⚕ HIPAA Notice of Privacy Practices — 45 CFR §164.520 Compliant DOC-HIPAA-NPP-001 · v1.0 · Effective 2026-04-19
MyRxWallet North America Corporation
Sovereign Health Infrastructure · Wyoming Corporation
HIPAA Notice of Privacy Practices
This notice describes how medical information about you may be used and disclosed, and how you can get access to this information. Please review it carefully.
Document ID: DOC-HIPAA-NPP-001
Version: 1.0
Effective Date: April 19, 2026
Authority: 45 CFR §164.520
Regulation: HIPAA Privacy Rule
⚕ Federally Required Notice — HIPAA 45 CFR Part 164
Your Rights Under HIPAA

You have the right to receive this Notice. We are required by law to maintain the privacy of your protected health information (PHI), provide this Notice of our legal duties and privacy practices, and follow the terms currently in effect. If you have questions, contact our Privacy Officer at info@myrxwallet.io.

Section 01
Who We Are

Our Role as a Covered Entity

MyRxWallet North America Corporation ("MyRxWallet," "we," "our") is a Wyoming corporation operating a Health Information Technology platform that qualifies as a covered entity under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act. We operate an ONC (g)(10) standardized API-tested Electronic Health Record (EHR) platform accessible at https://myrxwallet.io and its subdomains.

As a covered entity, we are legally required to protect the privacy of your Protected Health Information (PHI) and to provide you with this Notice explaining our privacy practices.

Contact Information

Contact | Details
Privacy Officer | Olivia Trinh, Chairman & CEO
Email | info@myrxwallet.io
Phone | 702.546.8686
Address | MyRxWallet North America Corporation, Wyoming, USA
Portal | https://patients.myrxwallet.io

Section 02
Protected Health Information We Collect

We collect and maintain the following categories of PHI in the course of providing our health information technology services:

  • Demographic Information: Name, date of birth, address, phone number, email, gender identity, race/ethnicity (as required by UDS+ reporting).
  • Clinical Information: Diagnoses (ICD-10 codes), medications (RxNorm), allergies, immunizations, procedures (CPT), lab results (LOINC), vital signs, and clinical notes.
  • Insurance & Payment Information: Health plan information, insurance policy numbers, claims data, and eligibility verification records.
  • Identity Credentials: MyRx-ID (blockchain-based patient identifier), National Patient Identifier (pending ONC implementation), and MRN assigned by treating providers.
  • Consent Records: Authorization history, consent grants and revocations, access logs — all anchored to our Hyperledger Fabric blockchain with SHA-256 audit trails.
  • Device & Telemetry Data: Data from connected medical devices (if linked), including glucose monitors, pulse oximeters, and other DME devices you authorize.
  • Communication Records: Secure messages between you and your care team transmitted through the MyRxWallet platform.

Blockchain Privacy Architecture

MyRxWallet stores zero plain-text PHI on-chain. Our Hyperledger Fabric blockchain stores only cryptographic hashes (SHA-256) of consent and access events. All PHI is encrypted at rest using AES-256-GCM with HKDF-SHA256 key derivation (NIST SP 800-56C) and stored in our secure Vault. You hold effective ownership through your consent controls.

Section 03
How We May Use Your PHI

The HIPAA Privacy Rule permits us to use and disclose your PHI for the following purposes without requiring your written authorization:

Treatment

We may use and disclose your PHI to facilitate your treatment. This includes sharing records with your primary care physician, specialists, pharmacists, laboratories, hospitals, and other members of your care team who need access to your health information to provide care. For example, we may transmit your medication list to a pharmacist processing a new prescription, or share your lab results with a referring specialist.

Payment

We may use and disclose your PHI to obtain payment for services. This includes submitting claims to your health insurance plan, verifying insurance eligibility, obtaining pre-authorization for services, and processing payments. We use the minimum necessary PHI required for billing purposes consistent with 45 CFR §164.502(b).

Healthcare Operations

We may use and disclose your PHI for our own healthcare operations, including quality assessment, competency evaluations, training programs, business planning, and legal compliance. We apply the minimum necessary standard to all operational uses.

Other Permitted Uses (Without Authorization)

  • Public Health Activities: Reporting to public health authorities (CDC, state health departments) as required by law, including communicable disease reporting and vital statistics.
  • Health Oversight: Disclosures to the HHS Office for Civil Rights, ONC, CMS, or other government agencies conducting lawful oversight audits or investigations.
  • Court Orders & Legal Proceedings: Pursuant to a valid court order, subpoena, or other lawful process.
  • Law Enforcement: Limited disclosures permitted under 45 CFR §164.512(f) in response to lawful law enforcement requests.
  • Serious Threats to Health or Safety: When necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public.
  • Research: With appropriate IRB or Privacy Board approval and data use agreements meeting HIPAA standards.
  • Workers' Compensation: As authorized by and to the extent necessary to comply with workers' compensation laws.

Section 04
Disclosures of Your PHI

Disclosures Without Your Written Authorization

Other than for Treatment, Payment, and Healthcare Operations, and for the uses and disclosures required or permitted by law described in Section 3 above, we will not disclose your PHI without your written authorization.

Disclosures Requiring Your Written Authorization

The following disclosures require your written authorization, which you may revoke at any time, except to the extent we have taken action in reliance on it:

  • Marketing: We will not use or disclose your PHI for marketing purposes without your explicit written authorization. We do not sell your health data to advertisers or marketing companies.
  • Sale of PHI: We do not sell your PHI. Any data monetization through our MyRx-Royalty program requires your explicit prior authorization and you retain 85% of any proceeds.
  • Psychotherapy Notes: Separately maintained psychotherapy notes require separate authorization even for treatment purposes.
  • Research (beyond IRB-approved): Use of PHI for research not covered by a valid IRB waiver requires your authorization.

Business Associates

We share PHI with Business Associates (third-party service providers) only under written Business Associate Agreements (BAAs) that require them to protect your PHI in accordance with HIPAA. Our Business Associates include cloud infrastructure providers, AI vendors (with PHI Zero-Touch architecture), and laboratory data exchange networks. A list of current Business Associates is available upon request.

Section 05
Your Rights Regarding Your PHI
Patient-Owned Architecture

MyRxWallet is built on the principle that you own your health data. All rights listed below are enforceable within our platform, and most can be exercised directly in your Patient Portal at patients.myrxwallet.io — no paperwork required.

Right to Inspect and Copy (45 CFR §164.524)

You have the right to inspect and receive a copy of your PHI that we maintain in our designated record set. You may request access directly through the Patient Portal (Medical Records section) or by submitting a written request to our Privacy Officer. We will provide access within 30 days (extendable once by 30 days with written notice). We may charge a reasonable cost-based fee for copies. We may deny access in limited circumstances, and you may request review of a denial.

Right to Request Amendment (45 CFR §164.526)

If you believe PHI we maintain about you is incorrect or incomplete, you may request an amendment. Submit your request in writing through the Patient Portal or to our Privacy Officer, stating the reason for the amendment. We will respond within 60 days. If we deny your request, you have the right to submit a statement of disagreement.

Right to an Accounting of Disclosures (45 CFR §164.528)

You have the right to receive an accounting of disclosures of your PHI made by us for purposes other than Treatment, Payment, and Healthcare Operations during the previous 6 years. All disclosures are logged on our Hyperledger Fabric blockchain audit trail, accessible directly in your Patient Portal under the Blockchain tab. You may request a formal accounting by written request to our Privacy Officer.

Right to Request Restrictions (45 CFR §164.522)

You have the right to request restrictions on how we use or disclose your PHI for Treatment, Payment, or Healthcare Operations. We are not required to agree to your request (except as noted below). If we agree, we will honor the restriction except in emergency situations. Exception: We must agree to restrict disclosure to a health plan for services you paid for out-of-pocket in full.

Right to Request Confidential Communications (45 CFR §164.522(b))

You have the right to request that we communicate with you about your health matters in a certain way or at a certain location (e.g., only by email, only at a specific address). We will accommodate reasonable requests. Submit requests through the Patient Portal Settings or in writing to our Privacy Officer.

Right to Data Portability (ONC 21st Century Cures Act)

Under the 21st Century Cures Act and ONC's Information Blocking Rules, you have the right to access your electronic health information in a standardized digital format (FHIR R4). Our platform provides your complete health record via our FHIR R4 API endpoint (https://ehr.myrxwallet.io/fhir/r4). You may authorize any SMART on FHIR-compatible application to access your data directly. We do not engage in information blocking as defined at 45 CFR Part 171.

Right to a Paper Copy of This Notice

You have the right to receive a paper copy of this Notice upon request, even if you have agreed to receive it electronically. Contact us at info@myrxwallet.io or 702.546.8686 to request a paper copy.

Section 06
Our Duties

MyRxWallet is required by law to:

  • Maintain the privacy of your PHI.
  • Provide you with this Notice of our legal duties and privacy practices.
  • Abide by the terms of the Notice currently in effect.
  • Notify you in the event of a breach of your unsecured PHI.
  • Implement and maintain reasonable and appropriate administrative, physical, and technical safeguards to protect your PHI.
  • Refrain from engaging in information blocking as defined under 45 CFR Part 171.

We reserve the right to change this Notice and make the new Notice effective for all PHI we currently maintain, as well as PHI we receive in the future. We will post the current Notice prominently at https://myrxwallet.io/legal/hipaa-notice.html and will notify you of material changes through the Patient Portal.

Section 07
Breach Notification

In the event of a breach of your unsecured PHI, MyRxWallet will notify you without unreasonable delay and no later than 60 days following discovery of the breach, as required by 45 CFR §§164.400–414 (HITECH Breach Notification Rule). Notification will include:

  • A description of the breach, including the date of the breach and the date of discovery.
  • The types of unsecured PHI involved.
  • Steps you should take to protect yourself from potential harm.
  • What we are doing to investigate, mitigate, and prevent future breaches.
  • Contact information for our Privacy Officer.

We will also notify HHS and, if the breach affects 500 or more individuals in a state, prominent media outlets in that state, as required by law.

Breach Risk Reduction

Our AES-256-GCM encrypted vault architecture and blockchain-based audit trail are designed to significantly reduce breach risk. All PHI is encrypted at rest and in transit (TLS 1.3). Zero plain-text PHI is stored on our blockchain — only cryptographic hashes.

Section 08
How to File a Complaint

If you believe your privacy rights have been violated, you may file a complaint with us or with the U.S. Department of Health and Human Services Office for Civil Rights (OCR). We will not retaliate against you for filing a complaint.

File a Complaint with MyRxWallet

Contact our Privacy Officer:

  • Email: info@myrxwallet.io
  • Phone: 702.546.8686
  • Portal: Feedback button in Patient Portal → Help section

File a Complaint with HHS OCR

  • Online: https://ocrportal.hhs.gov/ocr/smartscreen/main.jsf
  • Phone: 1-800-368-1019 (TDD: 1-800-537-7697)
  • Mail: Centralized Case Management Operations, 200 Independence Ave., S.W., Room 509F HHH Bldg., Washington, D.C. 20201

Section 09
Special Protections for Sensitive Information

Certain categories of health information receive enhanced legal protections beyond standard HIPAA requirements:

Category | Applicable Law | Protection Level
Substance Use Disorder (SUD) Records | 42 CFR Part 2 | Requires patient-specific written consent for most disclosures; stricter than HIPAA
Mental Health Records | State law + HIPAA | Enhanced protection in most states; psychotherapy notes require separate authorization
HIV/AIDS Status | State law | State-specific consent requirements apply
Genetic Information | GINA + HIPAA | Cannot be used for insurance underwriting; heightened disclosure restrictions
Reproductive Health | HIPAA (2024 Final Rule) | Additional protections for reproductive health information; restrictions on disclosure for criminal investigations
Minor's Records | State law varies | Some adolescent services (family planning, SUD treatment) may be maintained confidential from parents per state law