The Kroger Co. and its affiliates and subsidiaries (the “Company”) is required to maintain the privacy of Protected Health Information (“PHI”) and to provide individuals with notice of our legal duties and privacy practices with respect to PHI. PHI is information that may identify you and that relates to your past, present or future physical or mental health or condition and related health care services. This Notice of Privacy Practices (“Notice”) describes how we may use and disclose PHI to carry out treatment, payment or health care operations and for other specified purposes that are permitted or required by law. The Notice also describes your rights with respect to PHI about you.

The Company is required to follow the terms of this Notice. We will not sell your name and address or other identifying information for any purpose without your express written consent. We will not use or disclose PHI about you without your written authorization, except as described in this Notice. We reserve the right to change our practices and this Notice and to make the new Notice effective for all PHI we maintain. Upon request, we will provide any revised Notice to you.

Effective Date

This Notice is effective as of September 1, 2020.

Your Health Information Rights

You have the following rights with respect to PHI about you:

Obtain a paper or electronic copy of the Notice upon request. You may request a copy of the Notice at any time. Even if you have agreed to receive the Notice electronically, you are still entitled to a paper copy. You may obtain a paper copy at any of the Company’s pharmacy or health clinic locations or by calling the Company’s HIPAA Privacy Office at 513-762-1161, or toll-free at 1-877-551-7953.

Request a restriction on certain uses and disclosures of PHI. You have the right to request additional restrictions on our use or disclosure of PHI about you for treatment, payment, health care operations, communication with individuals involved in your care or by our Business Associates by submitting a written request for the restriction. We are not required to agree to those restrictions. You have the right to restrict certain disclosures of PHI to a health plan where you pay out of pocket in full for the health care item or service. You may submit your request in person at any of the Company’s pharmacies or health clinics or by mail to the attention of the Company’s HIPAA Privacy Office*.

Inspect and obtain a copy of PHI. You have the right to access and copy PHI about you contained in a designated record set for as long as we maintain the PHI. You also have the right to an electronic copy of that information. The designated record set usually will include prescription. Treatment, and/or billing records. To inspect or copy the designated record set or to receive an electronic copy of PHI about you, you must send a written request. You may submit your request in person at any of the Company’s pharmacies or health clinics or by mail to the attention of our HIPAA Privacy Office*. We may charge you a fee for the costs of copying, mailing and supplies that are necessary to fulfill your request. We may deny your request in certain limited circumstances. If you are denied access to PHI about you, you may request that the denial be reviewed.

Request an amendment of PHI. If you believe that PHI we maintain about you is incomplete or incorrect, you may request that we amend it. You may request an amendment for as long as we maintain the PHI. To request an amendment, you must send a written request to the attention of our HIPAA Privacy Office*. You must include a reason that supports your request. In certain cases, we may deny your request for amendment. If we deny your request for amendment, you have the right to file a statement of disagreement with the decision and we may give a rebuttal to your statement.

Receive an accounting of disclosures of PHI. You have the right to receive an accounting of the disclosures we have made of PHI about you after April 14, 2003 for most purposes other than treatment, payment, or health care operations. The accounting will exclude certain disclosures, such as disclosures made directly to you, disclosures you authorize, disclosures to friends or family members involved in your care, and disclosures for notification purposes. The right to receive an accounting is subject to certain other exceptions, restrictions, and limitations. To request an accounting, you must submit a request in writing to the attention of our HIPAA Privacy Office*. Your request must specify the time period and must be limited to a period within six years of the date of the request. The first accounting you request within a 12-month period will be provided free of charge, but you may be charged for the cost of providing any additional accountings in the same 12-month period. We will notify you of the cost involved and you may choose to withdraw or modify your request at that time.

Request communications of PHI by alternative means or at alternative locations. For instance, you may request that we contact you about medical matters only in writing or at a different residence or post office box. To request confidential communication of PHI about you by an alternative means or at an alternative location, you must submit a request in writing. You may submit your request in person at any of the Company’s pharmacies or health clinics or by mail to the attention of our HIPAA Privacy Office*. Your request must state how or where you would like to be contacted. We will accommodate all reasonable requests.

Receive Notification of a Breach. You will receive notification of a breach of any unsecured PHI.

Examples of How We May Use and Disclose PHI

The following are descriptions and examples of ways we use and disclose PHI:

We will use and disclose PHI for treatment. Examples: Information obtained by the Company’s pharmacists, health care providers or other personnel will be used to provide health care related services to you. We will document in your record information related to the medications dispensed to you and health care services provided to you. Some services could include disease management programs, such as diabetes education, osteoporosis screenings and influenza vaccinations. Our pharmacists, health care providers, other personnel and/or business associates may collect information about you in order to provide these services and monitor your progress within the program. We may also share this information with your physician and/or other health care providers as needed to coordinate your care.

We will use and disclose PHI for payment. Example: We will contact your third-party payer to determine whether it will pay for your services, prescription, and/or supplies, as applicable, and the amount of your copayment. We will bill you or a thirdparty payer for the cost of services, medications dispensed and/or supplies provided to you. We may submit a pricing request to the administrator of certain prescription discount card programs to verify the price of your prescription. The information on or accompanying the bill may include information that identifies you, as well as the prescriptions you are taking, and services and supplies received.

We will use and disclose PHI for health care operations. Examples: The Company may use information in your health record to monitor the performance of the pharmacists, health care providers and other personnel providing treatment to you. This information will be used in an effort to continually improve the quality and effectiveness of the health care and service we provide. Also, in the rare event that a pharmacy or health clinic is sold by the Company, we may transfer patient records to the purchaser.

We are likely to use or disclose PHI for the following purposes:

Central Fill prescriptions: Some prescriptions may be filled by a central fill pharmacy owned by the Company and returned to your local Company’s pharmacy for your pick-up. The central fill pharmacy is located at a different location than your local pharmacy. Your local pharmacy will provide information required to fill your prescription to our central fill pharmacy.

Health-related communications: The Company’s pharmacies and health clinics provide a special customer care service to its customers. Under this program, we may contact you, consistent with applicable law, to provide refill or appointment reminders, information about treatment alternatives (including the availability of clinical trials), or other health-related benefits and services that may be of interest to you. If you do not wish to participate in this special care service, you may notify us of this fact at any time in writing, by telephone or in person at one of our stores.

Communication with individuals involved in your care or payment for your care: Health professionals such as our pharmacists, nurse practitioners, and their staff, may, consistent with applicable law, disclose to a family member, other relative, close personal friend or any person you identify, PHI relevant to that person’s involvement in your care or payment related to your care if your pharmacist or nurse practitioner, in his or her professional judgment, determines that it is in your best interests.

Business associates: There are some services provided by us through contracts with business associates. Examples include the electronic transmission of prescription or health care claims to insurers and benefit managers, creation of paper billings for services that cannot be electronically transmitted, and payment reconciliation services. We may also contract with business associates to provide data aggregation services relating to our health care operations. When these services are contracted for, we may disclose PHI about you to our business associate so that they can perform the job we have asked them to do or to bill you or your third-party payor for services rendered. To protect PHI about you, we require our business associates to appropriately safeguard the PHI.

Food and Drug Administration (FDA): We may disclose to the FDA, or persons under the jurisdiction of the FDA, PHI relative to activities related to quality, safety or effectiveness of FDA-regulated products, including Risk Evaluation and Mitigation Strategies, reports of adverse events with respect to drugs, foods, supplements, products and product defects, or post marketing surveillance information to enable product recalls, repairs, or replacement.

Public health: As required by law, we may disclose PHI about you to public health or legal authorities charged with preventing or controlling disease, injury, or disability.

Health oversight activities: We may disclose PHI about you to an oversight agency for activities authorized by law. These oversight activities include audits, investigations, and inspections, as necessary for our licensure and for the government to monitor the health care system, government programs, and compliance with civil rights laws.

Worker’s compensation: We may disclose PHI about you as authorized by and as necessary to comply with laws relating to worker’s compensation or similar programs established by law.

Law enforcement: We may disclose PHI about you for law enforcement purposes to a law enforcement official as required by law, court order, warrant, or administrative request.

Judicial and administrative proceedings: If you are involved in a lawsuit or dispute, we may disclose PHI about you in response to a court or administrative order.

As required by law: We must disclose PHI about you when required to do so by law.

We are permitted to use or disclose PHI about you for the following purposes:

Research: We may disclose PHI about you to researchers when their research has been approved by an institutional review board that has reviewed the research proposal and established protocols to ensure the privacy of your information.

Coroners, medical examiners, and funeral directors: We may release PHI about you to a coroner or medical examiner. This disclosure may be necessary, for example, to identify a deceased person, determine the cause of death or other duties as authorized by law. We may also disclose PHI to funeral directors, consistent with applicable law, to carry out their duties.

Organ or tissue procurement organizations: Consistent with applicable law, we may disclose PHI about you to organ procurement organizations or other entities engaged in the procurement, banking, or transplantation of organs for the purpose of tissue donation and transplant.

Correctional institution: If you are or become an inmate of a correctional institution, we may disclose PHI to the institution or its agents when necessary for your health or the health and safety of others.

To avert a serious threat to health or safety: We may use and disclose PHI about you when we believe in good faith that disclosure is necessary to prevent a serious threat to your health and safety or the health and safety of the public or another person and the disclosure is to a person reasonably able to prevent the threat. We may disclose your PHI for a medical emergency when we are unable to obtain your consent or authorization due to your condition or the nature of the medical emergency.

Victims of abuse, neglect, or domestic violence: We may disclose PHI about you to a government authority, such as a social service or protective services agency, if we reasonably believe, in our professional judgment, you are a victim of abuse, neglect, or domestic violence. We will only disclose this type of information (1) to the extent required by law, (2) if you agree to the disclosure, or (3) if the disclosure is allowed by law and we believe it is necessary to prevent serious harm to you or someone else or the law enforcement or public official that is to receive the report represents that it is necessary and will not be used against you.

Military and veterans: If you are a member of the armed forces, we may release PHI about you as required by military command authorities. We may also release PHI about foreign military personnel to the appropriate military authority.

National security and intelligence activities: We may release PHI about you to authorized federal officials for intelligence, counterintelligence, and other national security activities authorized by law.

Protective services for the President and others: We may disclose PHI about you to authorized federal official so they may provide protection to the President, other authorized persons or foreign heads of state or conduct special investigations.

Other Uses and Disclosures of PHI

Most uses and disclosures of PHI for marketing purposes and disclosures that constitute the sale of PHI require your authorization. The Company will obtain your written authorization before using or disclosing PHI about you for purposes other than those provided for above. You may revoke an authorization in writing at any time. Upon receipt of the written revocation, we will stop using or disclosing PHI about you, except to the extent that we have already taken action in reliance on the authorization.

For More Information or to Report a Problem

If you have questions or would like additional information about the Company’s privacy practices, you may call the Company’s HIPAA Privacy Office at 513-762-1161. Toll-free at 1-877-551-7953 or write to the attention of the Company’s HIPAA Privacy Office1. If you believe your privacy rights have been violated, you can file a complaint with our HIPAA Privacy Office or with the Secretary of Health and Human Services. There will be no retaliation for filing a complaint.


The Company:





















Revised 9/1/2020

*The Company’s HIPAA Privacy Office address: Kroger HIPAA Privacy Office, 1014 Vine Street, Cincinnati, OH 45202-1100