Capsule HIPAA Notice of Privacy Practices

Last Updated: April 1, 2025

THIS NOTICE DESCRIBES HOW HEALTH INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.

In connection with your use of Capsule's pharmacy services, website, mobile application, products, and other technology platforms (collectively, the “Services”), we may collect your health information and other identifiable information. Individually identifiable health information is known as “protected health information” or “PHI”. Under the Health Insurance Portability and Accountability Act (“HIPAA”), Capsule is required to provide you with this Notice of Privacy Practices (this “Notice”) that describes how we may use and share your PHI for treatment, payment, or other purposes; how you can access your PHI that we collect; and a description of your HIPAA rights and how to exercise them. Please review this Notice carefully.

Note that when we say “us”, “we”, “our”, or “Capsule” in this Notice, we mean Capsule Corporation, a covered entity, and its wholly owned subsidiaries that are covered entities. These entities have designated themselves as an affiliated covered entity (the “Capsule Pharmacy ACE”) for purposes of complying with HIPAA. The designated covered functions of the Capsule Pharmacy ACE include pharmacies that receive and/or process prescriptions and/or dispense medications and related services. The affiliated covered entity HIPAA designation allows these entities to use and disclose your PHI in compliance with HIPAA. Each entity that is part of the Capsule Pharmacy ACE is an independent entity responsible for its own activities. We will share your PHI among these entities as permitted by HIPAA. For a complete list of the members of the Capsule Pharmacy ACE, contact the Capsule Privacy Officer.

  1. 1. What are Capsule's responsibilities under HIPAA?

    We have specific responsibilities under HIPAA with respect to your PHI, which include:

    • Maintaining the privacy and security of your PHI in accordance with HIPAA requirements;
    • Following the duties and privacy practices described in this Notice;
    • Only using or sharing your PHI as described in this Notice unless you tell us in writing that we can use or share it in some other way; and
    • Promptly letting you know if HIPAA requires us to notify you of a breach that may have compromised the privacy or security of your unsecured PHI.

  2. 2. How do we typically use or share your protected health information?

    We may use or share your PHI for the following reasons:

    • For Treatment. PHI may be used and shared in connection with your treatment and to provide you with treatment-related health care services. For example, we may disclose PHI to our health care providers including our pharmacists, technicians, or other personnel who need the information to provide you with medical care and to other health care sites including clinics, pharmacies, hospitals, or medical centers.
    • For Payment. PHI may be used and shared so that we or others may bill and receive payment from you, an insurance company, or a third party for the treatment and services you received.
    • For Health Care Operations. PHI may be used and shared in connection with our health care operations so we can operate and manage our business and ensure that our customers receive the best possible care. We may share PHI with other entities that have a relationship with you, such as your health plan, for their own health care operation activities.
    • Reminders, Treatment Alternatives, and Health-Related Benefits and Services. PHI may be used to contact you to remind you that you have a prescription with us. We also may use and share PHI to tell you about treatment alternatives or health-related benefits and services that may be relevant to you.
    • Individuals Involved in Your Care or Payment for Your Care. When appropriate, and subject to HIPAA's limitations, we may share PHI with a person who's involved in your medical care or payment for your care, such as your family or a close friend, but only to the extent the PHI is directly relevant to such person's involvement with your health care or payment for your health care. If you prefer that we not share PHI in this way, please let us know.
    • Disaster Relief. We may disclose your PHI to an authorized public or private entity to assist in disaster relief efforts to coordinate with those entities.
    • Business Associates. We may share PHI with our business associates, which are third parties that perform functions or activities on our behalf or provide us with certain services if sharing that information is necessary for such functions or services. Our business associates are obligated to protect the privacy of PHI and aren't allowed to use or disclose any PHI other than as specified in a written agreement with each business associate.

  3. 3. How else can we use or share your protected health information?

    We may be permitted or required to share your PHI in other ways (although we may have to meet certain conditions first) - usually these ways contribute to the public good, such as public health, research, and safety. Specifically, we may use or share your PHI for the following purposes:

    • Public Health and Safety Issues. Subject to HIPAA's limitations, we may use and share PHI in connection with public health and safety issues such as helping with product recalls, preventing the spread of disease, reporting adverse reactions to medications, reporting suspected abuse or neglect, or preventing or reducing a serious threat to anyone's health or safety.
    • Research. PHI may be used and shared for limited research purposes without your authorization. We may use your PHI as permitted by HIPAA to prepare for potential research and to contact you to see if you are interested or eligible to participate in a study. Also, if through an independent review a privacy board determines that the research conducted will pose minimal risk to your privacy, we may use and disclose your PHI according to the approved research protocol. Otherwise, we will seek your written authorization before using or disclosing your PHI to conduct research.
    • Health Oversight Activities. Subject to HIPAA's limitations, we may use and share PHI in connection with a health oversight agency's oversight activities such as audits, investigations, inspections, and licensure.
    • Data Breach Notification and Incident Response Purposes. PHI may be used and shared to investigate potential security incidents, privacy issues, or breaches and to provide legally required breach notices.
    • As Required by Law or Court Order, and Required or Requested by Law Enforcement. Subject to HIPAA's limitations, we may use and share PHI if local, state, or federal laws require or permit it to be shared in a given circumstance, if a law enforcement agency needs the PHI to carry out its duties, and if we're required to respond to a court order or similar process. We may also share PHI in relation to suspected or actual criminal conduct, such as if criminal conduct occurred on our premises.
    • Lawsuits and Disputes. Subject to HIPAA's limitations, we may use and share PHI to respond to lawsuits or disputes, and we may be required to share PHI in response to a court or administrative order, subpoena, discovery request, or other lawful process, including to someone else involved in the dispute.
    • Workers' Compensation. We may use and share PHI for workers' compensation or similar programs. These programs provide benefits for work-related injuries or illness.
    • Organ or Tissue Donation. If you're an organ donor, we may use and share PHI with organizations that handle organ procurement or other entities engaged in procurement, banking or transportation of organs, eyes or tissues to facilitate organ, eye or tissue donation and transplantation.
    • Coroners, Medical Examiners, and Funeral Directors. Subject to HIPAA's limitations, we may use and share PHI with a coroner, medical examiner, or funeral directors as necessary for their duties.
    • Specialized Government Functions. We may use and share PHI with departments or units of the government with special functions, such as the U.S. military or the U.S. Department of State, for intelligence, counterintelligence, and other national security activities authorized by law.
    • Inmates or Individuals in Custody. If you're an inmate of a correctional institution or under the custody of a law enforcement official, we may use and share PHI with the correctional institution or law enforcement official.
    • Fundraising. We may use your PHI to raise funds for our own purposes but only as permitted by HIPAA. We will not disclose your PHI for fundraising purposes except for a limited type of PHI to our related companies or if we have an agreement in place that protects your PHI.

  4. 4. When do you have the ability to opt out of a use or disclosure and when is your written permission required to use and share your protected health information?

    We're not required to obtain your written permission to use or share your PHI for the purposes outlined in Sections 2 and 3 of this Notice. We are permitted to use your PHI to contact you, but you have the right to opt out of those communications. In other circumstances, we can only use or share your PHI with your written permission. For example, your written permission is required for the following purposes:

    • Marketing. Sometimes we must obtain your written permission prior to using PHI for certain marketing purposes as defined in HIPAA. Other times we must provide you with the ability to opt out of certain marketing communications. For example, we do not need your written permission to discuss products or services that may be of benefit to you, but you may opt out of these communications.
    • Sale of PHI. HIPAA requires us to obtain your permission in some situations if we will receive something of value in exchange for PHI. In these situations, we will not do so without your written permission.
    • Research. While we can use your PHI for limited research purposes, we must obtain your written permission to include you in certain clinical trials.

    Please note that when you are asked for your permission to allow us to use or disclose your PHI for these reasons, you do not have to agree. Also, you may later revoke your permission at any time by sending a written revocation to our Privacy Officer at the email or mailing address written under Section 7.

  5. 5. What are your rights under HIPAA?

    HIPAA grants you the following rights with respect to your records with us and your PHI maintained by us:

    • Right to Inspect and Copy. You may ask to see or get an electronic or paper copy of your medical record and other PHI in our records about your billing and payment that we use to make decisions about you. We'll provide a copy or a summary usually within thirty days of your request, unless we need more time. We may charge a reasonable, cost-based processing fee for these requests.
    • Right to Correct. You may ask us to correct information in your medical record or other PHI in our records about your billing and payment and other records that we use to make decisions about you if you think it is incorrect or incomplete. We may say “no” to your request, but we'll tell you why in writing usually within sixty days, unless we need more time.
    • Right to Confidential Communications. You can ask us to contact you in a specific way (for example, home or office phone) or to send communications (e.g. mail, emails) to a different address.
    • Right to Request Additional Restrictions. You may ask us not to use or share your PHI for treatment, payment, or our operations, with certain persons (such as a family member or close personal friend) involved with your care or with payment related to your care, or in order to notify other people about your location and general condition. While we'll consider all verified requests for additional restrictions carefully, we're not required to agree to your request. If you pay for a service out-of-pocket in full, you can ask us not to share that information for the purpose of payment or our operations with your health insurer.
    • Right to a List of Disclosures. You may ask for a list of the times we've shared your PHI that we keep in the previous six years, who we shared it with, and why. We'll include the disclosures required by this HIPAA right; it will not include, for example, disclosures for treatment, payment, and health care operations, and certain other disclosures (such as any that you gave us permission to make). We'll provide one list a year for free but may charge a reasonable, cost-based fee if you ask for another one within twelve months. We will respond in writing usually within sixty days, unless we need more time.
    • Right to Paper Copy of this Notice. You can ask for a paper copy of this notice at any time, even if you have agreed to receive the notice electronically.

  6. 6. What additional protections apply to your health information?

    Other laws may further protect your health information, such as state mental health confidentiality laws or HIV/AIDS confidentiality laws. We will protect that information according to those laws.

    • If we have facilitated your reproductive health services (“RHS”) or provided you with RHS, then we provide additional protections to the PHI about that care.
      • For example, we will obtain promises from a requestor of your PHI potentially related to your RHS in response to certain law enforcement requests, for certain health oversight purposes, in certain legal proceedings, and at the request of a coroner. In some legal situations, such as certain investigations into our provision of RHS and your request for these services, HIPAA does not allow us to disclose your PHI.
      • We will be cautious before treating someone as your personal representative if we believe you or your health may be put in danger as related to your reproductive health.

  7. 7. What else do you need to know?

    Compliance with Laws. We will share information about you if state or federal laws require it.

    Who Follows this Notice. This Notice will be followed by the designated health care components of Capsule:

    • Capsule pharmacists and staff; and
    • Capsule personnel that support the health care activities of Capsule.

    Redisclosure. Some disclosures of PHI may be to those who do not have a legal obligation to keep it private. For example, if you give us permission to disclose your PHI to someone who is not regulated by HIPAA, that person does not have to protect your health information.

    Changes to this Notice. We reserve the right to change this Notice at any time and the changes will apply to the information we have about you. The new notice will be available upon request, in our office, and on our website.

    Privacy Officer. If you would like further information about your privacy rights, want to make a specific request as detailed in this Notice, are concerned that we've violated your privacy rights, or disagree with a decision that we made about access to your PHI, you may contact our Privacy Officer at privacy@capsule.com or 122 W 146th Street, New York, NY 10039 (Attention: Privacy Officer and Legal Department).

    Complaints. If you believe your privacy rights have been violated, you may file a complaint with the U.S. Department of Health and Human Services Office for Civil Rights by sending a letter to 200 Independence Avenue, S.W., Washington, D.C. 20201, calling 1-877-696-6775, emailing OCRComplaint@hhs.gov, or visiting https://www.hhs.gov/hipaa/filing-a-complaint/index.html.

    No Retaliation. We will not retaliate against you for filing a complaint.