PARTNER AND AFFILIATE VETTING AND COMPLIANCE

Partner and Affiliate Vetting and Compliance

Last updated: May 9, 2026

Partner and affiliate overview

Ody Health operates as a technology and administrative platform that connects patients with independent licensed providers, pharmacies, laboratories, and other service providers. These partners are essential to delivering services through Ody Health. This policy describes Ody Health’s standards and procedures for vetting, selecting, onboarding, and ensuring ongoing compliance of partners and service providers.

Partners and service providers are independent entities with their own governance, compliance obligations, and legal responsibilities. Ody Health does not control partner operations, clinical decisions, or regulatory compliance; however, Ody Health establishes contractual standards and conducts ongoing compliance monitoring to protect patient safety and data security.

Partner categories

Ody Health works with the following categories of partners:

Clinical Partners: Independent licensed medical providers and provider networks (such as Ola Digital Health) that provide telehealth consultations, clinical evaluations, prescriptions, and medical guidance to patients.

Pharmacy Partners: Independent licensed pharmacies that dispense medications, prepare prescriptions, provide patient counseling, and ship medications to patients.

Laboratory Partners: Independent laboratory facilities that conduct laboratory tests, provide testing services, and report results to providers and patients.

Service Providers: Technology vendors, infrastructure providers, payment processors, email service providers, and other service providers that support the operation of Ody Health and help deliver services to patients.

Partner vetting standards

Before engaging a clinical partner, pharmacy partner, or laboratory partner, Ody Health conducts due diligence to verify:

Licensure and Credentials: Valid state licensure for the relevant profession (medical provider, pharmacy, clinical laboratory); current DEA registration if handling controlled substances; professional liability insurance; and clean licensure records without disciplinary action or sanction.

Regulatory Compliance: Compliance with state and federal laws and regulations applicable to the partner’s profession; no current regulatory investigations or enforcement actions; and compliance with telehealth regulations in states where services are provided.

Data Security and Privacy: Reasonable safeguards for protecting patient information and health data; compliance with HIPAA or equivalent privacy protections; and willingness to sign Business Associate Agreements (BAAs) where required by law.

Service Quality Standards: Demonstrated ability to provide quality services consistent with Ody Health standards; responsiveness to patients and Ody Health; and willingness to comply with Ody Health protocols and communication standards.

Financial Stability: Reasonable evidence of financial stability to ensure the partner can reliably provide services over time.

Service provider vetting and security

Before engaging a service provider that processes personal information or health information, Ody Health conducts vetting including:

Security Assessment: Review of the service provider’s security practices, including encryption, access controls, audit logging, incident response procedures, and data retention practices.

Security Certifications: Review of available security certifications such as SOC 2 Type II, ISO 27001, or equivalent industry certifications demonstrating a commitment to security standards.

Security Questionnaires: Completion of Ody Health’s security questionnaire to document security practices, compliance standards, and any known vulnerabilities or past security incidents.

Contractual Commitments: Agreement to maintain appropriate safeguards, implement access controls, maintain audit logs, report security incidents, and allow Ody Health to audit compliance as permitted by law and contract.

Data Handling: Understanding of what data the service provider will access or process, how it will be used, where it will be stored, and how long it will be retained.

Business Associate Agreements

All partners and service providers that handle protected health information (“PHI”) on behalf of Ody Health or on behalf of covered health care entities are required to sign Business Associate Agreements (“BAAs”) in compliance with the Health Insurance Portability and Accountability Act (“HIPAA”).

BAAs establish that the partner or service provider will:

• Use and disclose PHI only for the purposes authorized by Ody Health or the covered entity
• Implement and maintain administrative, physical, and technical safeguards to protect PHI
• Maintain audit controls and audit logs of PHI access and use
• Restrict access to PHI to authorized individuals on a need-to-know basis
• Notify Ody Health promptly of any security incidents or suspected unauthorized access to PHI
• Return or securely destroy PHI upon termination of the relationship
• Allow Ody Health and regulators to audit compliance with the BAA
• Ensure any subcontractors also sign BAAs with equivalent obligations

BAAs are required before a partner or service provider begins processing PHI. No PHI is shared with a partner until a signed BAA is in place.

Ola Digital Health partnership

Ody Health partners with Ola Digital Health, a licensed provider network operating in all 50 states, to provide clinical services, prescription handling, and medical coordination.

Ola Digital Health is licensed to practice medicine in all 50 states and employs or contracts with independent licensed physicians to provide telehealth services. Ola Digital Health is subject to the same vetting standards, contractual requirements, and compliance monitoring as other clinical partners.

Ola Digital Health has signed a comprehensive partnership agreement with Ody Health that includes:

• Scope of services (telehealth consultations, clinical evaluations, prescriptions)
• Service quality standards and response time commitments
• HIPAA BAA requirements and data security obligations
• Compliance with telehealth regulations in each state
• Incident reporting and safety protocols
• Insurance and liability coverage
• Termination provisions and dispute resolution

The partnership agreement makes clear that Ola Digital Health physicians are independent providers making their own clinical decisions, and that Ody Health does not control clinical decisions or outcomes.

Ongoing compliance monitoring

After a partner or service provider is engaged, Ody Health conducts ongoing monitoring to ensure continued compliance with vetting standards and contractual obligations.

Compliance Reviews: Periodic reviews of partner compliance with contractual requirements, quality standards, and regulatory obligations. Reviews may include audits of partner practices, review of incident reports, and assessment of service quality feedback from patients.

Incident Monitoring: Monitoring of reports of patient safety concerns, adverse events, complaints, and service failures. Patterns of incidents may trigger additional review or enforcement action.

Regulatory Monitoring: Monitoring of partner licensure status, regulatory disciplinary actions, and enforcement activity to identify any compliance concerns or license suspensions/revocations.

Security Monitoring: For service providers, ongoing monitoring of security incidents, breach reports, and security certifications to ensure safeguards remain adequate.

Financial Monitoring: Periodic assessment of partner financial stability to ensure the partner remains viable and able to provide services.

Partner termination and offboarding

Ody Health may terminate a partnership if:

• The partner fails to maintain required licensure, credentials, or certifications
• The partner fails to comply with contractual obligations or vetting standards
• A pattern of patient safety concerns, complaints, or service failures emerges
• The partner is subject to regulatory sanctions, investigations, or disciplinary action
• The partner experiences a security incident or breach of patient data
• The partner is unable or unwilling to maintain appropriate safeguards
• Mutual agreement to terminate the relationship

Upon termination, Ody Health ensures:

• No new patients or services are directed to the terminated partner
• Existing patients are notified and provided with alternative providers or services
• All patient data and PHI held by the partner is returned or securely destroyed per contract and law
• Outstanding compliance issues are resolved
• Records of the termination and reasons are documented and retained

Patient communication about partners

Patients are informed that Ody Health is a platform connecting them with independent providers, pharmacies, laboratories, and other service providers. Patients understand that:

• Clinical providers are independent and make their own clinical decisions
• Pharmacies are independent and make their own dispensing decisions
• Partners maintain their own privacy practices and legal obligations
• Partners may change or terminate their relationships with Ody Health at any time
• Patients may seek services from providers, pharmacies, or laboratories outside Ody Health

Patients have access to information about their healthcare providers and service partners as available through the Ody Health platform.

Audit rights and inspections

Ody Health reserves the right to audit partner compliance with contractual obligations and vetting standards. Audit rights are specified in partnership agreements and may include:

• Review of partner policies, procedures, and documentation
• On-site inspections of partner facilities and operations
• Interview of partner staff and leadership
• Review of patient records and service delivery documentation
• Assessment of security controls and compliance with data protection standards
• Testing of incident response and emergency procedures

Partners are expected to cooperate with audits and provide necessary documentation and access. Audit findings are reviewed with partners, and corrective action plans are developed for any identified deficiencies.

Partner vetting inquiries

For questions about Ody Health’s partner vetting standards or to inquire about becoming a partner, contact:

Ody Health
Attn: Partnership and Compliance
1309 Coffeen Avenue STE 1200
Sheridan, Wyoming 82801
Email: info@odyhealth.co

This document is for informational purposes and does not constitute legal advice. Questions: legal@odyhealth.co.

Partner and Affiliate Vetting and Compliance | Ody Health