HIPAA Notice of Privacy Practices

This Notice of Privacy Practices ("Notice") describes the privacy practices of NXRX PLLC and its affiliated healthcare providers (collectively, "the Practice"), as well as VeinLife Direct, LLC in its capacity as a Business Associate of the Practice. This Notice explains how we may use and disclose your protected health information ("PHI"), your rights regarding your PHI, and our obligations under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") and its implementing regulations.

Effective Date: April 19, 2026

We are required by law to: - Maintain the privacy of your PHI - Provide you with this Notice of our legal duties and privacy practices - Follow the terms of the Notice currently in effect - Notify you following a breach of unsecured PHI

Protected Health Information (PHI) is individually identifiable health information that relates to: - Your past, present, or future physical or mental health or condition - The provision of healthcare to you - The past, present, or future payment for the provision of healthcare to you

PHI includes information that identifies you or could reasonably be used to identify you, such as your name, address, date of birth, Social Security number, and medical record numbers, when combined with health information.

PHI that is transmitted or maintained electronically is referred to as "electronic PHI" or "ePHI" and is subject to the same protections as paper PHI.

We may use and disclose your PHI for the following purposes without your written authorization:

Treatment: We may use and disclose your PHI to provide, coordinate, or manage your healthcare and related services. For example, we may share your intake information and prescription with the licensed healthcare provider reviewing your case, and transmit your prescription to the compounding pharmacy for fulfillment.

Payment: We may use and disclose your PHI to obtain payment for healthcare services. For example, we may use your information to process your payment and maintain billing records.

Healthcare Operations: We may use and disclose your PHI for our internal operations, including quality assessment, training, compliance activities, and business management.

As Required by Law: We may disclose your PHI when required to do so by federal, state, or local law, including reporting requirements for certain communicable diseases or injuries.

Public Health Activities: We may disclose your PHI to public health authorities authorized to collect or receive such information for the purpose of preventing or controlling disease, injury, or disability.

Health Oversight Activities: We may disclose your PHI to health oversight agencies for activities authorized by law, such as audits, investigations, and inspections.

Law Enforcement: We may disclose your PHI to law enforcement officials for limited law enforcement purposes, including to identify or locate a suspect, fugitive, material witness, or missing person.

Judicial and Administrative Proceedings: We may disclose your PHI in response to a court or administrative order, subpoena, discovery request, or other lawful process.

Serious Threat to Health or Safety: We may use or disclose your PHI if we believe it is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public.

Business Associates: We may share your PHI with our business associates — companies that perform services on our behalf, such as GEN-Health (our EHR platform), our compounding pharmacy partners, and our IT service providers. All business associates are required to enter into Business Associate Agreements (BAAs) with us and are obligated to protect your PHI.

For uses and disclosures of your PHI not described in Section 2 above, we will obtain your written authorization before using or disclosing your PHI. This includes:

• Most uses and disclosures of psychotherapy notes
• Uses and disclosures of PHI for marketing purposes
• Disclosures that constitute a sale of PHI
• Other uses and disclosures not permitted or required by law

You have the right to revoke your authorization at any time by submitting a written revocation to us. Your revocation will be effective for future uses and disclosures, but will not affect any uses or disclosures already made in reliance on your authorization.

You have the following rights regarding your PHI:

Right to Access: You have the right to inspect and obtain a copy of your PHI maintained in our designated record set, with limited exceptions. You may request access by contacting us at [email protected]. We will respond to your request within 30 days. We may charge a reasonable cost-based fee for copies.

Right to Amend: If you believe that PHI we maintain about you is incorrect or incomplete, you may request that we amend it. We will respond to your request within 60 days. We may deny your request if the PHI was not created by us, is not part of our designated record set, or is accurate and complete.

Right to an Accounting of Disclosures: You have the right to request a list of disclosures of your PHI that we have made for purposes other than treatment, payment, healthcare operations, and certain other activities. You may request an accounting for disclosures made in the six years prior to your request.

Right to Request Restrictions: You have the right to request restrictions on how we use or disclose your PHI for treatment, payment, or healthcare operations. We are not required to agree to your requested restriction, except that we must agree to a restriction on disclosure to a health plan if you pay out of pocket in full for the item or service and the disclosure is not required by law.

Right to Request Confidential Communications: You have the right to request that we communicate with you about your PHI by alternative means or at alternative locations (e.g., only by email, or only at a specific address). We will accommodate reasonable requests.

Right to a Paper Copy of This Notice: You have the right to a paper copy of this Notice at any time, even if you have agreed to receive it electronically.

Right to Notification of Breach: You have the right to be notified in the event of a breach of your unsecured PHI, as required by the HIPAA Breach Notification Rule.

To exercise any of these rights, please contact us at: Email: [email protected] Phone: (941) 217-1132

We are required by law to maintain the privacy of your PHI and to provide you with this Notice of our legal duties and privacy practices with respect to PHI. We are required to abide by the terms of this Notice currently in effect.

We reserve the right to change the terms of this Notice and to make the new Notice provisions effective for all PHI that we maintain. We will post the revised Notice on our website and make it available upon request.

If you believe your privacy rights have been violated, you may file a complaint with us or with the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR).

To file a complaint with us: Email: [email protected] Phone: (941) 217-1132

To file a complaint with HHS OCR: U.S. Department of Health and Human Services Office for Civil Rights 200 Independence Avenue, S.W. Washington, D.C. 20201 Toll-free: 1-800-368-1019 Website: hhs.gov/ocr/privacy

You will not be retaliated against for filing a complaint.

For questions about this Notice or to exercise your rights, please contact our Privacy Officer:

VeinLife Direct Privacy Officer Email: [email protected] Phone: (941) 217-1132

This Notice is effective as of April 19, 2026.