PRIVACY POLICY
Summit Metabolic Health PLLC
Effective Date: March 15, 2026 | Last Updated: March 15, 2026
Summit Metabolic Health PLLC (“Summit Metabolic Health,” “we,” “us,” or “our”) is a Tennessee-licensed telehealth medical practice operating at summitmetabolichealth.com. We are committed to protecting your privacy and handling your health information with the care and discretion it deserves. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal and protected health information when you visit our website, use our telehealth services, or communicate with us. By using our website or services, you agree to the practices described in this Policy.
1. WHO WE ARE
Summit Metabolic Health PLLC is a telehealth-first medical practice offering GLP-1 therapy, weight management, and metabolic health services. Our services are available to patients located in states where we hold active medical licensure: Tennessee, Florida, Michigan, Washington, and Ohio.
As a medical practice, we are a Covered Entity under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its implementing regulations (45 C.F.R. Parts 160 and 164). We maintain a Notice of Privacy Practices (NPP) governing the use and disclosure of your Protected Health Information (PHI), available upon request and provided at the time of your first clinical encounter.
2. INFORMATION WE COLLECT
A. Protected Health Information (PHI)
When you become a patient, we collect PHI as defined under HIPAA, including:
∙ Full name, date of birth, sex, and contact information
∙ Medical history, current medications, allergies, and health conditions
∙ Height, weight, body mass index (BMI), and other clinical measurements
∙ Lab results and diagnostic information
∙ Treatment plans, prescription records, and clinical notes
∙ Communications between you and your treating provider
∙ Billing and payment information
B. Personal Information (Non-PHI)
When you visit our website or submit an inquiry, we may collect:
∙ Name, email address, and phone number (via contact or intake forms)
∙ IP address, browser type, and device information
∙ Pages visited, time spent, and referring URLs (via analytics tools)
∙ Payment card information (processed by PCI-DSS compliant third-party processors; we do not store full card numbers)
C. Information You Voluntarily Provide
This includes information submitted through intake forms, questionnaires, symptom surveys, secure messaging, or when requesting a consultation.
3. HOW WE USE YOUR INFORMATION
A. Treatment, Payment, and Healthcare Operations (TPO)
Under HIPAA, we are permitted to use and disclose your PHI without specific authorization for:
∙ Treatment: Providing, coordinating, and managing your medical care, including prescribing medications, ordering labs, and communicating with pharmacies
∙ Payment: Processing payments, verifying eligibility, and managing billing
∙ Healthcare Operations: Quality improvement, staff training, compliance activities, and practice administration
B. Communications
∙ Responding to your inquiries and appointment requests
∙ Sending appointment reminders and follow-up care instructions
∙ Sending newsletters or health content (only with your consent; you may opt out at any time)
C. Legal and Regulatory Compliance
∙ Complying with applicable federal and state laws, including HIPAA and state telehealth statutes in our licensed states
∙ Responding to lawful subpoenas, court orders, or governmental requests
∙ Reporting as required by state law (e.g., mandatory reporting obligations)
D. Business Operations
∙ Operating, maintaining, and improving our website and technology platform
∙ Analyzing usage trends to enhance the patient experience
∙ Detecting and preventing fraudulent or unauthorized activity
4. HOW WE SHARE YOUR INFORMATION
We do not sell your personal or health information. We do not share your PHI for marketing purposes without your written authorization. We may share your information in the following limited circumstances:
A. Business Associates
We work with vendors who provide services on our behalf and who may access your PHI in the course of those services — including our EMR platform, pharmacy partners, laboratory services, and payment processors. Each Business Associate is required to execute a Business Associate Agreement (BAA) with us in accordance with 45 C.F.R. § 164.504(e), obligating them to protect your PHI.
B. Pharmacy Partners
To fulfill your prescriptions, we transmit necessary PHI (including your name, medication, and clinical information) to our compounding pharmacy partner(s) via secure, HIPAA-compliant channels.
C. Laboratory Services
If labs are ordered as part of your care, relevant information will be shared with designated laboratory partners.
D. Legal Requirements
We may disclose information when required by law, including in response to valid legal process, to report suspected abuse or neglect, or to avert a serious and imminent threat to health or safety, consistent with 45 C.F.R. § 164.512.
E. With Your Authorization
Any other disclosures of your PHI — including to family members, for marketing purposes, or for research — will be made only with your written authorization, which you may revoke at any time.
5. YOUR HIPAA RIGHTS
As our patient, you have the following rights with respect to your PHI under 45 C.F.R. Part 164, Subpart E:
∙ Right to Access: You may request a copy of your medical records in electronic or paper format within 30 days of your request.
∙ Right to Amend: You may request corrections to your PHI if you believe it is inaccurate or incomplete.
∙ Right to an Accounting of Disclosures: You may request a list of certain disclosures we have made of your PHI.
∙ Right to Restrict: You may request restrictions on how we use or disclose your PHI for treatment, payment, or operations.
∙ Right to Confidential Communications: You may request that we communicate with you through a specific method or at a specific location.
∙ Right to a Copy of Our NPP: You may request a copy of our full Notice of Privacy Practices at any time.
∙ Right to File a Complaint: If you believe your privacy rights have been violated, you may file a complaint with us or with the U.S. Department of Health and Human Services Office for Civil Rights at www.hhs.gov/ocr, without fear of retaliation.
To exercise any of these rights, contact us using the information in Section 12.
6. DATA SECURITY
We implement administrative, physical, and technical safeguards to protect your information consistent with the HIPAA Security Rule (45 C.F.R. Part 164, Subpart C). Measures include:
∙ Encrypted transmission of PHI (TLS/SSL)
∙ Access controls limiting PHI access to authorized personnel on a need-to-know basis
∙ Secure, HIPAA-compliant electronic medical records platform
∙ Workforce training on privacy and security obligations
∙ Incident response and breach notification procedures consistent with 45 C.F.R. §§ 164.400–164.414
No system is completely secure. In the event of a breach affecting your PHI, we will notify you and applicable regulatory authorities as required by the HIPAA Breach Notification Rule.
7. TELEHEALTH-SPECIFIC DISCLOSURES
Summit Metabolic Health provides services via telehealth. By using our telehealth platform, you acknowledge and consent to:
∙ The transmission of your health information over secure electronic networks
∙ The inherent risks of electronic communication, including the possibility of interception despite our security measures
∙ The use of HIPAA-compliant video, messaging, and documentation tools in the delivery of your care
Our telehealth services comply with applicable state telehealth statutes in each licensed state. Specific consent forms may be required at intake.
8. COOKIES AND WEBSITE ANALYTICS
Our website uses cookies and similar tracking technologies to improve functionality and analyze traffic. These tools collect non-PHI information such as browser type, pages visited, and session duration. We may use third-party analytics providers (e.g., Google Analytics) subject to their own privacy policies.
You may adjust your browser settings to refuse cookies. Note that disabling cookies may affect certain website features. We do not use tracking cookies on any patient portal or clinical platform.
9. MARKETING AND ADVERTISING
We will not use your PHI for marketing purposes without your written authorization as required by 45 C.F.R. § 164.508. We may use de-identified, aggregated data (which cannot be linked back to any individual) for marketing analytics, consistent with the HIPAA de-identification standard (45 C.F.R. § 164.514).
Any email or SMS marketing communications are subject to the CAN-SPAM Act and the Telephone Consumer Protection Act (TCPA). You may opt out of marketing communications at any time by following the unsubscribe instructions included in our messages or by contacting us directly.
10. RETENTION OF RECORDS
We retain medical records in accordance with applicable state law. Tennessee law requires retention of adult patient records for a minimum of 10 years from the date of last service (Tenn. Code Ann. § 68-11-305). Records for minor patients are retained until the patient reaches age 18 plus an additional 10 years, or as otherwise required by law. Financial and administrative records are retained per applicable federal and state requirements.
11. CHILDREN’S PRIVACY
Our services are intended for adults aged 18 and older. We do not knowingly collect personal information from individuals under 18. If we become aware that we have collected information from a minor, we will promptly delete it. If you believe a minor has submitted information to us, please contact us immediately.
12. CONTACT US
For questions about this Privacy Policy, to exercise your HIPAA rights, or to report a privacy concern:
Summit Metabolic Health PLLC
Signal Mountain, Tennessee
Website: summitmetabolichealth.com
Email: privacy@summitmetabolichealth.com
To file a complaint with the U.S. Department of Health and Human Services, Office for Civil Rights:
www.hhs.gov/ocr/privacy/hipaa/complaints | 1-800-368-1019
13. CHANGES TO THIS PRIVACY POLICY
We may update this Privacy Policy from time to time to reflect changes in law, our practices, or our services. Material changes will be posted on our website with a revised effective date. Your continued use of our services following any update constitutes your acceptance of the revised Policy.
14. GOVERNING LAW
This Privacy Policy is governed by the laws of the State of Tennessee and applicable federal law, including HIPAA and its implementing regulations. Nothing in this Policy limits the rights afforded to you under applicable state or federal law.
© 2026 Summit Metabolic Health PLLC. All rights reserved. This document does not constitute legal advice. Consult qualified healthcare legal counsel for jurisdiction-specific compliance questions.