Patient Consent & Authorization Forms

1.1 Purpose

This consent authorizes the use of the Rymeda platform to facilitate healthcare services provided to you by your healthcare provider(s). By consenting, you acknowledge that you have been informed of and agree to the terms described below regarding the delivery of healthcare services through a digital platform.

1.2 Nature of the Platform

Rymeda, Inc. is a healthcare technology company. Rymeda is NOT a healthcare provider. Rymeda does not diagnose, prescribe, recommend treatments, or provide medical advice. Rymeda provides a technology platform that enables licensed healthcare providers to deliver, document, and manage clinical care. Your healthcare provider — not Rymeda — is responsible for all clinical decisions regarding your care. Use of the Rymeda platform does not create a provider-patient relationship between you and Rymeda, Inc.

1.3 Services Provided Through the Platform

The Rymeda platform may be used by your healthcare provider to deliver the following services:

• Clinical documentation, including SOAP notes, progress notes, intake notes, and discharge summaries.
• Maintenance of your clinical chart, including problem lists, medications, allergies, vital signs, lab results, and treatment plans.
• Scheduling of appointments (initial, follow-up, urgent, and telehealth).
• Secure messaging between you and your care team.
• Billing and insurance claims processing, including invoices, CPT codes, and ICD-10 diagnosis codes.
• AI-assisted clinical documentation (subject to separate consent — see Consent 2 below).
• Telehealth services (subject to separate consent — see Consent 4 below).
• Care team coordination and provider-to-provider communication regarding your care.
• Document storage and management related to your care.

1.4 Your Data

Your personal and health information will be collected, stored, and processed through the Rymeda platform. This includes demographic information (name, date of birth, gender, contact information, address), emergency contact information, insurance information (provider, plan, member ID, group number), and clinical data as described above. All data is protected by AES-256 encryption at rest, TLS 1.3 encryption in transit, role-based access controls, and tenant data isolation. For complete details on how your information is handled, see our Privacy Policy and Notice of Privacy Practices.

1.5 Provider Responsibility

Your healthcare provider retains full clinical responsibility for your care, including all diagnoses, treatment decisions, prescriptions, and clinical judgments. Your provider's credentials are verified through NPI/NPPES validation and ongoing license monitoring through the Rymeda platform. Only providers with "verified" credential status may access clinical data or provide care through the platform.

1.6 Your Rights

You have the right to withdraw this consent at any time by notifying your healthcare provider or contacting legal@rymeda.com. Withdrawal of this consent may affect your provider's ability to deliver services through the platform but will not affect your right to receive care through other means. Your rights regarding your Protected Health Information are described in our Notice of Privacy Practices.

2.1 Purpose

This consent authorizes the use of artificial intelligence ("AI") and machine learning technologies to assist in the documentation of your clinical encounters. This consent is separate from and independent of your general consent for digital health services (Consent 1) and your consent for voice recording (Consent 3). You may refuse this consent without affecting your care.

2.2 AI Systems and Third-Party Processors

You are informed that the following third-party AI systems may process your clinical data:

• OpenAI, Inc. — Provides AI language models (GPT) for clinical note generation, and Whisper for voice transcription. Location: United States. BAA: executed.
• Google LLC — Provides Gemini AI models for clinical note generation and analysis. Location: United States.
• ORIS — A clinical AI system providing healthcare-specific decision support, task prioritization, and clinical workflow automation with safety guardrails (emergency detection, content blocking, off-topic filtering, rate limiting). Location: United States.

AI services are accessed through LiteLLM, a unified API gateway. A complete list of all data processors is maintained on our Subprocessor List page.

2.3 What AI Does With Your Data

When AI-assisted documentation is used for your encounter, the following processing occurs:

• Transcription: If your encounter is recorded (with separate consent — see Consent 3), the audio is transcribed to text using AI speech recognition (OpenAI Whisper).
• Clinical note generation: AI generates structured SOAP notes (Subjective, Objective, Assessment, Plan) from the transcript or encounter data.
• Diagnostic suggestions: AI suggests ICD-10 diagnosis codes with confidence scores based on the encounter content. These are suggestions only — your provider makes all diagnostic decisions.
• Visit summaries: AI generates a narrative summary of your clinical encounter.
• Problem list suggestions: AI may suggest additions to your clinical problem list based on the encounter.
• Follow-up recommendations: AI may suggest follow-up actions, timeframes, and assignees.
• Task prioritization: ORIS AI generates daily task runbooks for your care team, prioritizing clinical actions based on patient needs.

2.4 Human Review Requirement

All AI-generated clinical content is labeled "AI_DRAFT — REQUIRES PROVIDER REVIEW" and CANNOT become part of your medical record until a licensed healthcare provider has reviewed and signed it. AI-generated reports progress through a mandatory lifecycle: draft → reviewed → signed. Only providers with full clinical chart access (Physician, Nurse Practitioner, or Physician Assistant) can sign AI-generated reports. Signing is irreversible and indicates that the provider has reviewed the content and accepts clinical responsibility for its accuracy.

In accordance with California AB 3030 (Cal. Health & Safety Code §1279.6), AI-generated outputs are intended to assist — not replace — licensed healthcare professionals in clinical decision-making.

2.5 Data Protection for AI Processing

Before your clinical data reaches third-party AI services, it is processed through Rymeda's PHI redaction pipeline, which uses multi-stage machine learning-powered entity recognition to detect and redact Protected Health Information where technically feasible. All data transmitted to AI services is encrypted using TLS 1.3. Rymeda does not authorize any third-party AI provider to use your data for model training purposes. AI model version identifiers and generation timestamps are tracked for full provenance.

2.6 Your Right to Opt Out

You have the right to opt out of AI processing at any time — either on a per-encounter basis or globally for all future encounters. If you opt out:

• No AI transcription, note generation, or diagnostic suggestion will be performed on your encounter data.
• Your provider will document your encounter manually.
• You will continue to receive the same quality of care.
• Your access to all other platform features is unaffected.

You may also contest any AI-generated content in your medical record and request that it be amended or removed. Contact your provider or legal@rymeda.com.

2.7 Limitations

AI technology has limitations. AI-generated content may contain errors, omissions, or inaccuracies. AI does not understand context the way a human clinician does. AI-generated ICD-10 codes and diagnoses are suggestions with confidence scores and may not reflect the full clinical picture. This is why all AI content requires human provider review before it becomes part of your medical record. Rymeda disclaims all warranties regarding the accuracy of AI-generated clinical content. Your provider — not Rymeda and not the AI — is responsible for clinical decisions.

4.1 What Is Telehealth

Telehealth is the delivery of healthcare services through electronic communication technologies when you and your healthcare provider are not in the same physical location. In accordance with California Business and Professions Code §2290.5, this consent is required separately from your consent for voice recording (Consent 3) and all other consents before telehealth services begin.

4.2 Nature of Telehealth Services

Through the Rymeda platform, your healthcare provider may offer telehealth appointments for initial visits, follow-ups, urgent consultations, and ongoing care. Telehealth services may include real-time audio and video consultations, asynchronous secure messaging, review and discussion of clinical records, and remote monitoring and follow-up.

4.3 Benefits and Risks

Potential benefits include improved access to care (especially in underserved areas), reduced travel time and expense, and greater scheduling flexibility.

Potential risks and limitations include:

• Telehealth cannot fully replicate an in-person examination. Some conditions may require in-person evaluation.
• Technology failures (internet disruption, audio/video issues) may interrupt or prevent the encounter.
• Despite encryption and security measures, electronic communications carry some inherent risk of interception.
• Your provider may determine during a telehealth encounter that an in-person visit is necessary.
• In an emergency, telehealth is not a substitute for calling 911 or going to your nearest emergency department.

4.4 Technology Requirements

Telehealth services require a device with audio and video capability, a stable internet connection, and a private location where you can speak freely. You are responsible for ensuring your technology meets these requirements. The Rymeda platform encrypts all telehealth communications using TLS 1.3 and implements the security measures described on our Security page.

4.5 Emergency Protocols

Telehealth is NOT appropriate for medical emergencies. If you experience a medical emergency during or outside of a telehealth encounter, call 911 immediately or go to your nearest emergency department. Before your telehealth encounter begins, confirm your physical location with your provider so that emergency services can be dispatched if necessary.

4.6 Provider Licensing

Your healthcare provider must be licensed in the state where you are physically located at the time of the telehealth encounter. Provider credentials are verified through Rymeda's NPI/NPPES validation system and ongoing license monitoring. You may request to see your provider's credentials and licensing information at any time.

4.7 Recording During Telehealth

If your provider wishes to record a telehealth encounter, separate recording consent (Consent 3) is required. Telehealth consent does NOT authorize recording. These are two separate consents that cannot be combined, in compliance with California Penal Code §632 and California Business and Professions Code §2290.5.

4.8 Your Rights

You have the right to withdraw this consent at any time, either before or during a telehealth encounter, and request an in-person visit instead. You have the right to all information you would receive during an in-person visit. Your medical records from telehealth encounters are part of your medical record and are subject to the same protections and your same rights as described in our Notice of Privacy Practices. Telehealth services may also be eligible for reimbursement under California Health and Safety Code §1374.13.

5.1 Purpose

This authorization permits the disclosure of your Protected Health Information (PHI) to a specific recipient for a specific purpose. This authorization complies with the requirements of 45 CFR §164.508 and, for California residents, the Confidentiality of Medical Information Act (Cal. Civ. Code §56.11).

5.2 Required Elements

A valid authorization for release of information must include all of the following:

• Specific information to be disclosed: Description of the PHI authorized for release (e.g., clinical notes, lab results, medication list, specific date range, specific diagnosis).
• Recipient: The name and address of the person or entity authorized to receive the PHI.
• Purpose: A description of the purpose of the disclosure (e.g., continuity of care, insurance claim, legal proceeding, personal request).
• Expiration: An expiration date or event after which the authorization is no longer valid. If no expiration is stated, the authorization expires one (1) year from the date of signature.
• Signature and date: Your signature (or your authorized representative's signature) and the date of signing.

5.3 Your Right to Revoke

You may revoke this authorization at any time by submitting a written request to your healthcare provider or to legal@rymeda.com. Revocation is effective upon receipt and applies prospectively only — it does not apply to information already disclosed in reliance on your authorization.

5.4 Non-Conditioning

Your treatment, payment, enrollment, or eligibility for benefits will NOT be conditioned on providing this authorization, except (a) where the authorization is for research-related treatment, or (b) where the disclosure is for the purpose of creating PHI for a third party and the authorization relates to that purpose (45 CFR §164.508(b)(4)).

5.5 Re-Disclosure Warning

Once your PHI is disclosed pursuant to this authorization, it may no longer be protected by HIPAA if the recipient is not a Covered Entity or Business Associate. Information disclosed may potentially be subject to re-disclosure by the recipient and may no longer be protected by federal privacy regulations.

6.1 Purpose

This consent authorizes the sharing of your clinical information among the members of your care team for the purpose of coordinating your care. On the Rymeda platform, providers within the same organization may access your clinical data based on the relationship type (primary, consulting, or referred) established between you and each provider, subject to role-based access controls.

6.2 Scope of Shared Information

The following information may be shared among your authorized care team members within the same organization:

• Clinical chart: problem lists, medications, allergies, vital signs, lab results, and treatment plans.
• Clinical notes: SOAP notes, progress notes, intake notes, and discharge summaries.
• Voice note transcripts and AI-generated reports (if you have consented to Consents 2 and 3).
• Appointment history and scheduling information.
• Secure messages related to your care.
• Documents and attachments in your clinical record.

6.3 Access by Role

Not all care team members have the same level of access. Clinical chart access follows the role matrix described in our Notice of Privacy Practices: Physicians, NPs, and PAs have full access; RNs and Therapists have scoped access (own notes and assigned patients); Billers access billing data only; Front Desk accesses scheduling only; Org Admins and Owners have no clinical chart access. The minimum necessary standard applies to all sharing.

6.4 Cross-Organization Sharing

Data is NOT shared between organizations. The Rymeda platform enforces complete tenant data isolation with separate compute, storage, and network boundaries. There is zero cross-tenant data visibility. If you receive care from providers in different organizations on the Rymeda platform, your data in each organization is completely separate. Sharing between organizations requires a separate Authorization for Release of Information (Consent 5 above).

6.5 Your Right to Restrict

You have the right to request restrictions on the sharing of your clinical information with specific care team members. To request a restriction, contact your healthcare provider or legal@rymeda.com. While providers are not required to agree to all restriction requests, they must honor restrictions for disclosures to health plans for payment or operations when you have paid out of pocket in full (42 USC §17935(a)).

7.1 Purpose

When a patient is a minor (under 18 years of age), a parent or legal guardian must provide consent for healthcare services delivered through the Rymeda platform on behalf of the minor. This consent covers all applicable consents described on this page (Consents 1 through 6 and Consent 8) as applicable to the minor patient's care.

7.2 Guardian Requirements

The consenting individual must be the minor patient's:

• Biological or adoptive parent, or
• Court-appointed legal guardian, or
• Other individual with legal authority to consent to medical treatment on behalf of the minor under applicable state law.

Rymeda may request documentation of legal guardianship or parental authority if there is any question regarding the consenting individual's authority.

7.3 California-Specific: Age of Consent Exceptions

Under California law, minors may consent to certain healthcare services without parental authorization. These exceptions include, but are not limited to:

• Age 12 and older: May consent to mental health treatment and counseling (Cal. Fam. Code §6924), outpatient drug and alcohol treatment (Cal. Fam. Code §6929), and HIV testing and treatment (Cal. Health & Safety Code §121020).
• Age 15 and older: May consent to medical care related to a sexually transmitted infection (Cal. Fam. Code §6926).
• Emancipated minors: May consent to any medical treatment (Cal. Fam. Code §7050).
• Mature minor doctrine: California courts may recognize the right of a sufficiently mature minor to consent to medical treatment in certain circumstances.

Where a minor consents to care under one of these exceptions, the minor's PHI related to that care may be protected from parental access in accordance with applicable law. Healthcare providers using the Rymeda platform are responsible for determining whether a minor may consent independently under applicable state law.

7.4 Record Retention for Minors

Medical records for minor patients are retained for a minimum of seven (7) years from the date of creation or until the patient reaches age nineteen (19), whichever is later, in accordance with California medical record retention requirements.

7.5 Voice Recording for Minor Patients

Consent for voice recording (Consent 3) of a minor patient's clinical encounter must be provided by the parent or legal guardian. The two-party consent requirement under California Penal Code §632 applies to all parties present during the recorded encounter.

8.1 How to Revoke

You may revoke any consent or authorization described on this page at any time by submitting a written request to:

• Email: legal@rymeda.com
• Through your provider: Notify your healthcare provider directly, who will communicate the revocation through the platform.

Your revocation request should specify which consent(s) you are revoking (Consent 1, 2, 3, 4, 5, 6, or 7) or state that you wish to revoke all authorizations.

8.2 Effect of Revocation

Revocation applies prospectively only. It does not affect any use or disclosure of your PHI that occurred in reliance on your authorization before the revocation was received. Specific effects by consent:

• Consent 1 (General): Your provider may no longer deliver services through the Rymeda platform on your behalf. Alternative care arrangements should be discussed with your provider.
• Consent 2 (AI): No further AI processing of your clinical data. Your provider will document encounters manually.
• Consent 3 (Recording): No further recordings of your encounters. Prior recordings are retained per applicable retention schedules.
• Consent 4 (Telehealth): No further telehealth services; you may request in-person visits.
• Consent 5 (ROI): No further disclosures under the specific authorization. Information already disclosed cannot be retrieved.
• Consent 6 (Provider Sharing): Information already shared with your care team cannot be "un-shared," but future sharing will be restricted.

8.3 Data Retention After Revocation

Revocation of consent does not require deletion of PHI already collected. Clinical records, including voice recordings, transcripts, and AI-generated reports that were created while your consent was active, are retained in accordance with applicable medical record retention requirements and HIPAA (45 CFR §164.530(j)). You may separately request deletion of your personal data under applicable privacy laws — see our Privacy Policy for details.

8.4 Independence of Consents

Each consent on this page is independent. You may revoke any consent without affecting the others. For example, you may revoke your AI consent (Consent 2) while keeping your general consent (Consent 1) and telehealth consent (Consent 4) active. The only exception is that revoking Consent 1 (General) effectively prevents the delivery of services through the platform, which would make the other consents moot for platform-based care.