THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.

Our Pledge

Our Notice of Privacy Practices (the “Notice”) details the commitment of CareDx, Inc., including its covered entity affiliates such as The Transplant Pharmacy, and their agents and employees (collectively “CareDx,” “we” or “us”) to protecting the privacy of your identifiable health information. This information is known as “protected health information” or “PHI” under HIPAA (as defined below). PHI includes laboratory test orders, test results and prescriptions as well as insurance and billing information for the healthcare services we provide.

We understand that medical information about you and your health is personal, and we are committed to protecting that information. We create a record of the tests and services you receive from us to provide you with quality care and to comply with certain legal requirements. This Notice applies to all of the records of your care generated by us. Your personal doctor may have different policies or notices regarding the doctor’s use and disclosure of your PHI created in the doctor’s office or clinic. Please refer to those other policies or notices, not this Notice, to understand how your doctor’s office or clinic processes PHI.

Our Responsibilities

CareDx is required by law to maintain the privacy of your PHI and to provide you with this Notice upon request. It describes our legal duties, privacy practices, and your patient rights as determined by the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). In the event of a Breach involving Unsecured PHI, we will follow HIPAA to notify affected individuals.

How We May Use Your PHI

This Notice describes different ways that we use or disclose your PHI. For each of these categories of use or disclosure, we have provided a description and example below, but not every use or disclosure for every category is listed in this Notice. Any capitalized term not defined here has the meaning given to that term under HIPAA. As permitted by HIPAA, CareDx can use or disclose your PHI, without your written consent or Authorization, for purposes of Treatment, Payment, or Health Care Operations. To the extent HIPAA applies to CareDx applications or apps that you download and agree to, this Notice applies; for non-PHI in CareDx apps, please refer to the applicable privacy notice, policy and/or terms governing that app. Other uses and disclosures of your PHI not described in this Notice will require your written Authorization.

Subject to limited HIPAA exceptions, we will not use or disclose your PHI for “Marketing” purposes or a “Sale” of your PHI, unless you have signed an Authorization. You may revoke a HIPAA Authorization you sign at any time. If you revoke your Authorization, we will no longer use or disclose your PHI for the reasons stated in your Authorization, except to the extent we have already taken action based on your Authorization. Once we receive your written revocation, it will only be effective for future uses or disclosures of PHI. Please note we are unable to undo any disclosures of PHI we already made based on your Authorization or where CareDx is required by applicable law to retain your PHI. CareDx uses an electronic medical record (“EMR”), and CareDx also participates in electronic health information exchanges with health information organizations. The law permits us to use and disclose your health information for the following purposes:

For Treatment

We may use and disclose PHI about you for Treatment purposes. CareDx provides laboratory testing for physicians and other healthcare professionals, and we use your information in our testing process. We disclose your PHI to authorized healthcare professionals who order tests or need access to your test results for treatment purposes. Other examples include sending reminders, scheduling an ordered lab test, filling your prescriptions, contacting an at-home service or third-party testing kit provider to assist in collecting a specimen from you, and coordinating different items and services you need. Treatment can also include disclosing your PHI to people not affiliated with CareDx, such as your prescribing physician, transplant center and referring laboratory, family members involved in your care, or others involved in providing services that are part of your testing and care. Treatment also includes coordination and consultations with other health care providers relating to your care and referrals for healthcare from one health care provider to another.

For Payment

We may use and disclose PHI about you to bill and collect Payment from you, your insurance company, or a third-party payor. For example, we may disclose your PHI to health plans or other payers to determine whether you are enrolled with the payer or eligible for health benefits or to obtain payment for our services. If you are insured under another person’s health insurance policy (for example, parent, spouse, domestic partner or a former spouse), we may also send invoices to the subscriber whose policy covers your health services. We may also give your PHI to your other providers so that they may bill for their services, such as other laboratories performing tests for you. Federal or state law may require us to obtain a written release from you prior to disclosing certain specially protected PHI for payment purposes, and we will ask you to sign a release when necessary under applicable law.

For Healthcare Operations

We may use and disclose PHI about you for our Health Care Operations, including case management, customer service, accreditation, and other management/administrative activities. For example, CareDx may use and disclose your PHI for activities to support performing quality checks, internal audits, or developing reference ranges for our tests. We may use your PHI to review our tests and services and to evaluate the performance of our staff, including teaching our staff. We may establish databases of PHI and other data for our internal purposes, such as for quality review, evaluating outcomes, and developing guidelines and protocols, that we may use and disclose as permitted by HIPAA. We may also combine your PHI with PHI from other health care providers for our internal purposes, such as to decide what additional services we should offer, what services are not needed, and whether certain new treatments are effective. We may remove identifiers about you from this combined information to help protect your privacy.

We may send you possible treatment options, alternatives, or health-related benefits or services that may be of interest to you.

Business Associates

We may provide your PHI to Business Associates, which are other companies or individuals that need the information to provide services to us or assist us in providing services to you. Business Associates have agreements with us which require them to maintain the privacy and security of your PHI. For example, we may provide information to companies that assist us with accreditation and billing of our services. We may also use an outside collection agency to obtain payment when necessary.

As Required By Law

We may use and disclose your PHI as required by federal, state or local law, including laws requiring the reporting of abuse, neglect, or domestic violence. In accordance with applicable law, we may disclose your PHI to your employer if we are retained to conduct an evaluation relating to medical surveillance of your workplace or to evaluate whether you have a work-related illness or injury. You will be notified of these disclosures by your employer or the company as required by applicable law.

Avert Serious Threat to Health or Safety

We may use and disclose your PHI, if necessary, to prevent or lessen a serious threat to the health and safety of you, another person, or the public, or as necessary for law enforcement authorities to identify or apprehend an individual. Note: HIV-related information, genetic information, alcohol and/or substance abuse records, mental health records, and other specially protected health information may enjoy certain special confidentiality protections under applicable state and federal law. Any disclosures of these types of records will be subject to these special protections as applicable.

Law Enforcement and Legal Proceedings

We may provide PHI to Law Enforcement officials as permitted by HIPAA, for example, in response to an administrative request, court order, warrant, investigative demand or similar legal process, or for officials to identify or locate a suspect, fugitive, material witness, or missing person. We may also disclose an individual’s PHI to Law Enforcement agencies if we reasonably believe the individual to be a victim of abuse, neglect, or domestic violence; if the disclosure is about a death we believe may be the result of criminal action; to report a crime (including a crime on our premises); or in emergency circumstances to report a crime or describe the perpetrator.

We may disclose your PHI as required to comply with a court or administrative order, including in a lawsuit or dispute in which you are involved. We may disclose your PHI in response to a subpoena, discovery request or other legal process in the course of a judicial or administrative proceeding, but generally only if efforts have been made to tell you about the request or to seek/obtain an order of protection for the requested information.

Research

We may use and disclose PHI about you for Research purposes as permitted by HIPAA. In some situations, use and disclosure is permitted without your authorization, such as when an Institutional Review Board or privacy board has reviewed and approved the research proposal and established protocols in a clinical trial or study, where you have authorized such disclosure to us, or the information does not identify you directly. For example, a research project may involve comparisons of the health and recovery of all patients who received a particular medication. Research projects are subject to a special approval process which balances research needs with a patient’s need for privacy. When required, we will obtain a written authorization from you prior to using your health information for Research. We may also disclose information about decedents to researchers under certain circumstances. We may establish databases of PHI and other data for Research purposes as permitted by law, which we or others can use and disclose for Research purposes consistent with HIPAA, including information you provide to us or authorize others to provide to us. We may also De-Identify PHI that we receive from you or others by removing certain identifiers. De-Identified information is no longer subject to HIPAA.

Other Uses and Disclosures

As permitted by HIPAA, we may disclose your PHI (including without your Authorization or consent) for the following purposes or categories:

  • Public Health Authorities (such as to prevent or control disease, injury or disability, to report births and deaths, to report child abuse or neglect, to notify a person who may have been exposed to a disease or may be at risk for contracting or spreading a disease or condition, and to notify the appropriate government authority if we believe an adult patient has been the victim of abuse, neglect, or domestic violence (if the patient agrees or when required or authorized by law))
  • The Food and Drug Administration (“FDA”) and persons subject to the FDA (such as for activities related to quality, safety, or effectiveness of FDA-regulated products or services and to report reactions to medications or problems with products)
  • Health Oversight Activities authorized by law (including disclosure for audits, investigations, inspections and licensure, and disclosure to federal or state agencies which oversee our activities, e.g., providing health care, seeking payment and civil rights)
  • Military and Veterans (if you are a member of the Armed Forces, we may release PHI about you as required by military command authorities. We may also release PHI about foreign military personnel to the appropriate foreign military authority)
  • National Security, Protective Service and Intelligence Activities (we may release PHI about you to authorized federal officials for intelligence, counterintelligence, other national security activities authorized by law, or to authorized federal officials so they may provide protection to the President, foreign heads of state or other authorized persons)
  • Correctional Institutions/Law Enforcement Officials (if you are an inmate of a correctional institution or under the custody of a law enforcement official, we may release PHI about you to the correctional institution or law enforcement official as necessary to provide you with health care, to protect your/others’ health and safety, or for the safety and security of the correctional institution)
  • Organ and Tissue Donation Organizations (we may use or disclose PHI about you for the purpose of facilitating authorized organ, eye, or tissue donation and transplantation)
  • Coroners, Medical Examiners and Funeral Directors (as necessary to carry out their duties)
  • Workers Compensation or similar benefit programs for work-related injuries or illnesses
  • Personal Representatives (persons authorized by law to make health care decisions for you)
  • Requests by the Secretary of the U.S. Department of Health and Human Services (“HHS”), including to assess HIPAA compliance
  • As otherwise permitted by HIPAA, which includes but is not limited to De-Identifying PHI and also creating or disclosing a Limited Data Set, if certain assurances are provided to us

We may disclose relevant PHI to a family member, friend, or anyone else you designate in order for that person to be involved in your care or payment related to your care. We may also disclose PHI to those assisting in disaster relief efforts so that others can be notified about your condition, status and location.

We may use or disclose your PHI to notify, or assist in the notification of, a family member, a personal representative, or another person responsible for your care, of your location, general condition or death. If you are available, we will give you an opportunity to object to these disclosures, and we will not make these disclosures if you object. If you are not available, we will determine whether a disclosure to your family or friends is in your best interest, taking into account the circumstances and based upon our professional judgment.

We will allow your family and friends to act on your behalf to pick up filled prescriptions, medical supplies, and similar forms of PHI, when we determine, in our professional judgment that it is in your best interest to make such disclosures.

We may contact you as part of our fundraising efforts as permitted by applicable law. You have the right to opt out of receiving such fundraising communications.

Note: incidental uses and disclosures of PHI sometimes occur and are not considered to be a violation of your rights. Incidental uses and disclosures are by-products of otherwise permitted uses or disclosures which are limited in nature and cannot be reasonably prevented.

Note Regarding State Law

When applicable state law is more restrictive than federal law, we are required to follow the more restrictive state law. For example, genetic information, mental health records, alcohol and/or substance abuse records and other certain PHI may have special protections under state law. Disclosure of these types of records may be subject to additional protections as applicable to CareDx.

Your Patient Rights Under HIPAA

Right to Inspect and Copy Health Information; Receive Test Results

You have the right to request access to your PHI that we hold about you that may be used to make decisions about your healthcare. You may also receive your test results. You may obtain a form to request a copy of your completed test results by calling CareDx Customer Care at 1-888-255-6627, or emailing CareDx’s Privacy Team at privacy@caredx.com. If your request for information is denied (consistent with HIPAA), you may request that the denial be reviewed as permitted by HIPAA. HIPAA does not provide for a review for all denials. You may also request that CareDx transmit a copy of the requested PHI directly to another person designated by you, if your request is in writing, signed by you and clearly identifies the designated person and where to send the copy of the PHI. If you request a copy of your PHI, we may charge a fee for the costs of copying and mailing your PHI.

You have the right to inspect and copy the PHI contained in records consistent with HIPAA, except:

  • for psychotherapy notes, (i.e., notes that have been recorded by a mental health professional documenting counseling sessions and have been separated from the rest of your medical record),
  • for information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding,
  • for PHI involving laboratory tests when your access is restricted by law,
  • if you are a prison inmate, and access would jeopardize your health, safety, security, custody, or rehabilitation or that of other inmates, any officer, employee, or other person at the correctional institution or person responsible for transporting you,
  • if we obtained or created PHI as part of a research study, your access to the PHI may be restricted for as long as the research is in progress, provided that you agreed to the temporary denial of access when consenting to participate in the research,
  • for PHI contained in records kept by a federal agency or contractor when your access is restricted by law; and
  • for PHI obtained from someone other than us under a promise of confidentiality when the access requested would be reasonably likely to reveal the source of the information.

If there is a potential harm to yourself or others, we may deny a request for access to PHI. If we deny a request for access for this purpose, you have the right to have our denial reviewed in accordance with the requirements of applicable law.

Amend Health Information

If you believe the PHI we have about you is incorrect or incomplete, you may request an amendment to your PHI by making a written request and listing the reason for your request. However, we may deny the request as permitted by HIPAA (such as if we determine the PHI is accurate and complete, it is not available for inspection as set forth above, it is not part of your medical or billing records or other records used to make decisions about you, or we did not create the PHI at issue (unless the originator of the PHI is no longer available to act on the requested amendment)). If we deny your request to change your PHI, we will provide you with a written explanation of the reason for the denial and, if appropriate, provide additional information regarding further actions you may take. In any event, any agreed upon amendment will be included as an addition to, and not a replacement of already existing records.

Accounting of Disclosures

You have the right to request in writing and receive a list of certain disclosures of your PHI made by CareDx for a specific time period within the six years preceding the date of your written request. Under HIPAA, this generally does not include disclosures made for purposes of treatment, payment, or healthcare operations, disclosures to you, or certain other purposes as listed below. The first list you request within a 12-month period will be free. For additional lists, we may charge you for the costs, but we will notify you in advance of the costs. You may choose to withdraw or modify your request at that time before any costs are incurred. Your right to request an accounting does not apply to disclosures which are (i) incidental to a use or disclosure otherwise permitted or required by applicable law; (ii) pursuant to an Authorization; (iii) for a facility directory or to persons involved in your care; (iv) for other notification purposes as provided by law; (v) for national security or intelligence purposes as provided by law; (vi) to correctional institutions or law enforcement officials as provided by law; and (vii) part of a Limited Data Set as provided by law.

Request Restrictions

You may request in writing that we agree to restrictions on certain uses and disclosures of your PHI for treatment, payment or health care operations. This includes a request to restrict (limit) disclosure of your PHI to someone involved in your care or in payment for your care. We are not required to agree to your request, except for requests to limit disclosures to your health plan for purposes of payment or healthcare operations if you have paid us in full for that item or service out-of-pocket and the uses or disclosures are not required by law.

Request Confidential Communications

You have the right to request in writing that we send your PHI by alternative means or to an alternative address, and we will accommodate reasonable requests. For example, you may request that we only communicate with you at work.

Copy of this Notice

You have the right to obtain a paper copy of this Notice upon request.

How to Exercise Your HIPAA Rights

You may write or send an email to us with your specific request, including requesting a form to complete to obtain a copy of your test results or exercise any of the HIPAA rights summarized in this Notice. All written correspondence should be sent to the physical address or email address listed below. CareDx will consider your request and provide you a response.

Questions and Complaints

If you have any questions about this Notice, or would like to file a complaint, please email us at privacy@caredx.com, call us at 1-888-255-6627, or write to us at the following address:

CareDx, Inc.
Attention: Privacy Officer
8000 Marina Boulevard, 4th Floor
Brisbane, CA 94005

If you believe your privacy rights have been violated, you have the right to file a complaint with us. You also have the right to file a complaint with the Secretary of the U.S. Department of Health and Human Services, Office for Civil Rights. CareDx will not retaliate or take action against you or any individual for filing a complaint.

Changes to This Notice

We reserve the right to amend the terms of this Notice to reflect changes in our privacy practices, and to make the new terms and practices applicable to all PHI we maintain about you, including PHI created or received prior to the effective date of the Notice’s revision. This Notice is displayed on our website at caredx.com (go to the bottom of the main page and click on “Privacy”). You should periodically review our website to confirm you are aware of any such updates. A copy of this Notice is available upon request.

Original Effective Date: September 29, 2014

Effective Date of Latest Revision: June 22, 2022