Notice of Privacy Practices.

We are required by law to protect your health information.

WellMensRX and its affiliated medical group and compounding pharmacy partners are "covered entities" under HIPAA. That means we are legally required to maintain the privacy of your protected health information (PHI), give you this notice of our legal duties and privacy practices, and follow the terms of the notice that is currently in effect.

PHI is any information about your health, healthcare, or payment for healthcare that can identify you. It includes your intake answers, medical history, diagnosis, prescription records, communications with your care team, and anything else a provider documents about you.

How we use your information for treatment, payment, and operations.

HIPAA permits us to use and disclose your PHI without a separate authorization for the following purposes. These three are collectively called "TPO."

Treatment

We share your intake and medical history with the reviewing physician, your care team, and the compounding pharmacy so they can evaluate your case, write a prescription, and prepare your medication. If a consulting specialist is needed, we may share with them.

Payment

We use your PHI to bill you and process payments. If you ever submit an insurance claim (we currently do not bill insurance, but if that changes), we may share PHI with your insurer for eligibility, coverage, and payment.

Healthcare operations

We use PHI to operate our platform — quality improvement, provider credentialing, audits, training, accreditation, legal compliance, and managing our relationship with the compounding pharmacy.

Other disclosures we can make without your authorization.

• Required by law: court orders, subpoenas, public health reporting, child or elder abuse reporting.
• Public health activities: FDA adverse event reporting, disease prevention, product recall coordination.
• Health oversight: audits, investigations, inspections by regulators (e.g., state pharmacy boards, HHS).
• Judicial and administrative proceedings: in response to a valid court order, subpoena, or discovery request with notice.
• Law enforcement: in limited, specific circumstances (e.g., identifying a suspect, reporting a crime on the premises).
• Coroners, medical examiners, funeral directors: to identify a decedent or carry out their duties.
• Serious threat to health or safety: to prevent or lessen an imminent and serious threat.
• Military, national security, incarceration: in the narrow cases HIPAA permits.
• Workers' compensation: if your case involves a work-related injury.

Disclosures we will never make without your written authorization.

• Marketing using PHI: if we ever wanted to use your clinical information for marketing, we would need your express HIPAA authorization. We currently do not — our marketing uses only non-PHI identifiers (email address, website interaction data) and never references your intake, diagnosis, or prescription.
• Sale of PHI: we never sell your PHI. HIPAA prohibits it without explicit authorization, and it is not our business model.
• Psychotherapy notes: require separate authorization (not applicable to our current service).
• Any other disclosure not covered by TPO or the "other permitted uses" list above.

You can revoke any authorization you give us, in writing, at any time. Revocation does not affect disclosures already made in reliance on the authorization.

Your rights regarding your protected health information.

• Right to inspect and copy: request a copy of your medical record. We respond within 30 days (extensible once by 30 days with notice). Electronic copy in common format available.
• Right to amend: request we correct information you believe is incorrect or incomplete. We may deny if we did not create the record or the record is accurate.
• Right to an accounting of disclosures: get a list of disclosures we made of your PHI in the past six years, except those for TPO.
• Right to request restrictions: ask us not to use or disclose PHI for TPO, or to not disclose to a specific person. We are not required to agree, except we must honor a request to restrict disclosure to a health plan for services you paid for in full out-of-pocket.
• Right to confidential communications: ask us to contact you in a specific way (alternate phone, alternate email, alternate mailing address). We will accommodate reasonable requests.
• Right to a paper copy of this notice: even if you received it electronically.
• Right to be notified of a breach: we must notify you within 60 days of discovery of any breach of unsecured PHI (see HITECH section below).
• Right to choose someone to act for you: your personal representative, someone with medical power of attorney, or the parent/guardian of a minor can exercise your rights.

To exercise any of these rights, email our Privacy Officer at privacy@wellmensrx.com with the specific right you are invoking. Include enough detail for us to locate your record.

If your information is ever compromised.

The HITECH Act requires we notify you within 60 days of discovering a breach of unsecured PHI. Notification includes what happened, what information was involved, what steps you should take, what we are doing to investigate and mitigate, and how to contact us for more information. For breaches affecting 500 or more individuals, we also notify the U.S. Department of Health and Human Services and, where required, the media.

We maintain documented incident response, forensic investigation, and notification procedures. Breach response is overseen by our Privacy Officer.

Business Associate Agreements.

When we work with third parties who touch your PHI — our compounding pharmacy, our electronic health record vendor, our secure messaging provider, our cloud infrastructure vendor, our fax/shipping partners — each one is bound by a Business Associate Agreement (BAA) that contractually requires HIPAA-compliant safeguards, breach notification, and use only for the permitted purpose.

Marketing vendors (email service providers, advertising platforms like Meta and Google, analytics) receive only non-PHI data — hashed email addresses and non-health interaction data. They are not Business Associates and do not receive PHI.

State health privacy laws that supplement HIPAA.

Some states give you stronger protections than HIPAA. Where state law is more protective, we follow the state law.

• California: Confidentiality of Medical Information Act (CMIA), Medical Information Act, and CCPA/CPRA for non-PHI personal information.
• Texas: Texas Medical Records Privacy Act (TMRPA), which applies broader than HIPAA.
• New York: SHIELD Act for data security; mental health and genetic information protected separately.
• Washington: My Health My Data Act — consumer health data protections beyond HIPAA.
• Virginia, Colorado, Connecticut, Utah: state consumer privacy laws covering health-adjacent data.

To exercise rights that go beyond HIPAA (for example, California CCPA rights for non-PHI personal information), see our Your Privacy Choices page.

What we promise under HIPAA.

• Maintain the privacy of your PHI.
• Provide this notice of our legal duties and privacy practices.
• Follow the terms of the notice currently in effect.
• Train our workforce on HIPAA compliance.
• Require Business Associates to handle PHI per HIPAA.
• Notify you following a breach of unsecured PHI.
• Not retaliate against you for filing a complaint or exercising any right.

How to file a complaint.

If you believe your privacy rights have been violated, you can file a complaint with us or directly with the U.S. Department of Health and Human Services. You will not be retaliated against for filing a complaint.

If we revise this notice.

We reserve the right to change this notice and to make the revised notice effective for all PHI we already have about you as well as any information we receive in the future. We will post the revised notice on this page with an updated effective date. If you have an active account, we will also email you when material changes take effect.

Privacy Officer.

Quick reference: this Notice of Privacy Practices is the HIPAA-required document. For broader non-HIPAA privacy information, see our Privacy Policy. For CCPA/state-law opt-outs, see Your Privacy Choices.