HIPAA PRIVACY NOTICE

The HIPAA Privacy Rule: Establishes national standards to protect individuals' medical records and other individually identifiable health information (collectively “Protected Health Information” or “PHI”), which applies to and applies to health plans, health care clearinghouses, health care providers, businesses, health care facilities or any other related entities that conduct certain health care transactions electronically. The Rule requires appropriate safeguards to protect the privacy of PHI and sets limits and conditions on the uses and disclosures that may be made of such information without an individual’s authorization. This also gives individuals rights over their Protected Health Information, including rights to examine and obtain a copy of their health records, to direct a covered entity to transmit an electronic copy of their Protected Health Information to a third party, and to request corrections.

Federal law requires that Southern Guaranty Insurance Company (“SGIC” or “we”) maintain the privacy of your Protected Health Information. Further, this notice is provided to you to give you notice of our legal duties and privacy practices with respect to Protected Health Information. We reserve the right to change the terms of this notice and make the provisions of this new notice effective for all non-public personal health information we maintain at that time. Federal law also requires that we provide an internal complaint process for privacy issues.

SGIC is committed to protecting the privacy and security of individuals' PHI in accordance with the Health Insurance Portability and Accountability Act (HIPAA) and other applicable laws. This privacy policy outlines our practices for handling PHI and explains individuals' rights and how we safeguard their information.

Prohibitions: SGIC is prohibited from using or disclosing your genetic information for underwriting purposes. Unless otherwise permitted by applicable laws or rules or by your written authorization, SGIC may not directly or indirectly receive remuneration in exchange for your PHI. When using, disclosing, or requesting your PHI from another covered entity, we will make reasonable efforts to limit such use, disclosure, or request, to the relevant PHI.

Collections and Use: We collect PHI from individuals for the purpose of providing healthcare services, processing insurance claims, and other related activities necessary for our operations. This information may include but is not limited to: medical records, treatment plans, billing and payment information, and demographic data. PHI is used solely for authorized purposes, such as treatment, payment, and healthcare operations.

The following non-exclusive list contains examples of when we are permitted to disclose your PHI without your authorization:

1. We will use and disclose your PHI to administer your health benefits policy or contract, which may involve the determination of eligibility, claims payment, utilization review and management, medical necessity review, coordination of care, benefits, other services, responding to complaints, processing appeals, and external review requests. We may also use and disclose PHI for purposes of obtaining premiums, underwriting, ratemaking, and determining cost sharing amounts.
2. We may use and disclose your PHI to support other business activities, including without limitation, administration, underwriting, information systems management, customer service, determining premiums, ratemaking, administration of reinsurance, risk management, auditing, investigation of fraud, detecting unlawful conduct, conducting/arranging legal services, and examining stop loss and excess of loss policies.
3. We will disclose your PHI to health professionals (doctors, dentists, pharmacies, hospitals, and other care providers) who request it in connection with your treatment. The information exchanged may include, without limitation, the following: Information received directly or indirectly from you or your employer or benefits plan sponsor or one of their business associates through applications, surveys, or other forms (e.g., name, address, social security number, date of birth, marital status, dependent information, employment information and medical history), AND Information about your relationships and transactions with us and others (e.g., health care claims and encounters, medical history, eligibility information, payment information and appeal and complaint information). We may exchange your PHI electronically for treatment and other permissible purposes.
4. We may disclose your PHI in connection with the transfer of policies/contracts with other insurers (e.g., successor carriers), HMOs, third-party administrators, and in connection with any potential sale, transfer, merger, or consolidation of all or part of the "Covered Entity" with another covered entity including during the due diligence process.
5. We may disclose your PHI in connection with quality assessment and improvement activities, peer review, credentialing of providers, accreditation of independent organizations, health claims analysis and health services research, preventive health, early detection, disease and case management, coordination of care programs, identifying treatment options, analyzing therapies, identifying health care providers, and setting care or other health-related benefits/services.
6. We may share your PHI with affiliates and third party business associates (claims processors, records administrators, attorneys, accountants, etc.), in connection with their provision of services to us or in connection with the management and administration of the affiliate or associate. In addition, our business associate may redisclose your PHI to their subcontractors in the course of the provision of services. The subcontractors will be subject to the same restrictions and conditions that apply to the business associates. Whenever such an arrangement involves the use or disclosure of your PHI, we will have a written contract that contains terms designed to protect the privacy of your PHI.
7. SGIC may also use or disclose your PHI, when relevant to that person’s involvement in your care, to a member of your family, relative, or any other person you identify. If you are present for such disclosure (whether in person or on a telephone call), we will seek your verbal agreement to the disclosure or provide you with an opportunity to object to it. We may also make such disclosures to the people described above in situations where you are not present or you are unable to consent/object, if we determine that the disclosure is in your best interest. For example, if a family member or a caregiver calls our customer service line with basic information about you (address, date of birth, etc.) and with prior knowledge of a claim, we will confirm whether or not the claim has been received and paid, unless you have previously informed us in writing that you do not want us to make any such disclosures to that party.
8. Required By Law: We may use or disclose your PHI to the extent that the use or disclosure is required by law. The use or disclosure will be made in compliance with the law and will be limited to the relevant requirements of the law. You will be notified, as required by law, of any such uses or disclosures.
9. Public Health Disclosures: We may disclose your PHI for public health activities and purposes to a public health authority that is permitted by law to collect or receive the information. The disclosure will be made for the purpose of controlling disease, injury, or disability. We may also disclose your PHI, if directed by the public health authority, to a foreign government agency that is collaborating with the public health authority.
10. Health Regulation Compliance: We may disclose PHI to a health bureau for activities authorized by law in compliance with, audits, investigations, and inspections. The agencies seeking this information include government agencies that oversee the health care system, government benefit programs, other government regulatory programs, and civil rights laws.
11. Communicable Diseases: We may disclose your PHI, if authorized by law, to a person who may have been exposed to a communicable disease or may otherwise be at risk of contracting or spreading the disease or condition.
12. Legal Proceedings: We may, as required by law, to disclose PHI in the course of any judicial or administrative proceeding, in response to an order of a court or administrative tribunal (to the extent such disclosure is expressly authorized), in certain conditions in response to a subpoena, discovery request, or other lawful process.
13. Law Enforcement: We may also disclose PHI, so long as applicable legal requirements are met, for law enforcement purposes. These law enforcement purposes include (1) legal processes and otherwise required by law, (2) limited information requests for identification and location purposes, (3) pertaining to victims of a crime, (4) suspicion that death has occurred as a result of criminal conduct, (5) in the event that a crime occurs on the premises of the practice, and (6) medical emergency (not on the Practice’s premises) and it is likely that a crime has occurred.
14. Required Uses and Disclosures: Under the law, SGIC must make disclosures to you and when required by the Secretary of the Department of Health and Human Services to investigate or determine our compliance with the requirements of Section 164.500 et. Seq.

Policy Review and Updates: This notice is periodically reviewed and updated as necessary to ensure compliance with HIPAA regulations and changes within SGIC’s privacy rules and practices. We reserve the right to change the terms of this notice and to make the provisions of the new notice effective for all non-public personal health information we maintain at that time. Any updates or revisions to the policy will be distributed to our subscribers, employers, third-party affiliates, or to individuals on our website or upon request.

Violation of Privacy Rights and Complaints: Individuals also have the right to file a complaint with the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services. If you believe your privacy rights have been violated, you may file a complaint with SGIC’s compliance department. You also have the right to complain to the Secretary of the U.S. Department of Health and Human Services. SGIC will not retaliate against you for filing a complaint. We will promptly investigate and address any complaints submitted to: SGIC – Compliance Department, Email: compliance@sginsco.com.