Privacy Policy

INFORMATION SUBJECT TO THIS PRIVACY POLICY

This Privacy Policy applies, in part, to protected health information (“PHI”) as defined under the Health Insurance Portability and Accountability Act of 1996 (known as “HIPAA”). PHI includeshealth-related information that Shanadoa collects, creates, receives or maintains in connection with your use of the Website, and that reasonably could be used to identify you. Shanadoa may receive your PHI directly from you or from a third party, such as your insurer or medical provider.

Shanadoa has developed and implemented policies and procedures designed to comply with HIPAA, as amended by the Health Information Technology for Economic and Clinical Health Act provisions of the American Recovery and Reinvestment Act of 2009 (“HITECH”), and the Privacy, Security, Breach Notification and Enforcement
regulations thereunder (45 C.F.R. Parts 160 and 164), as the same may be amended from time to time; and HIPAA and HITECH (a “HIPAA/HITECH Policies”).Shanadoa’s use of PHI obtainedor provided by you or a third party while using the Website will comply with its HIPAA/HITECH Policies, HITECH, HIPAA, and the rules and regulations promulgated thereunder. Further, any security breach incident shall be handled in accordance with all federal, state and local laws, rules and regulations
concerning breach notification requirements.

Shanadoa will have a valid, existing Business Associate Agreement or Subcontractor Business Associate Agreement (collectively referred to herein as a “BAA”) with any third
party as required by the HIPAA/HITECH Policies. A BAA requires that a business associate, among other things, will not use or further disclose PHI other than
as permitted or required by the BAA or as required by law. Shanadoa will at all times comply with its applicable BAA when using or disclosing your PHI.

DATA SECURITY

Shanadoa has implemented measures designed to secure your personal information from accidental loss and from unauthorized access, use, alteration, and disclosure. All
information you provide to us is stored on our secure servers behind firewalls. Any disclosures/uses of PHI (See De-Identificationof PHI section below) will be encrypted using industry standard technology when necessary.The safety and security of your information also depends on you. You are responsible for ensuring that you only disclose information (i) that you arelegally allowed to disclose, and (ii) that you wish for individuals in our organization to access. Unfortunately, the transmission of information via the Internet
is not completely secure. Although we do our best to protect your personal information, we cannot give a 100% guarantee of the security of your personal
information transmitted to our Website. Any transmission of personal information is at your own risk. Shanadoa is not responsible for the circumvention of any privacy settings or security measures contained on the Website.

HOW SHANADOA MAY USE AND SHARE PHI

Shanadoa may use and share your PHI for the following purposes without first asking for your written permission:

Treatment

Shanadoa may use and share your PHI for treatment-related purposes.

Payment

Shanadoa can use and share your PHI with a covered entity or healthcare provider for
facilitating payment.

Health Care Operations

Shanadoa may use and share your PHI with a covered entity for healthcare operations.

Contractors

Third-partycontractors may provide certain services to Shanadoa or you on our behalf. Shanadoa may share your PHI with these third-party contractors fortreatment, payment, or health care operation purposes in accordance with HIPAA and the BAA between Shanadoa and said third party. These contractors are required by law to protect your PHI the same way we do.

Your Health Plan/ Insurers

Shanadoa may use andshare your PHI with your health plan administrator or insurers (or their other service providers) as permitted by applicable law.

Other Uses or Disclosures

Shanadoa may and sometimes is required to use or share your PHI in special circumstances without first asking for your written permission (e.g. when required by court order).

HOW SHANADOA MAY USE AND SHARE YOUR PHI WITH PARTIES INVOLVED IN YOUR CARE OR PAYMENT FOR CARE

Generally, Shanadoa will not share PHI or communicate with someone other than patients,health plans, insurers, third party services providers, or health care
providers directly.

If you are represented by a legally appointed personal representative, Shanadoa will communicate with your representative in the same mannerShanadoa would communicate with you, provided that Shanadoa has received a valid health authorization designating such asyour representative and authorizing them to receive your PHI.
In special circumstances, Shanadoa may share your PHI or communicate with individualsidentified as family members, personal relatives, close personal friends, or others involved in your care with your permission or, if you are unable to give permission, only if we believe it is necessary and in your best interest. In the event you are unable to give permission, and Shanadoa determines it is in your best interest to share your PHI with an individual identifying as a family member, other relative, close personal friend or as otherwise involved in your care we will only disclose PHI that is directly relevant to their involvement with your care or payment related to your health care or as otherwise needed for notification purposes.

INFORMATION COLLECTION, USE, AND SHARING

Personal Information

You may be asked to provide personal information, including but not limited to, your name, telephone number, mailing address, email address, gender, health insurance information, PHI, and other such information.

Non-Personal Information

Shanadoa may collect non-personal information about your activity on the Website, including but not limited to information that you provide to Shanadoa or generate using our Website, records and copies of your correspondence with us, your responses to surveys Shanadoa might ask you to complete, and details of transactions youcarry out through our Website. This information, if collected, may be collected via computer code sent to your computer (commonly referred to as "cookies" or "web beacons"). Shanadoa does not collect personal information automatically, but we may tie this non-personal information to personal information about you that we collect from other sources or you provide to us.

"Cookies"are small text files that are placed on your device by a web server when you access our services. Shanadoa may use both session cookies and persistent cookies toidentify that you've logged into the services and to tell us how and when you interact with our services. Shanadoa may also use cookies to monitor aggregate usage and webtraffic routing on our services and to customize and improve our services. Unlike persistent cookies, session cookies are deleted when you log off from the services and close your browser. You may refuse to accept browser cookies by activating the appropriate settings on your browser. However, if you select this setting you may be unable to access certain parts of our Website. Unless you have adjusted your browser setting so that it will refuse cookies, Shanadoa’s system will issue cookies when you direct your browser toour Website. Some third-party service providers that we engage may also place their own cookies on your device, however, this Privacy Policy only covers Shanadoa’s use of cookies and not third party uses of cookies.

"Web Beacons" are tiny graphics (also referred to as clear gifs, pixel tags, and single-pixel gifs) with a unique identifier that may be included on Shanadoa’s Website for several purposes, including to deliver orcommunicate with cookies, to track and measure the performance of Shanadoa’s services, to monitor how many visitors view the Website,and to monitor the effectiveness of advertising. Web Beacons are typically embedded invisibly on web pages (or in an e-mail).

The Website may automatically record certain information about how you, or any other individual accessing our Website on your behalf, use Shanadoa’s services ("Log Data"). Log Data may includeinformation such as a user’s Internet Protocol (IP) address, operating system, browser type, the website that a user was visiting before accessing Shanadoa’s Website, the pages or features on Shanadoa’s Website that a user accessed (including the time spent onthose pages) and features, search terms, and links on Shanadoa’s Website that a user clicked on and similar statistics. Shanadoauses Log Data to administer its services and analyze Log Data to improve, customize, and enhance Shanadoa’s services by expanding features and functionality. Shanadoa may collect your IP address and other information aboutyour online activity to generate aggregate, non-identifying information about how our services are used and analytics data regarding users' interactions on the Website.

Usage of Data

Shanadoa uses non-personal information to manage the Website. Shanadoa may analyze the data about visits to the Website to make it more accessible and interesting
for visitors. Further, Shanadoa may share this data with third party service providersassociated with the maintenance of the Website. Additionally, Shanadoa may disclose non-personal information about pages you visiton the Website, as well as the frequency with which you visit pages, but not in a manner that is inconsistent with the applicable law. We will not sell or rent this information to anyone.

Any personal information submitted to the Website will only be used for the purpose requested, for which it is collected, or authorized. That information may be
stored and maintained by Shanadoa. Shanadoa may share this information with third-party serviceproviders that work with us to administer and provide the services. These
third-party service providers have access to your personal information and financial information only for the purpose of performing services on our behalf.

Shanadoa will not share your information with any third party outside of our organization, other than with trusted partners to help us fulfill your request, perform statistical
analysis, send you email or postal mail, provide customer support, provide other services to Website users, or otherwise consistent with HIPAA, HITECH, or other applicable law, rule or regulation. Shanadoa has takenand will continue to take measures to ensure the secure and safe handling of your personal information.

Information Sent by Your Mobile Device

We may collect certain information that your mobile device (e.g. device identifier, user settings and the operating system of your device) sends when you use Shanadoa’s services.

Location Information

When you use the Website, Shanadoa may collect and store information about your location byconverting your IP address into an approximate geo-location or by accessing
your mobile device's GPS coordinates, if location services are enabled on your device. Location services are used to personalize your experience on the Website. If you do not want Shanadoa to collect location information, you should disable saidfeatures on your device.

De-Identification of PHI

In certain circumstances, HIPAA may require Shanadoa tode-identify PHI prior to making certain disclosures. In such a case, Shanadoa shall, prior to making any disclosure, de-identify the PHI in accordance with Section 164.514 of the HIPAA Privacy Rule.

Information Disclosed in Connection with Legal Requirements

Shanadoa may disclose any personal (in compliance with the rules and regulations set forth in HIPAA and HITECH) or non-personal information collected to the extent it reasonably believes that such disclosure is necessary to comply with the law, such as in response to any subpoena, to the extent reasonably necessary to establish or defend a legal claim and for other purposes permitted by applicable law.

USE OF WEBSITE BY CHILDREN

This Website is not intended to be used by, nor is this Website marketed to, minors (i.e. children under the age of 18). Only parents/guardians of a minor child may submit any personal or non-personal information (including PHI) concerning their minor child. As such, the Children’s Online Privacy Protection Rule, and similar state laws, are not applicable to this Privacy Policy. Any information provided to Shanadoa via the Website, by aparent/guardian of a minor child, that concerns a minor child shall (i) be
deemed given with the parent’s/guardian’s informed consent, and (ii) shall be treated consistent with this Privacy Policy and applicable law.

CONTACT SHANADOA

Get an electronic copy of your PHI

You may see the PHI Shanadoa has collected about you by making a request to Shanadoa’sprivacy officer.

Get a copy of this Privacy Policy

You may ask us for a paper copy of this communication at any time by emailing us at Shanda@shanadoahh.com. Shanadoa will provide you with a paper copy promptly.

General Questions

If you have any questions regarding this Privacy Policy or Shanadoa’s services in general, you may contact a representative as follows:

Email: Shanda@shanadoahh.com

Telephone: (918) 331-0800

Mailing Address: 2448 E 81st St Suite 1400, Tulsa, OK 74137

Revocation of Permission

If you have given Shanadoa permission to use or share your PHI in a certain way, you may change your mind at any time. Let us know by emailing us at Shanda@shanadoahh.com.