Skip to main content

Health Data Privacy Notice

Effective Date: 2026-03-04 • Last Updated: 2026-03-24

Hollis Health LLC operates as a HIPAA Business Associate. We receive, maintain, and transmit Protected Health Information (PHI) on behalf of covered entities, specifically the licensed physicians and laboratories with whom we coordinate your care through Business Associate Agreements. This notice explains our obligations and your rights.

DRAFT - FOR ATTORNEY REVIEW

Health Data Privacy Notice

Effective Date: March 4, 2026

This Health Data Privacy Notice ("Notice") explains Hollis Health LLC's role when we handle protected health information ("PHI") on behalf of independently licensed physicians, partner laboratories, or other healthcare providers that qualify as Covered Entities under HIPAA.

This Notice is narrower than our general Privacy Policy. It is intended to address PHI that Hollis Health may receive, maintain, display, or transmit in Business Associate or similar service-provider workflows for clinical partners.

This Notice does not serve as a Notice of Privacy Practices ("NPP") for Hollis Health or for any clinical partner. Each independently licensed physician, laboratory, or other Covered Entity remains responsible for its own NPP and its own direct clinical privacy obligations.

1. Hollis Health's HIPAA Role

1.1 Business Associate and Service-Provider Functions. In certain workflows, Hollis Health may create, receive, maintain, or transmit PHI on behalf of one or more independently licensed physicians, partner laboratories, or other healthcare providers pursuant to Business Associate Agreements ("BAAs") or comparable service arrangements.

1.2 Limited Scope. This Notice applies only to PHI handled in those partner-clinical workflows. Information you provide directly to Hollis Health through consumer-facing wellness features may be governed by our general Privacy Policy and by laws other than HIPAA.

1.3 No Direct Clinical Practice Representation. Nothing in this Notice means that Hollis Health is itself your physician or a Covered Entity for all Services. Hollis Health's role depends on the workflow and the relationship under which the information was collected or received.

2. Categories of PHI We May Handle

When received from or on behalf of a Covered Entity, PHI handled by Hollis Health may include categories such as:

  • laboratory and biomarker results;
  • body composition or imaging summaries transmitted by a clinical partner;
  • diagnoses, impressions, and clinician-authored directives;
  • medication, supplement, or protocol instructions issued by an independently licensed clinician;
  • scheduling, ordering, coordination, and administrative records tied to clinical workflows;
  • secure messages or records transmitted through covered clinical coordination workflows.

3. How We Use and Disclose PHI in Those Workflows

Where PHI is handled on behalf of a Covered Entity, Hollis Health may use or disclose that PHI only as permitted by:

  • the applicable BAA or services agreement;
  • HIPAA and other applicable law; and
  • instructions of the Covered Entity where required.

Examples may include:

  • routing and displaying results;
  • care coordination support;
  • scheduling and administrative support;
  • technical hosting, security, storage, and access management;
  • audit logging, incident response, and lawful compliance activities.

Hollis Health does not use PHI handled on behalf of a Covered Entity for unrelated advertising or data sale.

4. Your Rights

4.1 Rights Through the Covered Entity. If your request concerns PHI maintained by Hollis Health on behalf of an independently licensed physician, laboratory, or other Covered Entity, your HIPAA rights are generally exercised through that Covered Entity.

4.2 Requests We May Route or Coordinate. For convenience, you may send an access, amendment, accounting, restriction, or confidential communications request to Hollis Health. We may forward, route, or coordinate the request with the appropriate Covered Entity rather than responding independently where the law or applicable agreement requires that workflow.

4.3 Direct-to-Consumer Data Is Different. If your request concerns information you provided directly to Hollis Health in a consumer-facing wellness workflow, that request may instead be handled under our general Privacy Policy and other applicable law.

5. Safeguards

Hollis Health applies administrative, technical, and physical safeguards designed to protect PHI in partner-clinical workflows, which may include:

  • encryption in transit and at rest where appropriate;
  • role-based access controls;
  • audit logging and access monitoring;
  • identity and authentication controls;
  • vendor contractual controls, including BAAs where applicable;
  • incident response and workforce training.

No safeguard can guarantee absolute security, but Hollis Health is committed to using commercially reasonable and legally appropriate measures for PHI handled in these workflows.

6. Subcontractors and Vendors

Hollis Health may use subcontractors and vendors to support PHI-handling workflows, including cloud hosting, secure communications, infrastructure, monitoring, and other operational services. Where a vendor creates, receives, maintains, or transmits PHI on behalf of Hollis Health in a HIPAA-governed workflow, Hollis Health will seek to have appropriate contractual protections in place, including a BAA where required.

7. Breach and Incident Handling

If Hollis Health discovers a breach of unsecured PHI in a workflow where we are acting on behalf of a Covered Entity, we will respond in accordance with applicable law and the governing BAA or service arrangement, including notice to the affected Covered Entity where required.

Where a single incident affects both:

  • PHI handled on behalf of a Covered Entity; and
  • direct-to-consumer data collected by Hollis Health,

different notification laws may apply to different parts of the incident. In that situation, Hollis Health may provide or support multiple notice workflows under HIPAA, state breach law, consumer privacy law, or other applicable law.

8. Complaints

If you believe your HIPAA rights have been violated in connection with PHI handled in a Covered Entity workflow, you may:

  • contact the applicable Covered Entity directly;
  • contact Hollis Health so that we can route or coordinate the concern where appropriate; or
  • file a complaint with the U.S. Department of Health and Human Services Office for Civil Rights.

HHS OCR complaint information is available at:

https://www.hhs.gov/hipaa/filing-a-complaint

Hollis Health will not retaliate against any person for making a good-faith privacy complaint.

9. Contact Information

For questions or requests related to this Notice, please contact:

Hollis Health LLC
Attn: Privacy Team
691 S Seguin
New Braunfels, TX 78130
(Current administrative office; not a representation that member services are provided at this address.)

Email: legal@hollis.health
Phone: (210) 891-9005

This Health Data Privacy Notice was last updated on March 24, 2026.

DRAFT - FOR ATTORNEY REVIEW. NOT FOR PUBLIC DISTRIBUTION UNTIL ATTORNEY APPROVAL.

Privacy PolicyTerms of ServiceContact Us