Bank of America Wellness/Privacy Notices
NOTICE REGARDING THE BANK OF AMERICA WELLNESS PROGRAM

as of August 1, 2025

The Bank of America Wellness Program is a voluntary wellness program available to all employees
enrolled in an eligible Bank of America medical plan and covered spouses, partners, or other adult
dependents. The program is administered according to federal rules permitting employer-sponsored
wellness programs that seek to improve employee health or prevent disease, including the Americans
with Disabilities Act of 1990, the Genetic Information Nondiscrimination Act of 2008, and the Health
Insurance Portability and Accountability Act, as applicable, among others.
If you and your covered spouse/partner choose to participate in the wellness program you will be asked
to complete certain voluntary wellness activities – a health questionnaire, a biometric health screening,
and an attestation that you have a primary care provider (PCP) and have had an annual physical with your
PCP in the last 12 months. The questionnaire, often referred to as a health risk assessment, asks a series
of questions about your health-related activities and behaviors and whether you have or had certain
medical conditions (e.g., cancer, diabetes, or heart disease). The biometric health screening includes a
non-fasting blood test for total cholesterol. The PCP/Annual Physical attestation is an electronic
confirmation that you have a primary care provider (PCP) and have had an annual physical with your PCP
in the last 12 months. You and your spouse/partner are not required to complete the wellness activities.
However, employees and covered spouses/partners who choose to complete and submit the health risk
assessment and biometric health screening activities will each retain a credit of up to $250 toward the
annual medical plan premium. For those who also choose to complete the PCP attestation, they will each
retain up to an additional $250 credit toward the annual medical premium. Although you are not
required to complete the voluntary wellness activities, only employees and covered spouses/partners
who do so will maintain the credit of up to $500, respectively, toward the annual medical plan premium.
Additional incentives and/or surcharges may be included for employees and/or covered spouse/partners
who do or do not participate in certain health-related activities or achieve certain health outcomes such
as quitting tobacco use. If you are unable to participate in any of the health-related activities or achieve
any of the health outcomes required to earn an incentive, you may be entitled to a reasonable
accommodation or an alternative standard. The recommendation of your personal physician will be
accommodated. You may request a reasonable accommodation or an alternative standard by contacting
the Global HR Service Center at 800.556.6044.
The information from your health risk assessment and the results from your biometric health screening
will be used to provide you with information to help you understand your current health and potential
risks and may also be used to offer you services through the wellness program, such as health coaching
and condition management. You also are encouraged to share your results or concerns with your own
provider.

Protections from Disclosure of Medical Information

We are required by law to maintain the privacy and security of your personally identifiable health
information. Although Bank of America may use aggregate information collected to design programs based
on identified health risks in the workplace, the wellness program administrators will never disclose any of
your personal information either publicly or back to Bank of America, except as necessary to respond to a
request from you for a reasonable accommodation needed to participate in the wellness program, or as
expressly permitted by law. Medical information that personally identifies you that is provided in connection
with the wellness program will not be provided to your managers and may never be used to make decisions
regarding your employment.
Your health information will not be sold, exchanged, transferred, or otherwise disclosed except to the extent
permitted by law to carry out specific activities related to the wellness program, and you will not be asked or
required to waive the confidentiality of your health information as a condition of participating in the
wellness program or receiving an incentive. Anyone who receives your information for purposes of providing
you services as part of the wellness program will abide by the same confidentiality requirements. The only
individuals who will receive your personally identifiable health information are health coaches or nurses who
work for your insurance carrier or other third parties who have developed specific programs for Bank of
America employees in order to provide you with services under the wellness program.
In addition, all medical information obtained through the wellness program will be maintained separate
from your personnel records, information stored electronically will be encrypted, and no information you
provide as part of the wellness program will be used in making any employment decision. Appropriate
precautions will be taken to avoid any data breach, and in the event a data breach occurs involving
information you provide in connection with the wellness program, we will notify you immediately.
You may not be discriminated against in employment because of the medical information you provide as
part of participating in the wellness program, nor may you be subjected to retaliation if you choose not to
participate.
If you have questions or concerns regarding this notice, or about protections against discrimination and
retaliation, please contact the Global HR Service Center at 800.556.6044.

Your privacy is paramount — HIPAA privacy notice enclosed

We believe your personal information under our health plans should be kept between you, your health care
providers and the plan administrators.
Your health benefit information is also protected by HIPAA (the Health Insurance Portability and
Accountability Act of 1996), which provides strict privacy guidelines from the federal government.
Enclosed is a legal notice that outlines these HIPAA requirements. No action is required on your part.
We’re happy to answer any questions you may have about the HIPAA privacy notice. If you’d like to speak
with a benefits representative, please contact the Global HR Service Center at 800.556.6044, 8 a.m. to
8 p.m. Eastern, Monday through Friday, except certain holidays. When calling the Global HR Service Center,
have your phone PIN ready. If you haven’t established a phone PIN or need to reset your phone PIN, log on
to My Benefits Resources > My Profile > Log On Information > Service Center PIN and select the Change
button. If you need to reset your My Benefits Resources password, ensure you know the last four digits of
your Bank of America Person Number.

Important note: Receipt of this document does not entitle you to benefits. To be entitled to a benefit from
the health and insurance plans, you must meet the eligibility requirements for each individual benefit.

Notice of Privacy Practices

Overview
This notice describes how medical information about you may be used and disclosed and how you can
get access to this information. Please review it carefully.

This is the HIPAA Notice of Privacy Practices for participants in the Bank of America Group Benefits Program
(“Plan” or “We”). This Notice describes how we protect health information that we have about you
(“Protected Health Information” or “PHI”) and how we may use and disclose this information. PHI is
information about you, including demographic information, that can reasonably be used to identify you and
that relates to your past, present or future physical or mental health or condition, the provision of health
care to you or the payment for that care. This Notice also describes your rights with respect to the PHI and
how you can exercise those rights.
We are required to provide this Notice to you by the federal laws known as the Health Insurance Portability
and Accountability Act (“HIPAA”) and the Health Information Technology for Economic and Clinical Health
Act (“HITECH Act”). We must follow the terms of this Notice while it is in effect. Some of the uses and
disclosures described in this Notice may be limited in certain cases by applicable state laws that are more
stringent than the federal standards. If you have any questions about this Notice or about the Plan’s privacy
practices, please reach out to the Contact Person listed at the end of this Notice.
We are required by law to do all of the following:
• Maintain the privacy and security of your PHI
• Provide you with certain rights with respect to your PHI
• Provide you notice promptly if a breach occurs that may have compromised the privacy or security of
your information
• Provide you this Notice of the Plan’s legal duties and privacy practices with respect to your PHI
• Follow the terms of this Notice
We reserve our rights to change the terms and policies described in this Notice at any time. We also reserve
the right to make the revised or changed terms and policies effective for any PHI that we already have about
you, as well as any PHI we may receive in the future. If we do make material changes to the terms and
policies in this Notice, we will send you, by mail (to your last known address on file), an updated version of
this Notice, which will include the date that the new terms and policies are effective.

Permitted uses and disclosures of your PHI

In order to provide you with medical benefits, we need personal information about you, and we may obtain
that information from many different sources — from you, third-party administrators, insurers, HMOs or
health care providers. In administering your health benefits, we may use and disclose this information in
various ways, including:
For treatment — Treatment means the provision, coordination or management of your health care by
one or more health care providers. We may disclose medical information about you to health care
providers, including doctors, nurses, technicians, medical students or other hospital personnel who
are involved in your care. For example, we may send certain information to doctors for patient safety
or other treatment-related reasons.
For payment — Payment means activities the Plan undertakes to pay for the health or dental care
that has been provided to you, including determinations of eligibility and coverage. We may use and
disclose your PHI to facilitate payment for treatment and services you receive from health care
providers, to determine benefit responsibility under the Plan or to coordinate Plan coverage. For
example, we may disclose PHI for payment-related functions, such as eligibility determinations,
resolution of benefit claims or to assist you with your inquiries or disputes.
For health care operations — Health care operations are the support functions of a medical plan,
such as quality assessment and improvement activities, case management, receiving and responding
to participant complaints, business planning, development, management and administrative activities.
We may use and disclose your PHI to enable these functions to operate or operate more efficiently or
make certain all of the Plan’s participants receive their health benefits. For example, we may use the
information to provide disease management programs for members with specific conditions, such as
diabetes, asthma or heart failure. We will not use your genetic information for underwriting purposes.
Generally, genetic information involves information about differences in a person’s DNA that could
increase or decrease his or her chance of getting a disease (for example, diabetes, heart disease,
cancer or Alzheimer’s disease).

Other uses and disclosures of PHI

We also may disclose your PHI, without your authorization, as permitted or required by HIPAA, including,
without limitation, to the following persons or entities for the following reasons:
Plan administration — to the Plan Administrator or Plan Sponsor, as specified in the plan documents,
for purposes of Plan administrative activities. Unless authorized by you in writing, your PHI: (1) may
not be disclosed by us to any employee, official or department other than those individuals involved
in Plan administrative activities and (2) will not be used for any employment-related actions and
decisions or in connection with any other employee benefit plan. In addition, we may disclose
“summary health information” to obtain premium bids or modify, amend or terminate the Plan.
Summary health information summarizes the claims history, claims expenses or type of claims
experienced under a group health plan. It does not include information that would identify
any individual.
The Plan may disclose your PHI to the respective plan sponsors for the Plan for purposes related to
payment of benefits, plan operations and other matters pertaining to administration of the Plan that
involve the plan sponsor, for example in connection with appeals that you file following a denial of a
benefit claim. When disclosing PHI to the plan sponsors, the Plan will make reasonable efforts not to
disclose more than the minimum necessary amount of PHI to achieve the particular purpose of the
disclosure. In accordance with the plan documents, the plan sponsors have agreed not to use or
disclose your PHI: (1) other than as permitted in this Notice or as required by law, (2) with respect to
any employment-related actions or decisions or (3) with respect to any other benefit plan sponsored
by or maintained by the plan sponsors.
In addition, the Plan may disclose “summary health information” to their respective plan sponsors for
obtaining premium bids or modifying, amending or terminating the benefits provided under the Plan.
Summary health information summarizes the claims history, claims expenses or type of claims
experienced by individuals for whom a plan sponsor has provided health benefits under a group
health plan. Identifying information will be deleted from summary health information in accordance
with federal privacy rules.
Business associates — to persons or entities that provide services to the Plan. Examples of business
associates include third-party administrators, data processing companies or companies that provide
general administrative services. For example, we may input information about your health care
treatment into an electronic claims processing system maintained by the Plan’s business associate so
your claim may be paid. In so doing, we will disclose your PHI to business associates so they can
perform their claims payment functions. However, we will require our business associates, through
written contract, to appropriately safeguard your health information.
Treatment alternatives or health-related benefits and services — to you about treatment
alternatives or other health-related benefits and services that might be of interest to you.
As required by law — to a person or entities as required to do so by federal, state or local law.
For example, we may disclose your PHI when required by national security laws or public health
disclosure laws.
Law enforcement, legal proceedings — to federal, state and local law enforcement officials or in
response to a court or administrative order. We may also disclose your PHI in response to a subpoena,
discovery request or other lawsuit process by someone involved in a legal dispute, but only if efforts
have been made to tell you about the request or to obtain a court or administrative order protecting
the information requested.
Public health risks or to avert a serious threat to health or safety — to someone able to help prevent
a serious threat to your health and safety or the health and safety of the public or another person. For
example, we may disclose your PHI in a proceeding regarding the licensure of a physician.
Workers’ compensation, public health activities, and welfare and industry regulation — to workers’
compensation officials, to address matters of public health or public interest as required or permitted
by law (e.g., child abuse and neglect, serious threats to your or public health and safety, to coroners
and medical examiners) or to state insurance departments, the U.S. Department of Labor, the U.S.
Department of Health and Human Services and other government agencies that may regulate the Plan.
Military and national security and intelligence — if you are a member of the armed forces, to the
armed forces to provide information as required by military command authorities or to authorized
federal officials to conduct intelligence, counterintelligence or other national security activities.

Organ and tissue donation — if you are an organ donor, we may release medical information to
organizations that handle organ procurement or organ, eye or tissue transplantation or to an organ
donation bank to facilitate organ or tissue donation and transplantation.
Coroners, medical examiners and funeral directors — to a coroner or medical examiner. This may be
necessary, for example, to identify a deceased person or to determine the cause of death. We may
also release your PHI to a funeral director, as necessary, to carry out their duties.
Inmates — if you are an inmate of a correctional institution or are in the custody of a law
enforcement official, to the correctional institution or law enforcement official, if necessary (1) for the
institution to provide you with health care; (2) to protect your health and safety or the health and
safety of others; or (3) for the safety and security of the correctional institution.
Research — to researchers when their research has been approved by an institutional review board or
privacy board that has established protocols to ensure the privacy of your PHI.
Government audits — to the Secretary of the U.S. Department of Health and Human Services when
the Secretary is investigating or determining the Plan’s compliance with HIPAA.
Your personal representatives — to your personal representative in accordance with applicable state
law (e.g., to parents of unemancipated children under 18, to those with unlimited powers of attorney
or health care proxies). Under HIPAA, we do not have to disclose information to a personal
representative if we have a reasonable belief that: (1) you have been, or may be, subjected to
domestic violence, abuse or neglect by such person; or (2) treating such person as your personal
representative could endanger you; and (3) in the exercise of personal judgment, it is not in your best
interest to treat the person as your personal representative.
Individuals involved in your care or payment for your care — to a family member involved in or who
helps pay for your health care, but only to the extent relevant to that family member’s involvement in
your care or payment for your care. Such disclosures will not be made if you request in writing that we
do not make these types of disclosures, and we have agreed to such request.

Special situations

In all situations other than those described above, you must provide us with your written authorization
before we use or disclose PHI about you. For example, we will not share your information for marketing
purposes or sell your information unless you give us written authorization. In addition, most uses of and
disclosures of psychotherapy notes require your authorization. If you have given us an authorization, you
may revoke it in writing at any time. Your revocation will not apply to any disclosure we have already made
in reliance on your previous authorization. However, we will not make any further disclosures until a new
authorization is received. If you have questions regarding authorizations, please call the Contact Person
listed at the end of this Notice.
The Plan is prohibited by law from using or disclosing PHI that is genetic information of an individual for
underwriting purposes. Generally, genetic information involves information about differences in a person’s
DNA that could increase or decrease his or her chance of getting a disease (for example: diabetes, heart
disease, cancer or Alzheimer’s disease).

If a use or disclosure of health information is prohibited or materially limited by other applicable state law, it
is the Plan’s intention to meet the requirements of the more stringent state law. For instance, special
privacy protections may apply to certain sensitive information, HIV-related information, alcohol and
substance abuse treatment information and mental health information. If you would like more information,
contact the Contact Person listed at the end of this Notice.

Substance use disorder records

If you were treated by a health care provider or program that is subject to the federal privacy laws under
42 CFR Part 2 and you give consent for your Part 2 treatment records to be used and disclosed for purposes
of treatment, payment or health care operations, the Plan may rely on such consent for its own future uses
and disclosures of such records for treatment, payment or health care operations under the Plan.
Substance use disorder treatment records received from programs subject to 42 CFR Part 2, or testimony
relaying the content of such records, may not be used or disclosed in civil, criminal, administrative or
legislative proceedings against you unless: (1) you provide written consent; or (2) the Plan receives a court
order accompanied by a subpoena or other legal requirement compelling disclosure and you, or the holder
of your substance use disorder treatment record, are provided notice and an opportunity to be heard.

Other privacy laws

Under the HIPAA privacy and security rules, the Plan may be required to comply with other more stringent
state or federal privacy laws that require greater limits on disclosure of your PHI, such as 42 CFR Part 2
related to substance use disorder treatment records.

Your rights

When it comes to your health information, you have certain rights. This section explains your rights and
some of our responsibilities to help you. If you have questions about any of your rights, please write to or
call the Contact Person at the number listed at the end of this Notice.
Right to request restrictions — You have the right to request a restriction or limitation on PHI that we
are otherwise permitted to use or disclose about you for treatment, payment or health care
operations. You also have the right to request a limit on your PHI that the Plan uses or discloses to
someone who may be involved in your care or payment for your care, such as a family member or
friend. You should note that we are not required to agree to your request. To request a restriction,
you must make your request in writing to the Contact Person. You must advise: (1) what information
you want to limit; (2) whether you want to limit the Plan’s use, disclosure or both; and (3) to whom
you want the limit(s) to apply — for example, disclosures to your spouse.
Right to request confidential communications — You have the right to request that we communicate
with you about PHI in a certain way or at a certain location if communication in another manner may
endanger you. For example, you can ask that we only contact you at work or by mail. To request
confidential communications, you must make your request in writing to the Contact Person listed at
the end of this Notice, and you must specify how or where you wish to be contacted. We will
accommodate reasonable requests.
Right to inspect and copy your PHI — In most cases, you have the right to inspect and obtain a copy
of the PHI that the Plan maintains about you. To inspect and copy your PHI, you must submit your
request in writing to the Contact Person listed at the end of this Notice. To receive a copy of your PHI,
you may be charged a fee for the costs of preparing, copying, mailing or other supplies associated
with your request. If the information you requested is maintained electronically, and you request an
electronic copy, we will provide a copy in the electronic form and format you request; if the
information cannot be readily produced in that form and format, we will provide you with a paper
copy. We will usually provide the information within 30 days of your request. In limited circumstances,
we may deny your request to inspect and copy your PHI. Generally, if you are denied access to your
PHI, you may request a review of the denial by submitting a written request to the Contact Person.
Right to amend your PHI — If you believe that your PHI is incorrect or that an important part of it is
missing, you have the right to ask the Plan to amend your PHI while it is kept by or for the Plan. You
must provide your request and your reason for the request in writing to the Contact Person listed at
the end of this Notice. We may say “no” to your request, but we’ll tell you why in writing within
60 days.
In addition, we may deny your request if you ask us to amend PHI that is any of the following:
– Not accurate and complete
– Not created by the Plan, unless the person or entity that created the PHI is no longer available to
make the amendment
– Not part of the PHI kept by or for the Plan
– Not part of the PHI which you would be permitted to inspect and copy
Right to a list of disclosures — You have the right to request a list of the disclosures of PHI about you
that we have made. This list will not include disclosures made for treatment, payment or health care
operations, for purposes of national security, made to law enforcement personnel, made pursuant to
your authorization, made to family or friends in your presence or because of an emergency or made
directly to you. To request this list, you must submit your request in writing to the Contact Person
listed at the end of this Notice.
Your request must state the time period for which you want to receive a list of disclosures, which time
period shall be no more than six years from the date on which the list is requested. Your request should
indicate in what form you want the list (for example, on paper or electronically). The first list you
request within a 12-month period will be free. We may charge you for responding to any additional
requests. We will notify you of the cost involved, and you may choose to withdraw or modify your
request at that time before any costs are incurred.
Right to be notified of a breach — You have the right to be notified in the event that the Plan (or a
business associate) discovers a breach of unsecured PHI.
Right to a paper copy of this Notice — You have the right to a paper copy of this Notice at any time,
even if you have agreed to receive the notice electronically. You may write to the Contact Person to
request a written copy of this Notice at any time.
Changes to this Notice — The Plan reserves its rights to change this Notice at any time and to make
the revised or changed notice effective for health information the Plan already has about you, as well
as any information the Plan receives in the future.
Complaints

If you believe that your privacy rights have been violated, you may contact the Plan’s Contact Person in
writing at the address below. You may also file a complaint with the Secretary of the U.S. Department of
Health and Human Services Office for Civil Rights at 200 Independence Ave., S.W., Washington, DC 20201,
by calling 800.368.1019 or by visiting hhs.gov/hipaa/filing-a-complaint/index.html.
We will not retaliate against you if you file a complaint.

Contact person

If you have any questions or would like further information about the policies described in this Notice,
please contact:

Bank of America Global HR Service Center
Department 01487
P.O. Box 64083
The Woodlands, TX 77387-4083

About this Notice

This Notice of Privacy Practices is effective Sept. 2, 2025.

We reserve the right to change the terms of this Notice and to make the new provisions effective for all PHI
we maintain. We will provide you with a copy of the new notice (or notice of the revisions) whenever we
make a material change to the privacy practices described in this Notice.