Skip to main content
The waitlist is open. Claim your spot as a Founding 500 member.

HIPAA Notice of Privacy Practices

Effective: June 20, 2026

1About this Notice

Issued by MDI Medical Group PC, the affiliated medical practice (the "Provider") and a HIPAA Covered Entity. Sipra LLC ("Sipra") operates the technology platform and provides administrative support to the Provider. Per Section 12 of the Sipra-MDI Network Agreement, no Business Associate relationship exists between Sipra and MDI Medical Group PC; MDI Medical Group PC remains the sole Covered Entity for the protected health information described in this Notice. References to "we," "us," or "the Provider" in this Notice mean MDI Medical Group PC.

This Notice tells you how your medical information may be used and shared by MDI Medical Group PC (the "Provider") and how you can see and control that information. If anything is unclear, contact the Privacy Officer at [email protected].

1.1Who Issues This Notice

The Provider is the licensed medical practice that provides clinical services to you through the Sipra platform, and is a HIPAA "Covered Entity", a healthcare provider that creates and holds your medical records.

When this Notice says "we," "us," or "our," it refers to the Provider.

1.2Sipra's Role As A Business Associate

Sipra LLC ("Sipra") is the technology and operations platform supporting the Provider. Sipra runs the website, patient app, intake, scheduling, billing, customer support, and pharmacy coordination. Under HIPAA, Sipra is a Business Associate of the Provider, a company that handles Protected Health Information ("PHI") on behalf of a Covered Entity.

Sipra has signed a Business Associate Agreement ("BAA") with the Provider that limits how Sipra may use or disclose PHI and requires Sipra to protect your PHI at the same level the Provider must. The BAA was executed on To be executed prior to launch.

When you communicate with Sipra (by email to [email protected], through the patient portal, or with customer support), Sipra is acting on behalf of the Provider. Patient HIPAA inquiries, including requests to exercise your rights and complaints, are routed through [email protected] and the patient portal so Sipra can triage and forward them to the Privacy Officer.

1.3What Is Protected Health Information

PHI is any information that identifies you and relates to your past, present, or future health, healthcare, or payment for healthcare. PHI includes:

  • Your name, date of birth, address, email, and phone number when tied to a health record.
  • Your medical history, conditions, and diagnoses.
  • Your prescriptions, dosages, and refill records.
  • Lab and test results.
  • Notes from your physician or licensed-clinician visits.
  • Billing and payment information for your care.

1.4Other Sipra Documents You Should Know About

This Notice covers your PHI held by the Provider. Information that is not PHI, for example, what you do on the Sipra website before signup, marketing email preferences, or device data, is covered by Sipra's Privacy Policy at https://sipra.com/privacy. Washington, Nevada, and Connecticut residents also have rights under Sipra's Consumer Health Data Privacy Policy at https://sipra.com/health-data-privacy. Treatment specifics are in the Telehealth and Medication Consent at https://sipra.com/telehealth-consent. The platform contract is in the Sipra Terms of Service at https://sipra.com/terms.

2The Provider's duties to you

Federal law requires the Provider to:

  • Keep your PHI private and secure.
  • Give you this Notice describing the Provider's legal duties and privacy practices.
  • Follow the terms of the Notice in effect.
  • Tell you if there is a breach of unsecured PHI.
  • Honor the rights described in Section 8.

The Provider will not use or share your PHI for purposes outside this Notice unless you give written authorization. You can take that authorization back at any time, in writing. Section 7 explains how.

3How the Provider may use and share your health information

Federal law lets the Provider use and share your PHI without written authorization for Treatment, Payment, and Healthcare Operations ("TPO") and for the public-policy reasons in Sections 5 and 6. Common examples follow.

3.1Treatment

The Provider uses and shares your PHI to provide, coordinate, and manage your healthcare. Example: A licensed clinician reviews your intake answers, lab results, and medical history to decide whether GLP-1 medication is right for you, then sends your prescription to one of Healthcare Prosoft, LLC (operating the VSDH One Platform), Epiq Scripts LLC, Valiant Compounding Pharmacy, and Perfect RX. Treatment also includes ongoing care between visits, physician review of your recurring check-ins, dose titration decisions, and treatment-continuation decisions made under a physician-pre-authorized titration schedule.

The 503A compounding pharmacies that fill prescriptions for the Provider are independent healthcare providers and HIPAA Covered Entities in their own right. Each pharmacy gives you its own Notice of Privacy Practices when you receive a medication from it. The Provider shares only the PHI needed to fill your prescription and coordinate your care.

3.2Payment

The Provider uses and shares your PHI to bill for services and process payments. Example: Sipra, acting as Business Associate, shares limited PHI with the payment processor to charge your subscription and handle disputes.

3.3Healthcare Operations

The Provider uses and shares your PHI for activities that keep the practice running well. Example: The Provider reviews treatment outcomes in de-identified form to improve clinical protocols, trains clinicians, audits records, and runs quality and safety reviews.

3.4With Business Associates

The Provider shares PHI with companies that perform services for the Provider, for example, cloud hosting, customer support tools, and CRM. Sipra is the principal Business Associate that runs the patient-facing platform. Each Business Associate signs a contract requiring it to protect your PHI at the same level the Provider must.

3.5To You And The People You Choose

The Provider shares your PHI with you on request, and with friends, family, or others you have authorized, but only the information that relates to their involvement in your care or payment for it.

3.6Required By Law

The Provider shares your PHI when federal, state, or local law requires it. The disclosure stays limited to what the law requires.

3.7Health Oversight, Judicial, And Law Enforcement Disclosures

The Provider may share your PHI with health oversight agencies for audits, inspections, and investigations, and in response to a court or administrative tribunal order. In response to a subpoena or other lawful process, the Provider shares PHI only after making reasonable efforts to notify you or after a qualified protective order is in place.

The Provider may share your PHI with law enforcement in limited situations: as required by law, in response to a court order or warrant, to identify or locate a suspect or missing person, or to report a death the Provider believes was caused by criminal conduct.

3.8Coroners, Medical Examiners, Funeral Directors, And Organ Donation

The Provider may share your PHI with a coroner or medical examiner to identify a deceased person or determine cause of death, with funeral directors as needed, and, if you are an organ donor, with organ procurement organizations.

3.9Research

The Provider may use or share your PHI for research only after an Institutional Review Board or Privacy Board approves the study and the privacy protections. The Provider will ask for your written authorization in most cases. The Provider may use your PHI to prepare for research as long as the PHI does not leave the organization.

3.10To Prevent A Serious Threat

The Provider may use and share your PHI to prevent or lessen a serious and imminent threat to your health or safety, or to someone else's, sharing only with someone who can prevent or lessen the threat.

3.11Workers' Compensation, Military, And Government Programs

The Provider may share your PHI as required by workers' compensation laws. If you are in the armed forces, the Provider may share your PHI as required by military command. The Provider may share your PHI with authorized federal officials for national security and protective services.

3.12Inmates And People In Custody

If you are an inmate or in the custody of law enforcement, the Provider may share your PHI with the institution or official as needed for your care or for the safety of others.

3.13Abuse, Neglect, Or Domestic Violence

The Provider may share your PHI with a government authority if it reasonably believes you are a victim of abuse, neglect, or domestic violence. The Provider shares only what the law requires or permits, and will tell you it made the disclosure unless doing so would put you at greater risk.

3.14Personal Representatives

A personal representative, for example, a parent of a minor patient, a court-appointed guardian, or a person you have authorized in writing or under state law, has the same right to access and authorize uses of your PHI that you do. The Provider follows state law on who qualifies.

3.15Fundraising And Marketing Limits

The Provider does not currently fundraise and does not use your PHI for marketing without your written authorization. Section 7 covers the narrow exceptions HIPAA allows. The Provider does not sell your PHI. If fundraising practices change, the Provider will update this Notice and give you a clear way to opt out of future fundraising communications, as required by 45 CFR §164.514(f).

4Highly confidential information (extra protections)

Some kinds of PHI get extra legal protection under federal or state law. The Provider will not share these unless you give written authorization or the law specifically allows or requires it:

  • Mental health treatment records and psychotherapy notes (45 CFR §164.508(a)(2)).
  • Substance use disorder ("SUD") records held by federally-assisted programs (42 CFR Part 2). The Provider does not currently offer SUD treatment, so 42 CFR Part 2 does not apply today. The 2024 HHS modifications to Part 2 took effect on February 16, 2026; if the Provider ever offers SUD services, the additional Part 2 protections, including the special patient consent, redisclosure, and segregation rules, will apply, and the Provider will update this Notice accordingly.
  • HIV and AIDS-related information.
  • Sexually transmitted disease information.
  • Genetic information, including information protected by the Genetic Information Nondiscrimination Act (GINA, 45 CFR §164.502(a)(5)(i); 42 USC §2000ff). The Provider never uses or shares your genetic information for underwriting.
  • Information about child abuse or neglect.
  • Information about domestic abuse.
  • Information about sexual assault.

5Public health activities

Federal law lets the Provider share your PHI with public health authorities (45 CFR §164.512(b)) to:

  • Report to a public health authority preventing or controlling disease, injury, or disability.
  • Report adverse events, product defects, or post-marketing safety information to the FDA.
  • Notify a person who may have been exposed to a communicable disease.
  • Report births, deaths, or vital statistics where state law requires.
  • Report to an employer about a work-related illness or injury when authorized by law.

You can also report a medication side effect directly to FDA MedWatch at 1-800-FDA-1088 or www.fda.gov/medwatch.

6Reproductive and sexual health protections

Reproductive and sexual health information is sensitive, and the Provider treats it that way.

State-law protections. Several states provide heightened protections beyond HIPAA, including California (AB 352, restricting disclosure through health information exchanges; Cal. Civ. Code §56.110 cross-state shield rules), New York (state shield law restricting compelled disclosure related to lawful reproductive care), and Washington (My Health My Data Act, RCW 19.373, governing consumer health data outside HIPAA TPO). Where state law gives you stronger protections than HIPAA, the Provider follows state law. Applicable protections are detailed in the state-specific addenda referenced in Section 14.

Sipra-platform commitment. As a voluntary commitment exceeding federal requirements, the Provider will not disclose reproductive or sexual health information to any government, agency, or party for the purpose of identifying, investigating, prosecuting, or imposing civil or criminal liability on a person for seeking, obtaining, providing, or facilitating reproductive or sexual health care that was lawful under the law of the state in which the care was provided. The Provider will require a written attestation under penalty of perjury, in a form the Provider may publish from time to time, before disclosing reproductive or sexual health PHI in response to any non-TPO request from a government, agency, or third party.

Status of the prior federal rule. A federal regulation that previously codified additional reproductive-health protections, 45 CFR §164.509 (the 2024 HIPAA Privacy Rule To Support Reproductive Health Care Privacy), was vacated nationwide by *Purl v. HHS*, No. 2:24-cv-228 (N.D. Tex. June 18, 2025), and the Fifth Circuit dismissed the appeal on September 10, 2025. The federal §164.509 attestation requirement is therefore no longer enforceable as a matter of federal law. The Provider's commitments above remain in effect under state law and as a Sipra-platform commitment.

7Uses and disclosures that need your written authorization

Other than uses and disclosures described in Sections 3 through 6, the Provider uses or shares your PHI only with your signed authorization. The law specifically requires written authorization for:

  • Most marketing communications that involve your PHI.
  • Sale of PHI. The Provider does not sell PHI.
  • Psychotherapy notes (when applicable to your care).
  • Any other use or disclosure not described in this Notice.

You can take an authorization back at any time, in writing, by emailing [email protected] or writing to the Privacy Officer at the address in Section 12. When you do, the Provider stops the use or disclosure that authorization covered. The Provider cannot undo something it already did while the authorization was in place.

8Your rights about your health information

Federal law gives you specific rights about your PHI. To exercise any right or ask a question, contact the Privacy Officer at [email protected], or write to 30 N Gould St, Ste R, Sheridan, WY 82801, c/o Privacy Officer.

8.1Right To See And Get A Copy Of Your PHI

You have the right to see and get a copy of your medical and billing records (45 CFR §164.524), and to ask the Provider to send a copy directly to a third party you name.

Submit a request by emailing [email protected] or through your patient portal. The Provider responds within 30 days, with one 30-day extension allowed in writing if the Provider tells you why. The Provider may charge a reasonable cost-based fee for paper copies as permitted by law.

8.2Information Blocking Rule (Electronic Access)

The Provider supports patient access to electronic health information through the Sipra patient portal in compliance with the 21st Century Cures Act and the ONC Information Blocking Rule (45 CFR Part 171). Lab results and clinical notes are released to your patient portal as soon as they are final, except where a delay is permitted by an applicable Information Blocking Rule exception (for example, a clinically necessary preventing-harm exception documented in your record). You can report a suspected information-blocking violation to the HHS Office of the Inspector General at oig.hhs.gov.

8.3Right To Ask For A Correction

You have the right to ask the Provider to correct PHI you believe is wrong or incomplete (45 CFR §164.526). Send your request to [email protected] and explain the reason. The Provider will respond within 60 days. If the Provider denies your request, it will tell you why in writing and explain how you can add a written statement of disagreement to your record.

8.4Right To An Accounting Of Disclosures

You have the right to a list of certain disclosures of your PHI the Provider has made in the past six years (45 CFR §164.528). The list does not include disclosures for treatment, payment, operations, or those you authorized. Your first request in any 12-month period is free; the Provider may charge a reasonable fee for additional requests.

8.5Right To Request Restrictions

You have the right to ask the Provider to restrict how it uses or shares your PHI for treatment, payment, or operations (45 CFR §164.522(a)). The Provider is not always required to agree, but if it agrees, it will follow the restriction except in an emergency. Section 9 describes one restriction the Provider must always honor.

8.6Right To Confidential Communications

You have the right to ask the Provider to contact you about your healthcare in a specific way or at a specific location, for example, calling only a particular phone number or emailing instead of calling. The Provider will agree to reasonable requests.

8.7Right To Receive Notice Of A Breach

You have the right to be notified of a breach of your unsecured PHI, as described in Section 10.

8.8Right To A Paper Copy Of This Notice

You can request a paper copy of this Notice at any time, even if you agreed to receive it electronically. Email [email protected].

8.9Right To File A Complaint

You have the right to file a complaint without being penalized. Section 12 explains how.

9Your right to restrict disclosure when you pay out of pocket

If you pay for a healthcare item or service in full out of pocket, you have a special right to ask that the Provider not share PHI about that item or service with a health plan (45 CFR §164.522(a)(1)(vi); HITECH §13405(a)(1)). The Provider must honor this request, except where the law requires the disclosure.

Sipra is a cash-pay platform. The Provider does not bill Medicare, Medicaid, TRICARE, or any private health insurer for the services described in this Notice. To use this restriction for a specific item or service, ask the Provider in writing at the time of the visit or fill, by emailing [email protected] or through the patient portal.

10Notice of breach

If your unsecured PHI is breached, federal law requires the Provider to notify you (45 CFR §164.404). Notice will be sent without unreasonable delay and no later than 60 days after discovery.

The notice will tell you what happened, the kinds of PHI involved, steps you can take to protect yourself, what the Provider is doing in response, and how to contact the Provider with questions.

11No retaliation for complaints

The Provider will not punish you for filing a complaint, asking the Provider to use one of your rights, refusing to authorize a use or disclosure, or participating in an HHS investigation (45 CFR §164.530(g)). You will receive the same care either way.

12Privacy Officer and how to file a complaint

The Provider has designated a Privacy Officer responsible for the Provider's HIPAA program.

To submit a complaint or exercise any right under this Notice, contact the Privacy Officer at [email protected] or by mail at the address above.

12.1File A Complaint With The Provider

If you think the Provider has violated your privacy rights, file a complaint with the Privacy Officer using the contact information above. The Privacy Officer responds promptly. No specific form is required, tell the Provider what happened, when, and what you want the Provider to do.

12.2File A Complaint With HHS

You can also file a complaint with the U.S. Department of Health and Human Services, Office for Civil Rights:

  • Online: https://www.hhs.gov/hipaa/filing-a-complaint/
  • Mail: 200 Independence Avenue SW, Washington, DC 20201
  • Email: [email protected]
  • Phone: 1-877-696-6775 (TDD 1-800-537-7697)

Filing a complaint with the Provider or HHS will not change the care you receive. The Provider does not retaliate.

13Effective date and changes to this Notice

This Notice is effective on June 20, 2026 and stays in effect until replaced. The Provider may change this Notice. If it does, the new Notice applies to PHI the Provider already has and to any PHI it receives in the future.

The Provider will post the current Notice at https://sipra.com/hipaa-notice and email you the new version when there is a material change. You can ask for a paper copy at no cost.

14State-specific addenda

Some states give you stronger protections than HIPAA. Where state law gives you more rights, the Provider follows state law. Examples:

  • California, California Confidentiality of Medical Information Act (CMIA, Cal. Civ. Code §56 et seq.); reproductive-health shield protections (AB 352, Cal. Civ. Code §56.110). See NEEDS ATTORNEY REVIEW: California Confidentiality of Medical Information Act (CMIA) addendum to be drafted by outside counsel prior to launch.
  • New York, patient access and confidentiality of medical and mental-health records under PHL §18, PHL Article 27-F (HIV/AIDS), and MHL §33.13. The SHIELD Act (General Business Law §899-bb) is a data-security statute the Provider also follows. See NEEDS ATTORNEY REVIEW: New York SHIELD Act addendum to be drafted by outside counsel prior to launch.
  • Texas, Texas Medical Records Privacy Act (HB 300; Tex. Health & Safety Code Ch. 181). See NEEDS ATTORNEY REVIEW: Texas HB 300 addendum to be drafted by outside counsel prior to launch.
  • Washington, Uniform Health Care Information Act (UHCIA, RCW 70.02). See NEEDS ATTORNEY REVIEW: Washington Uniform Health Care Information Act (UHCIA) addendum to be drafted by outside counsel prior to launch.
  • Washington (consumer health data outside HIPAA TPO), My Health My Data Act (MHMD, RCW 19.373) covers consumer health data the Provider or Sipra collects outside HIPAA TPO and has a private right of action. See NEEDS ATTORNEY REVIEW: Washington My Health My Data Act overlap notice to be drafted by outside counsel; in the interim, consumer health data is governed by Sipra’s Consumer Health Data Privacy Policy and the Consumer Health Data Privacy Policy at https://sipra.com/health-data-privacy.

If you live in a state not listed, federal HIPAA still applies, plus any state law that gives you more rights. State-specific records-retention periods are at state-specific records retention periods are listed in the State Addenda available at https://sipra.com/hipaa-notice/state-addenda.

Acknowledgment of receipt

When you create a Sipra patient account, you confirm you have received and reviewed this Notice. You can request a paper copy at any time by emailing [email protected].

Questions? Email [email protected].