Notice of Privacy Practices (HIPAA)

Effective Date: October 13, 2025
Applies To: Pothos Health, its workforce, and business associates

This Notice describes how your Protected Health Information (PHI) may be used and disclosed and how you can get access to this information. Please review it carefully.

Our Duties

• We are required by law to maintain the privacy and security of your PHI.
• We will let you know promptly if a breach occurs that may have compromised the privacy or security of your information.
• We must follow the duties and privacy practices described in this Notice and provide you a copy upon request.

How We May Use and Disclose Your PHI

We may use or share your PHI without your written authorization for:

Treatment

To provide, coordinate, or manage your care and related services (e.g., consultation between providers).

Payment

To obtain payment or reimbursement for services (e.g., eligibility, billing, claims management).

Health Care Operations

For quality assessment, training, licensing, accreditation, audits, and administrative activities.

Other Uses and Disclosures Permitted or Required by Law

• Public health and safety (e.g., reporting abuse/neglect, preventing serious threats)
• Health oversight activities
• Legal proceedings and law enforcement, as required
• Research under HIPAA-compliant protocols
• Workers' compensation and other government programs
• As otherwise required by federal, state, or local law

Uses and Disclosures Requiring Your Authorization

We will obtain your written authorization to use/share PHI for purposes not described in this Notice, including most psychotherapy notes, marketing, and sale of PHI. You can revoke your authorization at any time in writing.

Your Rights

You have the right to:

• Access PHI: Get an electronic or paper copy of your record. We will provide it within the timeframes required by law and may charge a reasonable fee.
• Correct (Amend) PHI: Request changes to your record if you think it's incorrect or incomplete.
• Request Restrictions: Ask us to limit how we use/share your PHI for treatment, payment, or operations. We'll consider your request, and we'll agree when required by law.
• Confidential Communications: Request we contact you in a specific way (e.g., at a different address or phone).
• Accounting of Disclosures: Get a list of certain disclosures of your PHI for the past six years.
• Get a Copy of this Notice: You can request a paper copy at any time by contacting us at the address above, or view it online at pothoshealth.com/legal/hipaa-notice.
• File a Complaint: If you believe your privacy rights have been violated, you can complain to us or to HHS/OCR. We will not retaliate.

Our Use of Technology & Business Associates

We use secure, HIPAA-compliant SaaS vendors and have Business Associate Agreements (BAAs) in place when those vendors create, receive, maintain, or transmit PHI on our behalf (e.g., EHR, telehealth, secure messaging, assessments).

Contact for Privacy Questions & Requests

Privacy Officer — Pothos Health
Email: contact@pothoshealth.com
Mail: 3839 McKinney Avenue, Suite 155, Dallas, Texas 75204
Phone: (469) 712-6710

Complaints to HHS

U.S. Department of Health & Human Services, Office for Civil Rights
https://www.hhs.gov/ocr/privacy/hipaa/complaints/

Changes to this Notice

We may change this Notice and the changes will apply to all PHI we maintain. The most current version will be posted at /legal/hipaa-notice with the "last updated" date.