Privacy Statement

Nonstop Administration and Insurance Services, Inc. PORTAL PRIVACY STATEMENT

Effective Date: June 3, 2024

This policy explains how Nonstop Administration and Insurance Services, Inc. (“Company,” “Nonstop”, “We,”, “Us” or “Our”) treats personal information we obtain from you (“You” or “Your”) as users of Company websites that provide services that You may receive as a licensed user (collectively Company “Portals”). These provisions are intended to supplement the protections described in our general Privacy Policy applicable to the Company Information site.

We use the Company Portal to make products and services available to You.

For the purposes of this Privacy Statement, the information We collect includes two important categories of information:

“Personal Information” means any information that can be used to identify an individual such as Your name, email, home address, phone number, social security number, driver’s license number, biometric data, or other forms of information that can be linked to You; and

“Protected Health Information” (or “PHI”) means any information that can be used to identify an individual and that was created, used, or disclosed in the course of providing a health care service such as diagnosis or treatment, EOBs, and invoices that include or disclose the health services that you received.

1) The Information We Obtain. We collect the information We need to provide You with the information, products, and services that You request and to update, promote, and distribute Our products and services to meet Your needs as they evolve. This includes both Personal information and, in most cases, Protected Health Information.

2) How Information is Obtained. We request information from You to authenticate and verify You are authorized to use and access the products, services, and other resources that We provide. The following are the sources from which We may receive Your Personal Information:

• a. directly from You when you inquire about our Services via the Company Portal
• b. when a benefit program sponsor creates an account for You with us
• c. from You when you submit a claim for reimbursement
• d. from Your device when you access our Portal and other online services
• e. from third parties that assist Us in providing relevant Services
• f. We may combine the Personal Information that You provide us through our Portal with other information we have received from You, Your employer plan, program sponsor, or other sources such as Our service providers.

3) Disclosure is Optional. You are not required to provide any information to Us at any time. However, if You do not provide Us with the information We request, We may be unable to provide You with the information or services You have asked for. In other cases, Your decision not to give Us information may preclude Your access to certain features and functions of Our Services. Children under the age of thirteen (13) should not use any of Our services unless they are doing so under the direction of their parent/guardian.

4) How We Use The Information Provided. Certain web-based services provided by Us via the Portal involve access to and processing of patient information. We use the information We obtain to:

• a. Provide You with products, services, and information resources provided via the Portal;
• b. Improve the development of new and updated products, services, and information resources;
• c. Enable the administration of, protection of, and management of the products, services, and information resources You request via the Portal;
• d. General operations required to provide Services to You or Your Employer or other features; and
• e. Perform other general operations of the Company. These operations may include standard data gathering functionality, such as cookies and other devices that collect certain standard information generated by Web browsers such as IP addresses, access times, and Your experience using one or more websites operated by or on behalf of Us.

5) Steps We Take to Protect Your Information. We will:

• a. Protect your account information with a password and two-factor authentication. In order to access Your account via the Portal or receive Services, You will need to use a User ID and password, along with Our enhanced two-factor authentication process for added security. The User ID is Your email address that was provided to Us by your employer. You will choose your own password.
  • i. As part of our two-factor authentication, You will be required to provide a mobile phone number. A six-digit code will be sent to this number, which You must enter to gain access to your account. Additionally, a backup code will be provided for use in the event you cannot access your mobile device. We recommend securely recording this backup code. If You do not have a mobile phone number, please contact us for alternative authentication methods.
  • ii. For your convenience, if you are using a trusted computer or browser, you have the option to select “Remember This Browser” to bypass two-factor authentication for 30 days. Please be aware that this feature should be used only on personal and secure devices.
  • iii. Your User ID, password, and two-factor authentication process are designed to protect You by confirming your identity to our computer network systems. Our employees cannot access Your password or personal authentication details.
  • You are responsible for maintaining the confidentiality and security of Your password, mobile phone number, and any backup codes provided. We encourage you to use strong, unique passwords and to keep your authentication information secure to ensure the safety and privacy of your account.
• b. Require that the password you enter is hard to guess to make it more difficult to unlawfully acquire.
• c. Never ask for Your login or password through email or phone.
• d. Secure each session after authenticating You. These sessions utilize Transport Layer Security (TLS, formerly known as SSL) technology to ensure that the information is encrypted while in transit. Your browser must be able to support this technology to use Our web services.
• e. Automatically log You out of Your Account if You are inactive after logging in for a certain amount of time.
• f. Monitor Your Account for any signs of suspicious or potentially fraudulent activity.
• g. Maintain up-to-date policies, standards, and processes designed to protect Your personal information and comply with applicable state and federal data security laws, regulations, and guidance.
• h. Train our workforce on Our policies, standards, and processes.
• i. Limit access to Your personal information to only those who need it to perform their duties.
• j. Retain Your personal information as needed for the business purposes listed in this Notice and as permitted by law.
• k. Require our subcontractors to maintain the same privacy and security standards for protecting Your information as We do.

6) Your Rights. You have the right to ask about the information that Nonstop has collected about you, requests modifications to that information, and to request restrictions on the use or disclosure of your PHI for treatment, payment, or health care options. You have the right to request electronic or paper copies of your PHI. Under certain circumstances, your request may be denied, with an explanation and detail provided in writing.

7) Disclosures of Information. We may disclose specific information We obtain to provide certain products, services, and information resources and develop, promote, and support Our products and services solely as Our agreements with Our customers, other authorized users, vendors, and technology partners, permit. To ensure the continuity of the Company Portal and the integrity and availability of the information required to provide it and Our products and services, the information provided to Us may be backed up or archived, including the storage of information at facilities operated by Our vendors. Finally, We may disclose information as We believe necessary to:

• a. comply with applicable law and regulations, which may include disclosures made in response to any subpoena, document request, or other legal request seeking the disclosure of information that appears to have been lawfully issued;
• b. perform under and enforce the terms and conditions under which Our products and services are provided;
• c. exercise Our legal rights in its products, services, and resources and to protect its assets;
• d. protect Our rights, reputation, and property, or that of Our users and affiliates, and
• e. provide to public health authorities who are legally authorized to receive such information for the purpose of preventing or controlling disease, injury, or disability.

The information We obtain in connection with the Portal is not sold, rented, or otherwise disclosed to any person or entity except as this policy states.

8) Third-Party Links. The Company Site may contain links to third-party sites to provide additional, value-added services. Except as set forth herein, We do not share Your personal information with those third parties and are not responsible for their privacy practices. We, therefore, have no responsibility or liability for the content and activities of these linked sites. We suggest You read the privacy policies on all such third-party websites.

9) Privacy Regulation & Security. Certain information provided to Us may be Protected Health Information as that term is defined in the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), American Recovery and Reinvestment Act (“ARRA”), Health Information Technology for Economic and Clinical Health Act (“HITECH”) and in regulations promulgated there under and it may also be subject to regulation under state law (“PHI”). We place a high priority on protecting Your personal information. We maintain administrative, technical, and physical safeguards designed to protect the information that You provide on the Portal and in connection with the products and services from unauthorized access to or acquisition of such information. Furthermore, we administer the Portal and associated products and services in a manner that complies with all applicable laws and regulations we are aware of and become known to us and will continue to do so. For example, We have Business Associates Agreements in place with Our customers, partners, and vendors that govern the disclosure and use of PHI that is required for Us to provide them with the products and services they have requested.

10) Cyber Attacks. Regardless of Our best efforts to protect Personal Information, particularly PHI, the confidentiality and security of any communication or material transmitted to or from any website (including the Portal) cannot be guaranteed 100% secure at any time. We also cannot guarantee that the Personal information You transmit over the Internet will not be unlawfully intercepted or accessed by third parties illegally. Any transmission of Your information is at Your own risk. Therefore, we strongly encourage all users to be careful and responsible about what You choose to provide online.

11) Personally identifiable and De-identified Information. Personally identifiable patient, physician, and Your information shall remain confidential and not be released. Further, should We place the De-Identified Use Data in its national database or incorporate such data in studies and analyses conducted directly or indirectly by Us, no such data shall be identified as originating from You, Your Employer, or physicians. The De-Identified Use Data shall also not be utilized in any study, report, or publication without being integrated with a significant body of other data such that neither You nor your employer can be identified, unless appropriate, advance and written consents to such identification are obtained. We use regulatory-compliant security measures to protect the information. You grant Us a non-exclusive, perpetual, irrevocable, royalty-free right and license to use de-identified patient and administrative data (“De-Identified Use Data” as defined under 45 C.F.R. § 165.514) collected or provided through Your use of the Company Site for any lawful business purpose, provided that such data is not personally identifiable. We shall have the right to de-identify such patient and administrative data and then utilize the De-Identified Use Data for any lawful purpose, including but not limited to creating statistical norms and reports de-identified score cards, regional or national benchmarking, or to be used for research considerations, provided however that the data shall not include member identities and claims information that is unprotected.

12) Access and Changes to Information; Deletion of Information. Customers and authorized users of Our products, services, and information resources have access to the information We store about them and may change that information at no charge, provided that doing so is consistent with their respective agreements with Us. Certain information services We provide may reflect patient information as it appears in the medical records of those patients maintained by the medical professionals they consult. We may retain the information We obtain for a period sufficient to provide the products and services that Our customers request, as necessary to comply with Our legal obligations, and as Our management deems appropriate.

13) California Residents. If You are a California resident, please see more information about our privacy practices and Your rights (to the extent We are legally required to comply with such current or future regulations) in our California Privacy Notice.

14) Compliance, Questions, and Concerns. We monitor Our compliance with this policy. Questions or concerns should be directed to compliance@nonstophealth.com. Complaints will be acknowledged, investigated, resolved between Us and the parties concerned when possible and reported to governmental authorities as the applicable law requires and as appropriate.

15) Changes to this Privacy Statement. We reserve the right to amend this Statement at our discretion and at any time as permitted or required under state and federal laws. Amended terms take effect upon being incorporated into this Statement and Your receipt of Notice upon entry into the Portal. Your continued use of the Portal and participation in your employer’s covered benefit program following Your receipt of Notice of any changes constitutes acceptance of any new terms. If the changes materially affect how We use Personal Information that We have already collected, We will notify You by sending You a notice to the email address associated with your account.