Global Privacy Policy – Program Overview
Privacy Policy #1001 – Privacy Program
SCOPE
The scope of this policy governs the establishment and maintenance of HIPAA policies and procedures for Personify Health related to Protected Health Information (“PHI”) and all Personally Identifiable Information (“PII”) processed, collected, recorded, organized,
structured, stored, adapted, altered, retrieved, created, used, disclosed, disseminated,
maintained, made available, aligned, combined, restricted, erased, transmitted, or
destroyed by Personify Health (collectively referred to as “Processing,” “Processed,” or
“Process”).
This policy applies to and includes:
- All Personify Health personnel (i.e., officers, agents, employees, contractors, temporary workers, and volunteers) who have access to PII or PHI or will perform any of the functions on PII or PHI listed within this scope.
- All business functions that incorporate or affect PII and/or PHI.
- All Personify Health information systems, tools, and platforms that perform any of the functions on PII and/or PHI listed within this scope.
- All Authorized and Certified Partners Personify Health includes in its ecosystem and interacts with upon request by a client.
- All sub-processors and/or sub-contractors who perform any of the functions on Personify Health PII and/or PHI listed within this scope for or on behalf of Personify Health for Personify Health to provide our products and services to clients and Members.
- All vendors performing any of the functions listed within this scope on Personify Health PII and/or PHI including Personify Health employee data.
Unless otherwise stated in this Policy, references to Personify Health include its
subsidiaries and affiliates. This Privacy Policy, its policies and any procedures implemented in connection with this policy, should be read and interpreted in context with the specific relationship(s) to which each applies, including in relation to different programs operated by Personify Health or its subsidiaries and affiliates, or location of Prospects, clients, Personify Health Personnel, and Members.
OBJECTIVE
To create a privacy program that:
- Meets or exceeds the privacy expectations of all Personify Health personnel, every client, and every Member.
- Complies with the HIPAA Privacy Rule requirements.
- Complies, as applicable, with known data protection principles, laws and regulations from foreign jurisdictions that Personify Health is aware govern any Member data, including, but not limited to, the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. Personify Health has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union and the United Kingdom in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF. Personify Health has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/.
- Complies with the California Consumer Protection Act (“CCPA”), the Personal Information Protection and Electronic Documents Act (“PIPEDA”), the Personal Information Protection Law of China (“PIPL”), and other similar data protection laws in jurisdictions where Members reside.
- Complies with contractual obligations between Personify Health and its clients, including any applicable Data Processing Agreements, Business Associate Agreements, and Standard Contractual Clauses required for the lawful transmission of data from the jurisdiction in which the PII originates to another jurisdiction where the PII will be affected by any operation listed in the Scope of this Policy.
- Imposes privacy requirements on vendors, partners, subcontractors, sub-processors and other third parties that perform any of the functions or operations listed in the Scope of this Policy affecting
DEFINITIONS
Capitalized terms used in this policy and not otherwise defined in this policy have the
meaning(s) set forth in the Compliance Policy Glossary.
POLICY STATEMENT
Personify Health protects the confidentiality of:
- Prospect and client PII and PHI collected in the course of conducting its sales and business operations.
- Member PII and PHI collected in the course of conducting wellness operations.
- Personify Health Personnel PII and PHI Processed in the course of normal employment and workforce related activities.
- PII belonging to business contacts, and other individuals associated with vendors, subcontractors, Authorized and Certified Partners Processed in the course of conducting its sales and business operations.
- As applicable, Personify Health Personnel and their respective dependents’ PII and PHI Processed in the course of operating Personify Health’s group health plan or related activities.
Personify Health evaluates and considers requests from clients, Members, prospective
Members, Personify Health Personnel, vendors, subcontractors, Authorized and
Certified Partners, as well as any third party whose PII and/or PHI Personify Health
processes, to restrict processing and/or access of PII or PHI beyond the scope of
Personify Health’s policies and applicable data protection laws and regulations.
PROCEDURES
1. Privacy Policies and Procedures
a) Personify Health shall create or revise its own HIPAA policies and procedures,
consistent with all applicable HIPAA Rules and Regulations as well as with
applicable State laws and statutes.
b) Personify Health will review and update this manual at least once annually.
Qualified counsel shall be engaged as needed to guide or review the policies
and procedures creation/revision process, to ensure they address all
applicable HIPAA (and other) standards.
c) Personify Health shall internally publish its HIPAA policies and procedures to all workforce members and shall provide appropriate training to all members of its workforce on the interpretation and implementation of its policies and procedures.
2. Risk Management Process – Implement and maintain an ongoing annual Risk
Management Process that is consistent with the HIPAA Security Rule.
3. Workforce Training and Management – Workforce members include
employees, volunteers, trainees, and may also include other persons whose
conduct is under the direct control of Personify Health (whether or not they are
paid by Personify Health). Personify Health shall train all workforce members on
its privacy policies and procedures, as necessary and appropriate for them to
carry out their various functions. Additional security awareness training will also
be provided to Personify Health workforce members including emerging
malware (ransomware) and social engineering threats.
4. Sanctions – Personify Health shall have and apply appropriate sanctions against
workforce members who violate its policies and procedures, and/or HIPAA’s Privacy
and Security Rules.
5. Mitigation – Personify Health shall mitigate, to the extent practicable, any
harmful effect it learns was caused by use or disclosure of protected health
information by its workforce or its business associates in violation of its privacy
policies and procedures or the Privacy Rule.
6. Data Safeguards – Personify Health shall maintain reasonable and appropriate
administrative, technical, and physical safeguards to prevent intentional or
unintentional uses or disclosures of protected health information in violation of the
Privacy Rule and its own policies, and to limit the incidental uses and disclosures
pursuant to otherwise permitted or required uses or disclosures.
7. Complaints and Alternative Dispute Resolution (for DPF) – Personify Health shall
establish procedures for individuals to express concerns about its compliance with
its privacy policies and procedures and the Privacy Rule. Personify Health shall
explain those procedures in its privacy practices notice. In compliance with the EU-
U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, Personify
Health commits to refer unresolved complaints concerning our handling of personal
data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S.
DPF and the Swiss-U.S. DPF to Truste, an alternative dispute resolution provider
based in the United States. If the Member does not receive timely acknowledgment
of the Member’s DPF Principles-related complaint from Personify Health, or if
Personify Health has not addressed the Member’s DPF Principles-related complaint
to the Member’s satisfaction, the Privacy Notice will contain this
hyperlink, https://feedback-form.truste.com/watchdog/request, for more
information or to file a complaint. The services of Truste are provided at no cost to
the Member.
8. Retaliation and Waiver – Personify Health shall NOT retaliate against a person
for exercising rights provided by HIPAA, for assisting in an investigation by HHS
or another appropriate authority, or for opposing an act or practice that the
person believes in good faith violates any HIPAA standard or requirement.
Personify Health shall not require an individual to waive any right under the
Privacy Rule as a condition for obtaining treatment, payment, and enrollment or
benefits eligibility.
9. Documentation and Record Retention – Personify Health shall maintain, until
at least seven years after the later of the date of their creation or last effective
date, its privacy policies, and procedures, its privacy practices notices,
dispositions of complaints, and other actions, activities, and designations that the
Privacy Rule requires to be documented.
10. Onward Transfers – When Personify Health receives Personal Information from
a third party, or shares Personal Information with a third party, Personify Health
shall execute appropriate written agreements based on the applicable
jurisdiction. For example, Personify Health executes EU approved standard
contractual clauses with EU-based Program Sponsors that send Personify Health
Eligibility Files as the data importer, as that term is defined in the
GDPR. Personify Health shall also execute EU approved standard contractual
clauses with Personify Health’s subcontractors that assist Personify Health in
processing EU based data, as the data exporter. In the context of an onward
transfer Personify Health has responsibility for the processing of personal
information it receives under the Data Privacy Framework and subsequently
transfers to a third party acting as an agent on its behalf. Personify Health shall
remain liable under the GDPR Principles if its agent processes such personal
information in a manner inconsistent with the GDPR Principles, unless the
organization proves that it is not responsible for the event giving rise to the
damage.
PRIVACY OFFICER
The role of the Privacy Officer with respect to the creation, review, consideration,
and maintenance of the Personify Health privacy policies and overall privacy
program is outlined herein:
1. The Privacy Officer develops and implements the privacy program across the organization.
2. The Privacy Officer develops and distributes privacy notices to individuals affected by the privacy program.
3. The Privacy Officer implements procedures for receiving and responding to privacy related questions and complaints.
4. The Privacy Officer verifies that the privacy program is aligned with any contractual
obligations.
5. The Privacy Officer delegates certain functions to other individuals but retains responsibility for the duties described herein.
6. Contact information for the Privacy Officer is as follows:
Privacy Officer
Personify Health, Inc.
Suite 400
75 Fountain Street
Providence, RI 02903
Internal Email Address:
[email protected]
External Email Address:
[email protected]
PERSONIFY HEALTH ENTITY RELATIONSHIPS
1. Wellness Programs
a) Each client designates which individuals are eligible to participate in the applicable wellness program. Participation in the program is optional at the choice of the individual. Each individual who enrolls in a program becomes a Member subject to the terms of the applicable membership agreement, privacy notice, and consent to process PII and
PHI. With respect to PII about Members, Personify Health operates as Data Controller, or similar designation, under the applicable data protection laws and is directly responsible for complying with such laws, including responding to data subject rights requests.
b) Personify Health processes Eligibility Files for its Programs. Personify Health processes Eligibility Files at the direction of its clients and serves as the Data Processor subject to terms supporting the client in meeting its obligations under applicable data protection laws. If the client providing the Eligibility Files is a Covered Entity under HIPAA, then Personify Health will operate as a Business Associate when processing these Eligibility Files.
2. Claims and Data Processing
a) Personify Health provides claims and data processing services to
clients. In these circumstances, Personify Health processes data at the
direction of the client, and the data subject may be unaware that Personify Health is conducting the processing. In these cases, the data subject must direct all Data Subject Rights Requests to the client. In some circumstances, the Data Subject may be eligible for Data Subject Rights with respect to PII or PHI processed under a wellness program,
but may have different rights with respect to the claims data processed.
3. Channel Communications
a) Personify Health provides various channel communication options for
clients, both within and outside the scope of a particular wellness
program, including email and SMS text messaging. In these cases,
Personify Health processes the PII as a Data Processor under
applicable data protection laws, but is also directly subject to data
protection laws relating to opt-in and opt-out with respect to
communications.
4. Business Associate, HIPAA Compliance
a) Personify Health sometimes serves as a Business Associate to Covered Entities or other Business Associates.
b) Personify Health enters into Business Associate Agreements when
Personify Health shares or exchanges PHI with vendors, subcontractors and Certified Partners.
5. Personify Health internal wellness programs
a) Personify Health administers various wellness programs for eligible
Personify Health Personnel and their eligible dependents.
b) Personify Health is a Covered Entity with respect to the PHI it creates, collects, maintains, uses, and transfers in relation to the wellness
program.
c) As applied to the HIPAA privacy rights of Members in Personify Health’s health FSA and wellness program, the term “plan” or “Covered Entity,” when used in the context of Personify Health’s own health plans, means the organized health care arrangement designated above.
6. Personify Health Group Health Plans
a) Personify Health has self-insured health plans that are managed by a third-party administrator. Personify Health is a Covered Entity with respect to the self-insured group health plan.
ORGANIZATION FOR ECONOMIC CO-OPERATION AND DEVELOPMENT (OECD) PRIVACY PRINCIPLES
Personify Health follows the eight OECD Privacy Principles:
1. Collection Limitation – Personify Health only collects information necessary for
its authorized purposes. See Privacy Policy 1002 – Collection of PII and PHI and
Privacy Policy 1005 – Minimization of Data in Processing.
2. Data Quality – Personify Health works to validate data quality
throughout the data life cycle. See Privacy Policy 1017 – Right to Correct
PII and PHI.
3. Purpose Specification – Personify Health notifies Members about the
collection purposes. See Privacy Policy 1007 – Notice of Privacy Practices and
Privacy Policy 1032 – Online Privacy Notices.
4. Use Limitation – Personify Health limits use of personal information to the
stated purpose. See Privacy Policy 1003 – Use and Disclosure of PII and Privacy
Policy 1004 – Use and Disclosure of PHI.
5. Security Safeguards – Personify Health implements appropriate security
measures to protect personal information. See Information Security
Policies and Procedures.
6. Openness Principle – Personify Health is direct and transparent with data
practices. See Privacy Policy 1007 – Notice of Privacy Practices and Privacy
Policy 1032 – Online Privacy Notices.
7. Individual Participation – Personify Health allows Members to access and see
their own personal information, as well as request updates, amendments, and
restrictions. See Privacy Policy 1014 – Right to Access PII and PHI, Privacy Policy
1017 – Right to Correct PII and PHI, Privacy Policy 1018 – Right to Request
Restriction, and Privacy Policy 1022 – Accounting of Disclosures.
8. Accountability – Personify Health shall remain accountable for complying
with measures which give effect to the OECD Privacy Principles.
INTERNATIONAL TRANSFERS OF PII INTO THE UNITED STATES
1. To facilitate data exchanges with clients located in the European Union that
send Personify Health PII in Eligibility Files from the European Union, Personify
Health enters into Standard Contractual Clauses to support the transfer of
Personal Data. Upon enrollment, Members consent to Personify Health’s
processing of their information, making consent the legal basis of transfer of
PII contained in Member Data from the European Union, the United Kingdom
and Switzerland to the United States.
2. To facilitate data exchanges with clients located in other jurisdictions,
Personify Health coordinates with clients to meet appropriate international
transfer requirements under applicable data protection laws.
EU-US DATA PRIVACY FRAMEWORK (DPF)
The European Commission adopted its adequacy decision on the Data Privacy
Framework (“DPF”) on July 10, 2023. The rules and binding safeguards of the DPF permit
the transfer of personal data between European Union countries and the United States.
Personify Health has registered with the U.S. Department of Commerce certifying the
company’s compliance with the DPF principles. The U.S. Federal Trade Commission is
the U.S. agency with regulatory authority over Personify Health concerning DPF
compliance matters.
THE GENERAL DATA PROTECTION REGULATION
Personify Health, with the exception of the Welltok and APH entities, has achieved
compliance with the General Data Protection Regulation (“GDPR”) as applicable to
Personify Health depending on the specific context of its operations and its role as a
Processor or Controller.
Personify Health supports its compliance by following the six basic principles of data
protection as stated under GDPR:
1. Lawfulness, Fairness and Transparency – Article 5, clause 1(a) GDPR
Personify Health processes data to carry out its contractual obligations,
depending on the context, to its clients or Members. Personify Health
processes all data in a transparent manner, providing due notice to clients
and Members as to its practices and ensuring strict compliance with its
policies, including this Privacy Policy and all policies associated to it.
2. Purpose limitations – Article 5, clause 1(b) GDPR
Personify Health obtains PII for “specified, explicit and legitimate purposes”
and makes use of such PII only in a manner and for purposes agreed upon
with, as applicable, the clients and/or Members. Any further use is subject to
additional notices and approvals or consents.
Personify Health shall offer individuals the opportunity to choose (opt out)
whether their PII is (i) to be disclosed to a third party or (ii) to be used for a
purpose that is materially different from the purpose(s) for which it was
originally collected or subsequently authorized by the individuals. Individuals
will be provided with clear, conspicuous, and readily available mechanisms to
exercise choice.
For sensitive information (i.e., personal information specifying medical or
health conditions, racial or ethnic origin, political opinions, religious or
philosophical beliefs, trade union membership or information specifying the
sex life of the individual), Personify Health will obtain affirmative express
consent (opt in) from individuals if such information is to be (i) disclosed to a
third party or (ii) used for a purpose other than those for which it was originally collected or subsequently authorized by the individuals through the exercise of opt-in choice. Personify Health will treat as sensitive any personal information received from a third party where the third party identifies and treats it as sensitive.
3. Data minimization – Article 5, clause 1(c) GDPR
Personify Health collects and processes PII that is “adequate, relevant and limited to what is necessary” in relation to the purposes for which the data is collected and processed. The principle of “data minimization” is generally applied to all PII. In all iterations of processing of PII, Personify Health, Inc. limits PII to the data points necessary to accomplish the intended purpose of the use, disclosure, or request. While not all Applicable Data Protection Laws have addressed data minimization, Personify Health, Inc. has chosen to extend the GDPR-mandated minimization requirement across its book of business and all PII.
The principle of “data minimization” applies to:
• All features and processes used by Personify Health, Inc. in the
development, maintenance and administration of its wellness and
wellbeing programs and ancillary functions;
• The level of access granted to users to access PII; and
• The types of PII included in a data set (including reports provided to
Clients).
The principle of “data minimization” does NOT apply to:
• Uses or disclosures of an individual’s PII when made to the individual,
including in response to a request for access or request for an accounting.
• Uses or disclosures pursuant to an authorization from the data subject.
• Uses or disclosures to data protection authorities with a legal right to
access the PII.
• Uses or disclosures required by applicable laws and regulations.
• Uses or disclosures required for compliance with applicable laws and
regulations.
When using or disclosing PHI or when requesting PHI from another Covered Entity
or Business Associate, Personify Health, Inc. limits PHI to the “minimum
necessary” to accomplish the intended purpose of the use, disclosure, or request.
The concept of “minimum necessary” applies to:
• The level of access granted to users to access PHI;
• The types of PHI included in a data set; and
• The number of rows included in a data set.
The concept of “minimum necessary” does NOT apply to:
• Uses or disclosures of an individual’s PHI when made to the individual,
including in response to a request for access or request for an
accounting;
• Uses or disclosures pursuant to an authorization from the data subject,
except for uses or disclosures of genetic information for underwriting
purposes;
• Uses or disclosures to the Secretary of the Department of Health and
Human Services (“HHS”);
• Uses or disclosures required by applicable laws and regulations; and
• Uses or disclosures required for compliance with the Privacy Rule.
4. Accuracy of Data – Article 5, clause 1(d) GDPR
Personify Health enforces processes to ensure any Member PII collected is
and remains “accurate and where necessary kept up to date”, including by
providing Members various options to correct or update their PII.
5. Storage limitations – Article 5, 1(e) GDPR
Personify Health ensures data no longer required for its operations or
administration of services is de-identified in a manner compliant with
prevailing industry practices.
6. Integrity and Confidentiality – Article 5, 1(f) GDPR
Personify Health implements appropriate physical, technical and
administrative safeguards, including the maintenance of an Information
Security Management System, aimed at protecting PII from “unlawful
processing or accidental loss, destruction or damage”.
THE CALIFORNIA CONSUMER PRIVACY ACT AND OTHER APPLICABLE LAWS
1. The California Consumer Privacy Act as amended by the California Privacy
Rights Act (“CCPA”), enacted by the State of California and enforceable as of
July 1, 2020, promulgated a set of standards similar in nature but overall less
stringent than the terms of the GDPR.
2. Personify Health, in its operations, applies GDPR standards to all PII
processed, with limited local exceptions for communications structured on an
opt-out basis as permitted by US law, therefore ensuring compliance with the
terms of CCPA. Specifically with regards to the CCPA’s opt-out requirements
for sale of PII, Personify Health has chosen not to implement an opt-out as
Personify Health has never sold, rented, leased or otherwise made available
PII to third parties for commercial purposes, making an explicit “opt-out” feature confusing and unnecessary.
3. With respect to any new applicable state, federal and international privacy
laws, such as Lei Geral de Proteção de Dados (LGPD), Personify Health applies
GDPR standards to all PII processed, unless more restrictive standards are
required by the applicable new laws.
4. Personify Health complies with the following effective and future state privacy
laws:
• Cal. Civ. Code § 1798.100 et seq. California Consumer Privacy Act of 2018 (CCPA),
as amended by California Privacy Rights Act of 2020 (CPRA)
• Colo. Rev. Stat. § 6-1-1301 et seq. Colorado Privacy Act (CPA)
• Conn. Gen. Stat. § 42-515 et seq. (as amended by Conn. S.B. 3) Connecticut Data
Privacy Act (CTDPA)
• Del. H.B. 154 Delaware Personal Data Privacy Act (DPDPA)
• Fl. S.B. 262 Florida Digital Bill of Rights (FDBR)
• Ind. S.B. 5 Indiana Consumer Data Protection Act (ICDPA)
• Iowa S.F. 262 Iowa Consumer Data Protection Act (ICDPA)
• Mont. S.B. 384 Montana Consumer Data Privacy Act (MCDPA)
• Or. S.B. 619 Oregon Consumer Privacy Act (OCPA)
• Tenn. H.B. 1181 Tennessee Information Protection Act (TIPA)
• Tex. H.B. 4 Texas Data Privacy and Security Act (TDPSA)
• Utah Code § 13-61-101 et seq. Utah Consumer Privacy Act (UCPA)
• Va. Code § 59.1-575 et seq. Virginia Consumer Data Protection Act (VCDPA)
OTHER LAWS AND AGREEMENTS; INTERPRETATION
1. If these policies and procedures conflict with the terms of a Data Processing
Agreement, the terms of the Data Processing Agreement shall govern to the
extent such terms are required by applicable law.
2. If these policies and procedures conflict with the terms of a Business Associate
Agreement, the terms of the Business Associate Agreement shall govern to
the extent such terms are required by HIPAA.
3. Personify Health also complies with applicable state, federal, and
international laws not contrary to HIPAA that require more stringent
protection of the privacy of protected health information.
4. To the extent a Personify Health program is open to individuals under
eighteen, for any individuals between the ages of sixteen and eighteen, a
signed parental consent is required to participate in the Personify Health
program. Personify Health does not offer services to individuals under the
age of sixteen. Based upon the age limits enforced within the system,
Personify Health has determined that the Children’s Online Privacy
Protection Act (“COPPA”) is not applicable to its operations and it has not
enacted a compliance program to align itself with the COPPA principles and
requirements.
REFERENCES AND SOURCES OF EVIDENCE
• The Organization for Economic Co-operation and Development (OECD) Privacy Guidelines
• The General Data Protection Regulation (EU) 2016/679
• The UK General Data Protection Regulation (UK GDPR)
• Privacy and Electronic Communications Directive 2002/58/EC
• Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM)
• China Personal Information Protection Law (PIPL)
• Telephone Consumer Protection Act (TCPA)
• The OECD Privacy Guidelines
• HIPAA Privacy Rule
• FTC Rule, Section 5
• California Online Privacy Protection Act (CalOPPA)
• California Consumer Privacy Act (CCPA)
• Lei Geral de Proteção de Dados (LGPD)
• Personal Information Protection and Electronic Documents Act (PIPEDA)
• Children’s Online Privacy Protection Act (COPPA)
• TrustArc (formerly TRUSTe) Requirements
• US-Swiss Data Privacy Framework
• US-EU Data Privacy Framework (DPF)
• APEC Privacy Recognition for Processors (PRP)
• APEC Cross Border Privacy Rules (CBPR)
POLICY VIOLATIONS
Any Personify Health Workforce Member who fails to abide by this policy may be subject to disciplinary action, up to and including termination.
REVISION HISTORY
APPENDIX A – POLICY INVENTORY
POLICIES
PLATFORM AND WEBSITE POLICIES, CONSENTS, NOTICES
Personify Health Online Privacy Notice (Platform)
Personify Health Online PHI/GINA Authorization (Platform)
Personify Health Online Data Consent (Platform)
Personify Health Online Privacy Notice (Website)
Personify Health Supplemental Privacy Notice for California Residents (Website)