HIPAA Notice of Privacy Practices

1. Our Obligations

We are required by law to:

• Maintain the privacy of your Protected Health Information
• Provide you with this Notice of our legal duties and privacy practices regarding health information about you
• Follow the terms of the Notice that is currently in effect
• Notify you following a breach of unsecured Protected Health Information
• Notify you if we are unable to agree to a requested restriction on uses or disclosures of your PHI
• Apply the minimum necessary standard when using, disclosing, or requesting PHI for purposes other than treatment

2. How We May Use and Disclose Your Health Information

The following categories describe different ways we may use and disclose your PHI. Not every use or disclosure in a category will be listed. However, all of the ways we are permitted to use and disclose information will fall within one of these categories.

2.1 For Treatment

We may use and disclose your PHI for your treatment and to provide you with treatment-related health care services. For example:

• We may share your sleep test results with sleep specialists to establish a diagnosis
• We may disclose your health information to dentists or technicians involved in fabricating your custom oral appliance
• We may share your information with other healthcare providers involved in your care
• We may use your health information to send you appointment reminders or treatment recommendations
• We may use your health information during telehealth consultations conducted through our platform

2.2 For Payment

We may use and disclose your PHI so that we or others may bill and receive payment from you, an insurance company, or a third party for the treatment and services you received. For example:

• We may provide your insurer with information about your diagnosis and treatment to determine insurance coverage
• We may tell your health plan about a treatment you are going to receive to obtain prior authorization or determine coverage
• We may disclose information to others who may be responsible for payment, such as family members you have authorized
• We may use your information to send you statements and bills and to collect payment

2.3 For Health Care Operations

We may use and disclose your PHI for our health care operations, which are necessary to make sure that all of our patients receive quality care and to operate and manage our practice. For example:

• We may use your information to review our treatment and services and to evaluate the performance of our staff and providers
• We may combine information about many patients to decide what additional services we should offer, what services are no longer needed, and whether certain treatments are effective
• We may disclose information to doctors, dentists, nurses, technicians, and other personnel for review and learning purposes
• We may use information to conduct quality assessment and improvement activities, including outcomes evaluation and clinical protocol development
• We may use your information to improve and train our AI-powered tools and clinical decision support systems, with appropriate safeguards

2.4 Appointment Reminders, Treatment Alternatives, and Health-Related Benefits

We may use and disclose your PHI to:

• Contact you to remind you of an appointment or follow-up visit
• Tell you about treatment alternatives or options that may be available to you
• Provide information about health-related benefits and services that may be of interest to you

2.5 Individuals Involved in Your Care or Payment for Your Care

We may disclose your PHI to a family member, friend, or other person who is involved in your medical care or payment for your care, provided you have had an opportunity to agree or object. If you are unable to agree or object (for example, if you are unconscious or in an emergency), we may disclose information as necessary if we determine it is in your best interest based on our professional judgment.

2.6 Fundraising Activities

We may use limited PHI (such as your name, contact information, and dates of service) to contact you in an effort to raise money for our organization and its operations. You have the right to opt out of receiving fundraising communications. If you do not wish to be contacted for fundraising efforts, you may notify us in writing at any time using the contact information in Section 11 below, and we will honor your request.

3. Telehealth and Digital Health Services

DEEPdormir provides care through telehealth consultations and digital health tools. The following disclosures apply specifically to these services:

3.1 Telehealth Consultations

When you participate in a telehealth consultation through our platform, your PHI — including audio, video, and any clinical information shared during the session — is transmitted, stored, and protected in accordance with HIPAA requirements. We use encrypted, HIPAA-compliant telehealth technology, and all telehealth service providers operate under Business Associate Agreements.

3.2 AI-Powered Chatbot (AVA)

Our website features an AI-powered chatbot assistant named AVA. If you choose to share health-related information with AVA (such as symptoms, medical history, or treatment questions), that information may be considered PHI and is subject to the protections described in this Notice. Specifically:

• Conversations with AVA may be logged and stored securely for service improvement and quality assurance
• AVA's AI services are provided through a third-party technology provider operating under a Business Associate Agreement
• Information shared with AVA is not used for marketing purposes
• AVA does not provide medical diagnoses or replace professional medical advice

3.3 Home Sleep Testing Devices

Data collected by home sleep testing devices — including sleep study recordings, physiological measurements, and diagnostic data — is transmitted to our systems and to interpreting sleep specialists. This data is treated as PHI and protected accordingly. All device manufacturers and data transmission partners operate under Business Associate Agreements.

4. Special Situations

We may use or disclose your PHI without your authorization in the following special situations, as permitted or required by law:

4.1 As Required by Law

We will disclose your PHI when required to do so by federal, state, or local law.

4.2 Public Health Activities

We may disclose your PHI for public health activities, including:

• Preventing or controlling disease, injury, or disability
• Reporting reactions to medications or problems with products or devices to the FDA
• Notifying people of recalls of products they may be using
• Notifying a person who may have been exposed to a disease or may be at risk for contracting or spreading a disease or condition

4.3 Victims of Abuse, Neglect, or Domestic Violence

We may disclose your PHI to the appropriate government authority if we believe you are a victim of abuse, neglect, or domestic violence, as required or authorized by law. We will make every effort to obtain your consent before making such a disclosure, unless we believe that doing so would place you at risk of serious harm.

4.4 Health Oversight Activities

We may disclose PHI to a health oversight agency for activities authorized by law, such as audits, investigations, inspections, licensure, and other proceedings necessary for the government to monitor the health care system, government programs, and compliance with civil rights laws.

4.5 Lawsuits and Disputes

If you are involved in a lawsuit or dispute, we may disclose your PHI in response to a court or administrative order. We may also disclose your PHI in response to a subpoena, discovery request, or other lawful process by someone else involved in the dispute, but only if efforts have been made to tell you about the request or to obtain an order protecting the information requested.

4.6 Law Enforcement

We may release PHI if asked by a law enforcement official:

• In response to a court order, subpoena, warrant, summons, or similar process
• To identify or locate a suspect, fugitive, material witness, or missing person
• About the victim of a crime if, under certain circumstances, we are unable to obtain the person's agreement
• About a death we believe may be the result of criminal conduct
• About criminal conduct on our premises
• In emergency circumstances to report a crime, the location of the crime or victims, or the identity, description, or location of the person who committed the crime

4.7 Coroners, Medical Examiners, and Funeral Directors

We may release PHI to a coroner, medical examiner, or funeral director so they may carry out their duties as authorized by law.

4.8 Organ and Tissue Donation

If you are an organ donor, we may release PHI to organizations that handle organ procurement or organ, eye, or tissue transplantation, or to an organ donation bank, as necessary to facilitate donation and transplantation.

4.9 Research

Under certain circumstances, we may use and disclose your PHI for research purposes, but only if the research has been specially approved by an Institutional Review Board or Privacy Board that has reviewed the research proposal and established protocols to ensure the privacy of your PHI.

4.10 Threats to Health or Safety

We may use and disclose your PHI when necessary to prevent a serious threat to your health and safety or the health and safety of the public or another person. Any disclosure would only be to someone able to help prevent the threat.

4.11 National Security and Intelligence Activities

We may release your PHI to authorized federal officials for intelligence, counterintelligence, and other national security activities authorized by law.

4.12 Protective Services for the President and Others

We may disclose your PHI to authorized federal officials so they may provide protection to the President, other authorized persons, or foreign heads of state, or to conduct special investigations.

4.13 Inmates or Individuals in Custody

If you are an inmate of a correctional institution or under the custody of a law enforcement official, we may release your PHI to the correctional institution or law enforcement official if necessary for the institution to provide you with health care, to protect your health and safety or the health and safety of others, or for the safety and security of the correctional institution.

4.14 Workers' Compensation

We may release your PHI for workers' compensation or similar programs that provide benefits for work-related injuries or illness, as authorized by and to the extent necessary to comply with such laws.

4.15 Business Associates

We may disclose your PHI to our business associates who perform functions on our behalf or provide us with services if the information is necessary for such functions or services. Examples include billing companies, telehealth technology providers, AI service providers, oral appliance laboratories, and sleep test device manufacturers. All of our business associates are required to sign Business Associate Agreements that obligate them to protect the privacy of your PHI and restrict their use of your information.

4.16 Data Breach Notification

We may use or disclose your PHI to provide legally required notices of unauthorized access to or disclosure of your health information.

5. Substance Use Disorder Records

If we maintain records related to substance use disorder (SUD) diagnosis, treatment, or referral, those records receive additional protections under federal law (42 C.F.R. Part 2), in addition to the protections provided by HIPAA. Specifically:

• SUD records generally may not be used or disclosed without your written consent, except in limited circumstances authorized by law
• SUD records may not be used in civil, criminal, administrative, or legislative proceedings against you without a court order or your written consent
• SUD records receive heightened protections against redisclosure — recipients of your SUD records are prohibited from further disclosing them without your consent or as otherwise permitted by 42 C.F.R. Part 2

While DEEPdormir primarily provides sleep apnea diagnosis and treatment services, if in the course of providing care we create or receive records related to substance use disorders, those records will be protected in accordance with Part 2 requirements.

6. Redisclosure Notice

7. Uses and Disclosures That Require Your Written Authorization

The following uses and disclosures of your PHI will be made only with your written authorization:

1. Most uses and disclosures of psychotherapy notes (if applicable)
2. Uses and disclosures of PHI for marketing purposes (other than face-to-face communications and promotional gifts of nominal value)
3. Disclosures that constitute a sale of your PHI (where we receive direct or indirect remuneration in exchange for PHI)
4. Other uses and disclosures not covered by this Notice or the laws that apply to us

If you provide us with authorization to use or disclose your PHI, you may revoke that authorization, in writing, at any time. If you revoke your authorization, we will no longer use or disclose your PHI for the reasons covered by your written authorization. However, we are unable to take back any disclosures we have already made with your permission, and we are required to retain records of the care we provided to you.

8. Your Rights Regarding Your Health Information

You have the following rights regarding the PHI we maintain about you:

8.1 Right to Inspect and Copy

You have the right to inspect and obtain a copy of your PHI that may be used to make decisions about your care or payment for your care, including medical and billing records. To inspect and copy your PHI, you must submit your request in writing to our Privacy Officer. We may charge a reasonable, cost-based fee for the costs of copying, mailing, or other supplies associated with your request. We may deny your request in certain limited circumstances. If we deny your request, you have the right to have the denial reviewed by a licensed healthcare professional who was not directly involved in the denial, and we will comply with the outcome of the review.

8.2 Right to an Electronic Copy of Electronic Medical Records

If your PHI is maintained in an electronic format (known as an electronic medical record or electronic health record), you have the right to request that an electronic copy of your record be given to you or transmitted to another individual or entity. We will make every effort to provide access to your PHI in the form or format you request, if it is readily producible. If the PHI is not readily producible in the form or format you request, your record will be provided in either our standard electronic format or a readable hard copy form. We may charge you a reasonable, cost-based fee for the labor associated with transmitting the electronic medical record.

8.3 Right to Receive Notice of a Breach

You have the right to be notified upon a breach of any of your unsecured PHI. In the event of a breach, we will notify you as required by law, including information about what happened, what information was involved, what we are doing about it, and what you can do to protect yourself.

8.4 Right to Amend

If you feel that the PHI we have is incorrect or incomplete, you may ask us to amend the information. You have the right to request an amendment for as long as the information is kept by or for our practice. To request an amendment, you must submit your request in writing to our Privacy Officer, including a reason that supports your request. We may deny your request if:

• The information was not created by us, unless the person or entity that created the information is no longer available to make the amendment
• The information is not part of the medical information kept by or for our practice
• The information is not part of the information which you would be permitted to inspect and copy
• The information is accurate and complete

If we deny your request, we will provide you with a written explanation of the denial and information about how you may file a statement of disagreement.

8.5 Right to an Accounting of Disclosures

You have the right to request an "accounting of disclosures." This is a list of the disclosures we made of your PHI for purposes other than treatment, payment, health care operations, and certain other purposes provided by law. To request an accounting, you must submit your request in writing to our Privacy Officer. Your request must state a time period, which may not be longer than six years and may not include dates before April 14, 2003. Your request should indicate in what form you want the list (for example, on paper or electronically). The first list you request within a 12-month period will be free. For additional lists, we may charge you for the costs of providing the list. We will notify you of the cost involved and you may choose to withdraw or modify your request before any costs are incurred.

8.6 Right to Request Restrictions

You have the right to request a restriction or limitation on the PHI we use or disclose for treatment, payment, or health care operations. You also have the right to request a limit on the PHI we disclose to someone involved in your care or the payment for your care, like a family member or friend. For example, you could ask that we not share information about a particular diagnosis or treatment with your spouse.

To request a restriction, you must submit your request in writing to our Privacy Officer. We are not required to agree to your request unless you are asking us to restrict the use and disclosure of your PHI to a health plan for payment or health care operations purposes and such information pertains solely to a health care item or service for which you have paid us "out-of-pocket" in full (see Section 8.7 below). If we do agree to other restrictions, we will comply with your request unless the information is needed to provide you with emergency treatment.

8.7 Out-of-Pocket Payments

If you paid out-of-pocket in full for a specific item or service, you have the right to ask that your PHI with respect to that item or service not be disclosed to a health plan for purposes of payment or health care operations. We are required to honor this request.

8.8 Right to Request Confidential Communications

You have the right to request that we communicate with you about medical matters in a certain way or at a certain location. For example, you can ask that we only contact you by email, by mail, or at your work address. To request confidential communications, you must make your request in writing to our Privacy Officer. Your request must specify how or where you wish to be contacted. We will accommodate all reasonable requests.

8.9 Right to a Paper Copy of This Notice

You have the right to a paper copy of this Notice at any time. Even if you have agreed to receive this Notice electronically, you are still entitled to a paper copy. To obtain a paper copy, please contact our Privacy Officer using the information in Section 11 below.

8.10 Right to Opt Out of Fundraising Communications

If we use your PHI to contact you for fundraising purposes, you have the right to opt out of receiving such communications. To opt out, notify us in writing using the contact information in Section 11 below. We will honor your request and you will not receive further fundraising communications.

9. Changes to This Notice

We reserve the right to change this Notice and make the new Notice provisions apply to PHI we already have as well as any information we receive in the future. We will post a copy of our current Notice on our website at deepdormir.com/legal/hipaa-notice. The Notice will contain the effective date on the first page. We will also make copies of the current Notice available upon request.

10. Complaints

If you believe your privacy rights have been violated, you may file a complaint with our practice or with the Secretary of the U.S. Department of Health and Human Services. All complaints must be made in writing.

To file a complaint with our practice, contact our Privacy Officer using the information in Section 11 below.

To file a complaint with the U.S. Department of Health and Human Services:

11. Contact Information

For questions about this Notice, to make a privacy-related request, or to exercise any of your rights described in this Notice, please contact our Privacy Officer:

We will respond to your request within the timeframe required by law. For requests to access or copy your health records, we will respond within 30 days (with a possible 30-day extension upon written notice).