This is not a notice of privacy practices as required by the HIPAA Privacy regulations.* As a third-party administrator and utilization review agent acting on behalf of our health plan customers, Evernorth Behavioral Health** is committed to maintaining and protecting the confidentiality of participants' personal and sensitive information. This communication outlines how we do so.

Right to Inspect and Copy Confidential Information

Participants may ask to inspect or to obtain a copy of their confidential information that is included in certain records we maintain. Under limited circumstances, we may deny a participant access to a portion of their records. If the participant requests copies, we may charge the participant copying and mailing costs. If the participant's health plan has not delegated administration of this HIPAA Privacy right to Evernorth Behavioral Health, we will provide access to the health plan receiving the participant's request.

Right to Request Additional Restrictions

Participants may request restrictions on our use and disclosure of their confidential information for the treatment, payment and health care operations purposes explained in this document. While we will consider all requests for restrictions carefully, we are not required to agree to a requested restriction.

Right to Amend Records

Participants have the right to ask us to amend their confidential information that is included in our records. If we determine that the record is inaccurate, and the law permits us to amend it, we will correct it. If the participant's practitioner or another person created the information the participant wants to change, the participant should ask that person to amend the information. If the participant's health plan has not delegated administration of this HIPAA Privacy right to Evernorth Behavioral Health, we will provide access to the health plan receiving the participant's request, and amend information as the health plan requests and as is appropriate and legally permitted.

Right to Receive an Accounting of Disclosures

Upon request, a participant may obtain an accounting of disclosures we have made of the participant's confidential information. The accounting that we provide will not include disclosures made before April 14, 2003, disclosures made for treatment, payment or health care operations, disclosures made earlier than six years before the date of the participant's request, and certain other disclosures that are accepted by law. If the participant requests an accounting more than once during any 12-month period, we will charge the participant a reasonable fee for each accounting statement after the first one. If the participant's health plan has not delegated administration of this HIPAA Privacy right to Evernorth Behavioral Health, we will provide an accounting of any disclosures to the health plan receiving the participant's request.

Right to Receive Confidential Communications

Participants may ask to receive communications of their confidential information from us by alternative means of communication or at an alternative location. While we will consider reasonable requests carefully, we are not required to agree to all requests. Participants who wish to make a request for access, restriction, amendment, accounting, confidential communications, or inspection and copying, may contact Evernorth Behavioral Health's Privacy Office at 888.433.5768 extension 2350. You may be directed to make your request directly to your health plan, as your plan may not have delegated administration of this process to Evernorth Behavioral Health.

Internal Protection of Oral, Written and Electronic Protected Health Information

Evernorth Behavioral Health is bound by the Evernorth Behavioral Health Information Protection Policy, which is a set of principles concerning the safeguarding of Evernorth Behavioral Health information as it applies to all methods used to collect, store and access that information. Evernorth Behavioral Health employees must adhere to this policy in regards to Evernorth Behavioral Health specific information or individually identifiable protected health information of our participants, in any medium. Evernorth Behavioral Health employees must safeguard this information from any intentional and unintentional use. This policy includes procedures for corrective actions and employee sanctions if an Evernorth Behavioral Health employee inappropriately uses or discloses protected health information.

Routine Uses and Disclosures of Protected Health Information

Evernorth Behavioral Health will not use participants’ confidential information or disclose it to others without the participant’s authorization, except for the following purposes:

• Treatment: We may disclose participant’s confidential information to the participant’s health care practitioner for their provision, coordination or management of the participant’s health care and related services.
• Payment: We may use and disclose participant’s confidential information to obtain payment for the participant’s coverage, and to determine and fulfill our responsibility to administer the participant’s health plan benefits. We may also disclose the participant’s confidential information to a health plan, third-party administrator or health care provider for its payment activities.
• Health Care Operations: We may use and disclose participant’s confidential information for our health care operations. We may also disclose the participant’s confidential information to a health plan or practitioner who has a relationship with the participant, so that it can conduct quality assessment and improvement activities.

Upon termination of our business associate relationship with a participant's health plan, we have procedures in place to protect and restrict further use of and access to protected health information we have received or created for purposes of our benefit administration.

• Disclosures to participants' Employer, as Sponsor of participants' Health Plan As a business associate of employer-sponsored health plans, we may disclose participants' confidential information to a participant’s employer or to a company acting on the employer's behalf, so that it can monitor, audit and otherwise administer the employee health benefit plan in which the participant participates, as permitted by the plan’s documents, or as required by law. The employer or plan sponsor may not use this information for employment-related decisions, and must designate the employees who have access to the information for plan administration, monitoring or auditing purposes. Disclosures to Evernorth Behavioral Health Vendors and Accreditation Organizations. We may disclose participants' confidential information to companies with whom we contract, serving as our business associates, if they need it to perform the services we have requested. Our business associates are contractually bound to the same conditions and restrictions regarding the use and disclosure of protected health information as Evernorth Behavioral Health, and must notify us of any use inconsistent with those restrictions and conditions. Evernorth Behavioral Health also discloses confidential information to accreditation organizations such as the National Committee for Quality Assurance (NCQA) when the NCQA auditors collect Health Plan Employer Data and Information Sets (HEDIS^®)*** data for quality measurement purposes.
• Promotional Gift: We may use or disclose participant's confidential information to provide participants with a promotional gift of nominal value.
• Public Health Activities: We may disclose participant's confidential information for the following public health activities and purposes:
• To report health information to public health authorities that are authorized by law to receive such information for the purpose of preventing or controlling disease, injury or disability;
• To report child abuse or neglect to a government authority that is authorized by law to receive such reports;
• To report information about a product or activity that is regulated by the U.S. Food and Drug Administration (FDA) to a person responsible for the quality, safety or effectiveness of the product or activity;
• To alert a person who may have been exposed to a communicable disease, if we are authorized by law to give this notice.
• Health Oversight Activities: We may disclose participant's confidential information to a government agency that is legally responsible for oversight of the health care system or for ensuring compliance with the rules of government benefit programs, such as Medicare or Medicaid, or other regulatory programs that need health information to determine compliance.
• For Research: We may disclose participant's confidential information for research purposes, subject to strict legal restrictions.
• To Comply with the Law: We may use and disclose participant's confidential information to comply with the law.
• Judicial and Administrative Proceedings: We may disclose participant's confidential information in a judicial or administrative proceeding or in response to a legal order.
• Law Enforcement Official: We may disclose participant's confidential information to the police of other law enforcement officials, as required by law or in compliance with a court order or other process authorized by law.
• Health or Safety: We may disclose participant's confidential information to prevent or lessen a serious and imminent threat to the participant's health or safety or the health and safety of the general public.
• Government Functions: We may disclose participant's confidential information to various departments of the government such as the U.S. military or the U.S. Department of State.
• Workers Compensation: We may disclose participant's confidential information when necessary to comply with workers' compensation laws.

Protection of Information Disclosed to Plan Sponsors or Employer

Employers are not permitted to use confidential information we disclose for purposes of plan administration, for any purpose other than administration of the participant’s health benefit plan. The employer’s health benefit plan documents will say whether or not the employer receives confidential information and will identify the employees who are authorized to receive participant’s confidential information.

Use of Authorizations

We will not use or disclose participants' confidential information for any purpose other than those described in this communication, without the participant's written authorization. A participant may revoke an authorization the participant had previously given by sending a written request to our Privacy Office, but not with respect to any actions we already have taken.

Access to Protected Health Information

Access to our facilities is limited to authorize personnel. We restrict internal access to confidential information to Evernorth Behavioral Health employees who need to know that information to conduct our business. Evernorth Behavioral Health trains its employees on policies and procedures designed to protect privacy. Evernorth Behavioral Health employees must make reasonable efforts to limit use, disclosure or requests for protected health information to the minimum necessary to accomplish the intended purposes of the use, disclosure or request. Evernorth Behavioral Health employees will only access protected health information that is required by their specific job function.

^{* To obtain a copy of a health plan's HIPAA Privacy mandated Notice of Privacy Practices, please contact the participant services number on the participant's health plan ID card.
**Evernorth Behavioral Health refers to Evernorth Behavioral Health, Inc., and subsidiaries of Evernorth Behavioral Health, Inc., including Evernorth Behavioral Health of California, Inc.
***HEDIS® is a registered trademark of the National Committee for Quality Assurance (NCQA).}