Protected Health Information (PHI) Disclosure Notice
Last updated: March 10, 2026
Overview
PactRX, LLC ("PactRX") is committed to safeguarding your Protected Health Information (PHI) as defined under the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act. This notice explains what PHI we collect, how we protect it, and under what circumstances it may be disclosed.
What PHI We Collect
In the course of providing pharmacy services, PactRX may collect and maintain the following PHI:
- Patient name, date of birth, address, phone number, and email
- Social Security Number (when required for insurance billing)
- Insurance information, group numbers, and member IDs
- Prescription and medication history
- Allergy and adverse reaction information
- Diagnosis codes (ICD-10) and medical conditions
- Prescriber information and clinical orders
- Lab results and clinical notes relevant to medication therapy
- Payment and claims history
- Communication records (calls, messages, faxes)
- Voicemail recordings and transcriptions
How We Protect Your PHI
PactRX implements comprehensive safeguards to protect your PHI:
Administrative Safeguards
- Designated Privacy Officer responsible for HIPAA compliance
- Workforce training on privacy and security policies
- Business Associate Agreements (BAAs) with all third-party service providers
- Regular risk assessments and compliance audits
- Incident response and breach notification procedures
- Sanctions policy for workforce members who violate privacy policies
Technical Safeguards
- Encryption of all PHI in transit (TLS 1.3) and at rest (AES-256)
- Role-based access controls — staff access only the minimum PHI necessary
- Multi-factor authentication (MFA) for all system access
- Comprehensive audit logging of all PHI access and modifications
- Automatic session timeouts and screen locks
- HIPAA-compliant cloud hosting infrastructure (SOC 2, HITRUST)
Physical Safeguards
- Controlled access to pharmacy facilities and workstations
- Secure disposal of physical documents containing PHI
- Workstation use policies for all devices accessing PHI
Minimum Necessary Standard
PactRX applies the HIPAA Minimum Necessary Standard to all uses, disclosures, and requests for PHI. This means we make reasonable efforts to limit PHI access to the minimum amount necessary to accomplish the intended purpose. Our role-based access control system ensures that staff members can only access the PHI required for their specific job functions.
Electronic PHI (ePHI)
Our electronic health record systems and digital platforms comply with the HIPAA Security Rule requirements for electronic PHI (ePHI). This includes:
- End-to-end encryption for patient portals and mobile applications
- Secure, compliant platforms for all SMS and email communications containing PHI
- Detailed access logs, retained by all electronic systems for a minimum of six years
- Regular penetration testing and vulnerability assessments
- Data backup and disaster recovery procedures to ensure availability
Artificial Intelligence & PHI
PactRX utilizes AI-powered tools to improve patient care, including medication management, communication assistance, and operational efficiency. When AI systems process PHI:
- All AI service providers have executed Business Associate Agreements (BAAs)
- PHI is transmitted and processed using encrypted channels only
- AI-generated recommendations are always reviewed by licensed pharmacists
- Patient data is never used to train third-party AI models without explicit consent
- AI interactions involving PHI are logged and auditable
Third-Party Disclosures
PactRX may share your PHI with the following categories of Business Associates, all of whom are bound by BAAs to protect your information:
- Shipping carriers: Name and address for medication delivery (no clinical data)
- Payment processors: Billing information for payment processing
- Cloud hosting providers: Encrypted data storage and processing (HIPAA-compliant infrastructure)
- Communication platforms: Secure phone, SMS, and messaging services
- Transcription services: Audio-to-text conversion for voicemails and call recordings
- Insurance companies: Claims submission and eligibility verification
We do not sell your PHI to any third party, and we do not disclose PHI for marketing purposes without your explicit written authorization.
PHI Retention & Disposal
We retain your PHI for the minimum period required by applicable federal and state laws:
- Prescription records: minimum 6–10 years (varies by state)
- HIPAA-related documentation: minimum 6 years
- Financial and billing records: minimum 7 years
- Audit logs: minimum 6 years
When PHI is no longer required, we securely destroy it using methods appropriate to the media type (e.g., degaussing, overwriting, shredding, incineration).
Your Rights
For a complete description of your rights regarding your PHI, please see our HIPAA Notice of Privacy Practices. Your rights include the right to access, amend, restrict, and receive an accounting of disclosures of your PHI.
Contact Us
For questions about how we handle your PHI, or to exercise your rights, contact: