HIPAA Notice of Privacy Practices
1. Our pledge regarding PHI
GoodLife Health is committed to protecting your medical information. Protected Health Information ("PHI") is information about you, including demographic data, that may identify you and relates to your past, present, or future physical or mental health, the provision of healthcare, or payment for that healthcare.
We are required by law to:
- Maintain the privacy and security of your PHI
- Provide you with this Notice describing our legal duties and privacy practices
- Follow the terms of the Notice currently in effect
- Notify you in the event of a breach affecting your unsecured PHI
2. Uses and disclosures without your authorization
We may use and disclose your PHI without your written authorization for the following purposes:
2.1 Treatment
We use your PHI to provide and coordinate your care. For example, your clinician may review your labs to develop a treatment plan, share information with a partnered clinician in another state who is collaborating on your care, or send a prescription to our partnered licensed pharmacy.
2.2 Payment
We use your PHI to obtain payment for services. For example, we may verify your identity and process your membership payment through Stripe, our payment processor.
2.3 Healthcare Operations
We use your PHI to operate and improve our practice. This includes quality improvement, clinician training, care coordination, audit logging, and clinical protocol development. We use de-identified data (with HIPAA identifiers removed) for internal analytics and AI-assisted decision support tools to improve the quality and consistency of clinical care.
2.4 Required by law
We may disclose PHI when required by federal, state, or local law, including to report communicable diseases or suspected abuse, or to respond to lawful subpoenas, court orders, or government investigations.
2.5 Public health and safety
We may disclose PHI for public health activities, to report adverse events to the FDA, to prevent serious threats to health or safety, or for other public health purposes permitted by HIPAA.
2.6 Health oversight
We may disclose PHI to health oversight agencies authorized by law to audit, investigate, license, or inspect healthcare operations.
2.7 Coroners, medical examiners, and funeral directors
We may disclose PHI to identify a deceased person, to determine the cause of death, or as otherwise authorized by law.
2.8 Workers' compensation
We may disclose PHI as permitted by workers' compensation laws.
2.9 Business Associates
We may disclose PHI to vendors who perform services on our behalf, under written Business Associate Agreements that require them to protect your PHI. See Section 6.
3. Uses and disclosures requiring your written authorization
Other uses and disclosures of your PHI require your written authorization. These include:
- Marketing communications that involve your PHI (we use only non-PHI marketing identifiers for general marketing)
- Sale of your PHI (we do not sell PHI)
- Use or disclosure of psychotherapy notes (where applicable)
- Most disclosures to family members, friends, or others not involved in your care
- Research uses of identifiable PHI (de-identified data does not require authorization)
You may revoke any authorization in writing at any time, except to the extent we have already acted on it.
4. Your rights regarding PHI
4.1 Right to access
You have the right to inspect and obtain a copy of your PHI maintained in our designated record set. Requests should be made in writing to our Privacy Officer. We will respond within 30 days. We may charge a reasonable cost-based fee for copies.
4.2 Right to amend
You have the right to request that we amend PHI you believe is inaccurate or incomplete. We will respond within 60 days. We may deny the request in certain circumstances, in which case you may submit a statement of disagreement.
4.3 Right to an accounting of disclosures
You have the right to request a list of disclosures of your PHI made by us for purposes other than treatment, payment, or healthcare operations, for the six years preceding the request.
4.4 Right to request restrictions
You have the right to request restrictions on certain uses and disclosures. We are not required to agree to a request, except where you pay in full out of pocket for an item or service and request that information not be disclosed to a health plan.
4.5 Right to request confidential communications
You have the right to request that we communicate with you in a specific way or location (for example, only by secure portal message rather than text). We will accommodate reasonable requests.
4.6 Right to a paper copy
You have the right to a paper copy of this Notice on request, even if you have agreed to receive it electronically.
4.7 Right to notice of breach
You have the right to be notified in the event of a breach of your unsecured PHI.
5. Our responsibilities
We will:
- Maintain the privacy and security of your PHI through administrative, technical, and physical safeguards, including encryption, access controls, and audit logging
- Notify you promptly if a breach occurs that may have compromised your PHI
- Follow the duties and privacy practices described in this Notice
- Not use or share your information other than as described here, unless you tell us in writing that we may
- Provide you with this Notice no later than the date of first service delivery, and post it prominently on our website
6. Business Associates
We work with Business Associates that may receive your PHI to help us provide services. Each Business Associate has signed a HIPAA Business Associate Agreement requiring them to protect your information consistent with HIPAA.
Our current Business Associates include:
| Business Associate | Service provided |
|---|---|
| Supabase | Patient data platform and audit log infrastructure |
| Vercel | Web application hosting |
| Elation Health | Electronic Health Record (legal chart of record) |
| Anthropic | AI infrastructure under Enterprise BAA (operates on de-identified data only) |
| Stripe | Payment processing and identity verification |
| Twilio | SMS notification delivery |
| Licensed pharmacy partner | Prescription fulfillment |
Marketing platforms (such as Customer.io) do not receive PHI. We use a non-PHI architecture for marketing and lifecycle communications: marketing systems receive only marketing identifiers (such as name, email address, signup date, membership tier, and lifecycle stage), and never receive clinical information, lab results, or protocol data.
7. Breach notification
In the event of a breach of your unsecured PHI, we will notify you in writing within 60 days of discovering the breach. If a breach affects more than 500 individuals, we will also notify the U.S. Department of Health and Human Services and, where required, the media.
8. How to file a complaint
If you believe your privacy rights have been violated, you may file a complaint with us by contacting our Privacy Officer (see Section 10). You may also file a complaint with the U.S. Department of Health and Human Services, Office for Civil Rights:
U.S. Department of Health and Human Services
Office for Civil Rights
200 Independence Avenue, S.W.
Washington, D.C. 20201
Toll-free: 1-877-696-6775
www.hhs.gov/ocr/privacy/hipaa/complaints
You will not be retaliated against for filing a complaint.
9. Changes to this Notice
We reserve the right to change this Notice and to make the revised Notice effective for all PHI we maintain. The revised Notice will be posted on our website and made available in the patient portal. You may request a copy of the current Notice at any time.
10. Contact information
For questions about this Notice or to exercise any of your rights:
Privacy Officer: Kristin Makinajyan, FNP, DNP
Security Officer: Dev Chatterjee
Email: info@goodlifehealth.ai
Mail: GoodLife Health · Attn: Privacy Officer · Arizona