EMSANACARE’S PRIVACY POLICY AND HIPAA NOTICE OF PRIVACY PRACTICES

EmsanaCare’s Privacy Policy

LAST UPDATED: March 15, 2022

EmsanaCare, Inc. (“EmsanaCare” the “Company,” “we,” or “us”) want you to be familiar with how we collect, use and disclose information. This Privacy Policy describes our practices in connection with information that we collect through the business interactions you have with us. Collectively, we refer to the texts, chats, emails, and offline business interactions we may have with you as the “Services.”

By using our Services, you agree to the collection, use, disclosure, sharing, and procedures this Privacy Policy describes. Your use of ourServices is also subject to our Terms of Use and EmsanaCare’s HIPAA Notice of Privacy Practices .

We encourage you to read this privacy policy closely as it describes in detail what types of information we collect about our users, how we collect it, how we use the information we collect, for how long we keep the information and under what circumstances and with whom the information may be disclosed. You may also read more about your rights in relation to your Personal Information, and the security measures we take to protect your Personal Information.

If anything in our privacy policy is unclear, or if you have any questions, please email us at legal@emsanacare.com.

What Types of Information Do We Collect?

Personal Information. We and our service providers may collect Personal Information in a variety of ways. When you use our services to assist in finding a care provider, we collect “Personal Information,” which is information that identifies you as an individual or relates to an identifiable individual. This information may include your name, phone number, date of birth, gender, location, and email address. This information is collected to confirm your eligibility with the Sponsor Organization that is paying for access to Services on your behalf, such as your or your partner’s, spouse’s, or parent/guardian’s employer, university, or health plan (“Sponsor Organization”). Your information is also used in making recommendations to care providers.

Protected Health Information. To the extent that information collected through the Services is patient information, such as information about a health care condition you may have, it is governed by the Notice of HIPPA Privacy Practices . If you have questions about which policy applies to specific information, please contact us at legal@emsanacare.com.

Collection of Personal Information.

Information you share with us directly: We collect the information you provide to us, for example when you contact us directly. This information may include Personal Information including information relating to your health. If you disclose any Personal Information relating to other people to us or to our service providers in connection with the Services, you represent that you have the authority to do so and to permit us to use the information in accordance with this Privacy Policy.

Information we collect automatically: When you visit or use our website, we may gather, collect and record information about it. We do this ourselves or with the help of third-party services, including through the use of “cookies” and other tracking technologies, as further detailed below. This information may include your IP address (which may also be associated with your domain name or the domain name of your internet service provider), data relating to your use and navigation, unique identification numbers associated with your mobile device or our mobile application and your approximate geographical location.

Information you direct us to receive, information we receive from third parties and social media: We may collaborate with third parties in connection with providing the Services and these third parties may provide us information about you. For example, if you direct us to receive information held in your electronic medical record, one of our partners may provide us with this information.

We need to collect such information in order to provide our services to you. If you do not provide the information requested, we may not be able to provide our services.

Use of Personal Information. We and our service providers use your Personal Information for the following purposes:

• Providing the functionality of the Services and fulfilling your requests.

• To provide the Services’ functionality to you, such as providing you with customer service.

• To respond to your inquiries and fulfill your requests, when you contact us via one of our online contact forms or otherwise, for example, when you send us questions, suggestions, compliments or complaints, or when you request other information about our Services.

• To complete your transactions, verify your information, and provide you with related customer service.

• To send administrative information to you, such as changes to our terms, conditions, and policies.

• Providing you with our information about new services and/or other marketing materials.

• To send you marketing related emails, with information about our services, new products and other news about our company.

Analyzing Personal Information for Providing the Services. We may use your Personal Information in order to improve our AI and analytic models, so that we are constantly improving the information we provide our users. When you are using EmsanaCre, you are not only learning from people like you, they are also learning from you and your experiences. Over the long term, this growing repository of health experiences will accelerate and improve our understanding of individual care preferences and provider performance. The information we use to improve our machine learning algorithms and technology is always used in an anonymized way, and can never be traced back to you. Examples include:

• Analyzing Personal Information for business reporting and providing personalized services.

• To analyze or predict our users’ preferences in order to prepare aggregated trend reports on how our digital content is used, so we can improve our Services.

• To better understand your interests and preferences, so that we can personalize our interactions with you and provide you with information and/or offers tailored to your interests.

• To better understand your preferences so that we can deliver content via our Services that we believe will be relevant and interesting to you.

Aggregating and/or anonymizing Personal Information. We may aggregate and/or anonymize Personal Information so that it will no longer be considered Personal Information. We may use the information we collect in order to improve our AI models, so that we are constantly improving the information we provide our users. As described above, when you are using our Services, you are not only learning from people like you, but they are also learning from you and your experiences. Over the long term, this growing repository of health experiences and clinical decision-making will accelerate medical research and improve our understanding of human disease. The information we use to improve our machine learning algorithms and technology is always used in an aggregated and anonymized way and can never be traced back to you. We may use and disclose this information for any purpose, as it no longer identifies you or any other individual:

• Accomplishing our business purposes;

• For data analysis, for example, to improve the efficiency of our Services;

• For audits, to verify that our internal processes function as intended and to address legal, regulatory, or contractual requirements;

• For fraud prevention and fraud security monitoring purposes, for example, to detect and prevent cyberattacks or attempts to commit identity theft;

• For developing new products and services;

• For enhancing, improving, repairing, maintaining, or modifying our current products and services, as well as undertaking quality and safety assurance measures;

• For identifying usage trends, for example, understanding which parts of our Services are of most interest to users;

• For determining the effectiveness of our promotional campaigns, so that we can adapt our campaigns to the needs and interests of our users; and

• For operating and expanding our business activities, for example, understanding which parts of our Services are of most interest to our users so we can focus our energies on meeting our users’ interests.

Disclosure of Personal Information. We may share your Personal Information with third parties in the following manners and instances:

• Providers: We may share your data with care providers we recommend for the purposes described in this Privacy Policy and in order for them to provide you care or coordinate your treatment.

• Partners: We may share your data with other companies, such as companies with whom we jointly offer products and services.

• Third-Party Service Providers: We may share Personal Information with certain service providers, whose services and solutions complement, facilitate and enhance our own. These include hosting and server services, communications and content delivery networks (CDNs), data and cybersecurity services, performance measurement services, data optimization and marketing services, content providers, and our legal and financial advisors. Such service providers may have access to Personal Information according to their particular roles and purposes.

• Health information disclosed under this Privacy Policy may be disclosed electronically.

Other Uses and Disclosures of Personal Information. We may also use and disclose your Personal Information as necessary or appropriate, in particular when we have a legal obligation to do so:

• Applicable Law. We may share Personal Information to comply with applicable law and regulations.

• Transactions, Liquidation: We may share Personal Information with third parties in connection with a transaction, such as a merger, sale of company assets or shares, reorganization, financing, change of control or acquisition of all or a portion of our business, or in the event of a bankruptcy or related or similar proceedings.

• Public and Government Authorities, Law Enforcement: Where permitted or required by applicable data protection laws, we may disclose your Personal Information pursuant to a legal request, or in compliance with applicable laws, if we have good faith belief that the law requires us to do so, with or without notice to you.

• Protecting Rights and Safety: Where permitted or required by law, we may share your Personal Information with others if we believe in good faith that it will help protect the rights, property or personal safety of EmsaanCare, any of our users, or any member of the general public, with or without notice to you.

Other Information. “Other Information” is any information that does not reveal your specific identity or does not directly relate to an identifiable individual. The Services collect Other Information such as:

• Browser and device information

• App usage data

• Information collected through cookies, pixel tags and other technologies

• Demographic information and other information provided by you that does not reveal your specific identity

• Information that has been aggregated in a manner such that it no longer reveals your specific identity

Collection of Other Information. We and our service providers may collect Other Information in a variety of ways, including:

• Your browser or device.

• Certain information is collected by most browsers or automatically through your device, such as your Media Access Control (MAC) address, computer type (Windows or Mac), screen resolution, operating system name and version, device manufacturer and model, language, Internet browser type and version and the name and version of the Services (such as the App) you are using. We use this information to ensure that the Services function properly.

• Cookies. Cookies are pieces of information stored directly on the computer that you are using. Cookies allow us to collect information such as browser type, time spent on the Services, pages visited, language preferences, and other traffic data. We and our service providers use the information for security purposes, to facilitate navigation, to display information more effectively, and to personalize your experience. We also gather statistical information about use of the Services in order to continually improve their design and functionality, understand how they are used, and assist us with resolving questions regarding them. We do not currently respond to browser do-not-track signals. If you do not want information collected through the use of cookies, most browsers allow you to automatically decline cookies or be given the choice of declining or accepting a particular cookie (or cookies) from a particular website. You may also wish to refer to http://www.allaboutcookies.org/manage-cookies/index.html. If, however, you do not accept cookies, you may experience some inconvenience in your use of the Services.

• Pixel tags and other similar technologies. Pixel tags. Pixel tags (also known as web beacons and clear GIFs) may be used to, among other things, track the actions of users of the Services (including email recipients), measure the success of our marketing campaigns, and compile statistics about usage of the Services and response rates.

• Analytics. We use Google Analytics, which uses cookies and similar technologies to collect and analyze information about use of the Services and report on activities and trends. This service may also collect information regarding the use of other websites, apps and online resources. You can learn about Google’s practices by going to www.google.com/policies/privacy/‌partners/, and exercise the opt-out provided by Google by downloading the Google Analytics opt-out browser add-on, available at https://tools.google.com/dlpage/gaoptout.

• Physical Location. We may collect the physical location of your device by, for example, using satellite, cell phone tower or WiFi signals. We may use your device’s physical location to provide you with personalized location-based services and content. In some instances, you may be permitted to allow or deny such uses and/or sharing of your device’s location.

Uses and Disclosures of Other Information. We may use and disclose Other Information for any purpose, except where we are required to do otherwise under applicable law. If we are required to treat Other Information as Personal Information under applicable law, we may use and disclose it for the purposes for which we use and disclose Personal Information as detailed in this Privacy Policy. In some instances, we may combine Other Information with Personal Information. If we do, we will treat the combined information as Personal Information as long as it is combined.

Your Choices Regarding Personal Information. Your choices regarding our use and disclosure of your Personal Information:

• Notifications. We may send you push notifications and similar forms of communication from us, which you can control within the Services. If you choose to use our Care Connect services, you will receive notifications to your mobile device.

• Email and SMS Messaging. We may also use your email address or phone number to send you messages, such as changes to features of the Services and special offers. If you do not want to receive such notifications, you may opt-out or change your preferences by contacting our support team at hello@emsanacare.com. Opting out may prevent you from receiving notification including notices regarding updates, improvements, or offers. You will not be able to opt-out from receiving service and payment-connected notifications from us.

• Marketing. We give you choices regarding our use and disclosure of your Personal Information for marketing purposes.

You may opt out from: Receiving marketing-related emails from us. If you no longer want to receive marketing related emails from us on a going-forward basis, you may opt out by contacting us via the Contact Us information below. We will try to comply with your request(s) as soon as reasonably practicable. Please note that if you opt out of receiving marketing related emails from us, we may still send you important administrative messages, from which you cannot opt out.

Access, Change, or Delete your Personal Information. If you would like to request to access, correct, update, suppress, restrict, or delete Personal Information, object to or opt out of the processing of Personal Information, or if you would like to request to receive a copy of your Personal Information for purposes of transmitting it to another company (to the extent these rights are provided to you by applicable law), you may contact us in accordance with the “Contact Us” section below. We will respond to your request consistent with applicable law. If you are a California resident, please refer to the “Information for California Residents” section at the end of this Policy for more information about the requests you may make under the CCPA.

In your request, please make clear what Personal Information you would like to have changed or whether you would like to have your Personal Information suppressed from our database. For your protection, we may only implement requests with respect to the Personal Information associated with the particular email address that you use to send us your request, and we may need to verify your identity before implementing your request. We will try to comply with your request as soon as reasonably practicable.

Please note that we may need to retain certain information for recordkeeping purposes and/or to complete any transactions that you began prior to requesting a change or deletion (e.g., when you make a purchase, you may not be able to change or delete the Personal Information provided until after the completion of such purchase).

Third-party Services. This privacy policy does not address, and we are not responsible for, the privacy, information, or other practices of any third parties, including any third party operating any website or service to which our services link. The inclusion of a link on our services does not imply endorsement of the linked site or service by us.

In addition, we are not responsible for the information collection, use, disclosure, or security policies or practices of other organizations, such as Facebook, Apple, Google, Microsoft, RIM, or any other app developer, app provider, social media platform provider, operating system provider, wireless service provider, or device manufacturer, including with respect to any Personal Information you disclose to other organizations through or in connection with our app or website.

Retention Period. We will keep your Personal Information for as long as your user account is active, in order to allow you to have access to your information and to provide you with our services. We may continue to retain your Personal Information even after you deactivate your user account or stop using EmsanaCare, as reasonably necessary to comply with our legal obligations, to resolve disputes regarding our users, enforce our agreements or protect our legitimate interests, consistent with applicable law. When your Personal Information is no longer required, we will ensure it is deleted.

Security. We seek to use reasonable organizational, technical and administrative measures to protect Personal Information within our organization. Unfortunately, no data transmission or storage system can be guaranteed to be 100% secure. If you have reason to believe that your interaction with us is no longer secure, please immediately notify us in accordance with the “Contact Us” section below.

Information for California Residents. If you are a California resident, California Civil Code Section 1798.83 permits you to request information regarding the disclosure of your personal information by EmsanaCare to third parties for the third parties’ direct marketing purposes. To make such a request, please send an email to legal@emsanacare.com or write to us using the mailing address provided in the “Contact Us” section below.

Currently, various browsers — including Internet Explorer, Firefox, and Safari — offer a “do not track” or “DNT” option that relies on a technology known as a DNT header, which sends a signal to Web sites’ visited by the user about the user’s browser DNT preference setting. We do not currently respond to browsers’ DNT signals with respect to sites we provide, in part, because no common industry standard for DNT has been adopted by industry groups, technology companies or regulators, including no consistent standard of interpreting user intent.

Pursuant to the California Consumer Privacy Act of 2018 (“CCPA”), we are providing the following additional details regarding the categories of Personal Information that we collect, use, and disclose about California residents.

Collection and Disclosure of Personal Information. The following chart includes: (1) the categories of Personal Information, as listed in the CCPA, that we plan to collect and have collected and disclosed within the preceding 12 months; and (2) the categories of third parties to which we disclosed Personal Information for our operational business purposes within the preceding 12 months. For a description of the third parties listed below, please see the “Disclosure of Personal Information” section above.

Under the CCPA, if a business sells Personal Information, it must allow California residents to opt out of the sale of their Personal Information. However, we do not “sell” and have not “sold” Personal Information for purposes of the CCPA in the last 12 months. For example, and without limiting the foregoing, we do not sell the Personal Information of minors under 16 years of age.

Sources of Personal Information. As described in the “Collection of Personal Information” section above, we collect this information from you and third parties.

Use of Personal Information. As described in the “Use of Personal Information” section above, we may use this Personal Information to operate, manage, and maintain our business, to provide our products and services, to fulfill your requests, and to accomplish our business purposes and objectives, including, for example, to: develop, improve, repair, and maintain our products and services; personalize, advertise, and market our products and services; conduct research, analytics, and data analysis; create aggregated and/or anonymized data; maintain our facilities and infrastructure; undertake quality and safety assurance measures; conduct risk and security control and monitoring; detect and prevent fraud; perform identity verification; perform accounting, audit, and other internal functions, such as internal investigations; comply with law, legal process, and internal policies; maintain records; and exercise and defend legal claims.

If you are a California resident, you may make the following requests under the CCPA:

Request to Know. You may request that we disclose to you the following information covering the 12 months preceding your request:

• The categories of Personal Information we collected about you and the categories of sources from which we collected such Personal Information;

• The specific pieces of Personal Information we collected about you;

• The business or commercial purpose for collecting (if applicable) Personal Information about you;

• The categories of Personal Information about you that we otherwise shared or disclosed, and the categories of third parties with whom we shared or to whom we disclosed such Personal Information (if applicable).

Request to Delete. You may request that we delete Personal Information we collected from you. To make a Request to Know or a Request to Delete, please contact us in accordance with the “Contacting Us” section below. We will verify and respond to your request consistent with applicable law, taking into account the type and sensitivity of the Personal Information subject to the request. Note the following:

We may require you to log into the servicers to make the request or request additional Personal Information from you, such as your name and data of birth, in order to verify your identity and protect against fraudulent requests.

We may verify your identity through our existing authentication practices for your account and require you to re-authenticate yourself before disclosing or deleting your Personal Information.

If you make a Request to Delete, we may ask you to confirm your request before we delete your Personal Information.

If you want to make a Request to Know or a Request to Delete as an authorized agent on behalf of a California resident, you may use the submission methods noted above. As part of our verification process, we may request that you provide, as applicable, proof concerning your status as an authorized agent, which also may include:

• Proof of your registration with the California Secretary of State to conduct business in California;

• Proof of a power of attorney from the resident pursuant to Probate Code sections 4121-4130. If you are an authorized agent and have not provided us with a power of attorney from the resident pursuant to Probate Code sections 4121-4130, we may also require the resident to:

• Verify the resident’s own identity directly with us; or Directly confirm with us that the resident provided you permission to make the request.

You have the right to be free from unlawful discriminatory treatment for exercising your rights under the CCPA.

Contact Us:

EmsanaCare Privacy Officer

legal@emsanacare.com

Emsanacare, Inc.

275 Battery Street, Suite 480

San Francisco, CA 94111

—---

EmsanaCare’s HIPAA Notice of Privacy Practices

LAST UPDATED: March 15, 2022

THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.

This HIPAA Notice of Privacy Practices (the “Notice”) is being provided to you on behalf of EmsanaCare,Inc. (referred to herein as “EmsanaCare”, “we”, “our” or “us”). The Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) requires that we provide you this Notice to describe our legal obligations and your legal rights regarding the protected health information (“PHI”) we collect, create, share or store.

PHI is information about you that we obtain to provide our services to you and that can be used to identify you. It includes your name and contact information, as well as information about your health, medical conditions and providers. It may relate to your past, present or future physical or mental health or condition, or the provision or health care products and services to you. Among other things, this Notice describes how your PHI may be used and disclosed to carry out health care operations, or for any other purposes that are permitted or required by law, and how you can get access to your PHI.

Our Responsibilities to Protect Your Protected Health Information. EmsanaCare is not a Covered Entity for purposes of compliance with the Health Insurance Portability and Accountability Act (“HIPAA”), however EmsanaCare is a Business Associate of employer-sponsored, managed care organization-sponsored, health insurance company-sponsored, and non-profit-sponsored health plans, third party administrators, pharmacy benefit managers, healthcare information technology providers, health administrative services organizations, and other organizations (collectively, “Providers”) that are Covered Entities or Business Associates to Covered Entities in the ordinary course of its business.

HIPAA requires that we protect your PHI. Additionally, we are required to notify you of our legal duties and abide by the privacy practices detailed in this Notice, unless more protective laws or regulations apply. This Notice applies to all EmsanaCare health care services and our employees. Toreceive a copy of this Notice, please Contact Us at legal@emsanacare.com or to view acopy of this Notice on our website, please visit www.emsanacare.com/HIPAA.

Our Uses and Disclosures of Your Protected Health Information. Uses and disclosures not requiring your authorization. EmsanaCare collects, creates and stores PHI in its internal systems. Additionally, when we contract with third parties to perform certain services for us, these third-party service providers, known as Business Associates, can access PHI to perform these services on our behalf. They are required by law and their agreements with us to protect PHI in the same way we do.

The following categories describe different ways that we use and disclose your PHI. We have provided you with examples in certain categories; however, not every permissible use or disclosure will be listed in this Notice. Except where prohibited by federal or state laws requiring special privacy protections, we may use and disclose your PHI without your prior authorization for treatment, payment and health care operations as follows:

• Operations. We may use and share your PHI to operate EmsanaCare, improve your care and contact you when necessary. As part of our health care operations, we may share your PHI with our accountants, attorneys, consultants and others to ensure we are complying with laws applicable to us.

• Care Coordination. We may also share your PHI with other health care providers and plans for their business operations if they have or had a patient relationship with you.

• Feedback. To improve your care experience, we may send you surveys or requests for feedback regarding our services or your the services if providers you have received care from.

You may opt out of these types of communications by following the instructions provided in the survey or feedback request. Example: We use your PHI to review the quality of services you received or the performance of the professionals who provided care to you.

We may also use or disclose your PHI without your prior authorization for other purposes outlined below. Applicable laws require that we meet certain conditions before disclosing PHI for these purposes:

• Appointments and Services. We may contact you to remind you of an appointment or provide information about extra benefits or financial awards available under your health plan. You may ask us to contact you in a specific way (for example, home or mobile phone). We may also contact you to provide you with information about other services and benefits we offer.

• Help with Public Health and Safety Issues. We may share PHI in certain situations such as to prevent disease, support product recalls, report adverse reactions or product complaints, prevent or reduce a serious threat to another’s health or safety, or report necessary information regarding a deceased person to a coroner, medical examiner or funeral director.

• Conduct Research. We may disclose your PHI to researchers when: (a) individual identifiers have been removed; or (b) an institutional review board or privacy board has (x) reviewed the research proposal; (y) reviewed the established protocols to ensure the privacy of the requested information; and (z) approves the research. Additionally, we may use and disclose your PHI for human subject research purposes, subject to the confidentiality provisions of state and federal law. If your PHI will be used as a part of such research, you may be asked to complete a HIPAA authorization and study consent form to authorize specific PHI uses and/or disclosures.

• Comply with Federal, State or Local Law, Judicial or Administrative Proceedings or Law Enforcement. We may use and disclose PHI when required to do so by federal, state or local law, judicial or administrative proceedings or law enforcement. For example, we may disclose PHI to government agencies or law enforcement personnel about victims of abuse, neglect or domestic violence or pursuant to federal, state or local laws, subpoena or court order.

• Respond to Organ and Tissue Donation Requests. We may share PHI with organ, eye or tissue procurement or placement organizations or banks, as necessary to facilitate organ, eye or tissue donation and transplantation.

• Address Workers’ Compensation, Law Enforcement, and Specific Government Requests. We may use or share PHI about you for workers’ compensation claims, law enforcement purposes or with a law enforcement official, special government functions such as military, national security, and presidential protective services and with health oversight agencies for legally authorized activities.

Uses and disclosures requiring your authorization. Disclosures related to human immunodeficiency virus (HIV) test results, diagnosis of acquired immune deficiency virus (AIDS) or an AIDS-related condition, or information about alcohol or drug treatment you received in a related treatment program will not be made without your authorization except as required or allowed by law. Before we use, disclose or sell your PHI for a reason other than those reasons described above, we will get your written authorization. You may revoke written authorization at any time, by Contact Us in writing. Once we receive your written revocation, it will apply to future PHI uses and disclosures.

Opportunity to Object to Certain Disclosures.

Disclosures to Family, Friends or Others. We may provide your PHI to a family member, friend or other person you indicate is involved in your care or payment for your care, unless you Contact Us in writing to object.

Health Information Exchanges. We may share PHI through secure electronic means both to and from health care providers treating you. If you do not wish to participate in EmsanaCare Health Information Exchanges, you must Contact Us in writing to object.

Your Rights.

The Right to Request Limits on How We Use and Share Your PHI. You may ask us to not to use or share certain PHI for treatment, payment, or health care operations. We are not required to agree to your request and may deny your request if we believe it may impact your care. If you pay for our services out-of-pocket in full, you may ask us not to share your PHI for the purpose of payment or our health care operations. We will agree to this request unless a law requires us to share it. To request such limitation, you must Contact Us in writing. If we agree to your request, we will document our agreement and abide by it except in emergency situations.

The Right to Choose How We Send Your PHI to You. You have the right to request that we communicate with you in a certain way or at a certain location. For example, you can ask that we send email to you at a different email address or to contact you at work or by postal mail. We will accommodate all reasonable requests when able to do so.

The Right to See and Get Copies of Your Health Information. You or your legally authorized representative may request to see or get an electronic or paper copy of your medical record and other PHI we have about you. We will provide a copy and/or summary within the time frames established by law and we may charge a reasonable cost-based fee. In certain situations provided by law, we may deny your request. If we do, we will inform you in writing of our reasons for denying your request and explain how you may have the denial reversed, if applicable. Additionally, you may access the chat transcripts of your EmsanaCare visits and related care plans at any time in the EmsanaCare app’s “History” tab.

The Right to Get a List of Those with Whom We’ve Shared Your PHI. You have the right to request a list (or an “accounting”) of certain disclosures of your PHI for up to six years prior to the date of your request, including with whom we shared your PHI and reasons for sharing. To get this list, you must Contact Us in writing.

The Right to Correct or Update Your PHI. If you believe there is a mistake in or that a piece of important information is missing from your medical record or other PHI we have about you, you may ask us to correct such information. To do so, you must Contact Us in writing specify your requested correction or update as well as your reason for making such request. We will inform you after we make your requested change(s) and advise those to whom we have disclosed your information of your requested changes. In certain situations, we may deny your request. If we do, we will let you know in writing within 60 days of receiving your request of our reasons for denial and you will have the right to file a statement of disagreement with us. Please note, any future disclosures of the disputed information will include your written disagreement statement.

The Right to Receive This Notice. You have the right to request a paper copy of this Notice at any time, even if you have agreed to receive it electronically. To receive a copy of this Notice, please Contact Us or to view a copy of this Notice on our website, please visit our www.EmsanaCare.com/legal-and-privacy.

The Right to Privacy Notification. We are required to notify you if we (or one of our Business Associates) discover a breach of your unsecured PHI.

Changes To This Notice. If our privacy practices should change at any time in the future, we will promptly change and post a new notice. We reserve the right to apply any changes to our privacy practices or this Notice to the PHI we maintain, including PHI collected before the date of the change.

Complaints and Contact Information. If you believe that your privacy rights have been violated or you disagree with a decision we made about your PHI, you may file a complaint with the U.S. Department of Health and Human Services Office for Civil Rights by sending a letter to 200 Independence Avenue SW, Washington, D.C. 20201; calling 1-877-696-6775; or visiting www.hhs.gov/ocr/privacy/hipaa/complaints.

If you have any questions about this Notice or any complaints about your privacy practices, please contact us at the address below. Please note, we will not retaliate against you for filing a complaint. You should keep a copy of any notices you send to us or the EmsanaCare Privacy Office for your records.

Contact Us:

EmsanaCare Privacy Officer

legal@emsanacare.com

Emsanacare, Inc.

275 Battery Street, Suite 480

San Francisco, CA 94111