IALR HIPAA Policies and Procedures

Institute for Advanced Learning & Research (IALR)
Policy on Use and Disclosure of Protected Health Information
It is the policy of the Institute for Advanced Learning & Research (IALR) (the “Employer”) and its
group health plans to treat with confidentiality the individually identifiable health information received or
maintained by the Employer’s group health plans, pursuant to the Health Insurance Portability and
Accountability Act of 1996, the Health Information Technology for Economic and Clinical Health Act, and
HIPAA privacy rules (collectively, “HIPAA”).
This policy applies to the Employer’s medical and dental plans and medical expense reimbursement
plan offered through the Institute for Advanced Learning & Research Health and Welfare Benefits Plan,
which are part of an “organized health care arrangement” under the HIPAA privacy rules, and are therefore
treated as a single covered entity for purposes of HIPAA privacy compliance. Hereafter, the medical, dental
and medical reimbursement plans shall be referred to as the “Health Plan.”
This Policy and the HIPAA privacy rules do not apply to medical information obtained by
the Employer from any sources other than the Health Plan. For example, this Policy and the
HIPAA privacy rules do not apply to health information received in connection with matters
relating to life insurance plans, short or long term disability plans, fitness for duty, Family and
Medical Leave Act, sick or accident leave, workers compensation, OSHA, drug, alcohol or other
pre-employment or post-employment medical examinations, receipt of medical information
pursuant to authorizations, or any other non-Plan disclosures made to the Employer, including all
employment records maintained by the Employer or other medical information the Employer or its
employees may receive from sources other than Employer group health plans.
Although the Employer’s Health Plan is a “covered entity” under the HIPAA privacy rules, the
Employer is not a covered entity under HIPAA privacy rules. This Policy does not afford any rights or
cause of action against the Employer, its officers, employees, or others, but simply states the Employer’s
policy of compliance with HIPAA privacy rules to the extent specifically applicable to Employer group
health plans.
Health Plan and Protected Health Information
The Employer has amended its Health Plan documents in accordance with the HIPAA privacy
rules. Employer employees must follow this Policy with respect to use and disclosure of Protected Health
Information (“PHI”). “Protected Health Information” or “PHI” means any individually identifiable health
information that meets all of the following requirements:
(i) Is created or received by the Health Plan, including individually identifiable health
information received by Employer employees acting on Health Plan administration and
received in that capacity;
(ii) Relates to the past, present, or future physical or mental health or condition of an individual;
the provision of health care to an individual; or the past, present, or future payment for the
provision of health care to an individual;
(iii) Identifies the individual or creates a reasonable basis to believe that the information could be
used to identify the individual; and
(iv) That is maintained or transmitted in any form or media.
PHI Does Not Include Medical Information Unrelated to Health Plan
Protected Health Information or PHI does not include medical information that is received by the
Employer or its employees in non-Health Plan capacities, including without limitation, health information
received in connection with matters relating to life insurance plans, short or long term disability plans,
Family and Medical Leave Act, sick or accident leave, workers compensation, OSHA, drug, alcohol or other
pre-employment or post-employment medical examinations, receipt of medical information pursuant to
authorizations, or any other non-Health Plan disclosures made to the Employer, including all employment
records maintained by the Employer or other medical information the Employer or its employees may
receive from sources other than Employer group health plans.
Privacy Officer
The Employer has appointed its Manager of Human Resources as the Privacy Officer to oversee the
Health Plan’s HIPAA privacy compliance and to oversee the development and implementation of the
Health Plan’s privacy policies and procedures in accordance with HIPAA privacy rules. In addition to his or
her other duties, the Privacy Officer will oversee the receipt and resolution of complaints related to the
privacy rules, and provide further information regarding matters covered by the Health Plan’s Notice of
Privacy Practices. The Privacy Officer may appoint others to assist in these duties.
Health Plan Workforce
The following employees designated by the Employer need access to PHI to carry out their duties in
administering the Health Plan: Manager of Human Resources and Director of Finance & Administration,
and any other employee designated by the Privacy Officer. These employees will be considered the Health
Plan’s “workforce” for purposes of this Policy and will have access to all categories of PHI in possession of
the Employer.
Training
The Employer will give privacy training to Employer employees involved in Health Plan
administration or who otherwise provide services to the Health Plan. Employer employees that work in
close proximity to employees working on Health Plan administration or that are likely to come into contact
with Health Plan PHI will be trained concerning privacy matters, as appropriate. The Employer will
document such training and retain the documentation for six years.
Safeguarding Protected Health Information
The Health Plan will reasonably safeguard PHI from any use or disclosure that is not authorized by
the individual to which the PHI pertains or otherwise permitted or required by the HIPAA privacy rules.
Employer employees who handle PHI shall take reasonable precautions to physically safeguard PHI from
being viewed by, accessed by, used by, or otherwise disclosed to anyone not authorized to handle PHI.
Use and Disclosure of Protected Health Information
PHI may be disclosed directly to the individual who is the subject of the PHI upon the individual’s
request. No authorization is necessary.
PHI may be used or disclosed for Health Plan-related purposes of treatment, payment, or Health
Plan administration without obtaining an authorization. An individual’s PHI may be used or disclosed for
the following Health Plan-related purposes:
Payment activities, such as:
obtaining premiums;
determining responsibility for coverage;
claims processing and management; and,
providing reimbursement for health care.
The following plan administration/plan sponsor functions:
quality assessment;
evaluation of providers;
activities relating to obtaining or amending insurance contracts;
disease management; and,
cost management.
HIPAA Privacy Rule Not Intended to Impede Customary and Essential Communications
Concerning Health Care and Health Care Benefits
The HIPAA privacy rules recognize that many customary health care communications and practices
play an important, even essential role in ensuring that individuals receive prompt and effective health care
and health care benefits. The U.S. Department of Health and Human Services (HHS) has emphasized that
the HIPAA Privacy Rule is not intended to impede these customary and essential communications and
practices. The HIPAA privacy rule does not require that all risk of incidental use or disclosure be
eliminated to satisfy privacy standards. Rather, the Privacy Rule permits certain incidental uses and
disclosures of protected health information to occur where, as here, the Employer has in place reasonable
safeguards and minimum necessary policies and procedures to protect an individual’s privacy. This policy
recognizes that prompt and effective health care plan administration is a goal respected and encouraged by
the HIPAA privacy rule.
Disclosure of Enrollment Information
The fact that an individual is participating in the Health Plan or has enrolled or disenrolled from a
health insurance issuer or HMO offered under the Health Plan may be disclosed to Employer personnel
(for appropriate reasons related to Plan administration) without the individual’s authorization.
Disclosure for Treatment
An individual’s PHI may be disclosed to a health care provider (such as a doctor, hospital, or
pharmacy) for treatment purposes. This disclosure is not subject to the “minimum necessary” standard.
The doctor can have access to any health information the doctor feels is necessary to provide quality
treatment.
No Disclosure of PHI for Employment Purposes
An individual’s PHI may not be disclosed to any employee of the Employer for the purpose of
employment-related actions or decisions or in connection with any other benefit or employee benefit plan
(e.g., a disability or life insurance plan).
Personally Identifiable Medical Information Needed for Employment Decisions Will Not Be
Obtained from the Health Plan
Consistent with past practices, where medical information is needed for employment decisions, the
Employer will obtain the medical information from sources other than the Health Plan. Thus the Employer
will continue to receive medical information in connection with non-Health Plan functions, including health
information received in connection with matters relating to life insurance plans, short or long term disability
plans, fitness for duty, Family and Medical Leave Act, sick or accident leave, workers compensation, OSHA,
drug, alcohol or other pre-employment or post-employment medical examinations, and receipt of medical
information pursuant to authorizations. Such medical information and any other non-Health Plan
disclosures made to the Employer are employment records of the Employer and not governed by the
HIPAA privacy rules.
HIPAA Privacy Rules Do Not Apply to Disclosures of Medical Information for Non-Health Plan
Purposes
Employer employees frequently communicate medical information about themselves or their family
to fellow employees for non-Health Plan purposes. For example, employees may tell their co-workers about
anticipated operations, pregnancies, or other medical conditions or procedures. These non-Health Plan
informal disclosures are not governed by the HIPAA privacy rules.
Disclosures Pursuant to Written Authorizations
An authorization is a detailed document that gives covered entities permission to use protected
health information for specified purposes, which are generally other than treatment, payment, or health care
operations, or to disclose protected health information to a third party specified by the individual. An
authorization must specify a number of elements, including a description of the protected health
information to be used and disclosed, the person authorized to make the use or disclosure, the person to
whom the covered entity may make the disclosure, an expiration date, and, in some cases, the purpose for
which the information may be used or disclosed. With limited exceptions, covered entities may not
condition treatment or coverage on the individual providing an authorization.
A use or disclosure of PHI that is not for treatment, payment or health plan administration may be
disclosed if the affected individual gives a proper written authorization. The written authorization must
meet specific requirements and care should be taken that those requirements are met.
An individual cannot be required to sign an authorization as a condition of receiving health care
treatment or health care benefits. For non-health care benefit plans, authorizations can be a condition of
receiving benefits. For example, consistent with the terms of Employer policies, plans, programs and
applicable law, individuals who refuse to authorize release of appropriate medical information may be
denied employment, short or long term disability benefits, return to work, Family and Medical Leave, sick or
accident leave, workers compensation benefits, and other non-health plan benefits.
Likewise, before enrollment in the Health Plan, an authorization may be required for eligibility and
enrollment purposes or for underwriting or risk rating determinations. Moreover the Health Plan may use
or disclose PHI for treatment, payment, and other Health Plan administration purposes that are permitted
without authorization.
Revocation of Authorization
An individual may revoke a valid authorization, except to the extent that the Health Plan has taken
action in reliance on the authorization, or the authorization was obtained as a condition of obtaining
insurance coverage.
Documentation of Authorization
A copy of the signed authorization form must be provided to the individual and retained by the
Health Plan.
Required Elements of a Valid Authorization
An authorization directing the Health Plan to release information is valid under the HIPAA privacy
rules, if it meets all of the following requirements:
It must be written in plain language;
It must not have expired or have been revoked;
It must not contain material information known to be false by Health Plan personnel relying on the
authorization;
It must (1) contain a specific description of the information to be used or disclosed; (2) identify the
person(s), or class of persons, authorized to make the requested use or disclosure; (3) identify the
person(s), or class of persons, to whom the Health Plan may make the requested use or disclosure;
(4) describe the purpose of the requested use or disclosure (where the individual initiates the
authorization, the statement “at the request of the individual” is sufficient); (5) contain an
expiration date or expiration event; and (6) contain the signature of the individual and date signed
(and description of authority if signed by a personal representative).
It must contain statements putting the individual on notice of: (1) the individual’s right to revoke the
authorization in writing; (2) the exceptions to the right to revoke and a description of how to revoke
the authorization (if such information is contained in the Notice of Privacy Practices, a reference to
the Notice of Privacy Practices is sufficient); and (3) if applicable, a statement that the Health Plan may
not condition treatment, payment, enrollment, or eligibility for benefits on whether the individual
signs the authorization, or, where the Health Plan does condition enrollment in the Plan or eligibility for
benefits on the individual’s provision of an authorization before enrollment (for purposes of the Health
Plan’s eligibility or enrollment determinations relating to the individual or for its underwriting or risk
rating determinations, but not for psychotherapy notes), a statement of the consequences to the
individual of refusing to sign the authorization.
It must contain a statement advising the individual of the potential for information disclosed
pursuant to the authorization to be subject to re-disclosure by the recipient and no longer be
protected under HIPAA privacy rules.
Workers’ Compensation
The HIPAA Privacy Rule does not apply to entities that are either workers’ compensation insurers,
workers’ compensation administrative agencies, or employers. The HIPAA Privacy Rule recognizes that
these entities need access to the health information of individuals who are injured on the job or who have a
work-related illness to process or adjudicate claims, or to coordinate care under workers’ compensation
systems. Generally, this health information is obtained from health care providers who treat these
individuals and who may be covered by the Privacy Rule. The Privacy Rule recognizes the legitimate need
of insurers and other entities involved in the workers’ compensation systems to have access to individuals’
health information as authorized by State or other law. The Department of Health and Human Services has
said:
The Privacy Rule is not intended to impede the flow of health information to those who need it to process or adjudicate
claims, or coordinate care, for injured or ill workers under workers’ compensation systems. The minimum necessary
standard generally requires covered entities to make reasonable efforts to limit uses and disclosures of, as well as
requests for, protected health information to the minimum necessary to accomplish the intended purpose.
For disclosures of protected health information made for workers’ compensation purposes. . ., the minimum necessary
standard permits covered entities to disclose information to the full extent authorized by State or other law. In
addition, where protected health information is requested by a State workers’ compensation or other public official for
such purposes, covered entities are permitted reasonably to rely on the official’s representations that the information
requested is the minimum necessary for the intended purpose.
For disclosures of protected health information for payment purposes, covered entities may disclose the type and amount
of information necessary to receive payment for any health care provided to an injured or ill worker.
The minimum necessary standard does not apply to disclosures that are required by state or other
law or made pursuant to the individual’s authorization.
Disclosures to Business Associates of the Health Plan
The Health Plan may contract with third party entities to perform functions on behalf of the Health
Plan that may involve creation, use or disclosure of PHI. Such creation, use or disclosure of PHI is
governed by business associate agreements the Health Plan enters into with these Business Associates.
Business associate agreements must meet specific HIPAA privacy requirements. Employer employees
should not disclose PHI to third parties unless appropriate business associate agreements have been
executed and disclosures are made in accordance with those business associate agreements.
When the Individual is Present or Available and Can Agree or Object to the Use and Disclosure
In certain circumstances, the HIPAA privacy rules permit use or disclosure of PHI without a written
authorization provided (1) the individual knows in advance of the proposed use or disclosure, (2) has
the opportunity to agree or object, (3) orally agrees to the use or disclosure, and (4) meets the other
requirements discussed below. This section will often apply when the individual wants the Health Plan to
disclose PHI to family or friends.
When the individual is present or available the Health Plan may disclose to a relative, friend, or other
person identified by the individual PHI directly related to that person’s involvement with the individual’s
care or payment related to the health care, if Health Plan personnel (1) obtain the individual’s oral
agreement, or (2) give the individual an opportunity to object to the disclosure and the individual does not
object or (3) reasonably infer from the circumstances based on professional judgment that the individual
does not object to the disclosure.
Example: An employee and spouse together telephone Health Plan personnel to inquire about the
Health Plan’s treatment of a particular medical procedure experienced by the employee. The employee
orally states that she wants the Health Plan personnel to disclose her PHI to her husband. The Health Plan
personnel may disclose the PHI even without a written authorization.
Limited Disclosures When the Individual is Not Present
If the individual is not present or the opportunity to object or agree cannot be provided because of
the individual’s incapacity or an emergency situation, the Health Plan may, in the exercise of professional
judgment, determine whether disclosure to a family member or friend is in the best interests of the
individual. If so, the Health Plan may disclose to a relative, friend, or other person identified by the
individual the PHI that is directly related to that person’s involvement with the individual’s health care.
Disclosures Required by Law or to Government Entities
Disclosure of an individual’s PHI is permitted to comply with state or federal law. Also, there are
numerous instances where it may be appropriate to disclose PHI to law enforcement or as required by
another government entity. In these cases, the request for a disclosure of PHI should be referred to the
Privacy Officer. Such requests for PHI may come from public health authorities, social service agencies,
persons or companies claiming to have responsibility for quality, safety, or effectiveness of FDA-regulated
products (such as prescription drugs or medical devices), persons claiming to have been exposed to a
communicable disease or claiming to be at risk of contracting or spreading a disease or condition, health
oversight agencies conducting activities related to audits, investigations, disciplinary actions, government
benefit eligibility, or civil rights law compliance, courts, parties involved in litigation, law enforcement
officials, coroners and medical examiners, funeral directors, organ procurement organizations (and similar
organizations), researchers and research organizations, persons or other entities claiming to need PHI to
avert a serious threat to the health or safety of a person or the public, military authorities, federal officials
conducting national security activities, correctional institutions and other law enforcement custodial
situations requesting information regarding an inmate, individuals or agencies in relation to workers’
compensation matters, and any other individual or entity claiming to require the disclosure of PHI pursuant
to legal authority.
Disclosure of Limited Data Sets and De-Identified Information
The terms limited data set and de-identified information refer to health information that has had
most or all of the identifying information removed so that it cannot be used to identify an individual. If a
request is received for use or disclosure of a limited data set or de-identified information, contact the
Privacy Officer.
Reasonable Efforts to Limit Disclosure or Use to Minimum Necessary
Health Plan personnel should make reasonable efforts to limit the use or disclosure of PHI to the
“minimum necessary” to accomplish the intended purpose. For example, an individual’s particular medical
condition or treatment received should not be disclosed if it is sufficient to indicate the individual’s name
and date of service to accomplish a particular payment activity. This minimum necessary standard does not
apply to (1) disclosures to a health care provider for treatment; (2) uses or disclosures made to the
individual; (3) disclosures authorized by the individual; (4) required disclosures to the Department of Health
and Human Services; (5) uses or disclosures required by law; and (6) uses or disclosures required for
compliance with the privacy rules.
The Plan may rely, if such reliance is reasonable under the circumstances, on a requested disclosure
as the minimum necessary for the stated purpose when:
Making disclosures to public officials (as permitted under the privacy rules), provided that the
official represents that the information requested is the minimum necessary for the stated purpose;
The information is requested by another Covered Entity; or
The information is requested by a member of the Health Plan’s workforce or a Business Associate
of the Health Plan for the purpose of providing professional services to the Covered Entity,
provided the professional represents that the information requested is the minimum necessary for
the stated purpose.
When requesting PHI from another Covered Entity, members of the Health Plan’s workforce
should make reasonable efforts to limit the request to that which is reasonably necessary to accomplish the
purpose for which the request is made.
Uses of, Disclosures of, and Requests for, an Individual’s Entire Medical Record
An individual’s entire medical record may not be used, disclosed, or requested by a member of the
Health Plan’s workforce, except where the entire medical record is specifically justified as the amount that is
reasonably necessary to accomplish the purpose of the use, disclosure, or request.
Verification of Identity and Authority Prior to Disclosure
Before any disclosure is permitted in this policy, the identity and authority of the person to receive
the disclosure of PHI should be verified, unless the identity or authority of such person is already known to
the Health Plan.
Incidental Disclosures
The HIPAA Privacy Rule explicitly permits certain incidental disclosures that occur as a by-product
of an otherwise permitted disclosure - for example, inadvertent disclosure to other employees of PHI in
connection with administration of the Health Plan. The Privacy Officer shall be advised of significant
incidental disclosures in order to determine whether the Health Plan’s safeguards should be revised or
additional training or other steps taken to prevent or reduce future such disclosures.
Accounting of Disclosures of PHI
An accounting shall be maintained of disclosures of PHI as required by HIPAA privacy rules.
Disclosures of PHI are to be included in the accounting only if they do not fall into any of the following
categories:
Disclosures to carry out treatment, payment, or other Plan administration functions that are allowed
without authorization other than through an electronic health record;
Disclosures to the individual of his or her own PHI;
Disclosures incident to a use or disclosure otherwise permitted;
Disclosures pursuant to an individual’s valid authorization;
Disclosures for which the individual was given an opportunity to object;
Disclosures for national security or intelligence purposes, or to correctional institutions or law
enforcement; or,
Disclosures that were part of a limited data set used for Plan administration functions.
The accounting must include (1) the date of the disclosure; (2) the name of the entity or person who
received the PHI (and address if known); (3) a brief description of the PHI disclosed; and (4) a brief
statement of the purpose of the disclosure or a copy of the written request for the disclosure (if any).
If, during the applicable period, the Plan has made multiple disclosures of PHI to the same person
or entity for a single purpose (such as disclosures required by the Department of Health and Human
Services), the accounting may provide the information required for the first disclosure, then state the
frequency of disclosures made during the period and the date of the last such disclosure.
A log shall be maintained that contains the information required above, which shall be used to
record each disclosure of PHI that is required to be included in the content of an accounting. The Privacy
Officer shall maintain the accounting.
Mitigation of Harmful Effects of Improper Use or Disclosure
A use or disclosure of PHI made in violation of the HIPAA privacy rules by the Plan or any
Business Associate will be promptly brought to the attention of the Privacy Officer. At the direction of the
Privacy Officer, the Health Plan will make reasonable efforts to mitigate, if practicable, known harmful
effects of a use or disclosure violating the HIPAA privacy rules.
Right to Receive Notice of Privacy Practices and Request Further Information
An individual has the right to receive a Notice of Privacy Practices.
An individual may request further information regarding matters discussed in the Notice of Privacy
Practices. An individual should direct such requests to the Privacy Officer.
A response to an individual’s inquiry shall be made as soon as practicable under the circumstances.
Where a response will take longer than twenty business days, the individual should be notified in writing that
the individual’s inquiry is under consideration and that a longer period of time is needed to respond.
Right to Access PHI
Pursuant to the HIPAA privacy rules an individual generally has a right of access to inspect and
obtain a copy of the Health Plan’s PHI about that individual held in a designated record set.
Requests for access to PHI must be in writing addressed to the Privacy Officer. A request for
access must be acted upon no later than 30 days after receipt of the request (60 days if the PHI is not
maintained or accessible on-site). The 30-day period (but not the 60-day period) may be extended by up to
30 days if written notice is given to the individual.
Reasonable cost-based fees will be imposed for copies and written summaries or explanations
(supplies and labor), postage (if mailed), and preparation of the explanation or summary (if agreed to by the
individual).
If access to PHI is denied, in whole or part, the individual must be informed within the applicable
timeframe and be provided with access to any other PHI to which the individual has been granted access
(after excluding the PHI for which access was denied). Notice of any denial must be written in plain
language and:
indicate the basis for the denial;
describe the individual’s rights (if any) to request a review of the denial and the requirements for
doing so;
describe how the individual may file a complaint with the Privacy Officer and how the individual may
file a complaint with HHS.
If the Health Plan does not maintain the requested PHI, and the Health Plan knows where the PHI
is maintained, the individual will be given information to redirect his or her request.
Right to Correct or Amend PHI
An individual may request that the Health Plan correct or amend PHI or other records about the
individual held in a designated record set for as long as the PHI or record is so maintained. Such requests
will be considered by the Privacy Officer or his or her delegate under the standards set forth by the HIPAA
privacy rules.
The request must be in writing to the Privacy Officer and must contain reasons sufficient to support
the request. A request for amendment of PHI must be acted upon no later than 60 days after receipt of the
request. The 60-day period may be extended by up to 30 days if written notice is given to the individual.
If a request to amend PHI is denied, in whole or part, the individual must be provided with notice
of the denial within the timeframes described above. The notice must be written in plain language and
indicate the basis for the denial; describe the individual’s right to submit a written statement disagreeing with
the denial and the requirements for doing so; state that, if the individual does not submit a statement of
disagreement, the individual may request that the Plan provide the individual’s request for amendment and
the denial with any future disclosures of the PHI; describe how the individual may file a complaint with the
Privacy Officer; and describe how the individual may file a complaint with HHS.
The individual may then submit a written statement disagreeing with the denial of all or part of a
requested amendment and the basis of such disagreement. If upon review of the written statement the
request is still denied, the Health Plan will provide written denial to the individual. Then, the individual’s
request for an amendment, the Plan’s denial, the individual’s statement of disagreement (if any), and the
Plan’s denial (if any) must be appended or linked to the record or PHI in the Designated Record Set.
If a statement of disagreement is submitted by the individual, any future disclosure of the PHI that
was the subject of the dispute must include the material appended to the record or PHI. Inclusion of this
material is not required if the individual has not submitted a written disagreement, unless the individual so
requests.
Right to Request Restrictions on Use and Disclosure of PHI
An individual has the right to make a written request that the Health Plan restrict uses and
disclosures of the individual’s PHI used to carry out treatment, payment, or Plan administration functions
and other disclosures otherwise permitted.
The Health Plan is not required to agree to such restrictions, and generally does not accommodate
such requests. The Privacy Officer will consider these requests in the first instance and is authorized to
deny them without further approval. Before approving any such request, the Privacy Officer will determine
whether appropriate Business Associates can accommodate such requests. The individual will be advised in
writing whether or not the Health Plan agrees to the request.
Right to Request Confidential Communications
An individual has the right to request, in writing directed to the Privacy Officer, that
communications of PHI to the individual be made by alternative means or at alternative locations. The Plan
is required to accommodate any reasonable request if the individual clearly states in the request that the
disclosure of all or part of the PHI by the usual means could endanger the individual.
The Health Plan only accommodates such requests to avoid endangerment of the individual or for
some other reasonable purpose that does not create administrative burdens on the Health Plan. The Health
Plan will advise the individual of its decision in writing.
Right to an Accounting of Disclosures of PHI
An individual may make a written request to the Privacy Officer for an accounting of disclosures of
the individual’s PHI made by the Health Plan as provided above. The requested accounting period cannot
exceed the six (6) year period prior to the date on which the request for an accounting was received, except
for disclosures through an electronic health record for treatment, payment, and health care operations,
which cannot exceed the three (3) year period prior to the date on which the request for an accounting was
received.
The accounting will be provided within 60 days after receipt of the request. The 60-day period may
be extended by up to 30 days if written notice is given to the individual. The first accounting in any
12-month period will be provided without charge. The Plan will impose a reasonable, cost-based fee for each
subsequent request within the 12-month period, provided that the individual is given prior notice of the fee
so that the individual may withdraw or modify the request.
The Health Plan must document any written accounting that is provided to an individual.
Personal Representatives
In general, a personal representative may exercise the same rights as the individual with respect to
the individual’s PHI.
If under applicable law a person has authority to act on behalf of an individual in making decisions
related to health care (including without limitation a parent, guardian, or other person acting in loco
parentis), the Health Plan must treat such person as that individual’s personal representative with respect to
PHI, except that applicable state law may limit a parent’s authority over a minor’s PHI. A person claiming
to have such authority to act on behalf of another must submit appropriate evidence of such authority.
The Health Plan may elect not to treat a person as the personal representative of an individual if (1)
it is reasonable to believe that the individual has been or may be subject to domestic violence, abuse, or
neglect by such person or that treating such person as the personal representative could endanger the
individual; or (2) based upon advice of a health care provider exercising professional judgment, the Health
Plan after consultation with the Privacy Officer decides that it is not in the best interest of the individual to
treat the person as the individual’s personal representative.
Deceased Individuals
The HIPAA privacy rules apply to the PHI of deceased individuals. If an executor, administrator, or
other person has authority to act on behalf of a deceased individual or the individual’s estate, the Health
Plan must treat such person as a personal representative with respect to PHI relevant to such personal
representation.
Notice of Privacy Practices
Individuals have the right to receive a Notice of Privacy Practices issued by the Health Plan
(“Notice”). This Notice describes the various uses and disclosures that the Health Plan, the Employer, and
the Plan’s Business Associates may make of an individual’s PHI. It also describes the various rights that
individuals have with respect to their PHI.
The Notice will be provided to all employees of the Employer enrolled in the Health Plan. Under
HIPAA privacy rules, giving the Notice to the employee is deemed to be notice to the employee’s covered
spouse and/or dependents.
The Notice will be provided at the time an employee enrolls in the Health Plan. Within 60 days of a
material revision to the Notice, a new Notice will be provided to all employees then covered under the
Health Plan. At least once every three years, the Health Plan must inform all employees covered under the
Health Plan of the availability of the Notice and how to obtain the Notice.
The Notice will be provided by paper copy, unless the employee agrees to receive the Notice by
e-mail. If an e-mail transmission is unsuccessful, the individual shall be provided a paper copy. Any individual
may obtain a paper copy of the Notice at any time upon request. The Notice may also be made available on
the Employer’s website.
The Health Plan may issue a joint Notice for all the group health plans that make up the Health Plan.
Revisions to the Notice shall apply to PHI created or received prior to the effective date of the revision.
Complaints and Investigations
The Health Plan provides a process for individuals to file complaints concerning the Health Plan’s
privacy policies and procedures, its compliance with those policies and procedures, and its compliance with
the privacy rules. Individuals also have the right to file complaints with HHS.
An individual may file a complaint with the Privacy Officer regarding:
• The content of the Plan’s privacy policies and procedures;
• Any violation of the Plan’s privacy policies and procedures by the Plan, the Employer, or a
Business Associate; and,
• Any violation of the HIPAA Privacy Rules.
No individual shall be required to waive his or her right to file a complaint with HHS as a condition
of enrollment in the Plan or eligibility for benefits.
No Employer employee should intimidate, threaten, coerce, discriminate against, or take other
retaliatory action against any individual for (1) filing a complaint under the privacy rules or exercising rights
under the privacy rules; (2) filing a complaint with HHS; (3) participating in any investigation, review or
proceeding under the privacy rules; or (4) reasonably opposing in good faith any act prohibited by the
privacy rules, provided the individual does not disclose PHI in violation of the privacy rules.
No Right of Action or Contract Rights Created by this Policy
The HIPAA privacy rule does not authorize individuals to file private lawsuits for violations of the
privacy rules, nor does this policy create any contract or other right enforceable in court. This Policy
describes the Employer’s policy of complying with HIPAA privacy rules and remedies under this policy are
limited to those specifically provided under the HIPAA privacy rules, including the right to file a complaint
with the Health Plan or with HHS. The Privacy Officer has authority and discretion to interpret this policy,
and the Privacy Officer’s interpretations shall be final and binding on all persons.
Discipline of Employees who Fail to Follow Privacy Policy
Failure to follow the privacy policies is grounds for disciplinary action. The Privacy Officer will
determine appropriate discipline in accordance with the Employer’s normal disciplinary policies, which may
include mandatory training, suspension (with or without pay), demotion, and other disciplinary action up to
and including termination of employment.
Maintenance of Records
The Health Plan will maintain written or electronic records of its policies and procedures, any
communications that are required to be in writing by the privacy rules, and any actions, activities or
designations that are required by the privacy rules to be documented. Such records will be maintained until
six years after the later of:
• the date the record was created; or,
• the date when it was last effective.
Reportable Breach Notification Policy
I. Introduction
Under the Breach Regulations at 45 C.F.R. § 164.400 et seq., if a Reportable Breach of unsecured protected
health information has occurred, the Plan must comply with certain notice requirements with respect to the
affected individuals, HHS, and, in certain instances, the media.
II. Identifying a Reportable Breach
The first step is to determine whether a Reportable Breach has occurred. If a Reportable Breach has not
occurred, the notice requirements do not apply.
The Privacy Officer is responsible for reviewing the circumstances of possible breaches brought to his or
her attention and determining whether a Reportable Breach has occurred in accordance with this Reportable
Breach Notification Policy and the Breach Regulations. All Business Associates, and all workforce members
who have access to PHI, are required to report to the Privacy Officer any incidents involving possible
breaches.
Acquisition, access, use, or disclosure of unsecured PHI in a manner not permitted under the HIPAA
Privacy Rules is presumed to be a Reportable Breach, unless the Privacy Officer determines that there is a
low probability that the privacy or security of the protected health information has been or will be
compromised.
The Privacy Officer’s determination of whether a Reportable Breach has occurred must include the
following considerations:
• Was there a violation of HIPAA Privacy Rules? There must be an impermissible use or disclosure
resulting from or in connection with a violation of the HIPAA Privacy Rules by the Plan or a
Business Associate of the Plan. If not, then the notice requirements do not apply.
• Was PHI involved? If not, then the notice requirements do not apply.
• Was the PHI secured? For electronic protected health information to be “secured,” it must have
been encrypted to NIST standards or destroyed. For paper PHI to be “secured,” it must have been
destroyed. If yes, then the notice requirements do not apply.
• Was there unauthorized access, use, acquisition, or disclosure of PHI? The violation of HIPAA
Privacy Rules must have involved one of these. If it did not, then the notice requirements do not
apply.
• Is there a low probability that privacy or security was compromised? If the Privacy Officer
determines that there is only a low probability of compromise, then the notice requirements do not
apply.
To determine whether there is only a low probability that the privacy or security of the PHI was
compromised, the Privacy Officer must perform a risk assessment that considers at least the following
factors:
• The nature and extent of the PHI involved, including the types of identifiers and the likelihood of
re-identification. For example, did the disclosure involve financial information, such as credit card
numbers, Social Security numbers, or other information that increases the risk of identity theft or
financial fraud; did the disclosure involve clinical information such as a treatment plan, diagnosis,
medication, medical history, or test results that could be used in a manner adverse to the individual
or otherwise to further the unauthorized recipient’s own interests.
• The unauthorized person who used the PHI or to whom the disclosure was made. For example,
does the unauthorized recipient of the PHI have obligations to protect the privacy and security of
the PHI, such as another entity subject to the HIPAA privacy and security rules or an entity required
to comply with the Privacy Act of 1974 or the Federal Information Security Management Act of
2002, and would those obligations lower the probability that the recipient would use or further
disclose the PHI inappropriately? Also, was the PHI impermissibly used within a covered entity or
business associate, or was it disclosed outside a covered entity or business associate?
• Whether the PHI was actually acquired or viewed. If there was only an opportunity to view
the information, but the Privacy Officer determines that the information was not, in fact, viewed,
there may be a lower (or no) probability of compromise. For example, if a laptop computer containing PHI was
lost or stolen and subsequently recovered, and the Privacy Officer is able to determine (based on a
forensic examination of the computer) that none of the information was actually viewed, there may
be no probability of compromise.
• The extent to which the risk to the protected health information has been mitigated. For example, if
the Plan can obtain satisfactory assurances (in the form of a confidentiality agreement or similar
documentation) from the unauthorized recipient that the information will not be further used or
disclosed or will be destroyed, the probability that the privacy or security of the information has
been compromised may be lowered. The identity of the recipient (e.g., another covered entity) may
be relevant in determining what assurances are satisfactory.
If the Privacy Officer determines that there is only a low probability that the privacy or security of the
information was compromised, then the Plan will document the determination in writing, keep the
documentation on file, and not provide notifications. On the other hand, if the Privacy Officer is not able to
determine that there is only a low probability that the privacy or security of the information was
compromised, the Plan will provide notifications.
If an exception applies, then a Reportable Breach has not occurred, and the notice requirements are not
applicable.
Exception 1: A Reportable Breach does not occur if the breach involved an unintentional access,
use, or acquisition of PHI by a workforce member or Business Associate, if the unauthorized access,
use, acquisition, or disclosure: (a) was in good faith; (b) was within the scope of authority of the
workforce member or Business Associate; and (c) does not involve further use or disclosure in
violation of the HIPAA privacy rules. For example, the exception might apply if an employee
providing administrative services to the Plan were to access the claim file of a participant whose
name is similar to the name of the intended participant; but if the same employee intentionally looks
up PHI of his neighbor, the exception does not apply.
Exception 2: A Reportable Breach has not occurred if the breach involved an inadvertent disclosure
from one person authorized by the Plan to have access to PHI to another person at the same
covered entity or Business Associate also authorized to have access to the PHI, provided that there
is no further use or disclosure in violation of the HIPAA Privacy Rules. For example, the exception
might apply if an employee providing administrative services to the Plan inadvertently emailed PHI
to the wrong co-worker; but if the same employee emailed the PHI to an unrelated third party, the
exception likely does not apply.
Exception 3: A Reportable Breach has not occurred if the breach involved a disclosure where there
is a good faith belief that the unauthorized person to whom the disclosure was made would not
reasonably have been able to retain the PHI. For example, the exception may apply to an EOB
mailed to the wrong person and returned to the Plan unopened, or if a report containing PHI is
handed to the wrong person, but is immediately retrieved before the person can read it. However,
the exception does not apply if an EOB was mailed to the wrong person and the unintended
recipient opened the envelope before realizing the mistake.
III. If a Reportable Breach Has Occurred: Notice Timing and Responsibilities
If the Privacy Officer determines that a Reportable Breach has occurred, the Privacy Officer will determine
(in accordance with the Breach Regulations) the date the breach was discovered in order to determine the
time periods for giving notice of the Reportable Breach. The Plan must have reasonable systems and
procedures in place to discover the existence of possible breaches, and train workforce members to notify
the Privacy Officer or other responsible person immediately so the Plan can act within the applicable time
periods.
The Privacy Officer is responsible for the content of notices and for the timely delivery of notices in
accordance with the Breach Regulations. However, the Privacy Officer may, on behalf of the Plan, engage a
third party (including a Business Associate) to assist with preparation and delivery of any required notices.
The Breach Regulations may require a breach to be treated as discovered on a date that is earlier than the
date the Plan had actual knowledge of the breach. The Privacy Officer will determine the date of discovery
as the earlier of: (1) the date that a workforce member (other than a workforce member who committed the
breach) knows of the events giving rise to the breach; and (2) the date that a workforce member or agent of
the Plan, such as a Business Associate (other than the person who committed the breach) would have
known of the events giving rise to the breach by exercising reasonable diligence.
Except as otherwise specified in the notice sections that follow, notices must be given “without
unreasonable delay” and in no event later than 60 calendar days after the discovery date of the breach.
Accordingly, the investigation of a possible breach, to determine whether it is a Reportable Breach and the
individuals who are affected, must be undertaken in a timely manner that does not impede the notice
deadline.
There is an exception to the timing requirements if a law-enforcement official asks the Plan to delay giving
notices.
IV. Business Associates
If a Business Associate commits or identifies a possible Reportable Breach relating to Plan participants, the
Business Associate must give notice to the Plan. The Plan is responsible for providing any required notices
of a Reportable Breach to individuals, HHS, and (if necessary) the media.
Unless otherwise required under the Breach Regulations, the discovery date for purposes of the Plan's
notice obligations is the date that the Plan receives notice from the Business Associate.
In its Business Associate contracts, the Plan will require Business Associates to:
• report incidents involving breaches or possible breaches to the Privacy Officer in a timely manner;
• provide to the Plan any and all information requested by the Plan regarding the breach or possible
breach, including, but not limited to, the information required to be included in notices (as described
below); and,
• establish and maintain procedures and policies to comply with the Breach Regulations, including
workforce training.
V. Notice to Individuals
Notice to the affected individual(s) is always required in the event of a Reportable Breach. Notice will be
given without unreasonable delay and in no event later than 60 calendar days after the date of discovery (as
determined above).
A. Content of Notice to Individuals
Notices to individuals will be written in plain language and contain all of the following, in accordance with
the Breach Regulations:
• A brief description of the incident.
• If known, the date of the Reportable Breach and the Discovery Date.
• A description of the types of unsecured PHI involved in the Reportable Breach (for example, full
name, Social Security numbers, address, diagnosis, date of birth, account number, disability code, or
other).
• The steps individuals should take to protect themselves (such as contacting credit card companies
and credit monitoring services).
• A description of what the Plan is doing to investigate the Reportable Breach, such as filing a police
report or reviewing security logs or tapes.
• A description of what the Plan is doing to mitigate harm to individuals.
• A description of what measures the Plan is taking to protect against further breaches (such as
sanctions imposed on workforce members involved in the Reportable Breach, encryption,
installation of new firewalls).
• Contact information for individuals to learn more about the Reportable Breach or ask other
questions, which must include at least one of the following: toll-free phone number, e-mail address,
website, or postal address.
B. Types of Notice to Individuals
The Plan will deliver individual notices using the following methods, depending on the circumstances of the
breach and the Plan's contact information for affected individuals.
Actual Notice will be given in all cases, unless the Plan has insufficient or out-of-date addresses for the
affected individuals. Actual written notice:
• will be sent via first-class mail to the last known address of the individual(s);
• may be sent via e-mail instead, if the individual has agreed to receive electronic notices;
• will be sent to the parent on behalf of a minor child; and,
• will be sent to the next-of-kin or personal representative of a deceased person, if the Plan knows the
individual is deceased and has the address of the next-of-kin or personal representative.
Substitute Notice will be given if the Plan has insufficient or out-of-date addresses for the affected
individuals.
If addresses of fewer than ten living affected individuals are insufficient or out-of-date, substitute notice
may be given by telephone, an alternate written notice, or other means.
If addresses of ten or more living affected individuals are insufficient or out-of-date, substitute notice must
be given via either website or media.
Substitute notice via website. Conspicuous posting on home page of the website of the Plan for 90 days,
including a toll-free number that remains active for at least 90 days where individuals can learn whether the
individual's unsecured information may have been included in the breach. Contents of the notice can be
provided directly on the website or via hyperlink.
Substitute notice via media. Conspicuous notice in major print or broadcast media in the geographic areas
where the affected individuals likely reside, including a toll-free number that remains active for at least 90
days where individuals can learn whether the individual's unsecured information may have been included in
the breach. It may be necessary to give the substitute notice in both local media outlet(s) and statewide
media outlet(s) and in more than one state.
Substitute Notice is not required if the individual is deceased and the Plan has insufficient or out-of-date
information that precludes written notice to the next-of-kin or personal representative of the individual.
Urgent Notice will be given, in addition to other required notice, in circumstances where imminent misuse
of unsecured PHI may occur. Urgent notice must be given by telephone or other appropriate means.
Example: Urgent notice is given to an individual by telephone. The Plan must also send an individual notice
via first-class mail.
VI. Notice to Health and Human Services (“HHS”)
Notice of all Reportable Breaches will be given to HHS. The time and manner of the notice depends on the
number of individuals affected. The Privacy Officer is responsible for both types of notice to HHS.
Immediate Notice to HHS. If the Reportable Breach involves 500 or more affected individuals, regardless of
where the individuals reside, notice will be given to HHS without unreasonable delay, and in no event later
than 60 calendar days after the date of discovery (as determined above). Notice will be given in the manner
directed on the HHS website.
Annual Report to HHS. The Privacy Officer will maintain a log of Reportable Breaches that involve fewer
than 500 affected individuals, and will report to HHS the Reportable Breaches that were discovered in the
preceding calendar year. The reports are due within 60 days after the end of the calendar year. The reports
will be submitted as directed on the HHS website.
VII. Notice to Media (Press Release)
Notice to media (generally in the form of a press release) will be given if a Reportable Breach affects more
than 500 residents of any one state or jurisdiction. For example:
• If a Reportable Breach affects 600 individuals who are residents of Virginia, notice to media is
required.
• If a Reportable Breach affects 450 individuals who are residents of Virginia and 60 individuals who
are residents of West Virginia, notice to media is not required.
If notice to media is required, notice will be given to prominent media outlets serving the state or
jurisdiction. For example:
• If a Reportable Breach involves residents of one city, the prominent media outlet would be the city’s
newspaper or TV station.
• If a Reportable Breach involves residents of various parts of the state, the prominent media outlet
would be a statewide newspaper or TV station.
• If a Reportable Breach affects 600 individuals who are residents of Virginia, and 510 individuals who are
residents of West Virginia, notice to media in both states is required.
If notice to media is required, it will be given without unreasonable delay, and in no event more than 60
calendar days after the date of discovery (as determined above). The content requirements for a notice to
media are the same as the requirements for a notice to individuals. The Privacy Officer is responsible for
giving notice to media.
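As an added illustration, and not part of the policy itself, the notice thresholds of Sections V.B, VI and VII can be encoded as a single decision function so that an incident-response checklist applies them consistently. The BreachRecord fields and the state counts below are constructed inputs (the worked examples are the ones the policy gives above); the function returns which notices are due and the 60-day deadline.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

# Thresholds as stated in Sections V.B, VI and VII of the policy.
NOTICE_DEADLINE_DAYS = 60        # "in no event later than 60 calendar days after the date of discovery"
HHS_IMMEDIATE_MINIMUM = 500      # 500 or more affected individuals -> immediate notice to HHS
MEDIA_STATE_MINIMUM = 501        # more than 500 residents of any one state -> notice to media
SUBSTITUTE_WEBSITE_MINIMUM = 10  # ten or more bad addresses -> substitute notice via website or media


@dataclass
class BreachRecord:
    """Facts established by the Privacy Officer about a Reportable Breach (constructed input)."""
    discovery_date: date
    residents_by_state: Dict[str, int]  # state code -> affected living individuals
    bad_addresses: int = 0              # living individuals with insufficient or out-of-date addresses;
                                        # deceased individuals without a next-of-kin address are excluded,
                                        # since substitute notice is not required for them
    imminent_misuse: bool = False       # imminent misuse of unsecured PHI -> Urgent Notice in addition


@dataclass
class NoticePlan:
    deadline: date                      # latest date for individual, immediate HHS, and media notice
    individual_notice: str
    substitute_notice: Optional[str]
    urgent_notice: bool
    hhs_notice: str
    media_states: List[str] = field(default_factory=list)


def plan_notices(b: BreachRecord) -> NoticePlan:
    """Apply the policy's notice rules to one Reportable Breach."""
    total = sum(b.residents_by_state.values())
    deadline = b.discovery_date + timedelta(days=NOTICE_DEADLINE_DAYS)

    # V.B: actual written notice always goes out (first-class mail, or e-mail if the individual agreed)
    individual = "first-class mail (e-mail only where the individual agreed to electronic notice)"

    # V.B: substitute notice depends on how many living individuals cannot be reached by mail
    if b.bad_addresses <= 0:
        substitute = None
    elif b.bad_addresses < SUBSTITUTE_WEBSITE_MINIMUM:
        substitute = "telephone, alternate written notice, or other means"
    else:
        substitute = "website posting for 90 days or media, with a toll-free number active at least 90 days"

    # VI: HHS receives immediate notice at 500 or more; smaller breaches go on the annual log
    if total >= HHS_IMMEDIATE_MINIMUM:
        hhs = "immediate (without unreasonable delay, within 60 days of discovery)"
    else:
        hhs = "annual log, reported within 60 days after the end of the calendar year"

    # VII: media notice is decided per state, not on the grand total
    media = sorted(s for s, n in b.residents_by_state.items() if n >= MEDIA_STATE_MINIMUM)

    return NoticePlan(deadline, individual, substitute, b.imminent_misuse, hhs, media)


if __name__ == "__main__":
    # The policy's own examples, with a constructed discovery date.
    discovered = date(2024, 1, 15)
    for counts in ({"VA": 600}, {"VA": 450, "WV": 60}, {"VA": 600, "WV": 510}):
        plan = plan_notices(BreachRecord(discovered, counts))
        print(counts, "-> media:", plan.media_states or "none", "| HHS:", plan.hhs_notice)
```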