Notice of Privacy Practices

Effective: 2026-04-17 · Rev 2

This Notice describes how medical information about you may be used and disclosed and how you can access this information. Please review it carefully.

Recovery Network's Role

Recovery Network Inc. ("Recovery Network") operates as a Business Associate under HIPAA to each Covered Entity (licensed behavioral health facility) that deploys the RNI platform. Each Covered Entity's Notice of Privacy Practices governs the patient-provider relationship. This Notice supplements that document by describing how Recovery Network, as Business Associate, handles Protected Health Information ("PHI") received or created on behalf of the Covered Entity.

Use of PHI

Recovery Network uses and discloses PHI only as permitted by the Business Associate Agreement with each Covered Entity and by applicable law.

Recovery Network processes identifiable PHI solely within each Covered Entity's environment for clinical and operational purposes. Recovery Network does not use identifiable PHI across clients for model training or system optimization. Recovery Network may use de-identified data, in accordance with 45 CFR §164.514, to improve system performance, AI-assisted analysis of patient communications, risk scoring and alert generation, and safety monitoring. Such data is aggregated, non-identifiable, and cannot reasonably be used to re-identify any individual.

AI-Assisted Analysis

Recovery Network operates The Council — a multi-doctor AI system that performs AI-assisted analysis of patient communications, wearable signals, and voice/video journaling to support clinical decision-making. The Council's outputs include risk scoring and alert generation. All Critical-tier alerts are reviewed by a licensed clinician before any clinical action is taken. Dr. Chen (Compliance Authority) holds absolute veto power over all escalation decisions. The Council supports — and does not replace — licensed clinical judgment.

Voice & Video Capture

When a patient uses the Voice & Video Journal feature, audio is transcribed by Google Cloud Speech-to-Text under Recovery Network's HIPAA Business Associate Agreement with Google. Video is analyzed on-device (in the patient's browser) by MediaPipe Pose. Audio and video are never stored. Only the resulting transcript, a de-identified risk score, and a movement status label are retained within the Covered Entity's environment.

42 CFR Part 2 — Substance Use Disorder Records

Records that identify a patient as having or having had a substance use disorder and that are maintained in connection with the provision of substance use disorder diagnosis, treatment, or referral for treatment are additionally protected under 42 CFR Part 2. Recovery Network will not disclose such records except as permitted by the patient's written consent or as otherwise authorized by 42 CFR §2.12 through §2.67. Re-disclosure is prohibited except as permitted by Part 2.

Safeguards

Recovery Network implements administrative, physical, and technical safeguards required by 45 CFR §164.308, §164.310, and §164.312, including encryption in transit and at rest, access controls, audit logging, and facility_id scoping on every data access.

Your Rights

Right to inspect and obtain a copy of your PHI (45 CFR §164.524)
Right to request amendment of your PHI (45 CFR §164.526)
Right to an accounting of disclosures (45 CFR §164.528)
Right to request restrictions on uses and disclosures (45 CFR §164.522)
Right to request confidential communications (45 CFR §164.522)
Right to receive notice of any breach of unsecured PHI (45 CFR §164.404)
Right to revoke consent for voice/video journaling or wearable data collection at any time

Complaints

You may file a complaint with the Covered Entity's Privacy Officer, with Recovery Network at info@recoverynetwork.ai, or with the Secretary of the U.S. Department of Health and Human Services. You will not be retaliated against for filing a complaint.

Contact

Recovery Network Inc.
Attn: Privacy Officer
info@recoverynetwork.ai

HIPAA Notice of Privacy Practices