Notice of Privacy Practices

THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.

Contact Information & Privacy Officer

If you have questions about this notice, want to exercise your rights, or wish to file a complaint, please contact:

Keith Ray, Privacy Officer

ThriveWell Women's Health

1223 Higuera Street, Suite 203

San Luis Obispo, CA 93401

Phone: (805) 864-5330

Email: [email protected]

A paper copy of this notice is available upon request.

Overview of Your Rights, Choices & Our Practices

Your Rights

•      Get a copy of your medical record

•      Correct your medical record

•      Request confidential communication

•      Ask us to limit what we share

•      Get a list of those with whom we've shared info

•      Get a copy of this privacy notice

•      Choose someone to act for you

•      File a complaint

Your Choices

•      Sharing with family/friends

•      Disaster relief

•      Hospital directory

•      Mental health care

Our Uses & Disclosures

•      Treat you

•      Run our organization

•      Bill for services

•      Help with public health & safety

•      Conduct research

•      Comply with the law

•      Other legally permitted purposes

Detailed Explanation of Your Rights

Get an Electronic or Paper Copy of Your Medical Record

You can ask to see or get an electronic or paper copy of your medical record and other health information we have about you. We will provide a copy or summary usually within 30 days of your request. We may charge a reasonable, cost-based fee.

Ask Us to Correct Your Medical Record

You can ask us to correct health information about you that you think is incorrect or incomplete. We may say no to your request, but we will tell you why in writing within 60 days.

Request Confidential Communications

You can ask us to contact you in a specific way (home, office, or cell phone) or to send mail to a different address. We will say yes to all reasonable requests.

Ask Us to Limit What We Use or Share

You can ask us not to use or share certain health information for treatment, payment, or operations. We are not required to agree, and we may say no if it could affect your care. If you pay out-of-pocket in full, you can ask us not to share that information with your health insurer for payment or operations purposes.

Get a List of Those With Whom We've Shared Information

You can ask for an accounting of the times we've shared your health information for six years prior to the date you ask. We'll provide one accounting per year for free; additional requests within 12 months may incur a reasonable fee.

Choose Someone to Act for You

If someone has medical power of attorney or is your legal guardian, that person can exercise your rights and make choices about your health information. We will verify their authority before taking action.

File a Complaint

If you feel we have violated your rights, you can complain by contacting us using the information above. You may also file a complaint with the U.S. Department of Health and Human Services Office for Civil Rights at 200 Independence Avenue S.W., Washington, D.C. 20201, by calling 1-877-696-6775, or by visiting www.hhs.gov/hipaa/filing-a-complaint. We will not retaliate against you for filing a complaint.

Detailed Explanation of Your Choices

For certain health information, you can tell us your choices about what we share. Talk to us and we will follow your instructions in these situations:

•      Share information with family, close friends, or others involved in your care or payment for your care

•      Share information in a disaster relief situation

•      Include your information in a hospital directory

If you are unable to tell us your preference (e.g., if you are unconscious), we may share your information if we believe it is in your best interest, or when needed to lessen a serious and imminent threat.

We Never Share Without Your Written Permission:

•      Marketing purposes

•      Sale of your information

•      Most sharing of psychotherapy notes

How We Typically Use or Share Your Health Information

Treat You

We can use your health information and share it with other professionals who are treating you. Example: A physician treating you for one condition consults with another provider about your overall health.

Run Our Organization

We can use and share your health information to run our practice, improve your care, and contact you when necessary.

Bill for Your Services

We can use and share your health information to bill and receive payment from health plans or other entities.

Other Permitted Uses and Disclosures

We are allowed or required to share your information in other ways that contribute to the public good. We must meet legal conditions before sharing for these purposes:

•      Public health and safety issues (preventing disease, product recalls, reporting adverse reactions, reporting suspected abuse or neglect, preventing serious threats to health or safety)

•      Health research

•      Compliance with state or federal law, including HIPAA and California's CMIA

•      Organ and tissue donation requests

•      Work with a medical examiner or funeral director

•      Workers' compensation, law enforcement, and other authorized government functions

•      Response to lawsuits, court orders, or administrative orders

Special Note on Substance Use Disorder (SUD) Records: To the extent we have your substance use disorder patient records subject to 42 CFR Part 2, we will not share that information for investigations or legal proceedings against you without (1) your written consent or (2) a court order and a subpoena.

Our Responsibilities

•      We are required by law to maintain the privacy and security of your protected health information.

•      We will notify you promptly if a breach occurs that may have compromised the privacy or security of your information.

•      We must follow the duties and privacy practices described in this notice and give you a copy of it.

•      We will not use or share your information other than as described in this notice unless you tell us we can in writing. You may change your mind at any time.

For more information: www.hhs.gov/ocr/privacy/hipaa/understanding/consumers/noticepp.html

Changes to the Terms of This Notice

We can change the terms of this notice, and the changes will apply to all information we have about you. The new notice will be available upon request, in our office, and on our website. We will post the revised notice in a clear and prominent location.

Additional Information Specific to Our Practice — California Privacy Protections

ThriveWell Women's Health is located in California and complies with the California Confidentiality of Medical Information Act (CMIA), Civil Code §§ 56 et seq., in addition to HIPAA. Where California law provides greater privacy protections than federal law, we follow the California standard.

Sensitive Services — Enhanced Protections

Under California law, the following categories of health information are considered 'sensitive services' and receive heightened privacy protections. We will not share records related to these services without your specific written authorization, except as required by law:

•      Reproductive and sexual health care (including contraception, pregnancy, abortion, and fertility services)

•      Mental and behavioral health treatment

•      Substance use disorder treatment

•      Sexually transmitted infection (STI) diagnosis and treatment

•      Gender-affirming care

•      Intimate partner violence services

Confidential Communications for Sensitive Services

You have the right to request that communications regarding sensitive services be sent to an address, phone number, or email address of your choosing to protect your privacy. We will honor all reasonable requests.

Minor Consent Records

California law permits minors to consent to certain health care services independently, including reproductive health care, contraception, pregnancy-related care, and STI services. Records related to services a minor consented to independently are generally not available to parents or guardians without the minor's written authorization.

No Disclosure for Out-of-State Law Enforcement Purposes

We will not disclose your medical information — including information related to reproductive health, gender-affirming care, or other sensitive services — in response to out-of-state subpoenas, warrants, or law enforcement requests seeking to investigate or prosecute conduct that is lawful in California.

California Law Protections

In addition to your rights under federal HIPAA, California's Confidentiality of Medical Information Act (CMIA) provides additional protections for your medical information. You may have the right to bring a civil action for damages if your medical information is improperly used or disclosed in violation of state law.

Record Access Timelines Under California Law

Under California Health & Safety Code § 123110, you may inspect your medical records within 5 business days of a written request, and receive copies within 15 business days.

Electronic Health Records and Sensitive Data

Our electronic health record system is configured to limit access to sensitive service records in compliance with California AB 352, which requires restricted access controls for records related to mental health, reproductive health, substance use disorder, gender-affirming care, STIs, and intimate partner violence.

Patient Portal & Digital Communications

Patient Portal — Powered by Athenahealth

ThriveWell Women's Health offers secure online access to your health information through our patient portal, powered by Athenahealth. Through the portal you can:

•      View your medical records and visit summaries

•      View lab results

•      Request appointments

•      Message the care team securely

•      Request prescription refills

•      Pay your bills online

To enroll or for assistance, contact our office at (805) 864-5330 or [email protected]. Your portal activity is protected under HIPAA and the California CMIA. Sensitive service records may have restricted visibility within the portal consistent with California law.

Secure Communications — Spruce Health

We use Spruce Health, a HIPAA-compliant communication platform, to communicate with patients. Spruce may be used for:

•      Secure messaging between you and our care team

•      Appointment reminders and scheduling notifications

•      Telehealth and video visits

Spruce Health is a business associate of ThriveWell Women's Health and is contractually required to protect your health information under HIPAA. You may opt out of certain communication types — please contact our office to update your preferences. Standard messaging or data rates from your carrier may apply to text notifications.