Privacy Policy for Self-Funded and Shared-Funded Group Plans

This policy explains how ASR Health Benefits collects nonpublic personal information, the type of information that we may collect, and what information we may disclose to other companies not affiliated with ASR Health Benefits.

Acquisition of Personal Information

We collect nonpublic personal information about the individual participants of group plans, which the employers/plan sponsors and health care providers afford us.

Categories of Information We Disclose

We do not disclose any nonpublic personal information about our customers or former customers to anyone, except as permitted by law. For example, we only disclose nonpublic personal information when it is related to a request or transaction from the employer/plan sponsor, where authorized by the participant, or where required by law.

Parties to Whom We Disclose Information

We only permit disclosure of nonpublic personal information to our employees who are working on clients’ accounts and to unrelated third parties who need to know that information in order to assist us in providing services to clients.

Confidentiality and Security of Nonpublic Personal Information

We restrict access to nonpublic personal information to those individuals who need to know that information in order to provide services or products for the policy. We maintain physical, electronic, and procedural safeguards that comply with federal regulations to secure nonpublic personal information.

Notice of Patient Protection

If your health plan generally requires the designation of a primary care provider, you have the right to designate any primary care provider who participates in our network and who is available to accept you or your family members. For children, you may designate a pediatrician as the primary care provider. For information on how to select a primary care provider, and for a list of the participating primary care providers, contact ASR Health Benefits at (800) 968-2449.

You do not need prior authorization from the health plan or from any other person (including a primary care provider) in order to obtain access to obstetrical or gynecological care from a health care professional in our network who specializes in obstetrics or gynecology. However, the health care professional may be required to comply with certain procedures, including obtaining authorization for certain services, following a pre-approved treatment plan, or following certain procedures for making referrals. For a list of participating health care professionals who specialize in obstetrics or gynecology, contact ASR Health Benefits at (800) 968-2449.

Notice to Plan Participants – Notice of Privacy Practices Available

The U.S. Department of Health and Human Services has issued regulations as part of the Health Insurance Portability and Accountability Act of 1996. These regulations, known as the Standards for Privacy of Individually Identifiable Health Information, were effective on April 14, 2003 (or April 14, 2004 for small health plans) and control how your medical information may be used and disclosed and how you can access this information. Please be advised that your health benefits plans maintain a current Notice of Privacy Practices to inform you of the policies that they have established to comply with the Standards for Privacy. This Notice describes the responsibilities of the plans and any third party assisting in the administration of claims regarding the use and disclosure of your protected health information, and your rights concerning the same.

This Notice is available to you upon request by contacting your company’s Privacy Official or Human Resources Director.

Notice of Privacy Practices

Please review this notice carefully, as it describes how one or more of the health plans of
Kalamazoo College (collectively the “Plan”) and any third party assisting in the administration of
claims may use and disclose your health information, and how you can access this information. This
notice is being provided to you pursuant to the federal law known as HIPAA and an amendment to that
law known as HITECH and is effective January 1, 2015. If you have any questions about
this notice, please contact Renee Boelcke, the Privacy Officer at Kalamazoo College, at
1200 Academy Street, Kalamazoo, Michigan 49006, or at Renee.boelcke@kzoo.edu. The Plan
has been amended to comply with the requirements described in this notice.
The Plan’s Pledge Regarding Health Information. The Plan is committed to protecting
your personal health information. The Plan is required by law to protect medical information
about you. This notice applies to medical records and information the Plan maintains concerning
the Plan. Your personal doctor or health care provider may have different policies or notices
regarding the use and disclosure of your health information created in his or her facility.
This notice will describe how the Plan may use and disclose health information (known as
“protected health information” under federal law) about you, as well as the Plan’s obligations
and your rights regarding this use and disclosure.
Use and Disclosure of Health Information. The following categories describe different ways that
the Plan uses and discloses protected health information. The Plan will explain and present
examples for each category but will not list every possible use or disclosure.
However, all of the permissible uses and disclosures fall within one of these categories:
▪ For Treatment. The Plan may use or disclose your health information to
facilitate treatment or services by providers. For example, the Plan may disclose your
health information to providers, including doctors, nurses, or other hospital personnel who are
involved in your care.
▪ For Payment. The Plan may use and disclose your health information to determine eligibility
for Plan benefits, to facilitate payment for the treatment and services you receive from health
care providers, or to determine benefit responsibility under the Plan. For example, the Plan may
disclose your health history to your health care provider to determine whether a particular
treatment is a qualifying health expense or to determine whether the Plan will reimburse the
treatment. The Plan may also share your health information with a utilization review or
precertification service provider, with another entity to assist with the adjudication or
subrogation of health claims, or with another health plan to coordinate benefit payments.
▪ For Health Care Operations. The Plan may use and disclose your health
information in order to operate the Plan. For example, the Plan may use health information in
connection with the following:
(1) quality assessment and improvement; (2) underwriting, premium rating, and Plan
coverage; (3) stop-loss (or excess-loss) claim submission; (4) medical review, legal
services, audit services, and fraud and abuse detection programs; (5) business
planning and development, such as cost management; and (6) business management and
general Plan administration.
▪ To Business Associates and Subcontractors. The Plan may contract with individuals
and entities known as business associates to perform various functions or provide certain
services. In order to perform these functions or provide these services, business associates
may receive, create, maintain, use, or disclose your health information, but only after they sign
an agreement with the Plan requiring them to implement appropriate safeguards regarding your health
information. For example, the Plan may disclose your health information to a business
associate to administer claims or to provide support services, but only after the business
associate enters into a Business Associate Agreement with the Plan. Similarly, a business
associate may hire a subcontractor to assist in performing functions or providing services in
connection with the Plan. If a subcontractor is hired, the business associate may not disclose
your health information to the subcontractor until after the subcontractor enters into
a Subcontractor Agreement with the business associate.
▪ As Required by Law. The Plan will disclose your health information when required
to do so by federal, state, or local law. For example, the Plan may disclose health
information when required by a court order in a litigation proceeding, such as a malpractice
action.

▪ To Avert a Serious Threat to Health or Safety. The Plan may use and disclose your health
information when necessary to prevent a serious threat to the health and safety of
you, another person, or the public. The Plan would disclose this information only to someone
able to help prevent the threat. For example, the Plan may disclose your health information in a
proceeding regarding the licensure of a physician.
▪ To Health Plan Sponsor. The Plan may disclose health information to another health plan
maintained by the Plan sponsor for purposes of facilitating claims payments under that plan. In
addition, the Plan may disclose your health information to the Plan sponsor and its
personnel for purposes of administering benefits under the Plan or as otherwise permitted by law
and the Plan sponsor’s HIPAA privacy policies and procedures.
Special Situations. The Plan may also use and disclose your protected health information in the
following special situations:
▪ Organ and Tissue Donation. The Plan may release health information to organizations that
handle organ procurement or organ, eye, or tissue transplantation or to an organ donation bank as
necessary to facilitate organ or tissue donation and transplantation.
▪ Military and Veterans. If you are a member of the armed forces, the Plan may release your
health information as required by military command authorities. The Plan may also
release health information about foreign military personnel to the appropriate foreign military
authority.
▪ Workers’ Compensation. The Plan may release health information for Workers’
Compensation or similar programs that provide benefits for work-related injuries or illnesses.
▪ Public Health Risks. The Plan may disclose health information for public health activities,
such as prevention or control of disease, injury, or disability; report of births and deaths; and
notification of disease exposure or risk of disease contraction or proliferation.
▪ Health Oversight Activities. The Plan may disclose health information to a health oversight
agency for activities authorized by law, e.g., audits, investigations, inspections, and
licensure, which are necessary for the government to monitor the health care
system, government programs, and compliance with civil rights laws.
▪ Law Enforcement. The Plan may release health information if requested by a law enforcement
official in the following circumstances: (1) in response to a court order, subpoena, warrant, or
summons; (2) to identify or locate a suspect, fugitive, material witness, or missing person; (3) to
report a crime; and
(4) to disclose information about the victim of a crime if (under certain limited
circumstances) the Plan is unable to obtain the person’s agreement.
▪ Coroners and Medical Examiners. The Plan may release health information to a coroner or
medical examiner if necessary (e.g., to identify a deceased person or determine the cause of
death).
Rights Regarding Health Information. You have the following rights regarding your
protected health information that the Plan maintains:
▪ Right to Access. You may request access to health information containing your enrollment,
payment, and other records used to make decisions about your Plan benefits, including the right to
inspect the information and the right to a copy of the information. You may request that the
information be sent to a third party. You must submit a request for access in writing to the
Privacy Officer. The Plan may charge a fee for the costs of copying, mailing, or other supplies
associated with your request. The Plan may deny your request in certain very limited
circumstances, and you may request that such denial be reviewed. If the Plan maintains your
health information electronically in a designated record set, the Plan will provide you with access
to the information in the electronic form and format you request if readily producible or, if not,
in a readable electronic form and format as agreed to by the Plan and you.
▪ Right to Amend. If you feel that the Plan’s records of your health information
are incorrect or incomplete, you may request an amendment to the information for as long as the
information is kept by or for the Plan. You must submit a request for amendment in writing to the
Privacy Officer. Your written request must include a supporting reason; otherwise the Plan may
deny your request for an amendment. In addition, the Plan may deny your request to amend
information that is not part of the health information kept by or for the Plan, was not created by
the Plan (unless the person or entity that created the information is no longer available to make the amendment), is not part of the information that you would be permitted to inspect and copy, or is accurate and complete.
▪ Right to an Accounting of Disclosures. You may request an accounting of your health
information disclosures except disclosures for treatment, payment, or health care operations;
disclosures to you about your own health information; disclosures pursuant to an individual
authorization; or other disclosures as set forth in the Plan sponsor’s HIPAA privacy policies and
procedures. You must submit a request for accounting in writing to the Privacy Officer.
Your request must state a time period for the accounting not longer than six years and
indicate your preferred form (e.g., paper or electronic). The Plan will provide for free the first
accounting you request within a 12-month period, but the Plan may charge you for the costs of
providing additional lists (the Plan will notify you prior to provision and you may cancel your
request). Effective at the time prescribed by federal regulations, you may also request an
accounting of uses and disclosures of your health information maintained as an electronic health
record if the Plan maintains such records.
▪ Right to Request Restrictions. You may request a restriction or limitation on your health
information that the Plan uses or discloses for treatment, payment, or health care
operations or that the Plan discloses to someone involved in your care or the payment for your
care (e.g., a family member or friend). For example, you could ask that the Plan not use or
disclose information about a surgery you had. You must submit a request for restriction in
writing to the Privacy Officer. Your request must describe what information you want to limit;
whether you want to limit the Plan’s use, disclosure, or both; and to whom you want the limits to
apply (e.g., your spouse). The Plan is not required to agree to your request.
▪ Right to Request Confidential Communications. You may request that the Plan communicate with
you about health matters in a certain way or at a certain location (e.g., only by mail or at work),
and the Plan will accommodate all reasonable requests. You must submit a request for
confidential communications in writing to the Privacy Officer. Your written request must specify
how or where you wish to be contacted. You do not need to state the reason for your request.
▪ Right to a Paper Copy of this Notice. If you received this notice electronically, you may
receive a paper copy at any time by contacting the Privacy Officer.
Genetic Information. If the Plan uses or discloses protected health information for
Plan underwriting purposes, the Plan will not (except in the case of any long-term
care benefits) use or disclose health information that is your genetic information for such
purposes.
Breach Notification Requirements. In the event unsecured protected health information
about you is “breached,” the Plan will notify you of the situation unless the Plan determines the
probability is low that the health information has been compromised. The Plan will also inform HHS
of the breach and take any other steps required by law.
Changes to this Notice. The Plan reserves the right to revise or change this
notice, which may be effective for your protected health information the Plan already possesses
as well as any information the Plan receives in the future. The Plan will notify you if this
notice changes.
Complaints. If you believe your privacy rights have been violated, you may file a complaint with
the Plan by contacting the Privacy Officer in writing. You may also file a written complaint with
the Secretary of the U.S. Department of Health and Human Services. You will not be penalized for
filing a complaint.
Other Uses of Health Information. The Plan will use and disclose protected health
information not covered by this notice or applicable laws only with your written permission. If
you permit the Plan to use or disclose your health information, you may revoke that
permission, in writing, at any time. If you revoke your permission, the Plan will no longer
use or disclose your health information for the reasons authorization. However, the Plan is
unable to retract any disclosures it has
made with your permission.