Institutional Privacy Policy & Data Governance

Josh Insurance Services (hereinafter referred to as the "Firm", "we", "us", or "our") maintains the highest standards of data integrity, confidentiality, and regulatory compliance. This exhaustive Privacy Policy dictates the protocols by which we collect, store, transmit, and protect both corporate data and Personally Identifiable Information (PII) / Protected Health Information (PHI).

Section I: Categorization of Collected Data

In the execution of our fiduciary and brokerage duties, the Firm collects the following data classifications:

• Corporate Identifiers: Entity names, EIN/Tax ID numbers, SIC/NAICS codes, physical corporate locations, and financial documentation required for underwriting self-funded architectures.
• Census and Actuarial Data: De-identified or securely encrypted employee rosters, ages, zip codes, and historical claims data utilized exclusively for predictive modeling and carrier negotiation.
• Authorized Representative PII: Names, corporate titles, direct telephone lines, and email addresses of the executives engaging our services.
• Digital Telemetry: IP addresses, cryptographic protocols, browser agent strings, and session duration data collected automatically to ensure the security and integrity of our web portals.

Section II: Regulatory Compliance Frameworks

The Firm operates in strict adherence to federal and state privacy statutes. Data handling procedures are audited against the following regulatory frameworks:

Health Insurance Portability and Accountability Act (HIPAA)

Where the Firm operates as a Business Associate (BA) to a Covered Entity (CE), all transmission and storage of PHI is executed via AES-256 encrypted environments. Business Associate Agreements (BAAs) must be fully executed prior to the intake of any PHI.

Gramm-Leach-Bliley Act (GLBA)

We maintain comprehensive administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of customer information as mandated by GLBA regulations regarding financial and insurance institutions.

Section III: Data Transmission to Third-Party Carriers

As an independent brokerage, the Firm must transmit specific data points to licensed insurance carriers, Stop-Loss vendors, and Pharmacy Benefit Managers (PBMs) to secure institutional coverage. We warrant that:

• Data is transmitted strictly for the purposes of underwriting, quoting, and policy issuance.
• We mandate that all receiving carriers adhere to commensurate data security standards.
• The Firm explicitly prohibits the monetization, sale, or lease of client data to third-party marketing or data brokerage entities.

Section IV: Telecommunications and SMS Governance

Pursuant to the Telephone Consumer Protection Act (TCPA), the Firm will only transmit Short Message Service (SMS) communications to individuals who have provided explicit, documented, opt-in consent. Such communications are strictly limited to transactional updates, compliance deadlines, and advisory scheduling. Consent to SMS is severable and may be revoked at any time by transmitting the string "STOP" to the originating number.

Section V: CCPA / CPRA Disclosures

For corporate entities and their representatives domiciled in the State of California, the California Consumer Privacy Act (as amended by CPRA) grants specific rights regarding the disclosure of data collection methodologies. Institutional representatives may request a formal Data Inventory Report by submitting a written request to the Firm's compliance department.

Section VI: Designated Compliance Officer

All inquiries regarding data governance, HIPAA compliance audits, or requests for data deletion should be directed to the Chief Compliance Officer via formal written communication:

Josh Insurance Services
Attn: Office of the Chief Compliance Officer
1 Bubbling Brook Road, Franklin, MA 2038
Institutional Email: support@joshinsuranceservicescompany.com