This privacy statement ("Privacy Statement") explains what information UPMC Health Plan, Inc. and its affiliates (collectively, "UPMC Health Plan") collect, how we collect personal information, and why we collect personal information when you visit or use our websites, applications, and other electronic services ("onlineservices"). It also explains when, why, and with whom we share that personal information when you use the online services. The term "personal information" means information about a natural person that identifies or describes such natural person. UPMC Health Plan's affiliates include, but are not limited to, UPMC Health Network, Inc., UPMC Health Options, Inc., UPMC Health Coverage, Inc., UPMC Health Benefits, Inc., UPMC for You, Inc., Community Care Behavioral Health Organization, UPMC Work Alliance, Inc., Workpartners National, Inc., HCMS Group LLC (dba "Workpartners"), and any other entity affiliated with UPMC's Insurance Services Division.

Your personal information is private and confidential. We take this pledge seriously. Whether you are a prospective, current, or former member-living or deceased-we respect and safeguard the privacy and confidentiality of the information that we create, collect, and maintain about you.

Privacy is one of your rights as a consumer as well as a UPMC Health Plan member or employee of a HCMS Group LLC (dba "Workpartners") client. UPMC Health Plan members and beneficiaries and "Workpartners' members are collectively referred to herein as "Members." It also is a right that you retain even when you are no longer a Member of UPMC Health Plan or Workpartners.

a. Collection and Use of Personal Information

Generally, members of the public can access our public online services, such as UPMCHealthPlan.com, without providing us with your personal information. For certain services, such when completing a registration form to access the MyHealthOnline portal, we may ask you to provide us with your personal information. This information is collected and used for the purposes described in this Privacy Statement, as indicated where and when the information is requested or collected, and as permitted by law.

When you provide us your personal information, you are also doing two important things:

• Verifying the correctness and truthfulness of the information that you have provided to us; and
• Acknowledging that UPMC Health Plan can use the information we collect or receive about you and your family for the purposes set forth in this Privacy Statement and without further authorization.

b. Information We Collect and Why We Collect It

We collect information you provide directly to us, such as when you create an account or profile to access your Member account on the UPMC Health Plan's MyHealthOnline Portal, or to complete and sign an online enrollment or renewal application form, use the interactive areas and features of the online services, subscribe to our email list, participate in a survey or events, pay a bill, request support, or otherwise communicate with us. Depending on the online services, when you access and use our online services, we may collect the following kinds of information from you:

• Account information, such as your name, email address, password, postal address, phone number, date of birth and any other information you choose to provide.
• Transaction information, such as your Member account number and limited payment information from you, such as payment method and payment card information.
• Information about others, such as the names and the contact information of your providers, your representatives, and any dependents in your care.
• Health information, such as your past and present medical condition, medication information, and treatment history.
• Other information you choose to provide, such as when you participate in a survey, assessment, contest, promotion or interactive area of the online services, live audio and video visit, or when you request technical or customer support.

We also automatically collect the following information from you when you visit or use some of our online services:

• Membership information, to arrange for the provision of healthcare treatment and services to you and your family members that you are enrolling as dependents on your application.
• Claims and payment information, to make payments to doctors, hospitals, and other health care professionals for the treatment and services you and your family receive, and to process and assess claims we have received and paid for the services provided to you, or the health care premiums that you or your company have paid.
• Health care information, to perform certain health care operations that UPMC Health Plan uses to monitor the quality of the healthcare coverage and services that you have purchased for you and your family. These operations include measurement and review of all our data to see how many of our Members receive certain services, such as childhood immunizations, mammograms, and other preventive health services. All these measurements are used so that we can assess how well we are doing in providing quality health care to all our Members.
• Login information, where our servers record certain log file information, such as your Internet Protocol ("IP") address, operating system, browser type and language, referring URLs, access times, pages viewed, links clicked and other information about your activities on the online services.
• Device information, such as the device used to access or use the online services, including the hardware model, operating system and version, unique device identifiers, and mobile network information. If your device settings permit, we may also collect information about the precise location of your device and access and collect information from certain native applications on your device (such as your device's camera, photo album and phonebook applications) to facilitate your use of certain features of the online services.
• Online tracking information, such as through the use of tracking technologies, including cookies, pixel tags, local stored objects, and web beacons to collect information about you when you interact with our online services. We may allow others to provide analytics services on our behalf using these technologies to collect information about your use of the online services and other websites. We also place Cookies of third parties in the online services that track your interactions with that third party's website, content, advertisements, website links, and/or other online services. For more information about how and why we use these technologies, and how to disable them, please see our cookies notice, which is incorporated here by reference. Some of this information may be used for re-identification. Re-identification is a process by which anonymized data collected on our online services are matched with personally identifiable information. Re-identified data are used, among other ways, to provide website users with a more relevant and user-friendly online experience.

We also collect some of the above information to:

• Provide, maintain and improve our online services and provide you with relevant information;
• Send you technical notices, updates, and alerts;
• Provide support, customer service, and administrative messages;
• Respond to your comments and inquiries, and provide customer services;
• Communicate with you about products and services offered by us and others, and to provide news and information about products, services, and events we think will be of interest to you;
• Plan, administer and coordinate events, community groups and outreach activities;
• Monitor and analyze trends, usage and activities in connection with our online services;
• Detect, investigate and prevent fraudulent transactions and other illegal activities and protect the rights and property of UPMC and others;
• Maintain appropriate records for internal administrative purposes;
• Comply with applicable laws, regulations, and court orders; and
• Carry out any other purpose described to you at the time the information was collected.

c. Social Media Plug-Ins

We may collect information that you have made public via your social media accounts. As a convenience to you, some of our public online services may use plug-ins from social media networks like Facebook, Twitter, and LinkedIn. These plug-ins are indicated by the social networks' respective logos on the online services and are used to establish a direct connection with these social networks. Integration of the plug-in may allow the social media network to receive information that you have loaded onto the online services. For example, if you are logged in with Facebook while you visit our online services, the plug-in may be able to assign your visit of our online service to your Facebook account. This information exchange takes place automatically. You may prevent this exchange if you log out of your social network before using the online services, disable this feature on your social network application or service, and/or disable cookies as described in our Cookies Notice.

d. How We Share Your Information

We may share the information we collect from or about you as follows:

• With our service providers to maintain, improve, and protect our online services. These providers may only use your information to accomplish the purposes described in this Privacy Statement and our Terms and Conditions.
• With other entities that are subsidiaries of UPMC.
• With our advertising partners in order to display advertisements that we think are relevant to you. While much of the information we share is anonymized, we may permit selected advertising partners to match and re-identify you.
• With social network platforms when you access our site while logged into a social network platform or when you post content from our online services to your social network platform.
• In the course of legal proceedings or in response to legal orders or government requests, and as otherwise required by law.
• As needed to support compliance and corporate governance functions.
• In connection with a transfer of ownership or assets, a corporate reorganization, merger, or acquisition.
• With your employer, provided we have your authorization. Otherwise, any reports to employers about the services provided to their employees are based only on total employee group percentages and totals-and not on any individual Member data or information that could be used to identify a past, present, or future health status or condition.

e. How we handle Protected Health Information under HIPAA

All health insurance carriers and health care providers may be subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and applicable regulations that government agencies have issued for HIPAA implementation and compliance. HIPAA Privacy Regulations require certain employee benefit plans involved in your health care to have a "Notice of Privacy Practices." We collect, use and share your protected health information (PHI) as provided in the applicable UPMC Health Plan's Notice of Privacy Practices listed below.

We also share PHI as follows:

• In connection with UPMC Insurance Services Division's participation with ClinicalConnect HIE. The individual PHI and health information stored within ClinicalConnect HIE includes data such as test results, medication lists, consultation and progress notes, and clinical claims information. UPMC Insurance Services Division data will be shared only if the Member has been to a ClinicalConnect HIE provider or facility and, while there, did not choose to opt out of such information sharing. Members must notify their ClinicalConnect HIE provider if they do not wish to participate in the HIE.
• In connection with the Organized Health Care Arrangement (OHCA) between UPMC Insurance Services Division and UPMC to conduct analysis for quality assessment and improvement activities, utilization review, payment activities, and clinical solutions development to facilitate more effective and efficient delivery of health care services to patients and Members. This includes participation in various health care quality measures. Individual PHI may be accessed, used, and/or shared in the course of carrying out such OHCA activities.

In addition to this Privacy Statement, UPMC Health Plan's Notice of Privacy Practices will give you even more specific information and details about how we ensure the privacy of your health information Is covered by HIPAA. The UPMC Health Plan's Notice of Privacy Practices will also explain all the HIPAA rights that you have concerning the privacy of your health information, and how you can exercise those rights.

We continually review our policies and procedures to ensure that we are meeting the needs of privacy laws and our commitment to our Members. As new laws are passed and new regulations are issued or clarified, we will be providing you with revised information with any changes or updates.

If you have any questions concerning your right to the privacy and confidentiality of your personal information and data that have been entrusted to UPMC Health Plan, please contact our Member Services Department at the phone number on the back of your ID Card.

Contact Information:
Specific inquiries about this statement regarding HIPAA readiness and compliance should be directed to:

UPMC Health Plan Privacy Officer
U.S. Steel Tower
600 Grant Street
Pittsburgh, PA 15219
Email: HealthPlanCPO@upmc.edu
Click here for general inquires about UPMC Health Plan