Effective Date: March 24, 2026
This Notice of Privacy Practices describes how medical information about you or your child may be used and disclosed and how you can access this information. Please review it carefully. Kinuu, LLC (“BrainyAct”) is committed to protecting the privacy and security of your personal and health information.
At BrainyAct, we take privacy extremely seriously.
As a health care company, we operate in accordance with all applicable privacy and data protection laws. Doing so is core to our philosophy as an organization and our ability to create life-changing product experiences for our participants. We take the trust that you put in us very seriously and protect your privacy through our use of strict policies and appropriate data protection technologies for handling your personal information. If you have any questions or concerns about our privacy practices or this consent, please contact us at 952-444-2808 or Hope@BrainyAct.com.
Notice of HIPAA Privacy Practices
THIS NOTICE DESCRIBES HOW WE MAY ACCESS HEALTH INFORMATION ABOUT YOU AND HOW THAT INFORMATION MAY BE USED. PLEASE REVIEW IT CAREFULLY.
Entities and Individuals Covered by this Notice
BrainyAct, LLC offers digitally-based health care programs (the “Programs”) and delivers those programs using coaches, clinical specialists, and other health care providers. We arrange for certain aspects of the BrainyAct Rehabilitation Program to be delivered by licensed physical therapists who work as employees or contractors for us. This notice (this “Notice”) applies to all employees or contractors of BrainyAct, and we refer to these parties together as “BrainyAct,” “we,” or “us.” When you apply for or participate in the BrainyAct Programs or use one of our online clinical screeners, we refer to this as using our “Health Care Services,” and we provide you with health care. This joint Notice describes the information privacy practices that each of the following people, entities, and sites will follow:
Any health care provider who provides services to you from BrainyAct’s locations, whether physical or online, including health coaches, clinical specialists, BCBAs, occupational therapists, and others;
All departments and units of our organization, including any mobile units; and
Our employees, contractors, and volunteers, including those at regional support offices and affiliates.
These people, entities, and sites may share health information with each other for treatment, payment, or health care operations purposes described in this Notice. In addition, we also use and share your information for other reasons as allowed and required by law.
Your doctor and your health care providers other than us may have different practices or notices about their use and sharing of health information in their own offices or clinics.
If you have any questions about this Notice, you may contact us in any of the manners described at the end of this Notice. We will gladly explain this Notice to you or your family member, and a copy is always available at www.BrainyAct.com/hipaa.
Information Covered by this Notice
BrainyAct, LLC and, where applicable, the employees and contractors, the therapists that we engage are regulated as “covered entities” under the federal privacy law referred to as the Health Information Portability and Accountability Act of 1996 (“HIPAA”). Regulations under HIPAA explain how we may use and disclose identifiable health information that we collect from and about you and how we must safekeep and secure that information.
When we receive information in connection with the Health Care Services that relates to your past, present, or future physical or mental health or condition, to the provision of health care to you, or to your past, present, or future payment for health care, that information is considered “protected health information” or “PHI” under HIPAA, and this Notice applies to that information. For example, if you take a clinical assessment on our website or application to determine whether you might be clinically eligible for a BrainyAct Program, we treat all identifiable information that we receive from you in that clinical assessment as PHI governed by this Notice. In other circumstances, the information that we receive from you may not relate to your health or health care, like if you merely browse our public website but do not take a clinical assessment or enroll in a BrainyAct Program. In those circumstances, we keep any personal information that we collect from you safe, private, and confidential under the terms of our Privacy Policy. In either situation, as further described in our Privacy Policy, we will not rent or sell your Personal Information or Protected Health Information, and we will not permit our business partners to rent or sell your Personal Information or Protected Health Information either.
Where appropriate for a particular BrainyAct Program, we may collect PHI directly from you through questionnaires, connected health devices, as well as other health information that you disclose to coaches, clinical specialists, or other health care providers in BrainyAct and to other participants in the Health Care Services. We receive this PHI to provide you with quality care and to comply with certain legal requirements. To ensure that we operate the Health Care Services efficiently and in a clinically effective manner, or for payment purposes, we may also receive health information about you from other sources in certain cases, like blood glucose readings from labs.
Our Commitment to Your Privacy
We understand that health information about you is private and personal. We are dedicated to maintaining the privacy and integrity of the PHI that we receive from you as part of your application for participation in the Health Care Services.
We are required by law to maintain the privacy of your PHI and to provide you with notice of our legal duties and privacy practices related to that information. When we use or disclose your PHI, we are required to abide by the terms of this Notice (or any other Notice in effect at the time of the use or disclosure). We will let you know promptly if a breach occurs that may have compromised the privacy or security of your PHI.
How We May Use and Disclose Information About You
We are required to maintain the confidentiality of your PHI, and we have implemented policies, procedures, and other safeguards to help protect your PHI from improper use and disclosure. We protect your PHI in accordance with HIPAA and all other applicable laws and regulations. Where applicable state law or any other applicable law or regulation requires more protection for your PHI than HIPAA, we comply with that law or regulation as well.
Below, we describe different ways that we may use your PHI amongst ourselves and ways we may disclose your PHI to other people and entities. We have not listed every possible use or disclosure in the list below, but all the ways that we may use and disclose PHI fall within one of the categories below. As we describe below, some uses and disclosures will require your specific authorization.
The amount of PHI that we may legally use or disclose without your written permission will vary based on the circumstances, including the intended purpose of the use or disclosure. Sometimes we may only need to use or disclose a limited amount of PHI, such as to send you a reminder or to confirm your health insurance coverage. At other times, we may need to use or disclose more PHI, such as when a doctor requires that information for medical treatment.
The list below includes examples of ways that we may disclose PHI about you without a written authorization from you.
Disclosure at Your Request. If you ask us to send PHI about you to a third party, such as a friend, family member, or health care provider, we will do so if we believe that your request is authentic. We may ask you to prove your identity before we honor this request. We may need up to 60 days to honor a request like this, depending on the data that you would like us to disclose, but in most cases, we can honor this request in 30 or fewer days.
Treatment. We may use your PHI and disclose it to a physician or other health care provider to provide treatment and other services to you. For example, we may disclose your weight loss results to your physician so that he or she may monitor your results in our program.
Payment. We may use and disclose your PHI to obtain payment for the services that we provide to you. For example, we may disclose certain PHI to claim and obtain payment from your health insurer, your HMO, or any other company that arranges for or pays the cost of your health care (“Your Payor”) or to verify that Your Payor will pay for that health care.
Our Health Care Operations. We may use and disclose your PHI for our health care operations. Examples of our health care operations include training clinical personnel, improving the operation of our program (which includes the improvement of fine-tuning of specific features, including Generative AI Features as described in our Privacy Policy), and other internal management functions such as legal and audit processes. When we use your PHI for our health care operations, we are required to use only the amount of PHI that is necessary. For example, if we were to evaluate the accuracy of our digital scale, and that evaluation could be accomplished by reviewing scale weights only by date and location and without additional identifiers, we would limit the PHI that we use for that evaluation to date and location information. In addition, we do not share your PHI with developers of Generative AI Features for improvement of their AI models or otherwise for their own purposes.
Health Care Operations of Other Covered Entities. We are also permitted to share PHI about you with other covered entities that have a relationship with you (including, in some circumstances, your employer’s health plan, your health insurer, or other health care providers) for their health care operations and to certain companies that provide those covered entities with services as their business associates. For example, we might share PHI about you with your health insurer to enable the health insurer to evaluate which benefits to make available to you. As another example, we might share PHI about you with your physician’s office to enable the physician to demonstrate to the government that the physician referred you to a particular program and how that program works for you. Other examples of another covered entity’s health care operations may include using PHI about you for quality assessment activities, for disease management programs, to improve quality of care, for patient satisfaction surveys, for training, for benchmarking, and other purposes. In each of these cases, these covered entities may only seek from us PHI about you that is the minimum necessary for their health care operations purposes.
Business Associates. We provide some aspects of our Health Care Services through contracts with business associates for whom we are legally responsible. Examples of our business associates include companies for secure cloud hosting, management consultants, quality assurance reviewers, accreditation agencies, and billing and collection services. We may disclose your PHI to our business associates so that they can perform the jobs that we have asked them to do. To protect your PHI, we require our business associates to sign written agreements requiring that they appropriately safeguard your PHI and use it only as we permit.
Health-Related Products and Services. We may use and disclose your PHI to tell you about our health-related products or services that may be of interest to you.
Communications with Family and Others When You Are Present. Sometimes a family member or other person involved in your care will be present when we are discussing your PHI with you. We may use your PHI or disclose it to a relative, a close friend, or any other person that you identify when you are present for that disclosure or available prior to the disclosure if we obtain your agreement, if we provide you with the opportunity to object to the disclosure and you do not object, or if we reasonably infer that you do not object to the disclosure.
Communications with Family and Others When You Are Not Present or Are Incapacitated. If you are not present, or you cannot practically agree or object to a use or disclosure because of your incapacity or an emergency, we may exercise our professional judgment to determine whether a disclosure is in your best interest. If we disclose information to a relative, a close friend, or any other person in this context, we will disclose only the information that we believe is directly relevant to that person’s involvement with your health care or health care payment. We may also disclose your PHI to notify or assist in notifying these people of your location, your general condition, or your death.
Threat to Health or Safety. We may use and disclose your PHI when necessary to prevent a serious threat to your health and safety or the health and safety of the public or another person but only to someone who may be able to help prevent that threat, as we determine in good faith.
Health Information Exchange. We may use and disclose your PHI as part of a Health Information Exchange (HIE) so that we can exchange additional PHI about you (such as glucose lab results) with other healthcare organizations for treatment, payment, and/or health care operations purposes.
Additional Special Situations That Do Not Require Your Authorization
The following categories describe some additional circumstances in which we may use or disclose your PHI without your authorization. For disclosures such as these, the information, once disclosed, may be used and redisclosed by the recipient and, accordingly, no longer protected by HIPAA.
Public Health Activities. We may disclose your PHI for the following public health activities: (1) to prevent or control disease, injury, or disability; (2) to report births and deaths; (3) to report the abuse or neglect of children, elders, and dependent adults; (4) to report reactions to medications or problems with products; (5) to notify people of recalls of products they may be using; (6) to notify people who may have been exposed to a disease or may be at risk for contracting or spreading a disease or condition; and (7) to notify emergency response employees regarding possible exposure to HIV/AIDS, to the extent necessary to comply with state and federal laws.
Victims of Abuse, Neglect, or Domestic Violence. If we reasonably believe you are a victim of abuse, neglect, or domestic violence, we may disclose your PHI to a governmental authority authorized by law to receive reports of such abuse, neglect, or domestic violence, including a social service or protective services agency.
Health Oversight Activities. We may disclose your PHI to a health oversight agency for activities authorized by law. One example of a health oversight agency is a state health insurance regulator or Medicaid program. These oversight activities include, for example, audits, investigations, inspections, licensure, and other activities necessary for the government to monitor the health care system, government programs, and compliance with civil rights laws.
Lawsuits and Other Legal Disputes. We may use and disclose PHI in responding to a court or administrative order, a subpoena, or a discovery request. We may also use and disclose your PHI without your authorization to the extent permitted by law in any other way related to our legal disputes, such as to defend against a lawsuit or in arbitration.
Law Enforcement Officials. We may disclose your PHI to the police or other law enforcement officials as required or permitted by law, including: (1) in response to a court order, subpoena, warrant, summons, or similar process; (2) to identify or locate a suspect, fugitive, material witness, or missing person; (3) when concerning the victim of a crime if, under certain limited circumstances, we are unable to obtain the person’s agreement; (4) about a death we believe may be the result of criminal conduct; (5) about criminal conduct at BrainyAct; and (6) in emergency circumstances to report a crime, the location of the crime, or victims or to report the identity, description, or location of the person who committed the crime. Although BrainyAct has a policy to only disclose PHI to law enforcement when required to do so by a court order issued by a judge, BrainyAct may be presented with such a court order. In those cases, before disclosing PHI that is reproductive health care information, we will require a requestor to attest that the use or disclosure of that information is not intended for a purpose prohibited by federal law. For example, if we receive a request from law enforcement seeking PHI related to your reproductive healthcare, we would be prohibited from disclosing the requested reproductive healthcare PHI unless (and until) the law enforcement agency provided us with a signed attestation that the requested PHI is not being requested for purposes of conducting a criminal, civil, or administrative investigation into you and your reproductive healthcare choices.
Coroners and Medical Examiners. We may disclose your PHI to a coroner or medical examiner as authorized by law.
Organ and Tissue Donation. We may disclose your PHI to organizations that facilitate organ, eye, or tissue procurement, tissue banking, or transplantation.
Research that Does Not Involve Your Treatment. When a research study does not involve any treatment, we may disclose your PHI to researchers. To do this, we will either ask your permission to use your PHI or we will use a special process that protects the privacy of your PHI. For example, we are allowed to supply a third-party researcher with a data set in which identifiers about you have been removed, except for complete dates and five-digit zip codes. The researcher, before receiving this data set, must contract with us to limit use of this data set, to safekeep the data set, and to destroy or return the data set when the research concludes.
As Required by Law. We may use and disclose your PHI when required to do so by any other law not already referred to in the preceding categories. For example, the Secretary of the Department of Health and Human Services may review our compliance efforts, which may include access to your PHI.
Situations That Do Require Your Authorization
If we need to use your PHI for reasons that have not been described in the sections above, we will obtain your written permission, which is referred to as a written “authorization.” If you authorize us to use or disclose PHI about you, you may revoke that authorization in writing at any time. If you revoke your authorization, we will no longer use or disclose PHI about you for the reasons stated in that written authorization, except to the extent we have already acted in reliance on your authorization. Any revocation of an authorization applies only to what you or your representative had authorized and does not apply to the situations above where we are permitted to use or disclose PHI about you without an authorization. You understand that we are unable to take back any disclosures that we have already made with your permission and that we are required to retain our records of the care we provide to you. Examples of typical disclosures that require your authorization include:
Research Involving Your Treatment. When you participate in a research study that involves your treatment, we may disclose your PHI to researchers, provided that you have signed a specific authorization for us to do so or an Institutional Review Board has approved the disclosure in connection with its review and approval of the research proposal and the procedures that the research organization has established to protect the privacy of your PHI.
Marketing. We must obtain your written authorization prior to using your PHI to send you any information that HIPAA defines as marketing information. HIPAA considers communications about a product or service that encourage you to purchase or use that product or service to be marketing when that product or service is not one of BrainyAct’s programs or services or when we are paid to communicate about the product or service to you. We may send some types of communications to you that are not part of our Health Care Services but that are not considered marketing communications for which we would need your prior authorization. We may send these communications to you directly, or one of our business associates may send them for us. For example, we may send you communications about care coordination and care management services that may be available to you if we are not paid to make this communication. We may also remind you to fill a prescription so long as we are only reimbursed for our expenses in doing so. We are also allowed to give you a promotional gift of nominal value.
Your Rights Regarding Your PHI
Minimum Necessary
To the extent required by law, when using or disclosing your PHI or when requesting your PHI from another covered entity, we will make reasonable efforts not to use, disclose, or request more than the minimum amount of PHI necessary to accomplish the intended purpose of the use, disclosure, or request, taking into consideration practical and technological limitations.
Changes to this Notice
Concerns or Complaints
If you desire further information about your privacy rights, if you are concerned that we have violated your privacy rights, or if you disagree with a decision that we made about access to your PHI, you may contact our Privacy Officer in any of the manners described at the end of this Notice. You also may send a written complaint to the U.S. Department of Health and Human Services, Office of Civil Rights (and we can provide you with the office’s current address) or your state board governing your treating provider (for example, the Board of Physical Therapy). We will not take any action against you for filing a complaint.
How to Contact Us
