


HIPAA Notice of Privacy Practices for Swell Health and Its Affiliated Covered Entities

Effective date: May 22nd, 2024


The Health Insurance Portability and Accountability Act of 1996 (HIPAA) provides standards for how medical information should be used and disclosed by healthcare providers, health plans, and other covered entities. Swell Health, which operates as an affiliated covered entity under HIPAA, is a health care provider that both directly delivers laboratory and medical services through its personnel as well as contracts with licensed providers to deliver health care services. We provide each of our users with this information and ask each of our users to acknowledge receipt of our HIPAA Notice of Privacy Practices for Swell Health, which discloses our practices for personal information gathering and dissemination. Please note that by registering on the website (the “Site”) or by using the services provided by Swell Health, together with any independent contracted affiliates or affiliated covered entities (together “Swell Health”, “we”, “our” or “us”), you accept the practices described in this Notice of Privacy Practices. If you do not agree to this Notice, please do not use the Site or Swell Health’s services. IF YOU ARE UNDER 13 YEARS OF AGE OR RESIDE OUTSIDE OF THE UNITED STATES, PLEASE DO NOT USE OR ACCESS OUR SITE.

What information do we collect from users and how is it used?

Registration. Before using some of our services, we need you to register with the Site and provide your name, email address, your home address, and other personal details. We request this information for identification purposes, to communicate with you, and to improve the functioning of certain services. In some cases, we (through our service provider) may create biometric information or collect information from third party databases to verify your identity prior to your use of our services. We will ask for your consent prior to creating biometric information. By providing us with your email address, you consent to receiving information from us through the email you provide us, which may include some protected health information which is private to you and protected under HIPAA. For more information on the information we collect, you can also review our Terms of Use and Privacy Policy, which can be found on our website. You may also be asked to complete other forms (e.g. intake forms, medical record unification, informed consent, etc.) depending on the services you choose.

Enrollment Forms. To fully use our offerings, you may need to fill out forms and input information that ask for or contain personal information such as your name, contact information, health, health history, medical providers, and other personal information.

Medical Records. In order for us to get you the best care, we may ask you to provide us with a list of your providers, patient portal information which you may have accessed in the past or will access in the future, and the health systems you’ve visited. We may also ask you for a description of symptoms, a medical history, lifestyle descriptions and information regarding your interest and past experiences at prior health entities, participation in clinical trials and research. In addition, if you see a provider that orders labs through Pluto Health, we will maintain a medical record that contains the details of the care you receive through Pluto Health or its affiliated business associates involved in your care.

Correspondence. If you correspond with us via email, secure message, or text, we may gather in a file specific to you the information that you submit.

Health Recommendations. We will use your information to provide insights regarding your healthcare and recommend services that may assist in your care, such as provider referrals and access to labwork. It is always recommended that you also notify and consult your primary care provider or other relevant health practitioners for any test results, lab work questions or results, health related questions, or changes to your care plans.

Recordings. If you contact our care team by phone or by email, we may record and retain copies of the interaction for, among other things, quality assurance and training purposes. If you access any apps or other services we offer, we may record your interactions with our software or our providers.

We will store the above described categories of information for as long as needed to provide our services, and as required to comply with our legal obligations (including those under HIPAA), resolve potential or actual disputes, improve the quality of our services, or enforce our agreements. Biometric information will be kept no longer than three years. 

How does Swell Health use and disclose protected health information about you that we collect?

We are required to maintain the confidentiality of your protected health information (“PHI”), and we have implemented policies, procedures, and other safeguards to help protect your PHI from improper use and disclosure. We protect your PHI in accordance with HIPAA and all other applicable laws and regulations. Where an applicable state law or any other applicable law or regulation requires more protection for your PHI than HIPAA, we comply with that law or regulation as well.

Below, we describe different ways that we may use your PHI amongst ourselves and disclose your PHI to other persons and entities. We have not listed every possible use or disclosure in the list below, but all of the ways that we may use and disclose PHI fall within one of the categories below. As we describe below, some uses and disclosures will require your specific authorization.

Treatment. We can use your PHI and share it with other professionals or programs that are treating you, such as when you visit a new health care provider or are offered services related to your health by other entities. By using our services, you hereby explicitly consent to the sharing of information like your name, age, gender, problems you are seeking help for, including alcohol and substance use, care preferences, health plan coverage, and progress of your treatment with current and potential providers to promote good outcomes.

Run our Organization. We can use and share your PHI to support our business operations, which include caring for you. This means your information may be shared to run our offerings, improve our offerings to clients, improve your care and the coordination of your care, and contact you when necessary, such as using your PHI to manage your treatment and services.

Billing and Payment. We may use and share your PHI to confirm eligibility for services and to receive and ensure proper payment. For example, we may request your information from your health plan or employer in order to confirm eligibility for laboratory services.

Disclosure at Your Request. If you ask us to send PHI about you to a third party, such as a friend, family member, health care provider, or health care company, we will do so if we believe that your request is authentic. We may ask you to prove your identity before we honor this request. We may need up to 60 days to honor a request like this, depending on the information that you would like us to disclose, but in most cases, we can honor this request in seven or fewer days.

Business Associates. We provide some aspects of our services through contracts with business associates for whom we are legally responsible. Examples of our business associates include companies involved in your care, for secure cloud hosting, management consultants, quality assurance reviewers, identity verification providers, accreditation agencies, and billing and collection services. We may disclose your PHI to our business associates so that they can perform the jobs that we have asked them to perform. To protect your PHI, we require our business associates to sign written agreements requiring that they appropriately safeguard your PHI and use it only as we permit.

Affiliated Covered Entity. Our healthcare company is part of an Affiliated Covered Entity (ACE).  An ACE is a collective designation under HIPAA for a group of legally distinct covered entities that are affiliated. These entities may choose to function as a single entity for compliance with HIPAA regulations. This designation allows for the seamless sharing of your protected health information (PHI) among the affiliated entities for the purposes of treatment, payment, and healthcare operations. As an ACE, our healthcare company may collaborate with Pluto Health, allowing us to provide coordinated care and services to our patients. This designation allows entities to share protected health information (PHI) among themselves facilitating coordinated care and efficient healthcare operations.  ACE arrangements are common among healthcare groups and many health systems that operate nationally, sometimes to maintain compliance with state regulations. (see other health system samples: Cigna and Stanford)

ACE purpose and benefits. The ACE designation enables us to:

  1. Enhance coordination and quality of care.

  2. Improve efficiency in healthcare operations.

  3. Maintain consistent application of privacy and security measures across all entities.

  4. Provide expanded health and health-related services.

  5. Assist in caring for patients for broader access to treatment options and health services.


Information Sharing and Use. As part of our ACE, we may share your personal health information (PHI) with Pluto Health for treatment, payment, and healthcare operations. Pluto Health may assist in providing health services and health-related services, such as, but not limited to, access to laboratory testing, clinical services, and medication delivery. This sharing of information helps us to enhance the quality of care you receive and to operate more efficiently and comprehensively.

This relationship enables us to provide you with comprehensive and coordinated healthcare services while ensuring your information is handled in compliance with HIPAA privacy and security rules. As part of an ACE, we may share your PHI with other entities in the ACE to provide you with coordinated and comprehensive healthcare services. This is done in compliance with HIPAA regulations to ensure your privacy and the security of your health information.

Other Uses. We are allowed or required to share your information in other ways – usually in ways that contribute to your benefit or public good, such as public health and research. We have to meet many conditions in the law before we can share your information for these purposes. For more information see: “Your Rights Under HIPAA”. The following are ways we may share your information:

  • Help with public health and safety issues: We can share health information about you for certain situations such as reporting suspected abuse, neglect, or domestic violence; preventing or reducing a serious threat to anyone’s health or safety; reporting adverse reactions to medications; preventing disease; and helping with product recalls.

  • Do research: When you participate in a research study that involves your treatment, we may disclose your PHI to researchers, provided that you have signed a specific authorization for us to do so or an Institutional Review Board has approved the disclosure in connection with its review and approval of the research proposal and the procedures that the research organization has established to protect the privacy of your PHI.

  • Comply with the law: We will share information about you if state or federal laws require it, including with the Department of Health and Human Services if it wants to see that we’re complying with federal privacy law.

  • Work with a medical examiner or funeral director: We can share health information with a coroner, medical examiner, or funeral director when an individual dies.

  • Help improve your care. For your benefit, we may share information to help optimize care coordination and improve insights into your health related conditions.

  • Address workers’ compensation, law enforcement, and other government requests: We can use or share health information about you for workers’ compensation claims; for law enforcement purposes or with a law enforcement official; with health oversight agencies for activities authorized by law; for special government functions such as military, national security, and presidential protective services.

  • Respond to lawsuits and legal actions: We can share health information about you in response to a court or administrative order, or in response to a subpoena.

You have both the right and the choice to tell us to share your PHI with your family, close friends, or others involved in your care; share your PHI in a disaster relief situation; and other health related functions. If you are not able to tell us your preference, we may go ahead and share your information if we believe it is in your best interest.

We will never share your PHI, unless you give us written permission to. You may revoke or restrict the authorization to disclose your PHI at any time.

We reserve the right to release collected information to law enforcement or other government officials, as we, in our sole and absolute discretion, deem necessary or appropriate.

What are your rights regarding your protected health information?

You have certain rights regarding protected health information that we maintain about you, including rights to:

  • Get an electronic or paper copy of your medical record. You can ask to see or get an electronic or paper copy of your medical record and other health information we have about you. Contact us at the information below to ask us how to do this. We will provide a copy or a summary of your health information, usually within 30 days of your request. We may charge a reasonable, cost-based fee.

  • Ask us to correct your medical and other records. You can ask us to correct health or other information about you that you think is incorrect or incomplete. Contact us at the information below to ask us how to do this. We may say “no” to your request, but we’ll tell you why in writing within 60 days.

  • Request confidential communications. You can ask us to contact you in a specific way (for example, home or office phone) or to send mail to a different address. We will say, “yes” to all reasonable requests.

  • Ask us to limit what we use or share. You can ask us not to use or share certain health information for treatment, payment, or our operations. We are not required to agree to your request, and we may say “no” if it would affect your care.

  • Get a list of those with whom we’ve shared information. You can ask for a list (accounting) of the times we’ve shared your health information for 6 years prior to the date you ask, who we shared it with, and why. We will include all disclosures except for those about treatment, payment, and health care operations, and certain other disclosures (such as any you asked us to make). We’ll provide one accounting a year for free but will charge a reasonable, cost-based fee if you ask for another one within 12 months.

  • Get a copy of this privacy notice. You can ask for a paper copy of this notice at any time, even if you have agreed to receive the notice electronically. We will provide you with a paper copy promptly.

  • Choose someone to act for you. If you have given someone medical power of attorney or if someone is your legal guardian, that person can exercise your rights and make choices about your health information. We will make sure the person has this authority and can act for you before we take any action.

  • File a complaint if you feel your rights are violated. You can complain if you feel we have violated your rights by contacting us using the information below. You can file a complaint with the U.S. Department of Health and Human Services Office for Civil Rights by sending a letter to 200 Independence Avenue, S.W., Washington, D.C. 20201, calling 1-877-696-6775, or visiting “What to Expect”. We will not retaliate against you for filing a complaint.

What are Swell Health’s responsibilities with my information?

We are required by federal law (HIPAA) and state law to maintain the privacy and security of your protected health information. We will let you know promptly if a breach occurs that may have compromised the privacy or security of your protected health information. We must follow the duties and privacy practices described in this notice and give you a copy of it. We will not use or share your information other than as described here unless you tell us we can in writing. If you tell us we can, you may change your mind at any time. Let us know in writing if you change your mind.

How will I know about changes in the Notice of Privacy Practices?

We reserve the right to update this Notice of Privacy Practices from time to time, but we may not change this Notice in a way that would violate HIPAA. Please visit this page periodically so that you can be updated of any changes. The policies indicated in this Notice will remain effective, even if you are no longer using our Site or services.

At times, Swell Health may work with its affiliates or a third party contracted provider to deliver services to you. To the extent that there is a conflict between Swell Health’s Notice of Privacy Practices and that of a third party contracted provider regarding how your PHI will be handled, the Notice of Privacy Practices for Swell Health, Inc will take effect if you signed up directly through Swell, or the Notice of Privacy Practices or Privacy policy of the health care entity you signed up for first will take effect.

How to contact us? If you have questions, or need to reach us for any other reason, you may contact the team at
