HIPAA Notice of Privacy Practices

This Notice of Privacy Practices (the “Notice”) is issued by Jimenez Medical Wellness, PLLCand its affiliated medical practices (collectively, the “Medical Group,” “we,” “us,” or “our”), the licensed medical group that delivers clinical care through the ForbiddenRx platform at forbiddenrx.co. The Medical Group is a Covered Entity under the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations (“HIPAA”).

ForbiddenRX LLC (the technology platform) is not a Covered Entity, but acts as a Business Associate of the Medical Group with respect to protected health information (“PHI”) it handles on the Medical Group’s behalf, under a written Business Associate Agreement.

1. Our Pledge Regarding Your PHI

The Medical Group is required by law to:

• Maintain the privacy and security of your protected health information
• Provide you with this Notice of our legal duties and privacy practices with respect to your PHI
• Notify you following a breach of unsecured PHI
• Abide by the terms of the Notice currently in effect

2. How We May Use and Disclose Your PHI Without Your Authorization

The Medical Group may use and disclose your PHI for the following purposes without obtaining your written authorization:

Treatment

We may use your PHI to provide, coordinate, or manage your healthcare, and may disclose it to other providers, pharmacies, laboratories, and clinicians involved in your care — including the dispensing pharmacy that fills any prescription written for you.

Payment

We may use and disclose your PHI to bill for services, process payment for treatment, and confirm coverage where applicable.

Healthcare Operations

We may use your PHI for quality assessment and improvement, peer review, provider credentialing, training, audits, compliance, and other administrative functions necessary to operate the Medical Group.

Business Associates

We may disclose your PHI to third parties that perform services on our behalf — including the ForbiddenRx technology platform, electronic health record vendors, the telehealth clinical infrastructure provider, secure messaging providers, and pharmacies — under written Business Associate Agreements that require them to safeguard your PHI to the same standard.

As Required by Law

We may use and disclose your PHI when required to do so by federal, state, or local law — for example, in response to a court order, subpoena, warrant, or other lawful process; for reporting of communicable diseases, child or elder abuse or neglect; or to comply with FDA adverse event reporting requirements.

Public Health and Safety

We may disclose your PHI to authorized public health authorities for activities that prevent or control disease, injury, or disability, and to avert a serious and imminent threat to the health or safety of you or others.

Health Oversight, Law Enforcement, and Other Lawful Uses

We may disclose your PHI to health oversight agencies for audits, investigations, and inspections; to law enforcement officials as required or permitted by law; to coroners, medical examiners, and funeral directors; and for organ donation, research with appropriate IRB approval, workers’ compensation, and specialized government functions, as permitted by HIPAA.

3. Uses and Disclosures That Require Your Written Authorization

Other than as described in Section 2 above, we will not use or disclose your PHI without your written authorization. Specifically, your written authorization is always required for:

• Marketing communications that promote a product or service, except for face-to-face communications and de minimis promotional gifts
• Sale of your PHI — we do not sell PHI
• Most uses and disclosures of psychotherapy notes, where applicable

You may revoke any authorization at any time by writing to us. Revocation does not affect any use or disclosure that has already occurred in reliance on the authorization.

4. Your Rights Regarding Your PHI

You have the following rights with respect to PHI we maintain about you:

• Right to inspect and copy. You may request to inspect or obtain a copy of your medical record, including in electronic form. We may charge a reasonable, cost-based fee for copies.
• Right to amend. You may request that we amend PHI that you believe is incorrect or incomplete. We may deny the request in certain circumstances, and you may submit a written statement of disagreement.
• Right to an accounting of disclosures. You may request a list of certain disclosures of your PHI made in the six years preceding your request, excluding disclosures for treatment, payment, healthcare operations, and certain other categories.
• Right to request restrictions. You may request restrictions on certain uses and disclosures of your PHI. We are not required to agree, except that we must comply with a request to restrict disclosure to a health plan for services that you have paid for in full out of pocket.
• Right to request confidential communications. You may request that we contact you about medical matters in a specific way or at a specific location.
• Right to a paper copy of this Notice. You may request a paper copy at any time, even if you have agreed to receive it electronically.
• Right to be notified of a breach. You have the right to be notified following a breach of unsecured PHI, as required by HIPAA and applicable state law.

To exercise any of these rights, email support@forbiddenrx.co with the subject line “HIPAA Request.” We will respond within the timeframes required by law (typically 30 days, with one 30-day extension if needed).

5. Complaints

If you believe your privacy rights have been violated, you may file a complaint with us or with the U.S. Department of Health and Human Services. You will not be retaliated against for filing a complaint.

To file a complaint with us: Email support@forbiddenrx.co with the subject line “HIPAA Complaint,” or write to the address in Section 8 below.

To file a complaint with the federal government: Office for Civil Rights, U.S. Department of Health and Human Services, 200 Independence Avenue SW, Room 509F, HHH Building, Washington, D.C. 20201. Online: hhs.gov/hipaa/filing-a-complaint. Toll-free: 1-800-368-1019.

6. Changes to This Notice

We reserve the right to change this Notice at any time and to make any revised Notice effective for PHI we already have about you, as well as any PHI we receive in the future. The most current version of this Notice will always be posted at forbiddenrx.co/hipaa-notice, with a revised “Last updated” date at the top of the page.

7. State Law

Where state law provides greater privacy protections than HIPAA, the Medical Group will comply with the more protective standard. Where state law conflicts with HIPAA, HIPAA controls except where the state law is more stringent.

8. Contact and Privacy Officer

For questions about this Notice, to exercise any of the rights described above, or to file a complaint, contact the Medical Group’s Privacy Officer:

Jimenez Medical Wellness, PLLC
Attention: HIPAA Privacy Officer
c/o ForbiddenRX LLC
1270 Avenue of the Americas, 7th Floor, #1178
New York, NY 10020
Email: support@forbiddenrx.co (subject: “HIPAA Privacy Officer”)

9. Effective Date

This Notice is effective May 21, 2026.