Notice of Privacy Practices

THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.

Last Updated: July 14, 2025


OVERVIEW
This Notice of Privacy Practices (the “Notice”) will tell you about the ways Hera‑Affiliated Professional Entities (listed at the end of this Notice) and the licensed healthcare professionals providing professional services through such entities (“Hera Providers”) (collectively the “Practice”), together with Hera Health, Inc. and its affiliates (including Hera Health, Inc., acting as a HIPAA Business Associate to the Practice) (collectively, “Hera,” “we,” “us,” and “our”), may use and disclose health information about you. Hera is a care navigation and management platform that offers services (including professional services provided by Hera Providers) across multiple legal entities which are referred to by the HIPAA Privacy Rule as an "organized health care arrangement." Hera Providers listed on this website provide healthcare services and care navigation services via telehealth and at the service delivery sites of the Hera Providers. Hera's legal entities share protected health information with each other, only as necessary, to carry out Hera's treatment, payment and health care operations, and for other purposes that are permitted or required by law, as permitted by the Health Insurance Portability and Accountability Act (“HIPAA”). All of the legal entities that comprise Hera agree to comply with the terms of this Notice. This Notice applies only to health information that is “protected health information” as defined by HIPAA. It does not apply to information that is not covered by HIPAA. Please see Hera’s Privacy Policy for terms that apply to non‑HIPAA covered products and services.

We are required by law to: make sure that health information that identifies you is kept private; give you this notice of our legal duties and privacy practices with respect to your health information; notify you following a breach of your unsecured protected health information; and follow the terms of the notice that are currently in effect. Although this notice is being provided to you electronically (and, by signing an acknowledgment of receipt of this notice, you consent to the provision of this notice electronically), you have the right to request a paper copy of this notice. We reserve the right to change our privacy practices and the terms of this Notice at any time and reserve the right to make any updated or new notice provisions effective for all protected health information that we maintain. In addition, updates described in this Notice are effective for all health information maintained by Hera, including any health information collected prior to the effective date hereof. You may obtain a copy of the revised notice on this website. This notice is effective as of July 14, 2025.

HOW YOUR INFORMATION IS USED
We may use and disclose your health information for the purposes of providing services and quality care. For the avoidance of doubt, providing treatment services, collecting payment and conducting healthcare operations are all necessary activities for quality care. State and federal laws allow us to use and disclose your health information for these purposes.

Here are some helpful examples, but this list is not exhaustive:


1. Treatment. Provider may use or share your PHI to provide health services for you and manage and coordinate your care. For example, PHI may be provided to another health care provider to whom you have been referred to ensure that the provider has the necessary information to diagnose or treat you. If you participate in a virtual visit (telehealth), your information will be shared electronically via a secure transmission to facilitate the virtual visit.


2. Payment. Provider may use and disclose your PHI in order to bill for services provided and collect payment from health plans or other entities.


3. Health Care Operations. Provider may use and disclose your PHI to run our businesses, improve your care, and contact you when necessary. For example, we may use or disclose your PHI, as necessary, to contact you to remind you of your appointment, and inform you about treatment alternatives or other health related benefits and services that may be of interest to you.

4. Disclosures to Family or Friends. Provider may disclose your PHI to individuals involved in your care or treatment or responsible for payment of your care or treatment.


5. Disclosures Required by Law. Provider will use and disclose your PHI to a public health authority that is authorized by law to receive reports of child abuse or neglect. In addition, Provider may disclose your PHI to report a victim of abuse, neglect or domestic violence to the governmental entity or agency authorized to receive such information. In this case, the disclosure will be made consistent with the requirements of applicable federal and state laws.

 

For uses and disclosures for purposes other than treatment, payment and operations, we are required to have your written authorization, unless the use or disclosure falls within an exception, such as those described below. Most uses and disclosures of clinical notes (as that term is defined in the HIPAA Privacy Rule), uses and disclosures for marketing purposes, and disclosures that constitute the sale of Personal Information require your authorization. Authorizations can be revoked at any time to stop future uses/disclosures except to the extent that we may have already taken any action in reliance on your authorization.

DISCLOSURES THAT CAN BE MADE WITHOUT AN AUTHORIZATION
Emergencies. Sufficient information may be shared to address an immediate emergency you are facing.
Judicial and Administrative Proceedings. We may disclose your personal health information in the course of a judicial or administrative proceeding in response to a valid court order or other lawful process, including if you were to make a claim for Workers’ Compensation.
Public Health Activities. If we felt you were an immediate danger to yourself or others, we may disclose health information about you to the authorities, as well as alert any other person who may be in danger.
Child/Elder Abuse. We may disclose health information about you related to the suspicion of child and/or elder abuse or neglect.
Criminal Activity or Danger to Others. We may disclose health information if a crime is committed on our premises or against our personnel, or if we believe there is someone who is in immediate danger.
Health Oversight Activities. We may disclose health information to a health oversight agency for activities authorized by law. These activities might include audits or inspections and are necessary for the government to monitor the health care system and assure compliance with civil rights laws. Regulatory and accrediting organizations may review your case record to ensure compliance with their requirements. The minimum necessary information will be provided in these instances.
Business Associates. The Practice may disclose the minimum necessary health information to our business associates that perform functions on our behalf or provide us with services if the information is necessary for such functions or services. For example, the Practice contracts with a vendor for filing claims with insurance companies. In the process of filing claims, that organization will come into contact with your information. We also contract with a vendor that collects and manages internet or other electronic network activity on our sites and services and internally encodes it so that we can determine and manage information that might be health information. In addition, we have a vendor that collects and analyzes information about how our users interact with our website to support our health care operations. All of our business associates sign agreements to protect the privacy of your information and are not allowed to use or disclose any information other than as specified in our contract, and are obligated to promptly notify us in the event there is a breach of protected health information (as defined by HIPAA).
Trusted Exchange Framework and Common Agreement (“TEFCA”). The Practice or its business associates may disclose health information through a TEFCA for HIPAA-authorized treatment purposes, subject to contractual agreements to protect the privacy and security of health information as required by HIPAA, in order to manage or coordinate your health care, arrange for additional services, and/or for our health care operations.
Scheduling appointments. We may email or call you to schedule or remind you of appointments.

YOUR INDIVIDUAL RIGHTS
Right to Inspect and Copy. You have the right to look at or get copies of your health information, with limited exceptions. Your request must be in writing. If you request a copy of the information, a reasonable charge may be made for the costs incurred.
Right to Amend. You have the right to request that we amend your health information. Your request must be in writing, and it must explain why the information should be amended. We have the right to deny your request under certain circumstances.
Right to an Accounting of Disclosures. You have the right to receive a list of instances in which we have disclosed your health information for a purpose other than treatment, payment, or health care operations. To request an accounting of disclosures, you must submit your request in writing to the Privacy Officer. Such accountings remain available for six years after the last date of service at the Practice.
Right to Request Restrictions. You have the right to request a restriction or limitation on the health information we use or disclose about you. For example, you could ask that we not share information with an insurance company, in which case you would be responsible to pay in full for the services provided. While you are in treatment, a written request should be made with your therapist. We are not required to agree to your request, but we will consider the request very seriously. If we agree, we will abide by our agreement unless the information is needed in an emergency or by law.
Right to Request Confidential Communications. You have the right to request that we communicate with you about health matters in a certain way or at a certain location. For example, you may ask that we contact you only by mail or at work. You must make this request in writing and it must specify the alternative means or location that you would like us to use to provide you information about your health care. We will make every attempt to accommodate reasonable requests.
Right to File Complaints. You may complain to us and to the Secretary of Health and Human Services if you believe your privacy rights have been violated. You may file a complaint with us by contacting connect@hellohera.com. You will not be retaliated against for filing a complaint. You may also contact Hera for further information about this notice.

EMAIL AND TEXT MESSAGES
Some of our patients prefer to communicate with their provider via email or text message. Email and text messages have inherent privacy and security risks, and you should be aware of those before using emails and text messages. Errors in transmission or interception of messages can occur. Your email or text message is not a secure communication between you and your treating provider. At your health care provider’s discretion, your email or text message and any and all responses may become part of your medical record. Additionally, for urgent or emergency situations, you should not rely on email communication with providers affiliated with the Practice. In those situations, you should call 911.

ABOUT HERA AND ITS HERA‑AFFILIATED PROFESSIONAL ENTITIES
Hera Health, Inc. d/b/a Hera (and its subsidiaries and affiliated companies) does not provide professional healthcare services. Subject to applicable HIPAA Privacy Rule protections (including a Business Associate Agreement), it provides only administrative, billing, payment, technical, quality and compliance oversight, and other non‑clinical support services necessary for clients to receive professional healthcare services from a Hera Provider. These non‑clinical support services allow Hera Providers to concentrate on offering professional healthcare services to clients through one or more clinical practice entities often referred to as “Professional Corporations” or “P.C.s” (listed below) owned (where required by law) and overseen by a licensed medical director (e.g., Medical Doctor) under common Hera branding.

HERA‑AFFILIATED PROFESSIONAL ENTITIES
• East Coast Health Medical Services PC
• Care Navigation Medical Services West PC