Privacy & Confidentiality Notice.

This Notice applies to QuickVisitMD d/b/a Ankur Sunildatta Fadia PLLC and to Ankur Fadia, MD, the treating physician (together, "QuickVisitMD," "we," "us," or "our"). QuickVisitMD voluntarily adopts and maintains HIPAA-level privacy and security protections for all patient information and is committed to maintaining the privacy of your protected health information (PHI), providing you with this Notice, and abiding by its terms.

We may use and disclose your PHI without your written authorization for the following purposes:

• Treatment. We use your intake answers, messages, photographs, and clinical history to evaluate your request, decide whether async online care is appropriate, issue non-controlled prescriptions when clinically indicated, and coordinate with pharmacies or other treating providers.
• Payment. We use and disclose PHI to charge your payment method, issue receipts, process refunds under our on-time response guarantee, and resolve billing disputes.
• Health care operations. We use PHI for quality review, physician supervision, audit, training, credentialing, compliance, business planning, and related administrative activities for the practice.

Consistent with HIPAA standards, we may use or disclose PHI without your authorization for the following purposes, among others:

• When required by law.
• Public health activities, including reportable disease surveillance.
• Reporting suspected abuse, neglect, or domestic violence.
• Health oversight activities such as audits and investigations.
• Judicial and administrative proceedings, including valid subpoenas and court orders.
• Law enforcement purposes where permitted by law.
• Coroners, medical examiners, and funeral directors.
• Organ, eye, or tissue donation.
• Research that has been approved under applicable privacy protections.
• Serious threats to health or safety.
• Specialized government functions, including military and national security.
• Workers' compensation as authorized by law.

Unless an exception applies, we will obtain your written authorization before we:

• Use or disclose PHI for marketing purposes.
• Sell your PHI.
• Use or disclose psychotherapy notes (we do not maintain psychotherapy notes).

You may revoke an authorization in writing at any time, except to the extent we have already relied on it.

When using or disclosing PHI, or when requesting PHI from another covered entity, we make reasonable efforts to limit the information to the minimum necessary to accomplish the intended purpose, consistent with HIPAA's minimum necessary standard. This standard does not apply to disclosures for treatment purposes, disclosures to you about your own health information, disclosures made pursuant to your written authorization, disclosures required by law, or disclosures to the U.S. Department of Health and Human Services for compliance investigations.

We use third-party service providers who may access or process information on our behalf. Where a provider handles protected health information, we require a Business Associate Agreement (BAA) consistent with HIPAA standards or implement technical safeguards (such as PHI minimization) to limit exposure. Categories of service providers include:

• Cloud infrastructure and hosting. Our application and database are hosted on U.S.-based cloud platforms that store and process PHI in encrypted form.
• Payment processing. Payment is processed by a PCI DSS-compliant payment processor. We do not store credit card numbers on our servers.
• Email and communications. Transactional emails (sign-in codes, status alerts, after-visit notifications) are sent through third-party email delivery services. Email content is minimized to avoid PHI in transit unless the provider has executed a BAA.
• AI and physician documentation assistance. AI tools may process your intake information to assist the physician with documentation drafting and translation. Direct identifiers (name, email, phone number, home address) are not sent to AI services. Clinical information necessary for documentation — including age, sex, symptoms, medications, allergies, medical history, and your intake responses — is sent to generate physician note drafts, patient instructions, and educational materials. Free-text clinical narratives that you write may contain information you voluntarily include. All AI-generated content is reviewed and approved by the treating physician before it becomes part of your medical record. The physician makes all final clinical decisions; AI tools are used only for documentation assistance.

We do not sell your PHI or share it for marketing or advertising purposes. We do not allow business associates to use PHI for their own purposes beyond the services they provide to us.

Your PHI is stored on servers located in the United States. We implement administrative, physical, and technical safeguards consistent with the HIPAA Security Rule, including:

• Encryption of data in transit (TLS/HTTPS) and at rest.
• Role-based access controls limiting PHI access to authorized personnel.
• Audit logging of access to patient records.
• Secure authentication for all administrative and patient portal access.
• Regular review of security practices and vendor compliance.

No electronic system is completely secure. While we take commercially reasonable steps to protect your information, we cannot guarantee absolute security against every threat.

QuickVisitMD uses the following technologies on its website:

• Essential cookies. Session cookies required for authentication, form state, and security (e.g., CSRF protection, admin session tokens). These cannot be disabled without breaking core functionality.
• Local storage. Browser local storage is used to save intake form drafts so you do not lose progress if you navigate away. Draft data is stored only in your browser and is not transmitted to our servers until you submit.
• Aggregate website analytics. On public informational pages only (such as pricing, condition guides, and informational pages), we use a privacy-focused analytics service to measure aggregate page views, referral sources, and browser types. This service does not use cookies, does not track individual users across sessions, and does not collect personal identifiers. Analytics scripts are not loaded on any page that handles protected health information, including the intake flow, patient portal, medical records, payment, or administrative pages.
• Error monitoring. We may use an error-tracking service to detect and fix software issues. When enabled, this service collects technical information (browser type, error messages, page URLs). We configure scrubbing rules to reduce the risk of PHI exposure, but no automated scrubbing system is perfect. Error reports are reviewed only by authorized personnel for debugging purposes.

We do not use advertising cookies, cross-site tracking pixels, social media trackers, or analytics services that profile individual users. We do not participate in ad networks or sell browsing data. No tracking technologies are loaded on pages that handle protected health information.

As part of our privacy commitment, QuickVisitMD provides you with the following abilities regarding your PHI:

• Access. You may inspect and receive a copy of your PHI, in electronic form when we maintain it electronically.
• Amendment. You may ask us to amend PHI you believe is incorrect or incomplete.
• Accounting of disclosures. You may receive a list of certain disclosures we have made of your PHI.
• Restrictions. You may ask us to limit how we use or disclose your PHI. We will agree if you pay in full out of pocket for an item or service and ask us not to disclose that information to your health plan, which applies to this self-pay-only service in every case.
• Confidential communications. You may request that we communicate with you by a specific method or at a specific location.
• Paper copy. You may receive a paper copy of this Notice upon request, even if you have agreed to receive it electronically.
• Breach notification. You will be notified following a breach of unsecured PHI.
• Complaints. See the Complaints section below.

To exercise any right listed above, submit a written, dated, signed request to us by one of the methods below. We may ask you to verify your identity or, for access and amendment, complete a short form.

• Records access: use the records request form.
• All other privacy requests: admin@quickvisitmd.com.
• Contact us via secure portal message for written requests.
• Mail: Wythe County Community Hospital, 600 West Ridge Road, Wytheville, VA 24382.

As part of our records access commitment, we will respond to access requests within 30 days of receipt. One 30-day extension may apply if we notify you in writing. Amendment requests are answered within 60 days. Accounting-of-disclosure requests are answered within 60 days. We may charge a reasonable, cost-based fee for paper copies as permitted by law. There is no fee for electronic copies of your records.

Privacy Officer: The Privacy Officer for QuickVisitMD is Ankur Fadia, MD. For privacy-related questions, contact admin@quickvisitmd.com.

As part of our voluntary HIPAA-level privacy practices, we commit to:

• Maintain the privacy and security of your PHI.
• Provide you with this Notice describing our privacy commitments and practices.
• Abide by the terms of the Notice currently in effect.
• Notify you if a breach of unsecured PHI occurs.

We retain adult medical records for a minimum of 10 years after the last patient encounter. This meets or exceeds the retention periods required by Virginia (six years, Va. Code § 54.1-2910.4 and 18 VAC 85-20-26) and the West Virginia Board of Medicine (minimum retention period). Because this practice provides care only to adult patients, no pediatric retention rules apply. After the retention period ends, records become eligible for destruction in a manner that protects confidentiality (such as secure shredding or verified digital destruction), unless a legal hold, patient authorization, or longer federal or contractual obligation requires continued retention. Destruction timing is subject to periodic review and may extend beyond the minimum retention period.

If a breach of your unsecured health information occurs, we will notify you without unreasonable delay and in no case later than 60 days from discovery of the breach, consistent with HIPAA Breach Notification standards. For larger breaches affecting 500 or more individuals, we will also notify applicable government agencies and prominent local media outlets as appropriate under applicable law. Notifications describe what happened, the types of information involved, steps you can take to protect yourself, what we are doing to investigate and mitigate, and how to contact us for questions. The practice maintains cyber-liability insurance to support forensic investigation, patient notification, and remediation in the event of a security incident.

We may change this Notice at any time and make the revised Notice effective for PHI we already have and for PHI we receive in the future. The current Notice will always be posted on our website with its effective date.

If you believe your privacy rights have been violated, you may file a complaint directly with us. You may also contact the U.S. Department of Health and Human Services Office for Civil Rights as an external resource. We will not retaliate against you for filing a complaint.

Internal complaint: sign in to the secure patient portal and send a message describing the concern. For privacy, please do not include protected health information in unsecured email. If you do not have portal access, email admin@quickvisitmd.com with only your name and a brief description — we will follow up through a secure channel.

External resource: You may also contact the U.S. Department of Health and Human Services, Office for Civil Rights, if you believe your health information privacy has not been properly protected. This is a general federal resource and is provided for your awareness: 200 Independence Avenue SW, Washington, D.C. 20201; 1-877-696-6775; hhs.gov/ocr/privacy/hipaa/complaints/.

If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) provide certain rights regarding personal information. However, under California Civil Code § 1798.145(c), most protected health information governed by HIPAA and the Confidentiality of Medical Information Act (CMIA) is exempt from CCPA/CPRA requirements. Because QuickVisitMD maintains privacy and security practices consistent with the HIPAA Privacy Rule and Security Rule, your medical information is primarily governed by the HIPAA-level protections described in this notice rather than CCPA/CPRA.

• We do not sell personal information.
• We do not share personal information for targeted advertising.
• We will not discriminate against you for exercising any privacy right.

For questions about your privacy rights, email admin@quickvisitmd.com with the subject line "Privacy Inquiry."