Institute for Advanced Learning & Research (IALR)
Policy on Use and Disclosure of Protected Health Information
It is the policy of the Institute for Advanced Learning & Research (IALR) (the “Employer”) and its group health plans to treat with confidentiality the individually identifiable health information received or maintained by the Employer’s group health plans, pursuant to the Health Insurance Portability and Accountability Act of 1996, the Health Information Technology for Economic and Clinical Health Act, and HIPAA privacy rules (collectively, “HIPAA”).
This policy applies to the Employer’s medical and dental plans and medical expense reimbursement plan offered through the Institute for Advanced Learning & Research Health and Welfare Benefits Plan, which are part of an “organized health care arrangement” under the HIPAA privacy rules, and are therefore treated as a single covered entity for purposes of HIPAA privacy compliance. Hereafter, the medical, dental and medical reimbursement plans shall be referred to as the “Health Plan.”
This Policy and the HIPAA privacy rules do not apply to medical information obtained by the Employer from any sources other than the Health Plan. For example, this Policy and the HIPAA privacy rules do not apply to health information received in connection with matters relating to life insurance plans, short or long term disability plans, fitness for duty, Family and Medical Leave Act, sick or accident leave, workers compensation, OSHA, drug, alcohol or other pre-employment or post-employment medical examinations, receipt of medical information pursuant to authorizations, or any other non-Plan disclosures made to the Employer, including all employment records maintained by the Employer or other medical information the Employer or its employees may receive from sources other than Employer group health plans.
Although the Employer’s Health Plan is a “covered entity” under the HIPAA privacy rules, the Employer is not a covered entity under HIPAA privacy rules. This Policy does not afford any rights or cause of action against the Employer, its officers, employees, or others, but simply states the Employer’s policy of compliance with HIPAA privacy rules to the extent specifically applicable to Employer group health plans.
Health Plan and Protected Health Information
The Employer has amended its Health Plan documents in accordance with the HIPAA privacy rules. Employer employees must follow this Policy with respect to use and disclosure of Protected Health Information (“PHI”). “Protected Health Information” or “PHI” means any individually identifiable health information that meets all of the following requirements:
(i) Is created or received by the Health Plan, including individually identifiable health information received by Employer employees acting on Health Plan administration and received in that capacity;
(ii) Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual;
(iii) Identifies the individual or creates a reasonable basis to believe that the information could be used to identify the individual; and
(iv) Is maintained or transmitted in any form or media.
PHI Does Not Include Medical Information Unrelated to Health Plan
Protected Health Information or PHI does not include medical information that is received by the Employer or its employees in non-Health Plan capacities, including without limitation, health information received in connection with matters relating to life insurance plans, short or long term disability plans, Family and Medical Leave Act, sick or accident leave, workers compensation, OSHA, drug, alcohol or other pre-employment or post-employment medical examinations, receipt of medical information pursuant to authorizations, or any other non-Health Plan disclosures made to the Employer, including all employment records maintained by the Employer or other medical information the Employer or its employees may receive from sources other than Employer group health plans.
Privacy Officer
The Employer has appointed its Manager of Human Resources as the Privacy Officer to oversee the Health Plan’s HIPAA privacy compliance and to oversee the development and implementation of the Health Plan’s privacy policies and procedures in accordance with HIPAA privacy rules. In addition to his or her other duties, the Privacy Officer will oversee the receipt and resolution of complaints related to the privacy rules, and provide further information regarding matters covered by the Health Plan’s Notice of Privacy Practices. The Privacy Officer may appoint others to assist in these duties.
Health Plan Workforce
The following employees designated by the Employer need access to PHI to carry out their duties in administering the Health Plan: Manager of Human Resources and Director of Finance & Administration, and any other employee designated by the Privacy Officer. These employees will be considered the Health Plan’s “workforce” for purposes of this Policy and will have access to all categories of PHI in possession of the Employer.
Training
The Employer will give privacy training to Employer employees involved in Health Plan administration or who otherwise provide services to the Health Plan. Employer employees that work in close proximity to employees working on Health Plan administration or that are likely to come into contact with Health Plan PHI will be trained concerning privacy matters, as appropriate. The Employer will document such training and retain the documentation for six years.
Safeguarding Protected Health Information
The Health Plan will reasonably safeguard PHI from any use or disclosure that is not authorized by the individual to which the PHI pertains or otherwise permitted or required by the HIPAA privacy rules. Employer employees who handle PHI shall take reasonable precautions to physically safeguard PHI from being viewed by, accessed by, used by, or otherwise disclosed to anyone not authorized to handle PHI.
Use and Disclosure of Protected Health Information
PHI may be disclosed directly to the individual who is the subject of the PHI upon the individual’s request. No authorization is necessary.
PHI may be used or disclosed for Health Plan-related purposes of treatment, payment, or Health Plan administration without obtaining an authorization. An individual’s PHI may be used or disclosed for the following Health Plan-related purposes:
Payment activities, such as:
obtaining premiums;
determining responsibility for coverage;
claims processing and management; and,
providing reimbursement for health care.
The following plan administration/plan sponsor functions:
quality assessment;
evaluation of providers;
activities relating to obtaining or amending insurance contracts;
disease management; and,
cost management.
HIPAA Privacy Rule Not Intended to Impede Customary and Essential Communications Concerning Health Care and Health Care Benefits
The HIPAA privacy rules recognize that many customary health care communications and practices play an important, even essential role in ensuring that individuals receive prompt and effective health care and health care benefits. The U.S. Department of Health and Human Services (HHS) has emphasized that the HIPAA Privacy Rule is not intended to impede these customary and essential communications and practices. The HIPAA privacy rule does not require that all risk of incidental use or disclosure be eliminated to satisfy privacy standards. Rather, the Privacy Rule permits certain incidental uses and disclosures of protected health information to occur where, as here, the Employer has in place reasonable safeguards and minimum necessary policies and procedures to protect an individual’s privacy. This policy recognizes that prompt and effective health care plan administration is a goal respected and encouraged by the HIPAA privacy rule.
Disclosure of Enrollment Information
The fact that an individual is participating in the Health Plan or has enrolled or disenrolled from a health insurance issuer or HMO offered under the Health Plan may be disclosed to Employer personnel (for appropriate reasons related to Plan administration) without the individual’s authorization.
Disclosure for Treatment
An individual’s PHI may be disclosed to a health care provider (such as a doctor, hospital, or pharmacy) for treatment purposes. This disclosure is not subject to the “minimum necessary” standard. The doctor can have access to any health information the doctor feels is necessary to provide quality treatment.
No Disclosure of PHI for Employment Purposes
An individual’s PHI may not be disclosed to any employee of the Employer for the purpose of employment-related actions or decisions or in connection with any other benefit or employee benefit plan (e.g., a disability or life insurance plan).
Personally Identifiable Medical Information Needed for Employment Decisions Will Not Be Obtained from the Health Plan
Consistent with past practices, where medical information is needed for employment decisions, the Employer will obtain the medical information from sources other than the Health Plan. Thus the Employer will continue to receive medical information in connection with non-Health Plan functions, including health information received in connection with matters relating to life insurance plans, short or long term disability plans, fitness for duty, Family and Medical Leave Act, sick or accident leave, workers compensation, OSHA, drug, alcohol or other pre-employment or post-employment medical examinations, and receipt of medical information pursuant to authorizations. Such medical information and any other non-Health Plan disclosures made to the Employer are employment records of the Employer and not governed by the HIPAA privacy rules.
HIPAA Privacy Rules Do Not Apply to Disclosures of Medical Information for Non-Health Plan Purposes
Employer employees frequently communicate medical information about themselves or their family to fellow employees for non-Health Plan purposes. For example, employees may tell their co-workers about anticipated operations, pregnancies, or other medical conditions or procedures. These non-Health Plan informal disclosures are not governed by the HIPAA privacy rules.
Disclosures Pursuant to Written Authorizations
An authorization is a detailed document that gives covered entities permission to use protected health information for specified purposes, which are generally other than treatment, payment, or health care operations, or to disclose protected health information to a third party specified by the individual. An authorization must specify a number of elements, including a description of the protected health information to be used and disclosed, the person authorized to make the use or disclosure, the person to whom the covered entity may make the disclosure, an expiration date, and, in some cases, the purpose for which the information may be used or disclosed. With limited exceptions, covered entities may not condition treatment or coverage on the individual providing an authorization.
A use or disclosure of PHI that is not for treatment, payment or health plan administration may be made if the affected individual gives a proper written authorization. The written authorization must meet specific requirements and care should be taken that those requirements are met.
An individual cannot be required to sign an authorization as a condition of receiving health care treatment or health care benefits. For non-health care benefit plans, authorizations can be a condition of receiving benefits. For example, consistent with the terms of Employer policies, plans, programs and applicable law, individuals who refuse to authorize release of appropriate medical information may be denied employment, short or long term disability benefits, return to work, Family and Medical Leave, sick or accident leave, workers compensation benefits, and other non-health plan benefits.
Likewise, before enrollment in the Health Plan, an authorization may be required for eligibility and enrollment purposes or for underwriting or risk rating determinations. Moreover the Health Plan may use or disclose PHI for treatment, payment, and other Health Plan administration purposes that are permitted without authorization.
Revocation of Authorization
An individual may revoke a valid authorization, except to the extent that the Health Plan has taken action in reliance on the authorization, or the authorization was obtained as a condition of obtaining insurance coverage.
Documentation of Authorization
A copy of the signed authorization form must be provided to the individual and retained by the Health Plan.
Required Elements of a Valid Authorization
An authorization directing the Health Plan to release information is valid under the HIPAA privacy rules, if it meets all of the following requirements:
It must be written in plain language;
It must not have expired or have been revoked;
It must not contain material information known to be false by Health Plan personnel relying on the authorization;
It must (1) contain a specific description of the information to be used or disclosed; (2) identify the person(s), or class of persons, authorized to make the requested use or disclosure; (3) identify the person(s), or class of persons, to whom the Health Plan may make the requested use or disclosure; (4) describe the purpose of the requested use or disclosure (where the individual initiates the authorization, the statement “at the request of the individual” is sufficient); (5) contain an expiration date or expiration event; and (6) contain the signature of the individual and date signed (and description of authority if signed by a personal representative).
It must contain statements putting the individual on notice of: (1) the individual’s right to revoke the authorization in writing; (2) the exceptions to the right to revoke and a description of how to revoke the authorization (if such information is contained in the Notice of Privacy Practices, a reference to the Notice of Privacy Practices is sufficient); (3) if applicable, a statement that the Health Plan may not condition treatment, payment, enrollment, or eligibility for benefits on whether the individual signs the authorization or the consequences to the individual of refusing to sign the authorization, when the Health Plan conditions enrollment in the Plan or eligibility for benefits on the individual’s provision of an authorization before enrollment for purposes of the Health Plan’s eligibility or enrollment determinations relating to the individual or for its underwriting or risk rating determinations (but not for psychotherapy notes).
It must contain a statement advising the individual of the potential for information disclosed pursuant to the authorization to be subject to re-disclosure by the recipient and no longer be protected under HIPAA privacy rules.
Workers’ Compensation
The HIPAA Privacy Rule does not apply to entities that are either workers’ compensation insurers, workers’ compensation administrative agencies, or employers. The HIPAA Privacy Rule recognizes that these entities need access to the health information of individuals who are injured on the job or who have a work-related illness to process or adjudicate claims, or to coordinate care under workers’ compensation systems. Generally, this health information is obtained from health care providers who treat these individuals and who may be covered by the Privacy Rule. The Privacy Rule recognizes the legitimate need of insurers and other entities involved in the workers’ compensation systems to have access to individuals’ health information as authorized by State or other law. The Department of Health and Human Services has said:
The Privacy Rule is not intended to impede the flow of health information to those who need it to process or adjudicate claims, or coordinate care, for injured or ill workers under workers’ compensation systems. The minimum necessary standard generally requires covered entities to make reasonable efforts to limit uses and disclosures of, as well as requests for, protected health information to the minimum necessary to accomplish the intended purpose.
For disclosures of protected health information made for workers’ compensation purposes. . ., the minimum necessary standard permits covered entities to disclose information to the full extent authorized by State or other law. In addition, where protected health information is requested by a State workers’ compensation or other public official for such purposes, covered entities are permitted reasonably to rely on the official’s representations that the information requested is the minimum necessary for the intended purpose.
For disclosures of protected health information for payment purposes, covered entities may disclose the type and amount of information necessary to receive payment for any health care provided to an injured or ill worker.
The minimum necessary standard does not apply to disclosures that are required by state or other law or made pursuant to the individual’s authorization.
Disclosures to Business Associates of the Health Plan
The Health Plan may contract with third party entities to perform functions on behalf of the Health Plan that may involve creation, use or disclosure of PHI. Such creation, use or disclosure of PHI is governed by business associate agreements the Health Plan enters into with these Business Associates. Business associate agreements must meet specific HIPAA privacy requirements. Employer employees should not disclose PHI to third parties unless appropriate business associate agreements have been executed and disclosures are made in accordance with those business associate agreements.
When the Individual is Present or Available and Can Agree or Object to the Use and Disclosure
In certain circumstances, the HIPAA privacy rules permit use or disclosure of PHI without a written authorization provided (1) the individual knows in advance of the proposed use or disclosure, (2) has the opportunity to agree or object, (3) orally agrees to the use or disclosure, and (4) meets the other requirements discussed below. This section will often apply when the individual wants the Health Plan to disclose PHI to family or friends.
When the individual is present or available, the Health Plan may disclose to a relative, friend, or other person identified by the individual PHI directly related to that person’s involvement with the individual’s care or payment related to the health care, if Health Plan personnel (1) obtain the individual’s oral agreement, (2) give the individual an opportunity to object to the disclosure and the individual does not object, or (3) reasonably infer from the circumstances based on professional judgment that the individual does not object to the disclosure.