HIPAA Notice of Privacy Practices

This notice describes how medical information about you may be used and disclosed by Suavo and how you can get access to this information. Please review it carefully.

Effective date: March 21, 2026

1. Who We Are

Suavo (operated by MKM LLC) provides pharmaceutical delivery services connecting pharmacies with certified drivers who deliver prescriptions to patients. As a business associate handling protected health information (PHI) on behalf of covered entities (pharmacies), we are required to comply with the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule.

2. Protected Health Information We Handle

In the course of providing delivery services, we may receive, create, or maintain the following types of PHI: patient name and delivery address, prescription identifiers (Rx number), medication name (encrypted at rest), delivery status and chain-of-custody records, proof-of-delivery photos and signatures, and scheduling or timing information related to prescriptions.

3. How We Use and Disclose PHI

  • Treatment — To facilitate prescription delivery between pharmacies and patients.
  • Payment — To invoice pharmacies for delivery services rendered.
  • Health Care Operations — To manage quality assurance, compliance auditing, and driver training.
  • As Required by Law — To comply with federal, state, or local laws including the California Consumer Privacy Act (CCPA) and California Board of Pharmacy regulations.
  • Business Associates — We share PHI only with subcontractors who have signed a Business Associate Agreement (BAA), including our cloud infrastructure providers.

4. Your Rights Under HIPAA

  • Right to Access — You may request a copy of PHI we maintain about you.
  • Right to Amend — You may request corrections to your PHI if you believe it is inaccurate.
  • Right to an Accounting of Disclosures — You may request a list of certain disclosures we have made of your PHI.
  • Right to Request Restrictions — You may request restrictions on how we use or disclose your PHI, though we are not required to agree.
  • Right to Confidential Communications — You may request that we communicate with you in a specific way or at a specific location.
  • Right to a Paper Copy — You may request a paper copy of this notice at any time.

5. How We Protect PHI

  • Encryption — All PHI is encrypted in transit (TLS 1.3) and at rest (AES-256).
  • Access Controls — Role-based access ensures each user sees only the minimum data necessary for their function. Drivers see patient name and address only — not diagnosis or medical history.
  • Audit Logging — Every access to PHI is logged in an immutable audit trail retained for seven years.
  • Authentication — Multi-factor authentication is required for privileged roles. Biometric authentication (Face ID / Touch ID) is required for driver app access.
  • Session Management — Automatic session timeout enforced (5–30 minutes depending on role and activity).
  • Employee Training — All personnel complete mandatory HIPAA training with a minimum passing score of 80%.
  • Business Associate Agreements — BAAs are in place with all data processors that may access PHI, including AWS, Supabase, Stripe, and Twilio.

6. Breach Notification

In the event of a breach of unsecured PHI, we will notify affected individuals within 60 days of discovery as required by the HIPAA Breach Notification Rule (45 CFR §§ 164.400–414). We will also notify the U.S. Department of Health and Human Services and, where required, the media. Our incident response plan is tested and updated annually.

7. Minimum Necessary Standard

We apply the minimum necessary standard to all uses and disclosures of PHI. Each role within the Suavo platform is configured to access only the data elements required for that role's function. For example, delivery drivers see only the patient's name, delivery address, and package handling requirements — never diagnosis codes, full medical history, or insurance information.

8. California-Specific Rights

California residents have additional rights under the CCPA/CPRA, including the right to know what personal information we collect, the right to delete personal information, the right to opt out of the sale or sharing of personal information (we do not sell PHI), and the right to non-discrimination for exercising these rights. See our Privacy Policy for full details.

9. Changes to This Notice

We reserve the right to change this notice and make the revised notice effective for PHI we already have as well as any we receive in the future. The current version is always available at this URL.

10. Contact Information

To exercise any of your rights, file a complaint, or ask questions about our privacy practices, contact our Privacy Officer:

Privacy Officer: Joshua Henein
Email: privacy@suavollc.com
Security concerns: security@suavollc.com
Phone: (501) 564-4235

You may also file a complaint with the U.S. Department of Health and Human Services Office for Civil Rights. We will not retaliate against you for filing a complaint.