Privacy Policy & HIPAA Notice of Privacy Practices

1. Information We Collect

Revive Low T Clinic collects information necessary to provide high-quality, HIPAA-compliant men's health care. We collect:

Personal & Contact Information

• Full name, date of birth, address, phone number, and email address
• Emergency contact information
• Preferred pharmacy name and location

Health & Medical Information

• Medical history, current symptoms, and prior diagnoses
• Laboratory test results (hormone panels, CBC, CMP, lipids, PSA, and other analytes)
• Medications, supplements, and allergy information
• Treatment protocols and clinical notes from physician visits
• Physical examination findings

Insurance & Payment Information

• Health insurance carrier, plan name, member ID, and group number (for pharmacy billing)
• Payment method and billing address
• FSA/HSA account information (when provided)

Website & Usage Data

• IP address, browser type, device type, and operating system
• Pages visited, time on site, and referral source
• Form submissions (appointment requests, quiz responses)
• Cookies and similar tracking technologies (see Section 8)

2. How We Use Your Information

We use your information to:

• Provide clinical care: Physician consultations, lab ordering, diagnosis, treatment planning, and follow-up monitoring
• Process billing and payments: Submitting pharmacy benefit claims on your behalf and collecting payment for clinical services
• Clinical operations: Scheduling, medical records management, quality improvement, and care coordination
• Communications: Appointment reminders, lab result notifications, and treatment updates via phone, email, or secure message
• Legal compliance: Meeting obligations under HIPAA, Washington state law, and applicable healthcare regulations
• Safety: Responding to emergencies and protecting the health and safety of patients and staff
• Website improvement: Analyzing site usage to improve content and user experience (see Section 8)

We do not use your health information for marketing purposes without your explicit written authorization.

3. HIPAA & Protected Health Information

Permitted Uses and Disclosures Without Your Authorization

HIPAA permits us to use and disclose your PHI without authorization for:

• Treatment: Sharing information with healthcare providers involved in your care
• Payment: Billing your pharmacy's insurance plan for covered medications
• Healthcare Operations: Internal quality assurance, compliance audits, and practice management
• Public Health Activities: Required disease reporting to public health authorities
• Legal Requirements: Responding to court orders, subpoenas, or law enforcement requests as required by law
• Emergencies: Disclosures necessary to prevent serious harm

Uses Requiring Your Authorization

We will obtain your written authorization before using or disclosing your PHI for:

• Marketing communications using your health information
• Sale of your PHI
• Any other use not permitted by HIPAA

You may revoke an authorization at any time in writing, except where we have already acted in reliance on it.

Minimum Necessary Standard

We make reasonable efforts to limit access to the minimum amount of PHI necessary to accomplish the purpose of any use or disclosure.

4. AI & Automated Tools Disclosure

Specific uses include:

• Clinical documentation assistance: AI tools may assist with summarizing visit notes or structuring lab interpretations. All outputs are reviewed by the ordering physician.
• Administrative operations: Scheduling optimization, billing code suggestion, and patient communication drafting.
• Website personalization: Anonymized behavioral data may inform content recommendations.

AI tools used by Revive operate under Business Associate Agreements (BAAs) where PHI is involved. We use only de-identified or aggregate data for any AI-related analytics. Individual patient PHI is never submitted to third-party AI services for model training without explicit patient authorization.

5. Information Sharing

Revive Low T Clinic does not sell your personal information or PHI to any third party. We share information only as follows:

Business Associates

We share PHI with vendors and service providers who assist our operations under written Business Associate Agreements (BAAs) that require HIPAA-compliant protection. These include EHR/practice management vendors, reference labs, pharmacy benefit processors, secure messaging platforms, and payment processors (PCI-DSS compliant).

Insurance & Pharmacy Billing

With your authorization (provided at intake), we share necessary PHI with your pharmacy's insurance plan to process medication coverage on your behalf. This is a standard healthcare billing function permitted under HIPAA.

Other Providers

We may share relevant PHI with other treating physicians for care coordination, with your consent or as permitted by HIPAA.

Legal Disclosures

We may disclose information as required by law, including in response to valid legal process, to comply with reporting obligations, or to prevent serious harm.

6. Your Patient Rights Under HIPAA

As a Revive patient, you have the following rights regarding your Protected Health Information:

Right to Access

You have the right to inspect and obtain a copy of your medical records. Requests must be submitted in writing. We will respond within 30 days and may charge a reasonable, cost-based fee for copies.

Right to Amendment

You have the right to request amendment of PHI you believe is inaccurate or incomplete. We may deny the request if the information is accurate and complete.

Right to an Accounting of Disclosures

You have the right to receive a list of certain disclosures we have made of your PHI for purposes other than treatment, payment, or healthcare operations, for up to six years prior to your request.

Right to Request Restrictions

You may request restrictions on how we use or disclose your PHI. We must honor requests to restrict disclosure to a health plan when you have paid out-of-pocket in full for a service.

Right to Confidential Communications

You may request that we communicate with you by a specific means or at a specific location. We will accommodate reasonable requests.

Right to File a Complaint

If you believe your privacy rights have been violated, you may file a complaint with Revive Low T Clinic or with the U.S. Department of Health and Human Services Office for Civil Rights at www.hhs.gov/ocr. We will not retaliate against you for filing a complaint.

How to Exercise Your Rights

Contact our Privacy Officer in writing at privacy@revivelowt.com or by mail to Revive Low T Clinic, Attn: Privacy Officer, 4500 9th Ave NE, Seattle, WA 98105.

7. Washington State — My Health MY Data Act (MHMDA)

Washington State's My Health MY Data Act (MHMDA), effective March 31, 2024, provides additional protections for consumer health data. As a HIPAA-covered entity, our patient health information is primarily governed by HIPAA. To the extent MHMDA applies to any health-related data we collect outside the HIPAA context (such as website interaction data relating to health conditions), we comply with MHMDA requirements.

Your MHMDA Rights (where applicable)

• Right to access consumer health data we hold about you
• Right to deletion of consumer health data (subject to legal retention requirements)
• Right to withdraw consent for collection and sharing of consumer health data
• Right to be free from health-condition-based geofencing — we do not engage in this practice

To exercise MHMDA rights, contact us at privacy@revivelowt.com. Washington residents may appeal our response to a rights request.

8. Website Analytics

Our website uses the following analytics tools:

• Google Analytics 4 (GA4): Collects anonymized data on page views, session duration, traffic sources, and user demographics. IP addresses are anonymized. Governed by Google's Privacy Policy and our Data Processing Agreement.
• Microsoft Clarity: Session recording and heatmap tool capturing anonymized user interaction patterns. Configured to mask form inputs to prevent capture of personal data.

You may opt out of analytics tracking by installing the Google Analytics Opt-out Browser Add-on, adjusting your browser's cookie settings, or using a privacy-focused browser extension. We do not link anonymized website data to your medical records.

9. Data Security

We implement administrative, physical, and technical safeguards including:

• Encryption of PHI in transit (TLS 1.2+) and at rest (AES-256)
• Role-based access controls limiting PHI access to personnel who need it
• Workforce training on HIPAA privacy and security requirements
• Regular security risk assessments as required by the HIPAA Security Rule
• Incident response procedures for potential data breaches

In the event of a breach of unsecured PHI, we will notify affected individuals and HHS as required by the HIPAA Breach Notification Rule (45 CFR Part 164, Subpart D).

10. Changes to This Notice

We reserve the right to change this Notice of Privacy Practices at any time. We will post the revised notice on our website and make it available in our clinics. The effective date at the top of this notice reflects the date of the most recent revision. Material changes will be communicated to current patients by email or in-clinic notice.