HIPAA Notice of Privacy Practices

1. Our Duties

Affinity Direct, a division of Affinity Whole Health LLC, is required by law to:

• Maintain the privacy and security of your protected health information (PHI)
• Provide you with notice of our legal duties and privacy practices with respect to PHI
• Notify you in the event of a breach of unsecured PHI
• Follow the terms of the notice currently in effect

2. How We May Use and Disclose Your PHI

Treatment

We may use and share your PHI to provide you with medical treatment and services. For example, your intake information will be shared with the licensed provider assigned to review your case so they can evaluate your health history and issue a prescription if appropriate. We may also share PHI with pharmacies that dispense your medication.

Payment

We may use and disclose your PHI to collect payment for our services. For example, we may share relevant information with your payment processor to verify and process your transaction.

Healthcare Operations

We may use and share your PHI to support our healthcare operations, including quality assessment and improvement activities, training and oversight of our clinical team, and ensuring compliance with applicable laws and regulations.

Required by Law

We will disclose your PHI when required to do so by federal, state, or local law, including in response to a court order, subpoena, or other legal process.

Public Health Activities

We may disclose your PHI to public health authorities for activities such as reporting communicable diseases, adverse drug events, or as otherwise required by applicable public health laws.

Law Enforcement

Under specific circumstances required by law, we may disclose limited PHI to law enforcement officials, such as to identify or locate a suspect or to report certain types of wounds.

2a. Business Associates

We may share your PHI with vendors and service providers ("Business Associates") who perform functions on our behalf, such as cloud hosting, communications, identity verification, payment support, and pharmacy fulfillment. Where required by HIPAA, these Business Associates are required to enter into a Business Associate Agreement (BAA) that obligates them to appropriately safeguard your PHI and use it only for authorized purposes. We do not sell your PHI.

3. Uses and Disclosures Requiring Your Authorization

Other than as described above, we will not use or disclose your PHI without your written authorization. This includes:

• Most uses and disclosures of psychotherapy notes
• Uses and disclosures of PHI for marketing purposes
• Disclosures that constitute a sale of your PHI

You may revoke any authorization you have provided in writing at any time, except to the extent that we have already taken action in reliance on your authorization.

4. Your Rights Regarding Your PHI

Right to Access

You have the right to inspect and obtain a copy of your PHI that we maintain, including your medical records and billing records, subject to limited exceptions permitted by law. To request access, submit a written request to our privacy officer. We may charge a reasonable, cost-based fee where permitted by law.

Right to Request Amendment

You have the right to request that we amend PHI that you believe is incorrect or incomplete. We may deny your request under certain circumstances, but we will explain our reasons in writing.

Right to an Accounting of Disclosures

You have the right to receive a list of certain disclosures of your PHI that we have made. This right applies to disclosures made for purposes other than treatment, payment, healthcare operations, and certain other purposes.

Right to Request Restrictions

You have the right to request that we restrict how we use or disclose your PHI. We are not required to agree to all requested restrictions, but we will consider reasonable requests and comply where required by law.

Right to Request Confidential Communications

You have the right to request that we communicate with you about your PHI using a particular method or at a particular location (e.g., only by email, not by phone). We will accommodate reasonable requests.

Right to a Paper Copy of This Notice

You have the right to receive a paper copy of this notice at any time, even if you have agreed to receive it electronically. Contact us to request a paper copy.

4a. Right to Receive Breach Notification

In the event of a breach of your unsecured PHI, we are required by law to notify you within 60 days of discovering the breach. Notification will be provided by first-class mail or email (if you have agreed to electronic notice). If the breach affects 500 or more individuals in a state, we will also notify prominent media outlets in that state.

5. How to Exercise Your Rights

To exercise any of the rights described above, submit a written request to:

Affinity Direct — HIPAA Privacy Officer
Email: virtual@affinitywholehealth.com
Affinity Whole Health LLC
Columbus, Ohio

We will respond within the time period required by applicable law. If additional time is permitted and needed, we will notify you as required by law.

6. How to File a Complaint

If you believe your privacy rights have been violated, you may file a complaint with us or with the U.S. Department of Health and Human Services Office for Civil Rights. To file a complaint with us, contact our Privacy Officer at the address above. We will not retaliate against you for filing a complaint.

To file a complaint with the Office for Civil Rights: www.hhs.gov/ocr or call 1-800-368-1019.

7. Changes to This Notice

We reserve the right to change the terms of this notice and to make the revised notice effective for PHI we already hold as well as any PHI we receive in the future. We will post the updated notice on our website and make paper copies available upon request. The effective date will be listed at the top of the notice.