PRIVACY STATEMENT: USE AND DISCLOSURE OF PROTECTED HEALTH INFORMATION
THIS NOTICE DESCRIBES HOW MEDICAL AND DENTAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
Use and disclosure of Protected Health Information (PHI).
PHI is any individually identifiable health information that is transmitted or maintained by electronic media, or in any other form or medium. It is information that is created or received by your health care provider, health plan, or Participating Employer which relates to your past, present, or future (1) physical or mental health or condition; (2) receipt of health care; or (3) payment for health care and which identifies you as an individual or creates a reasonable basis to believe the information can be used to identify you.
This Plan’s will use PHI only to the extent and in accordance with the uses and disclosures permitted by the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Specifically, our Plan will use and disclose protected health information for purposes related to health care treatment, payment for health care and health care operations.
“Payment” includes activities undertaken by our Plan to obtain premium payments or determine or fulfill its responsibility for coverage and provision of Plan benefits that relate to an individual to whom health care is provided. For example, our Plan may share information about you with your separate dental Benefit to coordinate payment for your dental work. Payment activities include, but are not limited to, the following:
- Determination of eligibility, coverage, and cost sharing amounts (e.g., cost of a benefit, plan maximums, and copayments as determined for your claim);
- Coordination of benefits;
- Adjudication of health benefit claims (including appeals and other payment disputes);
- Subrogation of health benefit claims;
- Establishing employee contributions;
- Risk adjusting amounts due based on enrollee health status and demographic characteristics;
- Billing, collection activities and related health care data processing;
- Claims management and related health care data processing, including auditing payments, investigating and resolving payment disputes and responding to your (and your authorized representatives’) inquiries about payments;
- Obtaining payment under a contract for reinsurance (including stop-loss and excess of loss insurance);
- Medical necessity reviews, or reviews of appropriateness of care or justification of charges;
- Utilization review, including pre-certification, pre-authorization, concurrent review and retrospective review;
- Disclosure of consumer reporting agencies related to collection of premiums or reimbursement (the following PHI may be disclosed for payment purposes: name and address, date of birth, SSN, payment history, account number, and name and address of the provider and/or health plan);
- Reimbursement to our Plan.
“Health Care Operations” consist of activities necessary to run our organization. For example, we may use health information about you to develop better services for you. Health Care Operations include, but are not limited to, the following activities:
- Quality Assessment.
- Population-based activities relating to improving health or reducing health care costs, protocol development, case management and care coordination, disease management, contacting of healthcare providers and patients with information about treatment alternatives; and related functions.
- Rating provider and Plan performance, including accreditation, certification, licensing, or credentialing activities.
- Underwriting, premium rating, and other activities relating to the creation, renewal or replacement of a contract of health insurance or health benefits, and ceding, securing, or placing a contract of reinsurance of risk relating to claims for health care (including stop-loss insurance and excess of loss insurance).
- Conducting or arranging for medical review, legal services, and auditing functions, including fraud and abuse detection and compliance programs. Business planning and development, such as conducting cost-management and planning-related analyses related to managing and operating the entity, including formulary development ad administrations, development or improvement of methods of payment or coverage policies.
- Business management and general administrative activities of our Plan, including, but not limited to:
- Management activities relating to implementation of and compliance with the requirements of HIPAA Administrative Simplification
- Customer service, including the provision of data analyses for policyholders or Participating Employers; and
- Resolution of internal grievances.
- Due diligence in connection with the sale or transfer of assets to a potential successor in interest, if the potential successor in interest is a covered entity or, following completion of the sale or transfer, will become a covered entity.
HIPAA allows a Plan to disclose for certain purposes other than payment, health care operations and those required by law if our Plan includes a description of such additional uses/disclosures in its Notice of Privacy Practice. The following are examples of such uses/disclosures for our Plan to consider including:
Other Disclosures. In addition to the above, HIPAA allows a Plan to disclose for certain purposes other than payment, health care operations and those required by law if our Plan includes a description of such additional uses/disclosures in its Notice of Privacy Practice. The following are examples of such uses/disclosures for our Plan to consider including:
- Public Health and Health Oversight Activities. This Plan may disclose your PHI to public health authorities that are authorized by state, federal or local law to collect information for purposes such as preventing or controlling disease, injury or disability or notification of exposure to communicable diseases. This Plan may also disclose your PHI to a federal, state or local agency required by law to oversee, license, inspect or investigate programs where health related information is collected or used.
- Lawsuits or Similar Proceedings. This Plan may disclose your PHI in response to a court order or an administrative order. This Plan may also disclose your PHI in response to a subpoena or other type of lawful request from an attorney involved in a lawsuit, or from a government agency or investigator involved in an administrative proceeding. In the case of a subpoena or other lawful request, our Plan is required to make sure you or your covered dependent are aware of the request or obtain an assurance that your PHI will be used appropriately.
- Law Enforcement. This Plan may disclose your relevant PHI in response to a court ordered warrant, subpoena or summons; a grand jury subpoena; or a civil investigative demand made by an agency or officer for legitimate law enforcement purpose.
- Coroners, Medical Examiners, and Funeral Directors. This Plan may disclose your PHI to a coroner or medical examiner for purposes of identifying a deceased person or determining the cause of death, or to a funeral director.
- Organ, Eye or Tissue Donation. This Plan may disclose your PHI to facilitate organ, eye or tissue donation or transplantation as allowed by the state’s organ procurement laws.
- Threats to Public Health. This Plan may be required to disclose limited PHI to the extent our Plan in good faith determines such disclosure is necessary to prevent or lessen a serious and imminent threat to public health or safety, or to the health or safety of a specific individual.
- Specialized Government Functions. This Plan may be required to disclose your PHI to the United States or a State government if you or your covered dependent are an active or veteran member of the military, seeking a government security clearance or permission to travel abroad, if you or your covered dependent are in lawful custody, or if the government requires such information to conduct lawful national security activities.
- Worker’s Compensation. This Plan may disclose your PHI as authorized by the state’s workers’ compensation laws.
No Disclosures Other Than As Permitted by Law. This Plan will use and disclose PHI as required by law and as permitted by your written authorization. Only with your written authorization will our Plan disclose PHI to pension plans, disability plans, workers’ compensation insurers, etc.) for purposes related to administration of these plans.
No Sale or Marketing. This Plan will never sell your PHI or use your PHI for marketing purposes without your prior, written permission.
Disclosures to MIT. For purposes of this section, MIT is the Plan Sponsor. To the extent that PHI is disclosed to MIT, SCMA, MIT has agreed to:
- Not use or further disclose the information other than as permitted or required by the SPD or as required by law;
- Ensure that any agents, including a subcontractor, to whom MIT provides PHI received from our Plan agree to the same restrictions and conditions that apply to MIT with respect to such information;
- Not use or disclose the information for employment-related actions and decisions unless authorized by the individual in writing;
- Not use or disclose the information in connection with any other benefit or employee benefit plan of MIT unless authorized by the individual in writing;
- Report to our Plan any use or disclosure of the PHI that is inconsistent with the uses or disclosures provided for of which MIT becomes aware;
- Make PHI available to the individual in accordance with the access requirements of HIPAA;
- Make PHI available for amendment and incorporate any amendments to PHI in accordance with HIPAA;
- Make available the information required to provide an accounting of disclosures;
- Make internal practices, books, and records relating to the use and disclosure of PHI received from our Plan available to the Secretary of HHS for the purposes of determining our Plan’s compliance with HIPAA. If feasible, return or destroy all PHI received from our Plan that MIT still maintains in any form and retain no copies of such information when no longer needed for the purpose for which disclosure was made. If return or destruction is not feasible, limit further uses and disclosures to those purposes that make the return or destruction infeasible.
Disclosures to Participating Employers. Under no circumstances will your PHI be shared with your Participating Employer, except where you have specifically authorized such release in writing or where such information has been de-identified in accordance with HIPAA so that your information is no longer capable of being attributed to you.
Adequate Separation. Adequate separation between our Plan and MIT must be maintained. Therefore, in accordance with HIPAA, only the following employees or classes of employees may be given access to PHI.
|· SCMA or MIT staff designated by MIT||· MIT Marketing Services Manager|
|· MIT Vice President||· MIT Board of Trustees|
|· MIT Director of Operations||· SCMA Vice President of Information Technology|
|· MIT Insurance Coordinator||· CEO|
|· SCMA Executive Director|
The persons described above may only have access to and use and disclose PHI for Plan administration functions that MIT performs for our Plan. If the persons described above do not comply with our Plan document, MIT shall provide a mechanism for resolving issues of noncompliance, including disciplinary sanctions.
Hybrid Entity Designation. For purposes of complying with the HIPAA privacy rules, our Plan is a “Hybrid Entity” because it has both health plan and non-health plan functions. This Plan designates that its health care components that are covered by the privacy rules include only health benefits and no other plan functions or benefits.
Your Rights. You may make a written request to our Plan to do one or more of the following concerning your PHI that our Plan maintains:
- To put additional restrictions on our Plan’s use and disclosure of your PHI for payment, health care operations, or to someone who is involved in your care or the payment for it. Except in limited circumstances, our Plan does not have to agree to your request.
- To ask our Plan to communicate with you in confidence about your PHI by a different means or at a different location than our Plan is currently using. This Plan will consider and accommodate reasonable requests. Your request must specify the alternative means or location to communicate with you in confidence.
- To see and get copies of your PHI that is created or maintained by our Plan or its business associates. For any portion of your health record maintained in an electronic health record, you may request we provide that information to you in an electronic format. If you make that request, we are required to provide that information to you electronically. In limited cases, our Plan does not have to agree to your request.
- To correct your PHI that is created or maintained by our Plan. In some cases, our Plan does not have to agree to your request but will respond in writing within 60 days.
- To receive a list of disclosures of your PHI that our Plan and its business associates made for the last 6 years (but not for disclosures made before April 14, 2004, and subject to Section 13405(c) of the HITECH Act). This Plan is not required to list disclosures made for treatment, payment or health care operations (except when required by, and upon the effective date of, Section 13405(c) of the HITECH Act), or disclosures made with your authorization. We will provide one accounting a year for free but will charge a reasonable, cost-based fee if you ask for another one within 12 months.
- To send you a paper copy of this notice even if you have previously agreed to receive this notice by e-mail or on the internet.
- To be notified if there is a breach to the security or privacy of your PHI due to your information being unsecured. We are required to notify you within 60 days of discovery of a breach.
If you want to exercise any of these rights described in this Notice, please contact the designated MIT Contact at the address provided below. He or she will give you the necessary information and forms for you to complete and return. In some cases, our Plan may charge you a nominal, cost-based fee to carry out your request.
Complaints. If you believe your privacy rights have been violated by our Plan, you have the right to complain to our Plan or to the Secretary of the U.S. Department of Health and Human Services. You may file a complaint with the MIT Contact designated below, or ask for the address of the appropriate regional office of the Secretary of the USDHHS. Neither our Plan, MIT nor your Participating Employer will retaliate against you if you choose to file a complaint.
Contact Office. To request additional copies of this notice or to receive more information about our privacy practices or to exercise any of your rights, including your right to file a complaint, please contact our Plan at the following Contact Office:
Contact Office: SCMA Members’ Insurance Trust
Privacy Officer: Chief Legal Officer
Address: P.O. Box 11188, Columbia, SC 29221
Security Protections. MIT has taken the following steps to protect your PHI:
- Implemented administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of electronic PHI that it creates, receives, maintains, or transmits on behalf of the group health plan.
- Ensured that the adequate separation as discussed above, specific to electronic PHI, is supported by reasonable and appropriate security measures,
- Ensured that any agent, including a subcontractor, to whom it provides electronic PHI agrees to implement reasonable and appropriate security measures to protect the electronic PHI, and
- Reports to our Plan a security incident of which it becomes aware concerning electronic PHI.