Karpa Health LLC ("Karpa," "we," "us," "our") is a healthcare technology company headquartered in Tampa, Florida that facilitates access to licensed healthcare providers for telehealth consultations and health optimization services. We are committed to protecting the privacy of our members ("you," "your") and complying with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and applicable state privacy laws.
Privacy Officer Contact: Email: [email protected] Phone: (813) 590-4462 Address: Tampa, FL 33603
"Protected Health Information" (PHI) is individually identifiable health information that relates to your past, present, or future physical or mental health, the provision of healthcare to you, or the payment for such care. PHI includes information in any form — written, electronic, or oral.
We collect PHI that you provide, including:
We use and disclose your PHI only as permitted or required by law. Primary uses include:
Treatment: Sharing your PHI with affiliated Providers to facilitate your consultations and care coordination.
Payment: Sharing your PHI with payment processors (e.g., Stripe) and, where applicable, with payers, to process charges for services rendered.
Healthcare Operations: Using PHI for quality improvement, auditing, compliance monitoring, and Provider credentialing activities.
Required by Law: Disclosing PHI when required by federal or state law, including to public health authorities, law enforcement (in limited circumstances), or the Department of Health and Human Services (HHS) for compliance investigations.
Business Associates: We share PHI with third-party vendors ("Business Associates") who assist in our operations — including our patient relationship management platform and communications tools — under written Business Associate Agreements (BAAs) that require them to protect your PHI to the same standard we do.
We do not sell your PHI. We do not use your PHI for marketing purposes without your separate written authorization.
You have the following rights regarding your PHI:
Right to Access: You may request a copy of your PHI held by Karpa or affiliated Providers. Requests will be fulfilled within 30 days. We may charge a reasonable fee for copies.
Right to Amend: If you believe PHI in your record is incorrect or incomplete, you may request an amendment. We may deny the request if we determine the record is accurate.
Right to an Accounting of Disclosures: You may request a list of disclosures of your PHI made by Karpa, other than disclosures for treatment, payment, or healthcare operations.
Right to Request Restrictions: You may request restrictions on how we use or disclose your PHI. We are not always required to agree to your request, but we will consider it.
Right to Receive Confidential Communications: You may request that we contact you in a specific way (e.g., by email only) or at a specific location.
Right to Receive a Notice of Privacy Practices: You have the right to receive a paper copy of this Notice upon request.
Right to Opt Out of Fundraising: We do not currently conduct fundraising campaigns. If we do in the future, you will have the right to opt out.
To exercise any of these rights, contact our Privacy Officer at [email protected].
We implement administrative, physical, and technical safeguards to protect your PHI from unauthorized access, use, or disclosure, including:
In the event of a breach of unsecured PHI, we will notify affected individuals without unreasonable delay and within 60 days of discovery, as required by HIPAA's Breach Notification Rule. Notification will include a description of the breach, the types of information involved, steps you should take to protect yourself, and steps we are taking to investigate and mitigate the breach.
We retain PHI for a minimum of seven (7) years from the date of service, or as otherwise required by applicable state law. When PHI is no longer needed, it is securely destroyed.
If you believe your privacy rights have been violated, you may file a complaint with:
Karpa Health Privacy Officer: [email protected]
U.S. Department of Health and Human Services, Office for Civil Rights: https://www.hhs.gov/hipaa/filing-a-complaint
You will not be retaliated against for filing a complaint.
We reserve the right to change the terms of this Notice at any time. Updated versions will be posted at withkarpa.com/hipaa and will apply to all PHI we maintain. If we make a material change, we will notify you by email.
This HIPAA Notice of Privacy Practices is effective as of June 1, 2026.