NOTICE OF PRIVACY PRACTICES

THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.

Effective Date: January 1, 2026

Updated Date: Mar 26, 2026

This Notice of Privacy Practices describes how Malama Medical Group (CA), PC and Malama Medical Group (CO), PLLC, as applicable to the care you receive, may use and disclose your protected health information ("PHI"), and explains your rights regarding that information. This Notice applies to the Malama Medical Group entity that provides your care (referred to here as “we” or “us”).

This Notice applies to PHI created or received by us as a HIPAA covered health care provider in connection with the health care services we provide to you, including care coordination, remote monitoring, digital health tools, messaging, billing, and related operations. We may use third-party service providers and other business associates to help us provide and support our services. When they create, receive, maintain, or transmit PHI on our behalf, they must safeguard it and may use or disclose it only as permitted by law and contract.

Your Rights

When it comes to your PHI, you have the right to:

  • Get an electronic or paper copy of your medical record and other health information we maintain about you.

  • Ask us to correct PHI about you that you believe is incorrect or incomplete.

  • Request confidential communications, such as asking us to contact you in a specific way or at a specific location.

  • Ask us to limit certain uses or disclosures of your PHI.

  • Ask for an accounting of certain disclosures of your PHI.

  • Get a paper or electronic copy of this Notice.

  • Choose someone to act for you, if that person has legal authority to do so.

  • File a complaint if you believe your privacy rights have been violated.

Get a copy of your medical record

You can ask to inspect or obtain an electronic or paper copy of your medical record and other PHI we maintain about you. We will provide a copy or a summary, usually within 30 days of your request. We may charge a reasonable, cost-based fee where permitted by law.

Ask us to correct your information

You can ask us to correct PHI about you that you think is incorrect or incomplete. We may deny your request in certain circumstances, but if we do, we will explain why in writing, usually within 60 days.

Request confidential communications

You can ask us to contact you in a specific way, such as by mobile phone, text message, email, portal message, or mail, or to send communications to a different address. We will accommodate reasonable requests as required by law.

Ask us to limit what we use or share

You can ask us not to use or disclose certain PHI for treatment, payment, or health care operations. We are not required to agree to every request. If we do agree, we will follow the agreed restriction except where disclosure is required or permitted by law, including emergency treatment situations.

If you pay out-of-pocket in full for a health care item or service, you can ask us not to share information about that item or service with your health insurer for payment or health care operations, and we will honor that request unless the law requires us to share the information.

Get a list of disclosures

You can ask for a list of certain disclosures we made of your PHI during the six years before the date of your request. This list will not include disclosures for treatment, payment, health care operations, and certain other disclosures permitted by law. We will provide one accounting in any 12-month period for free. We may charge a reasonable, cost-based fee for additional requests within the same 12-month period.

Choose someone to act for you

If you have given someone medical power of attorney, or if someone is your legal guardian or personal representative, that person may exercise your rights and make choices about your PHI, consistent with applicable law. We will verify that person's authority before we act on a request.

Rights of Minors

If you are under 18 years of age, California law may give you the right to consent to certain healthcare services — including reproductive health, prenatal care, and mental health services — independently of a parent or guardian. In those cases, you may also have independent rights regarding the privacy of information related to those services. Where you have the right to consent to care on your own, we will not share information about those services with your parent or guardian without your permission, except when the law clearly allows or requires us to do so. We will follow California law regarding parental or guardian access to a minor's records.

File a complaint

If you believe we have violated your privacy rights, you may file a complaint with us using the contact information below. You may also file a complaint with the U.S. Department of Health and Human Services, Office for Civil Rights. We will not retaliate against you for filing a complaint.

U.S. Department of Health and Human Services
Office for Civil Rights
200 Independence Avenue, S.W.
Washington, D.C. 20201
1-877-696-6775
https://www.hhs.gov/hipaa/filing-a-complaint/index.html

Your Choices

For certain types of PHI, you can tell us your preferences about what we share.

In these situations, if applicable, you may tell us to:

  • Share information with family members, close friends, or others involved in your care or payment for your care.

  • Share information in a disaster relief situation.

If you are not able to tell us your preference, such as if you are unconscious or in an emergency, we may share information if we believe doing so is in your best interest or necessary to lessen a serious and imminent threat to health or safety.

We will not use or disclose your PHI for the following purposes without your written authorization, except as otherwise permitted or required by law:

  • Marketing where HIPAA authorization is required.

  • Sale of your PHI.

  • Most uses and disclosures of psychotherapy notes, if we maintain them.

  • Reproductive health services, as described below.

If you give us written authorization, you may revoke it at any time in writing, except to the extent we have already relied on it.

How We Typically Use and Disclose Your PHI

Treatment

We may use and disclose your PHI to provide, coordinate, or manage your care and related services.

Examples may include:

  • Reviewing your health history, glucose readings, meal logs, images, symptoms, medications, and related information.

  • Sharing information with clinicians, care coordinators, doulas, dietitians, or other professionals involved in your care, where appropriate.

  • Using digital tools, mobile applications, text messaging, portal messaging, telehealth tools, or remote monitoring systems to support your care.

Payment

We may use and disclose your PHI to bill and obtain payment for the services we provide to you.

Examples may include:

  • Submitting claims to health plans, insurers, managed care organizations, government programs, or other payers.

  • Verifying eligibility and benefits.

  • Obtaining prior authorization, medical necessity review, utilization review, claims status, payment posting, and collections activities.

Health Care Operations

We may use and disclose your PHI to run our organization and improve the quality and effectiveness of the care we provide.

Examples may include:

  • Quality assessment and improvement.

  • Care management and care coordination.

  • Staff training and supervision.

  • Credentialing, licensing, auditing, accreditation, and compliance activities.

  • Customer service, technology support, security, fraud prevention, and business planning.

  • Managing our website, mobile application, and related patient service systems.

Special Categories of Information

Reproductive Health Information

California law provides special protections for information related to reproductive health services, including abortion, pregnancy loss, and related care. We will not disclose information about these services without your written authorization, except as required by law or where a specific legal exception applies. We will apply California’s protective standards and will resist or narrowly respond to requests that conflict with California law, to the extent legally permissible.

Substance Use Disorder Records

If you receive substance use disorder treatment, or if we receive records from a substance use disorder program about you, those records may be subject to additional federal and state confidentiality protections under 42 CFR Part 2 and California Health and Safety Code §11845.5. We will handle such records in accordance with those laws, which may require your specific written consent before we can share them.

CalAIM and Medi-Cal Coordination 

Care Coordination with Medi-Cal Partners

As a provider of services under CalAIM, we may share your health information with other Medi-Cal Partners — including your Medi-Cal managed care plan, other healthcare providers, community-based organizations, and county agencies — for purposes of coordinating your care, consistent with California Welfare and Institutions Code §14184.102 and applicable federal law. You do not need to provide separate written consent for these care coordination disclosures.

Encounter Reporting and Program Oversight

As a Medi-Cal Provider, we are required to submit encounter data and program reports to your Medi-Cal managed care plan and to the California Department of Health Care Services (DHCS) as part of program oversight and quality monitoring. This reporting is required by law and by our Medi-Cal contracts and does not require your separate authorization. In some cases, we may still ask you to sign a Release of Information to support broader or non‑CalAIM-related information sharing, or to share with entities that are not Medi-Cal Partners. We will explain when and why we ask for any additional authorization.

Other Uses and Disclosures Permitted or Required by Law

We may also use or disclose your PHI in the following circumstances, subject to the conditions and limitations of applicable law:

  • Public health and safety activities, such as preventing disease, reporting adverse events, or reporting suspected abuse, neglect, or domestic violence.

  • Health oversight activities, such as audits, investigations, inspections, and licensure or regulatory actions.

  • Research, when permitted by law.

  • Compliance with federal, state, or local laws.

  • Judicial and administrative proceedings, including in response to court orders, subpoenas, or lawful process.

  • Law enforcement purposes, where permitted by law.

  • Coroners, medical examiners, and funeral directors.

  • Organ and tissue donation organizations.

  • Workers' compensation and certain government functions.

  • To avert a serious threat to health or safety.

Communications About Your Care

We may contact you, using the contact information you provide, for purposes related to your treatment, care coordination, billing, benefits, account administration, service updates, reminders, and support. These communications may be made by phone call, voicemail, text message, email, portal message, app notification, or mail, consistent with applicable law and your communication preferences.

If you ask us to communicate with you in a particular way, we will accommodate reasonable requests as required by law.

Our Responsibilities

We are required by law to:

  • Maintain the privacy and security of your PHI.

  • Provide you with this Notice of our legal duties and privacy practices.

  • Follow the duties and privacy practices described in this Notice currently in effect.

  • Notify you following a breach of unsecured PHI when required by law.

We will not use or disclose your PHI other than as described in this Notice unless you authorize us to do so or the law permits or requires us to do so.

Changes to This Notice

We may change the terms of this Notice at any time. Any change will apply to all PHI we maintain about you. When we make a material change, we will update the effective date and make the revised Notice available upon request, at our service locations as applicable, and on our website.

Language Access 

This Notice is available in other languages. If you need this Notice in another language, please contact us at the information below and we will provide a translated version at no cost.

Spanish / Español: Este Aviso está disponible en español. Comuníquese con nosotros para obtener una copia gratuita.

Tagalog / Filipino: Ang Abisong ito ay makukuha sa Tagalog. Makipag-ugnayan sa amin para sa libreng kopya.

Vietnamese / Tiếng Việt: Thông báo này có sẵn bằng tiếng Việt. Vui lòng liên hệ với chúng tôi để nhận bản dịch miễn phí.

(Additional language taglines should be added based on the languages spoken by 5% or more of the patient population in your service area, consistent with California language access requirements.)

Contact Information

Privacy Contact / Privacy Officer: Orlando Li
Email: legal@heymalama.com
Phone: 408-256-3180
Address: 2261 Market Street #4875, San Francisco, CA 94114