HIPAA Notice of Privacy Practices

Last Updated: March 23, 2026 | Vigil Health LLC, El Reno, Oklahoma

1. Introduction

This Notice of Privacy Practices ("Notice") describes how Vigil Health LLC ("Vigil Health," "we," "us," or "our") collects, uses, and protects your Protected Health Information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA). This Notice applies to all individuals who use our service and whose health information we maintain.

2. Our Privacy Officer

Privacy Officer: Blake Dewberry

Contact: blake@vigil.healthcare

3. Protected Health Information We Collect

Vigil Health collects and maintains the following Protected Health Information:

  • Continuous glucose monitoring (CGM) readings from your Dexcom device
  • Glucose trend data and patterns
  • Custom alert thresholds you configure
  • Your name, date of birth, and contact information
  • Phone number for SMS alert delivery
  • Medical information you voluntarily provide (comorbidities, medication list, healthcare provider)
  • Your Dexcom authentication credentials and API tokens
  • Timestamps and frequency of alert acknowledgments

4. Uses and Disclosures of PHI

4.1 Uses for Treatment

We use your PHI to:

  • Monitor your glucose levels in real time
  • Send SMS alerts based on your configured thresholds
  • Generate glucose trend reports and summaries
  • Provide you with notifications about your glucose status
  • Respond to questions about your alerts and glucose data

4.2 Uses for Operations

We use your PHI for business operations, including:

  • Billing and payment processing
  • Account maintenance and technical support
  • Quality assurance and service improvement
  • Compliance with legal obligations
  • Fraud prevention and security
  • De-identified research with appropriate safeguards

4.3 Uses for Health Care Operations Without Your Authorization

HIPAA permits us to use and disclose your PHI for health care operations without your specific written authorization for the purposes listed above.

4.4 Disclosures Requiring Your Authorization

We will obtain your written authorization before disclosing your PHI for any purpose other than treatment, operations, or payment, except as required by law.

5. Business Associates

Vigil Health contracts with Business Associates who may have access to your PHI. All Business Associates are required to maintain strict confidentiality and are bound by HIPAA Business Associate Agreements (BAAs):

| Business Associate | Purpose | PHI Access |
|---|---|---|
| Dexcom Inc. | CGM data retrieval via API | Glucose readings, trends, timestamps |
| Twilio Inc. | SMS alert delivery | Phone number, alert messages, delivery status |
| Amazon Web Services (AWS) | Secure data hosting and storage | Encrypted glucose data, account info, encrypted API tokens |
| Heroku (Salesforce) | Application hosting | Encrypted glucose data, user accounts |

All Business Associates sign HIPAA Business Associate Agreements confirming they will safeguard your PHI.

6. How We Protect Your PHI

Vigil Health implements comprehensive administrative, physical, and technical safeguards:

6.1 Technical Safeguards

  • End-to-end encryption for all data in transit (TLS 1.2+)
  • AES-256 encryption for data at rest
  • Secure authentication with multi-factor authentication options
  • Secure API connections with Dexcom (OAuth 2.0)
  • Regular security audits and penetration testing
  • Intrusion detection and prevention systems

6.2 Administrative Safeguards

  • Role-based access controls limiting employee access to PHI
  • Employee HIPAA training and confidentiality agreements
  • Background checks for employees with PHI access
  • Privacy and security incident response procedures
  • Written policies and procedures for PHI handling

6.3 Physical Safeguards

  • Secure data centers with restricted physical access
  • Environmental controls (temperature, humidity monitoring)
  • Visitor access logs and security procedures
  • Secure disposal of media containing PHI

7. Breach Notification

In the event of a breach of your unsecured PHI, Vigil Health will:

  • Notify you without unreasonable delay, typically within 30 days
  • Describe the nature and scope of the breach
  • Explain steps you should take to protect yourself
  • Describe measures we are taking to prevent future breaches
  • Provide contact information for questions

8. Your HIPAA Rights

8.1 Right to Access Your PHI

You have the right to access, review, and obtain a copy of your PHI. You may request your records in electronic or paper format. We will provide access within 30 days of your request.

8.2 Right to Request Amendment

If you believe information in your PHI is inaccurate or incomplete, you may request amendment. Vigil Health will review your request and, if approved, will amend your records and notify relevant parties.

8.3 Right to Accounting of Disclosures

You have the right to request an accounting of all disclosures of your PHI made by Vigil Health for the past 6 years (or as long as records are maintained). We will provide this accounting within 30 days.

8.4 Right to Request Restrictions

You may request restrictions on uses and disclosures of your PHI. However, Vigil Health is not required to agree to all restrictions. If we do agree, we will follow your requested restrictions.

8.5 Right to Confidential Communication

You may request that we communicate with you about your PHI using alternative methods or locations (for example, sending SMS alerts to a different number).

8.6 Right to Complain

You have the right to lodge a complaint with Vigil Health or with the U.S. Department of Health and Human Services (HHS) Office for Civil Rights if you believe your privacy rights have been violated.

9. Exercising Your Rights

To exercise any of your HIPAA rights, send a written request to:

  • Email: blake@vigil.healthcare
  • Include: Your name, account details, and specific request
  • Response Time: We aim to respond within 10 business days

10. Data Retention and Destruction

Vigil Health retains your PHI as follows:

  • Glucose Data: Retained for 24 months for trend analysis and backup recovery
  • Alert Logs: Retained for 12 months for audit and compliance purposes
  • Account Information: Retained for the duration of your account plus 7 years for legal compliance
  • Upon Account Deletion: All personal health information will be securely destroyed within 30 days

11. HIPAA Compliance Commitment

Vigil Health is committed to HIPAA compliance. We maintain comprehensive safeguards, conduct regular risk assessments, provide employee training, and maintain documentation of our privacy and security practices. We regularly review and update our policies to ensure continued compliance with HIPAA regulations.

12. Effective Date and Changes

This Notice is effective as of March 23, 2026. Vigil Health may change this Notice as required by law. We will notify you of material changes to this Notice and will post the revised Notice on our website. Your continued use of our service indicates acceptance of the updated Notice.

13. Contact Information for Privacy Concerns

For any questions or concerns about this Notice, your privacy rights, or to file a complaint:

  • Vigil Health Privacy Officer: Blake Dewberry
  • Email: blake@vigil.healthcare
  • Company: Vigil Health LLC, El Reno, Oklahoma
  • Response Time: We aim to respond to privacy inquiries within 10 business days

You also have the right to file a complaint with the U.S. Department of Health and Human Services:

Office for Civil Rights
U.S. Department of Health and Human Services
200 Independence Avenue, S.W.
Washington, D.C. 20201
https://www.hhs.gov/hipaa/filing-a-complaint/index.html

© 2026 Vigil Health LLC. All rights reserved. | El Reno, Oklahoma