Notice of Privacy Practices

About This Notice

BloomPath Health, Inc. ("BloomPath") is required by the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") and its implementing regulations to maintain the privacy of your Protected Health Information ("PHI"), to provide you with this Notice of our legal duties and privacy practices, and to abide by the terms of this Notice.

This Notice applies to all PHI created, received, maintained, or transmitted by BloomPath in connection with your care. PHI is information that identifies you and relates to your past, present, or future health condition, the provision of healthcare to you, or payment for that healthcare.

How We May Use and Disclose Your PHI

Uses and Disclosures That Do Not Require Your Authorization

We may use and disclose your PHI without your written authorization for the following purposes:

Treatment

We may use and disclose your PHI to provide, coordinate, and manage your healthcare. This includes sharing information among the members of your BloomPath care team (registered dietitians, behavioral health specialists, health coaches, and supervising physicians) for the purpose of delivering your program. We may also disclose your PHI to your referring pediatrician or primary care provider to coordinate your care, with appropriate consent documentation on file.

Payment

We may use and disclose your PHI to bill for our services and collect payment. This includes sharing information with your health insurance plan to verify coverage, obtain prior authorization, submit claims, and process payments. It also includes sharing information necessary for utilization review or quality improvement activities required by your payer.

Healthcare Operations

We may use and disclose your PHI for our internal healthcare operations. This includes quality assessment and improvement activities, outcomes evaluation, care coordination, clinician training and credentialing, compliance programs, auditing, and other business activities necessary to run our organization.

As Required by Law

We may disclose your PHI when required to do so by federal, state, or local law. This includes disclosures to comply with court orders, administrative orders, subpoenas, or other legal processes.

Public Health Activities

We may disclose your PHI for public health activities permitted or required by law, including reporting to public health authorities for the purpose of preventing or controlling disease, injury, or disability.

Abuse, Neglect, or Domestic Violence

We may disclose your PHI to appropriate authorities if we reasonably believe you or a child are a victim of abuse, neglect, or domestic violence, as required or permitted by law.

Health Oversight Activities

We may disclose your PHI to a health oversight agency for activities authorized by law, including audits, investigations, inspections, and licensure proceedings.

Judicial and Administrative Proceedings

We may disclose your PHI in response to a court order, subpoena, discovery request, or other lawful process.

Law Enforcement

We may disclose your PHI for law enforcement purposes as required by law, including in response to a court order, warrant, or administrative request.

To Prevent a Serious Threat to Health or Safety

We may use or disclose your PHI when necessary to prevent or lessen a serious and imminent threat to your health or safety or the health or safety of the public or another person.

Research

Under certain circumstances, we may use and disclose your PHI for research purposes, subject to approval by an Institutional Review Board (IRB) or privacy board, or when the research involves only de-identified information.

Uses and Disclosures That Require Your Written Authorization

We will obtain your written authorization before using or disclosing your PHI for purposes other than those described above. You may revoke an authorization at any time by submitting a written revocation to our Privacy Officer. Revocation will not affect any uses or disclosures made in reliance on the authorization before it was revoked.

Certain uses and disclosures will always require your written authorization, including:

• Marketing communications (other than face-to-face communications or promotional gifts of nominal value)
• Sale of your PHI
• Most uses of psychotherapy notes, if applicable

Your Rights Regarding Your PHI

You have the following rights with respect to your PHI:

Right to Access

You have the right to inspect and obtain a copy of your PHI that we maintain in our records. To request access, submit a written request to our Privacy Officer. We may charge a reasonable fee for copies. We will respond within 30 days of receiving your request.

Right to Amend

You have the right to request an amendment to your PHI if you believe it is incorrect or incomplete. To request an amendment, submit a written request to our Privacy Officer explaining the reason for the amendment. We may deny your request under certain circumstances, but we will provide a written explanation of the denial.

Right to an Accounting of Disclosures

You have the right to receive a list of certain disclosures we have made of your PHI. This accounting does not include disclosures made for treatment, payment, healthcare operations, or disclosures you authorized in writing. To request an accounting, submit a written request to our Privacy Officer. The request must specify a time period of no more than six years.

Right to Request Restrictions

You have the right to request restrictions on certain uses and disclosures of your PHI for treatment, payment, or healthcare operations. We are not required to agree to your request, except that we must comply with a request to restrict disclosure to a health plan for services you paid for in full out of pocket.

Right to Request Confidential Communications

You have the right to request that we communicate with you about your healthcare in a certain way or at a certain location. For example, you may request that we contact you only at a specific phone number or email address. We will accommodate reasonable requests.

Right to a Copy of This Notice

You have the right to receive a paper copy of this Notice at any time, even if you previously agreed to receive it electronically. You may request a copy by contacting our Privacy Officer.

Right to File a Complaint

If you believe your privacy rights have been violated, you have the right to file a complaint with us and with the U.S. Department of Health and Human Services Office for Civil Rights. We will not retaliate against you for filing a complaint.

• To file a complaint with BloomPath, contact our Privacy Officer at privacy@bloompathhealth.com
• To file a complaint with the Office for Civil Rights, visit hhs.gov/ocr/complaints or call 1-800-368-1019

Our Responsibilities

• We are required by law to maintain the privacy and security of your PHI
• We are required to provide you with this Notice of our legal duties and privacy practices
• We are required to abide by the terms of this Notice currently in effect
• We are required to notify you if a breach of your unsecured PHI occurs
• We will not use or disclose your PHI without your authorization except as described in this Notice

Breach Notification

In the event of a breach of your unsecured PHI, we will notify you as required by federal and state law. Notification will be made without unreasonable delay and in no event later than 60 days after discovery of the breach. Notification will include a description of the breach, the types of information involved, steps you should take to protect yourself, what we are doing to investigate and mitigate the breach, and contact information for further questions.

Minors

BloomPath provides clinical services to children and adolescents ages 6-17. In most cases, a parent or legal guardian has the right to access and control the PHI of their minor child. However, in certain circumstances under state or federal law, a minor may consent to their own healthcare, and their PHI may be protected from parental access. We will follow applicable state law regarding parental access to a minor's PHI.

Changes to This Notice

We reserve the right to change the terms of this Notice and to make the new provisions effective for all PHI that we maintain. If we make a material change to this Notice, we will post the revised Notice on our website and make it available upon request. The revised Notice will include the effective date of the changes.

Contact Information

For questions about this Notice, to exercise your rights, or to file a complaint, contact our Privacy Officer: