All employed positions are filled.
2016 Personnel Policy Manual Completed.p[...]
Adobe Acrobat document [895.7 KB]
Human Resources / Employee Notices
III-A Annual Creditable Coverage Notice [...]
Adobe Acrobat document [210.9 KB]
III-A Annual Notice-CHIP Notice.pdf
Adobe Acrobat document [104.6 KB]
III-A Annual Notice-Women's Health Cance[...]
Adobe Acrobat document [99.1 KB]
THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND
AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
HIPAA PRIVACY NOTICE AND PRACTICES
EFFECTIVE SEPTEMBER 23, 2013
The Plan must provide this notice (i) no later than the compliance date for the health plan, to individuals covered by the plan; (ii) thereafter, at the time of enrollment, to individuals who are new enrollees. No less frequently than once every three years, the health plan must notify individuals then covered by the Plan of the availability of the notice and how to obtain the notice. The Plan may satisfy the requirement to provide notice if the notice is provided to the named insured of a policy under which coverage is provided to the named insured and one or more dependents. If the Plan has more than one notice, it may satisfy the requirement to provide notice by providing the notice that is relevant to the individual or other person requesting the notice.
What is Protected Health Information (PHI)?
Under the privacy provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Protected Health Information, or PHI, is health information, including demographic information collected from an individual that:
- Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and
- Relates to the past, present or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the
provision of health care to an individual; and
- That identifies the individual; or
- With respect to which there is a reasonable basis to believe the information can be used to identify the individual.
Protected health information cannot be used or disclosed without the Covered Person's written permission except in certain specified circumstances stated in the HIPAA privacy regulations and described in this Notice.
What are the Plan's Responsibilities Concerning PHI?
The Plan maintains procedural, electronic, and physical safeguards that comply with applicable federal and state regulations to protect PHI. Procedural safeguards include providing only the minimum necessary PHI and limiting access to PHI to individuals with a legitimate need to know for healthcare operations purposes. Electronic safeguards include electronic claims submission, secured storage and retrieval of electronic information, limiting the number of individuals with access to claims and recording all telephone conversations concerning claims and benefits. Physical safeguards include storage of original documents in a secure, locked cold storage for a period of not less than six (6) years and subsequently shredded or returned to the Plan Administrator. Discarded materials are placed in a secured location until they are shredded or recycled.
To Whom and Under What Circumstances Will the Plan Use or Disclose PHI?
The Plan will not disclose any PHI about Covered Persons or former Covered Persons to anyone, except as described in this Notice and as permitted by law. The Plan will only disclose PHI:
- Without a signed written authorization to the Covered Person to whom the PHI pertains (or to a minor child's parent or guardian, if applicable);
- Without a signed written authorization as required for healthcare operations purposes. The Plan is permitted to disclose PHI, without an additional authorization, for healthcare operations purposes. Healthcare Operations includes, but is not necessarily limited to, any of the following activities of the Plan to the extent that the activities are related to covered functions: claims payment, quality assessment; case management; care coordination; contacting of health care providers and patients with information about treatment alternatives; reviewing the competence or qualifications of health care professionals; evaluating practitioner and provider performance; health plan performance; accreditation, certification licensing, or credentialing activities; underwriting; premium rating; and other activities relating to the creation, renewal or replacement of a contract of health insurance or health benefits; ceding, securing, or placing a contract for reinsurance of risk relating to claims for health care (including stop-loss insurance and excess of loss insurance); conducting or arranging for medical review, legal services, and auditing functions, including fraud and abuse detection and compliance programs; business planning and development, such as conducting cost-management and planning-related analyses related to managing and operating the Plan, including formulary development and administration, development or improvement of methods of payment or coverage policies; and other business management and general administrative activities of the Plan as allowed by law.
- To an individual who provides the Plan with a written authorization signed by the Covered Person to whom the PHI pertains;
- As required by state or federal law, regulation or order of a court with jurisdiction.
As required by Sec. 164.520(b)(1)(ii)(A), examples of uses and disclosures for purposes of health care operations, treatment, and payment include:
- Health care operations: e.g. quality review activities to implementing compliance programs;
- Treatment: e.g. treatment by a specialist which requires sharing of PHI with a patient’s primary care physician;
- Payment: e.g. completing a claim form to obtain payment from an insurer.
In accordance with regulations in Sec. 164.508(a)(2)-(a)(4), the Covered Entity must obtain a valid authorization from the Covered Person for its use or disclosure of PHI relating to the following:
- Psychotherapy Notes. Other than the transition provisions in Sec. 164.532, the Covered Entity must obtain an authorization for use and disclosure of psychotherapy notes, except
(a) To carry out the following treatment, payment, or health care operations: (i) use by the originator of the psychotherapy notes for treatment; (ii) use or disclosure by the Covered Entity for its own training programs in which students, trainees, or practitioners in mental health learn under supervision to practice or improve their skills in group, joint, family, or individual counseling; or (iii) use or disclosure by the Covered Entity to defend itself in a legal action or other proceeding brought by the individual; and
(b) A use or disclosure that is required with respect to the oversight of the originator of the psychotherapy notes.
(a) Other than the transition provisions in Sec. 164.532, the Covered Entity must obtain an authorization for any use or disclosure of PHI for marketing, except if the communication is in the form of (i) a face-to-face communication made by the covered entity to an individual; or (ii) a promotional gift of nominal value provided by the Covered Entity.
(b) If the marketing involves financial remuneration, as defined in Sec. 164.501, to the Covered Entity from a third party, the authorization must state that such remuneration is involved.
- Sale of PHI.
(a) Other than the transition provisions in Sec. 164.532, the Covered Entity must obtain an authorization for any disclosure of PHI which is a sale of PHI, as defined in Sec. 164.501.
(b) Such authorization must state that the disclosure will result in remuneration to the Covered Entity.
Any other uses and disclosures not specifically described above will be made only with the Covered Person's (or the Covered Person's guardian's, if a minor) written authorization. This signed authorization will remain in effect until affirmatively revoked by the Covered Person in writing. A Covered Person may revoke his or her written authorization at any time, as provided by Sec. 164.508(b)(5), by sending written notice to the contract claims payor, except that the authorization cannot be revoked retroactively after action has taken place, such as releasing information in reliance on the authorization. The Plan will not have violated HIPAA' s privacy requirements for disclosures made based on a valid authorization on file with the Plan prior to receipt of written revocation.
The Covered Entity is prohibited from using or disclosing PHI that is genetic information of an individual for purposes of underwriting. NOTE: If a use or disclosure for any purpose described in the paragraphs above is prohibited or materially limited by other applicable federal or state law, including state privacy law, the Plan will comply with the use or disclosure requirements of the most stringent applicable law.
When, and Under What Circumstances, Will the Plan Sponsor Have Access to PHI?
The Plan may disclose PHI to the Plan Sponsor under certain limited circumstances relative to the Plan's healthcare operations. The Plan Sponsor hereby certifies that the Plan Documents have been amended to comply with the regulations by incorporation of the following provisions. With regard to PHI disclosed to the Plan Sponsor, the Plan Sponsor agrees to:
- Not use or further disclose the information other than as permitted or required by the Plan Documents or as required by law;
- Ensure that any agents, including a subcontractor, to whom it provides PHI received from the Plan agree to the same restrictions and conditions that apply to the Plan Sponsor with respect to such information;
- Not use or disclose the information for employment-related actions and decisions or in connection with any other benefit or employee benefit plan of the Plan Sponsor;
- Report to the Plan any use or disclosure of the information that is inconsistent with the uses or disclosures provided for of which it becomes aware;
- Make available PHI as required to allow the Covered Person a right of access to his or her PHI as required and permitted by the regulations;
- Make available PHI for amendment and incorporate any amendments into PHI as required and permitted by the regulations;
- Make available the information required to provide an accounting of disclosures as required by the regulations;
- Make its internal practices, books, and records relating to the use and disclosure of PHI received from the Plan available to any applicable regulatory authority for purposes of determining the Plan's compliance with the law's requirements;
- If feasible, return or destroy all PHI received from the Plan that the Plan Sponsor still maintains in any form and retain no copies of such information when no longer needed for the purpose for which disclosure was made, except that, if such return or destruction is not feasible, limit further uses and disclosures to those purposes that make the return or destruction of the information infeasible; and
- Ensure that the adequate separation required between the Plan and the Plan Sponsor is established. To fulfill this requirement, the Plan Sponsor will restrict access to nonpublic personal information to the Plan Administrator(s) designated in this Plan Document or employees designated by the Plan Administrator(s) who need to know that information to perform plan administration and healthcare operations functions or assist Covered Persons enrolling and disenrolling from the Plan.
The Plan Sponsor will maintain physical, electronic, and procedural safeguards that comply with applicable federal and state regulations to guard such information and to provide the minimum PHI necessary for performance of healthcare operations duties. The Plan Administrator(s) and any employee so designated will be required to maintain the confidentiality of nonpublic personal information and to follow policies the Plan Sponsor establishes to secure such information.
When information is disclosed to entities that perform services or functions on the Plan's behalf, such entities are required to adhere to procedures and practices that maintain the confidentiality of the Covered Person's nonpublic personal information, to use the information only for the limited purpose for which it was shared, and to abide by all applicable privacy laws.
What Information Makes Up the Designated Record Set?
The Designated Record Set means:
1. A group of records maintained by or for a Covered Entity that is:
a) The medical records and billing records about individuals maintained by or for a covered health care provider;
b) The enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or
c) Used, in whole or in part, by or for the Covered Entity to make decisions about individuals.
2. For purposes of this paragraph, the term "record" means any item, collection or grouping of information that includes protected health information and is maintained, collected, used or disseminated by or for a Covered Entity.
3. Designated Record Set does not include:
a) Chronological notes maintained by the contract claims payor;
b) Internal memoranda of the Plan Administrator or contract claims payor;
c) Information created or obtained in anticipation of litigation;
d) Any legally privileged, work product or proprietary information of the Plan; or
e) Any legally privileged, work product or proprietary information of the contract claims payor.
What Rights Does a Covered Person Have Regarding Access to or Amendment of PHI?
Upon written request to the Plan, an individual has a right of access to inspect and obtain a copy of PHI about himself/herself in a Designated Record Set for as long as the PHI is maintained in the Designated Record Set except for:
a) Psychotherapy notes;
b) Information compiled in reasonable anticipation of, or for use in, a civil, criminal or administrative action or proceeding; and
c) Subject to the Clinical Laboratory Improvements Amendments of 1988, 42 U.S.C. 263a to the extent the provision of access to the individual would be prohibited by law, or exempt from the Clinical Laboratory Improvements Amendments of 1988, pursuant to 42 CFR 493.3(a)(2).
All requests to the Plan for access to PHI must be in writing. The Plan must act on a request for access no later than thirty (30) days after receipt by granting and providing access or providing a written determination as to why access will not be provided. If the Plan is unable to provide access within these timeframes, the Plan may have an additional thirty (30) days to provide the requested access so long as written notice of the delay and the reasons for it is provided to the requesting individual prior to expiration of the applicable time period.
In providing the requested access, the Plan must timely permit an individual to request access to inspect or to obtain a copy of the PHI about the individual that is maintained in a Designated Record Set. If the Plan is asked to provide a photocopy or summary of the PHI, the individual requesting the PHI will be responsible for any reasonable fees incurred by the Plan in producing the same.
The Plan may deny an individual access to PHI in the following circumstances:
- the PHI is excepted from the right of access,
- the PHI relates to a correctional facility inmate's request,
- the PHI is obtained by a covered health care provider in the course of research that includes treatment,
- the individual's access to the PHI is governed by the Privacy Act and the denial is consistent with the provisions of that Act,
- the PHI was obtained from someone other than a health care provider under a promise of confidentiality and the access requested would be reasonably likely to reveal the source of the information, or
- a licensed health care professional has determined, in the exercise of professional judgment, that the access requested by an individual or personal representative is reasonably likely to endanger the life or physical safety of the individual or another person referenced in the PHI.
In some of these instances, the individual is given the right to have such denials reviewed and in others the Plan does not need to provide the opportunity for review of the denial. The Plan will provide the opportunity for review of the denial upon receipt of a written request if required to do so by the regulations. Such review will be performed in the manner, and within the time periods, prescribed in the regulations. Please contact the Plan Administrator if you have questions.
An individual has the right to ask the Plan to amend PHI or a record about the individual in a Designated Record Set for as long as the PHI is maintained in the Designated Record Set. The Plan may deny an individual's request for amendment if it is determined that the PHI or record that is the subject of the request:
- was not created by the Plan, unless the individual provides a reasonable basis to believe that the originator of the PHI is no longer available to act on the requested amendment;
- is not part of the Designated Record Set;
- would not be available for inspection according to the provisions of the applicable regulations; or
- is accurate and complete.
All requests to the Plan for amending PHI must be in writing. The Plan must act on a request for amendment no later than sixty (60) days after receipt by granting the requested amendment or providing a written determination as to why access will not be provided. If the Plan is unable to act on the amendment within these timeframes, the Plan may have an additional thirty (30) days to provide the requested access so long as written notice of the delay and the reasons for it is provided to the requesting individual prior to expiration of the applicable time period. If the request for amendment is granted, the Plan must amend the PHI in the Designated Record Set(s) as requested, must timely inform the individual of the amendment and obtain from that individual relative to other entities who need to be informed of the amendment, and advise those entities and any persons, including business associates, who the Plan knows has the PHI that is the subject of the amendment and may have relied, or could foreseeably rely on such information to the detriment of the individual. If the request for amendment is denied, in whole or in part, the Plan must permit the individual to submit to the Plan a written statement disagreeing with the denial of all or part of a requested amendment and the basis of such disagreement. The Plan may reasonably limit the length of the statement of disagreement. The Plan has the right to prepare a written rebuttal to the individual's statement of disagreement. If such a rebuttal is prepared, a copy of it must be sent to the individual who submitted the statement of disagreement. Where permitted by the regulations, the statement of disagreement and rebuttal will be incorporated into any future disclosures of PHI to which the disagreement relates.
A Covered Person has the right to request restrictions on certain uses and disclosures of PHI as provided by Section 164.522(a) of the HIPAA regulations; however, the Plan is not required to agree to a requested restriction, except in the case of a disclosure restricted under Section § 164.522(a)(1).
A Covered Person has the right to receive confidential communications of PHI as provided by Section 164.522 of the HIPAA regulations.
A Covered Person has the right to receive an accounting of disclosures of PHI as provided by Section 164.528 of the HIPAA regulations.
TO FILE A COMPLAINT, OR TO REPORT A POSSIBLE VIOLATION OF AN INDIVIDUAL'S PRIVACY RIGHTS
Individuals have the right to file a complaint with the Plan and/or the Secretary of the Department of Health and Human Services if they believe their privacy rights have been violated. Any complaint filed with the Plan must be in writing and directed to the Plan Administrator at the address stated in the Summary Plan Description. The regulations provide that no individual will be retaliated against for filing a complaint.
FOR FURTHER INFORMATION