NOTICE OF PRIVACY PRACTICES

THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.

Effective Date: December 2, 2025
Last Updated: December 2, 2025

Our Pledge to You

Aperion Health is committed to protecting the privacy and security of your Protected Health Information (PHI). We understand that your health information is personal and sensitive, and we take our responsibility to safeguard it seriously.

Our Legal Obligations:

  • Maintain the privacy and security of your Protected Health Information
  • Provide you with this Notice of our legal duties and privacy practices
  • Follow the terms of the Notice currently in effect
  • Notify you if we are unable to agree to a requested restriction
  • Notify you if your Protected Health Information has been breached

What is Protected Health Information (PHI)? PHI is individually identifiable health information that we create, receive, maintain, or transmit. This includes information about your health condition, healthcare services you receive, and payment for healthcare services.

Uses and Disclosures of Your Health Information

Important: We will never sell your Protected Health Information.

We only use and disclose your health information as described in this Notice and as permitted or required by federal and state law.

Uses and Disclosures That Require Your Written Authorization

We will obtain your written authorization before using or disclosing your Protected Health Information for the following purposes:

  • Marketing: Communications that encourage you to purchase a product or service (except for face-to-face marketing or promotional gifts of nominal value)
  • Sale of PHI: Any disclosure that constitutes a sale of your health information (which we do not do)
  • Psychotherapy Notes: Uses or disclosures of psychotherapy notes (if applicable)
  • Other Purposes: Any other use or disclosure not described in this Notice

You may revoke your authorization in writing at any time, except to the extent we have already taken action based on your authorization.

Uses and Disclosures That Do NOT Require Your Authorization

We may use and disclose your Protected Health Information without your authorization for the following purposes:

1. Treatment

We may use and disclose your health information to provide, coordinate, or manage your healthcare and related services. For example:

  • Coordinating your care with healthcare providers
  • Providing healthcare navigation and care management services
  • Making referrals to specialists or other providers
  • Communicating with your doctors about treatment options
  • Helping you find quality, cost-effective healthcare services

2. Payment

We may use and disclose your health information to obtain payment for services and to carry out payment-related activities. For example:

  • Processing and submitting claims to your health plan
  • Determining your eligibility for benefits
  • Coordinating benefits with other health plans
  • Obtaining pre-authorization for services
  • Billing and collection activities

3. Healthcare Operations

We may use and disclose your health information for our healthcare operations. For example:

  • Quality assessment and improvement activities
  • Care coordination and case management programs
  • Evaluating the performance of our services
  • Training healthcare professionals and students
  • Business planning and development
  • Customer service activities
  • Internal audits and compliance activities

4. To Your Health Plan Sponsor (Employer)

Important Protection: We may share only limited information with your employer or health plan sponsor. Specifically:

  • Summary Health Information: We may disclose summary health information to your health plan sponsor for plan administration purposes, such as obtaining premium bids or modifying the health plan. Summary information does not identify you individually.
  • Enrollment Information: We may disclose whether you are enrolled in or have disenrolled from our services.
  • De-Identified Data: We may share aggregate, de-identified data about program outcomes and effectiveness.
  • Individual PHI: We will NOT share your individual Protected Health Information with your employer unless you provide specific written authorization or as otherwise permitted by HIPAA.

5. As Required by Law

We will disclose your health information when required to do so by federal, state, or local law.

6. Public Health Activities

We may disclose your health information for public health activities, including:

  • Preventing or controlling disease, injury, or disability
  • Reporting births, deaths, or suspected abuse or neglect
  • Reporting adverse events or product defects to the FDA
  • Notifying persons of recalls of products they may be using
  • Notifying persons who may have been exposed to a disease

7. Health Oversight Activities

We may disclose your health information to health oversight agencies for activities such as:

  • Audits and investigations
  • Inspections and licensing
  • Disciplinary proceedings
  • Civil, administrative, or criminal proceedings or actions

8. Judicial and Administrative Proceedings

We may disclose your health information in response to:

  • A court order or administrative tribunal order
  • A subpoena, discovery request, or other lawful process (with certain protections)

9. Law Enforcement Purposes

We may disclose limited health information to law enforcement officials for purposes such as:

  • Complying with a court order, warrant, or subpoena
  • Identifying or locating a suspect, fugitive, or missing person
  • Reporting a crime on our premises
  • Reporting a crime in an emergency

10. Coroners, Medical Examiners, and Funeral Directors

We may disclose health information to coroners, medical examiners, or funeral directors to enable them to carry out their duties.

11. Organ and Tissue Donation

We may disclose health information to organizations that handle organ, eye, or tissue procurement, banking, or transplantation.

12. Research

We may use or disclose your health information for research purposes when:

  • An Institutional Review Board has approved the research and privacy protections
  • The information has been de-identified
  • You have provided written authorization

13. Serious Threats to Health or Safety

We may use or disclose your health information if we believe it is necessary to prevent or lessen a serious and imminent threat to your health or safety or the health or safety of others.

14. Specialized Government Functions

We may disclose health information for specialized government functions such as:

  • Military and veterans activities
  • National security and intelligence activities
  • Protective services for the President and others
  • Medical suitability determinations
  • Correctional institutions (if you are an inmate)

15. Workers' Compensation

We may disclose your health information as authorized by workers' compensation laws.

Your Rights Regarding Your Health Information

Under HIPAA, you have the following rights regarding your Protected Health Information:

1. Right to Inspect and Copy

You have the right to inspect and obtain a copy of your health information that we maintain in our designated record set.

  • How to Request: Submit a written request to our Privacy Officer (contact information below)
  • Response Time: We will respond to your request within 30 days. We may extend this by 30 days with written notice.
  • Fees: We may charge a reasonable fee for copying, postage, and preparation
  • Format: You may request an electronic copy if we maintain the information electronically
  • Denial: In certain limited circumstances, we may deny your request. If we do, we will provide you with a written explanation and inform you of your right to have the denial reviewed.

2. Right to Amend

If you believe that health information we have about you is incorrect or incomplete, you have the right to request an amendment.

  • How to Request: Submit a written request to our Privacy Officer, including the reason for the amendment
  • Response Time: We will respond within 60 days
  • Denial: We may deny your request if the information:
    • Was not created by us
    • Is not part of our designated record set
    • Is not available for inspection
    • Is accurate and complete
  • If Denied: You may submit a statement of disagreement, which will be included with your health information

3. Right to an Accounting of Disclosures

You have the right to receive a list of certain disclosures we have made of your health information.

  • What's Included: Disclosures made for purposes other than treatment, payment, or healthcare operations
  • Time Period: You may request disclosures made in the last six (6) years
  • How to Request: Submit a written request to our Privacy Officer
  • First Accounting: The first accounting in a 12-month period is free
  • Additional Requests: We may charge a reasonable fee for additional accountings within the same 12-month period
  • Response Time: We will respond within 60 days

4. Right to Request Restrictions

You have the right to request restrictions on how we use or disclose your health information for treatment, payment, or healthcare operations.

  • Our Obligation: We are generally not required to agree to your request, except in one specific case: if you pay for a service or item out-of-pocket in full and request that we not disclose the information to your health plan for payment or healthcare operations purposes, we must agree (unless required by law to disclose)
  • How to Request: Submit a written request to our Privacy Officer describing the restriction
  • If We Agree: We will comply with your request unless the information is needed for emergency treatment

5. Right to Request Confidential Communications

You have the right to request that we communicate with you about your health information in a certain way or at a certain location.

  • Example: You may request that we contact you only at work or by email
  • How to Request: Submit a written request to our Privacy Officer specifying how or where you wish to be contacted
  • Reasonable Requests: We will accommodate all reasonable requests

6. Right to a Paper Copy of This Notice

You have the right to receive a paper copy of this Notice at any time, even if you have previously agreed to receive it electronically.

  • How to Request: Contact our Privacy Officer
  • Online Access: This Notice is also available on our website at aperion.health/privacy/hipaa-notice

7. Right to Notification of a Breach

You have the right to be notified in the event of a breach of your unsecured Protected Health Information.

  • Notification: We will notify you within 60 days of discovering a breach
  • Method: Notification will be by mail or email, as appropriate

How to Exercise Your Rights

To exercise any of the rights described in this Notice, please contact our Privacy Officer:

Aperion Health Privacy Officer

Minneapolis, Minnesota

Phone: (612) 208-7537

Email: info@aperion.health

Member Portal: portal.aperion.health/login

Request Forms: We can provide you with forms to help you submit requests. Please contact us to request a form.

Response Time: We will respond to all requests within the timeframes required by HIPAA, typically within 30-60 days depending on the type of request.

Complaints

If you believe your privacy rights have been violated, you have the right to file a complaint.

File a Complaint with Aperion Health

You may file a complaint with us by contacting our Privacy Officer using the contact information above. Please submit your complaint in writing, describing the issue and how we can help resolve it.

File a Complaint with the U.S. Department of Health and Human Services

You may also file a complaint with the Secretary of the U.S. Department of Health and Human Services:

Office for Civil Rights

U.S. Department of Health and Human Services

200 Independence Avenue, S.W.

Washington, D.C. 20201

Phone: 1-877-696-6775

Website: www.hhs.gov/ocr/privacy

Online Complaint Portal: OCR Complaint Portal

No Retaliation

We will not retaliate against you for filing a complaint. You will not be penalized or denied services for filing a complaint with us or with the U.S. Department of Health and Human Services.

Changes to This Notice

We reserve the right to change this Notice at any time and to make the revised or changed Notice effective for health information we already have about you as well as any information we receive in the future.

How We Will Notify You of Changes:

  • We will post the current Notice on our website at aperion.health/privacy/hipaa-notice
  • We will provide you with a copy of the revised Notice by email or through our member portal
  • The Notice will include the effective date on the first page

Material Changes: If we make a material change to our privacy practices, we will notify you within 60 days of the change.

Obtaining a Copy: You may obtain a current copy of our Notice at any time by:

  • Visiting our website: aperion.health/privacy/hipaa-notice
  • Contacting our Privacy Officer to request a paper copy
  • Accessing it through the member portal

Contact Information

If you have any questions about this Notice or our privacy practices, please contact us:

Aperion Health Privacy Officer

Minneapolis, Minnesota

Phone: (612) 208-7537

Email: info@aperion.health

Website: aperion.health

Member Portal: portal.aperion.health/login

For general privacy information about our website and services, please review our Privacy Policy.