
HIPAA Privacy

Commitment to Protecting Health Information

The Plan will comply with the Standards for Privacy of Individually Identifiable Health Information (i.e., the “Privacy Rule”) set forth by the U.S. Department of Health and Human Services (“HHS”) pursuant to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). Such standards control the dissemination of “protected health information” (“PHI”) of Participants. Privacy Standards will be implemented and enforced in the offices of the Employer and Plan Sponsor and any other entity that may assist in the operation of the Plan.

The Plan is required by law to take reasonable steps to ensure the privacy of the Participant’s PHI, and inform him/her about:

  1. The Plan’s disclosures and uses of PHI.
  2. The Participant’s privacy rights with respect to his or her PHI.
  3. The Plan’s duties with respect to his or her PHI.
  4. The Participant’s right to file a complaint with the Plan and with the Secretary of HHS.
  5. The person or office to contact for further information about the Plan’s privacy practices.

The Plan provides each Participant with a separate Notice of Privacy Practices. This Notice describes how the Plan uses and discloses a Participant's personal health information. It also describes certain rights the Participant has regarding this information. Additional copies of the Plan's Notice of Privacy Practices are available by calling.

Capitalized terms used but not otherwise defined within this provision shall have the same meaning as those terms set forth in 45 CFR Sections 160.103 and 164.501. Any modification to the HIPAA regulations that alters a defined HIPAA term or regulatory citation shall be deemed incorporated into this provision.

Definitions

  • Breach means an unauthorized acquisition, access, use or disclosure of Protected Health Information (“PHI”) or Electronic Protected Health Information (“ePHI”) that violates the HIPAA Privacy Rule and that compromises the security or privacy of the information.
  • Protected Health Information (“PHI”) means individually identifiable health information, as defined by HIPAA, that is created or received by the Plan and that relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and that identifies the individual or for which there is a reasonable basis to believe the information can be used to identify the individual. PHI includes information of persons living or deceased.

How Health Information May Be Used and Disclosed

In general, the Privacy Rule permits the Plan to use and disclose an individual’s PHI without obtaining authorization, limited to the minimum necessary amount, only if the use or disclosure is for any of the following:

  1. To carry out payment of benefits.
  2. If the use or disclosure falls within one of the limited circumstances described in the rules (e.g., the disclosure is required by law or for public health activities).

Primary Uses and Disclosures of PHI

  1. Treatment, Payment and Health Care Operations: The Plan has the right to use and disclose a Participant’s PHI for all activities as included within the definitions of Treatment, Payment, and Health Care Operations and pursuant to the HIPAA Privacy Rule.
  2. Business Associates: The Plan contracts with individuals and entities (Business Associates) to perform various functions on its behalf. In performance of these functions or to provide services, Business Associates will receive, create, maintain, use, or disclose PHI, but only after the Plan and the Business Associate agree in writing to contract terms requiring the Business Associate to appropriately safeguard the Participant’s information.
  3. Other Covered Entities: The Plan may disclose PHI to assist health care Providers in connection with their treatment or payment activities or to assist other covered entities in connection with payment activities and certain health care operations. For example, the Plan may disclose PHI to a health care Provider when needed by the Provider to render treatment to a Participant, and the Plan may disclose PHI to another covered entity to conduct health care operations. The Plan may also disclose or share PHI with other insurance carriers (such as Medicare, etc.) in order to coordinate benefits, if a Participant has coverage through another carrier.

Disclosure of PHI to the Plan Sponsor for Plan Administration Purposes

In order that the Plan Sponsor may receive and use PHI for plan administration purposes, the Plan Sponsor agrees to:

  1. Not use or further disclose PHI other than as permitted or required by the plan documents or as required by law (as defined in the Privacy Standards).
  2. Ensure that any agents, including a subcontractor, to whom the Plan Sponsor provides PHI received from the Plan, agree to the same restrictions and conditions that apply to the Plan Sponsor with respect to such PHI.
  3. Maintain the confidentiality of all PHI, unless an individual gives specific consent or authorization to disclose such data or unless the data is used for health care payment or Plan operations.
  4. Receive PHI, in the absence of an individual’s express authorization, only to carry out Plan administration functions.
  5. Report to the Plan any use or disclosure of PHI that is inconsistent with the uses or disclosures provided for herein, of which the Plan Sponsor becomes aware.
  6. Make available PHI in accordance with section 164.524 of the Privacy Standards (45 CFR 164.524).
  7. Make available PHI for amendment and incorporate any amendments to PHI in accordance with section 164.526 of the Privacy Standards (45 CFR 164.526).
  8. Make its internal practices, books and records relating to the use and disclosure of PHI received from the Plan available to the Secretary of the U.S. Department of Health and Human Services (“HHS”), or any other officer or Employee of HHS to whom the authority involved has been delegated, for purposes of determining compliance by the Plan with part 164, subpart E, of the Privacy Standards (45 CFR 164.500 et seq).
  9. If feasible, return or destroy all PHI received from the Plan that the Plan Sponsor still maintains in any form and retain no copies of such PHI when no longer needed for the purpose for which disclosure was made, except that, if such return or destruction is not feasible, limit further uses and disclosures to those purposes that make the return or destruction of the PHI infeasible.

Required Disclosures of PHI

  1. Disclosures to Participants: The Plan is required to disclose to a Participant most of the PHI in a Designated Record Set when the Participant requests access to this information. The Plan will disclose a Participant’s PHI to an individual who has been assigned as his or her representative and who has qualified for such designation in accordance with the relevant State law. Before disclosure to an individual qualified as a personal representative, the Plan must be given written supporting documentation establishing the basis of the personal representation.
    The Plan may elect not to treat the person as the Participant’s personal representative if it has a reasonable belief that the Participant has been, or may be, subjected to domestic violence, abuse, or neglect by such person, it is not in the Participant’s best interest to treat the person as his or her personal representative, or treating such person as his or her personal representative could endanger the Participant.
  2. Disclosures to the Secretary of the U.S. Department of Health and Human Services: The Plan is required to disclose the Participant’s PHI to the Secretary of the U.S. Department of Health and Human Services when the Secretary is investigating or determining the Plan’s compliance with the HIPAA Privacy Rule.

Participant’s Rights

The Participant has the following rights regarding PHI about him/her:

  1. Request Restrictions: The Participant has the right to request additional restrictions on the use or disclosure of PHI for treatment, payment, or health care operations. The Participant may request that the Plan restrict disclosures to family members, relatives, friends or other persons identified by him/her who are involved in his or her care or payment for his or her care. The Plan is not required to agree to these requested restrictions.
  2. Right to Receive Confidential Communication: The Participant has the right to request that he or she receive communications regarding PHI in a certain manner or at a certain location. The request must be made in writing and include how the Participant would like to be contacted. The Plan will accommodate all reasonable requests.
  3. Right to Receive Notice of Privacy Practices: The Participant is entitled to receive a paper copy of the plan’s Notice of Privacy Practices at any time. To obtain a paper copy, contact the Privacy Officer.
  4. Accounting of Disclosures: The Participant has the right to request an accounting of disclosures the Plan has made of his or her PHI. The request must be made in writing and does not apply to disclosures for treatment, payment, health care operations, and certain other purposes. The Participant is entitled to such an accounting for the six years prior to his or her request. Except as provided below, for each disclosure, the accounting will include: (a) the date of the disclosure, (b) the name of the entity or person who received the PHI and, if known, the address of such entity or person; (c) a description of the PHI disclosed, (d) a statement of the purpose of the disclosure that reasonably informs the Participant of the basis of the disclosure, and certain other information. If the Participant wishes to make a request, please contact the Privacy Officer.
  5. Access: The Participant has the right to request the opportunity to look at or get copies of PHI maintained by the Plan about him/her in certain records maintained by the Plan. If the Participant requests copies, he or she may be charged a fee to cover the costs of copying, mailing, and other supplies. If a Participant wants to inspect or copy PHI, or to have a copy of his or her PHI transmitted directly to another designated person, he or she should contact the Privacy Officer. A request to transmit PHI directly to another designated person must be in writing, signed by the Participant and the recipient must be clearly identified. The Plan must respond to the Participant’s request within 30 days (in some cases, the Plan can request a 30-day extension). In very limited circumstances, the Plan may deny the Participant’s request. If the Plan denies the request, the Participant may be entitled to a review of that denial.
  6. Amendment: The Participant has the right to request that the Plan change or amend his or her PHI. The Plan reserves the right to require this request be in writing. Submit the request to the Privacy Officer. The Plan may deny the Participant’s request in certain cases, including if it is not in writing or if he or she does not provide a reason for the request.
  7. Other uses and disclosures not described in this section can only be made with authorization from the Participant. The Participant may revoke this authorization at any time.

Questions or Complaints

If the Participant wants more information about the Plan’s privacy practices, has questions or concerns, or believes that the Plan may have violated his or her privacy rights, please contact the Plan using the following information. The Participant may submit a written complaint to the U.S. Department of Health and Human Services or to the Plan. The Plan will provide the Participant with the address for filing a complaint with the U.S. Department of Health and Human Services upon request.

The Plan will not retaliate against the Participant for filing a complaint with the Plan or the U.S. Department of Health and Human Services.

HIPAA SECURITY

Disclosure of Electronic Protected Health Information (“Electronic PHI”) to the Plan Sponsor for Plan Administration Functions

STANDARDS FOR SECURITY OF INDIVIDUALLY IDENTIFIABLE HEALTH INFORMATION ("SECURITY RULE")

The Health Insurance Portability and Accountability Act (HIPAA) and other applicable law shall override the following wherever there is a conflict, or wherever a term is not defined herein.

The Security Rule imposes requirements for maintaining the confidentiality, integrity and availability of protected health information that the Plan creates, receives, maintains, or transmits in electronic form (ePHI), as required under HIPAA.

Definitions

  • Electronic Protected Health Information (ePHI), as defined in Section 160.103 of the Security Standards (45 C.F.R. 160.103), means individually identifiable health information transmitted by or maintained in electronic media.
  • Security Incident, as defined in Section 164.304 of the Security Standards (45 C.F.R. 164.304), means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.

Plan Sponsor Obligations

To enable the Plan Sponsor to receive and use Electronic PHI for Plan Administration Functions (as defined in 45 CFR §164.504(a)), the Plan Sponsor agrees to:

  1. Implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of the Electronic PHI that it creates, receives, maintains, or transmits on behalf of the Plan.
  2. Ensure that adequate separation between the Plan and the Plan Sponsor, as required in 45 CFR § 164.504(f)(2)(iii), is supported by reasonable and appropriate Security Measures.
  3. Ensure that any agent, including a subcontractor, to whom the Plan Sponsor provides Electronic PHI created, received, maintained, or transmitted on behalf of the Plan, agrees to implement reasonable and appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of the Electronic PHI and report to the Plan any security incident of which it becomes aware.
  4. Report to the Plan any security incident of which it becomes aware. 
  5. Establish safeguards for information, including security systems for data processing and storage. 
  6. Not use or disclose PHI for employment-related actions and decisions or in connection with any other benefit or Employee benefit plan of the Plan Sponsor, except pursuant to an authorization which meets the requirements of the Privacy Standards.
  7. Ensure that adequate separation between the Plan and the Plan Sponsor, as required in section 164.504(f)(2)(iii) of the Privacy Standards (45 CFR 164.504(f)(2)(iii)), is established as follows:
    1. The following Employees, or classes of Employees, or other persons under control of the Plan Sponsor, shall be given access to the PHI to be disclosed:
      1. Privacy Officer.
      2. Director of Employee Benefits.
      3. Employee Benefits Department employees.
      4. Information Technology Department.
    2. The access to and use of PHI by the individuals identified above shall be restricted to the plan administration functions that the Plan Sponsor performs for the Plan.

Disclosure of Summary Health Information to the Plan Sponsor

The Plan may disclose PHI to the Plan Sponsor of the group health plan for purposes of plan administration or pursuant to an authorization request signed by the Participant. The Plan may use or disclose “summary health information” to the Plan Sponsor for obtaining premium bids or modifying, amending, or terminating the group health plan. “Summary health information” may be individually identifiable health information and it summarizes the claims history, claims expenses or the type of claims experienced by individuals in the plan, but it excludes all identifiers that must be removed for the information to be de-identified, except that it may contain geographic information to the extent that it is aggregated by five-digit zip code.

Disclosure of Certain Enrollment Information to the Plan Sponsor

Pursuant to section 164.504(f)(1)(iii) of the Privacy Standards (45 CFR 164.504(f)(1)(iii)), the Plan may disclose to the Plan Sponsor information on whether an individual is participating in the Plan or is enrolled in or has un-enrolled from a health insurance issuer or health maintenance organization offered by the Plan to the Plan Sponsor.

Disclosure of PHI to Obtain Stop-loss or Excess Loss Coverage

The Plan Sponsor may hereby authorize and direct the Plan, through the Plan Administrator or the Third Party Administrator, to disclose PHI to stop-loss carriers, excess loss carriers or managing general underwriters (“MGUs”) for underwriting and other purposes in order to obtain and maintain stop-loss or excess loss coverage related to benefit claims under the Plan. Such disclosures shall be made in accordance with the Privacy Standards.

Resolution of Noncompliance

In the event that any authorized individual of the Employer's workforce uses or discloses Protected Health Information other than as permitted by the Privacy Standards, the incident shall be reported to the Privacy Officer. The Privacy Officer shall take appropriate action, including:

  1. Investigation of the incident to determine whether the breach occurred inadvertently, through negligence, or deliberately; whether there is a pattern of breaches; and the degree of harm caused by the breach.
  2. Applying appropriate sanctions against the persons causing the breach, which, depending upon the nature of the breach, may include oral or written reprimand, additional training, or termination of employment.
  3. Mitigating any harm caused by the breach, to the extent practicable.
  4. Documentation of the incident and all actions taken to resolve the issue and mitigate any damages.
  5. Training Employees in privacy protection requirements and appointing a Privacy Officer responsible for such protections.
  6. Disclosing the Participant’s PHI to the Secretary of the U.S. Department of Health and Human Services when the Secretary is investigating or determining the Plan’s compliance with the HIPAA Privacy Rule.