Notice of Privacy Practices

1. Our Responsibilities

Modulus Health Group DE, LLC; Modulus Health Group CA, PC; Modulus Health Group NJ, PC; and Modulus Health Group KS, PA (collectively, "Modulus Health Group," "we," "our," or "us") are healthcare providers and HIPAA covered entities. We are required by law to:

• Provide you with this Notice of our legal duties and privacy practices with respect to your Protected Health Information ("PHI") as defined by the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations ("HIPAA");
• Maintain the privacy and security of your PHI;
• Abide by the terms of this Notice (or any subsequent notice in effect at the time of use or disclosure); and
• Notify you in the event of a breach of your unsecured PHI.

About Our Services

Modulus Health Group provides comprehensive diagnostic and treatment services via telehealth. Our Services include medical record retrieval and analysis, AI-assisted diagnostic analysis reviewed and approved by licensed physicians, diagnosis and treatment planning, prescribing of non-controlled medications, ongoing monitoring and care coordination, and virtual consultations. All clinical services are provided by or under the supervision of licensed healthcare providers.

Technology and Management Services

Modulus AI, Inc. provides technology and management services to Modulus Health Group as a HIPAA business associate under a Business Associate Agreement. Modulus AI, Inc. does not independently use or disclose your PHI except as directed by Modulus Health Group and as permitted under its Business Associate Agreement and HIPAA.

2. How We Use and Disclose Your PHI

We may use and disclose your PHI without your written authorization for the purposes described in this Section. In many cases, we must meet certain conditions before we can share your information for these purposes.

Some federal and state laws impose special privacy protections for certain health information, including mental health information, substance use disorder records (42 CFR Part 2), HIV/AIDS status, genetic information, and other health information given special privacy protection under laws other than HIPAA ("Sensitive Health Information"). We will obtain your specific authorization before disclosing Sensitive Health Information for purposes other than those permitted by applicable law.

Uses and Disclosures Without Your Authorization

Treatment. We use and disclose your PHI to provide, coordinate, and manage your healthcare. This includes using your PHI to:

• Retrieve your medical records from other healthcare providers, hospitals, laboratories, imaging centers, and pharmacies through electronic health information exchange networks and manual retrieval processes, as authorized by you;
• Conduct AI-assisted analysis of your medical records, which is reviewed, verified, and approved by licensed physicians before any clinical decisions are made;
• Prepare physician-reviewed diagnostic reports and treatment plans;
• Transmit prescriptions to pharmacies;
• Order laboratory tests and diagnostic imaging;
• Send referral letters and clinical summaries to specialists and your primary care provider;
• Provide ongoing monitoring, re-analysis, and care coordination; and
• Communicate with other providers involved in your care.

Payment. We may use and disclose your PHI to obtain payment for healthcare services provided to you. Because Modulus Health Group is a cash-pay practice that does not accept health insurance, Medicare, Medicaid, or other third-party payors, our use of PHI for payment purposes is generally limited to:

• Processing your membership fees and service charges;
• Generating superbills that you may voluntarily submit to your insurance company or HSA/FSA administrator for potential reimbursement; and
• Communicating with you about billing matters.

If you pay for a service out-of-pocket in full (as all Modulus Health Group patients do), you have the right to request that we not disclose PHI related to that service to a health plan for payment or healthcare operations purposes. See Section 4 (Your Rights) for details.

Healthcare Operations. We may use and disclose your PHI for our healthcare operations, which include activities that improve the quality and effectiveness of the care we provide. Examples include:

• Quality assessment and improvement activities;
• Evaluating the performance and competence of our Providers;
• Conducting or arranging for medical review, legal services, and auditing;
• Training healthcare professionals;
• Resolving complaints and ensuring patient satisfaction; and
• Business planning, development, and general administrative activities.

Electronic Health Information Exchange. We participate in electronic health information exchange networks (such as those operating under the Trusted Exchange Framework and Common Agreement, or "TEFCA") to retrieve your medical records from and share clinical information with other healthcare providers involved in your care. Information exchanged through these networks is used for treatment, payment, and healthcare operations purposes as described above. We comply with all applicable interoperability and information sharing requirements, including bidirectional data exchange obligations where applicable.

AI-Assisted Analysis. As part of our clinical workflow, your PHI is processed using artificial intelligence tools to assist our physicians in analyzing your medical records, identifying patterns, and preparing diagnostic assessments. All AI-generated analysis is reviewed, verified, edited, and approved by a licensed physician before it becomes part of your medical record or is used for any clinical decision. The AI tools operate as part of our treatment and healthcare operations; they do not independently make medical decisions.

Disclosure to Relatives, Close Friends, and Other Caregivers. We may disclose your PHI to a family member, other relative, close personal friend, or any other person you identify, when you are present and either: (1) you agree to the disclosure or do not object after being given the opportunity; or (2) we reasonably infer that you do not object. If you are not present or available, we may exercise professional judgment to determine whether disclosure is in your best interest, and would disclose only information directly relevant to that person's involvement with your care.

As Required by Law. We may use and disclose your PHI when required to do so by applicable federal, state, or local law.

Public Health Activities. We may disclose your PHI to public health authorities for purposes including: preventing or controlling disease, injury, or disability; reporting child abuse and neglect; reporting information about products under the jurisdiction of the FDA; alerting a person who may have been exposed to a communicable disease; and reporting information to employers as required under laws addressing work-related illnesses and injuries or workplace medical surveillance.

Victims of Abuse, Neglect, or Domestic Violence. We may disclose your PHI if we reasonably believe you are a victim of abuse, neglect, or domestic violence to a government authority authorized by law to receive such reports.

Health Oversight Activities. We may disclose your PHI to an agency responsible for overseeing the healthcare system and ensuring compliance with government health programs.

Judicial and Administrative Proceedings. We may disclose your PHI in the course of a judicial or administrative proceeding in response to a court order, subpoena, discovery request, or other lawful process.

Law Enforcement. We may disclose your PHI to law enforcement officials as required by law, pursuant to a court order, or in certain other limited circumstances as permitted by HIPAA.

Coroners and Medical Examiners. We may disclose your PHI to a coroner or medical examiner as authorized by law.

Organ and Tissue Procurement. We may disclose your PHI to organizations that facilitate organ, eye, or tissue procurement, banking, or transplantation.

Research. We may use and disclose your PHI for research purposes pursuant to a valid authorization from you or when an institutional review board (IRB) or privacy board has waived the authorization requirement. Under certain circumstances, we may disclose your PHI to researchers preparing to conduct a research project, for research on decedents, or as part of a limited data set that omits direct identifiers. See Section 5 (De-Identified Data and Outcomes Research) for information about our de-identified outcomes research registry.

Health or Safety. We may use or disclose your PHI to prevent or lessen a serious and imminent threat to a person's or the public's health or safety.

Specialized Government Functions. We may use and disclose your PHI to units of the government with special functions, such as the U.S. military or the U.S. Department of State, under certain circumstances as permitted by HIPAA.

Workers' Compensation. We may disclose your PHI as authorized by and to the extent necessary to comply with state law relating to workers' compensation or similar programs.

Once your PHI has been disclosed as described in this Notice, it may be subject to redisclosure by the recipient and may no longer be protected by HIPAA.

3. Uses and Disclosures Requiring Your Authorization

We will only make the following uses and disclosures of your PHI with your written authorization:

• Marketing. We must obtain your written authorization before using your PHI for marketing purposes under HIPAA. We will not accept payment from other organizations in exchange for making communications to you about treatments, products, or services unless you have authorized us to do so, or the communication is otherwise permitted by law. We may, however, provide you with refill reminders or communicate with you about a medication currently prescribed to you, so long as any payment we receive for making the communication is reasonably related to our cost.
• Sale of PHI. We will not make any disclosure of PHI that constitutes a sale of PHI without your written authorization. We do not sell PHI.
• Genetic information. If you use our genomic sequencing services (Modulus Bio), we will obtain your specific written consent before collecting, analyzing, or storing your genetic data. See Section 6 (Genetic Data) for additional protections.
• Psychotherapy notes. We will not use or disclose psychotherapy notes (if any) without your written authorization, except as permitted by HIPAA.
• Other uses and disclosures. Any uses or disclosures of your PHI not described in this Notice will be made only with your written authorization.

If you provide your authorization, you may revoke it at any time by delivering a written revocation to our Privacy Officer at the contact information in Section 10. Your revocation will take effect when we receive it, but it will not affect any action we took in reliance on your authorization prior to revocation.

4. Your Rights Regarding Your PHI

You have the following rights regarding your PHI. To exercise any of these rights, contact our Privacy Officer using the information in Section 10.

• Right to Access Your Records. You have the right to inspect and obtain a copy of your PHI maintained by us, including medical records, diagnostic reports, laboratory results, and billing records. We will provide a copy or summary of your PHI, usually within thirty (30) days of your request. We may charge a reasonable, cost-based fee for copies. You may request records in an electronic format, and we will provide them in the format you request if readily producible, or in another mutually agreed-upon electronic format.
• Right to Amend Your Records. You have the right to request that we correct PHI about you that you believe is incorrect or incomplete. We will respond within sixty (60) days. We may deny your request under certain circumstances (for example, if the information was not created by us, or if we determine the information is accurate and complete), but we will explain the reason for any denial in writing and inform you of your right to submit a statement of disagreement.
• Right to Request Confidential Communications. You have the right to request that we communicate with you about health matters using a particular method or at a certain location. For example, you may request that we contact you only at a specific email address or phone number. We will accommodate all reasonable requests.
• Right to Request Restrictions. You have the right to request that we restrict certain uses and disclosures of your PHI for treatment, payment, or healthcare operations. We are not required to agree to your request, except in one situation: if you pay for a service out-of-pocket in full, you have the right to request that we not disclose PHI related to that service to a health plan for payment or healthcare operations purposes, and we must honor that request. Because Modulus Health Group is a cash-pay practice, this right is inherently satisfied for all services — we do not submit claims to health plans.
• Right to an Accounting of Disclosures. You have the right to request a list of certain disclosures we have made of your PHI during the six (6) years prior to your request. This accounting will include disclosures other than those made for treatment, payment, healthcare operations, and certain other exceptions. We will provide one accounting per year free of charge and may charge a reasonable fee for additional accountings within the same twelve-month period.
• Right to a Paper Copy of This Notice. You have the right to obtain a paper copy of this Notice at any time, even if you agreed to receive it electronically. Contact our Privacy Officer to request a paper copy.
• Right to Be Notified of a Breach. You have the right to be notified if there is a breach of your unsecured PHI. See Section 7 (Breach Notification) for details.
• Right to File a Complaint. If you believe your privacy rights have been violated, you may file a complaint with us or with the U.S. Department of Health and Human Services Office for Civil Rights. To file a complaint with us, contact our Privacy Officer. To file a complaint with HHS, visit www.hhs.gov/hipaa/filing-a-complaint or call 1-877-696-6775. We will not retaliate against you for filing a complaint.

5. De-Identified Data and Outcomes Research

With your separate, voluntary consent, we may include de-identified data derived from your medical records in our outcomes research registry. This registry is used to measure the effectiveness of our diagnostic methods, improve clinical quality, and contribute to medical knowledge.

De-identified data has had all identifiers removed as required by the HIPAA Safe Harbor or Expert Determination methods, including:

• Removal of all eighteen (18) HIPAA-defined identifiers (names, addresses, dates more specific than year, Social Security numbers, medical record numbers, etc.)
• Application of random date shifting (plus or minus 1-5 days on all dates, including dates of birth) to prevent temporal re-identification
• Removal or generalization of any information that could reasonably be used to identify an individual

De-identified data is no longer PHI under HIPAA and is not subject to this Notice. We do not attempt to re-identify de-identified data, and we contractually prohibit recipients of de-identified data from attempting re-identification.

Participation in the outcomes research registry is entirely voluntary. You may opt in or opt out at any time without affecting your membership, the quality of your care, or your access to our Services.

6. Genetic Data

If you use our genomic sequencing services (Modulus Bio), we will collect, process, and store genetic data as part of your PHI. Genetic data receives enhanced protections under federal and state law:

• Federal protections. The Genetic Information Nondiscrimination Act ("GINA") prohibits health insurers and employers from discriminating based on genetic information. Your genetic data will not be disclosed to employers or health insurers for underwriting, eligibility, or employment purposes.
• California residents. The California Genetic Information Privacy Act ("GIPA") requires your express written consent before we collect, analyze, retain, or disclose your genetic data. You may revoke consent at any time.
• Washington state residents. The Washington My Health My Data Act ("MHMDA") provides additional protections for consumer health data, including genetic data. Consent defaults to off for Washington residents and requires affirmative opt-in before any collection or processing.

For all patients, regardless of state of residence:

• Genetic data is collected only with your express, informed consent
• Genetic data is encrypted and stored with the same security controls as all PHI
• We do not sell genetic data
• We do not disclose genetic data to employers, insurers, or any third party for underwriting, employment, or eligibility purposes
• You may request deletion of your genetic data at any time, subject to medical record retention obligations

If you are located in Washington state or California, genetic data consent defaults to off and requires your affirmative opt-in before any collection or processing occurs. For all other states, you will be asked to provide consent during the Modulus Bio enrollment process.

7. Breach Notification

In the event of a breach of your unsecured PHI, we will notify you as required by HIPAA and applicable state law. Our breach notification process includes:

• Individual notification. We will notify affected individuals without unreasonable delay and no later than sixty (60) days after discovery of a breach. Notification will be sent by first-class mail to your last known address, or by email if you have agreed to receive electronic communications and have not withdrawn that agreement.
• Content of notification. The notification will describe the nature of the breach, the types of information involved, the steps you should take to protect yourself, what we are doing to investigate and mitigate the breach, and how to contact us for more information.
• HHS notification. We will notify the U.S. Department of Health and Human Services as required by HIPAA. For breaches affecting 500 or more individuals, notification to HHS and prominent media outlets will occur without unreasonable delay. For breaches affecting fewer than 500 individuals, notification to HHS will occur within sixty (60) days of the end of the calendar year in which the breach was discovered.
• Breach assessment. We conduct a four-factor risk assessment for all potential breaches, considering: (1) the nature and extent of the PHI involved; (2) the unauthorized person who used or received the PHI; (3) whether the PHI was actually acquired or viewed; and (4) the extent to which the risk has been mitigated.

8. Medical Record Retention

We retain your medical records, including all PHI, for a minimum of ten (10) years from the date of your last encounter with us, or longer if required by applicable state law. After the applicable retention period, records are securely destroyed in accordance with HIPAA requirements.

Upon termination of your membership, your records remain available to you for the duration of the retention period. You may request copies at any time by contacting our Privacy Officer.

9. Changes to This Notice

We reserve the right to change the terms of this Notice at any time. Any changes will apply to all PHI we maintain, including information created or received before the change. The revised Notice will be posted on our website at modulus.ai and will be available upon request from our Privacy Officer. We will provide you with a copy of the revised Notice upon request, and will make reasonable efforts to notify you of material changes via email.

10. Contact Us

If you have questions about this Notice, wish to exercise any of your rights, or would like to file a complaint, please contact our Privacy Officer:

To file a complaint with the U.S. Department of Health and Human Services: