Generation Health Privacy Policy

The Privacy of your Personal Information is our Highest Priority. This document describes the Security Practices and Privacy Policies we follow to ensure the confidentiality of your Personal Information including all Personally Identifiable Health Information concerning you and your family. Our Privacy Policy is designed to provide a secure, confidential environment for you to access the genetic testing tools that you and your doctor may require as well as to ensure that the results of your test remain safeguarded.

This notice describes how medical information about you may be used or disclosed and how you can obtain access to this information. Please review it carefully.

By registering with our service, you accept the Terms and Conditions of this Privacy Policy. Your Personal Information will not be released or disclosed by Generation Health without your knowing and voluntary consent, except as specifically set forth in this Privacy Policy or as required by law.

Although your Employer or Health Insurer may have asked Generation Health to offer you this benefit, the law specifically prohibits your Employer from possessing or using any Genetic Information (see definition below) when making any employment decisions. The law also prevents your Health Insurer from using any Genetic Information for determination of eligibility, coverage or pre-existing condition exclusions.

Generation Health requests that you read this Privacy Policy in its entirety. If you have any questions, please contact Generation Health’s Privacy Administrator by email at JJoshi@mygenhealth.com or call 781-906-0491.

CONTENTS

1. General Definitions
2. Personally Identifiable Health Information Is Confidential
3. Information That We Collect
   • Personal Information
     • Personal Account Information
     • Personally Identifiable Health Information
       • Genetic Information
       • Medical Information
   • Non-Personal Information
4. Who Can Access My Genetic Information
   • Physician and Health Care Provider
   • Genetic Counselor
   • Benefit Specialist
   • Health Insurance Company
   • Pharmacy Benefit Manager
   • Employer
   • Parents / Legal Guardian
   • Spouse / Domestic Partner
   • Third Party
   • Law Enforcement /Public Agency Official
   • Life Insurance / Disability Insurance Company
5. The Limited Uses of Your Personal Information
6. Security Protections for Your Personal Information
7. Disclosures of Personal Information Required by Law
8. No Disclosure to Linked Websites
9. Research Use of Aggregated De-Identified Data
10. Individual Request for Voluntary Disclosure of Personal Information
11. Protecting Your Child's Privacy
12. How You Can Help Protect Your Personal Information
13. Accessing, Updating, Requesting Corrections and Deleting Your Account
14. Changes to this Privacy Statement
15. Website Monitoring
16. Communications From Us
17. Contacting Us

1. General Definitions

Certain terms used throughout this Privacy Policy and the Generation Health website have specific meanings and definitions with which you should be familiar:

Personal Information - is any information that uniquely identifies you or that you might consider highly confidential or sensitive and includes both Personal Account Information and all Personally Identifiable Health Information concerning you and your family, including information such as your name, date of birth, and home address.

Non-Personal Information - Non-Personal Information includes any information that we gather as you navigate our website, such as your browser type, your computer's IP address, pages viewed, and the time spent on the web site.

Personally Identifiable Health Information - is any of your personal health information (including Genetic Information as defined below) that is traceable to you or your family. Personal Identifiable Health Information includes both Genetic Information and Medical Information (see definitions below), including any genetic tests performed or requested through our service or provided to us.

Genetic Information - is any information about your genetic tests, your family member’s genetic tests, the manifestation of a disease or medical disorder in a family member, any inquiry about or request for or receipt of Genetic Services and/or counseling by you or a family member, and/or participation in clinical research which includes genetic services. Information about your gender or age is not considered Genetic Information.

Genetic Services - include genetic testing, genetic counseling including obtaining, interpreting or assessing genetic information, and genetic education.

Genetic Testing - is an analysis of human DNA, RNA, chromosomes, proteins or metabolites that detects genotypes, mutations or chromosomal changes.

Medical Information - means any Personally Identifiable Health Information, including age, weight, height, gender, ethnicity, personal medical history, personal social history and other personal health information but does not include Genetic Information.

Aggregated De-Identified Data - is health data collected from a group of individuals in a format with all personal identification removed and without any information that can be used to identify or contact an individual in the group. Aggregated De-Identified Data is not Personally Identifiable Health Information.

Authenticated Authorization -means providing authorization for the release of your Personal Information or for another action to be taken on your behalf through a process that confirms your identity at the time you provide the authorization. This identification may be accomplished by written signature, passwords, challenge questions, tokens, biometrics or a combination thereof.

Express Consent - is the prior, knowing, voluntary Authenticated Authorization that you make for the release and disclosure of your Personal Information, including any Personally Identifiable Health Information and Genetic Information, for a specific purpose and to a specific entity or individual. The specific information to be released is explicitly identified as part of this process.

2. Personally Identifiable Health Information Is Confidential

All Personally Identifiable Health Information provided to Generation Health by you, any laboratory, any healthcare provider, your employer, your group health plan or any third party vendor providing services on behalf of your health plan is considered to be Protected Health Information under the law. Your Personally Identifiable Health Information includes both Genetic Information and Medical Information, including any inquiry about or request for or receipt of Genetic Services and/or counseling by you or a family member. This information is your property, and you have the right to control who is authorized to access it.

We will not disclose or release any of your Personally Identifiable Health Information to anyone,even members of your own family, without your Express Consent except as expressly set forth in this policy or as required by law.

Whenever we are required by law to release any of your Personal Information, we will only release the minimum necessary amount to accomplish the purpose for which the release is required.

3. Information That We Collect

Generation Health collects Personal Information and Non-Personal Information both directly from you and through service providers and partners.

Personal Information: Personal Information is any information that uniquely identifies you or that you might consider highly confidential or sensitive and includes your Personal Account Information, Personally Identifiable Health Information and Genetic Information. Generation Health treats all Personal Information as Private and Confidential. We collect two types of Personal Information:

Personal Account Information: We use Personal Information, such as your name, address, telephone number, email address, employer, address, user name and password, to uniquely identify you and your use of the website. We then use a Generation Health-created test access authorization code or other token to determine benefit usage and to control access to restricted portions of our website containing any of your Personally Identifiable Health Information including your Genetic Information.

Personally Identifiable Health Information: Personally Identifiable Health Information that we collect includes:

Genetic Information: Genetic Information is any information about your genetic tests, a family member’s genetic tests, the manifestation of a disease or medical disorder in a family member, any inquiry about or request for or receipt of Genetic Services and/or counseling by you or a family member, and/or participation in clinical research which includes Genetic Services. Information about your gender or age is not considered Genetic Information.

When your doctor uses our service to order a genetic test on your behalf, we collect information on the test that has been ordered, the doctor ordering the test, the lab conducting the test, the payment information, and the results of that test.

Medical Information: Medical Information includes any personal health information, including your age, weight, height, gender, ethnicity, your medical history, your family history, your social history and other personal health information but does not include Genetic Information.

Non-Personal Information

Non-Personal Information includes any information that we gather as you navigate our website, such as your browser type, your computer's IP address, pages viewed, and the time spent on the web site. In some cases, this information is collected automatically through cookies and stored in our log files. Although it is non-personal, this information is associated with your Personal Account Information when you have logged onto our web site. We use this information to monitor aggregate usage of our website and for internal analysis, quality control, and service improvement purposes.

4. Who Can Access My Genetic Information

As a Generation Health Member, you may access all your Personal Information, including your Personally Identifiable Health Information and Genetic Information. Other than you, the only people who may access some parts of your Genetic Information and other Personally Identifiable Health Information are:

Your Personal Physician or Health Care Provider: Your doctor and/or a health care provider who ordered the genetic test or who has a need to consult with you or with your doctor, can access your Genetic Information and other Personally Identifiable Health Information.

Your Personal Genetic Counselor: A Genetic Counselor whom you have authorized to assist you in evaluating, selecting and understanding the results of Genetic Testing and with a need to consult with you or with your doctor, can access to your Genetic Information and other Personally Identifiable Health Information. This authorization also applies to Genetic Counselors who work for and with Generation Health.

Your Personal Benefit Specialist: A Benefit Specialist whom you have authorized to assist you in determining benefits that may apply to or cover your Genetic Testing or Genetic Services can only access limited Personal, Medical, and Genetic Information necessary to assist you.

Your Health Insurance Company: Even if your Health Insurance Company has asked for Generation Health to offer you this benefit, the law does not allow them to access your Genetic Information, including your Genetic Test Results, except for the limited purpose of making payment determinations and only then with the minimum amount of Genetic Information necessary for making payment determinations being disclosed. No Personally Identifiable Health Information including Genetic Information will be disclosed to your Health Insurance Company for any research program unless you voluntarily give Express Consent for participation in the research program.

Your Pharmacy Benefit Manager: If a Pharmacy Benefit Management Company rather than your Health Insurance Company is responsible for making pharmaceutical payment benefit determinations, your Pharmacy Benefit Manager will be allowed limited access to the minimum amount of your Personally Identifiable Health Information including Genetic Information necessary for making payment determinations.

Your Employer: The Genetic Information Nondiscrimination Act, 42 U.S.C §2000ff specifically prohibits your employer from requesting, requiring, possessing or using any genetic information in connection with the making of any employment decision. No Personally Identifiable Health Information including Genetic Information will be disclosed to your Employer for any Wellness Program or Worksite Injury Monitoring Program unless you voluntarily give Express Consent for participation in the programs.

Parent / Legal Guardian: If you are the parent or legal guardian of a child under the age of 18 or of an unemancipated adult who is covered by this benefit, you may access the Personal Information and Personally Identifiable Health Information, including Genetic Information, of the child or unemancipated adult; however, parental access is allowed only with the Express Consent of your child after the child reaches his or her 18th birthday.

Your Spouse / Domestic Partner: Your spouse or legal domestic partner cannot access your Personally Identifiable Health Information through our service without your Express Consent, regardless of whether or not he or she is the primary benefit holder.

Third Party: Generation Health will not release or disclose your Personal Information including Genetic Information to any Third Party without your Express Consent that identifies the specific information to be released and to whom it is to be released. Generation Health assumes no responsibility or liability for the consequences of any such release.

Law Enforcement / Public Agency Official: Under certain circumstances, Generation Health may be compelled to disclose Personal Information including Genetic Information to satisfy a Court order, a duly executed subpoena, a government request, a law enforcement investigation, or a regulatory compliance review, in which case we will use reasonable and lawful efforts to limit the scope of any legally required disclosure. Generation Health will also make reasonable efforts to notify you in advance of that disclosure, unless doing so would violate the law or the court order.

Disability Insurance / Life Insurance / Long Term Care Insurance Company: Generation Health will not release any of your Personal Information, Personally Identifiable Health Information or Genetic Information to any Disability Insurance Company, Life Insurance Company or Long Term Care Insurance Company without your Express Consent that identifies the specific information to be released and to whom it is to be released.

5. The Limited Uses of Your Personal Information

Generation Health may use your Personal Information, Personally Identifiable Health Information and Genetic Information to:

• Authenticate your use of our website and services
• Perform Genetic Risk Assessments
• Perform Health Risk Assessments
• Provide requested services and process your transactions
• Communicate with you about other appropriate genetic testing.
• Communicate with you, your health care providers, including your Personal Physician or Health Care Provider and/or Your Personal Genetic Counselor

6. Security Protections For Your Personal Information

We take seriously the trust you place in us to protect the privacy of your Personal Information. We have implemented a series of physical, personnel, administrative, access control, system, third party and transmission safeguards to prevent unauthorized access, to maintain data integrity, and to ensure that only authorized persons who need to access your Personal Information can do so.

Physical Security measures include:

• Physical access to servers is restricted to Generation Health Information Technology personnel who have been authorized for server access.
• Comprehensive disaster recovery plan.

Personnel Security measures include:

• Background and criminal reference checks for employees, and
• Annual Privacy and Security Training for Employees

Administrative Security measures include:

• Privacy Policy and Security Practices Compliance
• Sanctions for Employee violations of company policies and practices, and
• Documentation of Compliance Training.

Access Control Security measures include:

• Restricting access to data to approved personnel on need basis only
• Identity Authentication by written signature, passwords, challenge questions, tokens, biometrics or a combination thereof.

System Security measures include:

• Firewall, Data Protections Systems, Intrusion Detection and Monitoring Devices to protect our network and databases
• Separate databases for Genetic, Medical and Account Information
• Encryption of all stored Personal Information data
• Internal and External System Auditing with Audit Trails that monitor, record and document access to these databases

Third Party Security measures include:

• Chain of Trust Agreements and/or Business Partner Agreements with all partners, third parties and vendors with whom we share information that requires them to implement all appropriate security procedures to maintain confidentiality.
• Individual Confidentiality Agreements with all employees and consultants who are required to come into contact with your Personal Information.

Transmission Security measures include:

• Encryption of all data transmitted to and from our website
• Prohibiting Personal Information from being loaded onto laptops and other mobile devices

While we cannot guarantee that loss, misuse or alteration of data will not occur, we are committed to using proven safeguards and security audit procedures designed to prevent any loss, misuse or alteration of data. You will be promptly notified of any security breach which may have allowed disclosure or compromised the security and privacy of any of your Personally Identifiable Health Information including any Genetic Information.

7. Disclosures of Personal Information Required by Law

Under certain circumstances, we may be compelled to disclose your Personal Information to satisfy a Court order, duly executed subpoena, government request, law enforcement investigation, or regulatory compliance review. We will use reasonable and lawful efforts to limit the scope of any legally required disclosure. Under the law, required disclosures include:

• When a law or duly executed Court Order requires disclosure of your Personal Information, in which case only the information expressly ordered to be disclosed shall be released with notice to you of both the Order and the information disclosed. We will make reasonable efforts to notify you in advance of that disclosure, unless doing so would violate the law or the court order.
• When government officials investigating compliance with various Security and Privacy laws and regulations require disclosure of information relevant to their investigation.
• When required to ascertain an employee’s compliance with the certification provisions of the Family and Medical Leave Act of 1993 or requirements under state family and medical leave laws.
• When there is an imminent hazard of death or life-threatening illness and with notice, a Federal, State or local public health agency may require disclosure as part of an investigation in regard to the manifestation of a disease or disorder in family members of an Employee.

8. No Disclosure to Linked Websites

Generation Health provides certain links to third-party websites operated by organizations not affiliated with our service. These links may be found within our content or placed beside the names and logos of these persons.

We do not release any of your Personal Information to organizations operating these third-party web sites. We do not review or endorse the privacy policies of these third-party sites, and assume no responsibility for them. We encourage you to read the privacy policies and statements of each and every site before providing any Personal Information.

9. Research Use of Aggregated De-Identified Data

Generation Health may combine and aggregate health information from a sufficiently large group of individuals in a non-individually identifiable format in the manner prescribed by law to create "Aggregated De-Identified Data" to provide to your employer or health insurer for analysis to assist in research, the delivery of medical care and/or health trend analysis. Aggregated De-Identified Data does not contain any information that could be used to contact or identify you and is not Personally Identifiable Health Information. Aggregated De-Identified Data may also be prepared for research and analysis of health trends and disease correlations by Generation Health, health researchers and/or data warehouses. The ability to perform research on Aggregated De-Identified Data helps to increase our understanding of the genetic bases of disease and to promote the development of new predictive and therapeutic applications.

10. Individual Request for Voluntary Disclosure of Personal Information

You may choose to voluntarily disclose your Personal Information, including Personally Identifiable Health Information and Genetic Information, to friends and/or family members, third-party service providers, doctors or other health professionals, attorneys, and/or other individuals. We urge you to make such disclosure choices carefully. Should you choose to have Generation Health disclose any of your Personal Information to any individual or entity other than you or your healthcare professional, you must provide Express Consent that identifies the specific information to be released and to whom it is to be released. Generation Health will not release or disclose any portion of your Personal Information without your Express Consent and assumes no responsibility or liability for the consequences of any such release.

11. Protecting Your Child's Privacy

Generation Health is committed to protecting the privacy of children. Although our services are not marketed to children under 18, a parent or legal guardian may set up an account on behalf of his or her child. The parent or guardian shall assume full responsibility for the accuracy and security of any information he or she provides to Generation Health about that child. A parent’s right of access terminates when the child reaches his or her 18th birthday.

12. How You Can Help Protect Your Personal Information

Protecting your Personal Information also relies on your compliance with certain basic security practices. We cannot secure any Personal Information that you release on your own, that you request us to release or that is released through another third party to whom you give account access.

You must safeguard your user name, password and other authentication information that you use to access our services. Do not disclose this information to any individual, third party or entity whom you do not trust and who does not have a need to know. You must immediately notify Generation Health of any unauthorized use of your user name, password or other authentication information.

13. Accessing, Updating, Requesting Corrections and Deleting Your Account

You may access your Personal Information in your account at any time through the website.

You may update your Personal Account Information at any time through the website.

You may make a Request for Correction of your Personal Information, including your Personally Identifiable Health Information, in your account through the website. The correction you make will be entered alongside the original data and made available as part of any future disclosure or release of this information.

You may inactivate your Generation Health account at any time through your account page, or by emailing Customer Support at privacy@mygenhealth.com. When you request us to inactivate your account, we will cease to display your Personal Health Information on our website. Please be aware that while this information will no longer be accessible to someone using your account over the Internet, it will be retained for the period of time required by the law in backup media. This information shall be made available pursuant to a duly executed authenticated authorization to release medical records. Generation Health may apply a charge equal to the administrative, copying and communication costs for the retrieval, preparation and transmission of the information requested. We will not otherwise disclose your Personally Identifiable Health Information that may be stored on our backup media, except as required by law or for auditing purposes.

14. Changes to this Privacy Statement

Generation Health reserves the right to amend or modify this privacy policy at any time. Any material changes will be conspicuously posted on this website, and members will also be notified of such changes by email. Changes will take effect 30 days after the changes have been first posted on the website.

15. Website Monitoring

Generation Health gathers certain Non-Personal Information about your use of our website through log files and cookies. The techniques we use and their implications for your privacy are described below.

Log Files: When you access our site, our system automatically collects certain information about you for our logs. This data may include your browser type, your computer's IP address, your Internet Service Provider, operating system, date and time you visited our site, and a list of the pages you visited. We use this information to analyze usage trends, administer the site, and gather demographic information about our members as a whole. It is not designed to identify you personally. However, under certain circumstances we may need to review this information in conjunction with specific Personal Account Information in order to identify and resolve certain issues for our members.

Cookies: Generation Health uses a web technology, referred to as cookies, to make it easier for you to navigate our site, improve the security of your Personal Information, enhance the functionality of some features, and improve performance. These cookies are only applicable within the confines of our site. Generation Health uses both session cookies, which expire when you close your browser, and persistent cookies, which remain on your computer. These cookies act as a user identification card for our servers. Cookies are only read by our computers and are unable to execute any code or virus. You can remove persistent cookies by following the directions provided in your Internet browser's help file. However, if you set your browser security setting to reject all cookies, you may not be able to access certain portions of our web site. When accessing our site using a public computer, we recommend that you delete all persistent cookies according to the directions in your browser's help file before you close the browser.

16. Communications From Us

From time to time, we will contact you to ask about the services you have requested, to inquire about the quality of services you have received and to alert you about service updates. Promotional marketing communications sent via email will be sent to the address provided in your Personal Account Information and will include a link for opting out of future marketing communications.

17. Contacting Us

If you have any questions or concerns regarding this Privacy Statement, please email our Privacy Administrator at jjoshi@mygenhealth.com. You may also contact us by mail at 600 East Crescent Avenue, Suite 205, Upper Saddle River, New Jersey 07458.