Compliance, Privacy, & Risk Management Program Overview

 Introduction 

Ensora Health, all lines of business (“Specialties”), and all subsidiaries (together “Company”) are committed to maintaining the highest standards of integrity, accountability, and transparency. Our Compliance, Privacy, and Risk Management Program (the “Program”) is a cornerstone of our operations, focusing on compliance excellence, safeguarding privacy, risk identification and mitigation, ethical practices, and continuous improvement. By embedding these principles into our everyday business, we strive to protect the interests of our customers, partners, employees, and the communities we serve.

With a dedicated team to support the Program, we have established the following components for its effectiveness. 

Leadership and Oversight 

At Ensora Health, we recognize that the foundation of any successful initiative starts with experienced leadership and clear governance. Oversight of our Program includes involvement at the highest levels: 

  • Designated Chief Compliance & Privacy Officer: We have a senior-level Chief Compliance & Privacy Officer with the authority and resources necessary to oversee the Program. This individual reports directly to the organization’s highest governing body and has direct access to executive leadership to ensure transparency and independence in addressing compliance matters. 
  • Compliance & Security Council: A multidisciplinary Compliance & Security Council supports the Chief Compliance & Privacy Officer and the Chief Information Security Officer, representing key functions such as legal, finance, human resources, and operations. This committee is responsible for reviewing, advising, and assisting with the implementation of compliance initiatives across the organization. 
  • Board and Executive Oversight: The Board of Directors plays an active role in overseeing compliance, privacy, and risk management activities. Regular reports are provided to the Audit Committee of the Board, ensuring that they are informed about risks, investigations, and the overall effectiveness of the Program. This oversight ensures accountability and commitment at the highest level of the organization. 

Written Policies and Procedures

The Company is committed to the maintenance, management, and distribution of all policies, procedures, and other materials in accordance with industry standards and legal and regulatory requirements. Key documents must go through a review and approval process before distribution. This review process involves subject matter experts, legal and compliance teams, and relevant stakeholders to ensure accuracy, appropriateness, compliance with laws and regulations, and alignment with company objectives. 

Documentation is subject to continuous review to remain up to date with legal and regulatory changes, as well as internal operational needs. The responsible individual(s) reviews key documents at least annually, and more frequently if changes occur in relevant laws, regulations, or internal processes. Revisions are maintained in a version history log, with each version clearly labeled with the revision date and the nature of the updates. 

Following any revision or the release of a new document, workforce members acknowledge receipt and understanding of the material. This is completed through a documented acknowledgment process, where workforce members confirm that they have read, understood, and agree to comply with the policies and/or procedures outlined. 

Training and Education 

The Company provides comprehensive training and education programs to all workforce members, ensuring that they are equipped with the knowledge and tools necessary to uphold our standards and values. We utilize a leading training and awareness platform to deliver specialized educational modules tailored to meet both organizational and compliance requirements.

Upon onboarding, every new workforce member is required to complete a thorough training and education program, which includes mandatory compliance, privacy, and risk management curriculums. In addition to onboarding training, all workforce members must complete refresher courses on an annual basis. These courses are continuously updated to reflect changes in laws, regulations, and industry standards. 

Effective Lines of Communication and Disclosure Programs 

We provide multiple channels for employees, contractors, vendors, and other stakeholders to ask questions and raise concerns about potential violations of company policies, compliance requirements, and ethical standards. Encouraging open lines of workforce member communication is a core part of our Program. 

To effectuate this element, we have implemented our EthicsPoint Incident Management System, a secure and robust platform designed to allow individuals to report any compliance or ethical issues they may encounter. The system allows users to submit reports anonymously, ensuring they can raise concerns without fear of retaliation.

Reports submitted through this system are immediately reviewed by the Compliance, Privacy & Risk Management team and are investigated in a timely and thorough manner. 

In addition to the online system, we maintain a compliance telephone hotline that is available 24/7, providing another confidential and anonymous reporting channel. The hotline is operated by an independent third party to protect the privacy of individuals who report concerns, and it is accessible both domestically and internationally. Callers have the option to remain anonymous and can trust that all reports will be investigated with the utmost integrity and discretion. 

All reports—whether submitted through the EthicsPoint system, the hotline, or directly to the Compliance, Privacy, and Risk Management team—are treated with the highest degree of sensitivity. The organization has strict anti-retaliation policies in place, ensuring that individuals who come forward with information are protected from any adverse action. When a report is submitted anonymously, every effort is made to communicate updates to the reporter via their chosen reporting method while preserving their anonymity throughout the investigative process. 

For those who wish to discuss issues directly, the Chief Compliance & Privacy Officer is available for one-on-one consultations via secure communication channels. We encourage proactive engagement to clarify any concerns about company policies, compliance obligations, or potential risks. Workforce members may reach out through one of our many communication channels, including email, Microsoft Teams, and Salesforce.

Enforcing Standards 

A robust Code of Conduct & Values is essential for upholding the integrity and ethical standards within our Company. Enforcing these expectations ensures that all employees adhere to legal, regulatory, and Company policies. Our Program emphasizes clear communication of standards and provides training to support understanding and adherence. Consistent enforcement of these standards protects the Company’s reputation and promotes a positive work environment for all workforce members. 

Disciplinary guidelines are central to maintaining fairness and accountability. We apply sanctions equitably, with actions taken in response to violations that are proportionate to the severity of the misconduct. These measures include progressive steps, ranging from verbal coaching up to termination, depending on the nature and frequency of the behavior. By ensuring consistent application of disciplinary actions, we reinforce the importance of compliance and foster a culture of responsibility and trust. 

Risk Assessment, Auditing, and Monitoring

The Company has structured the Program to proactively identify and manage risks across the organization. This includes conducting a Company-wide enterprise risk assessment, which allows us to evaluate potential threats to operations, data security, and compliance requirements. Additionally, we perform a thorough HIPAA assessment to ensure our practices are aligned with privacy and security regulations, protecting sensitive health information and mitigating potential breaches.

Ongoing monitoring and auditing are key components of our risk management strategy. Through continuous surveillance and periodic audits, we assess compliance with Company policies and regulatory requirements, identifying areas of improvement. Regular monitoring ensures that any risks are promptly detected, enabling the Company to implement corrective actions as needed. This process helps us maintain compliance, safeguard business operations, and reduce the likelihood of non-compliance incidents or violations.

Responding to Detected Offenses and Developing Corrective Action Plans

We emphasize swift and effective response to any detected offenses or non-compliance issues. When a violation is identified, whether through monitoring, reporting, or audits, we take immediate action to assess the situation thoroughly. This ensures that the root cause is understood and addressed, and that any necessary corrective steps are implemented to prevent recurrence. 

In addition to addressing the immediate concerns, we contribute to corrective action plans tailored to the specific circumstances of each violation. These plans outline the steps necessary to correct the issue, improve compliance, and mitigate future risks. The corrective action plans are tracked for effectiveness, and ongoing support is provided to ensure long-term adherence. 




 Last Updated March 31, 2025