Limited time: First month $197 (save $100). Your transformation starts here.

ZenOryva.
ZenOryva.
Take the Assessment

HIPAA Notice of Privacy Practices

Effective date:

Last updated:

THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION.

Please review this notice carefully. It describes your rights under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and explains how ZenOryva and its affiliated healthcare providers handle your Protected Health Information (PHI).

1. Overview

Federal law requires us to maintain the privacy of your Protected Health Information (PHI), provide you with this Notice of Privacy Practices, and follow the terms of the notice currently in effect. This notice applies to PHI created or received by ZenOryva in connection with your use of our telehealth platform and related services.

We are required by law to give you this notice and to abide by the terms described herein. We reserve the right to change the terms of this notice and to make new provisions effective for all PHI we maintain. If we make a material change to this notice, we will provide updated notice to you by email and post the revised notice on this page.

2. ZenOryva's Role Under HIPAA

ZenOryva operates as a business associate in connection with its telehealth platform. In this capacity, ZenOryva creates, receives, maintains, and transmits PHI on behalf of covered entities -- specifically the independently licensed healthcare providers and licensed pharmacies that deliver care through our platform.

Your clinical care is provided entirely by independently licensed healthcare providers who are solely responsible for all medical decisions, diagnoses, and prescriptions. Your medications are dispensed by licensed compounding pharmacies. ZenOryva's role is to facilitate the secure connection between you, your provider, and the dispensing pharmacy -- and to ensure that PHI is handled in a manner consistent with HIPAA requirements throughout that process.

Where required, ZenOryva maintains signed Business Associate Agreements (BAAs) with all third-party vendors and service providers that handle PHI on our behalf.

3. What Is Protected Health Information (PHI)?

Protected Health Information is any information that relates to your past, present, or future physical or mental health condition, the provision of healthcare to you, or the payment for that healthcare -- when that information can be used to identify you.

In the context of ZenOryva's platform, PHI includes but is not limited to:

  • Your medical history and reported health conditions
  • Health intake quiz responses, including information about weight, symptoms, and medical history
  • Weight, height, BMI, and body measurement data
  • Medication logs, dosing records, and injection history
  • Progress photos submitted for clinical review
  • Communications with your assigned healthcare provider or health coach that reference health conditions or treatment
  • Prescription information, including medication name, dosage, and prescribing provider
  • Lab results or health documents you upload to our platform

Information such as your name, email address, phone number, and billing information -- when not combined with health data -- is treated as personal information under our Privacy Policy rather than as PHI.

4. How We Use and Disclose Your PHI

We may use and disclose your PHI in the following ways without requiring your separate written authorization:

Treatment

We share your PHI with the licensed healthcare provider who reviews your intake and, where clinically appropriate, with the compounding pharmacy responsible for dispensing your medication. This includes your health history, intake responses, and prescription information necessary to provide safe and coordinated care.

Payment

We may use your PHI to process your subscription, verify eligibility, and handle billing for services rendered. This includes communicating with payment processors where limited PHI context is necessary (such as confirming a service was rendered for billing purposes).

Healthcare Operations

We may use your PHI for internal quality improvement activities, clinical protocol review, provider performance evaluation, and staff training -- all for the purpose of improving the quality and safety of services delivered through our platform. De-identified or aggregate data may also be used for research and product development.

With Your Authorization

For uses and disclosures not described in this notice -- in particular, any use of your PHI for marketing purposes or the sale of your PHI to third parties -- we will request your written authorization before proceeding. You may revoke any such authorization at any time by contacting us in writing at privacy@ZenOryva.com. Revocation will not affect uses or disclosures already made in reliance on your authorization.

As Required by Law

We may disclose your PHI when required to do so by federal, state, or local law, including in response to valid legal process such as a court order, subpoena, or regulatory inquiry.

Public Health Activities

We may disclose PHI to public health authorities as required or permitted by law for purposes such as preventing or controlling disease, reporting adverse events related to medications, or responding to public health emergencies.

To Avert Serious Threat to Health or Safety

We may use or disclose PHI when necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the general public, and the disclosure is to a person or organization reasonably able to prevent or lessen that threat.

5. Your Rights Under HIPAA

You have the following rights with respect to your PHI. To exercise any of these rights, contact our Privacy Officer at privacy@ZenOryva.com. We will respond to all written requests within 30 days.

Right to Access Your PHI

You have the right to inspect and obtain a copy of PHI that we maintain about you in a designated record set. We will provide access in a mutually agreed upon format, including electronic format where available. We may charge a reasonable cost-based fee for copies.

Right to Request Amendment

If you believe that PHI we hold about you is incorrect or incomplete, you may request an amendment. We will consider your request and notify you of our decision. We may deny your request if the information was not created by us, is not part of a designated record set, or is accurate and complete as maintained.

Right to an Accounting of Disclosures

You have the right to request an accounting of certain disclosures of your PHI made by ZenOryva during the six years prior to your request. This right does not apply to disclosures made for treatment, payment, or healthcare operations, or disclosures made with your authorization.

Right to Request Restrictions

You have the right to request restrictions on how we use or disclose your PHI for treatment, payment, or healthcare operations. We are not required to agree to your request except where the restriction concerns disclosures to a health plan for services you have paid for entirely out-of-pocket.

Right to Receive Confidential Communications

You have the right to request that we communicate with you about your health information in a specific way or at a specific location. For example, you may request that we contact you only via email or only at a particular address. We will accommodate reasonable requests.

Right to a Paper Copy of This Notice

You have the right to receive a paper copy of this Notice of Privacy Practices at any time, even if you have agreed to receive it electronically. Contact us at privacy@ZenOryva.com to request a printed copy.

Right to File a Complaint

If you believe your privacy rights have been violated, you have the right to file a complaint. See Section 8 for details.

6. Our Responsibilities

ZenOryva is required by law to:

  • Maintain the privacy and security of your PHI in accordance with applicable HIPAA regulations
  • Provide you with this Notice of Privacy Practices and adhere to its terms while it is in effect
  • Notify you without unreasonable delay -- and no later than 60 days following discovery -- in the event of a breach of unsecured PHI that affects you, in accordance with the HIPAA Breach Notification Rule
  • Not use or disclose your PHI in a manner inconsistent with this notice without your written authorization, except as required by law
  • Follow the terms of any restriction we have agreed to regarding your PHI

7. How We Protect Your PHI

We implement administrative, physical, and technical safeguards to protect your PHI in accordance with the HIPAA Security Rule:

  • HIPAA-compliant infrastructure -- PHI is stored exclusively within systems covered by signed Business Associate Agreements. Our primary data infrastructure (Supabase) is operated under a BAA
  • Encryption -- all PHI is encrypted in transit using TLS 1.2 or higher and encrypted at rest using AES-256
  • Access controls -- access to PHI is restricted to authorized personnel with a demonstrated need for the information. All access is logged and subject to audit
  • Segregation of marketing systems -- marketing and communications platforms (such as email and SMS tools) do not receive or store PHI. These systems contain only non-clinical identifiers such as name, email, and subscription status. Marketing communications never reference specific medications, dosages, diagnoses, or health conditions
  • Workforce training -- all ZenOryva personnel with access to PHI receive HIPAA privacy and security training
  • Vendor management -- all third-party service providers that handle PHI are required to execute a BAA and demonstrate appropriate safeguards before receiving any PHI

8. Complaints

If you believe that ZenOryva or any affiliated provider has violated your HIPAA privacy rights, you have the right to file a complaint. You will not be retaliated against for filing a complaint in good faith.

You may file a complaint in either of the following ways:

  • With ZenOryva -- contact our Privacy Officer in writing at privacy@ZenOryva.com. Please describe the nature of your concern in as much detail as possible. We will acknowledge your complaint within 5 business days and investigate promptly.
  • With the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) -- you may file a complaint online at hhs.gov/hipaa/filing-a-complaint, by mail to the HHS Office for Civil Rights, 200 Independence Avenue SW, Washington, D.C. 20201, or by phone at 1-800-368-1019 (TDD: 1-800-537-7697)

9. Contact Our Privacy Officer

For questions, requests, or concerns related to this Notice or your PHI, please contact our designated Privacy Officer:

Privacy Officer, ZenOryva

9017 Reseda Blvd, Suite 210

Northridge, CA 91324

Email: privacy@ZenOryva.com

Phone: (TBD)

Related policies: Privacy Policy · Terms of Service · Medical Disclaimer

← Back to ZenOryva