1. Purpose

The purpose of this HIPAA privacy policy is to ensure that Butterfly Health, Inc. (“PALOMA HEALTH”) has procedures in place to comply fully with all the HIPAA Privacy Rule and is prepared to use and disclose individuals protected health information (“PHI”) in a way that complies with federal and state privacy protection laws and regulations. Protection of patient privacy is of paramount importance to this organization. Violations of any of these provisions will result in severe disciplinary action including termination of employment and possible referral for criminal prosecution.

2. Definitions

2.1  Protected Health Information (PHI). Protected health information means individually identifiable health information that is transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form or medium.

2.2  HIPAA Privacy Officer.  PALOMA HEALTH shall designate a member of its staff as the HIPAA Privacy Officer. The HIPAA Privacy Officer is the PALOMA HEALTH employee in charge of all procedures covered within this policy.

3. Assigning Privacy Responsibilities

It is the policy of PALOMA HEALTH that the HIPAA Privacy Officer along with other specific individuals within our workforce are assigned the responsibility of implementing and maintaining this HIPAA Privacy Policy. Furthermore, it is our policy that these individuals will be provided sufficient resources and authority to fulfill their responsibilities.

4. Permitted uses and disclosures

PALOMA HEALTH shall only use or disclose PHI if either:

4.1 The HIPAA Privacy Rule specifically permits or requires it.

4.2 The individual who is the subject of the information gives authorization in writing.

4.3 For the following subset of health care operations activities of the recipient covered entity (45 CFR 164.501) without needing patient consent or authorization (45 CFR 164.506(c)(4):

·  Conducting quality assessment and improvement activities

·  Developing clinical guidelines

·  Conducting patient safety activities as defined in applicable regulations

·  Conducting population-based activities relating to improving health or reducing health care cost

·  Developing protocols

·  Conducting case management and care coordination (including care planning)

·  Contacting health care providers and patients with information about treatment alternatives

·  Reviewing qualifications of health care professionals

·  Evaluating performance of providers and/or health plans

·  Conducting training programs or credentialing activities

·  Supporting fraud and abuse detection and compliance programs.

5. Minimum Necessary Use and Disclosure of Protected Health Information

PALOMA HEALTH shall ensure that for all routine and recurring uses and disclosures of PHI (except for uses or disclosures made 1) to or as authorized by the patient or 2) as required by law for HIPAA compliance such uses and disclosures of protected health information must be limited to the minimum amount of information needed to accomplish the purpose of the use or disclosure. PALOMA HEALTH shall also ensure that non-routine uses and disclosures will be handled pursuant to established criteria. It is also PALOMA HEALTH’s policy that all requests for protected health information (except as specified above) must be limited to the minimum amount of information needed to accomplish the purpose of the request. Under HIPAA’s minimum necessary provisions, an organization must make reasonable efforts to limit PHI to the minimum necessary to accomplish the purpose of the use, disclosure or request. (45 CFR 164.502(b)).

6. Breach

In the event that a Breach has or may have occurred PALOMA HEALTH will adhere to the rules stated in the Breach Notification Policy. It shall be the responsibility of the HIPAA Privacy Officer to implement and enforce the rules in the Breach Notification Policy.   

7. Prohibited Activities-No Retaliation or Intimidation

PALOMA HEALTH shall ensure that no employee or contractor may engage in any intimidating or retaliatory acts against persons who file complaints or otherwise exercise their rights under HIPAA regulations.

8. Responsibility

The responsibility for designing and implementing procedures to implement this policy lies with the HIPAA Privacy Officer.

9. Mitigation

PALOMA HEALTH will implement measures to ensure that the effects of any unauthorized use or disclosure of protected health information be mitigated to the greatest extent possible.

10. Safeguards

PALOMA HEALTH shall ensure that appropriate physical safeguards will be in place to reasonably safeguard protected health information from any intentional or unintentional use or disclosure that is in violation of the HIPAA Privacy Rule.

11. Training and Awareness

11.1 PALOMA HEALTH will ensure that all members of the workforce are trained on the policies and procedures governing protected health information and compliance with the HIPAA Privacy and Security Rules. New members of the workforce shall receive training on these matters within a reasonable time after they have joined the workforce. Should any policy or procedure related to the HIPAA Privacy and Security Rule materially change PALOMA HEALTH shall provide new training to update the workforce on those changes. This training will be provided within a reasonable time after the policy or procedure materially changes. Furthermore, all training provided to the workforce will be documented indicating participants, date and subject matter.

11.2 Our HIPAA Privacy Officer will develop, coordinate, and facilitate initial and ongoing training programs on privacy, and coordinate privacy training with security training requirements. Each member of our workforce, including management, will be trained on our policies and procedures at least once annually in a formal setting, and regularly in an informal setting and as needed. Our HIPAA Privacy Officer will determine who needs additional training, the type of training that is appropriate, and the frequency with which such training will occur. New employees will participate in training within thirty (30) days following their first date of service.

11.3 All workforce members will participate in retraining on privacy policies and procedures related to the HITECH Act and the Breach Notification Rule, and on any other regulations related to the safeguarding of protected health information.

11.4 Upon completing training or retraining, each member of our workforce will sign an acknowledgement form that he or she participated in training and is aware of and understands our organization’s privacy policies and procedures.

11.5 When retraining is a result of a sanction for a violation of a privacy policy or procedure by a workforce member, a copy of the workforce member’s acknowledgement form will be maintained in the personnel file of the workforce member.

12. Material Change

It is the policy of the Company that the term “material change” for the purposes of these policies is any change in our HIPAA compliance activities.

13. Complaints

Individuals may submit complaints either directly to a supervisor or to the HIPAA privacy officer. There shall be a mechanism for complaints to be submitted anonymously. Complaints may also be submitted to the Secretary of HHS.

14. Sanctions

PALOMA HEALTH will determine and enforce sanctions upon any member of the workforce who intentionally or unintentionally violates any of these policies or any procedures related to the fulfillment of these policies. Such sanctions will be recorded in the individual’s personnel file.

15. Retention of Records

PALOMA HEALTH maintains that the HIPAA Privacy Rule records retention requirement of six years will be strictly adhered to. All records designated by HIPAA in this retention requirement will be maintained in a manner that allows for access within a reasonable period of time. This records retention time requirement may be extended at PALOMA HEALTH’s discretion to meet with other governmental regulations or internal requirements.

16. Regulatory Currency

It is the policy of PALOMA HEALTH to remain current in our compliance program with HIPAA regulations.

17. Verification of Identity

PALOMA HEALTH will ensure that the identity of all persons who request access to protected health information be verified before such access is granted.

18. Cooperation with Privacy Oversight Authorities

PALOMA HEALTH maintains that oversight agencies such as the Office for Civil Rights of the Department of Health and Human Services be given full support and cooperation in their efforts to ensure the protection of health information within this organization. PALOMA HEALTH will disclose protected health information as required by the HIPAA Privacy Rule, and to HHS when it is undertaking a compliance investigation or review or enforcement action. PALOMA HEALTH shall additionally ensure that all personnel cooperate fully with all privacy compliance reviews and investigations.