NOTICE OF INFORMATION PRIVACY PRACTICES THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION.

PLEASE REVIEW IT CAREFULLY.

This Notice is effective as of September 23, 2013. The last revision date is November 8, 2018.

To Our Customers and Potential Customers:

Horizon Blue Cross Blue Shield of New Jersey and its affiliated companies* want you to know that we are legally obligated to keep information about you secure and confidential. Unlike many other financial and health institutions, we do not sell information about you and we do not share your information except to conduct our business.

As required by law, we publish this Notice to explain the information that we collect and how we maintain, use and disclose it in administering your benefits. We will abide by the statements made in this Notice. Except as permitted by law and as explained in this Notice, we do not disclose any information about our past, present or future customers to anyone. Uses and disclosures not described in this Notice will be made only with your written authorization.

When we use the term “Customer Information,” we are referring to financial or health information that is “nonpublic,” including any information from which a judgment could possibly be made about you. When we use the term “Protected Health Information” or “PHI,” we are referring to individually identifiable oral, written and electronic information concerning the provision of, or payment for, health care to you. We refer to Customer Information and PHI collectively as “Private Information.”

Members of self-funded plans

If you are a participant or beneficiary of a self-funded group health plan, we may use and disclose your Private Information as described in this Notice. However, our use or disclosure is dictated by an arrangement with your employer (or other sponsor of your benefits plan) or that plan itself. That plan may use and disclose your Private Information differently than is described here. With respect to your individual rights, you should ask your

plan administrator how to exercise those rights, along with any other questions you may have regarding your plan’s privacy policies and practices. This Notice also applies to Horizon BCBSNJ’s employee health benefit plan.

What information do we collect?

In providing your health coverage, we collect Private Information from the following sources:

• Information we receive from you or your policyholder on applications, other forms or websites we sponsor.
• Information we obtain from your transactions with us, our affiliates or others, such as health care professionals.
• Information we receive from consumer-reporting agencies or others, such as Medicare, state regulators and law enforcement agencies.

How do we protect Private Information?

Our employees are trained on the need to maintain your Private Information in the strictest confidence. They agree to be bound by that promise of confidentiality and are subject to disciplinary action if they violate that promise. We also maintain appropriate administrative, technical and physical safeguards to reasonably protect your Private Information.

In addition, in those situations where we rely on a third party to perform business, professional or insurance services or functions for us, that third party must agree to safeguard your Private Information. That business associate must also agree to use it only as required to perform its functions for us and as otherwise permitted by our contract and the law. Finally, if we or our business associate causes a “breach” of privacy as that term is defined under federal law, we will notify you without unreasonable delay of the occurrence. In these ways, we carry out our confidentiality commitments to you.

When must we seek your authorization before disclosing Private Information?

There may be circumstances where we will seek your authorization before making a disclosure of your Private Information. This is to ensure that we have your permission to make that disclosure. For example, you may have asked someone who is not your personal representative (or the policyholder) to contact us on your behalf to obtain information about your claims. Before we disclose your Private Information to that person, we would seek your authorization to do so, unless otherwise permitted or described in this Notice. Your written authorization is required for (1) uses and disclosures of Private Information for marketing activities, when such authorization is required by law; (2) uses and disclosures of psychotherapy notes; and (3) uses and disclosures that constitute a sale of your Private Information.

If you give us your authorization, you are permitted to revoke that authorization at any time in writing. We will honor your revocation once it is processed, except to the extent that we have taken action in reliance upon your original authorization, or the authorization was obtained as a condition of obtaining coverage.

Uses and disclosures of Private Information that do not require authorization

Most of our routine use and disclosure of your Private Information occurs in administering your coverage. In those instances, we are not required to seek your authorization. For instance, we are generally permitted to make disclosures of your Private Information without authorization for purposes of treatment, payment and health care operations. In this

Notice, we provide examples of those routine purposes, although not every use or disclosure that falls into those categories is listed.

Please note that we will limit the disclosure of certain information in accordance with laws governing the special nature of the information (e.g., HIV/AIDS, substance abuse, genetic information). We are prohibited from using and disclosing your genetic information for underwriting purposes. Also, where a state permits minors of a certain age or status to seek treatment without parental consent, information that would normally be provided to our customers may be limited.

Payment Activities

We routinely use and disclose Private Information in connection with your health care coverage, to determine your eligibility for coverage and benefits, and to see that the treatment and services you receive are properly billed and paid. To do this, we may share Private Information with health care providers, their billing agents, insurance companies and others. Our payment activities can also include the use of Private Information for: risk adjustment, billing, claims management, collection activities, utilization review, medical necessity determinations and drug rebate contract reporting of drug utilization. For example, a claim for medical services rendered to you may be submitted electronically from a billing service on behalf of your provider. Our claims processors will then use your Private Information to process your claim. If we need additional information to process it, we may contact your provider to obtain that information. When we do that, we disclose Private Information to your provider in order to identify and discuss your claim with him or her.

Your provider then discloses the needed, additional Private Information that will enable us to properly process your claim. In this example, each of these entities involved – your provider, his or her billing service and Horizon BCBSNJ and/or its affiliated companies – is covered by and must protect and safeguard your Private Information either because they are “covered entities” or “business associates” of covered entities under the federal privacy regulations.

Health Care Operations Activities

We routinely use and disclose Private Information to conduct our health care business, including all the activities that are defined by federal regulation as “health care operations.” They include, but are not limited to, case management and care coordination, utilization review, quality assessment and improvement, network provider credentialing, population-based research to improve health or reduce health care costs, and contacting providers and members with information about treatment alternatives. For example, we may use and disclose Private Information to remind you about the availability or value of preventive care or of a disease management program. Other health care operations activities include compliance and auditing activities, evaluating provider performance, underwriting and other rate setting activities, formulary development, information systems management, fraud and abuse detection (by ourselves or for other plans or providers), facilitation of a sale, transfer, merger or consolidation of all or part of Horizon BCBSNJ and/or its affiliated companies with another entity (including due diligence related to the transaction), customer service and general business management, among others.

Health-Related Activities

We may use or disclose your Private Information for a number of treatment-related activities. We are permitted to tell you about possible treatment options or alternatives, inform you of health-related benefits or services, inform you of a relevant disease management program that may be of interest to you, and seek your voluntary participation in such programs to help improve your health and assist in the coordination of your overall health care. For example, our diabetes disease management business associate may, after reviewing PHI that we had provided, determine that you might suffer from diabetes. You may then receive notice that we have enrolled you in our disease management program.

Treatment, Payment and Health Care Operations of Other Covered Entities

We may use and disclose your PHI for another covered entity’s treatment, payment and health care operations purposes. For example, we may disclose your PHI when disclosure would facilitate payment for services under another health plan. In addition, we are permitted to disclose PHI to other covered entities so they can conduct certain aspects of their health care operations. We may also disclose it for purposes of their fraud and abuse detection or compliance. But we will only disclose PHI to another covered entity for these purposes if that covered entity has or had a relationship with you.

Disclosures to Individuals Involved in Care or Payment

Under certain circumstances, we may disclose your Private Information to a person, such as the policy holder,
a family member or a friend, who is involved in your care or payment for that care.

Additional Reasons for Disclosure

We may also use or disclose Private Information to:

• The certificate holder or policyholder of your coverage, if it is information regarding the status of an insurance transaction, as permitted by law
• Military authorities, if you are or were a member of the armed forces; Further public safety or, when requested by federal officials, for national security or intelligence activities or for the protection of public officials
• Appropriate bodies for public health activities, including the reporting of child abuse or neglect, adverse events, product defects, or for Food and Drug Administration reporting
• A health oversight agency for activities such as audits, investigations, licensure, disciplinary actions or civil, administrative or criminal proceedings

These disclosures are necessary for the government to:

• Oversee the health care system and government benefits programs, as well as for compliance with standards and civil rights laws
• Carry out appropriate research, but only as expressly permitted and limited by the federal privacy rules
• Communicate with legislators and regulators about legislative and regulatory developments and proposals that may impact access to affordable, quality health care
• Appropriate bodies in response to a subpoena or court order, or in response to litigation that directly involves us or your group health plan
• A correctional institution or law enforcement agency, if you are an inmate or in the custody of law enforcement
• Plan sponsor employees that are designated by the plan administrator as assisting in plan administration
• Conduct marketing-type activities, either through ourselves or through other companies on our behalf, with a valid authorization
• Inform you of health-related products or services that are included in or add value to your plan of benefits
• Engage in face-to-face marketing communication
• Distribute promotional gifts of nominal value
• Perform other functions and activities, as permitted by the federal privacy rules.

You should understand that, except as permitted or described in this document, we will not disclose your Private Information without a written authorization from you. For example, adult dependents or emancipated minors must appoint the policyholder as a personal representative in order for the policy holder to have access to their Private Information. And except for disclosures of PHI made directly to you or your personal representative, for your treatment, or pursuant to your authorization, the federal rules require us to use and disclose only the minimum PHI necessary to accomplish our purpose. For example, if we need to disclose your PHI to our utilization review case manager to help determine the medical necessity of a particular claim, we would likely not disclose your entire claim history and medical record. That is because your entire record is probably not necessary to make the determination for that one claim.

Legal rights related to Private Information

The federal privacy rules entitle you to inspect and obtain a copy of your PHI that we maintain about you that is included in what is called a “designated record set.” This includes your right to request access to PHI in an electronic format if we hold it that way. But we are not required to maintain it, except for certain documentation related to privacy rules compliance or as may otherwise be required by law.

This does not include information that relates to, and is collected in connection with or in anticipation of, a claim or civil or criminal proceeding involving you. It also does not include information which we are prohibited by law from releasing. You must reasonably describe the information you seek in your written request, and the information must be reasonably locatable and retrievable by us. We may charge you a fee to cover the cost of providing this Private Information.

Information is usually provided within 30 days of your request. You may have a right by state law to request, in writing, to inspect and obtain a copy of Private Information about you.

• The federal privacy rules create a right to request amendment of your PHI included in the designated record set. We may deny your request under those rules if we determine that our records are accurate and complete or were not created by us, the information is not contained in our designated record set, or access is otherwise restricted by law.

State law may entitle you to request that we amend or delete Private Information about you in our records if you believe the information is incorrect or incomplete. We may deny this request. However, if we do so, we must advise you of the reasons for the denial and advise you of your right to file a statement of rebuttal.

• The federal privacy rules entitle you to request restrictions on our use and disclosure of PHI for treatment, payment or health care operations (described in this Notice). We will consider each request, but are not required to agree to any restrictions, except a reasonable request for confidential communications.
• The federal privacy rules entitle you to request to receive confidential communications of PHI if disclosing this information by the usual means could endanger you. We will accommodate all reasonable requests, subject to the restrictions and capabilities of our information processing systems. A verbal request may be considered, but must be followed up in writing.
• The federal privacy rules entitle you to request to receive an accounting of certain disclosures of your PHI made by us, such as disclosures to health oversight agencies. These do not include disclosures made for purposes of treatment, payment or health care operations, disclosures to you or authorized by you, and for certain other reasons. A similar right may exist under state law.
• You have the right to request and obtain a paper copy of this Notice, even if you previously agreed to receive it electronically. If you wish to exercise any of the legal rights described in this Notice, you must do so in writing. For more information about these rights, or if you would like to make such a request, please contact:

Member Services
PO Box 820
Newark, NJ 07101-0820
Phone: 1-800-355-BLUE (2583)

Keeping up to date with our Privacy Practices

Horizon BCBSNJ and its affiliated companies reserve the right to change the terms of this

Notice and to make the new Notice provisions effective for all information that we maintain. Our policies may change as we periodically review and revise them. We will provide you with a new Notice if the changes are significant. A copy of our Privacy and Nondiscrimination Notices and additional language taglines can be found at HorizonBlue.com, under the section titled “Privacy Policy.” We will also provide you with a Notice of Information Privacy Practices (or a summary of the Notice) annually, as long as you maintain an ongoing insured customer relationship with us.

It may be necessary to use or disclose your Private Information as described in this Notice even after coverage has terminated. In addition, it may be infeasible to destroy your private information. Thus, we do not necessarily destroy it upon the termination of your coverage. However, any information we keep must be kept secure and private, and used only for permissible purposes.

Complaints

If you believe that your privacy rights have been violated, you may file a complaint with

Horizon BCBSNJ and its affiliated companies in writing to:

Privacy Office
Three Penn Plaza East, PP-16C
Newark, NJ 07105-2200

Or contact the Member Services telephone number on the back of your member ID card.

Or, to the Secretary of Health and Human Services. You will not be retaliated against for

filing a complaint. All complaints must be submitted in writing. Complaints to Horizon BCBSNJ may be submitted in writing or verbally by contacting Member Services.

If you have any questions regarding the content of this Notice, you may call Member Services at 1-800-355-BLUE.

* The Horizon Blue Cross Blue Shield of New Jersey-affiliated companies, all of which are independent licensees of the Blue Cross and Blue Shield Association, are:

– Horizon Healthcare Services, Inc. d/b/a/ Horizon Blue Cross Blue Shield of New Jersey.

– Horizon Healthcare of New Jersey, Inc., including its Horizon NJ Health (Medicaid/NJ FamilyCare) line of business.

– Horizon Insurance Company

– Horizon Healthcare Dental, Inc.

– Horizon Casualty Services, Inc.**

** This affiliate is not a covered entity subject to the federal privacy rules.

Horizon BCBSNJ complies with applicable Federal civil rights laws and does not discriminate on the basis of race, color, national origin, age, disability, or sex.

The Blue Cross® and Blue Shield® names and symbols are registered marks of the Blue Cross and Blue Shield Association. The Horizon® name and symbols are registered marks of Horizon Blue Cross Blue Shield of New Jersey. © 2018 Horizon Blue Cross Blue Shield of New Jersey Three Penn Plaza East, Newark, New Jersey 07105.

Spanish (Español): Para ayuda en español, llame al 1-855-477-AZUL (2985).

Chinese (中文)：如需中文協助，請 致電1-800-355-BLUE (2583)。