RadNet Privacy Statement

Effective Date: January 1, 2023

Last Updated: May 12, 2026

Who We Are

RadNet, Inc. and its subsidiaries and affiliated companies (collectively "RadNet," "our," or "we") are committed to respecting your privacy. This Privacy Statement describes our policies and practices on the collection, use, disclosure, and storage of Personal Information and the steps we take to protect it from unauthorized use or disclosure. To the extent permitted by applicable law, by providing us your Personal Information or otherwise interacting with us, you are agreeing to this Privacy Statement. We may change this Privacy Statement from time to time. If we make changes, we will notify you by revising the date at the top of this policy and, in some cases, we may provide you with additional notice (such as adding a statement to our website or sending you a notification). We encourage you to review this Privacy Statement regularly to stay informed about our information practices and the choices available to you.

Purpose and Scope of this Privacy Statement

This Privacy Statement applies to all RadNet websites, digital services activities, mobile applications and our other online or offline offerings which link to, or are otherwise subject to, this Privacy Statement, including, but not limited to RadNet marketing sites and patient/provider portals (collectively our "Sites") and, where applicable, will apply to Personal Information that we obtain and process other than through the Sites (for example, Personal Information collected when contacting our customer service team, engaging with us on social media, or otherwise interacting with us).

Special Note to RadNet Patients: If you are a patient, please note that this Privacy Statement is distinct from our HIPAA Notice of Privacy Practices, which describes how we use and disclose individually identifiable information about you that we collect, as well as any other privacy practices we apply to the data and information generated or created in connection with your receipt of healthcare services at our Sites. For patients receiving services at our Idaho facilities (including Intermountain Medical Imaging locations), please also review the Idaho-Specific Supplement below, which addresses additional protections under Idaho state law and federal regulations applicable to those facilities.

If you are a consumer residing in the United States ("U.S.") and your state has enacted a comprehensive privacy law, please review our Supplemental U.S. Privacy Notice provided pursuant to relevant U.S. state laws, including the California Consumer Privacy Act, as amended by the California Privacy Rights Act, the Delaware Personal Data Privacy Act, the Maryland Online Data Privacy Act, the New Jersey Senate Bill 332, the Texas Data Privacy and Security Act, the Virginia Consumer Data Protection Act, and the Indiana Consumer Data Protection Act. The Supplemental U.S. Privacy Notice includes general information regarding our collection, use, and disclosure of Personal Information of consumers in those respective states.

If you are a resident of California interacting with us as an applicant for a job posting or in a professional capacity—for example, if you are a healthcare provider or an employee of a company with which we do business, or when we undertake employment recruiting activities of California residents—please see the Supplemental U.S. Privacy Notice for information regarding the processing of your Personal Information.

If you are a California resident interacting with us as a current or former employee, or a dependent, beneficiary, or emergency contact of a current or former employee, this Privacy Statement does not apply to you. Please refer to our California Employee Privacy Notice for information regarding the processing of your Personal Information. Please email privacy@radnet.com to request a copy of this Notice.

Please note that our Sites might offer links to other websites that are owned or controlled by third parties. This Privacy Statement applies only to RadNet's Sites. We do not control or endorse the content of any third-party sites and cannot accept responsibility for the privacy practices of any websites not controlled by us and we encourage you to review the privacy policies of any third-party sites prior to providing them with any of your Personal Information.

Click on any of the links below to visit the specific area of this Privacy Statement or continue scrolling down to read this Privacy Statement in its entirety.

• HIPAA Notice of Privacy Practices

• Supplemental U.S. Privacy Notice

• Idaho-Specific Supplement

• HIPAA-Related Provisions

• Supplemental Disclosures for Texas, Virginia, and Indiana Residents

CONTENTS

• Collection of Information

• Use of Information

• Disclosure of Information

• Protection of Information

• Retention of Information

• Transfer of Information to the United States and Other Countries

• Your Privacy Choices

• Children's Privacy

• Supplemental U.S. Privacy Notice

• Supplemental Disclosures for Texas, Virginia, and Indiana Residents

• Idaho-Specific Supplement

• HIPAA-Related Provisions (Including 42 CFR Part 2 and Reproductive Health Care)

• Supplemental Disclosures for Individuals in Europe

• Contact Us

COLLECTION OF INFORMATION

This section describes Personal Information you may choose to provide to us, as well as our practices for the automatic collection and use of certain information related to the use and navigation of our Sites. We define Personal Information as information that can (directly or indirectly) identify, locate, or be used to contact you or communicate with you, such as your name, address, telephone number, e-mail address, characteristics, or descriptions (such as gender and date of birth), and other similar and associated information ("Personal Information").

Personal Information includes certain subsets of Personal Information that are considered "sensitive" pursuant to applicable laws; information including government-issued identifiers (such as social security, driver's license, or passport number), racial or ethnic origin, veteran or immigration status, or health or medical status, healthcare products used, or services received ("Sensitive Personal Information"). Personal Information is given the same protection by us, whether we receive it through a Site or by other means. The descriptions below apply to Personal Information collected or received by us, no matter how the information was received.

Information You Provide to Us

We collect information you provide directly to us. For example, you share information directly with us when you interact with us, such as when registering on our Sites, making payments, using any interactive features or applications, signing up to receive a newsletter, scheduling a service at one of our facilities, or applying online for a job with RadNet. Before providing Sensitive Personal Information to us, we urge you to carefully consider whether to disclose it. If you do provide Sensitive Personal Information to us, you are consenting to its use and disclosure for the purposes and in the manner described at the time of collection and as set forth in this Privacy Statement.

Information We Collect Automatically When You Interact with Us

When you access or use our Sites or otherwise engage with us, we automatically collect certain information, including:

• Device and Usage Information: We collect information about your activity with our Sites, such as entrance or access dates and times, pages viewed, links clicked, and the page you visited before navigating to our websites. We also collect information about how you access our Sites, including data about the device and network you use, such as your hardware model, operating system version, mobile network, IP address, unique device identifiers, browser type, app version, and system settings such as language your system uses (collectively, "Usage Data"). Usage Data also includes the IP Address of the device you use to connect to the Internet that is collected by our Site server logs. An IP Address is a unique identifier devices use to identify and communicate with each other on the Internet. In certain circumstances, where we link Usage Data and Personal Information, Usage Data may be considered Personal Information. Usage Data may also allow us to identify the country, region, and time zone in which your device is located so we may direct you automatically to the content that is appropriate for your location.

• Other Data Collection Technologies (e.g., Digital Advertising and Cookies): When you use our Sites, we collect different types of Usage Data by automated means, using technologies such as APIs, web services, scripts, cookies, pixels, tags, web beacons, browser analysis tools, and server logs. Using these technologies, we may also collect data about the website you were visiting before you came to our Site, and the website you visit after you leave our Site. We may also use vendors, such as Adobe and Google, to place cookies and collect data to enable certain services we use, including advertising, visitor tracking, personalization, site analytics and security services, including reCAPTCHA, and the data may be disclosed to our vendors for these purposes. Other data may be disclosed to vendors providing additional services integrated into our Sites, including performance monitoring, user experience components such as user interface frameworks, images and web fonts, maps, and ecommerce functionality. When we send email communications, we may place a web beacon or similar tracking technology in the email to know whether your device can receive HTML emails, or to collect data on whether the email or an attachment or link in the email has been opened or forwarded. When you use our Sites, we may place cookies on your computer. Cookies are small text files that websites or mobile apps send to your computer or other Internet-connected device to uniquely identify your browser or to store data or settings in your browser. Cookies allow us to recognize you when you return. They also help us provide a customized experience and enable us to detect certain kinds of fraud. Some of our Sites may use web storage instead of cookies. We may also use or permit cookies from third-party advertising companies that place an advertising tag on your web browser. The advertising tag allows third parties to serve our ads to you on other websites and digital services. These third-party companies may use information obtained from cookies and other data collection tools to measure advertising effectiveness and provide advertisements of interest to you on these other websites. You may opt-out of receiving targeted advertising by clicking on the My Privacy Choices link in the website footer. In many cases, the data we collect using cookies and other tools is only used in a non-identifiable way, without any reference to Personal Information. However, under some privacy and data protection laws, this data could be considered Personal Information. This Privacy Statement governs how we use this data when it is considered to be Personal Information. For more information about cookies and how to disable them, please review the Your Choices section below.

• Location Information: In accordance with your device permissions, we may collect information about the precise location of your device. You may stop the collection of precise location information at any time (see the Your Choices section below for details).

Information We Collect from Other Sources

We obtain information from third-party sources. For example, we may collect information about you from healthcare providers or their practices, professional associations, advertising networks, and data analytics providers. Additionally, if you contact RadNet through a third-party platform (such as Facebook or LinkedIn), we will have access to certain information from that platform, such as your name, birthday, and profile picture, in accordance with the authorization procedures determined by such platform. Additional information sources include job applicants' paper applications and attendance records from educational or other events. We also collect information from our vendors, suppliers, consultants, professional advisors, and other third parties for the purposes of managing and operating our business. For example, we collect business contact information, financial information, and other information necessary to engage and evaluate suppliers, business partners, and potential merger and/or acquisition targets.

Information We Derive

We may derive information or draw inferences about you based on the information we collect. For example, we may make inferences about your location based on your IP address.

USE OF INFORMATION

RadNet uses the information we collect to provide, maintain, and improve our services, products and Sites as well as for our business, operational, educational and legal purposes, including to:

• Provide, operate, and maintain the Sites;

• Process transactions and send you related information, including confirmations, receipts, invoices, and user experience surveys;

• Personalize and improve your experience on our Sites;

• Send you technical notices, security alerts, and support and administrative messages;

• Respond to your requests, comments and questions and provide customer service;

• Authenticate and verify individual identities, including requests to exercise your rights under this Privacy Statement;

• Communicate with you about products, services, and events offered by RadNet and others and provide news and information that we think will interest you (see the Your Choices section below for information about how to opt out of these communications at any time);

• Monitor and analyze trends, usage, and activities in connection with our Sites;

• Tailor and provide you with information about the services provided at our imaging centers and appointments you may have or need in the future;

• Create anonymized or de-identified data so it is no longer Personal Information;

• Carry out research and development activities to improve our products and services;

• Develop new products and services;

• Assess financial, credit, or insurance risks arising from any relationship or prospective relationship with a customer, supplier, distributor, or business partner;

• Detect, investigate, and prevent security incidents and other malicious, deceptive, fraudulent, or illegal activity and protect the rights and property of RadNet and others;

• Debug to identify and repair errors in our Sites;

• Comply with our legal and financial obligations; and

• Carry out any other purpose described to you at the time the information was collected.

We will give you an opportunity to tell us whether we may use your Personal Information to send you other information about RadNet's products, activities, or opportunities. In most circumstances, you will be able to "unsubscribe" from these communications by following the instructions provided at the time you sign up for the communications or that are included in such communications. Please see the Your Choices section below for information about how to opt out of these communications at any time.

We may use the Usage Data we and our partners collect during your future visits. This information allows us to direct you to relevant content on the Sites and to remember your computer/device the next time you visit. If you visit multiple RadNet Sites, we may aggregate the Usage Data from your visits to better understand usage of our Sites.

DISCLOSURE OF INFORMATION

We may disclose your Personal Information with companies, organizations, and individuals outside of RadNet as described below and throughout this Privacy Statement. For example, we disclose Personal Information:

• With vendors, service providers, and consultants that need access to Personal Information to perform services for us, such as companies that assist us with web hosting, payment processing, fraud prevention, customer service, and marketing and advertising. These vendors, service providers, and consultants are bound by law or contract to protect Personal

  Information and only use Personal Information in accordance with our instructions or the agreements we have signed, which align with our obligations under this Policy.

• Publicly on our Sites if you submit a review or post content in another public area of our Sites.

• With integration partners such as Google, Acquia, YouTube, Vimeo and others, if you choose to use integrations we offer on our Sites, such as sharing your location through our Google Maps integration.

• With third-party advertising partners who may set technologies and other tracking tools on our Sites to collect information regarding your activities and your device (e.g., your IP address, cookie identifiers, page(s) visited, location, time of day). These advertising partners may use this information (and similar information collected from other services) for purposes of delivering personalized advertisements to you when you visit digital properties within their networks. This practice is commonly referred to as "interest-based advertising", "personalized advertising", or "targeted advertising."

• If we believe that disclosure is in accordance with, or required by, any applicable law or legal process, including lawful requests by public authorities to meet national security or law enforcement requirements.

• If we believe: (i) your actions are inconsistent with our user agreements or policies; (ii) it necessary to investigate, prevent, or take action regarding illegal activities including fraud, or to protect the rights, property, and safety of RadNet, our users, the public, or others; (iii) it appropriate to support external, compliance, and corporate governance functions; and (iv) as otherwise required by law.

• With our lawyers, auditors, and other professional advisors where necessary to obtain advice or otherwise protect and manage our business interests.

• In connection with, or during negotiations concerning, any merger, sale of company assets, financing, or acquisition of all or a portion of our business by another company. We try to assure that no Personal Information that is transferred will be used or shared in a manner inconsistent with this Privacy Statement without your consent. However, in the event of a sale or merger, your continued use of this Site signifies your agreement to be bound by the Privacy Statement and other applicable terms of the subsequent owner or operator.

• Between and among RadNet and our current and future parents, affiliates, and subsidiaries and other companies under common control and ownership.

• With your consent or at your direction.

We also share aggregated or de-identified information that cannot reasonably be used to identify you. For example, we may publish reports that contain aggregate and statistical data about our customers.

Please note: While we do not directly sell, rent, or loan your Personal Information (except as set forth herein), certain state laws have adopted a broad definition of a "sale" and may treat certain of these disclosures as "sales" under their definitions. Please see the "Supplemental U.S. Privacy Statement" for additional information.

Sale of Protected Health Information: With respect to protected health information maintained by RadNet's healthcare facilities (including our Idaho imaging centers), we will not sell or exchange your health information for any type of financial remuneration without your written authorization, as required by HIPAA.

PROTECTION OF INFORMATION

Consistent with applicable laws and requirements, we have implemented reasonable physical, technical, and administrative safeguards designed to protect Personal Information from loss, misuse, alteration, theft, unauthorized access, and unauthorized disclosure consistent with legal obligations and industry practices. However, as is the case with all websites, applications, products, and services, we are not able to guarantee security for data collected through our Sites. We are not responsible for any interception or interruption of any communications or for changes to or losses of data through the internet. Users of the Sites are responsible for maintaining the security of any password, user ID, or other form of authentication involved in obtaining access to password protected or secure areas of the Sites. Any access to the Sites through your user ID and password will be treated as authorized by you. If we believe it is necessary or advisable to help protect your Personal Information and/or the integrity of the Sites, we may suspend your use of all or part of the Sites, without notice. Unauthorized access to any of the Sites is prohibited and may lead to criminal prosecution.

Notice of Unauthorized Disclosures (Breach Notification): If RadNet causes or permits your protected health information to be disclosed to an unauthorized person in a manner that constitutes a breach under HIPAA (45 CFR §§ 164.400–414) or applicable state law, RadNet will notify you of the breach and take reasonable steps to help you mitigate any potential adverse effects. For patients at our Idaho facilities, we will provide notification in accordance with both HIPAA breach notification requirements and the Idaho Identity Theft Protection Act (Idaho Code § 28-51-105), which requires notification to affected Idaho residents without unreasonable delay.

RETENTION OF INFORMATION

We retain information as is necessary and relevant for our business, operational, and legal purposes. In addition, we retain Personal Information pursuant to our record retention policies and schedules to comply with applicable law, prevent fraud, resolve disputes, troubleshoot problems, assist with any investigation, enforce our policies and other actions permitted by law. The criteria used to determine our retention periods include: (i) the length of time we have an ongoing relationship with you; (ii) whether there is a legal obligation to which we are subject that affects the Personal Information; and (iii) whether retention is determined to be necessary or advisable for RadNet due to applicable statutes of limitations, litigation, or other legal or regulatory obligations. We take reasonable steps to appropriately dispose of Personal Information upon the expiration of retention periods taking into consideration these litigation, legal, or regulatory obligations. Whenever possible, we de-identify the information or otherwise remove some or all information that may identify you from records that we may need to keep for periods beyond the specified retention period.

TRANSFER OF INFORMATION TO OTHER COUNTRIES

Although this Site content is intended for a United States' audience, RadNet is a global company and any information that you provide or we collect, will be available to RadNet affiliates and vendors around the world. This means that your information may be transmitted to or accessible by our affiliates and vendors located in a country other than the country in which you reside, including the U.S. Please know the privacy and data protection laws in these countries may not be as protective as those of the country in which you reside and could be subject to government access in these countries.

However, regardless of the country to which your Personal Information is transferred, it will be protected in a manner consistent with the protections described in this Privacy Statement. By using this Site, you consent to the collection, use, storage, and processing of your Personal Information in the U.S. and in any country to which we may transfer your Personal Information in the course of our business operations. In addition, where necessary and applicable, RadNet may transfer Personal Information relating to individuals in the European Economic Area, the United Kingdom, and Switzerland to other countries in reliance on Standard Contractual Clauses and in accordance with our Supplemental Disclosures for Individuals in Europe.

YOUR PRIVACY CHOICES

When using the Sites, you will be given opportunities to make choices about the data we receive and how we use it. Residents of California, Delaware, Maryland, New Jersey, Texas, Virginia, and Indiana and individuals within the EU, the United Kingdom, and Switzerland are encouraged to review the relevant supplemental notices provided below (Supplemental U.S. Privacy Notice; Supplemental Disclosures for Individuals in Europe). Individuals within Europe may opt out of receiving targeted advertising through the European Interactive Digital Advertising Alliance.

Account Information

You may update and correct certain account information at any time by logging into your account or, if you do not have an account, by mailing us at privacy@radnet.com or by calling 877-785-0009. If you wish to deactivate your account, please visit https://www.radnet.com/legal/form/privacy-rights-request, but note that we may retain certain information as required by law or for our legitimate business purposes.

Location Information

If you initially consent to our collection of such location information, you may later stop the collection of this information at any time by changing the preferences on your browser and/or computer. You may also stop our collection of this location information by following the standard uninstall process to remove all or some of our mobile apps from your device. If you stop our collection of this location information, some features of our mobile applications may no longer function properly.

Cookies

Most web browsers are set to accept cookies by default. If you prefer, you may usually adjust your personal browser settings to remove or reject browser cookies. Please note that removing or rejecting cookies may affect the availability and functionality of our Sites. You also have the options described above in the Digital Advertising, Cookies and Other Data Collection Technologies section of this Privacy Statement.

• Google Analytics. For more information about how Google uses your personal information, please visit Google Analytics' Privacy Policy. To learn more about how to opt-out of Google Analytics' use of your personal information, please click here.

• YouTube. For more information about how YouTube uses your personal information, please visit YouTube's Privacy Policy. To learn more about how to opt-out of YouTube's use of your personal information, please click here.

• DoubleClick. For more information about how DoubleClick uses your personal information, please visit DoubleClick's Privacy Policy. To learn more about how to opt-out of DoubleClick's use of your personal information, please click here.

• Meta Ads. For more information about Meta's use of your personal information, please visit Meta's Data Policy. To learn more about how to opt-out of Meta's use of your information, please click here while logged in to your Facebook account.

• Pinterest. For more information on how Pinterest uses your personal information, please visit Pinterest's Data Policy. To learn more about how to opt-out of Pinterest's use of your information, please click here.

• Vimeo. For more information on how Vimeo uses your personal information, please visit Vimeo's Data Policy. To learn more about how to opt-out of Vimeo's use of your information, please click here.

• Acquia. For more information on how Acquia uses your personal information, please visit Acquia's Data Policy. Acquia does not sell your Personal Information.

• Acquia Optimize. For more information on how Acquia Optimize uses your personal information, please visit Acquia Optimize's FAQ cookies.

Do Not Track Signals and Global Privacy Control

Certain web browsers and other programs may transmit "do-not-track" or "opt-out" signals, also called Global Privacy Control signals (collectively, "GPC Signals"), to websites with which the browser communicates. In most cases, you will need to change your web browser's settings or add an application to your web browser to enable it to send a GPC Signal. Our Sites will recognize GPC Signals for website users based on the location of the user when they access our websites. Some web browsers incorporate other "do-not-track" ("DNT") or similar features to signal websites with which the browser communicates that a visitor does not want to have their online activity tracked. As of the Effective Date, not all web browsers offer a DNT option and DNT signals are not yet uniform. For this reason, our Sites along with many other digital service operators do not respond to all DNT signals. We recognize GPC signals as required under certain state privacy laws, but we do not currently recognize other DNT signals. For more information about the Global Privacy Control, please visit https://globalprivacycontrol.org.

Communications Preferences

You may opt out of receiving promotional communications from RadNet (e.g., email and texts) by following the instructions in those communications or by submitting a request through Your Privacy Choices. If you opt out, we may still send you non-promotional communications, such as those about your account or our ongoing business relations.

Mobile Push Notifications

With your consent, we may send push notifications to your mobile device. You can deactivate these messages at any time by changing the notification settings on your mobile device. No mobile information will be shared with third parties/affiliates for marketing/promotional purposes. All the above categories exclude text messaging originator opt-in data and consent; this information will not be shared with any third parties, including affiliate or business partners. The opt-in is not transferable to another party involved in the process.

CHILDREN'S PRIVACY

RadNet does not intend to collect Personal Information from children under age 13 without consent from the child's parent or legal guardian. We do not share Personal Information of anyone under 13 years of age with anyone outside of RadNet except where required by law and with vendors, service providers, and consultants bound by law or contract to protect Personal Information and only use Personal Information in accordance with our instructions or the agreements we have signed with them. Children under 13 years of age should not submit any Personal Information to us without the express permission of their parent or legal guardian. If you believe that your child has submitted Personal Information and you would like for it to be removed from our systems, please submit a request through Your Privacy Choices. We will make reasonable efforts to comply with your request.

SUPPLEMENTAL U.S. PRIVACY STATEMENT

This Supplemental U.S. Privacy Statement ("U.S. Statement") section supplements this Privacy Statement and addresses legal obligations and rights arising from U.S. state privacy laws, including those in California, Delaware, Maryland, New Jersey, Texas, Virginia, and Indiana—respectively, the California Consumer Privacy Act ("CCPA"), which includes amendments and implementing regulations under the California Privacy Rights Act ("CPRA"), the Delaware Personal Data Privacy Act, the Maryland Online Data Privacy Act, the New Jersey Senate Bill 332, the Texas Data Privacy and Security Act ("TDPSA"), the Virginia Consumer Data Protection Act ("VCDPA"), and the Indiana Consumer Data Protection Act ("ICDPA"). This

U.S. Statement only applies to residents of those states.

We will process any Personal Information we collect in accordance with applicable law and as described in this Privacy Statement (unless, as explained above, a separate policy or notice governs). In some circumstances, if you do not provide us with your Personal Information, certain Sites may be unavailable to you.

This U.S. Statement provides the information required under applicable U.S. state laws and applies to both RadNet's online and offline activities relative to our processing of your Personal Information. This U.S. Statement and the relevant U.S. state laws do not apply to information that has been de-identified or aggregated. Some of the Personal Information that we collect, use, and disclose may, pursuant to provisions in the relevant laws, be exempt because it is regulated by other federal and state laws that apply to us.

Definition of Personal Information. "Personal Information" is any information—as electronically or otherwise recorded—that may be used to identify a person or that we may link to or associate with a specific individual. Personal Information may include information considered sensitive in some jurisdictions, such as biometric information, genetic information, health information, financial account information, specific geolocation, ethnic or racial origin, information concerning your sex life or your sexual orientation, social security number, driver's license, state identification card, passport number, and other similar information.

Notice at Collection

At or before the time of collection, U.S. consumers residing in a state with a comprehensive privacy law have a right to receive notice of our privacy practices. Such consumers can find this information below.

Personal Information Collected. See the section of this Supplemental U.S. Privacy Statement titled "Overview of Personal Information Collected, Disclosed, Sold and/or Shared" for a list of Personal Information which may be collected. If we have previously collected Personal Information in the past 12 months, we may collect that Personal Information from you.

Uses of Personal Information. See the section of this Supplemental U.S. Privacy Statement titled "Overview of Personal Information Collected, Disclosed, Sold and/or Shared" for a list of the purposes for which we use Personal Information.

Is Personal Information "Sold" or "Shared" for "Cross-Context Behavioral Advertising"?No.

How Long is Personal Information Retained For? To determine the appropriate retention period for Personal Information, we may consider applicable legal requirements, the amount, nature, and sensitivity of the Personal Information, certain risk factors, the purposes for which we process your Personal Information, and whether we can achieve those purposes through other means.

Additional Information. For more information on our privacy practices, please review this Supplemental U.S. Privacy Statement and our Privacy Statement.

Importantly, the section of our Privacy Notice titled "Your Personal Information Rights" includes important details about how you can exercise some of the rights afforded to U.S. consumers residing in a state with a comprehensive privacy law.

Overview of Personal Information Collected, Disclosed, Sold and/or Shared

U.S. consumers, affiliated medical professionals and California job applicants residing in a state with a comprehensive privacy law are provided with the right to know what categories of personal information we have collected about them, whether we disclosed that Personal Information for a business purpose (e.g., to a service provider), whether we "sold" that Personal Information, and whether we "shared" that personal information for "cross-context behavioral advertising" in the preceding twelve months. U.S. consumers residing in a state with a comprehensive privacy law may find this information in the detailed charts provided in the full Privacy Statement, organized by category of individual (Consumers/Patients/Caregivers/Facility Visitors; California Professionals; and California Job Applicants).

See Charts

Other Uses of Personal Information

• De-Identification. We may de-identify your Personal Information, which means it will remove certain data from your Personal Information, such as Contact Information, such that the resulting data would not be able to identify you or anyone else as the subject of the data. The de-identified data will no longer be Personal Information and may no longer be subject to data protection laws. We will not attempt to re-identify you or anyone else from this de-identified data and if we disclose it to third parties, we will require that they commit to not attempting to reidentify you or anyone else from the de-identified data. We will use de-identified data for our business purposes.

• Third Parties

• Third Party Advertising: We may share Personal Information about you (as set forth in the charts above) to third-party advertising network companies. We use third-party advertising network companies to place ads on other websites, including network advertising companies with whom we work who place their own cookies on your browser when you visit our Site. This enables these third-party advertising network companies to collect and use data from their cookie on your browser, which may include information about your visits to this and other websites. These advertising companies use and further disclose this information to deliver advertisements about our goods and services to you when you are on other websites. These advertisements will often be tailored to you. These advertisers may in turn disclose the information about you collected from their cookies to other advertisers to allow those advertisers to display ads to you as well. You may opt-out of our disclosure of your Personal Information for these purposes as set forth below. For further information about how else we use cookies and other digital technologies, please see the Digital Advertising, Cookies and Other Data Collection Technologies section of the Privacy Statement.

• Service Providers: Service providers acting on our behalf must execute agreements requiring them to maintain confidentiality and to process Personal Information as necessary to perform their functions in a manner consistent with this Statement, other applicable privacy notices, and as explicitly permitted or required by applicable laws, rules, and regulations.

• Combination of Data with Data Received from Third Parties: We may combine information we collect, including Personal Information, with Personal Information that we may obtain from third parties.

• Links to Other Websites: Our Products and Sites may contain links to other websites, applications, products, or services we do not own or operate, such as social media websites and applications like Facebook and LinkedIn. You should carefully review the privacy policies and practices of other websites, products, and services as we cannot control and are not responsible for privacy policies, notices, or practices of third-party websites, applications, products, and services.

Disclosure Regarding Individuals Under the Age of 16

RadNet has actual knowledge of a "sale" of personal information of minors under 16 years of age. RadNet has actual knowledge of "sharing" of personal information of minors under 16 years of age for "cross-context behavioral advertising."

Disclosure Regarding Sensitive Personal Information

We only use and disclose Sensitive Personal Information for the following purposes:

• To perform the services or provide the goods reasonably expected by an average consumer who requests those goods or services.

• To prevent, detect, and investigate security incidents that compromise the availability, authenticity, integrity, and or confidentiality of stored or transmitted Personal Information.

• To resist malicious, deceptive, fraudulent, or illegal actions directed at RadNet and to prosecute those responsible for those actions.

• To ensure the physical safety of natural persons.

• For short-term, transient use.

• Maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, providing analytic services, providing storage, or providing similar services.

• To verify or maintain the quality or safety of a product, service, or device that is owned, manufactured, manufactured for, or controlled by us, and to improve, upgrade, or enhance the service or device that is owned, manufactured by, manufactured for, or controlled by us.

• For purposes that do not infer characteristics about individuals.

Your Personal Information Rights

Please note that in many circumstances, we cannot effectively do business with you without processing some Personal Information about you (e.g., your contact information). For example, when you contact our customer service representatives, we may require you to provide information to authenticate your identity to assist you with your request. If you are unable to provide this information, we may be unable to process your request.

To the extent that the state in which you live has a privacy law providing you with Personal Information rights, we will provide the following rights to you based on your state's law:

• To opt-out of sharing your Personal Information for cross-context behavioral advertising or, in other states, to opt-out of targeted advertising;

• To request access to and a copy of your Personal Information, including to provide your Personal Information directly to another organization;

• To request to know about the Personal Information we process about you or to request to acknowledge our processing of your Personal Information;

• To request that we correct your Personal Information;

• To request that we delete your Personal Information;

• To opt-out of or restrict processing of Sensitive Personal Information;

• To appeal the denial of a request; and

• To lodge a complaint with the data protection authority in your jurisdiction.

To opt-out of sharing Personal Information or opt-out of targeted advertising, please follow the instructions provided by clicking on the Your Privacy Choices link in the website footer.

We will not discriminate against you for exercising any of the rights described above, although we may not be able to continue to provide you Products and Sites, or it may otherwise affect the way we are able to interact with you. To learn if your state provides these or similar Personal Information rights, please review the following section on How to Submit a Data Privacy Rights Request.

How to Submit a Data Privacy Rights Request

To submit a Personal Information rights request pursuant to state privacy laws, please use one of the following methods:

• By completing and submitting the form found on the Your Privacy Choices link in the website footer

• By contacting us at 877-785-0009

We will make reasonable efforts to respond promptly to your requests in accordance with applicable laws. We may, after receiving your request, require additional information from you to honor your request and verify your identity. Please be aware that we may be unable to afford these rights to you under certain circumstances, such as if we are legally prevented from doing so.

You may designate an authorized agent to assist you in exercising any of your rights stated above. When you use an authorized agent to submit a rights request on your behalf, you must provide the authorized agent with written permission to do so, and, in certain circumstances, we may ask you to verify your own identity directly with us. We may deny a request from an authorized agent that does not submit proof that they have been authorized by you to act on your behalf.

In the event you wish to make a complaint about how we process your Personal Information, please contact us at privacy@radnet.com and we will handle your request as soon as possible. Even if you make a complaint to us, you may always lodge a complaint with the relevant authority in your location.

When we receive your Personal Information from our customers and process your Personal Information on their behalf, we do so at their request and subject to their instructions. We do not have control over our customers' privacy and security practices and processes. If your Personal Information has been submitted to us by a RadNet customer and you wish to exercise any of the above-mentioned rights, please contact the relevant customer directly.

Right of Non-Discrimination for Exercise of Personal Information Rights

RadNet will not discriminate against any person exercising their rights under applicable state privacy laws. Discrimination, in this context, includes that, as a result of exercising any of your Personal Information rights, you are denied goods or services, charged different prices for goods or services, or provided a different level of quality.

California, Virginia, Texas, or Indiana residents who are unable to review or access this Supplemental U.S. Privacy Statement due to a disability may contact us to request access to this Policy in an alternative format. Please call 877-785-0009 or email us at privacy@radnet.com.

Supplemental Disclosures for Texas, Virginia, and Indiana Residents

The following supplemental disclosures apply to residents of Texas, Virginia, and Indiana, in accordance with the Texas Data Privacy and Security Act ("TDPSA"), the Virginia Consumer Data Protection Act ("VCDPA"), and the Indiana Consumer Data Protection Act ("ICDPA"), respectively. These disclosures supplement the information provided elsewhere in this Privacy Statement and Supplemental U.S. Privacy Statement.

Important HIPAA Exemption Note: To the extent that RadNet acts as a HIPAA-covered entity, protected health information ("PHI") collected, used, or disclosed in connection with the provision of healthcare services is exempt from the TDPSA, VCDPA, and ICDPA. The rights and disclosures described in this section apply to Personal Information that is not otherwise subject to HIPAA or other exempt federal or state laws.

Applicability

• Texas (TDPSA): Effective July 1, 2024, the TDPSA applies to persons that conduct business in Texas or produce products or services consumed by Texas residents and that process or engage in the sale of personal data. Unlike certain other state privacy laws, the TDPSA does not impose revenue or data volume thresholds for applicability.

• Virginia (VCDPA): Effective January 1, 2023, the VCDPA applies to persons that conduct business in Virginia or produce products or services targeted to Virginia residents and that (i) control or process the personal data of at least 100,000 Virginia consumers during a calendar year, or (ii) control or process the personal data of at least 25,000 consumers and derive over 50% of gross revenue from the sale of personal data.

• Indiana (ICDPA): Effective January 1, 2026, the ICDPA applies to persons that conduct business in Indiana or produce products or services targeted to Indiana residents and that (i) control or process the personal data of at least 100,000 Indiana consumers during a calendar year, or (ii) control or process the personal data of at least 25,000 consumers and derive over 50% of gross revenue from the sale of personal data.

Categories of Personal Data Processed

RadNet may process the following categories of personal data of Texas, Virginia, and Indiana consumers in connection with our Sites and non-healthcare business activities:

• Identifiers and contact information (e.g., name, email address, phone number, postal address);

• Internet and device information (e.g., IP address, browser type, device identifiers, cookies, and browsing activity);

• Geolocation data (precise and imprecise);

• Commercial information (e.g., records of services obtained or considered, appointment information);

• Inferences drawn from the above categories;

• Audio/visual information (e.g., call recordings, CCTV footage at facilities); and

• Professional or employment-related information (where applicable).

For detailed information on the categories of Personal Information we collect and the purposes for which we use it, please refer to the "Overview of Personal Information Collected, Disclosed, Sold and/or Shared" section above.

Purposes of Processing

We process personal data of Texas, Virginia, and Indiana residents for the purposes described in the "Use of Information" section of this Privacy Statement, including to provide and improve our Sites and services, communicate with you, personalize your experience, conduct analytics, detect and prevent fraud, comply with legal obligations, and for advertising and marketing purposes.

Sensitive Data

Under the TDPSA, VCDPA, and ICDPA, "sensitive data" includes personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, citizenship or immigration status, genetic or biometric data processed for the purpose of uniquely identifying an individual, personal data collected from a known child, and precise geolocation data.

RadNet will not process sensitive data of Texas, Virginia, or Indiana residents without first obtaining the consumer's consent, except where processing is otherwise exempt under applicable law (including the HIPAA exemption described above). If we need to process your sensitive data for purposes other than those exempt under law, we will present you with a clear request for consent prior to such processing. You may withdraw your consent at any time by contacting us at privacy@radnet.com or by calling 877-785-0009.

Consumer Rights Under the TDPSA, VCDPA, and ICDPA

Residents of Texas, Virginia, and Indiana have the following rights with respect to their personal data that is not otherwise exempt:

• Right to Access: You have the right to confirm whether we are processing your personal data and to access such data.

• Right to Correct: You have the right to correct inaccuracies in your personal data, taking into account the nature of the data and the purposes of the processing.

• Right to Delete: You have the right to delete personal data that you have provided to us or that we have obtained about you.

• Right to Data Portability: You have the right to obtain a copy of your personal data in a portable and, to the extent technically feasible, readily usable format that allows you to transmit the data to another controller without hindrance.

• Right to Opt Out of Targeted Advertising: You have the right to opt out of the processing of your personal data for purposes of targeted advertising.

• Right to Opt Out of Sale: You have the right to opt out of the sale of your personal data. As noted in this Privacy Statement, RadNet does not directly sell personal data; however, certain disclosures to third-party advertising partners may constitute a "sale" under the broad definitions in some state laws.

• Right to Opt Out of Profiling: You have the right to opt out of profiling in furtherance of decisions that produce legal or similarly significant effects concerning you.

To exercise any of these rights, please use one of the following methods:

• By completing and submitting the form found on the Your Privacy Choices link in the website footer;

• By contacting us at 877-785-0009; or

• By emailing us at privacy@radnet.com.

Universal Opt-Out Mechanisms

RadNet recognizes and will process opt-out preference signals, including Global Privacy Control ("GPC") signals, sent by Texas, Virginia, and Indiana residents, as required by the TDPSA, VCDPA, and ICDPA. If we detect a GPC signal from your browser or device, we will treat it as a valid request to opt out of the sale of personal data and targeted advertising for that browser or device. For more information about GPC, please visit https://globalprivacycontrol.org.

Response Timelines

Upon receiving a verified consumer rights request from a Texas, Virginia, or Indiana resident, RadNet will respond within forty-five (45) days of receipt. If reasonably necessary due to the complexity of the request or the volume of requests received, we may extend the response period by an additional forty-five (45) days, provided we inform you of the extension within the initial forty-five (45) day period and explain the reason for the extension.

Verification of Requests

To protect your privacy, we will take reasonable steps to verify your identity before fulfilling your request. Verification methods may include matching information you provide with information we already maintain about you. If we cannot verify your identity to a reasonable degree of certainty, we may request additional information from you. If we are ultimately unable to verify your identity, we will inform you and explain why we cannot fulfill your request.

Right to Appeal

If we decline to take action on your consumer rights request, we will inform you of our decision and the reasons for that decision within the response period described above. You have the right to appeal our decision by contacting us at:

• Email: privacy@radnet.com

• Phone: 877-785-0009

Please include "Privacy Rights Appeal" in the subject line of your email or state this when calling. Upon receiving your appeal, we will respond within sixty (60) days (or within the timeframe required by applicable state law) with a written explanation of any action taken or not taken in response to the appeal, including a reasoned explanation of the basis for the decision.

• Texas residents: If your appeal is denied, you may contact the Texas Attorney General to submit a complaint at https://www.texasattorneygeneral.gov/consumer-protection/file-a-complaint.

• Virginia residents: If your appeal is denied, you may contact the Virginia Attorney General to submit a complaint at https://www.oag.state.va.us/consumer-protection/index.php/file-a-complaint.

• Indiana residents: If your appeal is denied, you may contact the Indiana Attorney General to submit a complaint at https://www.in.gov/attorneygeneral/consumer-protection-division/file-a-complaint/.

Data Protection Assessments

As required by the TDPSA, VCDPA, and ICDPA, RadNet conducts data protection assessments for processing activities that present a heightened risk of harm to consumers, including:

• Processing personal data for purposes of targeted advertising;

• The sale of personal data;

• Processing personal data for purposes of profiling where such profiling presents a reasonably foreseeable risk of certain harms; and

• Processing sensitive data.

These assessments evaluate the benefits of processing to RadNet, the consumer, other stakeholders, and the public against the potential risks to the rights of the consumer, with consideration given to the use of de-identification, consumer expectations, the context of the processing, and the relationship between RadNet and the consumer.

Sale of Personal Data

As stated elsewhere in this Privacy Statement, RadNet does not directly sell personal data in the traditional sense. However, certain disclosures of personal data to third-party advertising partners (such as through cookies, pixels, or similar tracking technologies) may constitute a "sale" under the TDPSA, VCDPA, or ICDPA. You may opt out of such disclosures by:

• Clicking on the Your Privacy Choices link in the website footer;

• Enabling a Global Privacy Control signal on your browser; or

• Contacting us at privacy@radnet.com or 877-785-0009.

De-Identified Data

RadNet maintains and uses de-identified data in compliance with the TDPSA, VCDPA, and ICDPA. We take reasonable measures to ensure that de-identified data cannot be associated with an individual, publicly commit to maintaining and using the data only in de-identified form, and contractually obligate any recipients to comply with the same requirements.

Non-Discrimination

RadNet will not discriminate against any Texas, Virginia, or Indiana consumer for exercising any of the rights described above. We will not deny you goods or services, charge you a different price or rate, or provide you with a different level or quality of goods or services as a result of your exercise of consumer privacy rights.

Additional Texas-Specific Provisions

Notice of Right to Opt Out (Texas): If RadNet engages in the sale of personal data or processes personal data for targeted advertising with respect to Texas consumers, we will clearly and conspicuously disclose such activity and provide a mechanism to opt out. Texas consumers may exercise this right through the Your Privacy Choices link on our website or by sending a GPC signal.

Small Business Exception (Texas): To the extent any RadNet subsidiary or facility qualifies as a small business under the TDPSA and processes personal data in a manner that would otherwise require compliance, RadNet will provide Texas consumers with notice and the opportunity to opt out of the sale of personal data, as required by TDPSA § 541.057.

Additional Virginia-Specific Provisions

Consent for Processing of Children's Data (Virginia): Under the VCDPA, personal data collected from a known child (under age 13) is considered sensitive data requiring opt-in consent. RadNet's practices regarding children's personal data are described in the "Children's Privacy" section of this Privacy Statement. We process children's data only with the consent of a parent or guardian, consistent with the Children's Online Privacy Protection Act (COPPA) and the VCDPA.

Processor Agreements (Virginia): Where RadNet engages processors (service providers) to process personal data on its behalf, RadNet enters into written contracts that set forth the nature and purpose of the processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties, in compliance with VCDPA § 59.1-580.

Additional Indiana-Specific Provisions

Effective Date Compliance (Indiana): The ICDPA takes effect on January 1, 2026. RadNet will ensure that all required disclosures, rights mechanisms, and consent processes are operative for Indiana residents on or before that date.

Opt-In for Sensitive Data (Indiana): Consistent with the ICDPA, RadNet will obtain affirmative consent from Indiana consumers before processing sensitive data that is not otherwise exempt under federal law (including HIPAA).

IDAHO-SPECIFIC SUPPLEMENT

This Idaho-Specific Supplement applies to individuals who receive healthcare services at RadNet's Idaho facilities, including Intermountain Medical Imaging locations. This supplement addresses requirements under Idaho state law and federal regulations that are applicable to our Idaho operations and should be read in conjunction with RadNet's HIPAA Notice of Privacy Practices and this Privacy Statement.

Applicability

This supplement applies to patients and individuals whose protected health information ("PHI") is created, received, maintained, or transmitted by RadNet's Idaho imaging centers, including all facilities formerly operated by Intermountain Medical Imaging, LLC. Idaho has not enacted a comprehensive consumer privacy law comparable to the California Consumer Privacy Act; however, Idaho patients are protected by HIPAA, other applicable federal regulations, and the Idaho-specific provisions described below.

Idaho Breach Notification

Under the Idaho Identity Theft Protection Act (Idaho Code § 28-51-104 et seq.), if RadNet becomes aware of a breach of the security of your personal information (as defined under Idaho law), we will provide notice to affected Idaho residents without unreasonable delay consistent with any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the data system. Notice may be provided by written notice sent to the most recent address we have on file, by telephone, by electronic notice (if you have consented to receive electronic notices), or by substitute notice if the cost of providing notice exceeds $25,000, the number of affected individuals exceeds 50,000, or we do not have sufficient contact information. In the event that a breach affects more than 1,000 Idaho residents, we will also notify the Idaho Attorney General's office.

Idaho Consumer Protection Act

RadNet is committed to ensuring that all representations made in this Privacy Statement and in our interactions with Idaho patients and consumers are truthful and not deceptive, in compliance with the Idaho Consumer Protection Act (Idaho Code § 48-601 et seq.). If you believe that RadNet has engaged in any unfair or deceptive act or practice related to the collection, use, or disclosure of your personal information, you may file a complaint with the Idaho Attorney General's Consumer Protection Division at:

Idaho Attorney General's Office Consumer Protection Division 954 W. Jefferson Street, 2nd Floor P.O. Box 83720 Boise, ID 83720-0010 Phone: (208) 334-2424 Toll-Free: (800) 432-3545

Reproductive Health Care Information

In accordance with the HIPAA Privacy Rule final rule on reproductive health care (effective June 25, 2024) and as reflected in our HIPAA Notice of Privacy Practices, RadNet will not disclose protected health information related to reproductive health care for the purpose of investigating or imposing liability on any person for the mere act of seeking, obtaining, providing, or facilitating lawful reproductive health care. Before disclosing reproductive health care information in response to a request that is not for treatment, payment, or health care operations purposes, RadNet will require an attestation from the requesting party that the information is not being sought to investigate or impose liability for the lawful provision or receipt of reproductive health care. This protection applies to all RadNet facilities, including those in Idaho.

42 CFR Part 2 – Substance Use Disorder Treatment Records

Certain health information that RadNet's Idaho facilities (including Intermountain Medical Imaging locations) may receive is subject to additional federal protections under 42 CFR Part 2, which governs the confidentiality of substance use disorder ("SUD") treatment records received from a federally assisted substance use disorder treatment program ("Part 2 Program").

How We May Use and Disclose SUD Treatment Records

When we receive SUD treatment records from a Part 2 Program, we may use and disclose those records only as permitted by federal law, including for purposes of treatment, payment, and health care operations, unless a stricter limitation applies. Such uses and disclosures are subject to the same protections and safeguards required by the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") and applicable Part 2 regulations.

We will not use or disclose SUD treatment records in a manner that is prohibited by 42 CFR Part 2, and we will apply appropriate administrative, technical, and physical safeguards to protect the confidentiality of these records.

Fundraising Communications and Your Right to Opt Out

If we use health information for fundraising purposes, you have the right to receive a clear and conspicuous opportunity to opt out of receiving fundraising communications. We will not use SUD treatment records received from a Part 2 Program for fundraising purposes unless you have been given the opportunity to opt out and have not exercised that right. Your decision to opt out will not affect your treatment or payment for health care services.

Prohibition on Use in Legal Proceedings

Federal law strictly limits how SUD treatment records may be used in legal proceedings. SUD treatment records received from a Part 2 Program, or testimony describing the information contained in such records, may not be used or disclosed in any civil, criminal, administrative, or legislative proceeding against you by any federal, state, or local authority unless:

• You have provided specific written consent, or

• A court order authorizing such use or disclosure has been issued in accordance with applicable law.

Your Rights With Respect to SUD Treatment Records

In addition to the rights described elsewhere in this Privacy Statement and in our HIPAA Notice of Privacy Practices, you have specific rights regarding SUD treatment records, including rights related to confidentiality, consent, and limitations on redisclosure as required by 42 CFR Part 2 and HIPAA.

HIPAA Patient Rights Applicable to Idaho Facility Patients

The following rights apply to patients whose protected health information is maintained by RadNet's Idaho healthcare facilities. These rights are provided pursuant to the HIPAA Privacy Rule (45 CFR Part 164) and are described in detail in our HIPAA Notice of Privacy Practices. A summary is provided here for your convenience:

Right of Access

You have the right to look at or get copies of your protected health information, with limited exceptions. You may access your records through the patient portal. You may also request access by contacting the facility Privacy Contact listed below. If you request access to electronic records and the facility maintains records in that form, access will be provided. If you request hard copies, a reasonable cost-based fee will be charged for copying, staff time to locate and copy records, and postage if you want the copies mailed. If we maintain your health information in electronic form, you may request that we send it to you or another party in electronic form.

Right to Accounting of Disclosures

You have the right to receive a list of instances in which we or our business associates disclosed your non-electronic protected health information for purposes other than treatment, payment, health care operations, and certain other activities during the past six (6) years. For disclosures of electronic health information, our duty to provide an accounting covers disclosures for the three (3) years preceding your request. We will provide you with the date on which we made the disclosure, the name of the person or entity to whom we disclosed your protected health information, a description of the protected health information we disclosed, and the reason for the disclosure. If you request this list more than once in a 12-month period, we may charge you a reasonable, cost-based fee for responding to these additional requests.

Right to Request Restrictions

You have the right to request that we place additional restrictions on our use or disclosure of your protected health information. We are not required to agree to these additional restrictions, but if we do, we will abide by our agreement (except in an emergency). We are required to accept and follow requests for restrictions of health information to insurance companies if you have paid out-of-pocket and in full for the item or service we provide to you.

Right to Confidential Communication

You have the right to request that we communicate with you in confidence about your protected health information by alternative means or to an alternative location. You must make your request in writing. We must accommodate your request if it is reasonable, specifies the alternative means or location, and continues to permit us to bill and collect payment from you.

Right to Amendment

You have the right to request that we amend your protected health information. Your request must be in writing, and it must explain why the information should be amended. We may deny your request if we did not create the information you want amended or for certain other reasons. If we deny your request, we will provide you a written explanation. You may respond with a statement of disagreement to be appended to the information you wanted amended.

Right to Receive Notice in Written Form

If you receive this Privacy Statement or our HIPAA Notice of Privacy Practices on our website or by electronic mail, you are entitled to receive it in written form. Please contact us using the information listed below to obtain a copy in written form.

Right to File a Complaint

If you believe that we may have violated your privacy rights, or you disagree with a decision we made about access to your protected health information, you may complain to us using the contact information below. You also may submit a written complaint to the U.S. Department of Health and Human Services, Office for Civil Rights. We will provide you with the address to file your complaint upon request.

Non-Retaliation

We support your right to protect the privacy of your protected health information. We will not retaliate in any way if you choose to file a complaint with us or with the U.S. Department of Health and Human Services.

Business Associates

We will share your protected health information with third-party "business associates" that perform various activities (e.g., billing, transcription services) for our Idaho facilities. Whenever an arrangement between our office and a business associate involves the use or disclosure of your protected health information, we will have a written contract (a "Business Associate Agreement") that contains terms protecting the privacy of your protected health information, as required by HIPAA.

Marketing Communications (HIPAA Context)

We may use your protected health information to contact you with information about treatment alternatives or health-related benefits and services that may be of interest to you. We may disclose your protected health information to a business associate to assist us in these activities. If we are paid by a third party to make marketing communications to you about their products or services, we will not make such communications to you without your written authorization.

Fundraising Communications (HIPAA Context)

We may use or disclose your health information for fundraising purposes, but you have the right to opt out from receiving these communications. Your decision to opt out will not affect your treatment or payment for health care services. If you wish to opt out, please contact the Idaho facility Privacy Contact listed below.

Idaho Facility Privacy Contact

For questions, concerns, or complaints regarding the privacy practices at RadNet's Idaho facilities (including Intermountain Medical Imaging locations), or to exercise any of the rights described in this Idaho-Specific Supplement, please contact:

Privacy Contact for Idaho Operations Telephone: (208) 559-1967 Address: 877 W. Main St., Ste. 603, Boise, ID 83702

You may also contact RadNet's corporate Privacy Officer:

Attn: Privacy Officer 1516 Cotner Ave Los Angeles, CA 90025 Email: privacy@radnet.com Phone: 877-785-0009

HIPAA-RELATED PROVISIONS

This section provides supplemental information regarding RadNet's obligations under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") and related federal regulations. These provisions apply to protected health information maintained by RadNet's healthcare facilities nationwide, including but not limited to our Idaho imaging centers. This section supplements, and does not replace, RadNet's separate HIPAA Notice of Privacy Practices, which is provided directly to patients at the time of service.

Uses and Disclosures of Protected Health Information

RadNet's healthcare facilities will use and disclose your protected health information for treatment, payment, and health care operations as described in our HIPAA Notice of Privacy Practices. Examples include:

• Treatment: Coordination or management of your health care with third parties, referrals to specialists, and sharing of diagnostic information necessary for your care.

• Payment: Activities undertaken by your health insurance plan to determine eligibility, review medical necessity, and process claims for services rendered.

• Health Care Operations: Quality assessment activities, employee review activities, training of students, licensing, and other business activities necessary to support our healthcare services.

Disclosures Not Requiring Your Authorization

In the following circumstances, we may disclose your protected health information without your written authorization, as permitted or required by law:

• To family members or close friends involved in your health care, unless you object;

• For certain limited research purposes;

• For purposes of public health and safety;

• To government agencies for purposes of their audits, investigations, and other oversight activities;

• To government authorities to prevent child abuse or domestic violence;

• To the FDA to report product defects or incidents;

• To law enforcement authorities to protect public safety or to assist in apprehending criminal offenders;

• When required by court orders, search warrants, subpoenas, and as otherwise required by law;

• To coroners, medical examiners, funeral directors, or organ procurement organizations regarding deceased individuals;

• For workers' compensation or similar programs as authorized by law; and

• To avert a serious and imminent threat to the health or safety of a person or the public.

Uses and Disclosures Requiring Your Written Authorization

Other uses and disclosures of your protected health information will be made only with your written authorization, unless otherwise permitted or required by law. You may give us written authorization to use or disclose your protected health information for any purpose. If you give us an authorization, you may revoke it in writing at any time. Your revocation will not affect any use or disclosures permitted by your authorization while it was in effect.

SUPPLEMENTAL DISCLOSURES FOR INDIVIDUALS IN EUROPE

If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, you have certain rights and protections under the law regarding the processing of your personal data. Please click below to view your specific privacy rights.

Legal Basis for Processing

When we process your personal data, we will do so in reliance on the following lawful bases:

• To perform our responsibilities under our contract with you (e.g., providing services you requested).

• When we have a legitimate interest in processing your personal data to operate our business or protect our interests (e.g., to provide, maintain, and improve our products and services, conduct data analytics, and communicate with you).

• To comply with our legal obligations (e.g., to maintain a record of you).

• When we have your consent to do so (e.g., when you opt in to receive marketing communications from us). When consent is the legal basis for our processing your personal data, you may withdraw such consent at any time.

Data Retention

We store other personal data for as long as necessary to carry out the purposes for which we originally collected it and for other legitimate business purposes, including to meet our legal, regulatory, or other compliance obligations.

Data Subject Requests

Subject to certain limitations, you have the right to request access to the personal data we hold about you and to receive your data in a portable format, the right to ask that your personal data be corrected or erased, and the right to object to, or request that we restrict, certain processing. If you would like to exercise any of these rights, contact us at privacy@radnet.com or by calling 877-785-0009.

Cookies and Other Tracking Technologies

How We Use Cookies: We use cookies for a number of reasons, like helping us see which features are most popular, counting visitors to a page, improving our users' experience, keeping our services secure, and generally providing you with a better experience. The cookies we use generally fall into one of the following categories:

Cookie Category	Cookie Purpose
Technical	These cookies are essential for our services to function properly. Like the other cookies we use, technical cookies may be either first-party cookies or third-party cookies.
Preferences	We use these cookies to remember your settings and preferences. For example, we may use these cookies to remember your language preferences.
Security	We use these cookies to help identify and prevent security risks.
Performance	We use these cookies to collect information about how you interact with our services and to help us improve them. For example, may use these cookies to determine if you have interacted with a certain page.
Analytics	We use these cookies to help us understand and improve our services. For example, we can use these cookies to learn more about which features are the most popular with our users and where we may need to make improvements.
Advertising	We and our advertising partners use these cookies to deliver advertisements, to make them more relevant and meaningful to visitors to our website, and to track the efficiency of our advertising campaigns, both on our services and on other websites.

Please note, if you access our mobile applications, the advertising identifier associated with your device or other identifiers may be recorded and used for purposes similar to those of cookies.

Questions or Complaints

If you have a concern about our processing of personal data that we are not able to resolve, you have the right to lodge a complaint with the Data Protection Authority where you reside. Contact details for your Data Protection Authority can be found using the links below:

• For individuals in the EEA: https://edpb.europa.eu/about-edpb/board/members_en

• For individuals in the UK: https://ico.org.uk/global/contact-us/

• For individuals in Switzerland: https://www.edoeb.admin.ch/edoeb/en/home/the-fdpic/contact.html

CONTACT US

If you have any questions about this Privacy Statement or about your Personal Information, you may contact us as follows:

Attn: Privacy Officer 1516 Cotner Ave Los Angeles, CA 90025 Email: privacy@radnet.com

If you wish to receive a response by email, please be sure to include your name, postal address, and email address. If we do not receive an email address, we will respond by postal mail.

© 2026 RadNet, Inc. | All rights reserved. Unauthorized use is strictly prohibited.