WIXLIB

HIPAA Privacy Policy No. 160.306General Statement of Policy: This Policy contains rules and procedures which govern anIndividual’s right to complain about HIPAA violations to the Secretary of Health andHuman Services.POLICYA. Right to file a complaint.An Individual who believes that Business Associate is not complying with the applicableportions of HIPAA’s Privacy Rules, may file a complaint with the Secretary of Health andHuman Services (“HHS”).B. Requirements for filing complaints.1. Complaints to the Secretary of HHS must meet the following requirements:a. The complaint must be in writing either on paper or electronically;b. the complaint must name the entity that is the subject of the complaint anddescribe the acts or omissions which the complaining Individual believes violateHIPAA;c. the complaint must be filed within 180 days of the date the complainingIndividual knew or should have known that the alleged improper act or omissionoccurred, unless this time limit is waived by the Secretary for good cause; andd. any other requirements which the Secretary has properly imposed.C. Investigation.The Secretary has the right to investigate complaints filed under the privacy provisions ofHIPAA. This investigation can include a review of pertinent policies, procedures or privacypractices of Business Associate, and of any circumstances regarding alleged acts oromissions relating to compliance.Page 6 of 80ENTRSAFE LLC

HIPAA Privacy Policy No. 160.310General Statement of Policy: This Policy contains rules and procedures which govern theresponsibilities of Business Associate in respect to the Secretary of Health and HumanServices.POLICYA. Providing records and compliance reports.Business Associate must keep records and submit compliance reports in the time andmanner, and containing such information, as the Secretary determines is necessary toenable him or her to determine if Business Associate has complied or is complying withthe applicable privacy requirements of HIPAA.B. Cooperation with complaint investigation and compliance reviews.Business Associate must cooperate with the Secretary if the Secretary undertakes aninvestigation or compliance review of its policies, procedures or practices to determine ifit is complying with the applicable privacy requirements of HIPAA.C. Permitting access to information.1. Business Associate must permit access by the Secretary during normal business hours toits facilities, books, records, accounts, and other sources of information, including PHI,that may be pertinent to determining Business Associate’s compliance with applicableprivacy requirements of HIPAA. If the Secretary determines that appropriate circumstancesexist (such as hidden or destroyed documents), Business Associate must permit access bythe Secretary at any time and without notice.2. If any information required from Business Associate in connection with an investigationby the Secretary is in the exclusive possession of another agency, institution or person, andthe other agency, institution or person fails or refuses to furnish the information, BusinessAssociate must certify this fact and describe the efforts it has made to obtain thisinformation.Page 7 of 80ENTRSAFE LLC

HIPAA Privacy Policy No. 164.404General Statement of Policy: This Policy describes notification procedures in the event thatthere is a breach of unsecure PHI under Section 13402 of Title XIII (Health InformationTechnology for Economic and Clinical Health Act of the American Recovery andReinvestment Act of 2009).POLICYA. PolicyIt is the policy of Business Associate to notify Covered Entity clients and affectedIndividuals if there is a breach of unsecured PHI. Notification of a breach of unsecure PHIshall be carried out in accordance with federal and state law. Notification of a breach shallbe delayed if a law enforcement official states that a notification of the breach wouldimpede a criminal investigation or cause damage to national security.1. A breach is the unauthorized acquisition, access, use, or disclosure of PHI in a mannernot permitted by the HIPAA Rules which compromises the security or the privacy of theIndividual’s PHI.a. A breach does not include:i. unintentional access, acquisition or use by a Workforce Member actingunder authority and in good faith, so long as not further disclosed in amanner not permitted by the Privacy Rule;ii. inadvertent disclosure from a Workforce Member authorized to accessPHI to a co-employee authorized to access PHI, so long as not furtherdisclosed in a manner not permitted by the Privacy Rule; oriii. unauthorized disclosure to an unauthorized person who cannotreasonably be able to retain the information disclosed.2. PHI is unsecured if it is not rendered unusable, unreadable, or indecipherable tounauthorized individuals through the use of a technology or methodology approved byHealth and Human Services, as revised from time to time.B. ProceduresPage 8 of 80ENTRSAFE LLC

1. Determination of Breacha. The Privacy Official shall determine whether or not a breach has occurred suchthat a breach notice is required. All unauthorized acquisition, access, use, ordisclosure of PHI shall be reported to the Privacy Official immediately.b. There is a presumption that a breach has occurred and there will be a noticerequirement unless the below risk assessment demonstrates a low probability thatthe PHI has been compromised.i. The Privacy Official’s risk assessment must consider at least thefollowing four factors:(A) The nature and extent of the PHI involved, including thelikelihood of re-identification;(B) The identity of the unauthorized user or recipient, includingtheir duty to protect PHI;(C) Whether the PHI was actually acquired or viewed; and(D) The extent to which the risk to PHI has been mitigated.2. Notice to the Covered Entitya. Business Associate shall give the relevant Covered Entity notice of a breachinvolving that Covered Entity’s PHI without unreasonable delay and in no case laterthan 60 calendar days after the discovery of the breach (or the date the breach shouldhave been discovered if reasonable diligence had been exercised).b. Notice to the Covered Entity shall include all information listed in B(3)(c)below.3. Notice to the Individual, if applicable per Business Associate Agreementa. Notification of a breach shall be provided without unreasonable delay and in nocase later than 60 calendar days after the discovery of the breach (or the date thebreach should have been discovered if reasonable diligence had been exercised).b. Written notification shall be provided by first-class mail to affected Individualsat their last known address. Individuals may elect to receive notificationelectronically. Where an Individual has agreed to electronic notification, writtennotice is not required. In the event that it is known that the Individual is deceased,notification shall be provided to the next of kin or personal representative of theIndividual.Page 9 of 80ENTRSAFE LLC

c. Written notification to affected Individuals shall include, to the extent possible:i. A brief description of what happened, including the date of the breachand the date of the discovery of the breach, if known;ii. A description of the types of unsecure PHI that were involved in thebreach (such as whether full name, social security number, date of birth,home address, account number, diagnosis, disability code, or other types ofinformation were involved);iii. Any steps Individuals should take to protect themselves from potentialharm resulting from the breach;iv. A brief description of what is being done in regards to the investigationof the breach, to mitigate harm to Individuals, and to protect against anyfurther breaches; andv. Contact procedures for Individuals to ask questions or learn additionalinformation, which shall include a toll-free telephone number and an emailaddress, website, or postal address.d. If urgent, in addition to written notification, the Privacy Official shall call viatelephone the affected Individuals.e. In the event that there is insufficient or out-of-date contact information for anIndividual, substitute notice shall be provided. If there are fewer than 10 Individualsfor whom there is insufficient or out-of-date contact information, substitute noticeshall be provided by an alternative form of written notice, telephone, or othermeans. If there are 10 or more Individuals for whom there is insufficient or out-ofdate contact information, substitute notice be provided by either:i. a conspicuous posting on the Covered Entity’s or Business Associate’swebsite for a period of 90 days with a toll-free number, orii. conspicuous notices in major print or broadcast media in geographicareas where the Individuals affected by the breach likely reside whichinclude a toll-free phone number that remains active for at least 90 dayswhere an Individual can learn whether the Individual’s unsecure PHI maybe included in the breach.f. If a law enforcement official provides a written statement that a notification ofthe breach would impede a criminal investigation or cause damage to nationalsecurity, and the statement specifies the time for which a delay is required,notification shall be delayed for the time specified. If a law enforcement officialprovides an oral statement that a notification of the breach would impede a criminalinvestigation or cause damage to national security, such statement shall bePage 10 of 80ENTRSAFE LLC

documented and notification shall be delayed no longer than 30 days from the dateof the oral statement.HIPAA Privacy Policy No. 164.501General Statement of Policy: This Policy contains definitions which apply to the otherpolicies and procedures contained in this HIPAA Privacy and Security Manual.DEFINITIONSA. Authorization. A document signed by an Individual authorizing disclosure of ProtectedHealth Information and complying with the requirements of Privacy Policy No. 164.508.B. Breach. The term “Breach” shall have the meaning defined in 45 CFR § 164.402.C. Breach Notification Rule or Rules. The term shall mean the Standards and ImplementationSpecifications for Notification of Breaches of Unsecured Protected Health Information under 45CFR Parts 160 and 164, subparts A and D.D. Business Associate. The term “Business Associate” means:1. ENTRSAFE LLC, when it performs work on behalf of its clients as a “businessassociate”, as that term is defined in 45 CFR § 160.103 and generally means:A person or entity who:a. On behalf of a Plan (or an Organized Health Care Arrangement in which the Planparticipates), but other than in the capacity as a Workforce Member, performs, orassists in performing:i. a function or activity involving the use or disclosure of PHI, includingclaims processing or administration, data analysis, processing oradministration, utilization review, quality assurance, billing, benefitmanagement, patient safety activities, practice management or repricing; orii. any other function or activity regulated by the Privacy Rules; orb. other than in the capacity of a Workforce Member, provides legal, actuarial,accounting, consulting, Data Aggregation, management, administrative,accreditation, or financial services for a Plan (or for an Organized Health CareArrangement in which the Plan participates), where providing these servicesinvolves the disclosure of PHI from a Plan or Arrangement, or from anotherBusiness Associate of the Plan or Arrangement, to the person; orc. other than in the capacity of a Workforce Member, creates, receives, maintainsPage 11 of 80ENTRSAFE LLC

or transmits PHI on behalf of a Covered Entity; ord. is a Health Information Organization, E-prescribing Gateway or other person orentity that provides data transmission services with respect to PHI to a CoveredEntity that requires routine access to such PHI (except courier services and internetservice providers); ore. a person who offers a personal health record to one or more Individuals onbehalf of a Covered Entity; orf. a Subcontractor that creates, receives, maintains or transmits PHI on behalf ofa Business Associate.2. A member of the Plan’s Workforce, or of the Organized Health Care Arrangement’sWorkforce, is not a Business Associate. In addition, a Covered Entity which participates inan Organized Health Care Arrangement, and that performs a function, activity or servicefor the Arrangement as described above, does not through these roles become a BusinessAssociate of the other Covered Entities participating in the Arrangement. Finally, aCovered Entity may be a Business Associate of another Covered Entity.E. Covered Entity. The term “Covered Entity” shall have the meaning defined in 45 CFR § 160.103and generally means a health plan, a health care clearing house, or a Health Care Provider whotransmits Health Information in electronic form in connection with a transaction covered byHIPAA Privacy Rules.F. Data Aggregation. The term “Data Aggregation” means the activity of Business Associate or aCovered Entity when it combines PHI to permit data analysis that relates to Health Care Operationsof a Covered Entity.G. De-Identified Information. The term “De-Identified Information” is defined at Part B ofPrivacy Policy No. 164.514.H. Designated Record Set. The term “Designated Record Set” means a group of recordsmaintained by or for a Covered Entity, consisting of:1. medical and billing records about Individuals maintained by or for a covered HealthCare Provider;2. the enrollment, payment, claims adjudication, and case or medical management recordsystems maintained by or for a health plan; or3. the group of records maintained by or for a Plan which is used in whole or part tomake decisions about Individuals.Page 12 of 80ENTRSAFE LLC

For purposes of this definition, the term “record” means any item, collection or groupingof information that includes PHI, and that is maintained, collected, used or disseminatedby or for a Covered Entity.I. Effective Date. The term “Effective Date” means the date these policies and procedures are firsteffective. The Effective Date is generally defined throughout this Manual as January 1, 2020.J. Family Member. The term “Family Member” means a dependent (as defined in 45 CFR 144.103)of the Individual and any person who is a first, second, third or fourth degree relative of theIndividual or his or her dependent. First degree relatives include parents, spouses, siblings andchildren. Second degree relatives include grandparents, grandchildren, aunts, uncles, nephews andnieces. Third degree relatives include great-grandparents, great- grandchildren, great aunts, greatuncles and first cousins. Fourth degree relatives include great- great-grandparents, great-greatgrandchildren and children of first cousins.K. Genetic Information. The term “Genetic Information” means information about an Individual’sgenetic tests or genetic tests of Family Members, the manifestation of a disease or disorder inFamily Members of the Individual, any request for or receipt from genetic services (test,counseling or education) or participation in clinical genetic research by the Individual or FamilyMember. Genetic Information includes genetic information about a fetus or embryo. GeneticInformation does not include information about the sex or age of an Individual.L. Health Care. The term “Health Care” means care, services or supplies related to the health ofan individual. “Health Care” includes, but is not limited to:1. preventative, diagnostic, therapeutic, rehabilitative, maintenance, palliative care,counseling, service, assessment or procedure with respect to the physical or mentalcondition, or functional status, of an Individual, or that affects the structure or function ofthe body; and2. sale or dispensing of a drug, device, equipment, or other item in accordance with aprescription.M. Health Care Operations. The term “Health Care Operations” is defined in Privacy Policy No.164.506.N. Health Care Provider. The term “Health Care Provider” means a provider of services, includinga provider of medical or health services, as defined in the Social Security Act, and any other personor organization that furnishes, bills, or is paid for Health Care in the normal course of business.O. Health Information. The term “Health Information” means any information, whether oral orrecorded in any form or medium, that:1. is created or received by a Health Care Provider, health plan, public health authority,employer, life insurer, school, university or health care clearing house; andPage 13 of 80ENTRSAFE LLC

2. relates to the past, present or future physical or mental health or condition of anIndividual, the provision of health care to an Individual, or the past, present or futurepayment for the provision of health care to an Individual; or3. is Genetic Information.P. Health Insurance Issuer. The term “Health Insurance Issuer” means an insurance company,insurance service, or insurance organization (including an HMO) that is licensed to engage in thebusiness of insurance in a state and is subject to state law that regulates insurance. The term doesnot include a group health plan.Q. HHS. The term “HHS” means the United States Department of Health and Human Services.R. HIPAA. The term “HIPAA” refers to Title II of the Health Insurance Portability andAccountability Act of 1996.S. HIPAA Rules. The term “HIPAA Rules” shall mean the Privacy Rule, Security Rule, BreachNotification Rule, Standard Transaction rules and enforcement provisions in 45 CFR Parts 160,162 and 164.T. Individual. The term “Individual” shall mean the person who is the subject of PHI.U. Individually Identifiable Health Information. The term “Individually Identifiable HealthInformation” means Health Information, including demographic information, taken from anIndividual which either identifies the Individual or with respect to which there is a reasonable basisto believe the information can be used to identify the Individual.V. Limited Data Set. The term “Limited Data Set” is defined at Part E(2) of Privacy Policy No.164.514.W. Marketing. The term “Marketing” means to make a communication about a product or servicethat encourages recipients of the communication to purchase or use the product or service, unlessthe communication is made:1. to describe a health-related product or service (or payment for such a product or service)that is covered by a Plan, including communications about the entities participating in aHealth Care Provider network or health plan network; replacement of or enhancements toa Plan; and health-related products or services available only to Plan enrollees that addvalue to, but are not covered

extent HIPAA requires policies and procedures not contained in this Manual, such policies and procedures shall be deemed adopted by the Company as necessary to maintain HIPAA compliance. The HIPAA policies and procedures shall be effective on January 1, 2020 (the "Effective Date"). Questions about these policies and procedures should be .