Privacy Policy
OVERVIEW
Arthrosurface takes data security and your personal privacy seriously. We are the sole owners of the information collected on this site and will only provide it to third parties like your primary care provider upon your explicit request. We will not sell or rent this information to anyone and adhere to HIPAA data policies.1
We only collect information that you voluntarily give us via email, online form, or other direct contact from you. We will use your information to respond to you regarding the reason you contacted us, provide services, and fulfill administrative tasks.
Unless you ask us not to, we may contact you via email in the future to tell you about new products or services, send greetings and other cordial correspondence, or notify you of changes to this privacy policy. You may be contacted via direct mail, email, text message, or phone. You can unsubscribe from our emails at any time.
OUR GOALS
Arthrosurface respects users’ rights to their data. All data is secured to the best of our ability and stored in compliance with HIPAA. As a healthcare provider, all transactions including claims, eligibility inquiries, referral requests, and other action items under the HIPAA Transactions Rule are done in compliance with HIPAA data privacy rules. In broadest terms, we will use your information to respond to you regarding the reason you contacted us and will not share it with any third party outside our organization, other than as necessary to fulfill your request, e.g. notify your physician’s office or process a payment.
INFORMATION WE COLLECT
We may collect personally identifiable information about you such as your full name, phone number, email address, and information related to your joint and medical needs. For our staff to fulfill your requests, there is some mandatory information that Arthrosurface requires to find surgeons in your area that are experienced with our implants, answer questions, and to contact you with information regarding your service requests. Information is most frequently gathered through our “Contact” and “Find a Doctor” forms, but may also be gathered from information provided in person or through customer support.
HOW WE USE YOUR INFORMATION
We use data such as users’ email addresses for administrative purposes such as marketing communications, customer service, scheduling, and to find a qualified surgeon that is experienced with our implants. We use your data to understand and analyze usage trends and preferences of our site visitors to improve service and improve web functionality. Further, we may use statistics from de-identified aggregate data of our patients for promotional purposes such as to journals or other third party publications for product features or to researchers to advance medical knowledge.
INFORMATION STORAGE
Your information may be stored and processed in the United States or any other country in which Arthrosurface or its subsidiaries, affiliates, or service providers maintain facilities. Information is stored in our trusted host sites. We take precautions to protect your information. When you submit sensitive information via the website, your information is protected both online and offline.
Other health care providers and insurance agencies may pay us on your behalf. We do not collect your personal payment information, only a record of payments issued for billing and accounting purposes.
While we use encryption to protect sensitive information transmitted online, we also protect your information offline. Only employees who need the information to perform a specific job (for example, billing or customer service) are granted access to personally identifiable information.
INFORMATION PROTECTIONS
In compliance with HIPAA, individually identifiable health information such as demographic data, patients’ present or past physical or mental health, provided health care services, and present, past, and future payment for services are protected as it relates to an identifiable individual or where there is a reasonable basis to believe that the individual can be identified. Identifiable health information will only be disclosed when I. an individual or their personal representatives request access to it, or II. when Arthrosurface is legally required to do so under investigation, review, or enforcement action. There is no restriction on de-identified information. You can view more information about HIPAA data compliance here.2
THIRD PARTIES
We may occasionally pass information to physicians upon patient request. We do not share your information with third parties. Unless you request we forward your information, the data is accessible to only Arthrosurface staff.
DATA BREACHES
A data breach is the unauthorized acquisition or use of sensitive personal information such as a Social Security Number, driver’s license number, and financial information, that creates a substantial risk of identity theft or fraud. In case of a serious data breach, Arthrosurface will notify all mandated supervisory authorities including but not limited to the Office of Consumer Affairs and Business Regulation and the Attorney General’s Office in accordance with Massachusetts state law as soon as possible so users can take appropriate measures.2 Additionally, in accordance with the FTC requirements3, if health information is leaked, individuals will be personally notified without unreasonable delay and within 60 calendar days after the breach is discovered. If more than 500 residents of a particular state are affected by a breach, Arthrosurface will additionally notify prominent media outlets that serve the relevant geographic area(s). You can read more about the FTC’s health breach notification requirements here.4
LINKS
This website contains links to other sites. Please be aware that we are not responsible for the content or privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of any other site that collects personally identifiable information.
MANDATORY DATA
In order to use this website, a user must first complete the registration form. During registration a user is required to give certain information (such as name and email address). This information is used to contact you about the products and services on our site in which you have expressed interest. All mandatory fields are marked on every online form and will be communicated when applicable in person. Unmarked fields, while not required, are helpful in pursuing your medical interests and improving your overall experience with Arthrosurface.
COOKIES
We use “cookies” and marketing analytic tools on this site. A cookie is a piece of data stored on a site visitor’s hard drive to help us improve your access to our site and identify repeat visitors to our site. Cookies can also enable us to track and target the interests of our users to enhance their experience on our site. Usage of a cookie is in no way linked to any personally identifiable information on our site.
USER RIGHTS
Some of the data rights for our clients and users include a right to be informed about how Arthrosurface is using your personal data, a right to access what information we have stored about you, a right to have your data rectified, and a right to object to how your data is being used.
YOU CAN
We respect your privacy rights and will provide reasonable access to the Personal Data that we have gathered. You can contact Arthrosurface at any time to:
- request access to the information that Arthrosurface has about you
- correct any information that Arthrosurface has on you
- opt out of our email services
If you have any additional questions about Arthrosurface’s data collection and storage of data, please contact us at: marketing@arthrosurface.com
Footnotes:
1. https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html
2. https://www.mass.gov/service-details/requirements-for-data-breach-notifications
3. 45 CFR §§ 164.400-414
4. https://www.ftc.gov/tips-advice/business-center/guidance/complying-ftcs-health-breach-notification-rule