NOTICE OF PRIVACY PRACTICES
THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
Effective Date of Notice: October 14, 2020
Huron-Erie School Employee Insurance Association Health Benefit Plan (“Health Plan”) is required by law to take reasonable steps to ensure the privacy of your Individually Identifiable Health Information, regardless of form, whether oral, written or electronic, transmitted or maintained by or on behalf of Health Plan (“PHI”), and to inform you about:
Sec. 1 Health Plan’s Uses and Disclosures of PHI;
Sec. 2 Your PHI privacy rights;
Sec. 3 Health Plan’s duties concerning PHI;
Sec. 4 Your right to file a complaint with Health Plan and the Secretary of the U.S. Department of Health and Human Services; and
Sec. 5 The person or office to contact for further information about Health Plan’s privacy practices and procedures.
Section 1. Health Plan’s Uses and Disclosures of PHI
All Uses and Disclosures by Health Plan will be made only with your written authorization, which you may revoke at any time in writing, except as follows:
Required PHI Uses and Disclosures
Health Plan is required to Disclose all books, records, accounts, and other sources of information, including PHI, to the Secretary of the U.S. Department of Health and Human Services in order to allow the Department to investigate or determine Health Plan’s compliance with the privacy regulations.
Uses and Disclosures for which Your Authorization is not Required
Health Plan may Use or Disclose PHI, without your authorization, to carry out its own “Payment” and “Health Care Operations” (see definitions below). Health Plan may Disclose PHI, without your authorization, to health care providers for “Treatment” (see definition below). Health Plan may Disclose PHI, without your authorization, to other Covered Entities and providers for their Payment activities. Health Plan may Disclose PHI, without your authorization, to other Covered Entities participating in its organized health care arrangement for Health Care Operations or to other Covered Entities having a relationship with you for limited purposes. Health Plan also may Disclose PHI, without your authorization, to the Plan Sponsor so that the Plan Sponsor will be able to carry out Health Plan administration functions, such as Health Plan’s Payment and Health Care Operations. The Plan Sponsor has amended its plan documents to protect your PHI. 2 Health Plan contracts with individuals and/or entities (Business Associates) to perform various functions on its behalf or to provide certain types of services. To perform these functions or to provide the services, Health Plan’s Business Associates will receive, create, maintain, Use or Disclose PHI, but only after Health Plan requires the Business Associates to agree in writing to contract terms designed to appropriately safeguard your PHI. Business Associates have a statutory obligation to comply with the terms of such agreement and HIPAA.
“Treatment” is the provision, coordination or management of health care and related services. It includes but is not limited to consultations and referrals between one or more of your providers. (Example: Health Plan may disclose to a specialist the name of your primary physician so that they may confer concerning your health.)
“Payment” includes but is not limited to actions to make coverage determinations and payment (including billing, claims management, subrogation, plan reimbursement, reviews for medical necessity and appropriateness of care and utilization review and preauthorizations). (Example: Health Plan may disclose to a doctor whether you are eligible for coverage and what percentage of the bill will be paid by Health Plan.)
“Health Care Operations” include but are not limited to quality assessment and improvement, reviewing competence or qualifications of health care professionals, underwriting, enrollment, premium rating insurance activities relating to creating or renewing insurance contracts, disease management, case management, conducting or arranging for medical review, legal services and auditing functions including fraud and abuse compliance programs, business planning and development, business management and general administrative activities. (Example: Health Plan may use information about your claims to audit the accuracy of its claims processing functions.)
Health Plan is prohibited from Using or Disclosing PHI that is Genetic Information for underwriting purposes.
Use or Disclosure of your PHI is also allowed without your authorization under the following circumstances:
(1) When required by law;
(2) When permitted for purposes of public health activities, including when you have been exposed to a communicable disease or are at risk of spreading a disease or condition, if authorized by law;
(3) When authorized by law to report information about abuse, neglect or domestic violence to public authorities or if Health Plan, in the exercise of professional judgment, believes Disclosure is necessary to prevent serious harm to you or another. If Health Plan makes such a Disclosure you will, unless informing you poses a risk of harm, be promptly informed that such a report has been made;
(4) To public health oversight agency(ies) for oversight activities authorized by law, including Uses or Disclosures in: audits; civil, administrative or criminal investigations, proceedings or actions; inspections; licensure or disciplinary actions and other necessary and appropriate oversight activities;
(5) When required for judicial or administrative proceedings in response to an order of court, or subpoena, discovery request or other lawful process when satisfactory assurance is given;
(6) For law enforcement purposes, when required by law;
(7) In response to a law enforcement official’s request for identification/location information (including Disclosure of information about an Individual who is or is suspected to be a victim of a crime but only if the Individual agrees to the Disclosure or Health Plan is unable to obtain the Individual’s agreement because of emergency circumstances and the law enforcement official makes all required representations and Disclosure is in the best interests of the Individual as determined by the exercise of Health Plan’s best judgment);
(8) When required to be given to a coroner or medical examiner for the purpose of identifying a deceased person, determining a cause of death or fulfilling other duties authorized by law. Also, Disclosure is permitted to a funeral director, consistent with applicable law, as necessary to carry out his duties with respect to the decedent;
(9) For research if a review or privacy board determines your authorization is not necessary and the researcher(s) provide all required representations;
(10) To organ procurement organizations or similar entities for the purpose of facilitating donation or transplantation;
(11) When consistent with applicable law and standards of ethical conduct if Health Plan, in good faith, believes the Use or Disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public and the Disclosure is to a person reasonably able to prevent or lessen the threat;
(12) When authorized for specialized government functions; and
(13) When authorized by and to the extent necessary to comply with worker’s compensation or other similar programs established by law.
Uses and Disclosures that Require Your Written Authorization
Your written authorization generally will be required before Health Plan may Use or Disclose psychotherapy notes about you from your psychotherapist.
Your written authorization generally will be required before Health Plan may Use or Disclose your PHI for Marketing purposes.
Your written authorization will be required before Health Plan may sell your PHI.
Your written authorization will be required for all other Uses and Disclosures of your PHI except as otherwise set forth in this Notice or as required or permitted by law.
If you provide Health Plan with your written authorization, you may revoke it at any time by submitting a written revocation to Health Plan’s Privacy Officer and Health Plan will no longer Use or Disclose PHI under the authorization. Any prior Use or Disclosure of PHI made in reliance on your authorization before revoked will not be affected by the revocation.
Uses and Disclosures that Require You be given an Opportunity to Agree or Disagree
Health Plan may Disclose PHI to your family members, other relatives or close personal friends if: (a) the PHI is directly relevant to a family member’s or friend’s involvement with your care or payment for your care; and (b) you have agreed to the Disclosure, have been given an opportunity to object and have not objected, or are unavailable to ask and Health Plan has determined, in the exercise of its professional judgment, that the Disclosure is in your best interests.
Section 2. Your Rights
All of your rights discussed below may be initiated by your written request to Health Plan, directed to the person and at the address indicated in Section 5 below. Health Plan may require your completion of an applicable form for each request.
Right to Request Restrictions on PHI and Disclosures
You may request that Health Plan restrict Uses and Disclosures of your PHI other than as set forth above. However, Health Plan is not required to agree to your request unless the request is to Health Plan to restrict the Disclosure for purposes of carrying out Payment or Health Care Operations and is not otherwise required by law and the PHI pertains solely to a health care item or service for which the health care provider involved has been paid out of pocket in full.
Right to Receive Confidential Communications
Health Plan will accommodate reasonable requests to receive communications of PHI by alternative means or at alternative locations if you clearly state that Disclosure of all or part of your PHI could endanger you.
Right to Access and Copy PHI
You have the right to access and obtain a copy of your PHI contained in a Designated Record Set, subject to certain exceptions, for as long as Health Plan maintains the PHI. The requested information will be provided to you as soon as reasonably possible, but no later than thirty (30) days after your request, unless Health Plan provides a written statement of the reasons for delay and the date by which it will provide the requested information, in no event more than thirty (30) additional days. If access is denied, you or your personal representative will be provided with a written denial explaining the basis for the denial, a description of how you may exercise review rights and a description of how you may complain to the Secretary of the U.S. Department of Health and Human Services.
Health Plan does not use or maintain electronic health records, which are defined as “an electronic record of health-related information on an [i]ndividual that is created, gathered, managed, and consulted by authorized health care clinicians and staff” with respect to 5 Individuals’ PHI. However, if Health Plan were to do so, and you request to access your PHI in a Designated Record Set, then you have the right to receive a copy of such PHI in an electronic format or to have Health Plan (or its Business Associate, if appropriate) transmit such copy to any person or entity that you designate, provided that your choice is clear, conspicuous, and specific. Health Plan may charge you a reasonable, cost-based fee for providing such copy.
Right to Amend PHI
You have the right to request that Health Plan amend your PHI or a record about you in a Designated Record Set, subject to certain exceptions, for as long as the PHI is maintained in the Designated Record Set.
“Designated Record Set” includes the medical records and billing records about Individuals maintained by or for a covered health care provider; enrollment, payment, billing, claims adjudication and case or medical management record systems maintained by or for Health Plan; or other information used in whole or in part by or for Health Plan to make decisions about Individuals.
Health Plan will act on your request as soon as reasonably possible, but no later than sixty (60) days after your request. If the request is denied, in whole or in part, Health Plan must provide you with a written denial explaining the basis for the denial, a description of how you may exercise review rights and a description of how you may complain to the Secretary of the U.S. Department of Health and Human Services. You or your personal representative may submit to Health Plan a written statement disagreeing with the denial or require that your request and the denial be provided with any further Disclosures of your PHI.
Right to Receive an Accounting of PHI Disclosures
You have the right to receive an accounting of Disclosures by Health Plan of your PHI during the six (6) years prior to the date of your request. The form and substance of the accounting to be given you will be in accordance with legal requirements. Health Plan will act on your request as soon as reasonably possible, but no later than sixty (60) days after your request. If you request more than one accounting within a 12-month period, Health Plan will charge a reasonable, cost-based fee for each accounting after the first one.
A Note About Personal Representatives
You may exercise your rights through a personal representative. Your personal representative will be required to produce evidence of his/her authority to act on your behalf before he/she will be given access to your PHI. Evidence of authority may take one of the following forms:
• a notarized power of attorney;
• a court order of appointment of the person as the conservator or guardian of the Individual; or
• being the parent of a minor child.
Health Plan retains discretion to deny access to your PHI to a personal representative if there are any safety concerns.
Section 3. Health Plan’s Duties
Privacy Notice
Health Plan is required by law to maintain the privacy of PHI, to provide participants with notice of its legal duties and privacy practices with respect to PHI, and to notify affected Individuals following a Breach of Unsecured PHI. This Notice is effective beginning October 14, 2020 and Health Plan is required to comply with the terms of this Notice. However, Health Plan reserves the right to change its privacy practices and the terms of this Notice, and to apply any such change to and make the new notice provisions effective for all PHI that Health Plan maintains, including any received or maintained by Health Plan prior to the date of such change. This Notice is posted on Health Plan’s website and is available electronically through the website. If there is a material change to this Notice, Health Plan will prominently post the change or a revised Notice of Privacy Practices on its website by the effective date of the material change to the Notice of Privacy Practices, and include the revised Notice of Privacy Practices, or information about the material change and how to obtain the revised Notice of Privacy Practices, in Health Plan’s next annual mailing to Individuals then covered by Health Plan, such as the annual mailing of the Women’s Health and Cancer Rights Act of 1998 notice and/or the Medicare Prescription Drug notice.
Minimum Necessary Standard
When Using or Disclosing PHI or when requesting PHI from another Covered Entity, Health Plan will limit the Use, Disclosure or request to a “limited data set” to the extent practicable or, if needed, will limit the Use, Disclose or request to the minimum amount of PHI necessary to accomplish its intended purpose(s). For purposes of compliance with HIPAA, a “limited data set” is PHI that excludes your direct identifiers (listed in 45 CFR §164.514(e)(2)) or those of relatives, employers, or household members.
The minimum necessary standard will not apply in the following situations:
• Disclosure to or requests by a health care provider for Treatment; • Uses or Disclosures made to you; • Uses or Disclosures made pursuant to your authorization;
• Disclosures made to the Secretary of the U.S. Department of Health and Human Services;
• Uses or Disclosures that are required by law; and
• Uses or Disclosures that are required for Health Plan’s compliance with legal regulations.
This Notice does not apply to information that has been de-identified. “De-identified information” is information that does not identify an Individual and with respect to which there is no reasonable basis to believe that the information can be used to identify an Individual.
Breach
If you are affected in the event that Health Plan or a Business Associate of Health Plan has a Breach of Unsecured PHI, Health Plan must notify you by regular mail without unreasonable delay and in no case later than sixty (60) days after discovering the Breach. If you are one of more than five hundred (500) residents of a State or jurisdiction whose Unsecured PHI is, or is reasonably believed to have been, accessed, acquired, Used or Disclosed as a result of a Breach, then Health Plan must notify you, the Secretary and prominent local media outlets in your State or jurisdiction of the Breach.
“Breach” means the acquisition, access, Use, or Disclosure of PHI in a manner not permitted under HIPAA’s privacy rules, which compromises the security, or privacy of the PHI.
“Unsecured PHI” is PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through encryption, destruction or other methodologies that may be approved by the Secretary.
Exceptions to Breach
• Any unintentional acquisition, access, or Use of PHI by a workforce member or person acting under the authority of Health Plan or Business Associate of Health Plan, if such acquisition, access, or Use was made in good faith and within the scope of authority and does not result in further Use or Disclosure in a manner not permitted by HIPAA.
• Any inadvertent Disclosure by a person who is authorized to access PHI at Health Plan or Business Associate of Health Plan to another person authorized to access PHI within Health Plan or the same Business Associate of Health Plan, or organized health care arrangement in which Health Plan participates, and the information received as a result of such Disclosure is not further Used or Disclosed in a manner not permitted by HIPAA.
• A Disclosure of PHI where Health Plan or Business Associate of Health Plan has a good faith belief that an unauthorized person to whom the Disclosure was made would not reasonably have been able to retain such information.
Section 4. Your Right to File a Complaint with Health Plan or DHHS Secretary
If you believe that your privacy rights have been violated, you may file a complaint with Health Plan by sending your complaint in writing to Huron-Erie School Employee Insurance Association Health Benefit Plan, Attention: Matthew Bauer, Privacy Officer, 4918 Milan Road, Sandusky, Ohio 44870.
You may file a complaint with the Secretary of the U.S. Department of Health and Human Services, Hubert H. Humphrey Building, 200 Independence Avenue S.W., Washington, D.C. 20201. Health Plan will not retaliate against you for filing a complaint.
Section 5. Whom to Contact at Health Plan for More Information
If you have any questions regarding this Notice or the subjects addressed in it, or if you would like to make requests of Health Plan or receive sample forms for the exercise of your legal privacy rights, you may contact Health Plan’s Privacy Officer, Matthew Bauer, at Huron-Erie School Employee Insurance Association Health Benefit Plan, 4918 Milan Road, Sandusky, Ohio 44870, phone: (419) 627-3901.
Conclusion
PHI Use and Disclosure by Health Plan is regulated by a federal law known as HIPAA (Health Insurance Portability and Accountability Act of 1996) as amended, including without limitation the amendments in the American Recovery and Reinvestment Act of 2009, and the implementing regulations. You may find these rules, as well as the capitalized terms not defined in this Notice, at 45 Code of Federal Regulations Parts 160 and 164. This Notice attempts to summarize the regulations. The regulations will supersede any discrepancy between the information in this Notice and the regulations. If a Use or Disclosure required or permitted by this Notice is prohibited or materially limited by state privacy or other applicable laws, Health Plan may be required to follow those state or other applicable laws. You have the right to obtain a paper copy of this Notice upon request, even if you have agreed to receive this Notice electronically.