NOTICE OF PRIVACY PRACTICES FOR BEAM HEALTH GROUP, LLC.

9 April 2020

THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.

We have implemented reasonable technical, physical, administrative, and organizational safeguards to protect the information we collect from loss, misuse, and unauthorized access, disclosure, alteration, and destruction. Please be aware that despite our efforts, no data security measures can guarantee 100% security. You should take steps to protect against unauthorized access to your password, phone, and computer by, among other things, signing off after using a shared computer, choosing a robust password that nobody else knows or can easily guess, and keeping your log-in and password private. We are not responsible for any lost, stolen, or compromised passwords or for any activity on your account via unauthorized password activity.

As a Patient, your information will be shared with Healthcare Providers as directed and consented to by you. Our Services make your Assessments and related information available to your Healthcare Provider. We will not make information available to Healthcare Providers other than those with whom you have requested that we share your Assessments. This Policy does not address how Healthcare Providers will use and disclose information obtained using Beam. If you would like this information, you should ask your Healthcare Provider directly for a copy of his/her Notice of Privacy Practices.

Service Providers. We may disclose the information we collect from you to third party vendors, service providers, contractors or agents who perform functions on our behalf.

Business Transfers. If we are acquired by or merged with another company, if substantially all of our assets are transferred to another company, or if we are a part of a bankruptcy proceeding, we may transfer the information we have collected from you to the other Company.

In Response to Legal Process. We also may disclose the information we collect from you in order to comply with the law, a judicial proceeding, court order, or other legal process, such as in response to a subpoena in compliance with applicable privacy laws.

To Protect Us and Others. We also may disclose the information we collect from you, to the extent permitted by law, where we believe it is necessary to investigate, prevent, or take action regarding illegal activities, suspected fraud, situations involving potential threats to the safety of any person, violations of our Terms of Use or this Policy, or as evidence in litigation in which Beam is involved.

Aggregate and De-Identified Information. We may share aggregate or de-identified information about users with third parties for marketing, advertising, research or similar purposes.

COOKIES AND OTHER TRACKING MECHANISMS

We use cookies and other tracking mechanisms to track information about your use of our Site or Services. We may combine this information with other information we collect from you.

Cookies. Cookies are alphanumeric identifiers that we transfer to your computer’s hard drive through your web browser for record-keeping purposes. Some cookies allow us to make it easier for you to navigate our Site and Services, while others are used to enable a faster log-in process or to allow us to track your activities at our Site and Service. Most web browsers automatically accept cookies, but if you prefer, you can edit your browser options to block them in the future. The Help portion of the toolbar on most browsers will tell you how to prevent your computer from accepting new cookies, how to have the browser notify you when you receive a new cookie, or how to disable cookies altogether. Visitors to our Site who disable cookies will be able to browse public areas of the Site, but the Services will not function.

Clear GIFs (a.k.a. web beacons, web bugs or pixel tags). Clear GIFs are tiny graphics with a unique identifier, similar in function to cookies. In contrast to cookies, which are stored on your computer’s hard drive, clear GIFs are embedded invisibly on web pages. We may use clear GIFs (in connection with our Site to, among other things, track the activities of Site visitors, help us manage content, and compile statistics about Site usage. We and our third-party service providers also use clear GIFs in HTML e-mails to our customers, to help us track e-mail response rates, identify when our e-mails are viewed, and track whether our e-mails are forwarded.

Third Party Analytics. We use automated devices and applications, such as Google Analytics, MixPanel, and Kissmetrics, to evaluate usage of our Site and Services and to help us personalize content on out Site and Services. We also may use other analytic means to evaluate our Services. We use these tools to help us improve our Services, performance and user experiences. These entities may use cookies and other tracking technologies to perform their services. We do not share your personal information with these third parties.
Advertising. We may use network advertisers, such as AdRoll, to advertise our Site and Services on other websites, and we may do so based on your visits to our Site and to other third party Sites. These entities may use cookies and other tracking technologies to perform their services. We do not share your personal information with these third parties. Our Site does not currently respond to browser “Do-Not-Track requests; however, you may find out more about targeted advertising in general, and opt out of targeted ads from many ad networks, including AdRoll, through the National Advertising Initiative (“NAI”) website, or the Digital Advertising Alliance (“DAA”) website.

MARKETING EMAILS

We may send periodic promotional or informational emails to Healthcare Providers. Healthcare Providers may opt-out of such communications by following the opt-out instructions contained in the e-mail. Please note that it may take up to 10 business days for us to process opt-out requests. If you opt-out of receiving emails about recommendations or other information we think may interest you, we may still send you e-mails about your account or any Services you have requested or received from us.

THIRD-PARTY LINKS

Our Site and Services may contain links to third-party websites. Any access to and use of such linked websites is not governed by this Policy, bu instead is governed by the privacy policies of those third party websites. We are not responsible for the information practices of such third party websites.

PATIENT HEALTH INFORMATION

The privacy and security of Patients’ individually identifiable health information provided to Beam Health Group in connection with Services may be protected by federal law (HIPAA, the HITECH Act, and their regulations) and state privacy laws, because Beam provides Services to health care providers. This health information is “protected health information” (“PHI”). PHI may be used and disclosed by Beam as necessary to provide Services, for our own management and operations, to meet our legal obligations, and for any other purpose for which Patients have given consent. We may share PHI with third parties for these purposes in compliance with applicable law. We may de-identify PHI and aggregate it for purposes of monitoring and improving our products and services, for benchmarking purposes, and to provide customized services or technologies our customers.

ACCESS TO MY PATIENTS’ PERSONAL INFORMATION

You may modify registration information that you have submitted by sending an email to info@beamhealthgroup.com Please note that copies of information that you have updated, modified or deleted may remain viewable in cached and archived pages of the Site for a period of time.

CONTACT

We encourage you to contact us if you have any questions or concerns regarding the privacy aspects of our Services or would like to make a complaint. You may write us at info@beamhealthgroup.com or Beam Health Group, LLC. 26 Broadway Street Floor 8, New York, NY 10002

CHANGES TO THE POLICY

This Policy is current as of the Effective Date set forth above. We may change this Policy from time to time, so please be sure to check back periodically. We will post any changes to this Policy on this page. If we make any changes to this Policy that materially affect our practices with regard to the personal information we have previously collected from you, we will endeavor to provide you with notice in advance of such change, such as by highlighting the change on our Site, or emailing the email address of record for your account.

BUSINESS ASSOCIATE AGREEMENT

1. Term. This Agreement shall remain in effect for the duration of this Agreement and shall apply to all of the Services and/or Supplies delivered by the Business Associate pursuant to this Agreement

2. HIPAA Assurances. In the event Business Associate creates, receives, maintains, or otherwise is exposed to personally identifiable or aggregate patient or other medical information defined as Protected Health Information (PHI) in the Health Insurance Portability and Accountability Act of 1996 or its relevant regulations (“HIPAA”) and otherwise meets the definition of Business Associate as defined in the HIPAAPrivacy Standards (45 CFR Parts 160 and 164), Business Associate shall:(a) Recognize that HITECH (the Health Information Technology for Economic and ClinicalHealth Act of 2009) and the regulations thereunder (including 45 C.F.R. Sections 164.308, 164.310,164.312, and 164.316), apply to a business associate of a covered entity in the same manner that such sections apply to the covered entity;(b) Not use or further disclose the PHI, except as permitted by law;(c) Not use or further disclose the PHI in a manner that had Insert Clinic Name done so, would violate the requirements of HIPAA;(d) Use appropriate safeguards (including implementing administrative, physical, and technical safeguards for electronic PHI) to protect the confidentiality, integrity, and availability of and to prevent the use or disclosure of the PHI other than as provided for by this Agreement;(e) Comply with each applicable requirements of 45 C.F.R. Part 162 if the Business Associate conducts Standard Transactions for or on behalf of the Covered Entity;(f) Report promptly to _____ any security incident or other use or disclosure of PHI not provided for by this Agreement of which Business Associate becomes aware;(g) Ensure that any subcontractors or agents who receive or are exposed to PHI (whether in electronic or other format) are explained the Business Associate obligations under this paragraph and agree to the same restrictions and conditions;(h) Make available PHI in accordance with the individual’s rights as required under the HIPAA regulations;(i) Account for PHI disclosures for up to the past six (6) years as requested by Covered Entity, which shall include: (i) dates of disclosure, (ii) names of the entities or persons who received the PHI, (iii) a brief description of the PHI disclosed, and (iv) a brief statement of the purpose and basis of such disclosure;(j) Make its internal practices, books, and records that relate to the use and disclosure of PHI available to the U.S. Secretary of Health and Human Services for purposes of determining Customer’s compliance with HIPAA;(k) Incorporate any amendments or corrections to PHI when notified by Customer or enter into aBusiness Associate Agreement or other necessary Agreements to comply with HIPAA.

3. Termination Upon Breach of Provisions. Notwithstanding any other provision of this Agreement,Covered Entity may immediately terminate this Agreement if it determines that Business Associate
LIBC/3968202.1breaches any term in this Agreement. Alternatively, Covered Entity may give written notice to BusinessAssociate in the event of a breach and give Business Associate five (5) business days to cure such breach.Covered Entity shall also have the option to immediately stop all further disclosures of PHI to BusinessAssociate if Covered Entity reasonably determines that Business Associate has breached its obligations under this Agreement. In the event that termination of this Agreement and the Agreement is not feasible,Business Associate hereby acknowledges that the Covered Entity shall be required to report the breach to the Secretary of the U.S. Department of Health and Human Services, notwithstanding any other provision of this Agreement or Agreement to the contrary.

4. Return or Destruction of Protected Health Information upon Termination. Upon the termination of this Agreement, unless otherwise directed by Covered Entity, Business Associate shall either return or destroy all PHI received from the Covered Entity or created or received by Business Associate on behalf of the Covered Entity in which Business Associate maintains in any form. Business Associate shall not retain any copies of such PHI. Notwithstanding the foregoing, in the event that Business Associate determines that returning or destroying the Protected Health Information is infeasible upon termination of thisAgreement, Business Associate shall provide to Covered Entity notification of the condition that makes return or destruction infeasible. To the extent that it is not feasible for Business Associate to return or destroy such PHI, the terms and provisions of this Agreement shall survive such termination or expiration and such PHI shall be used or disclosed solely as permitted by law for so long as Business Associate maintains such Protected Health Information.

5. No Third Party Beneficiaries. The parties agree that the terms of this Agreement shall apply only to themselves and are not for the benefit of any third party beneficiaries.

6. De-Identified Data. Notwithstanding the provisions of this Agreement, Business Associate and its subcontractors may disclose non-personally identifiable information provided that the disclosed information does not include a key or other mechanism that would enable the information to be identified.

7. Amendment. Business Associate and Covered Entity agree to amend this Agreement to the extent necessary to allow either party to comply with the Privacy Standards, the Standards for ElectronicTransactions, the Security Standards, or other relevant state or federal laws or regulations created or amended to protect the privacy of patient information. All such amendments shall be made in a writing signed by both parties.

8. Interpretation. Any ambiguity in this Agreement shall be resolved in favor of a meaning that permits. Covered Entity to comply with the then most current version of HIPAA and the HIPAA privacy regulations.9. Definitions. Capitalized terms used in this Agreement shall have the meanings assigned to them as outlined in HIPAA and its related regulations.