Amazon Health Services Notice of Privacy Practices

Effective Date: October 20, 2025

Privacy and security are foundational to how we design and operate our products and services. We know your health information is important to you and we take the responsibility of safeguarding and protecting it seriously. This Notice of Privacy Practices (the “Notice”) describes how the Amazon Health Services Affiliated Covered Entity collects and processes your health information.

THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.

• What is the Amazon Health Services Affiliated Covered Entity?
• To What Information Does this Notice Apply?
• We May Use and Disclose Your PHI for Treatment, Payment, and Operations
• Other Uses and Disclosures of Your PHI
• Your Choices Regarding Your PHI
• Your Health Information Rights
• Changes to this Notice
• Complaints
• Contact Information
• One Medical’s Partners

What is the Amazon Health Services Affiliated Covered Entity?

The Amazon Health Services Affiliated Covered Entity (“Amazon Health Services”) includes pharmacies operated by PillPack LLC and its subsidiaries, dba Amazon Pharmacy, and One Medical Group, Inc. and its affiliated professional corporations. Amazon Health Services has designated itself as a single covered entity for purposes of compliance with the Health Insurance Portability and Accountability Act (“HIPAA”). By using Amazon Health Services, you are consenting to the practices described in this Notice.

To What Information Does this Notice Apply?

This Notice applies to your Protected Health Information (“PHI”), which is information that we collect and process that identifies you, or could be used to identify you, and relates to your past, present, or future health care, including medical conditions, medication history, or health insurance. Amazon Health Services is subject to HIPAA, which governs how we may use and disclose your PHI. Amazon Health Services is bound by this Notice. We have provided some demonstrative examples of how we may use and disclose your PHI, but this Notice does not list every permissible use or disclosure. Amazon Health Services is an affiliate of Amazon.com, and the Amazon.com Privacy Notice describes how we collect and process your personal information that is not PHI.

We May Use and Disclose Your PHI for Treatment, Payment, and Operations

Amazon Health Services may use or disclose your PHI without your written authorization as follows:

• Treatment: We may use your PHI to provide you medical treatment and to dispense your medications to you. For example, we may disclose your PHI to doctors, nurses, or other health care providers who coordinate your care or otherwise provide treatment to you. We may also obtain your PHI from other health care providers and Health Information Exchanges.
• Payment: We may use and disclose your PHI to bill and collect payment for products or services we provide you. For example, we may disclose your PHI to your health insurance plan, pharmacy benefit manager, or other third party to determine whether our services or your medications are covered by insurance or to obtain payment for services provided to you.
• Health Care Operations: We may use and disclose your PHI to carry out our own health care operations. For example, we may use your PHI to provide customer service to you, monitor the performance of our providers and pharmacists, or to improve the quality and effectiveness of our services.

Other Uses and Disclosures of Your PHI

Amazon Health Services may use or disclose your PHI without your written authorization as follows:

• Business Associates: We may contract with other entities to perform certain services for us, such as accounting, billing, or information technology services. If these entities need access to your PHI to perform these services, they are called Business Associates, and they are required by law and by contract to comply with HIPAA and protect your PHI.
• People Involved in Your Care, Including Payment: We may share your PHI with certain people involved in your care or payment for your care. This may include your family members, friends, or caregivers. If you are a legal minor, we may disclose your PHI to your parent(s) or legal guardian(s) consistent with applicable laws. For example, in certain states, parents may access a minor’s medical history. We may disclose your PHI to comply with workers’ compensation or similar programs.
• Required by Law: We will disclose your PHI when we are required to do so by law.
• Law Enforcement: We may disclose your PHI to law enforcement pursuant to a court order, subpoena, warrant, or similar process as required by applicable law. We will attempt to provide you with notice prior to disclosing your PHI to law enforcement if we are permitted to do so.
• Judicial and Administrative Proceedings: We may disclose your PHI pursuant to a court or administrative order, subpoena, discovery demand, or other lawful process. We will attempt to provide you with notice prior to disclosing your PHI unless such notice has been provided by another party to the dispute.
• Public Health and Safety: We may use or disclose your PHI as permitted or required to address certain public health and safety issues, for example, to report reactions to medications, product defects, or recalls. We may use and disclose your PHI to prevent a serious health and safety threat to you, the public, or another person. We may also use or disclose your PHI if we are required to do so by law, if you agree to the disclosure, or if we believe it necessary to prevent serious harm to you or someone else.
• Health Oversight Activities: We may disclose your PHI to a health oversight agency, such as a Board of Pharmacy or Medicine, or a Medicaid agency. Examples of these oversight activities include audits, investigations, credentialing, licensure, government monitoring of the health care system or government programs, and compliance with civil rights laws.
• Research: We may use your PHI to conduct research or disclose it to researchers as authorized by law. For example, we may use or disclose your PHI for a study approved by an authorized review body that establishes processes to ensure the privacy of your information.
• Emergency or Death: We may disclose your PHI to disaster relief groups, or in the event of your death, for example, to coroners, medical examiners, funeral directors, or organ procurement organizations.
• Government, Correctional Facilities, and Military: We may disclose your PHI to a correctional institution if you become an inmate, to the armed forces if you are a member of the military or a veteran, and to federal officials for national security or specialized government functions.

Your Choices Regarding Your PHI

Amazon Health Services may be required by law to obtain your consent before using or disclosing your PHI in certain circumstances. Where we’re required by law to obtain that consent, we must do so through an authorization, which you can revoke at any time by emailing our Privacy Office. Your revocation will be effective immediately, but will not impact PHI that has already been used or disclosed. For example:

• Marketing: We will use and disclose your PHI to provide you information about our programs and services, and we will obtain your authorization before using or disclosing your PHI for any marketing activity that requires authorization under HIPAA.
• Specific Medical Records: We will obtain your authorization before disclosing your psychotherapy notes, to the extent you have any. State and federal laws provide additional protections for medical records in certain circumstances, and we may ask for your consent before disclosing your medical records where and when required.
• Selling your PHI: We are not in the business of selling our customers’ personal information, including their PHI. However, HIPAA requires us to inform you that we would have to obtain your authorization before selling your PHI.
• Other: Any other use or disclosure of PHI that is not otherwise addressed in this Notice will require your written authorization.

Your Health Information Rights

You have the following rights with respect to your PHI:

• Obtain a Paper Copy of this Notice: You have the right to obtain a paper copy of this Notice by contacting our Privacy Office or by asking at any Amazon Pharmacy facility or One Medical office, even if you have previously consented to receiving electronic communications.
• Obtain a Copy of Your PHI: With a few exceptions, you have the right to get a copy of your PHI, or ask that we send a copy of your PHI to someone else, by contacting our Privacy Office.
• Request a Change to Your PHI: If you feel that your PHI is incorrect or incomplete, you may request that we change or amend it by contacting our Privacy Office and providing a reason supporting your request. If we deny this request, we will tell you the reason for the denial.
• Receive a Report of Past Disclosures of Your PHI: You have a right to request a list of our disclosures of your PHI in the past six years (except those disclosures made for Treatment, Payment, and Operations) by contacting our Privacy Office.
• Request a Restriction on Certain Uses and Disclosures of Your PHI: You have the right to request that we limit the way we use and disclose your PHI, by contacting our Privacy Office. We do not have to agree to your request, except if you request that we not disclose your PHI to your health insurance plan and that PHI relates to a product or service you paid for out of pocket in full.
• Specify How Amazon Health Services Contacts You: You have the right to direct us to contact you about your care at an alternative location (e.g., at work or a P.O. Box instead of at home) or by alternative means (e.g., by phone instead of email). To request confidential communications, please contact our Privacy Office and tell us how you would like to be contacted. We will accommodate all reasonable requests, but if we cannot contact you as you have requested, we may contact you using other contact information we have.
• Receive Notice of a PHI Breach: You have the right to be notified of a breach that has compromised your PHI, and we will provide this notice as required by law.

Changes to this Notice

We may change this Notice at any time, and if we do, the new notice will apply to your PHI that we already have as well as any PHI received or created in the future. We will post a copy of the new notice on our website, at Amazon Pharmacy facilities and in One Medical’s offices, with the date that change became effective.

Complaints

If you believe your privacy rights have been violated, you may file a complaint with Amazon Health Services by contacting our Privacy Office, or with the Secretary of the U.S. Department of Health and Human Services. All complaints must be submitted in writing. You will not be penalized or retaliated against for filing a complaint.

Contact Information

We take your privacy seriously and welcome your questions and feedback. All correspondence related to this Notice must be submitted in writing to the Amazon Health Services Affiliated Covered Entity Privacy Office by emailing privacy@amazon.health. You can also reach us by calling 877-281-9561.

One Medical’s Partners

In some locations, One Medical partners with health systems, academic health centers, and other third parties (“Partners”) listed here to provide certain services. One Medical may participate in an Organized Health Care Arrangement with these Partners, and your PHI may be disclosed to and used by One Medical and its Partners for clinical activities. In those instances, this is a joint Notice that applies to One Medical and our Partner.