THIS NOTICE OF PRIVACY PRACTICES (THE “NOTICE”) DESCRIBES HOW CLOVI INC. (“CLOVI,” “WE,” OR “US”) MAY USE AND DISCLOSE PROTECTED HEALTH INFORMATION (“PHI”) ABOUT YOU WHEN WE CREATE, RECEIVE, MAINTAIN, OR TRANSMIT PHI IN CONNECTION WITH OUR SOFTWARE, PLATFORM, AND RELATED SERVICES FOR EMPLOYERS, WELLNESS VENDORS, SCREENING COMPANIES, HEALTH PLANS, HEALTH CARE PROVIDERS, AND OTHER CUSTOMERS. CLOVI IS NOT YOUR PERSONAL DOCTOR; CLINICAL SERVICES YOU RECEIVE ARE PROVIDED BY YOUR OWN PROVIDERS OR PROGRAM VENDORS. PLEASE REVIEW THIS NOTICE CAREFULLY.
1. Who Must Follow This Notice.
Clovi Inc. and members of our workforce (including contractors and volunteers acting under our direction) follow this Notice when they handle PHI subject to HIPAA in connection with the Services. We may also use subcontractors who are required by contract to safeguard PHI. Your doctor, clinic, employer wellness vendor, or other covered entity may have separate notices governing information they hold outside the Services.
When we act as a business associate for a covered entity, we use and disclose PHI as permitted by HIPAA, our business associate agreement with that entity, and this Notice (except where the agreement or law requires a different description). When we are not acting as a business associate, other privacy laws and our Privacy Policy may apply instead of, or in addition to, this Notice.
If you have questions about this Notice, contact the Privacy Officer at [email protected] or use the mailing address at the end of this Notice.
2. Our Commitment to Your Privacy.
We understand that medical information about you and your health is private and personal. We are dedicated to maintaining the privacy and integrity of protected health information (“PHI”). PHI is information about you that may be used to identify you (such as your name, social security number, or address), and that relates to (a) your past, present, or future physical or mental health or condition, (b) the provision of health care to you, or (c) your past, present, or future payment for the provision of health care. When you participate in programs that use our Services, we may receive, create, or maintain PHI as permitted by HIPAA, our business associate agreements, and other contracts with covered entities or customers.
When HIPAA applies, we are required to maintain the privacy of PHI and to provide you with notice of our legal duties and privacy practices with respect to that information.
When we use or disclose your PHI, we are required to abide by the terms of this Notice (or another notice in effect at the time of the use or disclosure, if we substitute one as permitted by law).
This Notice describes our HIPAA-related practices for PHI held by Clovi Inc. in connection with the Services. Your employer, screening vendor, physician, or other provider may use different notices for information they maintain outside our platform. We will explain this Notice to you or your family member upon request.
3. How We May Use and Disclose Medical Information About You.
This section of the Notice tells how we may use medical information about you. We will protect medical information to the fullest extent required by the law. Sometimes state law gives more protection to medical information than federal law. Sometimes federal law gives more protection than state law. In each case, we will apply the laws that protect medical information the most.
We are required to maintain the confidentiality of the PHI of individuals whose information we maintain, and we have policies and procedures and other safeguards to help protect your PHI from improper use and disclosure. The following categories describe different ways that we use your PHI within Clovi and disclose your PHI to persons and entities outside of Clovi. We have not listed every use or disclosure within the categories below, but all permitted uses and disclosures will fall within one of the following categories. In addition, there are some uses and disclosures that will require your specific authorization.
How much PHI is used or disclosed without your written permission will vary depending, for example, on the intended purpose of the use or disclosure. Sometimes we may only need to use or disclose a limited amount of PHI, such as to send you an appointment reminder or to confirm your health insurance coverage. At other times, we may need to use or disclose more PHI such as when a doctor is providing medical treatment.
Disclosure at your request. We may disclose information when requested by you. This disclosure at your request may require written authorization by you.
Health care operations. We may use and disclose your PHI for our health care operations, which include internal administration and planning and various activities that improve the quality and cost effectiveness of the care that we deliver to you. Examples are using information about you to improve quality of care, for disease management programs, patient satisfaction surveys, compiling medical information, de-identifying medical information and benchmarking.
Business associates. There are some services provided in our organization through contracts with business associates and covered entities. Examples of business associates include accreditation agencies, management consultants, quality assurance reviewers, and billing and collection services. We may disclose your PHI to our business associates so that they can perform the job we have asked them to do. To protect your PHI, we require our business associates to sign a contract or written agreement stating that they will appropriately safeguard your PHI. Examples of covered entities include hospitals, clinics and insurance companies.
Appointment reminders. We may use and disclose your PHI to contact you as a reminder that you have an appointment for a consultation or other service.
Threat to your or the public’s health or safety. We may use and disclose your PHI when necessary to prevent a serious threat to your health and safety or the health and safety of the public or another person. Any disclosure, however, would only be to someone able to help prevent the threat.
4. Special Situations That Do Not Require Your Authorization.
The following categories describe unique circumstances in which Clovi may use or disclose your PHI without your authorization.
• Public health activities. We may disclose your PHI for the following public health activities to: (1) prevent or control disease, injury or disability; (2) report births and deaths; (3) report regarding the abuse or neglect of children, elders and dependent adults; (4) report reactions to medications or problems with products; (5) notify people of recalls of products they may be using; (6) notify a person who may have been exposed to a disease or may be at risk for contracting or spreading a disease or condition; and (7) notify emergency response employees regarding possible exposure to HIV/AIDS, to the extent necessary to comply with state and federal laws.
• Victims of abuse, neglect or domestic violence. If we reasonably believe you are a victim of abuse, neglect, or domestic violence, we may disclose your PHI to a governmental authority, including a social service or protective services agency, authorized by law to receive reports of such abuse, neglect, or domestic violence.
• Health oversight activities. We may disclose your PHI to a health oversight agency for activities authorized by law. These oversight activities include, for example, audits, investigations, inspections, and licensure. These activities are necessary for the government to monitor the health care system, government programs, and compliance with civil rights laws.
• Lawsuits and other legal disputes. We may use and disclose PHI in responding to a court or administrative order, a subpoena, or a discovery request. We may also use and disclose your PHI to the extent permitted by law without your authorization, for example, to defend a lawsuit or arbitration.
• Law enforcement officials. We may disclose your PHI to the police or other law enforcement officials as required or permitted by law: (1) in response to a court order, subpoena, warrant, summons or similar process; (2) to identify or locate a suspect, fugitive, material witness, or missing person; (3) about the victim of a crime if, under certain limited circumstances, we are unable to obtain the person’s agreement; (4) about a death we believe may be the result of criminal conduct; (5) about criminal conduct at Clovi; and (6) in emergency circumstances to report a crime; the location of the crime or victims; or the identity, description or location of the person who committed the crime.
• Decedents. We may disclose your PHI to a coroner or medical examiner as authorized by law.
• Organ and tissue donation. We may disclose your PHI to organizations that facilitate organ, eye or tissue procurement, banking or transplantation.
• Research that does not involve your treatment. When a research study does not involve any treatment, we may disclose your PHI to researchers. To do this, we will either ask your permission to use your PHI or we will use a special process that protects the privacy of your PHI. In addition, we may use information that cannot be identified as your PHI, but that includes certain limited information (such as your date of birth and dates of service). We will use this information for research, quality assurance activities, and other similar purposes and we will obtain special protections for the information disclosed.
• Specialized government functions. We may use and disclose your PHI to units of the government with special functions, such as the U.S. military or the U.S. Department of State, under certain circumstances. We may use and disclose your PHI to authorized federal officials for intelligence, counterintelligence, and other national security activities authorized by law. We may use and disclose your PHI to authorized federal officials so they may provide protection to the President, other authorized persons or foreign heads of state, or conduct special investigations.
• Inmates. If you are an inmate of a correctional institution or under custody of a law enforcement official, we may disclose PHI about you to the correctional institution or the law enforcement official. This is necessary for the correctional institution to provide you with health care, to protect your health and safety and the health and safety of others, and to protect the safety and security of the correctional institution.
• Workers’ compensation. We may disclose your PHI as authorized by and to the extent necessary to comply with state laws relating to workers’ compensation or other similar programs.
• As required by law. We may use and disclose your PHI when required to do so by any other law not already referred to in the preceding categories. For example, the Secretary of the Department of Health and Human Services may review our compliance efforts, which may include seeing your PHI.
5. Situations Requiring Your Written Authorization.
• Unique Situations. If there are reasons we need to use your PHI that have not been described in the sections above, we will obtain your written permission. This permission is described as a written “authorization.” If you authorize us to use or disclose PHI about you, you may revoke that authorization in writing at any time. If you revoke your authorization, we will no longer use or disclose PHI about you for the reasons stated in your written authorization, except to the extent we have already acted in reliance on your authorization. You understand that we are unable to take back any disclosures we have already made with your permission, and we are required to retain our records of the care we provide to you. Some typical disclosures that require your authorization are:
• Special categories of treatment information. In most cases, federal or state law requires your written authorization or the written authorization of your representative for disclosures of drug and alcohol abuse treatment, Human Immunodeficiency Virus (HIV) and Acquired Immune Deficiency Syndrome (AIDS) test results, and mental health treatment.
• Research involving your treatment. When a research study involves your treatment, we may disclose your PHI to researchers only after you have signed a specific written authorization. In addition, an Institutional Review Board (IRB) will already have reviewed the research proposal, established appropriate procedures to ensure the privacy of your PHI and approved the research. You do not have to sign the authorization, but if you refuse you cannot be part of the research study and may be denied research-related treatment.
• Marketing. We must also obtain your written authorization (“Your Marketing Authorization”) prior to using your PHI to send you any marketing materials. We can, however, provide you with marketing materials in a face-to-face encounter without obtaining Your Marketing Authorization. We are also permitted to give you a promotional gift of nominal value, if we so choose, without obtaining Your Marketing Authorization. In addition, we may communicate with you about products or services relating to your treatment, case management or care coordination, or alternative treatments, therapies, providers or care settings without Your Marketing Authorization. If we receive any direct or indirect payment for making such a communication, however, we would need your prior written permission to contact you. The only exceptions for seeking such permission are when our communication (i) describes only a drug or medication that is currently being prescribed for you and our payment for the communication is reasonable in amount; or (ii) is made by one of our business partners consistent with our written agreement with the business partner.
6. Your Rights Regarding Medical Information About You.
You have the following rights regarding health information we maintain about you. You may contact [email protected] for additional information and instructions for exercising the following rights.
• Right to request additional restrictions. You may request restrictions on our use and disclosure of your PHI (1) for treatment, payment and health care operations, (2) to individuals (such as a family member, other relative, close personal friend or any other person identified by you) involved with your care or with payment related to your care, or (3) to notify or assist in the notification of such individuals regarding your location and general condition. While we will consider all requests for additional restrictions carefully, we are not required to agree to a requested restriction, unless the request is regarding a disclosure to a health plan for a payment or health care operation purpose and the medical information relates solely to a health care item or service for which we have been paid out-of-pocket in full. This request must be in writing. We will send you a written response. If we agree with the request, we will comply with your request except to the extent that disclosure has already occurred or if you are in need of emergency treatment and the information is needed to provide the emergency treatment.
• Right to receive confidential communications. You may request to receive your PHI by alternative means of communication or at alternative locations. For example, you can request that we only contact you at work or by mail. To request confidential communications, you must make your request in writing. We will not ask you for the reason for your request. We will accommodate all reasonable requests. Your request must specify how or where you wish to be contacted.
• Inspection and copies. You may request access to your medical record file and billing records maintained by us. You may inspect and request copies of the records. Under limited circumstances, we may deny you access to a portion of your records. If you are denied access to PHI, you may request that the denial be reviewed. Another licensed health care professional chosen by us will review your request and the denial. The person conducting the review will not be the person who denied your request. We will comply with the outcome of the review.
If you desire access to your records, you must submit your request in writing. If your medical information is maintained in an electronic health record, you may obtain an electronic copy of your medical information and, if you choose, instruct us to transmit such copy directly to an entity or person you designate in a clear, conspicuous, and specific manner.
If you request paper copies, we will charge you for the costs of copying, mailing, labor and supplies associated with your request. Our fee for providing you an electronic copy of your medical information will not exceed our labor costs in responding to your request for the electronic copy (or summary or explanation).
You should take note that, if you are a parent or legal guardian of a minor, certain portions of the minor’s PHI will not be accessible to you (e.g., records pertaining to health care services for which the minor can lawfully give consent and therefore for which the minor has the right to inspect or obtain copies of the record; or the health care provider determines, in good faith, that access to the client records requested by the representative would have a detrimental effect on the provider’s professional relationship with the minor client or on the minor’s physical safety or psychological well-being).
• Right to amend your records. You have the right to request that we amend PHI maintained in your medical record file or billing records. If you desire to amend your records, your request must be in writing. We will comply with your request unless we believe that the information that would be amended is accurate and complete or other special circumstances apply. If we deny your request, you will be permitted to submit a statement of disagreement for inclusion in your records.
• Right to addendum. You have the right to add a 250-word document (“addendum”) to your PHI.
• Right to receive an accounting of disclosures. Upon written request, you may obtain an accounting of certain disclosures of your PHI made by us during any period of time six years prior to the date of your request, except that for requests made on or after January 1, 2011 that relate to treatment, payment or health care operation disclosures from our electronic health record system, the accounting period is three years. Your written request should indicate in what form you want the list (for example, on paper or electronically). If you request an accounting more than once during a twelve (12) month period, we will charge you for the costs involved in fulfilling your additional request. We will inform you of such costs in advance, so that you may modify or withdraw your request to save costs. In addition, we will notify you as required by law if there has been a breach of the security of your PHI.
• Paper copy. Upon request, you may obtain a paper copy of this Notice. Even if you have agreed to receive such notice electronically, you are still entitled to a paper copy of this Notice. To obtain a paper copy of this Notice, contact us using the contact information at the end of this Notice.
7. Minimum Necessary.
To the extent required by law, when using or disclosing your PHI or when requesting your PHI from another covered entity, we will make reasonable efforts not to use, disclose, or request more than a limited data set (as defined below) of your PHI or, if needed by us, no more than the minimum amount of PHI necessary to accomplish the intended purpose of the use, disclosure, or request, taking into consideration practical and technological limitations. For purposes of this Notice, a “limited data set” means medical information that excludes the following items:
• Names
• Postal address information, other than town or city, State, and zip code
• Telephone numbers
• Fax numbers
• Electronic mail addresses
• Social security numbers
• Medical record numbers
• Health plan beneficiary numbers
• Account numbers
• Certificate/license numbers
• Vehicle identifiers and serial numbers, including license plate numbers
• Device identifiers and serial numbers
• Web Universal Resource Locators (URLs)
• Internet Protocol (IP) address numbers
• Biometric identifiers, including finger and voice prints
• Full face photographic images and any comparable images
8. Changes to this Notice.
We may change our practices from time to time. Changes will apply to current PHI, as well as new PHI after the change occurs. If we make an important change, we will change our Notice, and email you a copy of the changes. If our Notice has changed, we will offer you a copy of the current Notice when you next use the Services or access our website, or we will post the updated Notice online as required by law.
9. Concerns or Complaints.
If you desire further information about your privacy rights, are concerned that we have violated your privacy rights, or disagree with a decision that we made about access to your PHI, you may contact our Privacy Officer (listed below). In addition, you may send a written complaint to the U.S. Department of Health and Human Services, Office for Civil Rights. Our Privacy Officer can provide you the current address. We will not take any action against you for filing a complaint.
10. How to Contact Us.
Privacy Officer: [email protected]. General support: [email protected]. Mailing address for written requests: Clovi Inc., Attn: Privacy Officer, San Francisco, CA, United States.