Privacy Policy: Your Privacy Rights
This Policy is Effective as of December 10, 2024
Last Revision Date: 10 December 2024
Scope and Purpose
This privacy policy describes the practices of athenahealth, Inc. and affiliates (“athenahealth”, “our”, “we”,
or “us”) with regard to information that we obtain, either directly or indirectly through you and/or third-
parties, through your use of the athenaOne mobile application, including all associated content and/or
documentation (collectively, and as may be renamed, rebranded or incorporated into our other offerings, the
“App”).
The App is a mobile application that is designed to facilitate healthcare providers’ (“Providers”) ability to
track and manage patient encounters and records and facilitates the transmission of data to and from an
underlying electronic health record platform (the “Platform”). The term “you” refers to a Provider end user of
the App. When you use the App, our collection and handling of patient information is generally regulated
by the Health Insurance Portability and Accountability Act (“HIPAA”) and our agreements with you and/or
the organization that purchased the App for your use. This Privacy Policy describes our practices with respect
to the information we obtain about you through the App in our role as a Business Associate.
This policy does not apply to (i) athenahealth.com or Epocrates.com or any other mobile application
offered by us; (ii) information that we obtain outside of the App; (iii) applications of third parties to which
we provide links; or (iv) Third-Party Platforms. We do not control and are not responsible for the privacy
practices of, or the data available on or through, the applications of third parties or Third-Party Platforms,
and we urge you to evaluate the soundness of these practices for yourself.
Because the information we collect via the App is regulated by HIPAA and/or relates to you in your
professional or employment capacity, it may be exempt from certain U.S. state privacy laws like the
California Consumer Privacy Act. You may contact us if you have questions about these exemptions. To
the extent these laws do apply, we process your information as a “service provider” or “processor” on
behalf of your employer, and your employer’s privacy policy may apply to the information we collect in
the App in addition to or in place of this Privacy Policy.
Any unauthorized registration for, access or use of our App, client accounts or Third-Party Platforms is strictly
prohibited.
We urge you to read this Privacy Policy so that you understand our commitment to you and your privacy,
and how you can participate in that commitment. By using the App, you consent to athenahealth’s
collection, use, disclosure, transfer and storage of information relating to you as set forth in this Privacy
Policy.
WHAT INFORMATION DO WE COLLECT?
Information You Provide to Us
In accordance with our agreements with you or your employer who purchased the App for your use, we
may collect your information in the following ways:
We collect information you provide us if you access, voluntarily enter information into, or sign up
for the App. The information we collect directly from you may include: Your name and contact
information, app credentials, specialty information, email address, practice id, practice name,
when used to access the App (i.e. fingerprint), voice data and information and content created
as a result of the recording of your voice information; photograph of yourself that you may
upload into the App and other information you enter into the App; User preferences (Ex. Default
department, search filters selected in the App); Support cases reported by you within the App;
Your response to surveys / feedback requested within the App; Content created as a result of
your use of dictation functionality; and Video and audio content provided by you through your
use of the App.
You may also have the option in certain instances to enter additional information in free text
fields.
Information Automatically Collected
Whenever you use the App, we may automatically collect data about your device such as your
user id, username, device Info (device id, iOS version, model name, device resolution, device
token, device free ram), App diagnostic logs (App state, audit / access logs), IP address (country,
city, time zone - based on IP address).
Information about your use of the App including, but not limited to, your usage patterns,
screens visited, etc.
We may also collect information related to your use of the App, including any permissions you
set, authorizations you provide (including authorizations and information related to any third-
party platforms you use or access through your accounts), your language and communication
preferences, security related information (such as your account credentials, failed login attempts,
timeouts, past passwords, security questions for identity or account validation, number and
frequency of username or password resets, and access attempts), and geolocation information.
In addition, we may collect other information as permitted under applicable law or our agreements.
HOW DO WE USE YOUR INFORMATION?
We use your information only in accordance with HIPAA and our agreements with you and/or your
employer who purchases the App for your use. This includes, for example:
To provide, enhance, secure, support and improve the App and to improve upon the App
functionality. This includes communication with you in connection with the App as well as
communications related to new features, updates, security alerts, feedback requests, technical
notices and administrative messages;
To track the popularity of features on the App to guide the development of new features;
To provide you with any other information, products or services that you request from us;
For data analysis, internal management/operations, audits, and compliance with all applicable
laws, regulations, and law enforcement requirements;
To plan and execute security and risk control measures, like fraud and abuse detection and
prevention for athenahealth or your healthcare provider.
We may also de-identify and/or aggregate your data for business purposes in accordance with our
agreements with your employer. We de-identify protected health information in accordance with the
HIPAA expert determination method and/or the safe harbor method.
SHARING YOUR INFORMATION
We share your information only in accordance with HIPAA and our agreements with your healthcare
provider.
With your employer (or contracting party) who purchased the App for your use in the context of
providing the App as well as to comply with the contractual obligations we may have to you or
your employer;
With third-party vendors, consultants, agents, or other service providers or other third-parties we
use to help us provide or improve the App;
To parties you consent to or direct us to send/receive information to/from pursuant to our
agreements;
When we are complying with laws or responding to lawful requests and legal processes or
responding to an emergency situation;
With our subsidiaries or affiliates;
When we believe it is necessary to protect our rights and the security of the App, to protect the
rights and security of our customers or partners, to avoid liability, and to avoid violations of the law;
or
In connection with or during negotiation or consummation of any merger, divestiture, restructuring,
reorganization, financing, acquisition, or bankruptcy transaction or proceeding involving sale or
transfer of all or a portion of our business or assets to another company.
As noted above, we may have the right under our agreements with your employer to de-identify data
in accordance with HIPAA. We may sell or disclose such de-identified information to third-parties.
Security Measures Taken to Protect Personal Information by Us
Security of all information is of the utmost importance for athenahealth. athenahealth uses technical,
physical and administrative safeguards to protect the security of your personal information from
unauthorized disclosure. However, security cannot be guaranteed against all threats.
Data Retention and Storage
We retain your information for as long as permitted under our contracts with you or your employer who
purchased the App for your use or as needed to comply with our legal obligations, to resolve disputes, and
to enforce our legal rights, policies, terms and agreements.
Collection of Information from Children
athenahealth recognizes the importance of protecting the privacy and safety of children. Our App is
directed towards the general audience and is not directed towards children. We do not knowingly collect
information from children under the age of 13.
Electronic communications
In connection with your accounts created through your use of the App, athenahealth may need to send
business, informational, support and security related messages (whether texts, alerts or calls) to all
telephone numbers, including cellular numbers or mobile devices, you choose to provide on your
accounts. You agree such texts or calls may be pre-recorded messages or placed with an automatic
telephone dialing system. In addition, you agree that athenahealth may send service or account related
text messages to cellular phone numbers you provide to athenahealth, and you agree to accept and pay
all carrier message and data rates that apply to such text messages.
If you choose to provide an e-mail or other electronic address on your account, you acknowledge and
consent to receive business and informational messages relating to your account at the address, and you
represent and warrant that such address is your correct address and is not accessible or viewable by any
other person.
Third-Party Platforms
The App may include links to or information about websites, applications, products, services, and solutions
that are operated by third parties (“Third-Party Platforms”). We do not control and are not responsible for
Third-Party Platforms or any information you may share with, or access from, any Third-Party Platforms.
Changes to our Privacy Policy
We reserve the right to amend this Privacy Policy, at our discretion and at any time. When we make
changes to this Policy, we will post the updated Policy on the App and update the Policy’s last revision
date, which also constitutes the Policy’s effective date. Your continued use of our website following the
posting of changes constitutes your acknowledgment of such changes.
Contact information
You may contact us by:
Calling us at 888-807-2076.
Completing the form at https://www.athenahealth.com/consumer-privacy-request
Via mail at: athenahealth, Inc.
Attn: Chief Compliance Officer
80 Guest Street
Boston, MA 02135