HIPAA PRIVACY

Commitment to Protecting Health Information

The Plan will comply with the Standards for Privacy of Individually Identifiable Health Information (i.e., the "Privacy Rule") set forth by the U.S. Department of Health and Human Services ("HHS") pursuant to the Health Insurance Portability and Accountability Act ("HIPAA"). Such standards control the dissemination of "protected health information" ("PHI") of Plan Participants. Privacy standards will be implemented and enforced in the offices of the Employer and Plan Sponsor and any other entity that may assist in the operation of the Plan.

The Plan is required by law to take reasonable steps to ensure the privacy of the Plan Participant's PHI, and inform him/her about:

  1. The Plan's disclosures and uses of PHI;
  2. The Plan Participant's privacy rights with respect to his/her PHI;
  3. The Plan's duties with respect to his/her PHI;
  4. The Plan Participant's right to file a complaint with the Plan and with the Secretary of HHS;
  5. The person or office to contact for further information about the Plan's privacy practices.

Within this provision capitalized terms may be used, but not otherwise defined. These terms shall have the same meaning as those terms set forth in 45 CFR Sections 160.103 and 164.501. Any HIPAA regulation modifications altering a defined HIPAA term or regulatory citation shall be deemed incorporated into this provision.

How Health Information May be Used and Disclosed

In general, the Privacy Rules permit the Plan to use and disclose an individual's PHI, without obtaining authorization, only if the use or disclosure is:

  1. To carry out Payment of benefits;
  2. For Health Care Operations;
  3. For Treatment purposes; or
  4. If the use or disclosure falls within one of the limited circumstances described in the rules (e.g., the disclosure is required by law or for public health activities).

Disclosure of PHI to the Plan Sponsor for Plan Administration Purposes

In order that the Plan Sponsor may receive and use PHI for plan administration purposes, the Plan Sponsor agrees to:

  1. Not use or further disclose PHI other than as permitted or required by the Plan documents or as required by law (as defined in the privacy standards);
  2. Ensure that any agents, including a subcontractor, to whom the Plan Sponsor provides PHI received from the Plan, agree to the same restrictions and conditions that apply to the Plan Sponsor with respect to such PHI;
  3. Establish safeguards for information, including security systems for data processing and storage;
  4. Maintain the confidentiality of all PHI, unless an individual gives specific consent or authorization to disclose such data or unless the data is used for health care payment or Plan operations;
  5. Receive PHI, in the absence of an individual's express authorization, only to carry out Plan administration functions;
  6. Not use or disclose PHI for employment-related actions and decisions or in connection with any other benefit or employee benefit plan of the Plan Sponsor, except pursuant to an authorization which meets the requirements of the privacy standards;
  7. Report to the Plan any PHI use or disclosure that is inconsistent with the uses or disclosures provided for of which the Plan Sponsor becomes aware;
  8. Make available PHI in accordance with section 164.524 of the privacy standards (45 CFR 164.524);
  9. Make available PHI for amendment and incorporate any amendments to PHI in accordance with section 164.526 of the privacy standards (45 CFR 164.526);
  10. Make available the information required to provide an accounting of disclosures in accordance with section 164.528 of the privacy standards (45 CFR 164.528);
  11. Make its internal practices, books and records relating to the use and disclosure of PHI received from the Plan available to the Secretary of the U.S. Department of Health and Human Services ("HHS"), or any other officer or employee of HHS to whom the authority involved has been delegated, for purposes of determining compliance by the Plan with part 164, subpart E, of the privacy standards (45 CFR 164.500 et seq);
  12. Report to the Plan any inconsistent uses or disclosures of PHI of which the Plan Sponsor becomes aware;
  13. Train employees in privacy protection requirements and appoint a privacy compliance coordinator responsible for such protections;
  14. If feasible, return or destroy all PHI received from the Plan that the Plan Sponsor still maintains in any form and retain no copies of such PHI when no longer needed for the purpose for which disclosure was made, except that, if such return or destruction is not feasible, limit further uses and disclosures to those purposes that make the return or destruction of the PHI infeasible;
  15. Ensure that adequate separation between the Plan and the Plan Sponsor, as required in section 164.504(f)(2)(iii) of the privacy standards (45 CFR 164.504(f)(2)(iii)), is established as follows:
    • The following employees, or classes of employees, or other persons under control of the Plan Sponsor, shall be given access to the PHI to be disclosed:
      • Privacy Officer
    • The access to and use of PHI by the individuals described above shall be restricted to the plan administration functions that the Plan Sponsor performs for the Plan.
    • In the event any of the individuals described above do not comply with the provisions of the Plan documents relating to use and disclosure of PHI, the Plan Administrator shall impose reasonable sanctions as necessary, in its discretion, to ensure that no further non-compliance occurs. The Plan Administrator will promptly report such violation or non-compliance to the Plan, and will cooperate with the Plan to correct the violation or non-compliance and to impose appropriate disciplinary action or sanctions. Such sanctions shall be imposed progressively (for example, an oral warning, a written warning, time off without pay and termination), if appropriate, and shall be imposed so that they are commensurate with the severity of the violation.

Disclosure of Summary Health Information to the Plan Sponsor

The Plan may disclose PHI to the Plan Sponsor of the group health plan for purposes of plan administration or pursuant to an authorization request signed by the Plan Participant. The Plan may use or disclose "summary health information" to the Plan Sponsor for obtaining premium bids or modifying, amending, or terminating the group health plan.

Disclosure of Certain Enrollment Information to the Plan Sponsor

Pursuant to section 164.504(f)(1)(iii) of the privacy standards (45 CFR 164.504(f)(1)(iii)), the Plan may disclose to the Plan Sponsor information on whether an individual is participating in the Plan or is enrolled in or has un-enrolled from a health insurance issuer or health maintenance organization offered by the Plan to the Plan Sponsor.

Disclosure of PHI to Obtain Stop-loss or Excess Loss Coverage

The Plan Sponsor may hereby authorize and direct the Plan, through the Plan Administrator or the third party administrator, to disclose PHI to stop-loss carriers, excess loss carriers or managing general underwriters ("MGUs") for underwriting and other purposes in order to obtain and maintain stop-loss or excess loss coverage related to benefit claims under the Plan. Such disclosures shall be made in accordance with the privacy standards.

Other Disclosures and Uses of PHI:

Permissible Uses and Disclosures of PHI

  1. Treatment, Payment and Health Care Operations: The Plan has the right to use and disclose a Plan Participant's PHI for all activities as included within the definitions of Treatment, Payment, and Health Care Operations and pursuant to the HIPAA Privacy Rule.
  2. Business Associates: The Plan contracts with individuals and entities (Business Associates) to perform various functions on its behalf. In performance of these functions or to provide services, Business Associates will receive, create, maintain, use, or disclose PHI, but only after the Plan and the Business Associate agree in writing to contract terms requiring the Business Associate to appropriately safeguard the Plan Participant's information.
  3. Other Covered Entities: The Plan may disclose PHI to assist health care Providers in connection with their treatment or payment activities or to assist other covered entities in connection with payment activities and certain health care operations. For example, the Plan may disclose PHI to a health care Provider when needed by the Provider to render treatment to a Plan Participant, and the Plan may disclose PHI to another covered entity to conduct health care operations. The Plan may also disclose or share PHI with other insurance carriers (such as Medicare, etc.) in order to coordinate benefits, if a Plan Participant has coverage through another carrier.

Other Permissible Uses and Disclosures of PHI

  1. Required by Law: The Plan may use or disclose PHI when required by law, provided the use or disclosure complies with and is limited to the relevant requirements of such law.
  2. Public Health and Safety: The Plan may use or disclose PHI when permitted for purposes of public health activities, including disclosures to:
    • a public health authority or other appropriate government authority authorized by law to receive reports of child abuse, neglect or domestic violence;
    • report reactions to medications or problems with products or devices regulated by the Federal Food and Drug Administration or other activities related to quality, safety, or effectiveness of FDA-regulated products or activities;
    • locate and notify persons of recalls of products they may be using; and
    • a person who may have been exposed to a communicable disease or may otherwise be at risk of contracting or spreading a disease or condition, if authorized by law.
  3. The Plan may disclose PHI to a government authority, except for reports of child abuse or neglect permitted by (5) above, when required or authorized by law, or with the Plan Participant's agreement, if the Plan reasonably believes he/she to be a victim of abuse, neglect, or domestic violence. In such case, the Plan will promptly inform the Plan Participant that such a disclosure has been or will be made unless the Plan believes that informing him/her would place him/her at risk of serious harm (but only to someone in a position to help prevent the threat). Disclosure generally may be made to a minor's parents or other representatives although there may be circumstances under Federal or State law when the parents or other representatives may not be given access to the minor's PHI.
  4. Health Oversight Activities: The Plan may disclose PHI to a health oversight agency for oversight activities authorized by law. This includes civil, administrative or criminal investigations; inspections; claim audits; licensure or disciplinary actions; and other activities necessary for appropriate oversight of a health care system, government health care program, and compliance with certain laws.
  5. Lawsuits and Disputes: The Plan may disclose PHI when required for judicial or administrative proceedings. For example, the Plan Participant's PHI may be disclosed in response to a subpoena, discovery requests, or other required legal processes when the Plan is given satisfactory assurances that the requesting party has made a good faith attempt to advise the Plan Participant of the request or to obtain an order protecting such information, and done in accordance with specified procedural safeguards.
  6. Law Enforcement: The Plan may disclose PHI to a law enforcement official when required for law enforcement purposes concerning identifying or locating a suspect, fugitive, material witness or missing person. Under certain circumstances, the Plan may disclose the Plan Participant's PHI in response to a law enforcement official's request if he/she is, or is suspected to be, a victim of a crime and if it believes in good faith that the PHI constitutes evidence of criminal conduct that occurred on the Sponsor's or Plan's premises.
  7. Decedents: The Plan may disclose PHI to a coroner, funeral director or medical examiner for the purpose of identifying a deceased person, determining a cause of death or as necessary to carry out their duties as authorized by law. The Plan may also disclose, as authorized by law, PHI to organizations that handle organ, eye, or tissue donation and transplantation.
  8. Research: The Plan may use or disclose PHI for research, subject to certain limited conditions.
  9. To Avert a Serious Threat to Health or Safety: The Plan may disclose PHI in accordance with applicable law and standards of ethical conduct, if the Plan, in good faith, believes the use or disclosure is necessary to prevent or lessen a threat to health or safety of a person or to the public.
  10. Workers' Compensation: The Plan may disclose PHI when authorized by and to the extent necessary to comply with workers' compensation or other similar programs established by law.
  11. Inmates: The Plan may disclose PHI to the correctional institution or law enforcement official for: the institution to provide health care to the Plan Participant; the Plan Participant's health and safety and the health and safety of others; or the safety and security of the correctional institution.
  12. Military and National Security: The Plan may disclose PHI to military authorities of armed forces personnel under certain circumstances. As authorized by law, the Plan may disclose PHI required for intelligence, counter-intelligence, and other national security activities to authorized Federal officials.
  13. Emergency Situations: The Plan may disclose PHI in an emergency situation, or if the Plan Participant is incapacitated or not present, to a family member, close personal friend, authorized disaster relief agency, or any other person previously identified by the Plan Participant. The Plan will use professional judgment and experience to determine if the disclosure is in the Plan Participant's best interest. If the disclosure is in the Plan Participant's best interest, the Plan will disclose only the PHI that is directly relevant to the person's involvement in the Plan Participant's care.
  14. Fundraising Activities: The Plan may disclose PHI for fundraising activities, such as raising money for a charitable foundation or similar entity to help finance its activities. If the Plan does not contact the Plan Participant for fundraising activities, the Plan will give the Plan Participant the opportunity to opt-out, or stop, receiving such communications in the future.
  15. Group Health Plan Disclosures: The Plan may disclose PHI to a sponsor of the group health plan – such as an employer or other entity – that is providing a health care program to the Plan Participant. The Plan can disclose PHI to that entity if that entity has contracted with the Plan to administer the Plan Participant's health care program on its behalf.
  16. Underwriting Purposes: The Plan may disclose PHI for underwriting purposes, such as to make a determination about a coverage application or request. If the Plan does not disclose the Plan Participant's PHI for underwriting purposes, the Plan is prohibited from using or disclosing in the underwriting process the PHI that is genetic information.

Uses and Disclosures of PHI that Require Authorization

  1. Sale of PHI: The Plan will request written authorization before it makes any disclosure that is deemed a sale of PHI, meaning the Plan is receiving compensation for disclosing the PHI in that manner.
  2. Marketing: The Plan will request written authorization to use or disclose PHI for marketing purposes with limited exceptions, such as when the Plan has face-to-face marketing communications with the Plan Participant or when the Plan provides promotional gifts of nominal value.
  3. Psychotherapy Notes: The Plan will request written authorization to use or disclose any of the Plan Participant's psychotherapy notes that may be on file with limited exception, such as for certain treatment, payment or health care operation functions.

Other uses and disclosures of PHI that are not described above will be made only with written authorization. If the Plan Participant provides the Plan with such authorization, it may be revoked in writing and the revocation will be effective for future uses and disclosures of PHI. However, the revocation will not be effective for information that the Plan already used or disclosed, relying on the authorization.

Required Disclosures of PHI

  1. Disclosures to Plan Participants: The Plan is required to disclose to a Plan Participant most of the PHI in a Designated Record Set when the Plan Participant requests access to this information. The Plan will disclose a Plan Participant's PHI to an individual who has been assigned as his/her representative and who has qualified for such designation in accordance with the relevant State law. Before disclosure to an individual qualified as a personal representative, the Plan must be given written supporting documentation establishing the basis of the personal representation. The Plan may elect not to treat the person as the Plan Participant's personal representative if it has a reasonable belief that the Plan Participant has been, or may be, subjected to domestic violence, abuse, or neglect by such person, it is not in the Plan Participant's best interest to treat the person as his/her personal representative, or treating such person as his/her personal representative could endanger the Plan Participant.
  2. Disclosures to the Secretary of the U.S. Dept of Health and Human Services: The Plan is required to disclose the Plan Participant's PHI to the Secretary of the U.S. Department of Health and Human Resources when the Secretary is investigating or determining the Plan's compliance with the HIPAA Privacy Rule.
  3. Business Associates: The Plan contracts with individuals and entities (Business Associates) to perform various functions on its behalf. In performance of these functions or to provide services, Business Associates will receive, create, maintain, use, or disclose PHI, but only after the Plan and the Business Associate agree in writing to contract terms requiring the Business Associate to appropriately safeguard the Plan Participant's information.
  4. Other Covered Entities: The Plan may disclose PHI to assist health care Providers in connection with their treatment or payment activities or to assist other covered entities in connection with payment activities and certain health care operations. For example, the Plan may disclose PHI to a health care Provider when needed by the Provider to render treatment to a Plan Participant, and the Plan may disclose PHI to another covered entity to conduct health care operations. The Plan may also disclose or share PHI with other insurance carriers (such as Medicare, etc.) in order to coordinate benefits, if a Plan Participant has coverage through another carrier.

Potential Impact of State Law

The HIPAA Privacy Rule regulations generally do not "preempt" (or take precedence over) state privacy or other applicable laws that provide individuals greater privacy protections. As a result, to the extent state law applies, the privacy laws of a particular state, or other federal laws, rather than the HIPAA Privacy Rule regulations, might impose a privacy standard under which the Plan will be required to operate. For example, where such laws have been enacted, the Plan will follow more stringent state privacy laws that relate to uses and disclosures of PHI concerning HIV or AIDS, mental health, substance abuse/chemical dependency, genetic testing, reproductive rights, etc.

Rights of Individuals

The Plan Participant has the following rights regarding PHI about him/her:

  1. Request Restrictions: The Plan Participant has the right to request additional restrictions on the use or disclosure of PHI for treatment, payment, or health care operations. The Plan Participant may request the Plan restrict disclosures to family members, relatives, friends or other persons identified by him/her who are involved in his/her care or payment for his/her care. The Plan is not required to agree to these requested restrictions.
  2. Right to Receive Confidential Communication: The Plan Participant has the right to request that he/she receive communications regarding PHI in a certain manner or at a certain location. The request must be made in writing and must state how the Plan Participant would like to be contacted. The Plan will accommodate all reasonable requests.
  3. Copy of this Notice: The Plan Participant is entitled to receive a paper copy of this notice at any time. To obtain a paper copy, contact the Privacy Compliance Coordinator.
  4. Accounting of Disclosures: The Plan Participant has the right to request an accounting of disclosures the Plan has made of his/her PHI. The request must be made in writing and does not apply to disclosures for treatment, payment, health care operations, and certain other purposes. The Plan Participant is entitled to such an accounting for the six (6) years prior to his/her request, though not earlier than April 14, 2003. Except as provided below, for each disclosure, the accounting will include: (a) the date of the disclosure, (b) the name of the entity or person who received the PHI and, if known, the address of such entity or person; (c) a description of the PHI disclosed, (d) a statement of the purpose of the disclosure that reasonably informs the Plan Participant of the basis of the disclosure, and certain other information. If the Plan Participant wishes to make a request, please contact the Privacy Compliance Coordinator.
  5. Access: The Plan Participant has the right to request the opportunity to look at or get copies of PHI maintained by the Plan about him/her in certain records maintained by the Plan. If the Plan Participant requests copies, he/she may be charged a fee to cover the costs of copying, mailing, and other supplies. To inspect or copy PHI, contact the Privacy Compliance Coordinator. In very limited circumstances, the Plan may deny the Plan Participant's request. If the Plan denies the request, the Plan Participant may be entitled to a review of that denial.
  6. Amendment: The Plan Participant has the right to request that the Plan change or amend his/her PHI. The Plan reserves the right to require this request be in writing. Submit the request to the Privacy Compliance Coordinator. The Plan may deny the Plan Participant's request in certain cases, including if it is not in writing or if he/she does not provide a reason for the request.

Questions or Complaints

If the Plan Participant wants more information about the Plan's privacy practices, has questions or concerns, or believes that the Plan may have violated his/her privacy rights, please contact the Plan using the following information. The Plan Participant may submit a written complaint to the U.S. Department of Health and Human Services or with the Plan. The Plan will provide the Plan Participant with the address to file his/her complaint with the U.S. Department of Health and Human Services upon request.

The Plan will not retaliate against the Plan Participant for filing a complaint with the Plan or the U.S. Department of Health and Human Services.

Contact Information:

Privacy Compliance Contact Information:

1401 West Capitol Ave., Suite 430
Little Rock, AR 72201
Local: 501-372-1164
Toll-Free: 1-844-372-1164
Fax: 501-372-1932
compliance@www.tributehealthplans.com

H1587_C_TRIBWEBPRIVACY_1014 CMS Approved 10/27/2014