Effective Date: April 18, 2026
THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
Notice of Privacy Practices pursuant to 45 C.F.R. § 164.520
This Notice is provided by Biohackr Health Corp (“Biohackr Health,” “we,” “us,” or “our”), with offices at 540 Bryant Street, Palo Alto, CA 94301 and 1877 Union Street, San Francisco, CA 94123.
Our Duties
We are required by law to maintain the privacy of your Protected Health Information (“PHI”), to provide you with this Notice of our legal duties and privacy practices with respect to your PHI, and to notify affected individuals following a breach of unsecured PHI.
PHI consists of individually identifiable health information, which may include demographic information we collect from you or create or receive from another health care provider, a health plan, your employer, or a health care clearinghouse, and that relates to: (1) your past, present, or future physical or mental health or condition; (2) the provision of health care to you; or (3) the past, present, or future payment for the provision of health care to you.
We are required to abide by the terms of our Notice of Privacy Practices currently in effect. We reserve the right to change this Notice at any time and to make the revised Notice effective for all PHI we maintain. We will provide you with a copy upon your request, keep a copy at the registration desk, and post the Notice on our website at biohackr.health.
In addition to HIPAA, California law, including the Confidentiality of Medical Information Act (CMIA), may provide additional protections for your medical information. Where California law is more protective than HIPAA, we will follow California law.
Examples of Uses and Disclosures of Your PHI Relating to Treatment, Payment, and Operations
HIPAA privacy regulations give us the right to use and disclose your PHI without your consent to carry out (i) treatment, (ii) payment, and (iii) health care operations.
Treatment. We use and disclose your PHI to provide, coordinate, and manage your health care and related services. We may disclose your PHI to other providers who may be treating you, including consulting physicians, specialists, laboratories, and pharmacies involved in your care.
Payment. We may use your PHI to bill and collect payment for the services you receive, including processing self-pay charges, providing receipts or billing statements, and working with collection agencies that assist us.
Health Care Operations. We use your PHI to support our business activities, including quality assessment, provider credentialing, training, accreditation, legal services, auditing, and general administration. This may include allowing our auditors, consultants, or attorneys access to your PHI to audit our claims and evaluate our staff.
Business Associates. We may share your PHI with Business Associates who perform services on our behalf, including billing, electronic health records and scheduling, customer relationship management, secure communications, and information technology vendors. Each Business Associate is bound by a written agreement requiring them to safeguard your PHI consistent with HIPAA.
Some categories of information, if we receive them, may be subject to more restrictive federal or California laws than general PHI, and we will follow the more protective law where required.
Potential for Redisclosure
Information we disclose as permitted or required by HIPAA may be redisclosed by the recipient and may no longer be protected by HIPAA. However, if the information is subject to other laws, including 42 C.F.R. Part 2 or California law, those laws may impose additional restrictions on redisclosure.
Other Required or Permitted Uses and Disclosures of Your PHI
Appointment Reminders. We may contact you by phone, text message, email, or mail to remind you of appointments. We may leave a message stating the name of our clinic, the date and time of the appointment, and the address of the clinic where the appointment is scheduled.
Treatment Alternatives and Health-Related Services. We may contact you with information about treatment alternatives, follow-up care, care coordination, refill-related information, or health-related services that are related to your care, as permitted by law. We will obtain your written authorization before using or disclosing your PHI for communications that constitute marketing when authorization is required by HIPAA.
As Required by Law. We may use or disclose your PHI when required by applicable federal or California law, but only to the extent the law requires and only after we verify that all legal conditions for the disclosure have been satisfied. Some requests involving reproductive health care or records subject to 42 C.F.R. Part 2 are prohibited or require additional protections, including an attestation, patient consent, or a qualifying court order.
To Avert a Serious Threat to Public Health or Safety. We may disclose your PHI to public health authorities for the purpose of controlling disease, injury, or disability, reporting births and deaths, and reporting reactions to medications.
Workers’ Compensation. We may disclose your PHI for workers’ compensation or similar programs that provide benefits for work-related injuries or illness.
Health Oversight Activities. We may disclose your PHI to a health oversight agency for activities authorized by law, including audits, investigations, inspections, and licensure.
Coroners, Medical Examiners, and Funeral Directors. We may disclose PHI to a coroner or medical examiner for purposes of identification, determining cause of death, or other duties as authorized by law.
Inmates. If you are an inmate of a correctional institution or under the custody of a law enforcement official, we may disclose your PHI to the institution or official as permitted by HIPAA.
Reproductive Health Care Privacy
Federal law prohibits us from using or disclosing your PHI for any of the following purposes when the reproductive health care at issue was lawful under the circumstances in which it was provided:
- To conduct a criminal, civil, or administrative investigation into any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care
- To impose criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care
- To identify any person for either of those purposes
Example. If a law enforcement agency asks us for records to identify a patient who sought lawful contraception, fertility care, pregnancy-related care, or pregnancy-loss care for the purpose of investigating that patient, we will not use or disclose PHI for that prohibited purpose.
Attestation Requirement for Certain Requests. Before we disclose PHI potentially related to reproductive health care in response to certain requests, we are required by law to obtain a signed attestation from the requester that the requested use or disclosure is not for a prohibited purpose. The attestation requirement applies to requests made for:
- Health oversight activities
- Judicial and administrative proceedings
- Law enforcement purposes
- Disclosures to coroners or medical examiners
Example. If we receive a subpoena, law-enforcement demand, or oversight request seeking records that may relate to reproductive health care, we will require a signed attestation before making any disclosure when the law requires one.
For purposes of this Notice, reproductive health care includes, but is not limited to, contraception, pregnancy-related care, miscarriage management, fertility and infertility care, and other care affecting the reproductive system and its functions.
If the reproductive health care at issue was provided by someone other than Biohackr Health, we will presume the care was lawful unless we have actual knowledge that it was not lawful under the circumstances in which it was provided, or we receive factual information from the requester establishing a substantial factual basis that it was not lawful under those circumstances.
Substance Use Disorder Records Subject to 42 C.F.R. Part 2
Biohackr Health does not operate as a Part 2 program and does not directly provide substance use disorder diagnosis, treatment, or referral services as a Part 2 program. However, if we create, receive, or maintain records that are subject to 42 C.F.R. Part 2, those records receive additional federal confidentiality protections.
When Part 2 applies, uses and disclosures of those records are more limited than uses and disclosures of general PHI. In many cases, Part 2 records may be used and disclosed for treatment, payment, and health care operations if you have provided the consent required by Part 2. SUD counseling notes require a separate written consent except where specifically permitted by law.
If we disclose Part 2 records with your written consent, the disclosure will include a copy of your consent or a clear explanation of its scope, along with the following written notice required by federal law:
> “42 CFR part 2 prohibits unauthorized use or disclosure of these records.”
Part 2 records received from programs subject to Part 2, or testimony relaying the contents of such records, will not be used or disclosed in civil, criminal, administrative, or legislative proceedings against you unless the use or disclosure is based on your written consent or a court order after notice and an opportunity to be heard has been provided to you or the holder of the record, as required by Part 2. Any court order authorizing such use or disclosure must also be accompanied by a subpoena or other similar legal mandate before the record is used or disclosed.
Additional Rights Regarding Part 2 Records, If Applicable. If we receive or maintain records protected by 42 C.F.R. Part 2, you also have the right, as applicable by law, to:
- Request restrictions on disclosures made with prior consent for treatment, payment, and health care operations
- Request and obtain restrictions on disclosures to your health plan for services you paid for in full
- Receive an accounting of disclosures of electronic Part 2 records for the past three years, and an accounting of other consent-based disclosures as required by law
- Receive a list of disclosures by an intermediary for the past three years, where applicable
- Obtain a paper or electronic copy of this Notice
- Discuss this Notice with our Medical Director
Uses and Disclosures to Which You Have an Opportunity to Object
Others Involved in Your Care. We may disclose relevant portions of your PHI to a family member, relative, close friend, or any other person you identify as being involved in your medical care or payment for care. If you bring someone with you into an exam or treatment room, you will have identified that person to us as being involved in your care, and we may discuss your PHI in their presence unless you object. In an emergency, or when you are not capable of agreeing or objecting, we will use our professional judgment to disclose only PHI that is directly relevant to the person’s involvement in your care, and we will inform you and give you the opportunity to object to future disclosures as soon as possible.
Uses and Disclosures That Require Your Signed Authorization
Certain uses and disclosures of your PHI require your written authorization. These include:
- Uses and disclosures of PHI for marketing purposes
- Disclosures that constitute a sale of PHI
- Any other use or disclosure not described in this Notice
Your Right to Revoke Your Authorization
If you sign an authorization allowing us to use or disclose your PHI outside of the uses and disclosures described in this Notice, you may revoke that authorization at any time by notifying our Medical Director in writing. Your revocation will become effective as soon as we are reasonably able to process it, typically within five business days after we receive your written revocation. Your revocation will not affect any prior use or disclosure we made in reliance on your authorization before the effective date of revocation.
Your Right to Restrict Certain PHI to a Health Plan
You have the right to require that we restrict any disclosure of your PHI to a health plan regarding an item or service for which you (or someone on your behalf, other than a health plan) paid out-of-pocket in full. You must make this request in writing to our Medical Director. If you make such a request, we are required to honor it.
Notification Following a Breach of Unsecured PHI
We are required by law to notify affected individuals following a breach of unsecured PHI, including a description of what occurred, what we have done to investigate and mitigate the breach, and how to best protect yourself from potential harm.
Your Rights Related to PHI
In addition to the rights described above, you have the following rights:
Request an Amendment. You have the right to request that we amend your PHI if you believe it is incomplete or inaccurate. Your request must be in writing to our Medical Director and must include the reasoning that supports your request. We may deny your request if the information was not created by us, is not part of our designated record set, or if we determine the information is accurate and complete.
Request Restrictions. You have the right to request a restriction on how we use or disclose your PHI for treatment, payment, or health care operations. Your request must be in writing to our Medical Director. We are not required to agree to your request, except as described above regarding restrictions to health plans for services paid out-of-pocket in full.
Inspect and Copy Your Records. You have the right to inspect and obtain a copy of your PHI in your designated record set, including medical and billing records, subject to limited exceptions. Information compiled in reasonable anticipation of, or for use in, legal proceedings is excluded. For California patients, we will generally permit inspection during business hours within five working days after receiving a proper request, and we will generally provide copies within fifteen days after receiving a proper request, as required by California law. If your records are maintained electronically, you have the right to request an electronic copy and to direct us to send the copy to a third party. We may charge a reasonable, cost-based fee as permitted by law.
Accounting of Disclosures. You have the right to request a list of disclosures of your PHI we have made for purposes other than treatment, payment, or health care operations. Your request must be in writing and must specify the time period, which may not exceed six years. Your first request within any 12-month period will be free; we may charge a reasonable fee for additional requests within the same period.
Request Confidential Communications. You have the right to request that we communicate with you in a specific manner or at a specific location. For example, you may request that we contact you only at your work number or by mail at a specific address. Your request must be in writing and must specify how or where you wish to be contacted. We will accommodate all reasonable requests.
File a Complaint. If you believe your privacy rights have been violated, you may file a complaint with us by contacting our Medical Director using the contact information below. You may also file a complaint with the U.S. Department of Health and Human Services, Office for Civil Rights at 200 Independence Avenue SW, Washington, D.C. 20201, (877) 696-6775, or www.hhs.gov/ocr. We will not retaliate against you for filing a complaint.
Paper Copy of This Notice. You have the right to receive a paper copy of this Notice upon request, even if you have agreed to receive the Notice electronically.
California Privacy Rights
California law, including the Confidentiality of Medical Information Act, may provide additional protections for your medical information and may give you faster access rights to inspect or obtain copies of your records. To the extent your information is protected health information or medical information governed by HIPAA or California medical privacy law, certain rights under the California Consumer Privacy Act may not apply. If you have questions about your California privacy rights, please contact our Medical Director.
Changes to This Notice
We reserve the right to change this Notice at any time and to make the revised Notice effective for all PHI we maintain. If we make a material change, we will post the revised Notice at each of our clinic locations, on our website at biohackr.health, and provide a copy to any patient who requests one.
Contact Information
Medical Director: Lori Bluvas, MD
Biohackr Health Corp
540 Bryant Street, Palo Alto, CA 94301
1877 Union Street, San Francisco, CA 94123
Phone: (888) 551-6690
Email: [email protected]
You may contact our Medical Director with questions about this Notice, to exercise your rights, or to submit a privacy complaint.
Zenoti Intake Form — Acknowledgment Approach
The following is operational guidance, not part of the Notice itself.
Checkbox label to place on the Zenoti digital intake form:
☐ Notice of Privacy Practices — I acknowledge that Biohackr Health has provided its Notice of Privacy Practices to me, and that I have had the opportunity to review it. The full Notice is available at biohackr.health/notice-of-privacy-practices and upon request at the front desk.
How we handle it:
- The checkbox is presented to every new patient at digital intake
- If checked → acknowledgment is captured electronically and stored in the patient record (satisfies HIPAA § 164.520(c)(2)(ii)(A))
- If a patient declines to acknowledge, we still provide care. Front-desk staff document the patient’s refusal and the date in their record (satisfies HIPAA § 164.520(c)(2)(ii)(B), which requires documenting good-faith efforts when acknowledgment is not obtained)
- The NPP itself is always available to the patient on our website, in the waiting room, and upon request at the front desk, regardless of whether they check the box
Why we don’t block intake on an unchecked box: HIPAA does not permit a provider to refuse or delay treatment because a patient declines to sign the acknowledgment. We request it, document refusals, and move on.