NOTICE OF HIPAA PRIVACY PRACTICES

THIS NOTICE DESCRIBES HOW YOUR MEDICAL INFORMATION MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE READ IT CAREFULLY.

A. SUMMARY

This is a summary of how we may use and disclose your protected health information and your rights and choices when it comes to your information. We will explain these in more detail on the following pages.

Our Uses and Disclosures

We may use and disclose your information as we:

• Treat you.
• Bill for services.
• Run our organization.
• Comply with the law.
• Address workers’ compensation, law enforcement, or other government requests.
• Respond to lawsuits and legal actions.

Your Choices

You have some choice about how we use and share information as we:

• Communicate with you.
• Tell family and friends about your condition.
• Market our services.

Your Rights

You have the right to:

• Get a copy of your paper or electronic protected health information.
• Correct your protected health information.
• Ask us to limit the information we share, in some cases.
• Get a list of those with whom we’ve shared your information.
• Request confidential communication.
• Get a copy of this HIPAA Notice.
• Choose someone to act for you.
• File a complaint if you believe we have violated your privacy rights.

B. PURPOSE

This Notice of HIPAA Privacy Practices (“HIPAA Notice”) describes the privacy practices of McCrory Sunny Hill Nursery, LLC (DBA: GrowHealthy) and its affiliates (hereinafter referred to as “GrowHealthy”, “us”, “we”, “our”, or “Company”). GrowHealthy respects patient privacy and is committed to maintaining the confidentiality of our patients’ private health information.

This HIPAA Notice describes our legal duties and organizational efforts to safeguard our patient health information from improper or unnecessary use or disclosure, our permitted uses and disclosures of your protected health information (“PHI”), as well as your rights regarding PHI and how you may obtain access this information. Nothing in this HIPAA Notice should be construed to voluntarily or involuntarily waive GrowHealthy’s requirement to protect your medical health information.

C. WHAT IS INFORMATION PROTECTED?

The Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), as modified by the Health Information Technology for Economic and Clinical Health Act (“HITECH”) were enacted to ensure the privacy and confidential handling of patient medical health information. HIPAA and HITECH apply to all medical and medical health service providers, and as such requires us to safeguard health information about our patients called “protected health information” (“PHI”) that is created, received, maintained or transmitted in the course of providing services to you through our medical cannabis entities and medical cannabis dispensaries. PHI is health information that can be used to identify you and relates to: (2) your physical and mental condition, (2) the provision of health care to you, or (3) payment for your health care.

GrowHealthy chooses to maintain the privacy of medical health information and PHI. As a result, all patients are provided with this HIPAA Notice of our duties and privacy practices with respect to medical health information. When patient PHI is used or disclosed, we are required to abide by the terms of this HIPAA Notice (or other notice in effect at the time of the use or disclosure).

This HIPAA Notice applies to the information and records we have about our patient’s health, health status, and heath care and service you receive from GrowHealthy. Patient health information may include information created and received by GrowHealthy, may be in the form of written or electronic records or spoken words, and may include information from patient’s internal profile about health-related information and related billing activity. A patient-specific log of medical cannabis products dispensed to the patient, including brand, administration form, dosage, dates dispensed, any return of product, will be provided to the patient’s designated caregiver, if applicable, or the patient’s healthcare practitioner upon request.

D. HOW WE COLLECT PATIENT INFORMATION

GrowHealthy and its employees collect patient data through a variety of means including but not limited to: phone calls, emails, voicemails, and from the submission of patient information that are either required by law or necessary to provide patient access to medical cannabis or other requests for assistance through our organization.

E. USE AND DISCLOSURES OF PHI

To protect the privacy of our patients, GrowHealthy guards the physical security of PHI, and limits the way PHI is used or disclosed to others. In certain situations, we must obtain written authorization from you in order to use and disclose your PHI.

The law permits or requires us to use or disclose your PHI for various reasons, which we explain in this HIPPA Notice. We have included some examples, but we have not listed every permissible use or disclosure. When using or disclosing PHI or requesting your PHI from another source, we will make reasonable efforts to limit our use, disclosure, or request about your PHI to the minimum we need to accomplish our intended purpose.

F. YOUR CHOICES

For certain health information, you can tell us your choices about what we share. If you have a clear preference for how we share your information in the situations described below, please contact us and we will make reasonable efforts to follow your instructions.

You have the both the right and choice to tell us whether to:

• Share information, such as your PHI, general condition, or location, with your family, close friends, or others involved in your care.
• Share information in a disaster relief situation, such as to a relief organization to assist with locating or notifying your family, close friends, or others involved in your care.

We may share your information if we believe it is in your best interest, according to our best judgment, and:

• If you are unable to tell us your preference, for example, if you are unconscious.
• When needed to lessen a serious and imminent threat to health or safety.

G. USES AND DISCLOSURES THAT DO NOT REQUIRE PATIENT’S AUTHORIZATION

Uses and Disclosures for Treatment, Payment, or Health Care Operations

• Treatment – We may use and/or disclose PHI in order to provide and coordinate treatment, goods, and services you receive. For example, a member of our dispensary team may ask you questions regarding your medical conditions for which medical cannabis aides in the treatment of to ensure that we provide you the best possible medical cannabis products for your condition(s).
• Payment – We may use and disclose PHI in order to obtain payment for the products and services that we provide you.
• Health Care Operations – We may use and disclose your PHI to run our practice and improve your care. For example, we may use your PHI to manage the services you receive, for numerous administrative or to monitor the quality of our health care services, such as quality control functions necessary for the proper operation of GrowHealthy’s organization.

Other Uses and Disclosures

We may share your information in other ways, usually for public health or research purposes or to contribute to the public good. For more information on permitted uses and disclosures, see www.hhs.gov/ocr/privacy/hipaa/understanding/consumers/index.html. For example, these other uses and disclosures may involve:

• Our Business Associates – We may use and disclose your PHI to outside persons or entities that perform services on our behalf, such as auditing, legal, or transcription (“Business Associates”). The law requires our business associates and their subcontractors to protect your PHI in the same way we do. We also contractually require these parties to use and disclose your PHI only as permitted and to appropriately safeguard your PHI.
• Legal Compliance – For example, we will share your PHI if the Department of Health and Human Services requires it when investigating our compliance with privacy laws.
• Public Health and Safety Activities – We may use or disclose PHI to prevent or lessen a serious and imminent threat to a person or the safety and/or health of the public. We may also share your PHI to: Report injuries, births, and deaths; prevent disease; report adverse reactions to medications; or report suspected child neglect or abuse or domestic violence.
• Responding to Legal Actions – We may disclose PHI to law enforcement officials, as required or permitted by law or in compliance with a court or administrative order or subpoena, discovery request, grand jury, or another lawful process.
• Research – For example, we may share your PHI for some types of health research that do not require your authorization, such as if an institutional review board (“IRB”) has waived the written authorization requirement because the disclosure only involves minimal privacy risks.
• Medical Examiners or Funeral Directors – For example, we may share PHI with coroners, medical examiners, or funeral directors when an individual dies.
• Workers’ Compensation, Law Enforcement, or Other Government Requests – For example, we may use and disclosure your PHI for: workers’ compensation claims; health oversight activities by federal or state agencies; law enforcement purposes or with a law enforcement official; or specialized government functions, such as military and veterans’ activities, national security and intelligence, presidential protective services, or medical suitability.
• As Required by Law – We may use and disclose PHI when required to do so by any other law not already referred to in the aforementioned categories.

H. USES AND DISCLOSURES THAT REQUIRE PATIENT’S AUTHORIZATION

We require your authorization for any purpose other than those described above, and as such, may only use or disclose PHI when you provide us such authorization to do so. See below examples of when your authorization is required in order to use and disclose PHI.

In these cases, we will only share your information if you give us written permission:

• Marketing our Services.
• Certain research activities
• Other uses and disclosures not described in this HIPAA Notice.

Disclosure to Relatives, Close Friends, and Other Caregivers – We may use and disclose PHI to a relative, close friend, or another person identified by you. We will only use and disclose PHI upon your agreement and consent to such disclosure, or upon receipt of such permission from you prior to the disclosure.

You may revoke your authorization at any time, but it will not affect the information that we already used and disclosed.

I. PATIENT PRIVACY RIGHTS

Federal law provides you with certain rights regarding PHI that pertains to you. This section explains your rights and some of our responsibilities to help you.

You have the right to:

• Inspect and Obtain a Copy of Your PHI. You have the right to see or obtain an electronic or paper copy of the PHI that we maintain about you (“right to request access”). Alternatively, you may request a summary of your PHI or an explanation of your PHI. Some clarification about your access rights:
  • We may require you to make access requests in writing or by submitting an electronically signed form.
  • We may charge a reasonable, cost-based fee for the costs of copying, mailing, or other supplies associated with your request. You will be notified of the costs before you incur any expenses.
  • You may request that we provide a copy of your PHI to a family member, another person, or a designated entity. We require that you submit these requests via an electronically signed form or in writing with your signature, and clearly identify the designated person and where to send the PHI and/or details about how to direct PHI to another person identified by you.
  • You may request that we direct a copy of your PHI to a third party of your choice on a standing, regular basis.
  • If you request a copy of your PHI, we will generally decide to provide or deny access within 30 days, however, if we cannot act within 30 days, we will give you a reason for the delay in writing and when you can expect us to act on your request.
  • We may deny your request for access in certain limited circumstances, however, if we deny your access request, we will provide a written denial with the basis for our decision and explain your rights to appeal or file a complaint.
• Inspect and Obtain a Copy of Your Purchase History. You may request access to your purchase history.
• Make Amendments. You may ask us to correct or amend PHI that we maintain about you that you think is incorrect or inaccurate. For these requests:
  • You must submit requests in writing or electronically, specify the inaccurate or incorrect PHI, and provide a reason that supports your request.
  • We will generally decide to grant or deny your request within 60 days. If we cannot act within 60 days, we will give you a reason for the delay in writing and include when you can expect us to complete our decision, which will be no longer than an additional 30 days. We will only ask for an extension once in response to a request.
  • We may deny your request for an amendment if you ask us to amend PHI that is not part of our record, that we did not create, that is not part of a designated record set, or that is accurate and complete.
  • If we deny your request, we will tell you why in writing. You will have the right to submit a written statement disagreeing with the denial and, if you opt not to submit this statement, you may request that we provide your original request for amendment and the denial with any future disclosures of PHI subject to the amendment. However, we may prepare a written rebuttal to any individual’s statement of disagreement.
  • We will append the material created or submitted in accordance with this paragraph to your designated record.
• Request Additional Restrictions. You have the right to ask us to limit what we use or share about your PHI (“right to request restrictions”) to individuals (such as a family member, other relative, close personal friend, or any other person identified by you) involved with you care or with payment related to your care. All requests for such restrictions must be made in writing. While all requests for additional restrictions will be considered carefully, we are not required to agree to a requested restriction. For these requests:
  • We may say “no” if it would affect your care; but
  • We will agree not to disclose information to a health plan for purposes of payment or heath care operations if the requested restriction concerns a health care item or service for which you or another person, other than the health plan, paid in full out-of-pocket, unless it is otherwise required by law.
• Request an Accounting of Disclosures. You have the right to request an accounting of certain PHI disclosures that we have made. For these requests:
  • We will respond no later than 60 days after receiving the request. We may ask for an additional 30 days during this 60-day period, but if we do, we will only do it once, provide a written statement of why, and indicate the date by which we intend to send the response;
  • We will include all the disclosures except for those about treatment, payment, and health care operations, and certain other disclosures, such as any you asked us to make; and
  • We will provide one accounting a year for free, but will charge a reasonable, cost-based fee if you ask for another one within 12 months. We will notify you about the costs in advance and you may choose to withdraw or modify your request at that time.
• Request Confidential Communications. You have the right to request that we communicate with you about health matter and PHI via alternative means of communication. You may request to receive written PHI by other means of communication or via alternate locations and can expect to be accommodated for any reasonable request. For example, you can ask that we only contact you at work or at a specific address. You may submit a written request for confidential communications to your local medical cannabis dispensary. For these requests:
  • You must specify how or where you wish to be contacted; and
  • We will accommodate reasonable requests.
• Revocation of Authorization. You may revoke your authorization, in writing, at any time. If you revoke your authorization, GrowHealthy will no longer use or disclose PHI except as described above or as permitted by any other authorization that have not been revoked.
• Request a Paper Copy of this HIPAA Notice. You may obtain a paper copy of this HIPAA Notice upon request, even if you agreed to receive such notice electronically.
• Make Complaints. If you are seeking further information about your privacy rights, or believe that your rights have been violated, or disagree with a decision that was made regarding access to your PHI, you should let us know immediately. Please contact our Privacy Officer, delineated below. We will take steps to remedy any violations of the HIPAA Notice and Privacy Policy.
• Caregivers for Minors. Registered caregivers for minors who are patients of GrowHealthy may exercise the above rights on behalf of such patients, consistent with state law.

DATA BREACH NOTIFICATION

We will promptly notify you if a data breach occurs that may have compromised the privacy or security of your PHI. We will notify you within the legally required time frame (i.e., no later than 60 days after we discover the breach). 

CHANGES TO THIS NOTICE

We may change the terms of this HIPAA Notice at any time. If we change this Notice, we may make the new HIPAA Notice terms effective for all PHI that we maintain, including any information created or received prior to issuing the new HIPAA Notice. If we change this HIPAA Notice, the new HIPAA Notice will be available on request, in our dispensaries, and on our website. You may also obtain any revised notice by contacting the manager at your location dispensary or by visiting our website www.growhealthy.local.

CONTACT

If you have any questions about this HIPAA Notice, please contact our Privacy Officer: Erin.mccarthy@ianthus.com.