VeriPath — HIPAA Notice of Privacy Practices

For legal review: Whether a formal HIPAA Notice of Privacy Practices is legally required depends on whether VeriPath is a HIPAA “covered entity,” a “business associate,” or neither. VeriPath provides information and software tools and is not a healthcare provider, health plan, or clearinghouse. Counsel should confirm VeriPath’s status and tailor this Notice accordingly. This draft is written so members understand how their health information is handled regardless of that classification.

1. Our Commitment to Your Privacy

VeriPath understands that information about your health and your healthcare is personal, and we are committed to protecting it. When you use the Services, you may share health-related information with us — for example, medical bills, explanations of benefits, prescriptions, the services or procedures you are researching, and related account information (together, “Health Information”). This Notice explains how we may use and disclose your Health Information, the steps we take to protect it, and the rights you have regarding it.

2. Information This Notice Covers

This Notice applies to the Health Information you provide to or generate through the VeriPath website and mobile applications. It works together with our Privacy Policy, which describes our broader data practices, and our Terms of Service. Where this Notice and the Privacy Policy address the same topic, the more protective provision applies to your Health Information.

3. How We Use and Disclose Your Health Information

We use and disclose your Health Information only as needed to provide the Services to you, to operate responsibly, and as permitted or required by law. Specifically, we may use and disclose your Health Information:

To provide the Services. To estimate costs, compare providers, generate the VeriPath Score, review bills for potential errors, source prescriptions, and help you identify financial-assistance or pre-authorization options at your request.
At your direction. To share information with a provider, pharmacy, insurer, assistance program, or other party when you ask us to do so.
With service providers. To trusted vendors who perform functions on our behalf (such as hosting, payment processing, and analytics) under contracts that require them to protect your Health Information and use it only for those functions.
For our operations. To maintain, secure, troubleshoot, and improve the Services, and to communicate with you about your account.
As required by law. To comply with applicable laws, regulations, legal process, or governmental requests, and to protect the safety, rights, or property of members, the public, or VeriPath.

We do not sell your Health Information. We will obtain your written authorization before using or disclosing your Health Information for marketing that requires authorization, or for any purpose not described in this Notice or our Privacy Policy. You may revoke an authorization in writing at any time, which will stop future uses and disclosures made in reliance on it.

4. Your Rights Regarding Your Health Information

You have the following rights with respect to the Health Information we maintain about you:

Access and copies. You may request access to and a copy of your Health Information.
Amendment. You may request that we correct Health Information you believe is inaccurate or incomplete.
Restrictions. You may request limits on how we use or disclose your Health Information. We will consider all requests but are not always required to agree.
Confidential communications. You may ask us to communicate with you in a specific way or at a specific location.
Accounting of disclosures. You may request a list of certain disclosures we have made of your Health Information.
Deletion. You may request that we delete your Health Information, subject to legal and operational limits.
Paper or electronic copy of this Notice. You may request a copy of this Notice at any time, even if you agreed to receive it electronically.
Notification of a breach. You have the right to be notified if there is a breach of your unsecured Health Information.

To exercise any of these rights, contact us using the information in Section 8. We may need to verify your identity before acting on your request.

5. How We Protect Your Health Information

We maintain administrative, technical, and physical safeguards designed to protect your Health Information against unauthorized access, use, or disclosure, including encryption in transit and access controls. No system is perfectly secure, and we cannot guarantee absolute security, but we work to protect your information and to limit access to those who need it to provide the Services.

6. Our Duties

We are required to maintain the privacy of your Health Information, to provide you with this Notice of our legal duties and privacy practices, to follow the terms of the Notice currently in effect, and to notify you following a breach of unsecured Health Information as required by law.

7. Changes to This Notice

We may change this Notice and make the new terms effective for all Health Information we maintain. If we make a material change, we will post the updated Notice with a new effective date in the Services and, where appropriate, notify you. The current Notice will always be available on our website and within the app.

8. Complaints and Contact

If you have questions about this Notice or believe your privacy rights have been violated, please contact us first so we can address your concern:

VeriPath Privacy Officer
TNS Brokerage Services, LLC
Hahira, GA 31632
memberservices@veripath.health

You may also file a complaint with the U.S. Department of Health and Human Services, Office for Civil Rights. Information about filing a complaint is available at hhs.gov/ocr [confirm current filing address and process with counsel]. We will not retaliate against you for filing a complaint.