Effective Date: January 4, 2025
KP Innovations LLC “dba DrWell” and its subsidiaries (hereinafter “DrWell,” “we,” “our,” or “us”), a corporation with its principal place of business at 2100 Webster St, Suite 429, San Francisco, CA 94115, hereby establishes this Consumer Health Data Privacy Policy (“Policy”). This Policy governs all operations and services provided through www.drwell.com and any associated mobile applications, web services, or digital platforms (collectively, the “Platform”).
This Policy specifically addresses the collection, processing, storage, and transmission of consumer health data (“Consumer Health Data”) as defined by applicable state laws and regulations. Consumer Health Data encompasses any personal information that relates to an individual’s past, present, or future physical or mental health condition, including but not limited to treatment records, prescription information, diagnostic data, and health-related behavioral data.
This Policy operates in conjunction with, but is distinct from, the following DrWell policies and practices:
a) General Privacy Policy: This Policy supplements our general Privacy Policy. In instances of conflict between policies, this Consumer Health Data Privacy Policy shall take precedence regarding matters specifically pertaining to Consumer Health Data, to the extent permitted by applicable law.
b) HIPAA Compliance: This Policy expressly excludes protected health information (“PHI”) governed by the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and its implementing regulations. Such information is instead governed by our Notice of Privacy Practices, available separately on our Platform.
This Policy applies to all Consumer Health Data collected, processed, or maintained by DrWell, regardless of the jurisdiction in which such data originates, to the extent permitted by applicable law. Where state-specific requirements exist, this Policy shall be interpreted and applied in accordance with such requirements.
By accessing or using the Platform, users acknowledge and agree to the terms set forth in this Policy. This acknowledgment represents a binding agreement between the user and DrWell regarding the handling of Consumer Health Data.
For purposes of this Policy, the following terms shall have the meanings set forth below:
a) “Platform” refers to www.drwell.com, its subdomains, mobile applications, and any other digital services operated by DrWell.
b) “Consumer Health Data” encompasses any personal information that relates to an individual’s physical or mental health, healthcare services, or payment for such services, excluding information protected under HIPAA.
c) “Processing” includes any operation performed on Consumer Health Data, including collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available.
d) “Consent” means any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which they signify agreement to the processing of their Consumer Health Data.
This Policy is established pursuant to applicable federal and state laws governing the privacy and security of consumer health information, including but not limited to state-specific consumer privacy laws, healthcare privacy regulations, and consumer protection statutes.
DrWell employs comprehensive methodologies to collect Consumer Health Data through authorized channels. These collection practices adhere to all applicable state and federal regulations, with specific attention to data minimization principles and purpose limitation requirements. Our collection methods ensure the security and privacy of all Consumer Health Data while maintaining compliance with regulatory frameworks.
A. Direct Consumer Submission: DrWell collects Consumer Health Data through direct consumer input, including personal identification information such as legal name, previous names, and government-issued identification numbers. This encompasses date of birth, contact information including residential and billing addresses, and emergency contact details when provided by the consumer.
Health-related information collected includes current and historical medical conditions, treatment histories, medication records, and healthcare provider relationships. We maintain records of physical measurements, vital statistics, family medical history, and current health concerns as reported by the consumer.
Financial and insurance information necessary for service delivery includes payment methods, healthcare insurance details, and billing history. We collect only the minimum necessary financial responsibility documentation required for service provision.
Authentication and security information encompasses account credentials, security verification data, and access logs required to maintain the security and integrity of consumer accounts.
Our Platform utilizes automated systems to collect technical data that may constitute Consumer Health Data. This includes device and browser information such as Internet Protocol addresses, device characteristics, and network connection data. The Platform also records interaction data including access patterns and service utilization history to improve service delivery and maintain system security.
DrWell may obtain Consumer Health Data from authorized third-party sources when necessary for service provision. This includes healthcare providers and systems that may share electronic health records, laboratory results, and prescription histories with proper authorization. Insurance and payment processors may provide coverage verification and claims processing information within regulatory boundaries.
Through our service delivery, DrWell may generate additional Consumer Health Data through analytics and processing. This includes treatment effectiveness analysis, health trend identification, and risk assessment calculations performed to improve service quality. We may also aggregate and synthesize data to understand population health statistics and treatment outcomes, always maintaining individual privacy and confidentiality.
DrWell maintains stringent standards for ensuring the accuracy and reliability of collected Consumer Health Data. Our validation procedures include comprehensive data entry verification, information cross-referencing, and regular accuracy audits. We provide mechanisms for data updates through consumer self-service corrections, provider-initiated updates, and systematic data refreshes.
Certain categories of Consumer Health Data receive enhanced protection measures under our security protocols. This includes genetic information, reproductive health data, mental health records, substance use information, and sexual health information. These categories are subject to additional safeguards and handling requirements as prescribed by applicable laws and regulations.
DrWell processes Consumer Health Data exclusively for authorized purposes that are essential to service delivery and platform operations. All data processing activities adhere to applicable state and federal regulations while maintaining the highest standards of privacy and security.
DrWell utilizes Consumer Health Data to facilitate core platform functionality and service delivery. This encompasses user authentication, appointment scheduling, treatment coordination, and prescription management. Our systems process payment information and maintain accounting records in accordance with financial regulations and security standards.
Consumer Health Data informs our continuous service improvement initiatives through systematic analysis of treatment outcomes and service efficiency. This includes identifying opportunities for enhancement in care delivery, streamlining administrative processes, and optimizing the patient experience. All analysis maintains strict privacy controls and data protection measures.
Our platform employs Consumer Health Data in quality assurance protocols to maintain high standards of care and patient safety. This includes monitoring treatment outcomes, identifying potential adverse events, and ensuring compliance with clinical guidelines. These activities support our commitment to patient safety and care quality.
DrWell processes Consumer Health Data to facilitate essential communications between healthcare providers and patients. This encompasses appointment reminders, treatment instructions, prescription notifications, and other care-related communications. All communications adhere to privacy requirements and patient preferences.
When utilized for research and analytics purposes, Consumer Health Data undergoes de-identification procedures in accordance with applicable regulations. Research activities focus on improving healthcare delivery, understanding treatment outcomes, and advancing medical knowledge while maintaining individual privacy.
Consumer Health Data supports platform functionality improvements and technical operations, including:
A. System Performance Monitoring: The platform utilizes technical data to maintain optimal performance and identify areas requiring enhancement. This monitoring ensures reliable service delivery while protecting data security.
B. Security Operations: Consumer Health Data processing includes security measures to detect and prevent unauthorized access, maintain system integrity, and protect against potential threats to data privacy.
DrWell processes Consumer Health Data for marketing communications only with explicit consumer consent and in compliance with applicable regulations. This includes:
A. Service Updates: Communications regarding platform updates, new features, and service improvements that may benefit the consumer’s healthcare experience.
B. Educational Content: Distribution of relevant health education materials and resources tailored to consumer health interests and needs.
Consumer Health Data processing supports compliance with legal obligations and regulatory requirements, including:
A. Mandatory Reporting: Fulfillment of required reporting obligations to regulatory authorities while maintaining appropriate privacy protections.
B. Legal Proceedings: Processing necessary for the establishment, exercise, or defense of legal claims as required by applicable law.
DrWell maintains strict limitations on data processing activities to ensure alignment with stated purposes and regulatory requirements. This includes:
A. Purpose Limitation: Processing activities remain strictly within the scope of authorized purposes and legitimate business needs.
B. Data Minimization: Processing is limited to Consumer Health Data necessary for specified purposes, avoiding unnecessary data collection or processing.
DrWell acknowledges and upholds fundamental consumer privacy rights regarding Consumer Health Data. Every consumer maintains specific rights concerning their personal health information, which DrWell is committed to protecting and facilitating.
Consumers maintain the right to access their Consumer Health Data maintained by DrWell. This includes the right to:
Obtain confirmation regarding whether DrWell processes their Consumer Health Data. Consumers may request and receive a comprehensive copy of their Consumer Health Data in a readily usable format. DrWell provides access to records describing any sharing or disclosure of Consumer Health Data to third parties.
Consumers possess the right to request correction of inaccurate Consumer Health Data. DrWell maintains systematic procedures for processing correction requests, including verification protocols and documentation of changes. When corrections are made, DrWell ensures updates propagate to all relevant systems and authorized third parties who received the original information.
Consumers may request the deletion of their Consumer Health Data from DrWell’s systems. Upon verification of such requests, DrWell implements comprehensive deletion protocols across all relevant databases and systems. However, certain information may be retained as required by law or necessary for legitimate business purposes, which will be clearly communicated to the requesting consumer.
Consumers maintain the right to withdraw previously granted consent for the collection, processing, or sharing of their Consumer Health Data. Upon receipt of consent withdrawal, DrWell ceases all discretionary processing activities while maintaining necessary records as required by law.
To exercise any of these rights, consumers may contact DrWell through the following channels:
Email: [email protected]
Phone: 833-837-9355 (8DR-WELL)
Mail: 2100 Webster St, Suite 429, San Francisco, CA 94115
DrWell implements robust verification procedures to ensure the security of Consumer Health Data when processing rights requests. These procedures may include:
Identity verification through government-issued identification, verification of account credentials, or other secure authentication methods. Additional verification steps may be required for sensitive information or high-risk requests.
DrWell responds to consumer rights requests within the timeframes prescribed by applicable state laws. We acknowledge receipt of requests promptly and provide regular updates regarding request status when processing requires extended time.
Consumers maintain the right to appeal any DrWell decision regarding the exercise of their privacy rights. The appeal process includes:
A formal review by designated privacy personnel, documentation of appeal decisions and rationale, and clear communication of appeal outcomes to the consumer.
Certain limitations may apply to consumer rights based on legal requirements, security considerations, or technical constraints. DrWell clearly communicates any such limitations and provides alternative solutions when possible.
DrWell maintains a strict non-discrimination policy regarding the exercise of consumer privacy rights. No consumer shall face adverse treatment or service limitations for exercising their rights under this policy.
DrWell implements a comprehensive security framework designed to protect Consumer Health Data throughout its lifecycle. Our multi-layered security approach incorporates industry-standard practices, regulatory requirements, and advanced technological safeguards to maintain data confidentiality, integrity, and availability.
Our platform employs sophisticated technical controls to protect Consumer Health Data during collection, transmission, storage, and processing. We utilize enterprise-grade encryption for data in transit and at rest, implementing secure protocols for all data transfers. Access to Consumer Health Data occurs only through authenticated, secure connections that meet regulatory standards for healthcare information protection.
DrWell maintains rigorous administrative controls governing Consumer Health Data access and handling. Our personnel undergo regular privacy and security training specific to healthcare data protection. We enforce role-based access controls, ensuring employees access only the minimum necessary information required for their job functions. Regular security assessments and compliance audits validate the effectiveness of these controls.
Our infrastructure resides in secure facilities with stringent physical access controls. We maintain redundant systems and regular backup procedures to ensure data availability while preventing unauthorized access. Environmental controls protect against physical threats to data integrity, including power failures, natural disasters, and other potential disruptions.
DrWell maintains a comprehensive incident response plan for addressing potential security incidents involving Consumer Health Data. This includes prompt investigation of suspected breaches, appropriate notification procedures, and systematic response measures to contain and remediate any security events. We conduct regular testing and updates of these protocols to ensure effectiveness.
Our security framework extends to third-party relationships through systematic vendor management procedures. We conduct thorough security assessments of potential vendors, implement strict contractual security requirements, and maintain ongoing monitoring of third-party compliance with our security standards.
DrWell conducts continuous compliance monitoring to ensure adherence to security requirements across all systems handling Consumer Health Data. This includes regular security assessments, penetration testing, and vulnerability scanning. We maintain detailed logs of system activities and conduct periodic reviews to identify potential security concerns.
Our security framework includes specific provisions for secure data retention and disposal. We maintain Consumer Health Data only for the duration necessary for legitimate business purposes or as required by law. When data disposal is appropriate, we employ secure deletion methods that prevent unauthorized recovery of disposed information.
All personnel with access to Consumer Health Data receive comprehensive security training upon hiring and regular updates thereafter. Our training program covers privacy regulations, security procedures, and incident reporting requirements. We maintain documentation of all training activities and regularly assess employee security awareness.
DrWell maintains detailed business continuity and disaster recovery plans to ensure the availability of Consumer Health Data during adverse events. These plans undergo regular testing and updates to maintain effectiveness and address emerging threats.
DrWell maintains strict compliance with applicable federal and state regulations governing Consumer Health Data. Our compliance program incorporates requirements from healthcare privacy laws, consumer protection regulations, and industry-specific mandates. We regularly review and update our practices to reflect evolving regulatory requirements.
Our platform implements state-specific requirements for Consumer Health Data protection across all jurisdictions where we operate. We maintain current documentation of varying state requirements and ensure our systems enforce appropriate controls based on consumer location. This includes specific consent requirements, data handling procedures, and consumer rights provisions mandated by individual states.
DrWell maintains comprehensive documentation of all privacy and security practices affecting Consumer Health Data. This includes detailed records of consumer consent, data processing activities, and rights request fulfillment. Our documentation procedures support both operational consistency and regulatory compliance verification.
Our compliance program includes systematic monitoring of internal practices, regular staff training, and periodic compliance assessments. We maintain a dedicated compliance team responsible for overseeing adherence to regulatory requirements and implementing necessary program updates. This team coordinates with legal counsel to ensure alignment with current regulatory interpretations.
While maintaining separation from HIPAA-governed information, our platform implements appropriate controls to ensure compliance with applicable healthcare regulations. This includes proper handling of prescription information, maintenance of appropriate provider-patient relationships, and adherence to healthcare marketing restrictions.
DrWell adheres to consumer protection regulations governing online healthcare services. Our practices incorporate requirements for clear disclosure, informed consent, and fair business practices. We maintain transparent communication regarding service terms, pricing, and consumer rights.
Although primarily operating within the United States, DrWell maintains awareness of international privacy requirements that may affect our operations. We implement appropriate controls to address cross-border data transfer requirements when applicable.
Our compliance framework includes procedures for fulfilling regulatory reporting requirements. This encompasses regular compliance assessments, incident reporting, and responses to regulatory inquiries. We maintain systems for tracking and documenting all regulatory communications and submissions.
DrWell maintains processes for monitoring regulatory changes and implementing necessary updates to our compliance program. This includes regular review of regulatory guidance, participation in industry compliance forums, and consultation with legal experts regarding evolving requirements.
Our compliance framework includes provisions for supporting both internal and external audits of Consumer Health Data practices. We maintain organized documentation of compliance activities and implement systematic responses to audit findings.
DrWell maintains strict protocols governing the sharing of Consumer Health Data with third parties. Our framework ensures all data sharing activities comply with regulatory requirements while supporting necessary business operations and consumer care delivery. We share Consumer Health Data only when legally permitted and necessary for providing requested services.
The primary categories of third parties with whom DrWell may share Consumer Health Data include healthcare providers directly involved in consumer care, pharmacy partners for prescription fulfillment, and payment processors for transaction completion. Each recipient undergoes thorough security assessment and must maintain appropriate safeguards for handling Consumer Health Data.
When engaging service providers who may access Consumer Health Data, DrWell implements comprehensive contractual protections. These agreements establish clear limitations on data use, require appropriate security measures, and ensure compliance with applicable privacy regulations. We maintain active oversight of service provider practices through regular assessments and compliance monitoring.
DrWell may disclose Consumer Health Data when required by law, including responses to valid legal process, court orders, or regulatory requirements. Such disclosures occur only after verification of the request’s validity and limitation of disclosure to the minimum necessary information. We maintain detailed records of all legally required disclosures.
In the event of any business transaction affecting DrWell’s operations, such as a merger or acquisition, we implement appropriate protections for Consumer Health Data. This includes ensuring continued compliance with privacy obligations and providing notice to affected consumers as required by law.
Any sharing of Consumer Health Data for research or analytics purposes occurs only after appropriate de-identification or aggregation. We maintain strict controls over such sharing to prevent re-identification of individual consumers while supporting legitimate research activities that may benefit healthcare delivery.
DrWell maintains protocols for appropriate sharing of Consumer Health Data in emergency situations where immediate disclosure may be necessary to prevent serious harm. Such disclosures are limited to the minimum necessary information and occur only under circumstances permitted by applicable law.
We provide clear notice to consumers regarding our data sharing practices through this Policy and other appropriate communications. Consumers maintain rights to limit certain sharing activities as provided by applicable law, and we honor such requests while maintaining necessary records of sharing limitations.
While primarily operating within the United States, DrWell implements appropriate safeguards for any international transfer of Consumer Health Data that may occur. This includes ensuring compliance with cross-border data transfer requirements and maintaining appropriate protection mechanisms.
We maintain comprehensive records of all Consumer Health Data sharing activities, including the purpose of sharing, categories of data shared, and recipient identities. This documentation supports both operational oversight and compliance verification.
DrWell implements a comprehensive data retention framework governing the maintenance and deletion of Consumer Health Data throughout its lifecycle. This framework ensures compliance with legal requirements while supporting legitimate business needs and consumer care delivery.
Consumer Health Data is retained for the minimum duration necessary to fulfill the purposes for which it was collected and to comply with applicable regulations. Standard retention periods vary based on data type, regulatory requirements, and business necessity. Medical records and prescription histories maintain longer retention periods as required by healthcare regulations, while technical data may be retained for shorter periods based on operational needs.
Our storage architecture implements appropriate security controls for Consumer Health Data throughout the retention period. Information is maintained in encrypted, access-controlled systems with appropriate backup and recovery capabilities. We regularly assess storage system security and implement updates to address emerging threats.
When Consumer Health Data exceeds active retention requirements but must be maintained for legal or regulatory purposes, we transfer such information to secure archive systems. Archived data remains subject to all applicable security controls while being separated from active operational systems.
DrWell maintains systematic procedures for secure deletion of Consumer Health Data when retention is no longer necessary or required. Our deletion protocols ensure complete removal of information from all relevant systems, including backup and archive storage. We maintain documentation of deletion activities to support compliance verification.
When consumers exercise their right to deletion, we implement appropriate procedures while maintaining necessary records as required by law. Our systems track deletion requests and ensure proper handling across all relevant databases and systems.
When retiring or replacing systems that have contained Consumer Health Data, we implement appropriate procedures to ensure complete data removal or secure transfer to replacement systems. This includes verification of successful data migration and secure disposal of decommissioned hardware.
We maintain comprehensive documentation of retention periods, deletion procedures, and actual deletion activities. This documentation supports both operational consistency and compliance verification while providing clear audit trails of data lifecycle management.
Our retention framework includes regular monitoring of compliance with established retention periods and deletion requirements. We conduct periodic audits to verify proper implementation of retention procedures and address any identified issues.
Retention practices incorporate appropriate provisions for business continuity, ensuring availability of necessary Consumer Health Data during system failures or other adverse events while maintaining security controls.
DrWell reserves the right to modify this Consumer Health Data Privacy Policy as necessary to reflect changes in legal requirements, business operations, or service offerings. We implement a systematic approach to policy updates that ensures continued compliance while maintaining transparency with consumers.
When making material changes to this Policy, DrWell provides appropriate notice to affected consumers. Substantial modifications are communicated through prominent notices on our Platform and direct communications to consumers when required by law. Such notifications include summaries of significant changes and their potential impact on consumer privacy rights.
Material policy changes become effective after a reasonable review period, allowing consumers to understand the modifications and make informed decisions about their continued use of our services. During this review period, consumers may submit questions or concerns about policy changes through our designated communication channels.
Each policy revision maintains detailed documentation of modifications, including the nature of changes, implementation dates, and rationale for updates. We preserve historical versions of the Policy to support compliance verification and maintain clear records of our privacy practices over time.
Policy modifications incorporate evolving regulatory requirements across all jurisdictions where DrWell operates. Our legal and compliance teams regularly review regulatory changes and ensure policy updates reflect current compliance obligations.
When implementing policy changes, DrWell ensures systematic updates across all affected systems, procedures, and documentation. This includes training relevant personnel on modified requirements and updating technical controls as necessary to support new policy provisions.
Before implementing material changes, DrWell conducts assessments to evaluate potential impacts on consumer privacy and service delivery. These assessments inform implementation strategies and help identify necessary consumer communications or operational adjustments.
Policy updates include coordination with operational teams to ensure practical implementation of modified requirements. This encompasses updates to training materials, procedural documentation, and technical systems supporting Consumer Health Data protection.
Our policy amendment process incorporates feedback from various sources, including consumer communications, operational experience, and compliance monitoring. This enables continuous refinement of our privacy practices while maintaining strong consumer privacy protections.
DrWell maintains strict version control for all policy documents, ensuring clear tracking of modifications and implementation dates. This supports both operational consistency and compliance verification while providing clear documentation of our privacy practice evolution.
DrWell maintains dedicated channels for privacy-related communications. Consumers may contact our Privacy Office regarding this Policy, their privacy rights, or related concerns through:
Email:
[email protected]
Phone:
833-837-9355 (8DR-WELL)
Mail:
DrWell Privacy Office
2100 Webster St, Suite 429
San Francisco, CA 94115
Our Privacy Office implements systematic procedures for handling privacy-related inquiries. We acknowledge receipt of communications promptly and maintain appropriate documentation of all privacy-related correspondence. Each inquiry receives thorough review and response from qualified personnel familiar with privacy requirements and operational procedures.
When processing consumer rights requests, our Privacy Office coordinates with relevant operational teams to ensure comprehensive response. We maintain clear procedures for verifying requestor identity, documenting request details, and tracking request fulfillment through completion.
DrWell designates specific channels and procedures for regulatory communications regarding Consumer Health Data. Our compliance team maintains appropriate documentation of all regulatory correspondence and ensures timely response to regulatory inquiries.
We maintain dedicated procedures for reporting and responding to potential security incidents involving Consumer Health Data. These procedures include clear escalation protocols and appropriate notification mechanisms for affected consumers and regulatory authorities.
Our Privacy Office coordinates communications with business partners regarding Consumer Health Data protection requirements. This includes maintaining clear channels for addressing privacy concerns, coordinating compliance activities, and managing privacy-related contractual obligations.
All privacy-related communications receive appropriate documentation supporting both operational needs and compliance verification. We maintain secure systems for tracking communication history and ensuring appropriate follow-up on privacy matters.
DrWell commits to responding to privacy-related communications within reasonable timeframes, as specified by applicable regulations. We maintain systematic tracking of response timelines and implement appropriate procedures for managing complex inquiries requiring extended response time.
Our communication procedures include provisions for addressing language accessibility needs, ensuring effective communication with consumers regardless of preferred language. We maintain appropriate resources for providing privacy-related communications in commonly requested languages.
The Privacy Office implements quality assurance procedures for privacy-related communications, ensuring accuracy, completeness, and appropriate tone in all privacy-related correspondence. Regular reviews assess communication effectiveness and identify opportunities for improvement.