HIPAA

HIPAA Privacy Notice

Background: Under HIPAA's final regulations (45 CFR Parts 160 and 164), "covered entities" (e.g., health plans) are required to provide a notice of their privacy practices for protected health information (PHI). The notice must be issued to individuals whose PHI will be used or maintained by the covered entity. Group health plans must provide a notice no later than the regulations' compliance date - April 14, 2003. Small health plans (i.e., those with annual receipts of $5 million or less) have until April 14, 2004 to comply.

After the compliance date, notices must be provided at enrollment time and to all enrollees within 60 days after the notice is materially changed. Also, plans must provide notice of the availability of the privacy notice at least once every three (3) years.

Administration: Self-funded plans must issue their own privacy notices. However, the privacy rule allows self-funded plans to contract this function out to their third party administrators (TPAs), or HIPAA "business associates." If a plan arranges for another entity to distribute the notice on its behalf and the plan participants do not receive it, the plan will be in violation of the privacy rule.

For fully insured plans, the obligation to issue a notice rests with the insurer. If the employer as plan sponsor has access to PHI (other than enrollment information), the plan must maintain a notice and provide it upon request. However, if the employer has no access to PHI (other than enrollment information), an insured plan need not maintain a notice or provide it upon request.

The notice requirement is satisfied by providing a single notice to each covered employee of the plan sponsor, regardless of the number enrolled dependents. Plans may distribute the notice in writing [e.g., in Open Enrollment materials, Summary Plan Descriptions (SPDs), etc.] or electronically. Electronic distribution requires prior plan participant approval, but no particular form of agreement is needed. Individuals who agree to electronic distribution retain the right to receive hard copy of the notice upon request.

Instructions: Except for a standard header and the use of plain language, the rule does not prescribe a model notice or format. All notices must, however, describe when an individual's authorization to use or disclose PHI is not required, when PHI will be disclosed to a health plan sponsor, and certain other information. Within this framework, the notice may adapted to conform to individual plans' privacy policies.

Before being issued by their health plans, plan sponsors should have their legal department review and approve this notice. Aon Consulting does not practice law.

THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.

Summary: The Health Insurance Portability and Accountability Act of 1996 (HIPAA) requires health plans to notify plan participants and beneficiaries about its policies and practices to protect the confidentiality of their health information. This document is intended to satisfy HIPAA's notice requirement with respect to all health information created, received, or maintained by Carleton College’s group health plan (the "Plan"), as sponsored by the college.

The Plan needs to create, receive, and maintain records that contain health information about you to administer the Plan and provide you with health care benefits. This notice describes the Plan’s health information privacy policy with respect to your Health Care Flexible Spending Arrangement (FSA) and Employee Assistance Plan (EAP) benefits. The notice tells you the ways the Plan may use and disclose health information about you, describes your rights, and the obligations the Plan has regarding the use and disclosure of your health information. However, it does not address the health information policies or practices of your health care providers.

Carleton College’s Pledge Regarding Health Information Privacy

The privacy policy and practices of the Plan protects confidential health information that identifies you or could be used to identify you and relates to a physical or mental health condition or the payment of your health care expenses. This individually identifiable health information is known as "protected health information" (PHI). Your PHI will not be used or disclosed without a written authorization from you, except as described in this notice or as otherwise permitted by federal and state health information privacy laws.

Privacy Obligations of the Plan

The Plan is required by law to:

• make sure that health information that identifies you is kept private;

• give you this notice of the Plan’s legal duties and privacy practices with respect to health information about you; and

• follow the terms of the notice that is currently in effect.

How the Plan May Use and Disclose Health Information About You

The following are the different ways the Plan may use and disclose your PHI:

• For Treatment. The Plan may disclose your PHI to a health care provider who renders treatment on your behalf. For example, if you are unable to provide your medical history as the result of an accident, the Plan may advise an emergency room physician about the types of prescription drugs you currently take.

• For Payment. The Plan may use and disclose your PHI so claims for health care treatment, services, and supplies you receive from health care providers may be paid according to the Plan's terms. For example, the Plan may receive and maintain information about surgery you received to enable the Plan to process a hospital’s claim for reimbursement of surgical expenses incurred on your behalf.

• For Health Care Operations. The Plan may use and disclose your PHI to enable it to operate or operate more efficiently or make certain all of the Plan’s participants receive their health benefits. For example, the Plan may use your PHI for case management or to perform population-based studies designed to reduce health care costs. In addition, the Plan may use or disclose your PHI to conduct compliance reviews, audits, actuarial studies, and/or for fraud and abuse detection. The Plan may also combine health information about many Plan participants and disclose it to the college in summary fashion so it can decide what coverages the Plan should provide. The Plan may remove information that identifies you from health information disclosed to the college so it may be used without the college learning who the specific participants are.

• To the College. The Plan may disclose your PHI to designated college personnel so they can carry out their Plan-related administrative functions, including the uses and disclosures described in this notice. Such disclosures will be made only to the college’s the Plan Administrator and/or the members of the college’s Human Resources Department and the Office of the Controller. These individuals will protect the privacy of your PHI and ensure it is used only as described in this notice or as permitted by law. Unless authorized by you in writing, your PHI: (1) may not be disclosed by the Plan to any other college employee or department and (2) will not be used by the college for any employment-related actions and decisions or in connection with any other employee benefit plan sponsored by the college.

• To a Business Associate. Certain services are provided to the Plan by third party administrators known as "business associates." For example, the Plan may input information about your health care treatment into an electronic claims processing system maintained by the Plan's business associate so your claim may be paid. In so doing, the Plan will disclose your PHI to its business associate so it can perform its claims payment function. However, the Plan will require its business associates, through contract, to appropriately safeguard your health information.

• Treatment Alternatives. The Plan may use and disclose your PHI to tell you about possible treatment options or alternatives that may be of interest to you.

• Health-Related Benefits and Services. The Plan may use and disclose your PHI to tell you about health-related benefits or services that may be of interest to you.

• Individual Involved in Your Care or Payment of Your Care . The Plan may disclose PHI to a close friend or family member involved in or who helps pay for your health care. The Plan may also advise a family member or close friend about your condition, your location (for example, that you are in the hospital), or death.

• As Required by Law. The Plan will disclose your PHI when required to do so by federal, state, or local law, including those that require the reporting of certain types of wounds or physical injuries.

Special Use and Disclosure Situations

The Plan may also use or disclose your PHI under the following circumstances:

• Lawsuits and Disputes. If you become involved in a lawsuit or other legal action, the Plan may disclose your PHI in response to a court or administrative order, a subpoena, warrant, discovery request, or other lawful due process.

• Law Enforcement. The Plan may release your PHI if asked to do so by a law enforcement official, for example, to identify or locate a suspect, material witness, or missing person or to report a crime, the crime's location or victims, or the identity, description, or location of the person who committed the crime.

• Workers’ Compensation. The Plan may disclose your PHI to the extent authorized by and to the extent necessary to comply with workers' compensation laws other similar programs.

• Military and Veterans. If you are or become a member of the U.S. armed forces, the Plan may release medical information about you as deemed necessary by military command authorities.

• To Avert Serious Threat to Health or Safety. The Plan may use and disclose your PHI when necessary to prevent a serious threat to your health and safety, or the health and safety of the public or another person.

• Public Health Risks. The Plan may disclose health information about you for public heath activities. These activities include preventing or controlling disease, injury or disability; reporting births and deaths; reporting child abuse or neglect; or reporting reactions to medication or problems with medical products or to notify people of recalls of products they have been using.

• Health Oversight Activities. The Plan may disclose your PHI to a health oversight agency for audits, investigations, inspections, and licensure necessary for the government to monitor the health care system and government programs.

• Research. Under certain circumstances, the Plan may use and disclose your PHI for medical research purposes.

• National Security, Intelligence Activities, and Protective Services. The Plan may release your PHI to authorized federal officials: (1) for intelligence, counterintelligence, and other national security activities authorized by law and (2) to enable them to provide protection to the members of the U.S. government or foreign heads of state, or to conduct special investigations.

• Organ and Tissue Donation. If you are an organ donor, the Plan may release medical information to organizations that handle organ procurement or organ, eye, or tissue transplantation or to an organ donation bank to facilitate organ or tissue donation and transplantation.

• Coroners, Medical Examiners, and Funerals Directors. The Plan may release your PHI to a coroner or medical examiner. This may be necessary, for example, to identify a deceased person or to determine the cause of death. The Plan may also release your PHI to a funeral director, as necessary, to carry out his/her duty.

Your Rights Regarding Health Information About You

Your rights regarding the health information the Plan maintains about you are as follows:

• Right to Inspect and Copy. You have the right to inspect and copy your PHI. This includes information about your plan eligibility, claim and appeal records, and billing records, but does not include psychotherapy notes.

To inspect and copy health information maintained by the Plan, submit your request in writing to the Plan Administrator. The Plan may charge a fee for the cost of copying and/or mailing your request. In limited circumstances, the Plan may deny your request to inspect and copy your PHI. Generally, if you are denied access to health information, you may request a review of the denial.

• Right to Amend. If you feel that health information the Plan has about you is incorrect or incomplete, you may ask the Plan to amend it. You have the right to request an amendment for as long as the information is kept by or for the Plan.

To request an amendment, send a detailed request in writing to the Plan Administrator. You must provide the reason(s) to support your request. The Plan may deny your request if you ask the Plan to amend health information that was: accurate and complete, not created by the Plan; not part of the health information kept by or for the Plan; or not information that you would be permitted to inspect and copy.

• Right to An Accounting of Disclosures. You have the right to request an "accounting of disclosures." This is a list of disclosures of your PHI that the Plan has made to others, except for those necessary to carry out health care treatment, payment, or operations; disclosures made to you; or in certain other situations.

To request an accounting of disclosures, submit your request in writing to the Plan Administrator. Your request must state a time period, which may not be longer than six years prior to the date the accounting was requested.

• Right to Request Restrictions. You have the right to request a restriction on the health information the Plan uses or disclosures about you for treatment, payment, or health care operations. You also have the right to request a limit on the health information the Plan discloses about you to someone who is involved in your care or the payment for your care, like a family member or friend. For example, you could ask that the Plan not use or disclose information about a surgery you had.

To request restrictions, make your request in writing to the Plan Administrator. You must advise us: (1) what information you want to limit; (2) whether you want to limit the Plan’s use, disclosure, or both; and (3) to whom you want the limit(s) to apply.

Note: The Plan is not required to agree to your request.

• Right to Request Confidential Communications. You have the right to request that the Plan communicate with you about health matters in a certain way or at a certain location. For example, you can ask that the Plan send you explanation of benefits (EOB) forms about your benefit claims to a specified address.

To request confidential communications, make your request in writing to the Plan Administrator. The Plan will make every attempt to accommodate all reasonable requests. Your request must specify how or where you wish to be contacted.

• Right to a Paper Copy of this Notice. You have the right to a paper copy of this notice. You may write to the Plan Administrator to request a written copy of this notice at any time.

Changes to this Notice

The Plan reserves the right to change this notice at any time and to make the revised or changed notice effective for health information the Plan already has about you, as well as any information the Plan receives in the future. The Plan will post a copy of the current notice in the college’s Benefits Office at all times.

Complaints

If you believe your privacy rights under this policy have been violated, you may file a written complaint with the Plan Administrator at the address listed below. Alternatively, you may complain to the Secretary of the U.S. Department of Health and Human Services, generally, within 180 days of when the act or omission complained of occurred.

Note: You will not be penalized or retaliated against for filing a complaint.

Other Uses and Disclosures of Health Information

Other uses and disclosures of health information not covered by this notice or by the laws that apply to the Plan will be made only with your written authorization. If you authorize the Plan to use or disclose your PHI, you may revoke the authorization, in writing, at any time. If you revoke your authorization, the Plan will no longer use or disclosure your PHI for the reasons covered by your written authorization; however, the Plan will not reverse any uses or disclosures already made in reliance on your prior authorization.

Contact Information

If you have any questions about this notice, please contact:

Privacy Official and Contact Person:
Kerstin Cardenas
Director of Human Resources
507-222-4068
kcardena@carleton.edu

Notice Effective Date: April 2004