HIPAA Notice of Privacy Practices

1. Purpose of This Notice

Benefits Life, Inc. ("Benefits Life," "we," "us," or "our") is committed to protecting the privacy and security of Protected Health Information ("PHI") in accordance with the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), the Health Information Technology for Economic and Clinical Health Act ("HITECH"), and applicable state laws.

As a Medicare Field Marketing Organization (FMO) and licensed insurance agency, Benefits Life may receive, use, and disclose PHI in the course of helping Medicare beneficiaries enroll in Medicare Advantage, Medicare Supplement, Prescription Drug, ACA, and related health insurance plans. This Notice explains how we handle that information.

2. What Is Protected Health Information?

Protected Health Information (PHI) is individually identifiable health information that relates to:

• Your past, present, or future physical or mental health or condition
• The provision of health care to you
• The past, present, or future payment for health care

PHI includes, for example, your name combined with health plan enrollment details, medical conditions discussed during needs analysis, prescription medications relevant to PDP plan selection, and provider information relevant to network adequacy.

3. How We Use and Disclose PHI

Benefits Life may use and disclose PHI for the following purposes, consistent with HIPAA and CMS regulations:

Treatment, Payment, and Health Care Operations

• Payment/Enrollment: to process enrollment applications, verify eligibility, and coordinate benefits with insurance carriers
• Health Care Operations: to administer our FMO services, including quality review, compliance monitoring, and agent training

To Carriers and Business Associates

We share PHI with insurance carriers (e.g., UnitedHealthcare, Humana, Aetna, Anthem) to process enrollment applications you authorize. We also share PHI with business associates — including technology vendors, enrollment platform providers, and compliance service providers — who have signed Business Associate Agreements (BAAs) and are contractually obligated to protect PHI.

As Required by Law

• To comply with federal or state law, including CMS and state insurance department requirements
• In response to valid subpoenas, court orders, or government investigations
• To report abuse, neglect, or domestic violence as required by law
• To health oversight agencies for activities authorized by law

Health-Related Communications

We may contact you about plan options, renewals, and Annual Enrollment Period (AEP) opportunities in accordance with CMS Medicare Communications and Marketing Guidelines, including the TPMO (Third Party Marketing Organization) disclaimer requirements.

4. Uses and Disclosures Requiring Your Authorization

We will not use or disclose your PHI for the following purposes without your specific written authorization:

• Marketing communications outside of treatment or operations
• Sale of PHI (which Benefits Life does not do)
• Most uses and disclosures of psychotherapy notes
• Any other uses not described in this Notice

You may revoke any authorization you provide at any time by submitting a written request. Revocation will not affect disclosures already made in reliance on the authorization.

5. Your Rights Regarding Your PHI

Under HIPAA, you have the following rights:

Right to Access

You have the right to inspect and obtain a copy of your PHI maintained by Benefits Life. Requests must be made in writing. We may charge a reasonable, cost-based fee for copies.

Right to Request Amendments

If you believe PHI we hold about you is incorrect or incomplete, you may request an amendment. We may deny your request if we did not create the record or if the information is accurate and complete.

Right to an Accounting of Disclosures

You have the right to request a list of certain disclosures of your PHI made by Benefits Life in the six (6) years prior to your request (excluding disclosures for treatment, payment, health care operations, and certain other purposes).

Right to Request Restrictions

You may request restrictions on how we use or disclose your PHI. We are not required to agree to every restriction, but we will consider each request.

Right to Request Confidential Communications

You may request that we communicate with you about your PHI by alternative means or at alternative locations (for example, by mail to a specific address, or by phone to a specific number).

Right to a Paper Copy of This Notice

You may request a paper copy of this Notice at any time, even if you previously agreed to receive it electronically.

Right to Be Notified of a Breach

You have the right to be notified if we discover a breach of your unsecured PHI.

6. Our Safeguards

Benefits Life maintains administrative, physical, and technical safeguards designed to protect PHI, including:

• Encrypted transmission of PHI using industry-standard protocols
• Access controls limiting PHI access to authorized personnel on a need-to-know basis
• Regular workforce training on HIPAA privacy and security requirements
• Business Associate Agreements (BAAs) with all vendors who handle PHI
• Secure storage systems with audit logging
• Incident response procedures for suspected breaches
• Ongoing risk analysis and periodic security review

7. Breach Notification

In the unlikely event of a breach of your unsecured PHI, we will notify you without unreasonable delay — and in no case later than sixty (60) days after discovery — as required by the HITECH Act. Notifications will include a description of the breach, the types of information involved, steps you should take to protect yourself, and what we are doing to investigate, mitigate, and prevent future incidents.

Depending on the scope of the breach, we may also notify the U.S. Department of Health and Human Services and, where required, state regulators and the media.

8. Agent & Workforce Training

All Benefits Life employees and contracted agents are required to:

• Complete HIPAA privacy and security training on a regular basis
• Comply with CMS Medicare Communications and Marketing Guidelines
• Adhere to the TPMO (Third Party Marketing Organization) disclaimer and scope-of-appointment rules
• Report suspected privacy or security incidents immediately
• Maintain active E&O coverage and state licensure

9. Filing a Complaint

If you believe your privacy rights have been violated, you may file a complaint with Benefits Life using the contact information below. You may also file a complaint with the U.S. Department of Health and Human Services, Office for Civil Rights:

• Online: hhs.gov/hipaa/filing-a-complaint
• Phone: 1-877-696-6775
• Mail: Office for Civil Rights, 200 Independence Avenue SW, Washington, D.C. 20201

We will not retaliate against you for filing a complaint.

10. Contact Our HIPAA Privacy Officer

For questions about this Notice, to exercise your rights, or to report a privacy concern:

This Notice is provided in accordance with 45 CFR § 164.520. Benefits Life reserves the right to change the terms of this Notice and to make new provisions effective for all PHI that we maintain. We will post any revised Notice on our website and provide a copy upon request.