HIPAA NOTICE OF PRIVACY PRACTICES
THIS DOCUMENT IS REQUIRED BY FEDERAL LAW. IT DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU ACCESS THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
Your employer, as the sponsor of a group health plan administered by Redwood Health Services (RHS), is required by law to take steps to ensure the privacy of your personally identifiable health information and to provide you with this Notice of Privacy Practices (“Privacy Notice”). This Privacy Notice is provided to you as a covered person under the health coverage that is provided by your employer (for purposes of this Privacy Notice, referred to as the “Health Plan”).
A federal law, known as the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), requires the Health Plan to maintain the privacy of your protected health information (“PHI”). PHI encompasses substantially all “individually identifiable health information” which is transmitted or maintained by the Health Plan, regardless of its form. PHI includes medical information relating to your physical or mental health or condition, the provision of health care to you, or the payment for health care provided to you. However, PHI does not include all health information that may be maintained by your employer or its benefit plans. For example, PHI does not include health information that is used or maintained by your employer’s non-health benefit plans, such as life insurance, accidental death and dismemberment (AD&D) and short and long term disability benefits. PHI also does not include any health information that was obtained by your employer in its capacity as an employer (e.g., through an FMLA or leave of absence request). If health information is not PHI, then the health information is not protected by HIPAA and is not covered by this Privacy Notice.
RHS and the Health Plan understand that your PHI is personal and private, and both are committed to maintaining the privacy of your PHI. This Privacy Notice summarizes the Health Plan’s and RHS’ privacy practices and those of any third party that assists in the administration of the Health Plan. In particular, this Privacy Notice describes the ways in which the Health Plan may use or disclose your PHI. It also describes the Health Plan’s obligations to you and your individual rights regarding the use and disclosure of your PHI. HIPAA requires the Health Plan to provide this Privacy Notice to you and to comply with its terms.
Please note you may also receive a separate Notice of Privacy Practices from your primary health insurance carrier with respect to the privacy practices of the insurer. This Privacy Notice does not cover benefits that are fully insured or provided through an HMO.
Use and Disclosure of your Health Information
The following categories describe different ways that the Health Plan uses and discloses your health information. For each category, the Privacy Notice will outline the uses or disclosures included in the category, but not every use or disclosure within a category can be listed.
For Treatment. The Health Plan may use and disclose your PHI to provide, coordinate or manage your health care treatment and any related services provided to you by health care providers. This includes the coordination or management of your health care by a health care provider. For example, the Health Plan may use and disclose your PHI in order to describe or recommend treatment alternatives to you or to provide information about health-related benefits and services that may be of interest to you.
For Payment. The Health Plan may use and disclose your PHI to make coverage determinations and provide payment for health care services you have received. These activities include determining your eligibility for benefits under the Health Plan (including coordination of benefits or the determination of cost sharing amounts); processing your claims for benefits under the Health Plan; resolving subrogation rights under the Health Plan; billing, claims management and collection activities; obtaining payment under stop-loss and excess-loss insurance policies; reviewing health care services you receive for Health Plan coverage, medical necessity and appropriateness; and conducting utilization review activities (including precertification, preauthorization, concurrent review and retrospective review activities). For example, the Health Plan may disclose your health information to a third party (for instance, a medical reviewer) when necessary to resolve the payment of a claim for health care services that have been provided to you.
For Health Care Operations. The Health Plan may use and disclose your PHI for administration and operations, including quality assessment and quality improvement activities; underwriting, premium rating and other activities relating to the creation, renewal or replacement of a health insurance or health benefits contract or a stop-loss or excess-loss insurance contract; conducting or arranging for medical assessments, legal services and auditing functions (including fraud and abuse detection and compliance programs), and other general administrative activities such as customer service and HIPAA compliance. For example, the Health Plan may disclose your health information to potential health insurance carriers in order to obtain a premium bid from the carrier.
Disclosure of your Health Information in Special Situations
Outlined below are situations in which the Health Plan may disclose your PHI without your authorization.
Disclosure to You or Your Personal Representative. The Health Plan may disclose your PHI to you or your personal representative.
Disclosure to the Employer. The Health Plan, or an insurer of benefits provided under the Health Plan, may disclose your PHI without your written authorization to your employer for plan administration purposes. The employer agrees not to use or disclose your health information other than as permitted or required by the plan document(s) for the Health Plan and by applicable law. In particular, your health information that is PHI will not be used for employment decisions.
Public Health Activities. The Health Plan may use or disclose your PHI for public health activities. Permitted disclosures include:
- Disclosure to a person subject to the jurisdiction of the Food and Drug Administration (“FDA”) in connection with activities related to the quality, safety or effectiveness of FDA-regulated products.
- Disclosure to report births and deaths.
- Disclosure to report reactions to medications, problems with health-related products or to notify a person of recalls of medications or products the person may be using.
- Disclosure to a public health authority for the purpose of controlling disease or injury or to report child abuse or neglect.
- Disclosure, if authorized by law, to a person who may have been exposed to or be at risk of contracting a communicable disease.
Abuse or Neglect. The Health Plan may disclose your PHI to an appropriate government authority that is authorized by law to receive reports of child abuse, neglect or domestic violence, including a social services or protective services agency, if the Health Plan reasonably believes you to be a victim of abuse, neglect or domestic violence. However, the Health Plan will only disclose your PHI in these situations, if (1) the disclosure is required by law; (2) you agree to the disclosure; or (3) the Health Plan reasonably believes that the disclosure is necessary to prevent harm to you or other potential victims. The Health Plan will notify you of a disclosure for abuse or neglect purposes if doing so will not place you at further risk.
Health Oversight Activities. The Health Plan may disclose your PHI to a health oversight agency for certain activities authorized by law including audits; civil, administrative, or criminal investigations; inspections; licensure or other activities necessary for appropriate oversight of the health care system.
Judicial and Administrative Proceedings. In certain limited situations, the Health Plan may disclose your PHI in response to a valid court or administrative order. The Health Plan may also disclose your PHI in response to a subpoena, discovery request or other lawful process, but only if the Health Plan receives satisfactory assurances that the party seeking the information has tried to inform you of the request or to obtain a qualifying protective order to safeguard the information requested.
Required by Law. The Health Plan will disclose your PHI where required to do so by federal, state or local law. The Health Plan may also disclose your PHI to the Department of Health and Human Services regarding HIPAA compliance matters.
Coroners, Medical Examiners and Funeral Directors. The Health Plan may disclose your PHI to a coroner or medical examiner for identification purposes, for determining cause of death or for the coroner or medical examiner to perform other duties authorized by law. The Health Plan may also disclose PHI to a funeral director, as necessary to allow the funeral director to carry out his or her duties.
Organ and Tissue Donation. If you are an organ donor, the Health Plan may disclose your PHI as necessary to facilitate organ or tissue donation, including transplantation.
Research. The Health Plan may disclose your PHI to researchers without your authorization if their research has been approved by an institutional review board or privacy board that has reviewed the research proposal and established protocols to ensure the privacy of your PHI and the researchers have provided certain necessary representations regarding the research.
Serious Threat to Health or Safety. The Health Plan may disclose your PHI, consistent with applicable law and standards of ethical conduct, if necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public in general or, in certain cases, when the information is necessary for law enforcement authorities to identify or apprehend an individual.
Military Activity and National Security. When the appropriate conditions apply and if you are a member of the Armed Forces, the Health Plan may disclose your PHI (1) for activities deemed necessary by appropriate military command authorities, (2) for the purpose of a determination by the Department of Veterans Affairs of your eligibility for benefits, or (3) to a foreign military authority if you are a member of that foreign military service. The Health Plan may also disclose your PHI to authorized federal officials for conducting national security and intelligence activities for the conduct of lawful intelligence, counter-intelligence and national security activities. The Health Plan may also disclose PHI to authorized federal officials for the provision of protective services to the President or others that are authorized by law.
Inmates. If you are an inmate of a correctional institution or in the custody of a law enforcement official, the Health Plan may disclose your PHI to the institution or official if the information is necessary for (1) the provision of health care to you, (2) your health and safety or the health and safety of other inmates, the officers, employees, or others at the correctional institution, (3) law enforcement on the premises of the correctional institution, or (4) the safety and security of the correctional institution.
Workers’ Compensation. The Health Plan may disclose your PHI as necessary to comply with workers’ compensation laws and other similar legally established programs that provide benefits for work-related injuries or illness without regard to fault.
Law Enforcement Purposes. The Health Plan may disclose your PHI, in certain situations, to law enforcement officials, including: (1) when directed by a court order, subpoena, warrant, summons or similar process; (2) if necessary to identify or locate a suspect, fugitive, material witness or missing person; and (3) if necessary to report information about the victim of a crime in limited circumstances where the victim is unable to provide consent.
Other Uses and Disclosures of Health Information
In order to use or disclose your PHI for any reason other than those described in this Privacy Notice, the Health Plan must obtain your written authorization. If you sign an authorization form, you may revoke your authorization by submitting a request in writing. If you revoke your authorization, the Health Plan will no longer use or disclose your PHI for the reasons covered by the authorization. However, the Health Plan is unable to retract or invalidate any uses or disclosures that were already made with your permission prior to your revocation of the authorization.
Your Rights Regarding your Health Information
You have several important rights with regard to your PHI, which are summarized below. Please contact your employer or RHS to exercise any of these rights. (Please see the last page of this Privacy Notice for appropriate contact information.)
Right to Inspect and Copy. With certain exceptions described below, you have the right to inspect and copy your PHI if it is part of a “designated record set” or “DRS.” The DRS is the group of records maintained by or on behalf of the Health Plan and contained in the enrollment, payment, claims adjudication, and case or medical management record systems of the Health Plan, and any other records which are used by the Health Plan to make decisions about individuals. This right does not extend to psychotherapy notes, information gathered for certain civil, criminal or administrative proceedings, and information maintained by the employer that duplicates information maintained by the Health Plan’s third-party administrator in its DRS. If you request a copy of your PHI contained in a DRS, the Health Plan may charge you a reasonable, cost-based fee for the expense of copying, mailing and/or other supplies associated with your request. To inspect and obtain a copy of your PHI that is part of a DRS, you must submit your request in writing. In most cases, you must use a specific form, which you can request directly from the health carrier or vendor.
If you exercise your right to access your PHI, the Health Plan will respond to your request within 30 days, unless the information is stored off-site, in which case the Health Plan will respond to your request within 60 days. If the Health Plan is unable to respond within these time periods, it may have a one-time 30-day extension by providing you with a written explanation for the delay and the date by which it will respond to your request.
The Health Plan may deny your request to inspect and copy your PHI in certain limited situations. If you are denied access to your PHI, you will be notified in writing. The notice of denial will include the basis for the denial, and a description of any appeal rights you may have and the right to file a complaint with the Health Plan or with the Department of Health and Human Services. If the Health Plan does not maintain the PHI that you are seeking but knows where it is maintained, the Health Plan will notify you of where to direct your request.
Right to Amend. If you believe that your PHI in a Designated Record Set is incorrect or incomplete, you may request that the Health Plan amend the PHI. Any such request must be made in writing and must include a reason that supports your requested amendment. In most cases, you must use a specific form, which you can request directly from the health carrier or vendor. The Health Plan must respond to your request within 60 days. If the Health Plan is not able to respond within this 60-day period, it may have a one-time 30-day extension by providing you with a written explanation for the delay and the date by which it will respond to your request.
In limited situations, the Health Plan may deny your request to amend your PHI. For example, the Health Plan may deny your request if (1) the PHI was not created by the Health Plan (unless the person who created the information is no longer available to make the amendment); (2) the Health Plan determines the information to be accurate or complete; (3) the information is not part of the DRS; or (4) the information is not part of the information which you would be permitted to inspect and copy, such as psychotherapy notes. If your request is denied, you will be notified in writing. The notice of denial will include the basis for the denial, and a description of your right to submit a statement of disagreement and the right to file a complaint with the Health Plan or with the Department of Health and Human Services.
Right to an Accounting of Disclosures. You have the right to request an accounting of certain types of disclosures of your PHI made by the Health Plan during a specified period of time. You do not have the right to request an accounting of all disclosures of your PHI. For example, you do not have the right to receive an accounting of (1) disclosures for purposes of Treatment, Payment or Health Care Operations; (2) disclosures to you or your personal representative regarding your own PHI; (3) disclosures pursuant to an authorization; or (4) disclosures prior to April 14, 2003.
Your request must indicate the time period for which you are seeking the accounting, such as a single month, six months or two calendar years. This time period may not be longer than six  years and may not include any disclosures of PHI made before April 14, 2003. The Health Plan must respond to your request within 60 days. If the Health Plan is not able to respond within this 60-day period, it may have a one-time 30-day extension by providing you with a written explanation for the delay and the date by which it will respond to your request.
The Health Plan will provide the first accounting you request in any 12-month period free of charge. The Health Plan may impose a reasonable, cost-based fee for each subsequent accounting request within the same 12-month period. The Health Plan will notify you in advance of the fee and provide you with an opportunity to withdraw or modify your request.
Right to Request Restrictions. You have the right to request a restriction or limitation on the PHI that the Health Plan uses or discloses about you in certain situations. However, the Health Plan is not required to agree to your request. The Health Plan has determined that approving these requests would generally interfere with the resolution of benefit claims and, therefore, a restriction request will only be approved in special and compelling circumstances in the sole discretion of the Health Plan.
Right to Request Confidential Communications. You have the right to request that the Health Plan communicate with you about health matters in a specific manner or specific location. To request confidential communications, you must make your request in writing and must specify how and/or where you wish to be contacted, for example, by mailings to a post office box. In most cases, you must use a specific form, which you can request directly from the health carrier or vendor. The Health Plan will consider all reasonable requests.
Right to a Paper Copy of this Notice. You have the right to request a paper copy of this Privacy Notice, even if you previously received this Privacy Notice electronically. Any such request should be submitted using the contact information below.
Personal Representatives. You may exercise your rights though a personal representative. The representative must produce appropriate evidence of his or her authority to act on your behalf. Examples of acceptable authority include (1) a power of attorney, notarized by a notary public, (2) a court order of appointment as conservator or guardian and (3) a parent of an unemancipated minor. The Health Plan may deny access to PHI to a personal representative, including a parent of an unemancipated minor, if the denial is in the best interest of the individual.
Changes to this Privacy Notice
The Health Plan reserves the right to change, at any time, its privacy practices and this Privacy Notice. If this Privacy Notice is revised, a revised copy of the Privacy Notice will be delivered to you, within 60 days of the revision. The revised Privacy Notice will be effective for all PHI that the Health Plan maintains at the time of the revision as well as PHI the Health Plan receives in the future.
If you believe your privacy rights have been violated, you may submit a complaint to the Health Plan or the Secretary of the Department of Health and Human Services. Your employer or RHS will not retaliate against you for filing a complaint with the Health Plan or with the Department of Health and Human Services.
To submit a complaint to the Health Plan, you must submit the complaint in writing using the contact information below. To submit a complaint to the Department of Health and Human Services, you must contact the Office for Civil Rights of the Department of Health and Human Services, Hubert H. Humphrey Building, 200 Independence Avenue, SW, Washington, DC 20201. Further information is also available on the Office’s website at www.hhs.gov/ocr/hipaa/.
If you have any questions about this Privacy Notice or would like to submit a complaint to the Health Plan, please contact your employer or RHS. RHS may be contacted at 3510 Unocal Pl. #108, Santa Rosa, CA 95403 or 1-800-548-7677.
If you would like to exercise any of your rights concerning your health information (such as your right to request access to your health information), you should contact your health carrier or vendor directly. For example, if your request concerns health information maintained by RHS, you should contact RHS using the above contact information.