Notice of Privacy Practices

Effective Date: February 2026

THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.

1. Our Pledge Regarding Your Health Information

Rymeda, Inc. ("Rymeda," "we," "us," or "our") understands that health information about you is personal. We are committed to protecting your health information. This Notice of Privacy Practices ("Notice") applies to all Protected Health Information ("PHI") and electronic Protected Health Information ("ePHI") that Rymeda creates, receives, maintains, or transmits on behalf of healthcare providers ("Covered Entities") who use the Rymeda platform.

Rymeda acts as a Business Associate under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), 42 USC §1320d et seq., the HIPAA Privacy Rule at 45 CFR Part 164 Subpart E, the HIPAA Security Rule at 45 CFR Part 164 Subpart C, the HIPAA Breach Notification Rule at 45 CFR Part 164 Subpart D, and the Health Information Technology for Economic and Clinical Health Act ("HITECH"), 42 USC §17921 et seq. Our obligations are further defined in our Business Associate Agreement.

This Notice describes our privacy practices with respect to PHI processed through the Rymeda platform, including clinical charts, clinical notes (SOAP notes, progress notes, intake notes, discharge summaries), voice recordings, AI-generated medical reports, diagnoses, medications, allergies, vital signs, lab results, treatment plans, billing records, insurance claims, appointment data, secure messages, and all associated metadata.

We are required by law to maintain the privacy of your PHI, provide you with this Notice of our legal duties and privacy practices, notify you following a breach of your unsecured PHI, and abide by the terms of this Notice currently in effect.

2. How We May Use and Disclose Your Protected Health Information

The following categories describe the ways in which Rymeda may use or disclose your PHI without your written authorization. Not every use or disclosure in a category is listed; however, all permitted uses and disclosures fall within one of the categories described below.

2.1 Treatment

Your PHI may be used and disclosed to provide, coordinate, or manage your healthcare and related services. This includes sharing clinical charts, SOAP notes, clinical notes, diagnoses (ICD-10 codes), medications, allergies, vital signs, lab results, treatment plans, and care team information among the healthcare providers involved in your care through the Rymeda platform. For example, a physician may access your clinical chart to review your problem list, medication history, and prior clinical notes when providing follow-up treatment. Care team members (physicians, nurse practitioners, physician assistants, registered nurses, and therapists) may access relevant portions of your clinical record based on their role and the minimum necessary standard.

2.2 Payment

Your PHI may be used and disclosed for payment-related activities. This includes billing, claims management, insurance verification, and collections. Specifically, the platform processes invoices containing CPT codes and line items, insurance claims with ICD-10 diagnosis codes and CPT procedure codes, and payment records. Billing staff may access payment-related information (but not clinical chart data) to submit claims to your insurance provider, process co-payments, and manage accounts receivable. PHI disclosed for payment purposes is limited to the minimum necessary to accomplish the payment activity.

2.3 Healthcare Operations

Your PHI may be used and disclosed for healthcare operations activities, including quality assessment and improvement, credentialing and peer review, compliance auditing, business management and administration, and training. The platform generates immutable audit trails for all PHI access events and supports provider credential verification through NPI/NPPES validation. Organization administrators and owners may access operational data (but not clinical chart data) for practice management purposes.

2.4 As Required By Law

We will disclose your PHI when required to do so by federal, state, or local law, including compliance with court orders, subpoenas, or other legal process. This includes disclosures required under HIPAA (45 CFR §164.512(a)), the California Confidentiality of Medical Information Act ("CMIA") (Cal. Civ. Code §56.10), and other applicable laws.

2.5 Public Health Activities

Your PHI may be disclosed for public health activities and purposes to a public health authority authorized by law to collect or receive the information for the purpose of preventing or controlling disease, injury, or disability (45 CFR §164.512(b)). This includes reporting to the Centers for Disease Control and Prevention (CDC), state and local health departments, and the Food and Drug Administration (FDA).

2.6 Health Oversight Activities

Your PHI may be disclosed to a health oversight agency for activities authorized by law, including audits, civil or criminal investigations, inspections, licensure, and disciplinary actions (45 CFR §164.512(d)). This includes oversight by the Department of Health and Human Services (HHS) Office for Civil Rights, the California Department of Public Health (CDPH), and state medical boards.

2.7 Judicial and Administrative Proceedings

Your PHI may be disclosed in the course of any judicial or administrative proceeding, in response to an order of a court or administrative tribunal (45 CFR §164.512(e)), or, under certain conditions, in response to a subpoena, discovery request, or other lawful process that is not accompanied by a court order, provided that reasonable efforts have been made to notify you or to secure a qualified protective order.

2.8 Law Enforcement

We may disclose your PHI to a law enforcement official for law enforcement purposes as required by law or in compliance with a court order, court-ordered warrant, subpoena, or summons issued by a judicial officer; a grand jury subpoena; or an administrative request (45 CFR §164.512(f)).

2.9 To Avert a Serious Threat to Health or Safety

We may use and disclose your PHI when necessary to prevent or lessen a serious and imminent threat to your health or safety or the health or safety of the public or another person (45 CFR §164.512(j)). Any disclosure will be made to a person reasonably able to prevent or lessen the threat, including the target of the threat.

2.10 Government Functions

We may disclose your PHI for specialized government functions, including military and veterans' activities, national security and intelligence activities, protective services for the President, and medical suitability determinations (45 CFR §164.512(k)).

2.11 Workers' Compensation

We may disclose your PHI as authorized by and to the extent necessary to comply with workers' compensation laws and other similar legally established programs (45 CFR §164.512(l)).

2.12 Research

We may use or disclose your PHI for research purposes only with your written authorization or when the use involves de-identified data in accordance with 45 CFR §164.514 or a limited data set with a data use agreement in accordance with 45 CFR §164.514(e). Research use of PHI requires approval by an Institutional Review Board (IRB) or privacy board in accordance with 45 CFR §164.512(i).

2.13 Decedents

We may disclose PHI to a coroner, medical examiner, or funeral director as necessary to carry out their duties (45 CFR §164.512(g)).

2.14 Organ and Tissue Donation

If you are an organ donor, we may disclose PHI to organizations involved in the procurement, banking, or transplantation of cadaveric organs, eyes, or tissue (45 CFR §164.512(h)).

3. Uses and Disclosures Requiring Your Written Authorization

The following uses and disclosures of your PHI require your written authorization before we may proceed. You may revoke any authorization at any time by submitting a written request to legal@rymeda.com. Revocation applies prospectively and does not affect any use or disclosure made in reliance on your authorization prior to revocation.

3.1 Marketing

We will not use or disclose your PHI for marketing purposes without your prior written authorization, as required by 45 CFR §164.508(a)(3) and 42 USC §17936(a). We will not sell your PHI without your written authorization, as required by 42 USC §17935(d).

3.2 Sale of PHI

We will not sell your PHI to any third party without your prior written authorization. This prohibition applies regardless of the form or medium in which the PHI is maintained, in accordance with 42 USC §17935(d)(2).

3.3 Psychotherapy Notes

Uses and disclosures of psychotherapy notes, as defined in 45 CFR §164.501, require your written authorization except for limited purposes set forth in 45 CFR §164.508(a)(2), including use by the originator of the notes for treatment, for use in training programs, and for defense in legal proceedings.

3.4 AI Processing of Clinical Data

Rymeda's platform includes AI-assisted clinical documentation features that process your health information. You will be asked for separate, specific consent before any AI processing of your clinical data occurs. The following AI processing activities require your authorization:

  • Voice recording of clinical encounters: Clinical encounters may be audio-recorded using the Rymeda platform. Recording requires your explicit, per-encounter consent in compliance with California Penal Code §632 (two-party consent). You may refuse or withdraw consent for any individual encounter without affecting your care.
  • AI transcription: Audio recordings are transmitted to AI language model services (including OpenAI Whisper and Google Gemini) for transcription. Recordings are encrypted in transit (TLS 1.3) and at rest (AES-256) and processed through our PHI redaction pipeline before reaching third-party AI services where technically feasible.
  • AI-generated clinical documentation: Transcriptions are processed by AI models to generate structured SOAP notes (Subjective, Objective, Assessment, Plan), suggested ICD-10 diagnosis codes with confidence scores, visit summaries, suggested problem list entries, and follow-up recommendations.
  • AI model versioning: All AI-generated content includes the AI model version identifier and generation timestamp for full provenance tracking.

See Section 5 below for detailed disclosures about AI-assisted clinical documentation, including your right to opt out.

4. Your Rights Regarding Your Protected Health Information

You have the following rights with respect to your PHI. To exercise any of these rights, submit a written request to legal@rymeda.com.

4.1 Right to Inspect and Copy (45 CFR §164.524)

You have the right to inspect and obtain a copy of your PHI contained in a designated record set, including clinical charts, clinical notes, voice note transcriptions, AI-generated medical reports, billing records, and insurance claims. We will respond to your request within thirty (30) days of receipt. If we are unable to respond within thirty (30) days, we may extend the response period by up to an additional thirty (30) days, provided we give you written notice of the extension. You may request your PHI in electronic format, and we will provide it in the electronic form and format you request if it is readily producible, or in a mutually agreed-upon alternative electronic format. We may charge a reasonable, cost-based fee for copies, in accordance with 45 CFR §164.524(c)(4).

We may deny your request in limited circumstances as permitted by 45 CFR §164.524(a)(2) and (a)(3). If we deny your request, we will provide you with a written explanation and information about how to request a review of the denial.

4.2 Right to Amend (45 CFR §164.526)

You have the right to request an amendment to your PHI in a designated record set if you believe the information is incorrect or incomplete. You must provide a reason for your amendment request. We will act on your request within sixty (60) days. If we are unable to act within sixty (60) days, we may extend the response period by up to an additional thirty (30) days, provided we give you written notice. We may deny your request if the information was not created by us, is not part of the designated record set, is not available for inspection as a matter of law, or is accurate and complete. If we deny your request, we will provide you with a written explanation of the denial and your right to submit a statement of disagreement.

4.3 Right to an Accounting of Disclosures (45 CFR §164.528)

You have the right to request an accounting of certain disclosures of your PHI made by Rymeda during the six (6) years prior to the date of your request (or since the effective date of this Notice, whichever is shorter). The accounting will not include disclosures made for treatment, payment, or healthcare operations; disclosures made to you or authorized by you; disclosures made incident to an otherwise permitted use or disclosure; or other disclosures for which an accounting is not required by law. The Rymeda platform maintains immutable, append-only audit trails for all PHI access events, which support the generation of disclosure accountings. The first accounting in any twelve (12) month period is provided free of charge. We may charge a reasonable, cost-based fee for subsequent accountings within the same period.

4.4 Right to Request Restrictions (45 CFR §164.522(a))

You have the right to request a restriction on the use or disclosure of your PHI for treatment, payment, or healthcare operations. You also have the right to request a restriction on disclosures to persons involved in your care or the payment for your care. We are not required to agree to your request unless the restriction involves a disclosure to a health plan for payment or healthcare operations purposes and the PHI relates solely to a healthcare item or service for which you have paid in full out of pocket (42 USC §17935(a)). If we agree to a restriction, we will comply with it except in an emergency.

4.5 Right to Confidential Communications (45 CFR §164.522(b))

You have the right to request that we communicate with you about your health information in a particular way or at a particular location. For example, you may request that we contact you only at a specific email address or phone number. We will accommodate reasonable requests. The Rymeda platform supports secure messaging through encrypted communication threads.

4.6 Right to a Paper Copy of This Notice

You have the right to obtain a paper copy of this Notice upon request, even if you have agreed to receive the Notice electronically. To request a paper copy, contact legal@rymeda.com.

4.7 Right to Breach Notification (45 CFR §164.404)

You have the right to be notified in the event of a breach of your unsecured PHI. Notification will be provided without unreasonable delay, and in no event later than sixty (60) calendar days after discovery of the breach. For additional details, see Section 8 below and our Breach Notification Policy.

5. AI-Assisted Clinical Documentation Disclosure

In accordance with California AB 3030 (Cal. Health & Safety Code §1279.6), Rymeda provides the following detailed disclosure regarding AI-assisted clinical documentation features available on the platform:

5.1 Voice Recording and Consent

Clinical encounters may be recorded using the Rymeda platform's voice note feature. Because California is a two-party consent state (Cal. Penal Code §632), explicit consent from all parties must be obtained before recording begins. Consent for recording is obtained separately from all other consents and authorizations. Consent is requested on a per-encounter basis — you may refuse recording for any individual encounter without affecting your care or your ability to use other platform features. Recorded audio is uploaded in supported formats (WebM, MP4, MPEG, WAV, OGG), encrypted at rest using AES-256, and stored in AWS S3 with per-tenant encryption keys managed by AWS KMS.

5.2 Transcription Pipeline

Voice recordings are processed through an AI transcription pipeline. Audio is transmitted via TLS 1.3 encrypted connections to AI transcription services, including OpenAI Whisper. The transcription service converts audio to text. Transcription status is tracked through the lifecycle: pending, processing, completed, or failed. Transcripts are stored alongside the original voice note record and are accessible only to authorized clinical staff with appropriate role-based permissions.

5.3 AI-Generated Medical Reports

Once a transcript is available, AI models (including OpenAI GPT and Google Gemini, accessed via LiteLLM) generate structured medical reports containing:

  • Structured SOAP notes — Subjective, Objective, Assessment, and Plan sections generated from the clinical encounter transcript.
  • Visit summary — A narrative summary of the clinical encounter.
  • Suggested ICD-10 diagnosis codes — Including description and confidence score for each suggested code.
  • Suggested problem list entries — Clinical problems identified from the encounter.
  • Follow-up recommendations — Including action, timeframe, and suggested assignee.
  • AI model version identifier — Tracked for full provenance and reproducibility.
  • Generation timestamp — The exact date and time the AI content was generated.

5.4 Human-in-the-Loop: Provider Review Requirement

All AI-generated clinical content is flagged with status "AI_DRAFT — REQUIRES PROVIDER REVIEW" and cannot be incorporated into the medical record until a licensed healthcare provider has reviewed, edited (if necessary), and signed the content.

The report lifecycle follows a strict workflow: AI-generated reports begin in "draft" status, advance to "reviewed" status when a provider edits or confirms the content, and reach "signed" status only when a provider with full clinical chart access (Physician, Nurse Practitioner, or Physician Assistant) affirmatively signs the report. Signing is irreversible. The signed report, along with the original voice recording, full transcript, and audit trail, is preserved as part of the clinical record.

AI-generated content does not constitute medical advice, clinical diagnosis, or treatment recommendation. Healthcare providers retain full responsibility for all clinical decisions, and AI outputs are intended solely as assistive tools subject to independent professional judgment.

5.5 Original Recording Preservation

The original audio recording is preserved in its entirety alongside the AI-generated transcript and report. Audio duration, file format, and storage location are tracked. The original recording serves as the authoritative source record and is retained in accordance with applicable medical record retention requirements (see Section 7 of our Privacy Policy).

5.6 Your Right to Opt Out of AI Processing

You have the right to opt out of AI processing of your clinical data at any time. If you opt out:

  • Your clinical encounters will not be recorded unless you provide separate, explicit recording consent.
  • No AI transcription or report generation will be performed on your clinical data.
  • Your healthcare provider will document your encounter using manual methods.
  • Your decision to opt out will not affect the quality of care you receive or your access to any other platform features.
  • You may opt out on a per-encounter basis or globally for all future encounters.

To opt out, inform your healthcare provider before the encounter begins or contact legal@rymeda.com.

5.7 Provenance and Audit Trail

Every action in the voice note and AI documentation lifecycle is recorded in an immutable, append-only audit trail. The audit trail captures: the user ID and clinical role of the actor, the timestamp and IP address, the entity type and entity ID, and the action performed (uploaded, transcribed, report_generated, report_edited, signed). The full provenance chain — from recording upload to final signature — is available to authorized clinical staff through the platform and is retained for a minimum of six (6) years in accordance with 45 CFR §164.530(j).

6. Minimum Necessary Standard and Access by Role

In accordance with 45 CFR §164.502(b), Rymeda applies the minimum necessary standard to all uses, disclosures, and requests for PHI. Access to PHI on the Rymeda platform is governed by role-based access controls ("RBAC") that restrict data access based on clinical role and verification status. Only staff members with "verified" credential status may access clinical data.

The following access matrix defines what each clinical role may access:

Role                     | Clinical Chart Access                      | Operational Access | Admin Access
Physician                | Full — All clinical data, all patients     | Yes                | No
Nurse Practitioner (NP)  | Full — All clinical data, all patients     | Yes                | No
Physician Assistant (PA) | Full — All clinical data, all patients     | Yes                | No
Registered Nurse (RN)    | Scoped — Own notes and assigned patients   | Yes                | No
Therapist                | Scoped — Own notes and assigned patients   | Yes                | No
Biller                   | None — No clinical chart access            | Billing only       | No
Front Desk               | None — No clinical chart access            | Scheduling only    | No
Org Admin                | None — No clinical chart access            | Yes                | Limited
Owner                    | None — No clinical chart access            | Yes                | Full

Scoped access means the user can only view clinical data for patients they are directly assigned to or for records they authored. For voice notes, users with scoped access can only view their own recordings. Users with full access can view clinical data across all patients within their organization. No role provides cross-organization access — tenant data isolation ensures complete separation between organizations.
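The access matrix above and the draft, reviewed, signed report lifecycle of Section 5.4 together describe an authorization policy that can be checked mechanically. The following Python is an added illustration, not Rymeda's code: the role names and access levels are taken from this Notice, while the data model, function names, the requirement that a report be reviewed before it can be signed, and the sample users and records are assumptions made for the example. It shows the order in which the checks are applied (tenant isolation first, then credential verification, then role scope), the narrower scoped rule for voice notes, the restriction of signing to full-chart roles, and the irreversibility of a signature, with each state change appended to an audit list in the spirit of Section 5.7.

```python
"""Added example, not Rymeda's code: a model of the Section 6 access matrix and the
Section 5.4 report lifecycle. Data model, function names, and samples are assumptions."""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class ChartAccess(Enum):
    FULL = "full"      # all clinical data, all patients in the organization
    SCOPED = "scoped"  # own notes and assigned patients only
    NONE = "none"      # no clinical chart access


# Access matrix from Section 6: role -> (chart access, operational access, admin access).
ACCESS_MATRIX = {
    "physician":           (ChartAccess.FULL,   "yes",        "no"),
    "nurse_practitioner":  (ChartAccess.FULL,   "yes",        "no"),
    "physician_assistant": (ChartAccess.FULL,   "yes",        "no"),
    "registered_nurse":    (ChartAccess.SCOPED, "yes",        "no"),
    "therapist":           (ChartAccess.SCOPED, "yes",        "no"),
    "biller":              (ChartAccess.NONE,   "billing",    "no"),
    "front_desk":          (ChartAccess.NONE,   "scheduling", "no"),
    "org_admin":           (ChartAccess.NONE,   "yes",        "limited"),
    "owner":               (ChartAccess.NONE,   "yes",        "full"),
}

AUDIT_LOG: list = []  # append-only: entries are added, never edited or removed (Section 5.7)


@dataclass(frozen=True)
class User:
    user_id: str
    org_id: str
    role: str
    verified: bool                         # only "verified" credential status may touch clinical data
    assigned_patients: frozenset = frozenset()


@dataclass
class Record:
    entity_id: str
    org_id: str
    patient_id: str
    author_id: str
    kind: str = "clinical_note"            # "clinical_note" or "voice_note"
    status: str = "draft"                  # draft -> reviewed -> signed
    signed_by: Optional[str] = None


def chart_access(user: User) -> ChartAccess:
    return ACCESS_MATRIX[user.role][0]


def can_view(user: User, rec: Record) -> bool:
    """Section 6 checks in order: tenant isolation, verification, then role scope."""
    if user.org_id != rec.org_id:
        return False                       # no role has cross-organization access
    if not user.verified:
        return False
    access = chart_access(user)
    if access is ChartAccess.FULL:
        return True
    if access is ChartAccess.SCOPED:
        if rec.kind == "voice_note":       # scoped users see only their own recordings
            return rec.author_id == user.user_id
        return rec.author_id == user.user_id or rec.patient_id in user.assigned_patients
    return False


def _audit(user: User, rec: Record, action: str) -> None:
    AUDIT_LOG.append({"user_id": user.user_id, "role": user.role,
                      "entity_id": rec.entity_id, "action": action})


def review(user: User, rec: Record) -> bool:
    """draft -> reviewed when a provider who may see the record edits or confirms it."""
    if not can_view(user, rec) or rec.status != "draft":
        return False
    rec.status = "reviewed"
    _audit(user, rec, "report_edited")
    return True


def sign(user: User, rec: Record) -> bool:
    """reviewed -> signed; only FULL-chart roles may sign, and signing is irreversible."""
    if not can_view(user, rec) or chart_access(user) is not ChartAccess.FULL:
        return False
    if rec.status != "reviewed":           # assumed strict order: reviewed first; "signed" is final
        return False
    rec.status = "signed"
    rec.signed_by = user.user_id
    _audit(user, rec, "signed")
    return True
```

The order of the checks is the point worth copying: an organization mismatch or an unverified credential short-circuits before any role logic runs, so a misconfigured role can never widen access across tenants. Because `sign` refuses anything that is not in the "reviewed" state, a second signature attempt on a signed record is rejected rather than overwriting the first signer.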

7. How We Protect Your Information

Rymeda implements administrative, physical, and technical safeguards to protect your PHI in accordance with the HIPAA Security Rule (45 CFR Part 164, Subpart C). For complete details, see our Security page.

  • Encryption at rest: AES-256 encryption for all PHI stored in databases and file storage (AWS S3), with dedicated, per-tenant encryption keys managed by AWS Key Management Service (KMS).
  • Encryption in transit: TLS 1.3 for all data transmitted between clients, servers, and third-party services.
  • Access controls: Role-based access control (RBAC) and attribute-based access control (ABAC) enforcing the principle of least privilege, as described in Section 6 above.
  • Tenant data isolation: Complete data separation between organizations with isolated compute, storage, and network boundaries. Zero cross-tenant data visibility.
  • PHI redaction pipeline: Automated detection and redaction of PHI before data reaches AI processing layers, using multi-stage ML-powered entity recognition.
  • Immutable audit trails: Tamper-evident, append-only audit logs for every user action, data access, and system event, retained for a minimum of six (6) years.
  • Credential verification: Provider identity verified through NPI/NPPES validation, license verification, and ongoing monitoring. Only verified staff can access clinical data.
  • Infrastructure security: VPC isolation, Web Application Firewall (WAF), DDoS mitigation, container security, continuous vulnerability scanning, and automated patching.

8. Breach Notification

In the event of a breach of your unsecured PHI, Rymeda will notify affected individuals and authorities in accordance with the HIPAA Breach Notification Rule (45 CFR Part 164, Subpart D) and applicable state law:

  • Individual notification: You will be notified without unreasonable delay, and in no event later than sixty (60) calendar days after discovery of the breach, via first-class mail or email (if you have consented to electronic notice). Notification will describe what happened, the types of PHI involved, steps you should take to protect yourself, what we are doing to investigate and mitigate the breach, and contact information for further questions.
  • HHS notification: If a breach affects 500 or more individuals, the Secretary of HHS will be notified without unreasonable delay. If a breach affects fewer than 500 individuals, notification will be provided to HHS through an annual breach log submitted by February 28 of the following year.
  • Media notification: If a breach affects 500 or more residents of a single state or jurisdiction, prominent media outlets serving that state or jurisdiction will be notified without unreasonable delay.

California-Specific Requirements

  • SB 446 (Cal. Civ. Code §1798.82): Notification to affected California residents without unreasonable delay. Notification to the California Attorney General when more than 500 California residents are affected.
  • HSC §1280.15: Reporting to the California Department of Public Health (CDPH) within fifteen (15) business days when applicable.
  • CMIA (Cal. Civ. Code §56.36): Notification as required for breaches involving medical information of California residents.

For complete details, see our Breach Notification Policy and the breach notification provisions in our Business Associate Agreement.

9. California-Specific Disclosures

9.1 Confidentiality of Medical Information Act (CMIA)

For California residents, medical information processed through the Rymeda platform is additionally protected under the Confidentiality of Medical Information Act (Cal. Civ. Code §56 et seq.). Medical information will not be disclosed without valid written authorization from the patient, except as permitted under Cal. Civ. Code §56.10. Authorizations comply with the requirements of Cal. Civ. Code §56.11, including specificity of information, purpose, recipients, and expiration. Patients may revoke authorization at any time (Cal. Civ. Code §56.16), and revocation applies prospectively. All changes to medical records are automatically tracked in accordance with CMIA §56.101 audit requirements.

9.2 Two-Party Recording Consent (Cal. Penal Code §632)

California law requires the consent of all parties before recording a confidential communication. Rymeda's voice recording feature obtains explicit consent from all parties before recording begins. Consent is requested separately for each encounter and is independent of all other consents and authorizations. Violation of Cal. Penal Code §632 is a criminal offense punishable by fine of up to $2,500 and/or imprisonment. Rymeda does not record any communication without the affirmative consent of all parties.

9.3 AI Disclosure (AB 3030)

In accordance with California AB 3030 (Cal. Health & Safety Code §1279.6), Rymeda discloses that the platform uses artificial intelligence and machine learning technologies for clinical workflow automation, documentation, and decision support. AI-generated outputs are intended to assist — not replace — licensed healthcare professionals. All AI-generated clinical content is clearly labeled. Patients have the right to be informed when AI is used in their care and may request human review of any AI-assisted determination. See Section 5 above for complete AI disclosure details.

9.4 Three-Consent Model

For healthcare data processed through the Rymeda platform in California, we implement a three-consent model to ensure comprehensive authorization:

  • HIPAA Authorization: Written authorization for uses and disclosures of PHI not otherwise permitted by the HIPAA Privacy Rule (45 CFR §164.508).
  • CMIA Consent: Authorization for disclosure of medical information as required by Cal. Civ. Code §56.11.
  • Platform Consent: Informed consent for platform-specific data processing, including AI-assisted features, analytics, and data sharing with subprocessors.

Each consent is obtained independently and may be revoked independently. See our Patient Consent & Authorization Forms for detailed consent documents.

10. Changes to This Notice

We reserve the right to change the terms of this Notice and to make the revised Notice effective for all PHI we already have about you, as well as any PHI we receive in the future. If we make a material change to this Notice, we will post the revised Notice on this page with an updated effective date and provide notice to Covered Entities so they may inform their patients. The revised Notice will be effective for all PHI maintained by Rymeda as of the effective date of the revision. A copy of the current Notice will always be available on this page and upon request.

11. Complaints

If you believe your privacy rights have been violated, you may file a complaint with Rymeda or with the U.S. Department of Health and Human Services (HHS) Office for Civil Rights. You will not be penalized or retaliated against for filing a complaint.

  • Rymeda Privacy Officer: legal@rymeda.com
  • HHS Office for Civil Rights: U.S. Department of Health and Human Services, 200 Independence Avenue S.W., Washington, D.C. 20201. Phone: 1-877-696-6775. Website: hhs.gov/ocr/privacy/hipaa/complaints
  • California Department of Public Health (CDPH): For complaints related to California-specific medical privacy rights.

12. Contact Information

For questions about this Notice, to exercise your rights, or to request additional information about our privacy practices:

This Notice is provided in conjunction with our Privacy Policy, Business Associate Agreement, Data Processing Agreement, Terms of Service, and Patient Consent & Authorization Forms.