Notice of Privacy Practices
Effective Date: March 16, 2026 — Version 3.0
THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
1. Our Commitment to Your Privacy
Natoe Inc., a Delaware corporation doing business as Natoe AI, with principal offices located at 29399 US Highway 19 N, Suite #150, Clearwater, Florida 33761, is a teleradiology company that provides remote diagnostic imaging interpretation services primarily to healthcare facilities in the State of Florida. As a healthcare provider and HIPAA Covered Entity, we are required by law to maintain the privacy of your Protected Health Information (“PHI”), provide you with this Notice of our legal duties and privacy practices regarding PHI, and abide by the terms of this Notice currently in effect.
Protected Health Information is individually identifiable health information, including demographic data, that relates to your past, present, or future physical or mental health condition, the provision of healthcare to you, or the past, present, or future payment for healthcare, and that identifies you or could reasonably be used to identify you.
As a teleradiology provider, Natoe AI typically receives Protected Health Information from referring healthcare facilities (such as hospitals, urgent care centers, and imaging centers) rather than directly from patients. Patients do not have a direct provider-patient relationship with Natoe AI. Instead, our relationship is with the ordering/referring healthcare provider. If you are an individual patient, you receive this Notice through your referring healthcare facility or upon your request to our Privacy Officer.
2. How We May Use and Disclose Your PHI
The following describes the ways we may use and disclose your PHI. Not every use or disclosure is listed, but all uses and disclosures fall within one of the permitted categories.
2.1 Uses and Disclosures That Do Not Require Your Authorization
Treatment: We may use and disclose your PHI to provide, coordinate, and manage your healthcare and related services. For example, we use diagnostic images and clinical information sent to us by your healthcare provider to prepare radiology reports and interpretations, which we then send back to your treating physician. PHI may also be disclosed to other qualified radiologists for second opinions, overreads, or peer review in accordance with our quality assurance processes. Critical or urgent findings are communicated to the ordering physician in accordance with our Critical Findings Communication Protocol.
Payment: We may use and disclose your PHI for billing and payment purposes. For example, we may share certain PHI with your healthcare facility or health plan to obtain payment for the teleradiology services we provide.
Healthcare Operations: We may use and disclose your PHI for our healthcare operations, which include quality assessment and improvement activities, peer review, credentialing, training, licensing, and other activities necessary to run our practice and provide quality care. This includes the use of AI-assisted tools for case prioritization, triage support, and quality assurance. All final diagnostic interpretations are made by licensed, board-certified radiologists.
2.1a Use of Technology and AI
Natoe AI uses artificial intelligence and machine learning-based tools as decision support systems for case prioritization, triage, quality assurance, and clinical workflow optimization. These AI-assisted tools are designed to enhance the efficiency and consistency of our diagnostic services. However, all final clinical interpretations, findings, and diagnostic decisions are made independently by licensed, board-certified radiologists. AI tools do not make independent clinical decisions. AI processing of your PHI occurs only within our HIPAA-compliant, secure environment and in accordance with our Business Associate Agreements where third-party services are used. Our AI clinical decision support tools have received FDA 510(k) clearance for their intended uses and are used in compliance with applicable FDA requirements.
As Required by Law: We will disclose your PHI when required to do so by federal, state, or local law.
Public Health Activities: We may disclose your PHI for public health activities, such as reporting to public health authorities for the purpose of preventing or controlling disease, injury, or disability, or reporting to the Food and Drug Administration regarding adverse events.
Health Oversight Activities: We may disclose your PHI to a health oversight agency for activities authorized by law, such as audits, investigations, inspections, and licensure.
Judicial and Administrative Proceedings: We may disclose your PHI in response to a court order, subpoena, discovery request, or other lawful process, subject to applicable legal requirements.
Law Enforcement: We may disclose your PHI in limited circumstances to law enforcement officials, such as in response to a court order or warrant, to identify or locate a suspect or missing person, or to report certain types of wounds or injuries.
Coroners, Medical Examiners, and Funeral Directors: We may disclose your PHI to a coroner, medical examiner, or funeral director as necessary for them to carry out their duties.
Research: Under certain circumstances, we may use and disclose your PHI for research purposes, provided the research has been approved through a special process that evaluates the need for and protection of PHI.
Threat to Health or Safety: We may use or disclose your PHI when necessary to prevent a serious and imminent threat to your health or safety or the health or safety of the public or another person.
Health Information Exchanges: PHI may be disclosed through secure health information exchanges as part of treatment coordination and care delivery, where applicable and in accordance with state law.
Workers’ Compensation: We may disclose your PHI as authorized by workers’ compensation or similar laws.
Military and Veterans: If you are a member of the armed forces, we may disclose your PHI as required by military command authorities.
Correctional Institutions: If you are an inmate of a correctional institution, we may disclose your PHI to the institution or its agents when necessary for your health, the health and safety of others, or law enforcement.
2.2 Uses and Disclosures That Require Your Written Authorization
We will obtain your written authorization before using or disclosing your PHI for purposes not described in this Notice. You may revoke an authorization at any time, in writing, except to the extent that we have already taken action in reliance on the authorization. Specific situations requiring authorization include:
- Marketing purposes (with limited exceptions).
- Sale of your PHI.
- Uses and disclosures of psychotherapy notes (if any were to be maintained).
- Fundraising purposes.
- Other uses and disclosures not described in this Notice.
2.2a Fundraising and Marketing
Natoe AI does not use your Protected Health Information for fundraising or solicitation purposes. Any marketing communications you may receive from us will only be conducted with your prior written authorization where required by law.
3. Your Rights Regarding Your PHI
You have the following rights with respect to your PHI. To exercise any of these rights, please submit a written request to our Privacy Officer using the contact information in Section 7.
Right to Access: You have the right to inspect and obtain a copy of your PHI maintained in a designated record set. We may charge a reasonable, cost-based fee for copies. In certain limited circumstances, we may deny access, and you may request a review of the denial. We will respond to your request within 30 days of receipt; this period may be extended by one additional 30-day period if necessary.
Right to Amend: You have the right to request that we amend your PHI if you believe it is incorrect or incomplete. We may deny the request under certain circumstances (for example, if we did not create the information or believe it is accurate). If we deny your request, we will provide you with a written explanation.
Right to an Accounting of Disclosures: You have the right to receive a list of certain disclosures we have made of your PHI. The accounting will not include disclosures made for treatment, payment, healthcare operations, or certain other purposes. The first accounting in any 12-month period is free; we may charge a reasonable fee for subsequent requests. We will respond to your request within 60 days of receipt; this period may be extended by one additional 30-day period if necessary.
Right to Request Restrictions: You have the right to request that we restrict certain uses and disclosures of your PHI. We are not required to agree to your request. However, if you pay entirely out of pocket for a service and request that we restrict disclosures to a health plan for payment or healthcare operations, we must honor that request in accordance with 45 CFR §164.522(a)(1)(vi).
Right to Request Confidential Communications: You have the right to request that we communicate with you about health matters through a particular means or at a certain location. For example, you may request that we contact you only by mail or at a specific address. We will accommodate reasonable requests.
Right to a Paper Copy of This Notice: You have the right to receive a paper copy of this Notice at any time, even if you have previously agreed to receive it electronically. You may request a copy by contacting our Privacy Officer.
Right to Be Notified of a Breach: You have the right to be notified in the event of a breach of your unsecured PHI. We will notify you in accordance with applicable federal and state law.
3.1 Personal Representatives
A personal representative is someone legally authorized to act on your behalf regarding your healthcare or health information. This includes a parent or legal guardian of a minor child (subject to certain exceptions under state law), an individual with healthcare power of attorney, a court-appointed guardian or conservator, and the executor or administrator of a deceased individual’s estate. Personal representatives have the same rights as the individual with respect to PHI, subject to applicable limitations under federal and state law. We may deny access to a personal representative if we reasonably believe doing so would endanger the individual.
4. Our Duties
We are required by law to:
- Maintain the privacy of your PHI and provide you with this Notice of our legal duties and privacy practices.
- Abide by the terms of this Notice currently in effect.
- Notify you if we are unable to agree to a requested restriction on how we use or disclose your PHI.
- Notify affected individuals following a breach of unsecured PHI.
We reserve the right to change the terms of this Notice and to make the new provisions effective for all PHI we maintain. If we make a material change to this Notice, we will make the revised Notice available on our website and provide copies upon request.
5. Minimum Necessary Standard
When using or disclosing PHI or when requesting PHI from another covered entity or business associate, we will make reasonable efforts to limit the PHI used, disclosed, or requested to the minimum necessary to accomplish the intended purpose, except where the minimum necessary standard does not apply (such as disclosures to your treating healthcare provider for treatment purposes).
6. State-Specific Requirements
Some states have privacy laws that are more protective than HIPAA. Where applicable state law provides greater privacy protections or additional rights, we will comply with those requirements in addition to HIPAA. This may include, but is not limited to, state laws governing:
- Mental health records.
- Substance abuse treatment records.
- HIV/AIDS-related information.
- Genetic information.
- Minors’ health information.
As a Delaware corporation with principal operations in Florida, we comply with all applicable Florida health information privacy laws in addition to HIPAA. We also comply with the healthcare privacy laws of any other state in which we provide teleradiology services.
As a teleradiology provider operating primarily in Florida, Natoe complies with all applicable Florida health information privacy laws, including Florida’s breach notification statute (Fla. Stat. §501.171) and any Florida-specific requirements regarding medical records and imaging data.
7. Contact Information
If you have questions about this Notice, wish to exercise your rights, or want to file a complaint about our privacy practices, please contact:
Privacy Officer
Pragya Goyal
Natoe Inc.
29399 US Highway 19 N, Suite #150, Clearwater, Florida 33761
Email: [email protected]
Phone: +1 (656) 241-6730
8. Breach Notification
In the event of a breach of unsecured PHI, Natoe AI will provide notification to affected individuals in accordance with both the HIPAA Breach Notification Rule and applicable state law. Under HIPAA, notification must be provided without unreasonable delay and in no case later than sixty (60) calendar days after discovery of the breach. Florida law (Fla. Stat. §501.171) requires notification within thirty (30) days of determining a breach has occurred. Note that “discovery” under HIPAA and “determination” under Florida law may represent different points in time; Natoe AI will comply with the shortest applicable timeline in all cases. Breach notification will include a description of the breach, the types of information involved, steps individuals should take to protect themselves, what Natoe AI is doing to investigate and prevent recurrence, and contact information for questions.
9. Complaints
If you believe your privacy rights have been violated, you may file a complaint with us using the contact information above. You may also file a complaint with the U.S. Department of Health and Human Services, Office for Civil Rights, by sending a letter to 200 Independence Avenue, S.W., Washington, D.C. 20201, by calling 1-877-696-6775, or by visiting www.hhs.gov/ocr/privacy/hipaa/complaints.
You will not be retaliated against for filing a complaint.
10. Effective Date and Changes
This Notice is effective as of March 16, 2026. We reserve the right to change the terms of this Notice at any time. Any changes will apply to all PHI we already maintain, as well as any PHI we create or receive in the future. A revised Notice will be posted on our website and made available upon request.