HIPAA Notice of Privacy Practices

1. Our role under HIPAA

getMRI is a technology platform that helps patients request medical imaging online. The clinical services connected to your booking are delivered by:

• An independent licensed telehealth physician who reviews your intake and, when clinically appropriate, issues your imaging order; and
• An independent licensed imaging center (such as Advanced Medical Imaging in Seminole, Florida) that performs and interprets your scan.

The telehealth physician and the imaging center are HIPAA covered entities. With respect to PHI we create, receive, maintain, or transmit on their behalf, getMRI acts as a HIPAA business associate and operates under written Business Associate Agreements. To the extent any portion of getMRI’s own operations independently constitutes a covered health-care function, we operate as a hybrid entity and apply HIPAA safeguards to that portion. Whether we are acting as a business associate or a covered component, we maintain this Notice and the protections described in it.

The imaging center and telehealth physician each maintain their own Notice of Privacy Practices that describes their direct treatment, payment, and operations uses of your PHI. Those notices control as to their own uses and disclosures.

2. What PHI we handle

• Identity and contact information: name, date of birth, address, phone, email.
• Clinical intake: chief complaint, symptoms, relevant medical history, prior imaging, medications, allergies.
• MRI safety screening: implants, devices, pregnancy status, claustrophobia, weight (where required for the modality).
• The physician’s imaging order and any clinical notes the physician shares with us to coordinate the scan.
• Insurance and benefits information, where you elect to use insurance.
• Appointment and scan logistics: location, time, modality, results-delivery preferences.

3. How we may use and disclose PHI

We may use and disclose PHI for the following purposes, in each case consistent with HIPAA and the minimum-necessary standard:

3.1 Treatment

We transmit your intake and safety screening to the telehealth physician and the imaging center so they can evaluate, order, and perform your scan, and so the imaging center can deliver results to you and any provider you designate.

3.2 Payment

We use PHI to process your payment, issue refunds, support financing through partners such as Affirm, verify insurance eligibility, and assist with claims and patient-balance billing.

3.3 Health-care operations

We use PHI to operate the booking platform on behalf of the covered entities, including coordinating appointments, sending intake and safety questionnaires, handling patient-service requests, quality assurance, training, audits, compliance, and improving our technology in de-identified form.

3.4 Business associates and subcontractors

We use vetted vendors to host and operate the Services — for example, Vercel (hosting), Neon (database), Microsoft 365 (email and calendaring), and Stripe (payments). Where these vendors handle PHI, we have written contracts that require them to safeguard PHI consistent with HIPAA.

3.5 Communications with you

We may contact you by email, SMS, or phone for booking confirmations, intake links, safety questionnaires, appointment reminders, receipts, refund notices, and limited follow-up communications related to your care.

3.6 Required by law and public health

We may use or disclose PHI when required by law, including for public-health activities, reports of abuse or neglect, health oversight, judicial or administrative proceedings, law enforcement, coroners and medical examiners, organ procurement organizations, serious threats to health or safety, specialized government functions, workers’ compensation, and required reporting to the Secretary of the U.S. Department of Health and Human Services (“HHS”).

3.7 Other uses require your authorization

We will not use or disclose your PHI for marketing, will not sell your PHI, and will not disclose psychotherapy notes (if any) without your written authorization. Any authorization you sign can be revoked in writing at any time, except to the extent we have already acted in reliance on it.

4. Your rights

You have the following rights under HIPAA and applicable Florida law with respect to PHI we maintain about you:

• Right of access. You may request to inspect or receive a copy of PHI we maintain in a designated record set. We will respond within the time required by HIPAA (generally 30 days, extendable once by 30 days). Florida law (Fla. Stat. § 456.057) also requires licensed providers to furnish patient medical records on written request — your imaging center is the primary source for those records.
• Right to receive an electronic copy. If we maintain your PHI electronically, you may request an electronic copy in the form and format you request, if readily producible.
• Right to amend. If you believe PHI we maintain is incorrect or incomplete, you may request an amendment. We may deny the request in certain circumstances, in which case you may submit a written statement of disagreement to be included with the record.
• Right to an accounting of disclosures. You may request a list of certain disclosures of your PHI made by us in the six (6) years before the date of your request (excluding disclosures for treatment, payment, health-care operations, disclosures made to you, and certain others).
• Right to request restrictions. You may request that we restrict certain uses or disclosures of your PHI. We are not required to agree to all requested restrictions, except that we must agree to a request to restrict disclosure to a health plan of PHI relating to a health-care item or service that you paid for in full out-of-pocket.
• Right to confidential communications. You may ask us to contact you at a specific phone number, email address, or mailing address, and we will accommodate reasonable requests.
• Right to a paper copy of this Notice. You may request a paper copy of this Notice at any time, even if you have agreed to receive it electronically.
• Right to be notified of a breach. You have a right to be notified following a breach of unsecured PHI as required by HIPAA and Florida law.

To exercise any of these rights, submit a written request to privacy@getmri.com. We may need to verify your identity before fulfilling certain requests. Requests for medical records held by the imaging center or treating physician should be made directly to that provider.

5. Our responsibilities

• We are required by law to maintain the privacy and security of your PHI.
• We will notify you if a breach occurs that may have compromised the privacy or security of your PHI.
• We must follow the duties and privacy practices described in this Notice and give you a copy of it.
• We will not use or share your PHI other than as described here unless you tell us in writing that we may. If you tell us we may, you may change your mind at any time in writing.

6. Security safeguards

We maintain administrative, physical, and technical safeguards designed to protect PHI in compliance with the HIPAA Security Rule. These include:

• Encryption in transit (TLS) for data moving between you, the Services, and our vendors.
• Encryption at rest for stored data where supported by our infrastructure providers.
• Role-based access controls and least-privilege access for staff and contractors.
• Audit logging of access to systems that store or process PHI.
• Workforce training on HIPAA, security awareness, and our policies.
• Written Business Associate Agreements with vendors that handle PHI.
• Limited retention of PHI; de-identification of data used to improve the Services.

7. Minimum necessary

When using or disclosing PHI, or requesting PHI from another covered entity, we limit the information to the minimum necessary to accomplish the intended purpose, except for disclosures to or requests by a treating provider, disclosures to you, uses and disclosures made under a valid authorization, and other uses and disclosures required by law.

8. Florida-specific notices

Where Florida law is more protective than HIPAA, the stricter standard applies. In particular:

• Access to medical records. Fla. Stat. § 456.057 gives patients (and certain authorized representatives) the right to obtain copies of their medical records from a licensed Florida provider on written request, subject to reasonable charges set by rule. Your imaging center is the source for those records.
• Breach notification. The Florida Information Protection Act (FIPA), Fla. Stat. § 501.171, requires notification of affected individuals and, when thresholds are met, the Florida Department of Legal Affairs, generally within 30 days after a covered breach of security involving unencrypted personal information is determined.
• Telehealth. Florida law (Fla. Stat. § 456.47) regulates the telehealth services performed by physicians registered in Florida; the telehealth physician’s own notices and consents will describe those practices.

9. Complaints

If you believe your privacy rights have been violated, you may file a complaint with us or with the federal government.

To file a complaint with getMRI: email privacy@getmri.com. We will not retaliate against you for filing a complaint.

To file a complaint with HHS: contact the U.S. Department of Health and Human Services, Office for Civil Rights, 200 Independence Avenue, S.W., Washington, D.C. 20201; call 1-877-696-6775; or visit hhs.gov/ocr/complaints.

10. Changes to this Notice

We reserve the right to change this Notice and to make the revised Notice effective for all PHI we maintain. When we change this Notice, we will update the “Effective date” at the top and post the revised Notice at getmri.com/hipaa.

11. Contact

For questions about this Notice or to exercise any of the rights described above:

getMRI — Privacy Officer
Email: privacy@getmri.com