HIPAA Notice of Privacy Practices

Last Updated: March 2026

This notice describes how medical information about you may be used and disclosed and how you can get access to this information. Please review it carefully.

1. Our Commitment to Your Privacy

One Life Medicine is committed to protecting the privacy of your health information. This Notice of Privacy Practices ("Notice") describes how we may use and disclose your Protected Health Information ("PHI") and explains your rights regarding your health records.

PHI is information that identifies you and relates to your past, present, or future physical or mental health, the provision of healthcare to you, or payment for healthcare services. This includes information collected through in-person visits, the patient portal, secure messaging, lab results, and intake forms.

We are required by HIPAA to maintain the privacy of your PHI, provide you with this Notice, and follow the terms of the Notice currently in effect.

2. How We May Use and Disclose Your PHI

2.1 For Treatment

We may use and disclose your PHI to provide, coordinate, and manage your healthcare. This includes using your health history and lab results to develop treatment plans, sharing information with Dr. Jennifer Park and other members of your care team, and communicating with you about your care through the patient portal and secure messaging.

Example: Dr. Park reviews your intake form, MSQ scores, and lab results to develop your personalized treatment plan.

2.2 For Payment

We may use and disclose your PHI as necessary to bill and collect payment for your membership and services. This includes processing your membership payments through Stripe, billing covered services to your insurance, and providing you with receipts and billing statements.

Example: Your membership tier and billing status are linked to your patient record to manage your subscription.

2.3 For Healthcare Operations

We may use and disclose your PHI for our internal operations, including quality improvement, training, auditing, and compliance activities.

Example: We review audit logs to ensure that patient records are accessed only by authorized personnel.

2.4 With Your Authorization

Other uses and disclosures of your PHI not described in this Notice will be made only with your written authorization. You may revoke an authorization at any time in writing, except to the extent we have already acted in reliance on it.

2.5 Without Your Authorization (As Permitted or Required by Law)

We may use or disclose your PHI without your authorization in the following situations:

  • As Required by Law: When disclosure is required by federal, state, or local law
  • Public Health Activities: To report disease, injury, or vital events to public health authorities
  • Victims of Abuse or Neglect: To report suspected abuse, neglect, or domestic violence to appropriate government authorities
  • Health Oversight Activities: To a health oversight agency for audits, investigations, and inspections
  • Judicial and Administrative Proceedings: In response to a court order or, in certain circumstances, a subpoena
  • Law Enforcement: Under limited circumstances, such as in response to a court order or to report certain types of injuries
  • To Prevent a Serious Threat: To prevent or lessen a serious and imminent threat to your health or safety or the health or safety of the public
  • Workers' Compensation: As authorized by and necessary to comply with workers' compensation laws
  • Coroners, Medical Examiners, and Funeral Directors: To identify a deceased person or determine cause of death
  • Research: Under limited circumstances and with appropriate safeguards

3. Your Rights Regarding Your PHI

3.1 Right to Access

You have the right to inspect and obtain a copy of your PHI that we maintain in our records. To request access, submit a written request to thrive@onelifemedicine.com. We will respond within 30 days. We may charge a reasonable fee for copies.

3.2 Right to Request Amendment

If you believe that PHI we maintain about you is incorrect or incomplete, you may request an amendment. Submit a written request with the reason for the amendment to thrive@onelifemedicine.com. We may deny your request in certain circumstances and will provide you with a written explanation.

3.3 Right to an Accounting of Disclosures

You have the right to request a list of certain disclosures we have made of your PHI. This accounting does not include disclosures made for treatment, payment, or healthcare operations, or disclosures you authorized. Submit your request in writing to thrive@onelifemedicine.com.

3.4 Right to Request Restrictions

You have the right to request that we restrict how we use or disclose your PHI for treatment, payment, or healthcare operations. We are not required to agree to your request, except that we must agree to restrict disclosures to a health plan for services you paid for entirely out of pocket.

3.5 Right to Request Confidential Communications

You have the right to request that we communicate with you in a certain way or at a certain location. For example, you may request that we contact you only by email or only at a specific phone number. We will accommodate reasonable requests.

3.6 Right to a Paper Copy of This Notice

You have the right to a paper copy of this Notice at any time. Contact us at thrive@onelifemedicine.com to request a copy.

3.7 Right to Be Notified of a Breach

You have the right to be notified if your unsecured PHI is involved in a breach. We will notify you as required by HIPAA, and no later than 60 days after discovery of the breach.

4. Our Responsibilities

  • We are required to maintain the privacy of your PHI and provide you with this Notice
  • We will not use or disclose your PHI other than as described in this Notice without your written authorization
  • We are required to notify you following a breach of your unsecured PHI
  • We are required to abide by the terms of this Notice currently in effect
  • We reserve the right to change the terms of this Notice at any time. Any changes will apply to all PHI we maintain. A revised Notice will be posted on our website and available upon request

5. How We Protect Your PHI

We implement the following safeguards to protect your PHI:

  • Administrative Safeguards: HIPAA privacy and security policies, workforce training, Business Associate Agreements with all vendors who access PHI, designated Privacy Officer
  • Technical Safeguards: Encryption of all data at rest (AES-256) and in transit (TLS/SSL), role-based access controls, row-level database security ensuring patients access only their own records, automatic session timeout after 30 minutes of inactivity, comprehensive audit logging of all PHI access
  • Physical Safeguards: Secure hosting infrastructure maintained by SOC 2-compliant providers (Supabase, Vercel), no PHI stored on local devices or removable media

6. Our Technology Platform

Your PHI is stored and processed through our custom-built, HIPAA-compliant technology platform. Key components include:

  • Database (Supabase): Encrypted PostgreSQL database with row-level security. HIPAA Business Associate Agreement in place.
  • Patient Portal: Secure, authenticated access to your health records, lab results, MSQ scores, and messaging.
  • File Storage (Supabase Storage): Lab results and medical documents stored in a private, encrypted bucket with time-limited access URLs.
  • Payment Processing (Stripe): PCI-compliant payment processing. Stripe processes your payment information; we do not store full credit card numbers.
  • Hosting (Vercel): Encrypted, secure application hosting with HTTPS enforced on all connections.

All technology vendors with access to PHI have signed HIPAA Business Associate Agreements.

7. Complaints

If you believe your privacy rights have been violated, you may file a complaint with us or with the U.S. Department of Health and Human Services.

To file a complaint with One Life Medicine:
Email: thrive@onelifemedicine.com

To file a complaint with HHS Office for Civil Rights:
Website: hhs.gov/ocr/complaints
Phone: 1-800-368-1019

You will not be penalized or retaliated against for filing a complaint.

8. Contact Information

Privacy Officer
One Life Medicine
Email: thrive@onelifemedicine.com

For questions about this Notice or your privacy rights, please contact us at the email address above.

This document is a draft prepared for attorney review. Do not rely on it as final legal advice.