Notice of Privacy Practices

Effective date: June 5, 2026.

THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.

1. About this Notice and ElderberryMD’s role

ElderberryMD provides back-office care-coordination services and clinical software to independent and small physician practices, and offers a free patient app at elderberry.health. In the course of these services we handle Protected Health Information (“PHI”) — information that identifies you and relates to your health, your health care, or payment for that care.

In most situations, ElderberryMD acts as a Business Associate to the physician practices that use our services. Those practices are the “covered entities” responsible for your care, and each maintains its own Notice of Privacy Practices that governs the treatment relationship between you and your clinicians. When we act as a Business Associate, we handle PHI on behalf of your practice and under a written Business Associate Agreement that requires us to protect your PHI and to use and disclose it only as that agreement and the law allow.

In some patient-facing situations — for example, when you use our app to communicate with your care team or to exercise your privacy rights — ElderberryMD handles PHI more directly, on your behalf and on behalf of your practice. We provide this Notice so that you understand, in one place, how ElderberryMD uses and protects your PHI and what rights you have. This Notice does not replace the Notice of Privacy Practices provided by your own physician practice; where the two differ as to your treatment relationship, your practice’s Notice governs that relationship.

2. How we use and disclose PHI for treatment, payment, and health care operations

ElderberryMD uses and discloses PHI to support the treatment, payment, and health care operations of the physician practices we serve. Examples include:

We use and disclose PHI for these purposes only as permitted by HIPAA, by our Business Associate Agreement with your practice, and by any more protective requirements of applicable law.

3. How AI assistance is used

ElderberryMD offers AI-enabled tools, including AskEvidence (which helps clinicians find and apply medical evidence) and an AI Scribe (which helps document clinical encounters). These tools are designed as clinician-controlled assistance. They support, and do not replace, the professional judgment of your clinicians. A licensed member of your care team remains responsible for clinical decisions and for reviewing any AI-assisted documentation or suggestions before they are relied upon.

Where these tools involve third-party technology vendors, those vendors are engaged under written agreements, including HIPAA Business Associate Agreements where applicable, that require them to protect your PHI and to use it only to provide services to ElderberryMD and your practice. We do not use your PHI to train AI models for unrelated purposes, and we do not permit our vendors to do so, without a valid authorization or as otherwise permitted by law.

4. We do not sell your PHI, and we do not use it for advertising

ElderberryMD does not sell your PHI. We do not exchange your PHI for payment in any way that HIPAA would treat as a sale of PHI, and we will not do so without your written authorization. ElderberryMD does not use or disclose your PHI for patient advertising or marketing. We do not use your PHI to target advertising to you, and we do not share your PHI with advertising platforms or data brokers for that purpose.

5. Uses and disclosures that require your written authorization

Other than the uses and disclosures described in this Notice, ElderberryMD will use or disclose your PHI only with your written authorization. In particular, your written authorization is required for the sale of PHI (which we do not do), for marketing that uses your PHI (which we do not do), and for any use or disclosure of psychotherapy notes, except in the limited circumstances HIPAA permits. If you give us an authorization, you may revoke it in writing at any time. Your revocation will stop future uses and disclosures made under that authorization, except to the extent we have already acted in reliance on it.

6. Other ways we may use or disclose PHI without your authorization

HIPAA permits or requires ElderberryMD (and the practices we support) to use or disclose PHI without your authorization in certain situations, always limited to what the law allows and to the minimum necessary. These include:

When we disclose your PHI to another organization or person, that recipient may, in some cases, redisclose it in ways that are no longer protected by HIPAA.

7. Special protections for certain information

Some information receives extra protection under federal or state law, and we will follow those more protective rules where they apply. This may include substance use disorder treatment records protected under 42 CFR Part 2, and certain mental-health, HIV/AIDS, genetic, and reproductive-health information. Where the law requires your specific consent or imposes additional restrictions before this information may be shared, we will follow those requirements.

8. Your access rights and the 21st Century Cures Act

You have the right to timely access to your electronic health information. Federal “information blocking” rules under the 21st Century Cures Act are intended to ensure that you, and applications you authorize, can access and use your electronic health information without unnecessary delay. ElderberryMD supports your practice in providing this access. Limited exceptions apply — for example, to prevent harm, to protect privacy, or to comply with other law — and in those situations access may be limited as the law allows.

9. Your rights

You have the following rights regarding your PHI. To exercise any of these rights, use the contact form or the tools available in the ElderberryMD app at elderberry.health. Where a request concerns records held by your physician practice, we may direct your request to your practice or help you submit it there.

If you ask us to exercise a right, we will not retaliate against you.

10. Minors and personal representatives

For patients who are minors or who have a personal representative (such as a parent, legal guardian, or person with appropriate health care power of attorney), that representative may generally exercise privacy rights on the patient’s behalf. In some cases, state law gives minors the right to control certain sensitive health information themselves, or limits a representative’s access. ElderberryMD follows applicable state law in these situations, and we may decline to treat a person as a personal representative where the law permits — for example, where we reasonably believe doing so could endanger the patient.

11. State law and more protective requirements

Some state laws, and some federal laws, provide greater privacy protection than HIPAA or grant you additional rights. Where a law that applies to your information is more protective than HIPAA, ElderberryMD will follow that more protective law. This Notice describes the floor of protections under HIPAA; your state may give you more.

12. Our responsibilities

ElderberryMD is required by law to maintain the privacy and security of your PHI and protect it with appropriate administrative, technical, and physical safeguards; to provide this Notice of our legal duties and privacy practices and follow the terms of the Notice currently in effect; to notify you, or support your practice in notifying you, if a breach occurs that may have compromised the privacy or security of your PHI; and to use and disclose your PHI only as described in this Notice or as otherwise permitted or required by law. For any other use, we will ask for your written authorization, which you may revoke.

13. Breach notification

If we discover a breach of unsecured PHI, ElderberryMD will provide, or assist the affected physician practice in providing, notification as required by the HIPAA Breach Notification Rule. As a Business Associate, we will notify the affected practice without unreasonable delay and no later than 60 days after discovering the breach, and we will support the practice’s notifications to affected individuals and, where required, to the Secretary of Health and Human Services and the media.

14. How to file a complaint

If you believe your privacy rights have been violated, you may file a complaint with ElderberryMD using the contact form. You may also file a complaint directly with the U.S. Department of Health and Human Services, Office for Civil Rights (“OCR”), by mail to the U.S. Department of Health and Human Services, Office for Civil Rights, 200 Independence Avenue SW, Washington, D.C. 20201, or online through the OCR Complaint Portal at ocrportal.hhs.gov/ocr. A complaint to OCR must generally be filed in writing within 180 days of when you knew or should have known that the act occurred. You will not be retaliated against for filing a complaint with ElderberryMD or with OCR.

15. How to contact ElderberryMD

For questions about this Notice, to exercise your rights, or to raise a privacy concern, please use the contact form or the tools in the ElderberryMD app at elderberry.health. In an emergency, call 911. If you are in a mental-health or suicidal crisis, call or text 988.

16. Changes to this Notice

ElderberryMD reserves the right to change the terms of this Notice at any time and to make the revised Notice effective for all PHI we maintain, including PHI created or received before the change. When we make a material change, we will post the updated Notice with a new effective date at the location where this Notice appears and at elderberry.health, and we will make the current Notice available on request. We encourage you to review this Notice periodically.

This Notice describes how ElderberryMD handles protected health information in connection with its services. For information specific to your own care, your physician’s practice provides its own Notice of Privacy Practices. This Notice is effective June 5, 2026.

Start free today.

Patients are always free. Providers start on the free plan in minutes — no contract, no credit card. Have a larger practice or health system? Our team will help you plan the rollout.