HIPAA

HOOT HEALTH INC.

HIPAA AUTHORIZATION FOR USE OR DISCLOSURE OF HEALTH INFORMATION

45 C.F.R. § 164.508 — Form Version 2.0 — Effective March 2026

IMPORTANT — PLEASE READ BEFORE SIGNING

This authorization allows Hoot Health, Inc. to use and disclose your protected health information (“PHI”) only for the specific purposes described in Section D. You are NOT required to authorize this form. Authorization is entirely voluntary. Your treatment, payment, enrollment, and eligibility for benefits will NOT be conditioned on whether you authorize. Please read each section carefully.

A. PATIENT INFORMATION

B. PARTIES AUTHORIZED TO USE OR DISCLOSE MY HEALTH INFORMATION

I authorize the following parties to use or disclose my protected health information as described in this Authorization:

Hoot Health, Inc. (“Hoot”), a Delaware corporation, operating the Hoot myopia care platform (the “Hoot Platform”);
My treating healthcare provider(s) who participate in or refer me to the Hoot Platform (“Provider”); and
Hoot’s authorized business associates, subcontractors, and third-party service providers acting under a HIPAA Business Associate Agreement with Hoot, including technology vendors, analytics providers, cloud storage providers, and communications platforms.

C. PERSONS OR CLASSES OF PERSONS WHO MAY RECEIVE MY HEALTH INFORMATION

Subject to the specific purposes I initial in Section D, my health information may be disclosed to:

Hoot Health, Inc. and its authorized workforce members and agents;
My treating Provider(s) and their authorized clinical staff involved in my care;
Third-party marketing partners of Hoot or my Provider, solely where I have authorized paid third-party marketing communications in Section D(3) below;
Research institutions or analytics partners, solely where I have authorized research and analytics use in Section D(4) below;
Third-party purchasers of PHI, solely where I have authorized the sale of my PHI in Section D(5) below; and
Recipients of de-identified health information derived from my PHI, where such information has been de-identified in strict accordance with 45 C.F.R. § 164.514 and no longer constitutes PHI protected by HIPAA.

D. DESCRIPTION OF HEALTH INFORMATION AND AUTHORIZED PURPOSES

INSTRUCTION TO PATIENT

Please initial next to each purpose you wish to authorize. You may authorize one, some, or all purposes. You are NOT required to authorize all purposes. Your access to the Hoot Platform is NOT conditioned on authorizing Sections D(2) through D(5). You will not be penalized for declining to initial any section.

D(1) Platform Operations, Care Coordination, and Treatment Communications

Health Information Covered: My myopia care records, vision measurements, prescription information, eye health history, clinical assessments, treatment plans, appointment records, and related health communications generated through or in connection with the Hoot Platform.

Purpose: To enable Hoot and my Provider to: (a) provide, coordinate, and manage my myopia care through the Hoot Platform; (b) communicate with me about my treatment, appointments, and health status; (c) facilitate care coordination between my Provider and Hoot; and (d) support clinical operations, billing, and quality improvement activities.

NOTE: Authorization of this purpose is required for Hoot to provide clinical platform services. If you do not authorize D(1), Hoot cannot provide services to you.

D(2) Hoot Platform and Myopia Care Marketing Communications (No Third-Party Payment)

Health Information Covered: My name, contact information, age, myopia diagnosis, and general myopia care status.

Purpose: To allow Hoot and my Provider to send me communications about Hoot’s own products, services, clinical updates, and educational content related to myopia management, where Hoot or my Provider does NOT receive financial remuneration from any third party to send such communications.

This includes newsletters, product updates, myopia education content, and reminders about Hoot services. No financial remuneration is received from third parties for these communications. This is distinct from Section D(3) below.

D(3) Paid Third-Party Marketing Communications

Hoot or my Provider WILL RECEIVE FINANCIAL REMUNERATION from the third party identified below to send communications to me. This is required to be disclosed under HIPAA, 45 C.F.R. § 164.508(a)(3), and ARRA § 13406.

Health Information Covered: My name, contact information, age, and general myopia care status.

Purpose: To allow Hoot or my Provider to send me marketing communications on behalf of third-party companies, including optical lens manufacturers, vision correction product companies, and other health and wellness companies whose products or services relate to myopia care, where Hoot or my Provider receives direct financial payment from such third parties to contact me.

I understand that Hoot or my Provider receives financial compensation to send me these communications.

You are NOT required to sign this section. Your refusal will not affect your treatment or access to the Hoot Platform.

D(4) De-identification, Research, Analytics, and Technology Improvement (Including AI/ML)

Health Information Covered: My myopia care data, vision measurements, clinical outcomes, treatment history, and Hoot Platform usage data.

Purpose: To allow Hoot to: (a) de-identify my health information in accordance with 45 C.F.R. § 164.514 for use in population health research, analytics, and product improvement; (b) use de-identified data derived from my health information to train, validate, and improve Hoot’s artificial intelligence and machine learning models supporting myopia care; and (c) share de-identified data with research partners, academic institutions, and analytics providers. Once de-identified, this data is no longer PHI and is no longer protected by HIPAA.

Hoot retains sole and exclusive ownership of all de-identified data and any AI/ML models developed using such data. No individually identifiable information will be shared with research or analytics partners without a separate, specific authorization.

De-identification means your data cannot be re-traced to you individually, using standards required by federal law. You are NOT required to authorize this section.

D(5) Sale of Protected Health Information to Third Parties

Hoot WILL RECEIVE DIRECT FINANCIAL REMUNERATION in exchange for disclosing your PHI to the recipient below. This authorization is required by ARRA § 13405(d) and 45 C.F.R. § 164.508(a)(3)(ii).

Health Information Covered: As specifically identified in a written notice Hoot will provide to me prior to any such sale.

Purpose: To permit Hoot to sell or otherwise transfer my identifiable protected health information to specifically identified third parties in exchange for direct financial remuneration.

I understand and acknowledge that: (a) the disclosure of my PHI will result in direct financial remuneration to Hoot; (b) the recipient may further use or disclose my PHI; and (c) my PHI may no longer be fully protected by HIPAA once received by the purchaser.

You are NOT required to sign this section. Hoot CANNOT sell your identifiable PHI without your explicit authorization here.

E. EXPIRATION OF THIS AUTHORIZATION

This Authorization expires upon the EARLIEST of the following:

A specific date selected by the patient
Upon written revocation of this Authorization (see Section F below)
Upon permanent closure of the Hoot Platform account AND termination of the active patient relationship with the participating Provider, whichever is later
Upon completion of a specific purpose described by the patient

IMPORTANT NOTE ON EXPIRATION

If you do not select an expiration date or event, this Authorization remains in effect until you revoke it in writing under Section F. The expiration event must relate to you as an individual or to the purpose of the authorized use or disclosure, as required by 45 C.F.R. § 164.508(c)(1)(v). An expiration tied solely to administrative account status does not satisfy this requirement.

F. YOUR RIGHTS — PLEASE READ CAREFULLY

F(1) Right to Revoke.

You have the right to revoke this Authorization at any time, in writing, except to the extent that Hoot or your Provider has already taken action in reliance on it. To revoke, submit written notice to:

Hoot Health, Inc. — HIPAA Privacy Officer Email: privacy@hootmyopiacare.com (confirmed receipt within 5 business days) Mail: 500 State Route 33, Millstone Township, NJ 08535-8538, United States

Revocations are processed within 10 business days of confirmed receipt. Hoot will send written confirmation. Revocation does not apply retroactively to uses or disclosures already made in good-faith reliance on this Authorization.

F(2) No Conditioning of Treatment or Benefits.

Hoot and your Provider may NOT condition your treatment, payment, enrollment, or eligibility for benefits on whether you sign this Authorization, except as expressly permitted under 45 C.F.R. § 164.508(b)(4). The Hoot Platform’s core services are NOT conditioned on signing Sections D(2) through D(5).

F(3) Right to Inspect and Copy.

You have the right to inspect and receive a copy of the PHI used or disclosed pursuant to this Authorization, subject to HIPAA access rights at 45 C.F.R. § 164.524. Submit requests to: privacy@hootmyopiacare.com.

F(4) Risk of Re-Disclosure.

Information disclosed pursuant to this Authorization may be re-disclosed by the recipient and may no longer be protected by HIPAA. However, certain federal laws (including 42 C.F.R. Part 2 for substance use disorder records) and state laws may impose additional protections. Contact Hoot’s Privacy Officer for information about your state-specific rights.

F(5) Copy of This Authorization.

You will receive a signed copy of this Authorization. A photocopy or electronic copy is as valid as the original. Hoot retains the signed original for a minimum of six (6) years from the date of signature, as required by 45 C.F.R. § 164.530(j).

F(6) State Law Rights.

Depending on your state of residence, you may have additional rights beyond those described here, including under: California’s Confidentiality of Medical Information Act (Cal. Civ. Code § 56 et seq.); Illinois’ Biometric Information Privacy Act (740 ILCS 14); New York’s SHIELD Act and Health Information Privacy Act; Texas’ Medical Records Privacy Act; and New Jersey’s Identity Theft Prevention Act. Contact privacy@hootmyopiacare.com for state-specific guidance.

F(7) Right to File a Complaint.

If you believe your privacy rights have been violated, you may file a complaint with the U.S. Department of Health and Human Services, Office for Civil Rights at: www.hhs.gov/ocr/privacy/hipaa/complaints, or by calling 1-800-368-1019. You may also file a complaint directly with Hoot at privacy@hootmyopiacare.com. Hoot will NOT retaliate against you in any way for filing a complaint.

G. MINOR PATIENT AND AUTHORIZED REPRESENTATIVE

IMPORTANT — FOR MINOR PATIENTS (UNDER AGE 18)

Hoot Health provides myopia care services that frequently involve minor patients. Under HIPAA and applicable state laws, a parent or legal guardian generally has the right to authorize use and disclosure of a minor’s health information. However, in certain states and circumstances — including emancipated minors or minors who are legally authorized to consent to their own care — the minor may have independent privacy rights that limit parental access. Contact Hoot’s Privacy Officer if you have questions about the minor’s independent rights in your state before signing on their behalf.

Hoot Health Inc. — HIPAA Authorization Form v2.0 — Effective March 2026 — 45 C.F.R. § 164.508