BLUFF AUGUSTA PRIVACY POLICY

What information does BluffAugusta.com collect from site visitors?

You can visit BluffAugusta.com without telling us who you are or revealing any personal information. While we do log IP addresses (the Internet address of a computer) and use "cookie" technology to track user sessions and page views on our site. Tracking user sessions and page views helps us understand how visitors use our site, which areas are most popular, and how long visitors spend there. Bluff's cookies do not collect personally identifiable information unless you've already previously registered or provided your information via one of our contact forms.

How is my email address or other personal information used?

Bluff uses email addresses submitted through our Web site to reply to your requests for information about our company, services, and other general information.

We will need certain details — such as your name, email address, postal address, or phone number in order to respond to your inquiries and provide you with more information on those services. We may also use your contact information to inform you of additional Bluff services that you might be interested in. You can elect not to receive such information by opting out by sending an email to [email protected] or by clicking on the opt-out links at the bottom of our emails and communications.

In certain instances, such as when you register for an event or subscribe to a publication or to respond to a specific marketing campaign, etc. you may be asked to provide more detailed information. This information is to help us gain a better understanding of how Bluff can best respond to your needs.

All information submitted through BluffAugusta.com's contact forms for company information, services, investor relations, employment, partnerships, and media relations and press inquiries are treated as confidential by Bluff's staff. We do not sell, rent, or loan our subscriber list to any third parties.

How do I remove my email address from email communications to which I previously subscribed?

Bluff offers a subscription-based e-mail to patients, clients, partners, investors, media representatives, and other interested parties, providing the latest company news, information, events, and trends. You will find instructions on how to unsubscribe from this communication at the bottom of every email. Or you can send an unsubscribe request to [email protected].

Does this Privacy Policy include third-party Web sites that may be hyperlinked from BluffPlantation.com?

BluffAugusta.com's Privacy Policy only addresses the use and disclosure of information collected by Bluff on its own Web sites. We do not control and are not responsible for the privacy and data collection practices on other sites we host, manage or partner with, or among third parties with which we contract.

In some instances, such as event registration, visitors may be asked to submit credit card information for payment. All credit card transactions initiated on our Web sites are handled independently by one of our payment processing partner companies. These firms maintain their own error and credit card transaction logs, and are responsible for creating and adhering to their own privacy policies.

In what instances may Bluff be obligated to provide information about its site visitors?

Bluff cooperates fully with law enforcement, other governmental agencies, and third parties to enforce laws, defend intellectual property, and protect other rights. To this end, we may disclose the personal information of our registered visitors if and when:

• We're required to do so by law
• We believe that such disclosure is necessary to protect us from legal liability
• We believe that we need to do so to protect someone's safety

At Bluff, we realize that you exercise caution when submitting personal information about yourself via the Internet. That's why we are committed to maintaining your privacy and protecting the information that you share with us.

MARKETING UNDER HIPAA PRIVACY STANDARDS

PURPOSE
To facilitate compliance with requirements of the Health Insurance Portability and Accountability Act (HIPAA) Standards for Privacy of Individually Identifiable Health Information (Privacy Standards), 45 CFR Part 164 and the sections that relate to uses and disclosures of protected health information (PHI) for marketing purposes, the Health Information Technology for Economic and Clinical Health Act (HITECH) component of the American Recovery and Reinvestment Act (ARRA), and applicable state laws.

POLICY
An authorization signed by the patient or the patient's Personal and/or Legal Representative (as defined in Pyramid Healthcare's Privacy & Security Program Policy) is required and must be obtained for any uses or disclosures of PHI for purposes of marketing under the HIPAA Privacy Standards. The patient shall be provided with clear notice of how the PHI will be used or shared. This policy applies to Pyramid Healthcare, Inc, and its affiliates and subsidiaries ("Pyramid Healthcare") and all members of the Pyramid Healthcare workforce.

Cookie

A "cookie" is a small text file that a website can place on your computer's hard drive in order, for example, to collect information about your activities on the site or to make it possible for you to use an online "shopping cart" to keep track of items you wish to purchase. The cookie transmits this information back to the Web site's computer, which, generally speaking, is the only computer that can read it. Most consumers do not know that "cookies" are being placed on their computers when they visit websites. If you want to know when this happens, or to prevent it from happening, you can set your browser to warn you when a website attempts to place a "cookie" on your computer.

As defined by the Federal Trade Commission.

1. PRIVACY & SECURITY PROGRAM

PURPOSE
The Patient Privacy & Security Program is part of the overall Compliance Program at of Pyramid Healthcare, Inc and its affiliates ("Pyramid Healthcare").

This Privacy and Security Program will provide information for employees (and others defined below as workforce members) ("Associates") about the privacy rights that patients have regarding the use and disclosure of their Protected Health Information (PHI).

This policy establishes general requirements and best practices under the Health Insurance Portability and Accountability Act (HIPAA) Standards for Privacy of Individually Identifiable Health Information (Privacy Standards), the Security Rule, the Health Information Technology for Economic and Clinical Health Act (HITECH) component of the American Recovery and Reinvestment Act of 2009 (ARRA), and any applicable state privacy laws.

POLICY
Pyramid Healthcare work to balance business needs and uses of PHI with patients' rights outlined in the HIPAA Privacy & Security Standards.

2. MEDICAL RECORD DISCLOSURES

PURPOSE
To establish guidelines for responses to requests for medical records and other uses and disclosures of PHI.

POLICY
Healthcare information about a patient will not be disclosed to any person other than as outlined in this policy or as authorized by law (see "Request and Disclosure Table"). In all other cases, PHI may be disclosed without the patient's HIPAA compliant authorization only as permitted by law. Some examples are below:

1. Treatment, Payment & Operations: PHI may be disclosed to Health Care providers, health plans for purposes of their
   treatment, payment, or specified health care operations.
2. PHI may also be disclosed without a patient's authorization when necessary to meet the following regulatory, public
   health, and other public purposes:
   1. For billing, claims management, medical data processing, or other administrative purposes;
   2. To committees engaged in reviewing the competence or qualifications of an Pyramid Healthcare or any Health Care
      professional or reviewing health care services;
   3. As otherwise authorized by law or for public health activities,
   4. When needed to report victims of abuse, neglect or domestic violence,
   5. For judicial, administrative proceedings or law enforcement purposes,
   6. To avert serious threat to health or safety, or assist in relief efforts;
   7. When members of Pyramid Healthcare's workforce are victims of a crime.

For each public and public health purpose listed above, specific requirements must be met prior to the disclosure of PHI and such disclosure must be reviewed by the CPO and/or Pyramid Healthcare's legal counsel.

3. PATIENT PRIVACY RIGHTS

PURPOSE
The purpose of this policy is to provide information to Associates about the privacy rights that patients have regarding the use and disclosure of PHI.

POLICY

1. Notice of Privacy Practices

The "Notice of Privacy Practices" will be used to inform patients about how we may use and/or disclose their information. The "Notice of Privacy Practices" also describes the actions a patient may take, or request us to take, with regard to the use and/or disclosure their PHI. Patients may on intake or from time to time be asked to acknowledge receipt of the "Notice of Privacy Practices" or be given a copy.

Nothing in this policy shall prevent Pyramid Healthcare from changing its policies or the "Notice of Privacy Practices" at any time, provided that the changes in the policies or the "Notice of Privacy Practices" comply with state or federal law.

4. MINIMUM NECESSARY

PURPOSE
To provide Pyramid Healthcare guidance related to using and disclosing only the minimum amount of identifiable Protected Health Information ("PHI") to fulfill the purpose of the use or disclosure, regardless of the extent of access provided. This policy covers uses and disclosures of PHI in any form including oral, written and/or electronic mediums. Each Associate is responsible for adhering to this policy by using only the minimum information necessary to perform his or her responsibilities, regardless of the extent of access provided or available.

POLICY
Pyramid Healthcare will make all reasonable efforts not to use or disclose more than the minimum amount of PHI necessary to accomplish the intended purpose of the use or disclosure. Only Associates with a legitimate "need to know" may access, use or disclose patient information. This includes all activities related to treatment, payment and health care operations of the facility. Each Associate may only access, use or disclose the minimum information necessary to perform his or her designated role regardless of the extent of access provided to him or her.

The minimum necessary requirement is not imposed in any of the following circumstances:

1. Disclosure to or a request by a health care provider for the purpose of treatment;
2. Uses or disclosures made to an individual who is the subject of the information, or the individual's personal representative;
3. Use or disclosure made pursuant to a HIPAA compliant authorization;
4. Disclosure for complaint investigation, compliance review or enforcement;
5. Use or disclosure that is required by law; or
6. Uses or disclosures of de-identified information.

5. PRIVACY COMPLAINT PROCESS

PURPOSE
The purpose of this policy is to provide information for handling privacy complaints.

POLICY
Under the Privacy Standards and state laws governing privacy and confidentiality of health information, a patient may file a complaint with Pyramid Healthcare, as well as others if they believe their privacy rights have been violated. The CPO will be involved in all privacy related complaints as part of the overall complaint handling polices.

6. PATIENT'S RIGHT TO ACCESS

PURPOSE
To ensure patients the right to inspect and/or obtain a copy of their protected health information (PHI) as required by federal and state law.

POLICY
Patients, or the patient's legal representative will be provided the right to inspect and/or obtain a copy of their protected health information that is contained within a designated record set. The facility may deny a request under certain circumstances. Some states have separate patient privacy laws that may apply additional legal requirements. Contact the CPO to identify and comply with any such additional legal mandates.

7. PATIENT'S RIGHT TO AN ACCOUNTING OF DISCLOSURES

PURPOSE
To provide an Accounting of Disclosures of PHI to all individuals.

POLICY
Individuals have the right to receive a list of certain disclosures that Pyramid Healthcare has made of their PHI. Requests for an Accounting of Disclosures must be made in writing or the verbal request must be documented.

A system must be in place within each facility to accurately and completely track all disclosures and have such information available for a minimum of seven (7) years as required by the HIPAA Privacy Rule and applicable state laws.

8. PATIENT'S RIGHT TO AMEND

PURPOSE
To ensure patients the right to amend PHI stored in a designated record set as required by state and federal laws.

POLICY
Patients will be provided the right to request an amendment to their PHI that is contained within the designated record set for as long as the information is maintained by Pyramid Healthcare

A Pyramid Healthcare facility may deny a patient's request for amendment, if it determines that the PHI that is the subject of the request: Was not created by the facility, and the patient is unable to show in writing that the creator of the PHI is no longer available to act on the requested amendment; Is not part of the designated record se or is accurate and complete; or is not available to the patient for inspection.

If the request for amendment is denied, the CPO will provide the patient with a written denial letter that outlines the reason for the denial.

9. PATIENT'S RIGHT TO CONFIDENTIAL COMMUNICATIONS

PURPOSE
To ensure patients the right to request Confidential Communications as required by state and federal laws.

POLICY
Patients are permitted to request confidential communications if they can be produced in in a requested form and format.

All reasonable requests for Confidential Communications will be accommodated by the facility. Confidential Communications pertain to all future correspondence and communication related to the specific visit(s) stated in the request.

Acceptable alternate means of communication include mail, telephone, and in limited circumstances may include fax and encrypted e-mail. Any requests for communication via phone only must also include a mailing address (permanent or alternate) for purposes of billing and collections. Unacceptable means include unencrypted e-mail and Internet communications (as security of the transmission cannot be guaranteed).

10. PATIENT'S RIGHT TO PRIVACY RESTRICTIONS

PURPOSE
To ensure patients the right to request privacy restrictions on the use or disclosure of their PHI as required by state and federal laws.

POLICY
Patients will be provided the right request restrictions on certain use or disclosures of their PHI contained within the designated record set. A determination to restrict uses or disclosures must be made very carefully to ensure the request can be met.

Pyramid Healthcare will endeavor to comply with a patient's request to restrict or limit the disclosure of the individual's PHI to a health plan if 1) the disclosure is for payment or healthcare operations (not treatment), 2) the PHI pertains solely to a health care item or service for which the patient has paid out of pocket and in full, and 3) Pyramid Healthcare is not legally required to disclose such information.

11. SALE OF PHI

PURPOSE
Pyramid Healthcare will comply with restriction on the sale of PHI.

POLICY
The "sale of PHI" refers to a disclosure of PHI by Pyramid Healthcare or a Business Associate, if applicable, where Pyramid Healthcare or the Business Associate directly or indirectly receives remuneration from or on behalf of the recipient of the PHI in exchange for the PHI. However, the sale of PHI does not include disclosures:

1. For public health purposes;
2. For research purposes where the only payment is a reasonable to cover the costs;
3. For the sale, transfer, merger, or consolidation of all or part of the organization and for related due diligence;
4. To a Business Associate for activities undertaken by the Business Associate on behalf of Pyramid Healthcare when the only payment provided is by Pyramid Healthcare to the Business Associate.

12. DE-IDENTIFICATION OF PHI

PURPOSE
To provide specific guidance regarding the definition of, and the uses and disclosures of de-identified information, as required by the HIPAA Privacy Standards and or state privacy laws.

POLICY
PHI may be used to create information that is not individually identifiable. Health information that does not identify an individual, and for which there is no reasonable basis to believe that it can be used to identify an individual, is not PHI and is no longer covered by the HIPAA Privacy Standards or state privacy laws.

13. CLINICAL RESEARCH

POLICY
Pyramid Healthcare is committed to conducting research in compliance with all applicable laws, regulations and policies. As part of this commitment Pyramid Healthcare has adopted a policy to clearly define the circumstances under which PHI may and may not be used internally or disclosed externally in connection with research activities.

14. PATIENT AUTHORIZATION TO RELEASE MEDICAL RECORDS

PURPOSE
For all uses and disclosures of an individual's PHI other than those required by law or for treatment, payment and health care operations, HIPAA and applicable state laws require a covered entity to obtain an authorization.

POLICY
For all uses and disclosures of an individual's PHI, Pyramid Healthcare will obtain a signed authorization from the individual, unless the use or disclosure is required by law, for treatment, payment or health care operations, or otherwise permitted without an authorization (the Privacy Rule) or applicable state law.

15. MARKETING UNDER HIPAA PRIVACY STANDARDS

PURPOSE
To facilitate Marketing in compliance with requirements of HIPAA and applicable state laws.

POLICY
An authorization signed by the patient or the patient's Personal and/or Legal Representative is required and must be obtained for any uses or disclosures of PHI for purposes of marketing under the HIPAA Privacy Standards.

16. NOTICE OF PRIVACY PRACTICES

PURPOSE
To ensure that each facility understands the requirement to provide a Notice of Privacy Practices to all patients.

POLICY
Each facility will have and should provide a Notice of Privacy Practices ("Notice") to all patients. Some states have laws that may apply additional legal requirements. Consult the CPO to identify and comply with any such additional legal mandates.

17. BUSINESS ASSOCIATES

PURPOSE
To ensure that Associates understand their obligations with respect to engaging and sharing PHI with Business Associates.

POLICY
Pyramid Healthcare is permitted to disclose PHI to its Business Associates so the Business Associate may assist Pyramid Healthcare with performing its treatment, payment, and/or health care operations activities. However, prior to disclosing PHI to its Business Associates, Pyramid Healthcare must enter into Business Associate Agreements that contains, at a minimum, all provisions required by law.

Pyramid Healthcare may in some instances act as a Business Associate of other entities. When acting as a Business Associate, Pyramid Healthcare will use and disclose PHI only as permitted by the Business Associate Agreement it has entered into with the covered entity.

18. PHI BREACH NOTIFICATION

PURPOSE
To facilitate compliance with HITECH and ARRA for breach notification of unsecured PHI as well as any other federal or state notification law.

POLICY
In the case of a breach of unsecured PHI, the patient or their personal representative must be notified without unreasonable delay.

A breach is considered discovered as of the first day on which the breach is known by the business associate and/or the organization.

Centers in states with additional or more restrictive breach notification laws shall develop and implement policies and procedures addressing the state-specific requirements.

19. HIPAA VIOLATION SANCTIONS

PURPOSE
To ensure that there are appropriate sanctions that will be applied to Associates who violate the requirements of the HIPAA Privacy Rule.

POLICY
It is the policy of Pyramid Healthcare to take appropriate disciplinary action against any Associate granted access to PHI that violates Pyramid Healthcare's privacy and security policies or state, or federal confidentiality laws or regulations, HIPAA.

1. Sanction Exemptions
   Sanctions will not apply to an Associate if PHI disclosure meets the following elements:
   1. Disclosure by Whistleblowers:
      1. The Associate is acting in good faith on the belief that Pyramid Healthcare has engaged in conduct that is unlawful or otherwise violates professional or clinical standards; or, that the care, services and conditions provided by Pyramid Healthcare potentially endangers one (or more) of Pyramid Healthcare's patients, workers or a member of the general public;
      2. The disclosure is made to a federal or state health oversight agency or public health authority authorized by law to oversee the relevant conduct;
      3. The disclosure is made to an appropriate health care accreditation organization for the purpose of reporting the allegation of failure to meet professional standards or misconduct by Pyramid Healthcare; or
      4. The disclosure is made to an attorney retained by or on behalf of the employee or Business Associate for the purpose of determining legal options regarding disclosure conduct.
   2. Disclosure by Crime Victims:
      1. A disclosure of PHI made by an Associate who is the victim of a criminal act to a law enforcement official (but only if the PHI disclosed is about the suspected perpetrator of the criminal act, and the disclosed PHI is limited to identification and location information).
2. Definition of Offense
   1. Level 3 Breach: Carelessness, Unintentional — This level of breach occurs when an Associate unintentionally or carelessly accesses, reviews or reveals PHI to him/herself or others without a legitimate need to access the PHI. Examples include, but are not limited to: Associate discussing patient information in a public area; staff leaving a copy of patient medical information in a public area; staff leaving a computer unattended in an accessible area with medical record information unsecured.
   2. Level 2 Breach: Intentional (no personal gain) — This level of breach occurs when an Associate intentionally accesses or discusses PHI for purposes other than the care of the patient or other authorized purposes but for reasons unrelated to personal gain. Examples include, but are not limited to: an Associate looks up birth dates, address of friends or relatives; an Associate accesses and reviews a record of a patient out of concern or curiosity; or an Associate reviews a public personality's record.
   3. Level 1 Breach: Personal gain or malice- This level of breach occurs when an Associate accesses, reviews or discusses PHI for personal gain or with malicious intent. Examples include but are not limited to: an Associate reviews a patient record to use information in a personal relationship; an associate compiles a mailing list for personal use or to be sold.
3. Sanctions
   1. Level 3 offenses shall include, but are not limited to, the following sanctions:
      1. Verbal reprimand;
      2. Written reprimand in Associate's personnel file;
      3. Retraining on HIPAA Awareness;
      4. Retraining on Pyramid Healthcare's Privacy Policy and how it impacts Associate's role; or
      5. Retraining on the proper use of internal forms and HIPAA required forms.
   2. Level 2 offenses shall include, but are not limited to, the following sanctions:
      1. Written reprimand in Associate's personnel file;
      2. Retraining on HIPAA Awareness;
      3. Retraining on Pyramid Healthcare's Privacy Policy and how it impacts Associate's role;
      4. Retraining on the proper use of internal forms and HIPAA required forms; or
      5. Suspension of Associate (In reference to suspension period: minimum of one (1) day/ maximum of three (3) days).
   3. Level 1 offenses shall include, but are not limited to, the following sanctions:
      1. Termination of employment or working relationship;
      2. Civil penalties as provided under HIPAA or other applicable Federal/State/Local law; or
      3. Criminal penalties as provided under HIPAA or other applicable Federal/State/Local law.

20. ACCESS TO PHI BY ASSOCIATES

PURPOSE
The purpose of this policy is to provide information to Associates of Pyramid Healthcare regarding access to PHI to assure that they recognize the importance of maintaining the confidentiality, security and integrity of PHI.

POLICY
Associates shall be granted access to PHI, whether written, electronic or verbal in nature, in accordance with HIPAA and other state and federal laws. Such access shall be limited to the minimum necessary amount of PHI the Associate needs to know in order to accomplish their job or task. In addition, communications between Associates, which involve PHI, shall also be considered confidential and should not take place in public areas. If it is absolutely necessary to conduct such conversations in public areas, reasonable steps shall be taken to assure the confidentiality of the PHI.