THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
Effective Date: This Notice is effective on May 21, 2026
Who We Are
This Notice describes the privacy practices of the following Covered Entities that make up the Nuna Organized Health Care Arrangement: Nuna Health LLC and Nuna Health of CA, PC (“Nuna Health LLC” and “Nuna Health of CA, PC“, “Nuna Health,” “we,” or “us“), with administrative services provided by Nuna, Inc., including all healthcare professionals allowed to enter or access information in your medical record and all employees with access to your medical or billing records or health information about you (“Protected Health Information“).
Nuna Health, LLC and Nuna Health of CA, PC participate together in an Organized Health Care Arrangement (“OHCA”), as defined at 45 CFR 164.501, to deliver clinically integrated chronic disease management services to you. This Notice is a joint notice issued under 45 CFR 164.520(d) and applies to the Protected Health Information that any of us, or our workforce members, creates, receives, maintains, or transmits in connection with these services, regardless of whether your care is provided in California or elsewhere. Each entity has agreed to abide by the terms of this Notice. We may share your Protected Health Information between Nuna Health, LLC and Nuna Health of CA, PC, and with the workforce of each, as necessary for the joint treatment, payment, and health care operations of the OHCA.
We may change the terms of this Notice at any time. If we change this Notice, we may make the new notice terms effective for all your Protected Health Information that we maintain, including any information created or received prior to issuing the new notice. If we change this Notice, we will post the new notice on our website at nuna.com. You also may obtain any new notice by contacting us using the contact information at the end of this Notice.
Our Privacy Obligations
We understand that your health information is personal and we are committed to protecting your privacy. In addition, we are required by law to maintain the privacy of your Protected Health Information, to provide you with this Notice of our legal duties and privacy practices with respect to your Protected Health Information, and to notify you in the event of a breach of your unsecured Protected Health Information. When we use or disclose your Protected Health Information, we are required to abide by the terms of this Notice (or other notice in effect at the time of the use or disclosure).
Permissible Uses and Disclosures Without Your Written Authorization
We may use and disclose your Protected Health Information without your written authorization for the following purposes:
Treatment. We use and disclose your Protected Health Information to provide treatment and other services to you. Examples include collecting and reviewing readings from connected medical devices (such as blood pressure monitors and other remote monitoring tools), delivering AI-supported coaching and education, conducting clinical assessments by our Medical Director and clinical team, recommending or arranging additional treatments or services, and sharing your information with your primary care practitioner, the clinician who referred you to us, and other health care providers involved in your care for treatment and care coordination purposes. We may share your Protected Health Information with these other providers directly or through a health information exchange or other electronic health information network.
Payment. We may use and disclose your Protected Health Information to obtain payment for health care services that we provide to you. For example, disclosures to claim and obtain payment from Medicare, Medicaid, your health insurer, or other company or program that arranges or pays the cost of your health care (“Your Payor”) to verify that Your Payor will pay for the health care. We may also disclose Protected Health Information to your other health care providers when such Protected Health Information is required for them to receive payment for services they render to you.
Health Care Operations. We may use and disclose your Protected Health Information for our health care operations, which include internal administration and planning and various activities that improve the quality and cost effectiveness of the care that we deliver to you. Examples include quality assessment and improvement activities, outcomes evaluation, case management and care coordination, performance measurement, clinical training, credentialing and licensing, communications with and about you regarding your care, evaluating and improving our clinical and technology services (including device monitoring, clinical decision support, and patient engagement tools), and conducting or arranging for other business activities. Our health care operations also include reporting clinical, patient-reported, and outcomes data to the Centers for Medicare & Medicaid Services (“CMS”) and its contractors through CMS’s required application programming interfaces (APIs) and reporting systems; receiving and using Medicare claims data from CMS to support care coordination for our aligned beneficiaries; cooperating with CMS’s monitoring, audit, and evaluation activities (which may include disclosure of your information to CMS, its evaluation contractors, and independent reviewers); and other ACCESS Model program integrity, performance, and oversight activities authorized by CMS and applicable law.
Future Communications. We may use your medical information to contact you by text or by phone call in connection with your use of the Nuna App. Please be aware that text messages are not encrypted and may carry inherent risks to the privacy of your medical information. You may opt out of receiving text messages and phone calls at any time and it will not affect your use of the Nuna App.
Each of the entities listed at the beginning of this Notice may share Protected Health Information with the others as necessary to carry out treatment, payment, or health care operations relating to Nuna Organized Health Care Arrangement.
We also may disclose your Protected Health Information with certain of our “business associates” or other third parties that perform various activities (e.g., billing, coordinating care, transcribing records) for us. We contractually require our business associates to implement safeguards to protect the privacy of your Protected Health Information.
Health Information Exchange. We participate in one or more health information exchanges and qualified health information networks (collectively, “HIEs”), including networks operating under the federal Trusted Exchange Framework and Common Agreement (TEFCA). Through these HIEs, we may electronically send and receive your Protected Health Information to and from other health care providers, payers, public health authorities, and other authorized participants for treatment, payment, health care operations, public health activities, individual access, and other purposes permitted by HIPAA and applicable state law. Participating in an HIE means that a health care provider treating you (for example, in an emergency department or at your primary care office) may be able to access your records held by Nuna Health, and we may be able to access records about you held by other providers, to support coordinated care. Information shared through an HIE is used and disclosed only for purposes permitted by law. We do not sell your Protected Health Information through any HIE. Where state law permits, you may have the right to limit or opt out of HIE participation, in whole or in part, as further described in the “Additional State Law Protections” section of this Notice. To request an HIE-related restriction, please contact us using the contact information at the end of this Notice.
Disclosure to Relatives, Close Friends and Other Caregivers. We may use or disclose your Protected Health Information to a family member, other relative, a close personal friend or any other person identified by you when you are present for, or otherwise available prior to, the disclosure, if: (1) we obtain your agreement or provide you with the opportunity to object to the disclosure and you do not object; or (2) we reasonably infer that you do not object to the disclosure.
If you are not present for or unavailable prior to a disclosure (e.g., when we receive a telephone call from a family member or other caregiver), we may exercise our professional judgment to determine whether a disclosure is in your best interests. If we disclose information under such circumstances, we would disclose only information that is directly relevant to the person’s involvement with your care.
As Required by Law. We may use and disclose your Protected Health Information when required to do so by any applicable federal, state or local law.
Public Health Activities. We may disclose your Protected Health Information: (1) to report health information to public health authorities for the purpose of preventing or controlling disease, injury or disability; (2) to report child abuse and neglect to a government authority authorized by law to receive such reports; (3) to report information about products under the jurisdiction of the U.S. Food and Drug Administration; (4) to alert a person who may have been exposed to a communicable disease or may otherwise be at risk of contracting or spreading a disease or condition; and (5) to report information to your employer as required under laws addressing work-related illnesses and injuries or workplace medical surveillance.
Victims of Abuse, Neglect or Domestic Violence. We may disclose your Protected Health Information if we reasonably believe you are a victim of abuse, neglect or domestic violence to a government authority authorized by law to receive reports of such abuse, neglect, or domestic violence.
Health Oversight Activities. We may disclose your Protected Health Information to an agency that oversees the health care system and is charged with responsibility for ensuring compliance with the rules of government health programs such as Medicare or Medicaid.
Judicial and Administrative Proceedings. We may disclose your Protected Health Information in the course of a judicial or administrative proceeding in response to a legal order or other lawful process.
Law Enforcement Officials. We may disclose your Protected Health Information to the police or other law enforcement officials as required by law or in compliance with a court order, as long as certain administrative and judicial requirements are met.
Decedents. We may disclose your Protected Health Information to a coroner or medical examiner as authorized by law.
Clinical Trials and Other Research Activities. We may use and disclose your Protected Health Information for research purposes pursuant to a valid authorization from you or when an institutional review board or privacy board has waived the authorization requirement. Under certain circumstances, your Protected Health Information may be disclosed without your authorization to researchers preparing to conduct a research project, for research or decedents or as part of a data set that omits your name and other information that can directly identify you.
Health or Safety. We may use or disclose your Protected Health Information to prevent or lessen a serious and imminent threat to a person’s or the public’s health or safety.
Specialized Government Functions. We may use and disclose your Protected Health Information to units of the government with special functions, such as the U.S. military or the U.S. Department of State under certain circumstances.
Workers’ Compensation. We may disclose your Protected Health Information as authorized by and to the extent necessary to comply with state law relating to workers’ compensation or other similar programs.
Uses and Disclosures Requiring Your Written Authorization
For any purpose other than the ones described above, we only use or disclose your Protected Health Information when you give us your written authorization. You may revoke (take back) your authorization, except to the extent that we have taken action in reliance upon it, by submitting a written statement to us using the contact information at the end of this Notice.
Marketing. We must obtain your written authorization prior to using your Protected Health Information for purposes that are marketing under the HIPAA privacy rules. For example, we will not accept any payments from other organizations or individuals in exchange for making communications to you about treatments, therapies, health care providers, settings of care, case management, care coordination, products or services unless you have given us your authorization to do so or the communication is permitted by law.
Sale of Protected Health Information. We will not make any disclosure of Protected Health Information that is a sale of Protected Health Information without your written authorization.
Psychotherapy Notes. We do not create psychotherapy notes about you in connection with our services. However, to the extent that we receive any psychotherapy notes about you, we will not use or disclose those psychotherapy notes without your authorization except as permitted by law.
Uses and Disclosures of Your Highly Confidential Information. Federal and state law requires special privacy protections for certain health information about you (“Highly Confidential Information”), including mental health records, substance use disorder treatment records, and other health information that is given special privacy protection under state or federal laws other than HIPAA. However, in order for us to disclose any Highly Confidential Information for a purpose other than those permitted by law, we must obtain your authorization.
Third Party Device Integration. You may authorize us to connect with third-party devices or services. By authorizing such a connection, you understand and agree that we may access and share data from and with those third parties, and that such data may be included in your health record and shared with providers on the HIE as described above.
Your Individual Rights
For Further Information; Complaints. If you desire further information about your privacy rights, are concerned that we have violated your privacy rights or disagree with a decision that we made about access to your Protected Health Information, you may contact us using the contact information at the end of this Notice. You may also file written complaints with the Office for Civil Rights of the U.S. Department of Health and Human Services. Upon request, we will provide you with the correct address for the Director. We will not retaliate against you if you file a complaint with us or the Director.
Right to Request Additional Restrictions. You may request restrictions on our use and disclosure of your Protected Health Information (1) for treatment, payment and health care operations, (2) to individuals (such as a family member, other relative, close personal friend or any other person identified by you) involved with your care or with payment related to your care, or (3) to notify or assist in the notification of such individuals regarding your location and general condition. While we will consider all requests for additional restrictions carefully, we are not required to agree to a requested restriction unless the request is to restrict our disclosure to a health plan for purposes of carrying out payment or health care operations, the disclosure is not required by law and the information pertains solely to a health care item or service for which you (or someone on your behalf other than the health plan) have paid us out of pocket in full. If you wish to request additional restrictions, please contact us using the contact information at the end of this Notice. We will send you a written response.
Right to Receive Communications by Alternative Means or at Alternative Locations. You may request, and we will accommodate, any reasonable written request for you to receive your Protected Health Information by alternative means of communication or at alternative locations.
Right to Inspect and Copy Your Health Information. You may request access to your medical record file and billing records maintained by us in order to inspect and request copies of the records. Under limited circumstances, we may deny you access to a portion of your records. If you desire access to your records, please contact us using the contact information at the end of this Notice. If you request copies, we may charge you a reasonable copy fee.
Right to Amend Your Records. You have the right to request that we amend your Protected Health Information maintained in your medical record file or billing records. If you desire to amend your records, please contact us using the contact information at the end of this Notice. We will comply with your request unless we believe that the information that would be amended is accurate and complete or other special circumstances apply.
Right to Receive an Accounting of Disclosures. Upon request, you may obtain an accounting of certain disclosures of your Protected Health Information made by us during any period of time prior to the date of your request provided such period does not exceed six years. If you request an accounting more than once during a twelve (12) month period, we may charge you a reasonable fee for the accounting statement.
Right to Receive Paper Copy of this Notice. Upon request, you may obtain a paper copy of this Notice, even if you agreed to receive such notice electronically.
Additional State Law Protections
In addition to the federal protections described above, certain state laws may provide additional protections for your Protected Health Information. If you are a resident of, or receive services in, one of the states identified below, the following additional rights and limitations apply. Where a state law provides greater protection than HIPAA, we will follow the more protective state law.
California Residents. The California Confidentiality of Medical Information Act (“CMIA”), California Civil Code Section 56 et seq., provides additional protections for your medical information. Specifically: (a) we will not disclose your medical information for marketing or other commercial purposes without your authorization, and we will limit disclosures for non-treatment purposes consistent with CMIA; (b) you have the right to inspect your medical records during normal business hours within 5 working days of our receipt of your written request, and to receive copies within 15 days, subject to a reasonable fee as permitted by California Health & Safety Code Section 123110; (c) under California Civil Code Section 56.110 (added by AB 352), we have implemented capabilities, policies, and procedures to limit access to, and to prevent the disclosure, access, transfer, transmission, or processing outside of California of, medical information related to gender-affirming care, abortion and abortion-related services, and contraception, including when participating in a health information exchange; (d) separate written authorization is required to disclose information identifying you as having tested for, been exposed to, or having a diagnosis of HIV/AIDS, as provided under California Health & Safety Code Section 120975 et seq.; (e) additional protections apply to mental health records under the Lanterman-Petris-Short Act and to genetic information under California law; and (f) you have the right to request that we restrict communications from us that contain certain medical information, such as treatment for sensitive services, sent to a specific address or by a specific means, consistent with California law.
Illinois Residents. Illinois law provides additional protections for certain categories of health information. Specifically: (a) the Illinois Mental Health and Developmental Disabilities Confidentiality Act (740 ILCS 110) requires your separate written consent for the disclosure of mental health and developmental disabilities records, in addition to the protections provided under HIPAA; (b) the Illinois AIDS Confidentiality Act (410 ILCS 305) requires your separate written consent for the disclosure of information identifying you as having tested for, been exposed to, or having a diagnosis of HIV or AIDS; (c) the Illinois Genetic Information Privacy Act (410 ILCS 513) requires your separate written informed consent before we disclose your genetic testing information or the results of genetic testing; and (d) consistent with the Illinois Medical Patient Rights Act (410 ILCS 50) and the opt-out provisions of the statutes referenced in subsections (a) through (c), you have the right to opt out of having your information transmitted to or through a health information exchange. To exercise an HIE opt-out, please contact us using the contact information at the end of this Notice.
Tennessee Residents. Tennessee law provides additional protections for certain categories of health information. Specifically: (a) information identifying you as having a positive HIV test or a diagnosis of HIV-related illness is subject to additional restrictions under Tennessee Code Annotated Section 68-10-115 et seq., and generally requires your written consent for disclosure; (b) records of mental health treatment are subject to additional restrictions under the Tennessee Mental Health and Substance Abuse confidentiality provisions and require your written consent for many disclosures beyond those permitted by HIPAA; (c) you have the right to inspect and obtain copies of your medical records consistent with Tennessee Code Annotated Section 63-2-101; and (d) for personal information that is not Protected Health Information under HIPAA, the Tennessee Information Protection Act may provide additional consumer privacy rights, including rights to access, correct, delete, and limit certain processing of your personal information.
Contact Us
If you have any questions about this Notice, please contact the Privacy Officer at:
Nuna, Inc.
Privacy Officer
370 Townsend St.
San Francisco, CA 94107
privacy@nuna.com