Notice of Privacy Practices

THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT A PARTICIPANT MAY BE USED AND DISCLOSED AND HOW A PARTICIPANT CAN GET ACCESS TO THIS INFORMATION. PLEASE READ IT CAREFULLY.

This Notice describes the legal obligations of Prairie States Enterprises, Inc. (the “Business Associate”) and its legal responsibilities regarding protected health information held by the Business Associate of participants of health plans (“Covered Entities) under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), as amended by the Health information Technology for Economic and Clinical Health Act (“HITECH”). This Notice has been drafted in accordance with the HIPAA Privacy Rule, contained the in the Code of Federal Regulations at 45 CFR Parts 160 and 164. Terms not defined in this Notice have the same meaning as they have in the HIPAA Privacy Rule.

When we refer to participants in this Notice, we are referring to the participants of these Covered Entities.

Among other things, this Notice describes how this protected health information may be used or disclosed to carry out treatment, payment, or health care operations, or for any other purposes that are permitted or required by law on behalf of participants of these Covered Entities.

We are required to provide this Notice of Privacy Practices (the “Notice”) to you pursuant to HIPAA. The HIPAA Privacy Rule protects only certain medical information known as “protected health information.” Generally, protected health information is individually identifiable health information, including demographic information, collected from participants or created or received by a health care provider, a health care clearinghouse, a health plan, or the employer on behalf of its group health plan that relates to the participant’s:

• Past, present or future physical or mental health or condition;
• Provision of health care; or

Past, present or future payment for the provision of health care.

If you have any questions about this Notice or about our privacy practices, please contact Michou Reichelsdorfer, President, (920)-451-7020.

Effective Date

This Notice is effective August 23, 2013

Our Responsibilities

We are required by law to:

• Maintain the privacy of participant protected health information;
• Provide participants with certain rights with respect to their protected health information;
• Provide you with a copy of this Notice of our legal duties and privacy practices with respect to a participant’s protected health information; and
• Follow the terms of the Notice that is currently in effect.

We reserve the right to change the terms of this Notice and to make new provisions regarding a participant’s protected health information that we maintain, as allowed or required by law. If we make any material change to this Notice, we will provide a participant with a copy of our revised Notice of Privacy Practices by email to their last known email address, or mail to their last known mailing address.

How We May Use and Disclose Participants’ Protected Health Information

Under the law, we may use or disclose participant protected health information under certain circumstances without the participant’s permission. The following categories describe the different ways that we may use and disclose a participant’s protected health information. For each category of uses or disclosures we will explain what we mean and present some examples. Not every use or disclosure in a category will be listed. However, all of the ways we are permitted to use and disclose information will fall within one of the categories.

For Treatment

We may use or disclose a participant’s protected health information to facilitate medical treatment or services by providers. We may disclose medical information about a participant to providers, including doctors, nurses, technicians, medical students, or other hospital personnel who are involved in taking care of a participant. For example, we might disclose information about a participant’s prior prescriptions to a pharmacist to determine if prior prescriptions contra indicate a pending prescription.

For Payment

We may use or disclose a participant’s protected health information to determine a participant’s eligibility for benefits, to facilitate payment for the treatment and services a participant receives from health care providers, to determine benefit responsibility under the covered entity, or to coordinate covered entity’s coverage. For example, we may tell a participant’s health care provider about a participant’s medical history to determine whether a particular treatment is experimental, investigational, or medically necessary, or to determine whether the Plan will cover the treatment. We may also share a participant’s protected health information with a utilization review or pre-certification service provider. Likewise, we may share a participant’s protected health information with another entity to assist with the adjudication or subrogation of health claims or to another health plan to coordinate benefit payments.

For Health Care Operations

We may use and disclose a participant’s protected health information for other covered entity operations. These uses and disclosures are necessary to run the covered entity. For example, we may use medical information in connection with conducting quality assessment and improvement activities; underwriting, premium rating, and other activities relating to Plan coverage; submitting claims for stop-loss (or excess-loss) coverage; conducting or arranging for medical review, legal services, audit services, and fraud & abuse detection programs; business planning and development such as cost management; and business management and general administrative activities. If use or disclosure of protected health information is made for underwriting purposes, any such protected health information that is genetic information of an individual is prohibited from being used or disclosed.

To Other Parties

We may contract with other individuals or entities to perform various functions on our behalf or to provide certain types of services. In order to perform these functions or to provide these services, these individuals will receive, create, maintain, use and/or disclose a participant’s protected health information, but only after they agree in writing with us to implement appropriate safeguards regarding a participant’s protected health information. For example, we may disclose a participant’s protected health information to a third party to administer claims or to provide support services, such as utilization management, pharmacy benefit management or subrogation, but only after the third party enters into an agreement with us.

As Required by Law

We will disclose a participant’s protected health information when required to do so by federal, state or local law. For example, we may disclose a participant’s protected health information when required by national security laws or public health disclosure laws.

To Avert a Serious Threat to Health or Safety

We may use and disclose a participant’s protected health information when necessary to prevent a serious threat to a participant’s health and safety, or the health and safety of the public or another person. Any disclosure, however, would only be to someone able to help prevent the threat. For example, we may disclose a participant’s protected health information in a proceeding regarding the licensure of a physician.

To Plan Sponsors

For the purpose of administering a Covered Entity, we may disclose protected health information to certain employees of an employer. However, those employees will use or disclose that information only as necessary to perform plan administration functions or as otherwise required by HIPAA, unless the participant whose PHI is in question has authorized further disclosures. A participant’s protected health information cannot be used for employment purposes without a participant’s specific authorization.

Special Situations

In addition to the above, the following categories describe other possible ways that we may use and disclose a participant’s protected health information. For each category of uses or disclosures, we will explain what we mean and present some examples. Not every use or disclosure in a category will be listed. However, all of the ways we are permitted to use and disclose information will fall within one of the categories.

Organ and Tissue Donation

If a participant is an organ donor, we may release a participant’s protected health information to organizations that handle organ procurement or organ, eye or tissue transplantation or to an organ donation bank, as necessary to facilitate organ or tissue donation and transplantation.

Military and Veterans

If a participant is a member of the armed forces, we may release a participant’s protected health information as required by military command authorities. We may also release protected health information about foreign military personnel to the appropriate foreign military authority.

Workers’ Compensation

We may release a participant’s protected health information for workers’ compensation or similar programs. These programs provide benefits for work-related injuries or illness.

Public Health Risks

We may disclose a participant’s protected health information for public health actions. These actions generally include the following:

• To prevent or control disease, injury or disability;
• To report births and deaths;
• To report child abuse or neglect;
• To report reactions to medications or problems with products;
• To notify people of recalls of products they may be using;
• To notify a person who may have been exposed to a disease or may be at risk for contracting or spreading a disease or condition; and

To notify the appropriate government authority if we believe that a patient has been the victim of abuse, neglect or domestic violence. We will only make this disclosure if a participant agrees, or when required or authorized by law.

Health Oversight Activities

We may disclose a participant’s protected health information to a health oversight agency for activities authorized by law. These oversight activities include, for example, audits, investigations, inspections, and licensure. These activities are necessary for the government to monitor the health care system, government programs, and compliance with civil rights laws.

Lawsuits and Disputes

If a participant is involved in a lawsuit or a dispute, we may disclose a participant’s protected health information in response to a court or administrative order. We may also disclose a participant’s protected health information in response to a subpoena, discovery request, or other lawful process by someone else involved in the dispute, but only if efforts have been made to tell a participant about the request or to obtain an order protecting the information requested.

Law Enforcement

We may disclose a participant’s protected health information if asked to do so by a law enforcement official:

• In response to a court order, subpoena, warrant, summons or similar process;
• To identify or locate a suspect, fugitive, material witness, or missing person;
• About the victim of a crime if, under certain limited circumstances, we are unable to obtain the victim’s agreement;
• About a death that we believe may be the result of criminal conduct;
• About criminal conduct; and

In emergency circumstances to report a crime; the location of the crime or victims; or the identity, description or location of the person who committed the crime.

Coroners, Medical Examiners and Funeral Directors

We may release protected health information to a coroner or medical examiner. This may be necessary, for example, to identify a deceased person or determine the cause of death. We may also release medical information about patients to funeral directors as necessary to carry out their duties.

National Security and Intelligence Activities

We may release a participant’s protected health information to authorized federal officials for intelligence, counterintelligence, and other national security activities authorized by law.

Inmates

If a participant is an inmate of a correctional institution or is under the custody of a law enforcement official, we may disclose a participant’s protected health information to the correctional institution or law enforcement official if necessary (1) for the institution to provide a participant with health care; (2) to protect a participant’s health and safety or the health and safety of others; or (3) for the safety and security of the correctional institution.

Research

We may disclose a participant’s protected health information to researchers when:

• The individual identifiers have been removed; or

When an institutional review board or privacy board (1) has reviewed the research proposal; and (2) established protocols to ensure the privacy of the requested information, and approves the research.

Required Disclosures

The following is a description of disclosures of a participant’s protected health information we are required to make.

Government Audits

We are required to disclose a participant’s protected health information to the Secretary of the United States Department of Health and Human Services when the Secretary is investigating or determining our compliance with the HIPAA privacy rule.

Disclosures to a Participant

When a participant requests, we are required to disclose to a participant the portion of that participant’s protected health information that contains medical records, billing records, and any other records used to make decisions regarding a participant’s health care benefits. We are also required, when requested, to provide a participant with an accounting of most disclosures of a participant’s protected health information where the disclosure was for reasons other than for payment, treatment or health care operations, and where the protected health information not disclosed pursuant to a participant’s individual authorization. Such requests must be made through the Covered Entity.

Other Disclosures

Personal Representatives

We will disclose a participant’s protected health information to individuals authorized by a participant, or to an individual designated as a participant’s personal representative, attorney-in- fact, etc., so long as a participant provides us with a written notice/authorization and any supporting documents (i.e., power of attorney). Note: Under the HIPAA privacy rule, we do not have to disclose information to a personal representative if we have a reasonable belief that:

• A participant has been, or may be, subjected to domestic violence, abuse or neglect by such person;
• Treating such person as a participant’s personal representative could endanger a participant; or

In the exercise of professional judgment, it is not in a participant’s best interest to treat the person as a participant’s personal representative.

Fundraising

Prior to disclosing a participant’s protected health information in the case of fundraising efforts, the participant will be notified prior to receiving such fundraising communications. Such communication will provide the participant with the option of opting-out of receiving such communications. Additionally, uses and disclosures of PHI for marketing purposes and disclosures that constitute a sale of PHI will require authorization.

Authorizations

Other uses or disclosures of a participant’s protected health information not described above will only be made with a participant’s written authorization. Where appropriate, most uses and disclosures of psychotherapy notes will require a participant’s authorization.

A participant may revoke written authorization at any time, so long as the revocation is in writing. Once we receive a participant’s written revocation, it will only be effective for future uses and disclosures. It will not be effective for any information that may have been used or disclosed in reliance upon the written authorization and prior to receiving a participant’s written revocation.

A Participant’s Rights

A Participant has the following rights with respect to his or her protected health information:

Right to Access

A participant has the right to inspect and copy certain protected health information that may be used to make decisions about a participant’s health care benefits. To inspect and copy a participant’s protected health information, a participant must submit a participant’s request in writing to the Covered Entity. If a participant requests a copy of the information, we may charge a reasonable fee for the costs of copying, mailing or other supplies associated with a participant’s request.

Additionally, a participant has the right to request electronic copies of certain protected health information in a designated record set. We will provide such information in the electronic form and format requested by the participant, provided it is readily producible. If the requested form and format are not readily producible, we will provide the information in a readable electronic form and format that is mutually agreed upon with the requesting participant. If a participant requests a copy of the electronic information, we may charge a reasonable fee for the labor costs and supplies involved in creating the information.

We may deny a participant’s request to inspect and copy in certain very limited circumstances. If a participant is denied access to his or her medical information, a participant may request that the denial be reviewed by submitting a written request to the Covered Entity.

Right to Amend

If a participant feels that the protected health information we have about that participant is incorrect or incomplete, a participant may ask the Covered Entity to amend the information. A participant has the right to request an amendment for as long as the information is kept by or for the Covered Entity.

To request an amendment, a participant’s request must be made in writing and submitted to the Covered Entity. In addition, a participant must provide a reason that supports a participant’s request.

We may deny a participant’s request for an amendment if it is not in writing or does not include a reason to support the request. In addition, we may deny a participant’s request if a participant asks us to amend information that:

• Is not part of the medical information kept by or for the Plan;
• Was not created by us, unless the person or entity that created the information is no longer available to make the amendment;
• Is not part of the information that a participant would be permitted to inspect and copy; or
• Is already accurate and complete.

If we deny a participant’s request, a participant has the right to file a statement of disagreement with us and any future disclosures of the disputed information will include the participant’s statement.

Right to an Accounting of Disclosures

A participant has the right to request an “accounting” of certain disclosures of his or her protected health information. The accounting will not include (1) disclosures for purposes of treatment, payment, or health care operations; (2) disclosures made to a participant; (3) disclosures made pursuant to a participant’s authorization; (4) disclosures made to friends or family in a participant’s presence or because of an emergency; (5) disclosures for national security purposes; and (6) disclosures incidental to otherwise permissible disclosures.

To request this list or accounting of disclosures, a participant must submit the participant’s request in writing to the Covered Entity. A participant’s request must state a time period of not longer than six years

A participant’s request should indicate in what form the participant wants the list (for example, paper or electronic). The first list a participant requests within a 12-month period will be provided free of charge. For additional lists, we may charge a participant for the costs of providing the list. We will notify a participant of the cost involved and a participant may choose to withdraw or modify a participant’s request at that time before any costs are incurred.

Right to Request Restrictions

A participant has the right to request a restriction or limitation on a participant’s protected health information that we use or disclose for treatment, payment or health care operations. A participant also has the right to request a limit on a participant’s protected health information that we disclose to someone who is involved in a participant’s care or the payment for a participant’s care, like a family member or friend. For example, a participant could ask that we not use or disclose information about a surgery that a participant had.

If a participant requests a restriction, it is the participant’s responsibility to notify any other entity that may be impacted by the requested restriction.

We are not required to agree to a participant’s request. However, if we do agree to the request, we will honor the restriction until a participant revokes it or we notify the participant.

To request restrictions, a participant must make a participant’s request in writing to the Covered Entity. In a participant’s request, the participant must tell us (1) what information a participant wants to limit; (2) whether a participant wants to limit our use, disclosure, or both; and (3) to whom a participant wants the limits to apply—for example, disclosures to a participant’s spouse.

Right to Request Confidential Communications

A participant has the right to request that we communicate with a participant about medical matters in a certain way or at a certain location. For example, a participant can ask that we only contact the participant at work or by mail.

To request confidential communications, a participant must make the participant’s request in writing to the Covered Entity. We will not ask a participant the reason for the participant’s request. A participant’s request must specify how or where the participant’s wishes to be contacted. We will accommodate all reasonable requests if the participant clearly provides information that the disclosure of all or part of a participant’s protected information could endanger a participant.

Right to Receive Notification of a Breach

A participant has the right to receive notification of any breach of your protected health information. Such notice will be provided to participants within sixty (60) days of the breach being identified.

Right to a Paper Copy of This Notice

You have the right to a paper copy of this notice. You may ask us to give you a copy of this notice at any time. Even if the participant has agreed to receive this notice electronically, you are still entitled to a paper copy of this notice.

You may obtain a copy of this notice at our website, www.prairieontheweb.com

To obtain a paper copy of this notice, contact Michou Reichelsdorfer, Prairie States Enterprises, Inc. PO Box 23, Sheboygan, WI 53082-0023

Complaints

If you believe that your privacy rights have been violated, you may file a complaint with us or with the Office for Civil Rights. To file a complaint with us, contact Michou Reichelsdorfer, President, 920-451-7020 All complaints must be submitted in writing. You will not be penalized, or in any other way retaliated against, for filing a complaint with the Office of Civil Rights or with us.