HIPAA Privacy Notice
Statement of HIPAA Practices
Business Associate model
CardioMetaboliQ Labs LLC dba CMiQHealth
187 Calle Magdalena, Suite 210, Encinitas, CA 92024
support@cmiqhealth.com
Effective Date: May 6, 2026
Important: This Statement describes how we handle Protected Health Information (PHI) under HIPAA. We act as a Business Associate of the licensed healthcare practitioners who order our Services. We are not a Covered Entity, and we do not provide treatment to patients directly. Patients should direct rights requests under HIPAA to their treating practitioner, who is the Covered Entity.
1. Our Role: Business Associate, Not Covered Entity, Not a Clinical Laboratory
CardioMetaboliQ Labs LLC dba CMiQHealth is a Business Associate as that term is defined at 45 CFR § 160.103. We provide test kits, sample-logistics support, the Bergapure dietary supplement, the MLR-90 program materials, analytical reports and iQ Scores, and educational materials to licensed healthcare practitioners ("Practitioners"). Practitioners are Covered Entities (or, in some cases, are themselves Business Associates). We perform our functions on behalf of Practitioners and pursuant to a Business Associate Agreement (BAA) executed with each Practitioner.
We are not a clinical laboratory. The assay portion of testing is performed by an independent third-party Reference Laboratory that is certified under the Clinical Laboratory Improvement Amendments (CLIA) and holds applicable state laboratory licenses. The Reference Laboratory may have its own direct Business Associate relationship with the Practitioner, or it may operate as our subcontractor under a downstream BAA. We will identify the Reference Laboratory upon written request and will document the applicable BAA chain in our compliance records.
Patients are not our customers. We do not provide medical advice, diagnose, treat, or prescribe. We do not establish a clinician–patient relationship with any Patient. The Practitioner is responsible for the patient relationship and for issuing the Notice of Privacy Practices that the Privacy Rule requires of Covered Entities.
2. Protected Health Information We Handle
In the course of providing the Services, we may receive, create, maintain, or transmit PHI from or about Patients, including:
3. Permitted Uses and Disclosures of PHI
We use and disclose PHI only as permitted by HIPAA and the applicable BAA, including:
We do not use or disclose PHI for marketing or sale of PHI as those terms are defined in 45 CFR §§ 164.501 and 164.508 without an appropriate authorization from the individual.
4. Safeguards
We maintain administrative, physical, and technical safeguards required by the HIPAA Security Rule (45 CFR Part 164, Subpart C), including encryption in transit and at rest, role-based access controls, logging, security training, vendor due diligence, and an incident response plan. We conduct periodic risk analyses and updates as required by 45 CFR § 164.308(a)(1)(ii)(A).
5. Subcontractors and the Reference Laboratory
We engage subcontractors that may create, receive, maintain, or transmit PHI on our behalf only where they have agreed in writing to substantially the same restrictions and conditions that apply to us under the BAA, as required by 45 CFR § 164.502(e)(1)(ii) and § 164.504(e)(5).
The Reference Laboratory that performs the assay portion of our testing is bound by a written agreement that includes the safeguards and obligations required by HIPAA. Where the Reference Laboratory has its own direct BAA with the Practitioner, that relationship is independent of this Statement; where the Reference Laboratory is our subcontractor, it is bound by a downstream BAA that flows down our obligations.
6. Breach Notification
In the event of a breach of unsecured PHI, we will notify the affected Practitioner without unreasonable delay and no later than sixty (60) days after discovery, in accordance with 45 CFR § 164.410 and the terms of the BAA. The Practitioner, as Covered Entity, is responsible for any required notifications to affected individuals, the Department of Health and Human Services, and where applicable the media.
7. Patient Rights Under HIPAA
Under HIPAA, Patients have rights to access, amend, request restrictions on, request confidential communications regarding, and receive an accounting of disclosures of their PHI. These rights are exercised through the treating Practitioner, who is the Covered Entity under HIPAA. If we receive a Patient request, we will direct the request to the appropriate Practitioner and will support the Practitioner's response as required under our BAA.
8. Complaints
A Patient who believes their HIPAA rights have been violated may file a complaint with the treating Practitioner, with us at support@cmiqhealth.com or 187 Calle Magdalena, Suite 210, Encinitas, CA 92024, or with the U.S. Department of Health and Human Services, Office for Civil Rights. We will not retaliate against any individual for filing a complaint.
9. State Medical Privacy Laws
Where state law provides protections more stringent than HIPAA, including the California Confidentiality of Medical Information Act (CMIA, California Civil Code §§ 56 et seq.), we comply with the more stringent law. The applicability and scope of state law are determined by the residence of the Patient and the location of the Practitioner.
10. Changes to this Statement
We may update this Statement from time to time. The "Effective Date" at the top of this Statement reflects the most recent version. We will post material changes on the Site and notify Practitioners with active accounts.
11. Contact
HIPAA-related questions: CardioMetaboliQ Labs LLC dba CMiQHealth, Attn: HIPAA Compliance, 187 Calle Magdalena, Suite 210, Encinitas, CA 92024, support@cmiqhealth.com.