Notice of Privacy Practices
Effective Date: February 1, 2025 · Last Updated: February 9, 2026
This notice describes how medical information about you may be used and disclosed and how you can get access to this information. Please review it carefully.
About This Notice
Neuvora LLC ("Neuvora," "we," "us," or "our") is committed to protecting the privacy and security of your Protected Health Information ("PHI"). This Notice of Privacy Practices ("Notice") describes how we may use and disclose your PHI and your rights regarding that information under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), the Health Information Technology for Economic and Clinical Health Act ("HITECH"), and applicable state laws.
Neuvora provides healthcare technology services including Remote Patient Monitoring (RPM), Remote Therapeutic Monitoring (RTM), Chronic Care Management (CCM), telemedicine consultations, cognitive assessments, and related services to healthcare providers. In many cases, we operate as a Business Associate under HIPAA, processing PHI on behalf of your healthcare provider (the "Covered Entity"). Your healthcare provider maintains its own Notice of Privacy Practices that governs how it uses your PHI.
This Notice applies to all PHI that Neuvora creates, receives, maintains, or transmits in connection with our Services. It supplements our general Privacy Policy, which addresses non-PHI data.
1. Our Obligations
We are required by law to:
- Maintain the privacy and security of your PHI.
- Provide you with this Notice of our legal duties and privacy practices regarding your PHI.
- Follow the terms of this Notice that are currently in effect.
- Notify you and the applicable Covered Entity in the event of a breach of your unsecured PHI.
- Abide by the terms of our Business Associate Agreements with your healthcare providers.
2. How We May Use and Disclose Your PHI
We may use and disclose your PHI for the following purposes, as permitted or required by HIPAA and as directed by your healthcare provider:
2.1 Treatment
We may use and disclose your PHI as necessary to facilitate the provision of treatment by your healthcare provider. This includes processing remote monitoring data (vital signs, medication adherence, patient-reported outcomes), facilitating telemedicine consultations, coordinating care management services, and delivering cognitive assessment results to your provider.
2.2 Payment
We may use and disclose your PHI as needed to support billing and payment activities on behalf of your healthcare provider. This includes submitting claims to health insurance plans, verifying insurance coverage, and processing payments for healthcare services delivered through our platform.
2.3 Healthcare Operations
We may use and disclose your PHI to support the healthcare operations of your provider, including quality assessment and improvement activities, conducting or arranging for audits, compliance programs, business planning, and other operational activities permitted under HIPAA.
2.4 As Required by Law
We may use or disclose your PHI when required to do so by federal, state, or local law, including disclosures to:
- Public health authorities for disease prevention and control.
- Government agencies authorized to receive reports of abuse, neglect, or domestic violence.
- The U.S. Food and Drug Administration (FDA) for activities related to the quality, safety, or effectiveness of regulated products.
- A person who may have been exposed to a communicable disease or may otherwise be at risk of contracting or spreading a disease.
- An employer, as permitted by workers' compensation or similar laws.
2.5 Health Oversight Activities
We may disclose your PHI to health oversight agencies for activities authorized by law, such as audits, investigations, inspections, and licensure activities necessary for the government to monitor the healthcare system, government programs, and compliance with civil rights laws.
2.6 Judicial and Administrative Proceedings
We may disclose your PHI in response to a court order, subpoena, discovery request, or other lawful process, subject to the requirements and limitations of HIPAA.
2.7 Law Enforcement
We may disclose your PHI to law enforcement officials in limited circumstances, including in response to a court order, warrant, or grand jury subpoena; to identify or locate a suspect, fugitive, material witness, or missing person; or when necessary to report certain types of wounds or physical injuries.
2.8 To Avert a Serious Threat
We may use and disclose your PHI when necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public.
2.9 Decedents
We may disclose PHI of a deceased individual to a coroner, medical examiner, or funeral director, and to organ procurement organizations, as permitted by law.
2.10 De-identified Data
We may use and disclose de-identified health information (information from which all identifiers have been removed in accordance with HIPAA standards) for any purpose without restriction, as de-identified data is not considered PHI.
3. Uses and Disclosures Requiring Your Authorization
Except as described above, we will not use or disclose your PHI without your written authorization. The following uses and disclosures require your written authorization:
- Sale of your PHI.
- Most uses and disclosures of psychotherapy notes (if applicable).
- Uses and disclosures for marketing purposes.
- Any other uses and disclosures not described in this Notice.
You may revoke any authorization you have given in writing at any time by contacting our Privacy Officer, except to the extent that we have already acted in reliance on the authorization.
4. Your Rights Regarding Your PHI
Under HIPAA, you have the following rights with respect to your PHI. To exercise these rights, contact our Privacy Officer at the address below. Note that, as we are a Business Associate, some requests may need to be directed to your healthcare provider (the Covered Entity), and we will assist in facilitating your request.
Access & Copies
You have the right to inspect and obtain a copy of your PHI maintained by us, with limited exceptions. We will provide copies in the format you request if readily producible, or in a mutually agreed-upon alternative format. We may charge a reasonable, cost-based fee.
Amendment
You have the right to request an amendment to your PHI if you believe it is incorrect or incomplete. We may deny the request in certain circumstances, and if denied, you have the right to submit a statement of disagreement.
- Right to an Accounting of Disclosures: You have the right to request a list (accounting) of certain disclosures of your PHI that we have made, other than disclosures for treatment, payment, healthcare operations, and certain other exceptions. The accounting will cover disclosures made during the six (6) years prior to your request (or a shorter period if requested). The first accounting in a twelve-month period is provided at no charge; subsequent requests may be subject to a reasonable fee.
- Right to Request Restrictions: You have the right to request restrictions on how we use or disclose your PHI for treatment, payment, or healthcare operations. We are not required to agree to your request, except that we must comply with a request to restrict disclosures to a health plan for items or services that you have paid for in full out of pocket.
- Right to Request Confidential Communications: You have the right to request that we communicate with you about your PHI through alternative means or at alternative locations (for example, sending correspondence to a specific address or phone number).
- Right to a Paper Copy of This Notice: You have the right to obtain a paper copy of this Notice at any time, even if you have previously agreed to receive it electronically.
- Right to Notification of a Breach: You have the right to be notified in the event of a breach of your unsecured PHI. We will notify both you and your healthcare provider as required by HIPAA and the HITECH Act.
5. How We Protect Your Information
We implement comprehensive administrative, technical, and physical safeguards to protect your PHI as required by the HIPAA Security Rule:
Administrative
- Designated Privacy and Security Officers
- Workforce training and awareness programs
- Sanction policies for violations
- Regular risk assessments
- Incident response procedures
- Business Associate management
Technical
- AES-256 encryption at rest
- TLS 1.2+ encryption in transit
- Multi-factor authentication
- Role-based access controls
- Audit logging and monitoring
- Automatic session timeouts
Physical
- Secure data center facilities (AWS)
- Facility access controls
- Workstation use policies
- Device and media controls
- Secure disposal procedures
- Environmental safeguards
6. Business Associate Relationships
We maintain Business Associate Agreements (BAAs) with all subcontractors and third-party vendors who may access PHI in connection with the services they provide to us. These BAAs require our business associates to:
- Implement appropriate safeguards to protect PHI.
- Report any security incidents or breaches involving PHI.
- Ensure that any subcontractors they engage also agree to the same restrictions and conditions.
- Make PHI available to support individuals' rights under HIPAA.
- Make their internal practices, books, and records available to the U.S. Department of Health and Human Services (HHS) for compliance verification.
- Return or destroy PHI upon termination of the agreement, where feasible.
Our key business associate relationships include cloud infrastructure providers (Amazon Web Services), communication service providers, and our cognitive assessment partner (CogniFit). Each has a BAA in place that meets HIPAA requirements.
7. Breach Notification
In the event of a breach of your unsecured PHI, we will comply with all applicable breach notification requirements under HIPAA and the HITECH Act:
- Individual Notification: We will notify affected individuals without unreasonable delay and no later than sixty (60) days after discovery of the breach, unless a law enforcement delay is requested.
- Covered Entity Notification: As a Business Associate, we will notify the applicable Covered Entity (your healthcare provider) of any breach of PHI without unreasonable delay.
- HHS Notification: Breaches affecting 500 or more individuals will be reported to the U.S. Department of Health and Human Services without unreasonable delay. Breaches affecting fewer than 500 individuals will be reported annually.
- Media Notification: For breaches affecting more than 500 residents of a state or jurisdiction, we will provide notice to prominent media outlets in that area.
Breach notifications will include a description of the breach, the types of information involved, steps individuals should take to protect themselves, what we are doing to investigate and mitigate the breach, and contact information for further inquiries.
8. State Privacy Laws
In addition to HIPAA, certain state laws may provide additional protections for your health information. Where state law is more protective than HIPAA, we will comply with the stricter requirement. This may include:
- Shorter breach notification timelines required by certain states.
- Additional protections for substance abuse treatment records, mental health records, HIV/AIDS-related information, genetic information, or reproductive health information under applicable state laws.
- More restrictive consent requirements for certain types of health information.
- Additional rights provided under state consumer privacy laws (such as the CCPA/CPRA for California residents). Note: PHI that is governed by HIPAA is generally exempt from state consumer privacy laws, but where both apply, we will comply with the more protective standard.
9. Changes to This Notice
We reserve the right to change the terms of this Notice at any time. Any changes will apply to all PHI we maintain at the time of the change, as well as PHI we create or receive after the change takes effect. The revised Notice will be posted on our website and will be available upon request. The effective date of the current Notice is listed at the top of this page.
10. Complaints
If you believe your privacy rights have been violated, you have the right to file a complaint:
- With Neuvora: Contact our Privacy Officer at the address below. We will investigate your complaint and respond within thirty (30) days.
- With Your Healthcare Provider: You may also file a complaint with the Covered Entity (your healthcare provider) that directed us to process your PHI.
- With HHS: You may file a complaint with the U.S. Department of Health and Human Services Office for Civil Rights by visiting www.hhs.gov/ocr/privacy/hipaa/complaints, calling 1-877-696-6775, or writing to: Office for Civil Rights, U.S. Department of Health and Human Services, 200 Independence Avenue S.W., Washington, D.C. 20201.
You Will Not Be Penalized for Filing a Complaint
We will not retaliate against you in any way for filing a complaint about our privacy practices. You will not be denied care or services, and you will not be penalized for exercising your rights.
11. Privacy Officer Contact Information
To exercise any of your rights, request additional information, or file a complaint, please contact our Privacy Officer:
Neuvora LLC
Privacy Officer
30 N. Gould St Suite R
Sheridan, Wyoming 82801