NOTICE OF PRIVACY PRACTICES

EFFECTIVE DATE: MAY 29, 2026
VERSION: 2026.1

SECTION 1
OUR COMMITMENT TO YOUR PRIVACY

Compass Dermatopathology PC ("Compass") is committed to protecting the privacy and security of your protected health information ("PHI"). This Notice of Privacy Practices describes how Compass may use and disclose your health information, your rights regarding that information, and our legal obligations with respect to protecting it.

Compass is a healthcare provider and HIPAA-covered entity that delivers healthcare services through multiple practice locations, service lines, websites, patient portals, telehealth platforms, and clinical brands, including SkyMD®, Lanoi Dermatology, Compass Dermatopathology, and other Compass-affiliated operations that may be established from time to time.

Throughout this Notice, references to "Compass," "we," "us," and "our" refer to Compass Dermatopathology PC and its workforce members, providers, and authorized business associates, as applicable.

Please review this Notice carefully.

SECTION 2
WHO WILL FOLLOW THIS NOTICE

This Notice applies to Compass and all healthcare services provided by or on behalf of Compass, including services provided through its practice locations, websites, patient portals, telehealth platforms, laboratories, clinical brands, and affiliated operations.

This Notice applies to:

- Physicians and other licensed healthcare professionals who provide services through Compass;

- Employees, workforce members, trainees, and authorized contractors;

- Business associates and service providers when acting on behalf of Compass as permitted by law; and

- Other individuals or entities whose activities are under the control of Compass and are required to follow its privacy practices.

All of these individuals and entities may share health information with one another for purposes of treatment, payment, healthcare operations, and other activities permitted or required by law.

SECTION 3
HOW WE PROTECT YOUR HEALTH INFORMATION

We understand that information about your health and healthcare is personal. Compass is committed to protecting the privacy, confidentiality, integrity, and security of your protected health information ("PHI").

We maintain administrative, physical, and technical safeguards designed to protect your health information from unauthorized access, use, disclosure, alteration, or destruction. These safeguards include workforce training, access controls, security technologies, policies and procedures, and other measures designed to comply with applicable federal and state privacy and security requirements.

While no system can guarantee absolute security, we continually evaluate and update our privacy and security practices to help protect your information and support the delivery of healthcare services.

We require our workforce members, providers, contractors, and business associates who have access to protected health information to comply with applicable privacy and security obligations.

SECTION 4
HOW WE MAY USE AND DISCLOSE YOUR HEALTH INFORMATION

Federal and state laws permit us to use and disclose your protected health information ("PHI") for purposes of treatment, payment, healthcare operations, and certain other activities permitted or required by law. The following examples describe common ways we may use and disclose your information. Not every permitted use or disclosure is listed.

SECTION 4.1
Treatment

We may use and disclose your health information to provide, coordinate, and manage your healthcare and related services.

For example, we may use or disclose your information:

- To diagnose and treat medical conditions;

- To receive, process, analyze, interpret, report, and communicate pathology, laboratory, diagnostic, and related testing information in connection with your healthcare;

- To prescribe medications and monitor treatment;

- To communicate with physicians, nurses, therapists, laboratories, pharmacies, imaging facilities, hospitals, specialists, and other healthcare providers involved in your care;

- To coordinate referrals and follow-up care;

- To review laboratory results, pathology results, diagnostic testing, and treatment recommendations;

- To communicate with caregivers, family members, or personal representatives when authorized or otherwise permitted by law; and

- To support healthcare services delivered in person, through telehealth technologies, patient portals, secure messaging systems, or other approved communication methods.

SECTION 4.2
Payment

We may use and disclose your health information to obtain payment for healthcare services provided to you.

For example, we may use or disclose your information:

- To submit claims to health insurance plans, government programs, and other payors;

- To determine eligibility for benefits and coverage;

- To obtain prior authorizations and pre-certifications;

- To verify insurance information;

- To bill and collect payment from patients and responsible parties; and

- To conduct healthcare reimbursement, utilization review, and related payment activities.

SECTION 4.3
Healthcare operations

We may use and disclose your health information for activities necessary to operate and improve our healthcare practice.

For example, we may use or disclose your information:

- To evaluate and improve the quality of care and patient outcomes;

- To conduct quality assurance, peer review, risk management, and patient safety activities;

- To train healthcare professionals, students, and workforce members where permitted by law;

- To perform credentialing, licensing, accreditation, and compliance activities;

- To conduct auditing, business planning, operational management, and administrative activities;

- To investigate complaints and respond to legal or regulatory inquiries;

- To maintain and improve our technology systems, patient portals, communication systems, and healthcare operations; and

- To engage qualified business associates and service providers that assist us in operating our practice, provided they are required to appropriately safeguard your information.

SECTION 5
OTHER USES AND DISCLOSURES PERMITTED OR REQUIRED BY LAW

In addition to treatment, payment, and healthcare operations, federal and state laws permit or require us to use and disclose your health information in certain circumstances.

Examples include:

- PUBLIC HEALTH ACTIVITIES

• We may disclose health information for public health purposes, including disease prevention and control, reporting adverse events, tracking regulated products, reporting communicable diseases, and other activities authorized by law.

- ABUSE, NEGLECT, AND DOMESTIC VIOLENCE

• We may disclose health information to appropriate government authorities when required or permitted by law to report suspected abuse, neglect, domestic violence, or other situations involving potential harm.

- HEALTH OVERSIGHT ACTIVITIES

• We may disclose health information to governmental agencies and oversight authorities responsible for healthcare regulation, licensure, accreditation, audits, investigations, inspections, compliance reviews, and enforcement activities.

- JUDICIAL AND ADMINISTRATIVE PROCEEDINGS

• We may disclose health information in response to court orders, subpoenas, discovery requests, warrants, lawful process, or other legal proceedings when permitted or required by law.

- LAW ENFORCEMENT

• We may disclose health information to law enforcement officials for certain law-enforcement purposes as permitted or required by law.

- CORONERS, MEDICAL EXAMINERS, AND FUNERAL DIRECTORS

• We may disclose health information to coroners, medical examiners, funeral directors, and organ procurement organizations as authorized by law.

- RESEARCH

• We may use or disclose health information for research purposes when approved through appropriate review processes or otherwise permitted by law.

- TO PREVENT SERIOUS THREATS TO HEALTH OR SAFETY

• We may use or disclose health information when necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public.

- SPECIALIZED GOVERNMENT FUNCTIONS

• We may disclose health information for certain military, veterans, national security, intelligence, protective services, correctional institution, and other specialized governmental functions as authorized by law.

- WORKERS' COMPENSATION

• We may disclose health information as authorized or required by workers' compensation laws and similar programs.

- INDIVIDUALS INVOLVED IN YOUR CARE

• Unless you object, we may disclose relevant health information to family members, caregivers, personal representatives, or others involved in your care or payment for your care when permitted by law.

- APPOINTMENT REMINDERS AND HEALTH-RELATED COMMUNICATIONS

• We may use your contact information to communicate with you regarding appointments, follow-up care, treatment recommendations, care coordination, prescription-related matters, health-related benefits and services, patient portal communications, billing matters, and other healthcare-related communications.

- BUSINESS ASSOCIATES AND SERVICE PROVIDERS

• We may disclose health information to vendors, contractors, consultants, technology providers, billing companies, cloud-service providers, record- storage providers, and other business associates who perform services on our behalf. We require such parties to appropriately safeguard protected health information and comply with applicable legal requirements.

SECTION 6
USES AND DISCLOSURES REQUIRING YOUR AUTHORIZATION

Certain uses and disclosures of your health information require your written authorization unless otherwise permitted or required by law.

For example, we generally will obtain your written authorization before:

- Using or disclosing psychotherapy notes where authorization is required by law;

- Using or disclosing health information for marketing purposes where authorization is required by law;

- Selling protected health information where authorization is required by law; or

- Making other uses or disclosures that are not otherwise described in this Notice or permitted or required by applicable law.

You may revoke a previously provided authorization at any time by submitting a written request, except to the extent that we have already relied upon the authorization or where applicable law permits continued use or disclosure.

Certain categories of health information may be entitled to additional protections under federal or state law. When required, we will obtain any additional authorizations, consents, or permissions necessary before using or disclosing such information.

SECTION 7
YOUR RIGHTS REGARDING HEALTH INFORMATION

You have certain rights regarding your protected health information, subject to applicable legal requirements and limited exceptions.

SECTION 7.1
Right to access and obtain copies

You have the right to inspect and obtain copies of certain health information maintained by Compass. In many cases, you may request copies in paper or electronic format. We may charge a reasonable, cost-based fee where permitted by law.

Certain information may not be available for inspection or copying under applicable law, including certain psychotherapy notes and information compiled for legal proceedings.

Compass maintains medical records as custodian of those records in accordance with applicable legal, regulatory, professional, and record-retention requirements.

SECTION 7.2
Right to request amendments

If you believe information in your medical record is inaccurate or incomplete, you have the right to request that we amend the record. We may deny certain amendment requests as permitted by law, but we will provide a written explanation if we do so.

SECTION 7.3
Right to request an accounting of disclosures

You have the right to request an accounting of certain disclosures of your health information made by us during the period permitted by law. This accounting generally does not include disclosures made for treatment, payment, healthcare operations, or certain other disclosures permitted by law.

SECTION 7.4
Right to request restrictions

You have the right to request restrictions on certain uses and disclosures of your health information. While we are not required to agree to most requested restrictions, we will comply with restrictions that are required by applicable law.

If you pay for a healthcare service or item completely out of pocket, you may request that we not disclose information about that service to your health plan for payment or healthcare operations purposes, and we will honor such request when required by law.

SECTION 7.5
Right to request confidential communications

You have the right to request that we communicate with you through alternative means or at alternative locations. For example, you may request that we contact you at a specific telephone number, mailing address, email address, or other approved communication method.

SECTION 7.6
Right to obtain a copy of this notice

You have the right to receive a paper copy of this Notice at any time, even if you previously agreed to receive it electronically.

SECTION 7.7
Exercising your rights

Requests relating to your health information should be submitted using the contact information provided in this Notice. We may ask that certain requests be made in writing and may require verification of identity before processing requests.

SECTION 8
OUR RESPONSIBILITIES

Compass is required by law to maintain the privacy and security of your protected health information and to provide you with this Notice of Privacy Practices.

We are required to:

- Maintain the privacy and security of your protected health information;

- Provide you with this Notice describing our legal duties and privacy practices regarding your health information;

- Abide by the terms of the Notice currently in effect;

- Notify you following a breach of unsecured protected health information when notification is required by applicable law; and

- Comply with applicable federal and state privacy and security laws.

Compass reserves the right to change its privacy practices and the terms of this Notice at any time, as permitted by law. Any revised Notice may be applied to health information that we already maintain, as well as information received or created after the revision becomes effective.

When material changes are made to this Notice, the updated version will be made available through our website, patient portal, and other locations where required by law.
The effective date of this Notice appears at the beginning of this document.

SECTION 9
ELECTRONIC COMMUNICATIONS AND PATIENT PORTAL COMMUNICATIONS

Compass may communicate with you electronically regarding your healthcare, appointments, treatment, billing, account activity, patient portal access, telehealth services, prescription-related matters, and other healthcare-related activities.

Electronic communications may include:

• Patient portal messages;
• Secure messaging;
• Email communications;
• Text messages (SMS);
• Appointment reminders;
• Follow-up care communications;
• Telehealth-related communications; and
• Account verification, authentication, and security notifications.

While we take reasonable measures to protect electronic communications, transmission methods involving email, text messaging, mobile devices, internet connections, and other technologies may involve risks that are beyond our direct control.

You may request alternative methods of communication as described in the "Your Rights Regarding Health Information" section of this Notice. However, certain communications relating to your care, account security, legal obligations, billing activities, or healthcare operations may still be necessary.

Electronic communications involving protected health information will be conducted in accordance with applicable privacy and security requirements.

SECTION 10
COMPLAINTS AND CONTACT INFORMATION

If you believe your privacy rights have been violated, you have the right to file a complaint with Compass or with the U.S. Department of Health and Human Services.

You will not be retaliated against, penalized, denied treatment, or otherwise disadvantaged for filing a complaint.

To submit a privacy complaint, request additional information regarding this Notice, exercise your privacy rights, or obtain assistance regarding your health information, please contact:

Privacy Officer

Compass Dermatopathology PC
6605 Nancy Ridge Drive
San Diego, California 92121
Email: privacy@skymd.com
Phone: 858-750-2983

You may also file a complaint with the Secretary of the U.S. Department of Health and Human Services:

U.S. Department of Health and Human Services
Office for Civil Rights
200 Independence Avenue, S.W.
Washington, D.C. 20201
Toll-Free: 1-877-696-6775

Additional information regarding privacy complaints may be available through the Office for Civil Rights website.

SECTION 11
CHANGES TO THIS NOTICE

Compass reserves the right to change, revise, or update this Notice of Privacy Practices at any time, as permitted by applicable law.

Any revised Notice may apply to protected health information that we already maintain, as well as information received or created after the effective date of the revision.

When material changes are made to this Notice, the revised version will be made available through our website, patient portal, and other locations where required by law. The effective date of the current Notice will appear at the beginning of this document.

You may request a current copy of this Notice at any time using the contact information provided in this Notice.