Privacy Policy & Notice of Privacy Practices
Who We Are
Elizabeth Figa DO PLLC, operating under the name Verasana, is a multi-state telemedicine practice providing functional and longevity medicine services to patients located in the states addressed in the State-Specific Provisions section of this policy. We are a covered entity under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its implementing regulations.
Our designated Privacy Officer is Gian Tricomi, DO. Contact information for our Privacy Officer is provided in the Contact & Complaints section of this policy.
This policy governs the privacy practices of Elizabeth Figa DO PLLC d/b/a Verasana, including all physicians, staff, and business associates acting on our behalf.
HIPAA Notice of Privacy Practices
We are required by law to maintain the privacy of your protected health information (PHI), to provide you with this Notice of our legal duties and privacy practices with respect to PHI, and to notify you following a breach of unsecured PHI. We are required to abide by the terms of this Notice currently in effect.
What Is Protected Health Information?
Protected health information (PHI) is individually identifiable health information that we create, receive, maintain, or transmit in connection with providing health care services. This includes information about your health conditions, treatment, medications, lab results, and payment for health care services, combined with information that identifies you or could reasonably be used to identify you.
Permitted Uses and Disclosures Without Your Authorization
We may use and disclose your PHI without your written authorization for the following purposes:
Treatment. We may use and disclose your PHI to provide, coordinate, or manage your health care and any related services. For example, we may share your medical records with a specialist to whom we refer you, or with a pharmacist filling your prescription.
Payment. We may use and disclose your PHI to obtain payment for your health care services. For example, we may submit claims to your insurance carrier or process your credit card payment through our payment processor.
Health Care Operations. We may use and disclose your PHI for our health care operations, including quality assessment and improvement activities, training, licensing, and administrative functions necessary to operate our practice.
As Required by Law. We will disclose your PHI when required to do so by federal, state, or local law, including in response to a court order, subpoena, or law enforcement request made in compliance with HIPAA.
Public Health Activities. We may disclose your PHI to public health authorities authorized to receive such information for activities including disease surveillance, vital statistics reporting, and FDA safety reporting.
Health Oversight Activities. We may disclose your PHI to health oversight agencies for activities authorized by law, such as audits, investigations, and inspections by state medical boards or the Department of Health and Human Services.
Judicial and Administrative Proceedings. We may disclose your PHI in response to a court order, subpoena, or discovery request, subject to applicable legal protections.
Law Enforcement. We may disclose your PHI to law enforcement officials under circumstances permitted by HIPAA, including to identify or locate a suspect, to report a crime, or in emergencies.
Serious Threat to Health or Safety. We may use or disclose your PHI to prevent or lessen a serious and imminent threat to the health or safety of a person or the public.
Workers' Compensation. We may disclose your PHI as authorized by and to the extent necessary to comply with workers' compensation laws.
Uses and Disclosures Requiring Your Written Authorization
The following uses and disclosures will be made only with your written authorization, which you may revoke at any time in writing:
- Most uses and disclosures of psychotherapy notes
- Uses and disclosures of PHI for marketing purposes
- Sales of PHI
- Any other uses or disclosures not described in this Notice
We do not sell your protected health information.
Information We Collect
Information You Provide Directly
- Full name, date of birth, address, phone number, email address
- Government-issued identification
- Health history, current medications, allergies, and symptoms submitted via intake questionnaire or during clinical encounters
- Laboratory results, diagnostic imaging, and prior medical records you upload or authorize us to receive
- Insurance information and payment information
- Communications with our providers and staff via secure messaging, phone, or video
Information Generated During Care
- Clinical notes, diagnoses, treatment plans, and prescriptions created by your provider
- Records of telehealth encounters, including date, time, and modality (video, audio, store-and-forward)
- Prescription records submitted to pharmacies
- Laboratory orders and results
Information Collected Automatically
- IP address and approximate geographic location
- Browser type, device type, and operating system
- Pages visited on verasana.life, session duration, and referral source
- Cookie and tracking data as described in the Website & Cookie Data section of this policy
How We Use and Share Your Information
Third-Party Vendors
We share your PHI with vendors who assist us in providing care and operating our practice. All vendors who receive PHI have executed Business Associate Agreements (BAAs) with us and are contractually required to safeguard your information in compliance with HIPAA. These vendors include our electronic health records platform, telehealth video platform, laboratory partners, compounding and retail pharmacies, and payment processors.
No Sale of PHI
We do not sell, rent, or trade your protected health information to any third party for any purpose, including marketing or advertising.
No Marketing Use Without Authorization
We do not use your PHI for marketing communications without your explicit written authorization. General practice newsletters or health information communications that do not involve your specific PHI are not subject to this restriction.
Minimum Necessary Standard
When using or disclosing your PHI, we make reasonable efforts to limit access to the minimum amount necessary to accomplish the intended purpose.
Your Rights
You have the following rights with respect to your protected health information. To exercise any of these rights, contact our Privacy Officer using the information in the Contact & Complaints section of this policy.
You have the right to inspect and obtain a copy of your PHI held in our records. We will provide access within 30 days of your request; if we need more time, HIPAA permits one extension of up to 30 additional days, and we will notify you in writing of the reason for the delay. A reasonable cost-based fee may apply for copies.
You have the right to request that we amend PHI you believe is inaccurate or incomplete. We may deny the request under certain circumstances and will explain our decision in writing.
You have the right to request restrictions on certain uses and disclosures of your PHI. We are not required to agree to all requests but will honor restrictions we do accept.
You have the right to receive an accounting of certain disclosures of your PHI made in the six years prior to your request, other than disclosures for treatment, payment, and operations.
You have the right to request that we communicate with you about your health care through alternative means or at alternative locations if the standard method creates a risk for you.
Where you have provided written authorization for a use or disclosure, you have the right to revoke that authorization at any time in writing. Revocation does not apply to actions already taken.
You have the right to receive a paper copy of this Notice upon request, even if you have agreed to receive it electronically.
You have the right to file a complaint with us or with the U.S. Department of Health and Human Services Office for Civil Rights if you believe your privacy rights have been violated. You will not be retaliated against for filing a complaint.
To file a complaint with HHS OCR: ocrportal.hhs.gov/ocr/portal/lobby.jsf or call 1-800-368-1019.
Our Duties
We are required by law to:
- Maintain the privacy and security of your protected health information
- Provide you with this Notice of our privacy practices
- Abide by the terms of this Notice currently in effect
- Notify you following a breach of your unsecured PHI as required under the HITECH Act and the HIPAA Breach Notification Rule. We will notify affected individuals in writing without unreasonable delay and in no case later than 60 days after we discover the breach. Breaches affecting 500 or more individuals are also reported to the Secretary of Health and Human Services at the time individuals are notified and, where required, to prominent media outlets; breaches affecting fewer than 500 individuals are logged and reported to the Secretary within 60 days after the end of the calendar year in which they were discovered.
We reserve the right to change the terms of this Notice. We will post the revised Notice on our website and make it available to you upon request. Changes will apply to PHI we already hold as well as PHI we receive in the future.
Data Security
We maintain a comprehensive information security program in compliance with the HIPAA Security Rule (45 CFR Parts 160 and 164) encompassing the following safeguards:
Technical Safeguards
- PHI transmitted electronically is encrypted in transit using TLS (HTTPS for web and patient portal traffic)
- PHI stored in HIPAA-compliant systems with encryption at rest
- Patient portal access protected by unique credentials and session timeouts
- Telehealth encounters conducted via HIPAA-compliant video platform covered by a Business Associate Agreement
- PHI not transmitted via unsecured email
Administrative Safeguards
- Business Associate Agreements executed with all vendors handling PHI
- PHI access limited to treating providers and necessary staff on a minimum-necessary basis
- Annual HIPAA privacy and security training completed by all workforce members
- Designated Privacy and Security Officer: Gian Tricomi, DO
- Written incident response and breach notification plan in place
Physical Safeguards
- Devices accessing PHI use full-disk encryption, password protection, and automatic screen lock
- PHI not accessed over unsecured public networks
- Physical records and decommissioned electronic media disposed of in compliance with HIPAA standards
State-Specific Provisions
In addition to HIPAA, our privacy practices comply with the applicable privacy laws of each state in which we provide services. Where state law affords greater privacy protections than HIPAA, the more protective state standard applies. The following provisions address specific requirements in our licensed states.
California Confidentiality of Medical Information Act (CMIA), Cal. Civ. Code § 56 et seq. California law provides additional protections for your medical information beyond HIPAA. We will not disclose your medical information without your written authorization except as permitted by California law. Under California's patient access law (Cal. Health & Safety Code § 123110), you have the right to inspect your medical records within 5 working days of a written request and to receive copies within 15 days of a written request.
California Consumer Privacy Act (CCPA) / California Privacy Rights Act (CPRA). California residents have the following additional rights with respect to personal information:
- Right to Know: You have the right to know what categories of personal information we collect, the purposes for which it is used, and whether it is shared with third parties.
- Right to Delete: You have the right to request deletion of personal information we have collected, subject to certain exceptions including our legal obligations to retain health records.
- Right to Correct: You have the right to request correction of inaccurate personal information.
- Right to Opt Out of Sale or Sharing: We do not sell or share your personal information for cross-context behavioral advertising. No opt-out action is required.
- Right to Non-Discrimination: We will not discriminate against you for exercising your California privacy rights.
Categories of personal information collected: Identifiers; medical and health information; financial and payment information; internet and electronic activity; geolocation data (approximate). Purpose: Provision of telehealth services, clinical care, payment processing, and practice operations. Retention: Medical records retained for a minimum of 10 years from the date of service or 7 years following the age of majority for minor patients, per California law. To exercise California privacy rights, contact our Privacy Officer.
Oregon's medical records law (ORS § 192.553 et seq.) provides patients the right to access and receive copies of their medical records. We will provide copies within 30 days of a written request. A reasonable fee may apply.
Under the Oregon Consumer Privacy Act (OCPA), effective July 1, 2024, Oregon consumers have rights to access, correct, delete, and obtain a portable copy of personal data we process. PHI subject to HIPAA is exempt from OCPA; however, to the extent we process personal data outside of HIPAA's scope, we comply with OCPA requirements. To exercise Oregon privacy rights, contact our Privacy Officer.
Hawaii law (Haw. Rev. Stat. § 622-57 and § 323C) provides patients the right to access and obtain copies of their medical records. We will respond to medical record requests within a reasonable time. Hawaii's Uniform Health Care Information Act governs the disclosure of health care information and imposes restrictions on disclosure without patient authorization consistent with or exceeding HIPAA's requirements. We comply with all applicable Hawaii health information privacy statutes.
Under the Colorado Privacy Act (CPA), C.R.S. § 6-1-1301 et seq., Colorado consumers have the right to access, correct, delete, and obtain a portable copy of personal data we process. PHI subject to HIPAA is exempt from the CPA; however, to the extent we process personal data outside of HIPAA's scope, we honor CPA consumer rights. Colorado consumers also have the right to opt out of the processing of personal data for targeted advertising and the sale of personal data. We do not engage in these activities. To exercise Colorado privacy rights, contact our Privacy Officer.
Missouri law (RSMo § 191.227) provides patients the right to access and obtain copies of their medical records within a reasonable time of written request. We comply with Missouri's medical records access requirements and all applicable Missouri health information privacy statutes. Reasonable copy fees may apply consistent with Missouri law.
Under the Indiana Consumer Data Protection Act (INCDPA), effective January 1, 2026, Indiana consumers have rights to access, correct, delete, and obtain a portable copy of personal data. PHI subject to HIPAA is exempt. To the extent we process personal data outside of HIPAA's scope, we comply with INCDPA requirements. Indiana patients have the right to access their medical records under Indiana law (Ind. Code § 16-39-1 et seq.) within 30 days of a written request.
Florida law (Fla. Stat. § 456.057) governs the ownership and release of patient records by health care practitioners. You have the right to access and receive copies of your records within a reasonable time. We comply with Florida's patient records statutes and the Florida Information Protection Act (FIPA) (Fla. Stat. § 501.171) regarding the security and breach notification requirements for personal information. In the event of a breach of your personal information, we will notify you in compliance with Florida's breach notification requirements.
Under the Texas Medical Records Privacy Act (Tex. Health & Safety Code § 181.001 et seq.), we are required to maintain the privacy of your protected health information and are prohibited from disclosing it without your written authorization except as permitted by Texas law. Texas law provides additional protections for sensitive health information including mental health records, HIV/AIDS status, and substance use disorder information. You have the right to access and obtain copies of your medical records from a physician under Texas law (Tex. Occ. Code § 159.006) within 15 business days of a written request. Reasonable fees may apply.
Under New York Public Health Law § 18, you have the right to access and obtain copies of your medical records within 10 days of a written request. A reasonable fee may apply.
The New York SHIELD Act (NY Gen. Bus. Law § 899-bb) requires us to implement and maintain reasonable safeguards to protect the security, confidentiality, and integrity of private information of New York residents. In the event of a breach of your private information, we will notify you in the most expedient time possible and without unreasonable delay, consistent with New York law. New York law also affords special protections for HIV-related information (NY Pub. Health Law § 2780 et seq.) and mental health records, which require specific authorization before disclosure.
Vermont law (18 V.S.A. § 9419) provides patients the right to access and receive copies of their medical records within 30 days of a written request. Vermont's Security Breach Notice Act (9 V.S.A. § 2435) requires notification to affected Vermont residents in the event of a breach of personal information within 45 days of discovery. We comply with all applicable Vermont health information privacy and security statutes.
Pennsylvania law (28 Pa. Code § 115.28 and § 103.22) provides patients the right to access and obtain copies of their medical records within 30 days of a written request. Pennsylvania's Breach of Personal Information Notification Act (73 P.S. § 2301 et seq.) requires notification to affected Pennsylvania residents in the event of a breach of personal information without unreasonable delay. We comply with all applicable Pennsylvania health information privacy and security statutes.
Ohio law (ORC § 3701.74) provides patients the right to access and obtain copies of their medical records within a reasonable time of written request. Ohio's data protection act provides safe harbor provisions for businesses that implement recognized cybersecurity frameworks. Ohio's breach notification statute (ORC § 1349.19) requires notification to affected Ohio residents in the most expedient time possible following discovery of a breach. We comply with all applicable Ohio health information privacy and security statutes.
Michigan law (MCLA § 333.26265 and § 333.16213) provides patients the right to access and obtain copies of their medical records within 30 days of a written request. Reasonable fees may apply. Michigan's Identity Theft Protection Act (MCLA § 445.63 et seq.) governs breach notification requirements; we will notify affected Michigan residents in the most expedient time possible following discovery of a breach of personal information. Michigan law also affords specific protections for mental health records and substance use disorder records. We comply with all applicable Michigan health information privacy and security statutes.
Website & Cookie Data
Our website verasana.life uses cookies and similar tracking technologies to support site functionality and analyze usage. We do not use cookies to collect protected health information or to serve targeted advertising based on your health status.
Types of Cookies We Use
- Essential cookies: Required for the site to function, including session management and security features. Cannot be disabled.
- Analytics cookies: Help us understand how visitors use the site, including pages visited and session duration. We use this data in aggregate form only.
Third-Party Analytics
We may use third-party analytics services (such as Google Analytics) that collect information about your use of our site. These services are subject to their own privacy policies. IP addresses collected via analytics are anonymized where technically feasible.
Do Not Track
Our website does not currently respond to browser Do Not Track signals. If you prefer not to be tracked via analytics cookies, you may use your browser settings to block or delete cookies.
Changes to This Policy
We reserve the right to change the terms of this Privacy Policy and Notice of Privacy Practices at any time. Material changes will be posted on this page with an updated effective date. We will make the revised Notice available to you upon your next visit or upon request. Changes to our Notice of Privacy Practices will apply to PHI we already hold as well as information we receive in the future.
We encourage you to review this policy periodically. Your continued use of Verasana services following a posted change constitutes your acknowledgment of the updated policy.
Contact & Complaints
To exercise any of your privacy rights, submit a records request, file a complaint, or ask questions about this policy, contact our Privacy Officer:
Privacy Officer: Gian Tricomi, DO
Practice: Elizabeth Figa DO PLLC d/b/a Verasana
Email: milo@verasana.life
Phone: +1 (305) 998-7277
Mailing Address: P.O. Box 6761, Bend, OR 97708-6761
Filing a Complaint with HHS
If you believe your privacy rights under HIPAA have been violated, you have the right to file a complaint with the U.S. Department of Health and Human Services Office for Civil Rights:
- Online: ocrportal.hhs.gov/ocr/portal/lobby.jsf
- Phone: 1-800-368-1019 (TDD: 1-800-537-7697)
- Mail: Hubert H. Humphrey Building, 200 Independence Avenue SW, Room 509F, Washington, DC 20201
You will not be penalized, retaliated against, or denied services for filing a complaint with us or with HHS OCR.