
Effective Date: April 9, 2026

Security & Privacy Practices

THIS NOTICE DESCRIBES HOW YOUR CHILD'S HEALTH INFORMATION IS PROTECTED ON OUR PLATFORM AND WHAT SECURITY MEASURES WE HAVE IN PLACE. PLEASE REVIEW IT CAREFULLY.

Who We Are

WellCub operates a cloud-based pediatric patient portal. We are committed to protecting your child's health information using industry-standard security practices. We are actively working toward full HIPAA compliance and aim to execute Business Associate Agreements with healthcare practices.

Our Legal Responsibilities

WellCub is required by law to:

  • Maintain the privacy and security of your child's protected health information (PHI)
  • Provide you with this Notice of our legal duties and privacy practices regarding PHI
  • Notify you following a breach of your child's unsecured PHI (within 60 days federally; within 30 days under Florida law)
  • Follow the terms of this Notice while it is in effect
  • Not use or disclose PHI in ways not described in this Notice without your written authorization
  • Maintain documentation of privacy policies for 6 years from creation or last effective date (45 CFR § 164.530(j))

Your Rights Regarding Health Information

Right to Access Your Records (45 CFR § 164.524)

You have the right to inspect and receive copies of your child's health records maintained in WellCub. Requests will be fulfilled within 30 days (one 30-day extension permitted with written notice). Under HITECH, if records are maintained electronically, you may request an electronic copy. Contact hello@wellcub.com to request records.

Right to Request Amendments (45 CFR § 164.526)

If you believe information in your child's records is incorrect or incomplete, you may request an amendment. We will respond within 60 days (one 30-day extension permitted). We may deny requests when the record is accurate and complete, was not created by WellCub, or is not part of the records available for inspection. Denied requests will include a written explanation and instructions to file a statement of disagreement.

Right to an Accounting of Disclosures (45 CFR § 164.528)

You have the right to receive a list of disclosures of your child's PHI made in the past 6 years, excluding disclosures for treatment, payment, and healthcare operations; disclosures made to you; disclosures made with your authorization; and certain other categories permitted by law. Contact hello@wellcub.com.

Right to Request Restrictions (45 CFR § 164.522(a))

You may request restrictions on certain uses and disclosures of your child's PHI. We are not required to agree to most requests, but we are required to agree to restrict disclosure to a health plan for services you have paid for entirely out-of-pocket (HITECH requirement).

Right to Confidential Communications (45 CFR § 164.522(b))

You may request that we communicate with you using specific methods (e.g., only by email) or at a specific location. We will honor all reasonable requests without requiring you to explain the reason.

Right to a Paper Copy of This Notice

You may request a printed copy of this Notice at any time, even if you previously agreed to receive it electronically. Email hello@wellcub.com or use the print button above.

Right to Opt Out of Fundraising Communications

We do not engage in fundraising. This section is included for completeness under 45 CFR § 164.514(f).

How We May Use and Disclose Health Information

Permitted Uses Without Your Authorization (45 CFR § 164.502)

  • Treatment (45 CFR § 164.506): Sharing your child's information with treating providers, nurses, and administrative staff involved in your child's care.
  • Healthcare Operations (45 CFR § 164.506): Quality assessment, platform improvement using de-identified aggregate data, and training using de-identified case examples.
  • Required by Law: Disclosures required by applicable federal or Florida state law, including mandatory reporting obligations.
  • Public Health Reporting (45 CFR § 164.512(b)): Mandatory reporting of certain communicable diseases (e.g., measles, pertussis) to the Florida Department of Health.
  • Child Abuse Reporting (F.S. § 39.201): Mandatory reporting of suspected child abuse or neglect to the Florida Department of Children and Families (DCF) Abuse Hotline (1-800-962-2873).
  • Serious Threat to Health or Safety (45 CFR § 164.512(j)): Disclosure to prevent or lessen a serious and imminent threat to the health or safety of a person or the public.
  • Appointment Reminders: We may contact you to remind you of upcoming appointments via email. You may opt out of reminder emails at any time.

Uses Requiring Your Written Authorization (45 CFR § 164.508)

We will not use or disclose your child's PHI for the following without your signed authorization:

  • Marketing or advertising communications
  • Sale of PHI to any third party
  • Psychotherapy notes (most uses)
  • Research (unless approved by an Institutional Review Board with a valid waiver of authorization)
  • Any use not described in this Notice

You may revoke any authorization at any time in writing by contacting hello@wellcub.com, except to the extent we have already taken action based on the authorization.

The Three HIPAA Safeguard Categories

Administrative Safeguards (45 CFR § 164.308)

  • Designated Privacy & Security Officer (contact: hello@wellcub.com)
  • Workforce training on HIPAA policies and procedures
  • Annual risk analysis and risk management program
  • Contingency plan for data backup and disaster recovery
  • Business associate agreements with all vendors who handle PHI
  • Audit controls: all access to PHI is logged and reviewed

Physical Safeguards (45 CFR § 164.310)

  • All data stored in SOC 2 Type II certified facilities (via Supabase/AWS us-east-1)
  • No PHI stored on portable devices or local workstations
  • Screen lock and session timeout enforced for all portal sessions

Technical Safeguards (45 CFR § 164.312)

  • Unique user IDs — no shared credentials permitted
  • Automatic session timeout (15 minutes inactivity)
  • AES-256 encryption at rest; TLS 1.3 in transit
  • Audit logs for all PHI access (view, create, update, delete)
  • Row-Level Security (RLS) enforces access control at the database level
  • Emergency access procedure documented in our internal HIPAA policy

HITECH Act — Enhanced Protections (2009, Omnibus Rule 2013)

The HITECH Act extended and strengthened HIPAA. Key provisions that protect you:

  • Business associates (including WellCub) are directly liable for HIPAA violations — not just the covered entity
  • Minimum necessary standard applies to all disclosures — we only share the minimum PHI needed
  • You have the right to receive electronic copies of electronically maintained records
  • Marketing restrictions apply to us the same as to covered entities
  • Civil penalties: $100–$50,000 per violation, up to $1.9M per violation category per year
  • Criminal penalties: up to $250,000 and 10 years imprisonment for willful disclosure with malicious intent

How to Exercise Your Rights

  1. Email hello@wellcub.com with “HIPAA Rights Request” in the subject line
  2. Include your full name, account email, child's name, and a clear description of your request
  3. We will acknowledge receipt within 5 business days and respond within 30 days
  4. For complex requests (e.g., full record export), we may take up to 60 days with written notice

How to File a HIPAA Complaint

You will not be penalized, retaliated against, or denied services for filing a complaint.

Changes to This Notice

We reserve the right to change this Notice. Material changes will be communicated via email at least 30 days before the effective date and will require re-acknowledgment on next login. The current effective date is shown at the top of this page.

Contact Our Privacy Officer

Privacy & Security Officer · WellCub, Inc.
Email: hello@wellcub.com
For medical emergencies: Call 911 — do not email us.
Florida, United States