SOLSTICE PRIVACY POLICIES

Introduction
We are very sensitive to privacy issues. The purpose of this Website Privacy Policy is to let you know how we handle the information we receive from you through this website. Portions of this website may describe additional privacy practices applicable to specific types of information or to information provided on specific web pages.

This Website Privacy Policy does not apply to information collected through other means such as by telephone or in person, although that information may be protected by other privacy policies. As used in this Website Privacy Policy, terms such as “we” or “our” and “Company” refer to Solstice Benefits, Inc. and its current and future affiliated entities.

This website is intended for a United States audience. If you access this website from outside the U.S., you acknowledge, agree, and consent that any information you provide, including any personal information, will be transferred to and processed by a computer server located within the U.S. and subject to U.S. laws and regulations. Further, if you access this website from outside the U.S., you acknowledge and agree that you are responsible for compliance with any applicable local or national laws, rules, or regulations applicable to such use.

Children’s Information
This website is intended to be accessed and used only by adults and is not directed to minors. Solstice does not knowingly collect personally identifiable information by anyone under the age of thirteen (13). If you are under 13 years of age, please do not send or provide any information about yourself to us or on this website, including your name, address, telephone number, or e-mail address. In the event that we learn that we have collected personal information from a child, we will delete that information and otherwise comply with the requirements of the Children’s Online Privacy Protection Act and applicable law.

Cookies and Non-Personal Information
“Non-personal information” means information that does not permit us to specifically identify you by your full name or similar unique identifying information such as a social security number, member identification number, address, or telephone number. The Company uses “cookie” technology and similar technology to gather non-personal information from our website visitors such as which pages are used, how often they are used, and to enable certain features on this website.

You may disable these cookies and similar items by adjusting your browser preferences on your computer at any time; however, this may limit your ability to take advantage of all the features on this website. Keep in mind that cookies are not used to collect any personal information and do not tell us who you are. Some examples of the way we use cookies include:

• Tracking resources and data accessed on the website
• Recording general site statistics and activity
• Assisting users experiencing website problems
• Enabling certain functions and tools on this website, and
• Tracking paths of visitors to this website and within this website.

We may also collect other forms of non-personal information such as what web browsers are used to read our website and what websites are referring traffic or linking to our website. Aggregate and deidentified data regarding website users is also considered non-personal information.

With Whom is Non-Personal Information Shared?
Because non-personal information does not identify who you are, we do not limit the ways we may use or share non-personal information. For example, we may share non-personal information with our affiliates, suppliers, employees and agents, other businesses, and the government.

Personal Information Provided by You
“Personal information” means information that specifically identifies you as an individual, such as your full name, telephone number, e-mail address, postal address, or certain account numbers. As used in this Website Privacy Policy, personal information does not include any information protected under HIPAA, which would be protected as described in the HIPAA Notices of Privacy Practices of your health plans or physicians and other health care professionals.

This website may include web pages that give you the opportunity to provide us with personal information about yourself. You do not have to provide us with personal information if you do not want to; however, that may limit your ability to use certain functions of this website or to request certain services or information.

We may combine personal information that you provide us through this website with other personal information held by the Company, including with our affiliates or vendors. For example, if you have purchased a product or service from us, we may combine personal information you provide through this website with information regarding your receipt of the product or service.

We may use personal information for a number of purposes such as:

• To respond to an e-mail or particular request from you
• To personalize the website for you
• To process an application as requested by you
• To provide you with information that we believe may be useful to you, such as information about health products or services provided by us or other businesses
• To comply with applicable laws, regulations, and legal processes
• To protect someone’s health, safety, or welfare
• To protect our rights, the rights of affiliates or related third parties, or take appropriate legal action, such as to enforce our User Agreement
• To keep a record of our transactions and communications, and
• As otherwise necessary or useful for us to conduct our business, so long as such use is permitted by law.

You understand and specifically agree that we may use personal information to contact you through any contact information you provide through this website, including any email address, telephone number, cell phone number, text message number, or fax number.

With Whom is Personal Information Shared?
We will only share your personal information with third parties as outlined in this Website Privacy Policy (in its current or future form) and as otherwise permitted by law.

We share and give access to personal information to our employees and agents in the course of operating our businesses. For example, if you sent us an e-mail asking a question, we would provide your e-mail address to one of our employees or agents, along with your question, in order for that person to reply to your e-mail. We may share personal information with other affiliates or business units within the Company.

We may share and give access to personal information with other companies that we hire to perform services on our behalf or collaborate with. For example, we may hire an outside company to help us send and manage e-mail, and in that case we might provide the outside company with your e-mail address and certain other information in order for them to send you an e-mail message on our behalf. Similarly, we may hire outside companies to host or operate some of our websites and related computers and software applications.

However, if we share or give access to personal information to outside companies, we require them to use the personal information only for limited purposes, such as for sending you the e-mail in the example above. If you believe we or any company associated with the Company has misused any of your information, please contact us immediately and report such misuse. We may share personal information if all or part of the Company is sold, merged, dissolved, acquired, or in a similar transaction. We may share personal information in response to a court order, subpoena, search warrant, law or regulation. We may cooperate with law enforcement authorities in investigating and prosecuting website visitors who violate our rules, or engage in behavior that is harmful to other visitors, or is illegal.

Reviewing My Information
This website may permit you to view your visitor profile and related personal information. If this function is available, we will include a link on this website with a heading such as “My Profile” or similar words. Clicking on the link will take you to a page through which you may review your visitor profile and related personal information.

Website and Information Security
We use a number of physical security (such as locks and alarm systems), electronic security (such as passwords and encryption methods), and procedural security methods (such as rules regarding the handling and use of information), designed to protect the security and integrity of information submitted through this website. Due to the nature of the Internet and online communications, however, we cannot guarantee that any information transmitted online will remain absolutely confidential, and we are not liable for the illegal acts of third parties such as criminal hackers.

OUR ONLINE COMMUNICATION PRACTICES

General E-mail Communications
Most e-mail, including any e-mail functionality on our website, does not provide a completely secure and confidential means of communication. It is possible that your e-mail communication may be accessed or viewed inappropriately by another Internet user while in transit to us. If you wish to keep your information completely private, you should not use e-mail. We may send e-mail communications to you regarding topics such as general health benefits, website updates, health conditions, and general health topics.

Other Online Communications
The Company may send electronic newsletters, notification of account status, and other communications such as information marketing other products or services offered by us, on a periodic basis to various individuals and organizations. To opt-out of any specific electronic communication you’re receiving, click on the opt-out button associated with the specific communication.

Contact Us
To contact us regarding this Website Privacy Policy and our related privacy practices, please contact us at:
Solstice Benefits
P.O. Box 19199
Plantation, Florida 33318.

Effective Date
The Effective Date of this Privacy Policy is April 1, 2013.

Changes to This Website Privacy Policy
We may change this Website Privacy Policy. If we do so, such change will appear on this page of our website or in another location as indicated by us. It is your responsibility to review the Website Privacy Policy each time you use this website. By continuing to use this website, you consent to any changes to our Website Privacy Policy.

HIPAA Notice of Privacy Practices
To read more about our privacy practices regarding health and medical information under the Health Insurance Portability and Accountability Act (“HIPAA”), please access the links to our HIPAA Notice of Privacy Practices.

Your Information. Your Rights. Our Responsibilities.

THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.

Your Rights
You have the right to: Get a copy of your health and claims records; Correct your health and claims records; Request confidential communication; Ask us to limit the information we share; Get a list of those with whom we’ve shared your information; Get a copy of this privacy notice; Choose someone to act for you; File a complaint if you believe your privacy rights have been violated.

Your Choices
You have some choices in the way that we use and share information as we: Answer coverage questions from your family and friends; Provide disaster relief; Market our services and sell your information.

Our Uses and Disclosures
We may use and share your information as we: Help manage the health care treatment you receive; Run our organization; Pay for your health services; Administer your health plan; Help with public health and safety issues; Do research; Comply with the law; Respond to organ and tissue donation requests and work with a medical examiner or funeral director; Address workers’ compensation, law enforcement, and other government requests; Respond to lawsuits and legal actions.

Your Rights

When it comes to your health information, you have certain rights. This section explains your rights and some of our responsibilities to help you.

1. Get a copy of health and claims records. You can ask to see or get a copy of your health and claims records and other health information we have about you. Ask us how to do this. We will provide a copy or a summary of your health and claims records, usually within 30 days of your request. We may charge a reasonable, cost-based fee.
2. Ask us to correct health and claims records. You can ask us to correct your health and claims records if you think they are incorrect or incomplete. Ask us how to do this. We may say “no” to your request, but we’ll tell you why in writing within 60 days.
3. Request confidential communications. You can ask us to contact you in a specific way (for example, home or office phone) or to send mail to a different address. We will consider all reasonable requests, and must say “yes” if you tell us you would be in danger if we do not.
4. Ask us to limit what we use or share. You can ask us not to use or share certain health information for treatment, payment, or our operations. We are not required to agree to your request, and we may say “no” if it would affect your care.
5. Get a list of those with whom we’ve shared information. You can ask for a list (accounting) of the times we’ve shared your health information for six years prior to the date you ask, who we shared it with, and why. We will include all the disclosures except for those about treatment, payment, and health care operations, and certain other disclosures (such as any you asked us to make). We’ll provide one accounting a year for free but will charge a reasonable, cost-based fee if you ask for another one within 12 months.
6. Get a copy of this privacy notice. You can ask for a paper copy of this notice at any time, even if you have agreed to receive the notice electronically. We will provide you with a paper copy promptly.
7. Choose someone to act for you. If you have given someone medical power of attorney or if someone is your legal guardian, that person can exercise your rights and make choices about your health information. We will make sure the person has this authority and can act for you before we take any action.
8. File a complaint if you feel your rights are violated. You can complain if you feel we have violated your rights by contacting us using the information on page 1. You can file a complaint with the U.S. Department of Health and Human Services Office for Civil Rights by sending a letter to: 200 Independence Avenue, S.W., Washington, D.C. 20201, calling 1-877-696-6775, or visiting www.hhs.gov/ocr/privacy/hipaa/complaints. We will not retaliate against you for filing a complaint.

Your Choices

For certain health information, you can tell us your choices about what we share. If you have a clear preference for how we share your information in the situations described below, talk to us. Tell us what you want us to do, and we will follow your instructions. In these cases, you have both the right and choice to tell us to: Share information with your family, close friends, or others involved in payment for your care; Share information in a disaster relief situation. If you are not able to tell us your preference, for example if you are unconscious, we may go ahead and share your information if we believe it is in your best interest. We may also share your information when needed to lessen a serious and imminent threat to health or safety. In these cases we never share your information unless you give us written permission: Marketing purposes; Sale of your information.

Our Uses and Disclosures

How do we typically use or share your health information?
We typically use or share your health information in the following ways.

1. Help manage the health care treatment you receive. We can use your health information and share it with professionals who are treating you. Example: A doctor sends us information about your diagnosis and treatment plan so we can arrange additional services.
2. Run our organization. We can use and disclose your information to run our organization and contact you when necessary. We are not allowed to use genetic information to decide whether we will give you coverage and the price of that coverage. This does not apply to long term care plans. Example: We use health information about you to develop better services for you. Example: We disclose health information about you to our business associates who perform certain functions or activities on our behalf.
3. Pay for your health services. We can use and disclose your health information as we pay for your health services. Example: We share information about you with your dental plan to coordinate payment for your dental work. Example: We share information about you with your provider to determine your coverage and what percentage of the bill may be covered.
4. Administer your plan. We may disclose your health information to your health plan sponsor for plan administration. Example: Your company contracts with us to provide a health plan, and we provide your company with certain statistics to explain the premiums we charge.

How else can we use or share your health information?
We are allowed or required to share your information in other ways – usually in ways that contribute to the public good, such as public health and research. We have to meet many conditions in the law before we can share your information for these purposes. For more information see: www.hhs.gov.

1. Help with public health and safety issues. We can share health information about you for certain situations such as: Preventing disease; Helping with product recalls; Reporting adverse reactions to medications; Reporting suspected abuse, neglect, or domestic violence; Preventing or reducing a serious threat to anyone’s health or safety.
2. Do research. We can use or share your information for health research.
3. Comply with the law. We will share information about you if state or federal laws require it, including with the Department of Health and Human Services if it wants to see that we’re complying with federal privacy law.
4. Respond to organ and tissue donation requests and work with a medical examiner or funeral director. We can share health information about you with organ procurement organizations. We can share health information with a coroner, medical examiner, or funeral director when an individual dies.
5. Address workers’ compensation, law enforcement, and other government requests. We can use or share health information about you: For workers’ compensation claims; For law enforcement purposes or with a law enforcement official; With health oversight agencies for activities authorized by law; For special government functions such as military, national security, and presidential protective services.
6. Respond to lawsuits and legal actions. We can share health information about you in response to a court or administrative order, or in response to a subpoena.

Our Responsibilities
We are required by law to maintain the privacy and security of your protected health information. We will let you know promptly if a breach occurs that may have compromised the privacy or security of your information. We must follow the duties and privacy practices described in this notice, and give you a copy. We must also comply with any stricter requirements under federal or state law that may apply to our administration of your benefits. We will not use or share your information other than as described here unless you tell us we can in writing. If you tell us we can, you may change your mind at any time. Let us know in writing if you change your mind. We are unable to take back any disclosures already made with your permission, and we cannot guarantee that the person(s) to whom the information is provided will not disclose the information. For more information see: www.hhs.gov.

Changes to the Terms of this Notice
We can change the terms of this notice, and the changes will apply to all information we have about you, as well as any we receive in the future. The new notice will be available upon request, on our web site, and we will mail a copy to you, as required by law.

Effective Date: May 15, 2014

Privacy Officer: privacy@solsticebenefits.com; 1-877-760-2247 ext.1714

What does HIPAA privacy protect?

The HIPAA Privacy Regulation creates national standards to protect an individual's personal health information and gives patients and insureds increased access to their medical information. It has always been Solstice's goal to ensure the protection and integrity of our members' personal and health information. We will comply with the privacy requirements of the HIPAA as well as other laws aimed at safeguarding privacy. We also have our own privacy policies and procedures in place. These are designed to protect customer privacy. We will continue to make this a priority.

What is PHI?

Protected health information (PHI) is health information that is created or received by a covered entity and relates to the past, present or future medical or mental condition of an individual and the provision or payment of that health condition. In order to be PHI, the information must identify the individual or provide a reasonable basis for identifying the individual. Information acquired or maintained in connection with Life and Disability Income coverage is not considered PHI.

What is a covered entity?

Covered entities that must comply with the HIPAA Privacy Rule are health plans, health care clearinghouses and those health care providers that submit or maintain certain health information in electronic format.

What is the definition of a Health Plan?

The definition of a health plan under the regulation includes health insurers that provide treatment for medical, dental, vision and/or prescription drug services or reimbursement for these health benefits. Group Health Plans include employer sponsored plans.

What coverages are affected?

The HIPAA Privacy Rule affects health information provided under a Medical, Dental, and Vision and/or Prescription Drug plan.

How will HIPAA affect Solstice insureds?

As a covered entity, Solstice will be fully compliant with all aspects of the HIPAA Privacy Regulation. An important part of our compliance initiative includes fulfilling our obligations to enable our members to exercise certain rights assured them under the Privacy Rule. These rights include:

• The right to have access to designated records that contain protected health information (PHI).
• The right to request restrictions on the use and disclosure of PHI.
• The right to appoint personal representatives.
• The right to receive confidential communications at an alternate address or location.
• The right to request an accounting of disclosures of PHI.
• The right to request an amendment of PHI.
• The right to file a complaint.
• The right to receive a Privacy Notice.

While we will administer these rights for individuals we insure, as a general rule, we will look to our self-funded group health plans to administer these rights for their insureds.

How does the individual file a complaint?

An individual will not be penalized for filing a complaint. A person who believes a covered entity is not complying with a requirement of the Privacy Rule may file with Office of Civil Rights a written complaint, either on paper or electronically. This complaint must be filed within 180 days of when the complainant knew or should have known that the act had occurred.

Office for Civil Rights
U.S. Department of Health and Human Services
Jacob Javits Federal Building
26 Federal Plaza, Suite 3312
New York, New York 10278
Telephone: 212-264-3313
Fax: 212-264-3039
www.hhs.gov

In addition, individuals have a right to file a complaint directly with Solstice at the address below;

Solstice Compliance Officer

Address: Solstice
P.O. Box 19199
Plantation, FL 33318

What if a person wants a copy of their PHI?

The request to inspect and copy protected health information should be submitted in writing. The letter should include:

• Specifics of the requested information
• The covered time frame
• The name, address and telephone number of the individual who is to receive the PHI.

The letter should be directed to the following address:
Attention: Solstice Compliance Officer

Address: Solstice
P.O. Box 19199
Plantation, FL 33318

When can Solstice use PHI without an individual’s authorization?

Solstice will only use and disclose protected health information (PHI) without an individual's specific authorization as described in our Notice of Privacy Practices. Authorization is not required for the purposes of treatment, payment and health care operations.

What does HIPAA privacy protect?

The HIPAA Privacy Regulation creates national standards to protect an individual's personal health information and gives patients and insureds increased access to their medical information. It has always been Solstice's goal to ensure the protection and integrity of our members' personal and health information. We will comply with the privacy requirements of the HIPAA as well as other laws aimed at safeguarding privacy. We also have our own privacy policies and procedures in place. These are designed to protect customer privacy. We will continue to make this a priority.

What is PHI?

Protected health information (PHI) is health information that is created or received by a covered entity and relates to the past, present or future medical or mental condition of an individual and the provision or payment of that health condition. In order to be PHI, the information must identify the individual or provide a reasonable basis for identifying the individual. Information acquired or maintained in connection with Life and Disability Income coverage is not considered PHI.

What is a covered entity?

Covered entities that must comply with the HIPAA Privacy Rule are health plans, health care clearinghouses and those health care providers that submit or maintain certain health information in electronic format.

What is the definition of a Health Plan?

The definition of a health plan under the regulation includes health insurers that provide treatment for medical, dental, vision and/or prescription drug services or reimbursement for these health benefits. Group Health Plans include employer sponsored ERISA plans - both insured and self-insured, as well as non-ERISA plans such as church plans.

What coverages are affected?

The HIPAA Privacy Rule affects health information provided under a Medical, Dental, and Vision and/or Prescription Drug plan.

How will HIPAA affect Solstice members?

As a covered entity, Solstice will be fully compliant with all aspects of the HIPAA Privacy Regulation. An important part of our compliance initiative includes fulfilling our obligations to enable our members to exercise certain rights assured them under the Privacy Rule. These rights include:

• The right to have access to designated records that contain protected health information (PHI).
• The right to request restrictions on the use and disclosure of PHI.
• The right to appoint personal representatives.
• The right to receive confidential communications at an alternate address or location.
• The right to request an accounting of disclosures of PHI.
• The right to request an amendment of PHI.
• The right to file a complaint.
• The right to receive a Privacy Notice.

While we will administer these rights for individuals we insure, as a general rule, we will look to our self-funded group health plans to administer these rights for their insureds.

How can someone get a copy of Solstices’ privacy notice?

We are asking fully insured plans to hand out the Solstice Notice of Privacy at the time a new hire enrolls in a health plan. They can make copies of the Notice if they have one in their office or order a supply by calling the Account Manager that services your plan. Also, electronic version is located on this website. Self-Insured plans are required to create their own Notice of Privacy Practices.

How does the individual file a complaint?

An individual will not be penalized for filing a complaint. A person who believes a covered entity is not complying with a requirement of the Privacy Rule may file with Office of Civil Rights a written complaint, either on paper or electronically. This complaint must be filed within 180 days of when the complainant knew or should have known that the act had occurred.

Office for Civil Rights
U.S. Department of Health and Human Services
Jacob Javits Federal Building
26 Federal Plaza, Suite 3312
New York, New York 10278
Telephone: 212-264-3313
Fax: 212-264-3039
www.hhs.gov

In addition, individuals have a right to file a complaint directly with Solstice at the address below;

Attention: Solstice Compliance Officer

Address: Solstice
P.O. Box 19199
Plantation, FL 33318

What if a person wants a copy of their PHI?

The request to inspect and copy protected health information should be submitted in writing. The letter should include:

Specifics of the requested information
• The covered time frame
• The name, address and telephone number of the individual who is to receive the PHI.

The letter should be directed to the following address:
Attention: Solstice Compliance Officer

Address: Solstice
P.O. Box 19199
Plantation, FL 33318

When can Solstice use PHI without an individual’s authorization?

Solstice will only use and disclose protected health information (PHI) without an individual's specific authorization as described in our Notice of Privacy Practices. Authorization is not required for the purposes of treatment, payment and health care operations.

Will Solstice still release PHI to a self-insured plan?

Solstice can continue to release employee claim data, providing the plan has taken steps to comply with HIPAA. Some of the steps needed are Training of employees on HIPAA provisions;
Appointing a privacy officer to receive and protect employee claim information;
Modifying the plan documents (which are documents the plan would keep in their office on file not our certificate booklets or rider), etc.

What are the requirements of the fully insured employer under the Privacy Regulations?

The employer/plan sponsor is not a covered entity and technically is outside the direct scope of the Privacy Regulations. However, employers and plan sponsors will be impacted greatly. Of significant impact to employers are the rules regarding what PHI a group health plan, or its insurer or business associate, can provide to the employer. The group health plan or its insurer or business associate, may not disclose PHI to the employer unless certain conditions are met. For example, the employer will have to provide a certification to Solstice, that its plan documents (which are documents the plan would keep in their office on file not our certificate booklets or rider) have been amended, and the disclosure must be necessary for the employer to carry out plan administration functions. Then access to PHI must be restricted to only those employees performing these administrative functions.

What/Who is a Business Associate?

Under the HIPAA Privacy Rules, a business associate is a person or organization that performs certain functions or activities on behalf of the covered entity, but is not part of the covered entity's workforce. Examples of activities or functions that may be performed by a business associate of a covered entity include:

• Claims processing or administration
• Utilization review
• Data analysis, processing or administration
• Billing
• Quality Assurance
• Benefit Management
• Re-pricing

Solstice is considering parties with whom we share health information (e.g. PPO networks and other managed care vendors) to be our business associates.

What is a Business Associate Agreement?

Before a covered entity may share protected health information with a business associate, it must obtain satisfactory assurances that the business associate will appropriately safeguard the information. This would be done through the business contract with that associate (a/k/a business associate agreement).