HIPAA Notice of Privacy Practices
This notice describes how medical information about you may be used and disclosed and how you can get access to this information. Please review it carefully.
Effective Date: March 24, 2026
Your Information. Your Rights. Our Responsibilities.
This notice applies to the privacy practices of ScriptsRx Direct (operated by Breakthrough Health LLC) and the healthcare providers and pharmacy partners who provide services through our platform. We are required by law to maintain the privacy of your Protected Health Information (PHI), provide you with this notice, and follow the terms of this notice currently in effect.
1. What Is Protected Health Information (PHI)?
Protected Health Information (PHI) is individually identifiable health information that is created, received, maintained, or transmitted in connection with the provision of healthcare services. This includes information about your past, present, or future physical or mental health condition, the provision of healthcare to you, or payment for healthcare services. PHI includes information in any form — electronic, paper, or oral.
2. How We May Use and Disclose Your PHI
2.1 For Treatment
We may use and disclose your PHI to provide, coordinate, or manage your healthcare and related services. This includes sharing your medical information with:
- Licensed healthcare providers who conduct your telehealth consultations and make prescribing decisions
- Licensed 503A compounding pharmacy partners that prepare and dispense your medications, including VitaScripts Pharmacy (Tampa, FL), VIOS Compounding (Livonia, MI), Empower Pharmacy (Houston, TX), Hallandale Pharmacy (Hallandale Beach, FL), and other licensed pharmacies as applicable
- Other healthcare providers involved in your care, as necessary
- CLIA-certified laboratory services for ordering and receiving test results
2.2 For Payment
We may use and disclose your PHI for payment activities, including processing your payments, verifying insurance eligibility (if applicable), and billing-related activities. Because we are a self-pay service, payment-related disclosures are generally limited to payment processing and fraud prevention.
2.3 For Healthcare Operations
We may use and disclose your PHI for our healthcare operations, including:
- Quality assessment and improvement activities
- Reviewing the competence and qualifications of healthcare providers
- Conducting or arranging for medical reviews, legal services, and auditing functions
- Business planning and development
- Customer service and complaint resolution
2.4 With Your Authorization
Other uses and disclosures of your PHI not described in this notice will be made only with your written authorization. You may revoke an authorization at any time, in writing, except to the extent that we have already taken action in reliance on the authorization.
2.5 Without Your Authorization (As Permitted or Required by Law)
We may use or disclose your PHI without your authorization in the following circumstances:
- As Required by Law: When required by federal, state, or local law
- Public Health Activities: To public health authorities for preventing or controlling disease, injury, or disability; reporting births, deaths, and disease; reporting child abuse or neglect; and reporting adverse reactions to medications or products
- Health Oversight Activities: To health oversight agencies for activities authorized by law, including audits, investigations, inspections, and licensure
- Judicial and Administrative Proceedings: In response to a court order, subpoena, discovery request, or other lawful process
- Law Enforcement: For law enforcement purposes as required or permitted by law
- Coroners, Medical Examiners, and Funeral Directors: To identify a deceased person, determine cause of death, or carry out duties as authorized by law
- Organ and Tissue Donation: To organizations involved in organ, eye, or tissue procurement, banking, or transplantation
- Research: For research purposes under specific conditions approved by an Institutional Review Board or Privacy Board
- Serious Threats to Health or Safety: To prevent or lessen a serious and imminent threat to your health or safety or the health or safety of the public
- Workers' Compensation: As authorized by and to the extent necessary to comply with workers' compensation laws
- Military and Veterans: For activities deemed necessary by appropriate military command authorities
- National Security: To authorized federal officials for intelligence, counterintelligence, and other national security activities
- Inmates: To correctional institutions or law enforcement officials having lawful custody of an inmate
3. Your Rights Regarding Your PHI
3.1 Right to Access
You have the right to inspect and obtain a copy of your PHI that is maintained in a designated record set. Your request must be in writing. We may charge a reasonable fee for the cost of copying, mailing, or other supplies associated with your request. We will respond to your request within 30 days (or 60 days with a written extension notice).
3.2 Right to Request Amendment
You have the right to request that we amend your PHI if you believe it is incorrect or incomplete. Your request must be in writing and must include the reason for the amendment. We may deny your request under certain circumstances, including if the information was not created by us, is not part of the designated record set, is not available for inspection, or is accurate and complete.
3.3 Right to an Accounting of Disclosures
You have the right to request a list (accounting) of certain disclosures of your PHI that we have made. This accounting does not include disclosures made for treatment, payment, or healthcare operations, or disclosures made with your authorization. Your request must be in writing and must specify the time period (not to exceed six years prior to the date of the request).
3.4 Right to Request Restrictions
You have the right to request restrictions on certain uses and disclosures of your PHI. We are not required to agree to your request, except that we must agree to restrict disclosures to a health plan for payment or healthcare operations purposes if you have paid for the service in full out of pocket.
3.5 Right to Request Confidential Communications
You have the right to request that we communicate with you about your PHI in a certain way or at a certain location. For example, you may request that we contact you only by email or at a specific phone number. We will accommodate reasonable requests.
3.6 Right to a Paper Copy of This Notice
You have the right to obtain a paper copy of this Notice of Privacy Practices at any time, even if you have previously agreed to receive it electronically. You may request a paper copy by contacting us using the information at the end of this notice.
3.7 Right to Be Notified of a Breach
You have the right to be notified in the event of a breach of your unsecured PHI. We will notify you of any breach as required by the HIPAA Breach Notification Rule.
4. Our Responsibilities
- We are required by law to maintain the privacy and security of your PHI
- We are required to provide you with this notice of our legal duties and privacy practices
- We are required to notify you if a breach of your unsecured PHI occurs
- We will not use or disclose your PHI for marketing purposes without your written authorization
- We will not sell your PHI without your written authorization
- We must follow the duties and privacy practices described in this notice
5. Business Associates
We may share your PHI with our Business Associates — companies that perform services on our behalf that involve access to PHI. All Business Associates are required to sign Business Associate Agreements (BAAs) that obligate them to protect your PHI in accordance with HIPAA requirements. Our Business Associates include:
- Healthcare technology platform providers: Gen-Health (electronic health record and practice management platform)
- Pharmacy partners: VitaScripts Pharmacy (Tampa, FL), VIOS Compounding (Livonia, MI), Empower Pharmacy (Houston, TX), Hallandale Pharmacy (Hallandale Beach, FL), and other licensed 503A compounding pharmacies
- Cloud hosting and data storage providers: HIPAA-compliant infrastructure and hosting services
- Payment processing services: PCI-compliant payment processors (Stripe)
- Communication and messaging platforms: Secure email and notification services
- Administrative support services: Care coordination and customer support partners
6. Minimum Necessary Standard
When using or disclosing PHI, or when requesting PHI from another covered entity, we make reasonable efforts to limit the information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request. This standard does not apply to disclosures for treatment purposes, disclosures to you about your own PHI, disclosures made with your authorization, or disclosures required by law.
7. Breach Notification
In the event of a breach of unsecured PHI, we will notify affected individuals as required by the HIPAA Breach Notification Rule (45 CFR Part 164, Subpart D). Notification will be provided without unreasonable delay and no later than 60 days after discovery of the breach. The notification will include a description of the breach, the types of information involved, steps individuals should take to protect themselves, what we are doing to investigate and mitigate the breach, and contact information for further inquiries.
If a breach affects 500 or more individuals, we will also notify the U.S. Department of Health and Human Services and prominent media outlets as required by law.
8. Telehealth Consent and Data Sharing
By using our telehealth services, you consent to the sharing of your PHI as described in our Telehealth Consent & Authorization. This includes sharing your information with the treating Provider, Provider group, administrative staff, healthcare technology platform (Gen-Health), pharmacy partners, and laboratory partners for the purposes of treatment, care coordination, and administrative support.
9. Changes to This Notice
We reserve the right to change this notice and make the new provisions effective for all PHI we maintain. If we make a material change to this notice, we will post the revised notice on our website and make it available upon request. The effective date of the current notice is listed at the top of this page.
10. Complaints
If you believe your privacy rights have been violated, you may file a complaint with us or with the U.S. Department of Health and Human Services (HHS) Office for Civil Rights. We will not retaliate against you for filing a complaint.
To file a complaint with HHS:
- Online: www.hhs.gov/hipaa/filing-a-complaint
- Phone: 1-877-696-6775
11. Contact Information
For questions about this HIPAA Notice or to exercise your rights, please contact our Privacy Officer:
Privacy Officer
ScriptsRx Direct (operated by Breakthrough Health LLC)
6051 Mid Rivers Mall Drive
Cottleville, MO 63304
Email: [email protected]
