
HIPAA Notice & Privacy Practices

Omigenix LLC — Effective Date: April 19, 2026

This HIPAA Notice describes the privacy practices of Omigenix LLC (“Omigenix,” “we,” “us,” or “our”) as they relate to protected health information (PHI) that may be handled in connection with your use of the Omigenix platform (the “Platform”), including 503A compounded prescription ordering.

PHI Data Architecture — Compliance Summary

All patient PHI collected through 503A prescription orders is stored exclusively in Supabase (our HIPAA-eligible database infrastructure) and is never transmitted via email or any third-party messaging service. Order confirmation emails contain only order numbers and product information — no patient names, addresses, dates of birth, or clinical data are included.

1. Omigenix's HIPAA Status

Omigenix LLC is a management services organization (MSO) that provides administrative, operational, and technology services to licensed healthcare providers. The Platform serves as a B2B ordering tool for licensed healthcare providers, including the submission of 503A compounded prescription orders on behalf of identified patients.

Because 503A prescription orders require patient-identifying information (including patient name, date of birth, and shipping address), Omigenix acknowledges that it may function as a Business Associate under HIPAA with respect to those transactions. Omigenix is committed to handling all such information in accordance with applicable HIPAA requirements and is actively pursuing a Business Associate Agreement (BAA) with its infrastructure providers.

2. What PHI We Collect and Why

For 503A compounded prescription orders, the Platform collects the following patient-level information, which constitutes PHI under HIPAA:

  • Patient full name (first and last) — required for prescription labeling;
  • Date of birth — required for patient identification and dispensing compliance;
  • Gender — required for clinical and dosing context;
  • Patient home address — required for direct-to-patient shipping of compounded medications;
  • Medication and dosing instructions (Sig) — required for compounding and dispensing.

For 503B non-prescription orders, no patient PHI is collected. Only provider practice information (name, license, practice address) and order details are processed.

3. How PHI Is Stored and Protected

Storage — Supabase Only

All patient PHI is stored exclusively in Supabase, a HIPAA-eligible cloud database platform. PHI is stored in the orders table under the patient_info and shipping_address columns. Data is encrypted in transit via TLS and at rest via AES-256 encryption. Access is restricted to authenticated, authorized personnel only via Row Level Security (RLS) policies.

Email — Zero PHI Transmitted

Order confirmation emails sent to providers and internal administrators contain no patient PHI. Emails include only the order reference number, product names, and a secure link directing the recipient to log into the Platform to view patient details. Patient names, addresses, dates of birth, and clinical information are never included in any email communication.

Access Controls

PHI is accessible only through the authenticated Platform portal. Providers may view patient information associated with their own orders only. Administrative access is restricted to authorized Omigenix personnel. No PHI is exposed via public-facing APIs or unauthenticated endpoints.

4. Third-Party Services and PHI Exposure

The following table documents which third-party services are used by the Platform and whether any PHI is transmitted to each:

Service  | Purpose                      | PHI Transmitted?  | BAA Status
Supabase | Database & authentication    | Yes — PHI stored  | In Progress
Resend   | Transactional email delivery | No — PHI excluded | Not required (no PHI)
Stripe   | Payment processing           | No — billing only | Not required (no PHI)

Note on Supabase BAA: Omigenix is actively pursuing a Business Associate Agreement with Supabase via their HIPAA add-on program. Until the BAA is executed, providers are advised that PHI is stored on HIPAA-eligible infrastructure but the formal BAA is pending. Contact us at info@synagenix.com for the current status.

5. Provider Responsibilities Regarding PHI

As a licensed healthcare provider, you are a covered entity or business associate under HIPAA and are solely responsible for:

  • Ensuring that only necessary and accurate patient PHI is submitted through the Platform for 503A orders;
  • Obtaining all required patient authorizations and consents before submitting patient information;
  • Maintaining HIPAA compliance in your own practice and clinical operations;
  • Maintaining appropriate clinical documentation in accordance with HIPAA and applicable state law;
  • Notifying Omigenix immediately if you become aware of any unauthorized access to patient information.

6. Business Associate Agreements

Omigenix acknowledges that its handling of patient PHI in connection with 503A prescription orders may require a Business Associate Agreement (BAA) with covered entity providers. We are prepared to enter into a mutually acceptable BAA upon request.

To request a BAA or discuss your specific compliance requirements, please contact us at info@synagenix.com.

7. Data Security Practices

Omigenix applies the following technical and administrative safeguards to protect PHI:

  • Encryption in transit: All data transmitted between the Platform and Supabase is encrypted using TLS 1.2 or higher;
  • Encryption at rest: PHI stored in Supabase is encrypted at rest using AES-256;
  • Access controls: Row Level Security (RLS) policies ensure providers can only access their own patient data; administrative access is role-restricted;
  • Email PHI exclusion: No PHI is included in any outbound email communication — order emails reference only order numbers and product names;
  • Authentication: All access to PHI requires authenticated sessions via Supabase Auth;
  • Audit logging: Database access and modifications are logged for security review;
  • Minimum necessary standard: Only PHI required for prescription fulfillment is collected and retained.

8. Incident Notification

In the event of a data security incident that may affect PHI stored on the Platform, Omigenix will notify affected providers promptly and take appropriate remediation steps in accordance with HIPAA Breach Notification Rule requirements and applicable state law. Notifications will be made without unreasonable delay and no later than 60 days following discovery of the breach.

9. Questions and Contact

If you have questions about this HIPAA Notice or our data practices, wish to request a Business Associate Agreement, or need to report a potential security incident, please contact us:

Omigenix LLC — Privacy & Compliance

Email: info@synagenix.com

Website: www.synagenix.com

Document Version: 2.0  • Last Updated: April 19, 2026  • Change Summary: Updated to reflect 503A PHI collection, Supabase-only storage architecture, and email PHI exclusion policy. Previous version incorrectly stated the Platform does not collect patient PHI.

© 2026 Omigenix LLC. All rights reserved.
