Notice of Privacy Practices

Effective Date: May 26, 2026

Your Information. Your Rights. Our Responsibilities.

THIS NOTICE DESCRIBES HOW HEALTH INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW THIS NOTICE CAREFULLY.

Our Legal Duty

Guidelight Health, Inc., on behalf of itself, its subsidiaries and its managed professional practices (collectively, “Guidelight”, “we”, “us”, “our”) are required by law to:

• Protect the privacy and security of your protected health information
• Provide you with this Notice of Privacy Practices
• Follow the terms of this Notice
• Notify you if a breach occurs that may compromise your information

State Law Protections

Some states provide additional protections for mental health, substance use, adolescent care, or sensitive information. When state law is stricter than federal law, we follow the stricter standard.

Your Rights

You have the right to:

1. Access and request copies of your PHI
2. Request corrections, restrictions, or confidential communications
3. Receive an accounting of disclosures
4. Request a paper copy of this Notice

PHI: Use & Disclosure

Protected Health Information (“PHI”) includes any information that identifies you and relates to your health, care, or payment. We use PHI for treatment, payment, and healthcare operations, including coordinating care, billing, quality improvement, licensing, and staff training.

1. Treatment

• Coordinate care among providers
• Referrals and ongoing care planning

2. Payment

• Billing insurance and determining coverage
• Collections, if necessary

3. Health Care Operations

• Manage treatment and services
• Quality improvement, staff training, and supervision
• Licensing, accreditation, and compliance
• Business planning and administrative activities

4. Authorization Required

PHI may not be used or disclosed without your written permission for:

• Family members not involved in your care
• Release to schools, employers, or attorneys
• Fundraising efforts
• Marketing or sale of PHI

5. Permitted/Required by Law

PHI may be disclosed without authorization for:

• Serious threats to safety
• Suspected abuse or neglect
• Public health reporting
• Oversight and audits
• Judicial or administrative proceedings
• Worker’s compensation
• Law enforcement requests (minimum necessary)

Technology Used in Your Care

We may use secure technologies to support the accuracy, quality, and safety of your treatment. These tools assist with documentation and care support as specified for each technology below, but do not replace clinical judgement and are not used to make clinical decisions for your care. All treatment decisions and documentation are made and reviewed by a licensed healthcare professional. All technologies are implemented in accordance with applicable federal and state privacy laws.

• AI-Assisted Documentation Tools

We may use secure AI-assisted tools to help us summarize or organize information in your medical record. These tools are used only to support documentation and care delivery.

• Operate solely on information in your medical record
• Used in compliance with the HIPAA Privacy Rule and applicable agreements with technology partners
• Your protected health information (“PHI”) is not sold or used to train external AI systems

• Audio/Visual Recordings

We may use secure audio or visual recordings to support treatment, documentation accuracy, and clinical oversight.

• Used only for treatment, payment, and healthcare operations (“TPO”)
• Your consent is required before any recording of group therapy sessions
• You may revoke consent for group session recordings at any time without affecting your care

These tools are designed to support your care and do not replace a human provider. Their use allows our team to focus more on individualized treatment and safety, while maintaining strict confidentiality.

Special Protections for Mental Health Information

• Psychotherapy notes are highly protected and disclosed only with your authorization, except required by law. We require a separate, specific authorization for disclosure of psychotherapy notes.
• Similarly, if we have records of SUD counseling notes which are maintained separately from the rest of your SUD treatment and medical records, a separate written consent will be required for disclosure of these notes.
• Program content is not shared with your family or others without proper authorization, except as legally permitted.

Substance Use Information and Federal Confidentiality Protections

• Some clients may discuss substance use during care, and this information may be documented in your treatment records.
• We do not operate as a federally assisted substance use disorder (“SUD”) treatment program. Substance use information generated in our PHP or IOP program is treated as PHI under HIPAA and treated as protected SUD medical records under applicable state law that governs the confidentiality of such records.
• However, if any SUD treatment or medication is provided as part of your care (even as a secondary diagnosis), those records may be subject to additional federal confidentiality protections under 42 CFR Part 2.
• This information may be used or disclosed for TPO purposes just like other mental health information.
• If we receive your SUD client records from a federally assisted SUD program (42 CFR Part 2), pursuant to your consent for the federally assisted SUD program to disclose your SUD client records for TPO purposes, the redisclosure of these records will be governed by HIPAA regulations.
• If we receive records from a federally assisted SUD program (42 CFR Part 2), those records are used and disclosed only as permitted by law and cannot be used in a civil, criminal, administrative, legislative, or legal investigation or proceeding against you without specific written consent or a court order that meets federal requirements.

Adolescents & Parent/Guardian Access

Privacy rights vary by state for minors (ages 12-17). We will follow applicable laws regarding consent, record access, and parental notification.

Group Therapy and Program Settings

Our Integrated Partial Hospitalization Program (“PHP”) and Intensive Outpatient Program (“IOP”) may include group sessions. Participants must respect others’ privacy. Staff take reasonable steps to protect confidentiality but cannot guarantee the behavior of others.

Breach Notification

If a breach of unsecured PHI occurs, we will notify you as required by federal and applicable state law.

Changes To This Notice

We reserve the right to change this Notice to apply the revised Notice to all PHI we maintain. Updated Notices will be available upon request and posted at our facilities and website.

Complaints

If you believe your privacy rights have been violated, you may:

• File a complaint with our Privacy Officer
• File a complaint with the U.S. Department of Health and Human Services, Office for Civil Rights:
  • Address: 200 Independence Avenue, S.W. Washington, D.C. 20201
  • Phone: 1-877-696-6775
  • Website: https://www.hhs.gov/ocr/privacy/hipaa/complaints/
• You will not be retaliated or discriminated against for filing a complaint.

Legal & Authorized Representatives

Nothing in this Notice waives your rights. A personal representative, including a legal guardian, medical power of attorney, or other individual authorized under applicable State law, may act on your behalf after verification of authority.

If a client has been adjudged incompetent by a court of proper jurisdiction under applicable State law, the client’s rights shall be exercised by the individual appointed by the court to act on the client’s behalf (e.g., guardian or conservator), in accordance with the scope of authority granted by the court.

Contact Information

Privacy Officer: Chelsea Ladendorf

Phone: (737) 330-2173

Email: privacy@guidelighthealth.com

Address: 101 Federal Street, Suite 1900, Boston, MA 02110