Notice of Privacy Practices (NPP)

This Notice Describes How Your Medical Information May Be Used and Disclosed, and How You Can Access This Information. Please Review It Carefully.

Effective Date: February 16, 2026 Issued By: PharmAdva, LLC (MedaCube)

Our Role and Legal Duties

PharmAdva, LLC (“PharmAdva,” “MedaCube,” “we,” “us,” or “our”) operates as a business associate under the Health Insurance Portability and Accountability Act (HIPAA) and its related Privacy, Security, and Breach Notification Rules. As a business associate, we do not provide direct healthcare services but instead support covered entities—such as healthcare providers, pharmacies, or U.S. Department of Veterans Affairs (VA) facilities—in managing medication through the MedaCube device and online portal. We handle Protected Health Information (PHI), which includes any information about your health, treatment, or payment for healthcare that identifies you or could reasonably be used to identify you.

We are required to:

Protect the privacy and security of PHI in accordance with our Business Associate Agreements (BAAs) with covered entities, HIPAA regulations, and other applicable laws.
Use and disclose PHI only as permitted by our BAAs, HIPAA, and relevant federal or state laws.
Notify the appropriate covered entity without unreasonable delay (and no later than 60 days) in the event of a breach of unsecured PHI.
Provide this Notice of Privacy Practices (NPP) for transparency, although it is not strictly required for business associates like us.

When applicable, we also comply with additional federal regulations, including:

42 CFR Part 2 for records related to substance use disorder (SUD) diagnosis, treatment, or referral, which impose stricter confidentiality protections than standard HIPAA rules.
Federal requirements for veterans' records, such as those under 38 U.S.C. § 7332 (covering information about drug abuse, alcoholism, HIV, or sickle cell anemia), which may require specific written authorization for disclosures and limit uses more stringently than HIPAA.

MedaCube Use and Intended Users

The MedaCube is a medication dispensing device purchased by adults nationwide, including through VA entities or facilities. It is designed to support medication adherence and dispensing for users of all ages, including children under the supervision of an adult caregiver (e.g., a parent, guardian, or authorized family member).

Data Transmission and Security: Communications between the MedaCube device and our cloud-based systems (including secure environments like AWS GovCloud) use strong encryption. To minimize privacy risks, these transmissions routinely include only a unique device identifier, not full personal details.

· Communication Methods: The device-to-portal connection is secure. However, outbound communications to users or caregivers (such as email, SMS/text messages, or voice calls) are not considered fully secure due to potential access by third-party providers or intermediaries. By providing contact information and consenting to these methods, you acknowledge the risks. We recommend using the secure portal for any sensitive PHI. We may use your contact information to send promotional materials, newsletters, product updates, or invitations to participate in surveys or feedback about your experience with our products and services. We may filter these lists using non-health device metadata (such as whether the device is online or has recently synced) to ensure messages are relevant. You can opt out of marketing emails at any time via the unsubscribe link in any promotional email.

Information We Collect and Handle

We collect and maintain PHI primarily to support medication management services. This may include:

Medication adherence and dispensing records generated by the MedaCube device.
Prescription information shared through the portal or from covered entities.
Other limited health-related parameters if enabled by your provider or caregiver.

This PHI is used to provide, maintain, protect, and improve our services. Non-health personal information (e.g., buyer contact details, shipping addresses, or payment info from purchases) is handled separately under our General Privacy Policy, available at www.medacube.com.

How We May Use and Disclose Your PHI

We may use and disclose PHI without your specific written authorization only as permitted by our BAAs, HIPAA, and applicable law. Common categories include:

Treatment, Payment, and Healthcare Operations (TPO)

Treatment: To coordinate medication dispensing, adherence monitoring, and support with your physicians, pharmacies, authorized caregivers, and other healthcare providers (e.g., sharing adherence data to help adjust prescriptions or treatment plans).
Payment: To assist covered entities with billing, claims processing, or reimbursement activities, if applicable.
Healthcare Operations: For internal activities like quality assessment and improvement, device performance monitoring, care coordination, compliance auditing, accreditation, staff training, and general business management.

To Our Business Associates

We may disclose PHI to our subcontractors or vendors (e.g., cloud providers like AWS GovCloud) who perform services on our behalf. These business associates are required to sign BAAs that obligate them to safeguard PHI and comply with HIPAA (and additional rules like Part 2 or VA requirements, if applicable).

As Required or Permitted by Law

We may disclose PHI without authorization for:

Public health activities (e.g., reporting adverse events or product defects).
Health oversight (e.g., audits or investigations by government agencies).
Law enforcement purposes, as authorized (e.g., in response to a valid warrant or subpoena).
Judicial or administrative proceedings (e.g., court orders).
Reporting abuse, neglect, or domestic violence.
Other legally mandated purposes (e.g., workers' compensation claims, coroner investigations, or national security needs).

Special Protections for Certain Records

Substance Use Disorder (SUD) Records (42 CFR Part 2, if applicable): If we receive or maintain SUD-related records (e.g., diagnosis, treatment, or referral information), they receive additional federal protections. We generally require your written consent for uses or disclosures related to treatment, payment, or healthcare operations (unless a specific exception applies, such as medical emergencies, research under a waiver, or court orders). Disclosures are limited to what Part 2 permits. For minors, consent follows state law regarding parental or guardian involvement. Once disclosed with consent, the recipient may further use or disclose the information as permitted by HIPAA, and it may no longer be protected by Part 2.
Veterans' Records (if applicable): If PHI includes VA-related data or information about conditions like drug abuse, alcoholism, HIV, or sickle cell anemia (from VA purchases, providers, or facilities), stricter federal protections under 38 U.S.C. § 7332 and related regulations apply. These often require specific written authorization for disclosures and impose more limitations than standard HIPAA rules.

With Your Authorization

For any uses or disclosures not described above (e.g., marketing unrelated to our services or sharing with third parties for non-TPO purposes), we will obtain your written authorization. You may revoke this authorization at any time in writing, except to the extent we have already taken action based on it.

De-Identified or Aggregated Data

We may use or disclose de-identified (anonymous) or aggregated (non-personally identifiable) data for purposes like research, analytics, public reporting, or business development without restrictions, as it no longer qualifies as PHI.

Safeguards We Use

We implement comprehensive measures to protect PHI:

Administrative Safeguards: Policies, procedures, employee training, and workforce oversight to ensure compliance and confidentiality.
Physical Safeguards: Secure facilities, device controls, and restricted access to prevent unauthorized physical entry or tampering.
Technical Safeguards: Encryption for data at rest and in transit, access controls (e.g., role-based permissions), audit logging, firewalls, and secure transmission protocols to prevent unauthorized electronic access or breaches.

Access to PHI is limited to a strict "need-to-know" basis. All employees, contractors, and vendors with access are bound by confidentiality agreements and receive regular training. Violations may result in disciplinary action (up to and including termination) and potential civil or criminal penalties under federal and state laws.

Your Rights Regarding Your PHI

To the extent applicable under HIPAA and our BAAs with covered entities, you (or your authorized personal representative) have the following rights, subject to certain limitations:

Right to Access: Request to inspect or obtain copies of your PHI we maintain (in electronic or paper form).
Right to an Accounting of Disclosures: Request a list of certain disclosures of your PHI made in the prior 6 years (or longer for Part 2 records, if applicable).
Right to a Copy of This Notice: Obtain a paper or electronic copy of this NPP at any time.

Special Notes on Minors

The MedaCube may be used by minors (under 18) under adult caregiver supervision. Parents or legal guardians typically serve as the personal representative for unemancipated minors, exercising these rights on their behalf. This is subject to state law exceptions (e.g., when minors can consent to certain care independently, such as reproductive health services, or in cases involving abuse or safety concerns). In limited situations, minors may exercise rights independently under HIPAA or state law.

To exercise these rights, submit a written request to our Privacy Officer (contact details below). We will respond as required by law and coordinate with the relevant covered entity (e.g., your healthcare provider) as needed. We may deny requests in certain cases (e.g., if access could endanger someone), but you have the right to appeal such denials.

Breach Notification

In the event of a breach of unsecured PHI (e.g., unauthorized access or loss), we will notify the affected covered entity(ies) without unreasonable delay and no later than 60 days from discovery. The covered entity is typically responsible for notifying you and the U.S. Department of Health and Human Services (HHS) if required. We will fully cooperate in any investigation or mitigation efforts.

Complaints

If you believe your privacy rights have been violated, you may file a complaint without fear of retaliation by contacting: Privacy Officer PharmAdva, LLC Email: privacy@medacube.com

You may also complain directly to the U.S. Department of Health and Human Services Office for Civil Rights (OCR) at www.hhs.gov/ocr/privacy/hipaa/complaints/.

Changes to This Notice

We reserve the right to update this NPP at any time to reflect changes in our practices or legal requirements. Revised versions will apply to all PHI we maintain, regardless of when it was created or received. We will not reduce your rights under this Notice without your explicit consent where required by law. Updated Notices will be posted on www.medacube.com, and we will make them available upon request.

Questions or More Information

For any questions about this NPP, our privacy practices, or your rights, please contact our Privacy Officer at policy@medacube.com.