Privacy Notice
This notice describes how medical information about employees may be used and disclosed and how you may get access to this information. Please review it carefully.
Effective Date of Notice: January 1, 2004
Your Employer sponsored Flexible Benefit Plan is required by law to take reasonable steps to ensure the privacy of your personally identifiable health information and to inform you about:
- The Plan’s uses and disclosure of Protected Health Information (PHI)
- Your privacy rights with respect to your PHI
- The Plan’s duties with respect to your PHI
- Your right to file a complaint with the Plan and to the Secretary of the US Department of Health and Human Services
- The person or office to contact for further information about the Plan’s privacy practices
The term "Protected Health Information" (PHI) includes all individually identifiable health information transmitted or maintained by the Plan, regardless of form (oral, written, electronic).
Section 1: Notice of PHI Uses and Disclosures
Required PHI Uses and Disclosures
Upon your request, the Plan is required to give you access to certain PHI in order to inspect and copy it.
Use and disclosure of your PHI may be required by the Secretary of the Department of Health and Human Services to investigate or determine the Plan’s compliance with the privacy regulations.
Uses and Disclosure to Carry Out Treatment, Payment and Health Care Operations
The Plan and its business associates will use PHI without your consent, authorization or opportunity to agree or object to carry out treatment, payment and health care operations. The Plan also will disclose PHI to the Plan Sponsor for purposes related to treatment, payment and health care operations. The Plan Sponsor has amended its plan document to protect your PHI as required by federal law.
Treatment is the provision, coordination or management of health care and related services. It also includes but is not limited to consultations and referrals between one or more of your providers.
For example, the Plan may disclose to a treating cardiologist the name of your treating family practice physician so the cardiologist may ask for your medical records from the treating family practice physician.
Payment includes but is not limited to actions to make coverage determinations and payment including billing, claims management, subrogation, plan reimbursement, review for medical necessity and appropriateness of care and utilization review and pre-authorizations.
For example, the Plan may tell a doctor whether you are eligible for coverage or what percentage of the bill will be paid by the Plan.
Health Care Operations include but are not limited to quality assessment and improvement, reviewing competence or qualification of health care professionals, underwriting, premium rating and other insurance activities relating to creating or renewing insurance contracts. It also includes disease management, case management, conducting or arranging for medical review, legal services and auditing functions including fraud and abuse compliance programs, business planning and development, business management and general administrative activities.
For example, the Plan may use information about your claims to refer you to a disease management program, project future benefit costs or audit the accuracy of its claim processing functions.
Uses and Disclosures that Require Your Written Authorization
Your written authorization generally will be obtained before the Plan will use or disclose psychotherapy notes about you from your psychotherapist. Psychotherapy notes are separately filed notes about your conversations with your mental health professional during a counseling session. They do not include summary information about your mental health treatment. The Plan may use and disclose such notes when needed by the Plan to defend against litigation filed by you.
Uses and Disclosures that Require You be Given an Opportunity to Agree or Disagree Prior to Use or Release Disclosure of your PHI to family members, other relatives and your close personal friends is allowed if:
- the information is directly relevant to the family or friend’s involvement with your care or payment for that care
- you have either agreed to the disclosure or have been given an opportunity to object and have not objected.
Uses and Disclosures for Which Consent, Authorization or Opportunity to Object is Not Required
Use and disclosure of your PHI is allowed without your consent, authorization or request under the following circumstances:
- When required by law.
- When permitted for purposes of public health activities, including when necessary to report product defects, to permit product recalls and to conduct post-marketing surveillance. PHI may also be used or disclosed if you have been exposed to a communicable disease or are at risk of spreading a disease or condition, if authorized by law.
- When authorized by law to report information about abuse, neglect or domestic violence to public authorities if there exists a reasonable belief that you may be a victim of abuse, neglect or domestic violence. In such case, the Plan will promptly inform you that such a disclosure has been or will be made unless that notice would cause a risk of serious harm. For the purpose of reporting child abuse or neglect, it is not necessary to inform the minor that such a disclosure has been or will be made. Disclosure may generally be made to the minor’s parents or other representatives although there may be circumstances under federal or state law when the parents or other representatives may not be given access to the minor’s PHI.
- The Plan may disclose your PHI to a public health oversight agency for oversight activities authorized by law. This includes uses or disclosures in civil, administrative or criminal investigations; inspections; licensure or disciplinary actions (for example, to investigate complaints against providers); and other activities necessary for appropriate oversight of government benefit programs (for example, to investigate Medicare or Medicaid fraud).
- The Plan may disclose your PHI when required for judicial or administrative proceedings. For example, your PHI may be disclosed in response to a subpoena or discovery request provided certain conditions are met. One of those conditions is that satisfactory assurances must be given to the Plan that the requesting party has made a good faith attempt to provide written notice to you and the notice provided sufficient information about the proceeding to permit you to raise an objection and no objections were raised or were resolved in favor of disclosure by the court or tribunal.
- When required for law enforcement purposes (for example, to report certain types of wounds).
- For law enforcement purposes, including for the purpose of identifying or locating a suspect, fugitive, material witness or missing person. Also, when disclosing information about an individual who is or is suspected to b e a victim of a crime but only if the individual agrees to the disclosure or the covered entity is unable to obtain the individual’s agreement because of emergency circumstances. Furthermore, the law enforcement official must represent that the information is not intended to be used against the individual, the immediate law enforcement activity would be materially and adversely affected by waiting to obtain the individual’s agreement and disclosure is in the best interest of the individual as determined by the exercise of the Plan’s best judgment.
- When required to be given to a coroner or medical examiner for the purpose of identifying a deceased person, determining a cause of death or other duties as authorized by law. Also, disclosure is permitted to funeral directors, consistent with applicable law, as necessary to carry our their duties with respect to the decedent.
- The Plan may use or disclose PHI for research, subject to conditions.
- When consistent with applicable law and standards of ethical conduct if the Plan, in good faith, believes the use or disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public and the disclosure is to a person reasonably able to prevent or lessen the threat, including the target of the threat.
- When authorized by and to the extent necessary to comply with workers’ compensation or other similar programs established by law.
- Except as otherwise indicated in this notice, uses and disclosures will be made only with your written authorization subject to your right to revoke such authorization.
Section 2: Rights of Individuals
Right to Request Restrictions on PHI Uses and Disclosures
You may request the Plan to restrict uses and disclosures of your PHI to carry out treatment, payment or health care operations, or to restrict uses and disclosures to family members, relatives, friends or other persons identified by you who are involved in your care or payment for your care. However the Plan is not required to agree to your request.
The Plan will accommodate reasonable requests to receive communications of PHI by alternative means or at alternative locations.
You or your personal representative will be required to complete a form to request restrictions on uses and disclosures of your PHI.
Such requests should be made to the Plan Administrator at the address listed in the Plan and Summary Plan Description or to the Privacy Officer, SIEBA, LTD., PO Box 5000, Endicott, New York 13761-5000 or (800) 252-4624.
Right to Inspect and Copy PHI
"Protected Health Information" (PHI) includes all individually identifiable health information transmitted or maintained by the Plan, regardless of form.
"Designated Record Set" includes the medical records and billing records about individuals maintained by or for a covered health care provider; enrollment, payment, billing, claims adjudication and case or medical management record systems maintained by or for a health plan; or other information used in whole or in part by or for the covered entity to make decisions about individuals. Information used for quality control or peer review analyses and not used to make decisions about individuals is not in the designated record set.
The requested information will be provided within 30 days if the information is maintained on site or within 60 days if the information is maintained offsite. A single 30-day extension is allowed if the Plan is unable to comply with the deadline.
You or your personal representative will be required to complete a form to request access to the PHI in your designated record set. Requests for access to PHI should be made to the Plan Administrator at the address listed in the Plan and Summary Plan Description or to the Privacy Officer, SIEBA, LTD., PO Box 5000, Endicott, New York 13761-5000 or (800) 252-4624.
If access is denied, you or your personal representative will be provided with a written denial setting forth the basis for denial, a description of how you may exercise those review rights and a description of how you may complain to the Secretary of the US Department of Health and Human Services.
Right to Amend PHI
You have the right to request the Plan to amend your PHI or a record about you in a designated record set for as long as the PHI is maintained in the designated record set.
The Plan has 60 days after the request is made to act on the request. A single 30-day extension is allowed if the Plan is unable to comply with the deadline. If the request is denied in whole or in part, the Plan must provide you with a written denial that explains the basis for the denial. You or your personal representative may then submit a written statement disagreeing with the denial and have that statement included with any future disclosures of your PHI.
Requests for amendment of PHI in a designated record set should be made to the Plan Administrator at the address listed in the Plan and Summary Plan Description or to the Privacy Officer, SIEBA, LTD, PO Box 5000, Endicott, New York 13761-5000 or (800) 252-4624.
The Right to Receive and Accounting of PHI Disclosures
At your request, the Plan will also provide you with an accounting of disclosures by the Plan of your PHI during the six years prior to the date of your request. However such accounting need not include PHI disclosures made (1) to carry our treatment, payment or health care operations; (2) to individuals about their own PHI; or (3) prior to the compliance date.
If the accounting cannot be provided within 60 days, an additional 30 days is allowed if the individual is given a written statement of the reasons for the delay and the date by which the accounting will be provided.
If you request more than one accounting within a 12-month period, the Plan will charge a reasonable, cost-based fee for each subsequent accounting.
The Right to Receive a Paper Copy of This Notice Upon Request
To obtain a paper copy of this Notice contact the Plan Administrator at the address listed in the Plan and Summary Plan Description or to the Privacy Officer, SIEBA, LTD., PO Box 5000, Endicott, New York 13761-5000 or (800) 252-4624.
A Note About Personal Representatives
You may exercise your rights through a personal representative. Your personal representative will be required to produce evidence of his/her authority to act on your behalf before that person will be given access to your PHI or allowed to take any action for you. Proof of such authority may take one of the following forms:
- a power of attorney for health care purposes, notarized by a notary public
- a court order of appointment of the person as the conservator or guardian of the individual
- an individual who is the parent of a minor child
The Plan retains discretion to deny access to your PHI to a personal representative to provide protection to those vulnerable people who depend on others to exercise their rights under these rules and who may be subject to abuse or neglect. This also applies to personal representatives of minors.
Section 3: The Plan’s Duties
The Plan is required by law to maintain the privacy of PHI and to provide individuals (participants and beneficiaries) with notice of its legal duties and privacy practices.
This notice is effective beginning January 1, 2004, and the Plan is required to comply with the terms of this notice. However, the Plan reserves the right to change its privacy practices and to apply the changes to any PHI received or maintained by the Plan prior to that date. If a privacy practice is changed, a revised version of this notice will be provided to all past and present participants and beneficiaries for whom the Plan still maintains PHI. The Privacy Officer will send any revised versions to the Plan’s Human Resources Department.
Any revised version of this notice will be distributed within 60 days of the effective date of any material change to the uses or disclosures, the individual’s rights the duties of the Plan or other privacy practices stated in this notice.
Minimum Necessary Standard
When using or disclosing PHI or when requesting PHI from another covered entity, the Plan will make reasonable efforts not to use, disclose or request more than the minimum amount of PHI necessary to accomplish the intended purpose of the use, disclosure or request, taking into consideration practical and technological limitations.
However, the minimum necessary standard will not apply in the following situations:
- disclosures to or requests by a health care provider for treatment
- uses or disclosures made to the individual
- disclosures made to the Secretary of the US Department of Health and Human services
- Uses or disclosures that are required by law and
- uses or disclosures that are required for the Plan’s compliance with legal regulations
This notice does not apply to information that has been de-identified. De-identified information is information that does not identify an individual and with respect to which there is no reasonable basis to believe that the information can be used to identify an individual.
In addition, the Plan may use or disclose "summary health information" to the plan sponsor for obtaining premium bids or modifying, amending or termination the group health plan, which summarizes the claims history, claims expenses or type of claims experienced by individuals for whom a plan sponsor has provided health benefits under a group health plan, and from which identifying information has been deleted in accordance with HIPAA.
Section 4: Your Right to File a Complaint with the Plan or HHS Secretary
If you believe that your privacy rights have been violated, you may complain to the Plan in care of the Plan Administrator at the address listed in the Plan and Summary Plan Description or to the Privacy Officer, SIEBA, LTD., PO Box 5000, Endicott, New York 13761-5000 or (800) 252-4624.
You may file a complaint with the Secretary of the US Department of Health and Human Services, Hubert H. Humphrey Building, 200 Independence Avenue SW, Washington, DC 20201.
The Plan will not retaliate against you for filing a complaint.
Section 5: Whom to Contact at the Plan for More Information
If you have any questions regarding this notice or the subjects addressed in it, you may contact the Plan Administrator at the address listed in the Plan and Summary Plan Description or to the Privacy Officer, SIEBA, LTD., PO Box 5000, Endicott, New York 13761-5000 or (800) 252-4624.
Conclusion
PHI use and disclosure by the Plan is regulated by a federal law known as HIPAA (the Health Insurance Portability and Accountability Act). You may find these rules at 45 Code of Federal Regulations Parts 160 and 164. This notice attempts to summarize the regulations. The regulations will supersede any discrepancy between the information in this notice and the regulations.