HIPAA Notice of Privacy Practices
How we use and disclose your Protected Health Information
Last updated: January 1, 2025
THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
This Notice of Privacy Practices ("Notice") is provided by Elite Performance Institute San Diego, Dr. Peter Mackay D.C., and all staff and students acting under their supervision (collectively, "EPI," "we," "us," or "our"). This Notice describes how we may use and disclose your Protected Health Information (PHI) and how you can access and control your PHI. It is required by the federal Health Insurance Portability and Accountability Act of 1996 ("HIPAA") and its implementing regulations at 45 CFR Parts 160 and 164.
Effective Date: This Notice is effective as of January 1, 2025.
We reserve the right to change the terms of this Notice and to make the revised or changed Notice effective for health information we already have about you as well as any information we receive in the future. We will post a copy of the current Notice at our office and on our website. You may request a copy of the current Notice at any time.
1. Our Legal Duty Regarding Your Protected Health Information
We are required by law to:
- Maintain the privacy and security of your PHI
- Provide you with this Notice of our legal duties and privacy practices
- Notify you following a breach of your unsecured PHI
- Abide by the terms of the Notice that is currently in effect
PHI is any individually identifiable health information — including demographic data — that relates to your past, present, or future physical or mental health condition; the provision of health care to you; or the past, present, or future payment for such care.
Protected health information includes many forms of information, including information in your paper medical record, information stored electronically (electronic PHI or ePHI), and verbal communications involving your health information.
2. How We Use and Disclose Your Protected Health Information
2.1 For Treatment
We may use and disclose your PHI to provide, coordinate, or manage your healthcare and any related services. This includes the sharing of PHI with other healthcare providers who are involved in your care. For example, we may share your PHI with a referring physician, specialist, or physical therapist involved in your treatment, or with an attorney working on your personal injury case who requires medical records and documentation.
2.2 For Payment
We may use and disclose your PHI so that treatment and services you receive from us may be billed to and collected from you, your insurance company, workers' compensation carrier, or a third-party payer. For example, we may need to give your health plan information about chiropractic services you received so your plan can pay us or reimburse you for those services.
2.3 For Healthcare Operations
We may use and disclose your PHI for our business activities, such as quality assessment and improvement activities, reviewing the competence or qualifications of healthcare professionals, employee review activities, training programs, accreditation, licensing, legal services, and business planning and development.
2.4 Appointment Reminders and Health Information
We may contact you to provide appointment reminders or information about treatment alternatives or other health-related benefits and services that may be of interest to you.
2.5 As Required by Law
We will disclose PHI when required to do so by applicable federal, state, or local law, including in response to a valid court order, subpoena, or administrative process.
2.6 For Public Health Activities
We may disclose PHI to public health authorities authorized to collect information for the purpose of preventing or controlling disease, injury, or disability.
2.7 To Avert a Serious Threat to Health or Safety
We may use and disclose PHI when necessary to prevent or lessen a serious and imminent threat to the health or safety of you, another person, or the public.
2.8 For Workers' Compensation
We may disclose your PHI as authorized by and as necessary to comply with laws related to workers' compensation and other similar programs.
2.9 Other Uses — Authorization Required
All other uses and disclosures of your PHI not described above will be made only with your written authorization. You may revoke your authorization in writing at any time, except to the extent that we have already taken action relying on your authorization.
3. Your Rights Regarding Your Protected Health Information
3.1 Right to Access and Obtain a Copy of Your PHI
You have the right to inspect and obtain a copy of PHI that may be used to make decisions about your care, including medical and billing records. To request access, submit a written request to our Privacy Officer. We may charge a reasonable cost-based fee for copies. We will respond within 30 days. In some limited circumstances, we may deny a request; if so, we will explain the reason and describe your right to have the denial reviewed.
3.2 Right to Request an Amendment
If you feel that PHI we have about you is incorrect or incomplete, you may request that we amend the information. Submit a written request that identifies the information you want amended and the reason for the amendment. We will respond within 60 days. We may deny the request if the information was not created by us, is not part of the PHI we maintain, is not part of information you would be permitted to inspect, or is accurate and complete.
3.3 Right to an Accounting of Disclosures
You have the right to receive an accounting of disclosures of your PHI that we have made in the six years prior to the date of your request, for purposes other than treatment, payment, or healthcare operations. This accounting will not include disclosures made prior to April 14, 2003, disclosures made for national security or intelligence purposes, disclosures to law enforcement officials or correctional facilities, or disclosures you authorized.
3.4 Right to Request Restrictions on Uses and Disclosures
You have the right to request a restriction on uses and disclosures of your PHI for treatment, payment, or health care operations purposes, or to restrict disclosures to persons involved in your care. We are not required to agree to your request, except when you ask us to restrict disclosure of PHI to a health plan for payment or health care operations purposes and the PHI pertains solely to a service for which you have paid us in full out of pocket.
3.5 Right to Request Confidential Communications
You have the right to request that we communicate with you about PHI in a certain way or at a certain location. For example, you can ask that we only contact you at work or by mail. We will accommodate reasonable requests. Such requests must be made in writing.
3.6 Right to a Paper Copy of This Notice
You have the right to a paper copy of this Notice at any time. You may also obtain a copy from our website at episandiego.com/hipaa.
4. Security Safeguards for Your PHI
We implement comprehensive administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of your PHI:
Administrative Safeguards
- Designation of a Privacy Officer responsible for HIPAA compliance
- Workforce training on HIPAA Privacy and Security Rules
- Access management and authorization protocols
- Business Associate Agreements with all vendors handling PHI
- Incident response and breach notification procedures
Physical Safeguards
- Locked filing cabinets and secure storage of paper records
- Controlled access to areas containing PHI
- Secure disposal of paper records and physical media (shredding)
Technical Safeguards
- Encryption of ePHI in transit (TLS/SSL) and at rest
- Unique user identification and multi-factor authentication
- Automatic session logoff for electronic systems
- Audit controls and access logging
- Regular security risk assessments
5. Breach Notification
In the event of a breach of unsecured PHI, we will notify affected individuals without unreasonable delay and in no case later than 60 days following discovery of the breach, as required by the HIPAA Breach Notification Rule (45 CFR Part 164, Subpart D).
Notification will include:
- A brief description of what happened
- A description of the types of PHI involved
- Steps you should take to protect yourself from potential harm
- Steps we are taking to investigate the breach, mitigate harm, and prevent future occurrences
- Contact information for questions or concerns
If the breach affects 500 or more individuals, we will also notify the U.S. Department of Health and Human Services and prominent media outlets in California, as required by law.
6. How to File a Complaint
If you believe your privacy rights have been violated, you may file a complaint with:
Our Privacy Officer
Elite Performance Institute San Diego
444 West C St STE 190
San Diego, CA 92101
Phone: +1 (619) 232-4030
Email: EPI@SANDIEGO.COM
U.S. Department of Health and Human Services
Office for Civil Rights (OCR)
200 Independence Avenue, S.W.
Washington, D.C. 20201
Toll-free: 1-877-696-6775
Website: www.hhs.gov/ocr/privacy/hipaa/complaints/
We will not retaliate against you in any way for filing a complaint. Retaliation in any form is strictly prohibited.
7. Contact Our Privacy Officer
For any questions, concerns, or requests regarding this Notice or our HIPAA compliance practices, please contact our Privacy Officer:
Elite Performance Institute San Diego
Privacy Officer — Dr. Peter Mackay D.C.
444 West C St STE 190
San Diego, CA 92101
United States
Phone: +1 (619) 232-4030
Email: EPI@SANDIEGO.COM
Website: https://episandiego.com
This Notice is effective as of January 1, 2025. Elite Performance Institute San Diego reserves the right to change this Notice. A copy of any revised Notice will be posted on our website and available at our office.