HIPAA Notice of Privacy Practices

THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION.

Please review it carefully. This notice takes effect on March 1, 2026, and remains in effect until we replace it.

Prometheuz (“we,” “our,” or “us”) is required by law to maintain the privacy of your Protected Health Information (“PHI”) and to provide you with notice of our legal duties and privacy practices with respect to that information. PHI is individually identifiable health information — including demographic data — that relates to your past, present, or future physical or mental health condition, the provision of healthcare to you, or payment for that care. We are required to follow the terms of this Notice.

How We May Use and Disclose Your PHI

The following categories describe the main ways we use and disclose your PHI. Not every permitted use or disclosure in a given category will be listed; we provide examples for illustrative purposes.

Treatment

We use and disclose your PHI to provide and coordinate healthcare services. For example, your provider may share relevant portions of your health history with a consulting specialist, a pharmacy fulfilling your prescription, or a laboratory processing your bloodwork. Electronic prescriptions, lab orders, and clinical notes shared with your care team are examples of treatment-related disclosures.

Payment

We use and disclose your PHI for billing and payment activities. For example, we may share information with our payment processor or, upon your request, with your insurer in connection with a claim for reimbursement.

Healthcare Operations

We use and disclose your PHI to support our business operations. This includes quality assessment and improvement activities, training and supervision of clinical staff, licensing and accreditation activities, and fraud and abuse detection. For example, we may review your records to evaluate the quality of care provided by a provider on our platform.

Other Permitted Uses and Disclosures

We may also use or disclose your PHI without your written authorization in the following circumstances, to the extent permitted or required by law:

Required by law: When mandated by federal, state, or local law (e.g., mandatory disease reporting).
Public health activities: To authorized public health authorities for purposes such as disease surveillance, reporting vital statistics, or reporting adverse drug reactions to the FDA.
Health oversight activities: To government agencies conducting audits, investigations, or inspections authorized by law.
Judicial and administrative proceedings: In response to a valid court order, subpoena, or other lawful process.
Law enforcement: For limited law enforcement purposes as permitted by law, including to identify or locate a suspect, missing person, or witness.
To avert serious threats: When necessary to prevent a serious and imminent threat to the health or safety of a person or the public.
Decedents: To coroners, medical examiners, and funeral directors to carry out their duties.
Research: Under specific conditions with appropriate oversight (e.g., IRB approval) or using de-identified data.
Workers’ compensation: As required by applicable workers’ compensation laws.

Uses and Disclosures Requiring Your Authorization

All other uses and disclosures of your PHI — including use for marketing purposes, sale of PHI, and most uses of psychotherapy notes — require your written authorization. You may revoke any authorization you have given us at any time in writing, except to the extent that we have already taken action in reliance on it.

Your Rights as a Patient

You have the following rights with respect to the PHI we maintain about you:

Right to Access Your Records

You have the right to inspect and obtain a copy of your PHI maintained in a designated record set, including your medical and billing records. We will provide a copy or summary in the form and format you request, if readily producible, within 30 days. We may charge a reasonable, cost-based fee. We may deny access in certain limited circumstances; if we do, we will explain the reason in writing.

Right to Request Amendment

If you believe your PHI is inaccurate or incomplete, you may request an amendment. We may deny your request if we determine the records are accurate and complete, were not created by us, are not part of the designated record set, or you would not otherwise have been permitted to access the information. We will provide a written explanation for any denial.

Right to an Accounting of Disclosures

You have the right to request a list of certain disclosures of your PHI made by us during the six years prior to your request. This list does not include disclosures made for treatment, payment, or healthcare operations, or disclosures you authorized, among other exceptions. We will provide the first accounting in any 12-month period at no charge. For additional requests within the same period, we may charge a reasonable fee.

Right to Request Restrictions

You may request restrictions on how we use or disclose your PHI for treatment, payment, or healthcare operations, or to certain family members or others involved in your care. We are not required to agree to most restrictions. However, if you pay for a service entirely out-of-pocket and request that we not disclose the related PHI to your health plan, we are required to honor that restriction.

Right to Request Confidential Communications

You may request that we communicate with you about health matters in a certain way or at a specific location (e.g., only by email or only at a particular phone number). We will accommodate reasonable requests. Please submit such requests in writing to our Privacy Team.

Right to a Paper Copy of This Notice

You have the right to receive a paper copy of this Notice upon request, even if you have agreed to receive it electronically.

Right to File a Complaint

If you believe your privacy rights have been violated, you may file a complaint with us or with the U.S. Department of Health and Human Services Office for Civil Rights. Filing a complaint will not result in any retaliation against you.

File a complaint with us: [email protected]
File a complaint with HHS: hhs.gov/ocr/privacy/hipaa/complaints

Our Duties

We are required by law to:

Maintain the privacy of your PHI.
Provide you with this Notice of our legal duties and privacy practices.
Notify you following a breach of your unsecured PHI, as required by the HIPAA Breach Notification Rule.
Abide by the terms of this Notice as currently in effect.

We reserve the right to change our privacy practices and the terms of this Notice at any time, provided such changes are permitted by applicable law. We reserve the right to make the revised Notice effective for PHI we already hold, as well as any information we receive in the future. The current effective date will always appear at the top of this Notice. A copy of the current Notice is available on our website and will be provided to you upon request.

How to Exercise Your Rights

To exercise any of the rights described in this Notice, please contact our Privacy Team:

Email: [email protected]
Mail: Prometheuz, Attn: Privacy Officer, [Address]

We may require that you submit your request in writing and verify your identity before processing. We will respond to all requests within 30 days. In some cases we may extend this period by up to 30 additional days, and we will notify you if an extension is needed.

This Notice is effective as of March 1, 2026. For related documents, see our Privacy Policy and Terms of Service.