Health Insurance Portability and Accountability Act (HIPAA)
THIS NOTICE DESCRIBES HOW HEALTH INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
The effective date of this Notice of Privacy Practices of DETROIT MERCY HEALTH BENEFIT PLAN (the “Notice”) is April 14, 2003, as amended September 23, 2013.
The DETROIT MERCY HEALTH BENEFIT PLAN (the “Plan”) provides health benefits to eligible individuals and their eligible dependents as described in the summary plan description(s) for the Plan. The Plan creates, receives, uses, maintains and discloses health information about participating individuals and dependents in the course of providing these health benefits.
For ease of reference, in the remainder of this Notice, the words “you,” “your,” and “yours” refers to any individual with respect to whom the Plan receives, creates or maintains Protected Health Information (PHI), including individuals, COBRA qualified beneficiaries, if any, and their respective dependents.
The Plan is required by law to provide notice to you of the Plan’s duties and privacy practices with respect to your PHI, and is doing so through this Notice. This Notice describes the different ways in which the Plan uses and discloses PHI. It is not feasible in this Notice to describe in detail all of the specific uses and disclosures the Plan may make of PHI, so this Notice describes all of the categories of uses and disclosures of PHI that the Plan may make and, for most of those categories, gives examples of those uses and disclosures.
The Plan is distributing this Notice, and will distribute any revisions, only to participating individuals and COBRA qualified beneficiaries, if any. If you have coverage under the Plan as a dependent of an associate or COBRA qualified beneficiary, you can get a copy of the Notice by requesting it from the contact named at the end of this Notice.
Please note that this Notice applies only to your PHI that the Plan maintains. It does not affect your doctor’s or other health care provider’s privacy practices with respect to your PHI that they maintain.
Receipt of Your PHI by the Plan Sponsor, Business Associates and Subcontractors
The Plan may disclose your PHI to, and allow use and disclosure of your PHI by, the Plan Sponsor and Business Associates without obtaining your authorization.
Plan Sponsor: UNIVERSITY OF DETROIT MERCY is the Plan Sponsor and Plan Administrator. The Plan may disclose to the Plan Sponsor, in summary form, claims history and other information so that the Plan Sponsor may solicit premium bids for health benefits, or to modify, amend or terminate the Plan. This summary information omits your name and Social Security Number and certain other identifying information. The Plan may also disclose information about your participation and enrollment status in the Plan to the Plan Sponsor and receive similar information from the Plan Sponsor. If the Plan Sponsor agrees in writing that it will protect the information against inappropriate use or disclosure, the Plan also may disclose to the Plan Sponsor a limited data set that includes your PHI, but omits certain direct identifiers, as described later in this Notice.
The Plan may disclose your PHI to the Plan Sponsor for plan administration functions performed by the Plan Sponsor on behalf of the Plan, if the Plan Sponsor certifies to the Plan that it will protect your PHI against inappropriate use and disclosure.
Business Associates and Subcontractors: The Plan and the Plan Sponsor hire third-parties, such as an insurance carrier acting as the third-party administrator (the “Claims Administrator”), to help the Plan provide health benefits. These third-parties are known as the Plan’s “Business Associates.” Subcontractors that perform services for a Business Associate are themselves considered Business Associates to the extent their services involve the creation, receipt, maintenance or transmission of PHI on behalf of the Business Associate. The Plan may disclose your PHI to Business Associates, like the Claims Administrator, who are hired by the Plan or the Plan Sponsor to assist or carry out the terms of the Plan. In addition, these Business Associates may receive PHI from third-parties or create PHI about you in the course of carrying out the terms of the Plan. The Plan and the Plan Sponsor must require all Business Associates and Subcontractors to agree in writing that they will protect your PHI against inappropriate use or disclosure, and will require their Subcontractors to do so, too.
For purposes of this Notice, all actions of the Plan Sponsor and the Business Associates that are taken on behalf of the Plan are considered actions of the Plan. For example, health information maintained in the files of the Claims Administrator is considered maintained by the Plan. So, when this Notice refers to the Plan taking various actions with respect to health information, those actions may be taken by the Plan Sponsor or a Business Associate on behalf of the Plan.
How the plan may use or disclose your PHI
The Plan may use and disclose your PHI for the following purposes without obtaining your authorization.
Your Health Care Treatment: The Plan may disclose your PHI for treatment (as defined in applicable federal rules) activities of a health care provider.
Example: If your doctor requested information from the Plan about previous claims under the Plan to assist in treating you, the Plan could disclose your PHI for that purpose.
Example: The Plan might disclose information about your prior prescriptions to a pharmacist for the pharmacist’s reference in determining whether a new prescription may be harmful to you.
Making or Obtaining Payment for Health Care or Coverage: The Plan may use or disclose your PHI for payment (as defined in applicable federal rules) activities, including making payment to or collecting payment from third-parties, such as health care providers and other health plans.
Example: The Plan will receive bills from physicians for medical care provided to you that will contain your PHI. The Plan will use this PHI, and create PHI about you, in the course of determining whether to pay, and paying, benefits with respect to such a bill.
Example: The Plan may consider and discuss your medical history with a health care provider to determine whether a particular treatment for which Plan benefits are or will be claimed is medically necessary as defined in the Plan.
The Plan’s use or disclosure of your PHI for payment purposes may include uses and disclosures for the following purposes, among others.
- Obtaining payments required for coverage under the Plan
- Determining or fulfilling its responsibility to provide coverage and/or benefits under the Plan, including eligibility determinations and claims adjudication
- Obtaining or providing reimbursement for the provision of health care (including coordination of benefits, subrogation, and determination of cost sharing amounts)
- Claims management, collection activities, obtaining payment under a stop-loss insurance policy, and related health care data processing
- Reviewing health care services to determine medical necessity, coverage under the Plan, appropriateness of care, or justification of charges
- Utilization review activities, including pre-certification and preauthorization of services, concurrent and retrospective review of services
The Plan also may disclose your PHI for purposes of assisting other health plans (including other health plans sponsored by the Plan Sponsor), health care providers, and health care clearinghouses with their payment activities, including activities like those listed above with respect to the Plan.
Health Care Operations: The Plan may use and disclose your PHI for health care operations (as defined in applicable federal rules) which includes a variety of facilitating activities.
Example: If claims you submit to the Plan indicate that you have diabetes or another chronic condition, the Plan may use and disclose your PHI to refer you to a disease management program.
Example: If claims you submit to the Plan indicate that the stop-loss coverage that the Plan Sponsor has purchased in connection with the Plan may be triggered, the Plan may use or disclose your PHI to inform the stop-loss carrier of the potential claim and to make any claim that ultimately applies.
The Plan’s use and disclosure of your PHI for health care operations purposes may include uses and disclosures for the following purposes.
- Quality assessment and improvement activities
- Disease management, case management and care coordination
- Activities designed to improve health or reduce health care costs
- Contacting health care providers and patients with information about treatment alternatives
- Accreditation, certification, licensing or credentialing activities
- Fraud and abuse detection and compliance programs
The Plan also may use or disclose your PHI for purposes of assisting other health plans (including other plans sponsored by the Plan Sponsor), health care providers and health care clearinghouses with their health care operations activities that are like those listed above, but only to the extent that both the Plan and the recipient of the disclosed information have a relationship with you and the PHI pertains to that relationship.
The Plan’s use and disclosure of your PHI for health care operations purposes may include uses and disclosures for the following additional purposes, among others.
- Underwriting, premium rating and performing related functions to create, renew or replace insurance related to the Plan
The Plan’s Use or Disclosure of GINA Protected Health Information is Prohibited
If the Plan would use PHI for underwriting purposes, the Plan is prohibited from using genetic information protected by the Genetic Information Nondiscrimination Act (GINA) for underwriting purposes. “Genetic information” generally means (1) an individual’s genetic tests, (2) the genetic tests of an individual’s family members, (3) the manifestation of a disease or disorder in an individual’s family members (i.e., family medical history), or (4) any request for, or receipt of, genetic services. A “genetic test” is an analysis of human DNA, RNA, chromosomes, proteins or metabolites that detects genotypes, mutations or chromosomal changes. “Genetic services” means (1) a genetic test, (2) genetic counseling or (3) genetic education.
- Planning and development, such as cost-management analyses
- Conducting or arranging for medical review, legal services, and auditing functions
- Business management and general administrative activities, including implementation of, and compliance with, applicable laws, and creating de- identified health information or a limited data set
The Plan also may use or disclose your PHI for purposes of assisting other health plans sponsored by the Plan Sponsor, and any insurers and/or HMOs with respect to those plans, with their health care operations activities similar to both categories listed above.
Limited Data Set: The Plan may disclose a limited data set to a recipient who agrees in writing that the recipient will protect the limited data set against inappropriate use or disclosure. A limited data set is health information about you and/or others that omits your name and Social Security Number and certain other identifying information.
Legally Required: The Plan will use or disclose your PHI to the extent required to do so by applicable law. This may include disclosing your PHI in compliance with a court order, or a subpoena or summons. In addition, the Plan must allow the Department of Health and Human Services to audit Plan records.
Health or Safety: When consistent with applicable law and standards of ethical conduct, the Plan may disclose your PHI if the Plan, in good faith, believes that such disclosure is necessary to prevent or lessen a serious and imminent threat to your health or the health and safety of others.
Law Enforcement: The Plan may disclose your PHI to a law enforcement official if the Plan believes in good faith that your PHI constitutes evidence of criminal conduct that occurred on the premises of the Plan. The Plan also may disclose your PHI for limited law enforcement purposes.
Lawsuits and Disputes: In addition to disclosures required by law in response to court orders, the Plan may disclose your PHI in response to a subpoena, discovery request or other lawful process, but only if certain efforts have been made to notify you of the subpoena, discovery request or other lawful process or to obtain an order protecting the information to be disclosed.
Workers’ Compensation: The Plan may use and disclose your PHI when authorized by and to the extent necessary to comply with laws related to workers’ compensation or other similar programs.
Emergency Situation: The Plan may disclose your PHI to a family member, friend, or other person, for the purpose of helping you with your health care or payment for your health care, if you are in an emergency medical situation and you cannot give your agreement to the Plan to do this.
Personal Representatives: The Plan will disclose your PHI to your personal representatives appointed by you or designated by applicable law (a parent acting for a minor child, or a guardian appointed for an incapacitated adult, for example) to the same extent that the Plan would disclose that information to you.
Public Health: To the extent that other applicable law does not prohibit such disclosures, the Plan may disclose your PHI for purposes of certain public health activities, including, for example, reporting information related to an FDA-regulated product’s quality, safety or effectiveness to a person subject to FDA jurisdiction.
Health Oversight Activities: The Plan may disclose your PHI to a public health oversight agency for authorized activities, including audits, civil, administrative or criminal investigations; inspections; licensure or disciplinary actions.
Coroner, Medical Examiner, or Funeral Director: The Plan may disclose your PHI to a coroner or medical examiner for the purposes of identifying a deceased person, determining a cause of death or other duties as authorized by law. Also, the Plan may disclose your PHI to a funeral director, consistent with applicable law, as necessary to carry out the funeral director’s duties.
Organ Donation: The Plan may use or disclose your PHI to assist entities engaged in the procurement, banking, or transplantation of cadaver organs, eyes, or tissue.
Specified Government Functions: In specified circumstances, federal regulations may require the Plan to use or disclose your PHI to facilitate specified government functions related to the military and veterans, national security and intelligence activities, protective services for the president and others, and correctional institutions and inmates.
Authorization to Use or Disclose Your PHI:
Except as stated above, the Plan will not use or disclose your PHI unless it first receives written authorization from you. For example, the following uses and disclosure of PHI will only be made with your authorization: (i) most uses and disclosures of psychotherapy notes (if recorded by the Plan), (ii) uses and disclosures of PHI for marketing purposes, including subsidized treatment communications, (iii) disclosures that constitute a sale of PHI; and (iv) other uses and disclosure not described in this Notice of Privacy Practices. If you authorize the Plan to use or disclose your PHI, you may revoke that authorization in writing at any time, by sending notice of your revocation to the contact person named at the end of this Notice. To the extent that the Plan has taken action in reliance on your authorization (entered into an agreement to provide your PHI to a third-party, for example) you cannot revoke your authorization.
The Plan May Contact You:
The Plan may contact you for various reasons, usually in connection with claims and payments and usually by mail.
You should note that the Plan may contact you about treatment alternatives or other health-related benefits and services that may be of interest to you.
Your rights with respect to your PHI
Confidential Communication by Alternative Means: The Plan will accommodate a reasonable request to communicate with you by alternative means or at alternative locations. For example, you might request the Plan to communicate with you only at a particular address. If you wish to request confidential communications, you must make your request in writing to the contact person named at the end of this Notice.
Request Restriction On Certain Uses and Disclosures: You may request the Plan to restrict the uses and disclosures it makes of your PHI. The Plan is required to agree to a restriction on the disclosure to a health plan for payment or health care operations purposes and the PHI pertains solely to self-pay services for which you paid the health care provider out-of-pocket and in-full unless the Plan is required by law to make a disclosure. In other situations, the Plan is not required to agree to a restriction. If it does agree to your requested restriction, the Plan is bound by that agreement, unless the information is needed in an emergency situation. There are some restrictions, however, that are not permitted even with the Plan’s agreement. To request a restriction, please submit your written request to the contact person identified at the end of this Notice. In the request please specify: (1) what information you want to restrict; (2) whether you want to limit the Plan’s use of that information, its disclosure of that information, or both; and (3) to whom you want the limits to apply (a particular physician, for example). The Plan will notify you if it agrees to a requested restriction on how your PHI is used or disclosed. You should not assume that the Plan has accepted a requested restriction until the Plan confirms its agreement to that restriction in writing.
Paper Copy of This Notice: You have a right to request and receive a paper copy of this Notice at any time, even if you received this Notice previously, or have agreed to receive this Notice electronically. To obtain a paper copy please call or write the contact person named at the end of this Notice.
Right to Access Your PHI: You have a right to access your PHI in the Plan’s enrollment, payment, claims adjudication and case management records, or in other records used by the Plan to make decisions about you, in order to inspect it and obtain a copy of it. This applies to PHI that is maintained in traditional medical records and to electronic copies. If you request an electronic copy of PHI that is maintained electronically in a Designated Record Set, the Plan must provide access in the form and format requested, or in another agreed-upon format and may charge you a reasonable, cost-based fee. Your request for access to this PHI should be made in writing to the contact person named at the end of this Notice. The Plan may deny your request for access, for example, if you request information compiled in anticipation of a legal proceeding. If access is denied, you will be provided with a written notice of the denial, a description of how you may exercise any review rights you might have, and a description of how you may complain to the Plan or the Secretary of Health and Human Services.
Right to Amend: You have the right to request amendments to your PHI in the Plan’s records if you believe that it is incomplete or inaccurate. A request for amendment of PHI in the Plan’s records should be made in writing to the contact person named at the end of this Notice. The Plan may deny the request if it does not include a reason to support the amendment. The request also may be denied if, for example, your PHI in the Plan’s records was not created by the Plan, if the PHI you are requesting to amend is not part of the Plan's records, or if the Plan determines the records containing your health information are accurate and complete. If the Plan denies your request for an amendment to your PHI, it will notify you of its decision in writing, providing the basis for the denial, information about how you can include information on your requested amendment in the Plan’s records, and a description of how you may complain to the Plan or the Secretary of Health and Human Services.
Accounting: You have the right to receive an accounting of certain disclosures made of your health information. Most of the disclosures that the Plan makes of your PHI are not subject to this accounting requirement because routine disclosures (those related to payment of your claims, for example) generally are excluded from this requirement. Also, disclosures that you authorize, or that occurred prior to April 14, 2003, are not subject to this requirement. However, if PHI is maintained in an electronic medical record, you have a right to receive an accounting for disclosures that occurred prior to three years from the date of your written request. To request an accounting of disclosures of your PHI, you must submit your request in writing to the contact person named at the end of this Notice. Your request must state a time period which may not be longer than six years and may not include dates before April 14, 2003. Your request should indicate in what form you want the accounting to be provided (for example on paper or electronically). The first list you request within a 12-month period will be free. If you request more than one accounting within a 12-month period, the Plan may charge a reasonable, cost-based fee for each subsequent accounting.
Personal Representatives: You may exercise your rights through a personal representative. Your personal representative will be required to produce evidence of his/her authority to act on your behalf before that person will be given access to your PHI or allowed to take any action for you. The Plan retains discretion to deny a personal representative access to your PHI to the extent permissible under applicable law.
Right to Consent or Opt-Out of Certain Communications for Purposes of Marketing or Fundraising: The Plan will give you the opportunity to opt out of communications regarding fundraising and marketing designed to encourage the purchase of a product or service. The Plan will inform you how to consent or opt-out with each communication. However, the Plan will continue to communicate with you via newsletters, mailing, or other means regarding treatment options, health related information, disease management programs, wellness programs or other community based initiatives or activities in which the Plan participates. The Plan will not receive payment from a third party in exchange for communicating with our members nor will the Plan sell PHI without your specific advance authorization.
Right to a Notice of a Breach of Unsecured PHI: In the event that there is a breach or unauthorized acquisition, access, use or disclosure of your PHI, which compromises the security or privacy of such PHI, the Plan is required to undertake a risk assessment. Unless there is a low probability that PHI has been compromised, the Plan is required to notify you and the Department of Health and Human Services. Within 60 days of the discovery of a breach, the Plan will provide notice via first class main to your last known address, unless you have requested an alternative means of communication. We will describe what happened and the date of the breach, a description of the information involved in the breach, the steps you should take to protect yourself, and a description of our investigation and mitigation efforts. However, the Plan’s obligation to notify you does not apply in certain circumstances where the breach was unintentional or inadvertent by an authorized person or business associate and not further used or disclosed, or where an unauthorized person to whom the information was disclosed would not reasonable be able to retain the information. We will also provide you with contact information so that you can reach us.
Right to Have Your PHI Sent to Third Parties: You have the right to ask the Plan to send your PHI to a third party if you give us a name and address and may charge you a reasonable, cost-based fee.
Complaints: If you believe that your privacy rights have been violated, you have the right to express complaints to the Plan and to the Secretary of the Department of Health and Human Services. Any complaints to the Plan should be made in writing to the contact person named at the end of this Notice. The Plan encourages you to express any concerns you may have regarding the privacy of your information. You will not be retaliated against in any way for filing a complaint.
The Plan has designated Juanita Deloach, Benefits Manager as its Privacy Officer as its Privacy Contact for all issues regarding the Plan’s privacy practices and your privacy rights. You can reach these persons by the following methods: