STATEMENT OF PRIVACY PRACTICES
A federal law, the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), provides your health information with important protections. HIPAA requires that the Fund
maintain the privacy of your protected health information (PHI). PHI is information the Fund has or receives that can identify an individual and that relates to any medical, prescription, dental,
vision and/or Employees Assistance Program benefits that you receive from the Fund, regardless of the form in which it is provided.
The Fund also is required by HIPAA to provide you with this description of the privacy policies and practices adopted by the Fund to safeguard PHI. The Fund must follow these policies and practices but, as permitted by law, the Fund reserves the right to amend or modify them. Revisions to these policies and practices may be required by changes in federal and state laws and regulations. Regardless of the reason for the change, we will provide you with notice of any material change to the Fund’s privacy policies and practices within sixty (60) days of the change.
Does HIPAA permit the Fund to disclose my PHI to my employer? Under HIPAA, the Fund generally cannot disclose your PHI to your employer without your written authorization. It is
important to note, however, that HIPAA does permit the Fund to disclose your PHI without your authorization to workers’ compensation carriers, or others involved in the workers’ compensation
system, to the extent the disclosure is required by law as described below in further detail.
The privacy policy of the Fund is broken down into the following categories:
- The Fund’s uses and disclosures of PHI;
- Your privacy rights with respect to your PHI;
- The Fund’s duties with respect to your PHI;
- Your right to file a complaint with the Fund and to the Secretary of the U.S. Department of Health and Human Services; and
- The person or office to contact for further information about the Fund’s privacy practices.
I. The Fund’s Uses and Disclosures of PHI
Permitted PHI Uses and Disclosures that do not require your permission to use or release.
The use and disclosure of your PHI may be required by the Secretary of the Department of Health and Human Services to investigate or determine the Fund’s compliance with the privacy
regulations. The Fund is also allowed to use and disclose your PHI without your permission under the following circumstances:
- For treatment, payment and health care operations.How may the Fund use my PHI with respect to payment for my treatment, payment and health care operations? The Fund may use your PHI for the broad range of actions needed to make sure that the Fund can make payments for the services that you and your family are eligible to receive. The Fund may use your PHI for making payments to providers for services or treatment that you receive, for making arrangements for payments through one of the networks of providers through which the Fund provides benefits to you, and for coordinating payments to providers through other health Funds under the Fund’s coordination of benefit rules.
- Treatment is the provision, coordination or management of health care and related services. It also includes but is not limited to consultations and referrals between one or more of your providers. For example, the Fund may disclose to a treating physician the name of your treating radiologist so that the physician may ask for your X-rays from the treating radiologist.
- Payment includes but is not limited to actions to make coverage determinations and payment (including billing, claims processing, subrogation, reviews for medical necessity and appropriateness of care, utilization review and preauthorization). For example, the Fund may tell a treating doctor whether you are eligible for coverage or what percentage of the bill will be paid by the Fund.
- Health care operations include but are not limited to quality assessment and improvement, reviewing competence or qualifications of health care professionals, underwriting, premium rating and other insurance activities relating to creating or renewing insurance contracts. It also includes case management, conducting or arranging for medical review, legal services and auditing functions including fraud and abuse compliance programs, business Funding and development, business management and general administrative activities. However, no genetic information can be used or disclosed for underwriting purposes. For example, the Fund may use information to project future benefit costs or audit the accuracy of its claims processing functions
How may the Fund use my PHI with respect to health care operations? HIPAA allows the Fund to disclose an individual’s PHI, without an authorization, to help the Fund assess the quality of the Fund’s benefits as well as to monitor the Fund’s administration and operations. These disclosures include, but are not limited to, disclosures to ensure that participants or their beneficiaries are eligible for benefits prior to making payments; disclosures to recover overpayments; disclosures to assess health Fund performance; disclosures to review the Fund’s benefits and determine whether a reduction in costs is possible; disclosures to pursue case management and coordination of care; disclosures for actuarial studies relating to the cost of benefits and management studies relating to the operation and administration of the Fund; disclosures to resolve internal grievances; and disclosures as part of medical review, legal, and auditing functions. For example, the Fund may use PHI to determine the most cost-effective manner of providing vision benefits to its participants and beneficiaries. The Fund and its business associates (and any health insurers providing benefits to Fund participants) may also disclose the following to the Fund’s Board of Trustees: (1) PHI for purposes related to Fund administration (payment and health care operations); (2) summary health information for purposes of health or stop loss insurance underwriting or for purposes of modifying the Fund; and (3) enrollment information (whether an individual is eligible for benefits under the Fund). The Trustees have amended the Fund to protect your PHI as required by federal law.
- Enrollment information provided to the Trustees.
- Summary health information provided to the Trustees for the purposes of treatment, payment, and health care operations.
- When required by law.
- When permitted for purposes of public health activities, including when necessary to report product defects and to permit product recalls. PHI may also be disclosed if you have been
exposed to a communicable disease or are at risk of spreading a disease or condition, if required by law. - When required by law to report information about abuse, neglect or domestic violence to public authorities if there exists a reasonable belief that you may be a victim of abuse, neglect or domestic violence. In such case, the Fund will promptly inform you that such a disclosure has been or will be made unless that notice would cause a risk of serious harm. For the purpose of reporting child abuse or neglect, it is not necessary to inform a minor that such a disclosure has been or will be made. Disclosure may generally be made to the minor’s parents or other representatives although there may be circumstances under federal or state law when the parents or other representatives may not be given access to the minor’s PHI.
- To a public health oversight agency for oversight activities required by law. This includes uses or disclosures in civil, administrative or criminal investigations; inspections; licensure or disciplinary actions (for example, to investigate complaints against providers); and other activities necessary for appropriate oversight of government benefit programs (for example, to
investigate Medicare or Medicaid fraud). - The Fund may disclose your PHI when required for judicial or administrative proceedings. For example, your PHI may be disclosed in response to a subpoena or discovery request.
- When required for law enforcement purposes, including for the purpose of identifying or locating a suspect, fugitive, material witness or missing person. Also, when disclosing information about an individual who is or is suspected to be a victim of a crime but only if the individual agrees to the disclosure or the Fund is unable to obtain the individual’s agreement because of emergency circumstances. Furthermore, the law enforcement official must represent that the information is not intended to be used against the individual, the immediate law enforcement activity would be materially and adversely affected by waiting to obtain the individual’s agreement and disclosure is in the best interest of the individual as determined by the exercise of the Fund’s best judgment.
- When required to be given to a coroner or medical examiner for the purpose of identifying a deceased person, determining a cause of death or other duties as authorized by law. Also, disclosure is permitted to funeral directors, consistent with applicable law, as necessary to carry out their duties with respect to the decedent.
- When consistent with applicable law and standards of ethical conduct if the Fund, in good faith, believes the use or disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public and the disclosure is to a person reasonably able to prevent or lessen the threat, including the target of the threat.
- When authorized by and to the extent necessary to comply with workers’ compensation or other similar programs established by law.
PHI Use and Disclosures that require you the opportunity to object prior to its use or release.
There are instances where uses and disclosures of your PHI require that you be given an opportunity to agree or disagree prior to the use or release. Unless you object, the Fund may provide relevant portions of your PHI to a family member, friend or other person you indicate is involved in your health care or in helping you receive payment for your health care. Also, if you are not capable of agreeing or objecting to these disclosures because of, for instance, an emergency situation, the Fund will disclose PHI (as the Fund determines) in your best interest. After the emergency, the Fund will give you the opportunity to object to future disclosures to family and friends.
Because I am always working, my spouse often calls to find out the status of my health claims and to get other information about me or my benefits. Can the Fund release information relating to payment of my claims to my spouse? The Fund will not provide claims payment or other PHI about you to your spouse unless you file a written authorization form with the Fund office, as described later in this Notice.
May I call the Fund to get information about my children’s health claims? The Fund will provide a minor child’s parent, guardian (or person standing in loco parentis with respect to the child) with payment information about the child’s claims.
The Fund will carefully consider your written request for information other than claims payment information, and will respond as permitted by its privacy policies and applicable state law.
If your child is not a minor, the Fund cannot provide you with the child’s PHI, even if the child is still covered under the Fund as your dependent, unless the child files an authorization form with the Fund office, as described later in this Notice.
PHI Use and Disclosures that you must give us authorization to use or release.
Other uses or disclosures of your PHI not described above will only be made with your written authorization. For example, in general and subject to specific conditions, the Fund will not use or
disclose your psychiatric notes; the Fund will not use or disclose your PHI for marketing; and the Fund will not sell your PHI, unless you provide a written authorization to do so. You may revoke
written authorizations at any time, so long as the revocation is in writing. Once the Fund receives your written revocation, it will only be effective for future uses and disclosures. It will not be
effective for any information that may have been used or disclosed in reliance upon the written authorization and prior to receiving your written revocation.
Except as otherwise indicated in this notice, uses and disclosures will be made only with your written authorization subject to your right to revoke such authorization.
II. Rights of Individuals
Do I have rights under the federal privacy standards? Yes. Your rights to information under HIPAA include:
- The right to request restrictions on the use and disclosure of your PHI. You may request the Fund to restrict the uses and disclosures of your PHI. However, the Fund is not required
to agree to your request (except that the Fund must comply with your request to restrict a disclosure of your confidential information for payment or health care operations if you paid
for the services to which the information relates in full, out of pocket). You or your personal representative will be required to submit a written request to exercise this right. Such requests should be made to the Fund’s Privacy Official. - The right to receive confidential communications concerning your medical condition or treatment if you believe that disclosure of this information could endanger you. For example, you can make a written request that the Fund send information about your medical treatment to a post office box or an address different from your home address in order to ensure that your PHI remains confidential. You or your personal representative will be required to submit a written request to exercise this right. Such requests should be made to the Fund’s Privacy Official. The Fund will attempt to honor reasonable requests for confidential communications.
- The right to inspect and copy your PHI. The Fund may charge a reasonable fee for copying, assembling and mailing your requested PHI. You have a right to inspect and obtain a copy
of your PHI contained in a “designated record set,” for as long as the Fund maintains the PHI. If the information you request is in an electronic designated record set, you may request that these records be transmitted electronically to yourself or a designated individual. “Designated Record Set” includes the medical records and billing records about individuals maintained by or for a covered health care provider; enrollment, payment, billing, claims adjudication and case or medical management record systems maintained by or for the Fund; or other information used in whole or in part by or for the Fund to make decisions about individuals. Information used for quality control or peer review analyses and not used to make decisions about individuals is not in the designated record set. The requested information will be provided within 30 days if the information is maintained on site or within 60 days if the information is maintained off site. A single 30-day extension is allowed if the Fund is unable to comply with the deadline. You or your personal representative will be required to submit a written request to request access to the PHI in your designated record set. Such requests should be made to the Fund’s Privacy Official. If access is denied, you or your personal representative will be provided with a written denial, setting forth the basis for the denial, a description of how you may appeal the Fund’s decision and a description of how you may complain to the Secretary of the U.S.
Department of Health and Human Services. The Fund may charge a reasonable, cost-based fee for copying records at your request. The right to receive an electronic copy of your electronic medical records. The Fund will make every effort to provide access to PHI in the form or format you request, if it is readily producible in such form or format. - The right to receive notice of a breach of your unsecured PHI.
- The right to amend or submit corrections to your PHI. If you believe that the information in your records is inaccurate or incomplete, you may submit a written request to correct these
records. The Fund may deny your request if, for example, you do not include the reason that you wish to correct your records or if the records were not created by the Fund. You have
the right to request the Fund to amend your PHI or a record about you in your designated record set for as long as the PHI is maintained in the designated record set. The Fund has 60
days after the request is made to act on the request. A single 30-day extension is allowed if the Fund is unable to comply with the deadline. If the request is denied in whole or part, the
Fund must provide you with a written denial that explains the basis for the denial. You or your personal representative may then submit a written statement disagreeing with the denial
and have that statement included with any future disclosures of your PHI. Such requests should be made to the Fund’s Privacy Official. You or your personal representative will be
required to submit a written request to request amendment of the PHI in your designated record set. - The right to receive an accounting of how and to whom you’re PHI has been disclosed, if it was disclosed for reasons other than payment or health care operations. At your request, the Fund will also provide you an accounting of disclosures by the Fund of your PHI during the six years prior to the date of your request. However, such accounting will not include PHI disclosures made: (1) to carry out treatment, payment or health care operations; (2) to individuals about their own PHI; (3) pursuant to your authorization; (4) prior to April 14, 2003; and (5) where otherwise permissible under the law and the Fund’s privacy practices. In addition, the Fund need not account for certain incidental disclosures. If the accounting cannot be provided within 60 days, an additional 30 days is allowed if the individual is given a written statement of the reasons for the delay and the date by which the accounting will be provided. If you request more than one accounting within a 12-month period, the Fund will charge a reasonable, cost-based fee for each subsequent accounting.
- The right to file a complaint that your privacy rights have been violated, with the Fund and with the Secretary of U.S. Department of Health & Human Services. You will not be
penalized or otherwise retaliated against for filing a complaint. - The right to receive a printed copy of this Notice.
To exercise these rights, you may file requests with the Fund office, to the attention of the Fund’s Privacy Officer, whose name, address, and telephone number appear below. The Fund office will
let you know if the Fund accepts or rejects your request (and why) in writing within the time set by law.
A Note About Personal Representatives
You may exercise your rights through a personal representative. Your personal representative will be required to produce evidence of his/her authority to act on your behalf before that person will be given access to your PHI or allowed to take any action for you. Proof of such authority may take one of the following forms:
- a power of attorney for health care purposes;
- a court order of appointment of the person as the conservator or guardian of the individual; or
- an individual who is the parent of an unemancipated minor child may generally act as the child’s personal representative (subject to state law).
The Fund retains discretion to deny access to your PHI by a personal representative to provide protection to those vulnerable people who depend on others to exercise their rights under these rules and who may be subject to abuse or neglect.
III. The Fund’s Duties
The Fund is required by law to maintain the privacy of PHI and to provide individuals (participants and beneficiaries) with notice of the Fund’s legal duties and privacy practices. However, the Fund reserves the right to change its privacy practices and to apply the changes to any PHI received or maintained by the Fund prior to that date. If a privacy practice is changed, a revised version of this Notice will be provided to all participants for whom the Fund still maintains PHI. The revised Notice will be distributed in the same manner as the initial Notice was provided or in any other
permissible manner. If the revised version of this Notice is posted on the Fund’s website you will also receive a copy of the Notice, or information about any material change and how to receive a copy of the Notice in the Fund’s next annual mailing. Otherwise, the revised version of this Notice will be distributed within 60 days of the effective date of any material change to the Fund’s policies regarding the uses or disclosures of PHI, the individual’s privacy rights, the duties of the Fund or other privacy practices stated in this Notice.
Minimum Necessary Standard
When using or disclosing PHI or when requesting PHI from another covered entity, the Fund will make reasonable efforts not to use, disclose or request more than the minimum amount of PHI
necessary to accomplish the intended purpose of the use, disclosure or request, taking into consideration practical and technological limitations. When required by law, the Fund will restrict
disclosures to the limited data set, or otherwise as necessary, to the minimum necessary information to accomplish the intended purpose.
However, the minimum necessary standard will not apply in the following situations:
- disclosures to or requests by a health care provider for treatment;
- uses or disclosures made to the individual;
- disclosures made to the Secretary of the U.S. Department of Health and Human Services;
- uses or disclosures that are required by law; and
- uses or disclosures that are required for the Fund’s compliance with legal regulations.
De-Identified Information
This notice does not apply to information that has been de-identified. De-identified information is information that does not identify an individual and with respect to which there is no reasonable
basis to believe that the information can be used to identify an individual.
Summary Health Information
The Fund may disclose “summary health information” to the Trustees for obtaining insurance premium bids or modifying, amending or terminating the Fund. “Summary health information” summarizes the claims history, claims expenses or type of claims experienced by participants and excludes identifying information in accordance with HIPAA.
Notification of Breach
The Fund is required by law to maintain the privacy of participants’ PHI and to provide individuals with notice of its legal duties and privacy practices. In the event of a breach of unsecured PHI, the Fund will notify affected individuals of the breach.
IV. Your Right to File a Complaint With the Fund or the HHS Secretary
If you believe that your privacy rights have been violated, you may complain to the Fund. Such complaints should be made to the Fund’s Privacy Official. You may file a complaint with the
Secretary of the U.S. Department of Health and Human Services, Hubert H. Humphrey Building, 200 Independence Avenue SW, Washington, D.C. 20201. The Fund will not retaliate against you
for filing a complaint.
V. Whom to Contact at the Fund for More Information
The Fund has designated Andrew Bub as the Privacy Officer. If you wish to file an authorization, request information to which you have a right, or file a complaint with the Fund, or if you have any
questions regarding this Notice, you should address them to:
Mr. Paul Heinzel
HIPAA Privacy Officer
372 Vanderbilt Motor Parkway
Hauppauge, NY 11788
CONCLUSION
PHI use and disclosure by the Fund is regulated by a federal law known as HIPAA (the Health Insurance Portability and Accountability Act). You may find these rules at 45 Code Federal
Regulations Parts 160 and 164. The Fund intends to comply with these regulations. This notice attempts to summarize the regulations. The regulations will supersede any discrepancy between the
information in this notice and the regulations. Please remember that the Fund can assess reasonable charges for copying, assembling and mailing to you any documents that you request.