HIPAA Notice

Effective Date: April 21, 2026

Silverforge Holdings LLC, doing business as Compounding Finder (“Compounding Finder,” “we,” “our”), provides a referral and price-comparison service that connects patients and prescribers with licensed compounding pharmacies. This notice explains our role under the Health Insurance Portability and Accountability Act (“HIPAA”), how we handle Protected Health Information (“PHI”), and the rights you have with respect to it.

1. Our Role Under HIPAA

Compounding Finder is not a covered entity under HIPAA. We are not a pharmacy, not a healthcare provider, and do not operate a health plan or healthcare clearinghouse.

In the course of helping patients obtain quotes from our pharmacy partners, we may create, receive, maintain, or transmit PHI on behalf of those pharmacies. To the extent we do so, we operate as a Business Associate as defined at 45 CFR 160.103 and are bound by the Business Associate provisions of the HIPAA Privacy and Security Rules.

We enter into written Business Associate Agreements (“BAAs”) with pharmacy partners whose patients' PHI is routed through our systems, and with any subcontractor that creates, receives, maintains, or transmits PHI on our behalf.

2. Information We Handle

In connection with a quote request, we may collect and transmit:

  • Name, email address, and phone number.
  • ZIP code or shipping state.
  • Medication, dosage, strength, form, and quantity requested.
  • Allergy information provided by the patient.
  • Prescription details provided by the patient or prescriber, when applicable.

We do not collect Social Security numbers, insurance claim data, or diagnostic records. We do not request, collect, or transmit payment card data — all payments occur between the patient and the dispensing pharmacy.

3. How We Use and Disclose PHI

We use and disclose PHI only as permitted by the applicable BAA and by HIPAA, including:

  • To provide the service: routing quote requests to pharmacy partners and returning pharmacy responses to the patient.
  • For operations: customer support, troubleshooting, fraud prevention, audit logging, and service improvement.
  • As required by law: in response to valid legal process, court orders, or governmental requests.

We do not sell PHI, and we do not use or disclose PHI for marketing, advertising, or any purpose that would require an authorization under HIPAA without first obtaining one.

4. Safeguards

We maintain administrative, physical, and technical safeguards designed to protect the confidentiality, integrity, and availability of PHI, including:

  • Access controls limiting PHI to personnel with a need to know.
  • Encryption of PHI in transit over public networks (TLS) and at rest in our production data stores.
  • Authentication and audit logging for systems that access PHI.
  • Written policies governing workforce training, incident response, and secure disposal of data.
  • Periodic review of these controls as our systems evolve.

5. Subcontractors

Certain cloud and infrastructure providers process PHI on our behalf. We execute Business Associate Agreements with any subcontractor whose services involve PHI before PHI is shared with them, and we obtain written assurances that those subcontractors apply substantially the same safeguards required of Compounding Finder.

We do not transmit PHI through any service that has not executed a BAA with us.

6. Breach Notification

If we discover a breach of unsecured PHI, we will notify the affected covered entity (our pharmacy partner) without unreasonable delay and no later than 60 calendar days following discovery, as required by 45 CFR 164.410. The covered entity is then responsible for any required notifications to affected individuals, the U.S. Department of Health and Human Services, and — where applicable — the media.

7. Your Rights

HIPAA gives individuals certain rights over their PHI. These rights are typically exercised through the covered entity that maintains the designated record set (usually your pharmacy or prescriber). To the extent we hold a copy of your PHI as a Business Associate, you may ask us to:

  • Confirm what information we hold about you.
  • Correct information you believe is inaccurate.
  • Delete information that is no longer needed.
  • Restrict certain uses or disclosures, where permitted.
  • Receive an accounting of disclosures we have made, where required by HIPAA.

We will respond to verifiable requests in accordance with our BAAs and applicable law, and will coordinate with the relevant covered entity where appropriate.

8. Retention

We retain PHI only as long as necessary to provide the service, meet our BAA obligations, and satisfy legal retention requirements. When retention is no longer required, PHI is returned to the covered entity or securely destroyed.

9. Changes to This Notice

We may update this notice from time to time to reflect changes in our practices or in applicable law. The “Effective Date” at the top of this page indicates when the notice was last revised.

Contact

To request a Business Associate Agreement, report a potential breach, or ask a question about this notice, contact us at contact@compoundingfinder.com.