HIPAA プライバシー慣行通知（NPP）

This Notice applies to Sky e-Clinic and its clinicians, workforce members, and business associates when they create, receive, maintain, or transmit protected health information (PHI) for treatment, payment, health care operations, or other purposes permitted or required by law.

• Get an electronic or paper copy of your medical record, subject to applicable law and verification.
• Ask us to correct your medical record if you believe it is incomplete or incorrect.
• Request confidential communications by a specific method or at a specific address.
• Ask us to limit what we use or share. We are not always required to agree, except where HIPAA requires compliance, such as certain paid-in-full out-of-pocket restrictions to a health plan.
• Get a list of certain disclosures of your PHI.
• Get a paper or electronic copy of this Notice at any time.
• Choose someone to act for you, such as a personal representative authorized by law.
• File a complaint with Sky e-Clinic or with the U.S. Department of Health and Human Services Office for Civil Rights if you believe your privacy rights have been violated. We will not retaliate against you for filing a complaint.

• You may tell us your preferences for sharing information with family, friends, caregivers, or others involved in your care or payment for care.
• You may authorize us to send records or visit summaries to your primary care provider, local clinician, specialist, pharmacy, caregiver, or another person or entity.
• We will obtain written authorization when HIPAA requires it, such as most uses of psychotherapy notes, marketing communications requiring authorization, sale of PHI, or disclosures not otherwise permitted by HIPAA.
• Other uses and disclosures not described in this Notice will be made only with your written authorization when required by HIPAA. You may revoke an authorization in writing at any time, except to the extent Sky e-Clinic has already relied on it.

Treatment: We may use and share your PHI to provide, coordinate, or manage your care, prescriptions, laboratory orders, referrals, follow-up instructions, and emergency escalation.

Payment: We may use and share your PHI to collect payment, process refunds, provide superbills, handle billing disputes, and manage financial records. Sky e-Clinic may not bill insurance directly unless separately stated.

Health care operations: We may use and share PHI to run our practice, improve quality, train workforce members, conduct audits, credential providers, manage compliance, investigate complaints, and maintain security.

Business associates: We may share PHI with vendors that perform services for us, such as EHR, telehealth, e-prescribing, payment, secure messaging, cloud hosting, legal, accounting, and support vendors, under required agreements when HIPAA applies. Website analytics for non-PHI public pages are described separately in the Website Privacy Policy; Sky does not intentionally disclose PHI to analytics vendors unless a HIPAA-compliant agreement and workflow are approved.

• Public health and safety, disease reporting, adverse event reporting, product recalls, or communicable disease prevention.
• Health oversight agencies, audits, investigations, inspections, licensing, and disciplinary actions.
• Law enforcement, court orders, subpoenas, legal proceedings, or other lawful processes when requirements are met.
• Abuse, neglect, domestic violence, or serious threat to health or safety reporting when permitted or required by law.
• Coroners, medical examiners, funeral directors, organ and tissue donation organizations, workers compensation, and specialized government functions when applicable.
• Research only when permitted by law and approved through required safeguards. Sky e-Clinic does not use PHI for research unless specifically approved and permitted.

Telehealth appointments, messages, photos, prescriptions, billing information, and clinical records may be PHI. We use approved platforms and safeguards intended to protect PHI. No electronic system is perfectly secure. Do not use public website forms, standard email, social-media direct-message channels (such as LINE), or text messages for emergencies or medical details. All clinical communication must occur through Elation Patient Passport (the approved HIPAA-compliant clinical channel). Standard email and other non-Passport channels are used only for neutral notifications (e.g., 'your visit summary is ready, log into Patient Passport') and never carry your clinical assessment, prescription details, or care instructions.

If a privacy breach affects your PHI, we will notify you in writing as required by HIPAA breach notification rules — generally within 60 days of discovery. If a breach affects 500 or more individuals, we also notify the U.S. Department of Health and Human Services and, where applicable, prominent media in your jurisdiction. Where contact information is insufficient for direct notice (10 or more individuals), we provide a substitute notice through prominent web posting (active for 90 days or more) and a toll-free telephone number (active for 90 days or more) so you can determine whether your information was involved.

• We are required by law to maintain the privacy and security of PHI.
• We will notify you if a breach occurs that may compromise the privacy or security of your PHI when required by law.
• We must follow the duties and privacy practices described in this Notice while it is in effect.
• We may change this Notice and make the new Notice apply to PHI we already have and new PHI. The current Notice will be posted on the website.

For unemancipated minor patients (under 18), a parent or legal guardian generally serves as the personal representative for purposes of accessing the minor's PHI. State law and certain HIPAA exceptions may modify this default — for example, where a minor is legally permitted to consent to specific health services without parental involvement, or where there is reasonable suspicion of abuse, neglect, or endangerment by the personal representative. Sky e-Clinic's launch scope does not include confidential adolescent services that require minor-only consent (such as confidential STI testing or contraception for patients under 18); for such services, please contact your local adolescent health clinic, Title X clinic, or school-based health center.

Sky e-Clinic does not use AI for clinical operations at launch. If Sky e-Clinic later uses a healthcare AI agent that handles PHI, the AI vendor will be treated as a business associate where required by HIPAA. Sky may use PHI collected through an approved AI agent for treatment, health care operations, and administrative support, subject to HIPAA, this NPP, vendor agreements, and applicable state law. AI does not replace physician review.

Privacy Officer: Taichi Imamura, MD. Phone: (808) 385-8760. Email: privacy-officer@skyeclinic.org. Medical-records access requests: records@skyeclinic.org. For clinical inquiries, please use Patient Passport. Phone and the email addresses above are for non-clinical privacy inquiries. Mailing address: SKY E-CLINIC LLC, 1164 Bishop St STE 940, Honolulu, HI 96813. Sky e-Clinic is a solo-physician practice at launch; role-based email addresses are forwarded to the Privacy Officer. You may also file a complaint with the U.S. Department of Health and Human Services Office for Civil Rights.