RHYTHMSCIENCE INC.

NOTICE OF PRIVACY PRACTICES

Last Updated: June 10th, 2020

THIS NOTICE DESCRIBES HOW HEALTH INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED BY RHYTHMSCIENCE AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.

This Notice of Privacy Practices (“Notice”) serves as a notice for RhythmScience Inc. (“RhythmScience”) as required under the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations, and the Health Information Technology for Economic and Clinical Health Act, as incorporated in the American Recovery and Reinvestment Act of 2009, and its implementing regulations and guidance issued by the Secretary of Health and Human Services, all as amended from time to time (collectively, “HIPAA”) when RhythmScience is acting in the capacity as your healthcare provider or “covered entity”.  We will follow the terms of this Notice and may share your protected health information (“health information”) for purposes of treatment, payment and health care operations as described in this Notice and as required or permitted under HIPAA.

OUR DUTIES REGARDING YOUR HEALTH INFORMATION

We respect the confidentiality of your health information and recognize that information about your health is personal. We are committed to protecting your health information and to informing you of your rights regarding such information. We are also required by law to protect the privacy of your health information and to provide you with notice of these legal duties.

This Notice explains how, when and why we typically use and disclose health information and our privacy rights regarding your health information. In our Notice, we refer to our uses and disclosures of health information as our “Privacy Practices.” Health information generally includes information that we create or receive that identifies you and your past, present or future health status or care or the provision of or payment for that health care. We are obligated to abide by these Privacy Practices as of the last updated date listed above.

We may, however, change our Privacy Practices in the future and specifically reserve our right to change the terms of this Notice and our Privacy Practices. We will communicate any change in our Notice and Privacy Practices as described at the end of this Notice. Any changes that we make in our Privacy Practices will affect any health information that we maintain.

Generally, our Privacy Practices strive:

Notification Requirements.

Our patients have the right to or will receive a breach notification in appropriate circumstances in the event of a breach of unsecured health information.

Business Associates.

RhythmScience’s Business Associate Agreements with subcontractors provide that all HIPAA security administrative safeguards, physical safeguards, and technical safeguard requirements apply directly to our business associate subcontractors.

Access to E-Health Records.

Individuals have the right to access their own e-health record in an electronic format and to direct RhythmScience to send the e-health record directly to a third party. RhythmScience may only charge for reasonable labor costs under electronic transfers of e-health records.

Accounting of E-Health Records for Treatment, Payment, and Health.

Individuals have a right to request an accounting of disclosures through an e-health record to carry out treatment, payment, and health care operations.

HOW WE MAY USE AND DISCLOSE YOUR HEALTH INFORMATION

Our healthcare platform is designed to manage your pacemaker data. Under no circumstances will health information about you be shared with another provider (or their staff), unless it is in support of a referral that you have made and in that case, health information will only be shared with the providers that you designate. Those providers, in accordance with HIPAA, have the ability to share that information with their various staff members and/or designees. In addition, there are situations where the law permits or requires us to use and disclose your health information without your authorization. Specifically, we may use and disclose your health information as follows:

For Treatment, Payment and Healthcare Operations Purposes.

In general we may use and or disclosure your health information without first obtaining your written authorization for treatment, payment, and healthcare operations purposes. There are other situations where we may use and/or disclose your health information without first obtaining your written authorization as described below:

Other Uses and Disclosures Will Require Your Written Prior Authorization, including without limitation, the following:


For other situations not generally or specifically described in our Notice, we will ask for your written authorization before we use or disclose your health information. You may revoke that authorization, in writing, at any time to stop future disclosures of your health information. Information previously disclosed, however, will not be requested to be returned nor will your revocation affect any action that we have already taken. In addition, if we collected the information in connection with a research study, we are permitted to use and disclose that information to the extent it is necessary to protect the integrity of the research study.

YOUR RIGHTS REGARDING YOUR HEALTH INFORMATION

This portion of our Notice describes your individual privacy rights regarding your health information and how you may exercise those rights.

Requesting Restrictions of Certain Uses and Disclosures of Health Information.

You may request, in writing, a restriction on how we use or disclose your health information for treatment or for activities related to our health care operations. You may also request a restriction on what health information we may disclose to someone who is involved in your healthcare, such as a family member or friend. Additionally, you have the right to opt out of fundraising solicitations. Finally, you have the right to restrict certain disclosures of your health information to health plans when you have paid in full for a health care item or service.

To make any request or complaint to RhythmScience in connection with this Notice, please contact: RhythmScience HIPAA Compliance Officer at hipaaofficer@rhythmscience.com.

We are not required to agree with all requests. Additionally, any restriction that we may approve will not affect any use or disclosure that we are legally required to make under HIPAA.

Requesting Confidential Communications.

You may request and receive reasonable changes in the manner or the location where we may contact you for healthcare related services and information. You must make your request in writing and specify the alternate method or location where you wish to be contacted.

We will accommodate your reasonable request, but in determining whether your request is reasonable, we may consider the administrative difficulty it would impose on us.

Inspecting and Obtaining Copies of Your Health Information.

You may ask to review and obtain a copy of your health information. You must make your request in writing.

Requesting a Change in Your Health Information.

You may request, in writing, a change or addition to your health information. HIPAA limits your ability to change or add to your health information. These limitations include whether we created or include the health information within your medical records or if we believe that the health information is accurate and complete without any changes. Under no circumstances will we erase or otherwise delete original documentation in your designated health record, unless required to do so by applicable law.

Requesting an Accounting of Disclosures of Your Health Information.

You may ask, in writing, for an accounting of certain types of disclosures of your health information. HIPAA excludes from an accounting many of the typical categories of disclosures, such as those made to provide you with healthcare treatment or where you provided your written authorization prior to the disclosure.

Generally, we will respond to your request within 60 days of receiving your request unless we need additional time.

Obtaining a Notice of Our Privacy Practices.

We provide you with our Notice to explain and inform you of our Privacy Practices, and this Notice is available on our website at https://rhythm360.io/privacy. Even if you have received this Notice electronically, you may request a paper copy at any time.

COMPLAINTS

We welcome an opportunity to address any concerns that you may have regarding the privacy of your health information. If you believe that the privacy of your health information has been violated, you may file a complaint with RhythmScience at the contact email listed above and with the Secretary of the U.S. Department of Health and Human Services U.S. Department of Health and Human Services Office for Civil Rights by sending a letter to 200 Independence Avenue, S.W., Washington, D.C. 20201, calling 1-877-696-6775, or visiting www.hhs.gov/ocr/privacy/hipaa/complaints.

CHANGES TO THIS NOTICE

We reserve the right to change this Notice concerning our Privacy Practices affecting all the health information that we now maintain, as well as health information that we may receive in the future. We will provide you with the revised Notice by making it available to you upon request and by posting the revised Notice on our website, as indicated by the last updated date at the top of the Notice.

YOU WILL NOT BE PENALIZED OR RETALIATED AGAINST FOR FILING A COMPLAINT