Joint Notice of Privacy Practices

This Joint Notice of Privacy Practices describes the privacy practices of the U.S. subsidiaries of Myriad Genetics, Inc. which are a “covered entity” under Federal privacy laws which make up the Myriad Affiliated Covered Entity (“ACE”). The ACE entities are Myriad Genetic Laboratories, Inc., Crescendo Bioscience, Inc., Assurex Health, Inc., and Myriad Women’s Health, Inc. (formerly known as Counsyl, Inc.), (collectively referred to herein as “Myriad”). For purposes of complying with Federal privacy and security requirements, the above-designated entities have designated themselves an ACE. These entities are under common ownership and control and have agreed to treat themselves as a single “covered entity” under Federal privacy laws. Myriad is committed to protecting the confidentiality of your medical and health information (“protected health information” or “PHI”) as described in this Notice. We are required by law to provide this Notice to you and to maintain the privacy and security of your protected health information as stated in this Notice. Myriad Genetics, Inc., and our additional U.S. subsidiaries which are not part of the ACE and are not covered entities, also follow the relevant privacy practices outlined in this Notice.

Uses and Disclosures of Your Protected Health Information

Myriad may use or disclose your protected health information for treatment, payment, research, or healthcare operations purposes and for other purposes as permitted or required by law. Where state or federal law restricts one of the described uses or disclosures, we follow the requirements of such state or federal law. These are general descriptions only. They do not cover every example of disclosure within a category.

Treatment:

We may use and disclose your protected health information to provide you with laboratory services related to your treatment, including disclosure to other health care professionals who are involved in your care for use in treating you in the future. For example, when your test has been completed, we will use your protected health information to create a test results report which we will provide to the physician that ordered your test.

Payment:

We may use and disclose your protected health information to bill and obtain payment from health plans or other entities for the services we provide to you. For example, we may contact your health plan to verify coverage for the services we are providing, to get prior approval for those services when required, or to generate a claim for the services provided to obtain payment.

Research:

We may use and disclose your protected health information for internal and external research purposes to, among other things, develop and improve our testing services and products. We may disclose your PHI to organizations that support medical research or that find, investigate, or cure diseases. To do this, we will use standard de-identification practices to de-identify your PHI before it is disclosed, or obtain your consent to do so. For example, we may use your PHI to assist us in developing our variant classification program.

Health Care Operations:

We may use and disclose your protected health information, as needed, in order to support the business activities of our company, such as quality assessment and improvement activities, staff training, providing customer service, managing costs, and licensing of our laboratory with the goal of improving the care we provide. For example, we may use your PHI to develop and improve our internal controls to improve our testing services.

Business Associates:

We may also disclose your protected health information to third party “business associates”, which may also include affiliates of Myriad, that perform various administrative activities for us related to treatment, payment or health care operations. For example, we may disclose information to an agency that performs collections on unpaid accounts. Our business associates sign an agreement stating they will maintain the privacy and security of your health information as required by law.

Persons Involved in Your Care:

We may disclose your protected health information to individuals, such as family members, relatives, personal friends or others who are involved with your care or who help pay for your care as long as you have not expressed your objection to, or requested a restriction on these types of disclosures. For example, if you are covered by your spouse’s, parents’ or other individual’s health insurance, we may disclose information to that individual relevant to payment for the services we have provided you. In all cases, we will use our best judgment and restrict the information shared to only that which is relevant to your family’s and others’ involvement in your care. In cases where you are not present or the opportunity to agree or object to the use or disclosure cannot be provided because of your incapacitation or an emergency circumstance, a disclosure may be made in your best interests.

To Perform and Improve Our Services.

We may use and disclose your PHI to, among other things, assist with your healthcare provider’s operations to facilitate the provision of healthcare services, improve and develop new screenings and other services, provide customer service when you have questions about your billing, results, or otherwise, and to run and improve our organization. We may share your PHI with your healthcare provider by discussing your Report with them or by processing claims for payment.

Other uses and disclosures:

We are permitted or required by law to share your information in other ways – usually in ways that contribute to the public good, such as public health and research. We have to meet many conditions in the law before we can disclose your information for these purposes. These additional uses and disclosures include:

• for public health and safety activities authorized by law to collect or receive such information for the purposes of preventing or controlling disease, injury, or disability;
• to certain governmental agencies if we suspect child abuse or neglect; we may also release your protected health information to certain governmental agencies if we believe you to be a victim of abuse, neglect, or domestic violence;
• to Food and Drug Administration (FDA) regulated entities for purposes of monitoring or reporting the quality, safety, or effectiveness of FDA regulated products, or to participate in product recalls;
• to your employer when we have provided health care to you at the request of your employer for purposes related to occupational health and safety (in most cases you will receive notice
• that information is disclosed to your employer);
• if required by law to a government oversight agency conducting audits, investigations, inspections and related oversight functions; in emergency circumstances, such as to prevent a serious and imminent threat to a person or the public;
• to respond to lawsuits or legal actions (if required or requested by a legal representative, court or administrative order, subpoena or discovery request, in most cases you will have notice of such release);
• to law enforcement officials to identify or locate suspects, fugitives or witnesses, or victims of crime, or for other allowable law enforcement purposes;
• to correctional institutions, to the extent that Myriad makes such disclosures to coroners or medical examiners for the purpose of identifying a deceased person, determining cause of death or another purpose authorized by law and to funeral directors as necessary to carry out their duties with respect to the deceased to the extent consistent with applicable law;
• if necessary to arrange an organ or tissue donation from you or a transplant for you;
• if you are a member of the military for activities set out by certain military command authorities required by armed forces services;
• if necessary for national security, intelligence, or protective services activities;
• for purposes related to your workers’ compensation benefits or similar programs that provide benefits for work-related injuries or illness;
• to researchers when the research they are conducting has been approved by an institutional review or privacy board that has reviewed the research proposal and established protocols to ensure the privacy of your protected health information or to people preparing to conduct a research project;
• in connection with the publication of clinical research or studies in peer reviewed journals or for medical and societal presentations, or disclosure to publicly available databases such as the National Center for Biotechnology Information, in which case we use standard de-identification practices to de-identify PHI before it is disclosed;
• as a part of a business transaction, such as a merger or acquisition of all or part of our business; in this event, your PHI will still be afforded the same or comparable protections contained in this Notice;
• we may make a disclosure to the secretary of the HHS for HIPAA Rules compliance and enforcement purposes; and
• we may create and distribute de-identified health information by removing all individually identifiable information.

For all of the above purposes, in cases where state law is more restrictive than federal law, we are required to follow the more restrictive state law.

Uses and Disclosures with Your Authorization

Uses and disclosures of your protected health information other than those stated immediately above will be made only with your written authorization. Examples include, but are not limited to:

• use or disclosure of protected health information for marketing purposes, and
• disclosures that constitute a sale of your protected health information.

If you provide authorization for the disclosure of your health information, you may revoke this authorization at any time in writing, except to the extent that Myriad or a Myriad’s business associates has taken an action in reliance on the use or disclosure indicated in the authorization.

Your Individual Rights

Following is a statement of your rights related to your protected health information and how you may exercise these rights. In accordance with the privacy rule, in the event that you request access, restrictions, confidential communications, record amendments or an accounting of disclosures, Myriad is required to respond within 30 days of receiving your request. Myriad may notify you within the first 30 days of receiving your request that an additional 30 days is necessary to respond to your request.

Access:

You have the right to access and receive a copy of your protected health information that may be used to make decisions about your care or payment for your care. If we maintain the information you have requested in an electronic format you can ask for it to be provided to you electronically, and also ask us to electronically send copies to another person. Requests for access to or copies of your protected health information must be submitted to Myriad in writing following the applicable process listed below.

For Myriad Genetic Laboratories patients: Contact Customer Support at (800) 469-7423 or use Myriad’s record request form which is located at mysupport360.com under the “Resources” tab in the “Patient Records Request” section.

For Assurex Health patients: Contact Customer Support at (866) 757-9204 or via email at support@assurexhealth.com.

For Myriad Women’s Health patients: Contact Customer Support at 1-888-COUNSYL (1-888-268-6795) or via email at privacy@counsyl.com

For Crescendo Biosciences patients: Contact Customer Support at (877) 743-8639 or medicalrecords@myriad.com.

Restrictions:

You may ask us to limit the use and disclosure of your protected health information for the purposes of treatment, payment and health care operations activities. We will consider your request carefully, but we may not be required to agree to your requested restrictions. Requests for restrictions should be directed to the Privacy Officer.

Confidential Communications:

You have the right to ask that we send information to you to an alternate address or by alternate means. We will accommodate reasonable requests. Requests for alternate means of sending protected health information and the use of alternate addresses should be directed to the Privacy Officer.

Amendments:

You have the right to request an amendment of your protected health information. We will honor your request unless we are not the originator of the information or we believe the information you requested to be amended is accurate and complete. Requests for amendments to medical records should be directed to the Privacy Officer.

Accounting of Disclosures:

You have a right to receive a list of certain instances in which we disclosed your protected health information. This list will not include disclosures of protected health information such as those made for treatment, payment, health care operations, or disclosures made based on your written authorization. You can request a list including disclosures made up to six years prior to the date of your request. Requests for an accounting of disclosures should be directed to the Privacy Officer.

Breach Notification:

You will be notified within 60 days in the event that we (or one of our business associates) discover a breach of your unsecured protected health information. Notification will include any impact that the breach may have had on you and/or your family member(s) and actions Myriad undertook to minimize the impact of the breach.

Copy of this Notice:

If you have received this Notice electronically, you have a right to receive a paper copy at any time. You may download a copy of this Notice from our website, or you may obtain a paper copy of the Notice by calling or writing our Privacy Officer.

Complaints/Objections:

If you believe that your privacy rights have been violated by us or disagree with our privacy practices, you may file a complaint. You may file a complaint with us by notifying our Privacy Officer, or you may send a written complaint to the Secretary of the U.S. Department of Health and Human Services. We will not retaliate against you if you file a complaint about our privacy practices. For further information regarding our complaint process, you may contact our Privacy Officer.

Contacts

Privacy Officer Myriad Genetics, Inc. 320 Wakara Way Salt Lake City, UT 84108 (800) 469-7423 privacy@myriad.com

Changes to this Notice

We reserve the right to change this Notice and to make the provisions in our new Notice effective for all protected health information we maintain. If we change these practices, we will publish a revised Notice on our website.

Effective Date

This notice became effective on September 30, 2018.