Notice of Privacy Practices
Effective Date: April 19, 2026
Mindfulous Inc. ("Mindfulous," "we," "us," or "our") is required by federal and California law to maintain the privacy of your Protected Health Information (PHI), to give you notice of our legal duties and privacy practices regarding PHI, and to follow the terms of the Notice currently in effect. This Notice describes how we may use and disclose your PHI to carry out treatment, payment, and health care operations, and for other purposes permitted or required by law.
This Notice applies to all PHI maintained by Mindfulous, including information in your medical record, billing records, and any other records containing health information about you. This Notice complies with the Health Insurance Portability and Accountability Act (HIPAA), the Health Information Technology for Economic and Clinical Health Act (HITECH), the California Confidentiality of Medical Information Act (CMIA), and other applicable federal and California privacy laws.
- Our Commitment to Your Privacy
- How We May Use and Disclose Your PHI Without Your Authorization
- Uses and Disclosures Requiring Your Written Authorization
- Special Protections for Sensitive Information
- Your Right to Restrict Disclosure to Health Plans
- AI Tools and Your PHI
- Your Rights Regarding Your PHI
- Complaints
- Changes to This Notice
- Language Access
- Contact Us
1. Our Commitment to Your Privacy
We are committed to protecting the privacy and security of your PHI. We will only use or disclose your PHI as permitted or required by law, with your written authorization when required, or as described in this Notice.
2. How We May Use and Disclose Your PHI Without Your Authorization
The following categories describe the ways we may use and disclose your PHI. Not every permitted use or disclosure is listed, but every use or disclosure we make will fall into one of these categories.
A. For Treatment
We may use your PHI to provide, coordinate, and manage your healthcare and related services. For example, Dr. Chaabo may review your medication list before prescribing a new medication, consult with a specialist about your care, or send your prescription to your pharmacy. We may also share your PHI with other healthcare providers involved in your care, including labs performing tests Dr. Chaabo has ordered, imaging centers performing ordered studies, and specialists receiving Dr. Chaabo's referrals.
B. For Payment
We may use and disclose your PHI to bill and collect payment for services you receive. For example, we may share your PHI with your insurance company to obtain authorization for services, verify coverage, submit claims, and receive payment. We may also use your PHI to determine eligibility, coordinate benefits with other payers, and for utilization review.
C. For Health Care Operations
We may use and disclose your PHI for activities necessary to run our practice. Examples include quality assessment and improvement activities, clinician performance review, staff training, credentialing, compliance and risk management, business planning, customer service, and resolving internal grievances.
D. Permitted Disclosures Required or Allowed Without Your Authorization
Federal and California law permit or require us to disclose your PHI without your authorization in specific circumstances:
- Public health activities — including reporting of communicable diseases, adverse medication reactions, vaccination information, and child abuse or neglect to authorized public health authorities
- Victims of abuse, neglect, or domestic violence — as required by California mandatory reporting laws
- Health oversight activities — including audits, investigations, inspections, licensure and disciplinary actions
- Judicial and administrative proceedings — in response to a court order, subpoena, or other lawful process
- Law enforcement purposes — as permitted or required by applicable law
- Coroners, medical examiners, and funeral directors — as necessary to carry out their duties
- Organ and tissue donation — for purposes of facilitating donation or transplantation
- Research — with Institutional Review Board approval and appropriate privacy protections
- Serious threat to health or safety — when disclosure is necessary to prevent a serious and imminent threat
- Specialized government functions — including military, national security, and protective services
- Workers' compensation — to the extent necessary to comply with California workers' compensation laws
- Inmates or those in custody — to correctional institutions or law enforcement when applicable
- Business associates — to third parties performing services on our behalf (e.g., billing services, electronic health record vendors, AI scribe vendors, IT services) under signed Business Associate Agreements
- Required by law — any disclosure mandated by federal, state, or local law not listed above
3. Uses and Disclosures Requiring Your Written Authorization
The following uses and disclosures of your PHI require your specific written authorization, which you may revoke at any time in writing:
- Most uses and disclosures of psychotherapy notes (as defined by HIPAA)
- Uses and disclosures for marketing purposes
- Disclosures that constitute a sale of your PHI
- Other uses and disclosures not described in this Notice
If you provide authorization, you may revoke it at any time by notifying Mindfulous in writing. Revocation does not affect any action we took in reliance on your authorization before we received your revocation notice.
4. Special Protections for Sensitive Information
California and federal law provide additional protections for certain categories of sensitive information. We will handle these categories with the additional care required by law:
A. Mental Health and Psychiatric Records
California Welfare and Institutions Code §§5328 et seq. and the Lanterman-Petris-Short Act provide enhanced confidentiality protections for mental health records. These protections apply to the mental health and psychiatric services provided by Dr. Chaabo, who is trained in primary care psychiatry. Disclosure of mental health records generally requires your specific written authorization, with limited exceptions specified by law.
B. Substance Use Disorder Records (42 CFR Part 2)
Records relating to the identification, diagnosis, prognosis, or treatment of any patient for a substance use disorder are protected under the federal regulation 42 CFR Part 2. This includes records from any of Dr. Chaabo's addiction medicine services (including medication-assisted treatment for opioid use disorder). These records may not be disclosed without your specific written authorization, except in very limited circumstances specified by that regulation.
C. HIV and AIDS-Related Information
California Health and Safety Code §120980 provides heightened confidentiality protections for HIV test results and AIDS-related information. Disclosure of such information requires your specific written authorization, with narrowly defined legal exceptions.
D. Genetic Information
Genetic information is protected under the California Genetic Information Nondiscrimination Act (CalGINA) and the federal Genetic Information Nondiscrimination Act (GINA). Genetic information will not be used for underwriting purposes by any health plan and is protected from discrimination in employment and insurance.
E. Reproductive Health Information
California law (including Health and Safety Code §123110 and related provisions) provides additional confidentiality protections for information relating to reproductive health services, including for minor patients seeking these services without parental involvement in situations permitted by law.
5. Your Right to Restrict Disclosure to Health Plans When You Pay Out-of-Pocket
6. AI Tools and Your PHI
Mindfulous uses artificial intelligence (AI) tools in specific, HIPAA-compliant ways to enhance your care, described in detail in our separate AI Use and Patient Consent Agreement. In summary:
- AI scribe during visits: if you consent, an AI-powered clinical documentation tool may process audio from your visit to generate a draft clinical note, reviewed and signed by Dr. Chaabo before entering your record
- Backend administrative AI: AI tools hosted in HIPAA-compliant Amazon AWS / Amazon Bedrock environments (including Claude models by Anthropic) assist with administrative tasks such as intake summarization, billing categorization, and care coordination
All AI vendors that process your PHI operate under signed Business Associate Agreements. Your PHI is never used to train AI models, is processed only within the United States, and is subject to all the privacy protections described in this Notice. You may opt out of AI scribe use without any impact on your care.
Per California Assembly Bill 3030, any communication from Mindfulous that is generated by AI and concerns clinical information will include a disclaimer identifying it as AI-assisted and will provide clear instructions for contacting a human member of your care team.
7. Your Rights Regarding Your PHI
You have the following rights regarding the PHI we maintain about you:
A. Right to Access and Inspect
You have the right to inspect and obtain a copy of PHI maintained in your designated record set. Requests must be made in writing. We will provide the records within fifteen (15) business days, as required by California Health and Safety Code §123110. We may charge a reasonable copying fee as permitted by law.
B. Right to Amend
If you believe information in your medical record is inaccurate or incomplete, you have the right to request an amendment. Requests must be made in writing and include a reason for the amendment. We may deny your request in certain circumstances; if denied, you have the right to submit a written statement of disagreement that will be included in your record.
C. Right to an Accounting of Disclosures
You have the right to request an accounting of disclosures of your PHI made by Mindfulous during the six (6) years preceding the request (with certain exceptions). The first accounting in any twelve-month period is free; subsequent requests may be subject to a reasonable fee.
D. Right to Request Restrictions
You have the right to request that we restrict certain uses or disclosures of your PHI for treatment, payment, or health care operations, or to certain family members or friends involved in your care. We are not generally required to agree to such restrictions (except the right to restrict disclosure to health plans when you pay out-of-pocket described above).
E. Right to Request Confidential Communications
You have the right to request that we communicate with you about your PHI by alternative means or at an alternative location (for example, at a specific phone number, or at your home instead of your work address). We will accommodate reasonable requests.
F. Right to a Paper Copy of This Notice
You have the right to receive a paper copy of this Notice at any time upon request, even if you have agreed to receive this Notice electronically.
G. Right to Be Notified of a Breach
You have the right to receive notification if we discover a breach of your unsecured PHI, as defined under HITECH and applicable regulations. We will provide notification in the manner and timeframe required by federal and California law.
H. Right to Revoke Authorization
If you provide written authorization for a use or disclosure of your PHI, you have the right to revoke that authorization at any time in writing, except to the extent we have already taken action in reliance on it.
8. Complaints
If you believe your privacy rights have been violated, you may file a complaint with Mindfulous or directly with the U.S. Department of Health and Human Services Office for Civil Rights. You will not be retaliated against for filing a complaint.
To file a complaint with Mindfulous:
Contact our Privacy Officer at hello@mindfulous.com or by mail at the address below. Complaints must be in writing and should describe the incident, including the date and the individuals involved.
To file a complaint with HHS:
U.S. Department of Health and Human Services
Office for Civil Rights
200 Independence Avenue, S.W.
Washington, D.C. 20201
Toll-free: 1-877-696-6775
Online complaint portal
9. Changes to This Notice
We reserve the right to change this Notice at any time and to make the revised Notice effective for all PHI we maintain, including PHI we received or created before the change. If we make material changes, we will post the revised Notice in our patient portal and on our website, and provide a copy to patients upon request or at their next visit.
10. Language Access
Mindfulous provides qualified medical interpreter services free of charge to patients with Limited English Proficiency, in accordance with Title VI of the Civil Rights Act and applicable California law. Patients may request interpretation in 300+ languages, including American Sign Language, by notifying the Mindfulous care team.
11. Contact Us
For questions about this Notice, to exercise any of your rights, or to request a paper copy, please contact our Privacy Officer:
2021 Fillmore St, #2142, San Francisco, CA 94115
Email: hello@mindfulous.com
Phone: (415) 375-0892 · Fax: (866) 305-3569