TEFCA Privacy and Security Notice

1Purpose and Scope

This Areti Health Privacy and Security Notice (“Notice”) describes how Areti Health Inc. (“Areti”, “we,” “us” or “our”) may:

• Access, exchange, use, disclose, and store your individually identifiable information as an Individual Access Service Provider in connection with our Trusted Exchange Framework and Common Agreement (“TEFCA”) connection; and
• Your rights with respect to such individually identifiable information.

Individually identifiable information (III) is information that identifies you or for which there is a reasonable basis to believe that it could identify you. Information that is de-identified is not individually identifiable information. This Notice is in addition to the Areti Privacy Policy applicable to your use of our Platform. To the extent this Notice conflicts with our general Areti Privacy Policy, this Notice controls with respect to the individually identifiable information we collect about you through our TEFCA connection.

This Notice is intended to fulfill the requirements of the U.S. Department of Health and Human Services (HHS), Assistant Secretary for Technology Policy (ASTP) / Office of the National Coordinator for Health IT (ONC) and the Recognized Coordinating Entity (RCE) with respect to our participation in TEFCA as an Individual Access Service Provider (IAS Provider). Please know that this Notice is limited to our TEFCA participation as an IAS Provider. Other terms and policies may apply to how your individually identifiable information is collected and processed by us on behalf of your health care provider, health plan, or other third party to support treatment planning and delivery.

2Who We Are and What is TEFCA

About Areti

Areti Health, through the AI Coordinator platform, provides technology-driven solutions to enhance clinical treatment planning, trial recruitment, and patient engagement. Areti Health provides TEFCA Individual Access Services (IAS) so patients can securely retrieve comprehensive medical records across providers, which enables Areti’s AI platform to scan clinical histories for clinical research eligibility validation, treatment plan optimization, and contraindication detection for the patient.

Areti Health offers a suite of innovative products designed to improve clinical treatment planning, trial recruitment, and patient engagement by integrating artificial intelligence (AI) with clinical practices in a HIPAA compliant manner. Their platform provides a comprehensive set of tools aimed at enhancing the delivery of patient engagement services through technology.

• Patient engagement and patient-facing chat
• Medical history and eligibility questionnaire
• Appointment scheduling
• Engagement and conversion reporting

We operate within cloud-based infrastructure hosted by AWS and implement layered defenses across systems and services.

What is TEFCA?

TEFCA is a contractual framework for supporting nationwide health information exchange between and among QHINs and their participants and subparticipants. A QHIN is a technology company that has been approved by a government-established process to provide the technical backbone to support electronic health information exchange. Participants and subparticipants in TEFCA include health care providers, health plans, public health authorities and governmental agencies, individual access service providers and the individuals and entities who support them. You can learn more about the types of individuals and entities that participate in TEFCA by reading this Standard Operating Procedure (SOP): Types of Entities That Can Be a Participant or Subparticipant in TEFCA.

TEFCA permits QHINs, participants, and subparticipants to participate in different use cases that are called exchange purposes. One of those exchange purposes includes providing individuals with access to their health information, called Individual Access Services (“IAS”). Organizations that have a direct contractual relationship with individuals to support their right of access are called Individual Access Services Providers (“IAS Providers”). Areti is an IAS Provider with respect to certain IAS services it offers through its TEFCA connection.

If you are interested in learning more about TEFCA, please read this Fact Sheet about how individuals can access their health information via TEFCA: https://rce.sequoiaproject.org/rce-tefca-for-individuals/.

3Privacy Commitments

Areti adheres to applicable federal and state privacy laws and TEFCA privacy and security requirements when we process your individually identifiable information through our TEFCA connection. Specifically, we commit to the following:

• IAS Consent: Before we engage in patient-directed data sharing through our TEFCA connection, we will share this notice and ask you for your express, written and informed consent first. We call this consent our Individual Access Services Consent (“IAS Consent”). We may collect this IAS Consent electronically or in paper form. You can revoke your IAS Consent at any time as explained later in this Notice, see Section 10. If you revoke your IAS Consent you will not be able to access our IAS services through our TEFCA connection after that, unless you sign a new IAS Consent.
• Confidentiality: We use commercially reasonable efforts to protect III from unauthorized or illegal access, modification, use, or destruction. These obligations under the Privacy and Security Notice will continue for as long as Areti maintains the III.
• Data Minimization: We only collect and use the minimum necessary amount of individually identifiable information as necessary to fulfill the permitted uses described in this Notice.
• Exchange Purpose Limitation: When individually identifiable information is accessed, used, or disclosed through TEFCA it is only done for permitted TEFCA exchange purposes.
• Individual Rights: Individuals can access, request correction, or request deletion of their individually identifiable information as explained in this Notice (see section below on Individual Rights and Contact Information and our Areti Privacy Policy).
• Transparency: Our practices and responsibilities are communicated through policies, agreements, and user notifications.
• Health Insurance Portability and Accountability Act (HIPAA Rules): Areti is subject to the HIPAA Rules as a matter of law.

Our full Areti Privacy Policy can be found here: https://www.aretihealth.com/privacy-policy/

4Security Measures

Areti implements security safeguards aligned with industry standards and SOC 2 controls to protect individually identifiable information, including:

• Access Controls: Role-based access, least privilege, and multi-factor authentication (MFA) are required for all systems with individually identifiable information.
• Encryption: All individually identifiable information is encrypted in transit and at rest using industry standard encryption measures. We do this regardless of whether we obtained the individually identifiable information through our TEFCA connection.
• Security Testing: Annual third-party penetration testing is conducted.
• System Monitoring: We continuously monitor for anomalies via infrastructure monitoring tools and intrusion detection systems (IDS).
• Incident Response: We maintain a formal incident response plan, including 24/7 on-call escalation procedures and post-incident review processes.
• Business Continuity: Disaster recovery plans are documented and tested annually.

5Compliance Framework

Areti’s internal security, privacy and compliance program is structured to meet or exceed the following standards:

• AICPA Trust Services Criteria (SOC 2 — Security, Availability, Privacy)
• Health Insurance Portability and Accountability Act (HIPAA Rules) of 1996
• TEFCA security and privacy principles as defined in the Participant/Subparticipant Terms of Participation (ToPs) and the Standard Operation Procedure (SOP): Individual Access Service (IAS) Provider Requirements.

All employees undergo background checks, complete annual privacy and security awareness training, and sign confidentiality agreements.

6Our Use and Disclosure of Your Individually Identifiable Information as an IAS Provider

Permitted Uses and Disclosures on TEFCA

To provide you with Individual Access Services on TEFCA, Areti uses and discloses your individually identifiable information to QHINs, their participants and subparticipants, and other individuals and entities only when allowed under TEFCA, applicable law, applicable HHS guidance and by you. This means that if you consent to it, we may use and disclose your individually identifiable information to other individuals and entities that participate in TEFCA or that may request it for the following exchange purposes:

• Treatment
• Health Care Operations, including without limitation care coordination / case management, HEDIS reporting, and quality measure reporting
• Public Health, including electronic case reporting and lab reporting
• Individual Access Services (IAS)
• Any other exchange purposes approved by ASTP/ONC and RCE as permitted or required by the Participant/Subparticipant Terms of Participation (ToPs).

As an IAS Provider, Areti’s primary exchange purpose is Individual Access Services or IAS. That means with your consent, we may request your individually identifiable information for you to access, inspect, obtain or transmit a copy of your information.

You can learn more about the TEFCA exchange purposes by reading this Standard Operating Procedure (SOP): Exchange Purposes (XPs). Please know that the government may decide to change these SOP documents at any time and that we will follow the most current version of these documents.

We will never sell your individually identifiable information or disclose such information to third parties for such third parties’ marketing purposes without your explicit consent. We will only disclose your individually identifiable information as follows:

• Identity Verification: Certain of our Services require that we confirm your identity prior to the provision of such Services. In order to do so, we utilize a third-party identity verification provider that collects a copy of your driver’s license or other official government ID and images of your face. We do not collect or store this information which you disclose to the identity verification provider. For information on how such third-party may use and disclose your personal and/or biometric information, please see their privacy notice at: https://www.clearme.com/privacy-policy.
• Third Party Service Providers: To deliver the Services, we use a variety of third-party service suppliers of technology, internet service hosting, payment processing, technical integration, marketing, analytics, customer service, and support. We share the minimum necessary individually identifiable information with these third parties for them to provide their services to us. These companies are acting on our behalf and are required, by contract with us, to keep our information confidential and maintain appropriate security safeguards to protect such information, and are only authorized to use and disclose it for specified purposes, which are consistent with this Privacy and Security Notice.
• Treating Physicians / Clinicians / Researchers / Third-Parties as Directed by You: We share individually identifiable information with those treating physicians for whom we are acting as a business associate or as otherwise directed or consented by you, such as pursuant to the “right of access” under HIPAA, or any other purpose that you have authorized, such as to a third party that you have authorized to hold and/or use your information.
• Law Enforcement, Regulatory Authorities, and Civil Proceedings: We resist disclosing individually identifiable information to law enforcement or regulatory authorities unless we determine we must do so under law to comply with a valid court order, subpoena, or search warrant. We closely scrutinize all law enforcement and regulatory requests. If we determine that we must comply with a valid law enforcement or regulatory request, we first determine if we can comply after receiving the explicit authorization to make the disclosure. Otherwise, to the extent feasible, we attempt to comply by limiting disclosure to de-identified information, or by redacting information so that only the minimum necessary individually identifiable information is disclosed. We also attempt to receive adequate assurances from the requesting law enforcement or government agency that it will protect the confidentiality of the individually identifiable information, and will not disclose it in violation of applicable federal or state confidentiality laws. While we cannot offer assurance that these efforts will be successful, we will maintain a detailed record of all disclosures we make in response to law enforcement and regulatory requests. If Areti is a party to a legal proceeding with an account holder or research participant, we may disclose individually identifiable information to the court or arbitrator for purposes of resolving a civil dispute. If Areti is not a party to a legal proceeding, we may be required by law to disclose this individually identifiable information pursuant to a valid subpoena, discovery request, or other lawful process. Even if additional protections are not required by applicable laws, we use our reasonable best efforts to obtain your authorization or seek a qualified protective order to protect individually identifiable information or data before disclosing it in a civil proceeding. We also use reasonable best efforts to limit disclosures of individually identifiable information or data to the minimum necessary to accomplish their intended purpose. We may use or disclose individually identifiable information related to reproductive health care services (as defined in Executive Order 14076) or gender affirming care in accordance with applicable law where we are required to do so in response to a civil or criminal subpoena, court order, search warrant, or other demand for compulsory disclosure, including across state lines, even if a service is paid for entirely out-of-pocket by an individual. If we receive a civil or criminal subpoena, court order, search warrant or other demand for compulsory disclosure of individually identifiable information, we may be required under applicable laws and frameworks such as the Trusted Exchange Framework and Common Agreement (“TEFCA”) to provide written or electronic notice to the individual(s) whose information is implicated. Where we are required to provide such notice and providing notice is not otherwise prohibited, we will strive to provide it within three business days of receiving the demand for individually identifiable information and provide the affected individual(s) an opportunity to object to the production of the individually identifiable information or seek a protective order or other appropriate remedy consistent with applicable law. If we disclose individually identifiable information to a law enforcement agency, we may be required under applicable laws and frameworks such as TEFCA to provide written or electronic notice to the individual(s) whose information is implicated. Where we are required to provide such notice and providing notice is not otherwise prohibited, we will strive to provide it within three business days of disclosing the individually identifiable information to the law enforcement agency.
• Additional Third Parties: We may disclose III to other third parties you have explicitly authorized; and
• For the other purposes covered in our Areti Privacy Policy to the extent they do not conflict with the express use and disclosure restrictions in this Notice.

No Marketing or Profiling

We do not intend to use or disclose the individually identifiable information we obtain through our TEFCA connection for advertising, profiling, or any other unauthorized purposes. We will ask for your consent before using your individually identifiable information for such purposes.

No Sale

We do not intend to sell the individually identifiable information we obtain through our TEFCA connection to third parties. We will ask for your consent before engaging in the sale of your individually identifiable information.

De-Identified Data

We may deidentify and/or aggregate individually identifiable information, including protected health information, in accordance with the HIPAA de-identification standards at 45 CFR 164.514(b), in connection with our services or for our internal business purposes, such as creating application usage data. Application usage data reflects general patterns and trends about how users interact with our Platform (for example, feature utilization, navigation flows, and performance metrics) but does not identify any individual user. We use usage data to analyze, maintain, and improve the functionality, performance, and user experience of our Platform and related services, as well as to promote our business.

We may also create, use and disclose de-identified data if: (1) required to do so by applicable law; or (2) as may be permitted by applicable law, if you consent to it and in accordance with our Privacy Policy.

No Use Against You

Areti will never use your information to make claims against you, except (if applicable) to collect fees or costs for services you requested.

7Fees and Costs

Areti supports an individual’s right to access their health information and to exercise their individual rights at no cost to the individual. However, if we were to charge an individual fees or costs for our IAS services, those fees or costs will be listed on our website (www.aretihealth.com). We also reserve the right to charge fees and costs to businesses for services provided to them or on their behalf or for other work we may do for them around education, identity verification, consent management and data delivery.

8Vendors, Subcontractors, Third-Party Service Providers and Subservice Organizations

We use trusted vendors such as Amazon Web Services (AWS) for infrastructure and hosting. These vendors have undergone industry standard security certification. Vendor risk assessments and subprocessor reviews are conducted annually. We may also contract with other types of vendors, subcontractors, third-party service provider and subservice organizations to assist us in providing the services and supporting the proper management and administration of our business and legal responsibilities. Our contracts with them require them to protect the confidentiality of individually identifiable information.

9Data Retention and Disposal

We retain the individually identifiable information obtained through our TEFCA connection for the minimum duration necessary (not to exceed 24 months unless explicitly requested to do so by you or required by law) to fulfill the permitted purposes for which we are processing it. After this period of time, your individually identifiable information is securely deleted in accordance with industry standards and our Data Retention Policy. But please know that this deletion requirement does not apply to any individually identifiable information that may be contained in our audit logs or for which it is technically infeasible for us to completely delete.

10Individual Rights and Contact Information

You have the right to:

• Register for Areti’s individual access services at any time through our services or through our authorization site.
• Access your individually identifiable information anytime through our services or by writing to us as described below.
• Download your individually identifiable information in a machine-readable format. For example, we will send you an electronic copy (PDF) of your records when you use our services that you can download or save.
• Request corrections to your individually identifiable information by writing to us at the address(es) listed below.
• Request deletion of your individually identifiable information (except audit logs), unless prohibited by law. You can delete your full clinical record by going to the data subject access request page, and choosing to Delete your data.
• Revoke your IAS Consent at any time via the data subject access request page. This is simple, electronic, and immediate. Revoking the IAS Consent you gave to us stops us from continuing to request or disclose your individually identifiable information through our TEFCA connection, but does not undo our prior authorized requests or disclosures. It also does not stop any uses or disclosures that are either required by law or that are otherwise permitted by applicable law.
• Get notified if your data is involved in an IAS Incident. An “IAS Incident” is one of the following: (a) an unauthorized acquisition, access, disclosure, or use of unencrypted individually identifiable information that does not qualify for an exception; and (b) other security events that are set forth in the Standard Operating Procedure (SOP): TEFCA Security Incident Reporting. In the event an IAS Incident occurs, the notification will include:
  • A brief description of what happened, including dates if known
  • A description of the types of III involved
  • A description of what steps you should take to protect yourself
  • What we are doing to investigate and mitigate the incident
  • Contact procedures for obtaining additional information about the incident, which will include phone number, email address, and website.

Submit requests to access, correct, or delete your individually identifiable information, to file a privacy or security complaint with us, or learn about IAS incidents by contacting us at:

Please know that we process your requests within a reasonable period of time. There may be instances where we need more information from you to process your request in accordance with applicable law and that some laws might prohibit us from honoring a request to delete individually identifiable information.

We document and track all privacy-related concerns according to our incident response process.

11Legal Proceedings and Law Enforcement Requests

If we receive a civil or criminal subpoena, court order, search warrant, or other demand for compulsory disclosure or law enforcement request for your individually identifiable information that we obtained in connection with our TEFCA connection, we will notify you within three (3) business days, unless we are prohibited by law from doing so (e.g., Patriot Act). Written or electronic notice will also be provided to affected Individual(s) (unless prohibited by Applicable Law) within three (3) business days of us making Individually Identifiable Information available to law enforcement agencies, including through sale of Individually Identifiable data.

Unless required by law to do so, we will use our best efforts to not share your individually identifiable information related to reproductive health care services or gender affirming care in response to subpoenas, court orders, or law enforcement requests. However, please know that there may be circumstances in which we are required by law to share this information pursuant to such a legal process.

To the extent permitted by applicable law, you’ll have a chance to object or seek a protective order.

12Changes to This Notice

If we make material changes, we will update this Notice and let you know.

All changes to this Notice will also be posted to our website at https://www.aretihealth.com/privacy-policy/.

This Notice remains in effect as long as we hold your individually identifiable information that we processed through our TEFCA connection.