HIPAA Privacy Policy
THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
Effective Date: [Current Date - Please Update]
1. Our Commitment to Your Privacy
Family Roots ("we," "us," or "our") is committed to protecting the privacy and security of your Protected Health Information (PHI). PHI is information about you, including demographic information, that may identify you and that relates to your past, present, or future physical or mental health or condition, the provision of health care to you, or the past, present, or future payment for the provision of health care to you.
This Notice of Privacy Practices (NPP) describes how we may use and disclose your PHI to carry out our services, and for other purposes that are permitted or required by law, including the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
This Notice applies to PHI that you may provide in the course of using our services, particularly features such as the Healing Tales generator, where you might input information that could be considered PHI.
2. Our Responsibilities
We are required by law to:
- Maintain the privacy and security of your PHI.
- Provide you with this Notice of our legal duties and privacy practices with respect to your PHI.
- Notify you if a breach occurs that may have compromised the privacy or security of your unsecured PHI.
- Follow the terms of the Notice that is currently in effect.
3. How We May Use and Disclose Your Protected Health Information (PHI)
The following categories describe different ways that we may use and disclose your PHI. For each category, we will explain what we mean and try to give some examples. Not every use or disclosure in a category will be listed. However, all of the ways we are permitted to use and disclose information will fall within one of these categories.
- For Our Services (e.g., Healing Tales Generation): We will use your PHI to provide you with our services. For example, if you provide information about personal situations, therapeutic goals, or other health-related details for the purpose of generating a Healing Tale, we will use this information, including processing it with Artificial Intelligence (AI) services (such as Anthropic), to create the requested tale. The generated tale itself may then contain or reflect this PHI.
- For Our Health Care Operations: We may use and disclose your PHI for our operations. These uses and disclosures are necessary to run our platform and make sure that our users receive quality service. For example, we may use PHI for:
  - Quality assessment and improvement activities.
  - Customer service and support, if your query involves PHI.
  - Internal training purposes (using de-identified data where possible).
  - Conducting or arranging for other business activities.
- As Required By Law: We will disclose PHI about you when required to do so by federal, state, or local law.
- To Business Associates: We may disclose PHI to our third-party service providers (Business Associates) that perform functions on our behalf or provide us with services if the PHI is necessary for such functions or services. For example, we may use Business Associates for AI processing (Anthropic), data storage (DigitalOcean), or email services. We require our Business Associates to appropriately safeguard your PHI through a Business Associate Agreement.
Other Permitted and Required Uses and Disclosures That May Be Made Without Your Authorization or Opportunity to Object:
We may use or disclose your PHI in the following situations without your authorization. These situations include:
- Public Health Risks: For public health activities, such as to prevent or control disease, injury, or disability.
- Health Oversight Activities: To a health oversight agency for activities authorized by law, such as audits, investigations, inspections, and licensure.
- Lawsuits and Legal Actions: In response to a court or administrative order, or in response to a subpoena, discovery request, or other lawful process.
- Law Enforcement: To law enforcement officials if certain legal conditions are met (e.g., in response to a warrant, for identifying or locating a suspect, or about a crime victim).
- To Avert a Serious Threat to Health or Safety: To prevent a serious threat to your health and safety or the health and safety of the public or another person.
- National Security and Intelligence Activities: As required by federal law for intelligence, counterintelligence, and other national security activities.
(Note: Many of the above categories may not be directly applicable to Family Roots. They are included for comprehensiveness and should be reviewed for relevance.)
Uses and Disclosures of PHI Requiring Your Written Authorization:
Other uses and disclosures of PHI not covered by this Notice or the laws that apply to us will be made only with your written authorization. If you provide us with authorization to use or disclose PHI about you, you may revoke that authorization, in writing, at any time. If you revoke your authorization, we will no longer use or disclose PHI about you for the reasons covered by your written authorization, except to the extent that we have already taken action in reliance on your authorization.
Note: If you opt in to browser push notifications, your browser push subscription information (such as endpoint and public key) is collected and stored securely, but is not considered PHI. It is used solely to deliver browser push notifications and is not shared except as required for notification delivery.
4. Your Rights Regarding Your Protected Health Information
You have the following rights regarding PHI we maintain about you:
- Right to Inspect and Copy: You have the right to inspect and obtain a copy of PHI that may be used to make decisions about your care or services. Usually, this includes medical and billing records, but does not include psychotherapy notes if applicable (Family Roots does not currently create or store psychotherapy notes). To inspect and copy PHI, you must submit your request in writing to the Contact Information listed below. If you request a copy of the information, we may charge a fee for the costs of copying, mailing, or other supplies associated with your request.
- Right to Amend: If you feel that PHI we have about you is incorrect or incomplete, you may ask us to amend the information. You have the right to request an amendment for as long as the information is kept by or for us. To request an amendment, your request must be made in writing and submitted to the Contact Information listed below. You must provide a reason that supports your request.
- Right to an Accounting of Disclosures: You have the right to request an "accounting of disclosures." This is a list of certain disclosures we made of your PHI for purposes other than treatment, payment, or health care operations, and for which you did not provide authorization. To request this list or accounting of disclosures, you must submit your request in writing to the Contact Information listed below.
- Right to Request Restrictions: You have the right to request a restriction or limitation on the PHI we use or disclose about you for treatment, payment, or health care operations. You also have the right to request a limit on the PHI we disclose about you to someone who is involved in your care or the payment for your care, like a family member or friend. We are not required to agree to your request, except where disclosure is to a health plan for purposes of carrying out payment or health care operations, and the PHI pertains solely to a health care item or service for which you, or a person on your behalf, has paid in full out-of-pocket.
- Right to Request Confidential Communications: You have the right to request that we communicate with you about medical matters in a certain way or at a certain location. For example, you can ask that we only contact you at work or by mail. To request confidential communications, you must make your request in writing to the Contact Information listed below.
- Right to a Paper Copy of This Notice: You have the right to a paper copy of this Notice. You may ask us to give you a copy of this Notice at any time. Even if you have agreed to receive this Notice electronically, you are still entitled to a paper copy.
To exercise any of these rights, please contact us using the information below.
5. Changes to This Notice
We reserve the right to change this Notice and our privacy practices. We reserve the right to make the revised or changed Notice effective for PHI we already have about you as well as any information we receive in the future. We will post a copy of the current Notice on our website. The Notice will contain the effective date on the first page.
6. Complaints
If you believe your privacy rights have been violated, you may file a complaint with us or with the Secretary of the Department of Health and Human Services. To file a complaint with us, please contact us using the information below. All complaints must be submitted in writing. You will not be penalized for filing a complaint.
7. Contact Information
If you have any questions about this Notice or wish to exercise your rights, please contact:
Piotr Zalewa
Family Roots, Kamykowa 6, 87-134 Rozgarty, Poland
contact@fam-roots.com
8. Effective Date
This Notice is effective as of [Current Date - Please Update].
This Notice of Privacy Practices is a draft and requires legal review and customization to ensure full compliance with HIPAA and other applicable laws and regulations based on Family Roots' specific operations and services.