Notice of Privacy Policies and Practices

At Glatfelter Insurance Group, protecting your privacy is very important to us. We recognize that our relationships with current and prospective clients are based on integrity and trust. We work hard to maintain your privacy and are very careful to preserve the private nature of our relationship with you. At the same time, the very nature of our business sometimes requires that we collect or share certain information about you with other organizations or companies. Therefore, we want you to be aware of how we handle personal information.

Purpose of this notice

This Notice of Privacy Policies and Practices is being provided on behalf of Glatfelter Insurance Group (“GIG”) and its affiliates to the extent required by the Gramm-Leach-Bliley Act (GLBA) and the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

Gramm-leach-bliley act (GLBA)

Title V of the Gramm-Leach-Bliley Act (GLBA) generally prohibits any financial institution, directly or through its affiliates, from sharing nonpublic personal information about you with a non-affiliated third party unless the institution provides you with a notice of its privacy policies and practices, such as the type of information that it collects about you and the categories of persons or entities to whom it may be disclosed. In compliance with the GLBA, we are providing you with this document, which notifies you of the privacy policies and practices of GIG and its affiliated companies. For a complete list of GIG affiliated companies, please see the section below titled, "Glatfelter Insurance Group Family of Companies."

GIG and its affiliated companies do not and will not sell or share nonpublic personal information about you with any non-affiliated third party for any purpose unless you authorize it or it is otherwise permitted by law.

Our "affiliates" are companies with which we share common ownership and which offer property and casualty, life and health and certain benefit products.

Information we collect:

We collect nonpublic personal information about you from various sources to help serve your financial and insurance needs, provide customer service, offer new products or services and fulfill legal and regulatory requirements. “Personal Information” means any information relating to an identified or identifiable natural person; an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his or her physical, physiological, mental, economic, cultural or social identity.

The type of information that GIG collects varies according to the products or services you request, and may include:

Information we receive from you on applications, interviews, or by other means (such as name, address, Social Security number, assets and income)
Information about your transactions with us, our affiliates or others (such as products or services purchased, account balances and payment history)
Information from your employer, benefit plan sponsor, or association for any insurance product you may purchase through GIG (such as name, address, Social Security number, age and marital status)
Information we receive from a consumer reporting agency (such as credit relationships and history) Information from other non-GIG sources (such as motor vehicle reports, medical information, and demographic information)
Information from visitors to GIG websites (such as that provided through online forms, site visitor data and online information collecting devices known as "cookies"). GIG may collect technical information about you when you visit our websites, which your web browser automatically sends whenever you visit a website on the Internet. “Technical Information” is information that does not, by itself, identify a specific individual but which could be used to indirectly identify you. Our servers automatically record this information, which may include your Internet Protocol (“IP”) address, browser type, browser language, and the date and time of your request.
- This website or its third-party tools use cookies, which are necessary to its functioning and required to achieve the purposes illustrated in the Google Analytics cookie policy. These cookies provide a richer and more customized experience for our users. By continuing to browse, you agree to the use of cookies on all Glatfelter websites. You can opt-out from data being used by Google Analytics by going to the Google Analytics opt-out page.

Under the Fair Credit Reporting Act, you may exercise your right to opt out of Glatfelter Insurance Group’s sharing of non- transactional information about you with GIG affiliates. GIG may share other information about you with its affiliates as permitted by law.

What does GIG do with your personal information?

Why?

Financial companies choose how they share your personal information. Federal and state laws give consumers the right to limit some but not all sharing. Federal and state laws also require us to tell you how we collect, share and protect your personal information. Please read this notice carefully to understand what we do.

What?

The types of personal information we collect and share depend on the product or service you have with us. This information can include:

Name, address, age, Social Security number, marital status, assets, income, credit history, demographic information, IP address, browser information
Products or services purchased, account balances and payment history, employment Information, motor vehicle reports, medical information

How?

Financial companies need to share customers’ personal information to run their everyday business. In the section below, we list the reasons financial companies can share their customers’ personal information; the reasons GIG chooses to share; and whether you can limit this sharing.

Reasons we can share your nonpublic personal information	Does GIG share?	Can you limit sharing?
For our everyday business purposes — as permitted or required by law, such as to process your transactions, maintain your account(s), conduct research including data analytics, respond to court orders/legal investigations, or report to credit bureaus	Yes	No
For our marketing purposes — to offer our products and services to you	Yes	No
For joint marketing with other financial companies	Yes	No
For our affiliates’ everyday business purposes — information about your transactions and experiences	Yes	No
For our affiliates’ everyday business purposes — information about your creditworthiness	Yes	Yes
For no naffiliates to market to you	No	We don't share

To limit our sharing/Questions?

Call us at 888.855.4782 and ask for Privacy Coordinator.

Please note: When you are no longer a customer, we continue to share your information as described in this notice. However, you can contact us at any time to limit our sharing.

Who we are / Companies to which this notice applies

This notice applies to, and is being provided on behalf of, the following Glatfelter Insurance Group affiliates: Arthur J. Glatfelter Agency, Inc., Glatfelter Brokerage Services, Glatfelter Claims Management, Inc., Glatfelter Commercial Ambulance, Glatfelter Healthcare Practice, Glatfelter Insurance Services, Glatfelter Program Managers, Glatfelter Public Entities, Glatfelter Ministry Care, Glatfelter Underwriting Services, Inc., Susquehanna Agents Alliance, LLC, The Glatfelter Agency, Inc., VFIS, and Volunteer Firemen’s Insurance Services, Inc.

What we do

How does GIG protect my personal information?

To protect your personal information from unauthorized access and use, we use security measures that comply with federal law. These measures include physical, electronic, and procedural safeguards. We require and train our employees to comply with our privacy standards and policies, which are designed to protect customer information.

How does GIG collect my personal information?

We collect your personal information, for example when you: visit our websites, apply for insurance or pay insurance premiums, file an insurance claim or give us your income information, provide employment information. We also collect your personal information from others, such as credit bureaus, affiliates, or other companies.

Why can’t I limit all sharing?

Federal law gives you the right to limit only: sharing for affiliates’ everyday business purposes – information about your creditworthiness, affiliates from using your information to market to you, sharing for nonaffiliates to market to you. State laws may give you additional rights to limit sharing. See below for more on your rights under state law.

Definitions

Affiliates: Companies related by common ownership or control. They can be financial and nonfinancial companies.

Our affiliates are companies with which we share common ownership and which offer P&C, life and health, and certain benefit products.

Nonaffiliates: Companies not related by common ownership or control. They can be financial and nonfinancial companies.

GIG does not share with nonaffiliates so they can market to you.

Joint marketing: A formal agreement between nonaffiliated financial companies that together market financial products or services to you.

Our joint marketing partners include insurance companies and other companies that provide financial products and services.

Other important information

CA and VT Residents: We will not share your information except for our everyday business purposes, for marketing our products and services to you, as required by law, or with your consent. For VT Residents, we also will not share your credit information to our affiliates without your consent.

NV Residents: We are providing this notice to you pursuant to NV state law. To stop marketing calls from us follow the directions in the section “To limit our sharing.” NV law requires that we also provide you with the following contact information: Bureau of Consumer Protection, Office of the Nevada Attorney General, 555 E. Washington Street, Suite 3900, Las Vegas, NV 89101; Phone #: 702-486-3132; email: bcpinfo@ag.state.nv.us.

For more information, contact: Glatfelter Insurance Group, Attn: Privacy Coordinator, P.O. Box 2726, York, Pennsylvania 17406, 717.741.0911.

In connection with the potential sale or transfer of its interests, GIG and its affiliates reserves the right to sell or transfer your information (including but not limited to your address, name, age, sex, zip code, state and country of residency and other information that you provide through other communications) to a third party entity that:

Concentrates its business in a similar practice or service
Agrees to be GIG’s successor in interest with regard to the maintenance and protection of the information collected; and
Agrees to the obligations of this privacy statement

Health insurance portability & accountability act of 1996 (HIPPA)

Any medical or health information we collect about you will be disclosed to third parties only to underwrite insurance or administer your policy or claim, as permitted by law or as authorized by you, consistent with our HIPAA Privacy Policy below.

HIPPA Privacy Notice

This HIPAA Privacy Notice is effective as of October 16, 2017.

Statement of Our Duties
We are committed to protecting the privacy of your protected health information (PHI). PHI is your individually identifiable health information, including demographic information, collected from you or created or received by a health care provider, a health plan, your employer, or health care clearinghouse which is then provided to us and that relates to: (i) your past, present or future physical or mental health or condition; (ii) the provision of health care to you; or (iii) the past, present or future payment for the provision of health care to you. We are required by law to maintain the privacy of your PHI and to provide you with this notice of our privacy practices and legal duties. We are required to abide by the terms of this notice.

We reserve the right to change the terms of this notice and make any new provisions effective to all the PHI we maintain about you. If we change our notice, we will post it on our website and send a copy in our annual mailing, or you may obtain a copy of the revised notice bu contacting our privacy coordinator using the information in paragraph 9.
Statement of Your Rights
You have a right to know how we may use or disclose your PHI. This notice informs you of those uses and disclosures. There are certain uses and disclosures of your PHI that we are permitted or required to make by law without your permission. For all other uses and disclosures, we first must obtain your permission or written authorization. In addition, you have the following rights:
- The right to request, in writing, that we place additional restrictions on our uses and disclosures of your PHI. However, we are not obligated to agree to impose any such additional restrictions.
- The right to access, inspect and copy the protected information pertaining to you that we maintain in our files about you, and the right to have us correct or amend any information that we create in error. Requests to access or amend your PHI must be made in writing and sent to the contact person and address provided in paragraph 9.
- The right to receive an accounting of the disclosures of your PHI that we make for purposes other than activities related to your treatment, or our payment functions or other health care operations. You must request an accounting in writing by contacting us at the address in paragraph 9. Your request may be for disclosures made up to 6 years before the date of your request, but in no event, for disclosures made before April 14, 2003.
- The right to request, in writing, that you receive communications about your PHI in a confidential manner, for example, by alternative means or an alternative location, such as your work address or work email.
- The right to request an amendment to your PHI if you believe that your PHI is incorrect or incomplete. Your request must be in writing and explain why the PHI should be amended.
- The right to obtain a paper copy of this notice from us on request.
Information We Collect About You
In order to administer your health benefit programs effectively, we collect the following categories of PHI about you from the following sources:
- PHI that we obtain directly from you, in conversations or on applications or other forms that you fill out.
- PHI that we obtain as a result of our transactions with you.
- PHI that we obtain from your medical records or from medical professionals, which is provided by you or to us with your permission.
- PHI that we obtain from other entities, such as health care providers or other insurance companies, in order to service your policy or carry out other insurance-related needs.
Uses and Disclosures of Protected Information
1. For Treatment, Payment and Operations.
  In order to administer your health benefit programs effectively, we use and disclose PHI for certain of our activities, including:
  - To Carry Out Treatment Functions. We may use or disclose your PHI without your permission to enable health care providers to provide you with treatment.
  - To Carry Out Payment Functions. We may use or disclose your PHI without your permission to carry out activities relating to reimbursing you for the provision of health care, obtaining premiums, determining coverage, and providing benefits under the policy of insurance that you are purchasing, such as enabling a health care provider to make payment arrangements. Such functions may include reviewing health care services with respect to medical necessity, coverage under the policy, appropriateness of care, or justification of charges.
  - To Carry Out Certain Operations Relating To Your Benefit Plan. We also may use or disclose your PHI without your permission to carry out certain limited activities relating to your health insurance benefits, including reviewing the competence or qualifications of health care professionals, placing contracts for stop-loss insurance and conducting quality assessment activities.
  - To facilitate the underwriting of insurance; however, we are prohibited from using or disclosing your genetic information for the purpose of underwriting insurance.
2. Uses and Disclosures of PHI to Other Entities.
  We also may use and disclose PHI to other covered entities, business associates or other individuals (as permitted by the HIPAA Privacy rule) who assist us in administering your benefit plan and delivering services to its members. In connection with our payment and operations activities, we may contact individuals and other entities (“Business Associates”) to perform various functions on our behalf or to provide certain types of services (such as enrollment or member service support). To perform these functions, Business Associates must agree in writing to contract terms designed to appropriately safeguard your PHI.
3. Other Possible Uses and Disclosures of PHI
  We may use and disclose your PHI without your written permission for the following purposes:
  - To plan sponsors of your group health plan to permit the plan sponsor to perform administrative functions, such as to address member questions, concerns or issue regarding claims, benefits, services, coverage, etc., and summary health information about enrollees in the plan to obtain premium bids for health insurance coverage offered through the group health plan or to modify, amend or terminate your group plan.
  - To the extent that federal or state law requires the use or disclosure, such as to Health and Human services upon request for purposes of determining compliance with federal privacy laws, as required by law enforcement officials or pursuant to a court order or subpoena.
  - As authorized by and to the extent necessary to comply with workers’ compensation or other similar programs that provide benefits for work-related injuries or illnesses.
  - As authorized by law and to the extent necessary to service insurance policies and benefits that are exempt benefits, such as in connection with servicing life, disability, property and casualty, accident and sickness, workers’ compensation and auto insurance or other similar insurance coverage under which benefits for medical care are secondary or incidental to other insurance benefits.
  - To a public health authority for purposes of public health activities as permitted or required by law.
  - To a coroner/medical examiner for purposes of identifying a deceased person, determining cause of death or for such official to perform other duties authorized by law. Also to funeral directors so they may carry out their duties, and to organizations that handle organ, eye or tissue donation or transplantation.
  - To a government authority, including a social service or protective services agency, authorized to receive reports of abuse, neglect or domestic violence or to prevent a serious threat to the health or safety of the public.
4. For Any Purposes to Which You Have Not Objected.
  Unless you object, we may disclose your PHI to a friend or family member that you have identified as being involved in your health care. We also may disclose your PHI to an entity to assist in disaster relief efforts and so that your family can be notified about your condition, status and location. If you are not present or able to agree to these disclosures of your PHI, then we may determine whether the disclosure is in your best interest.
5. As Permitted By Plan Documents.
  In certain limited circumstances where we may be acting as a third party administrator, we may disclose your PHI to plan sponsors pursuant to the restrictions imposed on the plan sponsor in the sponsor’s plan documents.
Required Disclosures of Your PHI
We are required to disclose your PHI to the Secretary of the U.S. Department of Health and Human Services when the Secretary is investigating or determining compliance with the HIPAA Privacy Rule. We are required to disclose to you most of your PHI that is in a “designated record set” when you request access to this information. We are also required to provide, upon written request, an accounting of any disclosures of PHI that are for reasons other than payment or health benefits operations.
Other Uses and Disclosures of Your PHI
Sometimes we are required to obtain written authorization for use and disclosure of your health information. The uses and disclosures that require an authorization under 45 C.F.R. §164.508(a) are: (i) for marketing purposes; (ii) if we intend to sell your PHI; or (iii) for psychotherapy notes. We do not and will not sell or share your PHI with any non-affiliated third party for any purpose unless you authorize it or it is otherwise permitted by law. Other uses and disclosures of your PHI that are not described above will be made only with your written, permission, and any permission that you give us may be revoked by you at any time. However, the revocation will not be effective for information that we already have used or disclosed, relying on the authorization.
Questions and Complaints About Use of PHI
If you want more information about our privacy policies or practices or have any questions or concerns, please contact us using the information in paragraph 9. You may submit a written complaint either directly to us or to the U.S. Department of Health and Human Services (HHS) if you believe that your rights with respect to our protection of your PHI have been violated. We will provide you with the address to file your complaint with HHS upon request. To file a complaint with us, you may submit a complaint in writing that includes as many details (such as names and dates) as possible to our Privacy Officer at the address in Paragraph 9. We support your right to protect the privacy of your PHI. You will not be retaliated against in any way for filing a complaint.
Our Practices Regarding Confidentiality and Security
We restrict access to PHI about you to those employees who need to know that information in order to provide products or services to you. We maintain physical, electronic, and procedural safeguards that comply with federal regulations to guard your PHI. We do not engaged in fundraising activities using PHI, however, if we did engage in such activity, then you would have the opportunity to opt out of receiving fundraising communications. Subject to applicable regulatory reporting requirements, exceptions and safe harbors, we will notify affected individuals following a breach of their unsecured PHI.
Contact Person For Filing Complaint or Obtaining Further Information
Glatfelter Insurance Group
ATTN: Privacy Coordinator
P.O. BOX 2726
York, Pennsylvania 17405
717.741.0911

Our Policy Regarding Dispute Resolution

Any controversy or claim arising out of or relating to our privacy policy, or the breach thereof, shall be settled by arbitration in accordance with the rules of the American Arbitration Association, and judgment upon the award rendered by the arbitrator(s) may be entered in any court having jurisdiction thereof.

Glatfelter Insurance Group Family of Companies

This Notice is being provided on behalf of the following Glatfelter Insurance Group affiliates:

Arthur J. Glatfelter Agency, Inc.
Glatfelter Brokerage Services
Glatfelter Claims Management, Inc.
Glatfelter Commercial Ambulance
Glatfelter Healthcare Practice
Glatfelter Insurance Services
Glatfelter Program Managers
Glatfelter Public Entities
Glatfelter Ministry Care
Glatfelter Underwriting Services, Inc.
Susquehanna Agents Alliance, LLC
The Glatfelter Agency, Inc.
VFIS
Volunteer Firemen’s Insurance Services, Inc.