Notice of Privacy Practices

⚠ DRAFT — CLIENT MUST REVIEW AND CONFIRM EVERY POLICY STATEMENT BEFORE PUBLISHING. A HIPAA Notice of Privacy Practices must reflect THIS PRACTICE'S actual policies, custodian, third-party PHI handlers, and breach-notification process. Generic templates create legal liability. See content-drafts/_client-questionnaire.md Section 7 for the questions the client must answer.

THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.

Effective Date: June 15, 2026

1. Who We Are

This Notice of Privacy Practices ("Notice") is provided by Healing TMS Clinic (the "Covered Entity," "we," "us," or "our"), a healthcare provider located at 5475 East La Palma Avenue, Suite 204, Anaheim, California 92807. We are a Covered Entity under the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations, as amended by the HITECH Act ("HIPAA").

This Notice applies to all Protected Health Information ("PHI") about you that is created, received, maintained, or transmitted by Healing TMS Clinic, its workforce members, and its Business Associates in connection with the services we provide.

2. Our Pledge Regarding Your Health Information

We understand that information about you and your health is personal. We are committed to protecting your PHI. We are required by federal and California law to:

  • Maintain the privacy of your PHI;
  • Provide you with this Notice of our legal duties and privacy practices with respect to your PHI;
  • Abide by the terms of the Notice currently in effect;
  • Notify affected individuals following a breach of unsecured PHI as required by 45 CFR §§ 164.400–414;
  • Comply with applicable provisions of California law, including the Confidentiality of Medical Information Act (CMIA, Cal. Civil Code § 56 et seq.), to the extent more protective than HIPAA.

3. How We May Use and Disclose Your PHI Without Your Authorization

HIPAA permits us to use and disclose PHI without your written authorization for the following purposes. The categories below describe each type of use or disclosure with examples; not every use or disclosure in a category will be listed.

a. Treatment

We may use and disclose your PHI to provide, coordinate, or manage your healthcare and related services. Examples include:

  • A psychiatrist documenting your treatment-resistant depression history in your chart and consulting with the TMS technician about your motor threshold and treatment parameters;
  • Sharing relevant clinical information with another physician you have asked us to consult or to whom we are referring you;
  • Coordinating care with your primary care physician or other treating clinicians.

b. Payment

We may use and disclose your PHI to obtain payment for the healthcare services we provide. Examples include:

  • Submitting claims and supporting clinical documentation to your insurance carrier for services rendered;
  • Obtaining prior authorization for treatment, including TMS therapy, where required by your insurer;
  • Verifying insurance benefits and eligibility;
  • Coordinating with collection agencies for unpaid balances, subject to the minimum-necessary rule.

c. Healthcare Operations

We may use and disclose your PHI for healthcare operations — the activities necessary to run our practice and ensure quality care. Examples include:

  • Quality assessment and improvement activities, including reviewing treatment outcomes;
  • Clinician credentialing, competency evaluation, and training;
  • Conducting audits, accreditation reviews, and licensing reviews;
  • Business planning, development, and administrative activities.

d. Business Associates

Certain functions are provided by third-party vendors with whom we share PHI under written Business Associate Agreements that require them to safeguard PHI to the same standard we are required to maintain. Examples include electronic health record and billing vendors (currently Office Ally), telepsychiatry platforms (currently Doxy.Me), secure email services, IT support, and cloud storage. A current list of Business Associates is maintained internally by our Privacy Officer and available on written request.

e. Other Permitted Uses and Disclosures

Without your authorization, we may also use or disclose PHI:

  • As required by law (federal, state, or local);
  • For public-health activities — disease reporting, vital statistics, FDA-regulated adverse-event reporting (including device safety reporting for TMS systems);
  • To report victims of abuse, neglect, or domestic violence to authorities permitted by law to receive such reports;
  • For health oversight activities — audits, investigations, and licensure;
  • For judicial and administrative proceedings — in response to a subpoena, court order, or other lawful process;
  • For law-enforcement purposes within the limits and conditions of HIPAA;
  • To coroners, medical examiners, and funeral directors as authorized by law;
  • For organ and tissue donation (limited applicability to a psychiatric practice);
  • For research under an IRB-approved protocol or a valid waiver of authorization;
  • To avert a serious threat to health or safety — including but not limited to imminent risk of harm to self or others;
  • For specialized government functions — military and veterans' activities, national security, intelligence;
  • For workers' compensation programs as authorized by law.

4. Uses and Disclosures That Require Your Authorization

We will obtain your written authorization before using or disclosing PHI for any of the following:

  • Psychotherapy notes, as defined at 45 CFR § 164.501, except for very limited HIPAA-permitted exceptions (for example, use by the originator for treatment);
  • Marketing communications, as defined under HIPAA;
  • Sale of PHI, as defined under HIPAA;
  • Most uses and disclosures of PHI not described elsewhere in this Notice.

You may revoke a written authorization at any time, in writing. Revocation is effective from the date we receive it but does not apply to disclosures we have already made in reliance on your prior authorization.

5. Your Rights Regarding Your PHI

You have the following rights with respect to your PHI maintained by us:

a. Right to Inspect and Copy

You have the right to inspect and obtain a copy of your PHI in our designated record set, subject to limited exceptions (for example, psychotherapy notes). You may request a paper copy or an electronic copy in the form and format you request, if readily producible. We may charge a reasonable, cost-based fee as permitted by HIPAA and California law. We will respond to your request within 30 days, or notify you of an extension as permitted by HIPAA.

b. Right to Request Amendment

If you believe that PHI we maintain about you is inaccurate or incomplete, you may request that we amend it. Your request must be in writing and must state the reason for the requested amendment. We may deny your request under conditions permitted by HIPAA; if we deny, you may submit a written statement of disagreement that we will include with future disclosures of the disputed information.

c. Right to an Accounting of Disclosures

You have the right to request an accounting of disclosures of your PHI we have made for purposes other than treatment, payment, healthcare operations, and certain other excluded categories, for up to six years prior to the date of the request. We will provide one accounting per 12-month period without charge; we may charge a reasonable, cost-based fee for additional requests within the same 12-month period.

d. Right to Request Restrictions

You have the right to request a restriction on certain uses or disclosures of your PHI for treatment, payment, or healthcare operations, or to a family member or other person involved in your care. We are not required to agree to a requested restriction, except: we must agree to restrict disclosure of PHI to a health plan for purposes of payment or healthcare operations if (i) the disclosure is not otherwise required by law and (ii) the PHI pertains solely to a service for which you, or someone other than the health plan on your behalf, has paid out of pocket in full. Agreed restrictions will be honored unless emergency treatment requires otherwise.

e. Right to Request Confidential Communications

You have the right to request that we communicate with you about medical matters in a certain way or at a certain location — for example, by mail to a specific address, or only by telephone at a specific number. We will accommodate reasonable requests.

f. Right to a Paper Copy of This Notice

You have the right to receive a paper copy of this Notice at any time, even if you have agreed to receive it electronically.

g. Right to Be Notified of a Breach

You have the right to be notified following a breach of unsecured PHI affecting your information, as required by 45 CFR §§ 164.400–414 and applicable California law.

h. Right to File a Complaint

You may file a complaint with us or with the U.S. Department of Health and Human Services if you believe your privacy rights have been violated. You will not be retaliated against for filing a complaint. See Section 8 below.

6. Breach Notification

In the event of a breach of unsecured PHI, we will notify affected individuals without unreasonable delay and in no case later than 60 calendar days after discovery of the breach, in accordance with 45 CFR §§ 164.400–414. We will also notify the Secretary of the U.S. Department of Health and Human Services and, where the breach affects more than 500 residents of a state or jurisdiction, prominent media outlets serving that area. California-specific notification requirements under Cal. Civil Code § 1798.82 and the CMIA may also apply.

Our Privacy Officer (Nestor C., Practice Manager) serves as the designated incident lead for any suspected breach of unsecured PHI and coordinates required notifications to affected individuals, the U.S. Department of Health and Human Services, and (when applicable) prominent media outlets within the timeframes specified by 45 CFR §§ 164.404–164.408.

7. Privacy Officer Contact

Questions about this Notice or your PHI should be directed to our designated Privacy Officer:

Healing TMS Clinic — Privacy Officer
Nestor C., Practice Manager
5475 East La Palma Avenue, Suite 204
Anaheim, CA 92807
Email: nestor@htmsclinic.com
Telephone: (657) 656-5611

8. How to File a Complaint

If you believe your privacy rights have been violated, you may file a written complaint with us by contacting our Privacy Officer above. You may also file a complaint with the U.S. Department of Health and Human Services, Office for Civil Rights:

U.S. Department of Health and Human Services
Office for Civil Rights
200 Independence Avenue, S.W.
Washington, D.C. 20201
Toll-free: 1-877-696-6775
Online: https://www.hhs.gov/ocr/complaints/

We will not retaliate against you for filing a complaint.

9. Changes to This Notice

We reserve the right to change the terms of this Notice at any time. Any revised Notice will apply to all PHI we maintain, including PHI created or received before the revision. The revised Notice will be posted in our clinic and on our website at htmsclinic.com with an updated Effective Date. Paper copies will be available on request.

10. Acknowledgment

We will request your written acknowledgment of receipt of this Notice at your first visit and will document our good-faith effort to obtain it. Acknowledgment is not consent to treatment; it confirms only that you received the Notice.


Effective date and Privacy Officer designation confirmed by Healing TMS Clinic 2026-06-15. California minors' rights under Cal. Health & Safety Code § 124260 are honored as applicable.
