At PPI Benefit Solutions ("PPI") maintaining our customers' trust and confidence is of paramount importance. We are committed to safeguarding your personal information and providing you with facts and options about how this information may be shared. Please read this notice to learn more about our privacy policies and the options available to you.

NOTICE TO EMPLOYERS: The following describes how medical information about your employees and their dependents may be used. To ensure that members understand their rights under HIPAA, please distribute a copy of this notice to all employees, and to all COBRA beneficiaries.

THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.

PPI Benefit Solutions is required, by law (the Health Insurance Portability and Accountability Act of 1996 HIPAA), to protect the privacy of your health information. We are also required to send you this notice, which explains how we may use information about you and when we can give out or "disclose" that information to others. The terms "protected health information" or "PHI" in this notice include any information maintain by us that can reasonably be used to identify you, and that relates to your physical or mental health condition, the provision of health care to you, or the payment for such health care. We will comply with the requirements of applicable privacy laws related to notifying you in the event of a breach of your health information.

Permissible Uses and Disclosures of Your Healthcare Information

We will disclose PHI to you or someone who has the legal right to act for you (your personal representative) in order to administer your rights as described in this notice. We may also use or disclose your PHI under certain circumstances without your permission. The examples below are a generic list and may not apply to the administrative services that PPI performs.

• For Payment: We may use or disclose PHI to determine eligibility for Plan benefits, to facilitate payment for the treatment, to determine benefit responsibility under the Plan, or to coordinate Plan coverage. For example, upon request, we may tell a doctor whether you are eligible for coverage.
• For Health Care Operations: We may use and disclose PHI for other Plan operations that are needed to administer the Plan. For example, we may disclose information to your physicians or hospitals to help them provide medical care to you.
• To Business Associates: We may contract with individuals or entities known as Business Associates to perform various functions on our behalf or to provide certain types of services. Business Associates must agree to the same HIPAA rules for PHI. For example, we may disclose your PHI to a Business Associate to administer COBRA or to provide support services once the Business Associate enters into a Business Associate Agreement with us.
• As Required by Law: We will disclose PHI when required to do so by federal, state or local law. For example, we may disclose PHI to the Secretary of the Department of Health and Human Services to make sure that your privacy is protected, or when required to do so by national security laws or public health disclosure laws.
• To Plan Sponsors: For plan administration, we may disclose PHI to certain employees of the Employer as long as they use or disclose the PHI solely for plan administration functions. PHI cannot be used for employment purposes without your specific authorization.

Other Uses and Disclosures of Your Healthcare Information

• Workers' Compensation: If applicable, we may disclose your health information as necessary to comply with state Workers' Compensation Laws.
• Emergencies: We may disclose your health information to notify or assist in notifying a family member, or another person responsible for your care about your medical condition or in the event of an emergency or of your death.
• Public Health: As required by law, we may disclose your health information to public health authorities for purposes related to: preventing or controlling disease, injury or disability; reporting child abuse or neglect; reporting domestic violence; reporting to the Food and Drug Administration problems with products and reactions to medications; and reporting disease or infection exposure.
• Judicial and Administrative Proceedings: We may disclose your health information in the course of any administrative or judicial proceeding.
• Law Enforcement: We may disclose your health information to a law enforcement official for purposes such as identifying or locating a suspect, fugitive, material witness or missing person, complying with a court order or subpoena and other law enforcement purposes.
• Public Safety: It may be necessary to disclose your health information to appropriate persons in order to prevent or lessen a serious and imminent threat to the health or safety of a particular person or to the general public.
• Specialized Government Agencies: We may disclose your health information for military, national security, prisoner and government benefits purposes.
• Change of Ownership: In the event that PPI Benefit Solutions is sold or merged with another organization, your health information/record will become the property of the new owner.

Your Protected Health Information Rights

• You have the right to request restrictions on certain uses and disclosures of your PHI. Please be advised, however, that PPI Benefit Solutions is not required to agree to the restriction that you requested, as long as the disclosure is otherwise required by law or is to a health plan for purposes of carrying out payment or health care operations.
• You have the right to have your health information received or communicated through an alternative method or sent to an alternative location other than the usual method of communication or delivery, upon your request.
• You have a right to request that PPI Benefit Solutions amend your protected health information. Please be advised, however, that PPI Benefit Solutions is not required to agree to amend your protected health information. If your request to amend your health information has been denied, you will be provided with an explanation of our denial reason(s) and information about how you can disagree with the denial.
• You have a right to receive an accounting of disclosures of your protected health information made by PPI Benefit Solutions. Accountings of disclosures of electronic health records are limited to the past three years.
• You have a right to a paper copy of this Notice of Privacy Practices at any time upon request.
• You have the right to be notified by PPI Benefit Solutions whenever PPI Benefit Solutions discovers a breach of unsecured PHI or reasonably believes that your unsecured PHI has been accessed, acquired, used or disclosed in a manner not permitted by HIPAA. This notification is required to occur without unreasonable delay and in no case later than 60 calendar days after discovery of a breach. "Breach" means the acquisition, access, use or disclosure of PHI in a manner not permitted by the HIPAA Privacy Rule or Security Rule. PHI is considered to be "secured" when it is rendered unusable, unreadable or undecipherable to unauthorized individuals through the use of a technology or methodology specified by the Department of Health and Human Services (HHS).

Changes to this Notice of Privacy Practices

PPI Benefit Solutions reserves the right to amend this Notice of Privacy Practices at any time in the future, and will make the new provisions effective for all information that it maintains. Until such amendment is made, PPI Benefit Solutions is required by law to comply with this Notice.

PPI Benefit Solutions is required by law to maintain the privacy of your health information and to provide you with notice of its legal duties and privacy practices with respect to your health information. If you have questions about any part of this notice, or if you want more information about your privacy rights, please contact our Privacy Office at (866) 824-3817 or privacyoffice@nfp.com.

Complaints

Complaints about your Privacy Rights, or how PPI Benefit Solutions has handled your health information should be directed to our Privacy Office at (866) 824-3817 or privacyoffice@nfp.com. If you are not satisfied with the manner in which this office handles your complaint, you may submit a formal complaint to: DHHS, Office for Civil Rights, 200 Independence Avenue, S.W. Room 509F HHH Building, Washington, DC 20201.

Authorization

This notice is effective upon receipt. You have the right to withhold authorization and consent for PPI to use and disclose your PHI for the purposes of treatment, payment and healthcare operations as described in this Privacy Notice. You may do so by sending written notice to NFP c/o Privacy Office, 1250 Capital of Texas Highway, Suite 600, Austin, TX 78746. Failure to submit such a request within 30 days of receipt of this notice will constitute acceptance of this Notice of Privacy Practices. Such acceptance, however, may be withdrawn at any time by sending written notice to NFP c/o Privacy Office, 1250 Capital of Texas Highway, Suite 600, Austin, TX 78746.