01 About this Notice
This Notice of Privacy Practices (the "Notice") describes how protected health information ("PHI") about you may be used and disclosed by SwitzerHealth and its medical team in connection with the clinical services delivered with SwitzerHealth's support, and how you can get access to this information. PHI is information that identifies you, or could reasonably be used to identify you, and that relates to your past, present, or future physical or mental health, the healthcare you receive, or the payment for that healthcare.
We are required by the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations, as amended by the Health Information Technology for Economic and Clinical Health Act and subsequent rulemaking (collectively, "HIPAA"), to maintain the privacy of your PHI, provide you with this Notice of our legal duties and privacy practices with respect to your PHI, notify you following a breach of unsecured PHI, and abide by the terms of the Notice currently in effect.
Please read this Notice carefully. If you have questions after reading it, contact our Privacy Officer using the information at the end of this Notice.
02 Who this Notice covers
This Notice describes how protected health information (PHI) is handled in connection with clinical services delivered with the support of SwitzerHealth.
SwitzerHealth and its medical team
SwitzerHealth, LLC and the physicians and licensed clinicians who provide medical services in connection with SwitzerHealth operations are the entities to which this Notice applies. Where SwitzerHealth, LLC acts as a business associate of a covered medical practice, it does so under a written business associate agreement that requires it to safeguard PHI consistent with HIPAA.
Facility and clinic clients (Covered Entities)
Skilled nursing facilities, assisted living communities, medical clinics, and other healthcare organizations that engage SwitzerHealth services are separately covered entities under HIPAA. Their own notices of privacy practices govern how they handle your PHI. This Notice does not replace or override the notice provided by your facility or clinic.
Deceased individuals
HIPAA protections apply to PHI of a deceased person for fifty (50) years after the date of death, as required by 45 CFR 164.502(f). During that period, we treat the PHI of a deceased patient with the same standards of confidentiality, use, and disclosure that apply to PHI of living patients, subject to the limited disclosures that HIPAA permits for coroners, medical examiners, funeral directors, organ procurement organizations, law enforcement in specified circumstances, and personal representatives of the decedent's estate. After fifty (50) years have passed from the date of death, information about the deceased is no longer considered PHI under HIPAA, although other confidentiality obligations may still apply.
Your doctors and nurses follow the rules in this Notice. The nursing home, assisted living community, or clinic where you receive care also has its own HIPAA notice. If any of those rules conflict, the most protective rule applies. If a patient passes away, we continue to protect their health information for fifty years afterward.
03 How we may use and disclose your PHI
The following categories describe the ways we may use and disclose your PHI without your written authorization. For each category, we provide examples. Not every use or disclosure in a category is listed, but all permitted uses and disclosures fall within one of the categories below or are otherwise permitted or required by law.
For Treatment
We may use and disclose your PHI to provide, coordinate, or manage your healthcare and related services. For example, our clinicians may review your vital signs transmitted by a remote monitoring device, document a telehealth encounter, communicate with your primary care physician or specialists, coordinate care with your facility's nursing staff, or share information with a pharmacist or laboratory to fulfill an order. We may also use PHI to refer you to another provider or to arrange transport or diagnostic services.
For Payment
We may use and disclose your PHI to support payment for the healthcare services you receive, including communications with third-party payers and the verification of eligibility, benefits, medical necessity, and prior authorizations. If you ask us not to share information with a health plan for an item or service that you paid for in full out of pocket, we will honor that request to the extent required by 45 CFR 164.522.
For Healthcare Operations
We may use and disclose your PHI for activities that are necessary to run the Practice and to support our facility clients, such as quality assessment and improvement, case management and care coordination, credentialing and peer review, training of clinical and non clinical staff, accreditation and licensing activities, compliance monitoring, patient safety activities, internal audits, planning and administration, and general business management. For example, we may review monitoring data to evaluate the effectiveness of our clinical workflows or to train staff on new equipment.
To Business Associates
We may disclose PHI to vendors and service providers that perform functions on our behalf, including device manufacturers and distributors, cloud hosting and analytics providers, electronic health record vendors, third party administrative service providers, telecommunications providers, secure messaging platforms, and document shredding services. Every business associate must sign a written agreement that requires them to safeguard PHI consistent with HIPAA.
To Family, Friends, and Others Involved in Your Care
Unless you object, we may share PHI with a family member, personal representative, or other person you identify as involved in your care or in payment for your care. We may also share limited PHI with a person responsible for your care to notify them of your location, general condition, or death. If you are incapacitated, in an emergency, or otherwise unable to agree or object, we will use professional judgment to determine whether disclosure is in your best interest.
Appointment, Monitoring, and Care Reminders
We may use or disclose your PHI to remind you of an appointment or scheduled telehealth visit, to confirm device wear time, to prompt you to respond to a clinical question, or to inform you about a health condition, treatment alternative, or service available from the Practice or a facility client.
We can use and share your health information, without asking you each time, for three main reasons: to care for you, to get paid for that care, and to run our daily operations safely. We can also share information with vendors who help us, with family or friends you have involved in your care, and to send you reminders.
04 Uses and disclosures that require your authorization
Most uses and disclosures of PHI that are not described above require your written authorization. Unless you give us written authorization, we will not use or disclose your PHI for the following purposes:
- Marketing. Most communications that encourage you to purchase or use a product or service require your authorization. Face to face communications about treatment options, care management services covered by your plan, and products or services of nominal value are generally exempt.
- Sale of PHI. We will not sell your PHI, or accept payment in exchange for disclosing your PHI, without your written authorization. Limited exceptions apply for activities such as public health, research with individual or waiver authorization, treatment and payment, sale of a business that includes the transfer of records, and disclosures to business associates for services they provide to us.
- Psychotherapy notes. Where applicable, psychotherapy notes that a mental health professional records and maintains separately from the medical record will not be used or disclosed without your written authorization, except for certain narrow purposes permitted by HIPAA.
- Other uses not described in this Notice. Any use or disclosure of your PHI not otherwise permitted or required by law will be made only with your written authorization.
You may revoke a written authorization at any time by notifying our Privacy Officer in writing. Revocation is effective going forward and does not apply to uses or disclosures already made in reliance on your authorization.
For anything outside of care, payment, and operations, we need your written permission before we use or share your health information. Marketing, selling information, and sharing psychotherapy notes always require your written permission. You can change your mind and take back your permission in writing at any time.
05 Other uses and disclosures permitted or required by law
We may use or disclose your PHI without your authorization in the following circumstances, subject to conditions and limits set by HIPAA and other law:
- Required by law. When required by federal, state, or local law, including mandatory reporting obligations.
- Public health activities. To public health authorities for disease control, to the U.S. Food and Drug Administration about adverse events and product recalls involving a regulated medical device, or to persons who may have been exposed to a communicable disease.
- Victims of abuse, neglect, or domestic violence. To appropriate authorities in accordance with law.
- Health oversight. To health oversight agencies for activities authorized by law, such as audits, investigations, inspections, licensure, and other government oversight.
- Judicial and administrative proceedings. In response to a court or administrative order, or in response to a subpoena, discovery request, or other lawful process, subject to the assurances required by 45 CFR 164.512(e).
- Law enforcement. To law enforcement officials for purposes permitted by HIPAA, including responding to lawful process, identifying or locating a suspect or witness, reporting crimes on our premises, and reporting certain deaths.
- Coroners, medical examiners, and funeral directors. For identification of a deceased person, determination of cause of death, or to allow a funeral director to carry out duties.
- Organ, eye, and tissue donation. To organ procurement organizations and related entities.
- Research. For research purposes approved by an Institutional Review Board or Privacy Board, under a waiver or alteration of authorization, or with your authorization.
- Serious threats to health or safety. To prevent or lessen a serious and imminent threat to the health or safety of a person or the public.
- Specialized government functions. For military and veterans activities, national security and intelligence activities, protective services for the President and others, and correctional or custodial situations.
- Workers' compensation. As authorized by and to the extent necessary to comply with state workers' compensation laws.
Reproductive healthcare information (2024 HIPAA Final Rule)
Under the 2024 HIPAA Privacy Rule to Support Reproductive Health Care Privacy Final Rule (codified at 45 CFR 164.502(a)(5)(iii) and 45 CFR 164.509), we are prohibited from using or disclosing PHI for any of the following purposes:
- Conducting a criminal, civil, or administrative investigation into any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care that was lawful under the circumstances in which it was provided.
- Imposing criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating such reproductive health care.
- Identifying any person for the purpose of initiating either type of activity above.
This prohibition applies when the reproductive health care was lawful in the state in which it was provided at the time it was provided, or when the reproductive health care is protected, required, or authorized by federal law, regardless of the state in which the patient is located. It also applies where there is a presumption that reproductive health care was lawful absent actual knowledge or a factual basis to the contrary.
Before we disclose PHI that is potentially related to reproductive healthcare in response to a request for health oversight activities, judicial and administrative proceedings, law enforcement purposes, or disclosures to coroners and medical examiners, we will obtain a signed, written attestation from the requester confirming that the requested use or disclosure is not for a prohibited purpose. Requests that do not include a valid attestation will be denied.
We will not hand over your health information to help anyone investigate or punish you, a family member, or a clinician for lawful reproductive health care. If a court, regulator, or law enforcement office asks for records that might touch on reproductive health care, we first require a signed statement confirming the request is not for one of those prohibited purposes. This protection follows you even if you travel across state lines to receive care that was lawful where it was provided.
06 Your rights regarding your PHI
You have the following rights regarding your PHI. To exercise any of these rights, follow the instructions in the next section.
Right to access, inspect, and obtain a copy
You may request to inspect and obtain a copy of your PHI in our designated record set, including in electronic format if the record is maintained electronically. We may charge a reasonable, cost based fee for copies as permitted by HIPAA. Consistent with the 21st Century Cures Act information blocking rule at 45 CFR Part 171, SwitzerHealth and the Practice will not engage in practices likely to interfere with, prevent, or materially discourage the access, exchange, or use of your electronic health information, except where an exception permitted by that rule applies.
Right to request an amendment
If you believe PHI about you is incorrect or incomplete, you may ask us to amend the record. We may deny your request in limited circumstances and will provide a written explanation and instructions for filing a statement of disagreement.
Right to an accounting of disclosures
You may request a list of certain disclosures we have made of your PHI for purposes other than treatment, payment, healthcare operations, disclosures made with your authorization, and certain other categories permitted by law. You may request an accounting covering up to six years before the date of your request.
Right to request restrictions
You may request that we restrict how we use or disclose your PHI for treatment, payment, or healthcare operations, or that we restrict disclosures to a family member or friend involved in your care. We are not required to agree to most requests, except that we must agree to a request to restrict disclosure to a health plan for an item or service that you paid for in full out of pocket.
Right to confidential communications
You may request that we communicate with you about PHI in a specific way or at a specific location, such as a particular phone number, email address, or mailing address. We will accommodate reasonable requests.
Right to a paper copy
You may request a paper copy of this Notice at any time, even if you have agreed to receive it electronically. You may also download and print a copy of this Notice from switzerhealth.com.
Right to be notified of a breach
You have the right to be notified if a breach of your unsecured PHI occurs, as described in Section 08 below.
Right to opt out of fundraising
If we ever use PHI to send you fundraising communications, you have the right to opt out of receiving such communications. We do not currently conduct fundraising activities.
You can see and get a copy of your records, ask us to fix something that is wrong, request a list of certain disclosures, ask us to limit how we use or share your information, ask us to contact you a certain way, and get a paper copy of this Notice whenever you want. We will tell you if there is a breach of your information. To use any of these rights, contact our Privacy Officer.
07 How to exercise your rights
To exercise any right described above, submit a written request to our Privacy Officer using the contact information at the end of this Notice. We may provide you with a specific request form to help you describe what you are seeking.
We will respond within the timeframes required by HIPAA. For most access requests, we will respond within thirty (30) days of receiving the request, with one permitted thirty (30) day extension if we provide you a written explanation. For amendment requests, we will respond within sixty (60) days of receiving the request, with one permitted thirty (30) day extension.
If we deny all or part of a request, we will provide you with a written explanation of the reason for the denial, any rights you have to request review, and the process for filing a complaint with us or with the U.S. Department of Health and Human Services.
You may have your personal representative, such as someone with a valid power of attorney, a parent or guardian of a minor, an executor or administrator of an estate, or a person authorized under state law, exercise these rights on your behalf. We may request documentation confirming the authority of a personal representative.
08 Breach notification
In the event of a breach of your unsecured PHI, we will notify you without unreasonable delay and in no case later than sixty (60) days after the breach is discovered, consistent with the HITECH Act and 45 CFR Part 164, Subpart D. Notification will include, to the extent available, a description of what happened, the date the breach occurred and the date it was discovered, the types of information involved, the steps you should take to protect yourself, what we are doing to investigate the breach and mitigate harm, and how you can contact us for more information.
If the breach involves more than five hundred (500) residents of a single state or jurisdiction, we will also notify prominent media outlets serving that area and the Secretary of the U.S. Department of Health and Human Services as required by law. Smaller breaches will be reported to the Secretary on the annual schedule specified in the regulations.
In addition to HIPAA breach notification, we will notify the attorney general, department of health, department of consumer protection, or other state regulators of each state in which affected individuals reside, and any consumer reporting agencies, to the extent and within the timeframes required by applicable state breach notification statutes. This includes, without limitation, the Utah Protection of Personal Information Act, the California Consumer Privacy Act, the Washington My Health My Data Act, the Texas Business and Commerce Code breach statute, and comparable laws in other states where we or our clients operate. Where a state law imposes more stringent notification timing, content, or recipient requirements than HIPAA, we will follow the more stringent rule.
09 Our duties under HIPAA
We are required by law to:
- Maintain the privacy and security of your PHI in accordance with the HIPAA Privacy Rule and Security Rule.
- Provide you with this Notice describing our legal duties and privacy practices with respect to your PHI.
- Abide by the terms of the Notice currently in effect.
- Notify you if we are unable to agree to a requested restriction on how we use or disclose your PHI.
- Accommodate reasonable requests you may have to communicate PHI in a particular way or at a particular location.
- Notify affected individuals and regulators of a breach of unsecured PHI as required by law.
10 Business associate arrangements
Where SwitzerHealth acts as a business associate of a covered entity for which it handles PHI, it does so under a written business associate agreement (BAA) that meets the requirements of HIPAA. Each BAA addresses permitted uses and disclosures of PHI, administrative, physical, and technical safeguards, subcontractor flow down requirements, breach reporting timelines, and the return or destruction of PHI on termination.
SwitzerHealth flows down all applicable HIPAA safeguards to any subcontractor that creates, receives, maintains, or transmits PHI on our behalf. Each subcontractor must sign a subcontractor business associate agreement before it handles PHI.
11 Monitoring technology and connected devices
Clinical services provided by the Practice may involve connected medical devices and remote monitoring technology, including contactless vital sign sensors, cellular hubs, and similar equipment installed in patient rooms or common areas. The following practices apply to data generated by these systems.
What data is collected
Clinical devices may collect biometric signals such as heart rate, respiratory rate, activity, and presence in the room. Operational telemetry such as device status, connectivity, and diagnostic codes may also be collected. Audio recording, video imaging, and facial recognition are not used as part of standard SwitzerHealth monitoring.
How the data is used
Clinical data is used by the Practice's clinicians for treatment and care coordination, by SwitzerHealth for monitoring workflow, alerting, and administrative support under the BAA, and by facility staff for nursing coordination within the scope of their separate HIPAA obligations.
Data minimization and security
We apply administrative, physical, and technical safeguards appropriate to the sensitivity of the data, including encryption in transit and at rest, role based access controls, audit logging, network segmentation, vulnerability management, and workforce training. We retain clinical data only as long as needed for the purposes described in this Notice and consistent with applicable retention requirements.
12 State law and more protective rules
Some state laws, including the Utah Medical Records Act and provisions of the Utah Health Code, may provide privacy protections that are stricter than HIPAA or that address categories of information such as mental health records, substance use disorder records, HIV status, genetic information, or minors' records. Federal laws, including 42 CFR Part 2 for substance use disorder records and the Genetic Information Nondiscrimination Act, may also impose additional requirements.
Where a state or federal law is more protective than HIPAA, we will follow the more protective rule. If the laws of your state of residence apply and provide additional rights or protections, those rights and protections are also available to you.
13 Complaints
If you believe your privacy rights have been violated, you may file a complaint with us or with the United States Department of Health and Human Services, Office for Civil Rights. You will not be retaliated against, penalized, or denied care for filing a complaint.
File a complaint with SwitzerHealth
Attention: Privacy Officer
P.O. Box, Bountiful, Utah 84010
Email: privacy@switzerhealth.com
Phone: 385 340 3130
File a complaint with the U.S. Department of Health and Human Services
Room 509F, HHH Building
Washington, D.C. 20201
Toll Free: 1 800 368 1019 (TDD: 1 800 537 7697)
Online: www.hhs.gov/ocr/complaints/
File a complaint with the Utah Attorney General's Office
350 North State Street, Suite 230
Salt Lake City, Utah 84114
Phone: 801 366 0260
Online: attorneygeneral.utah.gov
14 Changes to this Notice
We reserve the right to change this Notice. We reserve the right to make the revised or changed Notice effective for PHI we already have about you as well as any PHI we receive in the future. We will post a copy of the current Notice on switzerhealth.com. Each Notice will contain an effective date on the first page. You may request a paper copy of the most current Notice at any time by contacting our Privacy Officer.
15 Contact our Privacy Officer
If you have any questions about this Notice, your rights, or our privacy practices, or if you would like to file a complaint or submit a request to exercise a right, please contact us.
Attention: Privacy Officer
Bountiful, Utah
Email: privacy@switzerhealth.com
Phone: 385 340 3130
General inquiries: info@switzerhealth.com
This HIPAA Notice of Privacy Practices should be read alongside our Privacy Policy, which governs information collected through our website, and our Terms of Use, which governs your use of the website and related services. If you receive care at a facility or clinic, that organization's separate HIPAA notice also applies to your PHI.