HIPAA Notice of Privacy Practices

Effective Date: February 27, 2026  |  Last Updated: February 27, 2026

THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.

Who This Notice Applies To

This Notice of Privacy Practices ("Notice") describes the privacy practices of 1stRX and the independent licensed healthcare providers who treat you through our platform (collectively, "we," "us," or "our"). It applies to all protected health information ("PHI") we create, receive, maintain, or transmit about you in connection with your care.

We are required by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its implementing regulations (45 CFR Parts 160 and 164) to maintain the privacy of your PHI, to provide you with this Notice, and to abide by the terms of this Notice currently in effect.

What Is Protected Health Information (PHI)?

PHI is information about you — including demographic information — that may identify you and that relates to your past, present, or future physical or mental health condition, the provision of healthcare to you, or the payment for that care.

How We May Use and Disclose Your PHI

Treatment: We may use and disclose your PHI to provide, coordinate, or manage your healthcare. For example, we share your health information with the licensed Provider conducting your consultation and with the compounding pharmacy fulfilling your prescription.

Payment: We may use and disclose your PHI to process payment for services, verify insurance (if applicable), or facilitate billing between providers and payers.

Healthcare Operations: We may use and disclose your PHI for internal operations including quality assessment, training, compliance audits, and business management activities.

As Required by Law: We will disclose your PHI when required by federal, state, or local law, including reporting to public health authorities, responding to court orders, or cooperating with law enforcement investigations.

Business Associates: We may share your PHI with our "Business Associates" — vendors and partners who provide services on our behalf (e.g., cloud storage, billing). We require all Business Associates to protect your PHI under a written agreement.

Other Permitted Uses: Additional permitted uses and disclosures under HIPAA include: public health activities, health oversight activities, research (with appropriate safeguards), averting serious threats to health or safety, and organ/tissue donation.

Uses and Disclosures That Require Your Authorization

Other than as described above, we will not use or disclose your PHI without your written authorization. Uses and disclosures requiring authorization include:

You may revoke your authorization at any time in writing, except to the extent we have already acted in reliance on it.

Your Rights Regarding Your PHI

Your Right  |  Description
Access  |  You have the right to inspect and obtain a copy of your PHI in our records. We may charge a reasonable fee for copies.
Amendment  |  You may request that we amend PHI you believe is inaccurate or incomplete. We may deny your request if we did not create the information or if the information is accurate and complete.
Accounting of Disclosures  |  You may request a list of certain disclosures we have made of your PHI over the past six years (excluding disclosures for treatment, payment, operations, or those you authorized).
Restriction  |  You may request restrictions on certain uses and disclosures of your PHI. We are not required to agree, but if we do, we are bound by that agreement (with exceptions for emergencies).
Confidential Communications  |  You may request that we communicate with you in a specific way or at a specific location (e.g., only via email, not postal mail).
Copy of This Notice  |  You may request a paper copy of this Notice at any time, even if you agreed to receive it electronically.

To exercise any of the above rights, please submit a written request to our Privacy Officer at privacy@1strx.com.

How We Protect Your PHI

We maintain administrative, technical, and physical safeguards to protect the privacy and security of your PHI, including encrypted transmission, access controls, and regular security assessments. Our staff are trained on HIPAA privacy and security requirements.

Breach Notification

If there is a breach of your unsecured PHI, we are required by law to notify you. We will send notification without unreasonable delay and in no case later than 60 days after discovery of the breach, as required by the HITECH Act and applicable regulations.

Changes to This Notice

We reserve the right to change this Notice and to make the revised Notice effective for PHI we already hold about you, as well as any new PHI we receive after the effective date. We will post the updated Notice on our website and make it available upon request.

Complaints

If you believe your privacy rights have been violated, you may:

We will not retaliate against you for filing a complaint.

Contact Our Privacy Officer