Notice of Privacy Practices

THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.

DRAFT FOR ATTORNEY REVIEW. This Notice contains content required by HIPAA (45 C.F.R. § 164.520) and must be reviewed by counsel and conformed to your actual practices before it goes live in production.

Our Commitment to Your Privacy

Biomarker Health Holdings LLC, doing business as Biomarker Health ("we," "us," or "our"), is required by law to maintain the privacy of your protected health information ("PHI"), to provide you with this Notice of our legal duties and privacy practices regarding PHI, and to notify you following a breach of unsecured PHI. We are required to follow the terms of the Notice currently in effect. PHI is information that identifies you and relates to your past, present, or future health, the care you receive, or payment for that care.

This Notice applies to all PHI created or maintained by Biomarker Health and by the licensed providers and workforce members who deliver care through our clinic and telehealth platform.

How We May Use and Disclose Your Health Information Without Your Authorization

We may use and disclose your PHI for the following purposes:

Treatment. We use and share your PHI to provide, coordinate, and manage your care. For example, a nurse practitioner may review your biomarker lab results to develop a hormone, peptide, or GLP-1 plan, and we may share information with a laboratory, pharmacy, or another provider involved in your care.

Payment. We use and share your PHI to bill and collect payment for the Services. For example, we may share information with a payment processor or document the services provided for billing purposes.

Health Care Operations. We use and share your PHI to run our practice and improve care. For example, we may use information for quality review, training, scheduling, business planning, and administration.

Business Associates. We may share PHI with third parties ("business associates") that perform services for us — such as cloud-hosting and infrastructure providers, laboratories, and software vendors — under written agreements requiring them to protect your PHI.

Appointment Reminders and Health Information. We may contact you to provide appointment reminders or information about treatment alternatives or health-related benefits and services that may interest you.

As Required or Permitted by Law. We may use or disclose PHI when required or permitted by law, including for:

• Public health activities (for example, reporting to public-health authorities to prevent disease);
• Reporting suspected abuse, neglect, or domestic violence as required by law;
• Health oversight activities (audits, investigations, inspections, and licensure);
• Judicial and administrative proceedings (for example, in response to a court order, subpoena, or lawful discovery request);
• Law enforcement purposes as permitted by law;
• Coroners, medical examiners, and funeral directors;
• Organ, eye, and tissue donation;
• Research, subject to required approvals and protections;
• Averting a serious and imminent threat to health or safety;
• Specialized government functions (such as military and veterans' activities and national security);
• Workers' compensation as authorized by law.

Uses and Disclosures That Require Your Written Authorization

Other uses and disclosures of your PHI will be made only with your written authorization, including:

• Marketing that requires authorization under the law;
• Sale of PHI;
• Psychotherapy notes, where applicable;
• Most other uses not described in this Notice.

You may revoke an authorization in writing at any time, except to the extent we have already acted in reliance on it.

Special Protections for Certain Information

Substance use disorder records. If we receive or create records protected by federal substance use disorder confidentiality rules (42 C.F.R. Part 2), those records receive additional protections. Such records generally may not be used or disclosed in legal proceedings against you without your written consent or a court order, and other special restrictions may apply. (Note for counsel: confirm whether Part 2 applies to Biomarker Health and tailor this section.)

State law. Some information may receive greater protection under Florida law or the law of the state where you receive care, and we will follow the more protective rule. (Note for counsel: confirm current state-law obligations, including any state protections relating to reproductive or other sensitive health information. Federal special protections for reproductive health information are not currently in effect following Purl v. HHS.)

Your Rights Regarding Your Health Information

You have the following rights regarding PHI we maintain about you:

• Right to access and obtain a copy. You may inspect and obtain a copy of your PHI, including in electronic form where we maintain it electronically. We may charge a reasonable, cost-based fee. We may deny access in limited circumstances, some of which are reviewable.
• Right to request an amendment. You may ask us to amend PHI you believe is inaccurate or incomplete. We may deny your request under certain conditions, and you may submit a statement of disagreement.
• Right to an accounting of disclosures. You may request a list of certain disclosures we made of your PHI, subject to legal limits.
• Right to request restrictions. You may request restrictions on certain uses and disclosures. We are not required to agree, except that we must agree to your request to restrict disclosure to a health plan for a service you paid for in full out of pocket, where the disclosure is for payment or operations and not otherwise required by law.
• Right to request confidential communications. You may ask us to communicate with you in a specific way or at a specific location (for example, by a particular phone number or address). We will accommodate reasonable requests.
• Right to a paper copy of this Notice. You may request a paper copy at any time, even if you agreed to receive it electronically.
• Right to be notified of a breach. You have the right to be notified following a breach of your unsecured PHI.
• Right to revoke an authorization in writing, as described above.

To exercise any of these rights, contact us using the information below. We may ask you to submit your request in writing.

Our Duties

We are required to:

• Maintain the privacy and security of your PHI;
• Provide you this Notice of our legal duties and privacy practices;
• Follow the terms of the Notice currently in effect;
• Notify you if we are unable to agree to a requested restriction;
• Notify affected individuals following a breach of unsecured PHI as required by law.

Changes to This Notice

We reserve the right to change this Notice and to make the revised Notice effective for PHI we already have as well as for information we receive in the future. We will post the current Notice on biomarker-health.web.app with its effective date, and a copy will be available at our clinic and upon request.

Complaints

If you believe your privacy rights have been violated, you may file a complaint with us by contacting our Privacy Officer, or with the U.S. Department of Health and Human Services, Office for Civil Rights:

U.S. Department of Health and Human Services Office for Civil Rights 200 Independence Avenue, S.W., Washington, D.C. 20201 1-877-696-6775 | www.hhs.gov/ocr/privacy/hipaa/complaints/

We will not retaliate against you for filing a complaint.

Contact / Privacy Officer

Privacy Officer: (to be designated) Biomarker Health Holdings LLC d/b/a Biomarker Health Orlando, Florida Email: legal@biomarkerhealth.com

Acknowledgment of Receipt of Notice of Privacy Practices

I acknowledge that I have received, or have been given the opportunity to receive, a copy of Biomarker Health's Notice of Privacy Practices.

Patient name: ______________________________

Signature: ______________________________ Date: ____________

(For telehealth, this acknowledgment may be captured electronically. We are required to make a good-faith effort to obtain acknowledgment; if we cannot, we will document the good-faith effort and the reason it was not obtained.)