HIPAA, Notice of Privacy Practices
THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THE INFORMATION. PLEASE REVIEW IT CAREFULLY.
This Notice of Privacy Practices ("NPP") is made in compliance with the Standards for Privacy of Individually Identifiable Health Information (the "Privacy Standards") established by the United States Department of Health and Human Services ("DHHS") pursuant to the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"). This NPP summarizes the privacy practices of Syracuse University's Group Health Plans. The Privacy Standards shall control in the event of a discrepancy between this NPP and the Privacy Standards.
Syracuse University's Group Health Plans, which include, the Syracuse University Medical Benefits Plan; the Syracuse University Retiree Medical Benefits Plan; the Syracuse University Retiree Prescription Drug Plan; the Syracuse University Dental and Vision Benefits Plan, the Syracuse University Graduate Assistant Dental and Vision Benefits Plan; and the Syracuse University Health Care Reimbursement Plan (included within the Syracuse University Cafeteria Plan and Summary Plan Description; (collectively, the "Health Plans"), are required by law to maintain the privacy of your Protected Health Information ("PHI") as defined below, and to inform you, through this NPP, about:
- the Health Plans' duties with respect to your PHI;
- how the Health Plans may use and disclose your PHI;
- your privacy rights with respect to your PHI;
- your right to file a complaint with the Health Plans and with the Secretary of DHHS; and
- who to contact for further information about the Health Plans' privacy practices.
PHI, as defined by HIPAA, includes all individually identifiable information about you that is transmitted or maintained by the Health Plans, including demographic information, and includes information that is created or received by the Health Plans that relates to:
- your past, present or future physical or mental health or condition;
- the provision of health care services to you; or
- the past, present, or future payment for the provision of health care to you.
The Health Plans are required to abide by the terms of the NPP that is currently in effect for the Health Plans. The Health Plans reserve the right to revise or amend the terms of this NPP. Any revision or amendment will be effective for all records that the Health Plans have created or maintained in the past, and for any of your records that we may create or maintain in the future. You will be informed of any material changes made to this NPP. In addition, the Health Plans will post, at all times, a copy of its most current NPP online at http://supolicies.syr.edu/emp_ben/hipaa.htm
. You may also obtain a copy of the most current NPP at any time by calling the Syracuse University Office of Human Resources at 315.443.4042.
If you have any questions about this NPP or would like further information about HIPAA, please contact Human Resources at 315.443.4042.
HOW THE HEALTH PLANS MAY USE AND DISCLOSE YOUR PHI
HIPAA permits the Health Plans, its Business Associates, and their agents/subcontractors, if any, to use and/or disclose your PHI, without prior authorization, for the purposes of treatment, payment, and other health care operations of the Health Plans, which are described below. Consistent with the Genetic Information Nondiscrimination Act (GINA), the Health Plans are prohibited from using or disclosing genetic information for underwriting purposes. The Health Plans will disclose your PHI to its Business Associates only if it has received satisfactory assurances that the Business Associates will appropriately safeguard your PHI. HIPAA also permits the Health Plans to use and disclose of your PHI, without prior authorization, for other specific purposes that are also described below. For each category, a description and some examples of the permitted uses and/or disclosures has been provided. The following examples are illustrative and are not meant to be a complete description of the permitted uses and disclosures of the Health Plans.
- Treatment. The Health Plans may use and/or disclose your PHI to health care providers who are involved in your care and treatment. The Health Plans may use or disclose PHI about you to physicians, nurses, paraprofessionals, technicians, or other health care providers who are involved in your care and treatment. For example, we may disclose your PHI to a physician or a pharmacy to assist in the management of your health care.
- Payment. The Health Plans may use and/or disclose your PHI to fulfill its obligation for coverage and the provision of health benefits under the Health Plans. For example, the Health Plans may use or disclose PHI to obtain or provide reimbursement for the provision of health care. Payment includes, but is not limited to, actions relating to eligibility or coverage determinations, billing, claims management, collection activities, reviews for medical necessity determinations and appropriateness of care, utilization review and pre-authorizations.
- Health Care Operations. The Health Plans may use and/or disclose PHI in order to conduct its normal business operations. For example, the Health Plans may use your PHI to conduct quality assessment and improvement activities, population-based activities relating to improving or reducing health care costs, contacting health care providers and patients with information regarding treatment alternatives, reviewing the competence or qualifications of health care professionals, evaluating health plan performance, and other insurance related activities.
- Follow up Telephone Calls/Emails. The Health Plans may call you to follow up on care or treatment you received by a health care provider, or to ask questions relating to treatment, payment, or other health care operations of the Health Plans.
- Treatment Alternatives or Other Health-Related Benefits and Services. The Health Plans may use and/or disclose PHI to tell your health care providers about or recommend possible treatment alternatives or health-related benefits or services that may be of interest to you or your health care provider.
- Individuals Involved in Your Care or Payment for Your Care. HIPAA permits the Health Plans to disclose PHI to a family member, other relative, a close personal friend, or any other person identified by you if:
- you are present for, or otherwise available prior to the disclosure and we have either obtained your agreement to the disclosure, provided you the opportunity to object to the disclosure, or the Health Plans have reasonably inferred from the circumstances that you do not object to the disclosure;
- due to your incapacity or an emergency circumstance the Health Plans have determined that a disclosure is in your best interest - in such circumstances, the Health Plans will only disclose PHI that is directly relevant to the person's involvement with your health care.
- As Required By Law. The Health Plans may use and/or disclose your PHI if we are required to do so under any federal, state or local law.
- Public Health Risks. The Health Plans may use and/or disclose your PHI to authorized public health officials (or a foreign government agency collaborating with such officials) so such officials may carry out public health activities. For example, The Health Plans may disclose your PHI to public health officials for the following reasons:
- to prevent or control disease, injury or disability;
- to report vital events such as births and deaths;
- to report child abuse or neglect;
- to report quality, safety or effectiveness of FDA-regulated products or activities;
- to notify people of product recalls they may be using;
- to notify a person who may have been exposed to a communicable disease or may be at risk for contracting or spreading a disease or condition; or
- to your employer, in order to comply with employment laws.
- Victims of Abuse, Neglect, or Domestic Violence. The Health Plans may disclose your PHI to government authorities, including a social service or protective services agency, authorized by law to receive reports of abuse, neglect or domestic violence. For example, the Health Plans may report your PHI to government officials if it reasonably believes that you have been a victim of abuse, neglect or domestic violence. The Health Plans will make every effort to obtain your permission before releasing this information, however, in some cases the Health Plans may be required or authorized to act without your permission.
- Health Oversight Activities. The Health Plans may disclose your PHI to a health oversight agency for activities authorized by law. These agencies typically monitor the operation of the health care system, government benefits programs, and compliance with government regulatory programs. The oversight activities may include audits; civil, criminal, or administrative investigations or actions; inspections; and/or licensure or disciplinary actions.
- Lawsuits and Similar Proceedings. The Health Plans may use or disclose your PHI in response to a court or administrative order, if you are involved in a lawsuit or similar proceeding. The Health Plans may also disclose your PHI in response to a discovery request, subpoena, or other lawful process that is not accompanied by an order of a court or administrative tribunal, but only if we have first received satisfactory assurances from the party requesting the information that reasonable efforts have been made to inform you of the request, or if the Health Plans have received satisfactory assurances that efforts have been made by the party seeking the information to obtain a qualified protective order. A qualified protective order is an order of a court or an administrative tribunal or a stipulation by parties to the litigation that prohibits the parties from using or disclosing PHI for any purpose other than the litigation or proceeding. A qualified protective order will require the return of PHI to the Health Plans at the end of the litigation or proceeding.
- Law Enforcement Purposes. The Health Plans may disclose your PHI to law enforcement officials for the following reasons:
- in response to court orders, warrants, subpoenas, or summons or similar legal process;
- to assist law enforcement officials with identifying or locating a suspect, fugitive, material witness, or missing person;
- if you have been or are suspected of being a victim of a crime and you agree to the disclosure, or if we are unable to obtain your agreement because of incapacity or other emergency;
- if we suspect that a death resulted from criminal conduct;
- to report evidence of criminal conduct that occurred on our premises;
- in response to a medical emergency, to report a crime (including the location or victims of the crime; or the identity, description or location of the person who committed the crime).
- Coroners, Medical Examiners and Funeral Directors. The Health Plans may disclose your PHI to a coroner or medical examiner for the purpose of identifying a deceased person, determining cause of death, or other duties as authorized by law. The Health Plans may also release PHI to funeral directors as necessary to carry out their duties.
- Organ, Eye, or Tissue Donation Purposes. The Health Plans may use or disclose your PHI to organ procurement organizations or other entities engaged in the procurement, banking, or transplantation of organs, eyes, or ties for the purpose of facilitating donation and transplantation.
- Research. In most cases, the Health Plans will ask for your written authorization before using and/or disclosing your PHI to conduct research. However, in limited circumstances we may use and/or disclose PHI without authorization if: (i) the use or disclosure was approved by an Institutional Review Board or a Privacy Board; and (ii) we obtain representations from the researcher that the information is necessary for the research protocol, PHI will not be removed from our location, and the information will be used solely for research purposes; or (iii) the PHI sought by the researcher relates only to decedents and the researcher agrees that the use or disclosure is necessary for the research.
- Uses that Require Your Written Authorization.
- Any use or disclosure of any PHI for marketing purposes and disclosures that constitute the sale of PHI require your written authorization;
- Psychotherapy notes will only be used and disclosed with your written authorization;
- Any other uses and disclosures not specified in this Notice require your written authorization.
- To Avert Serious Threat to Health or Safety. The Health Plans may use or disclose your PHI when necessary to prevent or lessen a serious and imminent threat to your health or safety, or the health or safety of another person or the public. In such cases, the Health Plans will only share your PHI with a person or persons reasonably able to prevent or lessen the threat, including the target of the threat; or if it is necessary for law enforcement authorities to identify or apprehend an individual.
- Specialized Government Functions. The Health Plans may use and disclose PHI regarding:
- Military and veteran activities;
- Intelligence, counter-intelligence, and other national security activities authorized by law;
- Protective services for the President, to foreign heads of state, or to other persons authorized by law;
- Inmates to a correctional institution or a law enforcement official having lawful custody of an inmate or other individual.
- Workers' Compensation. The Health Plans may disclose your PHI for workers' compensation or other similar programs that provide benefits for work-related injuries or illnesses.
Except as otherwise indicated in this NPP, uses and disclosures for all other purposes will be made only with your written authorization. You may revoke an authorization at any time, provided that your revocation is done in writing, and except to the extent that the Health Plans have already relied upon your authorization.
YOUR RIGHTS REGARDING YOUR PHI
HIPAA provides you with the following rights regarding the PHI we maintain about you:
- Right to Inspect and Copy. You have the right to inspect and receive a copy of your PHI contained in a "designated record set" for as long as the Health Plan maintains the PHI in the designated record set, except for psychotherapy notes; information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding; and PHI maintained by the Health Plans that is subject to the Clinical Laboratory Improvements Amendments of 1988. If your PHI is in an electronic file, you may request an electronic copy of the record.
A "designated record set" is a group of records maintained by or for a health plan that is the enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or use in whole or in part, by or for the health plan to make decisions about individuals. To inspect or obtain a copy of your PHI contained in a designated record set, please submit a request in writing to the Office of Human Resources at Syracuse University, Skytop Office Building, Suite 101, 640 Skytop Road, Syracuse, New York 13244-5300. If you request a copy of your record set, we may charge a fee for the costs of copying, mailing or other supplies we use to fulfill your request. The standard fee is $0.75 per page and must generally be paid before or at the time we provide you with copies of your PHI.
The Health Plans will respond to your request for inspection of records within 10 days, and will respond to requests for copies within 30 days if the information is located within our facility and within 60 days if the information is located off-site at another facility. If the Health Plans needs additional time to respond to your request for copies, we will notify you in writing within the time frame above to explain the reason(s) for such delay and when you can expect to have a final answer to your request.
Under certain circumstances, the Health Plans may deny your request to inspect or obtain a copy of your PHI. If your request for inspection is denied, we will provide you with a written notice explaining our reasons for such denial, and will include a complete description of your rights to have the decision reviewed and how you can exercise those rights.
- Right to Amend. You have the right to request that the Health Plans amend your PHI or a record about you in a designated record set for as long as the information is kept by the Health Plans, if you feel that the PHI the Health Plans have about you is incorrect or incomplete. The Health Plans may deny your request for amendment if it determines that the PHI or record that is the subject of the request:
To request an amendment, your request must be made in writing and submitted to the Office of Human Resources at Syracuse University, Skytop Office Building, Suite 101, 640 Skytop Road, Syracuse, New York 13244-5300. In addition, your request should include the reasons(s) why you believe the Health Plans should amend your PHI.
- was not created by the Health Plans, unless you provide a reasonable basis to believe that the originator of the PHI is no longer available to act on the requested amendment;
- is not part of the designated record set;
- would not be available for your inspection under the Privacy Standards (as described in Right to Inspect and Copy Section, above); or
- is accurate and complete.
The Health Plans will respond to your request for amendment no later than 60 days after the receipt of your request. If the Health Plans need additional time to respond to your request, we will notify you in writing within 60 days to explain the reason(s) for the delay and the date by which it will complete your request.
If the Health Plans deny your request for an amendment it will provide you with a written notice of the denial that explains the reasons for doing so. You will have the right to submit a written statement disagreeing with the denial. You will also be informed of how to file a complaint with the Health Plans or with the Secretary of the DHHS. These procedures will be explained in greater detail in any written denial notice.
- Right to an Accounting of Disclosures. You have the right to request an "accounting of disclosures." An "accounting of disclosures" is a list of disclosures the Health Plans have made regarding your PHI. An accounting of disclosures will include all disclosures except the following:
The accounting of disclosures will be in a format that is consistent with the requirements of the Privacy Standards. To request an accounting of disclosures, you must submit your request in writing to the Office of Human Resources at Syracuse University, Skytop Office Building, Suite 101, 640 Skytop Road, Syracuse, New York 13244-5300. Your request must include a time period of requested disclosures, which may not be longer than six years and may not include dates before April 14, 2003. The first list you request within a 12-month period will be free. Additional lists within the same 12 month period will be assessed a charge for the costs of providing the list.
- Disclosures to carry out treatment, payment, and health care operations;
- Disclosures made to you;
- Disclosures made pursuant to your authorization;
- Disclosures made in a facility directory or to persons involved in your care;
- Disclosures for national security or intelligence purposes;
- Disclosures to correctional institutions or law enforcement officials; or
- Disclosures made before April 14, 2003.
The Health Plans will notify you of the cost involved, at which time you may choose to withdraw or modify your request before any costs are incurred. The Health Plans will respond to your request for an accounting of disclosures within 60 days from the receipt of such request. If the Health Plans need additional time to prepare the accounting, they will notify you in writing within 60 days about the reason for the delay and provide you with the date when you can expect to receive the accounting.
- Right to Receive Notifications of Breaches. You have the right to receive notifications of breaches of your unsecured PHI. You need not specifically request such notification; it will be provided to the extent required by the privacy rules.
- Right to Request Restrictions. You have the right to request a restriction or limitation on the PHI the Health Plans use or disclose about you for treatment, payment or health care operations. You also have the right to request a limit on the medical information that the Health Plans disclose about you to someone who is involved in your care, like a family member, relative, friend, or other person(s) identified by you.
The Health Plans are not required to agree to your request for restriction. If the Health Plans do agree to a requested restriction, the Health Plans may not use or disclose PHI in violation of such restriction, unless the information is needed to provide you with emergency care or treatment, or as otherwise required by law. Under certain circumstances, the Health Plans may terminate its agreement to a restriction.
To request restrictions, you must make your request in writing to the Office of Human Resources at Syracuse University, Skytop Office Building, Suite 101, 640 Skytop Road, Syracuse, New York 13244-5300. In your request, you must tell us (1) what information you want to limit; (2) whether you want to limit our use, disclosure or both; and (3) to whom you want the limits to apply, for example, disclosures to your spouse.
- Right to Request Confidential Communications. You have the right to receive a paper copy of this NPP at any time. Even if you have agreed to receive this NPP electronically, you are still entitled to a paper copy of this NPP. To obtain a paper copy of this NPP please contact the Office of Human Resources at Syracuse University at 315.443.4042.
The Health Plans will not ask you the reason for your request, and will accommodate all reasonable requests. Your request must specify how or where you wish to be contacted, and how payment for your health care will be handled if we communicate with you through this alternative method or location. To request confidential communications, you must make your request in writing to the Office of Human Resources at Syracuse University, Skytop Office Building, Suite 101, 640 Skytop Road, Syracuse, New York 13244-5300.
- Right to Receive a Paper Copy of This NPP. You have the right to receive a paper copy of this NPP at any time. Even if you have agreed to receive this NPP electronically, you are still entitled to a paper copy of this NPP. To obtain a paper copy of this NPP please contact the Office of Human Resources at Syracuse University at (315) 443-4042.
If you believe your privacy rights have been violated, you may file a complaint with the Privacy Official at the Office of Human Resources at Syracuse University, with Syracuse University's Privacy Officer, and/or with the Secretary of the DHHS. To file a complaint with the Privacy Official at the Office of Human Resources at Syracuse University, please submit a written complaint to Privacy Official, Office of Human Resources at Syracuse University, Skytop Office Building, Suite 101, 640 Skytop Road, Syracuse, New York 13244-5300. To file a complaint with Syracuse University's Privacy Officer, please submit a written complaint to Privacy Officer, Office of Risk Management and Regulatory Compliance Services, 119 Euclid Avenue, Syracuse, New York 13244. The Health Plans will not retaliate against you for filing a complaint with a Privacy Official of Syracuse University, or with Secretary of the DHHS.
If you have any questions about this Notice of Privacy Practices or subjects addressed in it, please contact: Privacy Official Office of Human Resources at Syracuse University, Skytop Office Building, Suite 101, 640 Skytop Road, Syracuse, New York 13244-5300 315.443.5462.
Date: April 2003
© 1995 - 2008 Syracuse University, Syracuse, NY 13244 (315) 443-1870
For technical assistance contact firstname.lastname@example.org