VeloMed OS · Legal

HIPAA Notice of Privacy Practices

v1 · Effective 2026-06-28 · Updated 2026-06-28 · EN

Effective notice

THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.

VeloMed Infrastructure Group acts as a Business Associate under 45 CFR § 160.103 to covered entities ("Covered Entity") that deploy the VeloMed OS Platform. This Notice describes VeloMed's privacy practices with respect to Protected Health Information ("PHI"). Where Covered Entity has issued its own Notice of Privacy Practices, that Notice governs the patient relationship; this document supplements it for VeloMed-operated infrastructure.

1. Our obligations

VeloMed is required by law to:

  • Maintain the privacy and security of your PHI in accordance with the HIPAA Privacy Rule (45 CFR Part 164, Subpart E) and Security Rule (Subpart C).
  • Notify Covered Entity following a breach of unsecured PHI within the timelines mandated by 45 CFR § 164.410 (no later than 60 days from discovery).
  • Abide by the terms of the current Notice and any executed Business Associate Agreement ("BAA").

2. Permitted uses & disclosures

We may use or disclose PHI only as permitted by the BAA and HIPAA, including:

2.1 Treatment — to facilitate the delivery of emergency, remote-clinic, and follow-up care by credentialed clinicians.

2.2 Payment — to support Covered Entity in obtaining payment for services, including eligibility verification, claims submission, and remittance posting.

2.3 Health-care operations — for Covered Entity's quality assessment, accreditation, training, audit, and compliance activities.

2.4 Required by law — for public-health reporting, mandatory disease surveillance, and judicial or administrative proceedings.

2.5 De-identification — we may create de-identified data sets in accordance with the Safe Harbor method of 45 CFR § 164.514(b)(2) or the Expert Determination method.

We will not use or disclose PHI for marketing, fundraising, or sale without your written authorisation.

3. Minimum necessary

We apply the minimum-necessary standard (45 CFR § 164.502(b)) through role-based access control, attribute-based segmentation, and field-level masking inside the Platform.

4. Safeguards

Administrative, physical, and technical safeguards include:

  • Workforce HIPAA training and confidentiality undertakings;
  • AES-256 encryption at rest and TLS 1.3 in transit;
  • Multi-factor authentication for all workforce accounts;
  • Continuous audit logging with tamper-evident storage;
  • Documented contingency, disaster recovery, and incident response plans;
  • Annual risk analysis under 45 CFR § 164.308(a)(1)(ii)(A).

5. Your rights with respect to PHI

You generally have the rights set out in 45 CFR § 164.520–528, exercisable through the Covered Entity:

  • Right to inspect and copy PHI in the designated record set;
  • Right to amend inaccurate or incomplete PHI;
  • Right to an accounting of disclosures;
  • Right to request restrictions on certain uses and disclosures;
  • Right to request confidential communications through alternate means or locations;
  • Right to a paper copy of this Notice;
  • Right to be notified of a breach affecting your PHI.

6. Complaints

You may file a complaint with the Covered Entity, with VeloMed at privacy@velomedos.com, or with the U.S. Department of Health & Human Services Office for Civil Rights at www.hhs.gov/ocr/privacy/hipaa/complaints. We will not retaliate against you for filing a complaint.

7. Cross-border applicability

For patients receiving care inside the Kingdom of Saudi Arabia and the GCC, the rights and obligations in the Privacy Policy and Patient Rights take precedence; this Notice applies where the Covered Entity is subject to HIPAA jurisdiction.

8. Subcontractors

Subcontractors that create, receive, maintain, or transmit PHI on our behalf are bound by written agreements imposing protections substantially the same as those in our BAA, consistent with 45 CFR § 164.502(e)(1)(ii).

9. Effective date & changes

This Notice is effective on the date shown above. We reserve the right to change this Notice and to make the revised Notice effective for PHI we already maintain. The current version will always be posted at /Privacy/HIPAA.

10. Contact

  • HIPAA Privacy Officer — privacy@velomedos.com
  • Security Officer — security@velomedos.com
  • Postal — VeloMed Infrastructure Group, Riyadh, Kingdom of Saudi Arabia