HIPAA Notice of Privacy Practices

This Notice of Privacy Practices describes how HealthMesh™, a PluralFusion™ product, may use and disclose health information in connection with our platform and services, and how you can exercise your rights regarding that information. Please review it carefully.

Who This Notice Applies To

This notice applies to HealthMesh’s platform and services used by healthcare organizations, providers, and their patients. HealthMesh operates as a Business Associate under the Health Insurance Portability and Accountability Act (HIPAA) and its implementing regulations (the HIPAA Privacy Rule and Security Rule). We handle Protected Health Information (PHI) solely on behalf of our Covered Entity clients pursuant to Business Associate Agreements (BAAs).

If you are a patient, your primary rights regarding your health information are governed by the Notice of Privacy Practices provided to you by your healthcare provider (the Covered Entity), not by HealthMesh directly. Please contact your provider with questions about how your health information is used.

What Is Protected Health Information (PHI)

PHI is individually identifiable health information that relates to:

• Your past, present, or future physical or mental health or condition
• The provision of health care to you
• Past, present, or future payment for the provision of health care to you

How We Use and Disclose PHI

As a Business Associate, HealthMesh may use and disclose PHI only as permitted or required by our Business Associate Agreements with Covered Entities, and only to the extent necessary to perform our contracted services. Permitted uses and disclosures include:

• Platform Operations: Processing, transmitting, and storing PHI to provide our remote patient monitoring, care coordination, and engagement services on behalf of Covered Entities.
• Treatment, Payment, and Operations: Supporting Covered Entities in delivering care, billing, and operating their healthcare programs.
• Required by Law: Disclosing PHI when required to do so by applicable federal, state, or local law.
• Public Health Activities: As directed by a Covered Entity, reporting to public health authorities as required by law.
• Subcontractors: Sharing PHI with our subcontractors and agents who assist us in providing services, provided they are bound by equivalent Business Associate Agreements.

We do not use or disclose PHI for marketing purposes, and we do not sell PHI.

How We Protect Your Information

HealthMesh maintains administrative, physical, and technical safeguards designed to protect the confidentiality, integrity, and availability of PHI in accordance with the HIPAA Security Rule. These safeguards include:

• Encryption of PHI at rest and in transit
• Role-based access controls and audit logging
• Regular security risk assessments
• Employee training on HIPAA obligations
• Incident response procedures for potential breaches

Your Rights Regarding PHI

To the extent HealthMesh holds PHI about you on behalf of a Covered Entity, you may have the following rights under HIPAA. These rights must be exercised through your healthcare provider, not directly through HealthMesh:

• Right to Access: Request a copy of your PHI.
• Right to Amend: Request corrections to your PHI.
• Right to an Accounting of Disclosures: Request a list of certain disclosures of your PHI.
• Right to Restrict: Request restrictions on certain uses and disclosures of your PHI.
• Right to Confidential Communications: Request that communications about your PHI be sent to an alternate location or by an alternate method.
• Right to a Copy of This Notice: You have the right to a paper copy of this notice upon request.

Breach Notification

In the event of a breach of unsecured PHI, HealthMesh will notify the affected Covered Entity as required by the HIPAA Breach Notification Rule. The Covered Entity is responsible for notifying affected individuals and, where applicable, the U.S. Department of Health and Human Services (HHS) and the media.

Changes to This Notice

We reserve the right to change the terms of this notice at any time. Changes will apply to PHI we already hold as well as PHI we receive in the future. We will post the revised notice on this page with an updated effective date.

Complaints

If you believe your privacy rights have been violated, you may file a complaint with your healthcare provider or directly with the U.S. Department of Health and Human Services, Office for Civil Rights:

• Online: hhs.gov/ocr/privacy/hipaa/complaints
• By Phone: 1-800-368-1019

You will not be penalized for filing a complaint.

Contact Us

For questions about this notice or our HIPAA compliance practices, please contact us at: privacy@pluralfusion.com