Your health information is protected.
This notice describes how TFC Pharmacy & Compounding may use and disclose your Protected Health Information (PHI), and how you can access it. We're required by law to follow the terms of the most current notice in effect.
At a glance
If you'd rather not read 9 pages of HIPAA language, here's the short version.
- We collect only the health information we need to fill your prescriptions, bill your insurance, and provide pharmacist care.
- We share PHI only with your prescriber, your insurer, and entities you authorize. Never with marketers. Never for advertising.
- You have the right to see, copy, correct, and request restrictions on your PHI — and to know who we've shared it with.
- Our data is encrypted at rest and in transit, stored in HIPAA-compliant systems, and accessed only by trained, authorized TFC staff.
- If anything ever goes wrong, we'll notify you within 60 days as required by law.
What we collect
To dispense medications safely and legally, we collect and maintain the following categories of information about you:
How we use it
HIPAA permits us to use your PHI without your explicit authorization for the following:
Treatment
To fill your prescriptions, check for drug interactions, prepare compounded medications, and consult with your prescriber about your therapy.
Payment
To bill your insurance, submit prior authorizations, and collect payment.
Operations
To maintain our pharmacy records, train our staff, manage our facility, and improve the quality of care we provide.
HIPAA distinguishes between disclosures we're required to make (e.g. to the patient or HHS upon request) and those we're permitted to make without authorization (treatment, payment, operations). For anything outside those categories, we ask you first.
When we share your information
We may disclose your PHI without your authorization in these specific situations, all defined by HIPAA:
- To your prescriber — drug therapy issues, adherence reports, prior-auth coordination.
- To your insurer — to process claims and submit prior authorizations.
- To public health authorities — to report vaccinations, communicable diseases, or adverse drug events as required by law.
- To the FDA — for medication safety reporting.
- For law enforcement — only when compelled by court order, subpoena, or warrant, and only the minimum necessary.
- To family / caregivers — only those you've authorized in writing or who are listed as your healthcare proxy.
- To LTC facilities — for residents we serve, to fulfill orders and coordinate care, with a Business Associate Agreement in place.
- To Business Associates — vendors who help us operate (e.g. e-MAR integration providers), only under signed BAAs that bind them to the same privacy standards.
What we never do
- We never sell your PHI to anyone for any reason.
- We never use your PHI for marketing without your explicit written authorization.
- We never share your information with social media platforms or ad networks.
- We never use your information to make decisions about your insurance eligibility or pricing.
- We do not use third-party advertising trackers (Facebook Pixel, Google Ads conversion, etc.) on pages where PHI may be discussed.
Your rights
Under HIPAA, you have eight specific rights regarding your PHI:
- Right to inspect and copy. You may review and request copies of your record. We respond within 30 days; we may charge a reasonable copy fee per California law.
- Right to amend. If you believe information is incorrect, you may request a correction in writing.
- Right to an accounting of disclosures. You may request a list of when we've disclosed your PHI (other than for treatment/payment/operations) in the last six years.
- Right to request restrictions. You may ask us to limit how we use or disclose information. We will accommodate reasonable requests where possible.
- Right to confidential communications. You may ask us to contact you only at a specific phone, address, or time.
- Right to a paper copy of this notice. Always. On request, no charge.
- Right to opt out of fundraising and certain communications. (We don't fundraise — but the right exists.)
- Right to file a complaint. See contact section below.
How we keep it safe
The technical and administrative safeguards we maintain:
- Encryption at rest (AES-256) and in transit (TLS 1.3).
- Multi-factor authentication on all staff accounts; 2FA required for prescribers and facilities.
- Audit logs of every PHI access, retained for seven years.
- Annual HIPAA training for all staff, with documented completion.
- Background checks for everyone with PHI access.
- Vendor BAAs with every third-party service that touches PHI.
- Physical safeguards — locked cabinets for paper records, secure shredding, controlled access to the pharmacy back-of-house.
- Tested incident response plan reviewed annually.
Breach notification
If a breach of unsecured PHI affecting you ever occurs, we will notify you in writing within 60 days of discovery, as required by the HIPAA Breach Notification Rule (45 CFR §§ 164.400–414). The notification will include what happened, what information was involved, what we're doing about it, and what you can do to protect yourself.
Changes to this notice
We reserve the right to change this notice. Any new terms apply to all PHI we maintain — including information we collected before the change. The current version is always posted at tfcpharmacy.com/privacy, with a "last revised" date at the top. You can request a paper copy of the current notice any time.
Questions, requests, or complaints
To exercise any of your rights or file a complaint with TFC, contact our Privacy Officer.
Privacy Officer
For HIPAA-related requests, complaints, and any question about how your information is handled.
Attn: Privacy Officer
4914½ W Slauson Ave
Los Angeles, CA 90056