THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.

Alto Pharmacy, LLC (“We”, “Alto”, “our” or “us”) is committed to protecting your privacy and protected health information (“PHI”). PHI is information about you, including basic demographic information, that may identify you and that relates to your past, present or future physical or mental health or condition and related health care services. This Notice of Privacy Practices (“Notice”) describes, in accordance with the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), how we may use and disclose PHI about you to carry out treatment, payment or health care operations and for other specified purposes that are permitted or required by law.

Our Responsibilities

Alto is required by law to abide by the terms of this Notice, which explains our legal duties and privacy practices with respect to PHI that we collect and maintain. We are required by law to provide you with a copy of this Notice and to notify you following a breach of your unsecured health information. Alto will not use or disclose PHI about you without your written authorization, except as described in this Notice.

Changes to the Terms in this Notice

We reserve the right to change the privacy practices outlined in this Notice and make the new notice effective for PHI we maintain and for any PHI we receive in the future. Should we make such a change, we will display the revised notice to you online, and make it available to you upon request.

Your Rights

You have certain rights with respect to PHI about you that include the following:

Obtain a paper copy of this Notice upon request. You may request a copy of this Notice at any time. Even if you have agreed to receive this Notice electronically, you are still entitled to a paper copy. 

Request a restriction on certain uses and disclosures of PHI. You have the right to request additional restrictions on our use or disclosure of PHI about you. We are not required to agree to such restrictions unless they are regarding disclosure of health information to your health insurance company and: (1) the disclosure is for the purpose of carrying out payment or health care operations and is not otherwise required by law; and (2) the health information pertains solely to a health care item or service for which you or another person (other than your health insurance company) paid in full. If we agree to your requested restriction, we will comply with your request unless the information is needed to provide you emergency treatment.

Inspect and obtain a copy of PHI. You have the right to access and copy PHI about you contained in a designated record set for as long as Alto maintains the PHI. The designated record set usually will include prescription and billing records. We may charge you a fee as authorized by law to fulfill your request. Upon receiving your request to access your PHI, we are required to respond to you no later than 30 days after the receipt of your request. We may deny your request to inspect and copy in certain limited circumstances. If you are denied access to PHI about you, you may request that the denial be reviewed. You may request access to your health information in a certain electronic form and format, if readily producible, or, if not readily producible, in a mutually agreeable electronic form and format. Further, you may request in writing that we transmit such a copy to any person or entity you designate. Your written, signed request must clearly identify such designated person or entity and where you would like us to send the copy.

Request an amendment of PHI. If you feel that PHI we maintain about you is incomplete or incorrect, you may request that we amend it. You may request an amendment for as long as we maintain the PHI (or someone maintains the PHI for us), and you must include a reason that supports your request. We will respond to your request within 60 days with up to a 30-day extension, if needed. In certain cases, we may deny your request for amendment. If we deny your request for amendment, you have the right to file a statement of disagreement with the decision and we may give a written rebuttal to your statement.

Receive an accounting of disclosures of PHI. You have the right to receive an accounting of the disclosures we have made of PHI about you for most purposes other than treatment, payment, or health care operations. The accounting will exclude certain disclosures, such as disclosures made directly to you, disclosures you authorize, disclosures to friends or family members involved in your care, and disclosures for notification purposes. The right to receive an accounting is subject to certain other exemptions, restrictions, and limitations. Your request must specify the time period, but it may not be longer than six years. We are required to provide you the accounting within 60 days plus one 30-day extension, if needed. The first accounting you request within a 12-month period will be provided free of charge, but you may be charged a reasonable fee for the cost of providing additional accountings. We will notify you of the cost involved and you may choose to withdraw or modify your request at that time before any costs have been incurred.

Request communications of PHI by alternative means or at alternative locations. You have the right to request that we communicate your health information to you in a certain manner or at a certain location. For instance, you may request that we contact you about medical matters only in writing, or at a different residence or post office box. Your request must state how or where you would like to be contacted. We will attempt to accommodate all reasonable requests and will not ask you to explain the basis for your request.

To exercise any of your rights under this Notice, you may either send a request via Alto’s secure messaging within the Alto App, email us at privacy@alto.com, or call 1 (800) 874-5881 and leave a message for our Privacy Officer. Please be specific in your request, as described above. To protect your privacy, Alto will take reasonable steps to verify your identity before reviewing and fulfilling such requests.

Uses and Disclosures for Treatment, Payment, or Health Care Operations

The law permits or requires us to use or disclose your PHI for various reasons, which we explain in this Notice. We have included some examples, but we have not listed every permissible use or disclosure.

Treatment. We will use your PHI for treatment purposes, such as dispensing prescription medications, communicating with covered entities or business associates about your care, and reviewing and counseling you about your health and/or the appropriate usage of your medications. We will document in your record information related to the medications dispensed to you and services provided to you.

Payment. We will contact your health care payor, insurer or pharmacy benefit manager (or their designated agents or business associates) for payment purposes, such as determining payment for your prescription and the amount of your co-payments. We will bill you or a third-party payer for the cost of prescription medications dispensed to you. The information on or accompanying the bill may include information that identifies you, as well as the prescriptions you are taking. We may also disclose your PHI to other HIPAA covered entities or business associates who may need it for processing of your health care payment activities.

Health care operations. We may use information in your health record for Alto’s operations, such as monitoring the performance of the care team providing treatment and care to you, monitoring and analyzing our operations and effectiveness, or communicating with you about opportunities to improve our service to you. This information will be used in an effort to continually improve the quality and effectiveness of the health care and services we provide. We may also use your PHI to create de-identified data, which removes identifiable data elements in a way that no longer identifies you.

Other Uses and Disclosures

We may share your information in other ways, usually for public health or research purposes or to contribute to the public good. For more information on permitted uses and disclosures, see www.hhs.gov/ocr/privacy/hipaa/understanding/consumers/index.html. For example, these other uses and disclosures may involve the following:

Business associates: There are some services provided by us through contracts with HIPAA business associates. When these services are contracted for, we may disclose PHI about you to our business associates so that they can perform the job we have asked them to do, and may bill you or your third-party payor for services rendered. To protect PHI about you, we require the business associate to appropriately safeguard the PHI.

Communication with individuals involved in your care or payment for your care: If you do not object to the disclosure, health professionals such as pharmacists, using their professional judgment, may disclose to a family member, other relative, close personal friend or any person you identify, PHI relevant to that person's involvement in your care or payment related to your care. We may also make these disclosures after your death unless doing so is inconsistent with any prior expressed preference. We may disclose PHI to your designated personal representative to make health care decisions for you, as we would treat him or her the same way we would treat you with respect to your PHI.

Health-related communications: We may contact you to provide refill reminders or information about treatment alternatives or other health-related benefits and services that may be of interest to you, as permitted by law.

Food and Drug Administration (FDA): We may disclose to the FDA, or persons under the jurisdiction of the FDA, PHI relative to adverse events with respect to drugs, foods, supplements, products and product defects, or post marketing surveillance information to enable product recalls, repairs, or replacement.

Worker's compensation: We may disclose PHI about you as authorized by and as necessary to comply with laws relating to worker’s compensation or other similar programs established by law.

Public health: As required by law, we may disclose PHI about you to public health or legal authorities charged with preventing or controlling disease, injury, or disability.

Law enforcement: We may disclose PHI about you for law enforcement purposes, as required by law or in response to a valid subpoena or other legal process.

As required by law: We must disclose PHI about you when required to do so by law.

Health oversight activities: We may disclose PHI about you to an oversight agency for activities authorized by law. These oversight activities include pharmacy and other audits, investigations, credentialing and inspections, as necessary for our licensure and for the government to monitor the health care system, government programs, and compliance with civil rights laws.

Judicial and administrative proceedings: If you are involved in a lawsuit or a dispute, we may disclose PHI about you in response to a court or administrative order. We may also disclose PHI about you in response to a subpoena, discovery request, or other lawful process by someone else involved in the dispute, if certain conditions are met.

Research: Under certain circumstances, we may disclose PHI about you to researchers when their research has been approved by an institutional review board that has reviewed the research proposal and established protocols to ensure the privacy of your information.

Coroners, medical examiners, and funeral directors: We may release PHI about you to a coroner or medical examiner. This may be necessary, for example, to identify a deceased person or determine the cause of death. We may also disclose PHI to funeral directors consistent with applicable law to carry out their duties.

Organ or tissue procurement organizations: Consistent with applicable law, we may disclose PHI about you to organ procurement organizations or other entities engaged in the procurement, banking, or transplantation of organs for the purpose of tissue donation and transplant.

Notification: We may use or disclose PHI about you to notify or assist in notifying a family member, personal representative, or another person responsible for your care, your location, and general condition. We may also use or disclose your health information to disaster-relief organizations so that your family or other persons responsible for your care can be notified about your condition, status, and location.

Correctional institution: If you are or become an inmate of a correctional institution, we may disclose PHI to the institution or its agents when necessary for your health or the health and safety of others.

To avert a serious threat to health or safety: When necessary to prevent a serious threat to your health and safety or the health and safety of the public or another person, we may use and disclose your health information in a very limited manner to someone able to help lessen the threat.

Military and veterans: If you are a member of the armed forces, we may release PHI about you as required by military command authorities. We may also release PHI about foreign military personnel to the appropriate military authority.

National security and intelligence activities: We may release PHI about you to authorized federal officials for intelligence, counterintelligence, and other national security activities authorized by law.

Protective services for the President and others: We may disclose PHI about you to authorized federal officials so they may provide protection to the President, other authorized persons or foreign heads of state or conduct special investigations.

Victims of abuse, neglect, or domestic violence: We may disclose PHI about you to a government authority, such as a social service or protective services agency, if we reasonably believe you are a victim of abuse, neglect, or domestic violence. We will only disclose this type of information to the extent required by law, if you agree to the disclosure, or if the disclosure is allowed by law and we believe it is necessary to prevent serious harm to you or someone else or the law enforcement or public official that is to receive the report represents that it is necessary and will not be used against you.

Uses and Disclosures that Require Authorization

Alto will obtain your written authorization before using or disclosing PHI about you for marketing purposes, to sell your PHI, or for purposes other than those provided above or as otherwise permitted or required by law. With your authorization, we may share PHI with manufacturers and their agents in order to request and obtain coupons or voucher discounts on your behalf. If you change your mind after authorizing a use or disclosure of your health information, you may withdraw your permission by revoking such authorization in writing at any time by sending a written request to Alto Pharmacy, LLC, 645 Harrison Street, Suite 200, San Francisco, California 94107, Attn: Privacy Officer. Upon receipt of the written revocation, we will stop using or disclosing PHI in the manner you had previously authorized. However, your decision to revoke the authorization will not affect or undo any use or disclosure of your health information that occurred before you notified us of your decision, or any actions that we have taken based upon your authorization.

Other Restrictions on Uses and Disclosures

Your state and other federal laws may have additional requirements that we must follow or that may be more restrictive than HIPAA on how we use and disclose your health information. If there are more restrictive requirements, even for some of the purposes listed above, we may not disclose your health information without your written permission as required by such laws. For example, we will not disclose your HIV test results without obtaining your written permission, except as permitted by state law. We may also be required by law to obtain your written permission to use and disclose your information related to treatment for a mental illness, developmental disability, or alcohol or drug abuse.

Contact Information for Questions or Complaints

If you have questions or would like additional information about Alto’s privacy practices, you may either send a request via Alto’s secure messaging within the Alto App, email us at privacy@alto.com, or call 1 (800) 874-5881 and leave a message for our Privacy Officer. You may also send your request to Alto Pharmacy, LLC, 645 Harrison Street, Suite 200, San Francisco, California 94107, Attn: Privacy Officer.

If you believe your privacy rights have been violated, please let us know as soon as possible via Alto’s secure messaging within the Alto App, by emailing us at privacy@alto.com or by calling 1 (800) 874-5881 and leaving a message for the Privacy Officer, so that we can try to remedy the situation as quickly as possible. You also have the right to report a complaint to the Secretary of Health and Human Services. You can do so by sending it to 200 Independence Avenue, S.W. Washington, D.C. 20201, calling 1-877-696-6775, or visiting www.hhs.gov/ocr/privacy/hipaa/complaints/. Rest assured, there will be no retaliation or penalization for filing a complaint regarding our privacy practices.