RhythmScience Inc. Notice of Privacy Practices

Last Updated: June 10th, 2020

THIS NOTICE DESCRIBES HOW HEALTH INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED BY RHYTHMSCIENCE AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.

This Notice of Privacy Practices (“Notice”) serves as a notice for RhythmScience Inc. (“RhythmScience”) as required under the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations, and the Health Information Technology for Economic and Clinical Health Act, as incorporated in the American Recovery and Reinvestment Act of 2009, and its implementing regulations and guidance issued by the Secretary of Health and Human Services, all as amended from time to time (collectively, “HIPAA”) when RhythmScience is acting in the capacity as your healthcare provider or “covered entity”.  We will follow the terms of this Notice and may share your protected health information (“health information”) for purposes of treatment, payment and health care operations as described in this Notice and as required or permitted under HIPAA.

OUR DUTIES REGARDING YOUR HEALTH INFORMATION

We respect the confidentiality of your health information and recognize that information about your health is personal. We are committed to protecting your health information and to informing you of your rights regarding such information. We are also required by law to protect the privacy of your health information and to provide you with notice of these legal duties.

This Notice explains how, when and why we typically use and disclose health information and our privacy rights regarding your health information. In our Notice, we refer to our uses and disclosures of health information as our “Privacy Practices.” Health information generally includes information that we create or receive that identifies you and your past, present or future health status or care or the provision of or payment for that health care. We are obligated to abide by these Privacy Practices as of the last updated date listed above.

We may, however, change our Privacy Practices in the future and specifically reserve our right to change the terms of this Notice and our Privacy Practices. We will communicate any change in our Notice and Privacy Practices as described at the end of this Notice. Any changes that we make in our Privacy Practices will affect any health information that we maintain.

Generally, our Privacy Practices strive:

  • To make sure that health information that identifies you is kept private;
  • To provide you this Notice of our Privacy Practices and legal duties with respect to protected health information;
  • To follow the terms of the Notice that is currently in effect; and
  • To make a good faith effort to give you an opportunity to receive this Notice.

Notification Requirements.

Our patients have the right to or will receive a breach notification in appropriate circumstances in the event of a breach of unsecured health information.

Business Associates.

RhythmScience’s Business Associate Agreements with subcontractors provide that all HIPAA security administrative safeguards, physical safeguards, and technical safeguard requirements apply directly to our business associate subcontractors.

Access to E-Health Records.

Individuals have the right to access their own e-health record in an electronic format and to direct RhythmScience to send the e-health record directly to a third party. RhythmScience may only charge for reasonable labor costs under electronic transfers of e-health records.

Accounting of E-Health Records for Treatment, Payment, and Health Care Operations.

Individuals have a right to request an accounting of disclosures through an e-health record to carry out treatment, payment, and health care operations.

HOW WE MAY USE AND DISCLOSE YOUR HEALTH INFORMATION

Our healthcare platform is designed to manage your pacemaker data. Under no circumstances will health information about you be shared with another provider (or their staff), unless it is in support of a referral that you have made and in that case, health information will only be shared with the providers that you designate. Those providers, in accordance with HIPAA, have the ability to share that information with their various staff members and/or designees. In addition, there are situations where the law permits or requires us to use and disclose your health information without your authorization. Specifically, we may use and disclose your health information as follows:

For Treatment, Payment and Healthcare Operations Purposes.

In general, we may use and/or disclose your health information without first obtaining your written authorization for treatment, payment, and healthcare operations purposes. There are other situations where we may use and/or disclose your health information without first obtaining your written authorization as described below:

  • For Public Health Activities. We may use or disclose health information to a public health authority that is authorized by law to collect or receive information in order to report, among other things, communicable diseases and child abuse, or to the F.D.A. to report medical device or product-related events. In certain limited situations, we may also disclose health information to notify a person exposed to a communicable disease.
  • For Health Oversight Activities. We may disclose health information to a health oversight agency that includes, among others, an agency of the federal or state government that is authorized by law to monitor the health care system.
  • For Law Enforcement Activities. We may disclose limited health information in response to a law enforcement official’s request for information to identify or locate a victim, a suspect, a fugitive, a material witness or a missing person (including individuals who have died) or for reporting a crime that has occurred on our premises or that may have caused a need for emergency services.
  • For Judicial and Administrative Proceedings. We may disclose health information in response to a subpoena or order of a court or administrative tribunal.
  • To Coroners, Medical Examiners, and Funeral Directors. We may release health information to a coroner or medical examiner to identify a deceased person or to determine the cause of death.
  • For Purposes of Organ Donation. We may disclose health information to an organ procurement organization or another facility that participates in the procurement, banking or transplantation of organs or tissues.
  • For Purposes of Research. We may conduct and/or participate in medical, social, psychological and other types of research. Most research projects are subject to a special approval process to evaluate the proposed research project and its use of health information before we use or disclose health information. In certain circumstances, however, we may disclose health information to people preparing to conduct a research project to help them determine whether a research project can be carried out or will be useful.
  • To Avoid Harm to a Person or for Public Safety. We may use and disclose health information if we believe that the disclosure is necessary to prevent or lessen a serious threat or harm to the public or the health or safety of another person.
  • For Specialized Government Functions. We may use and disclose health information of certain military individuals, for specific governmental security needs, or as needed by correctional institutions.
  • For Workers’ Compensation Purposes. We may disclose health information to comply with the workers’ compensation laws or other similar programs.
  • For Appointment Reminders and to Inform You of Healthcare Products or Services. We may use or disclose your health information to contact you for appointments or other scheduled services or to provide you with information about treatment alternatives or our other products and services.

Other Uses and Disclosures Will Require Your Written Prior Authorization, including without limitation, the following:

  • Most uses and disclosures of psychotherapy notes (as applicable, if recorded by RhythmScience);
  • Uses and disclosures of your health information for marketing purposes, including subsidized treatment communications; and
  • Disclosures of your health information that constitute a “sale.”


For other situations not generally or specifically described in our Notice, we will ask for your written authorization before we use or disclose your health information. You may revoke that authorization, in writing, at any time to stop future disclosures of your health information. Information previously disclosed, however, will not be requested to be returned nor will your revocation affect any action that we have already taken. In addition, if we collected the information in connection with a research study, we are permitted to use and disclose that information to the extent it is necessary to protect the integrity of the research study.

YOUR RIGHTS REGARDING YOUR HEALTH INFORMATION

This portion of our Notice describes your individual privacy rights regarding your health information and how you may exercise those rights.

Requesting Restrictions of Certain Uses and Disclosures of Health Information.

You may request, in writing, a restriction on how we use or disclose your health information for treatment or for activities related to our health care operations. You may also request a restriction on what health information we may disclose to someone who is involved in your healthcare, such as a family member or friend. Additionally, you have the right to opt out of fundraising solicitations. Finally, you have the right to restrict certain disclosures of your health information to health plans when you have paid in full for a health care item or service.

To make any request or complaint to RhythmScience in connection with this Notice, please contact: RhythmScience HIPAA Compliance Officer at hipaaofficer@rhythmscience.com.

We are not required to agree with all requests. Additionally, any restriction that we may approve will not affect any use or disclosure that we are legally required to make under HIPAA.

Requesting Confidential Communications.

You may request and receive reasonable changes in the manner or the location where we may contact you for healthcare related services and information. You must make your request in writing and specify the alternate method or location where you wish to be contacted.

We will accommodate your reasonable request, but in determining whether your request is reasonable, we may consider the administrative difficulty it would impose on us.

Inspecting and Obtaining Copies of Your Health Information.

You may ask to review and obtain a copy of your health information. You must make your request in writing.

Requesting a Change in Your Health Information.

You may request, in writing, a change or addition to your health information. HIPAA limits your ability to change or add to your health information. These limitations include whether we created or include the health information within your medical records or if we believe that the health information is accurate and complete without any changes. Under no circumstances will we erase or otherwise delete original documentation in your designated health record, unless required to do so by applicable law.

Requesting an Accounting of Disclosures of Your Health Information.

You may ask, in writing, for an accounting of certain types of disclosures of your health information. HIPAA excludes from an accounting many of the typical categories of disclosures, such as those made to provide you with healthcare treatment or where you provided your written authorization prior to the disclosure.

Generally, we will respond to your request within 60 days of receiving your request unless we need additional time.

Obtaining a Notice of Our Privacy Practices.

We provide you with our Notice to explain and inform you of our Privacy Practices, and this Notice is available on our website at https://rhythm360.io/privacy. Even if you have received this Notice electronically, you may request a paper copy at any time.

COMPLAINTS

We welcome an opportunity to address any concerns that you may have regarding the privacy of your health information. If you believe that the privacy of your health information has been violated, you may file a complaint with RhythmScience at the contact email listed above and with the Secretary of the U.S. Department of Health and Human Services Office for Civil Rights by sending a letter to 200 Independence Avenue, S.W., Washington, D.C. 20201, calling 1-877-696-6775, or visiting www.hhs.gov/ocr/privacy/hipaa/complaints.

CHANGES TO THIS NOTICE

We reserve the right to change this Notice concerning our Privacy Practices affecting all the health information that we now maintain, as well as health information that we may receive in the future. We will provide you with the revised Notice by making it available to you upon request and by posting the revised Notice on our website, as indicated by the last updated date at the top of the Notice.

YOU WILL NOT BE PENALIZED OR RETALIATED AGAINST FOR FILING A COMPLAINT