HIPAA Compliance NOTICE OF PRIVACY PRACTICES THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY. Pentec Health, Inc. (“Pentec”) is committed to protecting the confidentiality of our patients’ health information. This Notice of Privacy Practices (“Notice”) describes how we may use and disclose your health information and your rights concerning your health information. This Notice is provided to you pursuant to the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations (“HIPAA”). Pentec and its workforce members who are involved in providing and coordinating your health care are all bound by the terms of this Notice. USES AND DISCLOSURES WITHOUT YOUR AUTHORIZATION Except where prohibited by other laws that require special privacy protections, we may use and disclose your health information without your prior authorization as follows: Treatment: We will use and disclose your health information to provide, coordinate and/or manage your treatment and any related services. For example, a pharmacist may use your health information to dispense prescription medications to you, or a nurse may use your health information to create a plan of care for you. We can also share your health information with other providers involved in your care or to contact you to remind you about an upcoming appointment. Payment: Your health information will be used or disclosed, as needed, to obtain payment for the health care items and services we deliver to you. For example, we may bill your health plan for the cost of prescription medications dispensed to you. The information on or accompanying the bill may include information that identifies you, as well as the prescription medications you are taking. We may also contact your health plan to determine whether it will authorize payment for your prescription or our services, or to determine the amount of your co-payment or co-insurance. Healthcare Operations: We may use or disclose your health information in order to carry out our general business activities or certain business activities of other involved providers. These activities include, but are not limited to, training and education; quality assessment/ improvement activities; risk management; claims management; legal consultation; physician and employee review activities; licensing; regulatory surveys; and other business planning activities. For example, we may use your health information to monitor the quality of the care we are providing to you. Family and Friends: Unless you express an objection, we may disclose your health information to a family member or friend who is involved in your medical care or to someone who helps pay for your care. We may also use or disclose your health information to notify (or assist in notifying) a family member, legally authorized representative or other person responsible for your care of your location, general condition or death. Business Associates: We enter into contracts with third-parties known as business associates. These business associates provide services to us or perform functions on our behalf, e.g., accountants, consultants and attorneys. We may disclose your health information to our business associates once they have agreed in writing to safeguard your health information. Business associates are also required by law to protect the privacy of your health information. Required By Law: We may use or disclose your health information to the extent the use or disclosure is required by law. Any such use or disclosure will be made in compliance with the law and will be limited to what is required under the law. Public Health Activities: We may use your health information for public health activities such as reporting births, deaths, communicable diseases, injuries, or disabilities; ensuring the safety of drugs and medical devices; and for work place surveillance or work-related illness or injury. Health Oversight Activities: We may disclose your health information to a health oversight agency for activities such as audits; civil, administrative or criminal investigations, proceedings or actions; inspections; licensure or disciplinary actions; or other activities necessary for appropriate oversight as authorized by law. Food and Drug Administration (FDA): We may disclose your health information to a person or company subject to the FDA to report adverse events, product defects or problems or biologic product deviations; to track FDA-regulated products; to enable product recalls; to make repairs or replacements; to conduct post-marketing surveillance information or for other purposes related to the quality, safety or effectiveness of a product or activity regulated by the FDA. Law Enforcement: We may disclose your health information to law enforcement in limited circumstances, such as to identify or locate suspects, fugitives, witnesses or victims of a crime, to report deaths from a crime, to report crime on our premises or in emergency treatment situations. Judicial and Administrative Proceedings: We may disclose information about you in response to an order of a court or administrative tribunal as expressly authorized by such order. We may also disclose information about you in response to a subpoena, discovery request or other lawful process not accompanied by an order of a court or administrative tribunal, under certain circumstances as permitted by law. To Avert a Serious Threat to Health or Safety: We may use or disclose your health information when necessary to prevent a serious threat to your health and safety or the health and safety of the public or another person. We may also disclose information about you if it is necessary for law enforcement authorities to identify or apprehend an individual. Disaster Relief Efforts: We may use or disclose your health information to an authorized public or private entity to assist in disaster relief efforts. You may have the opportunity to object unless it would impede our ability to respond to emergency circumstances. Coroners, Medical Examiners and Funeral Directors: We may disclose health information consistent with applicable law to coroners, medical examiners and funeral directors to assist them in carrying out their duties. Organ and Tissue Donation: We may disclose health information consistent with applicable law to organizations that handle organ, eye or tissue donation or transplantation. Research: Under certain circumstances, we may also use and disclose information about you for research purposes. All research projects are subject to a special approval process through an appropriate committee. Fundraising: We may use certain information to contact you as part of our fundraising efforts. If you receive such a communication from us, you will be provided an opportunity to opt-out of receiving such communications in the future. Workers’ Compensation: We may disclose your health information as authorized to comply with workers’ compensation laws and other similar programs established by law. Military, Veterans, National Security and Other Government Purposes: If you are a member of the armed forces, we may release your health information as required by military command authorities or to the Department of Veterans Affairs. We may also disclose your health information to authorized federal officials for intelligence and national security purposes. Correctional Institutions: If you are or become an inmate of a correctional institution or are in the custody of a law enforcement official, we may disclose to the institution or law enforcement official information necessary for the provision of health services to you, your health and safety, the health and safety of other individuals and law enforcement on the premises of the institution and the administration and maintenance of the safety, security and good order of the institution. Victims of Abuse, Neglect or Domestic Violence: We may disclose your health information to a government authority, such as a social service or protective services agency, if we reasonably believe you are a victim of abuse, neglect or domestic violence. Change of Ownership: In the event that Pentec is sold or merged with another organization, your health information will be transferred to the new owner. OTHER USES AND DISCLOSURES REQUIRE YOUR AUTHORIZATION If we wish to use or disclose your health information for a purpose not discussed in this Notice, we will seek your authorization. Specific examples of uses and disclosures of health information requiring your authorization include: (i) most uses and disclosures of psychotherapy notes (private notes of a mental health professional kept separately from a medical record); (ii) most uses and disclosures of your health information for marketing purposes; and (iii) disclosures of your health information that constitute the sale of your health information. You may revoke your authorization at any time in writing, except to the extent that we have already taken action in reliance on your authorization. YOUR HEALTH INFORMATION RIGHTS Inspect and/or obtain a copy of your health information. You have the right to inspect and/or obtain a copy of your health information maintained in a designated record set. If we maintain your health information electronically, you may obtain an electronic copy of the information or ask us to send it to a person or organization that you identify. To request to inspect and/or obtain a copy of your health information, you must submit a written request to our Privacy Officer. If you request a copy (paper or electronic) of your health information, we may charge you a reasonable, cost-based fee. Request a restriction on certain uses and disclosures of your health information. You have the right to ask us not to use or disclose any part of your health information for purposes of treatment, payment or healthcare operations. While we will consider your request, we are only required to agree to restrict a disclosure to your health plan for purposes of payment or healthcare operations (but not for treatment) if the information applies solely to a healthcare item or service for which we have been paid out of pocket in full. If we do agree to a restriction, we will not use or disclose your health information in violation of that restriction unless it is needed to provide emergency treatment. To request a restriction, you must submit a written request to our Privacy Officer. We will not agree to restrictions on health information uses or disclosures that are legally required or necessary to administer our business. Request confidential communications. You have the right to request that we communicate with you about your health information in a certain way or at a certain location. For example, you can ask that we only contact you at work or by mail. To request confidential communication of your health information, you must submit a written request to our Privacy Officer stating how or when you would like to be contacted. We will accommodate all reasonable requests. We will not require you to provide an explanation for your request. Request an amendment to your health information. If you believe that any information in your medical record is incorrect, or if you believe important information is missing, you may request that we correct the existing information or add the missing information. To request such an amendment, you must submit a written request to our Privacy Officer. Request an accounting of certain disclosures. You have the right to receive an accounting of certain disclosures we have made of your health information. To request an accounting, you must submit a written request to our Privacy Officer. The first accounting you request within a 12 month period will be provided free of charge. We may charge you for any additional requests in that same 12 month period. Obtain a paper copy of this Notice. You have the right to obtain a paper copy of this Notice upon request, even if you agreed to accept this Notice electronically. To obtain a paper copy of this Notice, contact our Privacy Officer. OUR RESPONSIBILITIES We are required to (i) maintain the privacy of your health information as required by law; (ii) provide you with notice of our legal duties and privacy practices with respect to your health information; (iii) abide by the terms of such notice; and (iv) notify you following a breach of your health information that is not secured in accordance with certain security standards. We reserve the right to change the terms of this Notice and to make the provisions of the new Notice effective for all health information that we maintain. If we change the terms of this Notice, the revised Notice will be made available upon request, posted to our website and posted at our delivery sites. Copies of the current Notice may be obtained by contacting our Privacy Officer or by visiting our website at: www.pentechealth.com. STATE LAW We will not use or share your information if state law prohibits it. Many states have laws that are stricter than the federal privacy regulations we describe in this Notice. If a state law applies to us and is stricter or places limits on the ways we can use or share your health information, we will follow the state law. For instance, some states may provider greater protections for genetic testing information, HIV/AIDS information, mental health and developmental disabilities records, and alcohol or drug abuse records. The way that state and federal laws interact is complicated. If you would like to know more about applicable state laws, please ask our Privacy Officer. QUESTIONS, CONCERNS OR COMPLAINTS If you have any questions or want more information about this Notice or how to exercise your health information rights, you may contact our Privacy Officer by telephone at 610-494-8700, or toll free at 1-800-223-4376, or via e-mail at firstname.lastname@example.org. If you believe your privacy rights have been violated, you may file a complaint with our Privacy Officer or with the U.S. Department of Health and Human Services, Office for Civil Rights, 200 Independence Ave. S.W., Room 509F HHH Bldg., Washington DC 20201 (OCRComplaint@hhs.gov). We will not retaliate against you for filing a complaint. The effective date of this notice is December 3, 2015.