
Milu Health HIPAA Notice of Privacy Practices

Effective date: July 16, 2025

THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.

At Milu Health, We Take Privacy Seriously

As a healthcare company, we operate in accordance with applicable privacy and data protection laws. Doing so is core to our principles as an organization and our ability to positively impact the lives of our members. We take the trust that you put in us seriously and protect your privacy through our use of policies and data protection technologies for handling your protected health information. If you have any questions or concerns about our privacy practices, please contact us in any of the manners described at the end of this Notice.

Entities and Individuals Covered by this Notice

Milu Health, Inc. (“Milu Health”) offers online medication review, care gap identification and care management services enabling our Members to report their health history and share their healthcare information and engage independent healthcare professionals (“Healthcare Professionals”) to obtain healthcare services to help them better manage their medications and care (“Healthcare Services”). For Healthcare Services, we work with independent licensed providers in the United States who provide asynchronous and synchronous medication review, care gap identification and care management services online. 

This notice (this “Notice”) describes the privacy practices of Milu Health, including:

  • All Healthcare Professionals who provide services to you from Milu Health, including contracted or full-time pharmacists, contracted or full-time registered nurses, or others; and
    ‍
  • All Milu Health employees, contractors, and volunteers with access to your medical records.

These people, entities, and sites may share health information with each other for treatment, payment, or health care operations purposes described in this Notice. In addition, we also use and share your information for other reasons as allowed and required by law.

Your other health care providers and any plan that provides health benefits or insurance to you (“your health plan”) may have different practices or notices about their use and sharing of health information. We encourage you to contact them with any questions about their privacy practices.

If you have any questions about this Notice, you may contact us in any of the manners described at the end of this Notice. We will gladly explain this Notice to you or your family member.

Information Covered by this Notice

Milu Health is regulated by the federal Health Information Portability and Accountability Act of 1996 (“HIPAA”). Regulations under HIPAA establish how we may use and disclose individually identifiable health information about you (“protected health information” or “PHI”) and how we must secure that information.

This Notice applies to all of the PHI we create or receive in connection with the Healthcare Services we provide. For example, if you authorize or engage with our contracted pharmacists to review your medications, we treat all identifiable information that we receive from you in that clinical assessment as PHI governed by this Notice. In other circumstances, we may use and disclose PHI about you while providing certain administrative services to your health plan that is our customer. When this is the case, your health plan’s notice of privacy practices and our agreements with your health plan govern how we can use and disclose that PHI.

Please review our Privacy Policy to learn more about how we handle personal information we collect about you that is not PHI. 

Our Commitment to Your Privacy

We understand that health information about you is private and personal. We are dedicated to maintaining the privacy of your PHI.

We are required by law to maintain the privacy of your PHI and to provide you with notice of our legal duties and privacy practices related to that information. When we use or disclose your PHI, we are required to abide by the terms of this Notice (or any other Notice in effect at the time of the use or disclosure). We will let you know promptly in the event of a breach of your unsecured PHI.

How We May Use and Disclose PHI Without Your Written Authorization

The list below includes examples of ways that we may use and disclose PHI about you without a written authorization from you unless a state or federal law other than HIPAA requires an authorization. If we disclose your PHI as described in this section, the PHI may be subject to redisclosure by the recipient and may no longer be protected by HIPAA. 

  • Treatment. We may use and disclose your PHI to provide treatment to you. For example, we may use or disclose your PHI to provide medication review, care gap identification and care management services to you or disclose it to a physician or other health care provider who may provide treatment to you.
    ‍
  • Payment. We may use and disclose your PHI to obtain or facilitate payment for healthcare services that are provided to you or your dependents. For example, we may disclose PHI to claim and obtain payment from your health plan that pays for your health care. We may also disclose PHI to your other healthcare providers when such PHI is required for them to receive payment for services they render to you.  
    ‍
  • Health Care Operations. We may use and disclose your PHI for our health care operations. For example, we may use or disclose PHI for the operation of our program and technology, training clinical personnel, improving the quality of our platform and services and other internal management functions. We may also disclose your PHI to other healthcare providers or health plans for their health care operations activities.  For example, we may disclose PHI about you to your health plan to enable the health plan’s case management or nurse navigation programs that recommend care options to you.
    ‍
  • Business Associates. We provide some aspects of our Healthcare Services through contracts with service providers that handle PHI on our behalf. These service providers are called “business associates” and include companies that host our platform and provide quality assurance and billing and collection services. We may disclose your PHI to our business associates so that they can perform the jobs that we have asked them to perform. To protect your PHI, we require our business associates to sign written agreements requiring that they appropriately safeguard your PHI and use it only as we permit.
    ‍
  • Communications with Family and Others When You Are Present. Sometimes a family member or other person involved in your care will be present when we are discussing your PHI with you. We may use your PHI or disclose it to a relative, a close friend, or any other person that you identify when you are present for that disclosure or you agree to prior to the disclosure, if we provide you with the opportunity to object to the disclosure and you do not object, or if we reasonably infer that you do not object to the disclosure.
    ‍
  • Communications with Family and Others When You Are Not Present or Are Incapacitated. If you are not present, or you cannot practically agree or object to a use or disclosure because of your incapacity or an emergency, we may exercise our professional judgment to determine whether a disclosure is in your best interest. If we disclose information to a relative, a close friend, or any other person in this context, we will disclose only the information that we believe is directly relevant to that person’s involvement with your health care or health care payment. We may also disclose your PHI in order to notify or assist in notifying these people of your location, your general condition, or your death.
    ‍
  • Threat to Health or Safety. We may use and disclose your PHI when necessary to prevent a serious threat to your health and safety or the health and safety of the public or another person but only to someone who may be able to help prevent that threat, as we determine in good faith.
    ‍
  • Health Information Exchange. We may receive, use, and disclose your PHI through one or more health information exchanges (HIE) with other healthcare organizations for treatment, payment, and/or health care operations purposes. You may opt out of participation by contacting us in any of the manners described at the end of this Notice.
    ‍
  • Public Health Activities. We may disclose your PHI for public health activities, including: (1) to report to public health authorities for the purpose of preventing or controlling disease, injury, or disability; (2) to report child abuse or neglect; (3) to report information about products under the jurisdiction of the U.S. Food and Drug Administration; (4) to notify people who may have been exposed to a disease or may be at risk for contracting or spreading a disease or condition; and (5) to report information to your employer as required under laws addressing work-related illnesses and injuries or workplace medical surveillance.
    ‍
  • Victims of Abuse, Neglect, or Domestic Violence. If we reasonably believe you are a victim of abuse, neglect, or domestic violence, we may disclose your PHI to a governmental authority authorized by law to receive reports of such abuse, neglect, or domestic violence, including a social service or protective services agency.
    ‍
  • Health Oversight Activities. We may disclose your PHI to a health oversight agency for activities authorized by law. One example of a health oversight agency is a state health insurance regulator or Medicaid program. These oversight activities include, for example, audits, investigations, inspections, licensure, and other activities necessary for the government to monitor the health care system, government programs, and compliance with civil rights laws.
    ‍
  • Lawsuits and Administrative Proceedings. We may use and disclose PHI in responding to a court or administrative order, a subpoena, or a discovery request. We may also use and disclose your PHI without your authorization to the extent permitted by law in any other way related to our legal disputes, such as to defend against a lawsuit or in arbitration.
    ‍
  • Law Enforcement Officials. We may disclose your PHI to the police or other law enforcement officials as required or permitted by law, including: (1) in response to a court order, subpoena, warrant, summons, or similar process; (2) to identify or locate a suspect, fugitive, material witness, or missing person; (3) in response to requests about the victim or suspected victim of a crime if, under certain limited circumstances, we are unable to obtain the person’s agreement; (4) about a death we believe may be the result of criminal conduct; (5) about criminal conduct at Milu Health; and (6) in emergency circumstances to report a crime, the location of the crime, or victims or to report the identity, description, or location of the person who committed the crime.
    ‍
  • Coroners and Medical Examiners. We may disclose your PHI to a coroner or medical examiner as authorized by law.
    ‍
  • Organ and Tissue Donation. We may disclose your PHI to organizations that facilitate organ, eye, or tissue procurement, tissue banking, or transplantation.
    ‍
  • Research.  We may use and disclose your PHI for research purposes when an institutional review board or privacy board has waived HIPAA’s authorization requirement.  Under certain circumstances, we may also disclose your PHI to researchers preparing to conduct a research project, for research on decedents, or as part of a data set that omits your name and other information that can directly identify you.
    ‍
  • Specialized Government Functions. We may use and disclose your PHI to units of the government with special functions, such as the U.S. military or the U.S. Department of State, under certain circumstances. 
    ‍
  • Correctional Institutions. If you are an inmate of a correctional institution or under custody of a law enforcement official, we may disclose PHI about you to the correctional institution or the law enforcement official to enable the correctional institution to provide you with health care, to protect your health and safety and the health and safety of others, and to protect the safety and security of the correctional institution.
    ‍
  • Workers’ Compensation. We may disclose your PHI as authorized by and to the extent necessary to comply with state laws relating to workers’ compensation or other similar programs.
    ‍
  • As Required by Law. We may use and disclose your PHI when required to do so by any other law not already referred to above. For example, the Secretary of the Department of Health and Human Services may review our compliance efforts, which may include access to your PHI.

Uses or Disclosures That Require Your Authorization

If we need to use your PHI for reasons that have not been described in the sections above, we will obtain your written permission, which is referred to as an “authorization.” If you authorize us to use or disclose PHI about you, you may revoke that authorization in writing at any time. If you revoke your authorization, we will no longer use or disclose PHI about you for the reasons stated in that written authorization, except to the extent we have already acted in reliance on your authorization. Examples of disclosures that require your authorization include:

  • Special Categories of Treatment Information. Some federal and state laws require your written authorization or the written authorization of your representative for disclosures of substance use disorder treatment, test results for Human Immunodeficiency Virus (HIV) and Acquired Immune Deficiency Syndrome (AIDS), mental health treatment, genetic information, and other information afforded special privacy protections under federal or state laws other than HIPAA. If these laws apply to any PHI about you that we maintain, we will comply with them and obtain your authorization to use or disclose such information unless otherwise permitted by those laws.
    ‍
  • Marketing. We must obtain your written authorization prior to using your PHI to send you any communications that are marketing under HIPAA. For example, HIPAA considers communications about a product or service that encourage you to purchase or use that product or service to be marketing when we are paid to communicate with you about another company’s product or service. 
    ‍
  • Sale of PHI. We must obtain your written authorization prior to any disclosure of PHI that is considered a sale of PHI under HIPAA. 

Your Rights Regarding Your PHI

You have the following rights regarding PHI that we maintain about you. You may exercise these rights by submitting a request in writing on paper, via the messaging feature of your Milu Health account, via an email where we have the means to confirm your identity, or through contacting support@miluhealth.com in a manner that allows our support team to confirm your identity. If you would like your attorney or other legal representative to request PHI about you on your behalf, he or she must request the copy in writing on paper or via email where we have the means to confirm their identity. We reserve the right to reject an online request as inauthentic. You may contact us in any of the manners described at the end of this Notice to obtain additional information about these rights.

  • Right to Request Additional Restrictions. You may request restrictions on our use and disclosure of your PHI for treatment, payment, and health care operations. You may also request restrictions on our use and disclosure of your PHI to relatives, close friends, or other people identified by you and involved with your care or with payment related to your care, or to notify or assist in notifying those individuals regarding your location and general condition. This request must be in writing, and we will send you a written response. While we will consider all requests for additional restrictions carefully, we are not required to agree to a requested restriction except where you request that we not disclose PHI to a health plan, the disclosure is not required by law, and the PHI relates solely to a health care item or service for which you personally have paid in full.
    ‍
  • Right to Receive Confidential Communications. You may request to receive your PHI by alternative means of communication or at alternative locations. For example, you can request that we only contact you at work or by mail. You must make your request in writing. We will accommodate any reasonable request. We note, however, that as our Healthcare Services work best through an online digital platform, a request for alternative communications may negatively impact how you experience the Healthcare Services.
    ‍
  • Inspection and Copies. You may request access to the medical records, billing records, and other PHI about you that we maintain in records used to make decisions about you. Under limited circumstances, we may deny you access to a portion of your records. If you request copies, we may charge you a reasonable copy fee.

  • Right to Amend Your Records. You have the right to request that we amend PHI that we maintain in records used to make decisions about you. If you desire to amend your records, you must submit your request in writing, which may include an email or a message that we believe is from you. We will comply with your request unless we believe that the PHI that would be amended is already accurate or other special circumstances apply. If we deny your request, you will be permitted to submit a statement of disagreement for inclusion in your records.
    ‍
  • Right to Receive an Accounting of Disclosures. You can request a list of certain disclosures of your PHI made by us during any period of time within the six years preceding the date of your request. If you request more than one accounting of disclosures during any 12-month period, we may charge you the costs of fulfilling your request, and we will supply you with an estimate before proceeding.
    ‍
  • Copy of this Notice. You are entitled to a copy of this Notice. You may obtain a copy of this Notice at our website: https://www.miluhealth.com. You may print out a paper copy of this Notice from our website at any time. If you request a paper copy of this Notice, we will mail it to you. 

Changes to this Notice

We may change the terms of this Notice from time to time, but not in a way that would violate HIPAA. Changes will apply to all PHI that we maintain, including PHI that we created or received prior to issuing the new notice. If we change this Notice, we will post the new notice on our website at www.miluhealth.com. You may also contact us in any of the manners described at the end of this Notice to obtain a copy of our current Notice.

Concerns or Complaints

If you desire further information about your privacy rights, if you are concerned that we have violated your privacy rights, or if you disagree with a decision that we made about access to your PHI, you may contact our Privacy Officer in any of the manners described at the end of this Notice. You also may send a written complaint to the U.S. Department of Health and Human Services, Office of Civil Rights (and we can provide you with the office’s current address). We will not take any action against you for filing a complaint.

Contact Us

If you have questions, want to submit a request, have concerns about this Policy or Milu Health’s Privacy Practices, or would like to report a violation, see the contact options below:

You may contact us by mail at:

Milu Health, Inc.
135 West 50th Street,
New York, NY, 10020

You may email us at privacy@miluhealth.com.

‍
