This notice describes how medical information about you may be used and disclosed, and how you can get access to this information. Please review it carefully. This notice applies to Protected Health Information (PHI) collected and processed in connection with the Medical Track.
1. Roles and Responsibilities
The Medical Track is operated by an independent licensed medical services organization (the "Medical Entity") (MSO) that contracts with the prescribing physicians and a state-licensed 503A compounding pharmacy. The MSO, the medical group, and the pharmacy are independent third parties.
OS reboot is not a HIPAA covered entity. OS reboot operates the wellness program and the Wellpep platform, and to the extent it receives or processes Protected Health Information in the course of facilitating Medical Track intake or platform features, it does so under appropriate confidentiality and data protection obligations, including as a service provider or business associate where applicable under HIPAA.
The MSO and its affiliated medical group each maintain their own Notice of Privacy Practices, which apply to PHI in their custody. You will receive that Notice from the medical group as part of the Medical Track intake process.
2. What Information Is Covered
Protected Health Information (PHI) includes individually identifiable health information that relates to your past, present, or future physical or mental health; the provision of health care to you; or payment for health care. PHI collected through the Medical Track may include:
- Medical history, current conditions, allergies, and medications;
- Lab results you submit;
- Communications with the medical care team;
- Prescription and dispensing records;
- Demographic information used in connection with the above.
3. How PHI Is Used and Disclosed
The medical group and pharmacy may use and disclose your PHI without your specific authorization for the following purposes:
- Treatment — to evaluate your intake, write prescriptions, fulfill orders, and provide follow-up care.
- Payment — to obtain payment for services rendered.
- Health care operations — for quality improvement, care coordination, business management, and similar activities.
- Required by law — when disclosure is required by federal, state, or local law.
- Public health activities — including reporting adverse events to the FDA where applicable.
- Law enforcement — under limited circumstances permitted by law.
Other uses or disclosures (e.g., for marketing or research) require your written authorization, except where HIPAA specifically permits such uses without authorization.
4. Your Rights Regarding PHI
You have the right to:
- Inspect and copy your PHI held by the medical group or pharmacy;
- Request amendments to your PHI if you believe it is inaccurate or incomplete;
- Request an accounting of disclosures of your PHI made by the medical group or pharmacy;
- Request restrictions on certain uses and disclosures (the medical group is not always required to agree);
- Request confidential communications by alternative means or at alternative locations;
- Receive a paper copy of this Notice;
- File a complaint with the medical group, with OS reboot, or with the U.S. Department of Health and Human Services Office for Civil Rights without fear of retaliation.
To exercise these rights, contact the medical group directly using the channels provided during your intake, or contact OS reboot at privacy@osreboot.com and we will help route your request.
5. Our Privacy Obligations
OS reboot and its affiliated medical entities are committed to:
- Maintaining the privacy and security of your PHI;
- Providing you with this Notice and the medical group's separate Notice of Privacy Practices;
- Following the terms of these Notices currently in effect;
- Notifying you in the event of a breach of unsecured PHI affecting you;
- Using appropriate administrative, physical, and technical safeguards to protect PHI.
6. Breach Notification
In the event of a breach of unsecured PHI, you will be notified in accordance with the federal HIPAA Breach Notification Rule and any applicable state law. Notification will be provided without unreasonable delay and in any case no later than 60 days after discovery of the breach.
7. Authorization for Other Uses
Uses and disclosures of PHI not described in this Notice will be made only with your written authorization. You may revoke an authorization at any time in writing, except to the extent that we have already acted in reliance on it.
8. Marketing and Sale of PHI
We will not use or disclose your PHI for marketing purposes or sell your PHI without your written authorization, except as permitted by HIPAA (such as for face-to-face communications or promotional gifts of nominal value).
9. Psychotherapy Notes
The Medical Track does not provide mental health treatment or generate psychotherapy notes. If you have mental health concerns, please consult with an in-person provider.
10. Changes to This Notice
We may revise this Notice from time to time. Revised Notices will be effective for PHI we maintain at the time of the revision. The current version will always be available at this URL, and we will post a notice on the Site or send an email when material changes are made.
11. Complaints
If you believe your privacy rights have been violated, you may file a complaint with:
- OS reboot — email privacy@osreboot.com
- The medical group through the channels provided in your intake materials
- U.S. Department of Health and Human Services Office for Civil Rights — www.hhs.gov/ocr
No retaliatory action will be taken against you for filing a complaint.
12. Contact
For questions about this Notice or to exercise your rights:
OS reboot privacy contact: privacy@osreboot.com
For PHI in the custody of the medical group, contact the medical group directly using the channels provided during your intake.