Health Insurance Portability and Accountability Act (HIPAA)
This notice describes how medical information about you may be used and disclosed and how you can get access to this information. Please review it carefully.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) imposes numerous requirements on employer health plans concerning the use and disclosure of individual health information. This information, known as protected health information, includes virtually all individually identifiable health information held by a plan – whether received in writing, in an electronic medium, or as an oral communication. This notice describes the privacy practices of the following plans: EAP (Employee Assistance Program), Healthcare FSA (Flexible Spending Account) and the Employer Health Plan. The plans covered by this notice may share health information with each other to carry out Treatment, Payment, or Health Care Operations. These Plans are collectively referred to as the Plan in this notice, unless specified otherwise.
The Plan’s duties with respect to health information about you
The Plan is required by law to maintain the privacy of your health information and to provide you with this notice of the Plan’s legal duties and privacy practices with respect to your health information. If you participate in an insured plan option, you will receive a notice directly from the Insurer. It’s important to note that these rules apply to the Plan, not the Employer as an employer.
How the Plan may use or disclose your health information
The privacy rules generally allow the use and disclosure of your health information without your permission (known as an authorization) for purposes of health care Treatment, Payment activities, and Health Care Operations. Here are some examples of what that might entail:
- Treatment includes providing, coordinating, or managing health care by one (1) or more health care providers or doctors. Treatment can also include coordination or management of care between a provider and a third party, and consultation and referrals between providers. For example, the Plan may share health information about you with physicians who are treating you.
- Payment includes activities by this Plan, other plans, or providers to obtain premiums, make coverage determinations and provide reimbursement for health care. This can include eligibility determinations, reviewing services for medical necessity or appropriateness, utilization management activities, claims management, and billing; as well as “behind the scenes” plan functions such as risk adjustment, collection, or reinsurance. For example, the Plan may share information about your coverage or the expenses you have incurred with another health plan in order to coordinate payment of benefits.
- Health care operations include activities by this Plan (and in limited circumstances other plans or providers, such as wellness and risk assessment programs, quality assessment and improvement activities, customer service, and internal grievance resolution). Health care operations also include vendor evaluations, credentialing, training, accreditation activities, underwriting, premium rating, arranging for medical review and audit activities, and business planning and development. For example, the Plan may use information about your claims to review the effectiveness of wellness programs.
The amount of health information used or disclosed will be limited to the “Minimum Necessary” for these purposes, as defined under the HIPAA rules. The Plan may also contact you to provide appointment reminders or information about treatment alternatives or other health-related benefits and services that may be of interest to you.
How the Plan may share your health information with the Employer
The plan, or its health insurer, may disclose “summary health information” to the Employer if requested, for purposes of obtaining premium bids to provide coverage under the Plan, or for modifying, amending, or terminating the Plan. Summary health information is information that summarizes participants’ claims information, but from which names and other identifying information has been removed.
The Plan, or its Insurer, may disclose to the Employer information on whether an individual is participating in the Plan, or has enrolled or de-enrolled in an insurance option offered by the Plan.
In addition, the Plan, or its Insurer, may disclose your health information without your written authorization to the Employer for plan administration purposes, if the Employer adopts Plan amendments describing its administration activities.
The Employer cannot and will not use health information obtained from the Plan for any employment-related actions. However, health information collected by the Employer from other sources, for example under the Family and Medical Leave Act, Americans with Disabilities Act, or workers’ compensation is not protected under HIPAA (although this type of information may be protected under other federal or state laws).
Other allowable uses or disclosures of your health information
In certain cases, your health information can be disclosed without authorization to a family member, close friend, or other person you identify who is involved in your care or payment for your care. Information describing your location, general condition, or death may be provided to a similar person (or to a public or private entity authorized to assist in disaster relief efforts). You’ll generally be given the chance to agree or object to these disclosures (although exceptions may be made, for example, if you’re not present or if you’re incapacitated). In addition, your health information may be disclosed without authorization to your legal representative. If you die, the Plan may disclose to a family member, close personal friend or someone else that you have identified who was involved with your care or payment for your care prior to your death, protected health information that is relevant to such person’s involvement, unless doing so is inconsistent with your prior expressed preference, which is known to the Plan.
The Plan is also allowed to use or disclose your health information without your written authorization for uses and disclosures required by law, for public health activities, and other specific situations, including:
- Disclosures to Workers’ Compensation or similar legal programs, as authorized by and necessary to comply with such laws
- Disclosures related to situations involving threats to personal or public health or safety
- Disclosures related to situations involving judicial proceedings or law enforcement activity
- Disclosures to a coroner or medical examiner to identify the deceased or determine cause of death; and to funeral directors to carry out their duties
- Disclosures related to organ, eye or tissue donation, and transplantation after death
- Disclosures subject to approval by institutional or private privacy review boards and subject to certain assurances by researchers regarding necessity of using your health information and treatment of information during research project, or when the individual identifiers have been removed
- Certain disclosures related to health oversight activities, specialized government or military functions and Health and Human Services investigations
Except as described in this notice, other uses and disclosures will be made only with your written authorization. You may revoke your authorization as allowed under the HIPAA rules. However, you can’t revoke your authorization if the Plan has taken action relying on it. In other words, you can’t revoke your authorization with respect to disclosures the Plan has already made.
When a state law requires the Plan to impose stricter standards to protect your protected health information, the Plan will follow state law rather than HIPAA. For example, where such laws have been enacted, the Plan will follow more stringent state privacy laws that relate to uses and disclosures of protected health information concerning HIV or AIDS, mental health, substance abuse, chemical dependency, genetic testing or reproductive rights.
The Plan will not use or disclose protected health information that is genetic information for underwriting purposes. Genetic information is generally defined as information about your genetic tests and the genetic tests of your family members, the manifestation of a disease or disorder in your family members or any request for, or receipt of, genetic services, or participation in clinical research which includes genetic services, by you or any of your family members. Underwriting includes the determination of eligibility for, or determination of, benefits under the Plan, the computation of premiums or contribution amounts under the Plan and other activities related to the creation, renewal or replacement of a contract of health insurance or health benefits.
Your individual rights
You have the following rights with respect to your health information the Plan maintains. These rights are subject to certain limitations, as discussed below. This section of the notice describes how you may exercise each individual right. See the information at the end of this notice for instructions on how to submit requests.
Right to request restrictions on certain uses and disclosures of your health information and the Plan’s right to refuse
You have the right to ask the Plan to restrict the use and disclosure of your health information for Treatment, Payment, or Health Care Operations, except for uses or disclosures required by law. You have the right to ask the Plan to restrict the use and disclosure of your health information to family members, close friends, or other persons you identify as being involved in your care or payment for your care. You also have the right to ask the Plan to restrict use and disclosure of health information to notify those persons of your location, general condition, or death – or to coordinate those efforts with entities assisting in disaster relief efforts. If you want to exercise this right, your request to the Plan must be in writing.
The Plan generally is not required to agree to a requested restriction. However, the Plan must agree to your request to restrict a disclosure of protected health information to a health plan if the disclosure is for the purpose of carrying out payment or health care operations and is not otherwise required by law and the protected health information pertains solely to a health care item or service for which you, or a person other than the health plan on your behalf, has paid the covered entity in full. If the Plan does agree, a restriction may later be terminated by your written request, by agreement between you and the Plan (including an oral agreement), or unilaterally by the Plan for health information created or received after you’re notified that the Plan has removed the restrictions. The Plan may also disclose health information about you if you need emergency treatment, even if the Plan has agreed to a restriction.
Right to receive confidential communications of your health information
If you think that disclosure of your health information by the usual means could endanger you in some way, the Plan will accommodate reasonable requests to receive communications of health information from the Plan by alternative means or at alternative locations.
If you want to exercise this right, your request to the Plan must be in writing and you must include a statement that disclosure of all or part of the information could endanger you. This right may be conditioned on you providing an alternative address or other method of contact and, when appropriate, on you providing information on how payment, if any, will be handled.
Right to inspect and copy your health information
With certain exceptions, you have the right to inspect or copy your health information in a “Designated Record Set.” This may include medical and billing records maintained for a health care provider; enrollment, payment, claims, adjudication, and case or medical management record systems maintained by a plan; or a group of records the Plan uses to make decisions about individuals. However, you do not have a right to inspect or obtain copies of psychotherapy notes or information compiled for civil, criminal, or administrative proceedings. In addition, the Plan may deny your right to access, although in certain circumstances you may request a review of the denial. If you want to exercise this right, your request to the Plan must be in writing.
If the information you request is maintained electronically, and you request an electronic copy, the Plan will provide a copy in the electronic form and format you request, if the information can be readily produced in that form and format. If the information cannot be readily produced in that form and format, the Plan will work with you to come to an agreement on form and format. If agreement cannot be reached on an electronic form and format, the Plan will provide you with a paper copy.
If you request a copy of your protected health information, the Plan may charge a reasonable fee for the costs of copying, mailing or other supplies associated with the request.
If the Plan doesn’t maintain the health information but knows where it is maintained, you will be informed of where to direct your request.
Right to amend your health information that is inaccurate or incomplete
With certain exceptions, you have a right to request that the Plan amend your health information in a Designated Record Set. The Plan may deny your request for a number of reasons. For example, your request may be denied if the health information is accurate and complete, was not created by the Plan (unless the person or entity that created the information is no longer available), is not part of the Designated Record Set, or is not available for inspections (e.g., psychotherapy notes or information compiled for civil, criminal, or administrative proceedings). If your request is denied, you have the right to file a statement of disagreement with the Plan and any future disclosures of the disputed information will include your statement. If you want to exercise this right, your request to the Plan must be in writing, and you must include a statement to support the requested amendment.
Right to receive an accounting of disclosures of your health information
You have the right to a list of certain disclosures the Plan has made of your health information. This is often referred to as an “accounting of disclosures.” You generally may receive an accounting of disclosures if the disclosure is required by law, in connection with public health activities, or in similar situations listed in this notice, unless otherwise indicated below. You may also be entitled to an accounting of disclosures that the Plan should not have made without authorization.
You may receive information on disclosures of your health information going back for six (6) years from the date of your request, but not earlier than April 14, 2003 (the general date that the HIPAA privacy rules are effective). You do not have a right to receive an accounting of any disclosures made:
- For Treatment, Payment, Or Health Care Operations;
- To you about your own health information;
- Incidental to other permitted or required disclosures;
- Where authorization was provided;
- To family members or friends involved in your care (where disclosure is permitted without authorization);
- For national security or intelligence purposes or to correctional institutions or law enforcement officials in certain circumstances; or
- As part of a “limited data set” (health information that excludes certain identifying information).
In addition, your right to an accounting of disclosures to a health oversight agency or law enforcement official may be suspended at the request of the agency or official.
If you want to exercise this right, your request to the Plan must be in writing. You may make one (1) request in any 12-month period at no cost to you, but the Plan may charge a fee for subsequent requests. You’ll be notified of the fee in advance and may change or revoke your request if desired.
Right to obtain a paper copy of this notice from the Plan upon request
You have the right to obtain a paper copy of this Privacy Notice upon request. Even individuals who agreed to receive this notice electronically may request a paper copy at any time by contacting Human Resources.
Right to be notified of a breach
You have the right to be notified in the event that the Employer, the Plan or a Business Associate discovers a breach of unsecured protected health information.
If you believe your privacy rights have been violated, you may complain to the Plan and to the Secretary of Health and Human Services. To file a complaint with the Plan, please contact:
Your HIPAA Privacy officer. This information can be found by contacting your HR department.
You may also file a complaint with the Office of Civil Rights, U.S. Department of Health and Human Services, by emailing your complaint to [email protected] or by mailing or faxing your complaint to the appropriate Office of Civil Rights regional office, based on where the alleged violation took place. A list of regional offices can be obtained by visiting https://www.hhs.gov/ocr/about-us/contact-us/index.html.
You won’t be retaliated against for filing a complaint.
Changes to the information in this notice
The Plan must abide by the terms of the Privacy Notice currently in effect. This notice takes effect July 1, 2023 However, the Plan reserves the right to change the terms of its privacy policies as described in this notice at any time, and to make new provisions effective for all health information that the Plan maintains. This includes health information that was previously created or received, not just health information created or received after the policy is changed. If changes are made to the Plan’s privacy policies described in this notice, any revised notice will be posted on the Plan’s website at [insert web address] by the effective date of the material change, and Employer will provide the revised notice, or information about the material change and how to obtain the revised notice, in the next annual mailing to individuals then covered by the Plan.
Whom to Contact for More Information
If you have any questions regarding this notice or the policies and practices it describes, you may contact the following person: Privacy Officer, [insert telephone number and address of privacy officer].
The Plan’s use and disclosure of protected health information is regulated by HIPAA, as amended. This notice attempts to summarize the regulations. The regulations will supersede any discrepancy between the information in this notice and the regulations.
Policy effective: July 1, 2023