Notice of Privacy Practices

1Who We Are

Family1st Integrated Therapy & Wellness, LLC (“Family1st,” “we,” “us,” or “our”) is a licensed psychiatric mental health nurse practitioner practice operated by Kristin McKnight, MSN, APRN, PMHNP-BC in Las Vegas, Nevada, providing telehealth psychiatric and integrated metabolic wellness services across 15 licensed states. This Notice applies to all protected health information we create, receive, maintain, or transmit in connection with your care.

2Our Legal Duty

We are required by law to:

• Maintain the privacy of your protected health information (PHI)
• Provide you with this Notice of our legal duties and privacy practices
• Notify you following a breach of your unsecured PHI within 60 days of discovery
• Abide by the terms of this Notice currently in effect
• Not use or disclose your PHI except as described in this Notice or as permitted or required by applicable federal and state law

3How We May Use and Disclose Your Health Information

3.1 Treatment

We may use and disclose your PHI to provide, coordinate, or manage your mental health care and related services. For example, we may share information with other treating providers — such as your primary care physician, specialists, pharmacists, laboratories, or hospitals — to coordinate your care. We may also share information with our care team members involved in your treatment, including any collaborating physicians required under your state’s licensing laws.

3.2 Payment

We may use and disclose your PHI to obtain payment for services we provide. This includes submitting claims to your health insurance plan, Medicare, Medicaid, or other payers; verifying insurance eligibility; obtaining prior authorizations; and responding to billing inquiries. For Spravato® (esketamine) treatment, claims are submitted using HCPCS codes G2082, G2083, and J0013 to your insurer as required by the REMS program.

3.3 Healthcare Operations

We may use and disclose your PHI for our internal healthcare operations, including quality assessment and improvement activities, training programs, accreditation, licensing, compliance reviews, and other operational purposes necessary to run our practice.

3.4 Disclosures Without Your Authorization

As permitted or required by federal and state law, we may use or disclose your PHI without your written authorization for the following purposes:

• Required by Law: Court orders, subpoenas, and other lawful legal processes
• Public Health Activities: Reporting communicable diseases, vital statistics, and adverse drug events to appropriate authorities
• Health Oversight Activities: Audits, inspections, and investigations by government agencies
• Serious Threats to Health or Safety: To prevent or lessen a serious and imminent threat to you or others
• Workers’ Compensation: As authorized and necessary for workers’ compensation claims
• Law Enforcement: In limited circumstances as specifically required by law
• Coroners, Medical Examiners, and Funeral Directors: As necessary to carry out their duties
• Research: Under specific privacy protections, IRB oversight, and data use agreements
• Military and National Security: If you are a member of the armed forces or for national security purposes as required by law

3.5 Psychotherapy Notes — Special Protections

3.6 Substance Use Disorder Records — 42 CFR Part 2

3.7 Spravato® (Esketamine) REMS Data

As a REMS-certified Spravato® treatment site, Family1st is required by the FDA to maintain records of each Spravato® treatment session and to document compliance with REMS monitoring requirements. This information is reported to Janssen Pharmaceuticals (manufacturer) and the FDA as required by the REMS program. By enrolling in Spravato® treatment, you acknowledge and consent to this required reporting. REMS data is handled under Business Associate Agreements and in compliance with HIPAA.

3.8 Uses and Disclosures Requiring Your Written Authorization

For any uses or disclosures not described above, we will ask for your written authorization. You may revoke your authorization at any time in writing, and we will honor your revocation prospectively, except where we have already taken action in reasonable reliance on it.

We will always obtain your written authorization before:

• Marketing communications that involve any payment to us from a third party
• Sale of your PHI to any entity for any purpose
• Most uses and disclosures of psychotherapy notes
• Any disclosure of your PHI for purposes not otherwise described in this Notice

4Your Rights Regarding Your Health Information

4.1 Right to Inspect and Copy

You have the right to inspect and obtain a copy of your PHI maintained in our designated record set. To request access, submit a written request to us. We will respond within 30 days. We may charge a reasonable cost-based fee for copies. We may deny access in limited circumstances as permitted by law, and you may request a review of any denial.

4.2 Right to Request an Amendment

If you believe your PHI is incorrect or incomplete, you may request that we amend it. We will respond within 60 days. We may deny your request if the information was not created by us, is not part of our records, or is accurate and complete as recorded. You have the right to submit a statement of disagreement if we deny your request.

4.3 Right to an Accounting of Disclosures

You have the right to request a list of disclosures we have made of your PHI during the previous six years for purposes other than treatment, payment, and healthcare operations. The first accounting in any 12-month period is free. We may charge a reasonable fee for additional requests in the same period.

4.4 Right to Request Restrictions

You may request that we restrict uses or disclosures of your PHI. We are not required to agree to your request except in one circumstance: if you request that we restrict disclosure to a health plan for a service you have paid for in full out-of-pocket, we must agree to that restriction. If we agree to other restrictions, we will honor them unless the information is needed for emergency treatment.

4.5 Right to Request Confidential Communications

You may request that we communicate with you about your health matters in a specific way or at a specific location (for example, “contact me only at my cell phone” or “send correspondence to my P.O. box”). We will accommodate reasonable requests without requiring you to provide a reason.

4.6 Right to a Paper Copy of This Notice

You have the right to a paper copy of this Notice at any time, even if you have agreed to receive it electronically. Contact us at the information in Section 9.

4.7 Right to Notification of a Breach

We are required to notify you without unreasonable delay, and no later than 60 days after discovery, if there is a breach of your unsecured PHI. Notification will be provided by first-class mail (or email if you have agreed to electronic notice) and will include a description of the breach, the types of information involved, steps you can take to protect yourself, what we are doing to investigate and mitigate the breach, and contact information for questions.

5Telehealth-Specific Disclosures

Family1st provides telehealth psychiatric and integrated wellness services across 15 licensed states. The following applies to all patients receiving services via telehealth:

• Secure Platform Requirement: All telehealth services are delivered using HIPAA-compliant, encrypted video and messaging platforms covered by Business Associate Agreements. We do not use standard FaceTime, Zoom (personal), or other non-BAA-covered platforms for clinical care.
• Your Responsibility: You are responsible for ensuring you are in a private location during telehealth sessions and that your personal device is secured. Family1st is not responsible for disclosures that result from your use of an unsecured device or network.
• State-Specific Privacy Laws: Because we operate in multiple states, additional state-specific privacy laws may apply to your care depending on your physical location during service. We comply with the most protective applicable law in all cases.
• Recording Prohibition: Telehealth sessions are never recorded by Family1st without your explicit written consent. You are prohibited from recording sessions without prior written consent from your provider.
• Location Verification: Your physical location at the time of each telehealth session is documented in your medical record for purposes of state licensure compliance and applicable privacy law determination.

6Our Privacy and Security Practices

We implement appropriate administrative, physical, and technical safeguards to protect the privacy and security of your PHI, including:

• Encrypted electronic health records and HIPAA-compliant communications
• Role-based access controls limiting staff access to PHI on a need-to-know basis
• Business Associate Agreements (BAAs) with all vendors and service providers who access PHI
• Regular staff training on HIPAA privacy and security requirements
• Secure, documented disposal of paper and electronic records
• Audit logs of all access to electronic PHI
• Annual security risk assessments as required by the HIPAA Security Rule

6.1 Fundraising Communications

As required by 45 CFR §164.520(b)(1)(v)(C), we are informing you that in the event Family1st conducts any fundraising communications that use your PHI, those communications will be limited to information permitted by HIPAA (demographic information, dates of service, treating provider, outcome information, and health insurance status). You have the right to opt out of any such fundraising communications, and each fundraising communication will provide a clear and conspicuous opportunity to elect not to receive further fundraising communications. We will not condition treatment or payment on your receipt of fundraising communications. Family1st does not currently engage in fundraising activities using PHI; this notice is provided for completeness as required by federal regulation.

6.2 Nondiscrimination & Language Access (Section 1557 of the Affordable Care Act)

Family1st complies with applicable federal civil rights laws, including Section 1557 of the Affordable Care Act, and does not discriminate on the basis of race, color, national origin, age, disability, sex (including pregnancy, sexual orientation, and gender identity), or any other status protected by law. Language assistance services are available free of charge to individuals with limited English proficiency. Auxiliary aids and services, including qualified interpreters and information in alternate formats, are available free of charge to individuals with disabilities. To request language assistance, an interpreter, or an auxiliary aid or service, call 775.245.8200 or email kmcknight@family1stintegratedtherapy.com. Individuals who believe their civil rights have been violated may file a grievance with our Privacy Officer (Section 9) or directly with the U.S. Department of Health and Human Services Office for Civil Rights at hhs.gov/ocr or 1-800-368-1019 (TDD 1-800-537-7697).

6.3 Electronic Acknowledgment for Telehealth Patients

Because Family1st is a telehealth-first practice, acknowledgment of receipt of this Notice may be obtained electronically through our HIPAA-compliant patient portal (Charm EHR) at the time of intake. Electronic acknowledgments carry the same legal effect as the paper signature block in Section 10 of this Notice. A paper copy of this Notice is available at any time upon request, free of charge, by contacting our Privacy Officer.

7Changes to This Notice

We reserve the right to change this Notice at any time. Changes will apply to PHI we already have about you as well as any information we receive in the future. The current Notice will always be posted on our website at www.family1st-integratedtherapy.com and is available upon request. The effective date is displayed at the top of this Notice. We will provide you with a revised Notice at your next appointment following any material change.

8Complaints

If you believe your privacy rights have been violated, you have the right to file a complaint with us or with the U.S. Department of Health and Human Services Office for Civil Rights. You will not be penalized or retaliated against in any way for filing a complaint.

9Contact Information — Privacy Officer

10Patient Acknowledgment

By signing (electronically or in writing) at the time of intake, you acknowledge that you have received, read, or been offered a copy of this Notice of Privacy Practices for Family1st Integrated Therapy & Wellness, LLC. You understand your rights as described in this Notice and how your health information may be used and disclosed.