THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
Introduction. This notice applies to you if you are eligible (or may become eligible) as a participant for the Emeriti Reimbursement Benefit (reimbursement of qualified medical expenses) under your employer’s (or former employer’s) Emeriti Retiree Health Plan (the “Plan”). It also applies to you if you are a spouse, dependent domestic partner, dependent child, or dependent relative of such a participant, if you or the participant can obtain reimbursement from the Plan for your qualified medical expenses. A separate privacy notice will be provided to you by Aetna if you are covered under one of the Emeriti Health Insurance Plan Options.
Federal and State Law. The portion of the Plan providing the Emeriti Reimbursement Benefit is subject to the federal privacy regulations under the Health Insurance Portability and Accountability Act (“HIPAA”). These regulations, which may be found at 45 Code of Federal Regulations, Parts 160 and 164, are referred to in this notice as the “HIPAA privacy rules.” The HIPAA privacy rules regulate “covered entities,” including many doctors, hospitals, and health plans. The state in which you live may also impose restrictions on the use or disclosure of your health information that are more stringent than the HIPAA privacy rules. While these state laws often apply to doctors, hospitals, health insurance companies, and HMOs, they generally do not apply to employer-sponsored group health plans. The Health Privacy Project of the Institute for Health Care Research and Policy maintains information on state health privacy laws at its website, www.healthprivacy.org.
Protected Health Information. The HIPAA privacy rules regulate the use and disclosure by the Plan of “protected health information” (commonly referred to as “PHI”). PHI is any “individually identifiable health information” maintained or transmitted by the Plan (in any form or medium). Individually identifiable health information is health information that identifies you or creates a reasonable basis to believe that it could be used to identify you, including information relating to your health condition or receipt of health care. Health information that is merely in summary form and that does not identify you as its subject is not PHI and may be used or disclosed by the Plan without restriction under the HIPAA privacy rules. For example, your employer may use aggregated data regarding reimbursement claims paid for all Plan participants to help project benefit costs for future years. With respect to PHI, however, the HIPAA privacy rules prevent the Plan from using your PHI or disclosing it to your employer or anyone else except as permitted by the HIPAA privacy rules, as authorized by you, or as required by law.
Uses and Disclosure of Protected Health Information for Payment and Health Care Operations. The HIPAA privacy rules permit the Plan to use or disclose your PHI without your authorization for purposes of payment or health care operations. This is necessary in order to provide you with qualified reimbursement benefit services. The Plan’s business associates involved in the processing of reimbursement benefits may also use or disclose your PHI for payment or health care operations on the Plan’s behalf. Business associates may include the Plan’s third party administrators, as well as brokers, service providers, lawyers, accountants, consultants, and other appropriate persons who help to ensure that the Plan’s reimbursement benefit processes run properly and that you receive any benefits to which you are entitled. The terms “payment” and “health care operations” are explained below:
- “Payment” means any action undertaken by the Plan to obtain premiums or to provide reimbursement for your qualified medical expenses. This includes, but is not limited to, eligibility and coverage determinations, premium billing, claims management and processing, and reimbursement of qualified medical expenses.
- “Health care operations” means all the activities involved in the administration of the Plan. For example, the Plan may use PHI about you to refer you to project benefit costs and determine future employer contributions.
Other Uses and Disclosures Permitted Without Authorization. The Plan may disclose the Plan’s enrollment and disenrollment information to your employer without your authorization. This information merely indicates whether you are enrolled in the Plan. Your employer needs this information to properly administer the Plan. The Plan may also disclose your PHI to your employer or the Plan’s business associates without your authorization so that your employer may obtain bids for services or make decisions about modifying or terminating the Plan. Information provided to your employer for these purposes will be in summary form. This means that the information will be limited to claims history, claims expenses, or types of claims experienced, with your name and certain types of other identifying information removed. If required by the HIPAA privacy rules or other applicable law, the Plan may use or disclose your PHI without your authorization.
Disclosure of Your PHI to Personnel of Your Employer Without Authorization. In connection with the disclosures described in the previous two sections of this notice, the Plan may disclose your PHI personnel of your employer who are involved in the administration of the Plan. These disclosures will be made in connection with your employer’s role as the sponsor of the Plan, and will be made to enable those personnel to carry out their duties in administering the Plan (e.g., if you file an appeal of a denied claim). In many circumstances, it will be appropriate for such personnel to share your PHI with the Plan’s business associates. Your employer has amended the Plan documents to protect your PHI as required by the HIPAA privacy rules, and any disclosures or uses of PHI by your employer will be governed by the written provisions of the Plan documents. In addition, your employer has instituted policies and procedures to help ensure that your PHI is made available only to those individuals who need it to perform important Plan functions. PHI received from the Plan is not to be used for employment-related purposes or other purposes not related to your employer’s sponsorship or administration of the Plan.
Uses and Disclosures Requiring Your Written Authorization. Where use or disclosure is not otherwise permitted under the HIPAA privacy rules, the Plan is required to obtain your written authorization before using or disclosing your PHI. For example, the Plan must obtain your authorization to use or disclose your psychotherapy notes, to use your health information to contact you for fundraising or marketing purposes or to sell your health information. If you choose to sign an authorization to disclose information, you can later revoke that authorization to stop future uses and disclosures, except to the extent the Plan has acted in reliance upon your authorization.
Incidental Uses and Disclosures. The HIPAA privacy rules permit incidental uses and disclosures that occur as a by-product of a permissible or required use or disclosure. An incidental use or disclosure is a secondary use or disclosure that cannot reasonably be prevented, is limited in nature, and that occurs as a result of another use or disclosure that is permitted by the HIPAA privacy rules. The Plan has instituted reasonable safeguards to protect against uses and disclosures not permitted by the HIPAA privacy rules and to limit incidental uses or disclosures. However, those safeguards cannot totally guarantee the privacy of your PHI. In implementing safeguards, the Plan considers the nature of the PHI held, the potential risks to privacy, the potential effects on patient care, and the financial and administrative burden of particular safeguards. The Plan is not required to obtain your authorization or notify you if an incidental disclosure occurs.
Reservation of the Plan’s Rights. Generally, it is the Plan’s policy to avoid the use and disclosure of your PHI whenever possible. Therefore, the Plan will not normally use or disclose your PHI, except when necessary for payment or health care operations or to comply with the HIPAA privacy rules or other applicable law. However, the Plan reserves the right to use or disclose your PHI in any manner permitted by the HIPAA privacy rules. Please remember that health information maintained by your employer (i.e., health-related employment records or the records of a benefit plan of your employer that is not a group health plan, such as a short- or long-term disability plan) is not subject to the HIPAA privacy rules and may be used or disclosed in accordance with your employer’s standard policies (subject to applicable law).
Your Rights. You have the right to review and receive copies of your PHI maintained by the Plan in a designated record set or used by the Plan to make decisions about your coverage or benefits. The term “designated record set” means the enrollment, payment, and claims adjudication records maintained by the Plan. You will be charged a reasonable copying fee if you request copies of this information. Your request should be made in writing on the appropriate form, which you may obtain by calling 1.866.EMERITI (1.866.363.7484) at which time you will be given instructions on how to file a written request. The Plan will respond to your written request within 30 days of receipt (60 days if the information is maintained offsite), subject to a possible 30-day extension. If your request is denied, you will receive a written explanation of the reasons for the denial. Please remember that the Plan is only responsible for providing you with information contained in its records. Hospital records and other records not maintained by the Plan must be procured directly from the individual or institution that maintains those records.
If you believe that information in your record is incorrect or if important information is missing, you have the right to request that the Plan correct existing information or add missing information. Your request should be made by calling 1.866.EMERITI (1.866.363.7484) at which time you will be given instructions on how to file a written request. The Plan has 60 days to respond to your written request, subject to a possible 30-day extension. If your request is denied, you will receive a written explanation of the reasons for the denial.
You have the right to restrict disclosure of your health information to a health plan if you choose to pay out-of-pocket in full for the services at the time they are provided. You have the right to request restrictions on the Plan’s use or disclosure of your PHI for payment and health care operations. You may also request restrictions on disclosures to your family members or other individuals who are involved in your care or payment for your care. The Plan will consider your request but is not required to agree to such restrictions and generally will not agree to restrictions on disclosures related to the Plan’s payment and health care operations. Your request should be made by calling 1.866.EMERITI (1.866.363.7484) at which time you will be given instructions on how to file a written request. The Plan will respond to your request in writing. The Plan will also accommodate reasonable requests for you to receive communications of your PHI at alternate locations or by alternate methods, if the normal method of communication could endanger you.
You may exercise your rights through a personal representative, provided that such individual produces evidence of his or her authority to act on your behalf. The Plan will only accept the following as evidence of such authority: (1) a power of attorney for health care purposes notarized by a notary public; (2) a court order appointing the individual as your conservator or guardian; or (3) proof that such individual is your parent (if you are a minor). Your personal representative will be treated as you would with respect to access to your PHI and your other rights under the HIPAA privacy rules. However, the Plan retains the discretion to deny your personal representative access to your PHI if the Plan finds evidence that such denial is necessary to protect you from abuse or neglect.
Notice of Breach. The Plan will notify you if your unsecured health information is breached.
The Plan’s Legal Duties. The HIPAA privacy rules require the Plan to maintain the privacy of your PHI, to provide this notice about its information practices, and to follow the practices described in this notice. The Plan may change its privacy policies at any time, and changes may apply to all PHI held by the Plan at the time of the change. When the Plan makes a significant change in policy, a revised Notice of Privacy Practices will be distributed to all current Plan participants within 60 days of the effective date of the change.
This notice and the privacy policies of the Plan and your employer do not create any legal rights, contractual or otherwise, under state or federal law, but simply give you notice of the Plan’s obligations, and your rights, under the HIPAA privacy rules.
Questions and Complaints. If you have questions regarding your privacy rights described in this Notice, if you are concerned that the Plan has violated your rights under the HIPAA privacy rules, or if you disagree with a decision made about access to or amendment of your health records, please call 1.866.EMERITI (1.866.363.7484). Alternatively, you may contact the Plan’s Privacy Officer through your employer’s Human Resources Department. You are permitted to send written complaints to the Secretary of the U.S. Department of Health and Human Services, Hubert H. Humphrey Building, 200 Independence Avenue SW, Washington, DC 20201. Neither the Plan nor your employer may retaliate against you in any way for exercising your right to file a complaint. This Notice is effective as of the date the Plan was established.