Notice of Privacy Practices

Heartili Inc. is generally a technology platform and not a healthcare provider.

However, when we work with covered entities, we may act as a Business Associate under HIPAA.

In those situations:

• We handle PHI only as permitted by our Business Associate Agreement (BAA)
• We follow HIPAA's Privacy, Security, and Breach Notification Rules
• The covered entity remains responsible for your care and primary HIPAA notices

If you use Heartili directly as a consumer without a provider partnership, this Notice does not apply. Please refer to our general Privacy Policy instead.

When acting as a Business Associate, we may receive or create PHI such as:

• Identifying information (name, date of birth, contact details)
• Health and wellness data
• Care coordination information
• Reports, summaries, or visit preparation materials
• Device-generated or user-entered health data

We may use or disclose PHI only as permitted by HIPAA and our agreements.

• Provide care coordination tools
• Generate summaries, insights, or reports requested by providers
• Support quality improvement and system performance
• Enable secure communication and data exchange

• Maintain and operate our technology
• Ensure security and compliance
• Respond to support requests from covered entities

• Federal or state law
• Court orders or lawful processes
• Health oversight activities

De-identified data may be used for analytics, research, or product improvement.

We use appropriate administrative, technical, and physical safeguards, including:

• Encryption of PHI in transit and at rest where appropriate
• Role-based access controls
• Audit logging and monitoring
• Workforce training and compliance procedures

When Heartili acts as a Business Associate, you have rights under HIPAA, which are generally exercised through the covered entity (your provider or health plan).

These rights include:

Right to Access

You may request access to your PHI through your healthcare provider.

Right to Amend

You may request corrections to your PHI if you believe it is inaccurate or incomplete.

Right to an Accounting of Disclosures

You may request a list of certain disclosures of your PHI.

Right to Restrict Uses and Disclosures

You may request restrictions on certain uses or disclosures, subject to provider approval.

If a breach of unsecured PHI occurs:

• We will notify the covered entity without unreasonable delay
• The covered entity is responsible for notifying affected individuals as required by HIPAA
• We will cooperate fully in investigation and mitigation efforts

When acting as a Business Associate, we are required to:

• Maintain the privacy and security of PHI
• Use PHI only as permitted by law and contract
• Ensure subcontractors also protect PHI
• Report privacy or security incidents as required

We may update this Notice from time to time to reflect changes in law or operations.

Updated versions will be made available to covered entity partners.

If you believe your privacy rights have been violated:

• Contact your healthcare provider or health plan directly
• You may also contact us using the information below

You may file a complaint with the U.S. Department of Health and Human Services without fear of retaliation.