HIPAA Notice of Privacy Practices

Nightingale Health Intelligence, Inc. ("Nightingale") is committed to protecting the privacy and security of your Protected Health Information (PHI). This Notice of Privacy Practices describes: • How we may use and disclose your PHI • Your privacy rights regarding your PHI • Our obligations to protect your PHI We are required by law to maintain the privacy of PHI, to provide individuals with notice of our legal duties and privacy practices with respect to PHI, and to notify affected individuals following a breach of unsecured PHI.

PHI is information about you, including demographic data, that can reasonably be used to identify you and that relates to: • Your past, present, or future physical or mental health • Health care you have received • Payment for health care services you have received PHI does not include information that has been de-identified in accordance with HIPAA standards.

For Treatment: We may use and disclose your PHI to provide, coordinate, or manage your health care and related services. For Payment: We may use and disclose your PHI to obtain payment for health care services provided to you. For Health Care Operations: We may use and disclose your PHI for various business activities, including: • Quality assessment and improvement activities • Compliance and auditing programs • Business planning and development • General administrative activities As Required by Law: We will disclose your PHI when required to do so by federal, state, or local law. Public Health Activities: We may disclose your PHI to public health authorities for purposes such as: • Preventing or controlling disease, injury, or disability • Reporting vital events (births, deaths) • Reporting adverse events related to food, supplements, or products Health Oversight Activities: We may disclose your PHI to health oversight agencies for activities authorized by law, such as audits, investigations, and inspections. Judicial and Administrative Proceedings: We may disclose your PHI in response to a court or administrative order, subpoena, or discovery request. Law Enforcement: We may disclose your PHI to law enforcement officials under certain circumstances, such as: • To identify or locate a suspect, fugitive, material witness, or missing person • To report certain types of wounds or injuries • In response to a valid court order or warrant Research: We may use or disclose your PHI for research purposes with appropriate protections or under specific circumstances permitted by HIPAA. To Avoid Harm: We may disclose your PHI if we believe it is necessary to prevent or avoid a serious threat to health or safety. Organ and Tissue Donation: We may disclose your PHI to organizations that handle organ, eye, or tissue donation and transplantation. Workers' Compensation: We may disclose your PHI as authorized by and to the extent necessary to comply with workers' compensation laws.

For most other purposes, we must obtain your written authorization before using or disclosing your PHI. This includes: • Marketing activities • Sale of PHI • Psychotherapy notes (with limited exceptions) • Most uses and disclosures for research purposes Once you give us authorization, you may revoke it at any time in writing. If you revoke your authorization, we will stop using or disclosing your PHI, but we cannot take back any uses or disclosures already made.

We are required by law to: • Maintain the privacy and security of your PHI • Provide you with this Notice of our legal duties and privacy practices • Abide by the terms of this Notice • Notify you promptly if a breach occurs that may have compromised the privacy or security of your PHI • Not use or share your information other than as described here unless you tell us we can in writing We reserve the right to change our practices and make the new provisions effective for all PHI we maintain. If we make material changes to this Notice, we will post the updated version on our website.

For Privacy Questions or to Exercise Your Rights: Privacy Officer Nightingale Health Intelligence, Inc. 501 Folsom St San Francisco, CA 94105, USA Email: privacy@nightingalehq.org Phone: +1 (628) 529-5070 To File a Complaint with HHS: U.S. Department of Health and Human Services Office for Civil Rights 200 Independence Avenue, S.W. Washington, D.C. 20201 Phone: 1-800-368-1019 Website: www.hhs.gov/ocr We will not retaliate against you for filing a complaint.