NOTICE OF PRIVACY
PRACTICES
THIS
NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED, STORED,
DISCLOSED, OR TRANSMITTED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
This
Notice of Privacy Practices describes how protected health information and/or
electronic protected health information (“ePHI”) (collectively, “PHI”) may be
used, stored, disclosed, or transmitted by us or your Group Health Plan to
carry out payment, health care operations, and for other purposes that are
permitted or required by law. This Notice also sets out our legal obligations
concerning your PHI, and describes your rights to access, amend, manage, or
transmit your PHI.
PHI
is individually identifiable health information, including demographic
information, collected from you or stored, created, received, or transmitted by
a health care provider, a health plan, your employer (when functioning on
behalf of the Group Health Plan), or a health care clearinghouse and that
relates to: (i) your past, present, or future
physical or mental health or condition; (ii) the provision of health care to
you; or (iii) the past, present, or future payment for the provision of health
care to you. The above-referenced
entities may also be referred to as covered entities.
In
addition to the above-listed entities, their business associates and
contractors must comply with HIPAA standards regarding their handling of
PHI. A business associate is any person
or group that generates, stores, receives or transmits PHI on behalf of a
covered entity with which they are affiliated.
In order for the business associates and contractors to remain
compliant, they must be vigilant about consistency and evaluating and modifying
its HIPAA security and compliance strategy.
Prior to performing a service related to the use, storage, disclosure,
or transmittal of PHI, a business associate must sign a Business Associate
Agreement. The business associates may
be subject to the same penalties and fines as a covered entity in the event
that they are not in compliance with HIPAA regulations. Business Associate
Agreements must comply with HIPAA Omnibus Rule.
Sufficient
training should be held to inform staff of the definitions and procedure
changes as a result of the HIPAA Omnibus Rule.
Business associates are required to implement training for their
employees and all instructional efforts must be documented.
This
Notice of Privacy Practices had been drafted to be consistent with what is
known as the “HIPAA Privacy Rule,” and any of the terms not defined in this
Notice should have the same meaning as they have in the HIPAA Privacy Rule.
If
you have any questions or want additional information about this Notice or the
policies and procedures described in this Notice, please contact Member
Services by mail at Good Samaritan Direct Health, P.O. Box 2109, Columbus, IN
47202, or by phone toll-free at (888) 690-3044 or, if local, at (812) 245-5303.
EFFECTIVE DATE
This
Notice of Privacy Practices becomes effective on January 1, 2023.
OUR
RESPONSIBILITIES
We
are required by law to maintain the privacy of your PHI. We are obligated to:
provide you with a copy of this Notice of our legal duties and of our privacy
practices related to your PHI; abide by the terms of the Notice that is currently
in effect; and notify you in the event of a breach of your unsecured PHI. We
reserve the right to change the provisions of our Notice and make the new
provisions effective for all PHI that we maintain. If we make a material change
to our Notice, we will make the revised Notice available by posting on our
website at www.gshvindirect.org.
PERMISSIBLE USES
AND DISCLOSURES OF PHI
The
following is a description of how we are most likely to use and/or disclose
your PHI.
TPO (Treatment,
Payment, and Health Care Operations) Uses
To
avoid interfering with an individual’s access to quality health care or the
efficient payment for such health care, we have the right to use, store, disclose,
and transmit your PHI for all activities that are included within the
definitions of “treatment”, “payment”, and “health care operations” as set out
in 45 C.F.R. § 164.501 (this provision is a part of the HIPAA Privacy Rule). We
have not listed in this Notice all of the activities included within these
definitions, so please refer to 45 C.F.R. § 164.501 for a complete list.
Treatment
Treatment generally means the
provision, coordination, or management of health care and related services
among health care providers, or by a health care provider with a third-party,
consultation between health care providers regarding a patient, or the referral
of a patient from one health care provider to another.
Payment
We will use or disclose your PHI
to pay claims for services provided to you and to obtain stop-loss
reimbursements or to otherwise fulfill our responsibilities for coverage and
providing benefits. For example, we may disclose your PHI when a provider
requests information regarding your eligibility for coverage under our health
plan, or we may use your information to determine if a treatment that you
received was medically necessary.
Health
Care Operations
We will use or disclose your PHI
to support the Plan’s business functions. These functions include, but are not
limited to: quality assessment and improvement, reviewing provider performance,
licensing, stop-loss underwriting, business planning, and business development.
For example, we may use or disclose your PHI: (i) to
provide you with information about a disease management program; (ii) to
respond to a customer service inquiry from you; or (iii) in connection with
fraud and abuse detection and compliance programs.
De-Identified
Health Information
There
are no restrictions on the use or disclosure of de-identified health
information. De-identified health
information neither identifies nor provides a reasonable basis to identify an
individual. There are two ways to
de-identify information, either: (1) a formal determination by a qualified
statistician; or (2) the removal of specified identifiers of the individual and
of the individual’s relatives, household members, and employers is required,
and is adequate only if the covered entity has no actual knowledge that the
remaining information could be used to identify the individual.
OTHER PERMISSIBLE
USES AND DISCLOSURES OF PHI
The
following is a description of other possible ways in which we may (and are
permitted to) use and/or disclose your PHI.
Required by Law
We
may use or disclose your PHI to the extent the law requires the use or
disclosure. When used in this Notice, “required by law” is defined as it is in
the HIPAA Privacy Rule. For example, we may disclose your PHI when required by
national security laws or public health disclosure laws.
Public Health
Activities
We
may use or disclose your PHI for public health activities that are permitted or
required by law. For example, we may use or disclose information for the
purpose of preventing or controlling disease, injury, or disability, or we may
disclose such information to a public health authority authorized to receive
reports of child abuse or neglect. We also may disclose PHI, if directed by a
public health authority, to a foreign government agency that is collaborating
with the public health authority.
Health Oversight
Activities
We
may disclose your PHI to a health oversight agency for activities authorized by
law, such as: audits; investigations; inspections; licensure or disciplinary
actions; or civil, administrative, or criminal proceedings or actions.
Oversight agencies seeking this information include government agencies that
oversee: (i) the health care system; (ii) government
benefit programs; (iii) other government regulatory programs; and (iv)
compliance with civil rights laws.
Abuse or Neglect
We
may disclose your PHI to a government authority that is authorized by law to
receive reports of abuse, neglect, or domestic violence when required by law.
Legal Proceedings
We
may disclose your PHI: (i) in the course of any
judicial or administrative proceeding; (ii) in response to an order of a court
or administrative tribunal (to the extent such disclosure is expressly
authorized); and (iii) in response to a subpoena, a discovery request, or other
lawful process, once we have met all administrative requirements of the HIPAA
Privacy Rule. For example, we may disclose your PHI in response to a subpoena
for such information, but only after we first meet certain conditions required
by the HIPAA Privacy Rule.
Law Enforcement
Under
certain conditions, we also may disclose your PHI to law enforcement officials.
For example, some of the reasons for such a disclosure may include, but not be
limited to: (i) it is required by law or some other
legal process; (ii) it is necessary to locate or identify a suspect, fugitive,
material witness, or missing person; and (iii) it is necessary to provide
evidence of a crime that occurred on our premises.
Coroners, Medical
Examiners, Funeral Directors; Organ Donation Organizations
We
may disclose PHI to a coroner or medical examiner for purposes of identifying a
deceased person, determining a cause of death, or for the coroner or medical
examiner to perform other duties authorized by law. We also may disclose, as
authorized by law, information to funeral directors so that they may carry out
their duties. Further, we may disclose PHI to organizations that handle organ,
eye, or tissue donation and transplantation.
Research
We
may disclose your PHI to researchers when an institutional review board or
privacy board has: (i) reviewed the research proposal
and established protocols to ensure the privacy of the information; and (ii)
approved the research.
To Prevent a
Serious Threat to Health or Safety
Consistent
with applicable federal and state laws, we may disclose your PHI if we believe
that the disclosure is necessary to prevent or lessen a serious and imminent
threat to the health or safety of a person or the public. We also may disclose
PHI if it is necessary for law enforcement authorities to identify or apprehend
an individual.
Military Activity
and National Security, Protective Services
Under
certain conditions, we may disclose your PHI if you are, or were, Armed Forces
personnel for activities deemed necessary by appropriate military command
authorities. If you are a member of foreign military service, we may disclose,
in certain circumstances, your information to the foreign military authority.
We also may disclose your PHI to authorized federal officials for conducting
national security and intelligence activities, and for the protection of the
President, other authorized persons, or heads of state.
Inmates
If
you are an inmate of a correctional institution, we may disclose your PHI to
the correctional institution or to a law enforcement official for: (i) the institution to provide health care to you; (ii) your
health and safety and the health and safety of others; or (iii) the safety and
security of the correctional institution.
Workers’ Compensation
We
may disclose your PHI to comply with workers’ compensation laws and other
similar programs that provide benefits for work-related injuries or illnesses.
Emergency
Situations
We
may disclose your PHI in an emergency situation, or if you are incapacitated or
not present, to a family member, close personal friend, authorized disaster
relief agency, or any other person previous identified by you. We will use
professional judgment and experience to determine if the disclosure is in your
best interests. If the disclosure is in your best interest, we will disclose
only the PHI that is directly relevant to the person's involvement in your
care.
Fundraising
Activities
We
may use or disclose your PHI for fundraising activities, such as raising money
for a charitable foundation or similar entity to help finance its activities.
If we do contact you for fundraising activities, we will give you the
opportunity to opt-out, or stop, receiving such communications in the future.
Group
Health Plan Disclosures
We
may disclose your PHI to a sponsor of the Group Health Plan – such as an
employer or other entity – that is providing a health care program to you. We
can disclose your PHI to that entity if that entity has contracted with us to
administer your health care program on its behalf.
Underwriting
Purposes
We
may use or disclose your PHI for underwriting purposes, such as to make a
determination about a coverage application or request. If we do use or disclose
your PHI for underwriting purposes, we are prohibited from using or disclosing
in the underwriting process your PHI that is genetic information.
Others Involved in
Your Health Care
Using
our best judgment, we may make your PHI known to a family member, other
relative, close personal friend or other personal representative that you
identify. Such a use will be based on how involved the person is in your care,
or payment that relates to your care. We may release information to parents or
guardians, if allowed by law. If you are not present or able to agree to these
disclosures of your PHI, then, using our professional judgment, we may
determine whether the disclosure is in your best interest.
USES AND
DISCLOSURES OF YOUR PHI THAT REQUIRE YOUR AUTHORIZATION
Sale of PHI
We
will request your written authorization before we make any disclosure that is
deemed a sale of your PHI, meaning that we are receiving compensation for
disclosing the PHI in this manner.
Marketing
We
will request your written authorization to use or disclose your PHI for
marketing purposes with limited exceptions, such as when we have face-to-face
marketing communications with you or when we provide promotional gifts of
nominal value.
Psychotherapy Notes
We
will request your written authorization to use or disclose any of your
psychotherapy notes that we may have on file with limited exception, such as
for certain treatment, payment or health care operation functions.
Other
uses and disclosures of your PHI that are not described above will be made only
with your written authorization. If you provide us with such an authorization,
you may revoke the authorization in writing, and this revocation will be
effective for future uses and disclosures of PHI. However, the revocation will
not be effective for information that we already have used or disclosed,
relying on the authorization.
REQUIRED
DISCLOSURES OF YOUR PHI
The
following is a description of disclosures that we are required by law to make.
Disclosures to the
Secretary of the U.S. Department of Health and Human Services
We
are required to disclose your PHI to the Secretary of the U.S. Department of
Health and Human Services when the Secretary is investigating or determining
our compliance with the HIPAA Privacy Rule.
Disclosures to You
We
are required to disclose to you most of your PHI in a “designated record set”
when you request access to this information. Generally, a “designated record
set” contains medical and billing records, as well as other records that are
used to make decisions about your health care benefits. We also are required to
provide, upon your request, an accounting of most disclosures of your PHI that
are for reasons other than payment and health care operations and are not
disclosed through a signed authorization. We will disclose your PHI to an
individual who has been designated by you as your personal representative and
who has qualified for such designation in accordance with relevant state law.
However, before we will disclose PHI to such a person, you must submit a
written notice of his/her designation, along with the documentation that
supports his/her qualification (such as a power of attorney). Even if you
designate a personal representative, the HIPAA Privacy Rule permits us to elect
not to treat the person as your personal representative if we have a reasonable
belief that: (i) you have been, or may be, subjected
to domestic violence, abuse, or neglect by such person; (ii) treating such
person as your personal representative could endanger you; or (iii) we
determine, in the exercise of our professional judgment, that it is not in your
best interest to treat the person as your personal representative.
Business Associates
We
contract with individuals and entities (Business Associates) to perform various
functions on our behalf or to provide certain types of services. To perform
these functions or to provide the services, our Business Associates will
receive, create, maintain, use, or disclose PHI, but only after we require the
Business Associates to agree in writing to contract terms designed to
appropriately safeguard your information. For example, we may disclose your PHI
to a Business Associate to administer claims or to provide member service
support, utilization management, subrogation, or pharmacy benefit management.
Examples of our business associates would be our Third Party Administrator,
SIHO Insurance Services, which will be handling many of the functions in
connection with the operation of our Group Health Plan; the retail pharmacy;
and the mail order pharmacy.
Other Covered
Entities
We
may use or disclose your PHI to assist health care providers in connection with
their treatment or payment activities, or to assist other covered entities in
connection with payment activities and certain health care operations. For
example, we may disclose your PHI to a health care provider when needed by the
provider to render treatment to you, and we may disclose PHI to another covered
entity to conduct health care operations in the areas of quality assurance and
improvement activities, or accreditation, certification, licensing or
credentialing. This also means that we may disclose or share your PHI with
other insurance carriers in order to coordinate benefits, if you or your family
members have coverage through another carrier.
Plan Sponsor
We
may disclose your PHI to the plan sponsor of the Group Health Plan for purposes
of plan administration or pursuant to an authorization request signed by you.
POTENTIAL IMPACT OF
STATE LAW
The
HIPAA Privacy Rule regulations generally do not “preempt” (or take precedence
over) state privacy or other applicable laws that provide individuals greater
privacy protections. As a result, to the extent state law applies, the privacy
laws of a particular state, or other federal laws, rather than the HIPAA
Privacy Rule regulations, might impose a privacy standard under which we will
be required to operate. For example, where such laws have been enacted, we will
follow more stringent state privacy laws that relate to uses and disclosures of
PHI concerning HIV or AIDS, mental health, substance abuse/chemical dependency,
genetic testing, reproductive rights, etc.
YOUR RIGHTS
The
following is a description of your rights with respect to your PHI.
Right to Request a
Restriction
You
have the right to request a restriction on the PHI we use or disclose about you
for payment or health care operations. We are not required to agree to any
restriction that you may request. If we do agree to the restriction, we will
comply with the restriction unless the information is needed to provide
emergency treatment to you. You may request a restriction by contacting the
designated contact listed on the first page of this Notice. It is important that you direct your request
for restriction to the designated contact so that we can begin to process your
request. Requests sent to persons or offices other than the designated contact
might delay processing the request.
We
will want to receive this information in writing and will instruct you where to
send your request when you call. In your request, please tell us: (1) the
information whose disclosure you want to limit; and (2) how you want to limit
our use and/or disclosure of the information.
Right to Request
Confidential Communications
If
you believe that a disclosure of all or part of your PHI may endanger you, you
may request that we communicate with you regarding your information in an
alternative manner or at an alternative location. For example, you may ask that
we only contact you at your work address or via your work e-mail.
You
may make such a request by contacting the designated contact listed on the
first page of this Notice. It is important that you direct your request for
confidential communications to the designated contact so that we can begin to
process your request. Requests sent to persons or offices other than the one
indicated might delay processing the request.
We
will want to receive this information in writing and will instruct you where to
send your written request when you call. In your request, please tell us: (1)
that you want us to communicate your PHI with you in an alternative manner or
at an alternative location; and (2) that the disclosure of all or part of the
PHI in a manner inconsistent with your instructions would put you in danger.
We
will accommodate a request for confidential communications that is reasonable
and that states that the disclosure of all or part of your PHI could endanger
you. As permitted by the HIPAA Privacy Rule, "reasonableness" will
(and is permitted to) include, when appropriate, making alternate arrangements
regarding payment.
Accordingly,
as a condition of granting your request, you will be required to provide us
information concerning how payment will be handled. For example, if you submit
a claim for payment, state or federal law (or our own contractual obligations)
may require that we disclose certain financial claim information to the plan
participant (e.g., an Explanation of Benefits, or “EOB”). Unless you
have made other payment arrangements, the EOB (in which your PHI might be
included) will be released to the plan participant.
Once
we receive all of the information for such a request (along with the
instructions for handling future communications), the request will be processed
promptly, usually within two business days.
Prior
to receiving the information necessary for this request, or during the time it
takes to process it, PHI might be disclosed (such as through an EOB).
Therefore, it is extremely important that you contact the designated contact
listed on the first page of this Notice as soon as you determine that you
need to restrict disclosures of your PHI.
If
you terminate your request for confidential communications, the restriction
will be removed for all your PHI that we hold, including PHI that was
previously protected. Therefore, you should not terminate a request for
confidential communications if you remain concerned that disclosure of your PHI
will endanger you.
Right to Inspect
and Copy
You
have the right to inspect and copy your PHI that is contained in a “designated
record set.” Generally, a “designated record set” contains medical and billing
records, as well as other records that are used to make decisions about your
health care benefits. However, you may not inspect or copy psychotherapy notes
or certain other information that may be contained in a designated record set.
To
inspect and copy your PHI that is contained in a designated record set, you
must submit your request to the designated contact listed on the first page
of this Notice. It is important that you contact the designated contact to
request an inspection and copying so that we can begin to process your request.
Requests sent to persons, offices, other than the designated contact might
delay processing the request. If you request a copy of the information, we may
charge a fee for the costs of copying, mailing, or other supplies associated
with your request.
We
may deny your request to inspect and copy your PHI in certain limited
circumstances. If you are denied access to your information, you may request
that the denial be reviewed. To request a review, you must contact the
designated contact listed on the first page of this Notice. A licensed
health care professional chosen by us will review your request and the denial.
The person performing this review will not be the same one who denied your
initial request. Under certain conditions, our denial will not be reviewable.
If this event occurs, we will inform you in our denial that the decision is not
reviewable.
Right to Amend
If
you believe that your PHI is incorrect or incomplete, you may request that we
amend your information. You may request that we amend your information by
contacting the designated contact listed on the first page of this Notice.
Additionally, your request should include the reason the amendment is
necessary. It is important that you direct your request for amendment to the
designated contact so that we can begin to process your request. Requests sent
to persons or offices, other than the designated contact might delay processing
the request.
In
certain cases, we may deny your request for an amendment. For example, we may
deny your request if the information you want to amend is not maintained by us,
but by another entity. If we deny your request, you have the right to file a
statement of disagreement with us. Your statement of disagreement will be
linked with the disputed information and all future disclosures of the disputed
information will include your statement.
Right of an
Accounting
You
have a right to an accounting of certain disclosures of your PHI that are for
reasons other than treatment, payment, or health care operations. No accounting
of disclosures is required for disclosures made pursuant to a signed
authorization by you or your personal representative. You should know that most
disclosures of PHI will be for purposes of payment or health care operations,
and, therefore, will not be subject to your right to an accounting. There also
are other exceptions to this right.
An
accounting will include the date(s) of the disclosure, to whom we made the
disclosure, a brief description of the information disclosed, and the purpose
for the disclosure.
You
may request an accounting by submitting your request in writing to the
designated contact listed on the first page of this Notice. It is important
that you direct your request for an accounting to the designated contact so
that we can begin to process your request. Requests sent to persons or offices
other than the designated contact might delay processing the request.
Your
request may be for disclosures made up to 6 years before the date of your
request. The first list you request within a 12-month period will be free. For
additional lists, we may charge you for the costs of providing the list. We
will notify you of the cost involved and you may choose to withdraw or modify
your request at the time before any costs are incurred.
Right to a Copy of
This Notice
You
have the right to request a copy of this Notice at any time by contacting
the designated contact listed on the first page of this Notice. If you
receive this Notice on our Website or by electronic mail, you also are entitled
to request a paper copy of this Notice.
COMPLAINTS
You
may complain to us if you believe that we have violated your privacy rights.
You may file a complaint with us by calling us at the number listed on the
first page of this Notice. A copy of a complaint form is available from this
contact office. You also may file a complaint with the Secretary of the U.S.
Department of Health and Human Services. Complaints filed directly with the
Secretary must: (1) be in writing; (2) contain the name of the entity against
which the complaint is lodged; (3) describe the relevant problems; and (4) be
filed within 180 days of the time you became or should have become aware of the
problem. We will not penalize or any other way retaliate against you for filing
a complaint with the Secretary or with us.