHI to obtain payment for services provided to you. This includes billing activities, claims processing, insurance verification, and collections. If you pay out of pocket in full, you have the right to restrict disclosures to your health plan for that specific service.
Healthcare Operations
We may use your PHI for activities necessary to operate our clinic and ensure quality care. This includes quality assessment and improvement, physician credentialing, staff training, compliance audits, business planning, and customer service.
Disclosures That Do Not Require Authorization
Federal and state laws permit or require us to disclose your PHI without authorization in certain circumstances, including:
- As required by law, including court orders and subpoenas
- Public health activities and reporting
- Health oversight activities and government audits
- To avert a serious threat to the health or safety of a person or the public
- Workers' compensation as required by law
- To coroners, medical examiners, and funeral directors as required
Disclosures That Require Your Authorization
For uses and disclosures not described above, we will obtain your written authorization before using or disclosing your PHI. This includes marketing communications, sale of PHI, and most uses of psychotherapy notes. You may revoke your authorization at any time in writing, except to the extent that we have already acted on the previous authorization.
Your HIPAA Rights
Under HIPAA, you have the following rights with respect to your Protected Health Information:
- Right to access: You have the right to inspect and obtain a copy of your medical records and other PHI maintained by Strong Health. We will provide your records in the format you request if readily producible, or in a mutually agreed-upon alternative format. We may charge a reasonable, cost-based fee for copies.
- Right to request amendment: If you believe your PHI is inaccurate or incomplete, you may request an amendment to your records. We will respond within 60 days. We may deny the request if the information was not created by us, is not part of the records used to make decisions about you, or is already accurate and complete.
- Right to an accounting of disclosures: You have the right to receive a list of certain disclosures we have made of your PHI during the six years prior to your request. This accounting does not include disclosures made for treatment, payment, or healthcare operations.
- Right to request restrictions: You may request that we restrict how we use or disclose your PHI for treatment, payment, or healthcare operations. While we are not required to agree to most restrictions, we must comply with your request to restrict disclosures to a health plan for services you paid for entirely out of pocket.
- Right to confidential communications: You may request that we communicate with you about your health information by alternative means or at an alternative location. For example, you may ask that we contact you only at a specific phone number or send correspondence to a particular address.
- Right to a paper copy of this notice: You have the right to obtain a paper copy of this Notice of Privacy Practices at any time, even if you previously agreed to receive it electronically.
- Right to file a complaint: If you believe your privacy rights have been violated, you have the right to file a complaint with Strong Health or with the U.S. Department of Health and Human Services. See the Filing a Complaint section below.
Our Responsibilities
Strong Health is required by law to:
- Maintain the privacy and security of your PHI using appropriate administrative, physical, and technical safeguards
- Provide you with this Notice of our legal duties and privacy practices regarding your health information
- Follow the terms of this Notice currently in effect
- Notify you without unreasonable delay, and in no case later than 60 days after discovery, if a breach occurs that may have compromised the privacy or security of your unsecured PHI, in accordance with the HIPAA Breach Notification Rule
- Ensure that all workforce members receive appropriate training on HIPAA privacy and security requirements
- Designate a Privacy Officer responsible for overseeing compliance with HIPAA and this Notice
We reserve the right to change the terms of this Notice and to make new provisions effective for all PHI that we maintain. If we make material changes, we will post the revised Notice on our website and make it available at our clinic.
Business Associates
Strong Health works with certain third-party vendors and service providers (known as "Business Associates" under HIPAA) who may have access to your PHI in the course of performing services on our behalf. These include:
- CLIA-certified laboratory partners that process your lab work
- Electronic health record (EHR) and practice management system vendors
- Billing and payment processing companies
- IT service providers who maintain and support our technology infrastructure
- Telehealth platform providers used for virtual follow-up appointments
Each Business Associate is required to sign a Business Associate Agreement (BAA) that obligates them to safeguard your PHI in accordance with HIPAA requirements. Business Associates are prohibited from using or disclosing your PHI for any purpose other than the services they perform for Strong Health.
Minimum Necessary Standard
Strong Health adheres to the HIPAA Minimum Necessary Standard, which requires that we make reasonable efforts to limit the use, disclosure, and requests for PHI to the minimum amount necessary to accomplish the intended purpose. This means:
- Staff members have access only to the PHI they need to perform their specific job functions
- When we disclose PHI to Business Associates or other parties, we share only the information relevant to the specific purpose of the disclosure
- Our role-based access controls ensure that each team member's access to patient records is limited to what is necessary for their role
The Minimum Necessary Standard does not apply to disclosures made for treatment purposes, disclosures made to you, disclosures made pursuant to your authorization, or disclosures required by law.
Electronic PHI Security
Strong Health implements comprehensive technical safeguards to protect electronic Protected Health Information (ePHI) in accordance with the HIPAA Security Rule. Our security measures include:
- Encryption: All ePHI is encrypted in transit using TLS and encrypted at rest using AES-256 encryption
- Access controls: Unique user identification, automatic logoff, multi-factor authentication, and role-based permissions for all systems containing ePHI
- Audit controls: Comprehensive audit trails that record all access to, and activity within, systems containing ePHI, allowing us to monitor for unauthorized access or suspicious activity
- Secure messaging: Patient communications containing PHI are transmitted through encrypted, HIPAA-compliant messaging platforms
- Backup and disaster recovery: Regular encrypted backups of all ePHI with tested disaster recovery procedures to ensure data availability and integrity
- Risk assessments: Periodic security risk assessments to identify vulnerabilities and implement appropriate remediation measures
Filing a Complaint
If you believe that your privacy rights have been violated or that Strong Health has not followed the practices described in this Notice, you have the right to file a complaint. You will not be penalized, retaliated against, or otherwise disadvantaged for filing a complaint.
File a Complaint with Strong Health
You may file a complaint directly with our Privacy Officer by contacting:
- Email: privacy@stronghealth.com
- Mail: Privacy Officer, Strong Health, 1000 Brickell Plaza, Miami, FL 33131
- Phone: (305) 555-7876
File a Complaint with the U.S. Department of Health and Human Services
You may also file a complaint with the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services. Complaints must be filed in writing within 180 days of the date you knew or should have known about the alleged violation:
- Online: HHS Office for Civil Rights Complaint Portal
- Mail: Office for Civil Rights, U.S. Department of Health and Human Services, 200 Independence Avenue SW, Washington, DC 20201
- Phone: 1-800-368-1019 (TDD: 1-800-537-7697)
Privacy Officer Contact
For questions about this Notice, to exercise any of your HIPAA rights, or to file a privacy complaint, please contact our designated Privacy Officer:
- Mail: Privacy Officer, Strong Health, 1000 Brickell Plaza, Miami, FL 33131
- Email: privacy@stronghealth.com
- Phone: (305) 555-7876
For more information about how we handle your personal data beyond HIPAA requirements, please review our Privacy Policy.