BofA Wellness Notice

Bank of America Wellness/Privacy Notices

Notice Regarding The Bank of America Wellness Program as of August 1, 2025

The Bank of America Wellness Program is a voluntary wellness program available to all employees  enrolled in an eligible Bank of America medical plan and covered spouses, partners, or other adult  dependents. The program is administered according to federal rules permitting employer-sponsored  wellness programs that seek to improve employee health or prevent disease, including the Americans  with Disabilities Act of 1990, the Genetic Information Nondiscrimination Act of 2008, and the Health  Insurance Portability and Accountability Act, as applicable, among others.  

If you and your covered spouse/partner choose to participate in the wellness program, you will be asked to complete certain voluntary wellness activities – a health questionnaire, a biometric health screening, and an attestation that you have a primary care provider (PCP) and have had an annual physical with your PCP in the last 12 months. The questionnaire, often referred to as a health risk assessment, asks a series of questions about your health-related activities and behaviors and whether you have or had certain medical conditions (e.g., cancer, diabetes, or heart disease). The biometric health screening includes a non-fasting blood test for total cholesterol. The PCP/Annual Physical attestation is an electronic confirmation that you have a primary care provider (PCP) and have had an annual physical with your PCP in the last 12 months. You and your spouse/partner are not required to complete the wellness activities.

However, employees and covered spouses/partners who choose to complete and submit the health risk assessment and biometric health screening activities will each retain a credit of up to $250 toward the annual medical plan premium. For those who also choose to complete the PCP attestation, they will each retain up to an additional $250 credit toward the annual medical premium. Although you are not required to complete the voluntary wellness activities, only employees and covered spouses/partners who do so will maintain the credit of up to $500, respectively, toward the annual medical plan premium.

Additional incentives and/or surcharges may be included for employees and/or covered spouse/partners  who do or do not participate in certain health-related activities or achieve certain health outcomes such  as quitting tobacco use. If you are unable to participate in any of the health-related activities or achieve  any of the health outcomes required to earn an incentive, you may be entitled to a reasonable  accommodation or an alternative standard. The recommendation of your personal physician will be  accommodated. You may request a reasonable accommodation or an alternative standard by contacting  the Global HR Service Center at 800.556.6044. 

The information from your health risk assessment and the results from your biometric health screening  will be used to provide you with information to help you understand your current health and potential risks and may also be used to offer you services through the wellness program, such as health coaching and condition management. You also are encouraged to share your results or concerns with your own  provider.

Protections from Disclosure of Medical Information 

We are required by law to maintain the privacy and security of your personally identifiable health  information. Although Bank of America may use aggregate information collected to design programs based  on identified health risks in the workplace, the wellness program administrators will never disclose any of  your personal information either publicly or back to Bank of America, except as necessary to respond to a  request from you for a reasonable accommodation needed to participate in the wellness program, or as  expressly permitted by law. Medical information that personally identifies you that is provided in connection  with the wellness program will not be provided to your managers and may never be used to make decisions  regarding your employment. 

Your health information will not be sold, exchanged, transferred, or otherwise disclosed except to the extent  permitted by law to carry out specific activities related to the wellness program, and you will not be asked or  required to waive the confidentiality of your health information as a condition of participating in the  wellness program or receiving an incentive. Anyone who receives your information for purposes of providing  you services as part of the wellness program will abide by the same confidentiality requirements. The only  individuals who will receive your personally identifiable health information are health coaches or nurses who work for your insurance carrier or other third parties who have developed specific programs for Bank of  America employees in order to provide you with services under the wellness program.  

In addition, all medical information obtained through the wellness program will be maintained separate  from your personnel records, information stored electronically will be encrypted, and no information you  provide as part of the wellness program will be used in making any employment decision. Appropriate  precautions will be taken to avoid any data breach, and in the event a data breach occurs involving  information you provide in connection with the wellness program, we will notify you immediately. 

You may not be discriminated against in employment because of the medical information you provide as  part of participating in the wellness program, nor may you be subjected to retaliation if you choose not to  participate. 

If you have questions or concerns regarding this notice, or about protections against discrimination and  retaliation, please contact the Global HR Service Center at 800.556.6044.

Your privacy is paramount — HIPAA privacy notice enclosed 

We believe your personal information under our health plans should be kept between you, your doctors  and the plan administrators. 

Your health benefit information is also protected by HIPAA (the Health Insurance Portability and  Accountability Act of 1996), which provides strict privacy guidelines from the federal government.  Enclosed is a legal notice that outlines these HIPAA requirements. No action is required on your part. 

We’re happy to answer any questions you may have about the HIPAA privacy notice. If you’d like to speak with a benefits representative, please contact the Global HR Service Center at 800.556.6044, 8 a.m. to 8 p.m. Eastern, Monday through Friday (excluding certain holidays). Remember that you’ll need to have your phone PIN ready. If you haven’t established a phone PIN or need to reset your phone PIN, log in to My Benefits Resources > My Profile > Log On Information > Change Phone PIN.

Sincerely, 

Bank of America Global Human Resources  

Important note: Receipt of this document does not entitle you to benefits. To be entitled to a benefit from  the health and insurance plans, you must meet the eligibility requirements for each individual benefit.

 

Notice of Privacy Practices 

Overview 

This notice describes how medical information about you may be used and disclosed and how you can  get access to this information. Please review it carefully. 

This is the HIPAA Notice of Privacy Practices for participants in the Bank of America Group Benefits Program (“Plan” or “We”). This Notice describes how we protect health information that we have about you  (“Protected Health Information” or “PHI”) and how we may use and disclose this information. PHI is  information about you, including demographic information, that can reasonably be used to identify you and  that relates to your past, present or future physical or mental health or condition, the provision of health care to you or the payment for that care. This Notice also describes your rights with respect to the PHI and  how you can exercise those rights. 

We are required to provide this Notice to you by the federal laws known as the Health Insurance Portability  and Accountability Act (“HIPAA”) and the Health Information Technology for Economic and Clinical Health  Act (“HITECH Act”). We must follow the terms of this Notice while it is in effect. Some of the uses and  disclosures described in this Notice may be limited in certain cases by applicable state laws that are more  stringent than the federal standards. If you have any questions about this Notice or about the Plan’s privacy  practices, please reach out to the Contact Person listed at the end of this Notice. 

We are required by law to do all of the following: 

  • Maintain the privacy and security of your PHI 
  • Provide you with certain rights with respect to your PHI 
  • Provide you notice promptly if a breach occurs that may have compromised the privacy or security of  your information 
  • Provide you this Notice of the Plan’s legal duties and privacy practices with respect to your PHI
  • Follow the terms of this Notice

We reserve our rights to change the terms and policies described in this Notice at any time. We also reserve  the right to make the revised or changed terms and policies effective for any PHI that we already have about  you, as well as any PHI we may receive in the future. If we do make material changes to the terms and  policies in this Notice, we will send you, by mail (to your last-known address on file), an updated version of  this Notice, which will include the date that the new terms and policies are effective.

Permitted uses and disclosures of your PHI 

In order to provide you with medical benefits, we need personal information about you, and we may obtain  that information from many different sources — from you, third-party administrators, insurers, HMOs or  health care providers. In administering your health benefits, we may use and disclose this information in  various ways, including: 

  • For treatment — Treatment means the provision, coordination or management of your health care by one or more health care providers. We may disclose medical information about you to health care providers, including doctors, nurses, technicians, medical students or other hospital personnel who are involved in your care. For example, we may send certain information to doctors for patient safety or other treatment-related reasons.

  • For payment — Payment means activities the Plan undertakes to pay for the health or dental care  that has been provided to you, including determinations of eligibility and coverage. We may use and  disclose your PHI to facilitate payment for treatment and services you receive from health care  providers, to determine benefit responsibility under the Plan or to coordinate Plan coverage. For  example, we may disclose PHI for payment-related functions, such as eligibility determinations,  resolution of benefit claims or to assist you with your inquiries or disputes. 
  • For health care operations — Health care operations are the support functions of a medical plan,  such as quality assessment and improvement activities, case management, receiving and responding  to participant complaints, business planning, development, management and administrative activities.  We may use and disclose your PHI to enable these functions to operate or operate more efficiently or  make certain all of the Plan’s participants receive their health benefits. For example, we may use the  information to provide disease management programs for members with specific conditions, such as  diabetes, asthma or heart failure. We will not use your genetic information for underwriting purposes.  Generally, genetic information involves information about differences in a person’s DNA that could  increase or decrease his or her chance of getting a disease (for example, diabetes, heart disease,  cancer or Alzheimer’s disease). 

Other uses and disclosures of PHI 

We also may disclose your PHI, without your authorization, as permitted or required by HIPAA, including,  without limitation, to the following persons or entities for the following reasons: 

  • Plan administration — to the Plan Administrator or Plan Sponsor, as specified in the plan documents,  for purposes of Plan administrative activities. Unless authorized by you in writing, your PHI: (1) may  not be disclosed by us to any employee, official or department other than those individuals involved  in Plan administrative activities and (2) will not be used for any employment-related actions and  decisions or in connection with any other employee benefit plan. In addition, we may disclose  “summary health information” to obtain premium bids or modify, amend or terminate the Plan.  Summary health information summarizes the claims history, claims expenses or type of claims  experienced under a group health plan. It does not include information that would identify  any individual. 

The Plan may disclose your PHI to the respective plan sponsors for the Plan for purposes related to  payment of benefits, Plan operations and other matters pertaining to administration of the Plan that  involve the plan sponsor, for example in connection with appeals that you file following a denial of a benefit claim. When disclosing PHI to the plan sponsors, the Plan will make reasonable efforts not to  disclose more than the minimum necessary amount of PHI to achieve the particular purpose of the  disclosure. In accordance with the plan documents, the plan sponsors have agreed not to use or  disclose your PHI: (1) other than as permitted in this Notice or as required by law, (2) with respect to  any employment-related actions or decisions or (3) with respect to any other benefit plan sponsored  by or maintained by the plan sponsors. 

In addition, the Plan may disclose “summary health information” to their respective plan sponsors for  obtaining premium bids or modifying, amending or terminating the benefits provided under the Plan.  Summary health information summarizes the claims history, claims expenses or type of claims  experienced by individuals for whom a plan sponsor has provided health benefits under a group  health plan. Identifying information will be deleted from summary health information in accordance  with federal privacy rules. 

  • Business associates — to persons or entities that provide services to the Plan. Examples of business  associates include third-party administrators, data processing companies or companies that provide  general administrative services. For example, we may input information about your health care  treatment into an electronic claims processing system maintained by the Plan’s business associate so  your claim may be paid. In so doing, we will disclose your PHI to business associates so they can  perform their claims payment functions. However, we will require our business associates, through  written contract, to appropriately safeguard your health information. 
  • Treatment alternatives or health-related benefits and services — to you about treatment  alternatives or other health-related benefits and services that might be of interest to you. 
  • As required by law — to a person or entities as required to do so by federal, state or local law.  For example, we may disclose your PHI when required by national security laws or public health  disclosure laws. 
  • Law enforcement, legal proceedings — to federal, state and local law enforcement officials or in  response to a court or administrative order. We may also disclose your PHI in response to a subpoena,  discovery request or other lawsuit process by someone involved in a legal dispute, but only if efforts  have been made to tell you about the request or to obtain a court or administrative order protecting  the information requested. 
  • Public health risks or to avert a serious threat to health or safety — to someone able to help prevent  a serious threat to your health and safety or the health and safety of the public or another person. For  example, we may disclose your PHI in a proceeding regarding the licensure of a physician. 
  • Workers’ compensation, public health activities, and welfare and industry regulation — to workers’  compensation officials, to address matters of public health or public interest as required or permitted  by law (e.g., child abuse and neglect, serious threats to your or public health and safety, to coroners  and medical examiners) or to state insurance departments, the U.S. Department of Labor, the U.S.  Department of Health and Human Services and other government agencies that may regulate the Plan. 
  • Military and national security and intelligence — if you are a member of the armed forces, to the  armed forces to provide information as required by military command authorities or to authorized  federal officials to conduct intelligence, counterintelligence or other national security activities.
  • Organ and tissue donation — if you are an organ donor, we may release medical information to  organizations that handle organ procurement or organ, eye or tissue transplantation or to an organ  donation bank to facilitate organ or tissue donation and transplantation. 
  • Coroners, medical examiners and funeral directors — to a coroner or medical examiner. This may be  necessary, for example, to identify a deceased person or to determine the cause of death. We may  also release your PHI to a funeral director, as necessary, to carry out their duties. 
  • Inmates — if you are an inmate of a correctional institution or are in the custody of a law  enforcement official, to the correctional institution or law enforcement official, if necessary (1) for the  institution to provide you with health care; (2) to protect your health and safety or the health and  safety of others; or (3) for the safety and security of the correctional institution. 
  • Research — to researchers when their research has been approved by an institutional review board or  privacy board that has established protocols to ensure the privacy of your PHI. 
  • Government audits — to the Secretary of the U.S. Department of Health and Human Services when  the Secretary is investigating or determining the Plan’s compliance with HIPAA. 
  • Your personal representatives — to your personal representative in accordance with applicable state  law (e.g., to parents of unemancipated children under 18, to those with unlimited powers of attorney  or health care proxies). Under HIPAA, we do not have to disclose information to a personal  representative if we have a reasonable belief that: (1) you have been, or may be, subjected to  domestic violence, abuse or neglect by such person; or (2) treating such person as your personal  representative could endanger you; and (3) in the exercise of personal judgment, it is not in your best  interest to treat the person as your personal representative. 
  • Individuals involved in your care or payment for your care — to a family member involved in or who  helps pay for your health care, but only to the extent relevant to that family member’s involvement in  your care or payment for your care. Such disclosures will not be made if you request in writing that we  do not make these types of disclosures, and we have agreed to such request. 

Special situations 

In all situations other than those described above, you must provide us with your written authorization before we use or disclose PHI about you. For example, we will not share your information for marketing purposes or sell your information unless you give us written authorization. In addition, most uses of and disclosures of psychotherapy notes require your authorization. If you have given us an authorization, you may revoke it in writing at any time. Your revocation will not apply to any disclosure we have already made in reliance on your previous authorization. However, we will not make any further disclosures until a new authorization is received. If you have questions regarding authorizations, please call the Contact Person listed at the end of this Notice.

The Plan is prohibited by law from using or disclosing PHI that is genetic information of an individual for  underwriting purposes. Generally, genetic information involves information about differences in a person’s  DNA that could increase or decrease his or her chance of getting a disease (for example: diabetes, heart  disease, cancer or Alzheimer’s disease).

If a use or disclosure of health information is prohibited or materially limited by other applicable state law, it  is the Plan’s intention to meet the requirements of the more stringent state law. For instance, special  privacy protections may apply to certain sensitive information, HIV-related information, alcohol and  substance abuse treatment information and mental health information. If you would like more information,  contact the Contact Person listed at the end of this Notice. 

Your rights 

The following are your various rights concerning your PHI. If you have questions about any of your rights,  please write to or call the Contact Person at the number listed at the end of this Notice. 

  • Right to request restrictions — You have the right to request a restriction or limitation on PHI that we  are otherwise permitted to use or disclose about you for treatment, payment or health care  operations. You also have the right to request a limit on your PHI that the Plan uses or discloses to  someone who may be involved in your care or payment for your care, such as a family member or  friend. You should note that we are not required to agree to your request. To request a restriction,  you must make your request in writing to the Contact Person. You must advise: (1) what information  you want to limit; (2) whether you want to limit the Plan’s use, disclosure or both; and (3) to whom  you want the limit(s) to apply — for example, disclosures to your spouse. 
  • Right to request confidential communications — You have the right to request that we communicate  with you about PHI in a certain way or at a certain location if communication in another manner may  endanger you. For example, you can ask that we only contact you at work or by mail. To request  confidential communications, you must make your request in writing to the Contact Person listed at  the end of this Notice, and you must specify how or where you wish to be contacted. We will  accommodate reasonable requests. 
  • Right to inspect and copy your PHI — In most cases, you have the right to inspect and obtain a copy  of the PHI that the Plan maintains about you. To inspect and copy your PHI, you must submit your  request in writing to the Contact Person listed at the end of this Notice. To receive a copy of your PHI,  you may be charged a fee for the costs of preparing, copying, mailing or other supplies associated  with your request. If the information you requested is maintained electronically, and you request an  electronic copy, we will provide a copy in the electronic form and format you request; if the  information cannot be readily produced in that form and format, we will provide you with a paper  copy. In limited circumstances, we may deny your request to inspect and copy your PHI. Generally, if  you are denied access to your PHI, you may request a review of the denial by submitting a written  request to the Contact Person. 
  • Right to amend your PHI — If you believe that your PHI is incorrect or that an important part of it is  missing, you have the right to ask the Plan to amend your PHI while it is kept by or for the Plan. You  must provide your request and your reason for the request in writing to the Contact Person listed at  the end of this Notice. We may deny your request if it is not in writing or does not include a reason  that supports the request. 

In addition, we may deny your request if you ask us to amend PHI that is any of the following: 

– Not accurate and complete 

– Not created by the Plan, unless the person or entity that created the PHI is no longer available to  make the amendment 

– Not part of the PHI kept by or for the Plan 

– Not part of the PHI which you would be permitted to inspect and copy 

  • Right to a list of disclosures — You have the right to request a list of the disclosures of PHI about you  that we have made. This list will not include disclosures made for treatment, payment or health care  operations, for purposes of national security, made to law enforcement personnel, made pursuant to  your authorization, made to family or friends in your presence or because of an emergency or made  directly to you. To request this list, you must submit your request in writing to the Contact Person listed at the end of this Notice. 

Your request must state the time period for which you want to receive a list of disclosures, which time  period shall be no more than six years from the date on which the list is requested. Your request should  indicate in what form you want the list (for example, on paper or electronically). The first list you  request within a 12-month period will be free. We may charge you for responding to any additional  requests. We will notify you of the cost involved, and you may choose to withdraw or modify your  request at that time before any costs are incurred. 

  • Right to be notified of a breach — You have the right to be notified in the event that the Plan (or a  business associate) discovers a breach of unsecured PHI. 
  • Right to a paper copy of this Notice — You have the right to a paper copy of this Notice. You may  write to the Contact Person to request a written copy of this Notice at any time. 
  • Changes to this Notice — The Plan reserves its rights to change this Notice at any time and to make  the revised or changed notice effective for health information the Plan already has about you, as well  as any information the Plan receives in the future. 

Complaints 

If you believe that your privacy rights have been violated, you may contact the Plan’s Contact Person in  writing at the address below. You may also file a complaint with the Secretary of the U.S. Department of  Health and Human Services Office for Civil Rights at 200 Independence Ave., S.W., Washington, DC 20201,  by calling 800.368.1019 or by visiting hhs.gov/hipaa/filing-a-complaint/index.html

We will not retaliate against you if you file a complaint. 

Contact person 

If you have any questions or would like further information about the policies described in this Notice,  please contact: 

Bank of America Global HR Service Center 

Department 01487  

P.O. Box 64083  

The Woodlands, TX 77387-4083

About this Notice 

This Notice of Privacy Practices is effective Aug. 2, 2024.  

We reserve the right to change the terms of this Notice and to make the new provisions effective for all PHI we maintain. We will provide you with a copy of the new notice (or notice of the revisions) whenever we  make a material change to the privacy practices described in this Notice.