Notice of Privacy Practices

Last updated: 2026-05-21

THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.

GetPepWell, Inc. ("GetPepWell") is required by the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") and applicable regulations to maintain the privacy of your Protected Health Information ("PHI"), to provide you with this Notice of Privacy Practices, and to abide by the terms of the Notice currently in effect. This Notice applies to all PHI created, received, maintained, or transmitted by GetPepWell in connection with the telehealth services we provide.

Our Duties

We are required by law to:

Maintain the privacy and security of your Protected Health Information
Provide you with this Notice of our legal duties and privacy practices regarding your PHI
Follow the terms of the Notice that is currently in effect
Notify you following a breach of your unsecured Protected Health Information, as required by 45 CFR Part 164 Subpart D

We reserve the right to change the terms of this Notice and to make the new provisions effective for all PHI that we maintain. If we make a material change to this Notice, we will post the revised Notice on our website and make it available upon request.

Uses and Disclosures of Protected Health Information

The following describes the ways we may use and disclose your PHI. For each category, we provide an explanation and, where appropriate, examples. Not every use or disclosure will be listed, but all uses and disclosures will fall within one of the categories described below.

For Treatment

We use and disclose your PHI to provide, coordinate, or manage your healthcare and related services. This includes sharing your health information with physicians conducting your telehealth consultations, specialists to whom you may be referred, and compounding pharmacies that fulfill your prescriptions. For example, a physician reviewing your medical-intake questionnaire before your consultation is a use of PHI for treatment.

For Payment

We use and disclose your PHI to obtain payment for healthcare services we provide to you. This includes processing subscription billing, generating invoices, verifying insurance eligibility where applicable, and conducting payment-related utilization review. For example, we may share the minimum data needed with our payment processor to verify that your subscription is active.

For Healthcare Operations

We use and disclose your PHI for our healthcare operations - activities needed to run our platform and ensure that our patients receive quality care. These include:

Quality assessment and improvement
Reviewing the competence and qualifications of healthcare professionals
Training programs for clinical staff
Medical review, legal services, and auditing
Business planning, development, and general administrative activities
Compliance monitoring and fraud prevention

Required by Law

We may use or disclose your PHI when required to do so by federal, state, or local law. Such disclosures are made in compliance with the law and limited to the relevant requirements.

Public Health Activities

We may disclose your PHI for public health activities as permitted by law, including:

Reporting to a public health authority for the purpose of preventing or controlling disease, injury, or disability
Reporting adverse events, product defects, or problems with medications to the FDA
Notifying a person who may have been exposed to a communicable disease or may otherwise be at risk of contracting or spreading a disease or condition

Health Oversight Activities

We may disclose your PHI to a health oversight agency for activities authorized by law, such as audits, investigations, inspections, licensure, and other proceedings. These activities are necessary for the government to monitor the healthcare system, government benefit programs, and compliance with civil rights laws.

Other Permitted Disclosures

We may also use or disclose your PHI for legal proceedings (such as response to a court order, subpoena, or discovery request, as permitted by 45 CFR § 164.512(e)), law enforcement purposes as required or permitted by law (45 CFR § 164.512(f)), to coroners or funeral directors (§ 164.512(g)), in connection with organ or tissue donation (§ 164.512(h)), for research activities subject to required approvals and safeguards (§ 164.512(i)), to avert a serious threat to health or safety (§ 164.512(j)), for specialized government functions including military, national security, and protective services (§ 164.512(k)), and for workers' compensation programs (§ 164.512(l)).

Uses and Disclosures Requiring Your Authorization

The following uses and disclosures will only be made with your written authorization, which you may revoke at any time:

Marketing communications: uses and disclosures of PHI for marketing purposes, except for face-to-face communications and certain promotional gifts of nominal value, require your authorization (45 CFR § 164.508(a)(3)).
Sale of PHI: any disclosure of PHI that constitutes a sale of PHI requires your authorization (45 CFR § 164.508(a)(4)).
Psychotherapy notes: most uses and disclosures of psychotherapy notes require your authorization (45 CFR § 164.508(a)(2)). GetPepWell's scope of practice is peptide therapy via telehealth and does not currently include psychotherapy services; psychotherapy-note safeguards are included for completeness.
Other uses not described above: any other use or disclosure of PHI not described in this Notice or otherwise required by law will be made only with your written authorization.

Your Rights Regarding Your PHI

You have the following rights with respect to your Protected Health Information. To exercise any of these rights, submit a written request to the GetPepWell Privacy Officer using the contact information at the end of this Notice.

Right to Access

You have the right to inspect and obtain a copy of your PHI maintained in our designated record set. This includes medical records, billing records, and other records used to make decisions about your care. We will provide your records in the format you request if it is readily producible, or in a mutually agreed-upon alternative format. We may charge a reasonable, cost-based fee for copies. We respond to access requests within 30 days.

Right to Amend

You have the right to request that we amend your PHI if you believe it is inaccurate or incomplete. We may deny your request in limited circumstances, including where the information was not created by us, is not part of the designated record set, or is accurate and complete. If we deny your request, we will provide you with a written explanation and your right to submit a statement of disagreement.

Right to an Accounting of Disclosures

You have the right to request a list (accounting) of certain disclosures of your PHI that we have made. This accounting will not include disclosures made for treatment, payment, or healthcare operations, disclosures made pursuant to your written authorization, or other categories excluded by HIPAA. The first accounting within a 12-month period is provided free of charge; additional requests within the same period may be subject to a reasonable, cost-based fee.

Right to Request Restrictions

You have the right to request restrictions on certain uses and disclosures of your PHI. We are not required to agree to your requested restriction except where the disclosure is to a health plan for payment or healthcare operations purposes and the PHI pertains solely to a healthcare item or service for which you have paid in full out of pocket (45 CFR § 164.522(a)(1)(vi)). In that case, we are required to agree.

Right to Request Confidential Communications

You have the right to request that we communicate with you about your health matters in a particular manner or at a certain location - for example, by a specific email address. We accommodate reasonable requests when possible.

Right to a Paper Copy

You have the right to obtain a paper copy of this Notice of Privacy Practices upon request, even if you have previously agreed to receive the Notice electronically.

Right to Be Notified of a Breach

You have the right to be notified following a breach of your unsecured PHI, as required by the HIPAA Breach Notification Rule (45 CFR Part 164 Subpart D).

Complaints

If you believe your privacy rights have been violated, you may file a complaint with GetPepWell or with the U.S. Department of Health and Human Services, Office for Civil Rights (OCR). You will not be retaliated against for filing a complaint.

Filing with GetPepWell

To file a complaint with GetPepWell, contact the GetPepWell Privacy Officer at privacy@getpepwell.com. Describe the conduct you believe violated your privacy rights, the date or time period involved, and any specific staff members or systems you believe were involved. We will acknowledge your complaint within 5 business days and investigate.

Filing with the Office for Civil Rights

You may also file a complaint with HHS OCR:

Online: HHS Complaint Portal
Phone: 1-800-368-1019 (TDD: 1-800-537-7697)
Mail: U.S. Department of Health and Human Services, 200 Independence Avenue S.W., Washington, D.C. 20201

Changes to This Notice

We reserve the right to change the terms of this Notice at any time. Any changes will apply to all PHI that we currently maintain, as well as any PHI we create or receive in the future. We will post the revised Notice on our website with a new effective date. You may request a copy of the current Notice at any time by contacting the GetPepWell Privacy Officer.

Effective Date

This draft Notice of Privacy Practices is effective as of May 21, 2026.

Contact Information

For questions about this Notice or to exercise your rights, contact the GetPepWell Privacy Officer:

Email: privacy@getpepwell.com