Notice of Privacy Practices

Our Pledge Regarding Your Health Information

Navara Health, PLLC ("Navara Health," "we," "us," or "our") understands that medical information about you and your health is personal. We are committed to protecting your medical information. We create a record of the care and services you receive at Navara Health. We need this record to provide you with quality care and to comply with legal requirements.

This Notice of Privacy Practices ("Notice") applies to all records of your care generated by Navara Health, PLLC and any associated providers, nurses, contractors, and staff. It describes how we may use and disclose your protected health information (PHI) to carry out treatment, payment, and healthcare operations, and for other purposes that are permitted or required by law. It also describes your rights to access and control your PHI.

"Protected health information" is information about you, including demographic information, that may identify you and that relates to your past, present, or future physical or mental health condition and related healthcare services.

We are required by law to:

• Maintain the privacy and security of your PHI
• Provide you with this Notice of our legal duties and privacy practices
• Notify you promptly if a breach occurs that may compromise the privacy or security of your information
• Follow the terms of the Notice currently in effect

How We May Use and Disclose Your PHI

The following categories describe different ways that we use and disclose your PHI. Not every use or disclosure is listed, but all permitted uses and disclosures fall within one of these categories.

Treatment

We will use and disclose your PHI to provide, coordinate, or manage your healthcare and any related services. This includes coordination of your care with third-party providers. For example, your PHI may be shared with:

• A specialist, primary care provider, or gynecologist to whom you are referred
• The compounding pharmacy filling your prescriptions
• The laboratory processing your lab orders
• An emergency department if you require urgent care
• Other clinicians or staff at Navara Health involved in your care, including Rocio Gonzalez, RN, when performing services under APRN delegation

Payment

Your PHI will be used as needed to obtain payment for your healthcare services. Because Navara Health is a self-pay practice and does not bill insurance, payment activities typically involve:

• Processing credit card, debit card, ACH, or other patient payments
• Generating receipts for HSA/FSA reimbursement that you submit to your plan
• Issuing superbills (where requested) for self-submission to insurance
• Verifying eligibility for payment plans or refunds

Healthcare Operations

We may use and disclose your PHI to support our business activities, including:

• Quality assessment and improvement activities
• Provider review, credentialing, and licensing activities
• Auditing and compliance review
• Business management and general administrative activities
• Contacting you to remind you of appointments (text, email, phone, portal)
• Customer service and patient satisfaction surveys
• Conducting or arranging legal services, including risk management and audit

Appointment Reminders, Lab Results & Practice Communications

We may contact you using the contact information you have provided to remind you of upcoming appointments, deliver lab results, notify you of prescription readiness, or share other practice-related communications via:

• Secure patient portal messages
• Email
• SMS / text message
• Telephone calls and voicemails

You may revoke authorization for any specific communication channel in writing.

Other Permitted Uses and Disclosures Without Your Authorization

The following uses and disclosures may be made without your authorization in specific circumstances permitted by law:

• Required by Law — when federal, state, or local law mandates disclosure
• Public Health Activities — disease prevention, vaccine reporting, FDA-regulated product safety reporting
• Communicable Disease Reporting — when required to prevent disease spread
• Health Oversight Activities — audits, investigations, licensure, and disciplinary actions
• Abuse or Neglect Reporting — when we suspect abuse, neglect, or domestic violence as required by law
• Food and Drug Administration (FDA) — adverse event reporting, product recalls, post-market surveillance
• Legal Proceedings — in response to a court or administrative order, subpoena, or discovery request (subject to applicable protective provisions)
• Law Enforcement — as required by law, in response to legal process, or to identify or locate a suspect, fugitive, material witness, or missing person
• Coroners, Medical Examiners, and Funeral Directors — to perform their duties
• Organ and Tissue Donation — where applicable
• Workers' Compensation — as authorized by and to the extent necessary to comply with workers' compensation laws
• Military and Veterans Activities — for members of the armed forces
• National Security and Intelligence Activities — to authorized federal officials
• Protective Services for the President and Others — as authorized by law
• Inmates / Correctional Facilities — as authorized by law
• Research — when reviewed and approved by a privacy board or institutional review board, or as otherwise permitted by law
• To Avert Serious Threat — to health or safety of an individual or the public

Special Protections for Reproductive Healthcare Information

Substance Use Disorder Records (42 CFR Part 2)

Uses and Disclosures Requiring Your Written Authorization

Certain uses and disclosures of your PHI require your written authorization. These include:

• Marketing communications — communications that promote a product or service (beyond appointment reminders and direct treatment communications)
• Sale of PHI — Navara Health does not sell PHI
• Psychotherapy notes — generally require authorization for any disclosure
• Disclosures to non-health-related family or friends beyond what is permitted by law
• Photography, video, or testimonial use — see separate Photography & Marketing Consent
• Other uses not described in this Notice

You may revoke a written authorization at any time, except to the extent that we have already taken action in reliance on that authorization. Revocation must be submitted in writing to Navara Health.

Your Rights Regarding Your PHI

To exercise any of these rights, please submit your request in writing to our Privacy Officer (see Section 11).

Texas-Specific Privacy Protections (HB 300)

Key Texas protections include:

• Faster access to electronic records — Navara Health will provide electronic PHI within 15 business days of a written request (federal HIPAA allows 30 days)
• Mandatory employee training — all Navara Health employees and contractors who handle PHI complete privacy and security training within 90 days of hire and biennially thereafter, with documentation maintained
• Enhanced authorization requirements — for marketing communications and other authorized disclosures
• Texas Attorney General enforcement — Texas patients may file complaints with the Texas Attorney General's office in addition to HHS Office for Civil Rights
• Sale of PHI prohibited — Texas law specifically prohibits the sale of PHI without patient authorization
• Breach notification — Texas law requires notification to affected individuals consistent with federal HITECH Act timelines

Patients located in our other licensed states (Colorado, Connecticut, Florida, Iowa, Oklahoma, Vermont, Virginia, Washington) are protected by federal HIPAA standards and the privacy laws of their state of residence, where applicable.

Electronic Communications & Telehealth Privacy

Navara Health uses electronic systems for healthcare delivery, including:

• Electronic Medical Records (EMR) — OptiMantra, a HIPAA-compliant medical records platform
• Telehealth platforms for video and audio visits
• Secure patient portal for messaging and document exchange
• Compounding pharmacy partners who receive prescription information
• Laboratory partners who process labs
• Payment processors who handle billing

All vendors with access to PHI operate under Business Associate Agreements (BAAs) that contractually require HIPAA-compliant handling of your information.

If Navara Health adopts AI-assisted clinical documentation tools (AI scribes, ambient transcription), these vendors will operate under HIPAA Business Associate Agreements. See the Navara Telemedicine Informed Consent for the AI scribe opt-in/opt-out framework.

Communication channel limitations: Email and SMS are not fully secure channels by their nature. Navara Health uses these channels for non-sensitive communications and at your authorization. The patient portal is the most secure channel for sensitive communications.

Photography, Video & Marketing

Photography, video, audio recording, and marketing use of any patient information requires separate written authorization, captured in the Navara Health Photography, Video & Marketing Master Consent. That consent uses a four-tier opt-in structure (medical use only / identifiable marketing / de-identified marketing / provider education).

Navara Health does not:

• Sell patient PHI to any third party
• Use patient PHI for marketing without specific written authorization
• Disclose your photos or identifiable information for advertising without your explicit consent

Changes to This Notice

Navara Health reserves the right to change this Notice at any time. The revised Notice will apply to all PHI we maintain, including PHI created or received before the revision. When the Notice is revised, we will:

• Post the revised Notice in our office
• Post the revised Notice on our website at www.navarahealthtx.com
• Update the effective date at the top of the Notice
• Provide a paper copy upon request
• For material changes, notify patients at their next visit and/or via the patient portal

The current Notice in effect supersedes all prior versions.

Website Posting

This Notice is publicly posted at www.navarahealthtx.com in compliance with HIPAA requirements for covered entities maintaining a website with information about customer services or benefits. The effective date is displayed at the top of this Notice.

Privacy Officer & How to File a Complaint

How to File a Complaint

If you believe your privacy rights have been violated, you may file a complaint:

• With Navara Health — submit a written complaint to the Privacy Officer at the address or email above. We will respond within 30 days.
• With the U.S. Department of Health and Human Services Office for Civil Rights — file online at hhs.gov/ocr, by mail to HHS Office for Civil Rights, 200 Independence Avenue SW, Washington DC 20201, or by phone at 1-800-368-1019 (TDD: 1-800-537-7697)
• With the Texas Attorney General(Texas patients) — file online at texasattorneygeneral.gov or by phone at 1-800-621-0508

You will not be retaliated against for filing a complaint. Your continued access to care at Navara Health will not be affected.

Acknowledgment of Receipt

A separate Acknowledgment of Receipt of Notice of Privacy Practices form is provided alongside this Notice. Your signature on the Acknowledgment confirms you have received this Notice. If you decline to sign, Navara Health will document a good-faith effort to obtain your acknowledgment, as required by HIPAA. Your refusal to sign does not affect your right to receive care.