HIPAA requires employer health plans to maintain the privacy and security of your health information. HIPAA also requires the Citigroup Health Benefit Plan, Citi Be Well Program, Health Care Spending Account (HCSA), and Limited Purpose Health Care Spending Account (LPSA) (collectively, the Plans, individually the Plan) to provide you with a notice of the Plans' legal duties and privacy practices with respect to your health information. The notice will describe how the Plans may use or disclose your health information and under what circumstances they may share your health information without your authorization (generally, to carry out treatment, payment or health care operations). In addition, the notice will describe your rights with respect to your health information. Please refer to the "Notice of HIPAA Privacy Practices" for more information. You can obtain a copy of the notice by contacting the Citi Benefits Center through ConnectOne at 1 (800) 881-3938. See the For More Information section for detailed instructions, including TDD and international assistance.

Citigroup (the Plan Sponsor) shall use and disclose individually identifiable health information, also known as Protected Health Information (PHI), as defined in 45 C.F.R. Parts 160 and 164, and specifically 45 C.F.R. sec. 164.504(f) (the HIPAA Privacy Rule), only to perform administrative functions on behalf of the Plans. The HIPAA Privacy Rule defines "PHI" to include any individually identifiable health information (1) that is created or received by a health care provider, health plan, employer, insurance company or health care clearinghouse; (2) that relates to the past, present or future physical or mental health or condition of such individual; the provision of health care to such individual; or payment for such provision of health care; and (3) that is in the possession or control of an entity covered by the HIPAA Privacy Rule (called "covered entities"), including a group health plan. The Plan Sponsor shall not use or disclose such information for any purpose other than as permitted to administer the Plans or as permitted by applicable law.

The Plans shall disclose PHI to the Plan Sponsor only upon receipt of a certification by the Plan Sponsor that the Plan Documents have been amended to incorporate the provisions herein. The Plan Sponsor shall ensure that any agents, including subcontractors, to whom it provides PHI received from any of these Plans agree to the same restrictions and conditions that apply to the Plan Sponsor with respect to such information. The Plan Sponsor shall not use or disclose PHI for employment-related actions and decisions or in connection with any other benefit or employee benefits Plan of the Plan Sponsor. The Plan Sponsor shall report to the Plans any use or disclosure of PHI that is inconsistent with the uses or disclosures provided for herein of which it becomes aware.

The Plans shall make PHI available to individuals in accordance with 45 C.F.R. sec. 164.524. The Plans shall make PHI available to these individuals for purposes of amending the Plans and shall incorporate any amendments to PHI in accordance with 45 C.F.R. sec. 164.526. The Plans shall make PHI available and any disclosures as required to provide an accounting of disclosures in accordance with 45 C.F.R. sec. 164.528.

The Plan Sponsor shall make its internal practices, books and records relating to the use and disclosure of PHI received from the Plans available to the Secretary of the U.S. Department of Health and Human Services for purposes of determining compliance by the Plans with the HIPAA Privacy Rules; the Plan Sponsor shall notify the Plans of any such request by the Secretary prior to making such practices, books and records available. The Plan Sponsor shall, if feasible, return or destroy all PHI received from the Plans that the Plan Sponsor maintains in any form and retain no copies of such information when no longer needed for the purposes for which the disclosures were made, except that, if such return or destruction is not feasible, the Plan Sponsor shall limit further uses and disclosures to those purposes that make the return or destruction of the information infeasible.

The Plan Sponsor shall ensure that only its employees or other persons within the Plan Sponsor's control who participate in administering the Plans shall be given access to PHI to be disclosed, including those employees or persons who receive PHI relating to Payment, Health Care Operations (as defined in the HIPAA Privacy Rules) of, or other matters pertaining to the Plans in the ordinary course of the Plan Sponsor's business and perform Plan administration functions ("firewall"). The Plan Sponsor agrees to demonstrate to the satisfaction of the Plans that it has put in place effective procedures to address any issues of noncompliance with the Privacy Rules described in this section by its employees or other persons within its control.

In addition, the Plan Sponsor shall implement administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of any electronic PHI (as defined in the applicable HIPAA regulations) that it creates, receives, maintains or transmits on behalf of the Plans. The Plan Sponsor will also support the "firewall" described in the preceding paragraph with reasonable and appropriate security measures. The Plan Sponsor shall ensure that any agents or subcontractors to whom the Plan Sponsor supplies electronic PHI agree to implement reasonable and appropriate security measures to protect such information. The Plan Sponsor shall report any Security Incident (as defined in the applicable HIPAA regulations) of which it becomes aware to the applicable plan.