HIPAA Notice of Privacy Practices

Effective Date: March 1, 2026

THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.

1. Our Commitment to Your Privacy

MedFOLIO understands that your health information is personal and private. We are committed to protecting your Protected Health Information (PHI) in accordance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and other applicable laws.

This Notice of Privacy Practices describes how we may use and disclose your PHI and explains your rights regarding your health information.

2. What is Protected Health Information (PHI)?

PHI is individually identifiable health information that relates to:

  • Your past, present, or future physical or mental health condition
  • The provision of healthcare to you
  • Payment for healthcare services

This includes information such as your medical records, implant documentation, surgical history, prescriptions, and any other health-related documents you store in MedFOLIO.

3. How We May Use and Disclose Your PHI

3.1 With Your Authorization

We will only use or disclose your PHI with your explicit written authorization, except as described below. You may revoke your authorization at any time in writing.

3.2 Without Your Authorization

We may use or disclose your PHI without your authorization in the following limited circumstances:

  • As Required by Law: When required by federal, state, or local law
  • Public Health Activities: To report disease, injury, or vital statistics as required by law
  • Health Oversight: To health oversight agencies for activities authorized by law
  • Legal Proceedings: In response to a court order or lawful subpoena
  • Law Enforcement: For law enforcement purposes as required by law
  • Threats to Health or Safety: To prevent or lessen a serious and imminent threat to health or safety
  • National Security: For intelligence and national security activities authorized by law

3.3 Sharing You Control

MedFOLIO allows you to share specific records with healthcare providers, family members, or other individuals through secure, time-limited sharing links. You have complete control over:

  • Which documents to share
  • Who can access the shared information
  • How long the sharing link remains active
  • Revoking access at any time

4. Your Rights Regarding Your PHI

4.1 Right to Access

You have the right to inspect and obtain a copy of your PHI. You may request your information in electronic format.

4.2 Right to Amend

You have the right to request that we amend your PHI if you believe it is incorrect or incomplete.

4.3 Right to an Accounting of Disclosures

You have the right to request a list of disclosures we have made of your PHI, except for disclosures made with your authorization or for certain other purposes.

4.4 Right to Request Restrictions

You have the right to request restrictions on certain uses and disclosures of your PHI. We are not required to agree to your request, but if we do, we will honor it.

4.5 Right to Confidential Communications

You have the right to request that we communicate with you about your health information in a specific way or at a specific location.

4.6 Right to a Paper Copy

You have the right to obtain a paper copy of this Notice upon request.

5. Our Responsibilities

MedFOLIO is required to:

  • Maintain the privacy and security of your PHI
  • Provide you with this Notice of our legal duties and privacy practices
  • Follow the terms of this Notice currently in effect
  • Notify you if a breach occurs that may have compromised your PHI

6. Security Measures

We implement comprehensive security measures to protect your PHI, including:

  • Technical Safeguards: AES-256 encryption, secure authentication, automatic session timeouts
  • Physical Safeguards: SOC 2 Type II certified data centers with restricted access
  • Administrative Safeguards: Employee training, access controls, regular security audits
  • Zero-Knowledge Architecture: Your data is encrypted so that even our employees cannot access it

7. Breach Notification

In the event of a breach of your unsecured PHI, we will notify you as required by law. Notification will be made without unreasonable delay and no later than 60 days after discovery of the breach.

8. Changes to This Notice

We reserve the right to change this Notice and make the new provisions effective for all PHI we maintain. If we make material changes, we will post the revised Notice on our website and notify you through the Service.

9. Complaints

If you believe your privacy rights have been violated, you may file a complaint with us or with the Secretary of the U.S. Department of Health and Human Services. We will not retaliate against you for filing a complaint.

To file a complaint with us, contact our Privacy Officer at the address below.

10. Contact Information

For questions about this Notice or to exercise your rights, please contact:

MedFOLIO Privacy Officer
Email: hipaa@medfolio.app
Phone: 1-800-MED-FOLIO
Address: 123 Health Street, San Francisco, CA 94102

U.S. Department of Health and Human Services
Office for Civil Rights
Website: www.hhs.gov/ocr/privacy/hipaa/complaints
