Notice of Privacy Practices

THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION AND/OR PERSONAL IDENTIFIABLE INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.

This Notice of Privacy Practices describes how protected health information may be used or disclosed by your Group Health Plan or Individual Marketplace Plan to carry out payment, health care operations, and for other purposes that are permitted or required by law. This Notice also sets out our legal obligations concerning your protected health information, and describes your rights to access and control your protected health information.

Protected health information (or “PHI”) is individually identifiable health information, including demographic information, collected from you or created or received by a health care provider, a health plan, your employer (when functioning on behalf of the group health plan), or a health care clearinghouse and that relates to: (i) your past, present, or future physical or mental health or condition; (ii) the provision of health care to you; or (iii) the past, present, or future payment for the provision of health care to you.

Personal Identifiable Information (or “PII”) is defined as information: (i) that directly identifies an individual (e.g., name, address, social security number or other identifying number or code, telephone number, email address, etc.) or (ii) by which an agency intends to identify specific individuals in conjunction with other data elements, i.e., indirect identification. (These data elements may include a combination of gender, race, birth date, geographic indicator, and other descriptors).

This Notice of Privacy Practices had been drafted to be consistent with what is known as the “HIPAA Privacy Rule,” and any of the terms not defined in this Notice should have the same meaning as they have in the HIPAA Privacy Rule.

If you have any questions or want additional information about the Notice or the policies and procedures described in the Notice, please contact:

Matt Webb
1301 Old Graves Mill Road
Lynchburg, VA 24502
(434) 832-2299
mwebb@scottins.com

Effective Date
This Notice of Privacy Practices becomes effective on 01/01/2011

---

Our Responsibilities

We are required by law to maintain the privacy of your protected health information and/or personal identifiable information. We are obligated to provide you with a copy of this Notice of our legal duties and of our privacy practices with respect to protected health information and/or personal identifiable information and we must abide by the terms of this Notice. We reserve the right to change the provisions of our Notice and make the new provisions effective for all protected health information and/or personal identifiable information that we maintain. If we make a material change to our Notice, we will mail a revised Notice to the address that we have on record for the contract holder for your member contract.

Primary Uses and Disclosures of Protected Health Information and/or Personal Identifiable Information

The following is a description of how we are most likely to use and/or disclose your protected health information and/or personal identifiable information.

• Payment and Health Care Operations

  We have the right to use and disclose your protected health information and/or personal identifiable information for all activities that are included within the definitions of “payment” and “health care operations” as set out in 45 C.F.R. § 164.501 (this provision is a part of the HIPAA Privacy Rule). We have not listed in this Notice all of the activities included within these definitions, so please refer to 45 C.F.R. § 164.501 for a complete list.

  • PaymentWe will use or disclose your PHI to pay claims for services provided to you and to obtain stop-loss reimbursements or to otherwise fulfill our responsibilities for coverage and providing benefits. For example, we may disclose your protected health information and/or personal identifiable information when a provider requests information regarding your eligibility for coverage under our health plan, or we may use your information to determine if a treatment that you received was medically necessary.
  • Health Care OperationsWe will use or disclose your protected health information and/or personal identifiable information to support our business functions. These functions include, but are not limited to: quality assessment and improvement, reviewing provider performance, licensing, stop-loss underwriting, business planning, and business development. For example, we may use or disclose your protected health information and/or personal identifiable information: (i) to provide you with information about one of our disease management programs; (ii) to respond to a customer service inquiry from you; or (iii) in connection with fraud and abuse detection and compliance programs.

• Business Associates

  We contract with individuals and entities (Business Associates) to perform various functions on our behalf or to provide certain types of services. To perform these functions or to provide the services, our Business Associates will receive, create, maintain, use, or disclose protected health information, but only after we require the Business Associates to agree in writing to contract terms designed to appropriately safeguard your information. For example, we may disclose your protected health information and/or personal identifiable information to a Business Associate to administer claims or to provide member service support, utilization management, subrogation, or pharmacy benefit management. An example of a business associates would be a Third Party Administrator, which may be handling many of the functions in connection with the operation of a Group Health Plan or Individual Marketplace Plan.

• Other Covered Entities

  We may use or disclose your protected health information and/or personal identifiable information to assist health care providers in connection with their treatment or payment activities, or to assist other covered entities in connection with payment activities and certain health care operations. For example, we may disclose your protected health information and/or personal identifiable information to a health care provider when needed by the provider to render treatment to you, and we may disclose protected health information and/or personal identifiable information to another covered entity to conduct health care operations in the areas of quality assurance and improvement activities, or accreditation, certification, licensing or credentialing. This also means that we may disclose or share your protected health information and/or personal identifiable information with other insurance carriers in order to coordinate benefits, if you or your family members have coverage through another carrier.

• Plan Sponsor

  We may disclose your protected health information and/or personal identifiable information to the plan sponsor of the Group Health Plan or Individual Marketplace Plan for purposes of plan administration or pursuant to an authorization request signed by you.

Potential Impact of State Law

The HIPAA Privacy Regulations generally do not “preempt” (or take precedence over) state privacy or other applicable laws that provide individuals greater privacy protections. As a result, to the extent state law applies, the privacy laws of a particular state, or other federal laws, rather than the HIPAA Privacy Regulations, might impose a privacy standard under which we will be required to operate. For example, where such laws have been enacted, we will follow more stringent state privacy laws that relate to uses and disclosures of protected health information and/or personal identifiable information concerning HIV or AIDS, mental health, substance abuse/chemical dependency, genetic testing, reproductive rights, etc.

OTHER POSSIBLE USES AND DISCLOSURES OF PROTECTED HEALTH INFORMATION AND/OR PERSONAL IDENTIFIABLE INFORMATION

The following is a description of other possible ways in which we may (and are permitted to) use and/or disclose your protected health information and/or personal identifiable information.

• Required by Law

  We may use or disclose your protected health information and/or personal identifiable information to the extent that federal law requires the use of disclosure. When used in this Notice, “required by law” is defined as it is in the HIPAA Privacy Rule. For example, we may disclose your protected health information and/or personal identifiable information when required by national security laws or public health disclosure laws.

• Health Oversight Activities

  We may disclose your protected health information and/or personal identifiable information to a health oversight agency for activities authorized by law, such as: audits; investigations; inspections; licensure or disciplinary actions; or civil, administrative, or criminal proceedings or actions. Oversight agencies seeking this information include government agencies that oversee: (i) the health care system; (ii) government benefit programs; (iii) other government regulatory programs; and (iv) compliance with civil rights laws.

• Abuse or Neglect

  We may disclose your protected health information and/or personal identifiable information to a government authority that is authorized by law to receive reports of abuse, neglect, or domestic violence. Additionally, as required by law, we may disclose to a governmental entity authorized to receive such information your information if we believe that you have been a victim of abuse, neglect, or domestic violence.

• Legal Proceedings

  We may disclose your protected health information and/or personal identifiable information: (1) in the course of any judicial or administrative proceeding; (2) in response to an order of a court or administrative tribunal (to the extent such disclosure is expressly authorized); and (3) in response to a subpoena, a discovery request, or other lawful process, once we have met all administrative requirements of the HIPAA Privacy Rule. For example, we may disclose your protected health information and/or personal identifiable information in response to a subpoena for such information, but only after we first meet certain conditions required by the HIPAA Privacy Rule.

• Law Enforcement

  Under certain conditions, we also may disclose your protected health information and/or personal identifiable information to law enforcement officials. For example, some of the reasons for such a disclosure may include, but not be limited to: (1) it is required by law or some other legal process; (2) it is necessary to locate or identify a suspect, fugitive, material witness, or missing person; and (3) it is necessary to provide evidence of a crime that occurred on our premises.

• Coroners, Medical Examiners, Funeral Directors, and Organ Donation

  We may disclose protected health information and/or personal identifiable information to a coroner or medical examiner for purposes of identifying a deceased person, determining a cause of death, or for the coroner or medical examiner to perform other duties authorized by law. We also may disclose, as authorized by law, information to funeral directors so that they may carry out their duties. Further, we may disclose protected health information and/or personal identifiable information to organizations that handle organ, eye, or tissue donation and transplantation.

• Research

  We may disclose your protected health information and/or personal identifiable information to researchers when an institutional review board or privacy board has: (1) reviewed the research proposal and established protocols to ensure the privacy of the information; and (2) approved the research.

• To Prevent a Serious Threat to Health or Safety

  Consistent with applicable federal and state laws, we may disclose your protected health information and/or personal identifiable information if we believe that the disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public. We also may disclose protected health information and/or personal identifiable information if it is necessary for law enforcement authorities to identify or apprehend an individual.

• Military Activity and National Security, Protective Services

  Under certain conditions, we may disclose your protected health information and/or personal identifiable information if you are, or were, Armed Forces personnel for activities deemed necessary by appropriate military command authorities. If you are a member of foreign military service, we may disclose, in certain circumstances, your information to the foreign military authority. We also may disclose your protected health information and/or personal identifiable information to authorized federal officials for conducting national security and intelligence activities, and for the protection of the President, other authorized persons, or heads of state.

• Inmates

  If you are an inmate of a correctional institution, we may disclose your protected health information and/or personal identifiable information to the correctional institution or to a law enforcement official for: (1) the institution to provide health care to you; (2) your health and safety and the health and safety of others; or (3) the safety and security of the correctional institution.

• Workers’ Compensation

  We may disclose your protected health information and/or personal identifiable information to comply with workers’ compensation laws and other similar programs that provide benefits for work-related injuries or illnesses.

• Others Involved in Your Health Care

  Using our best judgment, we may make your protected health information and/or personal identifiable information known to a family member, other relative, close personal friend or other personal representative that you identify. Such a use will be based on how involved the person is in your care, or payment that relates to your care. We may release information to parents or guardians, if allowed by law.

  We also may disclose your information to an entity assisting in a disaster relief effort so that your family can be notified about your condition, status, and location.

  If you are not present or able to agree to these disclosures of your protected health information and/or personal identifiable information, then, using our professional judgment, we may determine whether the disclosure is in your best interest.

REQUIRED DISCLOSURES OF YOUR PROTECTED HEALTH INFORMATION AND/OR PERSONAL IDENTIFIABLE INFORMATION

The following is a description of disclosures that we are required by law to make.

• Disclosures to the Secretary of the U.S. Department of Health and Human Services

  We are required to disclose your protected health information and/or personal identifiable information to the Secretary of the U.S. Department of Health and Human Services when the Secretary is investigating or determining our compliance with the HIPAA Privacy Rule.

• Disclosures to You

  We are required to disclose to you most of your protected health information and/or personal identifiable information in a “designated record set” when you request access to this information. Generally, a “designated record set” contains medical and billing records, as well as other records that are used to make decisions about your health care benefits. We also are required to provide, upon your request, an accounting of most disclosures of your protected health information and/or personal identifiable information.

  We will disclose your protected health information and/or personal identifiable information to an individual who has been designated by you as your personal representative and who has qualified for such designation in accordance with relevant state law. However, before we will disclose protected health information and/or personal identifiable information to such a person, you must submit a written notice of his/her designation, along with the documentation that supports his/her qualification (such as a power of attorney).

  Even if you designate a personal representative, the HIPAA Privacy Rule permits us to elect not to treat the person as your personal representative if we have a reasonable belief that: (i) you have been, or may be, subjected to domestic violence, abuse, or neglect by such person; (ii) treating such person as your personal representative could endanger you; or (iii) we determine, in the exercise of our professional judgment, that it is not in your best interest to treat the person as your personal representative.

OTHER USES AND DISCLOSURES OF YOUR PROTECTED HEALTH INFORMATION AND/OR PERSONAL IDENTIFIABLE INFORMATION

Other uses and disclosures of your protected health information and/or personal identifiable information that are not described above will be made only with your written authorization. If you provide us with such an authorization, you may revoke the authorization in writing, and this revocation will be effective for future uses and disclosures of protected health information and/or personal identifiable information. However, the revocation will not be effective for information that we already have used or disclosed, relying on the authorization.

YOUR RIGHTS

The following is a description of your rights with respect to your protected health information and/or personal identifiable information.

• Right to Request a Restriction

  You have the right to request a restriction on the protected health information and/or personal identifiable information we use or disclose about you for payment or health care operations.

  We are not required to agree to all restrictions that you may request. If we do agree to the restriction, we will comply with the restriction unless the information is needed to provide emergency treatment to you. Health care providers are required to comply with your request that protected health information and/or personal identifiable information regarding a specific health care item or service not be disclosed to a health plan for purposes of payment or health care operations if you paid out of your own pocket, in full, for that item or service.

  You may request a restriction by writing to the Privacy Officer at 1301 Old Graves Mill Road, Lynchburg, VA 24502. It is important that you direct your request for restriction to this address so that we can begin to process your request. Requests sent to persons or offices other than the number/address indicated might delay processing the request.

  We will want to receive this information in writing and will instruct you where to send your request when you call. In your request, please tell us: (1) the information whose disclosure you want to limit; and (2) how you want to limit our use and/or disclosure of the information.

• Right to Request Confidential Communications

  If you believe that a disclosure of all or part of your protected health information and/or personal identifiable information may endanger you, you may request that we communicate with you regarding your information in an alternative manner or at an alternative location. For example, you may ask that we only contact you at your work address or via your work email.

  You may request a restriction by calling/writing to: Josh McGee, 4700 Falls of Neuse, Ste. 320, Raleigh, NC 27609 at 800-508-3310. It is important that you direct your request for confidential communications to this number/address so that we can begin to process your request. Requests sent to persons or offices other than the one indicated might delay processing the request.

  We will want to receive this information in writing and will instruct you where to send your written request when you call. In your request, please tell us: (1) that you want us to communicate your protected health information and/or personal identifiable information with you in an alternative manner or at an alternative location; and (2) that the disclosure of all or part of the protected health information and/or personal identifiable information in a manner inconsistent with your instructions would put you in danger.

  We will accommodate a request for confidential communications that is reasonable and that states that the disclosure of all or part of your protected health information and/or personal identifiable information could endanger you. As permitted by the HIPAA Privacy Rule, “reasonableness” will (and is permitted to) include, when appropriate, making alternate arrangements regarding payment.

  Accordingly, as a condition of granting your request, you will be required to provide us information concerning how payment will be handled. For example, if you submit a claim for payment, state or federal law (or our own contractual obligations) may require that we disclose certain financial claim information to the plan participant (e.g., an EOB). Unless you have made other payment arrangements, the EOB (in which your protected health information and/or personal identifiable information might be included) will be released to the plan participant.

  Once we receive all of the information for such a request (along with the instructions for handling future communications), the request will be processed usually within fifteen business days.

  Prior to receiving the information necessary for this request, or during the time it takes to process it, protected health information and/or personal identifiable information may be disclosed (such as through an Explanation of Benefits, “EOB”). Therefore, it is extremely important that you contact us at the number listed in the summary page of this Notice as soon as you determine that you need to restrict disclosures of your protected health information and/or personal identifiable information.

  If you terminate your request for confidential communications, the restriction will be removed for all your protected health information and/or personal identifiable information that we hold, including protected health information and/or personal identifiable information that was previously protected. Therefore, you should not terminate a request for confidential communications if you remain concerned that disclosure of your protected health information and/or personal identifiable information will endanger you.

• Right to Inspect and Copy

  You have the right to inspect and copy your protected health information and/or personal identifiable information that is contained in a “designated record set.” Generally, a “designated record set” contains medical and billing records, as well as other records that are used to make decisions about your health care benefits. However, you may not inspect or copy psychotherapy notes or certain other information that may be contained in a designated record set.

  To inspect and copy your protected health information and/or personal identifiable information that is contained in a designated record set, you must submit your request by calling us at the number listed in the summary page of this Notice. It is important that you call this number to request an inspection and copying so that we can begin to process your request.

  You have the right to receive an electronic copy of your protected health information and/or personal identifiable information if the protected health information and/or personal identifiable information is maintained in an electronic health record. You may also designate that the protected health information and/or personal identifiable information be sent to another entity or person.

  Requests sent to persons, offices, other than the one indicated might delay processing the request. If you request a copy of the information, we may charge a fee for the costs of copying, mailing, or other supplies associated with your request.

  We may deny your request to inspect and copy your protected health information and/or personal identifiable information in certain limited circumstances. If you are denied access to your information, you may request that the denial be reviewed. To request a review, you must contact us at the number provided in this Notice. A licensed health care professional chosen by us will review your request and the denial. The person performing this review will not be the same one who denied your initial request. Under certain conditions, our denial will not be reviewable. If this event occurs, we will inform you in our denial that the decision is not reviewable.

• Right to Amend

  If you believe that your protected health information and/or personal identifiable information is incorrect or incomplete, you may request that we amend your information. You may request that we amend your information by calling / writing to: Josh McGee, 4700 falls of Neuse, Ste. 320, Raleigh, NC 27609 / 800-508-3310. Additionally, your request should include the reason the amendment is necessary. It is important that you direct your request for amendment to this number/address so that we can begin to process your request. Requests sent to persons or offices, other than the one indicated might delay processing the request.

  In certain cases, we may deny your request for an amendment. For example, we may deny your request if the information you want to amend is not maintained by us, but by another entity. If we deny your request, you have the right to file a statement of disagreement with us. Your statement of disagreement will be linked with the disputed information and all future disclosures of the disputed information will include your statement.

• Right of an Accounting

  You have a right to an accounting of certain disclosures of your protected health information and/or personal identifiable information that are for reasons other than treatment, payment, or health care operations unless otherwise dictated by HIPAA Privacy Provisions or by law. No accounting of disclosures is required for disclosures made pursuant to a signed authorization by you or your personal representative. You should know that most disclosures of protected health information and/or personal identifiable information will be for purposes of payment or health care operations, and, therefore, unless these disclosures were made through an electronic health record, they will not be subject to your right to an accounting. There also are other exceptions to this right.

  An accounting will include the date(s) of the disclosure, to whom we made the disclosure, a brief description of the information disclosed, and the purpose for the disclosure.

  You may request an accounting by submitting your request in writing to Josh McGee, Privacy Officer. It is important that you direct your request for an accounting to this address so that we can begin to process your request. Requests sent to persons or offices other than the one indicated might delay processing the request.

  Your request may be for disclosures made up to 6 years before the date of your request, (or 3 years in some cases where the disclosures were made through an electronic health record for the treatment, payment or health care operations) but not for disclosures made before April 14, 2004. The first list you request within a 12-month period will be free. For additional lists, we may charge you for the costs of providing the list. We will notify you of the cost involved and you may choose to withdraw or modify your request at the time before any costs are incurred.

• Right to a Paper Copy of This Notice

  You have the right to a paper copy of this Notice, even if you have agreed to accept this Notice electronically.

COMPLAINTS

You may complain to us if you believe that we have violated your privacy rights. You may file a complaint with us by calling us at the number listed in this Notice. A copy of a complaint form is available from this contact office.

You also may file a complaint with the Secretary of the U.S. Department of Health and Human Services. Complaints filed directly with the Secretary must:  (1) be in writing; (2) contain the name of the entity against which the complaint is lodged; (3) describe the relevant problems; and (4) be filed within 180 days of the time you became or should have become aware of the problem.

We will not penalize or any other way retaliate against you for filing a complaint with the Secretary or with us.

 

Artificial Intelligence Strategy Statement

Scott Insurance uses artificial intelligence (“AI”) as a supportive tool to enhance the quality, efficiency, and consistency of the services we provide. Our approach to AI is intentional and responsible, designed to augment human expertise, not replace it. All coverage recommendations, advisory services, and professional decisions remain human-led and subject to established compliance, review, and accountability standards.

We use AI to help our professionals anticipate risk more effectively, deliver clearer and more timely communication, and operate more efficiently in support of better client outcomes. AI may be used to identify patterns and trends across claims, to utilize risk data for proactive planning, and to assist with the organization and preparation of communications and educational materials. AI is also used internally to streamline workflows and reduce repetitive administrative tasks so our teams can focus on advisory services and client relationships.

Scott Insurance does not use AI to make automated coverage determinations, underwriting decisions, or claim outcomes, and does not sell or share client data for AI model training. All AI-assisted work remains subject to human review and professional accountability and is governed by our data privacy, security, and confidentiality standards.