Patient Advocate Foundation Patient Privacy Policy

Effective Date: August 1, 2022

Patient Advocate Foundation (“PAF,” “we,” “us” or “our”) is committed to protecting your individually identifiable information (“Personal Information”). This Patient Privacy Policy (“Policy”) discloses the privacy practices for PAF and applies solely to information collected by PAF through its services where this Policy is posted (collectively “PAF programs”), except where stated otherwise. While PAF is not a HIPAA Covered Entity or Business Associate, we are committed to respecting patient privacy. By using the PAF programs, you acknowledge you have read and understood the terms and conditions of this Policy. If you are accessing the PAF programs in your professional capacity, you agree you have consent of your employer to input information and bind yourself and the employer to the Privacy Policy and Terms of Use. If you do not agree to the terms and conditions of this Policy, please do not use the PAF programs.

Please note that your use of our PAF programs is also governed by our Terms of Use.

Information Collection
As PAF provides assistance through the PAF programs, PAF collects from patients certain Person Information, including:

• Contact information;
• Demographic information;
• Protected health information, such as health insurance and other benefit information, financial status, medical information, and employment information;
• Upon completion of service delivery to a patient through a PAF program the patient may be invited to Share Your Story. This is a voluntary opportunity offered to
   each patient and has no bearing on delivery of services to a patient through PAF programs. Personal Information is collected through Satisfaction Evaluation
   with an option to Share Your Story specifically to be publicly shared and demonstrate program impact for patients and their families. Only stories, and Personal
   Information, of patients who have provided authorization to PAF are shared publicly.
• Periodically, PAF conducts follow-up with patients served by PAF programs to ask them questions about the services they received both from PAF and from their
   medical and insurance providers. These responses help PAF understand what matters to the patients we assist and to evaluate how our services have impacted
   patients receiving the services, enabling us to serve as an effective voice for change in the health care system. Voluntary survey and program evaluation
   participation has no bearing on delivery of services to a patient through PAF programs. Survey responses are aggregated for the purposes of public reporting and
   no Personal Information is shared publicly. Information on Surveys and Program Evaluations are linked here

You have choices about the information we collect. When you are asked to provide Personal Information, you may decline. However, if you choose not to provide information that is necessary to provide our services, you may not be able to use some of our services. Information Use PAF uses the information collected from patients or their authorized representatives in order to:

• Provide assistance through its case management programs, CareLines, and/or financial support programs,
• Respond to patients and their representatives to resolve issues presented by and/or for patients,
• Send informational communications about PAF patient programs, educational resources, and upcoming events
• Solicit responses and feedback to voluntary patient and caregiver surveys as part of PAF’s ongoing program satisfaction and health services research activities
• And as otherwise permitted by applicable law.

It is the policy of PAF that patients’ Personal Information, including protected health information, may only be
   used after authorization by patients, or their representatives, as follows:

1. By PAF and its representatives to provide services and support to patients seeking assistance from and enrolled in PAF programs, including those administered
    by PAF as a service provider, in order to respond to applications for assistance and/or resolve issues presented by patients seeking assistance from PAF.
    Representatives may include PAF employees, both permanent and temporary, directors, officers, PAF legal counsel, and contracted third party service provider
    organizations.
2. In PAF Case Management programs as described in a. Patient Advocate Foundation Representation Authorization linked here. b. Patient Advocate Foundation
    Case Management Program Disclaimer linked here.
3. In PAF CareLine programs in the program disclaimer for each program listed and linked here.
4. In PAF Employee Benefit Advocate Program Disclaimer linked here.
5. In the PAF Co-Pay Relief Program Disclaimer linked here.
6. In the PAF Financial Aid Fund Program Disclaimer linked here and for individual financial aid funds listed and linked at the bottom of that same page.

Disclosure of Information
We may share or disclose your information to the following categories of third parties and for the following reasons:

• To third party service providers, agents or independent contractors who help us maintain our PAF programs and provide other administrative services to us, in
   order to resolve issues presented by the patients or their representatives, to process an application for assistance, to process a claim being made against a
   financial award that has been provided, as required by a partnering organization or as required by law. The patient, or the authorized representative, is notified of
   these disclosure practices via written program disclaimer that is provided via mail, email and/or published on our PAF programs websites.
• We may share your Personal Information in the course of any reorganization process including, but not limited to, mergers, acquisitions, and transfers of all or
   substantially all of our assets. If transferred in such a case, the purchaser will abide by the terms and conditions of this Policy.
• We may disclose your Personal Information to law enforcement, government agencies, and other related third parties, in order to comply with the law, enforce
   our policies, or protect our or others’ rights, property or safety.
• We may disclose information to third parties where necessary to assist in fraud protection and to minimize credit risk.

Collection and Use Of Information From
Children The PAF programs and PAF’s online services are not intended for use directly by children. We do not specifically or knowingly collect Personal
Information directly from children, and none of our online services are designed to attract children. If we learn that we have collected information from a minor
under the age of 18 without parental consent, we take steps to remove that information from our servers. In some instances, we may use that information only to
respond directly to that child (or his/her/their parent or legal guardian) to inform the minor that he/she/they cannot use the services.

Notice Regarding Public Posting Areas
Please note that any information you include in a message you post to any chat room, forum or other public posting area is available to anyone with Internet access. If you do not want people to know your email address, for example, do not include it in any message you post publicly. PLEASE BE EXTREMELY CAREFUL WHEN DISCLOSING ANY INFORMATION IN CHAT ROOMS, FORUMS AND OTHER PUBLIC POSTING AREAS. WE ARE NOT RESPONSIBLE FOR THE USE BY OTHERS OF THE INFORMATION THAT YOU DISCLOSE IN CHAT ROOMS, FORUMS AND OTHER PUBLIC POSTING AREAS.

Third-Party Links
You might find links to third party websites on our PAF websites. These websites should have their own privacy policies which you should check. We do not accept any responsibility or liability for their policies whatsoever as we have no control over them.

Media Release Form
Certain patients may be contacted by PAF in reference to participation in public appearances, media interviews, and other outreach activities. These voluntary activities have no bearing on delivery of services to patients through PAF programs. Before participating in such activities, patients must complete a media release form. Only patients who have provided authorization to PAF to share their Personal Information publicly will be engaged in media events and opportunities.

Information Ownership and Sharing
PAF is the sole owner of the Personal Information collected through PAF programs, except in certain programs where PAF serves as an administrator for another organization’s program, or in partnership with another organization to deliver a program. Where PAF serves as an administrator for another organization’s program, or in partnership with another organization, your Personal Information is also subject to that third party’s privacy policy. PAF collects information that patients voluntarily provide or that is given to us by patients’ authorized representatives and providers, including but not limited to family members, caregivers, guardians, medical providers, pharmacies, health care facilities, diagnostic laboratories, medical equipment providers, health and welfare benefit plans, insurance companies, benefit administrators and employers.

Security
We implement reasonable security measures to ensure the security of your Personal Information. Please understand, however, that no data transmissions over the Internet can be guaranteed to be 100% secure. Consequently, we cannot ensure or warrant the security of any information you transmit to us and you understand that any information that you transfer to us is done at your own risk. If we learn of a security systems breach we may attempt to notify you electronically so that you can take appropriate protective steps. By using PAF programs or providing Personal Information to us, you agree that we can communicate with you electronically regarding security, privacy and administrative issues relating to your use of the PAF programs. We may post a notice via our PAF website if a security breach occurs. We may also send an email to you at the email address you have provided to us in these circumstances. Depending on where you live, you may have a legal right to receive notice of a security breach in writing.

International Data Transfers
We are based in the US. If you choose to provide us with information, please understand that your Personal Information may be transferred to the US and that we may transfer that information to third parties, across borders, and from your country or jurisdiction to other countries or jurisdictions around the world. If you are visiting from the EU or other regions with laws governing data collection and use that may differ from US law, please note that you are transferring your Personal Information to the US and other jurisdictions which may not have the same data protection laws as the EU. We put in place appropriate operational, procedural and technical measures in order to ensure the protection of your Personal Information, such as standard contractual clauses. You acknowledge you understand that by providing your Personal Information: (i) your information will be used for the uses identified above in accordance with this Policy; and (ii) your information may be transferred to the US and other jurisdictions as indicated above, in accordance with applicable law.

Access to and Updates of Your Information
Patients may request a printed copy of their Personal Information that is electronically stored at PAF and/or provide updates to their Personal Information by contacting us via email privacy@patientadvocate.org, by calling 757-952-0589, or by writing to Patient Advocate Foundation, Attn: Patient Privacy, 421 Butler Farm Rd, Hampton, VA 23666. PAF does not delete entire patient records that are electronically stored upon request.

Retention of Your Information
We retain Personal Information for as long as we have a legitimate business need to do so or as allowed under applicable law, such as for the duration outlined in our documentation retention and destruction policy or to comply with applicable legal, tax, or accounting requirements.

Opt Out of Future Contacts
Patients may opt out of any future contacts from PAF at any time. To do so, contact us via email privacy@patientadvocate.org, by calling 757-952-0589, or by writing to Patient Advocate Foundation, Attn: Patient Privacy, 421 Butler Farm Rd, Hampton, VA 23666.

How We Respond To Do-Not-Track Signals
At this time our websites do not recognize automated browser signals regarding tracking mechanisms, which may include “Do Not Track” instructions.

Cookies
Like many websites, we use cookies, log data, pixels, web beacons, and similar tracking technologies (collectively “cookies”) to see which web pages are visited and how often, to improve our service, to make our service more user friendly, and to give you a better experience when you return to the PAF programs. Most browsers accept cookies automatically but allow you to disable them. Please check your browser and browser settings to determine where these types of cookies are stored and whether and how they may be deleted. The Network Advertising Initiative also offers a means to opt-out of a number of advertising cookies. Please visit their website here to learn more and to opt-out, if desired. In any event, if you reject our cookies, you may still use the PAF programs, but you may be limited in some of the features. We may also work with service providers that use cookies and web beacons to collect information, and to serve advertisements to you across the Internet based on that information.

Your California Privacy Rights
California Civil Code Section 1798.83 permits users who are California residents to request certain information regarding our disclosure of personal information to third parties for their direct marketing purposes. We do not share personal information with third parties for their direct marketing purposes.

Printed Copy of this Policy
To request a printed copy of this policy, any PAF authorization form, or any PAF program disclaimer, contact us via email privacy@patientadvocate.org, by calling 757-952-0589, or by writing to Patient Advocate Foundation, Attn: Patient Privacy, 421 Butler Farm Rd, Hampton, VA 23666.

Questions or Concerns
Concerns about PAF’s use of individually identifiable information may be expressed to the PAF employee with whom the patient is communicating to and/or working with for assistance or, via email privacy@patientadvocate.org, by calling 757-952-0589, or by writing to Patient Advocate Foundation, Attn: Patient Privacy, 421 Butler Farm Rd, Hampton, VA 23666.

Notification of Patient Privacy Policy Changes
The current Patient Privacy Policy is posted at www.patientadvocate.org/patient-privacy. We reserve the right to modify this policy at any time. When we do so, we will update the “Effective Date” above. You will be notified of any material changes to this policy via a posting on the websites.