Sleep Reset HIPAA Policy

Effective Date: Jan 31, 2025

THIS NOTICE DESCRIBES HOW YOUR MEDICAL INFORMATION MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.

This Notice of Privacy Practices is mandated by the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). It describes how we may use and disclose your protected health information (PHI) to carry out treatment, payment, or healthcare operations, and for other purposes that are permitted or required by law. It also describes your rights to access and control your protected health information. “Protected health information” is information about you, including demographic information, that may identify you and that relates to your past, present, or future physical or mental health or condition, related health care services, or related to the past, present, or future payment for the provision of health care to you.

We are required to abide by the terms of this Notice of Privacy Practices. We may change the terms of our notice at any time. Any such new notice will be effective for all protected health information that we maintain at that time. Upon your request, you may obtain any revised Notice of Privacy Practices by calling us and requesting that a revised copy be sent to you in the mail or by asking for one during your next telehealth consultation. You acknowledge receipt of this notice by accepting the Terms & Conditions for using the services provided by Sleep Reset.

1. Uses and Disclosures of Protected Health Information

USES AND DISCLOSURES OF PROTECTED HEALTH INFORMATION BASED UPON YOUR WRITTEN CONSENT
Your protected health information may be used and disclosed by Sleep Reset and its affiliates (collectively, "Sleep Reset") and others involved in your care and treatment for the purpose of providing healthcare services to you. Your PHI may also be used and disclosed as necessary to pay healthcare bills and to support the operation of Sleep Reset.

Set forth below are examples of the types of uses and disclosures of your PHI that Sleep Reset is permitted to make. These examples are not meant to be exhaustive but are provided to describe the types of uses and disclosures that may be made by Sleep Reset:

Payment:
Your protected health information may be used, as needed, to obtain payment for your healthcare services. For example, obtaining approval for telehealth services may require that your relevant PHI be disclosed to our health plan to obtain approval for treatment.

Healthcare Operations:
We may use or disclose, as needed, your protected health information to support the normal business activities of Sleep Reset. These activities include, but are not limited to, quality assessment activities, employee review activities, training, licensing, and conducting or arranging for other business activities.

We may also need to share your PHI with certain of our “business associates” or third parties that perform various activities (e.g., billing, care coordination, telehealth consultation scheduling) for Sleep Reset. Whenever an arrangement between Sleep Reset and a business associate involves the use or disclosure of your PHI, we will have in place the legally required safeguards to protect the privacy of your health information.

Data Analytics and Quality Improvement: We may use or disclose de-identified health information derived from PHI for research, quality assessment, product development, and business intelligence purposes. This may include:

  • Aggregating and analyzing treatment outcomes and patterns
  • Developing and improving our services and technology
  • Training machine learning models to enhance care delivery
  • Conducting market research and business planning

Any such use will comply with HIPAA de-identification standards and applicable laws.

ARTIFICIAL INTELLIGENCE AND MACHINE LEARNING SAFEGUARDS

AI Processing of PHI:
When using AI or machine learning with your PHI:
- All AI processing requires explicit patient authorization
- AI models are trained only on properly de-identified data
- Human oversight is maintained for all AI-generated insights
- AI recommendations do not replace clinical judgment

Automated Decision-Making Protections:
- You have the right to know when AI is used in your care
- You may request human review of AI-assisted decisions
- We maintain audit trails of all automated processing
- AI systems undergo regular bias and accuracy testing

Machine Learning Data Governance:
- PHI used for ML training is subject to enhanced security
- AI models are regularly tested for re-identification risks
- We maintain detailed records of all AI/ML data usage
- Patient data is never sold or shared for commercial AI training

Technology and Platform Operations: Your PHI may be processed through our telehealth platform, mobile applications, and associated technologies. This processing may include:

  • Secure cloud storage and transmission
  • Integration with electronic health record systems
  • Collection of usage data and technical metrics
  • Automated scheduling and care coordination

All technology vendors and service providers are bound by Business Associate Agreements and required to maintain HIPAA compliance.

TELEHEALTH-SPECIFIC USES AND DISCLOSURES

For telehealth services delivered through our platform, additional uses and disclosures may occur:

Platform Operations: Your PHI may be processed through our secure telehealth technology platform, including:
- Real-time audio and video transmission during consultations
- Electronic health record integration and synchronization
- Automated appointment scheduling and care coordination
- Technical support and quality assurance monitoring

All platform processing is conducted under strict HIPAA compliance with appropriate technical safeguards.

Emergency Protocols: In telehealth emergency situations, we may disclose your PHI to:
- Emergency services (911) when you cannot communicate directly
- Local healthcare providers when immediate in-person care is required
- Family members or emergency contacts when you are incapacitated during a session

Telehealth Emergency Response Procedures:
During medical emergencies in telehealth sessions:
- Immediate activation of emergency services coordination
- Automatic documentation of emergency PHI disclosures
- Real-time communication with local emergency responders
- Post-emergency review of all PHI access and sharing

Emergency Contact and Notification:
- Pre-authorized emergency contact information on file
- Immediate notification to emergency contacts when appropriate
- Documentation of all emergency-related PHI disclosures
- Follow-up with patients after emergency situations resolved

Telehealth Research and Analytics: We may use de-identified PHI derived from telehealth sessions for:
- Clinical outcomes research and quality improvement studies
- Technology platform optimization and security enhancement
- Population health analytics for sleep disorder management
- Provider training and education programs

All research uses comply with HIPAA de-identification standards.

TELEHEALTH INFORMED CONSENT REQUIREMENTS

Enhanced Consent for Telehealth Services:
Before providing telehealth services, we obtain specific informed consent including:
- Acknowledgment of telehealth limitations compared to in-person care
- Understanding of technology risks and potential failures
- Agreement to environmental responsibilities during sessions
- Consent to emergency override procedures when necessary

Ongoing Consent Management:
- Consent verification at the beginning of each telehealth session
- Right to modify consent preferences between sessions
- Re-consent requirements for new telehealth technologies
- Documentation of all consent modifications in medical records

USES AND DISCLOSURES OF PROTECTED HEALTH INFORMATION BASED UPON YOUR WRITTEN AUTHORIZATION
Other uses and disclosures of your PHI will be made only with your written authorization, unless otherwise permitted or required by law. You may revoke your authorization at any time in writing, except to the extent that Sleep Reset has already relied on the use or disclosure as indicated in the authorization.

OTHER USES AND DISCLOSURES THAT MAY BE MADE AND TO WHICH YOU MAY AGREE OR OBJECT
In the circumstances listed below, you may agree or object to the use or disclosure of your PHI in the manner described. If you do not object, Sleep Reset may determine, using professional judgment, whether disclosing health information is in your best interest. If such a determination is made, only the PHI relevant to your care will be disclosed.

BUSINESS CONTINUITY AND CORPORATE TRANSACTIONS
In the event of a merger, acquisition, or other corporate reorganization, your PHI may be transferred as part of the transaction, subject to the same protections and restrictions outlined in this policy. We may also transfer your PHI in connection with the sale of assets or similar corporate transaction, with appropriate safeguards in place.

Others Involved in Your Healthcare:
Unless you object, we may disclose to a family member, relative, close friend, or any other person you identify, your PHI that directly relates to that person’s involvement in your healthcare. If you are unable to agree or object to such a disclosure, we may disclose such information as necessary if we determine it is in your best interests based on our professional judgment. We may also disclose PHI to assist in notifying a family member or personal representative of your location, general condition, or death.

BUSINESS ASSOCIATES AND SUBCONTRACTORS

Sleep Reset works with various business associates to provide telehealth services. All business associates are required to:

Primary Business Associates:
- Execute HIPAA-compliant Business Associate Agreements (BAAs)
- Implement equivalent privacy and security safeguards
- Report any PHI breaches within required timeframes
- Provide regular compliance certifications

Subcontractor Protections:
- All subcontractors handling PHI must meet the same HIPAA standards
- Multi-tier business associate agreements extend protections throughout the service chain
- We conduct regular audits of business associate compliance
- We maintain ultimate responsibility for all PHI protection regardless of delegation

Technology Partners:
Our telehealth platform may involve multiple technology partners, including:
- Cloud hosting and data storage providers
- Video conferencing and communication platforms
- Electronic health record integration partners
- Billing and payment processing services

Each technology partner maintains HIPAA certification and executes appropriate BAAs.

Emergencies:
In an emergency treatment situation, we may use or disclose your PHI without your prior consent. If this happens, Sleep Reset will make reasonable efforts to obtain your consent as soon as possible after treatment. If we are unable to obtain consent, we may still use or disclose your PHI to treat you.

2. Your Rights

Set forth below is a statement of your rights with respect to your PHI and a brief description of how you may exercise these rights.

  • Accelerated Access Rights:
    You have the right to inspect and obtain copies of your PHI within 15 days of your request (reduced from 30 days). This includes:
    - Complete medical records and consultation notes
    - Telehealth session summaries and recommendations
    - Billing and payment information
    - Technical logs of platform usage (upon specific request)
  • In-Person Inspection Rights:
    You have the right to:
    - Inspect your PHI in person at our offices
    - Take notes during your inspection
    - Photograph or scan documents for personal use
    - Receive itemized fee schedules for any copying costs
  • Electronic Access Rights:
    For telehealth services, you may request:
    - Electronic copies of all PHI in commonly used formats
    - Direct transmission to third-party applications of your choice
    - Integration with personal health record systems
    - Export of historical telehealth data
  • Fee Transparency:
    We will provide:
    - Clear fee schedules for PHI access and copying
    - Notification when information can be accessed at no charge
    - Itemized estimates for complex requests
    - Options for full documentation versus summaries
  • Reproductive Health Protections (2025 Update):
    Your reproductive health information receives additional protections:
    - Cannot be used for investigations or liability proceedings
    - Requires special attestations before any disclosure
    - Enhanced confidentiality during telehealth consultations
    - Additional consent requirements for related disclosures

3. Electronic Communications

You may contact us at help@thesleepreset.com for any inquiries or to communicate with us electronically. However, we advise that email communication may not be encrypted and could potentially be intercepted. By communicating with us via email, you acknowledge the risk associated with email communication and agree to those risks.

Platform Security and Data Transmission

Our telehealth platform and mobile applications employ industry-standard encryption and security measures to protect your PHI. While we maintain appropriate technical safeguards, no electronic transmission system is guaranteed to be 100% secure. By using our services, you acknowledge:

  • Communications occur over internet and mobile networks
  • Technical processing and transmission may involve multiple networks and systems
  • Data may be stored in secure cloud environments
  • Automated systems may process your information for service delivery

Data Retention and Deletion

We maintain PHI in accordance with applicable laws and regulations. Unless otherwise required by law:

  • Active patient records are maintained for a minimum of 7 years
  • Inactive accounts may be archived after 2 years of inactivity
  • De-identified data may be retained indefinitely for quality improvement
  • You may request deletion of your PHI subject to legal requirements

TELEHEALTH PLATFORM SECURITY AND COMMUNICATIONS

Secure Communication Standards:
Our telehealth platform implements:
- End-to-end encryption for all video and audio communications
- Multi-factor authentication for provider and patient access
- Automatic session termination and timeout protections
- Real-time security monitoring and threat detection

Patient Environment Responsibilities:
When participating in telehealth sessions, you are responsible for:
- Ensuring a private, secure location for consultations
- Using secure internet connections (avoiding public Wi-Fi)
- Confirming your identity at the beginning of each session
- Reporting any technical issues or security concerns immediately

Session Recording and Documentation:
- Telehealth sessions are not recorded without explicit written consent
- Session notes and summaries are documented in your medical record
- You may request copies of all session documentation
- Technical metadata (connection quality, duration) may be retained for quality purposes

Technology Failure Protocols:
In the event of technology failures during telehealth sessions:
- Sessions may be resumed via secure alternative methods
- Critical information will be documented regardless of technical issues
- Emergency situations will be escalated to appropriate in-person care
- You will be notified of any potential PHI security implications

Data Transmission and Storage:
- All PHI transmission uses HIPAA-compliant encryption standards
- Data is stored in secure, geographically distributed cloud environments
- Backup and disaster recovery procedures protect against data loss
- International data transfers (if any) comply with applicable privacy laws

ENHANCED BREACH NOTIFICATION AND RESPONSE

Breach Definition and Assessment:
A breach is any impermissible use or disclosure of PHI that compromises security or privacy. We conduct immediate risk assessments for all potential incidents.

Notification Timelines (2025 Requirements):
For confirmed breaches involving your PHI:
- Individual notification: Within 60 days of breach discovery
- HHS Office for Civil Rights: Within 60 days of discovery
- Media notification: Within 60 days if breach affects 500+ individuals
- Business associate notification: Without unreasonable delay

Enhanced Notification Content:
Breach notifications will include:
- Clear description of what information was involved
- Steps taken to mitigate harm and prevent recurrence
- Contact information for questions and assistance
- Resources for identity monitoring when appropriate
- Timeline of discovery and response actions

Telehealth-Specific Breach Protections:
For breaches involving telehealth sessions:
- Immediate suspension of affected technology systems
- Review of all recent telehealth communications
- Enhanced monitoring of related patient accounts
- Coordination with technology partners for comprehensive response

Patient Support Services:
Following any breach affecting your information:
- Dedicated privacy officer contact for questions
- Free identity monitoring services when appropriate
- Assistance with credit report monitoring
- Support for reporting potential fraud or misuse

4. International Operations

If we expand services internationally, your PHI may be transferred to, stored, or processed in other countries, subject to appropriate safeguards and agreements to maintain HIPAA compliance and protect your privacy rights. Any international data transfers will comply with applicable laws and regulations.

Cross-Border PHI Safeguards:
If we expand services internationally, we implement enhanced protections:
- Adequacy determinations for destination countries
- Standard contractual clauses for international data transfers
- Regular assessment of foreign privacy law compliance
- Enhanced encryption for international transmissions

Specific International Frameworks:
- EU GDPR Article 49 derogations for health data transfers
- Canada PIPEDA cross-border health information requirements
- UK Data Protection Act post-Brexit healthcare provisions
- Australia Privacy Act health record transfer safeguards

Patient Notification for International Transfers:
We will notify you when your PHI may be:
- Processed in countries with different healthcare privacy standards
- Subject to foreign government access under local laws
- Transferred to international business associates or subcontractors
- Stored in overseas data centers or cloud facilities

5. Changes to Services and Technology

We may update our technology, platforms, and services over time. Any substantial changes affecting PHI handling will be reflected in updates to this policy. Changes may include:

  • New features or functionality
  • Integration with additional healthcare services
  • Implementation of new technologies
  • Modifications to data processing systems

We will maintain appropriate safeguards and compliance through any such changes.

6. Complaints

If you believe your privacy rights have been violated, you may file a complaint with Sleep Reset or the Secretary of Health and Human Services. Complaints should be directed to our Privacy Officer. We will not retaliate against you for filing a complaint. You can contact our Privacy Officer at:
Sleep Reset, Inc.
Attention: Privacy
2261 Market Street #4408
San Francisco, CA 94114
Email: help@thesleepreset.com

No Retaliation Policy:
We will not retaliate against you for:
- Filing privacy complaints with any authority
- Exercising your privacy rights under this policy
- Reporting suspected HIPAA violations
- Participating in compliance investigations

Complaint Response Procedures:
- Initial acknowledgment within 5 business days
- Investigation completion within 30 days
- Written response with findings and corrective actions
- Follow-up to ensure resolution effectiveness

7. Regulatory Compliance and Future Updates

2025 HIPAA Compliance:
This policy incorporates all current HIPAA requirements, including:
- Updated Privacy Rule requirements effective 2025
- Enhanced Security Rule cybersecurity standards
- New reproductive health privacy protections
- Strengthened business associate compliance requirements

Ongoing Regulatory Monitoring:
We continuously monitor regulatory developments including:
- HHS Office for Civil Rights guidance updates
- State-specific privacy law requirements
- FTC health data enforcement actions
- Industry cybersecurity standards evolution

Policy Update Procedures:
- Annual review of all privacy practices and procedures
- Immediate updates for regulatory changes affecting patient rights
- 30-day notice for material policy changes
- Automatic distribution of updated policies to active patients

Audit and Compliance Verification:
We maintain comprehensive compliance programs including:
- Annual HIPAA Security Rule risk assessments
- Regular business associate compliance audits
- Continuous security monitoring and threat assessment
- Staff training and compliance certification programs

Last Updated: Jan 31, 2025