User Privacy and HIPAA Policy

Updated February 24, 2022

EVEXIA DIAGNOSTICS USER PRIVACY AND HIPAA POLICY

The purpose of this Privacy Policy is to describe how Evexia Diagnostics, Inc. (“EDI”) collects, uses and shares information about you through our websites located at www.evexiadiagnostics.com , www.evexiadirect.com, www.evexianutraceuticals.com, www.evexiapracticesolutions.com and any other online services that link to this Privacy Policy (collectively, this “Site”) and in email, text, and other electronic messages between you and this Site and written documents, phone calls and other offline activities between you and EDI.

For certain information provided to us through the Site, we have entered into the EDI Terms & Conditions of Use (“Terms”) with physicians or other health care practitioners (or their entities) that use EDI services (collectively, “practitioners”), and the Terms govern our use of that information. This Privacy Policy supplements the Terms of Use. If you are visiting this Site as a patient of your practitioner who is (directly or through a Covered Entity) subject to HIPAA (as each capitalized term is defined below), some of the terms of this Privacy Policy may not apply to you. Additionally, if you are a patient of a practitioner subject to HIPAA, this Privacy Policy may not govern our use of Protected Health Information (as defined below) provided to us through the Site. Our use of Protected Health Information is governed by applicable law and the Business Associate Terms for Practitioners (“BA Terms”) included in the Terms with your practitioner. Your practitioner’s collection, use, disclosure, and transfer of Protected Health Information is governed, in turn, by your practitioner’s own terms and conditions and notice of privacy practices. If you do not know whether your practitioner (directly or through a Covered Entity) is subject to HIPAA, you should check with your practitioner.

HIPAA” means Health Insurance Portability and Accountability Act of 1996, the Health Information Technology for Economic and Clinical Health Act and their implementing regulations as amended from time to time. “Protected Health Information” is individually identifiable health information that is protected by HIPAA and that we receive on behalf of practitioners subject to HIPAA. “Covered Entity” refers to a health care provider or other entity subject to HIPAA.

Please read this notice carefully to understand what we do. If you do not understand any aspects of our Privacy Policy, please feel free to contact us (our contact information is at the end of this document). This Privacy Policy is not a contract and does not create any contractual rights or obligations. Your use of this Site is governed by our Terms.

EDI May Change or Amend this Policy

We’re constantly trying to improve our services offered through the Site (the “Services”), so we may need to change this Privacy Policy from time to time as well, but we will alert you to changes by placing a notice on our Site and applications, by sending you an email, or by some other means. Note that if you’ve opted not to receive legal notice emails from us, those legal notices will still govern your use of the Services, and you are still responsible for reading and understanding them. If you use the Services after any changes to the Privacy Policy have been posted, that means you agree to all of the changes.

What Information does EDI Collect?

Information You Provide to Us:

We collect information you provide to us through the Site and offline, for example when you create or modify your account, register to use our Site, purchase products or services from us, request information from us, contact customer support, fill out any form on the Site, or otherwise communicate with us. If you are a patient, this information may include:
• Name
• Address
• Email address
• Telephone number
• Payment information (credit card or debit card number, expiration date and credit card security code – solely for payment purposes)
• Date of birth
• Username and password
• Any other information requested or provided through a contact form, email, text or other message with the Site.

If you are practitioner or other user, in addition to information we collect for a patient, this information may also include:
• Zip code
• Desired medical testing
• Title / Role
• Referring colleague
• Shipping address
• Associated company name
• Other professional information

Please note if you are a practitioner and sign up to use our Services, we will handle your patients’ lab work. We will use and disclose patients’ Protected Health Information in accordance with the BA Terms with your Covered Entity.

Information Collected Automatically:

Whenever you interact with our Services, we automatically receive and record information on our server logs from your browser or device, which may include your IP address, geolocation data, device identification, “cookie” information, the type of browser and/or device you’re using to access our Services, and the page or feature you requested. “Cookies” are identifiers we, or an included third-party service embedded within the Site, transfer to your browser or device that allow us or the third-party service to recognize your browser or device and tell us or the third-party service how and when pages and features in our Services are visited and by how many people. The third-party service providers may aggregate that information across their sites and other sites that have the same services installed. You may be able to change the preferences on your browser or device to prevent or limit your device’s acceptance of cookies, but this may prevent you from taking advantage of some of our features.

The information we collect automatically may include personal information, or we may maintain it or associate it with personal information we collect in other ways or receive from third parties. It helps us to improve the Site and to deliver a better and more personalized service, including by enabling us to:
• Estimate our audience size and usage patterns.
• Store information about your preferences, allowing us to customize our Site according to your individual interests.
• Speed up your searches.
• Recognize you when you return to our Site.

We may use this data to customize content for you that we think you might like, based on your usage patterns. We may also use it to improve the Services – for example, this data can tell us how often users use a particular feature of the Services, and we can use that knowledge to make the Services more helpful to as many users as possible.

If you click on a link to a third-party website or service, a third party may also transmit cookies to you. Again, this Privacy Policy does not cover the use of cookies by any third parties, and we aren’t responsible for their privacy policies and practices. Be aware that cookies or other third-party tracking technologies may be placed by third parties and may continue to track your activities online even after you have left our Services, and those third parties may not honor “Do Not Track” requests you have set using your browser or device. We do not control these third parties’ tracking technologies or how they may be used by the third parties. If you have any questions about an advertisement or other targeted content, you should contact the responsible party directly.

No Information from Individuals Under the Age of 18

If you are under the age of 18, please do not attempt to register with us at this Site or provide any personal information about yourself to us. If we learn that we have collected personal information from someone under 18, we will promptly delete that information. If you believe we have collected personal information from someone under the age of 18, please email us at info@evexiadiagnostics.com.

How EDI Share or Use the Personal Information it Receives

To Provide Products, Services, and Information.

We collect information from you and use the information to:
• present our Services, Site and its contents to you;
• provide you with information, products, or services that you request from us;
• fulfill any other purpose for which you provide it;
• communicate with lab companies to order and track lab-work either ordered to you or your patients;
• register and service your online account;
• provide information that you request from us;
• contact you about your lab statuses and lab orders;
• process credit card and debit card transactions;
• get products shipped to you from lab companies;
• send you promotional materials or advertisements about our products and services, as well as new features and offerings;
• enforce our Terms or other legal rights and remedies;
• provide interest-based targeted advertising to you;
• notify you about changes to our Site or any products or Services we offer or provide though it; and
• any other purposes disclosed to you at the time we collect your information or pursuant to your consent.

Sharing between Patients, Healthcare Practitioners. We share patients’ personal information with the ordering healthcare provider and their relevant medical staff in connection with getting ordered and lab results in.

Vendors and Service Providers. We may provide information to third-party vendors and service providers that help us operate and manage our Site, process orders, and fulfill and deliver products and Services that you purchase through us. These vendors and service providers will have access to your personal information in order to provide these services, but when this occurs we implement reasonable contractual and technical protections to limit their use of that information to helping us provide the service.

Your Consent. In addition to the sharing described elsewhere in this Privacy Policy, we will share personal information with companies, organizations or individuals outside of EDI when we have your consent to do so.

Legal Proceedings. We will share personal information with third party companies, organizations or individuals outside of EDI if we have a good-faith belief that access, use, preservation or disclosure of the information is reasonably necessary to:
• meet any applicable law, regulation, subpoena, legal process or enforceable governmental request;
• enforce applicable Terms, including investigation of potential violations;
• detect, prevent, or otherwise address fraud, security or technical issues; or
• protect against harm to the rights, property or safety of EDI, our users, customers or the public as required or permitted by law.

Transfer in the Event of Sale or Change of Control. If the ownership of all or substantially all of our business changes or we otherwise transfer assets relating to our business or the Site to a third party, such as by merger, acquisition, bankruptcy proceeding or otherwise, we may transfer or sell your personal information to the new owner. In such a case, unless permitted otherwise by applicable law, your information would remain subject to the promises made in the applicable privacy policy.

Patient Access to Information

You can access and update certain information we have relating to your online account by signing into your account and going to the Account section of our Site. If you have questions about personal information we have about you or need to update your information, you can contact us at info@evexiadiagnostics.com or by phone at (888) 852-2723.

Other Sites

This Privacy Policy does not apply to information collected by EDI through other means, including other websites operated by EDI, or any third-party (including third-party websites that the Site may link to).

Your California Privacy Rights

California residents are entitled to the following privacy rights listed below.

The right to know. You have the right to request that we disclose what personal information we collect, use, disclose, and sell. Specifically, you have the right to know:
• The categories of personal information we have collected about you in the last 12 months;
• The specific pieces of personal information we have about you;
• The categories of sources from which your personal information was collected;
• The categories of your personal information that we sold or disclosed for a business purpose in the last 12 months, if any;
• The categories of third parties to whom your personal information was sold or disclosed for a business purpose in the last 12 months, if any; and
• The purpose for collecting, sharing, and selling your personal information.

Within the preceding 12 months, EDI collected the categories of personal information detailed in the “Information You Provide to Us” and the “Information Collected Automatically” sections above. The sources from and purposes for which EDI collects personal information are also described in the same sections and in the section “How does EDI Share or Use the Personal Information it Receives?” EDI has not sold or disclosed your personal information to a third party for a business purpose in the past 12 months and, except as set forth in the sections above, EDI does not further disclose your personal information for business purposes to third parties who are not service providers, nor does EDI sell your personal information.

The right to deletion. You have the right to request that we delete the personal information that we have collected or maintain about you. Under certain circumstances, we have the right to deny your request, such as if needed to comply with our legal obligations. If we deny your request for deletion, we will inform you of the reason.

The right to opt out of sale. You have the right to request that we do not sell your personal information. EDI does not sell your personal information.

The right to equal service. EDI will not discriminate against you in any way if you exercise any of your California privacy rights. Please be aware that exercising your rights may result in you being unable to use or access certain features of our Site.

To exercise your right to know and right to deletion, contact us using the email address provided in the “Questions and How to Contact Us” section below. You may exercise your right to know and your right to deletion twice a year free of charge. You may also contact us with questions or concerns concerning our privacy policies and practices using the information in the “Questions and How to Contact Us” section.

We will take steps to verify your identity before processing your request to know or request for deletion. We will not fulfill your request unless you have provided sufficient information for us to reasonably verify you are the individual about whom we collected personal information. We may request limited personal information from you in order to verify your identity, such as your name, email address, and physical address. We will only use the personal information provided in the verification process to verify your identity or authority to make a request and to track and document request responses, unless you initially provided the information for another purpose.

You may use an authorized agent to submit a request to know or a request to delete. When we verify your agent’s request, we may require the agent to provide proof that you gave the agent signed permission to submit the request. We may also ask you to verify your identity or to directly confirm with us that you provided the agent permission to submit the request.

California Civil Code Section 1798.83 (also known as the “Shine the Light” law) permits individual California residents to request certain information regarding our disclosure of certain categories of personal information to third parties for those third parties’ direct marketing purposes. To make such a request, please contact us using the information in the “Questions and How to Contact Us” section below. This request may be made no more than once per calendar year, and we reserve our right not to respond to requests submitted other than to the email or mailing addresses specified below. Note that we do not currently share personal information with third parties for those third parties’ direct marketing purposes.

Consent to Processing of Personal Data in the U.S.

This Site are intended for use only in the United States. If you use this Site or contact us from outside of the United States, please be advised that (i) any information you provide to us or that we automatically collect will be transferred to the United States; and (ii) by using this Site or submitting information, you explicitly authorize its transfer to and subsequent processing in the United States in accordance with this Privacy Policy.

HIPAA SPECIFIC PROVISIONS

A. Obligations and Activities of EDI
EDI will:
1.Not use or disclose PHI other than as permitted or required by the Agreement or as Required by Law;
2.Use appropriate safeguards to prevent use or disclosure of the PHI other than as provided for by this Agreement;
3.Report to Client any use or disclosure of the PHI not provided for by this Agreement of which it becomes aware;
4.Ensure that any agent, including a subcontractor, to whom it provides PHI received from, or created or received by EDI on behalf of Client agrees to the same restrictions and conditions that apply through this Agreement to EDI with respect to such information;
5.Provide access, at the request of Client, in a timely manner, to PHI in a Designated Record Set, to Client or, as directed by Client, to an Individual in order to meet the requirements under 45 CFR § 164.524;
6.Make internal practices, including policies and procedures, relating to the use and disclosure of PHI received from, or created or received by, EDI on behalf of Client available to the Client within five (5) business days by fax or mail for purposes of the U.S. Department of Health & Human Services Secretary determining Client’s compliance with the Privacy Regulations;To document such disclosures of PHI and information related to such disclosures as would be required for Client to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 CFR § 164.528.

B. Permitted Uses and Disclosures by EDI General Use and Disclosure Provisions
Furthermore, EDI:
1.May Use or disclose PHI as required by law;
2.May not use or disclose PHI in a manner that would violate Subpart E of 45 CFR Part 164 if done by Client, except with regards to the data aggregation, management, administration and legal responsibilities of EDI;
3.May use PHI for EDI’s proper management and administration or to carry out the legal responsibilities of EDI;
4.May use PHI with any laboratories and internal licensed physicians contracted by EDI;
5.EDI may use PHI to report violations of law to appropriate Federal and State authorities, consistent with § 164.502(j)(1).

C. Provisions for Client to Inform EDI of Privacy Practices and Restrictions
1.Client shall notify EDI of any limitation(s) in its notice of privacy practices of Client in accordance with 45 CFR § 164.520, to the extent that such limitation may affect EDI’s use or disclosure of PHI;
2.Client shall notify EDI of any changes in, or revocation of, permission by Individual to use or disclose PHI, to the extent that such changes may affect EDI’s use or disclosure of PHI;
3.Client shall notify EDI of any restriction to the use or disclosure of PHI that Client has agreed to in accordance with 45 CFR § 164.522, to the extent that such restriction may affect EDI’s use or disclosure of PHI.

D. Obligations of EDI Upon Termination
Upon the termination of the business relationship between Client and EDI, EDI will:
1.Retain only that PHI which is necessary for EDI to continue its proper management and administration or to carry out its legal responsibilities;
2.Destroy the remaining PHI that EDI still maintains in any form;
3.Continue to use appropriate safeguards and comply with Subpart C of 45 CFR Part 164 with respect to electronic PHI to prevent use or disclosure of the PHI, other than is provided for in this Section, for as long as EDI retains the PHI;
4.Not use or disclose the PHI retained by EDI other than for the purposes for which such PHI was retained and subject to the same conditions set out at above which applied prior to termination.
5.Destroy the PHI retained by EDI when it is no longer needed by EDI for its proper management and administration or to carry out its legal responsibilities.

E. Miscellaneous
1.Regulatory References. A reference to a section in the Privacy Regulations means the section as in effect or as amended.
2.Amendment. The Parties agree to take such action as is necessary to amend these provisions from time to time as is necessary for to comply with the requirements of the Privacy Regulations and the Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191 with respect to its dealings with EDI.
3.Interpretation. Any ambiguity in these provisions shall be resolved to permit Client to comply with the Privacy Regulations with respect to its dealings with EDI.

Questions and How To Contact Us

If you have any questions, concerns, complaints or suggestions regarding our Privacy Policy or otherwise need to contact us, please email us at info@evexiadiagnostics.com or contact us by US postal mail at P.O. Box 1272 Washington, CT 06793.