HIPAA NOTICE OF PRIVACY PRACTICES MEDICAL INFORMATION PRIVACY NOTICE This notice describes how medical information about you may be used and disclosed and how you can get access to this information. Please review it carefully. We* are required by law to protect the privacy of your health information. We are also required to send you this notice, which explains how We may use information about you and when We can give out or “disclose” that information to others. You also have rights regarding your health information that are described in this notice. We are required by law to abide by the terms of this notice. The terms “information” or “health information” in this notice include any information We maintain that reasonably can be used to identify you and that relates to your physical or mental health condition, the provision of health care to you, or the payment for such health care. We have the right to change Our privacy practices and the terms of this notice. If We make a material change to Our privacy practices, We will provide a revised notice by direct mail to you reflecting that change within 60 days of the change and We will otherwise post the revised notice on Our website WWW.THEOMSPA.COM. We reserve the right to make any revised or changed notice effective for information We already have and for information that We receive in the future. *For purposes of this Notice of Privacy Practices, “We” or “Us” refer to the health plans that are affiliated with Common Ground Healthcare Cooperative.

HOW WE USE OR DISCLOSE INFORMATION We must use and disclose your health information to provide that information:

 To you or someone who has the legal right to act for you (your personal representative) in order to administer your rights as described in this notice; and

 To the Secretary of the Department of Health and Human Services, if necessary, to make sure your privacy is protected. We have the right to use and disclose health information for your treatment, to pay for your health care and to operate Our business. For example, We may use or disclose your health information:

 For Payment of premiums due Us, to determine your coverage, and to process claims for health care services you receive, including for subrogation or coordination of other Benefits you may have. For example, We may tell a doctor whether you are eligible for coverage and what percentage of the bill may be covered. CGHC.2015 2 | HIPAA Notice of Privacy Practices

 For Treatment. We may use or disclose health information to aid in your treatment or the coordination of your care. For example, We may disclose information to your Physicians or hospitals to help them provide medical care to you.

 For Health Care Operations. We may use or disclose health information as necessary to operate and manage Our business activities related to providing and managing your health care coverage. For example, We might talk to your Physician to suggest a disease management or wellness program that could help improve your health or We may analyze data to determine how We can improve Our services.

 To Provide Information on Health Related Programs or Products such as alternative medical treatments and programs or about health-related products and services, subject to limits imposed by law as of February 17, 2015.

 For Plan Sponsors. If your coverage is through an employer sponsored group health Plan, We may share summary health information and enrollment and disenrollment information with the Plan sponsor. In addition, We may share other health information with the Plan sponsor for Plan administration if the Plan sponsor agrees to special restrictions on its use and disclosure of the information in accordance with Federal law.

 For Reminders. We may use or disclose health information to send you reminders about your Benefits or care, such as appointment reminders with providers who provide medical care to you. We may use or disclose your health information for the following purposes under limited circumstances:

 As Required by Law. We may disclose information when required to do so by law.

 To Persons Involved With Your Care. We may use or disclose your health information to a person involved in your care or who helps pay for your care, such as a family member, when you are incapacitated or in an Emergency, or when you agree or fail to object when given the opportunity. If you are unavailable or unable to object, We will use Our best judgment to decide if the disclosure is in your best interests.

 For Public Health Activities such as reporting or preventing disease outbreaks.

 For Reporting Victims of Abuse, Neglect or Domestic Violence to government authorities that are authorized by law to receive such information, including a social service or protective service agency.

 For Health Oversight Activities to a health oversight agency for activities authorized by law, such as licensure, governmental audits and fraud and abuse investigations.

 For Judicial or Administrative Proceedings such as in response to a court order, search warrant or subpoena.

 For Law Enforcement Purposes. We may disclose your health information to a law enforcement official for purposes such as providing limited information to locate a missing person or report a crime.

 To Avoid a Serious Threat to Health or Safety to you, another person, or the public, for example, disclosing information to public health agencies or law enforcement authorities, or in the event of an Emergency or natural disaster.

 For Specialized Government Functions such as military and veteran activities, national security and intelligence activities, and the protective services for the President and others. CGHC.2015 3 | HIPAA Notice of Privacy Practices

 For Workers’ Compensation as authorized by, or to the extent necessary to comply with, state workers compensation laws that govern job-related injuries or illness.

 For Research Purposes such as research related to the evaluation of certain treatments or the prevention of disease or disability, if the research study meets privacy law requirements.

 To Provide Information Regarding Decedents. We may disclose information to a coroner or medical examiner to identify a deceased person, determine a cause of death, or as authorized by law. We may also disclose information to funeral directors as necessary to carry out their duties.

 For Organ Procurement Purposes. We may use or disclose information to entities that handle procurement, banking or transplantation of organs, eyes or tissue to facilitate donation and transplantation.

 To Correctional Institutions or Law Enforcement Officials if you are an inmate of a correctional institution or under the custody of a law enforcement official, but only if necessary (1) for the institution to provide you with health care; (2) to protect your health and safety or the health and safety of others; or (3) for the safety and security of the correctional institution.

 To Business Associates that perform functions on Our behalf or provide Us with services if the information is necessary for such functions or services. Our business associates are required, under contract with Us, to protect the privacy of your information and are not allowed to use or disclose any information other than as specified in Our contract. As of February 17, 2015, Our business associates also will be directly subject to Federal privacy laws.  For Data Breach Notification Purposes. We may use your contact information to provide legallyrequired notices of unauthorized acquisition, access, or disclosure of your health information. We may send notice directly to you or provide notice to the sponsor of your Plan through which you receive coverage. Except for uses and disclosures described and limited as set forth in this notice, We will use and disclose your health information only with a written authorization from you. Once you give Us authorization to release your health information, We cannot guarantee that the person to whom the information is provided will not disclose the information. You may take back or “revoke” your written authorization at any time in writing, except if We have already acted based on your authorization. To find out where to mail your written authorization and how to revoke an authorization, contact the phone number listed on the back of your ID card.

WHAT ARE YOUR RIGHTS The following are your rights with respect to your health information:

 You have the right to ask to restrict uses or disclosures of your information for treatment, payment, or health care operations. You also have the right to ask to restrict disclosures to family members or to others who are involved in your health care or payment for your health care. We may also have policies on Dependent access that authorize your dependents to request certain restrictions. Please note that while We will try to honor your request and will permit requests consistent with Our policies, We are not required to agree to any restriction.

 You have the right to request that a provider not send health information to Us in certain circumstances if the health information concerns a health care item or service for which you have paid the provider out of pocket in full. CGHC.2015 4 | HIPAA Notice of Privacy Practices

 You have the right to ask to receive confidential communications of information in a different manner or at a different place (for example, by sending information to a P.O. Box instead of your home address). We will accommodate reasonable requests where a disclosure of all or part of your health information otherwise could endanger you. We will accept verbal requests to receive confidential communications, but requests to modify or cancel a previous confidential communication request must be made in writing. Mail your request to the address listed below.

 You have the right to see and obtain a copy of health information that may be used to make decisions about you such as claims and case or medical management records. You also may in some cases receive a summary of this health information. You must make a written request to inspect and copy your health information. Mail your request to the address listed below. In certain limited circumstances, We may deny your request to inspect and copy your health information. We may charge a reasonable fee for any copies. If We deny your request, you have the right to have the denial reviewed. If We maintain an electronic health record containing your health information, you have the right to request that We send a copy of your health information in an electronic format to you or to a third party that you identify. We may charge a reasonable fee for sending the electronic copy of your health information.

 You have the right to ask to amend information We maintain about you if you believe the health information about you is wrong or incomplete. Your request must be in writing and provide the reasons for the requested Amendment. Mail your request to the address listed below. If We deny your request, you may have a statement of your disagreement added to your health information.

 You have the right to receive an accounting of certain disclosures of your information made by Us during the six years prior to your request. This accounting will not include disclosures of information made: (i) prior to April 14, 2003; (ii) for treatment, payment, and health care operations purposes; (iii) to you or pursuant to your authorization; and (iv) to correctional institutions or law enforcement officials; and (v) other disclosures for which Federal law does not require Us to provide an accounting.

 You have the right to a paper copy of this notice. You may ask for a copy of this notice at any time. Even if you have agreed to receive this notice electronically, you are still entitled to a paper copy of this notice. You may also obtain a copy of this notice at Our website, www.THEOMSPA.COM.

EXERCISING YOUR RIGHTS

 Contacting your Health Plan. If you have any questions about this notice or want to exercise any of your rights, please call the phone number on the back of your ID card or you may contact the The Om Spa Cooperative Customer Service Department at 1-239-631-5895.

 Submitting a Written Request. Mail to Us your written requests for modifying or cancelling a confidential communication, for copies of your records, or for Amendments to your record, at the following address: The Om Spa Member Services Department 6318 Trail Blvd Naples, FL 34108

 Filing a Complaint. If you believe your privacy rights have been violated, you may file a complaint with Us at the address listed above. 

 You may also notify the Secretary of the U.S. Department of Health and Human Services of your complaint. We will not take any action against you for filing a complaint.