HIPAA Notice of Privacy Practices

Effective: pending company formation · Last drafted: May 7, 2026

THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.

Purpose of this Notice

This Notice describes how Vektor Health may use and disclose your Protected Health Information (PHI) and your rights regarding that information. We are required by the federal Health Insurance Portability and Accountability Act (HIPAA) to maintain the privacy of PHI, provide this Notice of our legal duties and privacy practices, and follow the terms of the Notice currently in effect.

Important scope note. This Notice applies to PHI created or maintained by Vektor Health in the course of providing clinical care. The marketing site at vektor.health does not collect PHI; activity on the website is governed by our separate Privacy Policy.

What is Protected Health Information?

PHI is information about you that may identify you and that relates to: (a) your past, present, or future physical or mental health or condition; (b) the provision of healthcare to you; or (c) the past, present, or future payment for healthcare services provided to you.

Examples include your name and contact information when paired with health data, your medical history, lab results, prescription records, and notes from your video visits.

How we may use and disclose your PHI

Without your written authorization

We may use and disclose your PHI without your written authorization for the following purposes:

  • Treatment. To provide, coordinate, and manage your healthcare. Example: your physician shares your lab results with our pharmacy partner so the right medication and dose are dispensed.
  • Payment. To bill and collect payment for services. Example: processing your monthly membership fee through Stripe.
  • Healthcare operations. To run our practice — quality reviews, training, credentialing, licensing, audits, and similar internal functions.
  • Business associates. We share PHI with vendors who support our clinical operations (e.g., the telehealth platform, the compounding pharmacy, the laboratory). Each vendor is bound by a HIPAA Business Associate Agreement (BAA) requiring the same level of protection.
  • Required by law. When disclosure is mandated by federal, state, or local law (e.g., controlled-substance prescription monitoring program reporting, mandatory abuse reporting, public health reporting).
  • Public health and safety. To prevent or control disease, report adverse drug events to the FDA, or address serious threats to health or safety.
  • Health oversight activities. For audits, investigations, inspections, and licensure activities authorized by law.
  • Judicial and administrative proceedings. In response to a court order, subpoena, or other lawful process, with appropriate notice and protective conditions where required.
  • Law enforcement. Where required or permitted by law, including responding to a court order or warrant, identifying a suspect, or in cases of suspected crime on our premises or against our personnel.
  • Research. Only with Institutional Review Board (IRB) approval and appropriate privacy safeguards. We will not share PHI for research without IRB oversight.
  • Specialized government functions. For military, national security, or correctional purposes, where applicable.
  • Workers' compensation. As authorized by state workers' compensation laws.
  • To you. Disclosure of your own PHI to you upon request.
  • To family or friends involved in your care, only if you have agreed or do not object, and only the minimum necessary.

With your written authorization

For any use or disclosure not described above — including most uses and disclosures of psychotherapy notes, marketing communications, and any sale of PHI — we will obtain your written authorization before sharing. You may revoke an authorization at any time in writing.

Your rights regarding your PHI

You have the following rights with respect to PHI we maintain about you. To exercise any of these rights, submit a written request to our Privacy Officer (contact below).

  • Right to inspect and copy. You may request access to or a copy of your medical and billing records. We will respond within 30 days. We may charge a reasonable cost-based fee for copies. We may deny your request in limited circumstances permitted by law (e.g., where access would endanger you).
  • Right to request amendment. If you believe PHI we have about you is incorrect or incomplete, you may request that we correct it. We will respond within 60 days. We may deny your request in limited circumstances; you may file a written statement of disagreement.
  • Right to an accounting of disclosures. You may request a list of certain disclosures of your PHI we have made in the past six years (excluding disclosures for treatment, payment, healthcare operations, or those you authorized).
  • Right to request restrictions. You may request that we restrict the way we use or disclose your PHI. We are not required to agree to all requests, but we will agree to restrict disclosure to a health plan when you have paid out-of-pocket in full for the related service (HIPAA Omnibus Rule).
  • Right to confidential communications. You may ask us to communicate with you in a specific way or at a specific location (e.g., only by encrypted email, only at your mobile phone). We will accommodate reasonable requests.
  • Right to a paper copy of this Notice. Even if you have agreed to receive this Notice electronically, you may request a paper copy at any time.
  • Right to be notified of a breach. We are required to notify you in writing if there is a breach of unsecured PHI affecting you, in accordance with the HIPAA Breach Notification Rule (45 CFR § 164.400 et seq.).
  • Right to opt out of marketing communications and any sale of your PHI. We do not sell PHI.

Our duties

We are required by law to:

  • Maintain the privacy and security of your PHI
  • Provide this Notice of our legal duties and privacy practices with respect to PHI we collect and maintain about you
  • Follow the terms of the Notice currently in effect
  • Notify you in writing if a breach of unsecured PHI affects you

We reserve the right to change the terms of this Notice. Any revised Notice will apply to PHI we already have about you and to PHI we receive in the future. The current Notice will always be posted on this page; the “Effective” date at the top reflects when the most recent version took effect.

Complaints

If you believe your privacy rights have been violated, you may file a complaint with us or with the U.S. Department of Health and Human Services. We will not retaliate against you for filing a complaint.

To file a complaint with us

Contact our Privacy Officer (placeholder pending entity formation):

  • Email: hello@vektor.health
  • Mail: Privacy Officer, [Vektor Health PC, NY entity], [Street Address], [City, State, ZIP]

To file a complaint with HHS

U.S. Department of Health and Human Services, Office for Civil Rights: hhs.gov/ocr. You may also call 1-800-368-1019.

Minimum necessary standard

When we use, disclose, or request PHI for purposes other than treatment, we limit the information to the minimum necessary to accomplish the intended purpose, in accordance with the HIPAA Minimum Necessary Standard.

More-protective state laws

Where state law provides greater protection than HIPAA — for example, New York's requirements for disclosure of HIV status, mental health records, or substance-use treatment — we will follow the more-protective state law. This Notice does not waive any state-law right you may have.

Psychotherapy notes

Most uses and disclosures of psychotherapy notes (notes recorded by a mental-health professional documenting the contents of a counseling session) require your written authorization, except for limited circumstances permitted by HIPAA (e.g., the originating provider's own treatment, training, defense in legal proceedings, oversight of the originator).

Marketing communications and sale of PHI

We will not use or disclose your PHI for marketing purposes without your written authorization, except in narrow circumstances permitted by HIPAA (e.g., face-to-face communication, a promotional gift of nominal value).

We do not sell your PHI under any circumstances. If we ever needed to do so, we would obtain your written authorization first, as required by HIPAA.

Fundraising

We do not currently engage in fundraising activities. If we begin fundraising in the future, we will notify you and provide a clear opt-out method on each fundraising communication, in accordance with HIPAA.

How long we keep your PHI

We retain medical records for the period required by applicable state law — typically six to ten years from the date of the last patient encounter for adult records, longer for minors. After the retention period, records are securely destroyed.

Questions about this Notice

  • Email: hello@vektor.health
  • Privacy Officer: placeholder pending entity formation; reach the office above
  • Mailing address (placeholder): [Vektor Health PC, NY entity], [Street Address], [City, State, ZIP]

You acknowledge receipt of this Notice when you sign your patient intake forms at the time of your first clinical visit. By using our services, you confirm that this Notice is part of the relationship between you and Vektor Health.