HIPAA PRIVACY & SECURITY PLAN

The Incident Response Team is comprised of the CEO, CTO, Doctor, and Physician Assistants, additional members deemed appropriate on an ad hoc basis in the reasonable judgment of the Privacy Officer. In the event of a security incident results in a wrongful disclosure of PHI, the Privacy Officer, in conjunction with the Incident Response Team will take appropriate actions to prevent further inappropriate disclosures.

It is the Company’s policy to train all members of its workforce who have access to PHI on its privacy policies and procedures. All staff members receive HIPAA training and will be required to complete a third party HIPAA compliance certificate every three years and within one month of starting work with ThatSkinnyShot. Whenever a privacy incident has occurred, the Privacy Officer in collaboration with management will evaluate the occurrence to determine whether additional staff training is in order. Depending upon the situation, the Privacy Officer may determine that all staff should receive training that is specific to the privacy incident. The Privacy Officer will review any privacy training developed as part of a privacy incident resolution to ensure the materials adequately address the circumstances regarding the privacy incident and reinforce the Company’s privacy policies and procedures.

The Company has established technical and physical safeguards to prevent PHI from intentionally or unintentionally being used or disclosed in violation of HIPAA's requirements. Technical safeguards include limiting access to information by creating computer firewalls. Physical safeguards include locking doors or filing cabinets and periodically changing door access codes. Additionally all staff members can only access PHI by using their own login information. See Physical Security Policy for more information.

Firewalls ensure that only authorized employees will have access to PHI, that they will have access to only the minimum amount of PHI necessary for their job functions, and that they will not further use or disclose PHI in violation of HIPAA's privacy rules.

Currently all data in the local data center is backed up using industry standards with off site storage of media. ThatSkinnyShot currently utilizes technology that allows the IT team to quickly remove, disable and start staff member access to PHI.

The Privacy Officer is responsible for developing and maintaining a notice of the Company’s privacy practices that describes:

• the uses and disclosures of PHI that may be made by the Company; • the individual's rights; and
• the Company's legal duties with respect to the PHI.

The privacy notice will inform participants that the Company will have access to PHI. The privacy notice will also provide a description of the Company’s complaint procedures, the name and telephone number of the contact person for further information, and the date of the notice.

The notice of privacy practices will be individually delivered to all participants:

• on an ongoing basis, at the time of an individual's enrollment into a Company program or at the time of treatment and consent; and
• within 60 days after a material change to the notice. The Company will also provide notice of availability of the privacy notice at least once every three years.

The Privacy Officer will be the Company's contact person for receiving complaints. The Privacy Officer is responsible for creating a process for individuals to lodge complaints about the Company's privacy procedures and for creating a system for handling such complaints. A copy of the complaint form shall be provided to any participant upon request.

Sanctions for using or disclosing PHI in violation of this HIPAA Privacy Plan will be imposed in accordance up to and including termination.

ThatSkinnyShot shall mitigate, to the extent possible, any harmful effects that become known to it because of a use or disclosure of an Participant’s PHI in violation of the policies and procedures set forth in this Plan. As a result, if an employee becomes aware of a disclosure of protected health information, either by a staff member of the Company or an outside consultant/contractor that is not in compliance with this Policy, immediately contact the Privacy Officer so that the appropriate steps to mitigate the harm to the participant can be taken.

No employee may intimidate, threaten, coerce, discriminate against, or take other retaliatory action against individuals for exercising their rights, filing a complaint, participating in an investigation, or opposing any improper practice under HIPAA.

No individual shall be required to waive his or her privacy rights under HIPAA as a condition of treatment, payment, enrollment or eligibility.

The Plan document includes provisions to describe the permitted and required uses and disclosures of PHI by ThatSkinnyShot. Specifically, the Plan document requires ThatSkinnyShot to:

• not use or further disclose PHI other than as permitted by the Plan documents or as required by law;
• ensure that any agents or subcontractors to whom it provides PHI received from the Company agree to the same restrictions and conditions that apply to ThatSkinnyShot;
• report to the Privacy Officer any use or disclosure of the information that is inconsistent with the permitted uses or disclosures;
• make PHI available to Participants, consider their amendments and, upon request, provide them with an accounting of PHI disclosures;
• make the Company’s internal practices and records relating to the use and disclosure of PHI received by the Company available to the Department of Health and Human Services (DHHS) upon request; and

The Company’s privacy policies and procedures shall be documented and maintained for at least three years. Policies and procedures must be changed as necessary or appropriate to comply with changes in the law, standards, requirements and implementation specifications (including changes and modifications in regulations). Any changes to policies or procedures must be promptly documented.

If a change in law impacts the privacy notice, the privacy policy must promptly be revised and made available. Such change is effective only with respect to PHI created or received after the effective date of the notice.

ThatSkinnyShot shall document certain events and actions (including authorizations, requests for information, sanctions, and complaints) relating to an individual's privacy rights.

The documentation of any policies and procedures, actions, activities and designations may be maintained in either written or electronic form.

The Company will provide an Incident Report form. This form is used to document reports of privacy breaches that have been referred to the Privacy Officer from staff members who have reviewed or received the suspected incident.

After receiving the Incident Report form from staff members, the Privacy Officer classifies the incident and its severity and analyzes the situation. Documentation shall be retained by the Company for a minimum of six years from the date of the reported incident.

If the Privacy Officer is able to resolve the incident, the Privacy Officer shall also document the actions taken to resolve the issue in the Incident Report form.

Just like paper records, Electronic Health Records must comply with HIPAA, and other state and federal laws. Unlike paper records, electronic health records can be encrypted - using technology that makes them unreadable to anyone other than an authorized user - and security access parameters are set so that only authorized individuals can view them. Further, EHRs offer the added security of an electronic tracking system that provides an accounting history of when records have been accessed and who accessed them.

ThatSkinnyShot will grant access to PHI based on their job functions and responsibilities.

The Privacy Officer is responsible for the determination of which individuals require access to PHI and what level of access they require through discussions with the individual’s manager.

The IT department will keep a record of authorized users and the rights that they have been granted with respect to PHI. IT keeps a comprehensive matrix of how and to who rights are granted.

The Company will use and disclose PHI only as permitted under HIPAA. The terms "use" and "disclosure" are defined as follows:

• Use.The sharing, employment, application, utilization, examination, or analysis of individually identifiable health information by any person working for or within the Company.
• Disclosure.For information that is protected health information, disclosure means any release, transfer, provision of access to, or divulging in any other manner of individually identifiable health information to persons not employed by or working within ThatSkinnyShot with a business need to know PHI.

All staff who performs Participant functions directly on behalf of the Company or on behalf of group health plans will have access to PHI as determined by their department and job description and as granted by IT.

These employees with access may use and disclose PHI as required under HIPAA but the PHI disclosed must be limited to the minimum amount necessary to perform the job function. Employees with access may not disclose PHI unless an approved compliant authorization is in place or the disclosure otherwise is in compliance with this Plan and the use and disclosure procedures of HIPAA.

Staff members may not access either through our information systems or the participant’s medical record the medical and/or demographic information for themselves, family members, friends, staff members or other individuals for personal or other non-work related purposes, even if written or oral participant authorization has been given. If the staff member is a Participant in ThatSkinnyShot’s plans, the staff member must go through their Provider in order to request their own PHI.

PHI may be disclosed for any purpose if an authorization that satisfies all of HIPAA's requirements for a valid authorization is provided by the participant. All uses and disclosures made pursuant to a signed authorization must be consistent with the terms and conditions of the authorization.

PHI may be disclosed in the following situations without a participant's authorization, when specific requirements are satisfied. The Company’s use and disclosure procedures describe specific requirements that must be met before these types of disclosures may be made. In particular State, Federal and County compliance to Covid-19 testing.

HIPAA requires that when PHI is used or disclosed, the amount disclosed generally must be limited to the "minimum necessary" to accomplish the purpose of the use or disclosure.

The "minimum-necessary" standard does not apply to any of the following: • uses or disclosures made to the individual;

• uses or disclosures made pursuant to a valid authorization;
• disclosures made to the Department of Labor;
• uses or disclosures required by law; and
• uses or disclosures required to comply with HIPAA.

Minimum Necessary When Disclosing PHI. For making disclosures of PHI to any business associate or providers, or internal/external auditing purposes, only the minimum necessary amount of information will be disclosed.

All other disclosures must be reviewed on an individual basis with the Privacy Officer to ensure that the amount of information disclosed is the minimum necessary to accomplish the purpose of the disclosure.

Minimum Necessary When Requesting PHI. For making requests for disclosure of PHI from business associates, providers or participants for purposes of claims payment/adjudication or internal/external auditing purposes, only the minimum necessary amount of information will be requested.

All other requests must be reviewed on an individual basis with the Privacy Officer to ensure that the amount of information requested is the minimum necessary to accomplish the purpose of the disclosure.

The Company may freely use and disclose de-identified information. De-identified information is health information that does not identify an individual and with respect to which there is no reasonable basis to believe that the information can be used to identify an individual. There are two ways a covered entity can determine that information is de-identified: either by professional statistical analysis, or by removing all specific identifiers.

A person with appropriate expertise must determine that the risk is very small that the information could be used alone or in combination with other reasonably available information by an anticipated recipient to identify the individual. AND this person must document the methods and justification for this determination.

HIPAA gives participants the right to access and obtain copies of their PHI that the Company or its business associates maintains. HIPAA also provides that participants may request to have their PHI amended. The Company will provide access to PHI and it will consider requests for amendment that are submitted.

An individual has the right to obtain an accounting of certain disclosures of his or her own PHI. This right to an accounting extends to disclosures made in the last three years, other than disclosures:

• to carry out treatment, payment or health care operations;
• to individuals about their own PHI;
• incident to an otherwise permitted use or disclosure or pursuant to an authorization;
• for purposes of creation of a facility directory or to persons involved in the participant's care or other notification purposes;
• as part of a limited data set; or
• for other national security or law enforcement purposes.

The accounting must include the date of the disclosure, the name of the receiving party, a brief description of the information disclosed, and a brief statement of the purpose of the disclosure (or a copy of the written request for disclosure, if any).

A participant may request restrictions on the use and disclosure of the participant's PHI. It is the Company’s policy to attempt to honor such requests if, in the sole discretion of the Company, the requests are reasonable. The Privacy Officer is charged with responsibility for processing requests for restrictions.

A participant can request a copy of his/her medical record by completing a Request for Accessing/Inspecting/Copying Health Information form and submitting it to the Department that maintains the information being requested. The Department in collaboration with the Privacy Officer must process and respond to the request.

Participants can receive this form from Patient Services or by going directly to the department that maintains their records.

The purpose of this section is to address the Company’s privacy requirements for reporting, documenting, and investigating a known or suspected action or adverse event resulting from unauthorized use or disclosure of individually identifiable health information.

A privacy breach is an adverse event or action that is unplanned, unusual, and unwanted that happens as a result of non-compliance with the privacy policies and procedures of the Company. A privacy breach must pertain to the unauthorized use or disclosure of health information, including ‘accidental disclosures’ such as misdirected e-mails or faxes.

The Privacy Officer shall immediately investigate and attempt to resolve all reported suspected privacy breaches.

Staff members are required to verbally report to his/her supervisor any event or circumstance that is believed to be an inappropriate use or disclosure of a participant PHI. If the supervisor is unavailable, the staff member must notify the Privacy Officer within 24 hours of the incident. If the manager determines that further review is required, the manager and staff member will consult with the Privacy Officer to determine whether the suspected incident warrants further investigation. In all cases and Incident Report must be filled out and submitted to the appropriate reviewer.

The Privacy Officer will document all privacy incidents and corrective actions taken. Documentation shall include a description of corrective actions, if any are necessary, or explanation of why corrective actions are not needed, and any mitigation undertaken for each specific privacy incident. All documentation of a privacy breach shall be maintained with the Privacy Officer and shall be retained for at least three years from the date of the investigation. Such documentation is not considered part of the participant’s health record.

Following a breach of unsecured protected health information, covered entities must provide notification of the breach to affected individuals if necessary and in certain circumstances, to the media. In addition, business associates must notify covered entities that a breach has occurred.

• Individual Notice

Covered entities must notify affected individuals following the discovery of a breach of unsecured

protected health information. Covered entities must provide this individual notice in written form by by e-mail if the affected individual has agreed to receive such notices electronically. If the covered entity has insufficient or out-of-date contact information for 10 or more individuals, the covered entity must provide substitute individual notice by either posting the notice on the home page of its web site or by providing the notice in major print or broadcast media where the affected individuals likely reside. If the covered entity has insufficient or out-of-date contact information for fewer than 10 individuals, the covered entity may provide substitute notice by an alternative form of written, telephone, or other means.

• Media Notice

Covered entities that experience a breach affecting more than 500 residents of a State or jurisdiction are, in addition to notifying the affected individuals, required to provide notice to prominent media outlets serving the State or jurisdiction. Covered entities will likely provide this notification in the form of a press release to appropriate media outlets serving the affected area. Like individual notice, this media notification must be provided without unreasonable delay and in no case later than 60 days following the discovery of a breach and must include the same information required for the individual notice.

• Notice to the Secretary

In addition to notifying affected individuals and the media (where appropriate), covered entities must notify the Secretary of breaches of unsecured protected health information. Covered entities will notify the Secretary by visiting the HHS web site and filling out and electronically submitting a breach report form. If a breach affects 500 or more individuals, covered entities must notify the Secretary without unreasonable delay and in no case later than 60 days following a breach. If, however, a breach affects fewer than 500 individuals, the covered entity may notify the Secretary of such breaches on an annual basis. Reports of breaches affecting fewer than 500 individuals are due to the Secretary no later than 60 days after the end of the calendar year in which the breaches occurred.

• Notification by a Business Associate

If a breach of unsecured protected health information occurs at or by a business associate, the business associate must notify the covered entity following the discovery of the breach. A business associate must provide notice to the covered entity without unreasonable delay and no later than 60 days from the discovery of the breach. To the extent possible, the business associate should provide the covered entity with the identification of each individual affected by the breach as well as any information required to be provided by the covered entity in its notification to affected individuals.

Concerns about the Company’s privacy practices may arise in a variety of contexts and may be received by many different persons at the Company. It is important that the Company responds to concerns and complaints in a timely manner. When a staff member hears or receives a complaint/concern, he/she should ask the complainant whether or not the complainant wishes to file a formal complaint and offer to assist the complainant with the form. Even if the person does not wish to file a complaint or provide identifying information, the staff member should proceed with the procedures outlined below.

a. Participant’s complaints of alleged privacy rights violations may be forwarded through multiple channels, such as telephone calls, letter via mail/email, in person. If these complaints are received by a staff member the person receiving the complaint will:

• In response to a Telephone Call or In-Person Request to File a Complaint – Complete the Privacy Complaint Form and immediately forward to the Privacy Officer. Offer to forward a copy of the complaint form to the complainant.
• In response to a Letter or Email (print out) – Complete the Privacy Complaint Form and immediately forward to the Privacy Officer. Attach the written complaint to the complaint form.
• In response to an Anonymous Complaint– Complete the Privacy Complaint Form based on the information provided and immediately forward to the Privacy Officer. When possible, explain to the complainant that the Company has an obligation to follow up on complaints whether or not they are anonymously filed.

b. Staff Members – Email the Privacy Officer at info@thatskinnyshot.com

c. Outcome of Investigation -The purpose of the investigation is to determine the compliance of the Company’s policies and procedures implementing the privacy standards mandated by HIPAA. The Company will mitigate, to the extent practicable, any harmful effect that is known of a use or disclosure of PHI in violation of the Company’s policies and procedures or HIPAA’s privacy requirements by the Company or any of its Business Associates. In the event that disciplinary action is recommended, the Privacy Officer or his/her designee will coordinate any action with management.

The Company shall not intimidate, threaten, coerce, discriminate against, or take any other form of retaliatory action against any person who has reported a privacy incident.