HIPAA Notice of Privacy Practices
Effective date: May 1, 2026 · Last updated: May 1, 2026
Important: KiteMD operates as a technology-enabled Management Services Organization (MSO). Clinical services are provided by independently licensed physicians who are covered entities under HIPAA. This notice describes how KiteMD, as a business associate, handles Protected Health Information (PHI) on behalf of those providers.
1. Our Commitment to Your Privacy
KiteMD is committed to protecting the privacy and security of your Protected Health Information (PHI) in accordance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the HITECH Act, and applicable state laws. This notice describes how medical information about you may be used and disclosed, and how you can access this information.
2. What Is Protected Health Information (PHI)?
PHI includes any individually identifiable health information that we create, receive, maintain, or transmit. On the KiteMD platform, this includes:
- Your legal name, date of birth, and contact information submitted during intake
- Health history, current conditions, medications, and allergies
- Photos uploaded as part of the clinical intake
- Clinical decisions (approval or denial) and provider notes
- Messages exchanged between you and your assigned provider
- Subscription and billing information linked to your care
3. How We Protect Your PHI
KiteMD implements the following safeguards:
Technical safeguards
- Encryption at rest: all PHI columns are encrypted with AES-256-equivalent column-level encryption (pgp_sym_encrypt), with keys stored in a hardware-backed vault
- Encryption in transit: all communications use TLS 1.2 or higher
- Access controls: Row-Level Security (RLS) at the database layer ensures that patients can see only their own data, that providers can see only data for patients assigned to them, and that business partners never see PHI
- Authentication: passwordless authentication (OTP + OAuth) with rate limiting and lockout after failed attempts
- Session controls: provider and admin sessions expire after 30 minutes of inactivity
- Signed URLs: patient photos are served only via time-limited signed URLs (7-day expiry)
Administrative safeguards
- Audit logging: every access to PHI, clinical decision, authentication event, and administrative action is recorded in an append-only audit log retained for 6 years
- PHI access justification: administrators must provide a documented reason before viewing any patient's PHI, with a 15-minute scoped access window
- Minimum necessary: business partner dashboards display only masked identifiers (initials, PT-xxx) and aggregate data — never patient names, health history, photos, or messages
- Workforce training: all KiteMD personnel with access to PHI receive HIPAA training
Physical safeguards
- Infrastructure is hosted on Supabase (AWS us-east-1) and Vercel with SOC 2 Type II compliance
- No PHI is stored on local devices or removable media
4. How We Use and Disclose Your PHI
We may use or disclose your PHI for the following purposes:
- Treatment: sharing your intake data with your assigned licensed physician for clinical review and decision-making
- Payment: processing subscription payments and communicating billing status
- Healthcare operations: quality assurance, provider credentialing, and platform improvement
- As required by law: responding to court orders, subpoenas, or regulatory inquiries
- With your authorization: any use not described in this notice requires your written authorization, which you may revoke at any time
5. Business Associate Agreements
KiteMD maintains Business Associate Agreements (BAAs) with all third-party service providers that may access PHI in the course of providing services to the Platform, including:
- Supabase (database, authentication, and storage)
- Stripe (payment processing)
- Resend (transactional email)
- Twilio (SMS delivery)
- Vercel (application hosting)
6. Your Rights Regarding Your PHI
Under HIPAA, you have the right to:
- Access: request a copy of your PHI maintained by KiteMD
- Amendment: request correction of PHI you believe is inaccurate or incomplete
- Accounting of disclosures: request a list of certain disclosures of your PHI
- Restriction: request restrictions on certain uses or disclosures of your PHI
- Confidential communications: request that we communicate with you through alternative means or at alternative locations
- Breach notification: receive notification if your unsecured PHI is breached
To exercise any of these rights, contact our Privacy Officer at privacy@kitemd.com.
7. Data Retention and Deletion
- PHI is retained for the duration of active care plus 6 years for compliance
- Audit logs are retained for a minimum of 6 years in append-only, tamper-resistant storage
- When a patient requests account deletion, a 30-day soft-delete period begins, after which PHI is cryptographically redacted; audit log entries are preserved with anonymized references
8. Breach Notification
In the event of a breach of unsecured PHI, KiteMD will notify affected individuals, the Department of Health and Human Services, and, where required, the media, in accordance with HIPAA Breach Notification Rule requirements (45 CFR §§ 164.400–414). Notification will occur without unreasonable delay and no later than 60 days after discovery of the breach.
9. Complaints
If you believe your privacy rights have been violated, you may file a complaint with KiteMD at privacy@kitemd.com or with the U.S. Department of Health and Human Services Office for Civil Rights. We will not retaliate against you for filing a complaint.
10. Changes to This Notice
We reserve the right to change this notice and make the revised notice effective for PHI we already have as well as any PHI we receive in the future. The current notice will always be available on our website.
11. Contact Information
KiteMD, Inc. — Privacy Officer
Email: privacy@kitemd.com
General: hello@kitemd.com