Medical Courier Service
Privacy Policy
HIPAA-Compliant Privacy Notice & Policy Statement
Effective Date: May 6, 2026
Last Updated: May 6, 2026
Issued By: Queen Me Transportation, LLC | San Bernardino, CA
Important Notice: This Privacy Policy describes how Queen Me Transportation, LLC collects, uses, maintains, and discloses information obtained in connection with its medical courier and healthcare logistics services. Please read this document carefully. If you have questions, contact our Privacy Officer at QueenMeTransportation@Gmail.com or (844) 783-3663.
1. Introduction & Overview
Queen Me Transportation, LLC (hereinafter referred to as "the Company," "we," "us," or "our") is a professional medical courier and healthcare logistics service provider. We operate as a HIPAA Business Associate under the Health Insurance Portability and Accountability Act of 1996, as amended by the Health Information Technology for Economic and Clinical Health (HITECH) Act, and applicable regulations at 45 C.F.R. Parts 160 and 164.
We are deeply committed to protecting the privacy, confidentiality, integrity, and security of all Protected Health Information (PHI) and personal information that we receive, access, transmit, or maintain in the course of providing our services. Safeguarding sensitive health information is not only a legal obligation — it is a core value of our organization and a foundational element of the trust placed in us by our clients, partners, and the individuals whose information we handle.
This Privacy Policy is effective as of May 6, 2026, and applies to all information processed by the Company in the course of its operations. Specifically, this policy applies to:
- Healthcare clients and covered entities who engage our services (hospitals, clinics, laboratories, physician practices, and other healthcare facilities);
- Patients and individuals whose Protected Health Information we access, transport, or handle on behalf of covered entities;
- Healthcare partners and subcontractors who collaborate with us in service delivery;
- Website visitors who access our company website(s) or digital platforms; and
- Employees, contractors, and drivers who work for or with the Company.
This policy supplements, and does not replace, any Business Associate Agreement (BAA) executed between the Company and a covered entity. In the event of a conflict between this policy and the terms of a signed BAA, the terms of the BAA shall govern with respect to the specific relationship addressed therein.
2. Definitions
The following key terms are used throughout this Privacy Policy. Understanding these definitions will assist in interpreting our obligations and your rights under applicable law.
- Protected Health Information (PHI): Any individually identifiable health information that is created, received, maintained, or transmitted by the Company on behalf of a covered entity. PHI includes information relating to an individual's past, present, or future physical or mental health condition; the provision of healthcare to an individual; or the past, present, or future payment for the provision of healthcare. PHI may exist in any form — electronic (ePHI), paper, or verbal. PHI includes, but is not limited to, names, dates of birth, medical record numbers, specimen identifiers, diagnostic codes, treatment information, and any other data element that could reasonably be used to identify an individual.
- Business Associate: A person or entity that performs functions or activities on behalf of, or provides certain services to, a covered entity that involve the use or disclosure of Protected Health Information. The Company functions as a Business Associate in its capacity as a medical courier handling PHI.
- Covered Entity: A healthcare provider that transmits health information electronically, a health plan, or a healthcare clearinghouse as defined under HIPAA (45 C.F.R. § 160.103). Our clients — hospitals, physician practices, laboratories, and other healthcare facilities — are typically covered entities.
- Business Associate Agreement (BAA): A written contract between a covered entity and a business associate, required by HIPAA, that establishes the permitted and required uses and disclosures of PHI by the business associate and sets forth the obligations of both parties with respect to PHI. The Company requires an executed BAA before providing services that involve access to PHI.
- Personal Information: Information that identifies, relates to, or could reasonably be linked to an identified or identifiable individual that does not qualify as PHI under HIPAA. This includes, for example, general contact information collected from website visitors, employee employment records unrelated to healthcare, and vendor business contact information.
- De-identified Information: Health information from which all 18 HIPAA-specified identifiers have been removed and for which there is no reasonable basis to believe the information could be used to identify an individual (per 45 C.F.R. § 164.514). De-identified information is not subject to HIPAA's privacy protections and is not considered PHI.
3. Information We Collect
The Company collects only the minimum information necessary to perform its medical courier and logistics services and to fulfill its legal and contractual obligations.
3.1 Protected Health Information (PHI) from Covered Entities
In the course of providing medical courier services, we may receive or access PHI provided to us by or on behalf of covered entities. This may include:
- Patient names, dates of birth, and demographic identifiers;
- Medical record numbers and patient account numbers;
- Specimen identifiers, laboratory order numbers, and specimen descriptions;
- Diagnostic information, test requisition details, and associated clinical notes necessary for proper handling and chain of custody;
- Delivery addresses, facility names, and care site information tied to patient care activities; and
- Any other information included on manifests, chain-of-custody documents, or specimen labels provided by the covered entity.
The Company acts solely as a conduit for this information and does not create, maintain, or independently use PHI beyond what is necessary to perform the services requested by the covered entity.
3.2 Business and Client Information
We collect business and operational information from our clients and healthcare partners, including:
- Contact names, titles, and departmental information for client representatives;
- Facility names, mailing addresses, and physical location details;
- Billing information, invoicing details, and payment records;
- Healthcare facility license numbers, NPI numbers, or other professional identifiers where required by the scope of service; and
- Contract and service agreement details.
3.3 Website and Operational Data
When individuals visit our website or interact with our digital platforms, we may automatically collect limited technical and usage data, including:
- Internet Protocol (IP) addresses and general geographic location derived from IP data;
- Browser type, operating system, and device information;
- Pages visited, time spent on pages, and referring URLs;
- Form submission data (e.g., contact inquiries, service requests); and
- Cookie data, where applicable (see our Cookie Notice, if separately published).
No PHI should be transmitted through general website contact forms. Clients handling PHI must use secure, designated communication channels established under a signed BAA.
3.4 Employee and Driver Information
For individuals employed by or contracted with the Company, we collect employment-related information necessary for operations, compliance, and workforce management, including:
- Full legal name, government-issued identification details, and contact information;
- Driver's license information, vehicle registration, and motor vehicle records (for drivers);
- HIPAA training records, compliance certifications, and background check results;
- Route assignments, delivery logs, and chain-of-custody records associated with individual drivers; and
- Emergency contact information.
4. How We Use Information
The Company uses the information it collects only for lawful, legitimate, and necessary purposes. The following describes the primary uses of information we process:
- Service Delivery: To perform medical courier, specimen transport, pharmaceutical delivery, and related healthcare logistics services on behalf of covered entities, including pickup scheduling, routing, temperature monitoring, and timely delivery to designated facilities or recipients.
- Chain of Custody Records: To create, maintain, and provide to covered entities accurate chain-of-custody documentation and delivery confirmation records, which are required for compliance, patient safety, and legal accountability in healthcare logistics.
- Legal and Regulatory Compliance: To comply with HIPAA, HITECH, applicable state privacy laws, federal and state transportation regulations, Department of Transportation (DOT) requirements, and any other laws governing our operations.
- Billing and Internal Operations: To process invoices, manage accounts receivable, operate payroll systems for employees, maintain contractual relationships with clients, and manage general business administration.
- Safety, Security, and Quality Assurance: To monitor, audit, and improve the security and quality of our services; to investigate incidents; to conduct internal compliance reviews; and to train workforce members in HIPAA and operational best practices.
- Workforce Management: To manage employment records, assign routes, document training, and ensure that all personnel comply with applicable legal requirements and company policies.
We Do Not Use PHI for Marketing or Sell Personal Information. The Company does not use Protected Health Information for marketing purposes, for the development of commercial products, or for any purpose not authorized by the originating covered entity and applicable law. We do not sell, rent, license, or otherwise commercially exploit PHI or personal information to any third party.
5. Disclosures of Information
The Company discloses information only as permitted or required by HIPAA, applicable law, or a signed Business Associate Agreement. The following describes the circumstances under which we may disclose PHI or personal information:
5.1 Disclosures Permitted Under HIPAA
As a Business Associate operating under the direction of covered entities, we may use or disclose PHI to the extent necessary to carry out healthcare operations as authorized, including:
- Disclosures for treatment purposes, such as delivering specimens or pharmaceutical products to treating providers;
- Disclosures for payment purposes, such as providing delivery confirmation records to support client billing processes; and
- Disclosures for healthcare operations as directed and authorized by the covered entity client under the applicable BAA.
5.2 Disclosures to Subcontractors
The Company may engage subcontractors or agents who perform functions on our behalf that require access to PHI (e.g., secondary courier services, technology vendors who process ePHI). All such subcontractors are required to execute a Business Associate Agreement with the Company prior to receiving any access to PHI, and they are contractually obligated to protect PHI to the same standard required by HIPAA and this policy.
5.3 Disclosures Required by Law
We may be required to disclose PHI or personal information without prior authorization in certain circumstances, including:
- In response to a valid court order, subpoena, or judicial process;
- To comply with a government investigation or law enforcement request, where legally authorized;
- To public health authorities for public health activities as authorized by law (e.g., disease reporting, vital statistics); and
- As otherwise required by applicable federal, state, or local law.
Where permitted, the Company will notify the relevant covered entity prior to making any such disclosure.
5.4 Emergency Disclosures
In emergency circumstances where disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public, the Company may disclose PHI to appropriate persons or authorities, consistent with 45 C.F.R. § 164.512(j). Any such emergency disclosure will be documented and reported to the relevant covered entity as promptly as practicable.
5.5 No Commercial Sharing of PHI
The Company does not sell, rent, trade, or otherwise share PHI for commercial purposes. We do not disclose PHI to advertisers, data brokers, marketing firms, or any party not directly involved in providing authorized healthcare services under a valid BAA.
6. Business Associate Agreements
6.1 BAA Requirement
The Company requires a fully executed Business Associate Agreement (BAA) with every covered entity client prior to receiving, accessing, or otherwise handling any PHI in connection with the provision of services. No medical courier services involving PHI will commence until a BAA is in place. This requirement is non-negotiable and reflects our commitment to HIPAA compliance.
6.2 Our Obligations Under BAAs
Under each BAA, the Company agrees to, among other obligations:
- Use and disclose PHI only as permitted or required by the BAA and applicable law;
- Implement appropriate administrative, physical, and technical safeguards to protect PHI;
- Report any breaches of unsecured PHI or security incidents to the covered entity in the manner and timeframe required by HIPAA and the BAA;
- Ensure that any subcontractors or agents that access PHI on our behalf agree to the same restrictions and conditions through a subcontractor BAA;
- Return or destroy PHI upon termination of the BAA, to the extent feasible; and
- Make our internal practices, books, and records relating to PHI available to the Secretary of the U.S. Department of Health and Human Services (HHS) upon request.
6.3 Client Obligations
Covered entity clients retain obligations under HIPAA that are not transferred to the Company as a Business Associate. Clients are responsible for:
- Providing the Company with only the minimum necessary PHI required for service performance;
- Ensuring their own compliance with applicable HIPAA privacy and security rules;
- Promptly notifying the Company of any restrictions on PHI use or disclosure that may affect our service activities;
- Informing the Company of any changes in patient authorization status that may affect our handling obligations; and
- Maintaining patient authorization or other legal basis for the use or disclosure of PHI provided to the Company.
7. Security Measures
The Company has implemented a comprehensive, layered security program designed to protect PHI and personal information against unauthorized access, use, disclosure, alteration, or destruction. Our security program encompasses physical, administrative, and technical safeguards consistent with the HIPAA Security Rule (45 C.F.R. Part 164, Subpart C).
7.1 Physical Safeguards
- Tamper-evident packaging: All specimens and sensitive materials are transported using tamper-evident, sealed packaging that provides visible evidence of unauthorized access or interference;
- Locked vehicle compartments: Company vehicles are equipped with locked, secure compartments for the storage of PHI-containing materials during transport;
- Chain of custody protocols: A documented chain of custody is maintained for every pickup and delivery involving PHI, including time-stamped records, driver identification, and recipient confirmation;
- Temperature-controlled transport: Where required by the nature of the specimen or material (e.g., biological specimens, pharmaceuticals), refrigerated or temperature-monitored transport solutions are utilized to protect specimen integrity and comply with applicable handling standards; and
- Facility access controls: Access to physical locations where PHI is stored or processed (e.g., dispatch offices, storage areas) is restricted to authorized personnel only.
7.2 Administrative Safeguards
- HIPAA Compliance Officer: The Company has designated a Privacy Officer and a Security Officer responsible for overseeing HIPAA compliance, developing policies and procedures, and responding to privacy and security incidents;
- Workforce training: All employees, contractors, and drivers who access or handle PHI receive mandatory HIPAA training prior to service commencement and at least annually thereafter, with training records maintained;
- Access controls: Access to PHI is restricted to workforce members who require it to perform their specific job functions, consistent with the principle of minimum necessary access;
- Policies and procedures: Written HIPAA privacy and security policies and procedures are maintained, reviewed at least annually, and updated in response to regulatory changes or operational developments; and
- Sanction policy: Workforce members who violate this policy or applicable privacy and security rules are subject to disciplinary action, up to and including termination of employment or contract.
7.3 Technical Safeguards
- Encrypted digital records: Electronic PHI (ePHI) is encrypted at rest and in transit using industry-standard encryption protocols (minimum AES-256 for storage; TLS 1.2 or higher for transmission);
- Secure software systems: Our dispatch, routing, and logistics management software platforms are evaluated for HIPAA compliance, and we enter into BAAs with applicable software vendors;
- Access logging and audit controls: Systems that store or process ePHI generate and maintain audit logs recording access, modification, and transmission events for review and incident response purposes; and
- Authentication requirements: Multi-factor authentication or equivalent access controls are required for workforce members accessing systems containing ePHI.
7.4 Breach Response Protocol
The Company maintains a documented Breach Response Plan consistent with the HIPAA Breach Notification Rule (45 C.F.R. §§ 164.400–414). In the event of a known or suspected breach of unsecured PHI, the Company will:
- Detection and Assessment: Promptly investigate and assess the event to determine whether a breach of unsecured PHI has occurred, identifying the nature and scope of the incident;
- Containment: Take immediate steps to contain the breach and prevent further unauthorized use or disclosure of PHI;
- Notification to Covered Entity: Notify the relevant covered entity of the breach without unreasonable delay and in no case later than 60 days from the date of discovery, as required by 45 C.F.R. § 164.410, providing all information required for the covered entity to fulfill its own breach notification obligations; and
- Documentation: Maintain a written record of all breaches, whether or not notification was required, and of the actions taken in response, for a minimum of six (6) years.
8. Data Retention
The Company retains PHI and associated records only for as long as necessary to fulfill the purposes for which the information was collected, to perform our contractual obligations, and to comply with applicable legal requirements.
- Minimum HIPAA Retention Period: In accordance with 45 C.F.R. § 164.530(j), the Company retains its HIPAA-related policies, procedures, documentation, and records (including BAAs, training records, breach documentation, and chain-of-custody logs) for a minimum of six (6) years from the date of creation or the date the record was last in effect, whichever is later;
- State Law Requirements: Where applicable state law requires a longer retention period for medical records or health information records, we comply with the more stringent requirement;
- PHI in Transit: PHI associated with transport manifests and chain-of-custody records is retained for the minimum period required by law or the applicable BAA, and is not retained beyond that period absent a legitimate legal or operational basis; and
- Secure Destruction: Upon the expiration of the applicable retention period, PHI and personal information are destroyed using secure methods appropriate to the medium, including:
  - Paper records: Cross-cut shredding or incineration by a HIPAA-compliant document destruction vendor;
  - Electronic media and storage devices: Secure electronic wiping, degaussing, or physical destruction to prevent recovery of data; and
  - Physical specimens or materials: Disposal in compliance with applicable biohazard, OSHA, and state medical waste regulations.
9. Your Rights (Patient & Individual Rights)
As a Business Associate, the Company does not independently possess patients' PHI — rather, we access PHI on behalf of and under the direction of covered entities (e.g., your hospital, clinic, or laboratory). Accordingly, most individual rights requests related to PHI must be directed to the originating covered entity that is responsible for your care and the primary custodian of your health records. The Company will cooperate with covered entities in facilitating any rights requests as required by our BAA.
Under HIPAA, individuals generally have the following rights with respect to their PHI:
- Right to Access PHI: You have the right to inspect and obtain a copy of your PHI held by a covered entity. Please direct access requests to the covered entity that holds your records (your healthcare provider). The Company will support the covered entity in responding to access requests as required by our BAA.
- Right to Request Amendment: You may request that a covered entity amend your PHI if you believe it is inaccurate or incomplete. Requests for amendment must be submitted directly to the covered entity holding your records.
- Right to an Accounting of Disclosures: You have the right to receive an accounting of certain disclosures of your PHI made by the covered entity or its business associates. The Company maintains disclosure records as required by HIPAA and will provide them to the covered entity upon request to facilitate an accounting.
- Right to Request Restrictions: You may request that a covered entity restrict how your PHI is used or disclosed. The covered entity is responsible for evaluating and responding to such requests. If the covered entity grants a restriction that affects our services, the Company will honor the restriction as communicated by the covered entity.
- Right to File a Complaint: If you believe your privacy rights have been violated, you have the right to file a complaint with the covered entity's Privacy Officer or directly with the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). Filing a complaint will not result in retaliation.
HHS Office for Civil Rights (OCR) Contact Information:
Website: www.hhs.gov/ocr
Telephone: 1-800-368-1019 | TDD: 1-800-537-7697
Mailing Address: U.S. Department of Health & Human Services, 200 Independence Avenue S.W., Washington, D.C. 20201
Online Complaint Portal: ocrportal.hhs.gov
10. Children's Privacy
The Company does not knowingly or intentionally collect personal information directly from children under the age of 18 through our website or digital platforms. Our website is not directed to children, and we do not offer services or content intended for direct use by minors.
The Company recognizes, however, that PHI received from covered entities may include health information pertaining to minor patients. All such PHI involving minors is handled with the same level of care and in full compliance with HIPAA, applicable state minor privacy laws, and any additional protections specified by the originating covered entity. Access to PHI involving minors is restricted to workforce members with a specific, authorized need to handle such information in connection with the requested courier service.
Parents and legal guardians who have concerns about PHI pertaining to their minor child should contact the covered entity (e.g., the treating healthcare provider or facility) that provided the information to the Company.
11. State-Specific Considerations
In addition to federal HIPAA requirements, the Company operates in compliance with applicable state privacy laws in each jurisdiction where we provide services. State laws governing health information privacy may be more stringent than HIPAA in certain respects; in such cases, the Company applies the more protective standard.
Examples of state-specific laws that may be applicable include, but are not limited to:
- California: The California Confidentiality of Medical Information Act (CMIA), Cal. Civ. Code §§ 56–56.37, which provides additional protections for medical information, and the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), Cal. Civ. Code §§ 1798.100 et seq., to the extent applicable to personal information not covered by HIPAA;
- State Medical Records Laws: Various states impose specific requirements governing the retention, release, and destruction of medical records and health information;
- State Breach Notification Laws: Many states have enacted breach notification statutes with requirements that may differ from or supplement HIPAA's breach notification rule; and
- Other State Regulations: Requirements applicable to specific categories of sensitive health information (e.g., mental health, substance use disorder, HIV/AIDS status, genetic information) may impose more stringent protections under state law.
Clients operating in jurisdictions with applicable state health privacy regulations are encouraged to identify any state-specific requirements to the Company at the time of engagement so that appropriate accommodations may be incorporated into our BAA and service protocols. The Company will disclose PHI in compliance with both federal and applicable state law, applying whichever standard affords greater protection to the individual.
12. Changes to This Policy
The Company reserves the right to update, amend, or revise this Privacy Policy at any time to reflect changes in our business practices, applicable law, regulatory guidance, or technology. We encourage clients, partners, and other stakeholders to review this policy periodically.
- Material Changes: In the event of a material change to this Privacy Policy — particularly any change that affects how we use, disclose, or protect PHI — we will provide advance written notice to our covered entity partners no fewer than thirty (30) days prior to the effective date of such change, unless a shorter notice period is required by law;
- Non-Material Changes: Updates that are minor, clarifying, or administrative in nature (e.g., contact information updates, formatting corrections) may be made without advance individual notice and will be reflected in the "Last Updated" date at the top of this document; and
- Continued Use: Continued use of the Company's services following the effective date of any revised Privacy Policy constitutes acceptance of the updated terms. If a covered entity does not agree with a material change to this policy, it should notify the Company's Privacy Officer in writing prior to the effective date.
The current version of this Privacy Policy is always available upon request from the Company's Privacy Officer. All prior versions of this policy are archived and available for review upon written request.
13. Contact Us
Questions, concerns, or complaints regarding this Privacy Policy, our HIPAA compliance practices, or the handling of PHI or personal information should be directed to our designated Privacy Officer. We are committed to responding to all privacy-related inquiries promptly and in good faith.
Contact Information:
Company Name: Queen Me Transportation, LLC
Privacy Officer Name & Title: Privacy Officer, Queen Me Transportation, LLC
Mailing Address: 1353 W. Mill St. Ste 111 Unit 5085, San Bernardino, CA 92410
Email Address: QueenMeTransportation@Gmail.com
Phone Number: (844) 783-3663
Business Hours: Monday–Friday, 8:00 AM – 5:00 PM Pacific Time
All PHI-related complaints, breach reports, or requests from covered entities should be submitted in writing to the Privacy Officer via the contact information above. Verbal complaints may be accepted but will be documented in writing by the Privacy Officer as required by HIPAA.
Individuals (patients) seeking to exercise rights with respect to their PHI should direct requests to the covered entity (healthcare provider or facility) that is the primary custodian of their health records. The Company will cooperate fully with covered entities in facilitating the exercise of individual rights.
Response Timeframe: The Company will acknowledge all privacy-related written inquiries within five (5) business days of receipt and will provide a substantive response within thirty (30) days, or within the timeframe required by applicable law, whichever is sooner.
Acknowledged and Approved By:
Queen Me Transportation, LLC
Date: May 6, 2026
Organization: Queen Me Transportation, LLC