HIPAA Notice of Privacy Practices

1. Introduction

Adjuvex, Inc. ("Adjuvex"), a product of PrimeMind Labs, provides AI-powered Revenue Cycle Management services to healthcare organizations. In the course of providing these services, Adjuvex may receive, create, maintain, or transmit Protected Health Information (PHI) on behalf of covered entities under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH Act).

This Notice of Privacy Practices ("Notice") describes how Adjuvex uses and discloses PHI in its role as a Business Associate, the safeguards we maintain to protect PHI, and the rights that individuals have with respect to their health information.

This Notice applies to all PHI that Adjuvex receives, processes, or maintains in connection with the delivery of the Services, including claims data, explanation of benefits (EOB) data, FHIR R4 resources, and any other data containing individually identifiable health information.

2. Our Legal Duty

Adjuvex is required by law to:

• Maintain the privacy and security of PHI as required by HIPAA, HITECH, and applicable state laws.
• Provide this Notice describing our privacy practices and legal obligations.
• Abide by the terms of the current Notice.
• Notify affected individuals and covered entities in the event of a breach of unsecured PHI.
• Execute a Business Associate Agreement (BAA) with each covered entity before receiving or processing PHI on their behalf.

We are committed to maintaining the privacy of your health information and will not use or disclose PHI in any manner that violates applicable law or the terms of our BAAs. We reserve the right to change our privacy practices and to make the new practices effective for all PHI we maintain, provided that we do so in compliance with applicable law.

3. How We Use and Disclose PHI

As a Business Associate, Adjuvex uses and discloses PHI only as permitted or required by our BAAs and applicable law. Adjuvex does not use PHI for marketing or commercial purposes not authorized under HIPAA.

Permitted Uses and Disclosures

• Healthcare Payment: We use PHI to process insurance claims, verify coverage, analyze denial patterns, generate appeal letters, and support all billing and reimbursement activities on behalf of the covered entity.
• Healthcare Operations: We use PHI to provide quality assessment, competency assurance, accreditation support, and general administrative activities authorized under HIPAA for healthcare operations.
• Business Associate Functions: We use PHI as necessary to perform the specific services described in our BAA with each covered entity, including AI analysis, risk scoring, reporting, and decision support.
• Legal and Regulatory Compliance: We may disclose PHI as required by law, including in response to valid court orders, subpoenas, or requests from the Department of Health and Human Services (HHS) or other regulatory bodies.
• Subcontractors: We may disclose PHI to our sub-Business Associates (e.g., cloud infrastructure providers) solely to support our delivery of Services. All subcontractors are bound by BAAs with Adjuvex.

Uses and Disclosures Requiring Authorization

Any use or disclosure of PHI not described in this Notice or required by law will only occur with a valid written authorization from the individual or the covered entity on their behalf. Authorizations may be revoked in writing at any time, subject to actions already taken in reliance on the authorization.

4. Your Rights Under HIPAA

Individuals whose PHI Adjuvex processes have the following rights under HIPAA, typically exercised through their covered entity (provider or health plan). Where Adjuvex directly receives such requests, we will coordinate with the relevant covered entity:

Right of Access

You have the right to inspect and obtain a copy of your PHI contained in a designated record set. Requests for access should be directed to the covered entity (your healthcare provider or health plan). Adjuvex will cooperate with covered entities in responding to access requests within thirty (30) days.

Right to Amendment

You have the right to request amendment of PHI that you believe is inaccurate or incomplete. Requests for amendment must include a reason for the amendment. We may deny amendment requests if the information was not created by Adjuvex, is not part of a designated record set, is not available for inspection, or is accurate and complete.

Right to an Accounting of Disclosures

You have the right to request an accounting of disclosures of your PHI made by Adjuvex, other than disclosures made for treatment, payment, or healthcare operations, or disclosures made pursuant to an authorization. The accounting period covers the six (6) years prior to the request date.

Right to Request Restrictions

You have the right to request restrictions on how your PHI is used or disclosed for treatment, payment, or healthcare operations. We are not required to agree to requested restrictions except as required by law. However, if we agree to a restriction, we are bound by it except in emergency situations.

Right to Confidential Communications

You have the right to request that communications of your PHI be made through alternative means or at alternative locations. We will accommodate reasonable requests where the individual states that standard communication channels would endanger them.

Right to File a Complaint

If you believe your privacy rights have been violated, you may file a complaint with: (1) Adjuvex at hipaa@adjuvex.com; or (2) the U.S. Department of Health and Human Services Office for Civil Rights (OCR) at hhs.gov/ocr/privacy. We will not retaliate against any individual for filing a complaint.

5. Our Responsibilities

Adjuvex is committed to the following privacy responsibilities:

• Maintain the privacy of PHI and not use or disclose it except as described in this Notice or as required by law.
• Implement and maintain appropriate administrative, physical, and technical safeguards to protect PHI from unauthorized access, use, or disclosure.
• Promptly notify covered entities of any breach of unsecured PHI in accordance with the HITECH Act Breach Notification Rule.
• Provide this Notice and make it available upon request and on our website.
• Follow the terms of this Notice while it is in effect.
• Train all workforce members who handle PHI on HIPAA privacy and security requirements.
• Designate a Privacy Officer responsible for overseeing HIPAA compliance.

6. Business Associate Agreements

Adjuvex operates as a Business Associate under HIPAA. A fully executed Business Associate Agreement (BAA) is required before any covered entity may submit PHI to the Adjuvex platform. The BAA governs:

• The permitted uses and disclosures of PHI by Adjuvex on behalf of the covered entity.
• Adjuvex's obligation to implement appropriate safeguards for PHI.
• Reporting requirements for breaches of PHI and unauthorized uses or disclosures.
• The covered entity's rights to access, amend, and obtain an accounting of PHI.
• Return or destruction of PHI upon termination of the BAA.

To request a Business Associate Agreement, please contact legal@adjuvex.com. BAAs are typically executed within five (5) business days. No PHI should be submitted until a fully executed BAA is in place.

7. De-identification of PHI

Where Adjuvex performs AI model training, benchmarking analytics, or publishes aggregate industry reports, PHI is de-identified before use. Adjuvex employs two HIPAA-recognized de-identification methods:

Safe Harbor Method (45 CFR §164.514(b)(2))

All 18 HIPAA identifiers are removed or generalized, including names, geographic subdivisions smaller than a state, dates (other than year) for individuals over 89, telephone numbers, email addresses, Social Security numbers, medical record numbers, health plan beneficiary numbers, account numbers, certificate/license numbers, VINs, device identifiers, IP addresses, biometric identifiers, full-face photographs, and any other unique identifying number or code.

Expert Determination Method (45 CFR §164.514(b)(1))

A qualified statistical or scientific expert certifies that the risk of re-identification is very small prior to using data for analytics or model training purposes. De-identified data is not subject to HIPAA restrictions and does not constitute PHI.

8. Breach Notification

In the event of a breach of unsecured PHI, Adjuvex will comply with the HITECH Act Breach Notification Rule (45 CFR §§ 164.400–414):

• Notification to Covered Entity: Adjuvex will notify the affected covered entity within sixty (60) calendar days of discovery of the breach. Notification will include: the date of the breach, the date of discovery, a description of the PHI involved, the identities of individuals affected (if known), steps taken to investigate and mitigate harm, and steps taken to prevent future breaches.
• Covered Entity's Notification Obligations: The covered entity is responsible for notifying affected individuals and, where applicable, the HHS Secretary and prominent media outlets as required by the Breach Notification Rule. Adjuvex will provide reasonable cooperation and information to assist with these notifications.
• Unsecured PHI: Adjuvex uses AES-256 encryption at rest and TLS 1.3 in transit. PHI encrypted in accordance with HHS guidance is considered "secured" and a breach of such data may not require notification.

Adjuvex maintains a breach response plan, conducts regular tabletop exercises, and designates a Security Officer responsible for breach investigation and response.

9. Effective Date and Changes to This Notice

This Notice is effective as of January 1, 2025. We reserve the right to change the terms of this Notice at any time. Changes will apply to all PHI we maintain, including PHI created or received before the change. The revised Notice will be posted on our website and provided to covered entities via email with at least thirty (30) days' advance notice for material changes.

The most current version of this Notice will always be available at adjuvex.com/hipaa. Covered entities are encouraged to share this Notice with patients and plan members as appropriate.

10. Contact and Privacy Officer

For questions about this Notice, to exercise your rights, or to report a privacy concern, please contact our Privacy Officer: