HIPAA Authorization Notice for myCARI

Version: 1.0

Last Updated: January 1, 2026

Effective Date: January 1, 2026

Introduction

This HIPAA Authorization Notice explains how MLPipes LLC ("we," "our," or "us") collects, uses, and protects your Protected Health Information ("PHI") when you use the myCARI mobile application (the "App").

By checking the HIPAA authorization checkbox during account setup, you provide your express written consent for us to collect, use, and disclose your PHI as described in this notice.

What is Protected Health Information (PHI)?

Protected Health Information includes any individually identifiable health information that we collect, create, or receive through the App, including but not limited to:

  • Medical conditions and diagnoses
  • Medications and dosages
  • Vital signs and health measurements
  • Lab results and medical test data
  • Medical appointment information
  • Healthcare provider information
  • Treatment and care plans

PHI We Collect

Health Data You Enter Manually

  • Vital Signs: Blood pressure, heart rate, blood glucose, temperature, oxygen saturation, respiratory rate, weight
  • Medications: Names, dosages, schedules, refill information, pharmacy details
  • Medical History: Conditions, diagnoses, allergies, procedures, immunizations
  • Appointments: Healthcare provider visits, scheduled procedures, follow-ups
  • Medical Documents: Scanned documents, uploaded records, notes

Health Data from Apple HealthKit

With your permission, we collect:

  • Heart rate and resting heart rate
  • Blood pressure readings
  • Blood glucose levels
  • Oxygen saturation (SpO2)
  • Respiratory rate
  • Body measurements (weight, height, BMI)
  • Sleep data (duration, stages, quality)
  • Step count and activity data
  • Workout and exercise data
  • Electrocardiogram (ECG) readings
  • Active energy burned
  • Stand hours and activity rings

Health Data from Healthcare Providers (FHIR)

When you connect your healthcare provider accounts (Epic MyChart, Cerner, etc.), we import:

  • Laboratory results and reference ranges
  • Medication lists and prescriptions
  • Diagnoses and problem lists
  • Immunization records
  • Allergy and intolerance information
  • Clinical notes and summaries
  • Imaging and procedure reports

AI-Analyzed Health Data

Our AI features process:

  • Meal Photos: Images of food you photograph are analyzed for nutritional content (calories, macronutrients, ingredients)
  • Health Patterns: Your vitals, activity, sleep, and medication data are analyzed to generate personalized health insights
  • Trends and Anomalies: AI identifies patterns and potential concerns in your health data

Care Team Communications

  • Messages exchanged with care team members about health topics
  • Shared health data and updates
  • Care coordination notes

How We Use Your PHI

We use your Protected Health Information to:

Provide Health Tracking Services

  • Display your health metrics on dashboards
  • Track medication schedules and adherence
  • Monitor vital sign trends over time
  • Generate health history timelines
  • Provide appointment reminders

Generate AI Health Insights

  • Analyze your health data patterns
  • Provide personalized health recommendations
  • Generate daily health coaching and goals
  • Identify potential health concerns for discussion with your provider
  • Analyze meal photos for nutritional information

Enable Care Team Collaboration

  • Share health data with care team members you authorize
  • Enable secure messaging about your health
  • Provide care team members with relevant health updates
  • Support coordinated care activities

Send Health Reminders

  • Medication reminders and alerts
  • Appointment notifications
  • Health check-in prompts
  • Refill reminders

Improve Our Services

  • Develop better health tracking features
  • Improve AI accuracy and recommendations
  • Fix bugs and enhance performance
  • (All improvement activities use de-identified or aggregated data when possible)

Who Can Access Your PHI

You

You always have full access to all your health information in the App.

Care Team Members

You control which care team members can access your PHI:

Permission Level | Access Granted
Basic View | Medications, appointments, emergency alerts only
Full View | All health data including vitals, medical records
Professional Caregiver | Full access with mandatory audit logging

You can modify or revoke care team access at any time in App settings.

Our Service Providers

We share PHI with service providers who help operate the App:

Provider | Purpose | Safeguards
Google Cloud Platform | Data storage and processing | BAA in place, encryption at rest
Firebase (Google) | Authentication, messaging | BAA in place, access controls
AI Processing Services | Health insights, meal analysis | Data encrypted, no retention

All service providers are bound by Business Associate Agreements (BAAs) or equivalent contractual protections.

Legal and Emergency Disclosures

We may disclose PHI without your authorization when:

  • Required by law (court orders, subpoenas)
  • Necessary to prevent a serious threat to health or safety
  • Required for public health activities
  • Needed for healthcare oversight activities

We will notify you of such disclosures when legally permitted.

Your HIPAA Rights

You have the following rights regarding your PHI:

Right to Access

  • View all your health data in the App
  • Export your health records in standard formats (PDF, FHIR)
  • Request a complete copy of your health information

Right to Amendment

  • Request corrections to inaccurate health data
  • Add notes or clarifications to your records
  • Update outdated information

Right to Restriction

  • Request limits on how we use or share your PHI
  • Restrict sharing with specific care team members
  • Opt out of certain data processing activities

Right to Accounting

  • Receive a list of disclosures of your PHI
  • See who has accessed your health data
  • Review care team access logs

Right to Confidential Communications

  • Request communications through specific channels
  • Set notification preferences for health alerts

Right to Revoke Authorization

  • Withdraw this authorization at any time
  • Revocation applies to future uses only
  • Prior uses based on your authorization remain valid

To exercise any of these rights, contact us at privacy@carihealth.ai or use the Privacy settings in the App.

Security Measures

We protect your PHI with enterprise-grade security:

Encryption

  • At Rest: AES-256 encryption for all stored health data
  • In Transit: TLS 1.3 encryption for all data transmission
  • End-to-End: Care team messages encrypted between devices

Access Controls

  • Biometric authentication (Face ID, Touch ID)
  • Strong password requirements
  • Session timeout for inactive sessions
  • Multi-factor authentication available

Audit Logging

  • All PHI access is logged with timestamps
  • Care team member access is tracked
  • Login attempts and security events monitored
  • Logs retained for compliance purposes

Data Isolation

  • Each user's data stored in isolated containers
  • Care team access controlled per-user
  • Professional caregivers have separate audit trails

Message Retention and Deletion

Care Team Messages

  • Messages are stored securely for care coordination
  • You can delete messages from your view
  • HIPAA Compliance Note: Original message content may be retained in audit logs even after deletion to maintain complete health records
  • Unsent messages preserve original content for compliance

Message Audit Trail

  • All messages are logged for HIPAA compliance
  • Audit logs include sender, recipient, timestamp, and content hash
  • Logs are retained for the legally required period (minimum 6 years)

Data Retention

Active Account

  • Your PHI is retained while your account is active
  • You can delete specific health records at any time
  • Medication logs and vital history preserved for continuity of care

Account Deletion

  • Upon account deletion, PHI is removed from active systems within 30 days
  • Backup copies may be retained for up to 90 days
  • Audit logs and compliance records retained for 6 years as required by law

Legal Holds

  • If subject to legal proceedings, data may be retained beyond normal periods
  • You will be notified if legally permitted

Authorization Term

Duration

This authorization is effective from the date you provide consent and remains in effect while you maintain an active myCARI account.

Revocation

You may revoke this authorization at any time by:

  1. Deleting your account in the App
  2. Emailing privacy@carihealth.ai with subject "Revoke HIPAA Authorization"
  3. Contacting us at the address below

Revocation takes effect upon processing (within 5 business days) and applies to future uses only. We cannot undo uses or disclosures made in reliance on your prior authorization.

Electronic Signature

By checking the HIPAA authorization checkbox during account creation or when accepting updated terms, you are providing your electronic signature pursuant to the Electronic Signatures in Global and National Commerce Act (E-SIGN Act) and the Uniform Electronic Transactions Act (UETA).

Your electronic signature is associated with:

  • Your email address
  • Your Firebase user ID
  • The timestamp of your consent
  • The version of this authorization you accepted
  • Your device identifier and IP address (for verification)

This electronic signature has the same legal effect as a handwritten signature.

Changes to This Notice

We may update this HIPAA Authorization Notice to reflect changes in our practices or legal requirements. When we make changes:

  • We will update the "Last Updated" date
  • For material changes, we will notify you in the App
  • You may be required to re-authorize for significant changes
  • Your continued use after notification constitutes acceptance

Contact Information

For questions about this HIPAA Authorization Notice or to exercise your rights:

MLPipes LLC

  • Privacy Inquiries: privacy@carihealth.ai
  • HIPAA Rights Requests: hipaa@carihealth.ai
  • General Support: support@carihealth.ai
  • Website: https://carihealth.ai
  • Mailing Address: 5725 S Valley View Blvd Ste 5 PMB 471045
    Las Vegas, Nevada 89118-3122 US

Privacy Officer: Alfeo A. Sabay

Acknowledgment

By checking the HIPAA authorization checkbox, you acknowledge that:

  1. You have read and understand this HIPAA Authorization Notice
  2. You voluntarily consent to the collection, use, and disclosure of your PHI as described
  3. You understand your rights regarding your PHI
  4. You understand you may revoke this authorization at any time
  5. You are at least 18 years of age (or the age of majority in your jurisdiction)

This HIPAA Authorization Notice was last updated on January 1, 2026.

Version 1.0