Notice of Privacy Practices

Effective date: April 1, 2026 · Last updated: April 28, 2026

This notice describes how medical information about you may be used and disclosed and how you can get access to this information. Please review it carefully.

MyPromise, Inc. ("MyPromise," "we," "us") is required by the Health Insurance Portability and Accountability Act (HIPAA) and applicable state laws to maintain the privacy of your protected health information ("PHI"), give you this Notice of our legal duties and privacy practices regarding PHI, and follow the terms of the Notice currently in effect. The clinicians, pharmacies, and service providers that participate in your care under the MyPromise platform operate under this Notice when handling PHI on our behalf.

1. Uses and disclosures of protected health information

For treatment

We use and share your PHI to provide, coordinate, and manage your care. For example, the licensed clinician who reviews your intake will share your PHI with the accredited compounding pharmacy that fills your prescription, with consulting clinicians where appropriate, and with laboratories that perform tests we order on your behalf.

For payment

We may use and share your PHI to bill and collect payment for the services you receive. For example, we may share information with our payment processor to charge your card, with HSA / FSA administrators to substantiate eligibility, and with you, to itemize the services on a receipt.

For health care operations

We may use and share your PHI to run our practice — for example, to evaluate the quality of care, train staff, audit pharmacy partners, and administer our services. We share only the minimum information necessary for these activities.

Other uses and disclosures permitted or required by law

Required by law: We will disclose PHI when required by federal, state, or local law.
Public health activities: We may disclose PHI to public health authorities to prevent or control disease, report adverse drug events, or comply with mandated reporting.
Health oversight: We may share PHI with health-oversight agencies for activities authorized by law, including audits, investigations, and licensure inspections.
Judicial and administrative proceedings: We may share PHI in response to a court or administrative order, subpoena, or similar lawful process, with notice to you where required.
Law enforcement: We may share PHI for limited law-enforcement purposes, such as identifying or locating a suspect, fugitive, or missing person, when required by law.
Serious threat to health or safety: We may share PHI to prevent or lessen a serious and imminent threat to a person or the public.
Workers' compensation: We may share PHI to comply with workers' compensation laws.
Coroners, medical examiners, funeral directors, and organ donation: We may share PHI for these limited, permitted purposes.
Research: We may use or share de-identified information for research; identifiable PHI will only be shared for research with your written authorization or under a process approved by an institutional review board or privacy board.
Specialized government functions: We may disclose PHI for national security, military, and other limited government functions described by law.

Uses and disclosures requiring your authorization

We will obtain your written authorization before using or disclosing PHI for any purpose not described in this Notice. Specifically, we will not, without your written authorization:

Use or share your PHI for marketing purposes
Sell your PHI
Share psychotherapy notes (if any are created)

You may revoke an authorization in writing at any time. Once we receive your written revocation, it will apply going forward, except to the extent we have already acted in reliance on it.

2. Your rights regarding your protected health information

Right to access and copy

You have the right to inspect and obtain a copy of your PHI in our designated record set. You may request your records in electronic form where they are readily producible in that form. We may charge a reasonable cost-based fee for copies in some circumstances.

Right to amend

You have the right to request that we amend PHI we maintain about you when you believe the information is incorrect or incomplete. We may deny the request in limited circumstances permitted by law and will provide a written explanation if we do.

Right to an accounting of disclosures

You have the right to request an accounting of certain disclosures of your PHI we have made over the six years preceding the request. The accounting will exclude disclosures for treatment, payment, and health care operations, and certain other categories permitted by law.

Right to request restrictions

You have the right to request a restriction on uses and disclosures of your PHI for treatment, payment, or operations, and on disclosures to family members or others involved in your care. We are not required to agree to all restriction requests, but we will agree to a request to restrict disclosure of PHI to a health plan when the disclosure is for payment or operations and the PHI pertains solely to a service for which you (or someone other than the health plan) have paid in full out of pocket.

Right to confidential communications

You have the right to request that we communicate with you about your PHI by alternative means or at alternative locations (for example, by email rather than postal mail, or to a workplace address). We will accommodate reasonable requests.

Right to receive a paper copy of this Notice

You have the right to receive a paper copy of this Notice on request, even if you have agreed to receive it electronically. To request one, contact us using the information in Section 6 below.

Right to be notified of a breach

You have the right to be notified in writing if there is a breach of unsecured PHI affecting you, in accordance with applicable law.

To exercise any of these rights, contact our Privacy Officer using the information in Section 6.

3. Our duties

MyPromise is required by law to maintain the privacy and security of your PHI, provide this Notice of our legal duties and privacy practices, follow the terms of the Notice currently in effect, and notify you of certain breaches of unsecured PHI.

We will not retaliate against you for exercising any rights described in this Notice or for filing a complaint about our privacy practices.

4. Changes to this Notice

We may change this Notice from time to time. A revised Notice will apply to PHI we maintain at the time of the revision, including PHI we created or received before the revision. We will post any revised Notice on our website and, on request, will provide you with a paper copy. The effective date of the most recent version is shown at the top of this Notice.

5. Complaints

If you believe your privacy rights have been violated, you may file a complaint with us using the contact information below or with the U.S. Department of Health and Human Services, Office for Civil Rights, at 200 Independence Avenue SW, Washington, D.C. 20201, by phone at 1-877-696-6775, or online at hhs.gov/ocr. We will not retaliate against you for filing a complaint.

6. Contact

To exercise a right, ask a question, or file a complaint with us, contact our Privacy Officer:

Email: privacy@mypromise.com
Mail: MyPromise, Inc. — Attn: Privacy Officer, 1 Cooper River Place, Charleston, SC 29403

You may also reach our member care team through the contact page, and your message will be routed to the Privacy Officer within one business day.