HIPAA Privacy

Last Updated: June 11, 2025

NOTICE OF PRIVACY PRACTICES

Under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), Cary Rx Incorporated (doing business as “CaryRx” and “CaryHealth”) is required to provide patients with this Notice of Privacy Practices that describes how we may use patient information for treatment, payment and other purposes that details patient rights regarding the privacy of patient health and medical information.

This Notice of Privacy Practices applies only to the pharmacy services provided by CaryRx. For broader data practices relating to CaryHealth’s digital platforms, apps, and websites, please see our Privacy Policy.

Effective Date: June 11, 2025

THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION.

PLEASE REVIEW IT CAREFULLY.

Uses and Disclosures of Protected Health Information. There are two categories for the use and disclosure of our patients’ Protected Health Information: (A.) information that we can use and disclose without the patient’s prior consent; and (B.) information that we cannot use or disclose without the patient’s prior authorization.

A. Patients’ Prior Consent Not Required.

1) Treatment. In the first category, we are permitted to use and disclose our patients’ Protected Health Information in connection with their medical treatment in situations such as allowing a family member or other relative or a close personal friend or other person involved in the patient’s health care to pick up the patient’s prescriptions and to receive Protected Health Information that is directly related to the patient’s care. In doing so, we are to use our professional judgment and experience with common practice in determining what is in the patient’s best interest. Other examples include sending information about a patient’s prescriptions to the patient’s family doctor or to a specialist who is treating the patient or to a hospital where the patient is receiving care, particularly if the patient has suffered a health emergency.

2) Payment. If a patient is covered by a pharmacy benefit plan, we are entitled to send Protected Health Care Information to the plan or to another business entity involved in our billing system describing the medication or health care equipment we have dispensed so that we can be paid.

3) Health Care Operations. In addition, we can provide Protected Health Information for health care operations such as evaluations of the quality of our patients’ health care in order to improve the success of treatment programs. Other examples include reviews of health care professionals, insurance premium rating, legal and auditing functions, and business planning and management.

4) Other Permitted Uses and Disclosures. There are a number of other specified purposes for which we may disclose a patient’s Protected Health Information without the patient’s prior consent (but with certain restrictions). Examples include public health activities; situations where there may be abuse, neglect or domestic violence; in connection with health oversight activities; in the course of judicial or administrative proceedings; in response to law enforcement inquiries; in the event of death; where organ donations are involved; in support of research studies; where there is a serious threat to health and safety; in cases of military or veterans’ activities; where national security is involved; for determinations of medical suitability; for government programs for public benefit; for workers’ compensation proceedings; when our records are being audited; when medical emergencies occur; and when we communicate with our patients orally or in writing about refilling prescriptions, about generic drugs that may be appropriate for a patient’s treatment, or about alternative therapies. We will not use or disclose your protected health information for prohibited reproductive health purposes under HIPAA.

B. Patients’ Prior Authorization Required.

For purposes other than those mentioned above, we are required to ask for our patients’ written authorizations before using or disclosing any of their Protected Health Information. If we request an authorization, any of our patients may decline to agree, and if a patient gives us an authorization, the patient has the right to revoke the authorization and by doing so, stop any future uses and disclosures of the patient’s health information that the authorization covered. An example of a situation where the patient’s prior authorization would be required would be if we wish to conduct a marketing program that would involve the use of Protected Health Information. Certain PHI requests may require attestations confirming lawful use.

1) Patients’ Rights. HIPAA and the Regulations provide our patients with rights concerning their Protected Health Information. With limited exceptions (which are subject to review) each patient has the right to the following: 1) Patient’s Record. Each patient can obtain a copy of his or her Protected Health Information upon written request. The only charge will be based on our cost in responding to the request. The amount of the charge will vary depending on the format the patient requests and whether the patient wants the record or a summary, and whether it is to be delivered by mail or otherwise. The patient will be told of the fee when the patient’s request is received. If at the time of the patient’s request we maintain an electronic health record with respect to Protected Health Information, the patient has a right to obtain a copy of the patient’s Protected Health Information in electronic form and to direct that the copy directed to a clearly identified person or entity.

2) Accounting for Disclosures. Each patient can, upon written request, obtain a list of the disclosures of the patient’s Protected Health Information that have occurred within the 6 years preceding the request, except for disclosures made for the purposes of treatment, payment or health care operations and certain others. There will be no charge for the first request in any 12 month period, but we are entitled to charge a reasonable cost based fee for additional requests made in the same period of time. However, if at the time of the patient’s request we maintain an electronic health record with respect to Protected Health Information, the foregoing exception will not apply and the period covered for the accounting will be the 3 years preceding the request.

3) Amendments. Each patient may ask to change the record of his or her own Protected Health Information upon written request explaining why the change should be made. We will review the request, but may decline to make the change if in our professional judgment we conclude that the record should not be changed.

4) Communications. Upon written request, each patient can ask us to communicate with him or her about their own Protected Health Information in a confidential manner such as by sending mail to an address other than the home address or using a particular telephone number.

5) Special Restrictions. Upon written request, each patient can ask us to adopt special restrictions that further limit our use and disclosure of the patient’s Protected Health Information (except where use and disclosure are required of us by law or in emergency circumstances). We will consider the request; but in accordance with HIPAA we are not required to agree to with the request; provided, however, we will comply with a patient’s request to restrict the disclosure of Protected Health Information to a health plan if the disclosure is for payment or health care operations (excluding treatment), and the disclosure pertains solely to a health care item or service for which we have been paid out of pocket in full.

6) Complaints. If a patient believes that we have violated the patient’s rights as to the patient’s Protected Health Information under HIPAA or if a patient disagrees with a decision we made about access to the patient’s Protected Health Information, the patient has the right to file a written complaint with our Contact Person listed below. Our Contact Person is required to investigate, and if possible, to resolve each such complaint, and to advise the patient accordingly. The patient also has the right to send a written complaint to the U.S. Department of Health and Human Services. The patient may file a complaint with HHS at www.hhs.gov/ocr/privacy/hipaa/complaints/ or by calling 1-800-368-1019. Under no circumstances will any patient be retaliated against by this pharmacy for filing a complaint with us or with the Secretary of Health and Human Services.

7) Paper Copy of Notice. Each patient has the right to obtain a paper copy of this Notice of Privacy Practices from us upon request, even if the patient has agreed to receive the notice electronically. To request a paper copy, please contact us using the information provided at the end of this notice.

Breach Notification

We are required by law to notify the patient if a breach occurs that may have compromised the privacy or security of the patient’s unsecured protected health information. This notice will include a brief description of the breach, the types of information involved, steps the patient can take to protect themselves, and what we are doing to investigate and mitigate the breach.

Our Responsibilities

We are required by law to protect the privacy of our patients’ Protected Health Information, to provide this notice about our privacy practices, and follow the privacy practices that are described in this notice. We reserve the right to change our privacy practices and the terms of this notice at any time. Before we make a significant change in our privacy practices, we will change this notice and make the new notice available upon request. Please be aware that third parties who receive your PHI may further disclose it beyond our privacy protections.

CONTACT US

Please do not hesitate to contact us, if you would like to review the personal information that we hold about you, or if you have any questions about our policies, our websites and apps, or how we collect, use and disclose information, using the information below:

ATTN: Privacy Officer

c/o Cary Rx Incorporated

1444 I St NW

Suite 600

Washington, DC 20005

Email: privacy@caryrx.com

caryhealth logo whiteReach out to our team!  We're just a message away.
x whiteinstagram whitelinkedin white
Industry
Pharmaceutical ManufacturersHealth PlansHealthcare Professionals
Solutions
Rx Fulfillment &
Hub ServicesAutomated Clinical
InterventionsClinical Reference
& Decision SupportDigital Therapeutics
Products
CaryConnectOneDashClairOnLabelCaryRx
Company
aboutNews & InsightsEventsCareers
Integrations
DevelopersAPI Documentation
Legal
Terms &
ConditionsPrivacyNotice of privacy Practices