Johnston & Matthews
HIPAA Privacy policy
Introduction
Johnston & Matthews and/or certain of its
affiliates (collectively, the "Company")
sponsors a group health plan (the "Plan").
Members of the Company's workforce may have access
to the individually identifiable health information
of Plan participants on behalf of the Plan itself
or on behalf of the Company, for administrative
functions. Members of the Company's workforce
may also have access to the individually identifiable
health information of customers or others with
whom the Company transacts business.
It is the Company's policy to comply fully with
the Privacy Rule requirements of the Health Insurance
Portability and Accountability Act of 1996 ("HIPAA").
To that end, all members of the Company's workforce
who have access to any private health information
("PHI") must comply with this Privacy
Policy.
Responsibilities as Covered Entity
I. Privacy Officer and Contact Person
Lynn Johnston will be the Privacy Officer for
the Company. The Privacy Officer will be responsible
for the development and implementation of policies
and procedures relating to privacy, including
but not limited to this Privacy Policy and the
Company's more detailed use and disclosure procedures.
The Privacy Officer will also serve as the contact
person for those who have questions, concerns
or complaints about the privacy of their PHI.
II. Workforce Training
The Company's policy is to train those employees
who have access to PHI on its privacy policies
and procedures. The Privacy Officer will develop
training schedules and programs so that all workforce
members receive the training necessary and appropriate
to permit them to carry out their functions which
may involve PHI.
III. Technical and Physical Safeguards
The Company will establish appropriate technical
(if and when PHI is stored electronically) and
physical safeguards to prevent PHI from intentionally
or unintentionally being used or disclosed in
violation of HIPAA's requirements. Technical safeguards
include limiting access to information by creating
computer firewalls if and when PHI is stored electronically.
Physical safeguards include locking doors or filing
cabinets where PHI is stored.
IV. Privacy Notice
The Privacy Officer is responsible for developing
and maintaining a notice of the Company's privacy
practices that describes:
- the uses and disclosures of PHI that may
be made by the Company;
- the individual's rights; and
- the Company's legal duties with respect to
the PHI.
The privacy notice will inform Plan participants
that the Company will have access to PHI in connection
with its plan administrative functions. The notice
will also inform others that the Company may have
access to PHI in connection with its business
functions. The privacy notice will also provide
a description of the Company's complaint procedures,
the name and telephone number of the contact person
for further information, and the date of the notice.
The notice of privacy practices will be individually
delivered to all employees:
- no later than April 14, 2006;
- on an on-going basis, at the time of an individual's
employment by the Company; and
- within 60 days after a material change to
the notice.
The notice of privacy practices will be made
available to others upon written request.
In the event that any group health benefits are
provided under a policy of insurance, the insurance
company will develop and distribute a Notice of
Privacy Policies describing how the insurance
company will use and disclose medical and personal
health information. Such notice prepared by the
insurance company will govern the uses and disclosures
of medical and personal health information by
the insurance company, and this Policy will not.
V. Complaints
The Privacy Officer, Lynn Johnston, will be the
Company's contact person for receiving complaints.
The Privacy Officer is responsible for creating
a process for individuals to lodge complaints
about the Company's privacy procedures and for
creating a system for handling such complaints.
A copy of the complaint procedure shall be provided
to any employee or other individual upon request.
VI. Sanctions for Violations of Privacy Policy
Sanctions for using or disclosing PHI in violation of this
HIPAA Privacy Policy will be imposed in accordance
with the Company's employment discipline policies
and practices, up to and including termination.
VII. Mitigation of Inadvertent Disclosures
of Protected Health Information
The Company shall mitigate, to the extent possible,
any harmful effects that become known to it of
a use or disclosure of an individual's PHI in
violation of the policies and procedures set forth
in this Policy. As a result, if an employee or
anyone else becomes aware of a disclosure of PHI,
either by an employee of the Company or an outside
consultant/contractor that is not in compliance
with this Policy, that employee or anyone else
should immediately contact the Privacy Officer
so that the appropriate steps to mitigate harm
can be taken.
VIII. No Intimidating or Retaliatory
Acts; No Waiver of HIPAA Privacy
No employee may intimidate, threaten, coerce,
discriminate against, or take other retaliatory
action against individuals for exercising their
rights, filing a complaint, participating in an
investigation, or opposing any improper practice
under HIPAA.
No individual shall be required to waive his
or her privacy rights under HIPAA as a condition
of treatment, payment, enrollment, or eligibility
for any benefit or any other product or service
provided by the Company.
IX. Documentation
The Plan's and the Company's privacy policies
and procedures shall be documented and maintained
for at least six years. Policies and procedures
must be changed as necessary or appropriate to
comply with changes in the law, standards, requirements,
and implementation specifications (including changes
and modifications in regulations). Any changes
to policies or procedures must be promptly documented.
If a change in law impacts the privacy notice,
the privacy policy must promptly be revised and
made available. Such change is effective only
with respect to PHI created or received after
the effective date of the notice. The Plan and
the Company shall document certain events and
actions (including authorizations, requests for
information, sanctions, and complaints) relating
to an individual's privacy rights. The documentation
of any policies and procedures, actions, activities,
and designations may be maintained in either written
or electronic form.
Policies on Use and Disclosure of PHI
I. Use and Disclosure Defined
The Company and the Plan will use and disclose
PHI only as permitted under HIPAA. The terms "use"
and "disclosure" are defined as follows:
- Use. The sharing, employment, application,
utilization, examination, or analysis of individually
identifiable health information by any person
working for or within the Human Resources department
of the Company, or by a Business Associate (defined
below) of the Plan as to Plan participants,
and the sharing, employment, application, utilization,
examination or analysis of individually identifiable
health information by any employee gained in
connection with transacting the Company's business
as to all others.
- Disclosure. For information that
is protected health information, disclosure
means any release, transfer, provision of access
to, or divulging in any other manner of individually
identifiable health information to persons not
employed by or working within the Human Resources
department of the Company as to Plan participants,
and any release, transfer, provision of access
to, or divulging in any other manner of individually
identifiable health information concerning all
others to persons not strictly necessary for
the transaction of the Company's business.
II. Access to PHI is Limited to Certain
Employees
The following employees ("employees with
access") have access to all PHI of Company
Plan participants:
- President
- CFO
- COO
- Vice President of IT and Project Management
- Secretary
- HR Manager
- HR Assistants and Associates
- Privacy Officer
These employees may use and disclose PHI for
Plan administrative functions, and they may disclose
PHI to other employees with access for Plan administrative
functions (but the PHI disclosed must be limited
to the minimum amount necessary to perform the
Plan administrative function). Concerning all
PHI of individuals who are not Plan participants,
these employees, and their designees, may use
and disclose PHI for the proper transacting of
the Company's business. Employees with access
may not disclose PHI to employees (other than
employees with access) unless an authorization
is in place or the disclosure otherwise is in
compliance with this Policy. Employees who have
access to PHI must comply with this Policy.
Access to PHI which is not associated with a Plan
participant, and which is gathered in the ordinary
course of the Company's business shall be granted
to, but also limited to, only those individuals
with a need to utilize such information for the
conducting of the Company's business.
III. Permitted Uses and Disclosures
PHI may be disclosed for the Company's own payment
or health care operations. PHI may be disclosed
to another covered entity for the payment purposes
of that covered entity, or for purposes of the
other covered entity's quality assessment and
improvement, case management, or health care fraud
and abuse detection programs, if the other covered
entity has (or had) a relationship with the employee
and the PHI requested pertains to that relationship.
Payment. Payment includes activities
undertaken to obtain Plan contributions or to
determine or fulfill the Plan's responsibility
for provision of benefits under the Plan, or to
obtain or provide reimbursement for health care.
Payment also includes:
- eligibility and coverage determinations including
coordination of benefits and adjudication or
subrogation of health benefit claims;
- risk adjusting based on enrollee status and
demographic characteristics; and
- billing, claims management, collection activities,
obtaining payment under a contract for reinsurance
(including stop-loss insurance and excess loss
insurance), and related health care data processing.
Health Care Operations. Health care
operations means any of the following activities
to the extent that they are related to Plan administration,
including but not limited to:
- conducting quality assessment and improvement
activities;
- reviewing health plan performance;
- underwriting and premium rating;
- conducting or arranging for medical review,
legal services and auditing functions;
- business planning and development; and
- business management and general administrative
activities.
PHI of individuals who are not Plan participants
may be disclosed for all proper purposes in transacting
Company business which are consistent with HIPAA
and this Policy.
IV. No Disclosure of PHI for Non-Health
Plan Purposes
PHI of Plan participants may not be used or disclosed
for the payment or operations of the Company's
"non-health" benefits, unless the Plan
participant has provided an authorization for
such use or disclosure (as discussed below in
"Disclosures Pursuant to an Authorization")
or such use or disclosure is required by applicable
state law and particular requirements under HIPAA
are met.
V. Mandatory Disclosures of PHI: to Individual
and DHHS
A Plan participant's PHI must be disclosed as
required by HIPAA in two situations:
- the disclosure is to the individual who is
the subject of the information; and
- the disclosure is made to the U.S. Department
of Health and Human Services for purposes of
enforcing HIPAA.
VI. Permissive Disclosures of PHI: for
Legal and Public Policy Purposes
PHI may be disclosed in certain circumstances,
including the following circumstances without
prior authorization, when specific requirements
are satisfied, including prior approval of the
Company's Privacy Officer. Permitted disclosures
are:
a. about victims of abuse, neglect, or domestic
violence, if:
- the individual agrees with the disclosure;
or
- the disclosure is expressly authorized by
statute or regulation and the disclosure prevents
harm to the individual (or other victim) or
the individual is incapacitated and unable to
agree and information will not be used against
the individual and is necessary for an imminent
enforcement activity. In this case, the individual
must be promptly informed of the disclosure
unless this would place the individual at risk
or if the informing would involve a personal
representative who is believed to be responsible
for the abuse, neglect, or violence.
b. for judicial and administrative proceedings
in response to:
- an order of a court or administrative tribunal
(disclosure must be limited to PHI expressly
authorized by the order); and
- a subpoena, discovery request, or other lawful
process, not accompanied by a court order or
administrative tribunal, upon receipt of assurances
that the individual has been given notice of
the request, or that the party seeking the information
has made reasonable efforts to receive a qualified
protective order.
c. for law enforcement purposes, if:
- pursuant to a process and as otherwise required
by law, but only if the information sought is
relevant and material, the request is specific
and limited to amounts reasonably necessary,
and it is not possible to use de-identified
information;
- information requested is limited information
to identify or locate a suspect, fugitive, material
witness, or missing person;
- information about a suspected victim of a
crime (1) if the individual agrees to disclosure,
or (2) without agreement from the individual,
if the information is not to be used against
the victim, if need for information is urgent,
and if disclosure is in the best interest of
the individual;
- information about a deceased individual upon
suspicion that the individual's death resulted
from criminal conduct; or
- information that constitutes evidence of
criminal conduct that occurred on the Company's
premises.
d. to a coroner or medical examiner about decedents,
for the purpose of identifying a deceased person,
determining the cause of death, or other duties
as authorized by law;
e. that relate to workers' compensation programs,
to the extent necessary to comply with laws
relating to workers' compensation or other similar
programs; and
f. for other legal or public policy purposes
authorized by the HIPAA Privacy Regulations,
45 C.F.R. § 164.512.
VII. Complying With the "Minimum-Necessary"
Standard
Minimum Necessary When Disclosing and Requesting
PHI. For making disclosures or requests
for PHI to any party for any purpose, information
must be the minimum necessary to accomplish the
purpose of the disclosure.
The "minimum-necessary" standard does
not apply to any of the following:
- uses or disclosures made to the individual;
- uses or disclosures made pursuant to a valid
authorization;
- disclosures made to the Department of Labor;
- uses or disclosures required by law; and
- uses or disclosures required to comply with
HIPAA.
VIII. Disclosures of PHI to Business
Associates
Employees with access may disclose PHI to the
Company's business associates and allow the Company's
business associates to create or receive PHI on
its behalf. However, prior to doing so, the Company
must first obtain assurances from the business
associate that it will appropriately safeguard
the information. Before sharing PHI with outside
consultants or contractors who meet the definition
of a "business associate," employees
with access must contact the Privacy Officer and
verify that a business associate contract is in
place.
Business Associate is an entity that:
- performs or assists in performing a function
or activity involving the use and disclosure
of protected health information (including claims
processing or administration, data analysis,
underwriting, etc.); or
- provides legal, accounting, actuarial, consulting,
data aggregation, management, accreditation,
or financial services, where the performance
of such services involves giving the service
provider access to PHI.
IX. Disclosures of De-Identified Information
The Plan and the Company may freely use and disclose
de-identified information. De-identified information
is health information that does not identify
an individual and with respect to which there
is no reasonable basis to believe that the information
can be used to identify an individual. There are
two ways a covered entity can determine that information
is de-identified: either by professional statistical
analysis, or by removing 18 specific identifiers
specified in 45 C.F.R. § 164.514.
X. Requests for Disclosure of PHI From
Spouses, Family Members, and Friends
The Plan and the Company will not disclose PHI
to family and friends of any individual except
as required or permitted by HIPAA. Generally,
an authorization is required before another party,
including spouse, family member, or friend, will
be able to access PHI. The Plan may disclose without
prior authorization a limited amount of PHI (excluding
diagnosis) in an explanation of benefits as part
of the Plan's payment functions. Legal counsel
should be consulted before implementing this type
of disclosure.
If the request for disclosure of an individual's
PHI is from a spouse, family member, or personal
friend of an individual, and the spouse, family
member, or personal friend is either (1) the parent
of the individual and the individual is a minor
child; or (2) the personal representative of the
individual, then the PHI may be released by following
the procedure below for "Verification of
Identity of Those Requesting Protected Health
Information."
All other requests from spouses, family members,
and friends must be authorized by the individual
whose PHI is involved pursuant to the procedures
for "Disclosures Pursuant to Individual Authorization."
Policies on Individual Rights
I. Access to Protected Health Information
and Requests for Amendment
HIPAA gives Plan participants the right to access
and obtain copies of their PHI that the Company
(or its business associates) maintains in designated
record sets. HIPAA also provides that Plan participants
may request to have their PHI amended. The Company
will provide access to PHI and it will consider
requests for amendment that are submitted in writing
by participants pursuant to the procedures specified
in the Plan's Privacy Notice. The Privacy Officer
may deny requests for documents that were compiled
for a legal proceeding or information obtained
under a promise of confidentiality.
Designated Record Set is a group of records maintained
by or for the Company that includes:
- the enrollment, payment, and claims adjudication
record of an individual maintained by or for
the Plan; or
- other PHI used, in whole or in part, by or
for the Plan to make coverage decisions about
an individual.
II. Accounting
A Plan participant has the right to obtain an
accounting of certain disclosures of his or her
own PHI by submitting a written request to the
Privacy Officer. This right to an accounting extends
to disclosures made in the last six years, other
than disclosures:
- to carry out treatment, payment, or health
care operations;
- to individuals about their own PHI;
- pursuant to an otherwise permitted use or
disclosure;
- pursuant to an authorization;
- for purposes of creation of a facility directory
or to persons involved in the patient's care
or other notification purposes;
- as part of a limited data set; or
- for other national security or law enforcement
purposes.
The Company shall respond to an accounting request
within 60 days. If the Company is unable to provide
the accounting within 60 days, it may extend the
period by 30 days, provided that it gives the
participant notice (including the reason for the
delay and the date the information will be provided)
within the original 60-day period.
The accounting must include the date of the disclosure,
the name of the receiving party, a brief description
of the information disclosed, and a brief statement
of the purpose of the disclosure (or a copy of
the written request for disclosure, if any).
The first accounting in any 12-month period
shall be provided free of charge. The Privacy
Officer may impose reasonable production and mailing
costs for subsequent accountings.
III. Requests for Alternative Communication
Means or Locations
Plan participants may request to receive communications
regarding their PHI by alternative means or at
alternative locations. For example, Plan participants
may ask to be called only at work rather than
at home. Such requests may be honored if, in
the sole discretion of the Company, the requests
are reasonable.
However, the Company shall accommodate such a
request if the Plan participant clearly provides
information that the disclosure of all or part
of that information could endanger the participant.
The Privacy Officer has the responsibility for
administering requests for confidential communications.
IV. Requests for Restrictions on Uses
and Disclosures of Protected Health Information
A Plan participant may request restrictions on
the use and disclosure of the participant's PHI.
It is the Company's policy to attempt to honor
such requests if, in the sole discretion of the
Company, the requests are reasonable. The Privacy
Officer is responsible for administering requests
for restrictions.
V. Verification of Identity of Those
Requesting Protected Health Information
The identity of individuals who request access
to PHI will be verified. The authority of any
person requesting access to PHI will be verified
if the identity or authority of such person is
not known.
- Request Made by Individual. When a
Plan participant requests access to his or her
own PHI, the individual must present a valid driver's
license, passport, or other photo identification
issued by a government agency, which will be copied
and filed with the individual's designated record
set.
- Request Made by Parent Seeking PHI of Minor
Child. When a Plan participant parent requests
access to the PHI of the parent's minor child,
the person's relationship with the child will
be verified by confirming enrollment of the child
in the parent's plan as a dependent, and the same
identification procedure will be followed as for
an individual request.
- Request Made by Personal Representative.
When a personal representative requests access
to a Plan participant's PHI, a valid power of
attorney will be copied and filed with the individual's
designated record set.
- Request Made by Public Official. If
a public official requests access to PHI, and
if the request is for one of the purposes set
forth above in "Mandatory Disclosures of
PHI," or "Permissive Disclosures of
PHI," the following steps will be followed
to verify the official's identity and authority:
- An agency identification badge, other official
credentials, or other proof of government status
will be copied and filed with the individual's
designated record set.
- If the request is in writing, it will be
verified that the request is on the appropriate
government letterhead.
- If the request is by a person purporting
to act on behalf of a public official, a written
statement on appropriate government letterhead
will be requested stating that the person is
acting under the government's authority, or
other evidence or documentation of agency, such
as a contract for services, memorandum of understanding,
or purchase order, that establishes that the
person is acting on behalf of the public official.
- A written statement of the legal authority
under which the information is requested or,
if a written statement would be impracticable,
an oral statement of such legal authority will
also be required. If the individual's request
is made pursuant to legal process, warrant,
subpoena, order, or other legal process issued
by a grand jury or a judicial or administrative
tribunal, contact the Company's President.