True Roots

Notice of Privacy Practices (HIPAA)

Effective: April 2026

THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.

1. Our Commitment to Your Privacy

True Roots — Performance & Aesthetics (“True Roots,” “we,” “us,” or “our”) is committed to protecting the privacy of your health information. This Notice of Privacy Practices (“Notice”) describes how we may use and disclose your protected health information (“PHI”) and your rights regarding that information.

We are required by law to maintain the privacy of your PHI, provide you with this Notice, and follow the terms of the Notice currently in effect. PHI is information that identifies you and relates to your past, present, or future health condition, the provision of healthcare to you, or payment for healthcare services.

2. How We May Use and Disclose Your Protected Health Information

2.1 Uses and Disclosures That Do Not Require Your Authorization

We may use and disclose your PHI without your written authorization for the following purposes:

Treatment

We may use and disclose your PHI to provide, coordinate, or manage your healthcare and related services. This includes:

  • Sharing information with Dr. Luis Valle and other clinical staff involved in your care
  • Documenting treatment records for Botox, laser hair removal, hair restoration, IV therapy, hormone optimization, peptide therapy, functional medicine, and other services
  • Reviewing lab results (blood panels, hormone levels, metabolic markers) to inform treatment decisions
  • Referrals to other healthcare providers when clinically appropriate
  • Before-and-after photography used within your medical record for treatment planning and progress tracking

Payment

We may use and disclose your PHI to obtain payment for services provided to you. This includes:

  • Billing and collection activities
  • Verifying eligibility for membership benefits
  • Providing documentation if you choose to submit claims to your insurance carrier

Healthcare Operations

We may use and disclose your PHI for our business operations, including:

  • Quality assessment and improvement activities
  • Staff training and credentialing
  • Conducting or arranging for medical review
  • Business planning and development
  • Customer service

As Required by Law

We may use or disclose your PHI when required to do so by federal, state, or local law.

Public Health Activities

We may disclose your PHI for public health purposes, including:

  • Reporting to public health authorities to prevent or control disease, injury, or disability
  • Reporting adverse events related to products or devices (e.g., medical devices, medications)
  • Notifying appropriate authorities regarding potential abuse, neglect, or domestic violence

Health Oversight Activities

We may disclose your PHI to health oversight agencies for activities authorized by law, such as audits, inspections, investigations, and licensure.

Judicial and Administrative Proceedings

We may disclose your PHI in response to a court order or administrative tribunal, or in response to a subpoena, discovery request, or other lawful process, subject to applicable legal protections.

Law Enforcement

We may disclose your PHI to law enforcement officials for certain purposes permitted by law, including in response to a court order, warrant, or grand jury subpoena.

To Avert a Serious Threat to Health or Safety

We may use and disclose your PHI when necessary to prevent or lessen a serious and imminent threat to your health or safety or the health or safety of the public or another person.

Workers' Compensation

We may disclose your PHI as authorized by workers' compensation or similar programs providing benefits for work-related injuries or illnesses.

Coroners, Medical Examiners, and Funeral Directors

We may disclose PHI to a coroner, medical examiner, or funeral director as necessary for them to carry out their duties.

Organ and Tissue Donation

If you are an organ donor, we may disclose your PHI to organizations involved in procurement, banking, or transplantation of organs, eyes, or tissue.

Military and National Security

If you are a member of the armed forces, we may release your PHI as required by military command authorities. We may also disclose PHI for national security and intelligence activities or for protective services of the President.

Inmates

If you are an inmate of a correctional institution or in the custody of a law enforcement official, we may disclose your PHI to the institution or official as necessary for your health care, the health and safety of others, or the safety of the institution.

2.2 Uses and Disclosures That Require Your Written Authorization

We will obtain your written authorization before using or disclosing your PHI for purposes not described in this Notice. Situations requiring your authorization include, but are not limited to:

  • Marketing. Using your PHI to send you marketing communications (other than certain permitted treatment-related communications)
  • Sale of PHI. Any disclosure that constitutes a sale of your PHI
  • Before-and-after photographs. Using your images for marketing, website content, social media, or any purpose beyond your individual medical record
  • Psychotherapy notes. If applicable, any use or disclosure of psychotherapy notes

You may revoke your authorization in writing at any time. Revocation will not affect any uses or disclosures made prior to your revocation.

2.3 Incidental Uses and Disclosures

Certain incidental uses and disclosures of your PHI may occur as a byproduct of otherwise permitted uses or disclosures. We maintain reasonable safeguards to limit incidental disclosures.

2.4 Personal Representatives

We may disclose your PHI to a person who has the legal authority to make healthcare decisions on your behalf (your “personal representative”), such as a parent of a minor or a healthcare power of attorney.

3. Your Rights Regarding Your Protected Health Information

You have the following rights with respect to your PHI:

3.1 Right to Access

You have the right to inspect and obtain a copy of your PHI maintained by True Roots, including medical records, billing records, and other records used to make decisions about your care. To request access, submit a written request to the Privacy Officer at the contact information below.

We may charge a reasonable, cost-based fee for copies. We will respond to your request within 30 days. In certain limited circumstances, we may deny your request, and if so, we will provide you with a written explanation and information about your right to have the denial reviewed.

3.2 Right to Request an Amendment

You have the right to request that we amend your PHI if you believe it is incorrect or incomplete. To request an amendment, submit a written request to the Privacy Officer that explains the reason for your request.

We may deny your request if the information was not created by us, is not part of the records we maintain, is not available for inspection (e.g., psychotherapy notes), or is accurate and complete. If we deny your request, we will provide you with a written explanation.

3.3 Right to an Accounting of Disclosures

You have the right to request a list of certain disclosures we have made of your PHI. This accounting does not include disclosures made for treatment, payment, or healthcare operations, or disclosures made with your authorization.

To request an accounting, submit a written request to the Privacy Officer. The request must specify the time period, which may not exceed six years prior to the date of the request. The first accounting within a 12-month period is free; we may charge a reasonable fee for additional requests.

3.4 Right to Request Restrictions

You have the right to request a restriction on certain uses and disclosures of your PHI. For example, you may ask that we not use or disclose information about a particular treatment.

We are not required to agree to your request, except in the following situation: if you pay for a service entirely out-of-pocket and request that we not disclose your PHI related to that service to a health plan for purposes of payment or healthcare operations, we are required to honor that request.

To request a restriction, submit a written request to the Privacy Officer specifying the information you wish to restrict, whether you want to limit use, disclosure, or both, and to whom the restriction applies.

3.5 Right to Request Confidential Communications

You have the right to request that we communicate with you about your PHI in a certain way or at a certain location. For example, you may request that we contact you only by email rather than by phone, or at a specific address.

We will accommodate reasonable requests. To make a request, contact the Privacy Officer in writing.

3.6 Right to a Paper Copy of This Notice

You have the right to obtain a paper copy of this Notice at any time, even if you previously agreed to receive it electronically. To obtain a paper copy, contact our office at (818) 578-4718 or request one in person.

3.7 Right to Be Notified of a Breach

You have the right to be notified if there is a breach of your unsecured PHI. We will notify you as required by law.

4. Our Duties

True Roots is required to:

  • Maintain the privacy of your PHI and provide you with this Notice of our legal duties and privacy practices
  • Notify you following a breach of your unsecured PHI
  • Follow the terms of the Notice currently in effect
  • Not use or disclose your PHI without your authorization except as described in this Notice or as otherwise permitted by law

We reserve the right to change the terms of this Notice and to make new provisions effective for all PHI we maintain, including information previously created or received. If we make a material change, we will make the revised Notice available at our office and on our website.

5. Minimum Necessary Standard

When using or disclosing your PHI or when requesting your PHI from another covered entity, we will make reasonable efforts to limit the information to the minimum necessary to accomplish the intended purpose, except where the minimum necessary standard does not apply (e.g., disclosures for treatment, disclosures to you, disclosures pursuant to your authorization).

6. How We Protect Your Information

We maintain administrative, technical, and physical safeguards to protect your PHI, including:

  • Secure electronic health records with access controls
  • Staff training on HIPAA privacy and security requirements
  • Physical security of paper records and treatment areas
  • Encryption of electronic PHI in transit and at rest where applicable
  • Business associate agreements with third-party vendors who access your PHI

7. Filing a Complaint

If you believe your privacy rights have been violated, you may file a complaint with:

True Roots Privacy Officer

Email: info@truerootsla.com

Phone: (818) 578-4718

Address: 1109 Foothill Boulevard, La Cañada Flintridge, CA 91011

U.S. Department of Health and Human Services (HHS)

Office for Civil Rights

Website: www.hhs.gov/ocr/privacy/hipaa/complaints/

Phone: 1-877-696-6775

You may file a complaint by mail at:

U.S. Department of Health and Human Services

200 Independence Avenue, S.W.

Washington, D.C. 20201

You will not be penalized or retaliated against for filing a complaint.

8. Contact Information

If you have questions about this Notice or would like to exercise any of your rights, please contact:

Privacy Officer

True Roots — Performance & Aesthetics

1109 Foothill Boulevard

La Cañada Flintridge, CA 91011

Phone: (818) 578-4718

Email: info@truerootsla.com

9. Effective Date

This Notice is effective as of April 2026.
