4. HOW WE USE AND DISCLOSE YOUR PHI

A. USES AND DISCLOSURES WITH YOUR AUTHORIZATION

Except as described below, we will not use or disclose your PHI without your written authorization. You may revoke your authorization at any time by submitting a written request to our Privacy Officer. However, we cannot take back any disclosures already made with your authorization.

B. USES AND DISCLOSURES WITHOUT YOUR AUTHORIZATION

Federal and state privacy laws allow us to use and disclose your PHI without your authorization in the following circumstances:

1. Treatment, Payment, and Healthcare Operations

Treatment: We may use and disclose your PHI to provide, coordinate, or manage your healthcare services. For example:

• Coordinating specimen collection and laboratory testing
• Consulting with healthcare providers about test results
• Providing Medical Review Officer (MRO) services for drug testing

Payment: We may use and disclose your PHI to obtain payment for services. For example:

• Billing you, your employer, or your insurance company for testing services
• Verifying eligibility for payment
• Collection activities

Healthcare Operations: We may use and disclose your PHI for our business operations. For example:

• Quality assurance and improvement activities
• Training and education of staff
• Business planning and management
• Customer service activities

2. Required by Law

We may disclose your PHI when required by federal, state, or local law, including:

• Reporting suspected abuse, neglect, or domestic violence to appropriate authorities
• Responding to court orders, subpoenas, or legal proceedings
• Complying with workers' compensation laws
• Reporting certain communicable diseases to public health authorities
• Cooperating with law enforcement investigations (under specific circumstances)

3. Public Health and Safety

We may disclose your PHI to public health authorities for activities such as:

• Preventing or controlling disease, injury, or disability
• Reporting adverse events related to food, medications, or medical devices
• Notifying persons exposed to communicable diseases
• Preventing serious threats to public health or safety

4. Department of Transportation (DOT) Compliance

For DOT-mandated drug and alcohol testing, we may disclose your PHI to:

• Your employer (test results and chain of custody documentation)
• The Federal Motor Carrier Safety Administration (FMCSA) or other DOT agencies
• Medical Review Officers (MROs) for result verification
• Substance Abuse Professionals (SAPs) for return-to-duty evaluations

DOT regulations require disclosure of positive, adulterated, substituted, or refused test results to your employer.

5. Legal Proceedings

We may disclose your PHI in response to:

• Court orders or subpoenas in legal proceedings
• Discovery requests in lawsuits
• Requests from attorneys representing you (with your authorization)
• Administrative hearings or arbitration proceedings

For DNA paternity testing in custody or legal matters, results may be disclosed to:

• Courts and judges
• Attorneys representing parties in the case
• Child support agencies
• Immigration authorities (for immigration DNA testing)

6. Law Enforcement

We may disclose limited PHI to law enforcement officials:

• In response to a court order, subpoena, warrant, or summons
• To identify or locate a suspect, fugitive, material witness, or missing person
• About a victim of crime under limited circumstances
• About a death suspected to be the result of criminal conduct
• About criminal conduct at our facilities or involving our services

7. Workplace Testing Programs

For employer-mandated drug testing, we may disclose your PHI to:

• Your employer (test results and chain of custody documentation)
• Third-party administrators (TPAs) managing your employer's testing program
• Consortium pools for random testing selection
• Insurance companies administering workers' compensation claims

8. Business Associates

We work with business associates who perform services on our behalf. These include:

• SAMHSA-certified drug testing laboratories
• AABB-accredited DNA testing laboratories
• Medical Review Officers (MROs)
• Background check providers
• Technology service providers (website hosting, data storage)
• Billing and payment processing companies

We require all business associates to sign agreements protecting your PHI and using it only as necessary to perform their services.

5. YOUR RIGHTS REGARDING YOUR PHI

Under HIPAA, you have the following rights:

A. RIGHT TO ACCESS YOUR PHI

You have the right to inspect and obtain a copy of your PHI maintained in our records. This includes:

• Test results
• Chain of custody documentation
• Billing records
• Consent forms

How to Request: Submit a written request to our Privacy Officer. We will respond within 30 days. We may charge a reasonable fee for copying and mailing records.

Limitations: We may deny access in certain limited circumstances, such as when a licensed healthcare professional determines that access would endanger you or another person.

B. RIGHT TO AMEND YOUR PHI

If you believe your PHI is incorrect or incomplete, you may request an amendment.

How to Request: Submit a written request to our Privacy Officer explaining what information you believe is incorrect and why. We will respond within 60 days.

We may deny your request if:

• The information was not created by us
• The information is not part of our records
• The information is accurate and complete

If we deny your request, you may submit a statement of disagreement that will be included with your records.

C. RIGHT TO AN ACCOUNTING OF DISCLOSURES

You have the right to receive a list of certain disclosures of your PHI that we have made in the past six years (or a shorter period if requested).

How to Request: Submit a written request to our Privacy Officer. The first accounting in a 12-month period is free; we may charge a reasonable fee for additional requests.

This accounting does NOT include:

• Disclosures made with your authorization
• Disclosures for treatment, payment, or healthcare operations
• Disclosures to you about your own PHI
• Disclosures required by law (in some cases)

D. RIGHT TO REQUEST RESTRICTIONS

You have the right to request restrictions on how we use or disclose your PHI. For example, you may request that we not disclose certain information to your employer or family members.

We are NOT required to agree to your request, except in one situation: If you pay for a service out-of-pocket in full and request that we not disclose information to your health insurance plan solely for payment or healthcare operations (not for treatment), we must agree.

How to Request: Submit a written request to our Privacy Officer describing the restriction you are requesting.

E. RIGHT TO REQUEST CONFIDENTIAL COMMUNICATIONS

You have the right to request that we communicate with you about your PHI in a certain way or at a certain location.

How to Request: Submit a written request to our Privacy Officer. We will accommodate reasonable requests. For example:

• Sending test results to a P.O. Box instead of your home address
• Calling you at work instead of home
• Communicating via email instead of phone

F. RIGHT TO NOTIFICATION OF A BREACH

You have the right to be notified if we discover a breach of your unsecured PHI.

We will notify you:

• Within 60 days of discovering the breach
• By mail, email, or phone (depending on the contact information we have)
• With information about what happened, what information was involved, and what steps we are taking

G. RIGHT TO A PAPER COPY OF THIS NOTICE

You have the right to receive a paper copy of this Privacy Policy at any time, even if you have received it electronically.

How to Request: Contact our Privacy Officer or download it from our website at www.vitalchecklabs.com/privacy-policy

6. HOW WE PROTECT YOUR PHI

We implement physical, technical, and administrative safeguards to protect your PHI from unauthorized access, use, or disclosure:

Physical Safeguards:

• Locked storage for physical records and specimens
• Restricted access to areas where PHI is stored
• Secure transport of specimens in sealed, tamper-evident containers
• Proper disposal of PHI (shredding documents, sanitizing electronic devices)

Technical Safeguards:

• Encrypted electronic storage of PHI
• Password-protected computer systems
• Secure, HIPAA-compliant email for transmitting PHI
• Firewalls and antivirus software
• Regular security updates and patches
• Secure online portal for accessing test results

Administrative Safeguards:

• HIPAA training for all staff with access to PHI
• Written policies and procedures for handling PHI
• Business associate agreements with all third-party service providers
• Regular security risk assessments
• Designated Privacy Officer responsible for HIPAA compliance

Chain of Custody Protocols:

For forensic and legal testing, we maintain enhanced security measures:

• Tamper-evident seals on all specimens
• Continuous documentation of specimen handling
• Photographic documentation (when applicable)
• Restricted access to specimens
• Secure transport directly to laboratory partner

7. DATA RETENTION

We retain your PHI for the following periods:

Drug Testing Records (DOT): 5 years (as required by DOT regulations)
Drug Testing Records (Non-DOT): 3 years
DNA Testing Records: 7 years
Wellness Testing Records: 7 years
Fingerprinting Records: 3 years
Billing and Payment Records: 7 years (as required by IRS regulations)

After the retention period, we securely destroy PHI by:

• Shredding physical documents
• Permanently deleting electronic files
• Sanitizing electronic storage devices

Exception: We may retain de-identified information indefinitely for research, quality improvement, or business planning purposes.

8. MINORS AND PARENTAL RIGHTS

For services provided to minors (individuals under 18 years of age):

• We generally require parental or legal guardian consent before collecting PHI from minors
• Parents or legal guardians have the right to access their minor child's PHI
• In certain circumstances (e.g., emancipated minors, court orders, or state law exceptions), we may provide services to minors without parental consent

For DNA paternity testing involving minors, court orders or legal custody documents may be required.

9. WEBSITE AND ONLINE PRIVACY

Information Collected on Our Website:

Personal Information: When you use our website (www.vitalchecklabs.com), we may collect:

• Name, email address, phone number (when you contact us or schedule services)
• Scheduling and appointment information
• Payment information (processed securely through third-party payment processors)

Non-Personal Information: We automatically collect:

• IP address
• Browser type and version
• Pages visited and time spent on site
• Referring website
• Device information

Cookies: We use cookies to:

• Remember your preferences
• Improve website functionality
• Analyze website traffic and usage patterns

You can disable cookies in your browser settings, but some website features may not function properly.

How We Use Website Information:

• To provide requested services and respond to inquiries
• To improve website functionality and user experience
• To send appointment reminders and service updates
• To process payments
• For marketing purposes (only with your consent)

Third-Party Links:

Our website may contain links to third-party websites (e.g., laboratory partners, payment processors). We are not responsible for the privacy practices of these websites. Please review their privacy policies before providing any information.

Online Security:

• Our website uses SSL encryption to protect information transmitted online
• We use secure, HIPAA-compliant hosting services
• Payment information is processed through PCI-compliant payment processors
• We do not store credit card information on our servers

10. MARKETING AND COMMUNICATIONS

We may use your contact information (name, email, phone) to:

• Send appointment reminders
• Provide test results
• Send invoices and payment reminders
• Notify you of service updates or changes

Marketing Communications: We will NOT use your PHI for marketing purposes without your written authorization. However, we may send general service information, health tips, or promotional offers to your email address if you have opted in to receive marketing communications.

Opt-Out: You may opt out of marketing communications at any time by:

• Clicking "Unsubscribe" in any marketing email
• Contacting our Privacy Officer at info@vitalchecklabs.com
• Calling (972) 246-8745

Note: You cannot opt out of service-related communications (e.g., appointment confirmations, test results, invoices).

11. CHANGES TO THIS PRIVACY POLICY

We reserve the right to change this Privacy Policy at any time. Changes will be effective immediately upon posting to our website.

We will notify you of material changes by:

• Posting the updated policy on our website (www.vitalchecklabs.com/privacy-policy)
• Updating the "Last Updated" date at the top of this notice
• Providing a copy at your next service appointment (if applicable)

The current version of this Privacy Policy will always be available on our website. You may request a paper copy at any time.

12. COMPLAINTS

If you believe your privacy rights have been violated, you have the right to file a complaint.

You may file a complaint with:

VitalCheck Labs Privacy Officer:
Veronica [Last Name]
Email: info@vitalchecklabs.com
Phone: (972) 246-8745



U.S. Department of Health and Human Services:
Office for Civil Rights
U.S. Department of Health and Human Services
200 Independence Avenue, S.W.
Washington, D.C. 20201
Phone: 1-877-696-6775
Website: www.hhs.gov/ocr/privacy/hipaa/complaints/

We will not retaliate against you for filing a complaint.

13. CONTACT INFORMATION

If you have questions about this Privacy Policy or our privacy practices, please contact:

VitalCheck Labs LLC
Privacy Officer: Veronica Johns, Chief Medical Officer
Phone: (972) 246-8745
Email: info@vitalchecklabs.com
Website: www.vitalchecklabs.com

14. ACKNOWLEDGMENT

By using VitalCheck Labs' services, you acknowledge that you have received, read, and understand this Privacy Policy. You acknowledge that we have explained your privacy rights and how we use and disclose your PHI.

If you have questions or need clarification about this Privacy Policy, please contact our Privacy Officer before receiving services.

VitalCheck Labs LLC
Last Updated: February 9, 2026