Employee HIPAA Privacy Policy
The purpose of this policy is to establish appropriate guidelines in handling private health care information covered by the Health Insurance Portability and Accountability Act (HIPAA).
Policy Statement
Federal regulations, known as the Health Insurance Portability and Accountability Act (HIPAA) privacy law, generally prohibit the use and disclosure of health information without written permission from the patient.
Reason for Policy
The purpose of this policy is to establish appropriate guidelines in handling private health care information covered by the Health Insurance Portability and Accountability Act (HIPAA).
Who Is Governed by this Policy
Faculty and Staff
Policy
Use and Disclosure of Health Information
The Adelphi University Health and Welfare Plan (“the Health Plan”) and for purposes of this HIPAA Privacy Policies and Procedures, the Health Care Flexible Spending account may use your health information, that is, information that constitutes protected health information as defined in the Privacy Rule of the Administrative Simplification provision of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), for purposes of making or obtaining payment for your care and conducting health care operations. The Health Plan has established a policy to guard against unnecessary disclosure of your health information. The Health Plan includes Cigna Health plan and the Health Care Flexible Spending account.
The following is a summary of the circumstances under which and purposes for which your health information may be used and disclosed:
To Make or Obtain Payment
The Health Plan may use or disclose your health information to make payment to or collect payment from third parties, such as other health plans or providers, for the care you receive. For example, the Health Plan may provide information regarding your coverage or health care treatment to other health plans to coordinate payment of benefits.
To Conduct Health Care Operations
The Health Plan may use or disclose health information for its own operations to facilitate the administration of the Health Plan and as necessary to provide coverage and services to all of the Health Plan’s participants. Health care operations includes such activities as:
- Quality assessment and improvement activities.
- Activities designed to improve health or reduce health care costs.
- Clinical guideline and protocol development, case management and care coordination.
- Contacting health care providers and participants with information about treatment alternatives and other related functions.
- Health care professional competence or qualifications review and performance evaluation.
- Accreditation, certification, licensing or credentialing activities.
- Underwriting, premium rating or related functions to create, renew or replace health insurance or health benefits.
- Review and auditing, including compliance reviews, medical reviews, legal services and compliance programs.
- Business planning and development including cost management and planning related analyses and formulary development.
- Business management and general administrative activities of the Health Plan, including customer service and resolution of internal grievances.
For example, the Health Plan may use your health information to conduct case management, quality improvement and utilization review, and provider credentialing activities or to engage in customer service and grievance resolution activities.
For Treatment Alternatives
The Health Plan may use and disclose your health information to tell you about or recommend possible treatment options or alternatives that may be of interest to you.
For Distribution of Health-Related Benefits and Services
The Health Plan may use or disclose your health information to provide to you information on health-related benefits and services that may be of interest to you.
To Individuals Involved in Your Care or Payment for Your Care
The Health Plan may release medical information about you to a friend or family member who is involved in your medical care. The Health Plan may also give information to someone who helps pay for your care. In addition, the Health Plan may disclose medical information about you to an entity assisting in a disaster relief effort so that your family can be notified about your condition, status, and location.
For Disclosure to the Plan Sponsor
The Health Plan may disclose your health information to the plan sponsor for plan administration functions performed by the plan sponsor on behalf of the Health Plan. In addition, the Health Plan may provide summary health information to the plan sponsor so that the plan sponsor may solicit premium bids from health insurers or modify, amend or terminate the plan. The Health Plan also may disclose to the plan sponsor information on whether you are participating in the Health Plan.
When Legally Required
The Health Plan will disclose your health information when it is required to do so by any federal, state or local law.
To Conduct Health Oversight Activities
The Health Plan may disclose your health information to a health oversight agency for authorized activities including audits, civil administrative or criminal investigations, inspections, licensure or disciplinary action. The Health Plan, however, may not disclose your health information if you are the subject of an investigation and the investigation does not arise out of or is not directly related to your receipt of health care or public benefits.
In Connection With Judicial and Administrative Proceedings
As permitted or required by state law, the Health Plan may disclose your health information in the course of any judicial or administrative proceeding in response to an order of a court or administrative tribunal as expressly authorized by such order or in response to a subpoena, discovery request or other lawful process, but only when the Health Plan makes reasonable efforts to either notify you about the request or to obtain an order protecting your health information.
For Law Enforcement Purposes
As permitted or required by state law, the Health Plan may disclose your health information to a law enforcement official for certain law enforcement purposes, including, but not limited to, if the Health Plan has a suspicion that your death was the result of criminal conduct or in an emergency to report a crime.
In the Event of a Serious Threat to Health or Safety
The Health Plan may, consistent with applicable law and ethical standards of conduct, disclose your health information if the Health Plan, in good faith, believes that such disclosure is necessary to prevent or lessen a serious and imminent threat to your health or safety or to the health and safety of the public.
For Specified Government Functions
In certain circumstances, federal regulations require the Health Plan to use or disclose your health information to facilitate specified government functions related to the military and veterans, national security and intelligence activities, protective services for the president and others, and correctional institutions and inmates.
For Workers’ Compensation
The Health Plan may release your health information to the extent necessary to comply with laws related to workers’ compensation or similar programs.
Authorization to Use or Disclose Health Information
Other than as stated above, the Health Plan will not disclose your health information other than with your written authorization. If you authorize the Health Plan to use or disclose your health information, you may revoke that authorization in writing at any time.
Your Rights With Respect to Your Health Information
You have the following rights regarding your health information that the Health Plan maintains:
Right to Request Restrictions
You may request restrictions on certain uses and disclosures of your health information. You have the right to request a limit on the Health Plan’s disclosure of your health information to someone involved in the payment of your care. However, the Health Plan is not required to agree to your request. If you wish to make a request for restrictions, please make your request in writing to the Privacy Officer.
Right to Receive Confidential Communications
You have the right to request that the Health Plan communicate with you in a certain way if you feel the disclosure of your health information could endanger you. For example, you may ask that the Health Plan only communicate with you at a certain telephone number or by email. If you wish to receive confidential communications, please make your request in writing to the Privacy Officer. The Health Plan will attempt to honor your reasonable requests for confidential communications.
Right to Inspect and Copy Your Health Information
You have the right to inspect and copy your health information. A request to inspect and copy records containing your health information must be made in writing to the Privacy Officer. If you request a copy of your health information, the Health Plan may charge a reasonable fee for copying, assembling costs and postage, if applicable, associated with your request.
Right to Amend Your Health Information
If you believe that your health information records are inaccurate or incomplete, you may request that the Health Plan amend the records. That request may be made as long as the information is maintained by the Health Plan. A request for an amendment of records must be made in writing to the Privacy Officer. The Health Plan may deny the request if it does not include a reason to support the amendment. The request also may be denied if your health information records were not created by the Health Plan, if the health information you are requesting to amend is not part of the Health Plan’s records, if the health information you wish to amend falls within an exception to the health information you are permitted to inspect and copy, or if the Health Plan determines the records containing your health information are accurate and complete.
Right to an Accounting
You have the right to request a list of certain disclosures of your health information that the Health Plan is required to keep a record of under the Privacy Rule, such as disclosures for public purposes authorized by law or disclosures that are not in accordance with the Plan’s privacy policies and applicable law. The request must be made in writing to the Privacy Officer. The request should specify the time period for which you are requesting the information, but may not start earlier than April 14, 2003. Accounting requests may not be made for periods of time going back more than six (6) years. The Health Plan will provide the first accounting you request during any 12-month period without charge. Subsequent accounting requests may be subject to a reasonable cost-based fee. The Health Plan will inform you in advance of the fee, if applicable.
Right to a Paper Copy of this Notice
You have a right to request and receive a paper copy of this Notice at any time, even if you have received this Notice previously or agreed to receive the Notice electronically. To obtain a paper copy, please contact the Privacy Officer.
Duties of the Health Plan
The Health Plan is required by law to maintain the privacy of your health information as set forth in this Notice and to provide to you this Notice of its duties and privacy practices. The Health Plan is required to abide by the terms of this Notice, which may be amended from time to time. The Health Plan reserves the right to change the terms of this Notice and to make the new Notice provisions effective for all health information that it maintains. If the Health Plan changes its policies and procedures, the Health Plan will revise the Notice and will provide a copy of the revised Notice to you within 60 days of the change. You have the right to express complaints to the Health Plan and to the Secretary of the Department of Health and Human Services if you believe that your privacy rights have been violated. Any complaints to the Health Plan should be made in writing to the Health Plan’s Privacy Officer. The Health Plan encourages you to express any concerns you may have regarding the privacy of your information. You will not be retaliated against in any way for filing a complaint.
Definitions
Business Associate means a person or entity who, on behalf of a group health plan (i) performs or assists in the performance of a function or activity involving the use or disclosure of Protected Health Information (“PHI”) (including claims processing or administrative instruction or data analysis) or (ii) provides legal, actuarial, accounting, consulting, data aggregation, management, accreditation or financial services, where the performance of such services gives the service provider access to PHI. A Business Associate is not a member of a group health plan’s workforce.
Business Associate Contract (BAC) means a written agreement between the Business Associate and a group health plan that provides reasonable assurance to the group health plan that the Business Associate will safeguard the Protected Health Information of the group health plan’s participants.
Designated Record Set means a group of records maintained by or for a group health plan that includes: (i) the enrollment, payment and claims adjudication records of a participant maintained by or for a group health plan; or (ii) other Protected Health Information used by or for a group health plan to make coverage decisions about a participant.
Disclosure means, with respect to Protected Health Information, any release, transfer, provision, access to, or divulging in any manner of information to persons not employed by or working within or for a group health plan.
Health Care Operations means any of the following activities to the extent that they are related to group health plan administration: conducting quality assessment and improvement activities; reviewing flexible spending accounts; conducting or arranging for legal services and auditing functions; business planning and development; and business management and general administrative activities.
HIPAA Tracking Log means the log maintained by Adelphi University for tracking of all HIPAA disclosures, complaints, training and training related activities.
Participant means an individual that is enrolled in applicable portions of the self-insured benefits of Adelphi University
Payment includes activities undertaken to obtain a group health plans contributions or to determine or fulfill a group health plan’s responsibility for provision of benefits under a group health plan, or to obtain reimbursement of health care.
Protected Health Information (“PHI”) means individually identifiable information that: (i) is created or received by a group health plan relating to the past, present, or future physical or mental health condition of a participant, provision of health care to a participant, or the past, present or future payment of health care provided to a participant; and (ii) identifies the participant or for which there is a reasonable basis to believe the information can be used to identify the participant. Protected Health Information includes information of persons living or deceased. Protected Health Information does not include employment records held by the employer.
Use means with respect to individually identifiable health information, the sharing, employment, application, utilization, examination, or analysis of such information within an entity that maintains such information.
Procedures
Procedure for Authorized Access of PHI
If you are authorized to perform a Plan function, you may use or disclose PHI if the function relates to the Payment or Health Care Operations of the Plan if such action is necessary to the performance of that function.
If you perform services that relate to both the health care flexible spending accounts and the other non-health benefits provided by Adelphi University , you must not use PHI to perform payment or operation activities for those non-health benefits unless a valid authorization to do so by the Participant is received.
If while performing your functions for the non-health benefits, you believe that you require a Participant’s PHI, you must first contact the Privacy Officer to verify that a signed authorization from the Participant permitting us to use PHI has been obtained.
The Plan has in place appropriate safeguards to protect the privacy of the PHI.
If you have any uncertainty as to whether you are performing a service that classifies as a Payment or Health Care Operation, contact the Privacy Officer.
Forms
This policy does not have forms associated with it at this time. Upon periodic policy review this area will be evaluated to determine if additional information is needed to supplement the policy.
Related Information
Authorized Access To Participant PHI
We have examined our workforce to identify those persons or classes of persons who require access to PHI to perform Plan functions. The classes of persons and their responsibilities with respect to the Plan are set forth below.
Human Resources Department
The Human Resources Department has the primary responsibility of oversight and administration of the health care flexible spending accounts. The Human Resources Department may use PHI to perform the following activities:
Process enrollment forms
Process claims for payment
Process appeals
Assist with appeals determinations
Legal Counsel
A designated attorney may assist with the review of Participant claim questions, respond to subpoenas, governmental and regulatory body requests, and court orders or litigation related requests. In performing these functions, the attorney may have access to PHI.
Members of the Controller’s team may assist in the administration of the health care flexible spending accounts and therefore may have access to PHI.
Document History
- Policy Origination Date: November 1, 2012
- Last Reviewed Date: April 22, 2024
- Policy Reviewed by: Policy Owner and Policy Experts
- Last Approved Date: April 22, 2024
Who Approved This Policy
Executive Leadership
Policy Owner
-
Contact
-
Levermore Hall 203
Policy Experts
-
Contact
-
516.877.4970
-
Levermore Hall 203H