Notice of Privacy Practices

THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.

If you have any questions about this Notice of Privacy Practices ("Notice"), please contact our Privacy Officer at [email protected].

This Notice describes the privacy practices of Circle Medical Technologies, Inc. and its affiliates, including Circle Medical Care Group, P.A., a Florida professional association; Circle Medical Group of California, a California professional corporation; Circle Medical Care Group of New Jersey, P.C.; and Circle Medical Care of New York, P.C., along with their physicians, other health care practitioners, and personnel (collectively, "Circle Medical"). It also describes the privacy practices of BRDG, Inc. and its affiliates, including Cloud Health Medical Group, P.A., a Florida professional association; Cloud Health Medical Group of Kansas, P.A.; Cloud Health Medical Group of California, P.C.; and Cloud Health Medical Group of New Jersey, along with their physicians, other health care practitioners, and personnel (collectively, "BRDG"). The terms "we" and "us" refer collectively to Circle Medical and BRDG.

Note for Authorized Representatives: Where an individual is authorized to act on behalf of a patient (e.g., personal representative as defined by applicable law), references to "you" throughout this Notice apply to the patient. The authorized representative may exercise the rights described in this Notice on the patient's behalf, subject to the scope of their legal authority and applicable law.

This Notice describes how we may use and disclose your protected health information ("PHI") for treatment, payment, and health care operations, and for other purposes permitted or required by law. It also describes your rights to access and control your PHI. PHI is information about you, including demographic information, that may identify you and relates to your past, present, or future physical or mental health or condition and related health care services.

Certain state and federal laws may provide additional privacy protections for your health information, and to the extent that applicable law is more restrictive than HIPAA, we will follow the more restrictive law. Certain types of health information, including information related to mental health, HIV/AIDS status, genetic testing, reproductive health care, and other sensitive health information, may be subject to additional protections under applicable law, and we will obtain your written authorization before using or disclosing such information except where otherwise permitted or required by law. Substance use disorder treatment records may be subject to additional protections under federal law, including 42 CFR Part 2. Further, we will not use or disclose your PHI for purposes of investigating or imposing liability related to the seeking, obtaining, providing, or facilitating lawful reproductive health care, except as required by applicable law.

We are required to abide by the terms of this Notice. We are also required to promptly notify you if a breach occurs that may have compromised the privacy or security of your information. We may change the terms of our Notice, at any time, with the new Notice effective for all PHI that we maintain at that time. Upon your request, we will provide you with any revised Notice. You may request a revised version by accessing our website, calling us, or requesting one at your next appointment.

1. Uses and Disclosures of PHI

We may use and disclose your PHI, including through our staff and others involved in your care and treatment, to provide health care services to you. Your PHI may also be used and disclosed to pay your health care bills and to support the operation of our practice. The following are examples of the types of uses and disclosures of your PHI that we are permitted to make. These examples are not meant to be exhaustive, but to describe the types of uses and disclosures that may be made by us.

Treatment

We may use and disclose your PHI to provide, coordinate, or manage your health care and related services, including through electronic and telehealth services and coordinating your care with other providers. For example, we may share your PHI with providers involved in your care, such as a home health agency, specialist, or laboratory, to ensure they have the information needed to diagnose or treat you. We may also discuss your prescription with another provider involved in your care to support appropriate treatment.

Payment

We may use and disclose your PHI, as needed, to obtain payment for your health care services provided by us or by another provider. This may include activities your health insurance plan undertakes before it approves or pays for services we recommend, such as determining eligibility or coverage, reviewing services for medical necessity, and conducting utilization review. For example, obtaining approval for a hospital stay may require disclosure of relevant PHI to the health plan.

Health Care Operations

We may use or disclose your PHI, as needed, to support the business activities of our practice. These activities include, but are not limited to, quality assessment, employee review, training, licensing, fundraising, and other administrative functions. We may share your PHI with third-party business associates that perform services for us (such as billing or transcription). When such arrangements involve the use or disclosure of PHI, we require written agreements that protect the privacy of your information. We may also use or disclose your PHI to provide you with information about treatment alternatives or other health-related benefits and services that may be of interest to you. You may contact our Privacy Officer to request that these communications not be sent to you.

Limitation on the Use of PHI for Paid Marketing

We will, in accordance with federal and state law, obtain your written authorization before using or disclosing your PHI for marketing purposes (e.g., using your photo in advertisements), except for activities that constitute treatment or health care operations. We will also obtain your written authorization before using your PHI to make treatment or health care recommendations if financial remuneration from a third party is involved. Financial remuneration does not include in-kind payments or payments to implement a disease management program. Promotional gifts of nominal value do not require authorization. The only exception to the authorization requirement is for "refill reminders," provided that any remuneration for such communications is reasonably related to our cost of making them (e.g., labor, supplies, and postage). Communications about generic equivalents, medication adherence, or self-administered drugs or delivery systems are considered refill reminders. Face-to-face marketing communications, such as providing a written product brochure or pamphlet, are also permitted under HIPAA.

Uses and Disclosures Without Your Authorization or Opportunity to Object

We may use or disclose your PHI in the following situations, as permitted or required by law:

  • Abuse or Neglect: To a public health authority authorized to receive reports of abuse or neglect of children, elders, or dependent adults. We may also disclose your PHI if we believe you have been a victim of abuse, neglect, or domestic violence, consistent with applicable law.
  • Communicable Diseases: To a person who may have been exposed to a communicable disease or may be at risk of contracting or spreading the disease or condition.
  • Coroners, Funeral Directors, and Organ Donation: To a coroner, medical examiner, or funeral director for identification, determining cause of death, or carrying out authorized duties. PHI may also be disclosed for cadaveric organ, eye, or tissue donation purposes.
  • Criminal Activity: If necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public, or to assist law enforcement in identifying or apprehending an individual.
  • Food and Drug Administration: To persons or entities required by the FDA for purposes related to the quality, safety, or effectiveness of regulated products or activities, including reporting adverse events, product defects or problems, product recalls, or conducting post-marketing surveillance.
  • Health Oversight: To a health oversight agency for activities authorized by law, such as audits, investigations, inspections, and licensure.
  • Inmates: If you are an inmate of a correctional facility and your PHI was created or received in the course of providing care.
  • Law Enforcement: For law enforcement purposes, including in response to legal processes, identification and location requests, circumstances involving victims of a crime, or where a crime is suspected, as permitted by law.
  • Legal Proceedings: During judicial or administrative proceedings, such as in response to a court order, subpoena, or other lawful process, provided that applicable legal requirements have been met, including efforts to notify you or obtain a protective order when required.
  • Military Activity and National Security: For activities deemed necessary by military command authorities, for determining eligibility for veterans' benefits, or for national security and intelligence purposes, including providing protective services to authorized officials.
  • Public Health: For public health activities, such as preventing or controlling disease, injury, or disability.
  • Required by Law: When required to do so by applicable law, limited to the requirements of that law, with notice provided to you when required.
  • Research: To researchers whose studies have been approved by an institutional review board and who have established protocols to protect your PHI. Researchers may review PHI to prepare for a study but may not remove or take identifiable information from our systems.
  • Workers' Compensation: As authorized to comply with workers' compensation laws and other similar legally established programs.

Uses and Disclosures of PHI Based Upon Your Written Authorization

Other uses and disclosures of your PHI will be made only with your written authorization, unless otherwise permitted or required by law as described below. You may revoke this authorization in writing at any time. If you revoke your authorization, we will no longer use or disclose your PHI for the reasons covered by your written authorization. Please understand that we are unable to take back any disclosures already made with your authorization.

HIPAA Forms

If you would like us to share your PHI with anyone besides you, we will need you to complete and sign an Authorization for the Use/Disclosure of Health Information. If you previously provided us with an Authorization and would like to revoke it, please complete and sign a Revocation of Authorization to Disclose PHI. If you would like to request a copy of your medical records, please fill out and sign a Patient Request for Health Information.

Uses and Disclosures Requiring Your Agreement or Opportunity to Object

We may use or disclose your PHI with your agreement or where you have the opportunity to object. Unless you object, we may disclose your PHI to a family member, relative, close friend, or other person you identify, to the extent the information is directly relevant to that person's involvement in your health care or payment for your care. If you are not present or able to agree or object, we may use our professional judgment to determine whether the disclosure is in your best interest and disclose only the information necessary. We may also use or disclose your PHI to notify, or assist in notifying, a family member, personal representative, or other person responsible for your care of your location, general condition, or death. In addition, we may disclose your PHI to authorized public or private entities to assist in disaster relief efforts and to coordinate such disclosures to individuals involved in your care.

2. Your Rights

You have the following rights regarding your PHI and how it is used and disclosed:

  • Right to Inspect and Copy. You have the right to inspect and obtain a copy of your PHI for as long as we maintain it. This includes medical and billing records and other records used to make decisions about your care. As permitted by law, we may charge a reasonable fee for copies. Under federal law, you may not inspect or copy certain records, including psychotherapy notes, information compiled in anticipation of legal proceedings, and certain laboratory results. In some cases, a denial of access may be reviewable. If your information is maintained in an electronic health record, you may request an electronic copy and direct us to transmit it to a designated person or entity. Any fee for electronic copies will not exceed our labor costs.
  • Right to Request Restrictions. You have the right to request restrictions on how we use or disclose your PHI for treatment, payment, or health care operations, or to limit disclosures to individuals involved in your care. We are not required to agree to most requested restrictions. However, you have the right to request that we not disclose your PHI to a health plan for payment or health care operations if the PHI relates solely to a health care item or service that you, or someone on your behalf, has paid for out-of-pocket in full. We will comply with such requests unless disclosure is otherwise required by law.
  • Right to Request Confidential Communications. You have the right to request that we communicate with you about your health information by alternative means or at an alternative location. We will accommodate reasonable requests and will not require you to provide a reason for your request.
  • Right to Request Amendments. You have the right to request an amendment to your PHI if you believe it is incorrect or incomplete. Requests must be made in writing and submitted to our Privacy Officer. We may deny your request in certain cases. If we do, you have the right to submit a written statement of disagreement, and we may prepare a written response, which will be provided to you. We will respond to your request within 60 days (or up to 90 days if additional time is needed). Even if your request is denied, you may submit a written addendum of up to 250 words to be included in your record.
  • Right to an Accounting of Disclosures. You have the right to receive an accounting of certain disclosures of your PHI made by us. This right applies to disclosures for purposes other than treatment, payment, or health care operations. This excludes disclosures made to you, with your authorization, for a facility directory, to individuals involved in your care, for national security or intelligence purposes, to law enforcement or correctional institutions, and as part of a limited data set. You may request an accounting for disclosures made within the past six years. Requests must be submitted in writing to our Privacy Officer, and we will respond within 60 days (or up to 90 days if needed).
  • Right to Obtain a Paper Copy of This Notice. You have the right to obtain a paper copy of this Notice at any time, even if you have agreed to receive it electronically.

3. Complaints

If you believe your privacy rights have been violated, you may file a complaint with us or with the Secretary of the U.S. Department of Health and Human Services. To file a complaint with us, contact our Privacy Officer at [email protected]. We will not retaliate against you for filing a complaint. For Cloud Health Medical Group (BRDG) patients, PHI-related requests and complaints may also be directed to its Privacy Officer at [email protected].

Security of Your Information

We implement reasonable administrative, technical, and physical safeguards to protect your PHI. For example, we use industry-standard encryption to help secure data transmissions. While we strive to protect your information, no method of transmission over the internet or mobile networks is completely secure. You are responsible for maintaining the confidentiality of your login credentials.

Electronic Consent and Online Access

If you receive this Notice or related consent forms electronically and accept them online, your electronic acceptance is legally binding and carries the same force and effect as a handwritten signature under applicable law, including the Electronic Signatures in Global and National Commerce Act (E-SIGN) and applicable state electronic signature laws. By accepting this Notice electronically, you confirm that you have read and understood its contents and that you are authorized to do so on the patient's behalf, if applicable.

This Notice is effective as of April 30, 2026.