HIPAA Notice of Privacy Practices

Alpine Digital Health, Inc. ("Alpine," "we," "us," or "our") is committed to protecting the privacy of your health information. We are required by law to:

• Maintain the privacy of your Protected Health Information (PHI)
• Provide you with this Notice of our legal duties and privacy practices
• Follow the terms of the Notice currently in effect
• Notify you if we are unable to agree to a requested restriction on how we use or disclose your PHI
• Accommodate reasonable requests you may have to communicate health information by alternative means or at alternative locations

This Notice applies to all health information created, received, maintained, or transmitted by Alpine through the Arc and Arc Care services.

Protected Health Information is information about you, including demographic information, that may identify you and relates to:

• Your past, present, or future physical or mental health or condition
• The provision of health care to you
• Payment for the provision of health care to you

We may use and disclose your PHI without your written authorization for the following purposes:

Treatment

We use and disclose your health information to facilitate your medical treatment and care coordination. Examples include:

• Provider Communication: Sharing your health information with your healthcare provider who uses our platform to deliver your care
• Care Coordination: Enabling communication between your healthcare provider and other healthcare professionals involved in your care (with your provider's direction)
• AI-Assisted Care: Using your health information to generate personalized communications, care plans, and clinical insights through our AI-powered platform
• Treatment Recommendations: Providing your healthcare provider with information to support clinical decision-making
• Appointment Coordination: Scheduling and managing your appointments with your healthcare provider
• Prescription Management: Facilitating prescription orders and pharmacy communications
• Lab and Test Results: Transmitting lab orders and communicating test results between your provider and testing facilities

Payment

We may use and disclose your health information to support payment and billing activities. Examples include:

• Billing Services: Processing payments for services provided through our platform
• Insurance Claims: Submitting claims to your health insurance company for services rendered by your healthcare provider
• Payment Processing: Working with payment processors to handle billing transactions
• Collection Activities: Collecting payment for services, if necessary
• Insurance Verification: Verifying your insurance coverage and eligibility

Healthcare Operations

We may use and disclose your health information for our healthcare operations and business activities. Examples include:

• Quality Improvement: Analyzing care delivery to improve our services and patient outcomes
• AI Model Training: Using de-identified or aggregated data to train and improve our AI models (we do not use your identifiable information for this purpose without specific authorization)
• Performance Monitoring: Evaluating the performance and effectiveness of our platform
• Customer Support: Providing technical support and responding to your inquiries
• Business Planning: Conducting business planning, development, and management activities
• Compliance Activities: Conducting compliance reviews, audits, and legal functions
• Provider Training: Training healthcare providers on how to use our platform effectively

For uses and disclosures beyond treatment, payment, and healthcare operations, we will obtain your written authorization. These include:

• Marketing Communications: Using your health information for marketing purposes (except for face-to-face communications or promotional gifts of nominal value)
• Sale of PHI: Selling your health information (we do not sell your health information)
• Psychotherapy Notes: Using or disclosing psychotherapy notes (if applicable)
• Other Purposes: Any other use or disclosure not described in this Notice

You have the right to revoke your authorization at any time by submitting a written request. However, we cannot take back any disclosures already made based on your authorization.

In certain situations, we may use or disclose your health information without your authorization:

Required by Law

We will disclose your health information when required to do so by federal, state, or local law.

Public Health Activities

We may disclose your health information for public health activities, including:

• Reporting diseases, injuries, or disabilities
• Reporting adverse reactions to medications or medical devices
• Product recalls or tracking
• Public health surveillance, investigations, or interventions

Health Oversight Activities

We may disclose your health information to health oversight agencies for:

• Audits and investigations
• Inspections and licensure activities
• Government monitoring of the healthcare system
• Compliance reviews

Judicial and Administrative Proceedings

We may disclose your health information in response to:

• A court order
• A subpoena, discovery request, or other lawful process
• Administrative tribunals

Law Enforcement

We may disclose your health information to law enforcement officials for:

• Legal processes and as otherwise required by law
• Identifying or locating suspects, fugitives, witnesses, or missing persons
• Information about victims of crimes under certain circumstances
• Reporting deaths that may have resulted from criminal conduct
• Reporting crimes that occur on our premises
• Medical emergencies involving crimes

Coroners, Medical Examiners, and Funeral Directors

We may disclose health information to coroners, medical examiners, or funeral directors to allow them to carry out their duties.

Organ and Tissue Donation

We may disclose health information to organizations involved in organ, eye, or tissue procurement, banking, or transplantation.

Research

Under certain circumstances, we may use and disclose your health information for research purposes. We will only do so with your authorization or when an Institutional Review Board or privacy board has reviewed the research and established protocols to protect your privacy.

Serious Threat to Health or Safety

We may use or disclose your health information when necessary to prevent a serious threat to your health and safety or the health and safety of others.

Specialized Government Functions

We may disclose your health information for:

• Military and veterans' activities
• National security and intelligence activities
• Protective services for the President and others
• Correctional institutions (if you are an inmate)
• Law enforcement custody

Workers' Compensation

We may disclose your health information as necessary to comply with workers' compensation or similar programs.

Business Associates

We may disclose your health information to our business associates (companies that perform services on our behalf) who need the information to perform their services. We require these business associates to protect your health information through written agreements.

Examples of business associates include:

• Cloud hosting and data storage providers
• Payment processors
• IT support and security services
• Analytics and performance monitoring services

You have the following rights regarding your health information:

Right to Inspect and Copy

You have the right to inspect and obtain a copy of your health information that we maintain in designated record sets. This typically includes medical and billing records.

How to exercise this right:

• Submit a written request to our Privacy Officer (contact information below)
• We may charge a reasonable, cost-based fee for copying and mailing records

We may deny your request in certain limited circumstances. If we deny your request, we will provide you with a written explanation and information about your right to have the denial reviewed.

Timeline: We will respond to your request within 30 days. If we need additional time, we will notify you of the delay and provide the information within 60 days of your request.

Right to Request Amendment

You have the right to request that we amend your health information if you believe it is incorrect or incomplete.

How to exercise this right:

• Submit a written request to our Privacy Officer, specifying what information you want amended and why
• Include supporting documentation if available

We may deny your request if:

• The information was not created by us
• The information is not part of the records we maintain
• The information is not part of the information you would be permitted to inspect and copy
• The information is accurate and complete

Timeline: We will respond within 60 days. If we need additional time, we will notify you of the delay and respond within 90 days of your request.

Right to an Accounting of Disclosures

You have the right to request an "accounting of disclosures," which is a list of certain disclosures we have made of your health information.

What's included:

The accounting will include disclosures made within the six years prior to your request (or a shorter period if you specify), excluding:

• Disclosures for treatment, payment, and healthcare operations
• Disclosures made to you
• Disclosures you authorized
• Disclosures for national security or intelligence purposes
• Disclosures to correctional institutions or law enforcement
• Disclosures that occurred before April 14, 2003

How to exercise this right:

• Submit a written request to our Privacy Officer
• Specify the time period for the accounting (not to exceed six years)

Timeline: We will provide the accounting within 60 days of your request.

Fees: The first accounting in any 12-month period is free. We may charge a reasonable fee for additional requests within the same 12-month period.

Right to Request Restrictions

You have the right to request restrictions on how we use and disclose your health information for treatment, payment, or healthcare operations. You also have the right to request restrictions on disclosures to persons involved in your care.

How to exercise this right:

• Submit a written request to our Privacy Officer, specifying the restriction you want and to whom it applies

Important limitations:

• We are not required to agree to your request
• If we do agree, we will comply with your request unless the information is needed for emergency treatment
• We are required to agree to your request if:
  • The disclosure is to a health plan for payment or healthcare operations (not treatment)
  • The information pertains solely to a healthcare item or service you paid for out of pocket in full

Right to Request Confidential Communications

You have the right to request that we communicate with you about your health information by alternative means or at alternative locations.

Examples:

• Requesting that we call you at work instead of home
• Requesting that we send mail to a P.O. Box instead of your home address
• Requesting communications through the Arc app only, without emails

How to exercise this right:

• Submit a written request to our Privacy Officer, specifying how or where you wish to be contacted
• We will accommodate reasonable requests

Right to Notification of Breach

You have the right to be notified if there is a breach of your unsecured health information.

What we will do:

• Notify you in writing within 60 days of discovering a breach
• Provide information about the breach, what information was involved, and steps you can take to protect yourself
• Describe what we are doing in response to the breach

Right to Obtain a Paper Copy of This Notice

You have the right to obtain a paper copy of this Notice at any time, even if you have agreed to receive the Notice electronically.

How to exercise this right:

• Request a copy through the Arc app
• Contact our Privacy Officer
• Visit our website

To exercise any of the rights described above, please contact our Privacy Officer:

We reserve the right to change this Notice at any time. We reserve the right to make the revised or changed Notice effective for health information we already have about you as well as any information we receive in the future.

How we will notify you of changes:

• We will post the current Notice on our website and in the Arc app
• The Notice will contain the effective date on the first page
• For material changes, we will provide you with the revised Notice within 60 days

How to obtain the current Notice:

• Visit our website
• View it in the Arc app under Settings > Privacy
• Request a copy from our Privacy Officer

If you believe your privacy rights have been violated, you have the right to file a complaint.

How to file a complaint with us:

• Submit a written complaint to our Privacy Officer (contact information above)
• Send an email to privacy@alpine.healthcare
• Call 609-721-2155

How to file a complaint with the federal government:

• U.S. Department of Health and Human Services
• Office for Civil Rights
• Website: www.hhs.gov/ocr/privacy/hipaa/complaints/
• Phone: 1-877-696-6775

If you have questions about this Notice or need more information, please contact:

Digital Twin Technology and AI-Assisted Care

Arc and Arc Care use artificial intelligence to create digital representations of your healthcare provider's communication style and clinical approach. This technology:

• Analyzes your health information to generate personalized communications and insights
• Operates under the direct supervision and approval of your healthcare provider
• Is trained using de-identified or aggregated data to protect your privacy
• Helps your provider deliver more proactive, personalized care

Your healthcare provider reviews and approves significant clinical decisions and communications generated by our AI system.

Healthcare Provider Relationship

Alpine provides technology services to support your healthcare provider. Your healthcare provider is responsible for your medical care and maintains your official medical records. This Notice describes how Alpine handles your health information as a Business Associate of your healthcare provider.

For questions about your medical care or to access your complete medical records, please contact your healthcare provider directly.

Data Storage and Security

Your health information is stored securely using industry-standard encryption and security measures. We use reputable cloud service providers who are also required to protect your health information through Business Associate Agreements.

By using Arc or Arc Care, you acknowledge that you have received and reviewed this Notice of Privacy Practices.