NOTICE OF PRIVACY PRACTICES AULTCARE INSURANCE COMPANY


THIS NOTICE DESCRIBES HOW PROTECTED HEALTH INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.

AultCare Insurance Company (also d/b/a AultCare HMO, d/b/a PrimeTime Health Plan, and Aultra), which is part of an Organized Health Care Arrangement with AultCare Corporation
and Aultra Administrative Group (collectively referred to as “AultCare,” “We,” or “Our”) is a Group Health Plan Covered Entity under HIPAA.

AultCare is committed to safeguarding the Privacy and Security of Protected Health Information of its enrollees and their eligible dependents (referred to as “You”) whether it is oral, paper or in electronic form (“PHI/ePHI”).

This Notice of Privacy Practices (“NPP”) describes our HIPAA-compliant policies and procedures for the Use and Disclosure of your PHI/ePHI. It also describes how you can access your
PHI/ePHI and your legal rights.

This NPP is available on our website www.aultcare.com. If you do not have a computer or internet access, or if you prefer a paper copy of this Notice, please call our Service Center at 330-363-6361 or
1-800-344-8858. Please read this Notice. Feel free to share it with your family or personal representative.

Not every use or disclosure of PHI, with or without a signed Authorization, may be listed in this Notice. Uses or disclosures not specified in this Notice generally will require an Authorization.
Terms Used in this Notice
Business Associates. We contract with outside persons or entities called business associates, who may access, use, or disclose PHI/ePHI to perform covered services for us, such as auditing, accounting,
accreditation, actuarial services, and legal services. Business associates must protect the privacy and security of your PHI/ePHI to the same extent we do. If a business associate delegates responsibilities for performing services to a subcontractor or agent, that subcontractor or agent also is considered to be a business associate, which must comply with HIPAA.

Covered Entities. Covered entities include health care providers (e.g. hospitals, doctors, nurses, nursing homes, home health agencies, durable medical equipment suppliers, and other health
care professionals and suppliers), group health plans, and health care clearinghouses. AultCare is a group health plan covered entity.

Disclose. Disclose means our releasing, transferring, providing access to, or divulging your PHI/ePHI to a third party, including covered entities and their business associates: (1) for
treatment, payment, and health care operations; or (2) when you permit us by your signed authorization; or (3) as permitted or required by law.

Health Plan. Health plan means an individual or group health plan that provides, or pays the cost of, medical care and includes a health insurance issuer, HMO, Part A or B of Medicare,
Medicaid, voluntary prescription drug benefit program, issuer of Medicare supplemental policy, issuer or a long-term care policy, employee welfare benefit plan, plan for uniformed services, veterans' health care program, CHAMPUS, Indian health service program, federal employee health benefit program, Medicare+Choice program, Medicare Advantage plan, approved state child
health plan, high risk pool, and any other individual or group health plans or combination that provides or pays for the cost of medical care. AultCare is a group health plan.

Health Care Operations. We will use PHI/ePHI for health care operations that include quality assurance, performance improvement, utilization review, accreditation, licensing, legal compliance, provider and supplier credentialing, peer review, business management, auditing, enrollment, underwriting, reinsurance, and other functions related to your health plan and
its status as a group health plan, as well as offering and providing preventive, wellness, case management, and related services. We may disclose your PHI/ePHI to another health care facility, health care professional, or health plan for purposes of quality assurance, case management and related services if that facility, professional, or plan also has a relationship with you.

Minimum Necessary. We will limit the use or disclosure of your PHI/ePHI to the minimum needed to accomplish the intended purpose of the use, disclosure, or request.

Payment. Payment means the activities undertaken a group health plan to obtain premiums or to determine or fulfill its responsibility for coverage and the provisions of benefits under
your plan and includes eligibility or coverage determination, coordination of benefits, adjudication and subrogation of health benefit claims, billing, claims management, health care data processing, reinsurance (including stop-loss and excess), determination of medical necessity, utilization review (including pre-certification and retrospective review), and related activities.

Protected Health Information (PHI/ePHI). PHI/ePHI means individually identifiable medical and health information regarding your medical condition, treatment of your medical condition, and payment of your medical condition, and includes oral, written, and electronically generated and stored information. PHI/ePHI excludes de-identified information or health information regarding a person who has been deceased for more than 50 years.

Treatment. Treatment means the provision, coordination, and management of health care and related services by one or more health care providers, including referrals and consultations
between providers or suppliers.

Use. Use means our accessing, sharing, employing, applying, utilizing, examining, or analyzing your PHI/ePHI within the AultCare organization for payment and health care operation purposes. Your PHI/ePHI accessible only to members of AultCare’s workforce who have been trained in HIPAA Privacy and have signed a confidentiality agreement that limits their access and use of PHI/ePHI, according to the minimum necessary standard, to perform the authorized purpose.
Use and Disclosure of PHI for Treatment, Payment, and Health Care Operations
No Authorization Needed. We will create, receive, or access your PHI/ePHI, which we may use or disclose to other covered entities for treatment, payment, and health care operations, without the need for you to
sign an authorization.

        • Disclosures for Treatment. We will disclose your PHI/ePHI necessary for treatment. For example, a doctor or health facility involved in your care may request your PHI/ePHI that we hold to make           decisions about your care.

        • Uses and Disclosures for Payment. We will use or disclose your PHI needed for payment. For example, we will use information about your medical procedures and treatment to process and pay            claims, to determine whether services are medically necessary, and to pre-authorize or certify services covered by your health plan. We may disclose PHI/ePHI to other governmental or            commercial health plans that may be obligated under coordination of benefit rules to process and pay your claims.

        • Uses and Disclosures for Health. Care Operations. We will use and disclose your PHI/ePHI as necessary or permitted by law for our health care operations. For example, we may use or disclose            PHI/ePHI for underwriting purposes; however, we will not use or disclose your genetic information for underwriting purposes.

No Authorization Needed for Business Associates. We may disclose PHI/ePHI to business associates with whom we contract to perform certain covered services, It is not necessary for you to sign an authorization for us to share PHI/ePHI with our business associates.
Other Uses and Disclosures of PHI/ePHI
Authorization. Except for treatment, payment, or health care operations, or as stated below, we will not use or disclose your PHI/ePHI for any other purpose without your signed HIPAA-compliant authorization, unless required by law. We will not condition your treatment or coverage on your signing an authorization.

We will not disclose psychotherapy notes without a signed authorization unless required by law.

We will not disclose your PHI/ePHI to your employer without your signed authorization. We will not release medical records if we are subpoenaed, unless you sign an authorization, or the lawyers enter into a qualified protective order, or if we receive a valid court or administrative order.

You may cancel your authorization at any time by notifying us in writing. Once we receive your written cancellation, we no longer will disclose your PHI/ePHI. We are not responsible for any use or disclosure of PHI/ePHI according to your authorization before we receive your written cancellation.

Communications With You. We may communicate with you about your claims, premiums, or other things connected with your health plan. You may request us to communicate with you by alternative means or at alternatives locations. For example, you may request that messages not to be left on voice mail or that explanation of benefits (EOBs) be sent to post office box or address other than your home. You may send your request to: Privacy Coordinator, P.O. Box 6029, Canton, Ohio 44706. We will honor reasonable requests.

Communications with Family or Others Involved In Your Care. With your approval, we may disclose your PHI/ePHI to designated family, friends, guardians, persons authorized by a durable or general power of attorney, personal representative, or others involved in your care or payment for your care to assist that person’s caring for you or paying your medical bills. If you are unavailable,
incapacitated, or facing an emergency medical situation, and we determine that a limited disclosure may be in your best interest, we may share limited PHI/ePHI with these individuals without your approval. We may disclose limited PHI/ePHI to a public or private entity authorized to assist in disaster relief efforts, so it may locate a family member or other persons who may be involved
in caring for you.

Minors and Emancipated Minors. We will disclose PHI/ePHI of a minor (a person less than 18 years old) to the minor’s parent(s) or guardian. We will not disclose PHI/ePHI to the parent(s) or guardian of an emancipated minor. A minor is considered emancipated if he/she: (1) does not live with his/her parent(s); (2) is not covered by parental health insurance; (3) is financially independent of
parent(s); (4) is married; (5) has children; or (6) is in the military.

Deceased Enrollees and their Dependents. If you die, we will disclose your PHI/ePHI to the probate court’s appointed executor or administrator of your estate. We may disclose PHI/ePHI to your spouse, family, personal representative, or others who were involved in your care or management of your affairs, unless doing so would be inconsistent with your expressed wishes made known to us.

Other Health-Related Products or Services. We may periodically use your PHI/ePHI to determine whether you may be interested in, or benefit from, treatment alternatives, wellness, preventive, disease management, or health-related programs, products or services that may be available to you as an enrollee or eligible beneficiary under your health plan. For example, we may use your
PHI/ePHI to identify whether you have a particular illness, and contact you to advise you that a disease management program is available to help manage your illness. If you do not want to be contacted or receive information about these services and programs, you may opt out by contacting the Service Center. Your opting out will not affect any coverage or services we provide to you. We will
not use your information to communicate with you about products or services that are not health-related without your authorization. We will not sell or disclose your PHI/ePHI to third-parties for marketing without your authorization, which will indicate whether we receive remuneration for selling PHI.

Fundraising. We may contact you about charitable fundraising. If you do not want to be contacted or receive fundraising materials, you may opt out by contacting our Service Center. Your opting out
will not affect any coverage or services we provide to you.

Research. In limited circumstances, we may use and disclose your PHI/ePHI for research. For example, a research organization wishing to compare outcomes of patients by payer source
would need to review a series of records we hold. In all cases where your specific authorization has not been obtained, your privacy will be protected by strict confidentiality requirements applied by an Institutional Review Board or privacy board that oversees the research.
Use and Disclosure of Health Information Permitted or Required by Law
We may use or disclose PHI/ePHI, without your authorization, as permitted or required by law, including, but not limited to, the following:

Plan Sponsor. We may disclose PHI/ePHI to the plan sponsor of your health benefit plan on condition that the plan sponsor certifies that it will maintain PHI/ePHI provided a confidential manner and will not use it for employment-related decisions, other improper employee benefit determinations, or in any other manner not permitted by law.

Workers' Compensation. Ohio law permits us to disclose PHI/ePHI to workers’ compensation agencies and for related purposes when an employee files a workers’ compensation claim or seeks benefits for
work-related injuries or illnesses.

Public Health Agencies. Ohio law requires us to disclose PHI/ePHI to public health agencies for reporting births and deaths, to help control disease, injury or disability and for reporting cases of suspected
abuse, neglect, or domestic violence.

FDA and OSHA. Certain Federal laws from the FDA and OSHA require us to disclose PHI/ePHI for reporting adverse events, product problems, and biological product deviations, so safety precautions, recalls, and notifications can be conducted.

Regulatory and Licensing Agencies. We will disclose PHI/ePHI to certain Ohio and Federal governmental regulatory and licensing agencies (including the Ohio Department of Insurance) and health oversight agencies for purposes of their reviewing health care system, civil rights, privacy laws, and compliance with other governmental programs.

National and Homeland Security. We may disclose information concerning enrollees and their eligible dependents to authorized federal officials for intelligence and other National and Homeland Security purposes.

Protective Services for the President and Others. We may disclose PHI/ePHI to authorized federal officials, so they may protect the President, other authorized persons and foreign heads of state and officials, or to conduct special investigations.

Red Cross and Armed Forces. We may disclose PHI/ePHI to the Red Cross or Armed Forces to assist them in notifying family members of your location, general condition, or death.

Coroners, Medical Examiners, and Funeral Directors. We may disclose PHI/ePHI to coroners, medical examiners, or funeral directors for them to perform legally authorized responsibilities.

Law Enforcement. We may disclose PHI to law enforcement officials when it: (1) is limited to identification purposes; (2) applies to victims of crime; (3) involves a suspicion that injury or death has occurred because of criminal conduct; (4) is needed for a criminal investigation; (5) is needed to prevent or lessen the threat to the health or safety of a person or to the public; (6) is in response to a valid court order;
(7) is used to identify or locate a suspect, fugitive or missing person; (8) is used to report a crime on our premises; or (9) is otherwise required by law.

Reporting of Wounds. We may disclose PHI/ePHI to law enforcement officials as required by law to report gunshot wounds, stabbing, burns, injuries and crimes.

Emergency or Disaster. If the President declares an emergency or disaster, and the Secretary of HHS declares a public health emergency, the Secretary may waive our obligation to comply with any or
all of the following Privacy requirements to: (1) obtain your agreement to speak to family members or friends involved in your care; (2) your right to request privacy restrictions; or (3) your right to request confidential communications. Waiver only applies during an emergency period up to 72 hours.

Prevent Threat of Serious Harm. We will disclose PHI/ePHI if a reasonable belief exists that it may prevent or lessen a serious and imminent threat to the health or safety to you, another person, or the public, and disclosure is made to a person(s) reasonably able to prevent or lessen the threat, including the target or intended victim of the threat.

Proof of Immunization. We may disclose PHI to schools for the limited purpose of showing proof of immunization of a student or prospective student, and the parent, guardian, or person acting in loco parentis does not object.

Organ and Tissue Donation. If you are an organ or tissue donor, we may disclose medical information to the organizations that handle: (1) organ procurement; (2) organ, eye, or tissue transplantation; or
(3) an organ donation bank, as applicable, to facilitate organ or tissue donation and transplantation.

Correction Institution or Custody. If you are an inmate of a jail, prison, correctional institution, or under the custody of law enforcement officials, we may use or disclose medical information about you for purposes of: (1) the institution’s providing you with health care; (2) protecting your health and safety and the health and safety of others; and (3) protecting the safety and security of the correctional institution or custodial facility.

Institutional Review Board. We may release PHI/ePHI for certain research purposes where the research is approved by a formal institutional review board with established rules to ensure privacy.
Your Rights
Restrictions on Use and Disclosure of Your PHI. You have the right to request restrictions on our use and disclosures of your PHI/ePHI for treatment, payment, or health care operations by notifying us in writing of your request. A restriction request form can be obtained by calling the AultCare Service Center or by visiting our website at www.aultcare.com. We are not required to agree to your request for restriction, unless disclosure is for the purpose of carrying out payment or health care operations and is not otherwise required by law, or the PHI/ePHI pertains solely to a health care
item or service for which you or your personal representative has paid out-of-pocket the covered entity in full. In other instances, we will attempt to accommodate reasonable requests, if appropriate. We reserve the right to terminate a restriction at any time if we believe termination is appropriate. We will notify you if we terminate the restriction. You also have the right to terminate any by calling or sending the termination notice to the Privacy Coordinator.

Access to Your PHI.You have the right to copy and/or inspect your PHI/ePHI maintained in a designated record set. There are exceptions. You may not have the right to inspect or copy psychotherapy notes or information compiled for civil, criminal or administrative proceedings. Your right may not extend to information covered by other laws or information obtained from someone other than another covered entity. We may deny you access if, in our judgment, seeing the information could endanger the life or safety of you or another. All requests for access must be made in writing and signed by you or your personal representative. If the subject of the request for access is ePHI maintained in one or more designated record sets electronically, and if you request an electronic copy,
we will provide you with access to your ePHI in the electronic form and format requested if it is readily producible in such form or format or, if not, in a mutually agreed-to readable electronic form and format. If your request for access directs us to transmit a copy of the ePHI to another person whom you designate, we will provide a copy of the requested ePHI to that designated person. We may charge you for postage if you request a mailed paper copy and can charge per page and for preparing a summary of the requested information if you request such summary. You may obtain an access request form by calling the AultCare Service Center or by visiting our website at www.aultcare.com.

Amendments to Your PHI. You have the right to request in writing that PHI/ePHI we maintain about you in a designated record set be amended or corrected. We are not obligated to make all requested amendments but will give each request careful consideration. All amendment requests, in order to be considered by us, must be in writing, signed by you or your personal representative, and must state the reasons for the amendment/correction request. If an amendment or correction you request is made by us, we may also notify others who work with us and have copies of the uncorrected record if we believe that such notification is necessary. You may obtain an amendment request form by calling the AultCare Service Center or by visiting our website at www.aultcare.com.

Accounting for Disclosures of Your PHI. You have the right to receive an accounting of certain disclosures we made of your PHI after April 14, 2003. There are certain exceptions and limitations, including, but not limited to disclosures made: (1) for treatment, payment, and health care operations; (2) to you or personal representative of your own PHI; and (3) according to your signed
authorization. Requests must be made in writing and signed by you or your personal representative. Accounting request forms are available by calling the AultCare Service Center or by visiting our website at www.aultcare.com. The first accounting in any 12-month period is free. You may be charged a fee for each subsequent accounting you request within the same 12- month period.

Breach Notification. You have the right to notification if a breach of your PHI/ePHI occurs. We will promptly notify you by first-class mail, at your last known address, or by email (if you prefer) if we discover a breach of unsecured PHI/ePHI, which includes the unauthorized acquisition, access, use, or disclosure of your PHI/ePHI, unless we determine that a low probability exists that the compromise of your PHI would cause you financial, reputational, or other harm. We will include in the breach notification a brief description of what happened, a description of the types of unsecured PHI
involved, steps you should take to protect yourself from potential harm, a brief description of what we are doing to investigate the breach and mitigate any potential harm, as well as contact information for you to ask questions and learn additional information.
Patient Concern and Complaint Resolution
We are committed to protecting your PHI/ePHI. Despite our best efforts, questions, concerns, or problems may occur. If you have a concern, or if you believe that your privacy rights have been violated or breached, we encourage you to contact us immediately. You may ask a question, express a concern, or file a complaint by writing to the Privacy Coordinator, P.O. Box 6029, Canton, Ohio 44706. You may also file a complaint with the Secretary of the U.S. Department of Health and Human Services in Washington D.C. in writing within 180 days of a violation of your rights. Under no circumstances, will we “retaliate” against you for expressing a concern or filing a complaint regarding your privacy rights.
Changes to this Notification of Privacy Practices
We reserve the right to change this Notice of Privacy Practices at any time, which we may make effective for PHI/ePHI we already used or disclosed, and/or for any PHI/ePHI we may create, receive, use, or disclose in the future. We will make material amendments based on changes in the HIPAA laws. The revised notice will be posted on our website www.aultcare.com. Copies of revised notices will be mailed to all enrollees covered by the plan, and copies may be obtained by mailing a request to: Privacy Coordinator, P.O. Box 6029, Canton, Ohio 44706.

If you have questions or need further assistance regarding this Notice, you may contact the Service Center at 330-363-6360 or 1-800-344-8858. If you are hearing impaired and have access to a TTY phone, you may reach us at our TTY line at 330-363-2393 or 1-866-633-4752. Our call center hours of business are from 7:30 a.m. to 5:00 p.m., Monday-Friday.
EFFECTIVE DATE
This Notice of Privacy Practices became effective on April 14, 2003.

Reviewed: 07/31/06, 09/25/06, 04/06/07, 02/15/12, 6/15/12 (name change),9/18/13, 9/3/14, 9/10/15; 5/24/16, 7/31/16

Revised: 07/31/06, 09/25/06, 04/06/07, 02/15/12, 6/15/12 (name change), 7/17/13; 5/24/16, 8/1/16.

Approved 9/3/14; 7/31/16 in Privacy Committee. MK, KKT