Part 0: Definitions

Affiliated Medical Groups: Independent professional corporations that provide licensed medical services on behalf of Prana Health.

AI/Artificial Intelligence: Automated decision-making technology, including machine learning and large language models.

Anonymous Data: Data presented without identifying information as part of marketing or user-facing communications, though technical collection may enable re-identification through IP address, device, or other identifiers.

Business Associate: Third-party vendor with access to protected health information on Prana Health's behalf.

De-identified Data: Data that has had all identifiers removed and cannot reasonably be re-identified, in compliance with HIPAA de-identification standards.

Electronic Protected Health Information (ePHI): Protected health information that is stored or transmitted electronically.

Health Risk Score: Algorithmic assessment of user health status based on wearable data, symptom input, and other collected information.

HIPAA: Health Insurance Portability and Accountability Act of 1996.

LLM (Large Language Model): Advanced artificial intelligence system trained on large amounts of text data.

MSO (Management Services Organization): Prana AI's model of providing management services to medical providers.

Notice of Privacy Practices: This document.

PHI/Protected Health Information: Any information about a patient that can identify them and relates to their health status, medical treatment, or payment.

Telehealth: Remote healthcare services provided via electronic communications.

Wearable Devices: Fitness trackers, smartwatches, continuous health monitoring devices, and health information aggregators (Apple Health, Google Fit, Fitbit, Oura Ring, etc.) that collect biometric and health data.

Introduction and Commitment

Prana Health (referred to as "Prana," "we," "us," "our," or "Company") is committed to protecting the privacy and security of your health information and personal data. This comprehensive Privacy Policy and Notice of Privacy Practices ("Notice") describes:

• How we collect, use, maintain, and disclose your information
• Your rights regarding your information
• Our obligations to protect your privacy
• How to exercise your privacy rights and file complaints

This Notice applies to all information we collect through:

• Our mobile application (Prana Health App)
• Our website (https://pranadoc.com)
• Our telehealth services and affiliated provider network
• Direct patient interactions and health record integrations
• Wearable device connections and health app integrations
• Continuous background monitoring of your health data

Part 1: Information We Collect

1.1 Information Collection by User Type

We collect different categories of information depending on whether you use our services as a Guest User or Registered Member.

A. Guest Users (Unregistered)

Guest Users may access our AI Triage and Symptom Checker features without creating an account. For Guest Users, we collect:

Health Information:

• Symptoms and medical history you input into the AI
• Chat logs and queries during your session
• Clinical summaries generated by our AI system
• Diagnostic information you voluntarily provide

Technical Information:

• Session identifiers and temporary cookies
• IP address and general location data (to route requests to appropriate local providers)
• Device type and operating system
• Browser information and usage analytics
• Timestamp of access and session duration

B. Registered Members (Account Holders)

To save your medical history, integrate wearable devices, connect electronic health records (EHRs), or escalate care to a human physician, you must create a secure Registered Member account. For Registered Members, we collect:

Identity Information:

• Full legal name
• Date of birth
• Email address
• Phone number (required for two-factor authentication and care coordination)
• Emergency contact information (if provided)
• Insurance information (if applicable)
• Professional credentials (if you are a healthcare provider using our platform)

Comprehensive Health Information:

• Complete and persistent chat history with our AI system
• Medical records you authorize us to access from your EHR provider (via HIPAA-compliant EHR integrations such as Epic, Cerner, Athena, and other health information exchanges)
• Wearable device data (from Apple Health, Google Fit, Fitbit, Oura Ring, and similar health integrations)
• Genetic information (if you choose to share ancestry or genetic test results)
• Mental health information and psychological evaluations
• Reproductive health information
• Medication history and prescription information
• Allergy and intolerance records
• Clinical notes from our affiliated providers
• Test results and imaging reports
• Vaccination records
• Chronic condition management data

Biometric and Inferred Data (Continuously Monitored):

• Heart rate, sleep patterns, activity levels, and fitness metrics
• Health risk scores and algorithmic health predictions
• Inferred health conditions based on symptom analysis
• Behavioral health indicators

Payment and Billing Information:

• Credit card or other payment method details (processed securely via our third-party payment processor, Stripe; we do not store full payment card information)
• Billing address and insurance information
• Transaction history and payment records
• Subscription plan and service level details

Communication Information:

• Email communications you send us
• SMS messages and two-factor authentication messages
• Customer support inquiries and resolution records
• Feedback and survey responses

Usage and Analytics Data:

• Pages and features accessed within the platform
• Time spent on specific features
• Click-through rates and interaction patterns
• Search queries within the application
• Feature adoption and user journey analytics

1.2 Special Categories of Protected Health Information (PHI)

We collect and maintain the following special categories of sensitive health information:

HIPAA-Protected Health Information (PHI): All health information that identifies you or could reasonably be used to identify you is protected under the Health Insurance Portability and Accountability Act (HIPAA).

Reproductive Health Information: Information related to pregnancy, fertility services, contraception, abortion, and related healthcare services. Per the HIPAA Reproductive Health Privacy Rule (effective June 25, 2024, with compliance deadline February 16, 2026), we implement enhanced protections for this information.

Mental Health and Behavioral Information: Psychiatric evaluations, mental health diagnoses, psychotherapy notes, substance use disorder treatment information, and behavioral health assessments.

Genetic Information: DNA results, genetic ancestry data, family medical history, and carrier status information.

Information Protected Under State Laws: Several states have enacted laws treating wellness, biometric, and inferred health data as sensitive, even when not explicitly covered by HIPAA:

• Washington My Health My Data Act (MHMDA): Protects data "collected, derived, or inferred" from health applications, including wearable metrics and location data near reproductive health facilities
• California (CCPA/CPRA): Treats sensitive personal information (including health status and genetic data) with heightened protection
• New York: Protects genetic information under specific statutes
• Massachusetts: Protects biometric data and health information

1.3 Children's Privacy

Age Restriction: You must be 18 years of age or older to use Prana Health, regardless of whether you access our services as a Guest or Registered Member. We do not knowingly collect information from individuals under 18 years of age.

If we discover that we have collected information from someone under 18, we will delete such information immediately upon notification and provide notice to the individual (or their parent/guardian if identifiable).

Parental Consent: Parents or legal guardians may not create accounts on behalf of minors. If a parent believes their minor child has created an account, they may contact us at privacy@pranahealth.io to request deletion.

Part 2: How We Use Your Information

2.1 Primary Uses of Your Information

A. Healthcare Service Delivery

AI Triage and Symptom Assessment: We use the health information you provide to our AI "Doctor" technology to:

• Generate preliminary clinical assessments
• Suggest appropriate next steps (self-care, provider consultation, emergency care)
• Create clinical summaries for your records
• Identify potential serious conditions requiring immediate attention

This processing occurs for both Guest Users and Registered Members.

Provider Routing and Referrals: For Guest Users, we use your symptom information, location data, and insurance information to:

• Recommend appropriate local healthcare providers
• Direct you to telehealth services
• Facilitate warm handoffs to urgent care or emergency services when medically appropriate
• Route your information to in-network providers (only with your explicit consent)

Care Coordination: For Registered Members who request escalation to a human physician, we:

• Share your clinical AI summary with our Affiliated Medical Groups
• Provide access to your integrated medical records for provider review
• Facilitate communication between you and our licensed healthcare providers
• Maintain continuity of care across our platform and traditional healthcare systems

Prescription and Medication Management: We use your health information to:

• Facilitate electronic prescriptions from affiliated providers
• Check for drug interactions and contraindications
• Track medication adherence and efficacy
• Manage refill requests

B. AI Model Training and Improvement

De-identified Data Use for AI Development: We may use de-identified and aggregated health information from both Guest and Registered Member interactions to:

• Train and fine-tune our clinical AI models
• Validate AI algorithm accuracy against known diagnoses
• Improve symptom recognition and differential diagnosis capabilities
• Enhance natural language processing for medical terminology
• Identify patterns in population health trends

Data De-identification Standards: All data used for AI training is de-identified in compliance with HIPAA de-identification standards (Safe Harbor or Expert Determination method). De-identified data:

• Has all direct identifiers removed (name, date of birth, MRN, etc.)
• Has all indirect identifiers removed or aggregated
• Cannot be re-identified through reverse engineering

Your Choice to Opt Out: You may opt out of having your de-identified data used for AI training by contacting us at privacy@pranahealth.io. Your opt-out will not affect your access to clinical care.

C. Operations and Service Improvement

Platform Operations: We use your information to:

• Maintain and troubleshoot our platform
• Provide customer support and technical assistance
• Process your payments and billing
• Manage your account and login credentials
• Respond to your inquiries and requests

Service Analytics and Improvement: We use aggregated and de-identified data to:

• Analyze usage trends and user behavior patterns
• Identify and fix software bugs and system errors
• Optimize user experience and interface design
• Measure feature adoption and platform performance
• Conduct usability testing and A/B testing

Security and Fraud Prevention: We use your information to:

• Detect unauthorized access and potential security breaches
• Prevent fraud and identity theft
• Investigate suspicious account activity
• Monitor for violations of our Terms of Service
• Protect against DDoS attacks and other cyber threats

D. Legal and Compliance Obligations

Regulatory Compliance: We use your information to:

• Comply with HIPAA Privacy and Security Rules
• Meet state privacy law requirements (including the 8 new state privacy laws effective 2025-2026)
• Maintain required medical records and business records
• Respond to lawful government requests and subpoenas
• Report adverse events to regulatory authorities when required
• Conduct mandatory compliance training and audits

Medical Quality and Reporting: We use your information to:

• Report quality metrics to accrediting bodies
• Comply with state medical board requirements
• Maintain standards for our Affiliated Medical Groups
• Document informed consent for treatments
• Track health outcomes for clinical research purposes

E. Communication with You

Service Communications: We use your contact information to:

• Send appointment reminders and clinical updates
• Notify you of important changes to this Notice or our services
• Provide customer support and technical assistance
• Send necessary account notifications

Health-Related Communications: We use your health information to:

• Send medication refill reminders
• Provide test results and clinical updates
• Alert you to potential health risks based on your conditions
• Coordinate with you regarding treatment recommendations

Promotional Communications (with Consent): Only if you opt in, we may use your contact information to:

• Send newsletters and educational content about health topics
• Notify you about new features or services
• Provide personalized health recommendations
• Send wellness tips or preventive care information

You may opt out of promotional communications at any time by clicking "unsubscribe" in any email or contacting us at marketing@pranahealth.io.

SMS and Text Message Consent: If you provide a phone number and consent to SMS communications, you agree to:

• Receive secure service messages, appointment reminders, and clinical updates
• Receive two-factor authentication codes
• Receive emergency health alerts (if applicable)
• Receive automated health alerts based on wearable monitoring

You may withdraw SMS consent by texting STOP at any time. Standard message and data rates apply.

2.2 Real-Time Continuous Wearable Monitoring and Automated Health Alerts

Background Health Monitoring: We continuously monitor your wearable device data in the background, including:

• Heart rate, sleep patterns, activity levels, and fitness metrics
• Detection of unusual patterns (e.g., "sustained elevated resting heart rate for 2+ nights," "significant sleep pattern disruption," "activity level decrease")
• Real-time algorithmic analysis of trends compared to your baseline

Automated Health Alert Generation: When our algorithms detect patterns we classify as "unusual" or potentially concerning, we:

• Generate automated health alerts and send them to you via app notification, email, or SMS
• Alert you to patterns that may warrant medical attention

Legal Basis for Alerts: Automated alerts are generated as part of our core service offering and are provided to improve your health awareness and engagement with our platform. Alerts may also be used to measure user engagement and feature effectiveness (analytics purposes). You may opt out of automated health alerts at any time by adjusting your notification settings in the app or contacting privacy@pranahealth.io, though this may reduce the value of our continuous monitoring service.

Data Retention for Alert Triggers: We retain data points that triggered alerts for a minimum of 7 years (consistent with medical record retention requirements) to support clinical documentation and quality improvement. We retain baseline wearable data for continuous analysis and AI improvement.

2.3 Secondary and Conditional Uses

Marketing and Business Development: Subject to applicable state privacy laws, we may use de-identified data to:

• Develop case studies and success stories (only with written patient consent)
• Market our services to healthcare providers and health plans
• Conduct market research on healthcare trends
• Develop business partnerships

Merger, Acquisition, or Sale: If Prana is acquired, merged with another entity, or its assets are sold, your information may be transferred as part of that transaction. We will notify you of any such change and any choices you may have regarding your information.

Clinical Research: If you consent to participate in clinical research, your health information may be used to:

• Conduct peer-reviewed studies on AI clinical decision-making
• Validate diagnostic algorithms against clinical outcomes
• Publish research findings (in de-identified form)
• Present data at medical conferences

Part 3: Sharing Your Information

3.1 Disclosure to Healthcare Providers and Treatment Team

Affiliated Medical Groups: When you request escalation to a human physician or authorize treatment through our platform, we disclose your health information to:

• Licensed physicians and nurse practitioners affiliated with Prana Health
• Other healthcare providers you authorize us to contact
• Your primary care physician (if you authorize and provide contact information)
• Specialists and consultants you reference during your care

Your Authorization Controls Sharing: You may authorize or revoke access to specific data sources in your Account Settings under "Manage Data Sharing." You may limit disclosure to specific providers or specific types of information (e.g., "share medical history but not mental health information").

EHR Integrations and Third-Party Providers: When you connect your electronic health records (EHR) from providers like Epic, Cerner, Athena, and other health information exchanges:

• We access only the data categories you authorize
• We share relevant clinical information with your providers to facilitate care coordination
• We do not automatically share data without your explicit permission
• You may disconnect third-party integrations at any time, which stops further data sharing and access

Multi-System Revocation: If you disconnect an EHR integration, data sharing stops immediately for that provider system, but you may need to separately revoke access within each connected provider's system for complete deletion.

3.2 Disclosure to Business Associates

HIPAA Business Associates: We share your information with third-party vendors who provide services on our behalf and are contractually bound to protect your privacy under HIPAA Business Associate Agreements (BAAs), including:

Cloud Infrastructure:

• Amazon Web Services (AWS) for secure data hosting and computing
• Backup and disaster recovery services

AI and Large Language Model (LLM) Services:

• OpenAI for natural language processing and AI model inference
• Google Cloud AI services for diagnostic support
• Anthropic for advanced language understanding

EHR Integration Partners:

• Health information exchanges (HIEs)
• EHR vendors (Epic, Cerner, Athena, etc.)
• Health data aggregators (Apple Health, Google Fit integrations)

Payment Processing:

• Stripe (payment processor) - receives only payment card information necessary for transactions; does not receive health information

Communication and Customer Support:

• Telehealth platform providers
• SMS and email service providers
• Customer support and ticketing systems

Analytics and Compliance:

• HIPAA compliance and privacy monitoring vendors
• Cybersecurity and breach notification services
• Healthcare analytics platforms

All Business Associates sign written agreements contractually obligating them to:

• Use data only for specified purposes
• Maintain administrative, physical, and technical safeguards
• Report any security breaches immediately
• Return or destroy data upon contract termination
• Restrict subcontracting to other vendors

3.3 Permitted Disclosures Without Your Authorization

Under HIPAA and applicable law, we may disclose your health information without your authorization in the following situations:

Public Health and Safety:

• Report suspected child abuse, adult abuse, or domestic violence to appropriate authorities
• Report communicable disease exposures required by state law
• Report adverse events associated with medical devices
• Report health threats to public health authorities
• Comply with FDA requirements for medication safety reporting

Court Orders and Subpoenas:

• Respond to valid court orders, subpoenas, warrants, and legal process
• We will notify you of such requests unless prohibited by law
• We will attempt to negotiate limitations on disclosures to minimize intrusion

Law Enforcement:

• Respond to law enforcement requests for information necessary to locate a fugitive or missing person
• Provide information about suspected criminal activity
• Comply with lawful government investigations

Workers' Compensation:

• Disclose information necessary for workers' compensation claims and proceedings

Correctional and Institutional Care:

• Disclose information to correctional institutions or law enforcement when you are in custody

National Security:

• Respond to national security letters and terrorism investigations
• Disclose information for intelligence purposes as required by law

3.4 Restrictions on Disclosure - Data We Do NOT Share

We explicitly do NOT share your information for:

• Direct marketing by unaffiliated third parties
• Sale of your health information to data brokers
• Sale of your information for commercial purposes (except as required by law)
• Behavioral advertising or tracking by social media companies
• Disclosure to employers without your explicit authorization (and only what you authorize)

Part 4: Your Privacy Rights and Choices

4.1 HIPAA-Granted Patient Rights

If you are a covered individual under HIPAA, you have the following rights:

Right to Access Your Information (Access Right)

You have the right to inspect and obtain a copy of your health information maintained by Prana.

How to Request: Submit your request in writing to privacy@pranahealth.io with the subject line "Access Request." Include:

• Your full name and date of birth
• Description of the records you want to access
• Preferred format (electronic, paper, or both)

Response Time: We will respond within 30 days, or 60 days if we need to prepare records.

Fees: We will provide your information at no charge for the first copy. Additional copies may incur reasonable copying and postage fees.

Right to Electronic Format: You have the right to receive your information in electronic format (e.g., PDF, CSV) that allows you to transmit it to another provider (Right to Portability). We will provide your data export within 30 days of request in commonly used electronic formats.

Right to Amendment (Correction Right)

If you believe your health information is inaccurate or incomplete, you may request that we amend it.

How to Request: Submit your request in writing to privacy@pranahealth.io with the subject line "Amendment Request." Include:

• Your full name and date of birth
• The specific information you believe is inaccurate
• Your explanation of why the information is inaccurate
• The corrected information you are requesting

Review Process: We will review your request and determine whether to grant or deny it.

Denial Process: If we deny your request, we will provide you with a written explanation and your right to request a review or submit a written statement of disagreement.

Right to Request Restrictions (Opt-Out Rights)

You may request that we restrict how we use or disclose your information for treatment, payment, operations, or other purposes.

Restrictions We MUST Respect:

• Restrictions on disclosure to health plans if you pay entirely out of pocket for a service
• Restrictions on reproductive health information per the Reproductive Health Privacy Rule

Restrictions We May Respect:

• Request that we limit use/disclosure to specific people (e.g., family members, providers)
• Request that we not contact you at a certain phone number or address
• Request limitation on use for AI training (we will honor opt-out requests)
• Request opt-out of automated health alerts based on continuous wearable monitoring

How to Request: Contact us at privacy@pranahealth.io.

Right to Receive Confidential Communications

You have the right to request that we communicate with you in a specific manner or location (e.g., email only, call your work phone instead of home phone).

How to Request: Contact us in writing at privacy@pranahealth.io.

Right to Accounting of Disclosures

You have the right to receive an accounting of disclosures—a list of who we have shared your information with and why—for the past six years.

How to Request: Submit your request in writing to privacy@pranahealth.io with the subject line "Accounting of Disclosures Request."

Response Time: Within 30 days (or 60 days if we need to generate the report).

Limitations: The accounting does not need to include:

• Disclosures for treatment, payment, or healthcare operations
• Disclosures you authorized
• Disclosures to you personally
• Incidental disclosures
• Government-mandated disclosures

Right to File a Complaint

You have the right to file a complaint if you believe we have violated your privacy rights.

File a Complaint With Us:

• Send a written complaint to privacy@pranahealth.io
• Include your name, the date of the alleged violation, and description of the problem
• We will investigate and respond within 30 days

File a Complaint With the Government:

• U.S. Department of Health and Human Services, Office for Civil Rights (OCR)
• Website: https://www.hhs.gov/ocr/privacy/hipaa/complaints/index.html
• Mail: U.S. Department of Health and Human Services, Office for Civil Rights, 200 Independence Avenue, S.W., Washington, D.C. 20201
• Phone: 1-800-368-1019
• Email: ocrmail@hhs.gov
• You may file a complaint at any time; there is no time limit

4.2 State-Specific Privacy Rights and Multi-Jurisdictional Compliance

Prana Health Compliance Approach: We comply with the most restrictive state privacy laws applicable to our users and operations. If you are a resident of any of the following states or if we process your information as a resident of these states, you have enhanced privacy rights under applicable state law. We apply the highest standard of protection across all our operations.

California (CCPA/CPRA)

• Right to Know: You have the right to request what personal information we collect, the sources of that information, and our business or commercial purpose for collecting it.
• Right to Delete: You have the right to request that we delete personal information we have collected (subject to exceptions for medical retention laws).
• Right to Correct: You have the right to request correction of inaccurate personal information.
• Right to Opt-Out of Sale: You have the right to opt out of the "sale" or "sharing" of your personal information. We do not sell your health information.
• Right to Non-Discrimination: You have the right to receive non-discriminatory treatment for exercising your privacy rights.
• Right to Limit Use of Sensitive Personal Information: You may limit our use of sensitive personal information (including health data and genetic information) to providing you requested services.

How to Exercise: Submit a request to privacy@pranahealth.io. We will verify your identity and respond within 45 days.

Washington (My Health My Data Act - MHMDA)

• Right to Opt-In Consent: We must obtain your affirmative opt-in before using, sharing, or selling your health data collected, derived, or inferred from health applications and wearables.
• Prohibition on Geofencing: We will not use geofencing or location tracking within 1,750 feet of reproductive health facilities, drug treatment facilities, or other sensitive health locations.
• Right to Transparency: We must clearly disclose how your health data is used, shared, and sold.
• Right to Deletion: You have the right to request deletion of your health data.
• Right to Know Vendor Practices: We disclose our vendor list and their data practices.

How to Exercise: Contact privacy@pranahealth.io with your request. Effective March 31, 2024.

Additional State Privacy Laws

We also comply with privacy laws in New York (Genetic Information), Massachusetts (Biometric Information), Texas (Telemedicine Requirements), South Carolina (Remote Patient Monitoring), New Hampshire (SB 255 - effective January 1, 2025), Delaware (Personal Data Privacy Act - effective January 1, 2025), Iowa (Consumer Data Protection Act - effective January 1, 2025), Nebraska (Data Privacy Act - effective January 1, 2025), New Jersey (Data Protection Act - effective January 15, 2025), Tennessee (Privacy Act - effective July 1, 2025), Minnesota (Consumer Data Protection Act - effective July 15, 2025), and Maryland (Online Data Privacy Act - effective October 1, 2025).

Contact privacy@pranahealth.io for state-specific privacy information.

4.3 Exercising Your Rights

How to Submit Requests:

• Email: privacy@pranahealth.io
• Mail: Prana Health, Legal Department, 2261 Market Street STE 97240, San Francisco, CA 94114

What to Include:

• Your full name and date of birth
• Email address and phone number
• Type of request (access, amendment, deletion, opt-out, etc.)
• Specific details about your request
• Proof of identity (we may require this for verification)

Response Timeline:

• Access requests: 30 days (up to 60 days if complex)
• Deletion requests: 30 days
• Amendment requests: 30 days
• We will provide a copy of our response in writing

Appeal Process: If we deny your request, we will provide a written explanation and instructions for appealing the denial.

Part 5: Data Retention and Deletion

5.1 Guest User Data Retention

Guest Session Data: For Guest Users who do not create an account:

• Chat logs and symptom data are retained for 7-30 days for service delivery and quality assurance
• De-identified aggregate data may be retained indefinitely for AI model training
• Guest data is not persistent after session termination
• Re-identification Risk: IP address and device identifiers are retained with guest session data; users should not assume complete anonymity

5.2 Registered Member Data Retention

Medical Records: We retain clinical interaction records and medical information for a minimum of 7 years after your last encounter, as required by:

• State medical practice standards (varies by state; typically 5-7 years)
• HIPAA minimum requirements
• Medicare/Medicaid compliance requirements
• Medical malpractice statute of limitations

After 7 Years: Records may be destroyed after the minimum retention period, except:

• Records of patients under 18 at time of last encounter (retained until age 25)
• Records subject to pending litigation or investigation
• Records where the patient is deceased (retained per state law, typically 3-5 additional years)
• Records supporting ongoing care

5.3 Deletion Requests and Right to Be Forgotten

Right to Request Deletion: You may request deletion of your personal information, subject to legal retention requirements.

How to Request: Send a written request to privacy@pranahealth.io with the subject line "Deletion Request."

What We Will Delete:

• Personal identifiers (name, email, phone number)
• Payment information
• Account preferences and settings
• Non-medical information

What We Will NOT Delete:

• Medical records (required to be retained for 7 years minimum)
• Information required by law or regulation
• Information subject to ongoing litigation or investigation
• De-identified data used for AI training

Part 6: Data Security and Protection Measures

6.1 HIPAA Security Rule Compliance

Prana Health aligns with the HIPAA Security Rule and implements reasonable safeguards to protect your electronic protected health information (ePHI).

6.2 Administrative Safeguards

• Workforce Security: Unique user IDs and password requirements for all staff, mandatory privacy and security training, role-based access control
• Information Access Management: Minimum necessary principle, access logs, quarterly access reviews
• Security Awareness and Training: Annual HIPAA training, quarterly security awareness communications
• Security Incident Procedures: 24-hour security incident hotline, investigation protocol, risk assessment

6.3 Physical Safeguards

• Facility Access Controls: Restricted access to server rooms, biometric authentication, video surveillance
• Workstation Security: Automatic screen lockout, restrictions on downloading PHI to personal devices
• Device and Media Controls: Encryption of all portable devices, secure data removal before disposal

6.4 Technical Safeguards

• Encryption in Transit: All data transmitted to/from our platform uses Transport Layer Security (TLS 1.2 or higher)
• Encryption at Rest: All stored health information encrypted with Advanced Encryption Standard (AES-256)
• Unique User Authentication: Username and password required; multi-factor authentication (MFA) available and recommended
• Audit Controls: Comprehensive logging of all access to PHI, real-time monitoring, monthly audit log reviews

6.5 Network Security

• Advanced firewalls monitoring all network traffic
• Intrusion detection and prevention systems (IDS/IPS)
• DDoS protection and mitigation
• Regular vulnerability scanning (quarterly minimum)
• Annual penetration testing by third-party security firm

Part 7: Business Associate and Subcontractor Management

All third-party vendors that access PHI are bound by HIPAA Business Associate Agreements (BAAs) that require them to use PHI only for specified purposes, maintain safeguards, report breaches immediately, and return or destroy PHI upon contract termination.

Part 8: International Considerations

For EU, Swiss, and UK residents: Your health information is protected under applicable data protection laws (GDPR, UK GDPR). Contact privacy@pranahealth.io for jurisdiction-specific privacy terms.

Part 9: Consumer Health Data Breach Notification

If we discover a breach of security that compromises your personal health information, we will investigate immediately, assess scope, and notify affected individuals within required timeframes (typically within 60 days of discovery, or 24-48 hours for high-risk breaches). Notifications will include description of information involved, steps to protect yourself, and how to contact us.

Part 10: Medical Services and Affiliated Provider Disclaimers

10.1 MSO Model and Scope of Services

Prana AI Incorporated's Role: Technology platform operation, data security, HIPAA compliance, customer support, AI-powered symptom assessment, and continuous wearable monitoring.

Affiliated Medical Groups' Role: Medical diagnosis, clinical decision-making, prescription authorization, treatment recommendations, and licensed practice of medicine.

10.3 Clinical Validity Disclaimer

While our AI has been trained on extensive medical literature and clinical data, our AI is a tool to support, not replace, clinical judgment. Diagnoses and recommendations should be confirmed by a licensed healthcare provider. You should always consult with a licensed physician before making healthcare decisions. We are not liable for outcomes resulting from your reliance on AI recommendations without provider consultation.

Part 11: Policy Updates and Changes

We may update this Notice from time to time. We will indicate the date this Notice was last updated at the top.

Material Changes: If we make material changes to how we use or disclose your information, for Members we will notify you via email and provide 30 days to review before the change is effective. For Guests, we will display a website banner notifying you of changes. Your continued use of the platform after the effective date indicates your acceptance of the updated Notice.

Part 12: Contact Information

12.1 Privacy Questions and Requests

12.2 Data Protection Officer

12.3 Security Incident Reporting

12.4 Filing a Complaint

File a Complaint With Prana Health:

• Send written complaint to privacy@pranahealth.io
• Include your name, contact information, dates, and description of the complaint
• We will investigate and respond within 30 days
• You will not be retaliated against for filing a complaint

File a Complaint With the U.S. Department of Health and Human Services:

File a Complaint With State Attorneys General: Most states provide mechanisms for filing privacy complaints with the state's Attorney General. Contact your state's Attorney General office for procedures.

Related Documents

• Terms of Service