Beluga Health's Privacy Policy

PART THREE: FULL PRIVACY POLICY

Version 1

Last Updated: September 10, 2020

WE AT BELUGA HEALTH, P.A. (“We”, “Us”, or “Beluga”) VALUE YOUR PRIVACY AND ARE COMMITTED TO KEEPING YOUR (“You/Your”) PERSONAL DATA CONFIDENTIAL. WE USE YOUR DATA SOLELY IN THE CONTEXT OF PROVIDING A WEB PORTAL (“WEB PORTAL”) AND VARIOUS RELATED SERVICES DEFINED BELOW (“SERVICES”) TO SUPPORT THE DELIVERY OF REMOTE CLINICAL CARE AND PRESCRIPTION SERVICES BY QUALIFIED PHYSICIANS (“PROVIDER USERS”) TO PATIENTS OF BELUGA HEALTH (“PATIENT USERS”). YOU ARE EITHER A PATIENT USER OR A PROVIDER USER. THE SERVICES INCLUDE, IN ADDITION TO THE WEB PORTAL, THE FACILITATION OF (1) SECURE INFORMATION COLLECTION, (2) SHORT MESSAGE SERVICE (“SMS”) AND MULTIMEDIA MESSAGING SERVICE (“MMS”) COMMUNICATIONS BETWEEN PATIENTS AND PROVIDERS, AND (3) ELECTRONIC PRESCRIBING OF MEDICATIONS.

THIS PRIVACY POLICY APPLIES TO PERSONAL DATA BELUGA COLLECTS FROM USERS OF THE SERVICES. “PERSONAL DATA” INCLUDES ANY INFORMATION THAT CAN BE USED ON ITS OWN OR WITH OTHER INFORMATION IN COMBINATION TO IDENTIFY OR CONTACT ONE OF OUR PATIENT OR PROVIDER USERS. WE BELIEVE THAT TRANSPARENCY ABOUT THE USE OF YOUR PERSONAL INFORMATION IS OF UTMOST IMPORTANCE. IN THIS PRIVACY POLICY, WE PROVIDE YOU DETAILED INFORMATION ABOUT OUR COLLECTION, USE, MAINTENANCE, AND DISCLOSURE OF YOUR PERSONAL DATA. THE POLICY EXPLAINS WHAT KIND OF INFORMATION WE COLLECT, WHEN AND HOW WE MIGHT USE THAT INFORMATION, HOW WE PROTECT THE INFORMATION, AND YOUR RIGHTS REGARDING YOUR PERSONAL INFORMATION

SOME OF THE PERSONAL DATA WE COLLECT AND TRANSMIT WILL, IN SOME CIRCUMSTANCES, BE CONSIDERED “HEALTH DATA” (data related to a Patient User's physical or mental health) or “Protected Health Information” (information that relates to the past, present, or future physical or mental health or condition of a Patient User; the provision of health care to a Patient User; or the past, present, or future payment for the provision of health care to a Patient User). THEREFORE, OUR PRIVACY PRACTICES ARE INTENDED TO COMPLY WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (“HIPAA“) AND WITH STATE LAW RELATED TO HEALTH DATA, WHERE APPLICABLE. FOR ADDITIONAL INFORMATION RELATED TO YOUR HEALTHCARE INFORMATION, PLEASE CONTACT OUR PRIVACY OFFICER AT [email protected].

BY SUBMITTING YOUR PERSONAL DATA THROUGH THIS WEB PORTAL OR THROUGH THE SERVICES, YOU ARE ACKNOWLEDGING THAT YOU HAVE READ AND AGREE TO THE TERMS OF THIS POLICY. IF YOU DO NOT AGREE, PLEASE DO NOT LOG INTO OR ACCESS THE WEB PORTAL AND DO NOT SUBMIT ANY PERSONAL DATA TO US.

PLEASE NOTE THAT WE OCCASIONALLY UPDATE THIS PRIVACY POLICY AND THAT IT IS YOUR RESPONSIBILITY TO STAY UP TO DATE WITH ANY AMENDED VERSIONS. IF WE MODIFY THE PRIVACY POLICY, WE WILL POST A LINK TO THE MODIFIED TERMS ON THE WEB PORTAL AND WILL ALSO NOTIFY YOU VIA EMAIL. YOU CAN STORE THIS POLICY AND/OR ANY AMENDED VERSION(S) DIGITALLY, PRINT IT, OR SAVE IT IN ANY OTHER WAY. ANY CHANGES TO THIS PRIVACY POLICY WILL BE EFFECTIVE IMMEDIATELY UPON PROVIDING NOTICE, AND SHALL APPLY TO ALL INFORMATION WE MAINTAIN, USE, AND DISCLOSE. IF YOU CONTINUE TO USE THE SERVICES FOLLOWING SUCH NOTICE, YOU ARE AGREEING TO THOSE CHANGES.

In case You have any questions or concerns after reading this Privacy Policy, please do not hesitate to contact Us at [email protected]. We appreciate Your feedback. If You do not agree or no longer agree to the processing of Personal Data as described in this Privacy Policy, You can delete Your account or request Beluga terminate the processing of your Personal Data by notifying Us by email at [email protected].

Responsible Entity

Beluga is the controller of Your Personal Data and may process Personal Data in accordance with the Privacy Policy. If We are processing Personal Data on behalf of a third party that is not an agent or affiliate of Beluga, the terms of this Privacy Policy do not apply—instead, the terms of that third party's privacy policy will apply. You can contact Us with any questions about Our Privacy Policy at [email protected].

What Personal Data do We collect?

The types of Personal Data We collect are described below.

Demographic Data

We collect demographic information, such as Your name, birth year, gender, phone number, and e-mail address. Primarily, the collection of Your Personal Data assists us in creating Your account (“User Account”) if You are a Provider User, which You can use to securely receive the Services. If You are a Patient User, the collection of Your Personal Data assists us in securely providing you with the Services.

Payment Data

If you make payments via our Services, We may require that You provide to Us Your financial and billing information, such as billing name and address, credit card number or bank account information.

For Patient Users: Health Data

In addition to demographic information, We will collect information regarding Your health conditions, allergies, medical history, symptoms, and communications between You and the Provider User providing healthcare services to You via the Services. We collect this information to provide You with the Services.

Support Data

If You contact Us for support or to lodge a complaint, We may collect technical or other information from You through log files and other technologies, some of which may qualify as Personal Data. (e.g., Internet Protocol (“IP”) address). Such information will be used for the purposes of troubleshooting, customer support, software updates, and improvement of the Services in accordance with this Privacy Policy. Calls with Beluga may be recorded or monitored for training, quality assurance, customer service, and reference purposes.

For Provider Users: Device, Telephone, and ISP Data

We use common information-gathering tools, such as log files, cookies, web beacons, and similar technologies to automatically collect information, which may contain Personal Data, from Your computer as You navigate Our Services, or interact with emails We have sent You. The information We collect may include Your IP address (or proxy server), device and application identification numbers, location, browser type, Internet service provider and/or mobile carrier, the pages and files You viewed, Your searches, Your operating system and system configuration information, and date/time stamps associated with Your usage. This information is used to analyze overall trends, to help Us provide and improve Our Services and to guarantee their security and continued proper functioning.

How will We use Your Personal Data?

We process Your Personal Data for purposes based on legitimate business interests, the fulfillment of Our Services to You, compliance with Our legal obligations, and/or Your consent. We only use or disclose Your Personal Data when it is legally mandated or where it is necessary to fulfill the purposes described herein. Where required by law, We will ask for Your prior consent before using or disclosing Personal Data.

Specifically, We process Your Personal Data for the following legitimate business purposes:

To fulfill Our obligations to You under the Terms of Use (for Provider Users);
To communicate with You about and manage Your User Account (for Provider Users);
To properly store and track Your data within Our system;
To respond to lawful requests from public and government authorities, and to comply with applicable state/federal law, including cooperation with judicial proceedings or court orders;
To protect Our rights, privacy, safety, or property, and/or that of You or others by providing proper notices, pursuing available legal remedies, and acting to limit Our damages;
To handle technical support and other requests from You;
To enforce and ensure Your compliance with Our Terms of Use or the terms of any other applicable services agreement We have with You;
To manage and improve the Services, including the development of additional functionality;
To manage payment processing;
To evaluate the quality of service You receive, identify usage trends, and thereby improve Your user experience;
To keep Our Services safe and secure for You and for Us;
To send You information about changes to Our terms, conditions, and policies;
To allow Us to pursue available remedies or limit the damages that We may sustain; and
If applicable, to provide access to the authorized Provider User/caregiver (with Your consent), to enable that individual to monitor Your progress and overall condition and to follow up with You, as they deem appropriate.

Where is Your Personal Data processed?

Personal Data Beluga collects through the Services will be stored on secure servers in the United States. Personal Data may be transmitted to third parties, which parties may store or maintain the data on their secure servers on Our behalf. These third parties are not permitted to transfer Your Personal Data outside of the United States.

Will We share Your Personal Data with anyone else?

For Patient Users: Yes, with the Provider User with whom You connect via the Services.

We will share information you provide to Us via the Services with the Provider User with whom connect via the Services. If, at any point, you want to deny access to one or more Provider Users, you can do so by emailing [email protected].

Yes, with third parties that help us power Our Services

Beluga has a limited number of service providers and other third parties (“Business Partners”) that help Us run various aspects of Our business. These Business Partners are contractually bound to protect Your Personal Data and to use it only for the limited purpose(s) for which it is shared with Us. Business Partners' use of Personal Data may include, but is not limited to, the provision of services such as data hosting, IT services, customer service, and payment processing.

Yes, with third parties and the government when legal or enforcement issues arise

We may share Your Personal Data, if reasonable and necessary, to (i) comply with legal processes or enforceable governmental requests, or as otherwise required by law; (ii) cooperate with third parties in investigating acts in violation of this Agreement; or (iii) bring legal action against someone who may be violating the Terms of Use or who may be causing intentional or unintentional injury or interference to the rights or property of Beluga or any third party, including other users.

Yes, with third parties that provide advisory services

We may share Your Personal Data with Our lawyers, auditors, accountants, or banks when We have a legitimate business interest in doing so.

Yes, with third parties in the event of a reorganization, merger, sale, joint venture, assignment, transfer, or other disposition of all or any portion of Beluga's corporate entity, assets, or stock (including in connection with any bankruptcy or similar proceedings)

If We share Your Personal Data with a third party other than as provided above, You will be notified at the time of data collection or transfer, and You will have the option of not permitting the transfer.

How long do We retain Personal Data?

We will retain Your Personal Data for as long as You maintain a User Account or use Our Services and up to five (5) years after the account is closed or Services are terminated. The exact period of retention will depend on the type of Personal Data, Our contractual obligation to You, and applicable law. We keep Your Personal Data for as long as necessary to fulfill the purpose for which it was collected, unless otherwise required or necessary pursuant to a legitimate business purpose outlined herein. At the end of the applicable retention period, We will remove Your Personal Data from Our databases and will request that Our Business Partners remove Your Personal Data from their databases. If there is any data that We are unable, for technical reasons, to delete entirely from Our systems, We will put in place appropriate measures to prevent any further processing of such data. We retain anonymized data indefinitely.

NOTE: Once We disclose Your Personal Data to third parties, We may not be able to access that Personal Data any longer and cannot force the deletion or modification of any such information by the parties to whom We have made those disclosures. Written requests for deletion of Personal Data other than as described should be directed to [email protected].

For Provider Users: What is Our Cookie Policy?

Cookies are small files that a Web server sends to Your computer or device when You visit a web site that uses cookies to keep track of Your activity on that site. Cookies hold a small amount of data specific to that web site, which can later be used to help remember information You enter into the web site (like Your email or other contact info), preferences selected, and movement within the site. If You return to a previously visited web site (and Your browser has cookies enabled), the web site sends the small file to the Web server, which tells it what activity You engaged in the last time You used the web site, and the server can use the cookie to do things like expedite logging in and retrieving user data and keeping Your browser session secure.

We use essential cookies to provide user authentication. and other technologies to, among other things, better serve You with more tailored information, and to facilitate efficient and secure access to the Services. We only use essential cookies. Essential cookies are those necessary for Us to provide Services to You.

We may also collect information using pixel tags, Web beacons, clear GIFs or other similar technologies. These may be used in connection with some Web Portal pages and HTML-formatted email messages to, among other things, track the actions of users and email recipients, and compile statistics about usage and response rates.

For Provider Users: How can You “Opt Out” of Cookies?

If You prefer, You can usually choose to set Your browser to remove cookies and reject cookies. If You enable a do not track (“DNT”) signal or otherwise configure Your browser to prevent Beluga from collecting any cookies, You will no longer be able to access the Web Portal.

How do We protect Your Personal Data?

Beluga is committed to protecting the security and confidentiality of Your Personal Data. We use a combination of reasonable physical, technical, and administrative security controls to maintain the security and integrity of Your Personal Data, to protect against any anticipated threats or hazards to the security or integrity of such information, and to protect against unauthorized access to or use of such information in Our possession or control that could result in substantial harm or inconvenience to You. However, Internet data transmissions, whether wired or wireless, cannot be guaranteed to be 100% secure. As a result, We cannot ensure the security of information You transmit to Us. By using the Services, You are assuming this risk.

Safeguards

The information collected by Beluga and stored on secure servers, is protected by a combination of technical, administrative, and physical security safeguards, such as authentication, encryption, backups, and access controls. If Beluga learns of a security concern, We may attempt to notify You and provide information on protective steps, if available, through the e-mail address that You have provided to Us or the phone number you have provided Depending on where You live, You may have a legal right to receive such notices in writing.

You are solely responsible for protecting information entered or generated via the Services that is stored on Your device and/or removable device storage. Beluga has no access to or control over Your device's security settings, and it is up to You to implement any device--level security features and protections You feel are appropriate (e.g., password protection, encryption, remote wipe capability, etc.). We recommend that You take any and all appropriate steps to secure any device that You use to access Our Services.

NOTWITHSTANDING ANY OF THE STEPS TAKEN BY US, IT IS NOT POSSIBLE TO GUARANTEE THE SECURITY OR INTEGRITY OF DATA TRANSMITTED OVER THE INTERNET. THERE IS NO GUARANTEE THAT YOUR PERSONAL DATA WILL NOT BE ACCESSED, DISCLOSED, ALTERED, OR DESTROYED DESPITE THE IMPLEMENTATION OF OUR PHYSICAL, TECHNICAL, OR ADMINISTRATIVE SAFEGUARDS. THEREFORE, WE DO NOT AND CANNOT ENSURE OR WARRANT THE SECURITY OR INTEGRITY OF ANY PERSONAL DATA YOU TRANSMIT TO US AND YOU TRANSMIT SUCH PERSONAL DATA AT YOUR OWN RISK.

How can You Protect Your Personal Data?

In addition to securing Your device, as discussed above, We will NEVER send You an e-mail requesting confidential information such as account numbers, usernames, passwords, or social security numbers, and You should NEVER respond to any e-mail requesting such information. If You receive such an e-mail purportedly from Beluga, DO NOT RESPOND to the e-mail and DO NOT click on any links and/or open any attachments in the e-mail, and notify Beluga support at [email protected].

For Provider Users: You are responsible for taking reasonable precautions to protect Your user ID, password, and other User Account information from disclosure to third parties, and You are not permitted to circumvent the use of required encryption technologies. You should immediately notify Beluga at [email protected] if You know of or suspect any unauthorized use or disclosure of Your user ID, password, and/or other User Account information, or any other security concern.

Your rights

You have certain rights relating to Your Personal Data, subject to local data protection laws. These rights may include:

to access Your Personal Data held by Us;
to erase/delete Your Personal Data, to the extent permitted or required by applicable data protection laws;
to receive communications related to the processing of Your personal data that are concise, transparent, intelligible, and easily accessible;
to restrict the processing of Your Personal Data to the extent permitted by law (while We verify or investigate Your concerns with this information, for example);
to object to the further processing of Your Personal Data, including the right to object to marketing;
to request that Your Personal Data be transferred to a third party, if possible;
to receive Your Personal Data in a structured, commonly used, and machine-readable format;
to lodge a complaint with a supervisory authority;
to rectify inaccurate Personal Data and, taking into account the purpose of processing the Personal Data, ensure it is complete;
and to not be subject to a decision based solely on automated processing, including profiling, which produces legal effects ("Automated Decision-Making").

Where the processing of Your Personal Data by Beluga is based on consent, You have the right to withdraw that consent without detriment at any time or to exercise any of the rights listed above by emailing Beluga at [email protected].

How can You update, correct, or delete Personal Data?

You can change Your e-mail address and other contact information by contacting [email protected]. If You are a Provider User, and You need to make changes or corrections to other information, You may change your password within the account settings on the Web Portal dashboard. Please note that in order to comply with certain requests to limit use of Your Personal Data, We may need to terminate Your account and/or Your ability to access and use the Services, and You agree that We will not be liable to You for such termination or for any refunds of prepaid fees paid by You. You can deactivate Your account or request termination of Services by contacting [email protected].

Although We will use reasonable efforts to do so, You understand that it may not be technologically possible to remove from Our systems every record of Your Personal Data. The need to back up Our systems to protect information from inadvertent loss means a copy of Your Personal Data may exist in a non-erasable form that will be difficult or impossible for Us to locate or remove.

Can You “OPT-OUT” of receiving communications from Us?

We pledge not to market third party services to You without Your consent. We may send e-mails to You regarding Your Beluga account and/orservices. You can choose to filter these account and services emails using Your e-mail client settings or, if you are a Patient User, by emailing [email protected], but We do not provide an option for You to opt out of these e-mails.

Information submission by minors

We do not knowingly collect Personal Data from individuals under the age of 18 and the Services are not directed to individuals under the age of 13. We request that these individuals not provide Personal Data to Us. If We learn that Personal Data from users less than 18 years of age has been collected, We will deactivate the account and take reasonable measures to promptly delete such data from Our records. If You are aware of a user under the age of 13 using the Services, please contact Us at [email protected].

If You are a resident of California, under the age of 18 and have registered for an account with Us, You may ask Us to remove content or information that You have posted to Our Services.

California Residents

California residents may request and obtain from Us, once a year, free of charge, a list of third parties, if any, to which We disclosed their Personal Data for direct marketing purposes during the preceding calendar year and the categories of Personal Data shared with those third parties. If You are a California resident and wish to obtain that information, please submit Your request by sending Us an email at [email protected] with “California Privacy Rights” in the subject line.

Contact Us

If You have any questions about this Privacy Policy, please contact Us by email at [email protected] or please write to: Beluga Health, P.A., 3225 McLeod Drive, Suite 100, Las Vegas, NV 89121. Please note that email communications are not always secure; so please do not include sensitive information in Your emails to Us.

NOTICE OF PRIVACY PRACTICES ‐ BELUGA HEALTH, P.A

THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.

This Notice of Privacy Practices (the “Notice”) describes how Beluga Health, P.A. (“we” or “our”) may use and disclose your protected health information to carry out treatment, payment or business operations and for other purposes that are permitted or required by law. We are not a “Covered Entity” as that term is defined in the Health Insurance Portability and Accountability Act (“HIPAA”), but we have elected to voluntarily substantially comply with the standards set forth in HIPAA. “Protected health information” or “PHI” is information about you, including demographic information, that may identify you and that relates to your past, present or future physical health or condition, treatment or payment for health care services. This Notice also describes your rights to access and control your protected health information.

USES AND DISCLOSURES OF PROTECTED HEALTH INFORMATION:

Your protected health information may be used and disclosed by our health care practitioners, our staff, and others outside of our office that are involved in your care and treatment for the purpose of providing health care services to you, to support our business operations, to obtain payment for your care, and any other use authorized or required by law.

TREATMENT:

We will use and disclose your protected health information to provide, coordinate, or manage your health care and any related services. This includes the coordination or management of your health care with a third party. For example, your protected health information may be provided to a health care provider to whom you have been referred to ensure the necessary information is accessible to diagnose or treat you.

PAYMENT:

Your protected health information may be used to bill or obtain payment for your health care services. This may include certain activities that your health insurance plan may undertake before it approves or pays for your services, such as: making a determination of eligibility or coverage for insurance benefits and reviewing services provided to you for medical necessity.

HEALTH CARE OPERATIONS:

We may use or disclose, as needed, your protected health information in order to support the business activities of this office. These activities include, but are not limited to, improving quality of care, providing information about treatment alternatives or other healthrelated benefits and services, development or maintaining and supporting computer systems, legal services, and conducting audits and compliance programs, including fraud, waste and abuse investigations.

USES AND DISCLOSURES THAT DO NOT REQUIRE YOUR AUTHORIZATION

USES AND DISCLOSURES THAT REQUIRE YOUR AUTHORIZATION:

Other permitted and required uses and disclosures will be made only with your consent, authorization or opportunity to object unless permitted or required by law. Without your authorization, we are expressly prohibited from using or disclosing your protected health information for marketing purposes. We may not sell your protected health information without your authorization. Your protected health information will not be used for fundraising. If you provide us with an authorization for certain uses and disclosures of your information, you may revoke such authorization, at any time, in writing, except to the extent that we have taken an action in reliance on the use or disclosure indicated in the authorization.

YOUR RIGHTS WITH RESPECT TO YOUR PROTECTED HEALTH INFORMATION:

You have the right to inspect and copy your protected health information.

You may request access to or an amendment of your protected health information.

You have the right to request a restriction on the use or disclosure of your protected health information/personal information. Your request must be in writing and state the specific restriction requested and to whom you want the restriction to apply. We are not required to agree to a restriction that you may request, except if the requested restriction is on a disclosure to a health plan for a payment or health care operations purpose regarding a service that has been paid in full out-of-pocket.

You have the right to request to receive confidential communications from us by alternative means or at an alternate location. We will comply with all reasonable requests submitted in writing which specify how or where you wish to receive these communications.

You have the right to request an amendment of your projected health information. If we deny your request for amendment, you have the right to file a statement of disagreement with us. We may prepare a rebuttal to our statement and we will provide you with a copy of any such rebuttal.

You have the right to receive an accounting of certain disclosures of your protected health information that we have made, paper or electronic, except for certain disclosures which were pursuant to an authorization, for purposes of treatment, payment, healthcare operations (unless the information is maintained in an electronic health record); or for certain other purposes.

You have the right to obtain a paper copy of this Notice, upon request, even if you have previously requested its receipt electronically by e-mail.

REVISIONS TO THIS NOTICE:

We reserve the right to revise this Notice and to make the revised Notice effective for protected health information we already have about you as well as any information we receive in the future. You are entitled to a copy of the Notice currently in effect. Any significant changes to this Notice will be posted on our web site. You then have the right to object or withdraw as provided in this Notice.

BREACH OF HEALTH INFORMATION:

We will notify you if a reportable breach of your unsecured protected health information is discovered. Notification will be made to you no later than 60 days from the breach discovery and will include a brief description of how the breach occurred, the protected health information involved and contact information for you to ask questions

COMPLAINTS:

Complaints about this Notice or how we handle your protected health information should be directed to our HIPAA Privacy Officer. If you are not satisfied with the manner in which a complaint is handled you may submit a formal complaint to the Department of Health and Human Services, Office for Civil Rights by sending a letter to 200 Independence Avenue, S.W., Washington, D.C. 20201, calling 1-877-696-6775, or visiting

www.hhs.gov/ocr/privacy/hipaa/complaints/

We will not retaliate against you for filing a complaint.

We must follow the duties and privacy practices described in this Notice. We will maintain the privacy of your protected health information and to notify affected individuals following a breach of unsecured protected health information. If you have any questions about this Notice, please contact us at [2244840496] and ask to speak with our HIPAA Privacy Officer.