HIPAA Notice of Privacy Practices

Green Wellness is a Washington State medical marijuana evaluation practice. We are a covered entity under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and are required by law to maintain the privacy of your protected health information (PHI), provide you with this Notice, and follow the terms of this Notice.

We use and disclose health information about you for the following purposes:

• Treatment: To provide, coordinate, or manage your healthcare and related services, including sharing information with providers involved in your care.
• Appointment communications: To send appointment reminders, confirmations, and follow-up messages via email and SMS (with your consent).
• Health records: To create and maintain your medical evaluation records in our electronic health records system (Practice Fusion).
• Required by law: When required by federal, state, or local law, including reporting to Washington State Department of Health for medical marijuana authorization records.
• Business operations: For internal operations, quality improvement, and administrative purposes, subject to HIPAA limitations.

• Access: You have the right to inspect and obtain a copy of your health information.
• Correction: You may request that we correct inaccurate or incomplete information about you.
• Accounting of disclosures: You may request a list of certain disclosures we have made of your health information.
• Restriction: You may request restrictions on how we use or disclose your health information.
• Confidential communications: You may request that we communicate with you about health matters in a certain way or at a certain location.
• Revoke consent: You may revoke your consent to SMS communications at any time by contacting us.

This section applies to Washington State residents and supplements the HIPAA disclosures above. The Washington My Health My Data Act (RCW 19.373, effective March 31, 2024) protects “consumer health data” — information that identifies a person's past, present, or future physical or mental health status, including data that indicates an interest in seeking health care services. The Act applies to data collected through our website even when we are otherwise a HIPAA-covered entity.

What we collect through this website:

• Page views of condition-specific pages (e.g. our chronic-pain or PTSD telehealth landing pages), which may indicate interest in a particular health condition.
• Search queries you enter on the site (e.g. asking the chat widget about a specific qualifying condition).
• Information you provide in our intake forms, chat widget, email replies, SMS messages, and voice calls — including the reason you are contacting us.
• Standard technical data your browser sends (IP address, device type, referring page, session timestamp) — collected only for essential operation, fraud prevention, and security monitoring.

Why we collect it: to operate the booking flow, provide care, respond to patient questions, comply with our medical-record obligations, and improve the patient experience. We never sell consumer health data, and we never share it with advertisers.

Who processes it on our behalf:only the Business Associates listed in the “Third-Party Service Providers” section above plus Amazon Web Services (AWS Bedrock) for AI-assisted patient communications — all under signed Business Associate Agreements or equivalent data-processing terms. Google Analytics is NOT a Business Associate of Green Wellness and is loaded ONLY when you have explicitly opted in via the cookie banner; it is permanently suppressed on condition-specific telehealth pages regardless of your consent choice, as an additional safeguard.

Retention:Patient messages, intake records, and authorization documents are retained for at least six years to satisfy HIPAA medical-record obligations. Chat-widget transcripts are pruned after 90 days unless escalated to a patient record. Cookie-consent choices stored in your browser persist until you clear them via your browser settings or change them via the “Cookie preferences” link in our footer.

Your rights as a Washington consumer under MHMDA:

• Access: request confirmation of, and a copy of, the consumer health data we have collected about you.
• Deletion: request deletion of consumer health data we have collected, subject to the records we are legally required to retain (medical records, authorization documents, tax records).
• Withdraw consent: revoke any consent you previously gave for collection, sharing, or sale of consumer health data — at any time, by the same means you gave it.
• Appeal: appeal our decision if we deny one of the above requests; we will respond to an appeal within 45 days and, if we uphold the denial, will tell you how to contact the Washington State Attorney General to submit a complaint.

How to exercise these rights: email admin@greenwellness.org with the subject line “MHMDA Request” or call 1-888-885-9949. We will verify your identity before processing access or deletion requests, and we will respond within 45 days (extendable by another 45 days for complex requests, with notice). There is no fee for the first request in any 12-month period.

No sale of consumer health data. Green Wellness does not sell consumer health data, has never sold consumer health data, and will not sell consumer health data in the future. We do not exchange your data for advertising consideration of any kind.

When you first visit our site, a banner at the bottom of the page lets you choose how cookies are used. You can:

• Accept all — essential cookies, analytics cookies, and any future marketing cookies are enabled.
• Reject non-essential — only essential cookies run; no analytics or marketing data is collected by our third-party providers.
• Manage choices — opt in or out of analytics and marketing categories individually.

Essential cookies always run because the site cannot function without them. These are limited to: your authenticated session (if you have a patient or staff account), the CSRF token that protects form submissions, and the record of your cookie-consent choice itself. None of these are shared with third parties; none are used for advertising.

Analytics cookies (Google Analytics) are loaded only after you opt in, and are NEVER loaded on our condition-specific telehealth pages — even if you have opted in. This is a defense-in-depth measure that goes beyond what the law requires: HHS December 2022 and March 2024 tracking-technology guidance for HIPAA-covered entities flags condition-indexed URLs as a high-risk surface, and we have chosen to suppress analytics on that surface categorically.

You can change your cookie choice at any time by clicking “Cookie preferences” in the site footer. Your choice is stored in your browser; if you use a different browser or device, or if you clear your browser storage, you will be asked again on your next visit.

We implement physical, technical, and administrative safeguards to protect your health information, including encryption of data in transit and at rest, access controls, and annual HIPAA training for all staff. We have signed Business Associate Agreements (BAAs) with all vendors who handle protected health information on our behalf.

We share PHI with the following Business Associates under signed BAAs, solely as necessary to provide our services:

• Practice Fusion — electronic health records
• Salesforce — patient relationship management
• Stripe — payment processing
• Twilio — SMS appointment reminders (with your consent)
• Resend — email communications
• Vercel / Neon — application hosting and database storage

We reserve the right to change this Notice. We will post a revised Notice on our website and make it available upon request. Changes will apply to health information we already hold as well as information we receive in the future.

To exercise your rights, report a privacy concern, or request a paper copy of this Notice, contact our Privacy Officer:

Green Wellness Privacy Officer

Phone: 1-888-885-9949

Email: admin@greenwellness.org

You also have the right to file a complaint with the U.S. Department of Health and Human Services Office for Civil Rights at hhs.gov/ocr. We will not retaliate against you for filing a complaint.