Notice of Privacy Practices

NeuroTap Health, Inc. ("NeuroTap Health") is committed to protecting the privacy of your health information. This Notice of Privacy Practices ("Notice") describes your rights and our obligations regarding your Protected Health Information ("PHI") under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the HITECH Act, as amended.

This Notice applies to all PHI we create, receive, maintain, or transmit in connection with your participation in the NeuroTap Health program.

Our Responsibilities

NeuroTap Health is required by law to:

• Maintain the privacy and security of your Protected Health Information
• Provide you with this Notice of our legal duties and privacy practices
• Follow the terms of the Notice currently in effect
• Notify you in the event of a breach of your unsecured PHI

How We May Use and Disclose Your Health Information

The following categories describe the ways we may use and disclose your PHI without your authorization. Not every use or disclosure in a category will be listed, but all of the ways we are permitted to use and disclose information will fall within one of these categories.

Treatment

We may use and disclose your PHI to provide, coordinate, and manage your healthcare and related services. This includes sharing information with your assigned care team, program coordinators, supervising clinicians, and your referring or treating healthcare provider. For example, we may share your assessment results and session data with your treating clinician to inform adjustments to your program.

Payment

We may use and disclose your PHI to obtain payment for services we provide to you. This may include submitting claims to your health insurer, employer health plan, or other payer, and responding to requests for prior authorization. We may also disclose your PHI to your insurance company to verify your coverage and benefits.

Health Care Operations

We may use and disclose your PHI for our healthcare operations, including:

• Quality assurance and improvement activities, including reviewing the effectiveness of our tapping-based interventions
• Training and education of clinical and program staff
• Accreditation, licensing, and credentialing activities
• Business management and administrative activities
• Conducting or arranging for medical review, legal services, and auditing functions

Health Information Exchanges

We may participate in health information exchanges (HIEs) that electronically share health information among healthcare providers and other entities involved in your care. You may have the right to opt out of such sharing; contact us for more information.

Research

We may use or disclose your PHI for research purposes when a research project has been approved through an established review process that evaluates the proposal and establishes protocols to ensure the privacy of your health information. We may also use or disclose your PHI to researchers preparing to conduct research (for example, to help them identify patients who may be eligible for a study), provided safeguards are in place. For any research involving your identifiable PHI beyond these preparatory activities, we will seek your separate written authorization.

We may use de-identified health information derived from your PHI — from which all identifying information has been removed — for research, program evaluation, and outcomes reporting without restriction.

As Required by Law

We will disclose your PHI when required to do so by federal, state, or local law, including in response to valid court orders, subpoenas, or other lawful process.

Public Health Activities

We may disclose your PHI to public health authorities authorized to receive such information for purposes such as preventing or controlling disease, reporting adverse events related to medications or products, or reporting suspected child abuse or neglect as required by law.

Health Oversight Activities

We may disclose your PHI to health oversight agencies for oversight activities authorized by law, such as audits, investigations, inspections, and licensure activities related to the health care system.

Serious Threats to Health or Safety

We may use or disclose your PHI when necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public, consistent with applicable law and ethical standards.

Business Associates

We share PHI with our Business Associates — vendors and service providers who perform functions on our behalf that involve the use or disclosure of PHI. All Business Associates are required to enter into written agreements with us that require them to appropriately safeguard your PHI. Examples include our cloud hosting provider, clinical analytics vendors, and care coordination platform partners.

Uses and Disclosures Requiring Your Authorization

The following uses and disclosures of your PHI require your written authorization before we may proceed:

• Most uses and disclosures of psychotherapy notes (if applicable)
• Uses and disclosures of PHI for marketing purposes
• Sale of your PHI
• Uses and disclosures not otherwise described in this Notice

If you provide us with authorization to use or disclose your PHI, you may revoke that authorization, in writing, at any time. If you revoke your authorization, we will no longer use or disclose your PHI as allowed by that authorization, except to the extent that we have already taken action in reliance on your authorization.

Your Rights Regarding Your Health Information

Right to Access Your PHI

You have the right to inspect and obtain a copy of your PHI that is contained in a designated record set, which generally includes your medical and billing records. We will provide you with a copy of your PHI in the format you request, if it is readily producible in that format, or in a mutually agreeable format. We may charge a reasonable, cost-based fee for copies. We must provide access within 30 days of your request (or 60 days if the information is stored off-site), with one possible 30-day extension.

We may deny your request in certain limited circumstances as permitted by law. If we deny your request, we will explain the basis for the denial and your right to have the denial reviewed.

Right to Request Amendment

If you believe that the PHI we have about you is incorrect or incomplete, you may ask us to amend it. You must submit your request in writing, including the reason for the amendment. We may deny your request if the information: was not created by us; is not part of the information you would be permitted to inspect or copy; is not part of our designated record set; or is accurate and complete. If we deny your request, you have the right to submit a statement of disagreement.

Right to an Accounting of Disclosures

You have the right to receive a list of certain disclosures of your PHI we have made during the six years prior to your request (or a shorter period if requested). This accounting does not include disclosures made for treatment, payment, or health care operations; disclosures you authorized; and certain other disclosures as permitted by law.

Right to Request Restrictions

You have the right to request restrictions on our use or disclosure of your PHI for treatment, payment, or health care operations. We are not required to agree to your request, except that we must agree to a restriction on disclosures to a health plan for payment or health care operations if the PHI pertains solely to a health care item or service for which you paid out of pocket in full.

Right to Request Confidential Communications

You have the right to request that we communicate with you about your health information in a certain way or at a certain location. For example, you may ask that we contact you only by email or only at a specific address. We will accommodate reasonable requests.

Right to a Paper Copy of This Notice

You have the right to a paper copy of this Notice at any time, even if you have agreed to receive it electronically. You may request a paper copy from us using the contact information below.

Right to Receive Notification of a Breach

In the event that your unsecured PHI is subject to a breach, we will notify you as required by the HIPAA Breach Notification Rule, generally within 60 days of discovering the breach.

Changes to This Notice

We reserve the right to change this Notice at any time. Changes will apply to PHI we already hold, as well as new PHI we receive after the effective date of the revised Notice. When we make material changes, we will post the revised Notice on our website (www.neurotaphealth.com/hipaa) and make the new Notice available to you at your next program interaction or upon request. The effective date of the current Notice appears at the top of this document.

Complaints

If you believe your privacy rights have been violated, you have the right to file a complaint with us or with the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). We will not retaliate against you for filing a complaint.

To file a complaint with NeuroTap Health:

To file a complaint with the HHS Office for Civil Rights:

Contact Our Privacy Officer

For questions about this Notice or to exercise any of your rights described above, please contact: