© Soulera Wellness® 2026, All Rights Reserved

Privacy Policy

Effective Date: January 1, 2026

Soulera Wellness LLC

Doing Business As: Soulera Wellness

1. INTRODUCTION & SCOPE OF MEDICAL SERVICES

1.1 Our Commitment to Your Privacy

Soulera Wellness LLC, doing business as Soulera Wellness (“Soulera,” “we,” “us,” or “our”), is a licensed medical clinic specializing in longevity medicine, peptide therapy, regenerative medicine, and metabolic health services. We are committed to protecting the privacy and confidentiality of your protected health information (“PHI”) and personal information in accordance with applicable federal and state laws, including the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and its implementing regulations.




1.2 HIPAA Covered Entity Status

Soulera operates as a HIPAA Covered Entity and maintains full compliance with all HIPAA Privacy, Security, and Breach Notification Rules as codified in 45 CFR Parts 160 and 164. This Privacy Policy serves as our Notice of Privacy Practices as required under 45 CFR §164.520 and describes how we may use and disclose your protected health information, your rights regarding such information, and our legal duties concerning your health information.



1.3 Scope of Medical Services


Our licensed medical services include, but are not limited to:


  • Physician-prescribed peptide therapy and regenerative medicine

  • Cellular therapies where legally permitted under state regulations

  • Comprehensive blood panels, laboratory testing, and biomarker diagnostics

  • Weight loss and metabolic medicine programs

  • Performance optimization and longevity medicine

  • Chronic pain management support and consultation

  • Hair restoration treatments and related therapies

  • Telehealth consultations and remote monitoring services


All services are provided under direct medical supervision by licensed healthcare providers and require appropriate medical intake, informed consent, and ongoing clinical oversight in accordance with applicable state medical practice acts and federal regulations.



1.4 Adult-Only Services

Soulera’s medical services are exclusively provided to patients who are eighteen (18) years of age or older. We do not provide medical treatment, consultation, or services to minors under any circumstances. All patients must provide valid proof of age and identity prior to receiving any medical services.



1.5 Geographic and Licensing Limitations

Our medical services are provided only to patients physically located within states where our healthcare providers maintain active medical licensure. Patient location verification is required before any medical services are rendered, and services are restricted based on provider licensure and state regulatory requirements.

2. INFORMATION WE COLLECT

2.1 Protected Health Information (PHI)

As defined under 45 CFR §164.501, we collect, use, and maintain protected health information that individually identifies you and relates to your past, present, or future physical or mental health condition, the provision of healthcare services to you, or payment for such services. This includes:

Medical History and Clinical Information:

  • Complete medical history, including past illnesses, surgeries, and hospitalizations

  • Current medications, supplements, and treatment regimens

  • Known allergies, adverse drug reactions, and contraindications

  • Family medical history relevant to genetic predispositions and risk factors

  • Mental health history, including psychological assessments and psychiatric medications

  • Substance use history, including alcohol, tobacco, and controlled substances

Diagnostic and Laboratory Data:

  • Blood work results, including comprehensive metabolic panels, lipid profiles, and hormone levels

  • Biomarker analysis and genetic testing results where applicable

  • Imaging studies, diagnostic reports, and specialist consultations

  • Vital signs, physical examination findings, and clinical assessments

  • Progress notes, treatment plans, and clinical decision-making documentation

Treatment and Prescription Information:

  • Prescribed medications, including peptide therapies and compounded formulations

  • Dosage instructions, administration protocols, and monitoring requirements

  • Treatment responses, side effects, and adverse events

  • Medication adherence and patient-reported outcomes

  • Prescription fulfillment and pharmacy coordination records

2.2 Personal and Demographic Information

We collect personal information necessary for patient identification, communication, and healthcare delivery:

Identity and Contact Information:

  • Full legal name, date of birth, and government-issued identification numbers

  • Current and previous addresses, including temporary and seasonal residences

  • Primary and secondary telephone numbers, including mobile and emergency contacts

  • Email addresses for secure communication and patient portal access

  • Emergency contact information and healthcare proxy designations

Insurance and Financial Information:

  • Health insurance coverage details, including policy numbers and group identifiers

  • Payment method information for services not covered by insurance

  • Financial assistance applications and supporting documentation

  • Billing addresses and authorized payment representatives

Employment and Lifestyle Information:

  • Occupation and workplace exposures relevant to health assessment

  • Lifestyle factors affecting treatment decisions, including diet, exercise, and sleep patterns

  • Travel history and geographic risk factors for infectious diseases

  • Social determinants of health affecting treatment planning and outcomes

2.3 Clinical and Diagnostic Data

We maintain comprehensive clinical records documenting all aspects of your medical care:

Clinical Documentation:

  • Initial consultation notes and comprehensive health assessments

  • Follow-up visit documentation and treatment progress evaluations

  • Telehealth consultation records and remote monitoring data

  • Clinical photographs for treatment documentation where applicable

  • Patient-reported outcome measures and quality of life assessments

Laboratory and Diagnostic Results:

  • Complete blood count, comprehensive metabolic panels, and lipid profiles

  • Hormone level testing, including testosterone, growth hormone, and thyroid function

  • Inflammatory markers, oxidative stress indicators, and metabolic biomarkers

  • Genetic testing results for personalized medicine applications

  • Specialized testing for longevity and performance optimization

3. HOW WE USE AND DISCLOSE HEALTH INFORMATION

3.1 Treatment, Payment, and Healthcare Operations

Under 45 CFR §164.506, we may use and disclose your protected health information without your written authorization for the following purposes:

Treatment Purposes:

  • Providing, coordinating, and managing your healthcare services and related treatments

  • Consulting with other healthcare providers involved in your care

  • Referring you to specialists, laboratories, or other healthcare facilities

  • Coordinating care transitions and continuity of treatment

  • Emergency medical treatment when immediate care is necessary

  • Quality assurance and clinical improvement activities

Payment Purposes:

  • Processing insurance claims and determining coverage eligibility

  • Collecting payment for services rendered and managing patient accounts

  • Coordinating benefits with multiple insurance carriers

  • Conducting utilization review and medical necessity determinations

  • Fraud prevention and detection activities related to healthcare billing

  • Financial assistance program administration and eligibility verification

Healthcare Operations:

  • Quality assessment and improvement programs

  • Clinical effectiveness research and outcomes measurement

  • Healthcare provider credentialing and performance evaluation

  • Medical staff peer review and clinical competency assessments

  • Compliance monitoring and regulatory reporting requirements

  • Business planning, development, and management activities

3.2 Required and Permitted Disclosures

Under 45 CFR §164.512, we may disclose your protected health information without your authorization when required or permitted by law:

Public Health Activities:

  • Reporting communicable diseases to state and local health departments

  • Reporting adverse drug events and medical device malfunctions to the FDA

  • Workplace injury reporting to occupational safety authorities

  • Vital statistics reporting for birth and death certificates

  • Public health surveillance and disease prevention activities

Legal and Regulatory Requirements:

  • Compliance with court orders, subpoenas, and legal discovery requests

  • Law enforcement investigations involving healthcare fraud or abuse

  • Regulatory inspections and compliance audits by government agencies

  • Mandatory reporting of suspected abuse, neglect, or domestic violence

  • National security and intelligence activities as authorized by law

Health Oversight Activities:

  • State medical board investigations and disciplinary proceedings

  • Medicare and Medicaid program integrity investigations

  • Healthcare facility licensing and accreditation surveys

  • Professional liability insurance investigations and claims processing

  • Government audits of healthcare programs and services

3.3 Uses Requiring Authorization

Under 45 CFR §164.508, we will obtain your written authorization before using or disclosing your protected health information for:

Marketing Communications:

  • Promotional materials for healthcare services not directly related to your treatment

  • Third-party marketing communications and commercial endorsements

  • Fundraising activities and charitable solicitations

  • Research studies and clinical trials not directly related to your care

  • Sale of protected health information to third parties for commercial purposes

Psychotherapy Notes:

  • Disclosure of psychotherapy notes maintained separately from your medical record

  • Mental health counseling session notes and therapeutic observations

  • Psychological assessment details beyond diagnostic and treatment planning information

Other Specific Uses:

  • Genetic information disclosure for non-treatment purposes

  • Substance abuse treatment records subject to 42 CFR Part 2 requirements

  • HIV/AIDS testing and treatment information subject to state confidentiality laws

  • Workers’ compensation claims not directly related to your treatment

4. YOUR RIGHTS AS A PATIENT UNDER HIPAA

4.1 Right to Access Your Health Information

Under 45 CFR §164.524, you have the right to inspect and obtain copies of your protected health information maintained in our designated record sets. This right includes:

Access Timeframe and Process:

  • We will provide access to your health information within fifteen (15) calendar days of receiving your written request

  • If your information is maintained off-site or in electronic format requiring additional processing time, we may extend this timeframe by an additional thirty (30) days with written notice

  • You may request access in the form and format you prefer, including electronic copies when feasible

  • We will provide access at a convenient time and place or arrange for mail delivery of copies

Fees and Charges:

  • We may charge reasonable, cost-based fees for copying, postage, and preparation of summaries

  • Fee schedules are available upon request and comply with applicable state and federal regulations

  • We will provide an estimate of charges exceeding fifty dollars ($50) before processing your request

  • No fees will be charged for the first copy of your health information provided electronically

Limitations on Access:

  • Psychotherapy notes maintained separately from your medical record

  • Information compiled in reasonable anticipation of litigation or legal proceedings

  • Laboratory results when disclosure is prohibited by the Clinical Laboratory Improvement Amendments

  • Information obtained from someone other than a healthcare provider under a promise of confidentiality

4.2 Right to Request Amendment

Under 45 CFR §164.526, you have the right to request amendments to your protected health information when you believe it is inaccurate or incomplete:

Amendment Request Process:

  • Requests must be submitted in writing and include the specific information you believe should be amended

  • You must provide supporting documentation and a reason for the requested amendment

  • We will respond to your request within sixty (60) days of receipt

  • If additional time is needed, we may extend this timeframe by an additional thirty (30) days with written notice

Grounds for Denial:

  • The information was not created by Soulera unless the originator is no longer available

  • The information is not part of our designated record set

  • The information is accurate and complete as documented

  • You would not be permitted to inspect and copy the information under access rights

Amendment Documentation:

  • Approved amendments will be incorporated into your medical record and shared with relevant parties

  • Denied amendment requests will be documented with our written response and your right to submit a statement of disagreement

  • Future disclosures will include amendment information or statements of disagreement as applicable

4.3 Right to Accounting of Disclosures

Under 45 CFR §164.528, you have the right to receive an accounting of disclosures of your protected health information made by Soulera for purposes other than treatment, payment, or healthcare operations:

Accounting Timeframe:

  • You may request an accounting of disclosures made during the six (6) years prior to your request

  • The first accounting in any twelve (12) month period will be provided free of charge

  • Additional accountings may be subject to reasonable, cost-based fees

Information Included in Accounting:

  • Date of each disclosure and name of the person or entity receiving the information

  • Address of the recipient if known and brief description of the information disclosed

  • Brief statement of the purpose of the disclosure or copy of written request for disclosure

  • Contact information for recipients when available for your follow-up inquiries

Excluded Disclosures:

  • Disclosures made for treatment, payment, or healthcare operations

  • Disclosures made to you or your personal representative

  • Disclosures made pursuant to your written authorization

  • Disclosures for national security or intelligence purposes

  • Disclosures to correctional institutions or law enforcement officials having lawful custody

4.4 Right to Request Restrictions

Under 45 CFR §164.522, you have the right to request restrictions on how we use or disclose your protected health information:

Types of Restrictions:

  • Limitations on disclosures to family members, friends, or other persons involved in your care

  • Restrictions on uses or disclosures for treatment, payment, or healthcare operations

  • Limitations on specific types of information disclosed to particular recipients

  • Restrictions on disclosures to health plans when you pay out-of-pocket in full for services

Restriction Request Process:

  • Requests must be submitted in writing and specify the information, use, or disclosure you wish to restrict

  • You must identify the persons or entities to whom the restriction applies

  • We will consider your request but are not required to agree except in specific circumstances

  • If we agree to a restriction, we will document it in your medical record and comply with the restriction

Mandatory Restrictions:

  • We must agree to restrict disclosures to health plans when you pay out-of-pocket in full for healthcare items or services

  • Restrictions do not apply when information is needed for emergency treatment

  • We may terminate agreed-upon restrictions with written notice, though termination applies only to future uses and disclosures

4.5 Right to Request Alternative Communications

Under 45 CFR §164.522(b), you have the right to request that we communicate with you about your health information by alternative means or at alternative locations:

Communication Alternatives:

  • Requesting communications at a different address or telephone number

  • Specifying preferred times for telephone communications

  • Requesting communications through secure email or patient portal systems

  • Designating authorized representatives to receive communications on your behalf

Reasonable Accommodation:

  • We will accommodate reasonable requests that do not impose an undue administrative or financial burden

  • You do not need to provide an explanation for your request

  • We may require information about how payment will be handled under alternative communication arrangements

  • Alternative communication methods must maintain appropriate privacy and security safeguards

5. BUSINESS ASSOCIATE RELATIONSHIPS

5.1 Business Associate Agreement Requirements

Under 45 CFR §164.502(e) and §164.504(e), Soulera maintains Business Associate Agreements (“BAAs”) with all third-party service providers who may have access to protected health information in the course of providing services to us. These agreements ensure that business associates implement appropriate safeguards to protect your health information and comply with applicable HIPAA requirements.

5.2 Categories of Business Associates

We work with the following categories of business associates who may have access to your protected health information:

Laboratory and Diagnostic Services:

  • Clinical laboratories performing blood work, hormone testing, and specialized diagnostics, including Superpower and other HIPAA-compliant laboratory service providers

  • Pathology services and specialized testing facilities for advanced biomarker analysis

  • Imaging centers and diagnostic facilities for radiological studies and medical imaging

  • Genetic testing laboratories for personalized medicine and hereditary risk assessment

  • Reference laboratories for specialized testing not available through primary laboratory partners

Pharmacy and Medication Services:

  • Licensed retail pharmacies and specialty pharmacy providers for prescription fulfillment

  • Compounding pharmacies specializing in peptide therapy and customized formulations

  • Specialty medication distributors for regenerative medicine and advanced therapeutics

  • Medication adherence monitoring services and patient support programs

  • Pharmaceutical benefit management companies and insurance coordination services

Technology and Electronic Health Records:

  • Electronic health record (EHR) system vendors and cloud-based medical record platforms

  • Practice management software providers and clinical documentation systems

  • Data backup and disaster recovery service providers maintaining secure off-site storage

  • IT support services and cybersecurity monitoring for healthcare technology infrastructure

  • Software vendors providing clinical decision support and medical reference tools

Telehealth and Communication Platforms:

  • HIPAA-compliant telehealth platforms and secure video conferencing systems for remote consultations

  • Patient portal providers and secure messaging platforms for patient-provider communication

  • Appointment scheduling systems and automated reminder services

  • Secure file transfer services for sharing medical records and diagnostic images

  • Translation services and accessibility support for patient communications

Billing and Financial Services:

  • Medical billing companies and revenue cycle management service providers

  • Payment processing companies and merchant services for patient payments

  • Insurance verification services and prior authorization support providers

  • Collections agencies for outstanding patient accounts, subject to additional privacy restrictions

  • Financial assistance program administrators and charity care coordinators

Legal and Compliance Services:

  • Legal counsel and law firms providing healthcare regulatory and compliance advice

  • Compliance consulting services and HIPAA risk assessment providers

  • Medical malpractice insurance carriers and claims management companies

  • Accreditation and certification bodies conducting facility and provider assessments

  • Expert witnesses and medical consultants for legal proceedings involving patient care

5.3 Business Associate Safeguards and Limitations

All business associate agreements include the following minimum safeguards and limitations:

Use and Disclosure Restrictions:

  • Business associates may only use or disclose protected health information as necessary to perform their designated functions

  • Prohibited uses include marketing, fundraising, or any commercial purposes not directly related to healthcare services

  • Sub-contracting arrangements require written agreements with equivalent privacy protections

  • Business associates must implement administrative, physical, and technical safeguards equivalent to those required for covered entities

Breach Notification and Incident Response:

  • Business associates must report any suspected or actual breaches of protected health information within twenty-four (24) hours of discovery

  • Incident response procedures include immediate containment, investigation, and remediation measures

  • Business associates must cooperate fully with breach investigations and regulatory reporting requirements

  • Documentation of security incidents and breach response activities must be maintained for regulatory review

Termination and Return of Information:

  • Upon termination of the business associate relationship, all protected health information must be returned or destroyed

  • Certification of information destruction must be provided when return is not feasible

  • Business associates may retain information only as required by law or regulation

  • Ongoing monitoring ensures compliance with information return and destruction requirements

6. DATA SECURITY AND SAFEGUARDS

6.1 Comprehensive Security Framework

Soulera implements comprehensive administrative, physical, and technical safeguards as required under the HIPAA Security Rule (45 CFR Part 164, Subpart C) to protect the confidentiality, integrity, and availability of your protected health information. Our security framework is designed to prevent unauthorized access, use, disclosure, modification, or destruction of health information.

6.2 Administrative Safeguards

Under 45 CFR §164.308, we maintain the following administrative safeguards:

Security Management and Workforce Training:

  • Designated Privacy Officer and Security Officer responsible for developing, implementing, and maintaining privacy and security policies

  • Comprehensive workforce training programs covering HIPAA requirements, privacy practices, and security procedures

  • Regular security awareness training and updates on emerging threats and regulatory changes

  • Role-based access controls ensuring workforce members have access only to information necessary for their job functions

  • Disciplinary procedures for workforce members who violate privacy and security policies

Access Management and User Authentication:

  • Unique user identification and strong authentication requirements for all system access

  • Regular review and updating of user access privileges based on job responsibilities and employment status

  • Automatic session timeouts and screen locks to prevent unauthorized access to unattended workstations

  • Audit trails and monitoring of user activities within electronic health record systems

  • Prompt termination of system access for departing workforce members

Incident Response and Contingency Planning:

  • Written incident response procedures for addressing security breaches and privacy violations

  • Business continuity and disaster recovery plans ensuring continued access to patient information during emergencies

  • Regular testing and updating of contingency plans to address evolving threats and operational changes

  • Data backup procedures and secure off-site storage of critical patient information

  • Emergency access procedures for obtaining patient information during system outages or disasters

6.3 Physical Safeguards

Under 45 CFR §164.310, we implement the following physical safeguards:

Facility Access and Workstation Security:

  • Controlled access to facilities containing protected health information through keycard systems and visitor management

  • Secure storage of physical medical records in locked filing systems with restricted access

  • Workstation positioning and privacy screens to prevent unauthorized viewing of patient information

  • Clean desk policies requiring secure storage of patient information when not in use

  • Environmental controls protecting electronic systems from damage due to fire, flood, or other disasters

Device and Media Controls:

  • Inventory and tracking of all devices containing or accessing protected health information

  • Encryption of portable devices and removable media containing patient information

  • Secure disposal and destruction of electronic media and hardware containing patient data

  • Controls governing the receipt, removal, and disposal of hardware and electronic media

  • Regular maintenance and updating of physical security systems and access controls

6.4 Technical Safeguards

Under 45 CFR §164.312, we employ the following technical safeguards:

Access Control and Encryption:

  • Multi-factor authentication for access to electronic health record systems and patient information

  • Encryption of protected health information both in transit and at rest using industry-standard protocols

  • Secure network communications through virtual private networks and encrypted connections

  • Regular security assessments and penetration testing to identify and address vulnerabilities

  • Automatic logoff procedures and session management to prevent unauthorized access

Audit Controls and Integrity Monitoring:

  • Comprehensive audit logging of all access to and modifications of protected health information

  • Regular review of audit logs to detect unauthorized access attempts and suspicious activities

  • Data integrity controls ensuring that protected health information is not improperly altered or destroyed

  • Version control and change management procedures for electronic health record systems

  • Monitoring and alerting systems for detecting potential security incidents and breaches

Transmission Security:

  • Secure email systems and encrypted communication channels for transmitting patient information

  • Network security controls including firewalls, intrusion detection systems, and malware protection

  • Secure file transfer protocols for sharing patient information with authorized recipients

  • End-to-end encryption for telehealth communications and remote patient monitoring

  • Regular security updates and patch management for all systems handling patient information

7. BREACH NOTIFICATION PROCEDURES

7.1 Breach Definition and Assessment

Under the HIPAA Breach Notification Rule (45 CFR Part 164, Subpart D), Soulera maintains comprehensive procedures for identifying, assessing, and responding to breaches of protected health information. A breach is defined as the acquisition, access, use, or disclosure of protected health information in a manner not permitted under the HIPAA Privacy Rule that compromises the security or privacy of the information.

7.2 Breach Discovery and Risk Assessment

Discovery Procedures:

  • Soulera conducts immediate investigations upon discovery of any potential unauthorized access, use, or disclosure of protected health information

  • Discovery may occur through security monitoring systems, workforce reporting, patient complaints, or external notifications

  • All potential incidents are documented and assessed within twenty-four (24) hours of discovery

  • Risk assessment considers the nature and extent of information involved, unauthorized persons who accessed the information, whether information was actually acquired or viewed, and extent to which risk has been mitigated

Low Probability of Compromise Assessment:

  • Incidents are evaluated to determine whether there is a low probability that protected health information has been compromised

  • Factors considered include safeguards in place, nature of the information, who accessed the information, and whether information was actually acquired

  • Documentation of risk assessment methodology and conclusions is maintained for regulatory review

  • Independent review of risk assessments ensures objectivity and compliance with regulatory standards

7.3 Patient Notification Requirements

Under 45 CFR §164.404, when a breach affects your protected health information, we will provide notification as follows:

Notification Timeframe and Method:

  • Written notification will be provided within sixty (60) calendar days of breach discovery

  • Notification will be sent by first-class mail to your last known address or by email if you have agreed to electronic communications

  • If contact information is insufficient or out-of-date, substitute notice will be provided through prominent posting on our website or major print or broadcast media

  • Urgent situations requiring immediate action may warrant expedited notification by telephone or other rapid communication methods

Required Notification Content:

  • Brief description of what happened and the date of the breach and date of discovery

  • Types of protected health information that were involved in the breach

  • Steps you should take to protect yourself from potential harm resulting from the breach

  • Brief description of what Soulera is doing to investigate the breach, mitigate harm, and protect against future breaches

  • Contact procedures for you to ask questions or learn additional information about the breach

7.4 Regulatory Reporting and Documentation

Department of Health and Human Services Reporting:

  • Breaches affecting 500 or more individuals are reported to the Secretary of Health and Human Services within sixty (60) days of discovery

  • Breaches affecting fewer than 500 individuals are reported annually by March 1st of the following year

  • All required information is submitted through the HHS Office for Civil Rights breach reporting website

  • Ongoing cooperation with regulatory investigations and compliance reviews is maintained

Media Notification Requirements:

  • Breaches affecting 500 or more individuals in a state or jurisdiction require notification to prominent media outlets serving the affected area

  • Media notification is provided without unreasonable delay and within sixty (60) days of breach discovery

  • Notification includes the same information provided to affected individuals with appropriate modifications for public communication

  • Coordination with public relations and legal counsel ensures accurate and appropriate media communications

Documentation and Record Keeping:

  • Comprehensive documentation of all breach incidents, risk assessments, and response activities is maintained

  • Records include timeline of discovery and response, individuals and entities notified, and remediation measures implemented

  • Documentation is retained for a minimum of six (6) years from the date of creation or last effective date

  • Regular review of breach response procedures and lessons learned informs continuous improvement of security practices

8. MARKETING AND COMMUNICATIONS

8.1 Marketing Authorization Requirements

Under 45 CFR §164.508, Soulera requires separate written authorization before using or disclosing your protected health information for marketing purposes. Marketing is defined as communication about a product or service that encourages recipients to purchase or use the product or service, with limited exceptions for treatment communications and health plan communications.

8.2 Treatment and Healthcare Operations Communications

The following communications do not require separate authorization as they are considered part of treatment or healthcare operations:

Treatment-Related Communications:

  • Information about treatment alternatives, health-related benefits and services, or providers participating in your care

  • Appointment reminders and follow-up care instructions related to your ongoing treatment

  • Medication adherence reminders and safety information related to prescribed therapies

  • Health maintenance and preventive care recommendations based on your medical history and risk factors

  • Care coordination communications with other healthcare providers involved in your treatment

Healthcare Operations Communications:

  • General health and wellness information relevant to your medical conditions or treatment

  • Information about Soulera’s services, facilities, and healthcare providers

  • Patient satisfaction surveys and quality improvement communications

  • Educational materials about medical conditions, treatments, and health maintenance

  • Communications about changes to our services, policies, or healthcare team

8.3 Marketing Authorization Process

When separate authorization is required for marketing communications:

Authorization Requirements:

  • Written authorization must be obtained before any marketing communication is sent

  • Authorization forms clearly describe the specific marketing purpose and types of communications

  • You have the right to revoke authorization at any time by providing written notice

  • Revocation applies to future marketing communications but does not affect communications already sent based on previous authorization

  • Treatment and payment are not conditioned on providing marketing authorization

Opt-Out Mechanisms:

  • All marketing communications include clear and prominent opt-out instructions

  • Multiple opt-out methods are provided, including email unsubscribe links, telephone numbers, and written requests

  • Opt-out requests are processed within ten (10) business days of receipt

  • Suppression lists are maintained to ensure opted-out individuals do not receive future marketing communications

  • Periodic review of marketing lists ensures compliance with opt-out preferences

8.4 Third-Party Marketing Restrictions

Prohibited Third-Party Marketing:

  • Soulera does not sell, rent, or otherwise provide patient contact information to third parties for marketing purposes

  • Protected health information is not disclosed to pharmaceutical companies, medical device manufacturers, or other commercial entities for marketing purposes without specific written authorization

  • Business associate agreements with marketing service providers include strict limitations on use and disclosure of patient information

  • Marketing communications clearly identify Soulera as the sender and do not misrepresent third-party endorsements

Fundraising and Charitable Communications:

  • Fundraising communications are limited to demographic information, dates of service, department of service, treating physician, outcome information, and health insurance status

  • Fundraising communications include clear opt-out instructions and contact information for opting out of future fundraising communications

  • Charitable solicitations and community health programs require separate authorization when they involve use of protected health information

  • Partnership communications with charitable organizations comply with business associate agreement requirements

9. WEBSITE COOKIES AND TRACKING TECHNOLOGIES

9.1 Cookie Policy and Essential Functions

Soulera’s website uses cookies and similar tracking technologies in a limited manner to support essential website functions while protecting patient privacy. We do not use tracking pixels, web beacons, or other monitoring technologies on patient portal pages or areas of our website where protected health information may be accessed or transmitted.

9.2 Types of Cookies Used

Essential Cookies:

  • Session management cookies necessary for website functionality and user authentication

  • Security cookies that help identify and prevent security threats and unauthorized access

  • Load balancing cookies that ensure optimal website performance and availability

  • Preference cookies that remember your language and accessibility settings

  • These essential cookies do not require consent as they are necessary for the website to function properly

Analytics Cookies (Limited Use):

  • Basic website analytics to understand general usage patterns and improve user experience

  • No personally identifiable information or protected health information is collected through analytics cookies

  • Analytics data is aggregated and anonymized to prevent identification of individual users

  • Analytics cookies are used only on public areas of our website, not on patient portal or secure communication pages

  • You may opt out of analytics cookies through browser settings without affecting essential website functionality

9.3 Patient Portal and Secure Areas

Enhanced Privacy Protections:

  • Patient portal and secure communication areas do not use any non-essential cookies or tracking technologies

  • No third-party analytics, advertising, or social media tracking tools are implemented on secure pages

  • Session cookies used in secure areas are encrypted and automatically deleted when you log out or close your browser

  • Secure areas implement additional privacy safeguards including content security policies and strict transport security

  • Regular security assessments ensure that patient portal areas maintain the highest privacy standards

9.4 Third-Party Services and Social Media

Limited Third-Party Integration:

  • Social media plugins and sharing buttons are not implemented on pages containing or accessing protected health information

  • Third-party services integrated with our website are limited to essential functions such as appointment scheduling and secure communications

  • All third-party services with access to any patient information operate under business associate agreements with appropriate privacy safeguards

  • We do not participate in cross-site tracking, advertising networks, or data sharing arrangements that could compromise patient privacy

Browser Controls and User Choice:

  • You may control cookie settings through your web browser preferences and privacy settings

  • Instructions for managing cookies in popular browsers are available on our website

  • Disabling essential cookies may limit website functionality but will not affect your ability to receive medical care

  • We respect “Do Not Track” browser signals and do not override user privacy preferences

  • Regular updates to our cookie policy reflect changes in technology and privacy regulations

10. THIRD-PARTY SERVICES AND LINKS

10.1 Business Associate Third-Party Services

Soulera works with carefully selected third-party service providers who may have access to your protected health information in the course of providing services to support your healthcare. All such providers operate under comprehensive Business Associate Agreements that ensure HIPAA compliance and appropriate privacy safeguards.

Healthcare Service Providers:

  • Laboratory and diagnostic service providers, including Superpower and other HIPAA-compliant testing facilities

  • Pharmacy and compounding pharmacy partners for prescription fulfillment and medication management

  • Specialist physicians and healthcare providers for referrals and collaborative care

  • Telehealth platform providers and secure communication technology vendors

  • Medical equipment and supply companies providing devices for remote monitoring and treatment

Technology and Administrative Services:

  • Electronic health record system vendors and cloud-based medical record platforms

  • Practice management software providers and billing service companies

  • IT support services and cybersecurity monitoring providers

  • Legal and compliance consulting services for healthcare regulatory matters

  • Accreditation and quality assurance organizations conducting facility assessments

10.2 Non-Healthcare Third-Party Links

Our website may contain links to third-party websites, resources, and services that are not directly related to your healthcare or covered by our Business Associate Agreements. These links are provided for informational purposes only and do not constitute endorsements of the linked sites or services.

Educational and Informational Resources:

  • Medical research organizations and professional medical associations

  • Health education websites and patient advocacy organizations

  • Government health agencies and regulatory bodies

  • Medical journals and peer-reviewed research publications

  • General wellness and lifestyle information resources

Disclaimer of Responsibility:

  • Soulera is not responsible for the privacy practices, content, or security of third-party websites

  • Third-party sites may have different privacy policies and terms of use that govern your interactions with those sites

  • We encourage you to review the privacy policies of any third-party websites you visit

  • Information you provide to third-party websites is not covered by this Privacy Policy or our HIPAA protections

  • Links to third-party sites do not imply medical endorsement or recommendation of products or services

10.3 Social Media and Online Platforms

Limited Social Media Presence:

  • Soulera maintains professional social media accounts for general health education and practice information

  • Social media platforms are not used for patient communication, appointment scheduling, or sharing of any patient information

  • Patients are advised not to communicate about their healthcare through social media platforms or public forums

  • Social media interactions are not considered part of your medical record and do not establish a doctor-patient relationship

Patient Communication Guidelines:

  • All healthcare-related communications should occur through secure, HIPAA-compliant channels such as our patient portal or secure email

  • Public forums, social media comments, and online reviews may not receive timely responses and should not be used for urgent medical matters

  • Patient testimonials and reviews on third-party platforms are voluntary and not solicited by Soulera

  • We respect patient privacy and do not respond to or acknowledge patient information shared on public platforms

10.4 Data Sharing and Integration Limitations

Prohibited Data Sharing:

  • Soulera does not sell, rent, or share protected health information with third parties for commercial, marketing, or non-healthcare purposes

  • Patient information is not provided to data brokers, advertising networks, or commercial research organizations without specific written authorization

  • Integration with third-party services is limited to healthcare operations and requires appropriate privacy safeguards

  • Cross-platform data sharing is restricted to authorized healthcare purposes and complies with minimum necessary standards

Authorized Healthcare Integration:

  • Health information exchanges and interoperability platforms used for care coordination and continuity

  • Insurance verification and prior authorization systems for treatment approval and payment processing

  • Quality reporting and regulatory compliance systems required by law or accreditation standards

  • Emergency medical information systems for urgent and emergent care situations

  • All authorized integrations maintain audit trails and comply with patient consent requirements

11. GEOGRAPHIC AND LICENSING RESTRICTIONS

11.1 Licensed States of Operation

Soulera provides medical services exclusively to patients located within states where our healthcare providers maintain active, unrestricted medical licensure. Our current licensed states of operation include:

Primary Licensed Jurisdictions:

  • California - Licensed for comprehensive medical practice including telehealth services

  • Nevada - Licensed for longevity medicine and specialized therapeutic services

  • Washington - Licensed for medical practice with telehealth authorization

  • Arizona - Licensed for medical practice including peptide therapy and regenerative medicine

  • Georgia - Licensed for comprehensive medical services and telehealth practice

  • Florida - Licensed for medical practice including specialized longevity and metabolic medicine

  • Massachusetts - Licensed for medical practice with telehealth capabilities

  • Maine - Licensed for comprehensive medical services and remote patient monitoring

  • Texas - Licensed for medical practice including specialized therapeutic services

  • Illinois - Licensed for medical practice with telehealth authorization

  • Colorado - Licensed for comprehensive medical services including regenerative medicine

Licensing Verification and Compliance:

  • All healthcare providers maintain current licensure in good standing with applicable state medical boards

  • Regular monitoring of licensing requirements and renewal deadlines ensures continuous compliance

  • Scope of practice limitations and state-specific regulations are strictly observed

  • Continuing medical education requirements are met or exceeded in all licensed jurisdictions

  • Professional liability insurance coverage is maintained for all licensed practice locations

11.2 Patient Location Verification

Mandatory Location Verification:

  • Patient location verification is required before any medical services are provided

  • Verification includes confirmation of physical address and current location at the time of service

  • Patients must provide valid government-issued identification confirming residency in a licensed state

  • Temporary visitors or travelers may receive limited services based on provider licensure and state regulations

  • Location verification is documented in the patient’s medical record for compliance purposes

Interstate Practice Limitations:

  • Medical services are not provided to patients located outside of our licensed jurisdictions

  • Prescription medications cannot be prescribed to patients in states where providers are not licensed

  • Telehealth consultations are restricted to patients physically located in licensed states at the time of service

  • Laboratory orders and diagnostic testing are limited to facilities and providers authorized in the patient’s state of residence

  • Referrals and care coordination are provided only within the scope of applicable state licensing laws

11.3 Telehealth and Interstate Compliance

Telehealth Licensing Requirements:

  • Telehealth services comply with both originating site (patient location) and distant site (provider location) state regulations

  • Provider licensure in the patient’s state of residence is required for all telehealth consultations

  • Interstate medical licensure compact participation is utilized where applicable and beneficial for patient care

  • Emergency consultation exceptions are limited to life-threatening situations and comply with Good Samaritan protections

  • Telehealth platform selection ensures compliance with state-specific technology and security requirements

Prescription and Treatment Limitations:

  • Controlled substance prescriptions comply with both federal DEA requirements and state-specific regulations

  • Prescription drug monitoring program (PDMP) checks are conducted as required by state law

  • Compounding pharmacy partnerships are limited to facilities licensed and authorized in the patient’s state

  • Medical device prescriptions and durable medical equipment orders comply with state regulatory requirements

  • Treatment protocols are adapted to meet state-specific scope of practice and regulatory standards

11.4 Expansion and Licensing Updates

Future Licensing Expansion:

  • Soulera may seek additional state medical licenses based on patient demand and regulatory feasibility

  • New licensing applications will be pursued in compliance with state medical board requirements and timelines

  • Patients in non-licensed states may be placed on notification lists for future service availability

  • Licensing expansion decisions consider regulatory complexity, practice sustainability, and patient access needs

  • Regular review of licensing opportunities ensures optimal patient access while maintaining compliance

Regulatory Change Monitoring:

  • Ongoing monitoring of state medical practice acts and telehealth regulations ensures continued compliance

  • Changes in interstate practice requirements are evaluated for impact on service delivery and patient access

  • Professional associations and regulatory updates are reviewed regularly for licensing and practice implications

  • Legal counsel consultation ensures appropriate response to regulatory changes and licensing requirements

  • Patient notification procedures are in place for any changes affecting service availability or delivery methods

12. TELEHEALTH AND REMOTE MONITORING

12.1 Telehealth Platform Security and Compliance

Soulera utilizes HIPAA-compliant telehealth platforms and secure video conferencing systems to provide remote medical consultations and ongoing patient care. All telehealth technologies meet or exceed federal and state requirements for healthcare communications and patient privacy protection.

Platform Security Features:

  • End-to-end encryption for all video, audio, and text communications during telehealth sessions

  • Multi-factor authentication requirements for both patients and healthcare providers accessing telehealth platforms

  • Secure waiting rooms and session controls preventing unauthorized access to consultations

  • Automatic session termination and data purging following completion of telehealth appointments

  • Business Associate Agreements with all telehealth platform providers ensuring HIPAA compliance and appropriate safeguards

Technical Requirements and Support:

  • Minimum technical specifications and internet connectivity requirements are provided to patients prior to telehealth appointments

  • Technical support and troubleshooting assistance are available during business hours for platform-related issues

  • Alternative communication methods are available when technical difficulties prevent successful telehealth sessions

  • Platform compatibility testing ensures optimal performance across various devices and operating systems

  • Regular security updates and platform maintenance are coordinated to minimize service disruptions

12.2 Recording Policies and Consent

Session Recording Restrictions:

  • Telehealth sessions are not routinely recorded by Soulera unless specifically requested for medical documentation purposes

  • When recording is medically necessary, explicit written consent is obtained from patients prior to session recording

  • Recorded sessions are stored securely within our HIPAA-compliant systems and subject to the same privacy protections as other medical records

  • Patients may request copies of recorded sessions in accordance with medical record access rights

  • Unauthorized recording of telehealth sessions by patients or providers is prohibited and may result in termination of services

Documentation and Medical Records:

  • Telehealth consultations are documented in patients’ electronic medical records with the same detail and accuracy as in-person visits

  • Clinical notes include documentation of technology used, patient location verification, and any technical issues affecting the consultation

  • Prescription and treatment decisions made during telehealth sessions are subject to the same clinical standards and documentation requirements as traditional office visits

  • Follow-up care plans and patient instructions are provided through secure communication channels following telehealth appointments

  • Quality assurance reviews of telehealth services ensure consistency with in-person care standards and regulatory requirements

12.3 Interstate Licensing and Regulatory Compliance

Multi-State Practice Requirements:

  • Telehealth services are provided only when healthcare providers maintain active licensure in the patient’s state of residence

  • Interstate medical licensure compact participation facilitates practice across multiple states while maintaining regulatory compliance

  • State-specific telehealth regulations and scope of practice limitations are strictly observed during remote consultations

  • Prescription authority and controlled substance prescribing comply with both originating and distant site state requirements

  • Emergency consultation protocols ensure appropriate care while maintaining licensing and regulatory compliance

Patient Location and Verification:

  • Patient location verification is required at the beginning of each telehealth session to ensure compliance with licensing requirements

  • Patients must confirm their physical location and provide address verification for documentation purposes

  • Services are not provided to patients located outside of licensed jurisdictions, even temporarily

  • Location verification is documented in the medical record and maintained for regulatory compliance purposes

  • Patients traveling outside of licensed states are advised of service limitations and alternative care arrangements

12.4 Remote Monitoring and Digital Health Tools

Remote Patient Monitoring Services:

  • HIPAA-compliant remote monitoring devices and applications may be provided for ongoing health assessment and treatment optimization

  • Data collected through remote monitoring devices is integrated into patients’ electronic medical records and subject to the same privacy protections

  • Patient training and support are provided for proper use of remote monitoring equipment and applications

  • Technical support and device troubleshooting are available during business hours for remote monitoring participants

  • Remote monitoring data is reviewed regularly by healthcare providers and incorporated into treatment planning and clinical decision-making

Digital Health Integration:

  • Wearable devices and health applications may be integrated with patient care plans when clinically appropriate and technically feasible

  • Patient consent is obtained before integrating third-party health applications or devices with medical records

  • Data accuracy and clinical relevance of digital health tools are evaluated before incorporation into treatment decisions

  • Privacy and security assessments are conducted for all digital health tools and applications used in patient care

  • Patients maintain control over digital health data sharing and may opt out of remote monitoring services at any time

Quality Assurance and Clinical Oversight:

  • Telehealth and remote monitoring services are subject to the same quality assurance and clinical oversight standards as in-person care

  • Regular review of telehealth outcomes and patient satisfaction ensures optimal service delivery and continuous improvement

  • Provider training and competency assessment for telehealth services ensure appropriate clinical care and technology utilization

  • Incident reporting and quality improvement processes address any issues or concerns related to telehealth service delivery

  • Regulatory compliance monitoring ensures ongoing adherence to federal and state telehealth requirements and best practices

13. SUBSTANCE USE DISORDER RECORDS (PART 2 REQUIREMENTS)

13.1 Enhanced Confidentiality Protections

In accordance with 42 CFR Part 2, which governs the confidentiality of substance use disorder patient records, Soulera provides enhanced privacy protections for patients receiving substance use disorder diagnosis, treatment, or referral services. These protections are in addition to HIPAA requirements and provide stricter confidentiality standards for substance use disorder information.

13.2 Scope of Part 2 Protections

Covered Information and Services:

  • Substance use disorder assessments, diagnoses, and treatment planning

  • Medication-assisted treatment for opioid use disorder, including prescription monitoring

  • Counseling and behavioral health services related to substance use disorders

  • Laboratory testing and diagnostic services specifically related to substance use disorder treatment

  • Referrals to specialized substance use disorder treatment programs and providers

Enhanced Consent Requirements:

  • Specific written consent is required for most disclosures of substance use disorder information

  • Consent forms must identify the specific information to be disclosed, the purpose of disclosure, and the recipient

  • Consent must specify the duration of authorization and include the patient’s right to revoke consent

  • General HIPAA authorizations are not sufficient for substance use disorder information disclosures

  • Separate consent is required for each disclosure unless specifically authorized for multiple disclosures

13.3 Permitted Disclosures Without Consent

Medical Emergencies:

  • Substance use disorder information may be disclosed without consent in bona fide medical emergencies when necessary to treat a condition posing an immediate threat to health

  • Emergency disclosures are limited to medical personnel treating the emergency condition

  • Documentation of emergency circumstances and medical necessity is maintained in the patient record

  • Patients are notified of emergency disclosures as soon as reasonably possible following the emergency

Court Orders and Legal Proceedings:

  • Substance use disorder information may be disclosed pursuant to court orders that meet specific legal standards

  • Court orders must find good cause and include specific findings regarding the need for disclosure

  • Patients have the right to participate in court proceedings regarding disclosure of their substance use disorder information

  • Legal counsel consultation is obtained for all court-ordered disclosures of substance use disorder information

13.4 Integration with HIPAA Requirements

Coordinated Privacy Protections:

  • When both HIPAA and Part 2 apply to the same information, the more restrictive privacy protection governs

  • Part 2 requirements generally provide greater privacy protection than HIPAA for substance use disorder information

  • Staff training ensures understanding of both HIPAA and Part 2 requirements and their interaction

  • Policies and procedures address the coordination of HIPAA and Part 2 compliance requirements

  • Regular compliance monitoring ensures adherence to both regulatory frameworks

Record Segregation and Access Controls:

  • Substance use disorder information is maintained with enhanced access controls and segregation from other medical records when required

  • Electronic health record systems implement role-based access controls limiting access to substance use disorder information

  • Audit trails specifically monitor access to substance use disorder information and generate alerts for unauthorized access attempts

  • Physical records containing substance use disorder information are stored with additional security measures

  • Breach notification procedures include enhanced requirements for substance use disorder information incidents

14. DATA RETENTION AND RECORD MANAGEMENT

14.1 Medical Record Retention Requirements

Soulera maintains comprehensive medical records in accordance with federal regulations, state law requirements, and professional standards to ensure continuity of care, legal compliance, and patient access to health information.

Primary Retention Period:

  • Adult patient medical records are retained for a minimum of seven (7) years from the date of last patient contact or service

  • For patients who were minors at the time of treatment, records are retained for seven (7) years after the patient reaches the age of majority, whichever period is longer

  • Records related to substance use disorder treatment are retained in accordance with both HIPAA and 42 CFR Part 2 requirements

  • Prescription records and controlled substance documentation are maintained for the periods required by federal and state pharmacy regulations

  • Laboratory results and diagnostic imaging are retained for the periods specified by applicable accreditation standards and state regulations

Extended Retention Circumstances:

  • Medical records involved in ongoing legal proceedings are retained until final resolution of all legal matters

  • Records related to workers’ compensation claims are maintained for extended periods as required by state workers’ compensation laws

  • Research records and clinical trial documentation are retained for the periods specified in research protocols and federal regulations

  • Quality assurance and peer review records are maintained in accordance with state medical practice acts and accreditation requirements

  • Billing and financial records are retained for the periods required by federal and state healthcare reimbursement regulations

14.2 Secure Storage and Access Controls

Physical Record Security:

  • Physical medical records are stored in locked, fireproof filing systems with restricted access controls

  • Environmental controls protect records from damage due to fire, flood, humidity, and other environmental hazards

  • Access to physical records is limited to authorized personnel with legitimate business needs

  • Record retrieval and return procedures ensure accountability and prevent unauthorized access

  • Off-site storage facilities meet healthcare record security standards and maintain appropriate environmental controls

Electronic Record Security:

  • Electronic health records are stored on secure, HIPAA-compliant servers with encryption and access controls

  • Regular data backups are performed and stored securely both on-site and off-site to ensure data availability

  • Version control and audit trails maintain the integrity and authenticity of electronic medical records

  • Access to electronic records is controlled through user authentication and role-based permissions

  • System monitoring and intrusion detection protect electronic records from unauthorized access and cyber threats

14.3 Record Destruction and Disposal

Secure Destruction Procedures:

  • Medical records are destroyed using methods that render the information unreadable and irretrievable

  • Physical records are destroyed through certified shredding services that provide certificates of destruction

  • Electronic records are destroyed using Department of Defense-approved data wiping standards

  • Destruction activities are documented and maintained for regulatory compliance purposes

  • Business associates involved in record destruction operate under appropriate agreements ensuring secure disposal

Destruction Timeline and Notification:

  • Records eligible for destruction are identified through regular retention schedule reviews

  • Patients are notified of pending record destruction when required by state law or when specifically requested

  • Legal holds and ongoing litigation prevent destruction of records until all legal matters are resolved

  • Destruction schedules account for extended retention requirements for specific types of records or circumstances

  • Documentation of destruction activities is maintained for audit and compliance purposes

14.4 Patient Access During Retention Period

Ongoing Access Rights:

  • Patients maintain the right to access their medical records throughout the entire retention period

  • Record access procedures remain consistent regardless of whether records are stored on-site or off-site

  • Fees for record access and copying remain reasonable and comply with applicable state and federal regulations

  • Electronic access to records is maintained when technically feasible and requested by patients

  • Record access timeframes may be extended for records stored off-site, with appropriate patient notification

Record Transfer and Continuity:

  • Medical records are transferred to new healthcare providers upon patient request and appropriate authorization

  • Record transfer procedures ensure completeness and accuracy of transferred information

  • Patients receive copies of their records when transferring care or upon request

  • Record transfer activities are documented and maintained for compliance and quality assurance purposes

  • Coordination with new providers ensures continuity of care and appropriate record management

15. FLORIDA-SPECIFIC REQUIREMENTS

15.1 Florida Medical Record Confidentiality

In accordance with Florida Statute §456.057, Soulera implements additional privacy protections specific to Florida law requirements for medical record confidentiality and patient privacy rights.

Enhanced Written Authorization Requirements:

  • Florida law requires specific written authorization for disclosure of medical records beyond what is permitted under HIPAA

  • Written authorizations must include specific information about the records to be disclosed, the purpose of disclosure, and the recipient

  • Authorizations must be signed and dated by the patient or authorized representative

  • Separate authorization is required for each disclosure unless the patient specifically authorizes multiple disclosures

  • Authorization forms comply with both Florida statutory requirements and HIPAA authorization standards

Patient Rights Under Florida Law:

  • Patients have the right to inspect and copy their medical records as provided under Florida Statute §456.057

  • Reasonable fees may be charged for copying medical records in accordance with Florida statutory fee schedules

  • Patients may request amendments to their medical records when they believe information is inaccurate or incomplete

  • Healthcare providers must respond to record requests within a reasonable time as specified by Florida law

  • Patients have the right to receive a summary of their medical records when full records are not requested

15.2 Florida Digital Bill of Rights Compliance

Soulera complies with Florida’s Digital Bill of Rights, which provides additional privacy protections for personal information collected and processed by businesses operating in Florida.

Enhanced Privacy Disclosures:

  • Clear and conspicuous disclosure of personal information collection, use, and sharing practices

  • Specific information about the categories of personal information collected and the purposes for collection

  • Disclosure of third parties with whom personal information is shared and the purposes for sharing

  • Information about data retention periods and criteria used to determine retention periods

  • Contact information for privacy inquiries and requests related to personal information

Consumer Rights and Controls:

  • Right to know what personal information is collected and how it is used and shared

  • Right to request deletion of personal information subject to legal and regulatory retention requirements

  • Right to opt out of the sale of personal information to third parties

  • Right to non-discrimination for exercising privacy rights under Florida law

  • Reasonable security measures to protect personal information from unauthorized access and disclosure

15.3 Florida Electronic Health Records Exchange

Interoperability and Health Information Exchange:

  • Participation in Florida’s health information exchange networks when clinically appropriate and technically feasible

  • Compliance with Florida Electronic Health Records Exchange Act requirements for interoperability and data sharing

  • Patient consent procedures for participation in health information exchange activities

  • Security and privacy safeguards for health information exchange participation

  • Quality assurance and data integrity measures for exchanged health information

Provider Network Integration:

  • Coordination with Florida healthcare providers and health systems for continuity of care

  • Referral and consultation processes that comply with Florida medical practice requirements

  • Integration with Florida hospital systems and specialty care providers when clinically indicated

  • Compliance with Florida telemedicine and telehealth regulations for interstate practice

  • Participation in Florida quality improvement and patient safety initiatives

15.4 Florida Regulatory Compliance

State Medical Board Requirements:

  • Compliance with Florida Board of Medicine regulations and practice standards

  • Maintenance of Florida medical licensure in good standing for all practicing physicians

  • Continuing medical education requirements specific to Florida licensure

  • Professional liability insurance requirements as specified by Florida law

  • Compliance with Florida controlled substance prescribing and monitoring requirements

Healthcare Facility Licensing:

  • Compliance with Florida Agency for Health Care Administration licensing requirements

  • Adherence to Florida healthcare facility standards and inspection requirements

  • Participation in Florida healthcare quality assurance and improvement programs

  • Compliance with Florida healthcare worker background screening requirements

  • Maintenance of appropriate accreditation and certification for Florida healthcare operations

16. CHANGES TO THIS PRIVACY POLICY

16.1 Policy Update Procedures

Soulera reserves the right to modify this Privacy Policy as necessary to reflect changes in our privacy practices, regulatory requirements, clinical operations, technology platforms, and state licensing rules. Any material changes to our privacy practices will be implemented in accordance with applicable federal and state law requirements.

Types of Changes Requiring Updates:

  • Changes in federal or state privacy and security regulations affecting healthcare providers

  • Modifications to clinical services, treatment offerings, or scope of practice

  • Updates to technology platforms, electronic health record systems, or business associate relationships

  • Changes in state licensing, geographic service areas, or telehealth capabilities

  • Regulatory guidance or enforcement actions affecting healthcare privacy practices

Implementation Timeline:

  • Policy changes become effective on the date specified in the updated Privacy Policy

  • Material changes affecting patient rights or information uses will be implemented with appropriate advance notice

  • Emergency changes required by law or regulation may be implemented immediately with subsequent patient notification

  • Routine updates and clarifications may be implemented without advance notice when they do not materially affect patient rights

  • Annual review of privacy policies ensures ongoing compliance and accuracy

16.2 Patient Notification Requirements

Notification Methods and Timeline:

  • Material changes to privacy practices will be communicated to patients through multiple channels including written notice, website posting, and patient portal announcements

  • Written notification will be provided at the next scheduled appointment or mailed to patients’ last known address

  • Website posting of updated Privacy Policy will occur simultaneously with implementation of changes

  • Patient portal notifications will alert active users to privacy policy updates and provide access to updated documents

  • Email notification may be provided to patients who have consented to electronic communications

Content of Change Notifications:

  • Summary of material changes and their effective date

  • Explanation of how changes may affect patient rights or information handling practices

  • Instructions for accessing the complete updated Privacy Policy

  • Contact information for questions or concerns about privacy policy changes

  • Information about patient rights that remain unchanged despite policy updates

16.3 Regulatory Compliance and Legal Requirements

Federal Law Compliance:

  • Privacy policy changes comply with HIPAA Privacy Rule requirements for notice of privacy practices modifications

  • Updates reflect changes in federal healthcare regulations, including HITECH Act and other applicable laws

  • Compliance with federal breach notification requirements and other privacy-related regulations

  • Coordination with federal regulatory guidance and enforcement priorities

  • Integration of new federal requirements affecting healthcare privacy and security

State Law Integration:

  • Updates incorporate changes in Florida state privacy laws and medical practice regulations

  • Compliance with multi-state licensing requirements and interstate practice regulations

  • Integration of state-specific privacy requirements for all licensed jurisdictions

  • Coordination with state medical board regulations and professional practice standards

  • Adaptation to state telehealth and digital health privacy requirements

16.4 Continuous Improvement and Monitoring

Regular Review Process:

  • Annual comprehensive review of privacy policies and practices to ensure ongoing compliance and effectiveness

  • Quarterly assessment of regulatory changes and their impact on privacy practices

  • Ongoing monitoring of industry best practices and privacy technology developments

  • Regular consultation with legal counsel and compliance experts regarding privacy policy updates

  • Integration of patient feedback and concerns into privacy policy improvement processes

Quality Assurance and Compliance Monitoring:

  • Regular audits of privacy practices to ensure compliance with written policies and procedures

  • Staff training updates to reflect privacy policy changes and new regulatory requirements

  • Documentation of policy changes and implementation activities for regulatory compliance purposes

  • Incident reporting and analysis to identify opportunities for privacy policy improvements

  • Coordination with accreditation and certification requirements affecting privacy practices

17. CONTACT INFORMATION AND PRIVACY OFFICER

17.1 Privacy Officer and HIPAA Compliance

Soulera has designated a Privacy Officer responsible for developing, implementing, and maintaining our privacy policies and procedures in accordance with HIPAA requirements and other applicable privacy laws.

Privacy Officer Contact Information:

  • Name: Jake Heimlicher

  • Title: Privacy Officer and HIPAA Compliance Officer

  • Email: jake@soulerawellness.com

  • Mailing Address: Soulera Wellness LLC, Attention: Privacy Officer, 3375 Pine Ridge Rd, Suite 205, Naples, FL 34109, United States

Privacy Officer Responsibilities:

  • Oversight of all privacy and security policies, procedures, and compliance activities

  • Investigation and response to privacy complaints and potential violations

  • Coordination of breach notification and incident response activities

  • Staff training and education regarding privacy and security requirements

  • Liaison with regulatory agencies and legal counsel on privacy matters

  • Regular assessment and improvement of privacy practices and safeguards

17.2 Patient Privacy Rights and Complaints

Filing Privacy Complaints:

  • Patients may file complaints regarding privacy practices or potential violations of their privacy rights

  • Complaints may be submitted in writing, by email, or by telephone to the Privacy Officer

  • Complaint forms are available upon request and on our website for patient convenience

  • No retaliation will occur against patients who file good faith privacy complaints

  • Complaints will be investigated promptly and appropriate corrective action will be taken when necessary

Complaint Investigation Process:

  • All privacy complaints are acknowledged within five (5) business days of receipt

  • Thorough investigation of complaint allegations is conducted with appropriate documentation

  • Patients are notified of investigation findings and any corrective actions taken

  • Complaint records are maintained confidentially and used for quality improvement purposes

  • Serious privacy violations are reported to appropriate regulatory authorities as required by law

17.3 General Contact Information

Primary Business Contact:

  • Business Name: Soulera Wellness LLC (d/b/a Soulera Wellness)

  • Business Address: 3375 Pine Ridge Rd, Suite 205, Naples, FL 34109, United States

  • General Information: Available through our website contact forms and patient portal

  • Business Hours: Monday through Friday, 8:00 AM to 5:00 PM Eastern Time

Patient Services and Support:

  • Patient portal technical support and account assistance

  • Appointment scheduling and care coordination

  • Insurance verification and billing inquiries

  • Medical record requests and patient access services

  • General questions about services and treatment options

17.4 Regulatory Reporting and External Contacts

Department of Health and Human Services:

  • Patients may file complaints with the U.S. Department of Health and Human Services Office for Civil Rights

  • OCR complaint filing information is available at www.hhs.gov/ocr/privacy/hipaa/complaints/

  • OCR complaints may be filed online, by mail, or by telephone

  • No retaliation will occur against patients who file complaints with regulatory agencies

  • Soulera cooperates fully with all regulatory investigations and compliance reviews

State Regulatory Authorities:

  • Florida Department of Health and state medical board complaint procedures

  • State insurance commissioner offices for insurance-related privacy concerns

  • State attorney general offices for consumer privacy protection matters

  • Professional licensing boards for provider-specific privacy complaints

  • Other state regulatory agencies as applicable to specific privacy concerns

17.5 Emergency Contact Procedures

Medical Emergencies:

  • For medical emergencies, patients should call 911 or go to the nearest emergency room

  • Emergency departments have access to essential medical information as permitted by law

  • Emergency contact information in patient records facilitates communication with family members or designated representatives

  • Medical alert information and critical health conditions are documented for emergency access

  • Emergency medical treatment may require disclosure of protected health information as permitted under HIPAA emergency provisions

After-Hours Privacy Concerns:

  • Urgent privacy concerns may be reported through our secure patient portal messaging system

  • Non-urgent privacy questions and complaints will be addressed during regular business hours

  • Emergency privacy situations involving potential identity theft or fraud should be reported immediately to appropriate authorities

  • After-hours technical support is available for patient portal access and security concerns

  • Emergency breach notification procedures ensure prompt response to serious privacy incidents

ACKNOWLEDGMENT

This Privacy Policy is intended to be read in conjunction with Soulera’s Notice of Privacy Practices, patient consent forms, and applicable clinical agreements. Soulera may update its privacy practices as clinical operations, regulatory requirements, technology platforms, and state licensing rules evolve. Any material changes will be reflected in this Privacy Policy, and patients will be notified as required by applicable law.

By receiving medical services from Soulera Wellness LLC, you acknowledge that you have been provided with this Privacy Policy and understand your rights regarding your protected health information. If you have questions about this Privacy Policy or your privacy rights, please contact our Privacy Officer using the contact information provided above.

Effective Date: January 1, 2026

Document Version: 1.0

Next Scheduled Review: January 1, 2027

This Privacy Policy complies with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Health Information Technology for Economic and Clinical Health Act (HITECH), applicable provisions of 42 CFR Part 2, Florida Statute §456.057, and other applicable federal and state privacy laws and regulations.