Notice of Privacy Practices

Embirwell (“we,” “us,” or “our”) is required by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its implementing regulations to maintain the privacy of your Protected Health Information (PHI), to provide you with this Notice of our legal duties and privacy practices with respect to your PHI, and to abide by the terms of this Notice. PHI is information that identifies you and relates to your past, present, or future physical or mental health condition, the provision of healthcare to you, or payment for healthcare services.

1. How We May Use and Disclose Your Protected Health Information

We may use and disclose your PHI without your written authorization for the following purposes:

For Treatment

We may use and disclose your PHI to provide, coordinate, or manage your healthcare. This includes sharing information with clinicians involved in your care, consulting with other healthcare providers, referring you to specialists, and communicating with pharmacies to fill your prescriptions. For example, your treating clinician may share your symptom history and current medications with a pharmacy to ensure safe prescription fulfillment.

For Payment

We may use and disclose your PHI to bill and collect payment for the services we provide. This may include sharing information with payment processors, billing services, or, if applicable in the future, insurance companies or health plans.

For Healthcare Operations

We may use and disclose your PHI for activities necessary to run our practice and ensure quality care. These activities include quality assessment and improvement, clinical training, credentialing, auditing, compliance activities, and business planning.

Other Uses and Disclosures Without Authorization

We may also use or disclose your PHI without your authorization in the following situations, as permitted or required by law:

• As required by law: when federal, state, or local law requires disclosure.
• Public health activities: to public health authorities for the purpose of preventing or controlling disease, injury, or disability, and to report adverse events related to medications.
• Victims of abuse, neglect, or domestic violence: to appropriate government authorities if we reasonably believe you are a victim of abuse, neglect, or domestic violence.
• Health oversight activities: to health oversight agencies for activities authorized by law, such as audits, investigations, and inspections.
• Judicial and administrative proceedings: in response to a court order, subpoena, or other lawful process.
• Law enforcement purposes: to law enforcement officials under limited circumstances, such as in response to a court order or to report certain types of wounds or injuries.
• To avert a serious threat: to prevent or lessen a serious and imminent threat to your health or safety or the health or safety of others.
• Workers' compensation:as authorized by and necessary to comply with workers' compensation laws.
• Coroners and funeral directors: to coroners, medical examiners, or funeral directors as necessary for them to carry out their duties.

Uses and Disclosures Requiring Your Written Authorization

For uses and disclosures not described above, we will obtain your written authorization before using or disclosing your PHI. This includes, but is not limited to, most uses of psychotherapy notes (if applicable), uses of PHI for marketing purposes, and the sale of PHI. You may revoke your authorization at any time in writing, except to the extent that we have already taken action in reliance on it.

2. Your Rights Regarding Your Protected Health Information

You have the following rights with respect to your PHI:

• Right to access: you have the right to inspect and obtain a copy of your PHI maintained by Embirwell. We may charge a reasonable, cost-based fee for providing copies. Requests must be submitted in writing.
• Right to request an amendment: if you believe that your PHI is incorrect or incomplete, you may request that we amend it. We may deny the request under certain circumstances, such as if the information was not created by us or if we determine the information is accurate.
• Right to an accounting of disclosures: you have the right to receive a list of certain disclosures we have made of your PHI. This does not include disclosures made for treatment, payment, or healthcare operations, or disclosures you authorized in writing.
• Right to request restrictions: you may request that we restrict certain uses or disclosures of your PHI for treatment, payment, or healthcare operations. We are not required to agree to your request unless the disclosure is to a health plan for payment or healthcare operations purposes and the PHI pertains solely to a service for which you have paid out of pocket in full.
• Right to request confidential communications: you may request that we communicate with you about your health information in a specific way or at a specific location. For example, you may ask that we only contact you by email at a particular address. We will accommodate reasonable requests.
• Right to a paper copy of this Notice: you have the right to obtain a paper copy of this Notice at any time, even if you previously agreed to receive it electronically.
• Right to be notified of a breach: you have the right to be notified if there is a breach of your unsecured PHI.

3. Our Duties

Embirwell is required to:

• Maintain the privacy and security of your PHI.
• Provide you with this Notice of our legal duties and privacy practices with respect to your PHI.
• Abide by the terms of this Notice currently in effect.
• Notify you if we are unable to agree to a requested restriction on how your information is used or disclosed.
• Notify you in the event of a breach of your unsecured PHI, as required by law.
• Not use or disclose your PHI for marketing purposes or sell your PHI without your written authorization.

4. Minimum Necessary Standard

When using or disclosing your PHI or when requesting PHI from another entity, we will make reasonable efforts to limit the information to the minimum necessary to accomplish the intended purpose. This standard does not apply to disclosures made for treatment purposes or disclosures made to you.

5. Business Associates

We may share your PHI with third-party service providers (known as “Business Associates”) who perform functions on our behalf that involve access to PHI. Examples include cloud hosting providers, electronic health record vendors, and payment processors. All Business Associates are required to sign a Business Associate Agreement that obligates them to safeguard your PHI in accordance with HIPAA.

6. Changes to This Notice

We reserve the right to change the terms of this Notice at any time. Any changes will apply to all PHI we maintain, including information created or received before the change. The revised Notice will be posted on our website and made available upon request. The effective date of the current Notice is listed at the top of this page.

7. Complaints

If you believe your privacy rights have been violated, you may file a complaint with Embirwell or with the U.S. Department of Health and Human Services (HHS) Office for Civil Rights. We will not retaliate against you for filing a complaint.

• To file with Embirwell: contact our Privacy Officer using the information below.
• To file with HHS: visit www.hhs.gov/ocr/complaints or call 1-877-696-6775.

8. Contact Information — Privacy Officer

If you have questions about this Notice, would like to exercise any of your rights, or wish to file a complaint, please contact our Privacy Officer:

• Email: contact@embirwell.com