HIPAA Notice Of Privacy Practices

Genesis MD, Inc. (a California Professional Corporation), operating under the registered fictitious business name Genesis Sleep MD, Inc. (hereinafter referred to uniformly as “the Company” or “Genesis Sleep MD”)

Effective Date: June 29, 2026
Version: 1.0
Last Updated: June 29, 2026

THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.


1. The Company’s Legal Duty and the Scope of This Notice

1.1 Who Provides This Notice

The Company is a Covered Entity under the federal Health Insurance Portability and Accountability Act of 1996, as amended, and its implementing regulations (collectively, “HIPAA”), and the Health Information Technology for Economic and Clinical Health Act (“HITECH”). The Company is required by law to maintain the privacy of your Protected Health Information (“PHI”), to provide you with this Notice of the Company’s legal duties and privacy practices with respect to your PHI, to notify affected individuals following a breach of unsecured PHI, and to abide by the terms of the Notice currently in effect.

1.2 The Clinical Scope of This Notice (Authenticated Environment Only)

This Notice applies SOLELY to Protected Health Information that is created, received, maintained, or transmitted by Genesis Sleep MD within the Company’s secure, authenticated clinical infrastructure — the Healthie electronic health record platform (the “Healthie EHR”), including the integrated Zoom for Healthcare video environment used to deliver telehealth Clinical Services.

This Notice governs PHI generated in connection with the Tier 2 Precision Concierge and Tier 3 Longevity Elite clinical packages and any other regulated clinical care the Company provides.

1.3 What This Notice Does Not Govern (Public / Non-Clinical Environment)

This Notice does not apply to information collected through the Company’s public-facing, non-clinical environment, which is instead governed by the Company’s separate Privacy Policy (CCPA/CPRA). The non-clinical environment includes the website at genesissleepmd.com, the Sleep Blocker Quiz, the masterclass webinar and other marketing content, the Company’s RedNova CRM marketing infrastructure, the Company’s ManyChat / Instagram direct-message channels, and the Tier 1 ($2,500) Foundations Program, which is a non-clinical, educational product.


No physician-patient relationship is formed, and no PHI subject to this Notice is created, through the public environment or through the Tier 1 Foundations Program. This deliberate separation between the Company’s public educational layer and regulated clinical layer is intended to ensure that all clinical care is delivered only through appropriate, consented, and lawful channels.


1.4 Interaction with Stricter State Law

Where the California Confidentiality of Medical Information Act (“CMIA,” California Civil Code § 56 et seq.), Pennsylvania law, or any other applicable state law affords you greater privacy protection than HIPAA, the stricter standard controls. Sections 4.3 and 11 describe how California and Pennsylvania law impose heightened protections, particularly for behavioral health information.

2. How the Company May Use and Disclose Your PHI for Treatment, Payment, and Health Care Operations (TPO)

The Company may use and disclose your PHI, without your separate written authorization, for the following purposes:

2.1 Treatment

The Company uses and discloses your PHI to provide, coordinate, and manage your clinical sleep care. Examples specific to the Company’s practice include:

(a) Home Sleep Testing (WatchPAT) workflow — disclosing the PHI necessary to order, ship, activate, and interpret your WatchPAT at-home sleep study, including transmitting your information to and receiving study data from the device vendor for the purpose of generating diagnostic results that Dr. Meneena Bright or a covering clinician reviews and interprets;

(b) Laboratory and biomarker workflow (Quest Diagnostics) — disclosing the PHI necessary to order your comprehensive sleep, hormone, genetic, and/or longevity biomarker panels from Quest Diagnostics, and receiving the resulting laboratory data so that your clinician can interpret it and incorporate it into your care plan;

(c) Telehealth encounters — using PHI during synchronous video consultations conducted through the Zoom for Healthcare environment integrated within the Healthie EHR;


(d) Care coordination and referrals — disclosing PHI to other physicians, specialists, sleep laboratories, or your primary care physician (with your authorization where required) when the Company refers you for care that is outside its clinical scope (see Section 2.4); and

(e) Clinical documentation — generating and maintaining your clinical record, including the text-only summaries produced by the Company’s ambient artificial-intelligence clinical scribe, as described in Section 5.

2.2 Payment

The Company may use and disclose your PHI to obtain payment for the services it provides. Examples include processing a credit card maintained on file through the Company’s payment processor within the Healthie EHR, generating an itemized superbill (containing diagnostic and procedure codes) that you may submit to your own insurer for possible out-of-network reimbursement, and managing billing and collection activities. Genesis Sleep MD operates as a private cash-pay practice and does not participate in commercial insurance networks; reimbursement by any third-party payer is not guaranteed.


2.3 Health Care Operations

The Company may use and disclose your PHI for its health care operations — activities necessary to run the practice and ensure quality care. Examples include internal quality-assessment and improvement reviews (including review of the Company’s automated triage and onboarding sequences), evaluating clinician and staff performance, conducting training, maintaining and securing the Company’s digital health platforms, and general administrative and business-management functions.


2.4 Clinical Scope and Out-of-Scope Referral

The Company’s clinical scope is limited to the evaluation and management of insomnia, hypersomnia, and parasomnia. The following conditions are outside the Company’s clinical scope and will result in disclosure of the minimum necessary PHI to refer you to appropriate in-person care: severe untreated cardiac disease; active substance use disorder requiring detoxification; acute psychiatric crisis; pediatric primary sleep disorders; and complex surgical sleep cases (including severe obstructive sleep apnea requiring surgical evaluation).

2.5 Appointment, Reminder, and Health-Related Communications

The Company may contact you to provide appointment reminders, results-availability notifications (for example, “your results are ready; please log in to the portal”), and information about treatment alternatives or other health-related benefits and services that may be of interest to you. As described in the Company’s Telehealth Informed Consent, the Company will not place clinical detail in unencrypted SMS or email; such channels are used only for administrative notifications, and the Company obtains your acknowledgment of the risks of unencrypted communication before using them for any clinical purpose.

3. Group CBT-I Sessions — Important Disclosure Regarding Exposure to Other Participants

The Tier 2 and Tier 3 programs include live, group-based Cognitive Behavioral Therapy for Insomnia (CBT-I) sessions conducted via telehealth. By participating in a group session, your presence, identity, image, voice, and any information you choose to share are necessarily visible and audible to the other participants in that group. This exposure occurs outside the one-to-one confidentiality boundary that applies to your individual clinical encounters, and Genesis Sleep MD cannot control or be responsible for the conduct of other group participants or their re-disclosure of what they observe or hear.


The Company asks all participants to respect the confidentiality of others, but the Company cannot guarantee it. You are not required to disclose any particular information during a group session and may limit your participation as you see fit. If you prefer not to participate in a group setting, please contact the Company to discuss available alternatives.

4. Uses and Disclosures That Require Your Written Authorization

Other than as described in this Notice, the Company will not use or disclose your PHI without your written authorization, which you may revoke in writing at any time (except to the extent the Company has already acted in reliance on it). In particular, the following require your authorization:

4.1 Marketing

The Company will not use or disclose your PHI — including any name, email, or telephone number maintained in the Healthie EHR — for marketing purposes, or sell your PHI for promotional lists or campaigns, without your prior written authorization. The Company does not sell PHI.


4.2 Psychotherapy / Behavioral Notes

Most uses and disclosures of psychotherapy notes (where such notes are maintained separately from the rest of your record) require your authorization.


4.3 Heightened Behavioral Health Protections (CA and PA)

Consistent with California law and the heightened mental-health record protections under Pennsylvania law, disclosure of behavioral health information generated through the Company’s CBT-I and related services may require your specific, separate written consent or authorization beyond the standard HIPAA TPO framework. Where state law imposes this higher bar, the Company will obtain the required consent before disclosing such information.


4.4 Other Authorization-Required Uses

Any use or disclosure of PHI for purposes not described in this Notice, and any use of PHI to train external or third-party generative artificial-intelligence models, will be made only with your prior written authorization. (See Section 5 regarding the Company’s limited, internal, BAA-governed use of an AI scribe.)


5. Artificial Intelligence Clinical Scribe Disclosure

In compliance with emerging transparency expectations, you are informed that the Company uses an ambient, text-only artificial-intelligence clinical scribe to generate written summaries and transcripts of telehealth encounters. No audio or video recording of any clinical encounter is retained by the Company or the scribe vendor. The resulting text summaries are integrated into your medical record and retained as part of that record. The scribe vendor operates under a Business Associate Agreement. Your PHI will not be used to train any external, public, or third-party generative artificial-intelligence model.

6. Uses and Disclosures That May Be Made Without Your Authorization

The Company may use or disclose your PHI without your authorization in the following circumstances, to the extent permitted or required by law and subject to applicable state-law limitations:


(a) As required by law, including disclosures required by federal, state, or local law;

(b) Public health activities, including reporting to public health authorities and, where applicable, reporting medical-device safety or compliance data (for example, device-monitoring data) to manufacturers or the U.S. Food and Drug Administration;

(c) Victims of abuse, neglect, or domestic violence, including mandatory reporting of suspected child, elder, or dependent-adult abuse under California and Pennsylvania law;

(d) Health oversight activities by agencies authorized by law;


(e) Judicial and administrative proceedings, in response to a valid court order, subpoena, warrant, or similar lawful process, with required protections;


(f) Law enforcement purposes, as permitted by law;


(g) To avert a serious and imminent threat to health or safety;


(h) Coroners, medical examiners, and funeral directors, as authorized by law;


(i) Specialized government functions and workers’ compensation, as authorized by law; and


(j) Research, only with your authorization or as otherwise permitted by law (for example, under a waiver granted by an Institutional Review Board or Privacy Board).

The Company applies the minimum necessary standard to internal uses and to disclosures that are not for treatment purposes.


7. Your Individual Rights Regarding Your PHI

You have the following rights with respect to PHI the Company maintains about you. To exercise any of these rights, submit a written request to the Company’s Privacy Officer using the contact information in Section 10.

7.1 Right to Inspect and Copy

You have the right to inspect and obtain a copy of your clinical sleep records, diagnostic histories, laboratory and biomarker results, and billing information, including an electronic copy of records maintained electronically in the Healthie EHR. The Company will act on your request within thirty (30) days (with one permitted thirty-day extension upon written notice). The Company may charge a reasonable, cost-based fee to the extent permitted by HIPAA and the CMIA. The Company may deny access in limited circumstances permitted by law, and certain denials are subject to review.

7.2 Right to Amend

You have the right to request that the Company amend PHI you believe is inaccurate or incomplete — for example, a misstated sleep history or an erroneous entry in your clinical file. Your request must be in writing and state the reason for the requested amendment. The Company may deny the request in certain circumstances permitted by law and will provide a written explanation; you may submit a statement of disagreement that becomes part of your record.


7.3 Right to an Accounting of Disclosures

You have the right to request an accounting of certain disclosures of your PHI made by the Company, going back up to six (6) years before the date of the request. This accounting does not include disclosures made for treatment, payment, or health care operations, disclosures made to you, disclosures made pursuant to your authorization, and certain other disclosures excepted by law. The Company will provide one accounting in any twelve-month period free of charge.


7.4 Right to Request Restrictions

You have the right to request restrictions on certain uses and disclosures of your PHI for treatment, payment, or health care operations. The Company is not generally required to agree to a requested restriction, except as described in Section 7.5.


7.5 Right to Restrict Disclosure to a Health Plan for Out-of-Pocket Services (HITECH Cash-Pay Right)

Under the HITECH Act, if you pay for a specific item or service in full, out of pocket, you have the right to request — and the Company is required to honor — a restriction prohibiting disclosure of PHI relating solely to that item or service to your health plan for purposes of payment or health care operations, where the disclosure is not otherwise required by law.


Because Genesis Sleep MD operates as a cash-pay practice, this right gives the Company’s patients the ability to keep PHI for fully self-paid services from being disclosed to their health insurer. To exercise this right, notify the Company at the time of service.


7.6 Right to Confidential Communications

You have the right to request that the Company communicate with you about your PHI by alternative means or at an alternative location — for example, that the Company contact you only through the authenticated Healthie portal, by a specific telephone number, or at a discrete address. The Company will accommodate reasonable requests.


7.7 Right to a Paper Copy of This Notice

You have the right to obtain a paper copy of this Notice upon request, even if you have agreed to receive it electronically.


7.8 Right to Breach Notification

You have the right to be notified following a breach of your unsecured PHI, as described in Section 8.

8. Breach Notification

The Company is required by law to notify affected individuals following a breach of unsecured PHI. Notification to affected individuals will be provided without unreasonable delay and in no case later than sixty (60) calendar days after discovery of the breach, in accordance with the HIPAA Breach Notification Rule (HIPAA Omnibus Rule).

Where required, the Company will also notify the Secretary of the U.S. Department of Health and Human Services and, as applicable, the media and state authorities (including the California Attorney General), and the Company will comply with any stricter breach-notification timelines or content requirements imposed by California or Pennsylvania law.

9. Our Duties; Changes to This Notice; Business Associates

The Company is required to maintain the privacy of your PHI, to provide this Notice, to abide by its current terms, and to notify you of breaches as described above. The Company reserves the right to change this Notice and to make the revised Notice effective for PHI the Company already maintains as well as PHI the Company receives in the future. If the Company makes a material change, the Company will post the revised Notice within its clinical portal and make it available to active patients before the change takes effect, and the revised Notice will display a new effective date.

The Company requires its Business Associates — vendors that create, receive, maintain, or transmit PHI on the Company’s behalf, including the Company’s EHR, telehealth video platform, laboratory partner, and AI scribe vendor — to protect your PHI under written Business Associate Agreements, and to flow those obligations down to their subcontractors.

10. Complaints, Enforcement, and Contact Information

10.1 How to File a Complaint With Us

If you believe your privacy rights have been violated, you may file a complaint with the Company’s Privacy Officer. You will not be retaliated against, and no service will be conditioned, for filing a complaint.


Covered Entity: Genesis MD, Inc., operating as Genesis Sleep MD
HIPAA Privacy Officer / Security Officer: Dr. Meneena Bright
Email: [email protected]
Mailing Address: 510 Superior Avenue, Suite 200A, Newport Beach, California 92663


10.2 How to File a Complaint With the Federal Government

You may also file a complaint with the Secretary of the U.S. Department of Health and Human Services, Office for Civil Rights (“OCR”). California patients are served by OCR Region IX; Pennsylvania patients are served by OCR Region III. Complaints may be filed in writing or through the OCR online complaint portal, generally within 180 days of when you knew or should have known of the alleged violation.

10.3 State Authorities

California patients may also contact the California Attorney General. Pennsylvania patients may contact the appropriate Pennsylvania state authority.

11. State-Law Stricter-Standard Provisions

11.1 California (CMIA)

The CMIA imposes requirements on the electronic transmission and disclosure of medical information that are, in certain respects, stricter than HIPAA. The Company maintains detailed access and disclosure logs for transmissions of medical information to external platforms consistent with California Civil Code § 56.10 and related provisions, and the Company applies CMIA’s heightened standards where they exceed HIPAA.


11.2 Pennsylvania (Behavioral Health)

For patients in Pennsylvania, the disclosure of behavioral and mental-health information — including information generated through CBT-I and related behavioral services — is subject to Pennsylvania’s heightened consent requirements, which require specific consent for the release of such information beyond what federal HIPAA TPO rules would otherwise permit.


12. Acknowledgment, Effective Date, and Onboarding Execution

This Notice is effective as of June 29, 2026. As part of clinical onboarding, and before the clinical intake form unlocks and before the Stage 7 Clinical Deep Dive is scheduled, you will be presented with the full text of this Notice within the Healthie EHR and asked to acknowledge receipt (acknowledgment of receipt, not agreement to a contract — the NPP is a notice, not an agreement). The platform records the acknowledgment with a timestamp, the accepting user’s identity, the IP address, and the specific version of this Notice acknowledged, as part of the clinical record.


Acknowledgment of this Notice confirms only that you have received it. It is separate from, and does not constitute, the Telehealth Informed Consent or any financial agreement.


Copyright © Genesis MD, Inc. 2026. All rights reserved. “Genesis Sleep MD,” “Genesis MD,” and “Genesis Protocol” are trademarks or service marks of Genesis MD, Inc.

Follow Us on Instagram

Get daily insights, sleep tips, and behind-the-scenes content from Dr. Bright

Facebook
Instagram
Twitter
LinkedIn
YouTube
TikTok