NOTICE OF PRIVACY PRACTICES 

Effective Date: April 27, 2026 

THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY. 

Holon Health, Inc. and its affiliates (collectively, “Holon,” “we,” “us,” or “our”) are committed to protecting the privacy of your protected health information (“PHI”). PHI is health information – including information about your physical health, mental health, substance use, and social needs – that identifies you or could be used to identify you. This Notice of Privacy Practices (“Notice”) describes how we may use and disclose your PHI, your rights regarding your PHI, and our legal duties under federal and state privacy law. 

We are required by law to (a) maintain the privacy of PHI, (b) provide you with this Notice of our legal duties and privacy practices, (c) notify you following a breach of unsecured PHI, and (d) abide by the terms of the Notice currently in effect. This Notice is issued under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), as amended by the Health Information Technology for Economic and Clinical Health Act (“HITECH”), and the regulations at 45 C.F.R. Parts 160, 162, and 164; the federal substance use disorder confidentiality regulations at 42 C.F.R. Part 2 (as amended by the Final Rule effective February 16, 2024, with a compliance date of February 16, 2026); and applicable state law. 

1. How We May Use and Disclose Your PHI Without Your Authorization 

We may use and disclose your PHI without your written authorization for the purposes listed below. For each category, we describe the purpose and give a brief example. 

  • Treatment: We use and disclose your PHI to provide, coordinate, or manage your health care and related services. Example: Your Holon clinician may share your PHI with another provider involved in your care (for example, a behavioral health therapist or specialist you are referred to). 
  • Payment: We use and disclose your PHI to bill and collect payment for the care you receive. Example: We may share your PHI with your health plan to obtain authorization for services or to submit a claim. 
  • Health Care Operations: We use and disclose your PHI for operational activities such as quality improvement, case review, credentialing, licensing, training, audits, and business planning. Example: We may use your PHI to evaluate the quality of care our clinicians deliver. 
  • Business Associates: We contract with outside individuals and companies, called “business associates,” to perform services on our behalf (for example, our billing vendor). We share PHI with business associates only under a written contract that requires them to safeguard PHI and use it only for the purposes of the contract. 
  • Individuals Involved in Your Care (Family, Friends, Care Partners): We may share PHI relevant to your care with a family member, friend, care partner, or other person you identify as involved in your health care or payment for your health care. When you are present and have the capacity to make decisions, we will either ask for your agreement, give you an opportunity to object, or reasonably infer from the circumstances that you do not object. If you are not present or are unable to agree or object due to incapacity or an emergency, we may disclose PHI if we determine that doing so is in your best interest. 
  • Public Health Activities: We may disclose PHI for public health activities including disease and injury reporting, reports of child abuse or neglect to authorized state or local authorities, reports to the Food and Drug Administration regarding products and their safety, and notifications to persons who may have been exposed to a communicable disease. 
  • Victims of Abuse, Neglect, or Domestic Violence: We may disclose PHI to government authorities when we reasonably believe a patient is a victim of abuse, neglect, or domestic violence, consistent with 45 C.F.R. § 164.512(c). 
  • Health Oversight: We may disclose PHI to a health oversight agency for audits, investigations, inspections, licensure, and other activities authorized by law (for example, to state Medicaid programs, the state departments of health, professional licensing boards, and the U.S. Department of Health and Human Services (HHS)). 
  • Judicial and Administrative Proceedings: We may disclose PHI in response to a court or administrative order, and, in certain circumstances, in response to a subpoena, discovery request, or other lawful process that includes satisfactory assurances that you have been notified or that a protective order has been obtained. 
  • Law Enforcement: We may disclose PHI for law enforcement purposes as required or permitted by law – for example, to respond to a valid court order, warrant, or subpoena; to identify or locate a suspect, fugitive, material witness, or missing person; or to report certain crimes or suspicious deaths. 
  • Coroners, Medical Examiners, and Funeral Directors: We may disclose PHI to coroners, medical examiners, and funeral directors to carry out their duties. 
  • Organ and Tissue Donation: If you are an organ donor, we may disclose PHI to organizations that handle organ procurement or transplantation. 
  • Research: We may use or disclose PHI for research under strict protocols approved by an Institutional Review Board or Privacy Board, or under a valid authorization, as permitted by 45 C.F.R. § 164.512(i). 
  • To Avert a Serious Threat to Health or Safety: We may disclose PHI to prevent or lessen a serious and imminent threat to a person or the public. 
  • Specialized Government Functions: We may disclose PHI for specialized government functions, including military and veterans’ activities, national security and intelligence activities, protective services for the President and others, medical suitability determinations, and matters involving inmates or correctional institutions when you are in custody. 
  • Workers’ Compensation: We may disclose PHI as authorized by, and to the extent necessary to comply with, workers’ compensation laws or similar programs that provide benefits for work-related injuries or illness. 
  • As Otherwise Required by Law: We will use and disclose PHI when required to do so by federal, state, or local law. 

2. Uses and Disclosures That Require Your Written Authorization 

Except as described in Section 1 or as otherwise permitted or required by law, we will use and disclose your PHI only with your written authorization. In particular, the following require your authorization: 

  • Psychotherapy notes (most uses and disclosures); 
  • Uses and disclosures for marketing purposes (with limited exceptions); 
  • Disclosures that constitute a sale of PHI; and 
  • Fundraising communications (to the extent we engage in fundraising) – you have the right to opt out. 

You may revoke a written authorization at any time by notifying us in writing, except to the extent we have already acted in reliance on it. 

3. Special Protections for Substance Use Disorder Information (42 C.F.R. Part 2) 

Federal regulations at 42 C.F.R. Part 2 protect the confidentiality of records that identify a patient as having a substance use disorder (“SUD”) when those records are created by a federally assisted SUD treatment program. As revised by the 2024 Final Rule (compliance date February 16, 2026), Part 2 permits Holon, where Holon operates as or receives records from a Part 2 program, to rely on a single written patient consent authorizing future uses and disclosures of Part 2 records for treatment, payment, and health-care-operations (TPO) purposes, subject to the following: 

  • SUD counseling notes require a separate, specific consent and cannot be used or disclosed based solely on a general TPO consent. 
  • Records protected by Part 2 remain subject to redisclosure limitations except as permitted by the 2024 Final Rule. 
  • Breach notification obligations under HIPAA apply to breaches of Part 2 records. 

Part 2 records will not, without specific written patient consent, be used in any civil, criminal, administrative, or legislative proceeding against the patient, except in very limited circumstances authorized by law (for example, pursuant to a court order meeting the heightened Part 2 standard). 

4. Your Rights Regarding Your PHI 

  • Right to Inspect and Obtain a Copy of Your PHI: You have the right to inspect and obtain a copy of PHI we maintain about you, including a copy in electronic form if we maintain your PHI electronically. You may also direct us to transmit a copy of your PHI to a person or entity you designate in a written, signed, and clearly identified request. We may charge a reasonable, cost-based fee permitted by law. In limited circumstances, we may deny access, and in some cases that denial is reviewable. 
  • Right to Request an Amendment: If you believe PHI in your record is incorrect or incomplete, you have the right to request that we amend it. Your request must be in writing and state the reason for the amendment. We may deny your request in certain circumstances (for example, if we did not create the record, or if we determine the record is accurate and complete), and if we deny your request, you may submit a written statement of disagreement that will be included in future disclosures. 
  • Right to an Accounting of Disclosures: You have the right to request an accounting of certain disclosures of your PHI that we have made during the six (6) years before your request (or a shorter period if you specify). Certain disclosures are excluded from accounting, including disclosures for treatment, payment, and health-care operations, disclosures made pursuant to your written authorization, and disclosures to you. 
  • Right to Request a Restriction: You have the right to request restrictions on how we use or disclose your PHI for treatment, payment, or health-care operations, or to persons involved in your care. We are not required to agree to most requested restrictions. However, we must agree to a request to restrict disclosure of PHI to a health plan if: (i) the disclosure is for the purpose of carrying out payment or health-care operations and is not otherwise required by law; and (ii) the PHI pertains solely to a health care item or service for which you (or another person on your behalf, not the health plan) have paid us in full out of pocket. See 45 C.F.R. § 164.522(a)(1)(vi). 
  • Right to Request Confidential Communications: You have the right to request that we communicate with you about PHI by alternative means or at alternative locations (for example, at work rather than at home). We will accommodate reasonable requests. 
  • Right to Be Notified of a Breach: You have the right to be notified if we (or a business associate acting on our behalf) discover a breach of your unsecured PHI, consistent with 45 C.F.R. §§ 164.400–414 and applicable state breach notification laws. 
  • Right to a Paper Copy of This Notice: You have the right to obtain a paper copy of this Notice, even if you have agreed to receive it electronically. 
  • Right to Revoke an Authorization: If you have given us a written authorization to use or disclose your PHI, you may revoke that authorization at any time by notifying us in writing, except to the extent we have already relied on it. 

5. Use of Automated and Artificial Intelligence Technologies 

Holon may use automated tools and artificial intelligence (“AI”) technologies to support the care we provide. Examples of how AI may be used include: 

  • Supporting clinical documentation, summarization, and note-taking by your Holon clinicians; 
  • Personalizing patient engagement – for example, appointment reminders and care-plan nudges delivered through the Vibe application; 
  • Verifying completion of activities eligible for recognition under the Vibe contingency-management program; 
  • Identifying patients who may benefit from outreach or additional services; and 
  • Supporting administrative and operational activities, such as billing, scheduling, and quality measurement. 

When AI tools handle your PHI, they do so for the same purposes described elsewhere in this Notice – most often treatment, payment, and health care operations. Any AI vendor that creates, receives, maintains, or transmits PHI on our behalf operates under a Business Associate Agreement, and the tool is configured to use only the minimum information necessary for its purpose, consistent with HIPAA’s Minimum Necessary Standard. 

Clinical decisions about your care, including diagnoses, treatment plans, prescriptions, referrals, and decisions about Vibe rewards eligibility, are made by Holon clinicians and Holon staff. AI tools support, but do not replace, the judgment of your care team. 

AI tools are an integral part of how Vibe operates and how Holon delivers and supports your care. AI is built into Vibe’s reminders, into Holon’s clinical documentation workflow, into the Rewards verification process, and into Holon’s compliance and quality programs. If you have questions about how AI is used in your care, please ask your Holon care team or contact our Privacy Officer using the information in Section 9. 

6. Complaints 

If you believe your privacy rights have been violated, you may file a written complaint with Holon or with the Secretary of the U.S. Department of Health and Human Services.  

We will not retaliate against you for filing a complaint or exercising any of your rights under this Notice. 

File a Complaint with Holon 

Holon Health, Inc. 

ATTN: Privacy Officer 

3540 Pump Rd, #1188 

Richmond, VA 23233-1115 

Phone: (877) 465-6650 

Email: compliance@holonhealth.com 

File a Complaint with the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) 

U.S. Department of Health and Human Services 

Office for Civil Rights 

200 Independence Avenue, S.W. 

Room 509F, HHH Building 

Washington, D.C. 20201 

Phone: (800) 368-1019 (TDD: (800) 537-7697) 

OCR Complaint Portal: https://ocrportal.hhs.gov/ocr/smartscreen/main.jsf 

7. Changes to This Notice 

We reserve the right to change the terms of this Notice at any time. Any revised Notice will be effective for PHI we already have about you, as well as any PHI we receive in the future. The current Notice will be posted at each Holon service-delivery site and on Holon’s website, and will include the effective date. Upon request, we will provide you with a copy of the current Notice at any time. 

8. State Law 

State law may provide additional or different protections for certain categories of information. Where state law is more protective, we comply with state law. If you would like more information about how state law applies in your state, please contact our Privacy Officer using the information in Section 9. 

9. Contact Us 

For questions about this Notice, for a paper copy of this Notice, or to exercise any of your rights, please contact: 

Holon Health, Inc. — Privacy Officer 

3540 Pump Rd, #1188 

Richmond, VA 23233-1115 

Phone: (877) 465-6650 

Email: compliance@holonhealth.com