Patient Bill of Rights

OSIER HEALTH P.C.

As a patient, you have the right, consistent with law, to:

(1) Receive service(s) without regard to age, race, color, sexual orientation, religion, marital status, sex, gender identity, national origin or sponsor;

(2) Be treated with consideration, respect and dignity including privacy in treatment;

(3) Be informed of the services available through Osier Health;

(4) Be informed of the provisions for off-hour emergency coverage;

(5) Be informed of and receive an estimate of the charges for services, view a list of the health plans and the hospitals that Osier Health participates with; eligibility for third-party reimbursements and, when applicable, the availability of free or reduced cost care;

(6) Receive an itemized copy of his/her account statement, upon request;

(7) Obtain from his/her health care practitioner, or the health care practitioner’s delegate, complete and current information concerning his/her diagnosis, treatment and prognosis in terms the patient can be reasonably expected to understand;

(8) Receive from his/her physician information necessary to give informed consent prior to the start of any [nonemergency procedure or] treatment [or both]. An informed consent shall include, as a minimum, the provision of information concerning the specific [procedure or] treatment [or both], the reasonably foreseeable risks involved, and alternatives for care or treatment, if any, as a reasonable medical practitioner under similar circumstances would disclose in a manner permitting the patient to make a knowledgeable decision;

(9) Refuse treatment to the extent permitted by law and to be fully informed of the medical consequences of his/her action;

(10) Refuse to participate in experimental research;

(11) Voice grievances and recommend changes in policies and services to Osier Health’s staff, the operator and the New York State Department of Health without fear of reprisal;

(12) Express complaints about the care and services provided and to have Osier Health investigate such complaints. Osier Health is responsible for providing the patient or his/her designee with a written response within 30 days if requested by the patient indicating the findings of the investigation. Osier Health is also responsible for notifying the patient or his/her designee that if the patient is not satisfied by Osier Health’s response, the patient may complain to the New York State Department of Health;

(13) Privacy and confidentiality of all information and records pertaining to the patient’s treatment;

(14) Approve or refuse the release or disclosure of the contents of his/her medical record to any health-care practitioner and/or health-care facility except as required by law or third-party payment contract;

(15) Access to his/her medical record per NY state law;

(16) View a list of the health plans and the hospitals that Osier Health participates with; and

(17) Receive an estimate of the amount that you will be billed after services are rendered.

Notice of Privacy Practices

OSIER HEALTH P.C.

Effective Date: April 2024

THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.

This Notice of Privacy Practices (“Notice”) describes how Osier Health, P.C., a Colorado professional corporation (“Willow Health,” “we,” “our,” or “us”) may use and disclose your health information to carry out treatment, payment, or health care operations and for other legally permissible purposes, as well as your rights to access and control that information.

We are required by law to maintain the privacy of your health information, to provide you with this Notice of our legal duties and privacy practices with respect to your health information, and to notify you in the event of a breach of your unsecured health information. When we use or disclose your health information, we are required to abide by the terms of this Notice (or other notice in effect at the time of the use or disclosure).

Permissible Uses and Disclosures Without Your Written Authorization

In certain situations, which we will describe in “Uses and Disclosures Requiring Your Written Authorization” below, we must obtain your written authorization in order to use and/or disclose your health information.

However, unless the health information is Highly Confidential Information (as defined in “Uses and Disclosures Requiring Your Written Authorization” below) and the applicable law regulating such information imposes special restrictions on us, we may use and disclose your health information without your written authorization for the following purposes:

A. Treatment. We use and disclose your health information to provide treatment and other services to you. For example, we may use your information to provide healthcare services to you or consult with your other healthcare providers about your care. We may use your information to direct or recommend alternative treatments, therapies, health care providers, or settings of care to you or to describe a health-related product or service. We may also disclose health information to other providers involved in your treatment.

B. Payment. We may use and disclose your health information to obtain payment for healthcare services that we provide to you. For example, disclosures to verify your eligibility with, and claim and obtain payment from, your health insurer, HMO, Medicare, Medicaid, or other company or program that arranges or pays the cost of your health care. We may also disclose health information to your other health care providers when such health information is required for them to receive payment for services they render to you.

C. Health Care Operations. We may use and disclose your health information for our health care operations, which include internal administration and planning and various activities that improve the quality and cost effectiveness of the care that we deliver to you. For example, we may use health information to evaluate the quality and competence of our healthcare professionals, provide customer service, and to coordinate your care.

D. Business Associates. We use certain vendors and subcontractors (called “business associates”) to help us operate our business, and we may share your health information with these business associates so that they can perform the job we have asked them to do. To further protect your health information, we require our business associates to appropriately safeguard your health information by contract.

E. Disclosure to Relatives, Close Friends, and Other Caregivers. We may use or disclose your health information to a family member, other relative, a close personal friend or any other person identified by you when you are present for, or otherwise available prior to, the disclosure, if: (1) we obtain your agreement or provide you with the opportunity to object to the disclosure and you do not object; or (2) we reasonably infer that you do not object to the disclosure.

If you are not present for or unavailable prior to a disclosure (e.g., when we receive a telephone call from a family member or other caregiver), we may exercise our professional judgment to determine whether a disclosure is in your best interests. If we disclose information under such circumstances, we will disclose only information that is directly relevant to the person’s involvement with your care.

F. As Required by Law. We may use and disclose your health information when required to do so by any applicable federal, state, or local law.

G. Public Health Activities. We may disclose your health information: (1) to report health information to public health authorities for the purpose of preventing or controlling disease, injury or disability; (2) to report child abuse and neglect to a government authority authorized by law to receive such reports; (3) to report information about products under the jurisdiction of the U.S. Food and Drug Administration; (4) to alert a person who may have been exposed to a communicable disease or may otherwise be at risk of contracting or spreading a disease or condition; and (5) to report information to your employer as required under laws addressing work-related illnesses and injuries or workplace medical surveillance.

H. Victims of Abuse, Neglect or Domestic Violence. We may disclose your health information if we reasonably believe you are a victim of abuse, neglect or domestic violence to a government authority authorized by law to receive reports of such abuse, neglect, or domestic violence.

I. Health Oversight Activities. We may disclose your health information to an agency that oversees the healthcare system and is charged with responsibility for ensuring compliance with the rules of government health programs such as Medicare or Medicaid.

J. Judicial and Administrative Proceedings. We may disclose your health information in connection with a judicial or administrative proceeding in response to a legal order or other lawful process.

K. Law Enforcement Officials. We may disclose your health information to the police or other law enforcement officials as required by law or in compliance with a court order.

L. Decedents. We may disclose your health information to a coroner or medical examiner as authorized by law.

M. Organ and Tissue Procurement. We may disclose your health information to organizations that facilitate organ, eye or tissue procurement, banking, or transplantation.

N. Clinical Trials and Other Research Activities. We may use and disclose your health information for research purposes pursuant to a valid authorization from you or when an institutional review board or privacy board has waived the authorization requirement. Under certain circumstances, your health information may be disclosed without your authorization to researchers preparing to conduct a research project, for research on decedents or as part of a data set that omits your name and other information that can directly identify you.

O. Health or Safety. We may use or disclose your health information to prevent or lessen a serious and imminent threat to a person’s or the public’s health or safety.

P. Specialized Government Functions. We may use and disclose your health information to units of the government with special functions, such as the U.S. military or the U.S. Department of State under certain circumstances.

Q. Workers’ Compensation. We may disclose your health information as authorized by and to the extent necessary to comply with state law relating to workers’ compensation or other similar programs.

Uses and Disclosures Requiring Your Written Authorization

For any purpose other than the ones described above in “Permissible Uses and Disclosures Without Your Written Authorization”, we only use or disclose your health information when you give us your written authorization.

A. Marketing. We must obtain your written authorization prior to using your health information for purposes that are marketing under the HIPAA privacy rules. For example, we will not accept any payments from other organizations or individuals in exchange for making communications to you about treatments, therapies, health care providers, settings of care, case management, care coordination, products or services unless you have given us your authorization or the communication is permitted by law.

We may provide refill reminders or communicate with you about a drug or biologic that is currently prescribed to you so long as any payment we receive for making the communication is reasonably related to our cost of making the communication. In addition, we may market to you in a face-to-face encounter and give you promotional gifts of nominal value without obtaining your written authorization.

B. Sale of health information. We will not make any disclosure of Protected Health Information that is a sale of health information without your written authorization.

C. Uses and Disclosures of Your Highly Confidential Information. Federal and state law requires special privacy protections for certain health information about you (“Highly Confidential Information”), including information regarding substance use disorders, mental health, HIV/AIDS and other communicable disease, and other health information that is given special privacy protection under state or federal laws other than HIPAA. In order for us to disclose any Highly Confidential Information for a purpose other than those permitted by law, we must obtain your authorization.

D. Revocation of Your Authorization. You may revoke your authorization, except to the extent that we have already acted in reliance upon it, by delivering a written revocation statement to us at our contact information identified below.

Your Individual Rights

A. For Further Information; Complaints. If you desire further information about your privacy rights, are concerned that we have violated your privacy rights or disagree with a decision that we made about access to your health information, you may contact us. You may also file written complaints with the Office for Civil Rights of the U.S. Department of Health and Human Services (“OCR”). Upon request, we will provide you with the correct address for OCR. We will not retaliate against you if you file a complaint with us or OCR.

B. Right to Request Additional Restrictions. You may request restrictions on our use and disclosure of your health information (1) for treatment, payment and healthcare operations, (2) to individuals (such as a family member, other relative, close personal friend or any other person identified by you) involved with your care or with payment related to your care, or (3) to notify or assist in the notification of such individuals regarding your location and general condition. While we will consider all requests for additional restrictions carefully, we are not required to agree to a requested restriction unless the request is to restrict our disclosure to a health plan for purposes of carrying out payment or health care operations, the disclosure is not required by law and the information pertains solely to a health care item or service for which you (or someone on your behalf other than the health plan) have paid us out of pocket in full. If you wish to request additional restrictions, please obtain a request form from us and submit the completed form to us. We will send you a written response.

C. Right to Receive Communications by Alternative Means or at Alternative Locations. You may request, and we will accommodate, any reasonable written request for you to receive your health information by alternative means of communication or at alternative locations.

D. Right to Inspect and Copy Your Health Information. You may request access to your medical record file and billing records maintained by us in order to inspect and request copies of the records. Under limited circumstances, we may deny you access to a portion of your records. If you desire access to your records, please obtain a record request form from us and submit the completed form to us. If you request copies, we may charge you a reasonable copy fee.

E. Right to Amend Your Records. You have the right to request that we amend your health information maintained in your medical record file or billing records. If you desire to amend your records, please obtain an amendment request form from us and submit the completed form to us. We will comply with your request unless we believe that the information that would be amended is accurate and complete or other special circumstances apply.

F. Right to Receive an Accounting of Disclosures. Upon request, you may obtain an accounting of certain disclosures of your health information made by us during any period of time prior to the date of your request provided such period does not exceed six years. If you request an accounting more than once during a twelve (12) month period, we may charge you a reasonable fee for the accounting statement.

G. Right to Receive Paper Copy of this Notice. Upon request, you may obtain a paper copy of this Notice, even if you agreed to receive such notice electronically.

Changes to This Notice

We may change the terms of this Notice at any time. If we change this Notice, we may make the new notice terms effective for all your health information that we maintain, including any information created or received prior to issuing the new notice. If we change this Notice, we will update the “Effective Date” at the top of this Notice and post the new notice on our website at www.willowbehavioralhealth.com. You also may obtain any new notice by contacting us.

Contact Information

You may contact us at:

Willow Health

2248 Broadway #1073, New York, NY 10024

646-814-1530

privacy@willowbehavioralhealth.com

HIPAA Privacy Policy and Procedures Manual

OSIER HEALTH P.C.

1.0 Introduction
1.01 Introduction
The Health Insurance Portability and Accountability Act of 1996, including its regulations implementing certain privacy requirements (the “Privacy Rule”), certain breach notification requirements (the “Breach Notification Rule”), and certain security requirements regarding information transmitted by or maintained in Electronic Media (the “Security Rule”), each as amended from time to time (collectively “HIPAA”), and as enforced by the US Department of Health and Human Services (“HHS”), imposes certain health information obligations on Osier Health P.C., its subsidiaries, and its affiliated medical groups, laboratories, and other facilities (“Company”) in each entity’s role as a Covered Entity or Business Associate.  These obligations concern the privacy and security of individually identifiable health information that Company receives from individuals or other Covered Entities.

This HIPAA Privacy Policy and Procedures Manual (the “Policy”) describes the policies and procedures of Company that are intended to comply with the requirements of the Privacy Rule and the Breach Notification rule. Company’s policies and procedures that are intended to comply with the requirements of the Security Rule are set forth in a separate Company manual, the “HIPAA Security Policy and Procedures Manual.”

The Privacy Rule restricts Company’s ability to use and disclose certain individually identifiable health information that is termed “protected health information” or “PHI.” For purposes of this Policy:
Protected Health Information or “PHI” means information that is individually identifiable health information that would be considered “protected health information” under HIPAA, including information received from a Covered Entity or created, received, or maintained on behalf of a Covered Entity and relates to the past, present, or future physical or mental health condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and that identifies an individual, or for which there is a reasonable basis to believe the information can be used to identify an individual, including name, date of birth, or social security number. PHI includes information of persons living or who have been deceased for 50 years or less.

Other words and phrases that are capitalized in this Policy, and not specifically defined when used have special meanings that are defined in Section 6 below; provided that any capitalized term not specifically defined in this Policy shall have the same meaning as is set forth in HIPAA, and all words and phrases defined in Section 7 that are also defined in HIPAA are intended to have the same meaning as is set forth in HIPAA.


The Policy consists of seven (7) sections:
Section 1 is an introduction that describes the purpose of the Policy and its organization.
Section 2 describes Company’s policies and procedures for complying with the administrative requirements of the Privacy Rule.
Section 3 describes Company’s policies and procedures for using and disclosing PHI, including procedures for verifying the identity of those requesting PHI.
Section 4 describes Company’s policies and procedures for addressing breach of unsecured PHI.
Section 5 describes Company’s procedures for complying with the Privacy Rule’s documentation requirement.
Section 6 defines key terms that are used in this Policy. The defined terms are capitalized throughout the Policy.
Section 7 contains links to key resources related to the implementation of this Policy, including the text of the HIPAA Privacy Rule and Breach Notification Rule and helpful third-party documents.

It is Company’s policy to comply fully with the Privacy Rule and Breach Notification requirements.  To that end, all members of Company’s workforce who have access to PHI to carry out their duties (the “Workforce”) must comply with this Policy. For purposes of this Policy, the Workforce includes individuals who would be considered part of Company’s Workforce under the Privacy Rule, such as employees, volunteers, trainees, and other persons whose work performance is under the direct control of Company, whether or not they are paid by Company.  The Policy (or the applicable portions) will be provided to the Workforce who have Access to PHI. These Workforce members will also receive updates that reflect any changes in law or the Policy's procedures. Workforce members can obtain more information from Company’s Privacy Official.

No third party rights (including but not limited to rights of Company employees, clients, other Covered Entities, or Business Associates) are created by this Policy.  Company reserves the right to amend or change this Policy at any time (and even retroactively) without notice.  To the extent this Policy establishes requirements and obligations above and beyond those required by the Privacy Rule and Breach Notification Rule, the Policy will be aspirational and will not be binding upon Company, nor give rise to a violation of the Privacy Rule or the Breach Notification Rule.  This Policy does not address requirements under other federal laws or under state laws.  Furthermore, this Policy is designed solely to meet the requirements of the Privacy Rule and Breach Notification Rule and serves no purpose under the Employee Retirement Income Security Act of 1974 (“ERISA”).  Thus, this Policy shall not be deemed to constitute a contract under any applicable law, is not a health plan document under ERISA, and individuals may not bring a private cause of action based on this Policy or Company’s obligations under the Privacy Rule or Breach Notification Rule.


2.0 Administrative Requirements
2.01 Privacy Official
Company shall at all times have a designated Privacy Official who is responsible for the development and implementation of policies and procedures relating to privacy, including but not limited to this Policy.  The Privacy Official will also serve as Company’s contact person who is responsible for receiving complaints regarding Company’s compliance with the Privacy Rule, the Breach Notification Rule and this Policy, and providing further information about matters covered by Company’s Notice of Privacy Rights.  Wherever this Policy refers to the Privacy Official such reference will include any person delegated by the Privacy Official, whether such delegation is oral or written.
The Privacy Official is:
Name: Lauren Morrell
Mobile: (646) 814-1531
Email: privacy@willowbehavioralhealth.com
[45 C.F.R. § 164.530(a)]

2.02 Workforce Training
a. Policy
The Privacy Official is charged with developing training schedules and programs so that all Workforce members receive the training necessary and appropriate to permit them to carry out their functions for Company.

b. Procedures
(i) All current Workforce members shall be trained annually regarding the Privacy Rule, the Breach Notification Rule, and applicable procedures.
(ii) All new Workforce members will be trained within a reasonable time after joining the Workforce.
(iii) Training is presented by the Privacy Official or Security Official. The training includes a PowerPoint presentation, a handout, and quiz examination at the completion of the training.
(iv) If this Policy is materially changed, the Privacy Official will perform a new training session for the Workforce members whose functions are affected by a material change in this Policy or the Privacy Rule or Breach Notification Rule within a reasonable time after the new Policy takes effect.
(v) The Privacy Official shall document that all training has been provided as required (such as through training rosters that show training dates, the subject of the training, and the names of attendees) in accordance with the Policy’s procedures under Section 5.03 (“Documentation”).
[45 C.F.R. § 164.530(b)]


2.03 Administrative, Technical and Physical Safeguards
a. Policy
Company has established and shall implement appropriate administrative, technical and physical safeguards to protect the privacy of PHI.  Company shall reasonably safeguard PHI from any intentional or unintentional use or disclosure of PHI that violates the Privacy Rule’s requirements, and shall reasonably safeguard PHI to limit incidental uses or disclosures made pursuant to an otherwise permitted or required use or disclosure.

b. Procedures
(vi) While working on a specific document or file, Workforce members will take measures to prevent others from viewing it and keep all other documents containing PHI inside folders or face down;
(vii) When Workforce members are away from their workstations during the day, such as breaks and lunch, PHI must be put in a drawer and when leaving for the day, PHI information must be placed in a locked drawer or cabinet;
(viii) The number of photocopies made of PHI must be limited;
(ix) E-mails containing PHI must be limited to the Minimum Necessary, for example, strings of e-mails containing PHI should not be forwarded;
(x) To assure PHI confidentiality, conversations regarding PHI are not to take place in elevators, in the hallway, lunch/break rooms or while standing in the aisles of the office and Workforce members whose workstations are in cubicles should speak at low volumes and never use speakerphone;
(xi) Before speaking to any individual about his or her PHI, Workforce members must verify the individual’s identity in accordance with Section 3.08 (“Verification of Identity of Those Requesting PHI”);
(xii) When on the telephone, Workforce members must lower their voices to prevent others from overhearing conversations regarding PHI;
(xiii) Documents or files containing PHI must not be removed from the office without the specific advance written approval of the Privacy Official, which shall record all pertinent information to track the transaction and documents generated during client site visits (e.g. paper quick screen) shall be returned to the office on the following business day and kept in a secure location until returned;
(xiv) Documents with PHI, which are distributed internally, must be placed in distinct inter office envelopes (i.e. red envelopes) or labeled in large font as “CONFIDENTIAL, CONTAINS PHI”;
(xv) Social Security numbers must not be used as identifiers in e-mails;
(xvi) All papers which are being discarded containing PHI must be placed in the shredder bin before leaving the office for the day;
(xvii) A password is not to be written where someone can see it or find it and passwords are never to be shared with anyone including managers or IT staff;
(xviii) A Workforce member’s computer must be locked before the Workforce member leaves the workstation;
(xix) Telephone calls are not to be monitored with speaker or speakerphones on.  When it is necessary to monitor or listen to audible sources of PHI all necessary precautions must be taken to protect the privacy of those communications; and
(xx) Only authorized personnel are permitted in work areas. Visitors must sign in at one of the front desks and reasonable steps must be taken to avoid exposing visitors to PHI.
[45 C.F.R. § 164.530(c)]


2.04 Complaints
a. Policy
The Privacy Official will be Company’s contact person for receiving complaints about this Policy, and Company’s compliance with this Policy or the requirements of the Privacy Rule or Breach Notification Rule, and for handling such complaints.

b. Procedures
(xxi) The Privacy Official will review and handle complaints.
(xxii) The Privacy Official will document complaints received and their resolutions in accordance with the Policy’s procedures under Section 5.03 (“Documentation”).
[45 C.F.R. § 164.530(d)]

2.05 Sanctions
a. Policy
Sanctions against Workforce members for using or disclosing PHI in violation of this Policy, or the requirements of the Privacy Rule or the Breach Notification Rule (subject to protections afforded to whistleblowers, and in compliance with applicable anti-retaliation requirements set forth in Section 2.06) will be imposed in accordance with Company’s discipline policy, as outlined in the Employee Handbook, and may include discipline up to and including termination.

b. Procedures
(xxiii) During training, Workforce members are informed that sanctions may be imposed if the Policy is violated.
(xxiv) Appropriate sanctions will be determined based on the nature of the violation, its severity, and whether it was intentional or unintentional. Such sanctions may include, without limitation, verbal counseling, written warnings, probationary periods and/or termination of employment.
(xxv) Application of any sanctions will be documented in accordance with the Policy’s procedures under Section 5.03 (“Documentation”).
[45 CFR § 164.530(e)]

2.06 No Intimidating or Retaliatory Acts; No Waiver of the Privacy Rule
a. Policy
Company, in compliance with HIPAA, shall not, and no Workforce member shall, intimidate, threaten, coerce, discriminate against, or take other retaliatory action against any individual or other person: (i) for the exercise of any right established, or for participation in any process provided for by the Privacy Rule or Breach Notification Rule, or (ii) for filing a complaint under HIPAA, or (iii) for testifying, assisting or participating in an investigation, compliance review, proceeding or hearing under HIPAA, or (iv) for opposing any act or practice made unlawful by HIPAA, provided the individual or person has a good faith belief that the practice opposed is unlawful, and the manner of opposition is reasonable and does not involve a disclosure of PHI in violation of the Privacy Rule.  In addition, Company shall not require individuals to waive their rights under HIPAA to make a complaint to the Secretary of HHS, or any right under the Privacy Rule or the Breach Notification Rule, as a condition of the provision of treatment, payment, enrollment in a health plan, or eligibility for benefits.

b. Procedure
If a Workforce member or other person becomes aware of a violation of the foregoing prohibitions against intimidation, retaliation, etc., the Workforce member or other person will promptly (but not later than 24 hours) notify the Privacy Official.
[45 CFR §§164.530(g), (h)]


3.0 Uses and Disclosures of PHI
3.01 Business Associate Uses and Disclosures of PHI
a. Policy
As a Business Associate, Company may use or disclose PHI only as permitted or required by the individual patient, or as permitted or required by law. Company may use and disclose PHI for purposes of treatment, payment and/or operations without express patient authorization. Company may also use and disclose PHI for the proper management and administration of Company so long as such uses or disclosures are permitted by law.

b. Procedures
Company will comply with the following requirements:
(xxvi) Use appropriate safeguards to prevent use or disclosure of PHI as set forth in Company’s HIPAA Security Policy and Procedures Manual;
(xxvii) Promptly report to affected individuals and the Office of Civil Rights (“OCR”) any unauthorized access, use or disclosure of PHI of which it becomes aware, including breaches of unsecured PHI as further set forth in Section 4 (“Breaches of Unsecured PHI”);
(xxviii) Execute and enforce Business Associate Agreements with all Business Associates that create, receive, maintain or transmit PHI on behalf of Company. A sample Business Associate Agreement is attached hereto in Exhibit A.
(xxvix) Require Business Associates to obtain written assurances from any subcontractors that create or receive, maintain, or transmit PHI on behalf of Company that they shall adhere to the same restrictions and conditions that apply to Company and Company’s Business Associates with respect to such PHI as further set forth in Section 3.04 (“Disclosures of PHI to Business Associates”);
(xxx) Disclose and amend an individual’s PHI as set forth in Section 3.02 (“Mandatory Disclosure of PHI to the Individual”) and Section 3.03 (“Individuals’ Access to PHI and Requests for Copies or Amendments”);
(xxxi) Upon an individual’s request, provide an accounting of disclosures as required by the Privacy Rule;
(xxxii) Company will not use or disclose PHI in a manner that would violate the Privacy Rule;
(xxxiii) Make reasonable efforts to limit PHI to the “minimum necessary” to accomplish the intended purpose of the use, disclosure or request;
(xxxiv) Make its internal practices and records related to the use and disclosure of PHI available to HHS for purposes of determining compliance with the Privacy Rule; and
(xxxv) Require the return or destruction of PHI at the termination of a contract with a Business Associate, if feasible, or if such return or destruction is not feasible, ensure the Business Associate will extend the protections of the PHI set forth in the Business Associate Agreement to the PHI and limit further uses and disclosures.
[45 C.F.R. § 164.502(a)(3); 45 C.F.R. §164.504(e)(2)(ii)]

3.02 Mandatory Disclosures of PHI to the Individual
a. Policy
An individual’s PHI must be disclosed to the individual who is the subject of the information as required by the Privacy Rule.

b. Procedures
(xxxvi) Follow the procedures for verifying the identity of the individual as set forth at Section 3.08 (“Verification of Identity of Those Requesting PHI”); and
(xxxvii) Follow the procedures set at Section 3.03 (“Individuals’ Access to PHI and Requests for Copies or Amendments”).


3.03 Individuals’ Access to PHI and Requests for Copies or Amendments
a. Policy
The Privacy Rule gives individuals the right to access and obtain copies of their PHI that Company maintains in designated record sets. The Privacy Rule also provides that individuals may request to have their PHI amended. Company will only consider requests for access or amendments that are submitted in writing.

A “Designated Record Set,” for purposes of this Policy, is defined as in the Privacy Rule and consists of a particular group of “records” maintained by Company or maintained by a Business Associate on Company’s behalf. “Records” mean any item, collection or grouping of information that includes PHI and is maintained, collected, used or disseminated by or for Company.

b. Procedures
(xxxviii) Requests for Access to and/or Copy of PHI. Upon receiving a written request from an individual (or a minor’s parent or an individual’s authorized personal representative under applicable law) for access to an individual’s PHI held in a designated record set, the Workforce member must take the following steps:
(a) Follow the procedures for verifying the identity and, as applicable, the authority of the requester, as set forth in Section 3.08 (“Verification of Identity of Those Requesting PHI”).
(b) Review the disclosure request, including by consulting and coordinating with Business Associates if necessary.  This will include a review to determine whether the PHI at issue is held in a Designated Record Set of Company, a Business Associate or a Company Subcontractor.  It will also include review to determine whether an exception to the disclosure requirement might exist under the Privacy Rule; for example, disclosure may be denied for requests to access psychotherapy notes, documents compiled for a legal proceeding, certain requests by inmates, information compiled during research when the individual has denied access, information obtained under a promise of confidentiality, and other disclosures that are determined by a health care professional to be likely to cause harm.  All Workforce member determinations to approve or deny access must be reviewed and approved by the Privacy Official.
(c) Respond to the request, including by consulting and coordinating with Business Associates and Subcontractors, as applicable.  This will include providing the information or denying the request within 30 days.  If the requested PHI cannot be accessed within the 30-day period, the deadline may be extended for no more than 30 days by providing written notice to the individual within the original 30-day period of the reasons for the extension and the date by which the Plan will respond.
(1) A denial notice must comply with Privacy Rule requirements, including by containing: (i) the basis for the denial; (ii) a statement of the individual’s right to request a review of the denial, if applicable; and (iii) a statement of how the individual may file a complaint concerning the denial.  All notices of denial must be prepared or approved by the Privacy Official.
(2) If the request is approved, provide the information requested, in the form and format requested by the individual, if readily producible in such form.  Otherwise, provide the information in a readable hard copy or such other form and format as is agreed to by the individual, except that if the requested PHI is maintained electronically, and the request is made for an electronic copy, Company must provide the PHI in the electronic form and format requested, if it is readily producible in such form and format; or, if not, in a readable electronic form and format as agreed to by Company and the individual. Individuals have the right to receive a copy directly by mail or come in and pick up a copy.  Individuals also have the right to come in and inspect the information.

(3) If the individual has requested a summary and explanation of the requested information in lieu of, or in addition to, the full information (including agreeing in advance to the fees imposed, if any, by Company, for the summary and explanation), prepare such summary and explanation of the information requested, and make it available to the individual in the form or format requested by the individual.  All such statements must be reviewed and approved by the Privacy Official.
(4) If the individual’s request for access directs Company to transmit the PHI directly to another person designated by the individual, the Workforce member shall provide the copy to the person designated by the individual.  This designation must be in writing, signed by the individual, and clearly identify the designated person and where to send the copy of PHI.  Any such requests shall be reviewed and approved by the Privacy Official.
(d) Charge a reasonable cost-based fee for copying, postage, and preparing a summary, which shall include the costs for supplies for electronic media if the individual requests that the electronic copy be provided on portable media.  The calculation of this fee may include consulting and coordinating with Business Associates, or Subcontractors, as applicable.  The fee for preparing a summary must be agreed to in advance by the individual.
(xxxix) Disclosure requests and associated matters must be documented in accordance with the Policy’s procedures under Section 5.03 (“Documentation”).
(xl) Request to Amend PHI. Upon receiving a written request from an individual (or a minor’s parent or an individual’s authorized personal representative under applicable law) for amendment of an individual’s PHI held in a Designated Record Set, the Workforce member must take the following steps:
(a) Follow the procedures for verifying the identity, and as applicable, the authority of the requester as set forth in Section 3.08 (“Verification of Identity of Those Requesting PHI”);
(b) Review the request for amendment, including by consulting and coordinating with Business Associates and Subcontractors, as applicable. This will include determining whether the PHI at issue is held in a Designated Record Set of Company or a Business Associate (or its Subcontractors).  It will also include reviewing the request for amendment, to determine whether the amendment is appropriate under the Privacy Rule, including regarding whether the PHI was created by Company or a Business Associate (or its subcontractors), would be available for access and inspection by the individual under subparagraph (i), above; and is accurate and complete without the amendment. All Workforce member determinations to approve or deny an amendment request must be reviewed and approved by the Privacy Official.
(c) Respond to the request, including by consulting and coordinating with Business Associates and Subcontractors, as applicable. This will include responding within 60 days by informing the individual in writing that the amendment will be made or that the request is denied.  If the determination cannot be made within the 60-day period, the deadline may be extended for no more than 30 days by providing written notice to the individual within the original 60‑day period of the reasons for the extension and the date by which Company will respond.

(1) When an amendment is accepted, make appropriate changes and notations in the applicable Designated Record Set in accordance with Privacy Rule requirements.  All such notations and changes must be reviewed and approved by the Privacy Official.
(2) With respect to all approved amendments, in accordance with Privacy Rule requirements, and within the time period specified in subparagraph (c), above, provide appropriate notice to the individual of the amendment, and obtain the individual's identification and agreement regarding persons who have received the applicable PHI and require the amendment.  Also, Company shall make reasonable efforts to identify and notify within a reasonable time other persons/entities who are known to have the particular record (e.g. other Business Associates or Subcontractors) and who may rely on the uncorrected information to the detriment of the individual.
(3) When an amendment request is denied, the following procedures apply:
(A) A denial notice must comply with Privacy Rule requirements, including by containing (i) the basis for the denial; (ii) information about the individual’s right to submit a written statement disagreeing with the denial and how to file such a statement; (iii) an explanation that the individual may (if he or she does not file a statement of disagreement) request that the request for amendment and its denial be included in future disclosures of the information; and (iv) a statement of how the individual may file a complaint concerning the denial.  All notices of denial must be prepared or approved by the Privacy Official;
(B) The Privacy Official shall be responsible for assuring that Company complies with all HIPAA Privacy Rule requirements regarding any individual's statement of disagreement and shall coordinate any Company rebuttal/response to such statement of disagreement, including, without limitation, all record-keeping requirements with respect to such matters.
(d) Amendment requests and associated matters must be documented in accordance with the Policy’s procedures under Section 5.03 (“Documentation”).
[45 C.F.R. § 164.524; 45 C.F.R. § 164.526]


3.04 Disclosures of PHI to Business Associates
a. Policy
Workforce members may disclose PHI to Company or Company’s Business Associates, subject to certain safeguards, including the execution of a Business Associate Agreement that satisfies the Privacy Rule requirements.

b. Procedures
(xli) All uses and disclosures by a Business Associate must be made in accordance with a valid Business Associate Agreement between Company and the Business Associate.  The Privacy Official shall provide management with a list of Subcontractors to whom PHI may be disclosed, and a form Business Associate Agreement to be used with any Subcontractors of the Business Associate, if applicable.  Changes to the form Business Associate Agreement must be approved by the Privacy Official.  Before providing PHI to a Business Associate, Workforce members must verify that the Business Associate is on such list;
(xlii) The following additional procedures must be satisfied:
(a) Disclosures must be consistent with the terms of the Business Associate Agreement; and
(b) Disclosures must comply with Section 3.07 (“Complying with the Minimum Necessary Standards”).
(xliii) Evidence of the Business Associate’s Agreement to safeguard PHI must be documented in accordance with the Policy’s procedures under Section 5.03 (“Documentation”);
(xliv) If a Workforce member becomes aware of a pattern of activity or practice that may be a material breach or violation of the Business Associate’s obligations under its Business Associate Agreement, this Policy or the Privacy Rule, the Workforce member should notify the Privacy Official.  The Privacy Official will assess the situation and in particular determine if there has been a material breach or violation of the Business Associate’s obligations under its Business Associate Agreement, and take reasonable steps to cure the breach or end the violation, as applicable.  If such steps are unsuccessful, the Privacy Official will take any additional reasonable steps to cure the breach or end the violation, as applicable.  If such steps are unsuccessful, Company will terminate the Business Associate Agreement, if feasible.  In addition, further appropriate action will be taken, for example, determining if the violation falls within Section 4 (“Breaches of Unsecured PHI”).
[45 C.F.R. §164.502(e)(1)(ii)]

3.05 Disclosure of PHI With Authorization
a. Policy
Company may make disclosures of PHI not otherwise permitted under the Privacy Rule when authorized by the individual whose PHI will be disclosed (or by the personal representative of the individual).  PHI may be disclosed for any purpose if an authorization that satisfies all of the Privacy Rule’s requirements for a valid authorization is provided.  All uses and disclosures made pursuant to a signed authorization must be consistent with the terms and conditions of the authorization.


b. Procedures
Any requested disclosure to a third party that does not fall within one of the categories for which disclosure is permitted or required (i.e., the individual to whom the PHI pertains or the relevant Covered Entity) may be made pursuant to an individual authorization.  In addition, except for certain narrow exceptions permitted by law (such as legal defense), Company, in compliance with the Privacy Rule, will not use or disclose PHI that is a mental health professional’s psychotherapy notes (discrete notes that document the contents of conversation during counseling sessions) without prior authorization, and will not use or disclose PHI for any paid marketing activities, or sell PHI without prior authorization.
If an authorization is requested, the following procedures will be followed:
(xlv) Following the procedures for verifying the identity of the individual (or the individual’s representatives) set forth in Section 3.08 (“Verification of Identity of Those Requesting PHI”).
(xlvi) Prior to any use or disclosure of information pursuant to an authorization, the Privacy Official shall verify that the authorization form is valid in accordance with the Privacy Rule.  Generally, valid authorization forms are those that:
(a) Are properly signed and dated by the individual or the individual’s representative;
(b) Are not expired or revoked.  The expiration date of the authorization form must be a specific date or a specific time period (e.g., one year from the date of signature), or an event directly relevant to the individual or the purpose of the use or disclosure;
(c) Contain a description of the information to be used or disclosed;
(d) Contain the name of the entity or person authorized to use or disclose the PHI;
(e) Contain the name of the recipient of the use or disclosure;
(f) Contain a statement regarding the individual’s right to revoke the authorization and the procedures for revoking authorizations;
(g) Contain a statement regarding the possibility for a subsequent re‑disclosure of the information.
(xlvii) A copy of the authorization should be provided to the authorizing individual unless the individual indicates on the authorization form that he/she does not want a copy;
(xlviii) All uses and disclosures made pursuant to an authorization must be consistent with the terms and conditions of the authorization;
(xlviv) A copy of each verified and signed authorization shall be documented in accordance with the Policy’s procedures under Section 5.03 (“Documentation”);
(l) If the authorization is revoked or expired, subsequent uses and disclosures only permitted by an authorization should cease until a new authorization is executed.
[45 C.F.R. §164.502(a)(1)(iv); 45 C.F.R. § 164.508]


3.06 Disclosures of De-Identified Information
a. Policy
Company may use and disclose information that has been de-identified in accordance with the Privacy Rule.  Generally, de-identified information is health information that does not identify an individual and with respect to which there is no reasonable basis to believe that the information can be used to identify an individual. There are two ways Company can determine that information is de-identified:  either by professional statistical analysis, or by removing the specific identifiers listed below.  Workforce members should consult with the Privacy Official with any specific questions regarding the de-identification of PHI in accordance with the Privacy Rule. Generally, the identifiers that must be removed are as follows:
(li) Names;
(lii) All geographic subdivisions smaller than a state;
(liii) All elements of dates (except year) for dates directly related to an individual, including birthdate, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older;
(liv) Telephone numbers;
(lv) Fax numbers;
(lvi) Electronic mail addresses;
(lvii) Social security numbers;
(lviii) Medical record numbers;
(lvix) Health Plan beneficiary numbers;
(lx) Account numbers;
(lxi) Certificate/license numbers;
(lxii) Vehicle identification and serial numbers, including license plate numbers;
(lxiii) Device identifiers and serial numbers;
(lxiv) Web Universal Resource Locators (URLs);
(lxv) Internet Protocol (IP) address numbers;
(lxvi) Biometric identifiers, including finger and voice prints;
(lxvii) Full face photographic images and any comparable images; and
(lxviii) Any other unique identifying number, characteristic, or code.

b. Procedures
Workforce members must obtain approval from the Privacy Official for the disclosure of de-identified information. The Privacy Official will verify that the information is de-identified. Company may use and disclose de-identified information. De-identified information is not PHI.
[45 C.F.R. §164.514(b)]


3.07 Complying with the “Minimum Necessary Standard”
a. Policy
The Privacy Rule generally requires that when Company uses or discloses PHI, or when Company requests PHI from another Covered Entity or Business Associate, Company must make reasonable efforts to limit PHI to the “minimum necessary” to accomplish the intended purpose of the use, disclosure or request.

b. Procedures
(lxix) Workforce members may reasonably rely on a requested disclosure of PHI as the minimum necessary for the stated purpose if the PHI is requested by a professional who is a member of the Workforce or another Covered Entity for the purpose of providing treatment or payment for treatment for an individual, or for Company’s internal business operations. For all other requests for disclosures of PHI, Workforce members must determine that the amount of information disclosed is the minimum necessary to accomplish the intended purpose of the disclosure.  If a Workforce member has a question regarding whether a use or disclosure of PHI meets the minimum necessary standard, he or she is required to consult with the Privacy Official, who shall assist in making the determination.
(lxx) The minimum necessary standard does not apply to any of the following:
(a) Disclosures made to the individual;
(b) Uses or disclosures made pursuant to an individual authorization;
(c) Disclosures made to HHS;
(d) Uses or disclosures required by law; and
(e) Uses or disclosures required to comply with HIPAA.
(lxxi) If a Workforce member requests PHI from another Covered Entity or Business Associate, such request must be limited to the minimum necessary for the requested purpose;
(lxxii) The Privacy Official shall identify those persons or classes of persons, as appropriate, that are Workforce members and who accordingly need access to PHI to carry out their duties; and for each such person or class of persons, the category or categories of PHI to which access is needed and any conditions appropriate to such access.  Documentation of these determinations shall be retained pursuant to Section 5.03 (“Documentation”).
[45 C.F.R. §164.502(b)]


3.08 Verification of Identity of Those Requesting PHI
a. Policy
Company must verify the identity and authority of individuals requesting PHI before disclosing such PHI.

b. Procedures
Workforce members must take steps to verify the identity of individuals who request PHI.  They must also verify the authority of any person to have access to PHI, if the identity or authority of such person is not known.  Separate procedures are set forth below for verifying the identity and authority, depending on whether the request is made by the individual, a parent seeking access to the PHI for his or her minor child, an authorized personal representative under applicable law, or a public official.
(lxxiii) When an individual requests access to his or her own PHI, the following steps must be followed:
(a) If the individual requests PHI in person, Workforce members must request a form of identification.  Workforce members may rely on a valid driver’s license, passport or other photo identification issued by a government agency.
(b) If the individual requests PHI over the telephone, the Workforce member must verify the individual’s identity by requesting all of the following information: (i) address, (ii) date of birth, and (iii) Social Security number, or other unique identifier.
(lxxiv) When a parent requests access to the PHI of the parent’s minor child, seek verification of the person’s relationship with the child. Such verification may take the form of confirming enrollment of the child in the parent’s health plan as a dependent and no notation in the file that either such child’s information should not be shared with one of the parents or that the minor is considered an “emancipated minor.”  However, applicable state or other laws may, in select circumstances, limit parental access to a minor’s PHI for certain sensitive services where a minor is authorized to personally consent to treatment without parental consent (e.g., regarding HIV/AIDS treatment, or treatment for sexually transmitted illness) and the Privacy Official should be consulted regarding parental inquiries with respect to these types of services;
(lxxv) When a personal representative requests access to an individual’s PHI, the following steps should be followed:

(a) Require a copy of a valid power of attorney or other official documentation that authorizes the individual to access the requested PHI under applicable state or other law (such as court-appointment as a guardian or trustee, appointment under a power of attorney or health care proxy, or appointment as executor of an estate).  With respect to a living individual, the documentation must grant the personal representative the authority to act on behalf of the individual in making decisions related to health care, which would include decisions relating to payment for health care, and the personal representative may access the individual’s PHI only to the extent that PHI is relevant to the matters on which the personal representative is authorized to represent the individual. For deceased individuals, a person may be a personal representative of a deceased individual if they have the authority to act on behalf of such individual or such individual's estate for any decision, not only decisions related to health care, and would generally be entitled to access all PHI.  The Privacy Official should be consulted to verify the authority of the individual to access the requested PHI as a personal representative under the documentation provided;
(b) A copy of the authorizing documentation provided shall be documented in accordance with the Policy’s procedures under Section 5.03 (“Documentation”);
(lxxvi) If a public official requests access to PHI, the following steps should be followed to verify the official’s identity and authority:
(a) If the request is made in person, request presentation of an agency identification badge, other official credentials, or other proof of government status.  Make a copy of the identification provided and file it with the individual’s designated record set in accordance with the Policy’s procedures under Section 5.03 (“Documentation”);
(b) If the request is in writing, verify that the request is on the appropriate government letterhead;
(c) If the request is by a person purporting to act on behalf of a public official, request a written statement on appropriate government letterhead that the person is acting under the government’s authority or other evidence or documentation of agency, such as a contract for services, memorandum of understanding, or purchase order, that establishes that the person is acting on behalf of the public official;
(d) Request a written statement of the legal authority under which the information is requested, or, if a written statement would be impracticable, an oral statement of such legal authority.
(lxxvii) In accordance with the Privacy Rule, Company reserves the right to not treat a personal representative as the individual, and to not provide a parent of a minor child with access to the minor child’s PHI, if, in the exercise of professional judgment, Company finds that doing so would not be in the best interest of the individual because of a reasonable belief that the individual has been or may be subject to domestic violence, abuse or neglect by the personal representative or parent, or that doing so would otherwise endanger the individual.


3.09 Accounting for Disclosures
a. Policy
Company is required to provide an accounting of certain disclosures of PHI made in the six years prior to the date on which the accounting is requested. Company will maintain and make available the information required to provide an accounting of disclosures to any individual patient, or his or her representative, as necessary to satisfy Company’s accounting obligations under the Privacy Rule.

b. Procedures
(i) Company will maintain accounting information for all disclosures of PHI, except disclosures made:
(a) To carry out treatment, payment and health care operations;
(b) To the individual about his or her own PHI;
(c) Pursuant to an individual authorization;
(d) To a spouse, domestic partner, relatives, friends or other persons identified by the individual;
(e) For national security or intelligence purposes;
(f) To correctional institutions or law enforcement when the disclosure was permitted without an authorization; or
(g) As part of a limited data set.

(ii) The accounting information maintained by Company for the reportable disclosures must include:
(a) The date of the disclosure;
(b) The name (and if known, the address) of the entity or person to whom the information was disclosed;
(c) A brief statement of the PHI disclosed; and
(d) A brief statement explaining the purpose for the disclosure that reasonably explains the basis for the disclosure. As permitted by the Privacy Rule, for certain disclosures, the statement of purpose may be accomplished by providing a copy of the applicable written request for the disclosure.

(iii) Upon receiving a request from an individual for an accounting of disclosures, the Privacy Official will promptly respond to the request.


4.0 Breaches of Unsecured PHI
4.01 Determination of a Breach of Unsecured PHI
a. Policy
Because Company maintains, accesses, stores, destroys, and otherwise uses and discloses unsecured PHI, Company will diligently address all actual or suspected unauthorized uses or disclosures of PHI.

b. Procedures
(lxxviii) Any Workforce member who becomes aware of an actual or suspected unauthorized use or disclosure of PHI held by Company or any of its Business Associates, or any other actual or suspected unauthorized use, disclosure, loss, theft, or alteration of PHI by or on behalf of Company must notify the Privacy Official immediately, but in no case later than 24 hours after the incident or Breach is suspected or identified.
(lxxix) The Privacy Official will immediately undertake an investigation to determine if the unauthorized use or disclosure constitutes a “Breach of Unsecured PHI” under HIPAA. All such investigations and assessment of suspected or actual Breaches by Company or its Business Associates will be documented, and maintained on file by the Privacy Official, for at least six (6) years from the date of the incident, in accordance with the Policy’s procedures under Section 5.03 (“Documentation”).
(lxxx) A Breach does not include:
(a) Any unintentional acquisition, access, or use of PHI by a Workforce member or person acting under the authority of Company or its Business Associates, if made in good faith and within the scope of authority, which does not result in further use or disclosure in a manner not permitted under the Privacy Rule;
(b) Any inadvertent disclosure by a person who is authorized to access PHI at Company or its Business Associate to another person authorized to access PHI at Company or the same Business Associate, and the information received as a result of such disclosure is not further used or disclosed in a manner not permitted under the Privacy Rule; or
(c) Any disclosure of PHI where Company or its Business Associate has a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information.
(lxxxi) Any such finding will be reviewed and approved by the Privacy Official, who may consult with attorneys for Company to make such finding.
(lxxxii) Except for the exclusions listed in subparagraph (iii), above, an acquisition, access, use, or disclosure of PHI in a manner not permitted under the Privacy Rule is presumed to be a Breach unless the Company or the Business Associate, as applicable, demonstrates that there is a low probability that the PHI has been compromised based on a risk assessment of at least the following factors:
(a) The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
(b) The unauthorized person who used the PHI or to whom the disclosure was made;
(c) Whether the PHI was actually acquired or viewed; and
(d) The extent to which the risk to the PHI has been mitigated.
[45 C.F.R. § 164.402]


4.02 Notification of Breach
a. Policy
Company shall, following the discovery of a breach of unsecured PHI, notify the affected individuals and OCR of such breach. A breach shall be treated as discovered by Company as of the first day on which such breach is known to the Company or Company’s Business Associate (as applicable) or, by exercising reasonable diligence, would have been known to the Company or Company’s Business Associate (as applicable). Company shall be deemed to have knowledge of a breach if the breach is known, or by exercising reasonable diligence would have been known, to any person, other than the person committing the breach, who is an employee, officer, or other agent of Company.

b. Procedures
(lxxxiii) Company shall provide notification of a breach or a suspected breach without unreasonable delay and in no case later than 60 calendar days after discovery of a breach.
(lxxxiv) The notification shall include, to the extent possible, the identification of each individual whose unsecured PHI has been, or is reasonably believed by Company to have been accessed, acquired, used, or disclosed during the breach or suspected breach. Company shall provide any other available information that Company is required to include by the Privacy Rule in a notification to the individual at the time of notification or promptly thereafter as information becomes available.
[45 C.F.R. § 164.410]

4.03 Mitigation and Remediation of Inadvertent Disclosures of PHI and Breaches
a. Policy
Company will mitigate, to the extent practicable, any harmful effects that become known to Company of a use or disclosure of PHI in violation of this Policy or the requirements of the Privacy Rule by Company or its Business Associates.

b. Procedures
(lxxxv) Inadvertent Disclosure. If a Workforce member becomes aware of a disclosure of PHI, either by a Workforce member or a Business Associate, that is or is suspected to be not in compliance with this Policy or the Privacy Rule, the Workforce member must immediately (but not later than 24 hours) contact the Privacy Official so that the appropriate steps to mitigate the harm can be taken.
(lxxxvi) Breach. Any Workforce member who becomes aware of an actual or suspected unauthorized use or disclosure of PHI held by Company or any of its Business Associates, or any other actual or suspected unauthorized use, disclosure, loss, theft, or alteration of PHI by or on behalf of Company must notify the Privacy Official immediately, but in no case later than 24 hours after the incident or Breach is suspected or identified. The Privacy Official, in consultation with Company attorneys, will be responsible for determining what steps should be taken to mitigate the effects of any Breaches (e.g., credit monitoring, retraining of relevant Workforce members), and what remedial steps should be taken to avoid similar future events (e.g., retraining of Workforce members, instituting new procedures, engaging alternative Subcontractors).
(lxxxvii) All mitigation and remedial steps must be documented by the Privacy Official and maintained on file for at least six (6) years from the date of the incident, in accordance with the Policy’s procedures set forth at Section 5.03 (“Documentation”).
[45 C.F.R. § 164.530(f)]


5.0 Required Legal Documents
5.01 Business Associate Agreements
a. Policy
Company shall have a Business Associate Agreement with all Business Associates that establishes the permitted and required uses and disclosures of PHI by Business Associates and their Subcontractors. The Business Associate Agreement will not authorize Business Associates or their Subcontractors to use or further disclose PHI in a manner that would violate the requirements of the Privacy Rule, if done by Company, except that:
(a) The Business Associate Agreement may permit Business Associates to use and disclose PHI for the proper management and administration of its business; and
(b) The Business Associate Agreement may permit Business Associates to provide data aggregation services relating to the healthcare operations of Company.

b. Procedures
(lxxxviii) Company will obtain signed Business Associate Agreements that comply with HIPAA from all Business Associates and Subcontractors.
(lxxxix) If a Workforce member knows or suspects that a Business Associate or a Subcontractor is violating the terms of its Business Associate Agreement, the Workforce member must promptly notify the Privacy Official and the Privacy Official must determine if a breach has occurred, if the breach can be cured, and must take any other actions that are indicated under HIPAA and otherwise appropriate.

5.02 Policies and Procedures
a. Policy
Company’s privacy policies and procedures are documented and maintained for at least six (6) years from the later of the date of creation or when it was last in effect, whichever is later. Policies and procedures are changed as necessary and appropriate to comply with changes in the law, including the standards, requirements and implementation specifications of the Privacy Rule or Breach Notification Rule.  Any changes to policies or procedures are promptly documented.

b. Procedures
The Privacy Official shall maintain copies of the following:
(xc) Company’s HIPAA Security Policies and Procedures Manual;
(xci) Company’s HIPAA Privacy Security Policies and Procedures Manual;
(xcii) Records of HIPAA Training;
(xciii) Sanctions applied to Workforce members who violate Company’s HIPAA policies and procedures;
(xciv) Business Associate Agreements and lists of Covered Entities and Subcontractors;
(xcv) Complaints and resolutions;
(xcvi) Records regarding Workforce member access to PHI; and
(xcvii) Records regarding Breaches of Unsecured PHI.


5.03 Documentation
a. Policy
Company will comply with the Privacy Rule requirements regarding documentation creation and retention.

b. Procedures
(xcviii) Document Retention: Company will retain all documentation required by the HIPAA Privacy Rule for six (6) years from the later of the date of its creation or the date when it was last in effect, whichever is later.
(xcix) Availability: Company will make documentation available to those persons responsible for implementing the procedures, set forth in this Policy, to which the documentation pertains.
(c) Updates: Company will periodically review HIPAA privacy documents and documentation, and update the documents and documentation, as needed.

6.0 Glossary
Access: The ability or the means necessary to read, write, modify, or communicate data/information or otherwise use any system resource.
Business Associate: A person or entity that performs a function or activity regulated by HIPAA on behalf of a Covered Entity and involving PHI. Examples of such functions or activities are claims processing, legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, and financial services. A Business Associate may be a Covered Entity.
Covered Entity: A health plan (including an employer plan, insurer, HMO, and government coverage such as Medicare); a health care provider (such as a doctor, hospital, or pharmacy) that electronically transmits any health information in connection with a transaction for which HHS has established an electronic data interchange standard; and a health care clearinghouse (an entity that translates electronic information between nonstandard and HIPAA standard transactions). The Covered Entities most likely to work with Company are health insurance plans and carriers and their business associates. The HIPAA Privacy Rule requires that each Company enter into a written contract (Business Associate Agreement) with a Covered Entity and Subcontractors regarding PHI.
Disclosure: The release, transfer, provision of, access to, or divulging in any other manner of information outside the entity holding the information.
Encryption: The use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key.
HHS: The United States Department of Health and Human Services.
Information System: An interconnected set of information resources under the same direct management control that shares common functionality. A system normally includes hardware, software, information, data, applications, communications, and people.
Subcontractor: A person to whom a Business Associate delegates a function, activity or service, other than in the capacity of a member of the workforce of such Business Associate. A Subcontractor is considered a Business Associate under HIPAA.
Workforce: Individuals who would be considered part of Company’s workforce under the Privacy Rule, such as employees, volunteers, trainees, and other persons whose work performance is under the direct control of Company, whether or not they are paid by Company and who have Access to PHI.
Workstation: An electronic computing device, for example, a laptop or desktop computer, or any other device that performs similar functions and Electronic Media stored in its immediate environment.


7.0 Key Resources
7.01 HIPAA Privacy Rule
http://www.hhs.gov/hipaa/for-professionals/privacy/

7.02 HIPAA Breach Notification Rule
http://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html

7.03 Other Resources
a. HHS Privacy Rule Guidance
http://www.hhs.gov/hipaa/for-professionals/privacy/guidance/significant-aspects/index.html

b. HHS Breach Notification Rule Guidance
http://www.hhs.gov/hipaa/for-professionals/breach-notification/guidance/index.html

Terms of Service

WILLOW HEALTH, INC.

ACCEPTANCE OF THESE TERMS OF SERVICE:
Osier Health, P.C. (“Willow Health, Inc.,” “Willow Health,” “Willow,” “we,” “us,” or “our”) provides a communication platform for accessing virtual crisis clinic services and related content to you through our website(s) located at www.willowbehavioralhealth.com (the “Site”) and related technologies (collectively with the Site, including any updated or new features, functionality and technology, the “Service”). All access and use of the Service is subject to the terms and conditions contained in these Terms of Service (as amended from time to time, these “Terms of Service”). By accessing, browsing, or otherwise using the Site or any other aspect of the Service, you acknowledge that you have read, understood, and agree to be bound by these Terms of Service. If you do not accept the terms and conditions of these Terms of Service, you will not access, browse, or otherwise use the Service.

We reserve the right, at our sole discretion, to change or modify portions of these Terms of Service at any time. If we do this, we will post the changes on this page and will indicate at the top of this page the date these Terms of Service were last revised. You may read a current, effective copy of these Terms of Service by visiting the “Terms of Service” link on the Site. We will also notify you of any material changes, either through the Service user interface, a pop-up notice, email, or through other reasonable means. Your continued use of the Service after the date any such changes become effective constitutes your acceptance of the new Terms of Service. You should periodically visit this page to review the current Terms of Service so you are aware of any revisions. If you do not agree to abide by these or any future Terms of Service, you will not access, browse, or use (or continue to access, browse, or use) the Service.

PLEASE READ THESE TERMS OF SERVICE CAREFULLY, AS THEY CONTAIN AN AGREEMENT TO ARBITRATE AND OTHER IMPORTANT INFORMATION REGARDING YOUR LEGAL RIGHTS, REMEDIES, AND OBLIGATIONS. THE AGREEMENT TO ARBITRATE REQUIRES (WITH LIMITED EXCEPTION) THAT YOU SUBMIT CLAIMS YOU HAVE AGAINST US TO BINDING AND FINAL ARBITRATION, AND FURTHER (1) YOU WILL ONLY BE PERMITTED TO PURSUE CLAIMS AGAINST WILLOW ON AN INDIVIDUAL BASIS, NOT AS A PLAINTIFF OR CLASS MEMBER IN ANY CLASS OR REPRESENTATIVE ACTION OR PROCEEDING, (2) YOU WILL ONLY BE PERMITTED TO SEEK RELIEF (INCLUDING MONETARY, INJUNCTIVE, AND DECLARATORY RELIEF) ON AN INDIVIDUAL BASIS, AND (3) YOU MAY NOT BE ABLE TO HAVE ANY CLAIMS YOU HAVE AGAINST US RESOLVED BY A JURY OR IN A COURT OF LAW.

DO NOT USE THE SERVICES FOR EMERGENCY OR LIFE-THREATENING MEDICAL MATTERS. FOR ALL LIFE THREATENING MATTERS, IMMEDIATELY CALL 911 OR GO TO THE NEAREST EMERGENCY ROOM.

Your Privacy: At Willow, we respect the privacy of our users. For more information please see our Privacy Policy, located at https://www.willowbehavioralhealth.com/privacy (the “Privacy Policy”). By using the Service, you consent to our collection, use and disclosure of personal data and other data as outlined therein.
Additional Terms: In addition, when using certain features through the Service, you will be subject to any additional terms applicable to such features that may be posted on or within the Service from time to time. All such terms are hereby incorporated by reference into these Terms of Service.


ACCESS AND USE OF THE SERVICE:
Service Description: Willow offers patients access to our virtual crisis clinic that provides personalized, recovery-oriented care for people experiencing behavioral health crises. For clarity, Willow Health, Inc. provides administrative, management and other non-clinical services. All professional medical services provided to you are provided by Osier Health, P.C. and its affiliated healthcare providers.
Willow does not provide any medical services, including via the Services. Rather, Willow provides a technology platform for you to access a healthcare provider who is employed or contracted with a Willow-affiliated medical practice and obtain access to additional information. You understand that by coordinating and consulting with an affiliated physician practice or its healthcare providers through the Services, you are not entering into a provider-patient relationship with Willow. Other than the guidance and advice you receive directly from your healthcare provider, the graphics, educational and research sources and other incidental information on the Site should not be considered medical advice. You should never disregard, avoid, or delay obtaining medical advice from your doctor or other qualified healthcare provider solely because of information you saw on the Site.
Your Registration Obligations: You may be required to register with Willow or provide information about yourself in order to access and use certain features of the Service. You agree to provide and maintain true, accurate, current, and complete information about yourself as prompted by the Service. Registration data and certain other information about you are governed by our Privacy Policy. If you are under 18 years of age, you are not authorized to use the Service, with or without registering.
Member Account, Password and Security: You are responsible for maintaining the confidentiality of your password and account details, if any, and are fully responsible for any and all activities that occur under your password or account. You agree to (a) immediately notify Willow of any unauthorized use of your password or account or any other breach of security, and (b) ensure that you exit from your account at the end of each session when accessing the Service. Willow will not be liable for any loss or damage arising from your failure to comply with this paragraph.
Modifications to Service: Willow reserves the right to modify or discontinue, temporarily or permanently, the Service (or any part thereof) with or without notice. You agree that Willow will not be liable to you or to any third party for any modification, suspension or discontinuance of the Service.
General Practices Regarding Use and Storage: You acknowledge that Willow may establish general practices and limits concerning use of the Service, including the maximum period of time that data or other content will be retained by the Service and the maximum storage space that will be allotted on Willow’s or its third-party service providers’ servers on your behalf. You agree that Willow has no responsibility or liability for the deletion or failure to store any data or other content maintained or uploaded by the Service. You acknowledge that Willow reserves the right to terminate accounts that are inactive for an extended period of time. You further acknowledge that Willow reserves the right to change these general practices and limits at any time, in its sole discretion, with or without notice.


CONDITIONS OF ACCESS AND USE:
User Conduct: You are solely responsible for all code, video, images, information, data, text, software, music, sound, photographs, graphics, messages, and other materials (“content”) that you make available to Willow, including by uploading, posting, publishing, or displaying (hereinafter, “upload(ing)”) via the Service or by emailing or otherwise making available to other users of the Service (collectively, “User Content”). The following are examples of the kinds of content and/or uses that are illegal or prohibited by Willow. Willow reserves the right to investigate and take appropriate legal action against anyone who, in Willow’s sole discretion, violates this provision, including removing the offending content from the Service, suspending or terminating the account of such violators, and reporting the violator to law enforcement authorities. You agree to not use the Service to:
(a) Email or otherwise upload any content that (i) infringes any intellectual property or other proprietary rights of any party; (ii) you do not have a right to upload under any law or under contractual or fiduciary relationships; (iii) contains software viruses or any other computer code, files or programs designed to interrupt, destroy, or limit the functionality of any computer software or hardware or telecommunications equipment; (iv) poses or creates a privacy or security risk to any person; (v) constitutes unsolicited or unauthorized advertising, promotional materials, commercial activities and/or sales, “junk mail,” “spam,” “chain letters,” “pyramid schemes,” “contests,” “sweepstakes,” or any other form of solicitation; (vi) is unlawful, harmful, threatening, abusive, harassing, tortious, excessively violent, defamatory, vulgar, obscene, pornographic, libelous, invasive of another’s privacy, hateful, discriminatory, or otherwise objectionable; or (vii) in the sole judgment of Willow, is objectionable or which restricts or inhibits any other person from using or enjoying the Service, or which may expose Willow or its users to any harm or liability of any type;
(b) interfere with or disrupt the Service or servers or networks connected to the Service, or disobey any requirements, procedures, policies, or regulations of networks connected to the Service;
(c) violate any applicable local, state, national, or international law, or any regulations having the force of law;
(d) impersonate any person or entity, or falsely state or otherwise misrepresent your affiliation with a person or entity;
(e) solicit personal information from anyone under the age of 18;
(f) harvest or collect email addresses or other contact information of other users from the Service by electronic or other means for the purposes of sending unsolicited emails or other unsolicited communications;
(g) advertise or offer to sell or buy any goods or services for any business purpose that is not specifically authorized;
(h) further or promote any criminal activity or enterprise or provide instructional information about illegal activities;
(i) obtain or attempt to access or otherwise obtain any content or information through any means not intentionally made available or provided for through the Service;
(j) circumvent, remove, alter, deactivate, degrade, or thwart any of the content protections in or geographic restrictions on any content (including Service Content (as defined below)) available on or through the Service, including through the use of virtual private networks; or
(k) engage in or use any data mining, robots, scraping, or similar data gathering or extraction methods.
If you are blocked by Willow from accessing the Service (including by blocking your IP address), you agree not to implement any measures to circumvent such blocking (e.g., by masking your IP address or using a proxy IP address or virtual private network).

Competitors: No employee, independent contractor, agent, or affiliate of any competing virtual behavioral health crisis clinic is permitted to view, access, or use any portion of the Service without express written permission from Willow. By viewing, using, or accessing the Service, you represent and warrant that you are not a competitor of Willow or any of its affiliates, or acting on behalf of a competitor of Willow in using or accessing the Service.
Fees: You may elect to pay for certain professional services via the Service. If you elect to make such a payment, you may be required to provide information regarding your credit card or other payment instrument. You represent and warrant to Willow that such information is true and that you are authorized to use the payment instrument. You will promptly update your account information with Willow or the Payment Processor (as defined below), as applicable, of any changes (for example, a change in your billing address or credit card expiration date) that may occur. If you dispute any charges you must let Willow know within sixty (60) days after the date that Willow charges you, or within such longer period of time as may be required under applicable law. We reserve the right to change Willow’s prices. If Willow does change prices, Willow will provide notice of the change through the Service user interface, a pop-up notice, email, or through other reasonable means, at Willow’s option, at least thirty (30) days before the change is to take effect. Your continued use of the Service after the price change becomes effective constitutes your agreement to pay the changed amount. You will be responsible for all taxes associated with the Service, other than taxes based on Willow’s net income.
Payment Processing: Notwithstanding any amounts owed to Willow hereunder, WILLOW DOES NOT PROCESS PAYMENT FOR ANY SERVICES. To facilitate payment for the Service via bank account, credit card, or debit card, we use Stripe, Inc. and its affiliates (“Stripe”), a third-party payment processor. These payment processing services are provided by Stripe and are subject to the Stripe terms and conditions and other policies available at https://stripe.com/legal and Stripe’s Global Privacy Policy available at https://stripe.com/privacy (collectively, the "Stripe Agreements"). By agreeing to these Terms of Service, users that use the payment functions of the Service also agree to be bound by the Stripe Agreements, as the same may be modified by Stripe from time to time. You hereby authorize Stripe to store and continue billing your specified payment method even after such payment method has expired, to avoid interruptions in payment for your use of the Service. Please contact Stripe for more information. Willow assumes no liability or responsibility for any payments you make through the Service.
Commercial Use: Unless otherwise expressly authorized herein or in the Service, you agree not to display, distribute, license, perform, publish, reproduce, duplicate, copy, create derivative works from, modify, sell, resell, grant access to, transfer, or otherwise use or exploit any portion of the Service for any commercial purposes. The Service is for your personal use.


MOBILE SERVICES AND SOFTWARE:
Mobile Services: The Service includes certain services that are available via a mobile device, including (i) the ability to upload content to the Service via a mobile device and (ii) the ability to browse the Service and the Site from a mobile device (collectively, the “Mobile Services”). To the extent you access the Service through a mobile device, your wireless service carrier’s standard charges, data rates, and other fees may apply. In addition, downloading, installing, or using certain Mobile Services may be prohibited or restricted by your carrier, and not all Mobile Services may work with all carriers or devices.
Telephonic Communications Services: By using the Service and providing us with your telephone number(s), you are consenting to be contacted by Willow Health Inc., Osier Health, P.C., and their affiliates or partners by telephone, including on a recorded line or by text message. These communications may include operational notices (e.g., appointment reminders) and are part of your relationship with us. You acknowledge that text messages, phone calls and emails may be unencrypted and carry some risk that the information in the messages, including information about your health, could be read by an unauthorized person. You further acknowledge and agree that we cannot guarantee the security and confidentiality of the unencrypted communications that we send to you, and we are not responsible for any unauthorized access that occurs during or after the transmission of the communications to you.
There is no additional charge for telephonic communications, but your carrier’s standard message and data rates apply to any calls, text messages, SMS or MMS messages you send or receive. Your carrier may prohibit or restrict certain mobile features and certain mobile features may be incompatible with your carrier or mobile device. We are not liable for any delays in the receipt of, or any failures to receive, any calls, text messages, SMS or MMS messages, as delivery is subject to effective transmission by your mobile carrier and compatibility of your mobile device. Please contact your mobile carrier if you have any questions regarding these issues or your mobile data and messaging plan.
You may opt out of messages by replying “STOP” to any message you receive. You may reply “HELP” for customer support information. If you choose to cancel text, SMS or MMS messages from us, you agree to receive a final message from us confirming your cancellation.
Ownership; Restrictions: The technology and software underlying the Service or distributed in connection therewith are the property of Willow, its affiliates, and its licensors (the “Software”). You agree not to copy, modify, create a derivative work of, reverse engineer, reverse assemble, or otherwise attempt to discover any source code, sell, assign, sublicense, or otherwise transfer any right in the Software. Any rights not expressly granted herein are reserved by Willow.
Special Notice for International Use; Export Controls: Willow is headquartered in the United States. Whether inside or outside of the United States, you are solely responsible for ensuring compliance with the laws of your specific jurisdiction. Software available in connection with the Service and the transmission of applicable data, if any, is subject to United States export controls. No Software may be downloaded from the Service or otherwise exported or re-exported in violation of U.S. export laws. Downloading, accessing or using the Software or Services is at your sole risk.


INTELLECTUAL PROPERTY RIGHTS:
Service Content: You acknowledge and agree that the Service may contain content or features (“Service Content”) that are protected by copyright, patent, trademark, trade secret, or other proprietary rights and laws. Except as expressly authorized by Willow, you agree not to modify, copy, frame, scrape, rent, lease, loan, sell, distribute, or create derivative works based on the Service or the Service Content, in whole or in part, except that the foregoing does not apply to your own User Content (as defined below) that you upload to or make available through the Service in accordance with these Terms of Service. Any use of the Service or the Service Content other than as specifically authorized herein is strictly prohibited.
Trademarks: The Willow name and logos are trademarks and service marks of Willow (collectively the “Willow Trademarks”). Other Willow, product, and service names and logos used and displayed via the Service may be trademarks or service marks of their respective owners who may or may not endorse or be affiliated with or connected to Willow. Nothing in these Terms of Service or the Service should be construed as granting, by implication, estoppel, or otherwise, any license or right to use any of Willow Trademarks displayed on the Service, without our prior written permission in each instance. All goodwill generated from the use of Willow Trademarks will inure to our exclusive benefit.
Third-Party Material: Under no circumstances will Willow be liable in any way for any content or materials of any third parties (including users), including for any errors or omissions in any content, or for any loss or damage of any kind incurred as a result of the use of any such content. You acknowledge that Willow does not pre-screen content, but that Willow and its designees will have the right (but not the obligation) in their sole discretion to refuse or remove any content that is available via the Service. Without limiting the foregoing, Willow and its designees will have the right to remove any content that violates these Terms of Service or is deemed by Willow, in its sole discretion, to be otherwise objectionable. You agree that you must evaluate, and bear all risks associated with, the use of any content, including any reliance on the accuracy, completeness, or usefulness of such content.
User Content: You represent and warrant that you own all right, title and interest in and to such User Content, including all copyrights and rights of publicity contained therein. You hereby grant Willow and its affiliates, successors and assigns a non-exclusive, worldwide, royalty-free, fully paid-up, transferable, sublicensable (directly and indirectly through multiple tiers), perpetual, and irrevocable license to copy, display, upload, perform, distribute, store, modify, and otherwise use your User Content in connection with the operation of the Service in any form, medium or technology now known or later developed. You assume all risk associated with your User Content and the transmission of your User Content, and you have sole responsibility for the accuracy, quality, legality and appropriateness of your User Content.
You hereby authorize Willow and its third-party service providers to derive statistical and usage data relating to your use of the Service (“Usage Data”). We may use Usage Data for any purpose in accordance with applicable law and our Privacy Policy.
Any questions, comments, suggestions, ideas, feedback, reviews, or other information about the Service (“Submissions”), provided by you to Willow are non-confidential and Willow will be entitled to the unrestricted use and dissemination of these Submissions for any purpose, commercial or otherwise, without acknowledgment, attribution, or compensation to you.
You acknowledge and agree that Willow may preserve User Content and may also disclose User Content if required to do so by law or in the good faith belief that such preservation or disclosure is reasonably necessary to: (a) comply with legal process, applicable laws, or government requests; (b) enforce these Terms of Service; (c) respond to claims that any content violates the rights of third parties; or (d) protect the rights, property, or personal safety of Willow, its users, or the public. You understand that the technical processing and transmission of the Service, including your User Content, may involve (i) transmissions over various networks; and (ii) changes to conform and adapt to technical requirements of connecting networks or devices.


THIRD PARTY SERVICES AND WEBSITES:
The Service may provide links or other access to services, sites, technology, and resources that are provided or otherwise made available by third parties (the “Third-Party Services”). These Third-Party Services include, but are not limited to, services in connection with our virtual and telehealth services, as well as our electronic health records and electronic medical records services. As of the date set forth above, these services are provided by the following providers: Osier Health, P.C., ZENTAKE Inc., Dialpad, Inc., Elation Health, Inc., and Doxy.me Inc. Your access and use of the Third-Party Services may also be subject to additional terms and conditions, privacy policies, or other agreements with such third party, including each third party’s Terms of Service made available via each respective site, and you may be required to authenticate to or create separate accounts to use Third-Party Services on the websites or via the technology platforms of their respective providers. Some Third-Party Services will provide us with access to certain information that you have provided to third parties, including through such Third-Party Services, and we will use, store and disclose such information in accordance with our Privacy Policy. For more information about the implications of activating Third-Party Services and our use, storage and disclosure of information related to you and your use of such Third-Party Services within the Service, please see our Privacy Policy. Willow has no control over and is not responsible for such Third-Party Services, including for the accuracy, availability, reliability, or completeness of information shared by or available through Third-Party Services, or on the privacy practices of Third-Party Services. We encourage you to review the privacy policies and any other applicable terms of the third parties providing Third-Party Services prior to using such services.
You, and not Willow, will be responsible for any and all costs and charges associated with your use of any Third-Party Services. Willow enables these Third-Party Services merely as a convenience and the integration or inclusion of such Third-Party Services does not imply an endorsement or recommendation. Any dealings you have with third parties while using the Service are between you and the third party. Willow will not be responsible or liable, directly or indirectly, for any damage or loss caused or alleged to be caused by or in connection with use of or reliance on any Third-Party Services.

INDEMNIFICATION:
To the extent permitted under applicable law, you agree to defend, indemnify, and hold harmless Willow, its affiliates, and its and their respective officers, employees, directors, service providers, licensors, and agents (collectively, the “Willow Parties”) from any and all losses, damages, expenses, including reasonable attorneys’ fees, rights, claims, actions of any kind, and injury (including death) arising out of or relating to your use of the Service, any User Content, your connection to the Service, your violation of these Terms of Service, or your violation of any rights of another. Willow will provide notice to you of any such claim, suit, or proceeding. Willow reserves the right to assume the exclusive defense and control of any matter which is subject to indemnification under this section, and you agree to cooperate with any reasonable requests assisting Willow’s defense of such matter. You may not settle or compromise any claim against the Willow Parties without Willow’s written consent.


DISCLAIMER OF WARRANTIES:
YOUR USE OF THE SERVICE IS AT YOUR SOLE RISK. THE SERVICE IS PROVIDED ON AN “AS IS” AND “AS AVAILABLE” BASIS. THE WILLOW PARTIES EXPRESSLY DISCLAIM ALL WARRANTIES OF ANY KIND, WHETHER EXPRESS, IMPLIED OR STATUTORY, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, AND NON-INFRINGEMENT. THE WILLOW PARTIES MAKE NO WARRANTY THAT (A) THE SERVICE WILL MEET YOUR REQUIREMENTS; (B) THE SERVICE WILL BE UNINTERRUPTED, TIMELY, SECURE, OR ERROR-FREE; (C) THE RESULTS THAT MAY BE OBTAINED FROM THE USE OF THE SERVICE WILL BE ACCURATE OR RELIABLE; OR (D) THE QUALITY OF ANY PRODUCTS, SERVICES, INFORMATION, OR OTHER MATERIAL PURCHASED OR OBTAINED BY YOU THROUGH THE SERVICE WILL MEET YOUR EXPECTATIONS.

LIMITATION OF LIABILITY:
YOU EXPRESSLY UNDERSTAND AND AGREE THAT THE WILLOW PARTIES WILL NOT BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, EXEMPLARY DAMAGES, OR DAMAGES FOR LOSS OF PROFITS INCLUDING DAMAGES FOR LOSS OF GOODWILL, USE, OR DATA OR OTHER INTANGIBLE LOSSES (EVEN IF THE WILLOW PARTIES HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES), WHETHER BASED ON CONTRACT, TORT, NEGLIGENCE, STRICT LIABILITY, OR OTHERWISE, RESULTING FROM: (A) THE USE OR THE INABILITY TO USE THE SERVICE; (B) THE COST OF PROCUREMENT OF SUBSTITUTE GOODS AND SERVICES RESULTING FROM ANY GOODS, DATA, INFORMATION, OR SERVICES PURCHASED OR OBTAINED OR MESSAGES RECEIVED OR TRANSACTIONS ENTERED INTO THROUGH OR FROM THE SERVICE; (C) UNAUTHORIZED ACCESS TO OR ALTERATION OF YOUR TRANSMISSIONS OR DATA; (D) STATEMENTS OR CONDUCT OF ANY THIRD PARTY ON THE SERVICE; OR (E) ANY OTHER MATTER RELATING TO THE SERVICE. IN NO EVENT WILL THE WILLOW PARTIES’ TOTAL LIABILITY TO YOU FOR ALL DAMAGES, LOSSES, OR CAUSES OF ACTION EXCEED THE AMOUNT YOU HAVE PAID WILLOW IN THE LAST SIX (6) MONTHS, OR, IF GREATER, ONE HUNDRED DOLLARS ($100).
SOME JURISDICTIONS DO NOT ALLOW THE DISCLAIMER OR EXCLUSION OF CERTAIN WARRANTIES OR THE LIMITATION OR EXCLUSION OF LIABILITY FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES. ACCORDINGLY, SOME OF THE ABOVE LIMITATIONS SET FORTH ABOVE MAY NOT APPLY TO YOU OR BE ENFORCEABLE WITH RESPECT TO YOU. IF YOU ARE DISSATISFIED WITH ANY PORTION OF THE SERVICE OR WITH THESE TERMS OF SERVICE, YOUR SOLE AND EXCLUSIVE REMEDY IS TO DISCONTINUE USE OF THE SERVICE.
IF YOU ARE A USER FROM NEW JERSEY, THE FOREGOING SECTIONS TITLED “INDEMNIFICATION”, “DISCLAIMER OF WARRANTIES” AND “LIMITATION OF LIABILITY” ARE INTENDED TO BE ONLY AS BROAD AS IS PERMITTED UNDER THE LAWS OF THE STATE OF NEW JERSEY. IF ANY PORTION OF THESE SECTIONS IS HELD TO BE INVALID UNDER THE LAWS OF THE STATE OF NEW JERSEY, THE INVALIDITY OF SUCH PORTION WILL NOT AFFECT THE VALIDITY OF THE REMAINING PORTIONS OF THE APPLICABLE SECTIONS.


DISPUTE RESOLUTION BY BINDING ARBITRATION:
PLEASE READ THIS SECTION CAREFULLY AS IT AFFECTS YOUR RIGHTS.
Agreement to Arbitrate: This Dispute Resolution by Binding Arbitration section is referred to in these Terms of Service as the “Arbitration Agreement.” You agree that any and all disputes or claims that have arisen or may arise between you and Willow, whether arising out of or relating to these Terms of Service (including any alleged breach thereof), the Service, any advertising, or any aspect of the relationship or transactions between us, will be resolved exclusively through final and binding arbitration, rather than a court, in accordance with the terms of this Arbitration Agreement, except that you may assert individual claims in small claims court, if your claims qualify. Further, this Arbitration Agreement does not preclude you from bringing issues to the attention of federal, state, or local agencies, and such agencies can, if the law allows, seek relief against us on your behalf. You agree that, by entering into these Terms of Service, you and Willow are each waiving the right to a trial by jury or to participate in a class action. Your rights will be determined by a neutral arbitrator, not a judge or jury. The Federal Arbitration Act governs the interpretation and enforcement of this Arbitration Agreement.
Prohibition of Class and Representative Actions and Non-Individualized Relief: YOU AND WILLOW AGREE THAT EACH OF US MAY BRING CLAIMS AGAINST THE OTHER ONLY ON AN INDIVIDUAL BASIS AND NOT AS A PLAINTIFF OR CLASS MEMBER IN ANY PURPORTED CLASS OR REPRESENTATIVE ACTION OR PROCEEDING. UNLESS BOTH YOU AND WILLOW AGREE OTHERWISE, THE ARBITRATOR MAY NOT CONSOLIDATE OR JOIN MORE THAN ONE PERSON’S OR PARTY’S CLAIMS AND MAY NOT OTHERWISE PRESIDE OVER ANY FORM OF A CONSOLIDATED, REPRESENTATIVE, OR CLASS PROCEEDING. ALSO, THE ARBITRATOR MAY AWARD RELIEF (INCLUDING MONETARY, INJUNCTIVE, AND DECLARATORY RELIEF) ONLY IN FAVOR OF THE INDIVIDUAL PARTY SEEKING RELIEF AND ONLY TO THE EXTENT NECESSARY TO PROVIDE RELIEF NECESSITATED BY THAT PARTY’S INDIVIDUAL CLAIM(S), EXCEPT THAT YOU MAY PURSUE A CLAIM FOR AND THE ARBITRATOR MAY AWARD PUBLIC INJUNCTIVE RELIEF UNDER APPLICABLE LAW TO THE EXTENT REQUIRED FOR THE ENFORCEABILITY OF THIS PROVISION.
Pre-Arbitration Dispute Resolution: Willow is always interested in resolving disputes amicably and efficiently, and most customer concerns can be resolved quickly and to the customer’s satisfaction by emailing customer support at support@willowbehavioralhealth.com. If such efforts prove unsuccessful, a party who intends to seek arbitration must first send to the other, by certified mail, a written Notice of Dispute (“Notice”). The Notice to Willow should be sent to 2248 Broadway #1073, New York, NY 10024 (“Notice Address”). The Notice must (i) describe the nature and basis of the claim or dispute and (ii) set forth the specific relief sought. If Willow and you do not resolve the claim within sixty (60) calendar days after the Notice is received, you or Willow may commence an arbitration proceeding. During the arbitration, the amount of any settlement offer made by Willow or you will not be disclosed to the arbitrator until after the arbitrator determines the amount, if any, to which you or Willow is entitled.

Arbitration Procedures: Arbitration will be conducted by a neutral arbitrator in accordance with the American Arbitration Association’s (“AAA”) rules and procedures, including the AAA’s Consumer Arbitration Rules (collectively, the “AAA Rules”), as modified by this Arbitration Agreement. For information on the AAA, please visit its website, https://www.adr.org. Information about the AAA Rules and fees for consumer disputes can be found at the AAA’s consumer arbitration page, https://www.adr.org/consumer. If there is any inconsistency between any term of the AAA Rules and any term of this Arbitration Agreement, the applicable terms of this Arbitration Agreement will control unless the arbitrator determines that the application of the inconsistent Arbitration Agreement terms would not result in a fundamentally fair arbitration. The arbitrator must also follow the provisions of these Terms of Service as a court would. All issues are for the arbitrator to decide, including issues relating to the scope, enforceability, and arbitrability of this Arbitration Agreement. Although arbitration proceedings are usually simpler and more streamlined than trials and other judicial proceedings, the arbitrator can award the same damages and relief on an individual basis that a court can award to an individual under these Terms of Service and applicable law. Decisions by the arbitrator are enforceable in court and may be overturned by a court only for very limited reasons.
Unless Willow and you agree otherwise, any arbitration hearings will take place in a reasonably convenient location for both parties with due consideration of their ability to travel and other pertinent circumstances. If the parties are unable to agree on a location, the determination will be made by AAA. If your claim is for $10,000 or less, Willow agrees that you may choose whether the arbitration will be conducted solely on the basis of documents submitted to the arbitrator, through a telephonic hearing, or by an in-person hearing as established by the AAA Rules. If your claim exceeds $10,000, the right to a hearing will be determined by the AAA Rules. Regardless of the manner in which the arbitration is conducted, the arbitrator will issue a reasoned written decision sufficient to explain the essential findings and conclusions on which the award is based.
Costs of Arbitration: Payment of all filing, administration, and arbitrator fees (collectively, the “Arbitration Fees”) will be governed by the AAA Rules, unless otherwise provided in this Arbitration Agreement. To the extent any Arbitration Fees are not specifically allocated to either Willow or you under the AAA Rules, Willow and you shall split them equally; provided that if you are able to demonstrate to the arbitrator that you are economically unable to pay your portion of such Arbitration Fees or if the arbitrator otherwise determines for any reason that you should not be required to pay your portion of any Arbitration Fees, Willow will pay your portion of such fees. In addition, if you demonstrate to the arbitrator that the costs of arbitration will be prohibitive as compared to the costs of litigation, Willow will pay as much of the Arbitration Fees as the arbitrator deems necessary to prevent the arbitration from being cost-prohibitive. Any payment of attorneys’ fees will be governed by the AAA Rules.

Confidentiality: All aspects of the arbitration proceeding, and any ruling, decision, or award by the arbitrator, will be strictly confidential for the benefit of all parties.
Severability: If a court or the arbitrator decides that any term or provision of this Arbitration Agreement (other than the subsection (b) above titled “Prohibition of Class and Representative Actions and Non-Individualized Relief” above) is invalid or unenforceable, the parties agree to replace such term or provision with a term or provision that is valid and enforceable and that comes closest to expressing the intention of the invalid or unenforceable term or provision, and this Arbitration Agreement will be enforceable as so modified. If a court or the arbitrator decides that any of the provisions of subsection (b) above titled “Prohibition of Class and Representative Actions and Non-Individualized Relief” are invalid or unenforceable, then the entirety of this Arbitration Agreement will be null and void, unless such provisions are deemed to be invalid or unenforceable solely with respect to claims for public injunctive relief. The remainder of these Terms of Service will continue to apply.
Future Changes to Arbitration Agreement: Notwithstanding any provision in these Terms of Service to the contrary, Willow agrees that if it makes any future change to this Arbitration Agreement (other than a change to the Notice Address) while you are a user of the Service, you may reject any such change by sending Willow written notice within thirty (30) calendar days of the change to the Notice Address provided above. By rejecting any future change, you are agreeing that you will arbitrate any dispute between us in accordance with the language of this Arbitration Agreement as of the date you first accepted these Terms of Service (or accepted any subsequent changes to these Terms of Service).

TERMINATION:
You agree that Willow, in its sole discretion, may suspend or terminate your account (or any part thereof) or use of the Service and remove and discard any content within the Service, for any reason, including for lack of use or if Willow believes that you have violated or acted inconsistently with the letter or spirit of these Terms of Service. Any suspected fraudulent, abusive, or illegal activity that may be grounds for termination of your use of the Service, may be referred to appropriate law enforcement authorities. Willow may also in its sole discretion and at any time discontinue providing the Service, or any part thereof, with or without notice. You agree that any termination of your access to the Service under any provision of these Terms of Service may be effected without prior notice, and acknowledge and agree that Willow may immediately deactivate or delete your account and all related information and files in your account and/or bar any further access to such files or the Service. Further, you agree that Willow will not be liable to you or any third party for any termination of your access to the Service.


USER DISPUTES:
You agree that you are solely responsible for your interactions with any other user in connection with the Service, and Willow will have no liability or responsibility with respect thereto. Willow reserves the right, but has no obligation, to become involved in any way with disputes between you and any other user of the Service.

GENERAL:
These Terms of Service (together with the terms incorporated by reference herein) constitute the entire agreement between you and Willow governing your access and use of the Service, and supersede any prior agreements between you and Willow with respect to the Service. You also may be subject to additional terms and conditions that may apply when you use Third-Party Services, third-party content or third-party software. These Terms of Service will be governed by the laws of the State of New York without regard to its conflict of law provisions. With respect to any disputes or claims not subject to arbitration, as set forth above, you and Willow submit to the personal and exclusive jurisdiction of the state and federal courts located within New York County, NY. The failure of Willow to exercise or enforce any right or provision of these Terms of Service will not constitute a waiver of such right or provision. If any provision of these Terms of Service is found by a court of competent jurisdiction to be invalid, the parties nevertheless agree that the court should endeavor to give effect to the parties’ intentions as reflected in the provision, and the other provisions of these Terms of Service remain in full force and effect. You agree that regardless of any statute or law to the contrary, any claim or cause of action arising out of or related to use of the Service or these Terms of Service must be filed within one (1) year after such claim or cause of action arose or be forever barred. A printed version of these Terms of Service and of any notice given in electronic form will be admissible in judicial or administrative proceedings based upon or relating to these Terms of Service to the same extent and subject to the same conditions as other business documents and records originally generated and maintained in printed form. 
You may not assign these Terms of Service without the prior written consent of Willow, but Willow may assign or transfer these Terms of Service, in whole or in part, without restriction. The section titles in these Terms of Service are for convenience only and have no legal or contractual effect. As used in these Terms of Service, the words “include” and “including,” and variations thereof, will not be deemed to be terms of limitation, but rather will be deemed to be followed by the words “without limitation.” Notices to you may be made via either email or regular mail. The Service may also provide notices to you of changes to these Terms of Service or other matters by displaying notices or links to notices generally on the Service. Willow will not be in default hereunder by reason of any failure or delay in the performance of its obligations where such failure or delay is due to civil disturbances, riot, epidemic, hostilities, war, terrorist attack, embargo, natural disaster, acts of God, flood, fire, sabotage, fluctuations or unavailability of electrical power, network access or equipment, or any other circumstances or causes beyond Willow’s reasonable control.


NOTICE FOR CALIFORNIA USERS:
Under California Civil Code Section 1789.3, users of the Service from California are entitled to the following specific consumer rights notice: The Complaint Assistance Unit of the Division of Consumer Services of the California Department of Consumer Affairs may be contacted (a) via email at dca@dca.ca.gov; (b) in writing at: Department of Consumer Affairs, Consumer Information Division, 1625 North Market Blvd., Suite N 112, Sacramento, CA 95834; or (c) by telephone at (800) 952-5210 or (800) 326-2297 (TDD). Sacramento-area consumers may call (916) 445-1254 or (916) 928-1227 (TDD). You may contact us at Willow Health at 2248 Broadway #1073, New York, NY 10024 and (646) 814-1530.

U.S. GOVERNMENT RESTRICTED RIGHTS:
The Service is made available to the U.S. government with “RESTRICTED RIGHTS.” Use, duplication, or disclosure by the U.S. government is subject to the restrictions contained in 48 CFR 52.227-19 and 48 CFR 252.227-7013 et seq. or its successor. Access or use of the Service (including the Software) by the U.S. government constitutes acknowledgement of our proprietary rights in the Service (including the Software).

QUESTIONS? CONCERNS? SUGGESTIONS?
Please contact us at privacy@willowbehavioralhealth.com or at 2248 Broadway #1073, New York, NY 10024 to report any violations of these Terms of Service or to pose any questions regarding these Terms of Service or the Service.