PRIVACY POLICY

This Privacy Policy governs the manner in which WP&H LLC (and its subsidiaries Military Medical Supplies, CalMed Hawaii, and CompPlus Ancillary) collects, uses, maintains and discloses information collected from users (each, a "User") of the https://compplusancillary.com, https://militarymedical.us.com and https://calmedhawaii.com websites ("Sites") This privacy policy applies to these Sites and all products and services offered by WP&H LLC

Personal identification information

We may collect personal identification information from Users in a variety of ways, including, but not limited to, when Users visit our site, register on the site, place an order, fill out a form or application, respond to a survey, subscribe to the newsletter and in connection with other activities, services, features or resources we make available on our Site. Users may be asked for, as appropriate, name, email address, mailing address, phone number, and credit card information.

Users may, however, visit our Site anonymously.

We will collect personal identification information from Users only if they voluntarily submit such information to us. Users can always refuse to supply personally identification information, except that it may prevent them from engaging in certain Site related activities.

California’s California Consumer Privacy Act (“CCPA”) and California Privacy Rights Act (“CPRA”) provide customers/patients with certain rights which is outlined in this policy:

• Knowledge of information collected;

• Deletion of information collected;

• Opt-out of information collected;

• Opt-in of information collected;

• Correction of information collected;

• Go to court;

• Limit use of information collected;

• Not to be discriminated or retaliated against for exercising rights under the law.

Non-personal identification information

We may collect non-personal identification information about Users whenever they interact with our Site. Non-personal identification information may include the browser name, the type of computer and technical information about Users means of connection to our Site, such as the operating system and the Internet service providers utilized and other similar information.

Web browser cookies

Our Site may use "cookies" to enhance User experience. User's web browser places cookies on their hard drive for record-keeping purposes and sometimes to track information about them. Users may choose to set their web browser to refuse cookies, or to alert you when cookies are being sent. If they do so, note that some parts of the Site may not function properly.

How we use collected information

WP&H LLC and its subsidiaries collects and uses Users personal information for the following purposes:

To improve customer service

Your information helps us to more effectively respond to your customer service requests and support needs.

To personalize user experience

We may use information in the aggregate to understand how our Users as a group use the services and resources provided on our Site.

To improve our Site

We continually strive to improve our website offerings based on the information and feedback we receive from you.

To process transactions

We may use the information Users provide about them when placing an order only to provide service to that order. We do not share this information with outside parties except to the extent necessary to provide the service.

To administer a content, promotion, survey or other Site feature

To send Users information they agreed to receive about topics we think will be of interest to them.

To review to your interest in a career with us

We may use the information Users provide about them when submitting their resume and contact information to an open position on our careers page.

To send periodic emails

The email address Users provide for order processing, will only be used to send them information and updates pertaining to their order. It may also be used to respond to their inquiries, and/or other requests or questions. If a User decides to opt-in to our mailing list, they will receive emails that may include company news, updates, related product or service information, etc. If at any time the User would like to unsubscribe from receiving future emails, we include detailed unsubscribe instructions at the bottom of each email or User may contact us via our Site.

Data Rights

Individuals have:

The right to delete personal information.
The right to correct inaccurate personal information.
The right to know, which encompasses (a) the right to a disclosure about how the business collects, uses, and discloses the requestor's personal information and (b) the right to access the specific pieces of personal information obtained by the business.
The right to opt out of sales of personal information.
The right to opt out of sharing of personal information, meaning disclosure of personal information to third parties for behavioral advertising.
The right to limit the use and disclosure of sensitive personal information.

How we protect your information

We adopt appropriate data collection, storage and processing practices and security measures to protect against unauthorized access, alteration, disclosure or destruction of your personal information, username, password, transaction information and data stored on our Site. Sensitive and private data exchange between the Site and its Users happens over an SSL secured communication channel and is encrypted and protected with digital signatures. We do not sell or trade personal data with 3rd parties, disclosures to 3rd parties are made for a “business purposes” only.

Vendor Contracting

Personal information may be provided to a vendor (only) that are contracted specifically to fulfill or track an order request that is fulfilled by such vendor.

Requests and Verifications

An individual’s authorized agent can make a request under the CPRA via mail to 1172 N Knollwood Circle, Anaheim, CA 92801

WP&H LLC will match identifying information provided by the individual to the personal information of the individual already maintained.

Requests for a right to know, delete, or correct data will be addressees within 45 days from the date the request was received. However, WP&H LLC can extend the response period with notice and if deemed reasonably necessary. All requests to know, delete, or correct will received a receipt confirmation within 10 business days of receiving the request.

WP&H LLC holds data records for no more than 12 months. Therefore. a request may be denied that is beyond a 12-month period.

Compliance with children's online privacy protection act

Protecting the privacy of the very young is especially important. For that reason, we never collect or maintain information at our Site from those we actually know are under 16, and no part of our website is structured to attract anyone under 16.

HIPAA and Privacy

The Health Insurance Portability and Accountability Act and supplemental legislation collectively referred to as the HIPAA. Rules (HIPAA) lay out privacy and security standards that protect the confidentiality of protected health information (PHI). In terms of unified communication systems, the solution and security architecture must comply with the applicable standards, implementation specifications and requirements with respect to electronic PHI.

The general requirements of HIPAA state that covered entities and business associates must:

Ensure the confidentiality, integrity, and availability of all electronic PHI the entity creates, receives, maintains, or transmits.
Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.
Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under the privacy regulations.
Ensure compliance by its workforce.

Who must comply with HIPAA?

All military and civilian health care plans, health care clearinghouses and health care providers who electronically conduct financial and administrative transactions must comply with HIPAA. TRICARE, military hospitals and clinics, providers, regional contractors, subcontractors and other business associate relationships fall within these categories. HIPAA's Privacy Rule and Security Rule relate specifically to the privacy and security of your protected health information (PHI).

How the privacy rule protects you

The HIPAA Privacy Rule lets medical staff use and disclose your PHI for treatment, payment and health care operations without written authorization. Your permission is required for most other uses and disclosures.

Under the Privacy Rule, you have the right to:

Receive a copy of the Military Health System Notice of Privacy Practices • Request access to PHI
Request amendment of PHI
Request an accounting of PHI disclosures.
Request restriction on PHI use and disclosure
File a complaint regarding privacy infractions
HIPAA and Lactation Education Classes

We offer lactation education classes that are supported via third party Zoom.com. WP&H LLC has executed a business associate agreement to enable a HIPAA compliance program by safeguarding PHI.

WP&H LLC has employed the appropriate administrative, technical, and physical safeguards to prevent unauthorized access to, or use or disclosure of, PHI.

Zoom safeguard supports Security Rule standards (published in the Federal Register on February 20, 2003; 45 CFR Parts 160, 162, and 164 Health Insurance Reform: Security Standards; Final Rule).

Access Control

Data in motion is encrypted at the application layer using Advanced Encryption Standard (AES).

Multi-layered access control for owner, admin, and members.
Web and application access are protected by verified email address and password. • Meeting access is password protected by password or waiting room.
Meetings are not listed publicly by Zoom.
Zoom leverages a redundant and distributed architecture to offer a high level of availability and redundancy.
Organizations can select data center regions for data in motion to your account. This setting does not affect the data at rest storage location.
Meeting host can easily remove attendees or terminate meeting sessions.
Hosts can lock a meeting in progress.
Meetings end automatically with timeouts.
Privacy features allow you to control session attendee admittance with individual or group entry, waiting rooms, forced meeting test pass codes, and locked room functionality.

Audit Controls

Platform connections are logged for audio and quality-of-service purposes. • Account admins have secured access to manage individual, group, or organization level management.
Data in motion traverse Zoom’s secured and distributed infrastructure.

Integrity

Multilayer integration protection is designed to protect both data and service layers.
Controls are in place to protect and encrypt meeting data.

Integrity Mechanism

Application executables are digitally signed.
Data connections leverage TLS 1.2 encryption and PKI Certificates issued by a trusted commercial certificate authority.
Web and application access are protected by verified email address and password.

Person or Entity Authentication

Web and application access are protected by verified email and password.
The meeting host must log in to Zoom using a unique email address and account password. • Access to desktop or window for screen sharing can be locked by host.
Privacy features allow session attendee admittance with individual or group entry, waiting rooms, forced meeting pass codes, waiting rooms, forced meeting pass codes, and locked room functionality.

Transmission Security

Zoom employs 256-bit AES-GCM encryption for data to protect health information.

Security and Encryption

We have implemented safeguards to ensure the security and privacy of PHI.

Data in motion is encrypted at the application layer using 256-bit AES-GCM encryption.
Advanced Chat encryption allows for a secured communication where only the intended recipient can read the secured message. Privacy features allow you to control session attendee admittance with individual or group entry, waiting rooms, forced meeting pass codes, and locked room functionality.

Privacy Officers

The company has designated the corporate Human Resources Manager as the HIPAA compliance officer (HCO), and any questions or issues

regarding PHI should be presented to the HCO for resolution. The HCO is also charged with the responsibility for:

Issuing procedural guidelines for access for PHI.
Developing a matrix for personnel who will need access to PHI.
Developing guidelines for describing how and when PHI will be maintained, used, transferred or transmitted.

What if my privacy is violated?

If you think your privacy rights have been violated through the use of our website, you may submit a written complaint to our privacy officer in writing to the address listed below. You may also give us a call at 800-270-6990.

Written complaints can be sent to 1170 Knollwood Cir. Anaheim, CA 92801

Notice of Privacy Practices

When you receive treatment at a military hospital or clinic, you will be given a copy of the Notice of Privacy Practices. This document details how your medical information may be used and with whom it may be shared. If you see civilian authorized providers, they may have their own privacy practices guidelines that they will share with you at the time of your appointment. It's important that you carefully read any information about privacy practices.

This section gives you information about how to access your medical records and how HIPAA regulations relate to you.

DME Patient Rights

At WP&H LLC, we believe that our patients have rights and responsibilities, and we are committed to ensuring that we care for people respectfully, safely, and in a quality manner.

As a patient of WP&H LLC, you have the right to (which includes but is not limited to) the following:

Be given information about your rights to receive homecare services.
Receive a timely response from WP&H LLC, regarding your request for homecare services. Be given information about WP&H LLC, policies, procedures, and charges for services.
Choose your homecare providers.
Be given appropriate and professional quality homecare services without discrimination against your race, color, creed, religion, sex, national origin, sexual orientation, disability, or age. • Be treated with courtesy and respect by all who provide homecare services to you. Be free from physical and mental abuse and/or neglect.
Be given proper identification by name and title of everyone who provides homecare services to you.
Be given the necessary information regarding treatment and choices concerning rental or purchase options for durable medical equipment, so you will be able to give informed consent for your service prior to the start of any service.
Be given complete and current information concerning your diagnosis, treatment, alternatives, risks and prognosis as required by your physician’s legal duty to disclose in terms and language you can reasonably be expected to understand.
A plan of service that will be developed to meet your unique service needs. Participate in the development of your plan of care/service.
Be given an assessment and update of your developed plan of care/service. Be given data privacy and confidentiality.
Review your clinical record at your request.
Be given information regarding anticipated transfer of your homecare service to another healthcare facility and/or termination of homecare service to you.
Voice grievance with and/or suggest a change in homecare services and/or staff without being threatened, restrained and discriminated against.
Refuse treatment within the confines of the law.
Be given information concerning the consequences of refusing treatment.
Have an advance directive for medical care, such as a living will or the designation of a surrogate decision maker, respected to the extent provided by the law.
Participate in the consideration of ethical issues that arise in your care.

We are committed to providing you with quality service that meets your homecare needs and exceeds your expectations. If you have a complaint or suggestion about products, equipment, or services provided by WP&H LLC and its subsidiaries, please contact us at 800-270-6990 or on our website at https://www.militarymedical.us.com/contact

MEDICARE DMEPOS Supplier Standards

NOTE: THIS IS AN ABBREVIATED VERSION OF THE SUPPLIER STANDARDS EVERY MEDICARE DMEPOS SUPPLIER MUST MEET IN ORDER TO OBTAIN AND RETAIN THEIR BILLING PRIVILEGES. THESE STANDARDS, IN THEIR ENTIRETY, ARE LISTED IN 42 C.F.R. 424.57(C).

A supplier must be in compliance with all applicable Federal and State licensure and regulatory requirements.
A supplier must provide complete and accurate information on the DMEPOS supplier application. Any changes to this information must be reported to the National Supplier Clearinghouse within 30 days.
A supplier must have an authorized individual (whose signature is binding) sign the enrollment application for billing privileges.
A supplier must fill orders from its own inventory, or contract with other companies for the purchase of items necessary to fill orders. A supplier may not contract with any entity that is currently excluded from the Medicare program, any State health care programs, or any other Federal procurement or non-procurement programs.
A supplier must advise beneficiaries that they may rent or purchase inexpensive or routinely purchased durable medical equipment, and of the purchase option for capped rental equipment.
A supplier must notify beneficiaries of warranty coverage and honor all warranties under applicable State law, and repair or replace free of charge Medicare covered items that are under warranty.
A supplier must maintain a physical facility on an appropriate site and must maintain a visible sign with posted hours of operation. The location must be accessible to the public and staffed during posted hours of business. The location must be at least two hundred square feet and contain space for storing records.
A supplier must permit CMS or its agents to conduct on-site inspections to ascertain the supplier’s compliance with these standards.
A supplier must maintain a primary business telephone listed under the name of the business in a local directory or a toll-free number available through directory assistance. The exclusive use of a beeper, answering machine, answering service, or cell phone during posted business hours is prohibited.
A supplier must have comprehensive liability insurance in the amount of at least $300,000 that covers both the supplier’s place of business and all customers and employees of the supplier. If the supplier manufactures its own items, this insurance must also cover product liability and completed operations.
A supplier is prohibited from direct solicitation to Medicare beneficiaries. For complete details on this prohibition see 42 CFR § 424.57(c)(11).
A supplier is responsible for delivery of and must instruct beneficiaries on the use of Medicare covered items and maintain proof of delivery and beneficiary instruction.
A supplier must answer questions, respond to complaints of beneficiaries, and maintain documentation of such contacts.
A supplier must maintain and replace at no charge or repair cost either directly, or through a service contract with another company, any Medicare-covered items it has rented to beneficiaries.
A supplier must accept returns of substandard (less than full quality for the particular item) or unsuitable items (inappropriate for the beneficiary at the time it was fitted and rented or sold) from beneficiaries.
• A supplier must disclose these standards to each beneficiary it supplies a Medicare covered item. A supplier must disclose any person having ownership, financial, or control interest in the supplier.
A supplier must not convey or reassign a supplier number, i.e., the supplier may not sell or allow another entity to use its Medicare billing number.
A supplier must have a complaint resolution protocol established to address beneficiary complaints that relate to these standards. A record of these complaints must be maintained at the physical facility.
Complaint records must include: the name, address, telephone number, and health insurance claim number of the beneficiary, a summary of the complaint, and any actions taken to resolve it.
A supplier must agree to furnish CMS with any information required by the Medicare statute and regulations.
All suppliers must be accredited by a CMS-approved accreditation organization in order to receive and retain a supplier billing number. The accreditation must indicate the specific products and services for which the supplier is accredited in order for the supplier to receive payment for those specific products and services (except for certain exempt pharmaceuticals).
All suppliers must notify their accreditation organization when a new DMEPOS location is opened.
All supplier locations, whether owned or subcontracted, must meet the DMEPOS quality standards and be separately accredited to bill Medicare.
All suppliers must disclose upon enrollment all products and services, including the addition of new product lines for which they are seeking accreditation.
A supplier must meet the surety bond requirements specified in 42 CFR § 424.57(d).
A supplier must obtain oxygen from a state-licensed oxygen supplier.
A supplier must maintain ordering and referring documentation consistent with provisions found in 42 CFR § 424.516(f).
A supplier is prohibited from sharing a practice location with other Medicare providers and suppliers.
A supplier must remain open to the public for a minimum of 30 hours per week except physicians (as defined in section 1848(j) (3) of the Act) or physical and occupational therapists or a DMEPOS supplier working with custom made orthotics and
prosthetics.
DMEPOS suppliers have the option to disclose the following statement to satisfy the requirement outlined in Supplier Standard 16 in lieu of providing a copy of the standards to the beneficiary.
The products and/or services provided to you by (supplier legal business name or DBA) are subject to the supplier standards contained in the Federal regulations shown at 42 Code of Federal Regulations Section 424.57(c).

These standards concern business professional and operational matters (e.g. honoring warranties and hours of operation).

The full text of these standards can be obtained at http://ecfr.gpoaccess.gov. Upon request we will furnish you with a written copy of the standards.

Rights and Responsibilities

If you a Healthcare insurance beneficiary, you have rights regarding your health care and responsibilities for participating in your health care decisions.

Patient Rights

If you are a patient in the Healthcare System, you have the right to:

Easy-to-understand information about Health Plan
A choice of health care providers that is sufficient to ensure access to appropriate high-quality health care.
Emergency health care services when and where you need it.
Review information about the diagnosis, treatment and progress of your condition • Fully participate in all decisions related to your health care or to be represented by family members, conservators or other duly appointed representatives if you are unable to fully participate in treatment decisions.
Considerate, respectful care from all members of the health care system without discrimination based on race, ethnicity, national origin, religion, sex, age, mental or physical disability, sexual orientation, genetic information or source of payment.
Communicate with health care providers in confidence and to have the confidentiality of your health care information protected.
Review, copy, request amendments to your medical records.
A fair and efficient process for resolving differences with your health plan, health care providers and the institutions that serve them.

Patient Responsibilities

If you are a patient in the Healthcare System, you have the responsibility to:
Maximize healthy habits, such as exercising, not smoking, and maintaining a healthy diet.
Be involved in health care decisions, which means working with providers in developing and carrying out agreed-upon treatment plans, disclosing relevant information, and clearly communicating your wants and needs.
Be knowledgeable about coverage and program options, including covered benefits, limitations, exclusions, rules regarding the use of network providers, coverage and referral rules, appropriate processes to secure additional information, and appeals, claims, and grievance processes.
Be respectful of other patients and health care workers. Make a good-faith effort to meet financial obligations.
Follow the claims process and use the disputed claims process when you have a disagreement concerning your claims.
Report any wrongdoing or fraud to the appropriate resources or legal authorities.

Changes to this privacy policy

WP&H LLC and its subsidiaries have the discretion to update this privacy policy at any time. When we do, revise the updated date at the

bottom of this page, we encourage Users to frequently check this page for any changes to stay informed about how we are helping to protect the personal information we collect. You acknowledge and agree that it is your responsibility to review this privacy policy periodically and become aware of modifications.

Your acceptance of these terms

By using this Site, you signify your acceptance of this policy and terms of service. If you do not agree to this policy, please do not use our Site. Your continued use of the Site following the posting of changes to this policy will be deemed your acceptance of those changes.

Contacting us

If you have any questions about this Privacy Policy, the practices of this site, or your dealings with this site, please contact us at:

WP&H LLC

1170- 1172 N Knollwood Cir.

Anaheim, CA 92801

800-270-6990

info@militarymedical.us.com

Policy last revised : 3/17/2024