HIPAA Notice of Privacy Practices & Patient Consent
Effective Date: March 1, 2026 — pursuant to 45 CFR Part 160 and Subparts A and E of Part 164
THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
MOCEAN Therapy, LLC (“MOCEAN,” “we,” “us,” or “our”) is a covered entity under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and its implementing regulations, 45 CFR Parts 160 and 164 (the “Privacy Rule” and “Security Rule”). We are required by federal law to maintain the privacy of your protected health information, to provide you with this Notice of our legal duties and privacy practices with respect to your protected health information, and to abide by the terms of the Notice currently in effect.
1. Protected Health Information We Maintain
“Protected Health Information” or “PHI” means individually identifiable health information that is created, received, maintained, or transmitted by MOCEAN in any form or medium — electronic, paper, or oral — that relates to (i) your past, present, or future physical or mental health or condition; (ii) the provision of health care to you; or (iii) the past, present, or future payment for the provision of health care to you. See 45 CFR § 160.103.
In the context of the MOCEAN Health platform, PHI includes, but is not limited to, the following categories of information:
Body Composition Data
InBody bioelectrical impedance assessment results, including skeletal muscle mass, body fat percentage, segmental lean analysis, basal metabolic rate, intracellular and extracellular water ratios, and visceral fat level scores.
Treatment Records
Physical therapy session notes, acupuncture treatment records, clinical assessments, SOAP notes, functional outcome measures, and provider-authored care plan documentation.
Health Assessments
Body system scores, wellness screening questionnaire responses, movement assessments, postural evaluations, and longitudinal health progression data.
Wearable Device Metrics
Oura Ring biometric data including sleep architecture (REM, deep, light cycles), resting heart rate, heart rate variability (HRV), SpO2, skin temperature deviation, respiratory rate, activity data, and readiness scores synchronized to the MOCEAN platform under your authorization.
Appointment History
Booking records, attendance logs, cancellation history, check-in and check-out timestamps, session frequency, and appointment-linked provider assignments.
Provider-Patient Communications
In-platform chat messages, telehealth session transcripts, and any written or electronic correspondence between you and your MOCEAN care team.
Billing and Insurance
Insurance plan identifiers, claim submission records, payment transaction history, membership tier, invoices, and any financial data linked to your care episodes.
2. How We May Use and Disclose Your PHI
The Privacy Rule permits covered entities to use and disclose PHI without your written authorization for treatment, payment, and healthcare operations (45 CFR § 164.506) and for certain other purposes specified in the Rule (45 CFR § 164.512). MOCEAN uses your PHI only in the ways described below.
Treatment
We may use and disclose your PHI for your treatment and to coordinate care among MOCEAN providers. For example, your physical therapist may share your InBody assessment results and session notes with your acupuncturist to ensure integrated, whole-body care. Providers may access your complete care record through the MOCEAN platform to deliver clinically informed services.
Payment
We may use and disclose your PHI to obtain payment for services rendered. This includes submitting claims to your insurance carrier, processing membership billing through our payment processor (Stripe), verifying insurance eligibility, and collecting outstanding balances. Billing information may be shared with your insurer as required to adjudicate claims.
Healthcare Operations
We may use your PHI for internal business activities necessary to operate our practice, including: quality assessment and improvement activities; staff training and credentialing; compliance audits; legal and regulatory reviews; accreditation activities; and business planning. These activities are authorized under 45 CFR § 164.506 and are essential to maintaining high standards of clinical care.
Appointment Reminders
We may contact you by email, SMS text message, or in-app notification to remind you of scheduled appointments, notify you of cancellations or rescheduling, and send follow-up wellness check-ins. You may request a preferred communication method under your right to confidential communications (see Section 4).
Health-Related Benefits and Services
We may use your PHI to inform you of health-related benefits, wellness programs, and services that may be relevant to your care. For example, we may notify you when a new program becomes available based on your current treatment modality or health assessment results.
Business Associates
We may disclose PHI to third-party vendors and service providers (collectively, “Business Associates”) who assist us in operating our practice and who have executed a Business Associate Agreement (“BAA”) with MOCEAN as required by 45 CFR § 164.504(e). Current Business Associates include:
Stripe, Inc. — payment processing and subscription billing
Twilio / SendGrid — transactional email and SMS communications
Daily.co — HIPAA-compliant telehealth video infrastructure
Amazon Web Services (AWS) — encrypted cloud storage and compute infrastructure for PHI
Oura Health Oy — wearable biometric data synchronization (under separate authorization)
Business Associates may only use your PHI as permitted under their BAA and may not further disclose your PHI except as required by law.
Required by Law
We may use or disclose your PHI when required to do so by applicable federal or state law, including in response to a valid court order, subpoena, or administrative order; to public health authorities to prevent or control disease or injury; to law enforcement officials under specific statutory authority; and to oversight agencies conducting audits, investigations, or licensure activities. See 45 CFR § 164.512.
Prevention of Serious Threat to Health or Safety
We may use or disclose your PHI if we, in good faith, believe it is necessary to prevent or lessen a serious and imminent threat to the health or safety of you, another person, or the public, and the disclosure is to a person reasonably able to prevent or lessen the threat. See 45 CFR § 164.512(j).
3. Uses and Disclosures Requiring Your Written Authorization
The following uses and disclosures of your PHI require your specific written authorization under 45 CFR § 164.508. You may revoke any such authorization in writing at any time, except to the extent that we have already taken action in reliance on it.
Marketing communications (beyond appointment reminders and health-related benefits described above)
Sale of PHI — MOCEAN does not and will not sell your protected health information under any circumstances
Psychotherapy notes, if generated in connection with mental health services
Sharing PHI with any third party not covered by an executed Business Associate Agreement
Research involving PHI, unless a waiver of authorization is granted by an Institutional Review Board (IRB) or Privacy Board under 45 CFR § 164.512(i)
Any other use or disclosure not described in this Notice
Important: MOCEAN will never sell your protected health information. Any use of your PHI for purposes not described in this Notice will require your separate written authorization, which you may revoke at any time by contacting our Privacy Officer at hello@moceanpt.com.
4. Your Individual Rights Under HIPAA
The Privacy Rule (45 CFR §§ 164.522–164.528) grants you the following rights with respect to your PHI. To exercise any of these rights, submit a written request to our Privacy Officer (see Section 9).
Right to Access Your PHI (45 CFR § 164.524) You have the right to inspect and obtain a copy of your PHI maintained in our designated record set, including your treatment records, billing records, and health assessments. We will provide access or a copy within 30 days of receiving your request (extendable by one additional 30-day period with written notice). We may charge a reasonable cost-based fee for copies. You may request records in electronic format where available.
Right to Amend Your PHI (45 CFR § 164.526) If you believe that PHI we maintain about you is inaccurate or incomplete, you may request an amendment. We will act on your request within 60 days. We may deny your request if the information was not created by us, is not part of our designated record set, or is already accurate and complete, and we will provide you a written denial with the basis for our decision.
Right to an Accounting of Disclosures (45 CFR § 164.528) You have the right to receive a written accounting of certain disclosures of your PHI made during the six years prior to your request. This accounting does not include disclosures made for treatment, payment, or healthcare operations, or disclosures made pursuant to your written authorization.
Right to Request Restrictions (45 CFR § 164.522(a)) You may request that we restrict certain uses or disclosures of your PHI for treatment, payment, or healthcare operations. We are not required to agree to your request unless it concerns a disclosure to a health plan for payment or operations purposes and the PHI pertains solely to services for which you have paid out of pocket in full. If we agree, we will honor the restriction until you revoke it or we notify you that we are terminating the restriction.
Right to Confidential Communications (45 CFR § 164.522(b)) You have the right to request that we communicate with you about your PHI by alternative means or at an alternative location. For example, you may request that appointment reminders be sent only to a specific phone number or email address. We will accommodate all reasonable requests and will not require an explanation.
Right to Revoke Authorization If you have provided written authorization for a specific use or disclosure of your PHI, you may revoke that authorization at any time by submitting a written revocation to our Privacy Officer. Revocation is effective upon receipt and does not apply to actions already taken in reliance on the authorization prior to revocation.
Right to File a Complaint If you believe we have violated your privacy rights, you may file a complaint with our Privacy Officer or directly with the U.S. Department of Health and Human Services, Office for Civil Rights (“OCR”) at www.hhs.gov/ocr/complaints or by calling 1-800-368-1019. MOCEAN will not retaliate against you in any way for filing a complaint.
5. Digital Health Data — Specific Provisions
MOCEAN operates a digital health platform that collects and processes PHI through modern health technologies. The following provisions govern specific categories of digital health data.
Wearable Device Data — Oura Ring Integration
If you choose to connect your Oura Ring account to the MOCEAN platform, MOCEAN will receive access to your biometric data including sleep stages, resting heart rate, heart rate variability (HRV), blood oxygen saturation (SpO2), skin temperature deviations, respiratory rate, step count, activity levels, and readiness scores. This integration requires your explicit authorization through the Oura Health OAuth2 authorization flow. You may revoke MOCEAN’s access to your Oura data at any time through your Oura account settings or by contacting our Privacy Officer. Disconnection from the Oura integration does not automatically delete previously synchronized data; you must submit a separate deletion request.
Virtual Telehealth Sessions
MOCEAN offers virtual physical therapy and wellness consultations via video through Daily.co, a HIPAA-compliant telehealth platform covered by an executed BAA. By scheduling and attending a virtual session, you acknowledge and consent that:
Your video session data is transmitted using end-to-end encryption
Session recordings, if made, will be stored as PHI in your clinical record and will not be shared without your authorization except as permitted by this Notice
You have the right to refuse session recording at any time by notifying your provider before or during the session
Telehealth is not appropriate for emergency situations — if you are experiencing a medical emergency, call 911 immediately
Electronic Communications Consent
By using the MOCEAN platform, you consent to the use of electronic communications — including in-platform chat, email via SendGrid, and SMS via Twilio — for the purposes described in this Notice. Messages containing PHI are encrypted in transit between your device, the MOCEAN platform, and our messaging providers using TLS 1.2 or higher, and are encrypted at rest using AES-256. Note that an SMS message, once handed to your mobile carrier for delivery, travels over the carrier network without end-to-end encryption, and an email may be readable by your email provider; if you prefer not to receive PHI by these channels, you may request an alternative communication method under your right to confidential communications (see Section 4). Standard carrier messaging rates may apply to SMS communications.
Cloud Storage of PHI
All PHI collected and processed by the MOCEAN platform is stored on Amazon Web Services (AWS) infrastructure hosted in the United States. AWS has executed a BAA with MOCEAN. Under that agreement AWS is responsible for the physical, technical, and administrative safeguards of the underlying infrastructure, and MOCEAN remains responsible for configuring and operating its services on that infrastructure in accordance with the HIPAA Security Rule. All PHI at rest is encrypted using AES-256; all PHI in transit is encrypted using TLS 1.2 or higher. MOCEAN conducts regular security audits and penetration testing to maintain the confidentiality and integrity of your data.
Data Synchronization
The MOCEAN platform synchronizes health data across provider-facing and patient-facing interfaces in real time. Access to synchronized data is governed by role-based access controls (RBAC) — your provider may view data synchronized from your wearable device only to the extent necessary to support your treatment. Raw device data is never sold or shared with third parties for advertising purposes.
6. Data Breach Notification
In the event of a breach of unsecured PHI, MOCEAN will comply with the notification requirements of the HIPAA Breach Notification Rule, 45 CFR Part 164, Subpart D.
Affected individuals will be notified without unreasonable delay and no later than 60 calendar days following our discovery of the breach
Notification will be provided by first-class mail (or email if you have elected electronic communications) and will describe the nature of the breach, the categories of PHI involved, steps you should take to protect yourself, and the steps MOCEAN has taken to investigate and mitigate harm
We will notify the U.S. Department of Health and Human Services (HHS) as required — breaches affecting 500 or more individuals will be reported to HHS within 60 days of discovery and posted to the HHS Breach Portal, and, where 500 or more residents of a single state or jurisdiction are affected, we will also notify prominent media outlets serving that state or jurisdiction as required by 45 CFR § 164.406
Breaches affecting fewer than 500 individuals will be logged and reported annually to HHS
Where required by state law, MOCEAN will also notify the applicable state attorney general and other authorities
MOCEAN maintains a comprehensive incident response plan, conducts regular security risk assessments as required by 45 CFR § 164.308(a)(1), and conducts breach simulation exercises to ensure operational readiness.
7. Minimum Necessary Standard
MOCEAN applies the minimum necessary standard (45 CFR § 164.502(b)) to all uses, disclosures, and requests for PHI. This means we make reasonable efforts to limit access to PHI to the minimum information necessary to accomplish the intended purpose.
Workforce members are granted access to PHI only to the extent required by their specific job function and responsibilities
The MOCEAN platform enforces role-based access controls (RBAC) — a front-desk staff member cannot access clinical session notes; a provider cannot access billing account credentials
All access to PHI within the MOCEAN platform is logged in a tamper-evident audit trail, including the user identity, timestamp, record accessed, and action taken
Audit logs are retained for a minimum of six years in accordance with the HIPAA documentation retention requirements (45 CFR §§ 164.316(b)(2) and 164.530(j))
MOCEAN conducts periodic access reviews to ensure workforce members retain only necessary privileges
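The two controls described in this Section and in the Data Synchronization provision of Section 5 — a role-based permission check applied before any PHI is returned, and an audit trail in which every access is recorded in a way that later alteration can be detected — can be illustrated with a short example. The code below is an added illustration for this Notice, not MOCEAN's platform code; the role names, record types, HMAC key, and sample access attempts are constructed for the example. Each audit entry commits to the previous entry's hash, so changing or removing any earlier entry causes verification to fail.

```python
"""
Added illustration (not MOCEAN's code): a minimal role-based access check
enforcing the minimum necessary standard, plus a hash-chained,
tamper-evident audit trail. Roles, record types, key and sample events
are constructed for this example.
"""
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Hypothetical policy: which record types each role may read or write.
# Front desk sees scheduling and billing contact data, never clinical notes;
# providers see clinical and wearable data, never billing details.
ROLE_PERMISSIONS = {
    "front_desk": {"appointment": {"read", "write"}, "billing": {"read"}},
    "provider": {"appointment": {"read"}, "clinical_note": {"read", "write"},
                 "wearable": {"read"}, "body_composition": {"read", "write"}},
    "billing": {"billing": {"read", "write"}, "appointment": {"read"}},
}

GENESIS = "0" * 64  # hash chain starts from a fixed all-zero value


class AuditLog:
    """Append-only log; each entry commits to the previous entry's hash."""

    def __init__(self, key: bytes):
        self._key = key  # HMAC key stored separately from the log itself
        self.entries: list = []

    def _digest(self, entry: dict) -> str:
        # Canonical JSON of every field except the hash itself.
        body = json.dumps({k: v for k, v in entry.items() if k != "hash"},
                          sort_keys=True, separators=(",", ":")).encode()
        return hmac.new(self._key, body, hashlib.sha256).hexdigest()

    def append(self, user, role, record_type, record_id, action, allowed):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {
            "seq": len(self.entries),
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": user,
            "role": role,
            "record": f"{record_type}:{record_id}",
            "action": action,
            "outcome": "allowed" if allowed else "denied",
            "prev": prev,
        }
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """Recompute every HMAC and check the chain links and sequence numbers."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev"] != prev:
                return False
            if not hmac.compare_digest(e["hash"], self._digest(e)):
                return False
            prev = e["hash"]
        return True


def is_permitted(role, record_type, action) -> bool:
    return action in ROLE_PERMISSIONS.get(role, {}).get(record_type, set())


def access(log, user, role, record_type, record_id, action) -> bool:
    """Every attempt, allowed or denied, is logged before any data is returned."""
    ok = is_permitted(role, record_type, action)
    log.append(user, role, record_type, record_id, action, ok)
    return ok


def demo():
    log = AuditLog(key=b"constructed-demo-key")
    results = [
        access(log, "fd-01", "front_desk", "appointment", "A100", "read"),    # allowed
        access(log, "fd-01", "front_desk", "clinical_note", "N200", "read"),  # denied
        access(log, "pt-07", "provider", "clinical_note", "N200", "write"),   # allowed
        access(log, "pt-07", "provider", "billing", "B300", "read"),          # denied
    ]
    intact_before = log.verify()
    # Simulate after-the-fact tampering: rewrite a denied access as allowed.
    log.entries[1]["outcome"] = "allowed"
    intact_after = log.verify()
    return results, intact_before, intact_after


if __name__ == "__main__":
    print(demo())
```

The HMAC key is kept outside the log store so that someone who can edit the stored entries cannot also recompute valid hashes; in practice the chain head would additionally be anchored periodically to a write-once location so that truncating the log from the end is also detectable.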
8. Patient Acknowledgment
By creating a MOCEAN Health account and accepting this Notice, you acknowledge and agree that:
You have received, read, and had an opportunity to review this Notice of Privacy Practices
You understand how MOCEAN may use and disclose your protected health information as described herein
MOCEAN reserves the right to change its privacy practices and the terms of this Notice at any time, provided that such changes are permitted under applicable law
Any revised Notice will be made available on the MOCEAN Health platform and at our physical location at 315 Madison Ave, New York NY 10017, and will apply to PHI we already maintain as well as any PHI we create or receive going forward
You have the right to request a paper or electronic copy of the current Notice at any time by contacting hello@moceanpt.com or calling 917-715-4665
This acknowledgment does not constitute a waiver of any of your rights under HIPAA or applicable state law
Receiving care at MOCEAN is not conditioned on your signature on this Notice. However, as a covered entity, MOCEAN is required to make a good-faith effort to obtain your written acknowledgment of receipt. If you choose not to acknowledge, we will document the reason in your record and continue to provide care.
9. Contact Information for Privacy Concerns
To exercise any right described in this Notice, to request information, or to file a privacy complaint, please contact MOCEAN’s designated Privacy Officer:
Privacy Officer, MOCEAN Therapy, LLC — 315 Madison Ave, New York, NY 10017 — hello@moceanpt.com — 917-715-4665
You may also file a complaint directly with the U.S. Department of Health and Human Services:
Office for Civil Rights (OCR) — 200 Independence Ave, S.W., Washington, D.C. 20201 — Phone: 1-800-368-1019 (TDD: 1-800-537-7697) — www.hhs.gov/ocr/complaints
This Notice is effective March 1, 2026. Document version 1.0. Prepared in compliance with 45 CFR Part 160 and Subparts A and E of Part 164 (HIPAA Privacy Rule).