Exhibit B: Customer Data Privacy
Details pie’s obligations and practices for handling and protecting customer data.
This provides notice of the privacy practices and policies of pie Health, LLC. These protections have been adopted to ensure that the information that we obtain and maintain for our current, past, and potential clients and customers for which we are providing services (“Protected Parties”) is protected in accordance with relevant state and federal rules. Protected Health Information (PHI) of those Protected Parties (under the privacy regulations mandated by the Health Insurance Portability and Accountability Act and further expanded by the Health Information Technology for Economic and Clinical Health Act provisions in Title XIII of the American Recovery and Reinvestment Act (“HITECH”), the HIPAA Omnibus ruling of 2013, and the regulations related to these laws and mandates), and the protection of personally-identifiable information under 45 CFR § 155.260 (collectively referred to herein as “Privacy Rules”).
THIS NOTICE DESCRIBES HOW PHI ABOUT A PROTECTED PARTY MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION.
PLEASE REVIEW IT CAREFULLY.
THE PROTECTION OF THE PRIVACY AND SECURITY OF THE INFORMATION WE MAINTAIN IS IMPORTANT TO US
1. Statement of Our Duties. We are required by law to maintain the privacy of protected health information (“PHI”) and personally identifiable information (“PII”) (collectively referred to herein as “Protected Information”) of the Protected Parties and to provide our clients with this notice of our privacy practices and legal duties. We are required to abide by the terms of this notice. We reserve the right to change the terms of this notice and to adopt any new provisions regarding the Protected Information that we maintain about the Protected Parties. If we revise this notice, we will provide each client or customer with whom there is a current and direct business relationship with a revised notice by mail, electronic mail, or any other electronic means, telefacsimile or fax, or hand-delivery.
2. Statement of the Client’s Rights under Privacy Rules. As our client or customer, you have a right to know how we may use or disclose the Protected Information we maintain on those Protected Parties with whom there is a direct relationship. Our obligations to not disclose the Protected Information we maintain about those individuals may arise due to our contractual obligations as a Business Associate of both the client or customer, as well as to any other third party who is a Covered Entity under the Privacy Rules.
Primary Uses and Disclosures of Protected Information. We use and disclose Protected Information about Protected Parties for payment and healthcare operations. The Privacy Rule does not generally “preempt” (or take precedence over) state privacy or other applicable laws that provide individuals greater privacy protections. As a result, to the extent state law applies, the privacy laws of a particular state, or other federal laws, rather than the Privacy Rules, might impose a privacy standard under which we will be required to operate. For example, where such laws have been enacted, we will follow more stringent state privacy laws that relate to uses and disclosures of the Protected Information concerning HIV or AIDS, mental health, substance abuse/chemical dependency, genetic testing, or reproductive rights.
In addition to these legal requirements, we also may use or disclose Protected Information in the following situations:
Payment: We might use and disclose your Protected Information for all activities that are included within the definition of “payment” within the Privacy Rules. For example, we might use and disclose a Protected Party’s Protected Information to assist with the payment of claims for services provided to that Protected Party by doctors, hospitals, pharmacies, and others for services.
Health Care Operations: We might use and disclose a Protected Party’s Protected Information for all activities that are included within the definition of “health care operations” within the Privacy Rules. For example, we might use and disclose the Protected Information of a Protected Party to an insurer to determine the premiums for your health plan, to conduct quality assessment and improvement activities, to engage in care coordination or case management, and to manage our business.
Business Associate Subcontractors: In connection with our payment and healthcare operations activities, we contract with individuals and entities (called “subcontractors”) to perform various functions on our behalf or to provide certain types of services. To perform these functions or to provide the services, our subcontractors will receive, have access to, create, maintain, use, or disclose Protected Information, but only after we require the subcontractor to agree in writing to contract terms designed to appropriately safeguard your information.
Other Covered Entities: In addition, we might use or disclose your Protected Information to assist healthcare providers in connection with their treatment or payment activities, or to assist other covered entities in connection with certain of their healthcare operations. For example, we might disclose a Protected Party’s Protected Information to a healthcare provider when needed by the provider to render treatment to that party, and we might disclose Protected Information to another covered entity or subcontractor to conduct healthcare operations related to billing, claims payment, or enrollment.
For all other uses and disclosures, we first must obtain your permission.
In addition, the Protected Parties have the following rights:
The right to request that we place additional restrictions on our uses and disclosures of the Protected Information of Protected Parties. However, we are not obligated to agree to impose any such additional restrictions.
The right to access, inspect, and copy the Protected Information pertaining to Protected Parties that we maintain in our files, and the right to have us correct or amend any information that we create in error. Requests to access or amend your health information should be sent to the contact person and address provided below.
The right to receive an accounting of the disclosures of the Protected Information we maintain on Protected Parties that we make for purposes other than activities related to payment functions or other health care operations.
The right to request that communications containing a Protected Party’s Protected Information are sent in a confidential manner.
If you received this notice electronically, you also have the right to obtain a paper copy of this notice from us on request.
3. Information We Collect. We collect information directly from Protected Parties, in conversations, or other forms that a Protected Party provides.
4. Permissible Uses and Disclosures of Protected Information. We disclose the information we receive only in accordance with the terms and conditions of the various Business Associate contracts we have entered into with Covered Entities under Privacy Rules and as permitted under state and federal laws. Those include:
Situations Permitted or Required by Law. We also may use or disclose Protected Information without written permission for other purposes permitted or required by law, including, but not limited to the following:
a) As authorized by and to the extent necessary to comply with workers’ compensation or other no-fault laws;
b) To an oversight or regulatory agency for activities including audits or civil, criminal or administrative actions;
c) To a public health authority for purposes of public health activities (such as to the Federal Food and Drug Administration to report consumer product defects);
d) To a law enforcement official for law enforcement purposes or in response to a court order or in the course of any judicial or administrative proceeding;
e) To organ procurement organizations or other entities for approved research; or
f) To a governmental authority, including a social service or protective services agency, authorized to receive reports of abuse, neglect or domestic violence.
For Any Purposes to Which You Have Not Objected. In certain limited circumstances, we may use or disclose Protected Information after we have given Protected Parties an opportunity to object and they have not objected. For example, if a Protected Party does not object, we may use limited information to maintain an office directory, to notify family members or any other person identified by you regarding issues directly related to such person’s involvement with your care or payment for that care, or in emergency circumstances.
For Purposes for Which We Have Obtained your Written Permission. All other uses or disclosures of your Protected Information will be made only with written permission, and it may be revoked at any time.
5. Complaints About Misuse of Health Information. Protected Parties may complain either directly to us or to the Secretary of Health and Human Services if they believe that rights with respect to our protection of health information have been violated. To file a complaint with us, send a written statement outlining your complaint, the facts, and the circumstances surrounding your complaint, including the names, dates, and as many details as possible. Protected Parties will not be retaliated against in any way for filing a complaint.
6. Our Practices Regarding Confidentiality and Security. We restrict access to Protected Information to those employees and our subcontractors who need to know that information in order to provide products and services to you. We maintain physical, electronic, and procedural safeguards that comply with state and federal regulations to guard your Protected Information.
7. Our Duties. We are required by law to maintain the privacy of Protected Information and to provide individuals with notice of legal duties and privacy practices with respect to Protected Information. If unsecured Protected Information is acquired, used or disclosed in a manner that is not permitted under the Privacy Rules that compromises the security or privacy of that Protected Information (referred to as a “Breach”), we are required to provide appropriate Notice as defined by law without unreasonable delay and in no case later than 60 days after the discovery of the Breach or the receipt of information of the Breach. We may delegate this duty to a subcontractor. We are required to abide by the terms of the Notice that is currently in effect. We will provide a paper copy of this Notice upon your request.
8. Our Policy Regarding Dispute Resolution. Any controversy or claim arising out of or relating to our privacy policy, or the breach thereof, shall be settled by arbitration in accordance with the rules of the American Arbitration Association, and judgment upon the award rendered by the arbitrator(s) may be entered in any court having jurisdiction thereof.
9. Revisions to this Notice. We reserve the right to change the terms of this Notice and to make the new Notice provisions effective for all Protected Information we maintain, regardless of whether the Protected Information was created or received prior to issuing the revised Notice. Whenever there is a material change to our use and disclosure of Protected Information, individual rights, our duties, or other privacy practices stated in this Notice, we will promptly revise and distribute the new Notice.
Contact Person for Filing Complaint or Obtaining Other Information. If you believe your rights have been violated, a written complaint may be filed with our Privacy Officer at the following address:
pie Health Privacy Department, 4500 Williams Drive Ste 212 PMB 144, Georgetown, Texas 78633, [email protected], 800-799-3859