Notice of Privacy Practices

Who this notice applies to

This Notice of Privacy Practices ("Notice") describes how Nuvara ([TBD: legal entity name — e.g., Nuvara LLC]) may use and disclose health-related information about you, and your rights with respect to that information. It applies when Nuvara receives or holds information that qualifies as "protected health information" (PHI) under the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations ("HIPAA"), whether directly or in the course of supporting an affiliated healthcare provider or compounding pharmacy.

For information that is not PHI — including the name, email address, ZIP code, and general goal selections you submit through the Nuvara waitlist — please see our Privacy Policy.

Nuvara's HIPAA status

Nuvara is not a "Covered Entity" as that term is defined under HIPAA. Nuvara does not itself provide healthcare, operate a health plan, or function as a healthcare clearinghouse.

In certain circumstances — for example, if Nuvara performs services on behalf of an affiliated provider or pharmacy that involve the handling of PHI — Nuvara may act as a "Business Associate" of a Covered Entity. In those circumstances, Nuvara will handle PHI in accordance with HIPAA's Business Associate provisions, applicable Business Associate agreements, and this Notice.

Even where not strictly required to do so, Nuvara voluntarily follows the substantive standards set forth in HIPAA when handling health information described in this Notice.

Information you submit through the Site

When you join the Nuvara waitlist or otherwise submit information through the Site, the information you provide — including your name, email address, ZIP code, and the health goals or concerns you select on our intake form — is not PHI under HIPAA and is not governed by this Notice. It is governed by our Privacy Policy.

When health information becomes "protected health information"

PHI is individually identifiable health information that relates to your past, present, or future physical or mental health, the healthcare provided to you, or the payment for that care. PHI includes demographic information that identifies you in the context of receiving healthcare.

Information typically becomes PHI when it is created, received, maintained, or transmitted in connection with the provision of healthcare. In the Nuvara context, this generally occurs when you engage with a licensed healthcare provider or a compounding pharmacy through our affiliated partner network. The specific Covered Entity — in most cases the affiliated provider or pharmacy — will maintain its own Notice of Privacy Practices, which governs the PHI that entity creates or holds about you. Nuvara may receive or hold PHI when it is acting as a Business Associate of one of those entities, in which case this Notice applies to Nuvara's handling of that PHI.

How protected health information may be used and disclosed

Where Nuvara holds PHI, we may use and disclose it for the following purposes, consistent with HIPAA and any applicable Business Associate agreement:

Treatment

We may use and disclose PHI to support the provision, coordination, or management of healthcare on behalf of an affiliated provider. For example, PHI may be provided to another provider to whom you have been referred so that provider has the information needed to diagnose or treat you.

Payment

We may use and disclose PHI to support billing and collection for healthcare services provided through an affiliated provider, including eligibility determinations and review of services for medical necessity.

Health care operations

We may use and disclose PHI in support of the business activities of an affiliated provider, including activities such as quality assessment and improvement, training, legal services, auditing, and compliance activities.

Uses and disclosures that do not require your authorization

HIPAA permits certain uses and disclosures of PHI without your authorization. These include:

• When required by law.
• For public health activities (for example, reporting to public health authorities to prevent or control disease).
• For health oversight activities (including audits and investigations).
• For reporting abuse, neglect, or domestic violence where permitted or required by law.
• Pursuant to Food and Drug Administration requirements (for example, reporting adverse events).
• In connection with judicial or administrative proceedings.
• For law enforcement purposes, subject to HIPAA requirements.
• To coroners, medical examiners, funeral directors, and organ donation organizations.
• For research, subject to HIPAA requirements and institutional review.
• To avert a serious and imminent threat to health or safety.
• For specified military, veteran, national security, and protective-service activities.
• For workers' compensation programs.
• To correctional institutions in limited circumstances.

State law may further restrict any of these uses and disclosures.

Uses and disclosures that require your authorization

Other uses and disclosures of PHI will be made only with your written authorization, unless otherwise permitted or required by law. In particular:

• We will not use or disclose PHI for marketing purposes without your authorization.
• We will not sell PHI without your authorization.
• We will not use PHI for fundraising.
• We will not use or disclose psychotherapy notes (if any) without your authorization, subject to the exceptions permitted under HIPAA.

You may revoke an authorization in writing at any time, except to the extent we have already taken action in reliance on your authorization.

Your rights

With respect to PHI Nuvara holds about you, you have the following rights under HIPAA, subject to certain exceptions permitted by law:

Right to access and obtain a copy

You have the right to inspect and obtain a copy of PHI we hold about you in a designated record set. Where PHI is maintained electronically, you may request an electronic copy in the form and format you prefer, if it is readily producible in that form.

Right to request correction

You have the right to request that we amend PHI we hold about you if you believe it is inaccurate or incomplete. We may deny your request in limited circumstances permitted by HIPAA; if we do, we will notify you in writing and explain your options.

Right to request restrictions

You have the right to request a restriction on the use or disclosure of PHI for treatment, payment, or health care operations, and on disclosures to individuals involved in your care. We are not required to agree to every requested restriction, except in the specific circumstances required by HIPAA (for example, a requested restriction on disclosures to a health plan regarding a service paid in full out-of-pocket).

Right to confidential communications

You have the right to request that we communicate with you about PHI in a specific way or at a specific location (for example, by email rather than phone). We will accommodate reasonable written requests.

Right to an accounting of disclosures

You have the right to request an accounting of certain disclosures of PHI we have made, excluding disclosures made pursuant to your authorization, disclosures for treatment, payment, or health care operations, and other exceptions permitted by HIPAA.

Right to a paper copy of this notice

You have the right to obtain a paper copy of this Notice upon request, even if you have received it electronically.

Breach notification

If we discover a reportable breach of your unsecured PHI, we will notify you in accordance with HIPAA and applicable law, typically within sixty (60) days of discovery. Notification will include a brief description of how the breach occurred, the PHI involved, and contact information so you can ask follow-up questions.

Affiliated providers and pharmacies

When you engage with a licensed healthcare provider or a compounding pharmacy through Nuvara's affiliated partner network, that provider or pharmacy is typically a Covered Entity under HIPAA. Their own Notice of Privacy Practices describes how they use and disclose PHI, and the rights you have with respect to the PHI they hold. You should receive a copy of that Notice from the affiliated provider or pharmacy at the time you begin care.

This Notice does not modify or supersede any Notice of Privacy Practices provided by an affiliated provider or pharmacy with respect to PHI held by that entity.

Changes to this notice

We reserve the right to revise this Notice at any time and to apply the revised Notice to PHI we already hold as well as PHI we receive in the future. Any material changes will be posted on the Site. You are entitled to a copy of the Notice currently in effect.

Complaints

If you believe your privacy rights as described in this Notice have been violated, you may file a complaint with Nuvara using the contact information below. Nuvara will not retaliate against you for filing a complaint.

You may also file a complaint with the Secretary of the U.S. Department of Health and Human Services, Office for Civil Rights:

• By mail: 200 Independence Avenue, S.W., Washington, D.C. 20201
• By phone: 1-877-696-6775
• Online: hhs.gov/ocr/privacy/hipaa/complaints

Contact us

To exercise any of the rights described in this Notice, or to submit a privacy question or complaint, please contact us: