Notice of Privacy Practices

TrestleTree, LLC

3715 Business Drive, Suite 202, Fayetteville, AR 72703

Privacy Officer: Lisa Stafford: 479-973-7195

As Revised: July 25, 2016 (Effective Date)

Your privacy and the security of your personal information are very important to TrestleTree, LLC (“TrestleTree”). We understand that health is a personal, private subject, and we want you to feel as comfortable as possible as an enrollee in our disease management or lifestyle management program (collectively, “Programs”) and when using our on-line services. This Privacy Policy and Agreement (“Privacy Policy”) explains what information we collect about you and about your use of our website, how we protect that information, and your rights about the information and how it is used. Please read this Privacy Policy carefully. Except as we may disclose in this Privacy Policy, we will not share, sell, license, trade or rent your personal information to others. By enrolling in the TrestleTree program or using the TrestleTree site, you agree to the terms of this Privacy Policy.

We will inform you of the following in this privacy policy:

TrestleTree As A Business Associate

Many health care providers and health insurance plans are “covered entities” under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). Covered entities are required by HIPAA to take certain actions to safeguard your personal health information. Although TrestleTree is not a “covered entity” under HIPAA, it has entered into agreements to provide Programs to enrollees in various employer-sponsored health plans which are HIPAA covered entities (“HIPAA Plans”). When TrestleTree agrees to provide Programs to enrollees in a HIPAA Plan, it enters into a Business Associate Agreement with the HIPAA Plan under which TrestleTree agrees to certain confidentiality obligations with regard to enrollees’ personal health information. If you are receiving services in any of our Programs through a HIPAA Plan, TrestleTree will use and disclose your health information only as allowed by the terms of its Business Associate Agreement with your health plan. Typically, in addition to allowing TrestleTree to share personal health information with the HIPAA Plan, Business Associate Agreements allow TrestleTree to use and disclose your health information in order to provide Program services to you, to fulfill various legal responsibilities, and for TrestleTree’s management and administrative purposes.

Public Forums

Any information (including personal and medical information) that you reveal in a public forum on TrestleTree’s website, such as a bulletin board, message board or chat room/event, is not protected by this Privacy Policy. These postings will be seen by third parties not employed by TrestleTree. What you write could be used by others in ways we are unable to control or predict, including to contact you for unauthorized purposes.

Linked Sites

This Privacy Notice applies only to TrestleTree and the TrestleTree website. For your convenience, TrestleTree’s website may contain links to websites operated by companies other than TrestleTree (“Third Party Websites”). TrestleTree does not disclose any information about you to these Third Party Websites. Once you enter a Third Party Website, be aware that TrestleTree does not endorse and is not responsible for the privacy practices of these sites. We encourage you to look for and review the privacy statements of each and every Third Party Website that you visit in order to understand how that website may collect and use your Personal Information.

A. What Personal Information Is Collected By TrestleTree?

“Personal Information” is information that identifies you or can be used to identify or contact you. TrestleTree collects Personal Information in three ways: (1) when you register as an enrollee and/or when you update your enrollee information; (2) when you obtain Program services and use various TrestleTree interactive tools; and (3) when we update your health information as you progress through one or more of the Programs. TrestleTree does not store any Personal Information on your computer, through the use of “cookies” or in any other manner.

Enrollment : You may use our website only if you enrolled and submitted Personal Information through our enrollment process. Enrollment occurs either electronically on a secure enrollment site, by telephone, or through a paper enrollment form. Enrollment is completed by a TrestleTree employee who verifies that you are qualified to participate in a TrestleTree Program. The types of information we collect during the enrollment process are listed below:

1. Name

2. Address

3. Employer

4. Contact Information

5. Date of Birth

6. Gender

7. Height/Weight

8. Information regarding chronic conditions

9. Whether you use tobacco

Coaching Sessions : Upon your registration and qualification, you will be contacted by TrestleTree for an initial telephone or in-person interview and coaching session with your Health Coach. Further health information will be collected during this interview. TrestleTree collects this information as well as other information you voluntarily provide in follow-up correspondence and coaching sessions with your Health Coach. In order to ensure the highest quality of health coaching sessions, these sessions may be supervised and/or recorded by authorized TrestleTree personnel solely for TrestleTree’s internal supervisory or evaluative purposes.

Special Notice Regarding Children

We are committed to protecting the privacy of children. TrestleTree’s website is not designed or intended to attract children under the age of 18 without the direct supervision and consent of custodial parents/guardians. We do not collect Personal Information from any person we actually know is under the age of 18 without the direct consent and involvement of custodial parents/guardians.

B. How is Your Personal Information Used and With Whom is it Shared?

Except as set forth in this Privacy Policy or as specifically agreed to by you, TrestleTree will not use or disclose any Personal Information it gathers from you. The law permits us to use or disclose your health information for the following purposes. The examples listed under the categories below do not list every possible use or disclosure in that category.

1. Program Services: TrestleTree will use and disclose your Personal Information as necessary to provide services to you through our Programs. For example, we will use information collected from you in the enrollment process, your initial coaching session, and any follow-up contact with your Health Coach in order to assist you with managing a chronic illness and/or improving your health through establishing health-related goals.

2. Payment for Services: TrestleTree does not routinely provide your Personal Information to your employer or your health plan, with the exception of certain information that is necessary in order to obtain payment for TrestleTree’s services. For example, we may be required to disclose to your health plan the fact that you are enrolled in one of our Programs in order to obtain payment for Program services provided to you. We will disclose Personal Information about you for payment purposes only as authorized or required by our contract with your health plan or your employer.

3. Management and Administration: Consistent with the terms of its Business Associate Agreements with HIPAA Plans, TrestleTree may use your Personal Information as necessary or appropriate for its proper management and administration or to carry out its legal responsibilities. TrestleTree may use and/or provide your personal information to your plan sponsor, health plan, or other entities that have contracted with your plan sponsor or health plan, for the administration of your wellness program or to provide you with other health-related services available through your plan sponsor and/or your health plan. TrestleTree will disclose your Personal Information for management and administration purposes only if it receives certain assurances from the other party concerning the confidentiality of the Personal Information.

4. Communications From TrestleTree: TrestleTree may contact you for coaching sessions or to provide other Program services to you. TrestleTree also may contact you to provide appointment reminders. If you are not home, we may leave this information on your answering machine or in a message left with the person answering the phone. TrestleTree also may contact you to provide information about your healthcare alternatives or other health-related benefits and services that may be of interest to you. We may send information via e-mail to you or ask you to participate in surveys by e-mail. You are not required to participate in these surveys and may opt out of receiving e-mail from us.

5. Communications With Your Physician: TrestleTree may provide notice to your personal physician of your enrollment in a TrestleTree Program. With your express permission, TrestleTree may also provide your personal physician certain Personal Information regarding your progress in the Program.

6. Communications To Family or Friends: We may disclose your Personal Information to your relatives, close friends or any other person identified by you if the information is directly related to that person’s involvement in your care or payment for your care. Generally, except in emergency situations, we will inform you of our intended action prior to making any such uses and disclosures and will, at that time, offer you the opportunity to object. However, if you are not present or are unable to agree or object to such a disclosure, we may disclose such information as necessary if we determine that it is in your best interest based on our professional judgment. We also may use and disclose your Personal Information for the purpose of locating and notifying your relatives or close personal friends of your location, general condition or death, and to organizations that are involved in those tasks during disaster situations. TrestleTree will not make any disclosure described in this paragraph if it is prohibited by an applicable Business Associate Agreement, and before making any disclosure described in this paragraph, TrestleTree will consult your health plan, if it is a HIPAA Client.

7. Required By Law: We may use or disclose Personal Information as required by federal, state, or local law if the disclosure complies with the law and is limited to the requirements of the law.

8. Legal Proceedings: We may disclose your Personal Information as expressly required by a court or administrative tribunal order or in compliance with state law in response to subpoenas, discovery requests or other legal process when we receive satisfactory assurances that efforts have been made to advise you of the request or to obtain an order protecting the information requested.

9. Law Enforcement: Subject to the terms of its Business Associate Agreements and in consultation with HIPAA Clients, if necessary, TrestleTree may disclose Personal Information for law enforcement purposes under certain specific conditions. For example, TrestleTree may disclose information in order to assist with the investigation of a crime or suspected crime, identifying or locating a suspect, fugitive, material witness or missing person, complying with a court order, warrant, grand jury subpoena and other law enforcement purposes.

10. Emergencies: In limited circumstances and subject to any applicable Business Associate Agreement, we may disclose Personal Information in an emergency situation when we have a good faith belief that the disclosure is necessary to prevent a serious and imminent threat to the health or safety of a person or to the public.

11. Compliance Review: We may be required by law or by the terms of our Business Associate Agreements, to disclose Personal Information to certain government agencies, including without limitation, the Secretary of the United States Department of Health and Human Services, in connection with a compliance review or investigation of TrestleTree or one of its HIPAA Clients.

12. With Your Authorization: In other circumstances, TrestleTree may use or disclose your Personal Information by first obtaining your written authorization. If you give your written authorization to TrestleTree, you have the right to revoke the authorization at any time.

13. Access By Our Contractors: The only entities that will have access to your stored Personal Information are TrestleTree itself and any third parties hired by TrestleTree to assist us in providing services, such as operating, maintaining and improving the web site or internal reporting systems. These third parties are required by us to hold your information in the strictest of confidence and may not use or disclose it except to fulfill the service we hired them to perform.

14. Aggregate Information: TrestleTree may provide to third parties information about you that does not allow you to be identified or contacted and that is combined with information of other enrollees (“Aggregate Information”). This Aggregate Information is not Personal Information because it cannot be used to identify you. For example, we might inform third parties regarding the number of users of our site and the activities they conduct while on our site. We may also query you, as an enrollee, concerning the effectiveness of the TrestleTree program for the purpose of attaining program evaluation information. When we gather this information from you, we will follow established guidelines to ensure the confidentiality of your responses. We may then aggregate your responses with those of other enrollees in order to generate Aggregate Information to share with other parties about our Programs. When we disclose Aggregate Information to a third party, we cannot limit the third parties’ use of the Aggregate Information, except that we do require third parties to whom we disclose Aggregate Information to agree that they will not attempt to make this information personally identifiable by combining it with other databases or otherwise.

15. Internet Business Purposes: TrestleTree uses your information to improve the operations of our website, to statistically analyze site usage, to improve content and product offerings, and to customize the site’s content and layout. If an enrollee has problems with the use of our site, we may use personal information to solve these problems, and we may need to look at several enrollees’ information in order to resolve these problems. TrestleTree believes that these uses will improve its site and better tailor it to meet enrollees’ needs.

16. Specialized Government Functions: We may disclose your health information for military or national security purposes or to correctional institutions or law enforcement officers that have you in their lawful custody.

17. Workers’ Compensation: We may disclose your health information as necessary to comply with workers’ compensation laws. For example, to the extent your care is covered by workers' compensation, we will make periodic reports to your employer about your condition. We are also required by law to report cases of occupational injury or occupational illness to the employer or workers' compensation insurer.

18. Change of Ownership: In the event that TrestleTree is sold or merged with another organization, your health information/record will become the property of the new owner, although you will maintain the same rights as set forth in this Privacy Policy.

19. Breach Notification: In the case of a breach of unsecured protected health information, we will notify you as required by law. If you have provided us with a current e-mail address, we may use e-mail to communicate information related to the breach. In some circumstances your health plan or employer may provide the notification. We may also provide notification by other methods as appropriate.

C. When TrestleTree May Not Use or Disclose Your Health Information

Except as described in this Notice of Privacy Practices, TrestleTree will, consistent with its legal obligations, not use or disclose health information which identifies you without your written authorization. If you do authorize TrestleTree to use or disclose your health information for another purpose, you may revoke your authorization in writing at any time.

1. Marketing: We will not use or disclose your medical information for marketing purposes or accept any payment for other marketing communications without your prior written authorization. The authorization will disclose whether we receive any compensation for any marketing activity you authorize, and we will stop any future marketing activity to the extent you revoke that authorization.

2. Sale of Health Information: We will not sell your health information without your prior written authorization. The authorization will disclose that we will receive compensation for your health information if you authorize us to sell it, and we will stop any future sales of your information to the extent that you revoke that authorization.

D. Your Health Information Rights

1. Right to Request Special Privacy Protections: You have the right to request restrictions on certain uses and disclosures of your health information by a written request specifying what information you want to limit, and what limitations on our use or disclosure of that information you wish to have imposed. If you tell us not to disclose information to your commercial health plan concerning health care items or services for which you paid for in full out-of-pocket, we will abide by your request, unless we must disclose the information for treatment or legal reasons. We reserve the right to accept or reject any other request, and will notify you of our decision.

2. Right to Request Confidential Communications: You have the right to request that you receive your health information in a specific way or at a specific location. For example, you may ask that we send information to a particular e-mail account or to your home address. We will comply with all reasonable requests submitted in writing which specify how or where you wish to receive these communications.

3. Right to Inspect and Copy: You have the right to inspect and copy your health information, with limited exceptions. To access your medical information, you must submit a written request detailing what information you want access to, whether you want to inspect it or get a copy of it, and if you want a copy, your preferred format. We will provide copies in your requested format if it is readily producible, or we will provide you with an alternative format you find acceptable, or if we can’t agree and we maintain the record in an electronic format, your choice of a readable electronic or hardcopy format. We will also send a copy to any other person you designate in writing. We will charge a reasonable fee which covers our costs for labor, supplies, postage, and if requested and agreed to in advance, the cost of preparing an explanation or summary. You may request access to your health information by sending a written request to our Privacy Officer listed at the top of this Notice of Privacy Practices. In certain circumstances, we may deny your request for access, but we will try to accommodate all requests, subject to the terms of our Business Associate Agreements.

4. Right to Amend or Supplement: You can always contact us in order to update the Personal Information that you have provided to us or change your preferences with respect to e-mail contacts or other activities. Such changes will not have any effect on other information that TrestleTree maintains. You also have a right to request that we amend your health information that you believe is incorrect or incomplete. You must make a request to amend in writing, and include the reasons you believe the information is inaccurate or incomplete. We are not required to change your health information, and will provide you with information about any denial and how you can disagree with the denial. We may deny your request if we do not have the information, if we did not create the information, if the person or entity that created the information is no longer available to make the amendment, if you would not be permitted to inspect or copy the information at issue, or if the information is accurate and complete as is. If we deny your request, you may submit a written statement of your disagreement with that decision, and we may, in turn, prepare a written rebuttal. All information related to any request to amend will be maintained and disclosed in conjunction with any subsequent disclosure of the disputed information. You may request an amendment to your health information by sending a written request to our Privacy Officer listed at the top of this Notice of Privacy Practices.

5. Right to an Accounting of Disclosures: You have a right to receive an accounting of disclosures of your health information made by us. Some disclosures, including without limitation, those made to you or with your written authorization, to provide Program services to you or to obtain payment for Program services, will not be included in the accounting. You may request an accounting through our Privacy Officer listed at the top of this Notice of Privacy Practices.

6. Right to a Paper or Electronic Copy of this Notice: You have a right to notice of our legal duties and privacy practices with respect to your health information, including a right to a paper copy of this Notice of Privacy Practices, even if you have previously requested its receipt by e-mail.

E. What Kind of Security Procedures are in Place to Protect Your Information?

TrestleTree wants your information, including Personal Information, to remain as secure as possible. Even though TrestleTree is not a covered entity under HIPAA, every effort will be made to safeguard protected health information. We have a security system at TrestleTree that combines leading technical safeguards and a code of conduct for those employees who are permitted to access our enrollees’ Personal Information. On the technical side, TrestleTree uses GeoTrust encryption technology in transmitting your Personal Information to our servers to help ensure the integrity and privacy of the Personal Information you provide to us. Encryption involves systematically scrambling numbers and letters, so that even if someone managed to intercept the information, they would not be able to make sense of it. Once we receive your Personal Information, we use every reasonable effort to ensure its security on our systems. We secure the Personal Information you provide on services located in controlled, secure environments, protected from unauthorized access, use or alteration. Only employees who need access to your Personal Information to perform a specific task or function are granted access to such information. In addition, all TrestleTree employees must abide by this Privacy Policy and our Privacy Policies and Procedures and are kept up-to-date on security practices. Any employee who violates TrestleTree’s Privacy Policies and Procedures is subject to disciplinary action, up to and including termination.

Although we will make every reasonable effort to protect your Personal Information from loss, misuse or alteration by third parties, you should be aware that there is always some risk involved in transmitting information over the Internet. TrestleTree takes precautions to avoid transmission of Personal Information over the Internet unless such transmissions involve encrypted sites. There is always some risk that thieves could find a way to thwart our security systems.

Cookies

TrestleTree’s website uses cookies as a login mechanism for our enrollees, to assist you in migrating between sites on our website and in using our interactive tools. These cookies are "Session Cookies" which expire at the end of each session on our website and are not stored on your computer. TrestleTree does not use these cookies for anything else.

F. How Will I Know About Privacy Policy Changes?

Subject to the terms of our Business Associate Agreements with HIPAA Clients, we reserve the right to make changes to our Privacy Policy at any time. If we make significant changes to this Privacy Policy, we will notify you by e-mail or other means and obtain your consent to any new uses of your Personal Information. We also may make non-significant changes to our Privacy Policy that generally will not affect our use of your Personal Information. Any changes to our privacy policy will apply retroactively to protected health information maintained prior to the date of the amendment. You should also check this posted Privacy Policy for any future changes. If you do not agree to the terms of this Privacy Policy or any revised policy, please notify us immediately.

G. How Do I File A Complaint About A Privacy Violation?

If you feel that your privacy rights have been violated, you may at any time lodge a written complaint addressed to the attention of the Privacy Officer listed at the top of this Notice of Privacy Practices.

You may also file a complaint with the U.S. Department of Health and Human Services Office for Civil Rights by sending a letter to 200 Independence Avenue, S.W., Washington, D.C. 20201, calling 1-877-696-6775 or visiting www.hhs.gov/ocr/privacy/hipaa/complaints/

In compliance with the US-EU Safe Harbor Principles, TrestleTree, LLC commits to resolve complaints about your privacy and our collection or use of your personal information. European Union citizens with inquiries or complaints regarding this privacy policy should first contact TrestleTree, LLC at: 3715 Business Drive, Suite 202, Fayetteville, AR 72703. TrestleTree, LLC has further committed to refer unresolved privacy complaints under the US-EU Safe Harbor Principles to an independent dispute resolution mechanism, the BBB EU SAFE HARBOR, operated by the Council of Better Business Bureaus. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed by TrestleTree, please visit the BBB EU SAFE HARBOR web site at www.bbb.org/us/safe-harbor-complaints for more information and to file a complaint.

We will not retaliate against you for filing a complaint.

H. What Should I Do If I Want to Discontinue Trestle Tree Services?

You may, at any time, choose to discontinue participation in any Program by contacting your Health Coach and requesting to be removed from the Active Enrollee list. TrestleTree will inactivate your file and will discontinue all ongoing health-related contact; however, we may contact you to request feedback on the effectiveness of our Programs. You are not required to give us feedback in the event of such a request. After you withdraw as an enrollee, we will continue to maintain the confidentiality of your Personal Information consistent with applicable legal requirements and our Business Associate Agreements.

I. Who Can Answer My Questions About This Privacy Policy?

If you have any questions or concerns about our Privacy Policy, please contact our Privacy Officer listed at the top of this Notice of Privacy Practices.

BY ENROLLING AS A PROGRAM PARTICIPANT AND/OR ACCESSING THE TRESTLETREE WEBSITE, I CONSENT TO THE COLLECTION, STORAGE AND USE OF PERSONAL INFORMATION (AS DEFINED IN THE PRIVACY POLICY ABOVE) BY TRESTLETREE IN ACCORDANCE WITH THE ABOVE PRIVACY POLICY.