Effective date: June 5, 2026.
THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
1. About this Notice and ElderberryMD’s role
ElderberryMD provides back-office care-coordination services and clinical software to independent and small physician practices, and offers a free patient app at elderberry.health. In the course of these services we handle Protected Health Information (“PHI”) — information that identifies you and relates to your health, your health care, or payment for that care.
In most situations, ElderberryMD acts as a Business Associate to the physician practices that use our services. Those practices are the “covered entities” responsible for your care, and each maintains its own Notice of Privacy Practices that governs the treatment relationship between you and your clinicians. When we act as a Business Associate, we handle PHI on behalf of your practice and under a written Business Associate Agreement that requires us to protect your PHI and to use and disclose it only as that agreement and the law allow.
In some patient-facing situations — for example, when you use our app to communicate with your care team or to exercise your privacy rights — ElderberryMD handles PHI more directly, on your behalf and on behalf of your practice. We provide this Notice so that you understand, in one place, how ElderberryMD uses and protects your PHI and what rights you have. This Notice does not replace the Notice of Privacy Practices provided by your own physician practice; where the two differ as to your treatment relationship, your practice’s Notice governs that relationship.
2. How we use and disclose PHI for treatment, payment, and health care operations
ElderberryMD uses and discloses PHI to support the treatment, payment, and health care operations of the physician practices we serve. Examples include:
- Treatment. We help coordinate your care across your care team — for example, routing messages, organizing records, surfacing relevant clinical information, and helping your clinicians follow up on results, referrals, and care plans so the people involved in your care have the information they need.
- Payment. We support billing and reimbursement for your practice — for example, helping prepare and transmit claims, verify coverage and eligibility, and resolve billing questions — using the minimum PHI necessary.
- Health care operations. We support day-to-day operations and quality — for example, care management and outreach, quality measurement and improvement, auditing, and the secure operation and improvement of the software and services your practice relies on.
We use and disclose PHI for these purposes only as permitted by HIPAA, by our Business Associate Agreement with your practice, and by any more protective requirements of applicable law.
3. How AI assistance is used
ElderberryMD offers AI-enabled tools, including AskEvidence (which helps clinicians find and apply medical evidence) and an AI Scribe (which helps document clinical encounters). These tools are designed as clinician-controlled assistance. They support, and do not replace, the professional judgment of your clinicians. A licensed member of your care team remains responsible for clinical decisions and for reviewing any AI-assisted documentation or suggestions before they are relied upon.
Where these tools involve third-party technology vendors, those vendors are engaged under written agreements, including HIPAA Business Associate Agreements where applicable, that require them to protect your PHI and to use it only to provide services to ElderberryMD and your practice. We do not use your PHI to train AI models for unrelated purposes, and we do not permit our vendors to do so, without a valid authorization or as otherwise permitted by law.
4. We do not sell your PHI, and we do not use it for advertising
ElderberryMD does not sell your PHI. We do not exchange your PHI for payment in any way that HIPAA would treat as a sale of PHI, and we will not do so without your written authorization. ElderberryMD does not use or disclose your PHI for patient advertising or marketing. We do not use your PHI to target advertising to you, and we do not share your PHI with advertising platforms or data brokers for that purpose.
5. Uses and disclosures that require your written authorization
Other than the uses and disclosures described in this Notice, ElderberryMD will use or disclose your PHI only with your written authorization. In particular, your written authorization is required for the sale of PHI (which we do not do), for marketing that uses your PHI (which we do not do), and for any use or disclosure of psychotherapy notes, except in the limited circumstances HIPAA permits. If you give us an authorization, you may revoke it in writing at any time. Your revocation will stop future uses and disclosures made under that authorization, except to the extent we have already acted in reliance on it.
6. Other ways we may use or disclose PHI without your authorization
HIPAA permits or requires ElderberryMD (and the practices we support) to use or disclose PHI without your authorization in certain situations, always limited to what the law allows and to the minimum necessary. These include:
- Public health activities — such as reporting to public health authorities to prevent or control disease, injury, or disability, and reporting adverse events to the FDA.
- Health oversight activities — such as audits, investigations, and inspections by agencies that oversee the health care system.
- Legal proceedings — in response to a court or administrative order, or to a subpoena or discovery request where the required protections are met.
- Law enforcement — in the limited circumstances HIPAA permits, such as in response to valid legal process or to report certain injuries.
- To avert a serious threat to health or safety — when necessary to prevent or lessen a serious and imminent threat. In an emergency, call 911. If you are experiencing a mental-health crisis or suicidal thoughts, call or text 988 (the Suicide and Crisis Lifeline). ElderberryMD’s app and services are not monitored for emergencies and are not a substitute for emergency services.
- Workers’ compensation — as authorized by and necessary to comply with workers’ compensation laws.
- Coroners, medical examiners, and funeral directors — as necessary for them to carry out their duties.
- Research — when an Institutional Review Board or privacy board has approved the use with appropriate safeguards, or when the information has been de-identified.
- As required by law — when federal, state, or other law requires the use or disclosure.
- To business associates and subcontractors — who perform services for us or your practice, under written agreements that require them to protect your PHI.
When we disclose your PHI to another organization or person, that recipient may, in some cases, redisclose it in ways that are no longer protected by HIPAA.
7. Special protections for certain information
Some information receives extra protection under federal or state law, and we will follow those more protective rules where they apply. This may include substance use disorder treatment records protected under 42 CFR Part 2, and certain mental-health, HIV/AIDS, genetic, and reproductive-health information. Where the law requires your specific consent or imposes additional restrictions before this information may be shared, we will follow those requirements.
8. Your access rights and the 21st Century Cures Act
You have the right to timely access to your electronic health information. Federal “information blocking” rules under the 21st Century Cures Act are intended to ensure that you, and applications you authorize, can access and use your electronic health information without unnecessary delay. ElderberryMD supports your practice in providing this access. Limited exceptions apply — for example, to prevent harm, to protect privacy, or to comply with other law — and in those situations access may be limited as the law allows.
9. Your rights
You have the following rights regarding your PHI. To exercise any of these rights, use the contact form or the tools available in the ElderberryMD app at elderberry.health. Where a request concerns records held by your physician practice, we may direct your request to your practice or help you submit it there.
- Get a copy of your health information. You can ask to inspect and obtain a copy of the PHI we maintain about you, in the form and format you request if we can readily produce it. We will respond within the timeframes the law requires and may charge a reasonable, cost-based fee where permitted.
- Ask us to correct your health information. If you believe PHI we maintain is incorrect or incomplete, you can ask us to amend it. We may deny the request in certain cases and will tell you why in writing.
- Get a list of certain disclosures (an accounting). You can ask for a list of the times we or your practice disclosed your PHI for purposes other than treatment, payment, health care operations, and certain other excluded categories. The first accounting in any 12-month period is free.
- Request restrictions. You can ask us to limit how we use or disclose your PHI. We are not required to agree to every request, but we will tell you our decision. If you pay for a service in full, out of pocket, you can ask that information about that service not be disclosed to your health plan for payment or operations, and we will honor that request as the law requires.
- Request confidential communications. You can ask us to communicate with you in a specific way or at a specific location — for example, by app message only.
- Get a paper copy of this Notice. You can ask for a paper copy at any time, even if you have agreed to receive it electronically.
- Be notified of a breach. You have the right to be notified if a breach occurs that may have compromised the privacy or security of your PHI.
- Choose someone to act for you. A person with medical power of attorney, or a legal guardian or personal representative, can exercise your rights and make choices about your PHI; we will verify their authority before acting.
- Revoke an authorization you have given us, in writing, at any time, as described above.
If you ask us to exercise a right, we will not retaliate against you.
10. Minors and personal representatives
For patients who are minors or who have a personal representative (such as a parent, legal guardian, or person with appropriate health care power of attorney), that representative may generally exercise privacy rights on the patient’s behalf. In some cases, state law gives minors the right to control certain sensitive health information themselves, or limits a representative’s access. ElderberryMD follows applicable state law in these situations, and we may decline to treat a person as a personal representative where the law permits — for example, where we reasonably believe doing so could endanger the patient.
11. State law and more protective requirements
Some state laws, and some federal laws, provide greater privacy protection than HIPAA or grant you additional rights. Where a law that applies to your information is more protective than HIPAA, ElderberryMD will follow that more protective law. This Notice describes the floor of protections under HIPAA; your state may give you more.
12. Our responsibilities
ElderberryMD is required by law to maintain the privacy and security of your PHI and protect it with appropriate administrative, technical, and physical safeguards; to provide this Notice of our legal duties and privacy practices and follow the terms of the Notice currently in effect; to notify you, or support your practice in notifying you, if a breach occurs that may have compromised the privacy or security of your PHI; and to use and disclose your PHI only as described in this Notice or as otherwise permitted or required by law. For any other use, we will ask for your written authorization, which you may revoke.
13. Breach notification
If we discover a breach of unsecured PHI, ElderberryMD will provide, or assist the affected physician practice in providing, notification as required by the HIPAA Breach Notification Rule. As a Business Associate, we will notify the affected practice without unreasonable delay and no later than 60 days after discovering the breach, and we will support the practice’s notifications to affected individuals and, where required, to the Secretary of Health and Human Services and the media.
14. How to file a complaint
If you believe your privacy rights have been violated, you may file a complaint with ElderberryMD using the contact form. You may also file a complaint directly with the U.S. Department of Health and Human Services, Office for Civil Rights (“OCR”), by mail to the U.S. Department of Health and Human Services, Office for Civil Rights, 200 Independence Avenue SW, Washington, D.C. 20201, or online through the OCR Complaint Portal at ocrportal.hhs.gov/ocr. A complaint to OCR must generally be filed in writing within 180 days of when you knew or should have known that the act occurred. You will not be retaliated against for filing a complaint with ElderberryMD or with OCR.
15. How to contact ElderberryMD
For questions about this Notice, to exercise your rights, or to raise a privacy concern, please use the contact form or the tools in the ElderberryMD app at elderberry.health. In an emergency, call 911. If you are in a mental-health or suicidal crisis, call or text 988.
16. Changes to this Notice
ElderberryMD reserves the right to change the terms of this Notice at any time and to make the revised Notice effective for all PHI we maintain, including PHI created or received before the change. When we make a material change, we will post the updated Notice with a new effective date at the location where this Notice appears and at elderberry.health, and we will make the current Notice available on request. We encourage you to review this Notice periodically.
This Notice describes how ElderberryMD handles protected health information in connection with its services. For information specific to your own care, your physician’s practice provides its own Notice of Privacy Practices. This Notice is effective June 5, 2026.