HIPAA Notice of Privacy Practices
Effective Date: January 1, 2025
Your health information is protected. Nutriairé is committed to safeguarding your protected health information (PHI) in accordance with HIPAA regulations.
1. What Is HIPAA?
The Health Insurance Portability and Accountability Act (HIPAA) is a U.S. federal law that establishes national standards to protect sensitive patient health information from being disclosed without the patient's consent or knowledge. HIPAA is especially relevant for telehealth services, where health-related information is transmitted electronically.
HIPAA's Privacy Rule gives individuals rights over their health information and sets rules on who can access it. The Security Rule sets standards for protecting electronic protected health information (ePHI).
2. How Nutriairé Maintains HIPAA Compliance
Nutriairé takes a comprehensive approach to HIPAA compliance. Here is how we protect your PHI:
2.1 Secure Video Consultations
All nutrition consultations are conducted via HIPAA-compliant video conferencing platforms that provide end-to-end encryption. No third party can intercept or access your consultation sessions.
2.2 Data Encryption
- Encryption in transit: All data transmitted between your device and our servers is protected using TLS 1.3 encryption.
- Encryption at rest: Stored protected health information is encrypted using AES-256 encryption, the same standard used by financial institutions and government agencies.
2.3 Access Controls
- Access to PHI is granted on a strict need-to-know basis.
- Each staff member with access to PHI receives HIPAA training and is bound by confidentiality agreements.
- Access logs are maintained and regularly audited.
- Multi-factor authentication is required for all systems that store or process PHI.
2.4 Audit and Monitoring
We conduct regular internal audits and risk assessments to identify and address potential vulnerabilities. Security incidents are documented, investigated, and reported in accordance with HIPAA breach notification requirements.
3. Business Associate Agreements (BAAs)
Nutriairé enters into Business Associate Agreements with all third-party service providers who may have access to your protected health information. These agreements legally bind our partners to:
- Use PHI only for the specific purposes authorized by Nutriairé.
- Implement appropriate safeguards to protect PHI.
- Report any security incidents or breaches involving PHI.
- Ensure any subcontractors also agree to the same restrictions and safeguards.
- Return or destroy all PHI upon termination of the agreement, if feasible.
Examples of service providers covered by BAAs include our video conferencing platform, scheduling system, and cloud storage provider.
4. Your Rights Under HIPAA
As a Nutriairé client, you have the following rights regarding your protected health information:
4.1 Right to Access
You have the right to inspect and obtain a copy of your PHI maintained in our designated record set. Requests must be made in writing. We will respond within 30 days (with one 30-day extension available if we provide written notice).
4.2 Right to Amend
If you believe the PHI we hold about you is incorrect or incomplete, you have the right to request an amendment. We will respond to your request within 60 days. If we deny the amendment, we will provide a written explanation.
4.3 Right to an Accounting of Disclosures
You have the right to request a list of certain disclosures we have made of your PHI. This accounting covers disclosures made within the six years prior to your request, excluding disclosures made for treatment, payment, or healthcare operations, and those authorized by you.
4.4 Right to Request Restrictions
You have the right to request restrictions on how we use and disclose your PHI for treatment, payment, or healthcare operations. While we are not required to agree to every restriction request, we will carefully consider each one.
4.5 Right to Confidential Communication
You may request that we communicate with you about health matters in a particular way or at a specific location. We will accommodate reasonable requests.
4.6 Right to a Paper Copy of This Notice
You may request a paper copy of this notice at any time, even if you have agreed to receive it electronically.
5. How We May Use and Disclose Your PHI
Under HIPAA, Nutriairé may use and disclose your PHI for the following purposes without your written authorization:
- Treatment: To provide, coordinate, and manage your nutrition consultation services.
- Payment: To bill and collect payment for services provided.
- Healthcare operations: For quality assessment, practitioner evaluation, and business management.
Any other use or disclosure of your PHI requires your written authorization, which you may revoke at any time.
6. Breach Notification
In the event of a breach of unsecured PHI, Nutriairé will notify affected individuals without unreasonable delay and no later than 60 days after discovery. Notifications will describe the nature of the breach, the types of information involved, steps we are taking, and steps you should take to protect yourself.
7. Contact for HIPAA Questions
If you have questions about this HIPAA Notice or wish to exercise your rights, please contact our Privacy Officer:
- Email: hipaa@nutriaire.com
- Subject line: "HIPAA Inquiry — Nutriairé"
You also have the right to file a complaint with the U.S. Department of Health and Human Services if you believe your privacy rights have been violated. We will not retaliate against you for filing a complaint.
8. Changes to This Notice
We reserve the right to change the terms of this notice. Any revised notice will apply to all PHI we maintain at that time. Updated notices will be posted on this page with a revised effective date.