HIPAA Notice

This notice explains the relationship between Conscious Health Connections, LLC ("CHC") and the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"). We provide this notice to be fully transparent with our medical practice clients and to help you understand your own HIPAA obligations with respect to your digital marketing.

1. CHC Is Not a Covered Entity

Conscious Health Connections, LLC is a digital marketing company. We are not a healthcare provider, health plan, or healthcare clearinghouse as defined under HIPAA. As such, CHC is not a "covered entity" subject to HIPAA's Privacy Rule or Security Rule in the course of providing our standard marketing services.

CHC does not access, store, create, transmit, or receive Protected Health Information (PHI) — defined as individually identifiable health information in any form — in the ordinary course of delivering the CHC AI Readiness Program.

2. What CHC Websites Collect

All websites built and managed by CHC are marketing and patient acquisition sites only. They are not patient portals, EHR-connected systems, scheduling platforms, or telemedicine tools. Specifically:

• Contact forms on CHC-built sites collect only name, email, phone number, and general inquiry — no medical history, diagnoses, treatment information, or insurance data
• No HIPAA-regulated data is transmitted through CHC's marketing pages
• Analytics tools (Google Analytics) are configured to not collect personally identifiable information
• No health-related behavioral retargeting pixels are installed on client sites without explicit client consent and review

3. Business Associate Agreement (BAA)

Because CHC does not access PHI in the course of its standard services, a Business Associate Agreement (BAA) is generally not required for our typical marketing engagements. However, if you believe your specific engagement with CHC creates a situation where PHI may be involved (for example, if you want us to access your patient management system), please contact us before beginning that work so we can evaluate the need for a BAA.

4. HIPAA Best Practices on CHC-Built Sites

Even though CHC is not a covered entity, we design all client websites with HIPAA best practices in mind to support your practice's compliance posture:

5. Your HIPAA Obligations as a Medical Practice

As a medical practice, you remain solely responsible for your own HIPAA compliance with respect to:

• Your Electronic Health Records (EHR) system and patient data
• Any patient scheduling, intake, or communication tools connected to your website
• Email communications with patients that may contain PHI
• Any third-party tools or widgets you add to your CHC-built website after delivery
• Staff training on HIPAA requirements
• Your Notice of Privacy Practices (NPP) required to be provided to patients

CHC strongly recommends that all medical practices work with a qualified HIPAA compliance consultant or attorney to ensure their full digital footprint — including their website, scheduling system, and email practices — meets applicable requirements.

6. If You Add Third-Party Tools to Your Site

If after receiving your CHC-built website, you or your team add third-party tools that may collect PHI (such as online scheduling, patient intake forms, or telehealth widgets), the HIPAA compliance of those tools is your responsibility. Ensure any such vendors have signed a BAA with your practice before integrating their tools.

7. Reporting Concerns

If you believe any aspect of CHC's services has resulted in inappropriate handling of PHI, or if you have compliance concerns, please contact us immediately: