PRIVACY POLICY

Last Updated 01/17/2024

PRIVACY POLICY

INFORMATION COLLECTION

We may obtain information about you in a number of ways, including through (A) information you provide to us directly; (B) information we collect when you create an account; (C) information we receive from third parties; and (D) information we automatically collect.

We collect information from you when you choose to share it with us, such as when you request information about Evolent, register or create an account with or through the Websites, or otherwise communicate with or contact us (such as through any available
Website chat function). In the course of these interactions, you may provide us with biographical and demographic information (including, but not limited to, your name, address, email address, phone number, date of birth, gender, and ethnicity); financial or insurance
information to complete a transaction; inferences drawn from other personal information listed above to create a profile reflecting your preferences, characteristics, behavior, attitudes, and abilities; and information collected from industry, customers, providers and
patient groups and associations.

If you are a healthcare professional, we may also collect professional credentials (including educational and professional history, institutional and government affiliations, and information included on a resume or curriculum vitae); details about our interactions with you;
publicly-available information related to your practice; and information shared with us by customers or insurers.

We collect information from you when you create an account on one or more of our Websites, including a username and password that you select to establish an account.

If you create a member or beneficiary account, or a plan administrator account, we may collect your first and last name; email address; physical address; phone number; date of birth; driver’s license number; member or beneficiary ID; social security number, drug
allergy information; health condition; medical history; claims history; eligibility data; credit card information; credit scores and history; and employment and insurance information.

If you are a healthcare professional or other independent provider, we may collect your first and last name; work address; work phone number; fax number; email address; date of birth; treatment dates; clinical details; member demographics; Taxpayer Identification
Number, and National Provider Identifier.

We may collect information about you from third parties such as healthcare professionals; data brokers; insurance companies; third party administrators; service providers; vendors; affiliates; business partners; customers; credit agencies; social media platforms; and
government agencies or public records.

If your employer uses Evolent for benefit administration services, Evolent may collect information from your employer or a benefits administrator. In those cases, most questions about how your information is handled should be directed to your employer.

From time to time, we may use or augment the personal information we have about you with information obtained from other sources, such as public databases, social media platforms and other third parties. For example, we may use such third party information to
confirm or verify licensure of healthcare professionals or to better understand your interests by associating demographic information with the information you have provided.

If you use our Websites, certain information may be collected from your computer or device during your interaction with the Websites. We, as well as our service providers, may use a variety of technologies, such as cookies, widgets, web beacons, and log files, to
automatically or passively collect certain information about your online activity on the Websites. This information is used, for example, to help us (1) understand who is using the Websites and how (e.g., by measuring the number and frequency of visitors to the different
sections of our Websites); (2) remember your information so you do not have to re-enter it; (3) make our Websites more useful to our visitors and users; and (4) otherwise manage and enhance our products and services.

When you interact with our Websites we may collect your IP address; browsing history; search history; and information on interaction with our Website.

Technologies, Third Parties, and Do Not Track Disclosures

• Cookies: Cookies are a collection of information sent by a website to a user’s computer, and then sent back each time the user accesses that website. Cookies help us understand how you navigate around the Websites. Most web browsers enable you to
  control whether or not you want to receive cookies or notify you when a website is about to deposit a cookie file. Please refer to your device’s settings or your browser “Help” section for more information on how to delete and/or disable your browser
  from receiving cookies. However, blocking or deleting cookies may create a less-than-optimal user experience on the Websites.


• Web beacons: Web beacons are small pieces of data that are embedded in images on a website. Web beacons may involve the transmission of information directly to us, to another party on our behalf, or to another party in accordance with its Privacy
  Policy.


• Log Files: Log files are pieces of information that let us know how users are accessing the Websites. For example, each time you visit an Evolent website, we may create a log file that tells us that someone visited the page. We use log files to create
  aggregate reports of Website activity, which means we take that information and add it together to report on all Website activity.

Do Not Track

Because there is not yet a consensus on how companies should respond to web browser-based do-not track (“DNT”) mechanisms, our system will not recognize or respond to Do Not Track requests or headers at this time.

INFORMATION USE

Evolent may use the information we collect from and about you for a number of purposes. Some examples of the ways we may use that information include:

• Providing you with the Services, Websites, experience, products, and information you request, view, and engage with.


• Fulfilling our obligations under contracts with our customers, including insurance providers, governmental agencies and employers.


• Managing our relationship with you.


• Customizing your experience on the Websites, including managing and recording your preferences.


• Marketing, product development, and research purposes.


• Reviewing and developing reports regarding usage, activity, and statistics, including to conduct analysis to enhance or improve our content, products, and services.


• Acting at your direction and with your consent.


• Providing you with access to particular tools and services and enabling certain functions and tools on the Websites.


• Managing your account.


• Paying your medical bills online.


• Responding to your inquiries and requests and sending you administrative and other communications.


• For other purposes disclosed at the time you provide your information or otherwise with your consent.


• Protect against fraud, suspicious, or other illegal activities.

We do not sell your personal information or transfer personal information to third parties to use for their own benefit; however, we allow certain companies to place tracking technologies like cookies on our Services. Those companies receive information about your
interaction with our Services that is associated with your browser or device and may use that data to serve you relevant ads on our Services or others. Except for this kind of sharing, we do not sell any of your information. For more information, please see the section of
this Privacy Policy titled, “Technologies, Third Parties, and Do Not Track Disclosures above.”

INFORMATION SHARING

Evolent may share your information as follows:

• Legal Matters: We may access and disclose your information to respond to subpoenas, regulatory or judicial processes, or government requests and investigations, or in connection with an investigation on matters related to public safety, as permitted by law, or otherwise as required by law.


• Prevent Fraud or Misuse: We may disclose your information to protect the security of our Websites, servers, network systems, and databases. We also may disclose your information as necessary if we believe that there has been a violation of our Terms and Conditions, any other legal document or contract related to our Websites, or the rights of any third party.


• Safety: We may access and disclose your information to protect any individual’s personal safety, health, or welfare, including, without limitation, if you threaten to harm yourself or others, we have reason to believe that abuse or neglect might be occurring, or otherwise in the event of a medical emergency. In such instances, we will notify the appropriate authorities, which may include law enforcement, medical or other emergency personnel, or a potential victim.


• Payer/Healthcare Organization: To your payer/healthcare organization or others responsible for the payment of healthcare or other services to you.


• Sale or Transfer of Business or Assets: In the event of a sale or change in corporate control, for example, a merger, a sale of assets, or bankruptcy, information we have collected from and about you may be transferred. Should such a sale or change in corporate control occur, we will use reasonable efforts to try to require that the transferee use and disclose your information in a manner that is consistent with this Privacy Policy.


• Affiliates and Service Providers: We share your information with our affiliates, business partners, vendors, suppliers, agents and other service providers that provide business, professional, or technical support functions for us, help us operate our business and the Websites, or administer activities on our behalf. We request that such third parties maintain the confidentiality of your information.


• Healthcare Providers and Organizations: We may share your information with your healthcare providers and other healthcare organizations or professionals in connection with the provision of care to you, including:
  
  
  • To a provider/healthcare organization or healthcare professional who has referred you to the Websites ancillary to your treatment, or to whom you are referred.
  
  
  • To an organization providing you access to the Websites, if applicable, as part of a health, wellness, or insurance program.

In this case, the use of your personal information by any such third party shall also be subject to the terms of the privacy statement issued by that third party.

• Aggregate or Anonymous Information: We may also share aggregate or anonymous information with our business partners and other third parties including without limitation for research, audit, treatment, marketing, or program evaluation.


• De-Identified Information: We may also share de-identified information, which is not linked to any information that can identify any individual person, without restriction.


• Other: We also may share your information as disclosed to you at the time of collection, or otherwise with your consent.

ONLINE MEDICAL BILL PAYMENT PROCESSING

In limited circumstances we may utilize the services of a third party payment processing vendor to allow you to pay your medical bills online. This vendor utilizes secure SSL encryption to secure payments of your medical bills. We link to these services through a
payment portal hosted by the third party vendor available to you on our Website. You can learn more about how these services and payments are secured by referring to our myInsight Terms of Use and the Patient Notebook payment portal operated by Waystar, Inc.

YOUR ACCOUNT AND EMAILS

Please note that individualized information transmitted via email correspondence between you and Evolent — as opposed to transmission over the Websites — is not encrypted. As a result, like most, if not all, non-encrypted Internet email communications, such email
correspondence may be accessed and viewed by other Internet users without your knowledge and permission while in transit. For that reason, to protect your privacy, if you have concerns about treatment, or questions that would involve the communication of
confidential/personal health information, please call your physician, or other healthcare professional.

Website accounts may require that you create a user ID and/or password. It is very important that you do not share your user ID and/or password with anyone, and also that you give thought to any person(s) who may have access to your account. You are responsible for all activity that occurs under your account.

MARKETING

You can opt-out of our use and disclosure of your personal information for marketing purposes and customer satisfaction surveys, and/or withdraw your prior consent for same, by the methods provided below. Upon requesting an opt out, your consent will be
withdrawn; however, please note that it often takes some time to process these requests. Therefore, it is possible that you may receive promotions scheduled prior to our receipt of your withdrawal of consent.

You may also unsubscribe from receiving marketing or other commercial emails by following the instructions included in the email. (If you use more than one e-mail address, then send your opt-out e-mail from each of your e-mail addresses.) To opt-out of any other
promotional mailings from Evolent and our partners or affiliates you may notify us at Privacy@Evolent.com. We may also provide additional methods for you to opt-out of having your personal information used or disclosed for promotional and marketing purposes.

Please note, even if you opt out of receiving marketing or commercial communications, we retain the right to send you non-marketing communications such as correspondence about your existing relationship with us, for example notifying you of updates to our Privacy Notice or Terms of Use.

SECURITY

A range of security features protect the privacy of information provided over a secure sign-in to the Evolent Websites, including 128-bit or greater cryptographic security and other security safeguards. Evolent also uses physical, technical, and administrative safeguards
to protect the information collected from and about Website users. Only authorized employees and third parties have access to that information and only to provide service to you. Please note, the confidentiality of Personal Information transmitted over the Internet
cannot be guaranteed. Evolent urges you to exercise caution when transmitting Personal Information over the Internet. Evolent cannot guarantee that unauthorized third parties will not gain access to your Personal Information; therefore, when submitting Personal
Information to Evolent online, you must weigh both the benefits and the risks.

DATA TRANSFERS

Any personal information you provide to us may be stored and processed, transferred between and accessed from the United States where we are headquartered.

RETENTION

We retain personal information for as long as is necessary for the processing purpose(s) for which the data was collected, and any other permissible, related purpose. When we no longer need the personal information
we collect, we either deidentify the information or securely destroy the information.

LINKED SITES

The Websites may have links to other websites and applications that we think might be useful or of interest to you. We are not responsible for, and do not endorse the privacy practices or the content of, those linked websites and applications. We urge you to review the
privacy policies of any websites and applications you visit once you leave the Websites.

CHILDREN’S PRIVACY

Evolent and its third-party service providers may offer services that are targeted to children. As a result, we may collect information from children. Below we summarize when we may collect personal information from children, and how and when we will provide
parental notice and/or seek parental consent.

At the direction of a healthcare professional, children can access one of our websites or download and use one of our mobile applications. We will ask for a parent or guardian consent during the enrollment process. In the consent, we will explain what information we
are collecting, how we plan to use it, and how the parent or guardian can provide consent.

We will share and disclose personal information collected from children in limited circumstances only: (1) with our service providers, if necessary for them to perform a business, professional, or technology support function for us; (2) if required or permitted by law,
such as in response to a court order or subpoena, or to protect our rights and the rights of others; and (3) as otherwise permitted by the parent or guardian, such as to the healthcare provider or other individual designated by the parent, guardian, or child
(with parent’s/guardian’s approval).

If we collect personal information from a child, we will retain that information so long as reasonably necessary to fulfill the activity request or allow the child to continue to participate in the activity, to ensure the security of our users and our services, as allowed
or required by law or contract, or for data retention or recovery purposes.

At any time, a parent or guardian may stop their child’s use of the Websites, and upon the child’s nonuse of the Websites no further collection or use of their child’s personal information will occur.

Parents or guardians can contact us at Privacy@Evolent.com to request access to or to change their child’s personal information. Please include the child’s username and the parent’s or guardian’s email address and telephone number. To protect children’s privacy and
security, we will take reasonable steps to help verify a parent’s or guardian’s identity before granting access to any personal information.

Parents and guardians are responsible for providing supervision of their minor children’s use of the Websites. Parents and guardians assume full responsibility for ensuring that all information supplied by or on behalf of their minor children is kept secure and is and remains accurate.

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (“HIPAA”)

As a provider of services and technology to the health care industry, Evolent has implemented programs consistent with HIPAA privacy and security requirements. Under HIPAA, each covered entity (health care provider, health plan or health care clearinghouse) is
required to provide or make available to you a Notice of Privacy Practices (NPP), depending on your relationship with the covered entity. To the extent an Evolent subsidiary is a covered entity, a NPP will be provided to you or made available to you. The NPP is not
related to the practices described in this website Privacy Policy.

YOUR RIGHTS

You may have certain rights and choices regarding our processing of your Personal Information. Depending on your jurisdiction, applicable law may entitle you to additional consumer rights, including the right to:

• Know the categories and/or specific pieces of Personal Information collected about you, including whether your Personal Information is sold or disclosed, and with whom your Personal Information was shared


• Access a copy of the Personal Information we retain about you


• Request deletion of your Personal Information

We reserve the right to verify your identity in connection with any requests regarding Personal Information to help ensure that we provide the information we maintain to the individuals to whom it pertains, and allow only those individuals or their authorized
representatives to exercise rights with respect to that information. If you are an authorized agent making a request on behalf of a consumer, we may require and request additional information to verify that you are authorized to make that request.

Evolent may not be able to comply with a request where Personal Information has been destroyed, erased or made anonymous in accordance with Evolent’s record retention obligations and practices. In the event that Evolent cannot provide an individual with access
to his/her Personal Information, Evolent will endeavor to provide the individual with an explanation, subject to any legal or regulatory restrictions.

We will not restrict or deny you access to our Evolent products and services because of choices and requests you make in connection with your personal information. Please note, certain choices may affect our ability to deliver our services. For example, if you ask us
to delete your information, we will not be able to send you communications about our services and other offerings.

To submit a request, please contact us via Privacy@Evolent.com.

REVISIONS TO THIS PRIVACY POLICY

Evolent is always looking to offer expanded features and functions that make healthcare more efficient and accessible. As additional features and functions are added, updates to this Privacy Policy may be necessary, and we reserve the right, at our sole discretion, to
change, modify, add, remove, or otherwise revise portions of this Privacy Policy at any time. When we do, we will post the change(s) on the Websites. Each time you visit this website or any Evolent website it is your responsibility to review the most current Terms and
Conditions and any other policies, restrictions, conditions and notices on this website or any Evolent website you access. By accessing, browsing, and/or otherwise using the Websites following the posting of changes, you accept and agree to be bound by those changes.

CALIFORNIA PRIVACY RIGHTS

Under the California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act of 2020 (“CCPA”), California residents have certain rights around our collection, use, and sharing of their personal information. Evolent does not sell your personal
information and will not do so in the future without providing you with notice and an opportunity to opt-out of such sale as required by law. We do not offer financial incentives associated with our collection, use, or disclosure of your personal information. We collect
various types of personal information about you during the course of your relationship with us. If you are a resident of California, you have the right to request to know what personal information has been collected about you, and to access that information. You also
have the right to request deletion of your personal information, though exceptions under the CCPA may allow Evolent to retain and use certain personal information notwithstanding your deletion request. Effective January 1, 2023, you have the right to request
correction of inaccurate personal information and to request to limit disclosure or use of your sensitive personal information. However, any right to request correction is limited by our legal rights. We will not discriminate against you for exercising your rights under the
CCPA. As of January 1, 2023, you have the right to opt-out of sharing your personal information with third parties for the purposes of targeted behavioral advertising. You may make a written request to us about how we have shared your information with third parties for
their direct marketing purposes. In response to your written request, we are allowed to provide you with a notice describing the cost-free means to opt-out of our sharing your information with third parties with whom we do not share the same brand name, if the third party will use such information for its direct marketing purposes. If you would like to exercise your rights under California law, please send your written request to Privacy@Evolent.com or to the postal address below with the words “CALIFORNIA PRIVACY OPT-OUT”.
Please include your postal address in your request. Within thirty (30) days of receiving your written request, we will provide you with a Third Party Direct Marketing Opt-Out Form so you may request that your personal information not be disclosed to third parties for their direct marketing purposes.

VIRGINIA PRIVACY RIGHTS

Effective January 1, 2023, the Virginia Consumer Data Protection Act (“CDPA”), provides Virginia residents certain rights regarding our collection, use, and sharing of their personal data. Evolent does not sell your personal data and will not do so in the future without
providing you with notice and an opportunity to opt-out of such sale as required by law. We do not engage in profiling or predictive automated processing that may result in decisions to provide or deny significant services, benefits or opportunities. We may engage
in “targeted advertising” as defined in the CDPA. Effective January 1, 2023, you have the right to opt-out of targeted advertising by contacting us at Privacy@Evolent.com. We collect various types of personal data about you during the course of your relationship with us. If
you are a resident of Virginia, you have the right to (1) request to know what personal data has been collected about you, and to access that information; (2) request deletion of your personal data, though exceptions under the CDPA and other laws may allow Evolent to
retain and use certain personal data notwithstanding your deletion request; (3) request correction of inaccurate personal data; and (4) obtain a copy of your personal data. You may submit a personal data request or appeal denial of a request by contacting us at Privacy@Evolent.com.

COLORADO PRIVACY RIGHTS

Under Colorado’s Consumer Privacy Act (“CPA”) effective July 1, 2023, Colorado residents have certain rights regarding our collection, use, and sharing of their personal data. Evolent does not sell your personal data and will not do so in the future without providing you
with notice and an opportunity to opt-out of such sale as required by law. We do not engage in profiling or predictive automated processing that may result in decisions to provide or deny significant services, benefits or opportunities. We may engage in “targeted
advertising” as defined in the CPA. Effective July 1, 2023, you have the right to opt-out of targeted advertising by contacting us at Privacy@Evolent.com. We collect various types of personal data about you during the course of your relationship with us. If you are a
resident of Colorado, as of July 1, 2023 you have the right to (1) request to know what personal data has been collected about you, and to access that information; (2) request deletion of your personal data, though exceptions under the CPA and other laws may allow
Evolent to retain and use certain personal data notwithstanding your deletion request; (3) request correction of inaccurate personal data; and (4) obtain a copy of your personal data. You may submit a personal data request or appeal denial of a request by
contacting us at Privacy@Evolent.com.

CONNECTICUT PRIVACY RIGHTS

Under Connecticut’s Data Privacy Act (“CTDPA”) effective July 1, 2023, Connecticut residents have certain rights regarding our collection, use, and sharing of their personal data. Evolent does not sell your personal data and will not do so in the future without providing you
with notice and an opportunity to opt-out of such sale as required by law. We do not engage in profiling or predictive automated processing that may result in decisions to provide or deny significant services, benefits or opportunities. We may engage in “targeted
advertising” as defined in the CTDPA. Effective July 1, 2023, you have the right to opt-out of targeted advertising by contacting us at Privacy@Evolent.com. We collect various types of personal data about you during the course of your relationship with us. If you are a
resident of Connecticut, as of July 1, 2023 you have the right to (1) request to know what personal data has been collected about you, and to access that information; (2) request deletion of your personal data, though exceptions under the CTDPA and other laws may allow
Evolent to retain and use certain personal data notwithstanding your deletion request; (3) request correction of inaccurate personal data; and (4) obtain a copy of your personal data. You may submit a personal data request or appeal denial of a request by
contacting us at Privacy@Evolent.com.

CONTACT US

If you have any questions or concerns about this Privacy Policy or the practices described herein, you may contact us at Privacy@Evolent.com. Alternatively, letters may be mailed to the following address:

Privacy Office

Evolent
1812 N Moore St, Suite 1705
Arlington, VA 22209

All communications should include the individual’s name and contact information and a detailed explanation of the request. Evolent will endeavor to respond to all reasonable requests in a timely manner and within any time limits prescribed by applicable law.