HIPAA Privacy Practices

UniversalMed Supply HIPAA Notice of Privacy Practices

Effective Date: March 25, 2026

THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION.

PLEASE REVIEW IT CAREFULLY.

This notice applies to all health information about you that UniversalMed Supply obtains in connection with providing you with durable medical equipment, supplies, and related services.

You may request a paper copy of this Notice at any time, even if you have agreed to receive it electronically. We will provide a paper copy promptly upon request.

If you have any questions about this notice, please contact the UniversalMed Supply’s Security Officer and Compliance Officer at:

Email: privacyofficer@universalmedsupply.com
Mailing Address: UniversalMed Supply, 1329 W Walnut Hill Ln Ste 100, Irving, TX 75038

Our Obligations:

We are required by law to:

Maintain the privacy and security of your protected health information ("PHI");
Provide you with this Notice describing our legal duties and privacy practices;
Follow the terms of this Notice currently in effect;
Notify you promptly if a breach of your unsecured PHI occurs in accordance with applicable federal and state law.

How We May Use and Disclose Your Health Information

The following describes the ways we may use and share your health information without your written authorization.

PERMITTED USES & DISCLOSURES

Treatment

We use PHI to provide you with medical equipment, supplies, and related services. We may disclose PHI to doctors, nurses, technicians, and other personnel involved in your care or healthcare decisions. For example, information provided by your physician will be recorded in your record and used to determine the equipment or supplies that will work best for you. We routinely share information with your healthcare providers to coordinate your care. We may also contact you to provide reminders or information about treatment alternatives or other health-related benefits.

Payment
We use and disclose your PHI to bill and receive payment from you, your insurance company, or other third-party payors. For example, we disclose PHI to make a claim and obtain payment from your health insurer. We may also use and disclose your PHI to verify that your payor will pay for healthcare, including disclosures to eligibility databases.

Healthcare Operations
We use and disclose your PHI to run our business and help ensure you receive quality, cost-effective care. This includes:

Sharing outcomes data with referring hospitals for population health and quality improvement purposes;
Conducting cost-management and business planning activities;
Creating de-identified data (stripped of all identifiers) for analytical purposes;
We use secure technology platforms for remote qualification appointments to ensure the privacy of our clinical discussions;
Disclosing PHI to third-party business associates who help us operate our business, subject to written agreements that protect your PHI.

Contracted Workforce
Our workforce includes authorized contracted employees (such as 1099 intake specialists and delivery drivers). These individuals are bound by the same privacy and security obligations as our regular employees. Access to PHI is limited based on their specific role — intake personnel require broader access than delivery personnel.

Website Tracking Technologies
Our website uses tracking technologies (such as pixels and cookies). Information submitted during your online qualification inquiry may be collected to support our healthcare operations. You have the right to opt out of certain data sharing associated with these technologies; see the State-Specific Addendum for California-specific rights.

DISCLOSURES TO OTHERS

Family Members and Others Involved in Your Care

With your agreement — or when we can reasonably infer your agreement under the circumstances — we may share PHI with a family member, relative, close personal friend, or other person identified by you who is involved in your care or payment for your care. We may only disclose PHI that is directly relevant to their involvement. We may also notify such persons of your location, general condition, or in a disaster relief situation.

Manufacturers and Recalls

We may share your contact information with equipment manufacturers for mandatory warranty registration and product safety recalls as required by law or regulation.

LEGALLY REQUIRED & AUTHORIZED DISCLOSURES

Public Health and Safety Activities

We may share PHI for certain public health activities, including:

Preventing or controlling disease, injury, or disability;
Reporting child abuse or neglect to appropriate authorities;
Reporting adverse events or product defects to the U.S. Food and Drug Administration;
Reporting work-related illness or injuries to employers for workplace safety purposes;
Preventing or reducing a serious and imminent threat to a person’s or the public’s health or safety.

Health Oversight Activities

We may disclose PHI to health oversight agencies for activities authorized by law, such as audits, investigations, and licensure inspections.

Research

We may use or share your PHI for health research, provided that special privacy protections and approval processes by an Institutional Review Board or Privacy Board are followed.

Legal Proceedings

We may share PHI in response to a court or administrative order, subpoena, discovery request, or other lawful process, in accordance with applicable law.

Law Enforcement

We may disclose PHI to law enforcement officials for law enforcement purposes as required or permitted by applicable law, including in response to a court order, grand jury subpoena, or investigative demand.

Workers’ Compensation and Government Functions

We may use or share PHI:

For workers’ compensation claims or similar programs established by law;
With health oversight agencies for activities authorized by law;
For special government functions such as military activities, national security, and presidential protective services;
When required by federal, state, or local law.

Organ and Tissue Donation

We may share PHI with organ procurement organizations and similar entities as necessary to facilitate organ, eye, or tissue donation and transplantation.

Coroner, Medical Examiner, and Funeral Director

We may share PHI with a coroner, medical examiner, or funeral director when an individual dies, as authorized by law and as necessary to carry out their duties.

Abuse, Neglect, or Domestic Violence

We may share PHI to a government authority, including a social service or protective services agency, if we reasonably believe you are a victim of abuse, neglect, or domestic violence. We will only disclose this information to the extent required or permitted by law.

Fundraising

We may contact you for fundraising efforts, but you have the right to opt out of receiving such communications. If you do not wish to be contacted for fundraising, please contact our Privacy Officer via the email or address listed in Section 5 with the subject line ‘Fundraising Opt-Out’.

USES REQUIRING YOUR WRITTEN AUTHORIZATION

Marketing and Sale of PHI

We will never use or disclose your PHI for marketing purposes or sell your PHI without your prior written authorization. Please be aware that we never market or sell personal information.

Highly Confidential Information

Federal and state laws provide additional protections for certain categories of health information. We will abide by the most protective applicable laws for the following categories:

Substance Use Disorder (SUD) Records (42 CFR Part 2): Records relating to substance use disorder treatment that we receive from referral sources are protected under federal law. We will not use or disclose these records in legal proceedings against you without your specific written consent or a valid court order, except as otherwise permitted by law. Information disclosed pursuant to your authorization may be subject to redisclosure by the recipient and may no longer be protected by federal confidentiality protections in some circumstances.;
Reproductive healthcare: PHI related to lawful reproductive healthcare (including maternity supplies) is protected from disclosure to non-healthcare entities for the purpose of investigating or prosecuting such care;
HIV/AIDS status and other communicable diseases;
Mental health and developmental disability records;
Genetic testing results;
Substance abuse treatment records;
Sexual assault, abuse, and family planning services.

We will obtain your specific written authorization before disclosing any of the above categories to the extent required by applicable law.

All Other Uses and Disclosures

All uses and disclosures of your PHI not described in this Notice or otherwise permitted by law will be made only with your prior written authorization. You may revoke an authorization in writing at any time. Upon receipt of your written revocation, we will stop using or disclosing your PHI, except to the extent we have already taken action in reliance on the authorization.

Unencrypted Communications

If you choose to communicate with us via standard SMS text message or unencrypted email, you acknowledge that these channels are not fully secure and carry a risk of unauthorized interception. We recommend using our secure patient portal for sensitive communications. If you request communication by these means, we will accommodate your preference.

Your Rights Regarding Your Health Information

You have the following rights with respect to your PHI. To exercise any of these rights, please submit a written request to our Privacy Officer using the contact information in Section 5.

Right to Access Your Records

You have the right to inspect and obtain a copy of the PHI we maintain about you, including electronic records. You may also direct us to transmit a copy of your PHI to a designated third party.

We will provide access or a copy within 15 business days of receiving your written request (stricter than the federal 30-day standard).
We may deny access in limited circumstances; if denied, you may request that the denial be reviewed.
We may charge a reasonable, cost-based fee for paper copies or certain electronic media (e.g., USB drives), but no fee will be charged for the standard electronic transmission of records to you or your designated third-party application.
A schedule of standard fees for record production is available upon request.

Right to Request Amendment

You have the right to request that we correct PHI about you that you believe is incorrect or incomplete.

Submit your request in writing, explaining why the information should be amended.
We will comply with your request unless we believe the information is accurate and complete or another exception applies.
We will notify you of our determination in writing within 60 days.

Right to Request Restrictions

You may request, in writing, that we restrict how we use or disclose your PHI for treatment, payment, or healthcare operations purposes.

We are not generally required to agree to your request and will notify you of our determination in writing.
Exception — Out-of-Pocket Payment: If you pay for a service or health care item entirely out-of-pocket, you may request that we not disclose that PHI to your health insurer for payment or operations purposes. We must agree to this request unless a law requires us to share that information.

Right to Confidential Communications

You may request that we contact you by specific means (e.g., at a work phone rather than a home phone) or send correspondence to an alternative address, including a specific email address. We will accommodate all reasonable requests.

Right to an Accounting of Disclosures

You may request a list of certain disclosures of your PHI made during the six-year period prior to your request, including who we shared it with and why.

We will include all disclosures except those for treatment, payment, healthcare operations, and certain other disclosures.
We will provide one accounting per year at no charge. We may charge a reasonable, cost-based fee for additional requests within a 12-month period.

Right to Choose a Personal Representative

If you have granted someone medical power of attorney, or if someone is your legal guardian, that person may exercise your rights and make choices about your health information on your behalf. We will verify the authority of any individual claiming to act as your personal representative before taking any action.

Right to a Paper Copy of This Notice

You may request a paper copy of this Notice at any time, even if you have initially agreed to receive an electronic version. We will provide one promptly at no charge.

Right to File a Complaint

See Section 5 for complaint filing instructions. We will never retaliate against you for filing a complaint.

Special Situations

As Required by Law. We will disclose Health Information when required to do so by international, federal, state or local law.

To Avert a Serious Threat to Health or Safety. We may use and disclose Health Information when necessary to prevent a serious threat to your health and safety or the health and safety of the public or another person. Disclosures, however, will be made only to someone who may be able to help prevent the threat.

Business Associates. We may disclose Health Information to our business associates that perform functions on our behalf or provide us with services if the information is necessary for such functions or services. For example, we may use another company to perform billing services on our behalf. All of our business associates are obligated to protect the privacy of your information and are not allowed to use or disclose any information other than as specified in our contract.

Organ and Tissue Donation. If you are an organ donor, we may use or release Health Information to organizations that handle organ procurement or other entities engaged in procurement, banking or transportation of organs, eyes or tissues to facilitate organ, eye or tissue donation and transplantation.

Military and Veterans. If you are a member of the armed forces, we may release Health Information as required by military command authorities. We also may release Health Information to the appropriate foreign military authority if you are a member of a foreign military.

Workers’ Compensation. We may release Health Information for workers’ compensation or similar programs. These programs provide benefits for work-related injuries or illness.

Public Health Risks. We may disclose Health Information for public health activities. These activities generally include disclosures to prevent or control disease, injury or disability; report births and deaths; report child abuse or neglect; report reactions to medications or problems with products; notify people of recalls of products they may be using; a person who may have been exposed to a disease or may be at risk for contracting or spreading a disease or condition; and the appropriate government authority if we believe a patient has been the victim of abuse, neglect or domestic violence. We will only make this disclosure if you agree or when required or authorized by law.

Health Oversight Activities. We may disclose Health Information to a health oversight agency for activities authorized by law. These oversight activities include, for example, audits, investigations, inspections, and licensure. These activities are necessary for the government to monitor the health care system, government programs, and compliance with civil rights laws.

Data Breach Notification Purposes. We may use or disclose your Protected Health Information to provide legally required notices of unauthorized access to or disclosure of your health information.

Lawsuits and Disputes. If you are involved in a lawsuit or a dispute, we may disclose Health Information in response to a court or administrative order. We also may disclose Health Information in response to a subpoena, discovery request, or other lawful process by someone else involved in the dispute, but only if efforts have been made to tell you about the request or to obtain an order protecting the information requested.

Law Enforcement. We may release Health Information if asked by a law enforcement official if the information is: (1) in response to a court order, subpoena, warrant, summons or similar process; (2) limited information to identify or locate a suspect, fugitive, material witness, or missing person; (3) about the victim of a crime even if, under certain very limited circumstances, we are unable to obtain the person’s agreement; (4) about a death we believe may be the result of criminal conduct; (5) about criminal conduct on our premises; and (6) in an emergency to report a crime, the location of the crime or victims, or the identity, description or location of the person who committed the crime.

Coroners, Medical Examiners and Funeral Directors. We may release Health Information to a coroner or medical examiner. This may be necessary, for example, to identify a deceased person or determine the cause of death. We also may release Health Information to funeral directors as necessary for their duties.

National Security and Intelligence Activities. We may release Health Information to authorized federal officials for intelligence, counter-intelligence, and other national security activities authorized by law.

Protective Services for the President and Others. We may disclose Health Information to authorized federal officials so they may provide protection to the President, other authorized persons or foreign heads of state or to conduct special investigations.

Inmates or Individuals in Custody. If you are an inmate of a correctional institution or under the custody of a law enforcement official, we may release Health Information to the correctional institution or law enforcement official. This release would be if necessary: (1) for the institution to provide you with health care; (2) to protect your health and safety or the health and safety of others; or (3) the safety and security of the correctional institution.

Changes to This Notice

We reserve the right to change the terms of this Notice at any time. Any changes will apply to all PHI we maintain, including information created or received before the effective date of the revised Notice. The revised Notice will be:

Posted at our places of service and on our website;
Made available upon request in paper form;
Effective for all PHI that we maintain.

If we make a material change, we will notify you as required by applicable law.

Contact Information and Complaints

Privacy Officer Contact

UniversalMed Supply — Privacy Officer

Address: UniversalMed Supply, 1329 W Walnut Hill Ln Ste 100, Irving, TX 75038

Phone: 972-228-1820

Fax: 972-572-1112

Email: privacyofficer@universalmedsupply.com

Spanish-language assistance is available upon request

How to File a Complaint

If you believe your privacy rights have been violated, you may:

Contact our Privacy Officer: Submit a written complaint to the address or email above.
Contact the U.S. Department of Health and Human Services: File a complaint with the Office for Civil Rights (OCR) by sending a letter to 200 Independence Avenue, S.W., Washington, D.C. 20201, calling 1-877-696-6775, or visiting www.hhs.gov/ocr/privacy/hipaa/complaints/.

We will never retaliate against you for filing a complaint with us or with HHS.

Language Assistance Services

UniversalMed Supply provides free language assistance services to patients whose primary language is not English. Interpreter services and translated materials are available at no cost.

Español (Spanish):

ATENCIÓN: Si habla español, tiene a su disposición servicios gratuitos de asistencia lingüística. Llame al 972-228-1820.

中文 (Chinese): 注意：如果您说中文，我们可免费为您提供语言协助服务。请致电 972-228-1820.

To request language assistance services, please contact our Privacy Officer or customer service department.

STATE-SPECIFIC RIGHTS ADDENDUM

Effective Date: March 25, 2026

UniversalMed Supply serves patients in all 50 states. We comply with all applicable state privacy laws and apply the most protective standard where state law is stricter than HIPAA. If you reside in one of the states listed below, the following additional rights and protections apply to your PHI.

For all states not specifically listed, federal HIPAA standards and the protections in this Notice apply. If you have questions about state-specific rights in your state, please contact our Privacy Officer.

Texas Residents

Texas Health & Safety Code, Chapter 181 (Texas Medical Records Privacy Act / HB 300)

15-Business-Day Access: We will provide you with access to your electronic health records within 15 business days of receiving your written request.
Data Sovereignty: All electronic health records containing the PHI of Texas residents are physically maintained on secure servers located within the United States.
Employee Training: Every employee and contractor receives specific training on Texas state privacy laws within the first 60 days of employment or engagement.
Broader Coverage: Texas law applies to all entities that handle PHI, not just HIPAA-covered entities. We comply with Texas law in all relevant business activities.

California Residents

California Confidentiality of Medical Information Act (CMIA); California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA)

Private Right of Action: Under the CMIA, you may have the right to seek legal damages if your PHI is negligently disclosed.
Right to Opt Out of Data Sharing: We do not sell your PHI; however, website tracking technologies may share limited data as defined by state law, and you have the right to request that we do not “sell” or “share” your personal information for cross-context behavioral advertising, including information collected through cookies or pixels, by contacting our Privacy Officer.
Sensitive Data Protections: California law requires separate, explicit written authorization for the release of certain sensitive information, including genetic testing results and specific mental health records, unless otherwise permitted by law.
Right to Know and Delete: Under CCPA/CPRA, you have the right to request disclosure of the categories of personal information we collect, the right to request deletion of your personal information (subject to certain exceptions), and the right to correct inaccurate personal information.
Non-Discrimination: We will not discriminate against you for exercising any of your California privacy rights.

Florida Residents

Florida Information Protection Act (FIPA); Florida Medical Records Law

Expedited Breach Notification: In the event of a data breach affecting your PHI or personal information, we will notify you and the Florida Department of Legal Affairs within 30 days of our discovery of the breach — stricter than the federal 60-day HIPAA standard.
Medical Records Access: Under Florida law, you have the right to access and obtain copies of your medical records within a reasonable time.

Other States — General Principles

While we do not enumerate every state law here, UniversalMed Supply is committed to complying with all applicable state privacy and medical records laws in the states where we operate. For states with stricter requirements than HIPAA (including but not limited to New York, Illinois, Washington, Colorado, and Virginia), we apply the more protective standard. Key principles we follow in all states include:

Applying the more stringent of federal or state law in all cases;
Providing special protections for sensitive categories (mental health, SUD, reproductive health, HIV, genetics) as required by state law;
Honoring state-specific breach notification timelines where stricter than federal requirements;
Respecting state-specific rights to access, correct, and restrict use of your health information.

Contact our Privacy Officer to inquire about specific rights applicable in your state.

Special Protections for Sensitive Information — All States

Regardless of state of residence, the following heightened protections apply to all patients:

Substance Use Disorder (SUD) — 42 CFR Part 2: SUD records we receive from referral sources will not be used in any legal proceedings against you without your specific written consent or a court order.
Reproductive Healthcare: PHI related to lawful reproductive healthcare is protected from disclosure to non-healthcare entities for the purpose of investigating or prosecuting such care.
Mental Health Records: We will apply the most protective applicable state or federal standard before disclosing mental health records.
Genetic Information: We will not disclose genetic testing results without specific written authorization except as required by law.