HIPAA Notice of Privacy Practices

Open Water Rx LLC ("Open Water Rx") is committed to protecting the privacy of your health information. This Notice of Privacy Practices ("Notice") describes how we and the healthcare providers who use our platform may use and disclose your Protected Health Information (PHI) and how you can access this information. We are required by law to maintain the privacy of your PHI, to provide you with this Notice of our legal duties and privacy practices, and to abide by the terms of this Notice.

This Notice applies to all PHI created, received, maintained, or transmitted by Open Water Rx in connection with the healthcare services facilitated through our platform. "Protected Health Information" means individually identifiable health information, including demographic data, that relates to your past, present, or future physical or mental health condition, the provision of healthcare to you, or the past, present, or future payment for the provision of healthcare.

We may use and disclose your PHI for the following purposes without your written authorization:

Treatment: We may use and disclose your PHI to facilitate your medical evaluation, coordinate care with licensed physicians, and support the prescribing and dispensing of medications. For example, we may share your health information with the physician reviewing your case and with the licensed pharmacy fulfilling your prescription.

Payment: We may use and disclose your PHI to obtain payment for services rendered, including billing, claims processing, and collection activities.

Healthcare Operations: We may use and disclose your PHI for our internal operations, including quality assessment, compliance activities, training, and business management.

As Required by Law: We will disclose your PHI when required to do so by federal, state, or local law, including in response to a court order, subpoena, or government investigation.

Public Health Activities: We may disclose your PHI to public health authorities for activities such as disease surveillance, reporting of adverse events, or as required by the FDA.

Health Oversight Activities: We may disclose your PHI to health oversight agencies for audits, investigations, inspections, and licensure activities.

Serious Threats to Health or Safety: We may use or disclose your PHI if we believe it is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public.

Business Associates: We may share your PHI with third-party service providers ("Business Associates") who perform services on our behalf, provided they have signed a Business Associate Agreement obligating them to protect your PHI.

For uses and disclosures not described in this Notice, we will obtain your written authorization before using or disclosing your PHI. This includes:

Marketing communications (other than face-to-face communications or promotional gifts of nominal value) - Sale of your PHI - Most uses and disclosures of psychotherapy notes - Any other use or disclosure not permitted by HIPAA without authorization

You have the right to revoke any authorization you have given us at any time, in writing. Revocation will not affect any actions we took in reliance on your authorization before we received your revocation.

You have the following rights with respect to your PHI:

Right to Access: You have the right to inspect and obtain a copy of your PHI that we maintain in a designated record set. We may charge a reasonable, cost-based fee for copies. We will respond to your request within 30 days.

Right to Amend: You have the right to request that we amend your PHI if you believe it is inaccurate or incomplete. We may deny your request under certain circumstances and will explain any denial in writing.

Right to an Accounting of Disclosures: You have the right to request a list of certain disclosures we have made of your PHI during the six years prior to your request.

Right to Request Restrictions: You have the right to request restrictions on how we use or disclose your PHI. We are not required to agree to all requested restrictions, but we will comply with any restriction we do agree to.

Right to Confidential Communications: You have the right to request that we communicate with you about your PHI in a certain way or at a certain location.

Right to a Paper Copy of This Notice: You have the right to receive a paper copy of this Notice upon request, even if you have agreed to receive it electronically.

Right to Notification of Breach: You have the right to be notified in the event of a breach of your unsecured PHI, as required by the HITECH Act.

We are required by law to:

Maintain the privacy and security of your PHI - Provide you with this Notice of our legal duties and privacy practices - Notify you promptly if a breach occurs that may have compromised the privacy or security of your PHI - Abide by the terms of this Notice currently in effect

We reserve the right to change the terms of this Notice and to make the new Notice provisions effective for all PHI we maintain. We will post the revised Notice on our website and make it available upon request.

When using or disclosing PHI or when requesting PHI from another covered entity, we make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request. This minimum necessary standard does not apply to disclosures to or requests by a healthcare provider for treatment purposes, disclosures to you, uses or disclosures made pursuant to your authorization, or disclosures required by law.

We implement and maintain reasonable and appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of electronic PHI (ePHI) that we create, receive, maintain, or transmit. These safeguards include:

Encryption of ePHI in transit and at rest using industry-standard protocols - Access controls limiting PHI access to authorized personnel only - Audit controls to record and examine activity in systems containing ePHI - Regular risk assessments and security evaluations - Employee training on HIPAA privacy and security requirements - Business Associate Agreements with all third-party vendors who access ePHI

To exercise any of your rights described in this Notice, or if you have questions about our privacy practices, please contact our Privacy Officer at:

Open Water Rx LLC — Privacy Officer Cape Coral, Florida Email: info@openwaterrx.com

If you believe your privacy rights have been violated, you may file a complaint with us or with the U.S. Department of Health and Human Services Office for Civil Rights:

U.S. Department of Health and Human Services Office for Civil Rights 200 Independence Avenue, S.W. Washington, D.C. 20201 Toll Free: 1-877-696-6775 Website: hhs.gov/ocr

We will not retaliate against you for filing a complaint.

This Notice of Privacy Practices is effective as of April 4, 2026. We reserve the right to change this Notice at any time. Any revised Notice will be posted on our website and will apply to all PHI we maintain at that time.