MEDLY HEALTH, INC. HIPAA Notice of Privacy Practices

THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.

Medly Health, Inc., and its subsidiary entities and pharmacies operating under the Medly Pharmacy, Medly Mail Service Pharmacy, and Pharmaca Integrative Pharmacy banners (hereinafter “Medly”), are committed to safeguarding your protected health information (“PHI”). PHI is health information collected about you that does or may identify you, by your name or by using your demographic information, and that relates to your past, present, or future physical or mental health or condition and related health care services.

This Notice of Privacy Practices (“Notice”) explains our legal obligation to protect the privacy of your PHI and describes the ways that we may use and disclose the PHI we collect and maintain to provide treatment, collect payment, or for health care operations and other specified purposes that are permitted or required by law (our “Privacy Practices”). This Notice also describes your rights under federal and state law relating to your PHI.

Medly is required to inform you of and comply with the rights and obligations described in this Notice and to notify you in the event of a breach of your unsecured PHI. We will not use or disclose your PHI without your authorization except as permitted or required by law as described in this Notice. We reserve the right to change the Privacy Practices described herein and make the new practices effective for all PHI we maintain. Should we make such a change, we will display the revised Notice online and in our pharmacies and have printed copies available for you or others upon request.

USES AND DISCLOSURES OF PHI

A. Routine Uses and Disclosures of PHI for the Purposes of Treatment, Payment, and Health Care Operations. HIPAA permits Medly to use PHI about you without seeking or obtaining your written authorization for the following three primary purposes: treatment, payment, and health care operations. Examples of these types of routine uses and disclosures include, but are not limited to:

1. Treatment. A pharmacist may consult with your physician about the purpose of a prescription and to suggest treatment alternatives. The pharmacist also uses PHI to counsel you on the proper use of your medication, and we may use your PHI to send you reminders to refill your prescription on time and other communications aimed to improve your treatment outcomes and overall health.

2. Payment. A pharmacy staff member may use PHI to bill your insurance for your prescription and to determine the amount you owe. We may also use PHI to bill others involved in your care and to respond to inquiries by insurance companies or other health care providers for their payment activities.

3. Health Care Operations. Your PHI may be used or disclosed for certain business administration and quality improvement activities that are necessary to provide, monitor, and improve our health care services, such as to conduct business planning, to evaluate the performance of our health care professionals, and to engage in other quality improvement activities.

B. Required and Permitted Uses and Disclosures without Written Authorization. HIPAA requires PHI to be disclosed in only two instances: 1) to comply with our obligations when you exercise your right to inspect and obtain copies of your PHI or to request an accounting of disclosures of your PHI; and 2) when required by the Secretary of Health and Human Services to investigate or determine our compliance with the HIPAA rules. Other uses and disclosures that are permitted by HIPAA without your authorization and that are likely to occur include:

1. Incident to otherwise permitted uses or disclosures. HIPAA allows for PHI uses and disclosures that may be incidental to other permitted uses or disclosures as long as we comply with HIPAA’s minimum necessary standards and exercise reasonable safeguards.

2. Business associates. Some services are provided on our behalf through contracts with outside entities that HIPAA refers to as business associates. We may disclose PHI about you to our business associates so that they can perform the services required by our agreement with them. To protect PHI about you, we contractually require the business associate to appropriately safeguard all PHI they collect or use on our behalf, and they are also subject to HIPAA penalties for any failure to comply with the HIPAA rules.

3. Personal representatives. If an individual has legal authority to make health care decisions on your behalf, we will treat that person as your personal representative in regard to uses and disclosures of PHI about you that are within the scope of the authority granted as long as, based on professional judgment, we have a reasonable basis to believe that the individual is acting in your best interest. We will also recognize as personal representatives individuals who have been granted legal authority to act on behalf of our deceased patients to the extent of the authority granted and for up to 50 years following the patient’s death for the PHI we have retained.

C. Permitted Uses and Disclosures with Opportunity to Agree or Object or in Emergencies. We are also permitted to use or disclose PHI about you, without your written authorization, in certain circumstances when you have been informed in advance and given the opportunity to agree or object to the use or disclosure and in emergency situations when the disclosure is in your best interest. The circumstances in which we are most likely to make these types of uses or disclosures are as follows:

1. Disclosures to individuals involved in your care or payment for your care: We may, based on professional judgment and your verbal or inferred agreement or your opportunity and failure to object and in certain emergency circumstances when you are unable to agree or object and the disclosure is deemed to be in your best interest, disclose to a family member, other relative, close personal friend, or any person you identify PHI relevant to that person's involvement in your care or payment related to your care.

2. Notification: We may use or disclose PHI about you to notify or assist in notifying a family member, personal representative, or another person responsible for your care of your location, general condition, or death.

3. Disaster relief: We may use and disclose PHI about you to a public or private entity authorized by law or by its charter to assist in disaster relief efforts for the purpose of coordinating with these entities the notification to a family member, personal representative, or other person responsible of your location, general condition, or death.

D. Less Common Permitted Uses and Disclosures. Other uses and disclosures of PHI that are less common, but are permitted to occur without allowing you the opportunity to agree or object and without your authorization include:

1. Required by law: We may use or disclose PHI about you when required to do so by state or federal law and the use or disclosure complies with and is limited to the relevant requirements of such law.

2. Public health activities: We may disclose PHI about you to public health, government, and legal authorities, when authorized by law, for their use for purposes of preventing or controlling disease, injury, or disability; for purposes of reporting child abuse or neglect; for activities related to the quality, safety, or effectiveness of FDA-regulated products or activities; or for purposes of public health intervention or investigation.

3. Victims of abuse, neglect, or domestic violence: We may disclose PHI about you to a government authority authorized to receive such information, such as a social service or protective services agency, if we reasonably believe you are a victim of abuse, neglect, or domestic violence. We will only disclose this type of information when: it is required by law and only to the extent required; you agree to the disclosure; or the disclosure is allowed by law and, based on professional judgment, we believe it is necessary to prevent serious harm to you or someone else or the law enforcement or public official that is to receive the report represents that it is necessary and is not intended to be used against you.

4. Health oversight activities: We may disclose PHI about you to an oversight agency for activities authorized by law such as: audits, investigations, inspections, licensure or disciplinary actions, civil, administrative, or disciplinary proceedings, or other activities necessary for the oversight of the health care system, government programs, regulatory compliance, and compliance with civil rights laws.

5. Judicial and administrative proceedings: We may disclose PHI about you in response to a court or administrative order. We may also disclose PHI about you in response to a subpoena, discovery request, or other lawful process, but only if reasonable efforts have been made to inform you about the request or to obtain an order protecting the requested PHI.

6. Law enforcement purposes: We may disclose PHI about you for law enforcement purposes, as permitted or required by law, or in response to a valid court order, warrant, subpoena, summons, or other legal process.

7. Deceased individuals: We may release PHI to a coroner, medical examiner, or funeral director, as permitted by law, for purposes such as to identify or to determine the cause of death of a deceased person or to otherwise carry out their duties. We may also disclose PHI to funeral directors consistent with applicable law to carry out their duties. When permitted, we may also disclose PHI to organ procurement organizations or other entities engaged in the procurement, banking, or transplantation of organs for the purpose of tissue donation and transplant.

8. Research purposes: We may disclose PHI to researchers when the research has been approved by an institutional review board that has reviewed the research proposal and established protocols to ensure the privacy of the PHI disclosed.

9. Avert a serious threat to health or safety: We may use and disclose PHI about you when necessary to prevent or lessen a serious and imminent threat to your health and safety or the health and safety of the public or another person.

10. Specialized government functions: For members of the armed forces, we may release PHI as required by military command authorities. We may also release PHI about foreign military personnel to the appropriate military authority. We may release PHI about you to authorized federal officials for lawful intelligence, counterintelligence, and other authorized national security activities. We may disclose PHI to authorized federal officials so they may provide protection to the President, foreign heads of state, or other authorized persons or for the conduct of authorized investigations.

11. Correctional institutions or custodial law enforcement facilities: If you are or become an inmate of a correctional institution or similar law enforcement facility, we may disclose PHI to the facility or its agents when necessary for your health, for the health and safety of others, for law enforcement on facility premises, or for administration of the safety, security, and good order of the facility.

12. Workers’ compensation: We may disclose PHI about you as authorized by and as necessary to comply with laws relating to workers’ compensation or other similar programs.

E. PHI Uses and Disclosures that Require Your Authorization. We will obtain your written authorization before using or disclosing PHI about you for marketing purposes, before selling PHI about you, and before using it for purposes other than those provided herein unless permitted or required by law. If you provide your authorization, you may revoke it in writing at any time. Upon receipt of the written revocation, we will stop using or disclosing the PHI about you that was covered by your authorization, except to the extent that we have already acted in reliance on the authorization.

YOUR HEALTH INFORMATION RIGHTS

As our patient, you have the following rights:

A. Request a Restriction on Certain Uses and Disclosures of Your PHI. You have the right to request additional restrictions on our use or disclosure of PHI. This right specifically permits you to request that we not disclose PHI to your health plan if the disclosure is made for purposes of payment or health care operations and is not otherwise required by law. Medly must honor this request only if you have both properly submitted this request to our Privacy Office, as directed in this notice, and paid for the product or service. You may also request that we not disclose your PHI to individuals involved in your care. We are not required to agree to all requests for restrictions. For any restrictions we agree to honor, we will only do so to the extent that our compliance poses no threat to the health or safety of you or others, and we reserve the right to terminate the restriction at any time.

B. Request Confidential Communications of PHI by Alternative Means or at Alternative Locations. For instance, you may request that we contact you about medical matters only in writing, or at a different residence or post office box. Your request must include details on how or where you would like to be contacted. We will attempt to accommodate all reasonable requests and will not request an explanation from you as to the reason for your request.

C. Request to Inspect and/or Obtain a Copy of Your PHI. You have the right to inspect and request paper or electronic copies of your PHI collected in a designated record set for as long as the information is maintained. We may charge you a reasonable fee for the costs of copying, mailing, postage, or other expenses we incur in fulfilling your request. We are required to respond to you within 30 days of receipt of your request (or within 60 days if the PHI is stored offsite). We may deny your request to inspect and copy in certain limited circumstances. If your access request is denied, you may request that the denial be reviewed.

D. Request an Amendment of PHI. If you believe that PHI we have collected about you is incomplete or incorrect, you may request that we amend it for as long as we maintain the PHI. Your request must include any supporting information. We will respond to your request within 60 days, if possible, but are permitted to take up to a 30-day extension when needed. If your request is denied, you have the right to provide a written statement of disagreement, and we will provide a written response.

E. Request an Accounting of Certain PHI Disclosures. You have the right to receive an accounting of the disclosures we have made of PHI about you for most purposes other than treatment, payment, or health care operations. The accounting will exclude certain disclosures, such as disclosures made directly to you, disclosures you authorize, disclosures to friends or family members involved in your care, and disclosures for notification purposes. The right to receive an accounting is subject to certain other exemptions, restrictions, and limitations. Your request must specify a time period but we are not required to provide more than a six year history. We are required to provide the accounting within 60 days if possible, with one 30-day extension permitted, if needed. You are permitted to request one accounting free of charge in any 12-month period. A reasonable fee may be charged for more frequent requests.

F. Request a Paper Copy of This Notice. You may request a paper copy of this Notice from your pharmacy or from our Privacy Office at any time. Even if you have agreed to receive the Notice electronically, you are still entitled to a paper copy.

To exercise one or more of these rights, please send your written request to our Privacy Office, using one of the contact methods below, sufficiently in advance to allow us to review and process your request as required

FOR MORE INFORMATION OR TO REPORT A PROBLEM

If you have questions or would like additional information about Medly’s privacy practices, you may contact the Privacy Office. If you believe your privacy rights have been violated, you have the right to submit a complaint by email, phone, or regular mail to the Privacy Office or to the Secretary of Health and Human Services. Rest assured, there will be no retaliation for filing a complaint about our Privacy Practices.

CONTACT US

If you have any questions about our policies, our websites and apps, or how we collect, use, and disclose PHI, please contact our Privacy Office by email at privacyoffice@medly.com, by phone at (833) 313-2050 (toll free) or by mail to: Medly Health, Inc., Attn: Privacy Officer, 31 Debevoise Street, Brooklyn, NY 11206

Effective as of January 1, 2022