HIPAA Notice of Privacy Practices

We are required by law to:

• Maintain the privacy of your Protected Health Information (PHI)
• Provide you with this Notice of our legal duties and privacy practices
• Follow the terms of the Notice currently in effect
• Notify you in the event of a breach of your unsecured PHI

We reserve the right to change this Notice and to make the revised Notice effective for PHI we already have about you as well as any information we receive in the future. We will post the current Notice on our website and make copies available upon request.

PHI is information about you, including demographic information, that may identify you and that relates to:

• Your past, present, or future physical or mental health or condition
• The provision of health care or social services to you
• The past, present, or future payment for the provision of health care to you

Through our Apply for Support form, ERS may collect information such as your date of birth, housing status, employment status, healthcare training program interest, and support needs. This information is treated as sensitive personal information and handled with the same protections as PHI.

Treatment & Service Coordination: We may use your information to coordinate social services, case management, scholarship assistance, transportation, food support, housing support, and healthcare training program enrollment on your behalf.

Affiliated Organizations: With your explicit written consent, we may share your information with affiliated organizations within the Equip Human Solutions ecosystem — including Western Medical Training Center (WMTC) — solely for the purpose of coordinating services you have requested. We will not share your information with affiliates without your consent.

Required by Law: We may disclose your PHI when required to do so by federal, state, or local law, including reporting requirements related to public health, abuse, neglect, or domestic violence.

Business Associates: We may share your PHI with third-party service providers ("Business Associates") who perform services on our behalf, such as technology hosting and email delivery. All Business Associates are required to sign a Business Associate Agreement (BAA) and protect your PHI in accordance with HIPAA.

We will NOT use or disclose your PHI for the following without your written authorization:

• Marketing purposes
• Sale of PHI
• Fundraising (beyond general organizational communications)
• Any purpose not described in this Notice

You have the following rights with respect to your PHI. To exercise any of these rights, please submit a written request to [email protected].

• Right to Access: You have the right to inspect and obtain a copy of your PHI that we maintain. We will respond within 30 days of your request.
• Right to Amend: You have the right to request that we amend your PHI if you believe it is incorrect or incomplete. We may deny your request under certain circumstances.
• Right to an Accounting of Disclosures: You have the right to request a list of certain disclosures we have made of your PHI in the past six years.
• Right to Request Restrictions: You have the right to request restrictions on how we use or disclose your PHI. We are not required to agree to your request, but if we do, we will comply with it.
• Right to Confidential Communications: You have the right to request that we communicate with you about your PHI in a certain way or at a certain location.
• Right to Revoke Authorization: If you have given us written authorization to use or disclose your PHI, you may revoke that authorization in writing at any time. Revocation will not affect any actions we took before receiving your revocation.
• Right to a Paper Copy of This Notice: You have the right to a paper copy of this Notice at any time, even if you have agreed to receive it electronically.

ERS implements the following administrative, physical, and technical safeguards to protect your PHI:

• Encryption in Transit: All form submissions are transmitted over TLS-encrypted HTTPS connections
• Access Controls: Our internal case management system requires password authentication and is accessible only to authorized ERS staff
• Session Management: Administrative sessions automatically expire after 15 minutes of inactivity
• Minimum Necessary: We collect only the information necessary to provide the services you request
• Staff Training: ERS staff with access to PHI are trained on HIPAA privacy and security requirements
• Audit Logging: Changes to applicant records in our system are logged with timestamps and staff identifiers

Important limitation: While ERS takes reasonable steps to protect your information, email is not a fully HIPAA-compliant transmission method. Internal staff notifications of new applications are sent via email as an operational necessity. If you have concerns about this, please contact us to discuss alternative intake methods.

In the event of a breach of your unsecured PHI, ERS will notify you as required by the HIPAA Breach Notification Rule (45 CFR §§ 164.400–414) and California law (Cal. Civ. Code § 1798.82):

• We will notify affected individuals without unreasonable delay and no later than 60 days after discovery of the breach
• Notification will be provided by first-class mail or email (if you have provided an email address and consented to electronic communication)
• If the breach affects 500 or more individuals, we will also notify the U.S. Department of Health and Human Services (HHS) and prominent media outlets as required
• We will maintain a log of all breaches and report breaches affecting fewer than 500 individuals to HHS annually

California residents have additional rights under the California Consumer Privacy Act (CCPA), the California Confidentiality of Medical Information Act (CMIA), and other state laws:

• CMIA: Medical information about you may not be disclosed without your written authorization, except as permitted by law
• CCPA: You have the right to know, delete, and opt out of the sale of your personal information. ERS does not sell personal information.
• Minors: We do not knowingly collect information from individuals under 13. Applicants under 18 must have a parent or legal guardian complete forms on their behalf.

If you believe your privacy rights have been violated, you may file a complaint with:

We will not retaliate against you for filing a complaint.

For questions about this Notice or to exercise your rights, contact: