Notice of Privacy Practices

About This Notice

Crimson Performance Healthcare Inc. (“Crimson”) is committed to protecting the privacy of your health information. This Notice of Privacy Practices (“Notice”) describes how we may use and disclose your Protected Health Information (“PHI”) and explains your rights regarding that information.

PHI is information about you that can be used to identify you and that relates to your past, present, or future health condition, the healthcare services you receive, or payment for those services.

We are required by law to maintain the privacy of your PHI, to provide you with this Notice, and to follow the terms of the Notice that is currently in effect. We reserve the right to change the terms of this Notice at any time. Any revised Notice will apply to PHI we already have about you as well as any information we receive in the future. The most current version of this Notice will always be available on our website at crimson.healthcare and upon request at our office.

How We May Use and Disclose Your Health Information

The following describes the ways we may use and disclose your PHI without your written authorization:

Treatment

We may use and disclose your PHI to provide, coordinate, or manage your healthcare. This includes sharing information with other healthcare providers involved in your care, our clinical team, and our care coordination platform to ensure continuity of your treatment program.

Payment

We may use and disclose your PHI to bill and collect payment for the healthcare services we provide. This may include sending claims to your health insurance plan, verifying coverage, and related billing activities.

Healthcare Operations

We may use and disclose your PHI for our internal operations. This includes quality assessment, staff training, compliance activities, business planning, and administrative functions necessary to run our organization and serve you better.

Other Permitted Uses and Disclosures

We may also use or disclose your PHI without your authorization in the following situations, as permitted or required by law:

• When required by federal, state, or local law.
• For public health activities, such as reporting disease or injury.
• To report suspected abuse, neglect, or domestic violence.
• For health oversight activities, such as audits or investigations.
• In response to a court order, subpoena, or other lawful process.
• For limited law enforcement purposes.
• To coroners, funeral directors, or organ procurement organizations.
• For research purposes, subject to applicable approvals and safeguards.
• To avert a serious threat to your health or safety, or the health or safety of others.
• For specialized government functions, including military and veterans' activities.
• For workers' compensation claims as authorized by law.

Uses and Disclosures That Require Your Written Authorization

We will obtain your written authorization before using or disclosing your PHI for purposes other than those described above. These include:

• Marketing communications (except face-to-face communications and promotional gifts of nominal value).
• Sale of your PHI.
• Most uses of psychotherapy notes, if applicable.
• Any other use or disclosure not described in this Notice.

If you provide us with written authorization to use or disclose your PHI, you may revoke that authorization at any time by submitting a written request to our Privacy Officer. Your revocation will not affect any uses or disclosures made before we received your request.

Your Rights Regarding Your Health Information

You have the following rights with respect to your PHI. To exercise any of these rights, please submit a written request to our Privacy Officer at the contact information listed at the end of this Notice.

Right to Access Your Information

You have the right to inspect and obtain a copy of your PHI in your medical and billing records. We will provide your records within 30 days of your request. If your records are maintained electronically, you may request an electronic copy in a readily producible format. We may charge a reasonable, cost-based fee for copies.

Right to Request Amendments

You have the right to request that we amend your PHI if you believe it is incorrect or incomplete. We will respond within 60 days. We may deny your request in certain circumstances, and if we do, we will provide you with a written explanation. You may submit a written statement of disagreement.

Right to an Accounting of Disclosures

You have the right to request a list of certain disclosures we have made of your PHI during the six years prior to your request. This list will not include disclosures made for treatment, payment, or healthcare operations, or disclosures you authorized in writing.

Right to Request Restrictions

You have the right to request that we limit the ways we use or disclose your PHI. We are not required to agree to your request, except in one situation: if you pay for a service or item entirely out of pocket, you have the right to request that we not disclose information about that service to your health plan, and we are required to honor that request.

Right to Confidential Communications

You have the right to request that we communicate with you about your health information in a certain way or at a certain location. For example, you may ask that we contact you only by mail or only at a specific phone number. We will accommodate all reasonable requests.

Right to a Paper Copy of This Notice

You have the right to request a paper copy of this Notice at any time, even if you previously agreed to receive it electronically. You may obtain a copy by contacting our Privacy Officer or visiting our website.

Right to Be Notified of a Breach

You have the right to be notified if a breach of your unsecured PHI occurs. We will notify you as required by law.

Our Responsibilities

• We are required by law to maintain the privacy and security of your PHI.
• We will promptly notify you if a breach occurs that may have compromised the privacy or security of your information.
• We will not use or disclose your Protected Health Information for marketing or fundraising purposes, or sell your Protected Health Information, without your written authorization.
• We must follow the terms of this Notice as currently in effect.
• We will not retaliate against you for filing a complaint.

Health Information Technology

Crimson uses secure, HIPAA-compliant technology systems to store and manage your health information. Your data may be processed through our secure electronic health record and clinical platforms, electronic prescribing services that transmit prescriptions to your pharmacy, laboratory and pharmacy partners, and — where applicable and only with your consent — wearable health device data that you choose to share with us. All systems and service providers that handle your PHI are covered by Business Associate Agreements that require the same level of protection described in this Notice.

Where Crimson uses artificial intelligence or automated tools in connection with your care, any identifiable health information is either protected under the same security requirements described in this Notice or de-identified before processing. Automated tools do not make treatment decisions on their own. All clinical decisions are reviewed and validated by a licensed healthcare provider.

Service Providers and Business Associates

To deliver and coordinate your care, Crimson works with a number of trusted service providers — known under HIPAA as “business associates” — that perform functions on our behalf. Before any of these providers handle your PHI, we require a Business Associate Agreement that legally obligates them to safeguard your information to the same standards described in this Notice and to use it only for the purposes for which we engaged them. They are not permitted to use or disclose your PHI for their own purposes.

These providers fall into the following categories:

• Electronic health record and clinical platform — the system our providers use to document your care, manage your treatment plan, and maintain your medical record.
• Electronic prescribing services — used to securely transmit prescriptions from your provider to your pharmacy.
• Pharmacy and fulfillment partners — that prepare and ship the medications and supplies you are prescribed.
• Laboratory and at-home testing partners — that process the samples you provide and return results to your care team.
• Identity-verification provider — used, where applicable, to confirm your identity and help protect your account against fraud.
• Payment processing — used to securely handle billing and process payments for the services you purchase.
• Secure cloud hosting and infrastructure — that store and process your information in HIPAA-compliant environments.
• Communication and notification services — including our email and text-message delivery providers, used to send you care-related and account updates.
• Connected-device and wearable data services — used, only with your consent, to incorporate health data from devices you choose to connect.

We periodically review and update the service providers we work with. The categories above describe the types of partners that may handle your information; the specific providers within each category may change over time as we improve our services. A current list of our key service providers is available upon request from our Privacy Officer.

Text Messaging (SMS) Communications

If you provide your mobile phone number and opt in to text messages from Crimson Health, you may receive SMS messages related to your care — including appointment reminders, lab result notifications, prescription and shipping updates, care-team messages, and account or billing alerts. Message frequency varies based on your activity and care plan.

Message and data rates may apply. You can reply HELP for help or STOP at any time to opt out of further messages.

We do not sell, rent, share, or otherwise transfer your mobile phone number or SMS opt-in consent to any third party for their own marketing purposes. Mobile information is used only by Crimson Health and the service providers that help us operate the texting program (for example, our SMS gateway), under contracts that restrict use to delivering messages on our behalf.

No mobile information will be shared with third parties or affiliates for marketing or promotional purposes. Information sharing to subcontractors in support services, such as our SMS gateway and fulfillment partners, is permitted solely to deliver messages on our behalf. All other use case categories exclude text messaging originator opt-in data and consent; this information will not be shared with any third parties.

Changes to This Notice

We reserve the right to change the terms of this Notice at any time. Any changes will apply to PHI we already maintain as well as information we receive in the future. When we make a material change to this Notice, we will post the revised Notice on our website at crimson.healthcare and make it available at our office. The revised Notice will include a new effective date.

Complaints

If you believe your privacy rights have been violated, you may file a complaint with Crimson or with the U.S. Department of Health and Human Services. We will not retaliate against you for filing a complaint.

To file a complaint with Crimson:

Contact our Privacy Officer at the information below.

To file a complaint with the U.S. Department of Health and Human Services:

Contact Information

If you have questions about this Notice, wish to exercise any of your rights, or want to file a complaint, please contact: