ArmoCare Hub

# Notice of Privacy Practices

**Effective: April 25, 2026**

THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED, AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.

## Who we are

Armo Benefits and Services ("Armo," "we," "us") is a Medicare insurance brokerage. We act as a **Business Associate** of the Medicare Advantage and Part D plans we represent. We are committed to protecting the privacy of your protected health information (PHI) as required by the federal Health Insurance Portability and Accountability Act (HIPAA), HIPAA's implementing regulations (45 CFR Parts 160 and 164), and applicable state privacy laws.

## What this Notice covers

This Notice describes how we may use and disclose your PHI to carry out treatment, payment, and health care operations on behalf of the Medicare plan you enroll in, and for other purposes that are permitted or required by law. It also describes your rights to access and control your PHI.

## How we may use and disclose your PHI

### For treatment, payment, and health care operations
We may use and disclose your PHI without your written authorization to:

- **Enroll you** in a Medicare Advantage, Part D, Hospital Indemnity, or other insurance plan you select.
- **Communicate with the plan** you enrolled in regarding your enrollment status, eligibility, premium, effective date, confirmation code, and routine servicing matters.
- **Bill the plan** for commission and service fees.
- **Provide customer service and support**, including answering your questions, scheduling appointments, sending appointment reminders, and verifying chronic-condition eligibility for plans that require it.
- **Perform internal quality, compliance, training, and audit activities** within Armo.

### Servicing communications
We may send you SMS messages, emails, postcards, faxes, and recorded or live phone calls relating to your enrollment and ongoing servicing. These communications may include your name, address, phone, email, plan name, carrier name, effective date, confirmation code, and the contact information of your assigned licensed agent. They will not include premium amounts, benefit dollar amounts, or comparison language about other plans without your separate written authorization.

### Required by law
We will use and disclose your PHI when required by federal, state, or local law, including:

- Reporting suspected abuse, neglect, or domestic violence.
- Responding to court orders, subpoenas, and lawful requests by government regulators (HHS Office for Civil Rights, CMS, state insurance regulators).
- Reporting to public health authorities for purposes authorized by law.

### To business associates and subcontractors
We use vendors to operate our CRM, telephony, email, postcard, fax, and AI-assisted services. Each vendor that handles your PHI must have controls in place that meet our internal security policies. Where we have not yet executed a HIPAA Business Associate Agreement with a vendor, we apply additional compensating controls (encryption, access restrictions, PHI minimization, signed webhooks, audit logging) and document the gap in our internal compliance debt register.

### Authorization required
We will obtain your written authorization for any use or disclosure that is not described in this Notice or otherwise permitted by law, including most uses and disclosures of psychotherapy notes, marketing communications that involve payment from a third party, and the sale of PHI. You may revoke an authorization at any time, in writing, except to the extent we have already acted in reliance on it.

## Your rights

You have the following rights regarding your PHI:

### Right to access (45 CFR §164.524)
You have the right to inspect and obtain a copy of the PHI we maintain about you, in paper or electronic format, generally within 30 days of your written request. We may charge a reasonable, cost-based fee for the labor and supplies of producing the copy.

### Right to amend (45 CFR §164.526)
You may request that we correct PHI you believe is inaccurate or incomplete. We will respond within 60 days. If we deny your request, we will explain why in writing and you may file a statement of disagreement.

### Right to an accounting of disclosures (45 CFR §164.528)
You have the right to request a list of certain disclosures of your PHI we have made in the prior six (6) years, excluding disclosures made for treatment, payment, or health care operations and a few other categories. We will respond within 60 days.

### Right to request restrictions (45 CFR §164.522(a))
You may request that we restrict certain uses and disclosures of your PHI. We are not required to agree to every requested restriction, except that we must agree to a restriction on disclosures to a health plan for items or services for which you paid out of pocket in full.

### Right to confidential communications (45 CFR §164.522(b))
You may request that we communicate with you using an alternate channel or address (for example: "do not call my home; text me at this other number"). We will accommodate reasonable requests.

### Right to a copy of this Notice
You have the right to a paper or electronic copy of this Notice on request. The current version is always available at https://crm.armomedicare.com/privacy.

### Right to be notified of a breach
You have the right to be notified if we discover a breach of your unsecured PHI. We will provide notification within 60 days of discovery as required by 45 CFR Part 164 Subpart D.

### Right to file a complaint
You have the right to file a complaint with us or with the U.S. Department of Health and Human Services if you believe your privacy rights have been violated. We will not retaliate against you for filing a complaint.

To file a complaint with HHS:
- Online: https://www.hhs.gov/hipaa/filing-a-complaint/
- Mail: Office for Civil Rights, U.S. Department of Health and Human Services, 200 Independence Avenue, SW, Room 509F, HHH Building, Washington, D.C. 20201
- Phone: 1-800-368-1019

## Our duties

We are required by law to:
- Maintain the privacy and security of your PHI.
- Provide you with this Notice of our legal duties and privacy practices regarding your PHI.
- Follow the terms of the Notice that is currently in effect.
- Notify you of a breach of unsecured PHI affecting you.

## Changes to this Notice

We reserve the right to change the terms of this Notice at any time. The new Notice will be effective for all PHI we maintain at that time. We will post the updated Notice at https://crm.armomedicare.com/privacy. The current version date appears at the top of this document.

## Substance Use Disorder records (42 CFR Part 2)

If we ever receive substance use disorder records protected by 42 CFR Part 2, those records will only be used and disclosed in compliance with the Part 2 regulations, which align with HIPAA following the February 16, 2026 enforcement date of the 2024 Part 2 final rule.

## Contact

For questions about this Notice, to exercise any of the rights described above, or to file a complaint:

**Privacy Officer**
Kian Motamedi
Armo Benefits and Services
Email: privacy@armomedicare.com
Website: https://armomedicare.com

---

*This Notice is reviewed at least annually and on any material change to our privacy practices. Version 2026-04-25 supersedes any prior version.*