Zhealus Health Privacy Notice and Patient Data Practices
Important Summary
This Privacy Notice explains how Zhealus may collect, use, disclose, protect, and manage health-related information submitted through the Zhealus platform. It is intended to provide patient-facing transparency and describe Zhealus data practices. It does not replace the HIPAA Notice of Privacy Practices issued by a participating health care provider. When Zhealus is made available through a participating provider, Zhealus generally acts as a technology vendor and HIPAA business associate to that provider, not as the patient's treating provider or health plan.
Zhealus LLC ("Zhealus," "we," "our," or "us") provides a web-based patient follow-up and assessment platform that may be made available to patients through participating health care providers, clinics, urgent care centers, hospitals, or similar organizations ("Participating Providers"). Patients may submit information directly to Zhealus through the platform, including responses to follow-up questions after a health care encounter.
When Zhealus is offered through a Participating Provider and receives identifiable health information related to that provider's patient follow-up, quality, safety, care coordination, or operational activities, Zhealus treats that information as protected health information ("PHI") or electronic protected health information ("ePHI"), as applicable. Zhealus uses and discloses such information only as permitted by applicable law, its agreements with Participating Providers, and this Privacy Notice.
This notice is written in plain language where possible. It is not intended to create emergency medical services, replace direct communication with a clinician, or provide medical advice. Patients should contact their health care provider, call 911, or seek emergency care if they believe they are experiencing a medical emergency.
Quick Reference
| Topic | Zhealus Position |
|---|---|
| Role of Zhealus | Technology platform and, when engaged by a Participating Provider, generally a HIPAA business associate. |
| Patient information source | Patients may submit information directly through Zhealus web-based forms or assessments. |
| Provider relationship | Zhealus may share patient-specific responses, risk flags, reports, or callback-priority information with the Participating Provider. |
| SMS/text messages | Zhealus uses SMS primarily for general notifications and secure links. Zhealus does not intend to include PHI in SMS message content. |
| Data rights | Zhealus protects identifiable patient information and separately retains rights in its platform, workflows, scoring logic, reporting formats, analytics methods, de-identified data, and aggregated insights. |
| Medical care | Zhealus does not replace the treating provider and is not an emergency response service. |
1. When This Privacy Notice Applies
This Privacy Notice applies to information collected, received, maintained, used, or disclosed by Zhealus through its websites, applications, SMS-linked workflows, assessment tools, reporting tools, and related services.
This Privacy Notice is especially intended for patients who access Zhealus through a Participating Provider. If a Participating Provider makes Zhealus available to you, that provider may also maintain its own medical record and may issue its own HIPAA Notice of Privacy Practices. The provider's notice governs the provider's own uses and disclosures of information maintained by the provider.
This Privacy Notice does not apply to websites, systems, or services that Zhealus does not own, operate, or control, except where Zhealus uses approved subcontractors or service providers to support its platform under appropriate contractual safeguards.
2. Information We May Collect
Zhealus may collect or receive the following categories of information:
- Patient identifiers: such as name, phone number, unique patient or encounter identifiers, date of service, or other information needed to match a patient to the correct Participating Provider workflow.
- Contact information: such as mobile phone number, email address if used, communication preferences, and opt-in or opt-out records.
- Assessment responses: such as patient-reported recovery status, symptom updates, treatment response, positive or negative change selections, risk flags, or other answers submitted through the platform.
- Provider-related information: such as the Participating Provider, location, encounter context, or follow-up category if provided to or configured within Zhealus.
- Technical and operational data: such as time stamps, access logs, device/browser information, IP address, audit logs, message delivery status, and security event information.
- Reports and derived outputs: such as callback-priority summaries, risk stratification, status reports, quality reports, and operational analytics generated by the Zhealus platform.
Zhealus requests that patients submit only the information requested through the platform. Patients should not upload, copy, photograph, or transmit additional medical records, images, documents, or unrelated sensitive information unless Zhealus expressly enables and requests that function.
3. How We May Use Information
Zhealus may use patient information for the following purposes:
- Patient follow-up and provider support: to collect patient-reported information and make that information available to the Participating Provider or its designated care team.
- Risk detection and callback prioritization: to identify responses that may warrant review, follow-up, escalation, or prioritization by the Participating Provider.
- Quality improvement and health care operations support: to help Participating Providers evaluate service quality, recovery patterns, patient experience, follow-up needs, operational performance, and related care delivery processes.
- Platform operation and security: to operate, troubleshoot, monitor, secure, audit, and improve the Zhealus platform.
- Communication: to send general SMS notifications, reminders, secure links, service-related messages, or administrative communications.
- Compliance and legal obligations: to comply with applicable laws, contractual obligations, subpoenas, court orders, audits, investigations, or legally required reporting.
- De-identification and aggregation: to create de-identified, aggregated, or non-identifiable information that may be used to improve the platform, evaluate performance, support analytics, develop insights, and enhance proprietary technology, consistent with applicable law and contractual obligations.
4. How We May Disclose Information
Zhealus may disclose information in the following ways:
- To Participating Providers: Zhealus may share patient-specific assessment responses, callback-priority information, reports, risk flags, or related outputs with the Participating Provider that made the Zhealus workflow available to the patient.
- To authorized provider workforce members: Zhealus may disclose information to designated provider personnel who are authorized to receive follow-up reports or patient status information.
- To subcontractors and service providers: Zhealus may use technology vendors or subcontractors that support hosting, databases, secure transmission, messaging, authentication, analytics, logging, or other platform operations. Where such vendors may handle PHI/ePHI, Zhealus uses appropriate contractual and security safeguards.
- As required or permitted by law: Zhealus may disclose information when required by federal, state, or local law; in response to valid legal process; for health oversight; for public health activities; or to prevent or lessen a serious and imminent threat to health or safety.
- With authorization: Zhealus may use or disclose information for other purposes if the patient or authorized representative provides a valid written authorization, where required.
- In de-identified or aggregated form: Zhealus may use or disclose de-identified, aggregated, or non-identifiable information in a manner that does not identify an individual patient, consistent with applicable law and contractual commitments.
Zhealus does not sell identifiable patient PHI. Zhealus does not use patient PHI for unrelated advertising or marketing without authorization where authorization is required by law.
5. Treatment, Payment, and Health Care Operations Context
Zhealus is not generally the treating provider and does not bill patients or their insurers for clinical care. However, when Zhealus supports a Participating Provider, patient information may be used or disclosed in ways that support the provider's treatment, health care operations, quality assurance, care coordination, patient safety, risk management, and related activities.
Zhealus does not intend to use patient PHI to collect payment from patients. Zhealus generally contracts with Participating Providers or other business customers for use of the platform. Zhealus does not request patient insurance information unless a specific workflow requires it and appropriate safeguards are in place.
Zhealus may support treatment-related communication by transmitting patient responses, reports, or flags to the Participating Provider. The Participating Provider remains responsible for clinical judgment, treatment decisions, medical advice, diagnosis, prescribing, and patient care.
6. SMS and Electronic Communications
Zhealus may use SMS text messages to provide general notices, reminders, service updates, opt-in or opt-out communications, and links to the secure web-based platform.
Zhealus designs SMS messages so that the text message content itself does not include PHI whenever reasonably practicable. Patients should understand that ordinary SMS messaging may not provide the same level of privacy or security as a secure web-based application.
Patients should access the secure link to provide assessment responses. Patients should not reply to SMS messages with detailed medical information unless Zhealus expressly instructs them to do so through an approved workflow.
Message and data rates may apply depending on the patient's mobile carrier and plan. Patients may opt out of SMS messages according to the instructions provided in the message or by contacting Zhealus or the Participating Provider.
7. Data Protection and Security Practices
Zhealus uses administrative, technical, and physical safeguards intended to protect PHI/ePHI and other sensitive information. These safeguards may include:
- encryption in transit and, where appropriate, encryption at rest;
- role-based access controls;
- multi-factor authentication for administrative access where appropriate;
- audit logging and access monitoring;
- minimum necessary access practices;
- secure vendor and subcontractor management;
- incident response and breach notification procedures;
- data retention and deletion practices;
- periodic review of privacy and security controls.
No technology platform can guarantee absolute security. Zhealus works to reduce privacy and security risk through reasonable safeguards, contractual controls, workforce training, and security-conscious system design.
8. De-identified Data, Aggregated Data, and Proprietary Platform Rights
Zhealus independently develops and maintains its technology platform, software, assessment workflows, scoring logic, risk stratification methods, reporting formats, data structures, analytics processes, and related intellectual property.
Zhealus may use de-identified, aggregated, or non-identifiable information to improve services, develop analytics, evaluate platform performance, support quality improvement, identify trends, enhance proprietary technology, and create benchmarking or operational insights, consistent with applicable law and contractual obligations.
De-identified or aggregated information is intended to remove or avoid patient-identifiable information. Zhealus will not attempt to re-identify de-identified information except as permitted by law, contract, or compliance requirements.
Nothing in this Privacy Notice should be read to mean that Zhealus claims unrestricted ownership of identifiable patient PHI. Identifiable patient information is handled according to applicable law, the applicable provider relationship, and contractual obligations.
9. Patient Rights and Requests
Patients may have rights regarding their health information under HIPAA, state privacy laws, consumer health privacy laws, or other applicable laws. Some rights may need to be exercised through the Participating Provider because the provider maintains the legal medical record and directs certain uses of PHI.
Where applicable, and subject to legal and contractual limits, patients may request:
- access to information maintained by Zhealus;
- a copy of information maintained by Zhealus;
- correction or amendment of information believed to be incorrect or incomplete;
- limitations on certain uses or disclosures;
- an accounting of certain disclosures;
- confidential communication preferences where Zhealus supports such preferences;
- revocation of an authorization previously given, where applicable;
- information about how to file a privacy complaint.
Zhealus may direct the patient to the Participating Provider when the request relates to the provider's medical record, treatment record, billing record, or designated record set. Zhealus may also need to verify the identity and authority of the person making the request before responding.
10. Access, Amendment, and Accounting Requests
To request access, amendment, or an accounting of certain disclosures for information maintained by Zhealus, contact Zhealus in writing at admin@zhealushealth.com. The request should describe the information requested, the Participating Provider involved if known, the approximate date of service or assessment, and how Zhealus may contact the requester.
Zhealus may deny or limit a request where permitted by law, including where the information is accurate and complete, was not created by Zhealus, is not maintained by or for Zhealus, is not available for access under applicable law, or is controlled by the Participating Provider. If a request is denied, Zhealus will provide information about any review or appeal rights where legally required.
Zhealus may charge a reasonable, cost-based fee for copies where permitted by law. Zhealus will notify the requester before imposing a fee when required.
11. Required, Permitted, and Special Disclosures
Zhealus may use or disclose PHI when required or permitted by law, including in the following circumstances:
- Public health: to public health authorities authorized by law to receive information for preventing or controlling disease, injury, disability, or other public health activities.
- Health oversight: to health oversight agencies for audits, investigations, inspections, licensure, compliance reviews, or other legally authorized oversight activities.
- Legal proceedings: in response to a court order, administrative order, subpoena, discovery request, or other lawful process, subject to applicable protections.
- Law enforcement: to law enforcement officials when required or permitted by law.
- Serious threat to health or safety: to persons or organizations able to help prevent or lessen a serious and imminent threat to the health or safety of a person or the public.
- Workers' compensation: as authorized by and to the extent necessary to comply with workers' compensation or similar laws.
- Coroners, medical examiners, and funeral directors: as permitted or required by law.
- Military, national security, and correctional institutions: as permitted or required by law for authorized governmental, correctional, or security purposes.
These disclosures are expected to be uncommon for Zhealus, but they are included for transparency and legal completeness.
12. Research, Product Development, and Analytics
Zhealus may conduct or support analytics, product development, quality improvement, and research-related activities consistent with applicable law and contractual obligations.
If identifiable PHI is used for research that requires patient authorization, Zhealus will obtain or rely on a valid authorization unless an Institutional Review Board, Privacy Board, or other legally recognized mechanism permits a waiver or alteration of authorization. Zhealus may use de-identified or aggregated information for analytics, improvement, benchmarking, and development where permitted by law and contract.
13. Data Retention and Deletion
Zhealus retains information for the period necessary to provide services, comply with legal and contractual obligations, support audit and security needs, resolve disputes, and operate the platform. Retention periods may vary depending on the Participating Provider relationship, applicable law, and the type of information involved.
When information is no longer needed, Zhealus will delete, return, de-identify, or securely retain it according to applicable law, contractual obligations, and operational requirements.
14. Relationship to Participating Provider Notices and Agreements
This Privacy Notice does not replace a Participating Provider's HIPAA Notice of Privacy Practices. Patients should contact their Participating Provider for questions about the provider's medical record, treatment decisions, billing records, clinical advice, provider privacy practices, or provider-controlled health information.
When Zhealus acts as a business associate, its use and disclosure of PHI are also governed by the applicable Business Associate Agreement or other written agreement with the Participating Provider. If this Privacy Notice and a Business Associate Agreement conflict regarding PHI handled for a Participating Provider, the Business Associate Agreement and applicable law will control.
15. Complaints and Questions
Patients may contact Zhealus with privacy questions, requests, or complaints at:
Zhealus LLC
Email: admin@zhealushealth.com
Patients may also contact the Participating Provider regarding information maintained by that provider. Patients will not be penalized or retaliated against for filing a privacy complaint.
If a patient believes their HIPAA rights have been violated, they may also file a complaint with the U.S. Department of Health and Human Services, Office for Civil Rights, where applicable.
16. Changes to This Privacy Notice
Zhealus may revise this Privacy Notice from time to time. The revised notice will apply to information Zhealus already maintains as well as information received after the revision date, to the extent permitted by law and contract. Zhealus will make the current version available through its website or application and may provide additional notice where legally required or operationally appropriate.
