Privacy Policy

Ola Migraine Inc.

www.olamigraine.com

Effective Date: May 28, 2026

Introduction and Scope

Ola Migraine Inc. ("Practice," "we," "us," or "our") is committed to protecting your privacy and the confidentiality of your personal and health information. This Privacy Policy, available at www.olamigraine.com/privacy, explains how we collect, use, disclose, and safeguard information when you visit our website at www.olamigraine.com, use our patient portal, or interact with our services (collectively, the "Services").

This Privacy Policy applies to information collected throughout our website and digital services. It does not govern the collection and use of your protected health information (PHI) in the context of your care, which is covered separately by our Notice of Privacy Practices provided to you at the time of your first visit.

By using our Services, you consent to the practices described in this Privacy Policy. If you do not agree with any part of this Policy, please discontinue use of our Services.

HIPAA and Protected Health Information

As a medical practice, we are a "Covered Entity" under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its implementing regulations. HIPAA establishes national standards for the protection of your Protected Health Information (PHI).

The use of any information provided on this Site is solely at your own risk. Ola Migraine Inc. expressly disclaims responsibility for any adverse effects that may result from the use or application of information on this Site.

What Is PHI

PHI includes any individually identifiable health information we create, receive, maintain, or transmit in connection with your care, including:

This Site is intended for use by individuals who are 18 years of age or older. By using this Site, you represent and warrant that:

  • Your name, address, date of birth, and contact information when linked to your health data;
  • Medical history, diagnoses, treatment plans, and prescription information;
  • Insurance and billing information;
  • Test results, imaging, and clinical notes; and
  • Any other information that could identify you and relates to your health or healthcare.

Our HIPAA Obligations

We are required by law to maintain the privacy of your PHI, provide you with our Notice of Privacy Practices, and notify you in the event of a breach of your unsecured PHI. We may use and disclose your PHI only as permitted by HIPAA, including for treatment, payment, and healthcare operations, or as authorized by you in writing.

For a complete description of how we may use and disclose your PHI, please refer to our Notice of Privacy Practices, available upon request or at our office.

Information We Collect

Information You Provide

We collect information you voluntarily provide when you:

  • Complete appointment request forms or contact forms on our website;
  • Register for or use our patient portal;
  • Communicate with us via phone, email, or secure messaging;
  • Complete health history questionnaires or intake forms; and
  • Subscribe to newsletters or other communications.

This may include your name, email address, phone number, mailing address, date of birth, insurance information, and health-related information you choose to share.

Information Collected Automatically

When you visit our website, we may automatically collect certain technical information, including:

  • IP address and general geographic location;
  • Browser type and version;
  • Pages visited and time spent on those pages;
  • Referring website or search terms used to find us;
  • Device type and operating system; and
  • Anonymous website analytics data collected via Fathom Analytics (see the Analytics and Tracking Technologies section below).

Information from Third Parties

We may receive information about you from third-party service providers in connection with delivering care, such as insurance verification services, laboratory systems, or referral sources, in accordance with applicable law.

How We Use Your Information

We use the information we collect for the following purposes:

  • Providing, coordinating, and managing your healthcare and treatment;
  • Processing appointments, referrals, and prior authorizations;
  • Communicating with you regarding your care, appointments, and test results;
  • Billing and processing insurance claims;
  • Improving our website, services, and patient experience;
  • Sending appointment reminders, health tips, and practice updates (you may opt out at any time);
  • Complying with legal, regulatory, and accreditation obligations;
  • Detecting and preventing fraud or unauthorized access; and
  • Conducting quality improvement and internal operations.

Third-Party Service Providers and Technology Platforms

To deliver high-quality care and operate efficiently, Ola Migraine Inc. uses trusted third-party platforms that may have access to your information. Each of these vendors is bound by applicable data protection requirements, and where PHI is involved, we maintain a Business Associate Agreement (BAA) as required by HIPAA.

Below is a description of the key platforms we use and the role they play in your care:

Elation Health — Electronic Health Record (EHR) System
Role:
Business Associate / EHR Platform
Data Shared:
Protected Health Information (PHI), including clinical notes, diagnoses, prescriptions, medical history, lab results, and appointment records.
Purpose:
Elation Health is our primary electronic health records system. It stores and manages your complete medical record, enables secure provider-to-patient communication, supports e-prescribing, and facilitates care coordination. All clinical documentation created during your care is stored within Elation Health.

Privacy Policy:
Spruce Health — Patient Communication Platform
Role:
Business Associate / Secure Messaging and Communication Platform
Data Shared:
PHI transmitted through secure messages, including appointment details, care instructions, billing inquiries, and clinical communications.
Purpose:
Spruce is our HIPAA-compliant communication platform used for secure two-way messaging between patients and our care team. We use Spruce for appointment reminders, care follow-ups, billing questions, and general patient communications. Spruce may also be used to send and receive documents securely.

Privacy Policy:
Fathom Analytics — Website Analytics
Role:
Website Analytics Platform (non-PHI)
Data Shared:
Anonymized, aggregate website usage data only — including page views, referral sources, and visit duration. No cookies are used. No personally identifiable information or PHI is collected or stored.
Purpose:
We use Fathom Analytics to understand how visitors use our website so we can improve the patient experience. Fathom is a privacy-first analytics platform that does not use cookies, does not track individuals across websites, and does not collect or store any personally identifiable information or PHI. All data is anonymized and aggregated before storage. No cookie consent banner is required. We are in the process of confirming BAA availability with Fathom; if a BAA is not available, Fathom's data practices are structured such that no PHI is ever transmitted to or stored by Fathom.

Privacy Policy:

We encourage you to review the privacy policies of these platforms using the links provided above to understand their individual data handling practices. We are not responsible for the privacy practices of third-party platforms beyond our contractual agreements with them.

Disclosure of Your Information

Permitted Disclosures

We may disclose your information, including PHI, in the following circumstances as permitted or required by law:

  • Treatment: To physicians, specialists, labs, and other providers involved in your care;
  • Payment: To your health insurance company or other payers for billing and claims processing;
  • Healthcare Operations: For internal quality review, staff training, and practice management;
  • Legal Requirements: To comply with court orders, subpoenas, or applicable laws;
  • Public Health Activities: To public health authorities as required by law;
  • Serious Threats: To prevent a serious and imminent threat to health or safety; and
  • Business Associates: To our vetted service providers (such as Elation Health, Spruce) under signed Business Associate Agreements; and to Fathom Analytics for anonymized, non-PHI website analytics.

Disclosures Requiring Your Authorization

We will obtain your written authorization before using or disclosing your PHI for purposes not described in this Policy or permitted by HIPAA, including for most marketing purposes, sale of PHI, or use of psychotherapy notes. You may revoke your authorization at any time in writing.

No Sale of Personal Information

We do not sell, rent, or trade your personal information or PHI to any third party for commercial or marketing purposes.

Analytics and Tracking Technologies

We use Fathom Analytics (usefathom.com) to collect anonymized, aggregate data about how visitors use our website. Fathom is a privacy-first analytics platform with the following key characteristics:

  • No cookies: Fathom does not use cookies or any persistent identifiers on your device;
  • No personal data: Fathom does not collect, store, or share any personally identifiable information or PHI;
  • No cross-site tracking: Fathom does not follow visitors across other websites;
  • Aggregate only: All data in our dashboard is aggregated — we cannot identify any individual visitor; and
  • No consent banner required: Because no personal data is collected, no cookie consent notice is legally required for Fathom.

The analytics data we receive includes only aggregate metrics such as page views, visit duration, referral sources, and general geographic region (country/state level only). This information is used solely to understand how our website is performing and to improve the patient experience.

Because Fathom does not collect or transmit PHI or personally identifiable information, it operates differently from traditional analytics tools. We are in the process of confirming BAA availability with Fathom. You may review Fathom's full privacy and data practices at https://usefathom.com/legal/privacy.

Fathom honors Do Not Track (DNT) browser settings when configured to do so. You may also use a browser extension that blocks analytics scripts if you prefer to opt out entirely. Doing so will not affect your ability to use our website.

Data Security

We implement administrative, technical, and physical safeguards designed to protect your information from unauthorized access, use, disclosure, alteration, or destruction. These safeguards include:

  • Encryption of PHI in transit and at rest;
  • Role-based access controls limiting staff access to information needed for their job;
  • Secure, HIPAA-compliant platforms with signed Business Associate Agreements;
  • Regular staff training on privacy and security practices;
  • Multi-factor authentication for systems containing PHI; and
  • Regular audits and monitoring of system access.

While we take data security seriously and employ industry-standard protections, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security of your information.

In the event of a breach of unsecured PHI, we will notify you as required by the HIPAA Breach Notification Rule and applicable state law.

Data Retention

We retain your medical records and PHI for as long as required by applicable state and federal law, and as necessary to provide ongoing care. Medical records for adult patients are generally retained for a minimum of seven (7) years from the date of last service, or as otherwise required by law.

Website analytics data collected through Fathom Analytics is retained by Fathom indefinitely in aggregate, anonymized form. Because no personally identifiable information is collected, this data is not subject to the same retention limitations as PHI. You may review Fathom's data retention practices at https://usefathom.com/legal/privacy.

Your Privacy Rights

HIPAA Rights Regarding Your PHI

As our patient, you have the following rights under HIPAA with respect to your PHI:

  • Right to Access: Request a copy of your medical records and health information;
  • Right to Amend: Request corrections to inaccurate or incomplete PHI;
  • Right to an Accounting of Disclosures: Request a list of certain disclosures we have made of your PHI;
  • Right to Restrict: Request restrictions on how we use or disclose your PHI (we are not always required to agree);
  • Right to Confidential Communications: Request that we communicate with you in a specific way or at a specific location; and
  • Right to a Paper Copy of This Notice: Receive a paper copy of our Notice of Privacy Practices upon request.

To exercise any of these rights, please contact our office in writing at the address or email provided in the Contact Us and How to File a Complaint section below.

California Residents (CCPA/CPRA)

If you are a California resident, you may have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) with respect to personal information that is not PHI governed by HIPAA, including the right to know, the right to delete, and the right to opt out of the sale of personal information. To submit a request, please contact us at the information in the Contact Us and How to File a Complaint section below.

Marketing Communications

You may opt out of receiving non-essential marketing or newsletter communications from us at any time by clicking the "unsubscribe" link in any email or contacting us directly. Opting out will not affect communications necessary for your care, such as appointment reminders or treatment follow-ups.

Children's Privacy

We provide healthcare services to patients of all ages, including minors. When we provide care to a minor patient, the parent or legal guardian is generally authorized to access the minor's health information, subject to applicable state law and certain exceptions (such as services a minor may consent to independently under state law).

Our website is not directed to children under 13 for general use, and we do not knowingly collect personal information from children under 13 through our website outside of the patient care context. If you believe a child's information has been submitted without appropriate authorization, please contact us immediately.

Links to Third-Party Websites

Our website may contain links to third-party websites, including the privacy policy links for our technology vendors listed in the Third-Party Service Providers and Technology Platforms section. These third-party sites have their own privacy practices, which we do not control. We encourage you to read the privacy policies of any external websites you visit. We are not responsible for the content or privacy practices of those sites.

Contact Us and How to File a Complaint

Contact Information

If you have questions, concerns, or requests regarding this Privacy Policy or your health information, please contact us:

Ola Migraine Inc. (dba Ola Migraine, Ola Migraine Honolulu & Ola Migraine Clinic)

Website: www.olamigraine.com

Email: support@olamigraine.com

Phone: (808) 378-3753

Filing a Complaint

If you believe your privacy rights have been violated, you have the right to file a complaint with us directly or with the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR):

  • Online: www.hhs.gov/ocr/privacy/hipaa/complaints
  • By mail: Centralized Case Management Operations, 200 Independence Ave., S.W., Room 509F HHH Bldg., Washington, D.C. 20201
  • By phone: 1-800-368-1019 (TDD: 1-800-537-7697)

We will not retaliate against you for filing a complaint.

Practice and Financial Policy

Patients of Ola Migraine Inc. are required to complete a separate Practice and Financial Policy document prior to receiving care. That document governs the clinical and contractual relationship between you and the practice and includes:

  • Financial, Scheduling & Cancellation Policy — including direct-pay terms, refund policy, and payment authorization;
  • Consent for Evaluation and Treatment — your voluntary consent to medical consultation and care;
  • Telehealth Consent Agreement — governing the use of telemedicine services;
  • Communication & Messaging Policy — covering use of Spruce and other approved platforms; and
  • Acknowledgment of Notice of Privacy Practices — confirming receipt of your HIPAA rights.

The Practice and Financial Policy is provided to all new patients during the scheduling and onboarding process and must be completed before your first appointment. It is distinct from this Privacy Policy, which governs information collected through our website and digital services at www.olamigraine.com/privacy.

By completing your intake agreements, you separately acknowledge and consent to the clinical policies, financial terms, and communication practices of Ola Migraine Inc., Ola Migraine, Ola Migraine Honolulu, and Ola Migraine Clinic as applicable.

Copies of your signed intake agreements are available upon request through our patient portal or by contacting the practice directly.

Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will update the "Effective Date" at the top of this Policy and post the updated version on our website.

We encourage you to review this Policy periodically. Your continued use of our Services after any changes constitutes your acceptance of the updated Policy.

This Privacy Policy is provided in addition to, and does not replace, the HIPAA Notice of Privacy Practices provided to you as a patient of Ola Migraine Inc. The Notice of Privacy Practices is available at www.olamigraine.com/hipaa.