PEARL INC. PRIVACY SHIELD POLICY

Pearl Inc. complies with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework, as applicable, as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union and/or Switzerland, as applicable, to the United States. Pearl Inc. has certified to the Department of Commerce that it adheres to the Privacy Shield Principles. If there is any conflict between the terms in this privacy policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification, please visit https://www.privacyshield.gov/.

In compliance with the Privacy Shield Principles, Pearl Inc. commits to resolve complaints about our collection or use of your personal information. Parties may submit any such dispute, claim or controversy to non-binding mediation prior to the commencement of arbitration in compliance with the Privacy Shield Principles. Swiss individuals with inquiries or complaints regarding our Privacy Shield policy should first contact Pearl Inc. at:

ATTN: Chief Compliance Officer
Pearl Inc.
8605 Santa Monica Blvd
PMB 58456
West Hollywood, California 90069-4109 US

Or contact us at customersupport@hellopearl.com with the subject line “EU Privacy”.

Pearl Inc. has committed to cooperate with EU data protection authorities (DPAs) and the Swiss Federal Data Protection and Information Commissioner (FDPIC) and comply with the advice given by such authorities with regard to human resources data transferred from the EU and Switzerland in the context of the employment relationship.

Pearl Inc. has further committed to refer unresolved Privacy Shield complaints to binding arbitration conducted by JAMS ADR, an alternative dispute resolution provider located in the United States. This dispute solution service is provided by Pearl at no cost to you. If you do not receive timely acknowledgment of your complaint from us, or if we have not addressed your complaint to your satisfaction, please visit JAMS Cybersecurity and Privacy Practice Group - www.jamsadr.com/cybersecurity, for more information or to file a complaint. The services of JAMS ADR are provided at no cost to you.

Pearl Inc. has further committed to cooperate with the panel established by the EU data protection authorities (DPAs) with regard to unresolved Privacy Shield complaints concerning human resources data transferred from the EU in the context of the employment relationship.

The purpose of this document is to provide policies and procedures to safeguard and protect the privacy of private personal data and Protected Health Information (“PHI”) and assure Pearl’s compliance with The Health Insurance Portability and Accountability Act (HIPAA) and EU Privacy Shield Principles. This policy contains Pearl’s guidelines and procedures for protecting the security of individually identifiable electronic health information by:

1.    Providing training to all employees of Pearl who have access to PHI.
2.    Implementing formal documents and controls for Pearl to protect and safeguard PHI.
3.    Training of a compliance officer.

It is the policy of Pearl Inc. to honor a patient's right of access to inspect and obtain a copy of their personal data and/or protected health information (PHI) in Pearl's designated record set, for as long as the PHI is maintained in compliance with HIPAA and Pearl's retention policy.

Pearl Inc. is subject to the investigatory and enforcement powers of the United States Federal Trade Commission (FTC).

Pearl Inc. may be required to disclose personal information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

Pearl Inc. is liable in all cases of onward transfers of your private information to third parties.

Procedures

1.    A patient must make a request to a staff member to access and inspect their protected health information. Whenever possible, this request shall be made in writing and documented on either the "Authorization for Disclosure" form or in the notes of the patient's health record.

2.    Determination of accessibility of the information shall be based on:
      a.    Availability of protected patient information (i.e., final completion of information, long term storage, retention practices, etc.).

3.    Pearl must take action within a reasonable period of time or within 30 days after receipt of the request when the PHI is on-site, and within 60 days when the PHI is off-site. One 30-day extension is permitted, if Pearl provides the patient with a written statement of the reasons for the delay and the date by which the access request will be processed.

4.    Pearl must document and retain the designated record set subject to access and the titles of persons or offices responsible for receiving and processing requests for access.

Access, Inspection and/or Copy Request is Granted

5.    The patient and Pearl will arrange a mutually convenient time and place for the patient to inspect and/or obtain a copy of the requested PHI. Inspection and/or copying of PHI will be carried out within Pearl with staff assistance. 

6.    The patient may choose to inspect the PHI, copy it, or both in the form or format requested. If the PHI is not readily producible in the requested form or format, Pearl must provide the patient with a readable hard copy form, or other form as agreed to by Pearl and the patient.
      a.    If the patient chooses to receive a copy of the PHI, Pearl may offer to provide copying services. The patient may request that this copy be mailed.
      b.    If the patient chooses to copy their own information, Pearl may supervise the process to ensure that the integrity of the patient record is maintained.

7.    Upon prior approval by the patient, Pearl may provide a summary of the requested PHI.

8.    Pearl may charge a reasonable fee for the production of copies or a summary of PHI if the patient has been informed of such charge and is willing to pay the charge.

9.    If, upon inspection of the PHI, the patient feels it is inaccurate or incomplete, the patient has the right to request an amendment to the PHI. Pearl shall process requests for amendment as outlined in additional Pearl policy/procedures addressing this patient right.

Access, Inspection, and/or Copy Request is Denied in Whole or in Part

10.    Pearl must provide a written denial to the patient. The denial must be in plain language and must contain:
        a.   The basis for the denial;
        b.   A statement, if applicable, of the patient's review rights; and
        c.   A description of how the patient may complain to Pearl or to the Secretary of Health and Human Services (HHS). 

11.    If access is denied because Pearl does not maintain the PHI that is the subject of the request, and Pearl knows where that PHI is maintained, Pearl must inform the patient where to direct the request for access.

12.    Pearl must, to the extent possible, give the patient access to any other PHI requested, after excluding the PHI as to which Pearl has grounds to deny access.

13.    If access is denied as permitted under §164.524, the individual has the right to have the denial reviewed by a licensed health care professional who is designated by Pearl to act as a reviewing official and who did not participate in the original decision to deny.

14.    The patient must initiate the review of a denial by making a request for review to Pearl. If the patient has requested a review, Pearl must provide or deny access in accordance with the determination of the reviewing professional, who will make the determination within a reasonable period of time.

15.    Pearl must promptly provide written notice to the patient of the determination of the reviewing professional. See paragraph 10 above for denial requirements.

It is the policy of Pearl to honor the right of a patient or a patient's legal representative to request restrictions on how his or her personal data and protected health information (PHI) is used and/or disclosed for the purposes of treatment, payment, and/or healthcare operations and for disclosures permitted under §164.522(a).

NOTE: Although not required by law, sometimes Pearl may wish to implement a formal denial process. The final rule requires all covered entities to permit individuals to make the request but does not require a covered entity to agree to a restriction.

Procedures

General:

1.    Pearl will inform patients of their right to request restrictions on how their PHI is used and/or disclosed for treatment, payment, and healthcare operations in their published "Notice of Privacy Practices."

2.    The patient has the right to request restrictions. Pearl may require the request to be in writing. Pearl's Privacy Officer (or designee) reviews each request and makes a determination of final actions. Effective September 23rd 2013, the American Recovery and Reinvestment Act (ARRA) allows a patient the right to request that a healthcare provider must comply with the patient's request for restriction of disclosure to a health plan for purposes of payment or healthcare operations when the patient health information pertains to a service for which the healthcare provider has been paid in full by the patient "out of pocket."

3.    Pearl may agree to a patient's request for restrictions on the use and disclosure of their PHI if the request is determined to be reasonable and in the patient’s best interests.

When a Request for Restriction(s) Is Accepted:

4.    Pearl will notify the patient of the approval of the request.

5.    Pearl will inform the patient of any potential consequences of the restriction.

6.    Pearl will inform the patient that Pearl will comply with the agreed restriction with the following exceptions:
      a.   In an emergency treatment situation where Pearl may use or disclose information to a health care provider for providing treatment. Pearl will request the emergency treatment provider not further use or disclose the information;
      b.   The restrictions are terminated by either Pearl or the patient; and
      c.    If restrictions prevent uses or disclosures permitted or required under §164.502(a)(2)(ii), §164.510(a) or §164.512.

7.    If the agreed upon restriction hampers treatment, Pearl may ask the patient to modify or revoke the restriction. Pearl may require written agreement to the modification/revocation or document the patient's oral agreement.

8.    A notice of restriction will be made in writing in the patient's medical record and/or identified in an appropriate field in the computerized patient information system.

9.    Pearl will notify separately any other departments to which the restriction may apply (e.g., marketing, public relations, administration, foundation, etc.) and if necessary, ensure that the patient's name is removed from all applicable mailing lists.

10.    Pearl will notify separately any other business associates to which the restriction may apply.

11.    Pearl will not use or disclose PHI inconsistent with the agreed upon restriction, nor will its business associates, until the restriction is terminated either by Pearl or the individual.

12.    Pearl will restrict use and/or disclosure of PHI consistent with the status of the restriction in effect on the date it is used or disclosed.

When a Request for Restriction Is Denied:

13.    If the request for restriction is denied, Pearl must notify the patient. 

Termination:

14.    The patient must request in writing to terminate the restriction.

15.    If Pearl wants to terminate the agreement, the patient must agree to the termination in writing, or an oral agreement must be documented. The termination will be effective with respect to PHI created or received after the patient was notified by Pearl.

Record Retention:

16.    All documentation associated with this procedure will be maintained in writing or in electronic format for at least six (6) years from the date of its creation or the date when it was last in effect, whichever is later.

Any claim, dispute or other matter in question of any kind relating to this Privacy Shield Security Policy which is not resolved by the claims procedures under this Plan shall be settled by arbitration.  The arbitration shall be administered by JAMS pursuant to its Streamlined Arbitration Rules. Notice of demand for arbitration shall be made in writing. In no event shall a demand for arbitration be made after the date when the applicable statute of limitations would bar the institution of a legal or equitable proceeding based on such claim, dispute or other matter in question. The decision of the arbitrators shall be final and may be enforced in any court of competent jurisdiction. The arbitrators may award reasonable fees and expenses to the prevailing party in any dispute hereunder and shall award reasonable fees and expenses in the event that the arbitrators find that the losing party.