1. Who is covered by this notice.
This HIPAA Notice of Privacy Practices is issued by Q.I.M. Solutions LLC doing business as QIM Health. This Notice applies to all Protected Health Information created, received, maintained, or transmitted by QIM Health in connection with healthcare services provided to you. Independent licensed Providers who deliver clinical services through the QIM Health platform may issue their own separate Notice of Privacy Practices.
2. What is Protected Health Information (PHI)?
PHI means individually identifiable health information relating to your past, present, or future physical or mental health; the provision of healthcare to you; or payment for healthcare. PHI includes identifiers, medical history, diagnostic and laboratory results, clinical assessments, health optimization data, payment information, telehealth session data, and portal data.
3. How QIM Health uses and discloses your PHI.
3.1 Treatment
Share PHI with Providers and Health Coaches to coordinate care and review lab results.
3.2 Payment
Use PHI to process payments and generate invoices. QIM Health does not bill insurance.
3.3 Healthcare Operations
Quality assurance, staff training, auditing, compliance, and customer service.
3.4 Business Associates
Share PHI with vendors under Business Associate Agreements (BAAs) including EHR vendors, labs, payment processors, and technology providers. QIM Health does not sell PHI.
3.5 Required by Law
We may use or disclose PHI as required by law, including for:
- Court orders and judicial proceedings;
- Public health activities;
- Health oversight activities;
- Law enforcement purposes;
- Serious threats to health or safety;
- Workers’ compensation;
- Decedents, coroners, and funeral directors;
- Research subject to IRB-approved protocols;
- Specialized government functions (military, national security).
3.6 Authorization Required
The following require your express written authorization: psychotherapy notes, marketing disclosures requiring authorization, sale of PHI, genetic information for underwriting purposes, and any use or disclosure not described in this Notice.
3.7 Minimum Necessary
For all uses and disclosures not made for treatment purposes, QIM Health limits PHI to the minimum necessary for the intended purpose.
4. How QIM Health safeguards your information.
4.1 Administrative Safeguards
Privacy Officer and Security Officer designated. Workforce training on HIPAA policies. Access management controls. Sanction policies for violations. Audit log reviews. Contingency planning and disaster recovery.
4.2 Physical Safeguards
Facility access controls. Workstation security policies. Device and media controls for all systems containing PHI.
4.3 Technical Safeguards
Access controls limiting PHI access to authorized personnel. Audit controls tracking system activity. Integrity controls to prevent unauthorized alteration. TLS encryption for all PHI in transmission. Role-based access and multi-factor authentication (MFA).
4.4 Business Associates
All vendors with access to PHI must execute BAAs and implement equivalent HIPAA safeguards before receiving any PHI from QIM Health.
4.5 Retention
Medical records are retained for a minimum of 7 years. PHI is disposed of using HIPAA-compliant methods that render the information unreadable and unreconstructable.
5. Your rights under HIPAA.
5.1 Right to Access
You have the right to request copies of your PHI. We will respond within 30 days. Electronic format is available upon request.
5.2 Right to Amendment
You may request corrections to PHI you believe is inaccurate or incomplete. We will respond within 60 days and explain in writing any denial.
5.3 Right to Accounting of Disclosures
You have the right to request an accounting of certain disclosures of your PHI made during the past 6 years, excluding disclosures made for treatment, payment, or healthcare operations (TPO) or those you authorized.
5.4 Right to Restrict
You may request restrictions on certain uses and disclosures of your PHI. We are not required to agree, except that we must honor requests to restrict disclosure to a health plan for PHI related to services you paid for in full out of pocket.
5.5 Right to Confidential Communications
You may request that we communicate with you via a specific phone number or mailing address. We will accommodate reasonable requests.
5.6 Right to Breach Notification
You have the right to be notified following a breach of your unsecured PHI, within 60 days of our discovery of the breach.
5.7 Right to Opt Out of Fundraising
You have the right to opt out of any fundraising communications from QIM Health at any time.
5.8 Right to a Paper Copy of This Notice
You have the right to obtain a paper copy of this Notice at any time, even if you have agreed to receive it electronically. Contact us at support@qimhealth.com to request a copy.
6. Special categories of PHI.
6.1 Genetic Information
Genetic information is handled with heightened protection under HIPAA and the Genetic Information Nondiscrimination Act (GINA). QIM Health does not use genetic information for underwriting purposes and does not sell genetic information.
6.2 Mental Health
Mental health information is handled with heightened care and sensitivity. Psychotherapy notes require specific written authorization separate from general treatment authorization.
6.3 Substance Use Disorder
Substance use disorder records may be subject to 42 C.F.R. Part 2 in addition to HIPAA, which imposes stricter restrictions on disclosure. We comply with the more protective standard.
6.4 State-Law Protections
Where applicable state law provides greater privacy protection than HIPAA, QIM Health complies with the more protective standard.
7. Uses and disclosures not covered by this notice.
QIM Health will obtain your written authorization before any use or disclosure of your PHI not described in this Notice. You may revoke any such authorization in writing at any time, except to the extent QIM Health has already acted in reliance on it. QIM Health will never sell PHI or use it for advertising or marketing purposes without your explicit written authorization.
8. Complaints and enforcement.
8.1 File a Complaint with QIM Health
If you believe your privacy rights have been violated, you may file a complaint with QIM Health by emailing support@qimhealth.com with the subject line “HIPAA Privacy Complaint.” QIM Health will not retaliate against you for filing a complaint.
8.2 File a Complaint with the Federal Government
You may also file a complaint with the U.S. Department of Health and Human Services:
Phone: 1-800-368-1019
Online: www.hhs.gov/ocr/complaints
8.3 Non-Retaliation
QIM Health is strictly prohibited from retaliating against any individual who exercises their rights under HIPAA, files a complaint, or participates in any investigation or proceeding.
9. Breach notification policy.
- Individual notification by first-class mail or email within 60 days of breach discovery;
- HHS notification for breaches affecting 500 or more individuals within 60 days of discovery;
- Media notification for breaches affecting 500 or more residents of a single state or jurisdiction;
- Notification includes: description of the breach, types of information involved, protective steps you should take, QIM Health’s response and mitigation measures, and contact information for questions;
- Business Associates are required to notify QIM Health within 60 days of their discovery of a breach involving QIM Health PHI.
10. HIPAA compliance program.
- Designated Privacy Officer and Security Officer;
- Written HIPAA policies and procedures, reviewed and updated regularly;
- Regular workforce training on HIPAA requirements and QIM Health policies;
- Annual risk assessments and risk management planning;
- BAA management and vendor due diligence processes;
- Incident response and breach notification procedures;
- Sanction policies for workforce members who violate HIPAA;
- Regular review and updates to this Notice and all related policies.
11. Governing law and effective date.
This Notice is governed by HIPAA, the Health Information Technology for Economic and Clinical Health (HITECH) Act, and 45 C.F.R. Parts 160 and 164. Where applicable state law provides greater protection than HIPAA, QIM Health complies with the more protective standard. This Notice is effective December 23, 2025, and supersedes all prior versions. The most current version is always available at www.qimhealth.com.
12. Acknowledgment of receipt.
Your signature or electronic acknowledgment of this Notice confirms that you have received a copy of QIM Health’s HIPAA Notice of Privacy Practices. Acknowledgment does not constitute authorization for QIM Health to use or disclose your PHI beyond what is described herein.
13. Provider / staff attestation.
The undersigned Provider or QIM Health staff member attests that the Patient was provided with this HIPAA Notice of Privacy Practices and that the Patient voluntarily provided electronic acknowledgment of receipt. This attestation is maintained in the patient record in accordance with QIM Health’s HIPAA policies and applicable recordkeeping requirements.
14. Contact information and privacy officer.
Email: support@qimhealth.com
Phone: (586) 301-7434
Website: www.qimhealth.com