THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
1. Introduction and Effective Date
This Notice of Privacy Practices (“Notice”) describes the legal duties and privacy practices of ByAven LLC (“ByAven,” “we,” “us,” or “our”) with respect to your Protected Health Information (“PHI”). We are required by federal law — specifically the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its implementing regulations at 45 C.F.R. Parts 160 and 164 — to maintain the privacy of your PHI and to provide you with notice of our legal duties and privacy practices with respect to PHI.
Effective Date: May 1, 2026. This Notice is effective as of the date above and applies to all PHI we create, receive, maintain, or transmit in connection with your use of ByAven's telehealth services.
We are required to abide by the terms of this Notice while it is in effect. We reserve the right to change the terms of this Notice and to make the new terms effective for all PHI we maintain, including PHI created or received before the revised notice date. If we revise this Notice, we will post the revised version at byaven.com/hipaa-notice and provide the revised Notice upon request.
2. Who This Notice Applies To
This Notice applies to ByAven LLC and its affiliated licensed healthcare providers who use the ByAven platform to furnish telehealth services. This Notice also covers the entities and persons that operate under our direction and control, including contracted Business Associates who handle PHI on our behalf pursuant to written Business Associate Agreements.
PHI is individually identifiable health information that relates to your past, present, or future physical or mental health or condition; the provision of healthcare to you; or the past, present, or future payment for the provision of healthcare to you. PHI includes information transmitted in any form — electronic, paper, or verbal.
This Notice covers PHI collected through the ByAven website, intake questionnaires, provider consultations, messages, prescription records, payment information related to healthcare, and any other information generated in connection with your care.
3. Treatment, Payment, and Healthcare Operations
Federal law permits us to use and disclose your PHI without your authorization for the following core purposes:
Treatment
We may use and disclose your PHI to provide, coordinate, or manage your healthcare and related services. This includes sharing your information with licensed healthcare providers on the ByAven platform who are reviewing your intake form and creating your treatment plan. It also includes disclosures to specialists, referring providers, pharmacies, or laboratories involved in your care.
Example: We share your health intake questionnaire and symptom information with the licensed clinician assigned to review your case so that provider can make a prescribing decision.
Payment
We may use and disclose your PHI to obtain payment for services rendered. This includes sharing information with payment processors, billing platforms, and — if applicable — insurers or health plans. It also includes activities such as determining eligibility and processing your subscription payments.
Example: We transmit billing information to our secure payment processor to charge your subscription fee.
Healthcare Operations
We may use and disclose your PHI for healthcare operations — internal activities necessary to run our business and improve quality of care. These include:
- Quality assessment and improvement activities
- Provider performance evaluation and credentialing
- Training of healthcare staff and students
- Accreditation, certification, and compliance activities
- Business planning and management activities
- Customer service activities
- De-identified data analysis and research (using data from which all identifiers have been removed in accordance with HIPAA)
Example: We review a sample of provider-patient communications to assess the quality of care and ensure adherence to clinical protocols.
4. Other Permitted Uses and Disclosures
In addition to Treatment, Payment, and Operations, federal law permits or requires us to use or disclose your PHI without your authorization in the following circumstances:
As Required by Law
We will disclose your PHI when required to do so by federal, state, or local law, including court orders, subpoenas, warrants, and mandatory reporting requirements.
Public Health Activities
We may disclose your PHI to authorized public health authorities for purposes such as preventing or controlling disease, reporting adverse events, or tracking product defects. We may also disclose PHI to the FDA to report serious adverse events related to medications.
Health Oversight Activities
We may disclose your PHI to health oversight agencies (such as state licensing boards or the U.S. Department of Health and Human Services) for audits, investigations, inspections, and other oversight activities authorized by law.
Judicial and Administrative Proceedings
We may disclose your PHI in response to a court or administrative order, or in response to a subpoena, discovery request, or other lawful process, subject to applicable safeguards.
Law Enforcement
We may disclose your PHI to law enforcement officials for limited purposes, including identifying suspects or victims, responding to valid legal requests, or reporting crimes on our premises.
Serious Threats to Health or Safety
We may use or disclose your PHI to prevent or lessen a serious and imminent threat to your health or safety, or to the health or safety of another person or the public, to persons reasonably able to prevent or lessen the threat.
Decedents
We may disclose PHI to coroners, medical examiners, and funeral directors as necessary to carry out their legal duties.
Organ and Tissue Donation
If you are an organ donor, we may share relevant PHI with organ procurement organizations to facilitate organ, eye, or tissue donation and transplantation.
Research
We may use or disclose PHI for research purposes when a waiver of authorization has been approved by an institutional review board (IRB) or privacy board, or when the research involves only de-identified information.
Workers' Compensation and Government Programs
We may disclose your PHI to the extent necessary to comply with workers' compensation laws or special programs such as military activities, veterans affairs, national security, or intelligence activities as permitted by law.
Inmates
If you are an inmate of a correctional institution, we may disclose PHI to the correctional institution or a law enforcement official as necessary for your health and safety or the health and safety of others.
6. Your Right to Access and Receive Copies
Right to Inspect and Copy Your PHI. You have the right to inspect and obtain a copy of your PHI that is maintained in a designated record set — which includes your medical records and billing records — for as long as we maintain this information.
We may deny your request to access PHI only in limited circumstances, such as:
- When access could endanger your life or safety or the life or safety of another person
- When the PHI was compiled in anticipation of civil or criminal litigation
- When the information was obtained under a promise of confidentiality from a third party
Electronic Access. If your PHI is maintained electronically, you have the right to obtain a copy in an electronic format of your choice, where readily producible, and to direct us to transmit a copy to a third party you designate.
We may charge a reasonable, cost-based fee for copies. To request your records, contact us at privacy@byaven.com. We will respond to your request within 30 days (with one possible 30-day extension if we notify you).
7. Your Right to Request Amendment
Right to Request Amendment. If you believe that your PHI maintained in our records is incorrect or incomplete, you have the right to request that we amend it. Your request must be made in writing and must explain why the information should be amended.
We may deny your request if:
- The information was not created by us, unless the originating source is no longer available
- The information is not part of the designated record set we maintain
- The information is accurate and complete in our assessment
- You would not have the right to inspect and copy the PHI
We will act on your request within 60 days of receipt. If we deny the amendment, we will provide you with a written explanation and information on how to file a disagreement statement. We will append any agreed-upon amendment to your record and notify persons who received the incorrect information where practicable.
To request an amendment, contact privacy@byaven.com.
8. Your Right to an Accounting of Disclosures
Right to Accounting. You have the right to receive a list (an “accounting”) of disclosures of your PHI that we have made in the six years prior to your request. This right applies to disclosures made for purposes other than treatment, payment, or healthcare operations, and to disclosures you specifically authorized.
The accounting will include:
- The date of each disclosure
- The name and address (if known) of the recipient
- A brief description of the PHI disclosed
- A brief statement of the purpose of the disclosure
We will provide the first accounting in any 12-month period free of charge. We may charge a reasonable fee for additional requests. We will respond to your request within 60 days (with one 30-day extension if we notify you).
To request an accounting, contact privacy@byaven.com.
9. Your Right to Request Restrictions
Right to Request Restrictions on Use and Disclosure
You have the right to request restrictions on how we use or disclose your PHI for Treatment, Payment, or Healthcare Operations, or to restrict disclosure to individuals involved in your care. We are not required to agree to a requested restriction unless:
- The restriction relates to a disclosure to a health plan for payment or operations purposes, and
- The PHI pertains solely to a healthcare item or service that you (or someone other than the health plan) paid for in full
If we agree to a restriction, we will comply with it except in an emergency situation. Once agreed, a restriction remains in effect until you request its termination in writing or we notify you of our termination.
Right to Request Confidential Communications
You have the right to request that we communicate your PHI to you by alternative means or at an alternative location — for example, by requesting that we contact you only at a specific phone number or email address. We will accommodate all reasonable requests. Requests must be in writing and specify how or where you wish to be contacted.
To request restrictions or confidential communications, contact privacy@byaven.com.
10. Your Right to Confidential Communications and Breach Notification
Right to a Paper Copy of This Notice
You have the right to receive a paper copy of this Notice at any time, even if you previously agreed to receive it electronically. To request a paper copy, contact us at the address below or email privacy@byaven.com.
Right to Notification of a Breach
In the event of a breach of unsecured PHI, we are required by law to notify you without unreasonable delay and no later than 60 calendar days after discovery of the breach. We will notify you by first-class mail at your last known address, or by email if you have indicated a preference for electronic communication. If the breach involves more than 500 residents of a state or jurisdiction, we will also provide notice to prominent media outlets and to the Secretary of HHS.
Right to Authorize a Personal Representative
You may designate an individual to act as your personal representative with authority to act on your behalf with respect to your PHI and HIPAA rights, in accordance with applicable law. Contact us to provide written authorization for a personal representative.
11. Our Duties and Obligations Under HIPAA
We are required by law to:
- Maintain the privacy of your PHI
- Provide you with this Notice describing our legal duties and privacy practices with respect to PHI
- Notify you following a breach of unsecured PHI
- Abide by the terms of this Notice while it is in effect
- Not use or disclose your PHI other than as described in this Notice or as otherwise required by law
- Obtain your written authorization before using your PHI in ways not covered by this Notice
Our Minimum Necessary Standard
When using or disclosing PHI, or requesting PHI from another covered entity, we make reasonable efforts to limit PHI to the minimum amount necessary to accomplish the intended purpose of the use, disclosure, or request. This standard does not apply to disclosures to providers for Treatment purposes or to disclosures you have authorized.
Business Associates
We work with third-party service providers (“Business Associates”) who may need access to your PHI to perform services on our behalf. Examples include our hosting infrastructure provider, pharmacy fulfillment partners, laboratory services, and billing systems. We require all Business Associates to enter into written Business Associate Agreements that obligate them to implement appropriate safeguards to protect your PHI and to comply with applicable HIPAA requirements.
Safeguards
We implement administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of your PHI, including:
- Encryption of PHI in transit (TLS/HTTPS) and at rest (AES-256)
- Role-based access controls limiting PHI access to authorized personnel
- Regular risk assessments and security audits
- Staff training on HIPAA Privacy and Security Rules
- Incident response and breach notification procedures
- Secure, HIPAA-compliant cloud infrastructure
Changes to This Notice
We reserve the right to change this Notice and to make the revised Notice effective for PHI we already have about you, as well as any information we receive in the future. We will post the current Notice on our website at byaven.com/hipaa-notice. You may request a copy of any revised Notice at any time.
12. How to File a Complaint / Contact Us
Filing a Complaint With ByAven
If you believe your privacy rights have been violated, you may file a complaint with our Privacy Officer. We will not retaliate against you for filing a complaint.
ByAven LLC — Privacy Officer
30 N Gould St Ste R
Sheridan, WY 82801
United States
Email: privacy@byaven.com
General inquiries: hello@byaven.com
Filing a Complaint With the U.S. Department of Health and Human Services
You also have the right to file a complaint directly with the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS) if you believe your privacy rights under HIPAA have been violated. You will not be penalized or retaliated against for filing a complaint.
U.S. Department of Health and Human Services
Office for Civil Rights — HIPAA Complaints
200 Independence Avenue, S.W.
Washington, D.C. 20201
- Phone: 1-800-368-1019 (toll-free)
- TDD: 1-800-537-7697
- Online: hhs.gov/ocr/complaints
- Mail: Send written complaints to the address above, Attn: Office for Civil Rights
Complaints to HHS OCR must be filed within 180 days of when you knew or should have known that the act or omission complained of occurred. HHS OCR may extend this deadline for good cause.
Questions about this HIPAA Notice? privacy@byaven.com