HIPAA Notice of Privacy Practices

iConsult Health, Inc.

Effective Date: March 2026

THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.

1. Our Duties

iConsult Health, Inc. ("iConsult Health") operates as a Business Associate under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as amended by the Health Information Technology for Economic and Clinical Health Act (HITECH) and the Omnibus Rule. We are required by law to:

  • Maintain the privacy and security of your Protected Health Information (PHI).
  • Provide you with this Notice of our legal duties and privacy practices with respect to PHI.
  • Follow the terms of this Notice that are currently in effect.
  • Notify you if we are unable to agree to a requested restriction on how your information is used or disclosed.
  • Notify affected individuals following a breach of unsecured PHI, as required by the HITECH Act Breach Notification Rule.

We reserve the right to change the terms of this Notice and to make new provisions effective for all PHI we maintain. If we make material changes, we will post the revised Notice on the Platform and make it available upon request.

2. How We May Use and Disclose Your PHI

The following describes the ways we may use and disclose your Protected Health Information. For each category, we provide an explanation and, where applicable, an example.

For Treatment

We may use and disclose your PHI to the healthcare Providers using our Platform who are involved in your care. For example, when you submit a health intake form describing a workplace injury, our Platform makes that information available to the Provider assigned to your case so they can evaluate your condition, make clinical decisions, and coordinate your care.

For Payment

We may use and disclose your PHI as necessary for payment activities related to your occupational health services. This includes sharing information with workers' compensation insurance carriers, third-party administrators, or your employer's benefits administration as needed to process claims and authorize treatment.

For Healthcare Operations

We may use and disclose your PHI for operational activities that support the quality and efficiency of healthcare services provided through the Platform. This includes quality improvement initiatives, clinical training, auditing, compliance monitoring, and the development of AI classification models using de-identified data.

With Your Authorization

For uses and disclosures not described in this Notice, we will obtain your written authorization before using or disclosing your PHI. You may revoke any authorization in writing at any time. Revocation will not affect any actions already taken in reliance on the authorization.

As Required by Law

We will disclose your PHI when required to do so by federal, state, or local law. This includes disclosures to the U.S. Department of Health and Human Services (HHS) for compliance investigations.

3. AI-Assisted Classification

Unique to iConsult Health: AI Processing of PHI

As a core feature of our Platform, we use artificial intelligence (specifically, Anthropic's Claude large language models) to process PHI for the purpose of assisting licensed healthcare Providers with occupational health case management. This section describes how AI interacts with your health information.

What AI Processes

  • Intake Text: The narrative you provide describing your injury, illness, or health concern is processed by AI to generate preliminary classification suggestions, including injury type, body parts involved, urgency level, and OSHA recordability assessment.
  • Photographs: If you upload photographs with your intake, they are analyzed by AI (Claude Vision) to supplement the text-based classification. Photo analysis may include visual assessment notes and an authenticity score.
  • Case Data: When Providers use the AI copilot feature, the AI accesses case data in combination with a curated occupational health knowledge base (OSHA regulations, ACOEM guidelines) to answer clinical questions.

Safeguards for AI Processing

  • All AI classifications are reviewed by a licensed healthcare Provider before any clinical action is taken. AI does not make diagnoses or treatment decisions.
  • AI processing occurs through our contracted AI provider (Anthropic) under a Business Associate Agreement that requires Anthropic to maintain HIPAA-compliant safeguards.
  • PHI transmitted to the AI provider is encrypted in transit (TLS 1.3) and is not retained by the AI provider for model training purposes beyond the scope of our BAA.
  • Provider corrections to AI classifications are stored as training signals to improve accuracy. These corrections are maintained within our Platform and are not shared outside the Business Associate relationship.
  • All AI processing of PHI is logged in our audit trail with timestamps, User identifiers, and processing metadata for accountability and compliance review.

De-Identification for AI Improvement

We may use de-identified data (PHI from which all 18 HIPAA identifiers have been removed per the Safe Harbor method, or as confirmed by an Expert Determination) to improve AI classification accuracy and develop new Platform features. De-identified data is no longer considered PHI under HIPAA and is not subject to the restrictions in this Notice.

4. Special Situations

In addition to the uses and disclosures described above, we may use or disclose your PHI without your authorization in the following special circumstances, as permitted or required by law:

  • Workers' Compensation: We may disclose your PHI as authorized by and to the extent necessary to comply with laws relating to workers' compensation or similar programs that provide benefits for work-related injuries or illness.
  • OSHA Recordkeeping and Reporting: We may use and disclose your PHI to support your employer's compliance with Occupational Safety and Health Administration (OSHA) recordkeeping requirements, including OSHA 300 log entries, 300A annual summaries, and 301 incident reports. Severe injuries (hospitalization, amputation, loss of eye) are reported to OSHA as required by federal regulation.
  • Public Health Activities: We may disclose your PHI to public health authorities for the purpose of preventing or controlling disease, injury, or disability, including reporting of communicable diseases, work-related illnesses, and other public health surveillance activities.
  • Abuse and Neglect Reporting: We may disclose your PHI to appropriate government authorities if we believe you are a victim of abuse, neglect, or domestic violence, as required or authorized by law.
  • Legal Proceedings: We may disclose your PHI in response to a court order, subpoena, or discovery request in a judicial or administrative proceeding, subject to applicable legal protections and notice requirements.
  • Law Enforcement: We may disclose your PHI to law enforcement officials for law enforcement purposes as permitted by HIPAA, including to identify or locate a suspect, fugitive, material witness, or missing person.
  • To Avert a Serious Threat: We may use and disclose your PHI when necessary to prevent a serious and imminent threat to health or safety of a person or the public.
  • Military and Veterans: If you are a member of the Armed Forces, we may disclose your PHI as required by military command authorities.
  • Health Oversight Activities: We may disclose your PHI to health oversight agencies for activities authorized by law, including audits, investigations, inspections, and licensure actions.

5. Your Rights Regarding Your PHI

Under HIPAA, you have the following rights with respect to your Protected Health Information:

  • Right to Inspect and Copy: You have the right to inspect and obtain a copy of your PHI maintained by iConsult Health, including medical records, case files, and billing records. We may charge a reasonable, cost-based fee for copies. We will provide the requested information within thirty (30) days of receiving your written request. If the information is maintained electronically, you may request an electronic copy in a commonly used format.
  • Right to Request Amendment: You have the right to request that we amend your PHI if you believe it is incorrect or incomplete. We may deny your request in certain circumstances (for example, if the information was not created by us, is not part of our records, or is accurate and complete). If we deny your request, we will provide a written explanation.
  • Right to an Accounting of Disclosures: You have the right to request a list of certain disclosures we have made of your PHI. This accounting will not include disclosures made for treatment, payment, or healthcare operations, or disclosures made with your written authorization. We will provide one accounting per twelve-month period at no charge; subsequent requests may be subject to a reasonable fee.
  • Right to Request Restrictions: You have the right to request restrictions on certain uses and disclosures of your PHI. We are not required to agree to your request unless you ask us to restrict disclosures to a health plan for services you paid for in full out of pocket. If we agree to a restriction, we will honor it unless the information is needed for emergency treatment.
  • Right to Request Confidential Communications: You have the right to request that we communicate with you about health matters in a particular way or at a particular location. For example, you may ask that we only contact you at a specific email address. We will accommodate reasonable requests.
  • Right to a Paper Copy of This Notice: You have the right to obtain a paper copy of this Notice at any time, even if you previously agreed to receive it electronically. To obtain a paper copy, contact us using the information in Section 10.

To exercise any of these rights, submit a written request to privacy@iconsult.health or to the mailing address listed in Section 10.

6. Data Breach Notification

In the event of a breach of unsecured PHI, iConsult Health will comply with the HITECH Act Breach Notification Rule (45 CFR Part 164, Subpart D) and any applicable state breach notification laws.

  • Individual Notification: We will notify each individual whose unsecured PHI has been, or is reasonably believed to have been, accessed, acquired, used, or disclosed as a result of a breach, without unreasonable delay and in no case later than sixty (60) days following the discovery of the breach. Notification will be sent by first-class mail or, if the individual has agreed to electronic notice, by email.
  • HHS Notification: We will notify the U.S. Department of Health and Human Services (HHS) of the breach. If the breach affects 500 or more individuals, we will notify HHS without unreasonable delay and concurrently with individual notifications. If the breach affects fewer than 500 individuals, we will log the breach and report it to HHS annually.
  • Media Notification: If a breach affects more than 500 residents of a single state or jurisdiction, we will provide notice to prominent media outlets serving that state or jurisdiction without unreasonable delay and no later than sixty (60) days following discovery.
  • Content of Notification: Breach notifications will include a description of the breach, the types of information involved, steps individuals should take to protect themselves, what we are doing to investigate and mitigate the breach, and contact information for further inquiries.

7. Minimum Necessary Standard

iConsult Health applies the HIPAA Minimum Necessary standard to all uses, disclosures, and requests for PHI. This means we make reasonable efforts to limit the PHI used, disclosed, or requested to the minimum amount necessary to accomplish the intended purpose.

Our implementation of the Minimum Necessary standard includes:

  • Role-Based Access Control (RBAC): The Platform enforces role-based access so that Users can only view and interact with PHI appropriate to their role. For example, an Employer Administrator may see case status and aggregate analytics but cannot access detailed clinical notes; a Provider has access to the full clinical record for cases assigned to them.
  • Multi-Tenant Data Isolation: Each Tenant's data is logically isolated within the Platform. Users in one Tenant cannot access or view PHI belonging to another Tenant under any circumstances.
  • Purpose-Based Disclosure: When disclosing PHI to Business Associates (such as our AI provider or hosting infrastructure), we limit the data transmitted to what is reasonably necessary for the specific processing purpose.
  • Audit Trail: All PHI access is logged with the identity of the accessor, the data accessed, the timestamp, and the purpose, enabling post-hoc review of Minimum Necessary compliance.

The Minimum Necessary standard does not apply to disclosures made for treatment purposes, to the individual who is the subject of the information, pursuant to an individual's authorization, to HHS for compliance investigations, or as required by law.

8. Business Associates

iConsult Health engages certain third-party service providers ("Business Associates") who may receive, maintain, create, or transmit PHI on our behalf. We maintain Business Associate Agreements (BAAs) with all such entities, requiring them to:

  • Implement appropriate safeguards to prevent unauthorized use or disclosure of PHI
  • Report any security incidents or breaches of unsecured PHI
  • Ensure that any subcontractors who access PHI agree to the same restrictions
  • Make PHI available for individual access requests and amendment
  • Return or destroy PHI upon termination of the agreement

Our current Business Associates include:

Service Provider | Purpose | PHI Access | BAA Status
Anthropic | AI classification and natural language processing | Intake text, photos, case data (in transit only) | Executed
Railway | Application hosting infrastructure | All platform data (at rest and in transit) | Executed
Resend | Transactional email delivery | None (no PHI in email content) | Executed
Daily.co | Telemedicine video communication | Video/audio streams during sessions | Executed
Stripe | Payment processing | None (no PHI transmitted to Stripe) | N/A — No PHI

9. Complaints

If you believe your privacy rights have been violated or that iConsult Health has not followed the terms of this Notice, you have the right to file a complaint.

File a Complaint with iConsult Health

Contact our Privacy Officer at privacy@iconsult.health or by mail to the address listed in Section 10. We will investigate all complaints and respond within thirty (30) days.

File a Complaint with HHS

You also have the right to file a complaint with the U.S. Department of Health and Human Services Office for Civil Rights. Complaints can be filed online at www.hhs.gov/ocr/complaints or by contacting:

Office for Civil Rights

U.S. Department of Health and Human Services

200 Independence Avenue, S.W.

Washington, D.C. 20201

Toll-Free: 1-877-696-6775

You will not be retaliated against in any way for filing a complaint.

10. Contact & Effective Date

If you have questions about this Notice, wish to exercise your rights, or need additional information about our privacy practices, please contact us:

iConsult Health, Inc.

Privacy Officer: privacy@iconsult.health

Security Officer: security@iconsult.health

Contact us via email for mailing address.

Effective Date: This Notice is effective as of March 2026.

This Notice applies to all PHI created, received, maintained, or transmitted by iConsult Health on or after the effective date. We will make this Notice available on the Platform at /hipaa-notice and will provide a copy to any individual upon request.