Privacy Policy for PrepMD RMS

I. Introduction: Who We Are and Why We Collect Your Information

PrepMD RMS, LLC ("PrepMD RMS," "we," "us," "our") provides remote monitoring services and software-as-a-service ("SaaS") related to medical devices (each such device, a "Device," and all collectively, the "Devices") provided to individual patients by our customer healthcare facilities and systems (each a "Customer Hospital" and collectively, "Customer Hospitals"). The services we provide to Customer Hospitals include collecting information from and about the Devices and usage of the SaaS, collecting patient and other information from the electronic medical records ("EMRs") of our Customer Hospitals, collecting patient and other information provided by Customer Hospitals and others from the SaaS, collecting information from Device manufacturers and their associated portals, preparing reports (the "Reports") based on the information from portals, Devices, SaaS and EMRs, and making those reports available on our online portal and SaaS (collectively, the "Portal"), which we provide to Customer Hospitals (all such services, including the Portal, collectively, the "Services"). The Reports help the Customer Hospital (including their physicians, clinicians and staff) inform their medical opinions and recommendations for their patients. We take privacy of personal information seriously. Please read the following to learn more about our privacy practices.

II. What Does This Privacy Policy Cover?

This Privacy Policy covers our collection and processing of (1) personally identifiable information ("PII") protected by data security and breach notification laws in the United States and its individual States (collectively, "PII Laws"); (2) information protected by the California Consumer Privacy Act ("CCPA"), California Privacy Rights Act ("CPRA"), and California Online Privacy Protection Act ("CalOPPA"), if and to the extent those laws apply to information that we collect and process; (3) information protected by the New York Stop Hacks and Improve Electronic Data Security Act ("SHIELD Act"), if and to the extent that law applies to information that we collect and process; (4) personal data protected by the Virginia Consumer Data Protection Act ("CDPA"), if and to the extent that law applies to information that we collect and process; (5) personal information protected by the Federal Children's Online Privacy Protection Act ("COPPA"); and (6) personal information the confidentiality, availability, or integrity of which is protected by applicable law (such laws collectively with the PII Laws, CCPA, CPRA, CalOPPA, the SHIELD Act, CDPA, and COPPA, the "Privacy Laws") (collectively, "Personal Information"), which we gather when you are accessing, viewing or using the Portal, the SaaS, the Services, our website,  https://us.prepmdrms.com/ (collectively with its sub-websites, the "Website"), or the messaging applications we use to coordinate communications with Customer Hospital employees and with individual patients, such as Twilio (such applications, the "Messaging Apps"). 
Where noted, the terms of this Privacy Policy are limited by the Privacy Laws that govern an individual's or user's jurisdiction, such that requirements created by the Privacy Laws of one jurisdiction with regard to Personal Information are not incorporated herein and made to apply to the Personal Information of an individual or user of another jurisdiction if such Privacy Laws would not otherwise govern. This policy does not apply to the practices of companies that we do not own or control, or to individuals that we do not employ or otherwise control.

III. HIPAA Compliance

Please note that this Privacy Policy addresses how we collect and process all Personal Information, much of which is governed by state laws (CCPA, CPRA, the SHIELD Act, etc.) with requirements regarding privacy rights (deletion, correction, opting out, etc.) that are explained in Section VIII. However, the PHI we collect and process is governed by the Health Insurance Portability and Accountability Act ("HIPAA"), the terms of which we have agreed to in the business associate agreements that we enter into with our Customer Hospitals. Many of the Privacy Laws exclude PHI under HIPAA by their terms. As HIPAA is a federal law, its requirements governing PHI preempt the state laws that govern Personal Information broadly.

IV. What Information Does PrepMD RMS Collect?

PrepMD RMS endeavors to limit the type and amount of Personal Information that we collect and process to only information necessary to fulfill the purposes identified in this Privacy Policy. With that in mind, we collect and process the following types of information:

A. Information Obtained from Third Parties

As part of performing the Services, we receive Personal Information from Customer Hospitals that is collected from the Devices implanted in individual patients or included in the SaaS. This information may include: date each Device is implanted; type of Device; serial number of each Device; patient's name; diagnostics regarding the Device itself (including how many years of battery remain and the status of the Device's wires, etc.); and medical information regarding the patient (which vary depending on the type of Device, but may include the patient's heart rate, etc.). Similarly, the electronic records Customer Hospitals send to us containing Device information may also include: the patient's medical record number, date of birth, and physician; and notes from the physician.

Customer Hospitals also send us PHI from EMRs. That information may include any information Customer Hospitals maintain in patient EMRs, such as: notes from physicians; medications; blood pressure; weight; age; home address; gender; and phone number.

Additionally, employees or contractors of Customer Hospitals may send PrepMD RMS Personal Information via chat functions embedded within the Portal when they interact with the Portal and Services to receive Reports.

B. Information You Provide to Us

We may collect and process Personal Information from and about you when you provide it to us via the Website, SaaS, Portal, or Messaging Apps or when you otherwise communicate with us. For example, if you create an account to access the Portal, we may collect your name, contact information (including phone number and email address), and user name or e-mail address in combination with a password or security question. Additionally, if you communicate with our employees, Customer Hospital employees, or with patients through the SaaS, Portal or Messaging Apps, we may collect the contents of those communications. You can choose not to provide us with certain information, although that may affect the functionality of the Services.

C. Information Collected Automatically

When you access the SaaS, Portal or the Website, certain information is passively collected (that is, gathered without you actively providing the information) using various technologies and means, such as Internet Protocol (IP) addresses and cookies. These are described in more detail below:

  • IP Addresses. The SaaS, Portal and Website use IP addresses. An IP address is a number assigned to your device by your internet service provider to access the internet. In most consumer cases an IP address is dynamic (changing each time you connect to the internet), and not static (unique to a particular individual's device).
  • Cookies are small text files that are placed on your device by websites that you visit. They are widely used to make websites work, or work more efficiently, and to provide information to the owners of the site. Most web browsers allow some control of cookies through browser settings. We may collect the following information via cookies when you visit the SaaS, Portal or Website or interact with the SaaS, Portal and/or Website: aggregate statistical information, information related to your use of our SaaS, Portal and/or Website (including your password, the links you click on, your movement around the SaaS, Portal and Website, the pages you visit, the number of times you open a page, and which information is consulted), period of use, your geographic location, your IP address, your device, your operating system, and your browser type. You may be able to change the preferences on your browser or mobile device to send "do not track" signals or to prevent or limit your computer or device's acceptance of cookies, but this may affect the functionality of the Services or prevent you from using parts of the Services. If you click on a link to a third-party website or portal, such third party may also transmit cookies to you. This Privacy Policy does not cover the use of cookies by any third parties.

D. E-mail, Messaging Apps, and Other Communications

We may communicate with you by email, through the SaaS or Messaging Apps, or other means. When we do this, in addition to the information contained in the communication, we may collect a confirmation when you open the communication, open the message, or click on links in the communication or message. This confirmation helps us improve our service. If you do not want to receive email or other communications from us, please indicate your preference by visiting our email preference page. Please note that, if you do not want to receive legal notices from us, those legal notices will still govern your use of the websites, and you are responsible for reviewing such legal notices for changes.

E. Sensitive Personal Information

Except as otherwise stated in this Privacy Policy, we do not knowingly collect sensitive Personal Information, including: government identifiers (such as Social Security numbers and driver's licenses); financial account and login information (such as credit or debit card number together with login credentials); precise geolocation; race, ethnicity, religious or philosophical beliefs, or union membership; content of nonpublic communications (mail, email and text messages); genetic data; biometric or health information; and sex life or sexual orientation information. As applicable under the relevant Privacy Laws, where we collect and use such information as a contractor, service provider, business associate, or similar type of entity, we rely on the business, covered entity, or other types of similar entities to obtain any required informed consent.

V. What Does PrepMD RMS Do With Personal Information?

PrepMD RMS collects and uses Personal Information:

· To satisfy our contractual obligations with Customer Hospitals;

· To respond to inquiries and comments;

· To contact you with administrative communications and changes to this Privacy Policy, and our other policies;

· To operate, maintain, develop, and grow PrepMD RMS;

· To operate, develop, maintain, and improve the Portal, SaaS, Website, and Services;

· To conduct market research;

· To analyze how visitors use the Portal, SaaS, Website, and Services;

· To investigate and resolve disputes and security issues;

· To comply with regulatory and legal obligations; and

· For any other lawful, legitimate business purpose.

PrepMD RMS may anonymize or aggregate any Personal Information it collects. It may also use that information and other non-Personal Information it collects when you, your doctor, or Customer Hospital employees use or interact with the Portal, SaaS, Website, or Services to better understand our users and their behavior and to improve the user experience of the Portal, SaaS, Website, and Services.

We may also share certain Personal Information with third parties, including Customer Hospitals as applicable (as described in this Section and in Section VI below).

VI. Will PrepMD RMS Share Any of the Personal Information it Collects?

We share Personal Information with third parties as described below.

A. Agents and Service Providers

We employ other companies and people to perform tasks on our behalf and may need to share Personal Information with them to provide products and services to you. Unless we tell you differently, our agents and service providers do not have any right to use the Personal Information we share with them beyond what is necessary to assist us.

B. Customer Hospitals

We may share Personal Information with Customer Hospitals, the employees of Customer Hospitals, and doctors to fulfill our contractual obligations with Customer Hospitals and provide the Services to Customer Hospitals.

C. Business Transfers

We may choose to buy or sell assets. In these types of transactions, Personal Information is typically one of the business assets that is transferred. Also, if we (or all of our assets) are acquired, or if we go out of business, enter bankruptcy, or go through some other change of control, Personal Information would be one of the assets transferred or acquired.

D. Protection of PrepMD RMS and Others

We reserve the right to access, read, preserve, and disclose any information that we reasonably believe necessary to comply with law or court order, enforce or apply our customer agreements (including any subscription or other agreement with a Customer Hospital), or other agreements, or protect the rights, property, or safety of PrepMD RMS, our employees, our users, patients, or others, including exchanging information with other organizations for fraud protection and credit risk reduction.

E. With Your Consent

Except as set forth above, you will be notified when your Personal Information may be shared with third parties, and will be able to prevent the sharing of this information.

F. With our Affiliates

We reserve the right to share the Personal Information we collect with our affiliates and our affiliates shall have the same rights and responsibilities related to use of such information as does PrepMD RMS.

VII. How Long Does PrepMD RMS Retain Personal Information?

Except upon the request of an individual, as explained in Section VIII below, and except as the law permits and requires, PrepMD RMS will determine the retention period for Personal Information based on the following criteria:

A. The nature of our relationship with the Customer Hospital and the relevant individual, if applicable;

B. The existence of other ongoing or expected projects with the relevant Customer Hospital;

C. The nature of the Personal Information in question; and

D. Our business needs.

The above criteria notwithstanding, PrepMD RMS complies with HIPAA regulations for the retention of PHI as required by its business associate agreements with Customer Hospitals.

VIII. What Are Individuals' Rights to Control Their Personal Information?

To the extent required by the Privacy Laws, except where permitted or required by law (including, but not limited to, compliance with a legal obligation, to further a public interest, and establishing and/or exercising a legal claim or defense), you have the following rights regarding PrepMD RMS's collection and use of your Personal Information. Please note that many of the rights described below are not available with regard to PHI due to the requirements of HIPAA.

A. Requests to PrepMD RMS

You may request the following from PrepMD RMS with respect to your Personal Information:

1. Correction, updating, deletion, or restriction of collection and processing of your Personal Information;

2. The categories of your Personal Information that PrepMD RMS collects or processes;

3. The categories of sources from which PrepMD RMS collects or processes your Personal Information;

4. The expected period for which PrepMD RMS will store your Personal Information, or if not possible, the criteria used to determine that period;

5. The business or commercial purpose(s) for which PrepMD RMS collects and discloses your Personal Information;

6. A description of how PrepMD RMS has used or is using your Personal Information;

7. A copy of your Personal Information, including the specific pieces of Personal Information, in a format that is easily understandable to the average consumer, and to the extent technically feasible, in a structured, commonly used, machine-readable format, which also may be transmitted to another entity at your request without hindrance;

8. Categories of third parties with whom PrepMD RMS shares your Personal Information, and list of third parties with whom PrepMD RMS has shared your Personal Information;

9. Categories of your Personal Information that we have shared with third parties, including Customer Hospitals, and the categories of third parties to which we have shared each particular category of Personal Information;

10. Your specific Personal Information PrepMD RMS has collected, used, or disclosed.

If you request that your Personal Information be erased or deleted or that PrepMD RMS otherwise restrict its collection and processing of Personal Information, PrepMD RMS may terminate or limit your access to the website and service. If PrepMD RMS has not collected or processed your Personal Information, or has not shared your Personal Information with another party, PrepMD RMS will inform you of that in response to any of the above requests. Some information may remain in PrepMD RMS's backup media after erasure or deletion for a period of time. When you request that PrepMD RMS update information, PrepMD RMS may retain a copy of the unrevised information in PrepMD RMS's records. We may also use any anonymized aggregated statistical data derived from or incorporating Personal Information after it is updated, erased, or deleted, but not in a manner that would identify you.

We will confirm receipt of all such requests, provide information about how PrepMD RMS will process the request, and substantively respond to all such requests consistent with the Privacy Laws. There may be a delay in processing a request while we verify that the request is valid and originates from you as opposed to an unauthorized third party.

Our verification process varies based on the source and nature of the request, but may include: comparing data in the request against Personal Information we retain; contacting you using other contact information; requesting further information, although we will avoid doing so to the extent possible; and the consideration of certain factors, including the type, sensitivity, and value of your Personal Information, the risk of harm to you posed by an unauthorized request, the likelihood that fraudulent or malicious actors would seek your Personal Information, the manner in which we interact with you, the available technology, and whether the information you have provided to verify your identity is sufficiently robust to protect against fraudulent requests. To the extent permitted by the Privacy Laws, PrepMD RMS retains the right to deny any request if we cannot verify that it originated from you.

PrepMD RMS retains records of all of the above requests and our responses as required by the Privacy Laws.

When you update information, we may maintain a copy of the unrevised information in our records. Please note that some information may remain in our private records after your deletion of such information from your account.

PrepMD RMS may use any anonymized aggregated statistical data derived from or incorporating Personal Information after it is updated, erased, or deleted, but not in a manner that would identify you.

B. Making Foregoing Requests

The foregoing requests may be made by (1) email: hello@prepmd.com, (2) phone: (888) 633-7737, or (3) mail: Director of Global Marketing and Admissions, 50 Braintree Hill Park Suite 102, Braintree, MA 02184.

C. Authorized Agent

You may authorize an agent to take any of the acts permitted in this Section VIII on your behalf. To do so, you must provide written and signed authority to the agent, and written and signed notice to PrepMD RMS that PrepMD RMS may act on such requests by that agent.

D. Withdrawal of Consent

You may withdraw your consent for PrepMD RMS to collect or process your Personal Information in any of the following manners: (1) contact us at hello@prepmd.com; (2) contact us at (888) 633-7737; or (3) contact us at Director of Global Marketing and Admissions, 50 Braintree Hill Park Suite 102, Braintree, MA 02184. Please be aware that such withdrawal does not affect the lawfulness of PrepMD RMS's collection or processing of your Personal Information before such withdrawal. We reserve the right to terminate or limit your access to the Portal, SaaS, Website, and Services in the event that you withdraw your consent. Additionally, if you withdraw your consent to PrepMD RMS's collection or processing of your Personal Information, the services provided to Customer Hospital to you may be impacted.

E. "Do Not Sell My Personal Information" and Opting Out of Sharing Personal Information

Other than providing Personal Information to Customer Hospitals as described in Section VI.B above, PrepMD RMS does not "sell" Personal Information, as that term is defined by the CCPA and CPRA. You may opt out of PrepMD RMS's disclosure of your Personal Information in any of the following manners: (1) contact us at hello@prepmd.com; (2) contact us at (888) 633-7737; or (3) contact us at Director of Global Marketing and Admissions, 50 Braintree Hill Park Suite 102, Braintree, MA 02184.

We will act upon any request to opt out of all disclosure and sharing of your Personal Information, including notifying all third parties to whom we have disclosed or shared your Personal Information and ceasing to disclose or share your Personal Information, consistent with the requirements of the Privacy Laws.

If you exercise your right to opt out of the disclosure of your Personal Information to third parties, PrepMD RMS will cease disclosing your Personal Information as of the date we receive notice in a manner provided above. We will not contact you about opting in to disclosing your Personal Information for at least 12 months following the date that we receive your notice.

F. Object or Challenge

You may object to, or otherwise challenge, our collection and processing of your Personal Information in any of the following manners: (1) contact us at hello@prepmd.com; (2) contact us at (888) 633-7737; or (3) contact us at Director of Global Marketing and Admissions, 50 Braintree Hill Park Suite 102, Braintree, MA 02184. PrepMD RMS will respond consistent with the requirements of the Privacy Laws.

G. Filing a Complaint

Regulatory authorities that oversee the Privacy Laws typically advise individuals to file an objection or challenge with the company before lodging a formal complaint with a regulatory authority. If an individual is dissatisfied with PrepMD RMS's response to an objection or challenge filed under Section VIII.F, or wishes to file a complaint with a regulatory authority first, the individual may do so, including as follows:

CCPA and CPRA: California Attorney General

PII Laws: Relevant state Attorney General

H. Accessibility for Individuals with Disabilities

If you are unable to review this Privacy Policy or any portion of it, please use the following information to contact us and request an alternative format: (1) email us at hello@prepmd.com, (2) call us at (888) 633-7737, or (3) send us mail at Director of Global Marketing and Admissions, 50 Braintree Hill Park Suite 102, Braintree, MA 02184.

I. Non-Discrimination

PrepMD RMS will not discriminate against you because you have exercised any of the rights above or any other rights you retain pursuant to Privacy Laws, including, but not limited to, by:

1. Not denying goods or services to you;

2. Not charging different prices or rates for goods or services, including through the use of discounts or other benefits or imposing penalties;

3. Not providing a different level or quality of goods or services to you; and

4. Not suggesting that you will receive a different price or rate for goods or services or a different level or quality of goods or services.

Consistent with Privacy Laws, PrepMD RMS: (a) retains the right to charge you a different price or rate, or provide a different level or quality of goods or services to you, if that difference is reasonably related to the value provided to PrepMD RMS by your Personal Information; (b) may offer financial incentives, including payments to you as compensation, for the collection, disclosure, or deletion of your Personal Information; (c) may enter you into a financial incentive program only if PrepMD RMS clearly describes the material terms of the financial incentive program, so long as you give PrepMD RMS prior opt-in consent, which you may revoke at any time; and (d) shall not use financial incentive practices that are unjust, unreasonable, coercive, or usurious in nature.

IX. What Are PrepMD RMS's Service Differences?

PrepMD RMS does not offer any financial incentives for providing your Personal Information.

X. Is Personal Information About Me Secure?

We employ reasonable administrative, organizational, technical, and physical measures designed to protect the confidentiality, integrity, and availability of your Personal Information, which we regularly review and update as necessary.

PrepMD RMS's website may contain links to other sites. We are not responsible for the privacy or security practices of those other sites. When following a link to another site, you should read that site's privacy policy.

XI. Children's Privacy

We do not knowingly collect or solicit, and expressly instruct you not to provide, any Personal Information from anyone under the age of 18 through the Website. If and to the extent we learn that we have collected Personal Information from a child under age 18 through the Website or SaaS without verified parental consent, we will delete that information, except as provided below. If you believe that we might have any information from or about a child under age 18 without verified parental consent, please contact us immediately at hello@prepmd.com, (888) 633-7737, or Director of Global Marketing and Admissions, 50 Braintree Hill Park Suite 102, Braintree, MA 02184.

XII. Contractual or Statutory Requirement

Except as noted in this Privacy Policy or in contractual documents, PrepMD RMS's collection and use of Personal Information is not a contractual or statutory requirement or a requirement necessary to enter into a contract.

XIII. Failure to Provide Personal Information

You can always opt not to disclose information to us. Please keep in mind, we may not be able to provide the Services or full access to the Portal, SaaS or Website if you do not provide Personal Information.

XIV. Automated Decision Making

PrepMD RMS does not currently rely on automated decision making, including profiling, and will not subject you to decisions based solely on automated processing which will produce legal effects concerning you or similarly significantly affecting you.

XV. Changes to this Privacy Policy

We may amend this Privacy Policy from time to time. Collection and processing of information we collect is subject to the Privacy Policy in effect at the time such information is processed. You are bound by any changes to the Privacy Policy when you use the Portal, SaaS or Website after such changes have been first posted.

XVI. Questions or Concerns; Contact Information

If you have any questions or concerns regarding our privacy policies, please contact us at hello@prepmd.com, (888) 633-7737, or Director of Global Marketing and Admissions, 50 Braintree Hill Park Suite 102, Braintree, MA 02184.

Effective Date: January 23, 2023
