HIPAA Notice of Privacy Practices

1. Understanding Your Protected Health Information (PHI)

Protected Health Information (“PHI”) is information about you — including demographic data — that may identify you and relates to your past, present, or future physical or mental health condition, the provision of healthcare to you, or payment for that care. Examples include:

• Your name, address, date of birth, and Social Security Number
• Medical records, diagnoses, and treatment plans
• Lab results and imaging reports
• Prescription and medication information
• Insurance and billing information
• Notes from appointments and telehealth consultations
• Information stored in our electronic medical records system (Healthie)
• Health data accessed through the NOW Optimal mobile application

2. How We May Use and Disclose Your PHI

2.1 Uses and Disclosures That Do Not Require Your Authorization

We may use and disclose your PHI without your written authorization for the following purposes:

Other Permitted Uses Without Authorization:

• As Required by Law: We may disclose PHI when required by federal, state, or local law.
• Public Health Activities: We may disclose PHI for public health purposes, including reporting communicable diseases, adverse drug reactions, and vital statistics.
• Health Oversight Activities: We may disclose PHI to government agencies for audits, investigations, inspections, and licensure activities.
• Judicial and Administrative Proceedings: We may disclose PHI in response to a court order, subpoena, or other lawful process.
• Law Enforcement: We may disclose PHI to law enforcement officials as required or permitted by law (e.g., reporting certain injuries or crimes).
• Coroners and Funeral Directors: We may disclose PHI to coroners, medical examiners, or funeral directors as necessary.
• Organ and Tissue Donation: We may disclose PHI to organizations involved in organ procurement.
• Research: We may use or disclose PHI for research purposes, subject to approval by an Institutional Review Board or Privacy Board, or as otherwise permitted by HIPAA.
• Serious Threat to Health or Safety: We may disclose PHI to prevent or lessen a serious, imminent threat to a person’s health or safety or to public safety.
• Workers’ Compensation: We may disclose PHI as authorized by workers’ compensation laws.
• Military and Veterans: We may disclose PHI of military personnel as required by armed forces authorities.
• Inmates: We may disclose PHI of inmates to correctional institutions or law enforcement as necessary for health and safety.
• Business Associates: We may disclose PHI to business associates who perform services on our behalf, provided they agree to safeguard your information through a Business Associate Agreement. Our current Business Associates include Healthie (EMR), Amazon Web Services (hosting), Snowflake (data warehouse), and Stripe (payments).

2.2 Uses and Disclosures That Require Your Written Authorization

We will not use or disclose your PHI without your written authorization for purposes other than those described above, including:

• Marketing communications (except face-to-face communications or promotional gifts of nominal value)
• Sale of your PHI
• Most uses of psychotherapy notes (if applicable)
• Any other use or disclosure not described in this Notice

You may revoke any written authorization at any time by submitting a written request to our Privacy Officer. Revocation will not affect actions already taken in reliance on your authorization.

3. Your Rights Regarding Your PHI

Under HIPAA, you have the following rights regarding your Protected Health Information:

3.1 Right to Access Your Records

You have the right to inspect and obtain a copy of your PHI maintained by the Practice, including medical records and billing records. Requests must be made in writing to our Privacy Officer. We will respond within 30 days (or 60 days with a written extension notice). We may charge a reasonable fee for copying costs. You may access much of your health information directly through the NOW Optimal App.

3.2 Right to Request Amendment

You have the right to request that we amend your PHI if you believe it is inaccurate or incomplete. Requests must be made in writing with a reason supporting the amendment. We may deny the request if the information was not created by us, is not part of your records, is already accurate, or is not available for inspection. If denied, you may submit a written statement of disagreement.

3.3 Right to an Accounting of Disclosures

You have the right to receive an accounting of certain disclosures of your PHI made by the Practice in the six years prior to the request. This accounting does not include disclosures for treatment, payment, healthcare operations, or disclosures authorized by you. The first accounting in any 12-month period is free; subsequent requests may incur a reasonable fee.

3.4 Right to Request Restrictions

You have the right to request restrictions on certain uses and disclosures of your PHI for treatment, payment, or healthcare operations. We are not required to agree to most restriction requests, but we must comply with a request to restrict disclosure to a health plan if you have paid for a service entirely out of pocket.

3.5 Right to Confidential Communications

You have the right to request that we communicate with you about medical matters through a particular method or at a certain location. For example, you may request that we contact you only at your work phone number or via secure messaging through the App. We will accommodate reasonable requests.

3.6 Right to a Paper Copy of This Notice

You have the right to obtain a paper copy of this Notice at any time, even if you have previously agreed to receive it electronically. Contact our Privacy Officer to request a paper copy.

3.7 Right to Be Notified of a Breach

You have the right to be notified if we discover a breach of your unsecured PHI. In the event of a breach, we will notify you in writing without unreasonable delay, and no later than 60 days after discovery. The notification will include a description of the breach, the types of information involved, recommended steps to protect yourself, what we are doing in response, and contact information for further questions.

4. Our Duties

The Practice is required to:

• Maintain the privacy and security of your PHI
• Provide you with this Notice of our legal duties and privacy practices
• Abide by the terms of this Notice currently in effect
• Notify you if a breach occurs that may have compromised the privacy or security of your PHI
• Obtain your written authorization before using your PHI for marketing purposes or before selling your PHI
• Follow the minimum necessary standard when using or disclosing your PHI for purposes other than treatment

We reserve the right to change the terms of this Notice and to make the new provisions effective for all PHI that we maintain, including information created or received before the changes. If we make material changes, we will post the revised Notice on our Website and make it available through the App.

5. Electronic Health Information & the NOW Optimal App

The Practice uses the NOW Optimal mobile application and electronic medical records (via Healthie) to maintain and provide access to your health information. Regarding electronic PHI (ePHI):

• Access: You may view your health records, lab results, appointment information, and provider messages through the App.
• Security: All ePHI is protected with enterprise-grade encryption (AES-256 at rest, TLS 1.2+ in transit), role-based access controls, and audit logging.
• Authentication: Access to ePHI through the App requires authentication. Credentials are stored in platform-native secure storage (iOS Keychain / Android Keystore).
• AI Processing: Our JARVIS AI system may process your ePHI to provide clinical decision support to your care team. AI processing is performed on HIPAA-compliant infrastructure, and your data is not used to train external AI models.
• Third-Party Transfer: You may request that your ePHI be transferred to a personal health application. We will inform you of any privacy and security risks associated with such transfers, as the receiving application may not be subject to HIPAA protections.

6. Complaints

If you believe your privacy rights have been violated, you have the right to file a complaint with us and with the U.S. Department of Health and Human Services (HHS). You will not be retaliated against for filing a complaint.

7. Contact Information

For questions about this Notice, to exercise any of your rights, or to request additional information about our privacy practices, please contact:

This Notice applies to the following affiliated entities (collectively, the “Practice”):

• NOW Optimal Network LLC
• NOW Men’s Health (nowmenshealth.care)
• NOW Primary Care (nowprimary.care)