Privacy and Security Information
THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
Note: The Plan Administrator may condition enrollment into the Plan or eligibility for benefits on you providing authorization to disclose Protected Health Information (PHI) when the authorization is requested by the Plan prior to your enrollment in the Plan if (1) the authorization sought is for the Plan's eligibility or enrollment determinations relating to you or for the Plan's underwriting or risk rating determinations and (2) the authorization is not for use or disclosure of psychotherapy notes.
PHI may be accessed by the Plan Administrator, privacy officer, or their designee, and business associates who perform administrative functions on behalf of the Plan, such as, but not limited to, benefit management, claim processing, utilization review, disease management programs, managed care programs, billing, data analysis, legal, actuarial, consulting, accounting or other related services. Business associates will safeguard this information in the same manner as the Plan Administrator.
The Standards for Privacy of Individually Identifiable Health Information ("Privacy Standards") protect medical records and other confidential health information that identifies (or could reasonably be used to identify) an individual, and relate to a past, present or future physical or mental condition of the individual or the provision of health care to an individual, or the payment for the provision of health care to the individual. This individually identifiable health information can be in any form (including electronic, written, or oral) that is created or received by a health plan (or other Covered Entity, as defined in the Privacy Standards) or employer.
Disclosure of Summary Health Information to the Plan Sponsor
In accordance with the Privacy Standards, the Plan may disclose Summary Health Information to the Plan Sponsor, if the Plan Sponsor requests the Summary Health Information for the purpose of (a) obtaining premium bids from health plans for providing health insurance coverage under this Plan or (b) modifying, amending or terminating the Plan.
“Summary Health Information” may be individually identifiable health information and it summarizes the claims history, claims expenses or the type of claims experienced by individuals in the plan, but it excludes all identifiers that must be removed for the information to be de-identified, except that it may contain geographic information to the extent that it is aggregated by five-digit zip code.
Disclosure of Protected Health Information (“PHI”) to the Plan Sponsor for Plan Administration Purposes
In order that the Plan Sponsor may receive and use PHI for Plan Administration purposes, the Plan Sponsor agrees to:
a) Not use or further disclose PHI other than as permitted or required by the Plan Documents or as Required by Law (as defined in the Privacy Standards);
b) Ensure that any agents, including a subcontractor, to whom the Plan Sponsor provides PHI received from the Plan agree to the same restrictions and conditions that apply to the Plan Sponsor with respect to such PHI;
c) Not use or disclose PHI for employment-related actions and decisions or in connection with any other benefit or employee benefit plan of the Plan Sponsor, except pursuant to an authorization which meets the requirements of the Privacy Standards;
d) Report to the Plan any PHI use or disclosure that is inconsistent with the uses or disclosures provided for of which the Plan Sponsor becomes aware;
e) Make available PHI in accordance with Section 164.524 of the Privacy Standards (45 CFR 164.524);
f) Make available PHI for amendment and incorporate any amendments to PHI in accordance with Section 164.526 of the Privacy Standards (45 CFR 164.526);
g) Make available the information required to provide an accounting of disclosures in accordance with Section 164.528 of the Privacy Standards (45 CFR 164.528);
h) Make its internal practices, books and records relating to the use and disclosure of PHI received from the Plan available to the Secretary of the U.S. Department of Health and Human Services (“HHS”), or any other officer or employee of HHS to whom the authority involved has been delegated, for purposes of determining compliance by the Plan with Part 164, Subpart E, of the Privacy Standards (45 CFR 164.500 et seq.);
i) If feasible, return or destroy all PHI received from the Plan that the Plan Sponsor still maintains in any form and retain no copies of such PHI when no longer needed for the purpose for which disclosure was made, except that, if such return or destruction is not feasible, limit further uses and disclosures to those purposes that make the return or destruction of the PHI infeasible; and
j) Ensure that adequate separation between the Plan and the Plan Sponsor, as required in Section 164.504(f)(2)(iii) of the Privacy Standards (45 CFR 164.504(f)(2)(iii)), is established as follows:
(ii) The access to and use of PHI by the individuals described in subsection (i) above shall be restricted to the Plan Administration functions that the Plan Sponsor performs for the Plan.
(iii) In the event any of the individuals described in subsection (i) above do not comply with the provisions of the Plan Documents relating to use and disclosure of PHI, the Plan Administrator shall impose reasonable sanctions as necessary, in its discretion, to ensure that no further non-compliance occurs. Such sanctions shall be imposed progressively (for example, an oral warning, a written warning, time off without pay and termination), if appropriate, and shall be imposed so that they are commensurate with the severity of the violation.
“Plan Administration” activities are limited to activities that would meet the definition of payment or health care operations, but do not include functions to modify, amend or terminate the Plan or solicit bids from prospective issuers. “Plan Administration” functions include quality assurance, claims processing, auditing, monitoring and management of carve-out plans, such as vision and dental. It does not include any employment-related functions or functions in connection with any other benefit or benefit plans.
The Plan shall disclose PHI to the Plan Sponsor only upon receipt of a certification by the Plan Sponsor that (a) the Plan Documents have been amended to incorporate the above provisions and (b) the Plan Sponsor agrees to comply with such provisions.
Disclosure of Certain Enrollment Information to the Plan Sponsor
Pursuant to Section 164.504(f)(1)(iii) of the Privacy Standards (45 CFR 164.504(f)(1)(iii)), the Plan may disclose to the Plan Sponsor information on whether an individual is participating in the Plan or is enrolled in or has disenrolled from a health insurance issuer or health maintenance organization offered by the Plan to the Plan Sponsor.
Disclosure of PHI to Obtain Stop-loss or Excess Loss Coverage
The Plan Sponsor hereby authorizes and directs the Plan, through the Plan Administrator or the Claims Administrator, to disclose PHI to stop-loss carriers, excess loss carriers or managing general underwriters (MGUs) for underwriting and other purposes in order to obtain and maintain stop-loss or excess loss coverage related to benefit claims under the Plan. Such disclosures shall be made in accordance with the Privacy Standards.
Other Disclosures and Uses of PHI
With respect to all other uses and disclosures of PHI, the Plan shall comply with the Privacy Standards.
HIPAA Security Standards
The Plan shall comply with the HIPAA Security rules (45 C.F.R. parts 160, 162 and 164) as they apply to electronic protected health information (EPHI) that is created, received, maintained or transmitted by or on behalf of the Plan. The HIPAA Security Standards apply effective April 20, 2005 (April 20, 2006 for small group plans). The Plan Administrator shall implement administrative, physical, and technical safeguards that reasonably protect the confidentiality, integrity, and availability of EPHI that is created, received, maintained or transmitted by or on behalf of the Plan. The Plan shall ensure that any independent contractor, agent or subcontractor with which the Plan enters into services agreements that involve EPHI shall implement reasonable and appropriate safeguards to protect such information. Any security incident (as defined in 45 CFR Section 164.304) relating to EPHI of which the Plan Administrator becomes aware shall be reported to the Plan and appropriate action shall be taken in conformance with applicable regulations.