Overview

The HIPAA Privacy Rule was passed as part of the Health Insurance Portability and Accountability Act (HIPAA) in 1996. The HIPAA Privacy Rule governs the use and disclosure of Protected Health Information as defined under HIPAA. 

The HIPAA Privacy Rule applies to all employer-sponsored health plans. However, some plans that have limited access to Protected Health Information may elect more streamlined compliance methods, which allow for less complicated compliance procedures. This is referred to as Covered Entity status, which for the Privacy Rule is either Incidental PHI or Detailed PHI. Some of the processes outlined below are not required of Incidental PHI entities; however, the same obligation to maintain the confidentiality of Protected Health Information applies to the Covered Entity. The Covered Entity status is identified in your plan’s Summary Plan Description.

This article provides general information about how the HIPAA Privacy Rule typically applies to health plans and general language that you might find in the Privacy Rule section of your plan documents. Please refer to your Summary Plan Description and other plan documentation for the specific details of how your plan applies the HIPAA Privacy Rule. 

General Use and Disclosure Authorization

The HIPAA Privacy Rule generally allows the use and disclosure of your health information without your permission (known as authorization) for purposes of health care treatment, payment activities, and health care operations (as outlined below in more detail). It is likely that some of the examples noted below are inapplicable because they don’t generally apply to employer-sponsored welfare benefit plans. Regardless, the following is an overview of the uses and disclosures permitted without authorization:

  • Treatment includes providing, coordinating, or managing health care by one or more health care providers or doctors. Treatment can also include coordination or management of care between a provider and third party, and consultation and referrals between providers. For example, the Plan may share your health information with physicians who are treating you.

  • Payment includes activities by the Plan, other plans, or providers to obtain premiums, make coverage determinations, review services for medical necessity or appropriateness, and perform utilization management, claims management, and billing; as well as “behind the scenes” plan functions such as risk adjustment, collection, or reinsurance. For example, the Plan may share information about your coverage or the expenses you have incurred with another health plan in order to coordinate payment of benefits.

  • Health Care Operations include activities by this Plan for plan administration purposes (and in limited circumstances other plans or providers) such as wellness and risk assessment programs, quality assessment and improvement activities, customer service, and internal grievance resolution. Health care operations also include vendor evaluations, credentialing, training, accreditation activities, underwriting, premium rating, arranging for medical review and audit activities, and business planning and development. For example, the Plan may use information about your claims to audit the third parties that approve payment for Plan benefits.

The amount of health information used, disclosed or requested will be limited and, when needed, restricted to the minimum necessary to accomplish the intended purposes, as defined under the HIPAA rules. If the Plan uses or discloses PHI for underwriting purposes, the Plan will not use or disclose PHI that is your genetic information for such purpose. The HIPAA Privacy Rule also prohibits the use of "genetic information" for "underwriting purposes," with the exception of the underwriting of long-term care policies.

Use and Disclosure Rules

The following section describes how medical information about you and your dependents may be used and disclosed and how you can obtain access to this information. Employers are required by law to maintain the privacy of “Protected Health Information.” Protected Health Information (PHI) includes any identifiable health information obtained from the Plan by you or others that relates to your physical or mental health, the health care you have received, or payment for your health care. This information includes almost all individually identifiable health information held by this Plan, whether received in writing, in an electronic medium, or as a verbal communication.

  1. Duties with Respect to Protected Health Information. The following information addresses the uses and disclosures the Plan may make of your protected health information. It’s important to note that these rules apply to the Plan, not to the Employer in its capacity as an employer; that is the way the HIPAA rules work. If you participate in an insured plan or an HMO option, you will also receive a privacy notice directly from the Insurer or HMO. The Plan must comply with the general HIPAA provisions of this notice, although we reserve the right to change the terms from time to time and to make any revised notice effective for all PHI that the Plan maintains. You can always request a copy of the most current privacy notice from our Privacy Official.

  2. General Disclosure Rule. The Plan and any Contract Administrator, health insurance issuer or business associate servicing the Plan will disclose Protected Health Information to the Employer/Plan Sponsor only to permit the Employer/Plan Sponsor to carry out plan administrative functions for the Plan consistent with the requirements of the HIPAA Privacy Rule (45 CFR §164.501). Any disclosure to and use by the Employer/Plan Sponsor of Protected Health Information will be subject to and consistent with this Section.

  3. Participant Disclosure. This Plan complies with the Privacy Rule of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). If you have questions about the privacy of your health information under the Plan, please contact the Plan Administrator or the Privacy Officer named in the Employer/Plan Sponsor’s Privacy Policy.

Employer/Plan Sponsor’s Obligations

Employer/Plan Sponsor is in compliance with the following practices regarding the use and disclosure of your PHI, and will:

  1. Not use or further disclose the information other than as permitted or required by this Section, the Plan, or such other plan documents or as Required by Law, which shall have the same meaning as the term “required by law” under the HIPAA Privacy Rule.

  2. Restrict sharing of information between the Plan and Employer/Plan Sponsor to the following circumstances:

  • To provide coverage under the plan or for modifying, amending, or terminating the Plan. Summary Health Information is information that summarizes participants’ claims information from which names and other identifying information have been removed. 

  • The Plan may disclose to Employer information on whether an individual is participating in the Plan or has enrolled or disenrolled in an insurance option offered by the Plan.

  3. Ensure that any agents, including a subcontractor, to whom it provides Protected Health Information received from the Plan agree, by signing a Business Associate Agreement, to implement reasonable and appropriate privacy and security measures to protect any Protected Health Information received or created, to a level equivalent to the protections HIPAA requires of the Covered Entity.

  4. Not use or disclose the information for employment-related actions or decisions or in connection with any other benefit or employee benefit plan of Employer/Plan Sponsor. In addition, you should know that Employer cannot and will not use health information obtained from the Plan for any employment-related actions. However, health information collected by Employer from other sources, for example under the Family and Medical Leave Act, Americans with Disabilities Act, any sick leave or PTO program, or workers’ compensation, is not protected under HIPAA (although this type of information may be protected under other federal or state laws).

  5. Report to the Plan any use or disclosure of the information that is inconsistent with the uses and disclosures provided for in this Section or the Plan of which it becomes aware. Report to the Privacy Officer any security incident of which it becomes aware.

  6. Implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of Protected Health Information (including electronic Protected Health Information) created, received, maintained, or transmitted.

  7. Make Protected Health Information (including electronic Protected Health Information) available to Plan Participants upon their request for access to Protected Health Information or electronic Protected Health Information, in accordance with the Privacy Rule.

  8. Make available Protected Health Information for amendment and incorporate any amendments to Protected Health Information in accordance with the Privacy Rule.

  9. Make available the information required to provide an accounting of disclosures in accordance with the Privacy Rule and document such disclosures of Protected Health Information.

  10. Make its internal practices, books, and records relating to the use and disclosure of Protected Health Information or electronic Protected Health Information received from the Plan available to the Secretary of the Department of Health and Human Services for purposes of determining compliance by the Plan with HIPAA.

  11. If feasible, return or destroy all Protected Health Information received from the Plan that Employer/Plan Sponsor still maintains in any form and retain no copies of such information when no longer needed for the purpose for which disclosure was made, except that if such return or destruction is not feasible, limit further uses and disclosures to those purposes that make the return or destruction of the information infeasible.

  12. Ensure that adequate separation between the Plan and Employer/Plan Sponsor is established pursuant to the Privacy Rule. Certain employees, equivalently titled employees or classes of employees, or other workforce members under the control of the Employer/Plan Sponsor may be given access to Protected Health Information received from the Plan or a health insurance issuer or business associate servicing the Plan. The specific classes of employees or workforce members who may have access to Protected Health Information are identified in the Employer/Plan Sponsor’s separate Privacy Policy. The Plan Administrator or the Privacy Official named in the Employer/Plan Sponsor’s Privacy Policy can provide information on the specific employees or classes of employees who have access to Protected Health Information. The list provided in the Privacy Policy shall include every class of employees or other workforce members under the control of the Employer/Plan Sponsor who may receive Protected Health Information relating to payment under, health care operations of, or other matters pertaining to the Plan in the ordinary course of business. The classes of employees or other workforce members identified in the Employer/Plan Sponsor’s Privacy Policy will have access to Protected Health Information only to perform the plan administration functions that the Employer/Plan Sponsor provides for the Plan.

  13. The classes of employees or other workforce members identified in the Employer/Plan Sponsor’s Privacy Policy will be subject to disciplinary action and sanctions, including termination of employment or affiliation with Employer/Plan Sponsor, for any use or disclosure of Protected Health Information in breach or violation of or noncompliance with the provisions of this Section. Employer/Plan Sponsor will promptly report such breach, violation or noncompliance to the Plan, and will cooperate with the Plan to correct the breach, violation or noncompliance, to impose appropriate disciplinary action or sanctions on each employee or other workforce member causing the breach, violation or noncompliance, and to mitigate any deleterious effect of the breach, violation or noncompliance on any participant or beneficiary, the privacy of whose Protected Health Information may have been compromised by the breach, violation or noncompliance.

  14. Provide participants in the Plan with such notice of privacy practices as required pursuant to the Privacy Rule.

How Your PHI May Be Used/Disclosed by Employer

Your Employer may use or disclose your health information to provide coverage under the Plan, or for modifying, amending, or terminating the Plan. "Summary health information" is information that summarizes participants’ claims information, from which names and other identifying information have been removed.

Other Allowable Uses or Disclosures of Your Health Information

Following is additional information about how and when your PHI may be shared and/or disclosed outside of the Plan and/or outside of Employer. In certain cases, your health information can be disclosed without authorization to a family member, close friend, or other person you identify who is involved in your care or payment for your care. Information about your location, general condition, or death may be provided to a similar person (or to a public or private entity authorized to assist in disaster relief efforts). You’ll generally be given the chance to agree or object to these disclosures (although exceptions may be made, for example, if you’re not present or if you’re incapacitated). In addition, your health information may be disclosed without authorization to your legal representative. The Plan is allowed to use or disclose your health information without your written authorization for the following activities:

  1. Workers’ Compensation. Disclosures to workers’ compensation or similar legal programs that provide benefits for work-related injuries or illness without regard to fault, as authorized by and necessary to comply with the laws.

  2. Necessary to Prevent Serious Threat to Health or Safety. Disclosures made in the good-faith belief that releasing your health information is necessary to prevent or lessen a serious and imminent threat to public or personal health or safety, if made to someone reasonably able to prevent or lessen the threat (or to the target of the threat); includes disclosures to help law enforcement officials identify or apprehend an individual who has admitted participation in a violent crime that the Plan reasonably believes may have caused serious physical harm to a victim, or where it appears the individual has escaped from prison or from lawful custody.

  3. Public Health Activities. Disclosures authorized by law to persons who may be at risk of contracting or spreading a disease or condition; disclosures to public health authorities to prevent or control disease or report child abuse or neglect; and disclosures to the Food and Drug Administration to collect or report adverse events or product defects.

  4. Victims of Abuse, Neglect or Domestic Violence. Disclosures to government authorities, including social services or protective services agencies authorized by law to receive reports of abuse, neglect, or domestic violence, as required by law or if you or the Plan believes that disclosure is necessary to prevent serious harm to you or potential victims (you’ll be notified of the Plan’s disclosure if informing you won’t put you at further risk).

  5. Judicial and Administrative Proceedings. Disclosures in response to a court or administrative order, subpoena, discovery request, or other lawful process (the Plan may be required to notify you of the request or receive satisfactory assurance from the party seeking your health information that efforts were made to notify you or to obtain a qualified protective order concerning the information).

  6. Law Enforcement Purposes. Disclosures to law enforcement officials required by law or legal process, or to identify a suspect, fugitive, witness, or missing person; disclosures about a crime victim if you agree or if disclosure is necessary for immediate law enforcement activity; disclosure about a death that may have resulted from criminal conduct; and disclosure to provide evidence of criminal conduct on the Plan’s premises.

  7. Decedents. Disclosures to a coroner or medical examiner to identify the deceased or determine cause of death; and to funeral directors to carry out their duties.

  8. Organ, Eye or Tissue Donation. Disclosures to organ procurement organizations or other entities to facilitate organ, eye, or tissue donation and transplantations after death.

  9. Research Purposes. Disclosures subject to approval by institutional or private privacy review boards, subject to certain assurances and representations by researchers about the necessity of using your health information and the treatment of the information during a research project.

  10. Health Oversight Activities. Disclosures to health agencies for activities authorized by law (audits, inspections, investigations, or licensing actions) for oversight of the health care system, government benefits programs for which health information is relevant to beneficiary eligibility, and compliance with regulatory programs or civil rights laws.

  11. Specialized Government Functions. Disclosures about individuals who are Armed Forces personnel or foreign military personnel under appropriate military command; disclosures to authorized federal officials for national security or intelligence activities; and disclosures to correctional facilities or custodial law enforcement officials about inmates.

  12. HHS Investigations. Disclosures of your health information to the Department of Health and Human Services to investigate or determine the Plan’s compliance with the HIPAA privacy rule.

  13. Disclosures Required by Law. Disclosures of your health information as required by law provided such use or disclosure complies with and is limited to the relevant requirements of such law.

Except as described in this HIPAA section, other uses and disclosures will be made only with your written authorization. You may revoke your authorization as allowed under the HIPAA rules. However, you can’t revoke your authorization with respect to disclosures the Plan has already made. You will be notified of any unauthorized access, use or disclosure of your unsecured health information as required by law.

Your Individual Rights

You have the following rights with respect to your health information the Plan maintains. These rights are subject to certain limitations, as discussed below. This section describes how you may exercise each individual right.

Right to request restrictions on certain uses and disclosures of your health information and the Plan’s right to refuse. You have the right to ask the Plan to restrict the use and disclosure of your health information for treatment, payment, or health care operations, except for uses and disclosures required by law. You have the right to ask the Plan to restrict the use and disclosure of your health information to family members, close friends, or other persons you identify as being involved in your care or payment for care. You also have the right to ask the Plan to restrict use and disclosure of health information to notify those persons of your location, general condition, or death – or to coordinate those efforts with entities assisting in disaster relief. If you want to exercise this right, your request to the Plan must be in writing. The Plan is not required to agree to a requested restriction. If the Plan does agree, a restriction may later be terminated by your written request, by agreement between you and the Plan (including an oral agreement), or unilaterally by the Plan for health information created or received after you’re notified that the Plan has removed the restriction. The Plan may also disclose health information about you if you need emergency treatment, even if the Plan has agreed to a restriction.

Right to receive confidential communication of your health information. With certain exceptions, you have the right to inspect or obtain a copy of your health information in a “designated record set.” This may include medical and billing records maintained for a health care provider; enrollment, payment, claims adjudication, and case or medical management record systems maintained by a Plan; or a group of records the Plan uses to make decisions about individuals. However, you do not have a right to inspect or obtain copies of psychotherapy notes or information compiled for civil, criminal, or administrative proceedings. The Plan may deny your right to access, although in certain circumstances you may request a review of the denial. If you want to exercise this right, your request to the Plan must be in writing. Within 90 days of receipt of your request, the Plan will provide you with:

  • The access or copies you requested;

  • A written denial that explains why your request was denied and any rights you may have to have the denial reviewed or to file a complaint; or

  • A written statement that the time period for reviewing your request will be extended for no more than 30 more days, along with the reasons for the delay and the date by which the Plan expects to address your request.

The Plan may provide you with a summary or explanation of the information instead of access to or copies of your health information, if you agree in advance and pay any applicable fees. The Plan also may charge reasonable fees for copies or postage. If the Plan doesn’t maintain the health information but knows where it is maintained, you will be informed of where to direct your request. You may request an electronic copy of your protected health information. If it can be readily produced, then it must be supplied to you. You may also request that such electronic health information be sent to another entity or person, so long as that request is clear, conspicuous and specific. Any charge that is assessed to you for these copies, if any, must be reasonable, based on the Plan’s cost and identify separately the labor for copying PHI (if any).

Right to amend your health information that is inaccurate or incomplete. With certain exceptions, you have a right to request that the Plan amend your health information in a designated record set. The Plan may deny your request for a number of reasons. For example, your request may be denied if the health information is accurate and complete, was not created by the Plan (unless the person or entity that created that information is no longer available), is not part of the designated record set, or is not available for inspection (e.g., psychotherapy notes or information compiled for civil, criminal, or administrative proceedings). If you want to exercise this right, your request to the Plan must be in writing, and you must include a statement to support the requested amendment. Within 60 days of receipt of your request, the Plan will:

  • Make the amendment as requested;

  • Provide a written denial that explains why your request was denied and any rights you may have to disagree or file a complaint; or

  • Provide a written statement that the time period for reviewing your request will be extended for no more than 30 more days, along with the reasons for the delay and the date by which the Plan expects to address your request.

Right to receive an accounting of disclosures of your health information. You have the right to a list of certain disclosures of your health information the Plan has made. This is often referred to as an “accounting of disclosures.” You generally may receive this accounting if the disclosure is required by law, in connection with public health activities, or in similar situations listed in the table earlier in this notice, unless otherwise indicated below. You may receive information on disclosures of your health information for up to six years before the date of your request. You do not have a right to receive an accounting of any disclosures made:

  • For treatment, payment, or health care operations;

  • To you about your own health information;

  • Incidental to other permitted or required disclosures;

  • Where authorization was provided;

  • To family members or friends involved in your care (where disclosure is permitted without authorization);

  • For national security or intelligence purposes or to correctional institutions or law enforcement officials in certain circumstances; or

  • As part of a “limited data set” (health information that excludes certain identifying information).

In addition, your right to an accounting of disclosures to a health oversight agency or law enforcement official may be suspended at the request of the agency or official. If you want to exercise this right, your request to the Plan must be in writing. Within 60 days of the request, the Plan will provide you with the list of disclosures or a written statement that the time period for providing this list will be extended for no more than 30 more days, along with the reasons for the delay and the date by which the Plan expects to address your request. You may make one request in any 12-month period at no cost to you, but the Plan may charge a fee for subsequent requests. You will be notified of the fee in advance and have the opportunity to change or revoke your request.

Right to obtain a paper copy of this notice from the Plan upon request. You have the right to obtain a paper copy of this privacy notice upon request. Even individuals who agreed to receive this notice electronically may request a paper copy at any time.

Right to be notified if you are affected by a breach. You have the right to be notified should you be affected by a breach of unsecured protected health information. The 2013 Amendments modify the definition of breach by providing that an impermissible use or disclosure of PHI is presumed to be a breach unless it can be demonstrated that there is a low probability that the PHI has been compromised, based upon a four-part risk assessment conducted by our HIPAA Privacy and/or Security Official(s).

Changes to the HIPAA Privacy Information

The Plan must abide by the terms of the privacy notice currently in effect. However, the Plan reserves the right to change the terms of its privacy policies, as described here, at any time and to make new provisions effective for all health information that the Plan maintains. This includes health information that was previously created or received, not just health information created or received after the policy is changed. If changes are made to the Plan’s privacy policies described in this document, you will be provided with a revised privacy notice. The revised notice will either be hand delivered or mailed via first-class mail to your residence at the address that we have on file.

Complaints

If you believe your privacy or security rights have been violated or your Plan has not followed its legal obligations under HIPAA, you may contact our Privacy and/or Security Official(s). You won’t be retaliated against for filing a complaint. To file a complaint, please contact the HIPAA Official.