HIPAA Notice of Privacy Practices

Effective Date: April 4, 2026

THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.

Important Clarification of Role

OpenWaterRx does not provide medical care and is not a healthcare provider. Medical services are provided by independent licensed providers and affiliated medical groups. Those providers may maintain their own Notice of Privacy Practices governing the medical services they deliver.

Your Health Data Is Never Used for Marketing

PHI vs. Marketing Data: How We Keep Them Separate

Protected Health Information (PHI)

  • Health history, diagnoses, medications
  • Clinical intake responses
  • Provider communications
  • Lab results and prescriptions
  • Contact info collected during clinical intake

Stored in HIPAA-compliant encrypted systems. Never shared with advertisers or marketing platforms.

Marketing & Analytics Data

  • Pages visited on our website
  • General quiz responses (pre-intake)
  • Waitlist or newsletter email sign-ups
  • Cookie and traffic analytics
  • Voluntarily submitted non-clinical info

Governed by our Privacy Policy. Never commingled with clinical PHI. Opt out anytime.

We do not sell, rent, or license your PHI. We do not use your health information to target you with advertising. Marketing vendors are contractually prohibited from accessing PHI systems. See Section 4 of this Notice for the full PHI/marketing separation policy.

Your Patient Rights at a Glance

Access your PHI

Request a copy of your health records within 30 days

Amend your PHI

Request corrections to inaccurate or incomplete records

Accounting of disclosures

See a list of certain disclosures made in the past 6 years

Request restrictions

Ask us to limit how we use or share your information

Confidential communications

Request we contact you in a specific way or location

Breach notification

Be notified promptly if your unsecured PHI is compromised

To exercise any right, contact our Privacy Officer at members@openwaterrx.com. You may also file a complaint with the HHS Office for Civil Rights at no cost to you. We will never retaliate against you for filing a complaint.

1. Our Commitment to Your Privacy

Open Water Rx LLC ("Open Water Rx") is committed to protecting the privacy of your health information. This Notice of Privacy Practices ("Notice") describes how we and the healthcare providers who use our platform may use and disclose your Protected Health Information (PHI) and how you can access this information. We are required by law to maintain the privacy of your PHI, to provide you with this Notice of our legal duties and privacy practices, and to abide by the terms of this Notice.

This Notice applies to all PHI that we receive or facilitate in connection with services provided through our platform. "Protected Health Information" means individually identifiable health information, including demographic data, that relates to your past, present, or future physical or mental health condition, the provision of healthcare to you, or the past, present, or future payment for the provision of healthcare.

In addition to federal HIPAA requirements, Open Water Rx complies with applicable Florida state privacy laws, including the Florida Information Protection Act (FIPA), Fla. Stat. § 501.171, and Florida's telehealth privacy requirements under Fla. Stat. § 456.47. Where Florida law provides greater privacy protections than HIPAA, we apply the more protective standard.

2. How We May Use and Disclose Your PHI

We may use and disclose your PHI for the following purposes without your written authorization:

Treatment: We may use and disclose your PHI to facilitate your medical evaluation, coordinate care with independent licensed providers and affiliated medical groups, and support the prescribing and dispensing of medications. For example, we may share your health information with the licensed medical provider reviewing your case and with the licensed pharmacy fulfilling your prescription.

Payment: We may use and disclose your PHI to obtain payment for services rendered, including billing, claims processing, and collection activities.

Healthcare Operations: We may use and disclose your PHI for our internal operations, including quality assessment, compliance activities, training, and business management.

As Required by Law: We will disclose your PHI when required to do so by federal, state, or local law, including in response to a court order, subpoena, or government investigation.

Public Health Activities: We may disclose your PHI to public health authorities for activities such as disease surveillance, reporting of adverse events, or as required by the FDA.

Health Oversight Activities: We may disclose your PHI to health oversight agencies for audits, investigations, inspections, and licensure activities.

Serious Threats to Health or Safety: We may use or disclose your PHI if we believe it is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public.

Business Associates: We may share your PHI with third-party service providers ("Business Associates") who perform services on our behalf, provided they have signed a Business Associate Agreement obligating them to protect your PHI.

3. Uses and Disclosures Requiring Your Authorization

For uses and disclosures not described in this Notice, we will obtain your written authorization before using or disclosing your PHI. This includes:

  • Marketing communications (other than face-to-face communications or promotional gifts of nominal value)
  • Sale of your PHI
  • Most uses and disclosures of psychotherapy notes
  • Any other use or disclosure not permitted by HIPAA without authorization

You have the right to revoke any authorization you have given us at any time, in writing. Revocation will not affect any actions we took in reliance on your authorization before we received your revocation.

4. How PHI Is Kept Separate from Marketing Data

Open Water Rx maintains a strict operational and technical separation between your Protected Health Information (PHI) and any marketing or analytics data we collect. This section explains exactly how those two categories of data are handled differently.

What is PHI? PHI includes any individually identifiable health information you provide in connection with your clinical evaluation, prescription, or ongoing care, including your health history, medications, diagnoses, lab results, and any communications with your licensed medical provider. PHI is governed exclusively by HIPAA and applicable state law.

What is marketing data? Marketing data includes non-health information collected through general website interactions, such as pages visited, quiz responses that do not constitute a clinical intake, email address provided for waitlist or newsletter enrollment, and general demographic information you voluntarily submit outside of a clinical context.

How we keep them separate:

  • PHI is stored in HIPAA-compliant, encrypted systems with strict access controls. It is never shared with advertising platforms, marketing automation tools, or analytics vendors without your explicit written authorization.
  • Marketing data collected through general website interactions (such as cookies, page views, or email sign-ups) is handled under our Privacy Policy and is never commingled with your clinical PHI.
  • Your email address or phone number collected during a clinical intake is treated as PHI and is not added to general marketing lists without your separate, explicit consent.
  • We do not use your PHI to target you with third-party advertising. We do not sell, rent, or license your PHI to any third party for marketing purposes.
  • Any third-party tools used for marketing analytics (such as website traffic measurement) operate only on non-PHI data and are contractually prohibited from accessing clinical information.

Your control: You may opt out of marketing communications at any time by emailing members@openwaterrx.com or using the unsubscribe link in any marketing email. Opting out of marketing communications does not affect your clinical care or your rights under this HIPAA Notice. Your PHI will continue to be used only as described in Sections 2 and 3 of this Notice, regardless of your marketing preferences.

Business Associate Agreements: Any third-party vendor that may incidentally access PHI in the course of providing services to us (for example, a HIPAA-compliant email delivery provider used for clinical communications) is required to execute a Business Associate Agreement (BAA) with Open Water Rx before accessing any PHI. Marketing vendors that operate solely on non-PHI data are not granted access to PHI systems and are not required to execute a BAA, but are contractually prohibited from accessing or processing PHI.

5. Your Rights Regarding Your PHI

You have the following rights with respect to your PHI:

Right to Access: You have the right to inspect and obtain a copy of your PHI that we maintain in a designated record set. We may charge a reasonable, cost-based fee for copies. We will respond to your request within 30 days.

Right to Amend: You have the right to request that we amend your PHI if you believe it is inaccurate or incomplete. We may deny your request under certain circumstances and will explain any denial in writing.

Right to an Accounting of Disclosures: You have the right to request a list of certain disclosures we have made of your PHI during the six years prior to your request.

Right to Request Restrictions: You have the right to request restrictions on how we use or disclose your PHI. We are not required to agree to all requested restrictions, but we will comply with any restriction we do agree to.

Right to Confidential Communications: You have the right to request that we communicate with you about your PHI in a certain way or at a certain location.

Right to a Paper Copy of This Notice: You have the right to receive a paper copy of this Notice upon request, even if you have agreed to receive it electronically.

Right to Notification of Breach: You have the right to be notified in the event of a breach of your unsecured PHI, as required by the HITECH Act.

6. Our Duties

We are required by law to:

  • Maintain the privacy and security of your PHI
  • Provide you with this Notice of our legal duties and privacy practices
  • Notify you promptly if a breach occurs that may have compromised the privacy or security of your PHI
  • Abide by the terms of this Notice currently in effect

We reserve the right to change the terms of this Notice and to make the new Notice provisions effective for all PHI we maintain. We will post the revised Notice on our website and make it available upon request.

7. Minimum Necessary Standard

When using or disclosing PHI or when requesting PHI from another covered entity, we make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request. This minimum necessary standard does not apply to disclosures to or requests by a healthcare provider for treatment purposes, disclosures to you, uses or disclosures made pursuant to your authorization, or disclosures required by law.

7A. Third-Party Clinical Systems

Health information may be stored and maintained in systems operated by affiliated medical groups and technology partners, including OpenLoop. Those entities may maintain their own privacy and security practices.

8. Security of Electronic PHI

We implement and maintain reasonable and appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of electronic PHI (ePHI) that we create, receive, maintain, or transmit. These safeguards include:

  • Encryption of ePHI in transit and at rest using industry-standard protocols
  • Access controls limiting PHI access to authorized personnel only
  • Audit controls to record and examine activity in systems containing ePHI
  • Regular risk assessments and security evaluations
  • Employee training on HIPAA privacy and security requirements
  • Business Associate Agreements with all third-party vendors who access ePHI

9. How to Exercise Your Rights or File a Complaint

To exercise any of your rights described in this Notice, or if you have questions about our privacy practices, please contact our Privacy Officer at:

Open Water Rx LLC, Privacy Officer
Cape Coral, Florida
Email: members@openwaterrx.com

If you believe your privacy rights have been violated, you may file a complaint with us or with the U.S. Department of Health and Human Services Office for Civil Rights:

U.S. Department of Health and Human Services
Office for Civil Rights
200 Independence Avenue, S.W.
Washington, D.C. 20201
Toll Free: 1-877-696-6775
Website: hhs.gov/ocr

We will not retaliate against you for filing a complaint.

10. Effective Date

This Notice of Privacy Practices is effective as of April 4, 2026. We reserve the right to change this Notice at any time. Any revised Notice will be posted on our website and will apply to all PHI we maintain at that time.