Citi Benefits Handbook
Notice of HIPAA Privacy Practices
This Notice of Privacy Practices describes how the Citigroup Health Benefit Plan, Citigroup Be Well Plan, Health Care Spending Account (HCSA), and Limited Purpose Health Care Spending Account (LPSA) (collectively referred to in this section as an "Organized Health Care Arrangement" and each individually referred to in this section as a "Component Plan") may use and disclose your PHI.
This notice also sets out Component Plans' legal obligations concerning your PHI and describes your rights to access and control your PHI. All Component Plans have agreed to abide by the terms of this notice. This notice has been drafted in accordance with the HIPAA (Health Insurance Portability and Accountability Act of 1996) Privacy Rule, contained in the Code of Federal Regulations at 45 C.F.R. Parts 160 and 164 as amended by Title XIII, Subtitle D of the American Recovery and Reinvestment Act of 2009 (ARRA, P.L. 111-5) and regulations promulgated thereunder. Terms that are not defined in this notice have the same meaning as they have in the HIPAA Privacy Rule, as amended, and its related regulations.
For Answers to Your Questions and for Additional Information
If you have any questions or want additional information about this notice, call the Citi Benefits Center as instructed under "Contact Information." To exercise any of the rights described in this notice, contact the third-party administrator for the relevant Component Plan as instructed under "Contact Information."
Component Plans' Responsibilities
Each Component Plan is required by law to maintain the privacy of your PHI. The HIPAA Privacy Rule defines "PHI" to include any individually identifiable health information (1) that is created or received by a health care provider, health plan, employer, insurance company or health care clearinghouse; (2) that relates to the past, present or future physical or mental health or condition of such individual; the provision of health care to such individual; or payment for such provision of health care; and (3) that is in the possession or control of an entity covered by the HIPAA Privacy Rule (called "covered entities"), including a group health plan. The Component Plans were required to limit the use of, disclosure of or request for PHI to the extent practical to either limited data sets or, if needed, the minimum necessary to accomplish the intended purpose of the use, disclosure or request.
Component Plans are obligated to provide to you a copy of this notice setting forth their legal duties and privacy practices regarding your PHI. Component Plans must abide by the terms of this notice. If any of the Component Plans use or disclose PHI for underwriting purposes, the Component Plan will not use or disclose PHI that is your genetic information for such purposes.
Uses and Disclosures of Protected Health Information
The following describes when any Component Plan is permitted or required to use or disclose your PHI. This list is mandated by the HIPAA Privacy Rule.
Payment and Health Care Operations
Each Component Plan has the right to use and disclose your PHI for all activities included within the definitions of "payment" and "health care operations" as defined in the HIPAA Privacy Rule, as amended by ARRA.
Payment: Component Plans will use or disclose your PHI to fulfill their responsibilities for coverage and provide benefits as established under their governing documents. For example, Component Plans may disclose your PHI when a provider requests information about your eligibility for benefits under a Component Plan, or it may use your information to determine if a treatment that you received was medically necessary.
Health care operations: Component Plans will use or disclose your PHI to fulfill Component Plans' business functions. These functions include, but are not limited to, quality assessment and improvement, reviewing provider performance, licensing, business planning and business development. For example, a Component Plan may use or disclose your PHI (1) to provide information about a disease management program to you; (2) to respond to a customer service inquiry from you; (3) in connection with fraud and abuse detection and compliance programs; or (4) to survey you concerning how effectively such Component Plan is providing services, among other issues.
Business associates: Each Component Plan may enter into contracts with service providers — called business associates — to perform various functions on its behalf. For example, Component Plans may contract with a service provider to perform the administrative functions necessary to pay your medical claims. To perform these functions or to provide the services, business associates will receive, create, maintain, use or disclose PHI, but only after such Component Plan and the business associate agree in writing to contract terms requiring the business associate to appropriately safeguard your information.
Organized health care arrangement: Component Plans may share your PHI with each other to carry out payment and health care activities.
Other covered entities: Component Plans may use or disclose your PHI to assist health care providers in connection with their treatment or payment activities or to assist other covered entities in connection with certain health care operations. For example, Component Plans may disclose your PHI to a health care provider when needed by the provider to render treatment to you. Component Plans may disclose PHI to another covered entity to conduct health care operations in the areas of quality assurance and improvement activities or accreditation, certification, licensing or credentialing.
Component Plans may also disclose or share your PHI with other health care programs or insurance carriers (including, for example, Medicare or a private insurance carrier, etc.) to coordinate benefits if you or your family members have other health insurance or coverage.
Required by law: Component Plans may use or disclose your PHI to the extent required by federal, state or local law.
Public health activities: Each Component Plan may use or disclose your PHI for public health activities permitted or required by law. For example, each Component Plan may use or disclose information for the purpose of preventing or controlling disease, injury or disability, or it may disclose such information to a public health authority authorized to receive reports of child abuse or neglect. Component Plans may also disclose PHI, if directed by a public health authority, to a foreign government agency collaborating with the public health authority.
Health oversight activities: Component Plans may disclose your PHI to a health oversight agency for activities authorized by law. For example, these oversight activities may include audits; investigations; inspections; licensure or disciplinary actions; or civil, administrative or criminal proceedings or actions. Oversight agencies seeking this information include government agencies that oversee the health care system, government benefit programs, other government regulatory programs and government agencies that ensure compliance with civil rights laws.
Lawsuits and other legal proceedings: Component Plans may disclose your PHI in the course of any judicial or administrative proceeding or in response to an order of a court or administrative tribunal (to the extent such disclosure is expressly authorized in the court order). If certain conditions are met, Component Plans may also disclose your PHI in response to a subpoena, a discovery request or another lawful process.
Abuse or neglect: Component Plans may disclose your PHI to a government authority authorized by law to receive reports of abuse, neglect or domestic violence. Additionally, as required by law, if a Component Plan believes you have been a victim of abuse, neglect or domestic violence, it may disclose your PHI to a government entity authorized to receive such information.
Law enforcement: Under certain conditions, Component Plans may also disclose your PHI to law enforcement officials for law enforcement purposes. These law enforcement purposes include, for example, (1) responding to a court order or similar process; (2) as necessary to locate or identify a suspect, fugitive, material witness or missing person; or (3) as relating to the victim of a crime.
Coroners, medical examiners and funeral directors: Component Plans may disclose PHI to a coroner or medical examiner when necessary to identify a deceased person or determine a cause of death. Component Plans may also disclose PHI to funeral directors as necessary to carry out their duties.
Organ and tissue donation: Component Plans may disclose PHI to organizations that handle organ, eye or tissue donation and transplantation.
Research: Component Plans may disclose your PHI to researchers when (1) their research has been approved by an institutional review board that has reviewed the research proposal and established protocols to ensure the privacy of your PHI or (2) the research involves a limited data set that includes no unique identifiers, such as name, address, Social Security number, etc.
To prevent a serious threat to health or safety: Consistent with applicable laws, Component Plans may disclose your PHI if disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public. Component Plans may also disclose PHI if it is necessary for law enforcement authorities to identify or apprehend an individual.
Military: Under certain conditions, Component Plans may disclose your PHI if you are, or were, Armed Forces personnel for activities deemed necessary by appropriate military command authorities. If you are a member of a foreign military service, Component Plans may disclose, in certain circumstances, your PHI to the foreign military authority.
National security and protective services: Component Plans may disclose your PHI to authorized federal officials for conducting national security and intelligence activities and for the protection of the president, other authorized persons or heads of state.
Inmates: If you are an inmate of a correctional institution or are under the custody of a law enforcement official, Component Plans may disclose your PHI to the correctional institution or to a law enforcement official for (1) the institution to provide health care to you; (2) your health and safety and the health and safety of others; or (3) the safety and security of the correctional institution.
Workers' Compensation: Component Plans may disclose your PHI to comply with Workers' Compensation laws and other similar programs that provide benefits for work-related injuries or illnesses.
Disclosures to the Plan Sponsor: Component Plans (or their respective health insurance issuers or HMOs) may disclose your PHI to Citi and its employees and representatives in the capacity of the sponsor of the Component Plans.
Others involved in your health care: Component Plans may disclose your PHI to a friend or family member involved in your health care, unless you object or request a restriction (in accordance with the process described in "Right to request a restriction" under "Your Rights"). Component Plans may also disclose your PHI to an entity assisting in a disaster relief effort so that your family can be notified about your condition, status and location. If you are not present or able to agree to these disclosures of your PHI, then, using professional judgment, Component Plans may determine whether the disclosure is in your best interest.
Disclosures to the Secretary of the U.S. Department of Health and Human Services: Each Component Plan is required to disclose your PHI to the Secretary of the U.S. Department of Health and Human Services when the Secretary is investigating or determining a Component Plan's compliance with the HIPAA Privacy Rule.
Disclosures to you: Each Component Plan is required to disclose to you or to your personal representative most of your PHI when you request access to this information. Component Plans will disclose your PHI to an individual who has been designated by you as your personal representative and who is qualified for such designation in accordance with relevant law.
Prior to such a disclosure, however, each Component Plan must be given written documentation that supports and establishes the basis for the personal representation. A Component Plan may elect not to treat the person as your personal representative if it has a reasonable belief that you have been, or may be, subjected to domestic violence, abuse or neglect by such person, or that treating such person as your personal representative could endanger you, or if such Component Plan determines, in the exercise of its professional judgment, that it is not in your best interest to treat the person as your personal representative.
Other Uses and Disclosures of Your Protected Health Information
Other uses and disclosures of your PHI that are not described above will be made only with your written authorization as provided to each Component Plan. If you provide such authorization to a Component Plan, you may revoke the authorization in writing, and such revocation will be effective for future uses and disclosures of PHI upon receipt. However, the revocation will not be effective for information that such Component Plan has used or disclosed in reliance on the authorization.
Each Component Plan (or its health insurance issuers, HMOs or third-party administrators) may contact you about treatment alternatives or other health benefits or services that might be of interest to you, as permitted as part of health care operations, as defined in the HIPAA Privacy Rules.
As required by law, in the event of an unauthorized disclosure, use or access of your unsecured PHI, you will receive written notification.
The following is a description of your rights regarding your PHI. If you wish to exercise any of these rights, you must contact the third-party administrator of the Component Plan that you wish to have comply with your request, using the contact information in "Contact Information."
Right to request a restriction: You have the right to request a restriction on the PHI that a Component Plan uses or discloses about you for payment or health care operations. You also have a right to request a limit on disclosures of your PHI to family members or friends involved in your care or the payment for your care. You may request such a restriction using the contact information as instructed under "Contact Information."
A Component Plan is not required to agree to any restriction that you request. If a Component Plan agrees to the restriction, it can stop complying with the restriction upon providing notice to you. Your request must include the PHI you wish to limit; whether you want to limit such Component Plan's use, disclosure or both; and (if applicable) to whom you want the limitations to apply (for example, disclosures to your spouse).
A health care provider must comply with your request that PHI regarding a specific health care item or service not be disclosed to the Component Plan for purposes of payment and health care operations if you have paid for the item or service in full out of pocket.
Right to request confidential communications: If you believe that a disclosure of all or part of your PHI may endanger you, you may request that a Component Plan communicate with you in an alternative manner or at an alternative location. For example, you may ask that all communications be sent to your work address. You may request a confidential communication using the contact information in "Contact Information."
Your request must specify the alternative means or location for communicating with you. It also must state that the disclosure of all or part of the PHI in a manner inconsistent with your instructions would put you in danger. A Component Plan will accommodate a request for confidential communications that is reasonable and states that the disclosure of all or part of your PHI could endanger you.
Right to request access: You have the right to inspect and have a copy of PHI that may be used to make decisions about you. If you request copies, the relevant Component Plan may charge you for photocopying your PHI, and, if you request that copies be mailed to you, for postage. The third-party administrators of the Component Plans have indicated that they do not currently intend to charge for this service, although they reserve the right to do so.
You may request an electronic copy of your PHI if it is maintained in an electronic health record. In addition, you may request a copy of all electronic PHI maintained in a designated record set in the electronic form and format (e.g., web portal, email or on portable electronic media) in which you and the Component Plan can reach an agreement that such information will be provided. You may also request that such electronic PHI be sent to another entity or person. Any charge that is assessed, if any, must be reasonable and based on the Component Plan's cost.
Note: Under federal law, you may not inspect or copy the following records: psychotherapy notes; information compiled in reasonable anticipation of, or use in, a civil, criminal or administrative action or proceeding; and PHI subject to law that prohibits access to PHI. Depending on the circumstances, a decision to deny access may be reviewable. In some, but not all, circumstances, you may have a right to have this decision reviewed.
Right to request an amendment: You have the right to request an amendment of your PHI held by a Component Plan if you believe that information is incorrect or incomplete. If you request an amendment of your PHI, your request must be submitted in writing, using the contact information in "Contact Information", and must set forth a reason(s) to support the proposed amendment. In certain cases, a Component Plan may deny your request for an amendment.
For example, a Component Plan may deny your request if the information you want to amend is accurate and complete or was not created by such Component Plan. If a Component Plan denies your request, you have the right to file a statement of disagreement. Your statement of disagreement will be linked with the disputed PHI, and all future disclosures of the disputed information by such Component Plan will include your statement.
Right to request an accounting: You have the right to request an accounting of certain disclosures Component Plans have made of your PHI. You may request an accounting using the contact information in "Contact Information." You can request an accounting of disclosures made up to six years prior to the date of your request, except that Component Plans are not required to account for disclosures made prior to April 14, 2003.
You are entitled to one accounting from each Component Plan free of charge during a 12-month period. There may be a charge to cover a Component Plan's costs for any additional requests within that 12-month period. Component Plans will notify you of the cost involved, and you may choose to withdraw or modify your request before any costs are incurred.
Right to a paper copy of this notice: You have the right to a paper copy of this notice, even if you have agreed to accept this notice electronically. To obtain such a copy, call the Citi Benefits Center. See "Contact Information."
Notwithstanding the permitted disclosures noted above, all participants' PHI is deemed confidential and shall be protected to the fullest extent possible under applicable law. Such disclosure, beyond permitted payment and health care operations, shall not be authorized unless the specific request strictly complies with HIPAA requirements (i.e., court order, subpoena, etc.) with respect to the requested information, and is subject to review by the plan administrator.
If you believe a Component Plan has violated your privacy rights or is not fulfilling its obligation under the breach notice rules, you may complain to such Component Plan or to the Secretary of the U.S. Department of Health and Human Services. You may file a complaint with such Component Plan using the contact information under "Contact Information." Component Plans will not penalize you for filing a complaint.
Changes to This Notice
Component Plans reserve the right to change the provisions of this notice and to make the new provisions effective for all PHI that they maintain. If a Component Plan makes a material change to this notice, it will provide a revised notice to you at the address that it has on record for the participant enrolled with such Component Plan (or, if you agreed to receive revised notices electronically, at the email address you provided to such Component Plan).
This Notice of HIPAA Privacy Practices became effective April 14, 2003, and was last reviewed on August 21, 2023.
For more information about any of the rights in this notice, or to file a complaint, contact:
Citi Privacy Officer
c/o Global Benefits Department
388 Greenwich St. 15th Floor
New York, NY 10013
To exercise any of the rights described in this notice, contact the third-party administrators for the Component Plans as follows: