Privacy Notice

You may download a copy of this notice.

NOTICE OF PRIVACY PRACTICES

 

THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION

ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION.

PLEASE REVIEW IT CAREFULLY.

 

This Notice is effective as of September 23, 2013 and shall remain in effect until you are notified of any changes, modifications or amendments. This Notice applies to health information the health care components of ISAS Group Benefits Trust Plan (referred to herein as the “Plan”) create or receive about you.

You may receive notices about your medical information and how it is handled by other plans or insurers. The Health Insurance Portability and Accountability Act of 1996, as amended (“HIPAA”), mandated the issuance of regulations to protect the privacy of individually identifiable health information, which were issued at 45 CFR Parts 160 through 164 (the “Privacy Regulations”). Since their initial publication, the Privacy Regulations were amended by the Genetic Information Nondiscrimination Act of 2008 (“GINA”) and the Health Information Technology for Economic and Clinical Health Act (“HITECH”) under the American Recovery and Reinvestment Act of 2009 (“ARRA”), and by modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules, as published in the Federal Register on January 25, 2013. As a participant or beneficiary of the Plan, you are entitled to receive a notice of the Plan’s privacy procedures with respect to your health information, including “genetic information” (as defined in Section 105 of GINA), that is created or received by the Plan (your “Protected Health Information” or “PHI”). This Notice is intended to inform you about how the Plan will use or disclose your PHI, your privacy rights with respect to the PHI, the Plan’s duties with respect to your PHI, your right to file a complaint with the Plan or with the Secretary of the U.S. Department of Health and Human Services (“HHS”) and the office to contact for further information about the Plan’s privacy practices. 

How the Plan Will Use or Disclose Your PHI

Other than the uses or disclosures discussed below, any use or disclosure of your PHI will be made only with your written authorization. Any authorization by you must be in writing. You will receive a copy of any authorization you sign. You may revoke your authorization in writing, except your revocation cannot be effective to the extent the Plan has taken any action relying on your authorization for disclosure. Your authorization may not be revoked if your authorization was obtained as a condition for obtaining insurance coverage and any law provides the insurer with the right to contest a claim under the policy or the policy itself provides such right.

When using or disclosing PHI or when requesting PHI from another covered entity, the Plan will make reasonable efforts not to use, disclose or request more than the minimum amount of PHI necessary to accomplish the intended purpose of the use, disclosure or request, taking into consideration practical and technological limitations. Effective for uses and disclosures on or after February 17, 2010 until the date the Secretary of HHS issues guidance on what constitutes the “minimum necessary” for purposes of the privacy requirements, the Plan shall limit the use, disclosure or request of PHI (1) to the extent practicable, to the limited data set or (2) if needed by such entity, to the minimum necessary to accomplish the intended purpose of such use, disclosure or request. The minimum necessary standard will not apply in the following situations:

  • disclosures to or requests by a health care provider for treatment;
  • uses or disclosures made to the individual;
  • disclosures made to HHS;
  • uses or disclosures that are required by law;
  • uses or disclosures that are required for the Plan’s compliance with legal regulations; and
  • uses and disclosures made pursuant to a valid authorization.

The following uses and disclosures of your PHI may be made by the Plan: 

For Payment.  Your PHI may be used or disclosed to obtain payment, including disclosures for coordination of benefits paid with other plans and medical payment coverages, disclosures for subrogation in order for the Plan to pursue recovery of benefits paid from parties who caused or contributed to the injury or illness, disclosures to determine if the claim for benefits are covered under the Plan, are medically necessary, experimental or investigational, and disclosures to obtain reimbursement under insurance, reinsurance, stop loss or excessive loss policies providing reimbursement for the benefits paid under the Plan on your behalf. Your PHI may be disclosed to other health plans maintained by the Plan sponsor for any of the purposes described above.  Uses and disclosures of PHI for payment purposes are limited by the minimum necessary standard.

For Treatment.  Your PHI may be used or disclosed by the Plan for purposes of treating you. One example would be if your doctor requests information on what other drugs you are currently receiving during the course of treating you.

For the Plan’s Operations . Your PHI may be used as part of the Plan’s health care operations. Health care operations include quality assurance, underwriting and premium rating to obtain renewal coverage, and other activities that are related to creating, renewing, or replacing the contract of health insurance or health benefits or securing or placing a contract for reinsurance of risk, including stop loss insurance, reviewing the competence and qualification of health care providers and conducting cost management and quality improvement activities, and customer service and resolution of internal grievances. The Plan is prohibited from using or disclosing your PHI that is genetic information for underwriting purposes. Uses and disclosures of PHI for health care operations are limited by the minimum necessary standard.

The following use and disclosure of your PHI may be made by the Plan with your written authorization or by providing you with an opportunity to agree or object to the disclosure: 

To Individual Involved in Your Care.  The Plan is permitted to disclose your PHI to your family members, other relatives and your close personal friends involved in your health care or the payment for your health care if:

  • the PHI is directly relevant to the family or friend’s involvement with your care or payment for that care;
  • you have either agreed to the disclosure or have been given an opportunity to object and have not objected; and
  • the PHI is needed for notification purposes, or, if you are deceased, the PHI is relevant to such person’s involvement, unless you have previously expressed to the Plan your preference that such information not be disclosed after your death.

The following uses and disclosures of your PHI may be made by the Plan without your authorization or without providing you with an opportunity to agree or object to the disclosure: 

For Appointment Reminders.  Your PHI may be used so that the Plan, or one of its contracted service providers, may contact you to provide appointment reminders, refill reminders, information on treatment alternatives, or other health related benefits and services that may be of interest to you, such as case management, disease management, wellness programs, or employee assistance programs. 

To the Plan Sponsor. PHI may be provided to the sponsor of the Plan provided that the sponsor has certified that this PHI will not be used for any other benefits, employee benefit plans or employment-related activities.

When Required by Law.  The Plan may also be required to use or disclose your PHI as required by law. For example, the law may require reporting of certain types of wounds or a disclosure to comply with a court order, a warrant, a subpoena, a summons, or a grand jury subpoena received by the Plan. 

For Workers’ Compensation.  The Plan may disclose your PHI as authorized by and to the extent necessary to comply with laws relating to workers’ compensation or other similar programs, established by law, that provide benefits for work-related injuries or illnesses without regard to fault. 

For Public Health Activities.  When permitted for purposes of public health activities, including when necessary to report product defects, to permit product recalls and to conduct post-marketing surveillance. Your PHI may also be used or disclosed if you have been exposed to a communicable disease or are at risk of spreading a disease or condition, if authorized or required by law. 

To Report Abuse, Neglect or Domestic Violence.  When authorized or required by law to report information about abuse, neglect or domestic violence to public authorities if there exists a reasonable belief that you may be a victim of abuse, neglect or domestic violence. In such case, the Plan will promptly inform you that such a disclosure has been or will be made unless that notice would cause a risk of serious harm. For the purpose of reporting child abuse or neglect, the Plan is not required to inform the minor that such a disclosure has been or will be made. Disclosure may generally be made to the minor’s parents or other representatives, although there may be circumstances under federal or state law when the parents or other representatives may not be given access to a minor’s PHI. 

For School Records.  The Plan may disclose immunization records for a student or prospective student to the school to comply with a state or other law requiring the student to provide proof of immunization prior to admitting the student to school.

For Public Health Oversight Activities.  The Plan may disclose your PHI to a public health oversight agency for oversight activities authorized or required by law. This includes uses or disclosures in civil, administrative or criminal investigations; inspections; licensure or disciplinary actions (for example, to investigate complaints against providers); and other activities necessary for appropriate oversight of government benefit programs (for example, to investigate Medicare or Medicaid fraud).

For Judicial or Administrative Proceedings. The Plan may disclose your PHI when required for judicial or administrative proceedings. For example, your PHI may be disclosed in response to a subpoena or discovery request provided certain conditions are met. One of those conditions is that satisfactory assurances must be given to the Plan that the requesting party has made a good faith attempt to provide written notice to you, and the notice provided sufficient information about the proceeding to permit you to raise an objection and no objections were raised or any raised were resolved in favor of disclosure by the court or tribunal.

For Other Law Enforcement Purposes.  The Plan may disclose your PHI for other law enforcement purposes, including for the purpose of identifying or locating a suspect, fugitive, material witness or missing person. Disclosures for law enforcement purposes include disclosing information about an individual who is or is suspected to be a victim of a crime, but only if the individual agrees to the disclosure, or the Plan is unable to obtain the individual’s agreement because of emergency circumstances. Furthermore, the law enforcement official must represent that the information is not intended to be used against the individual, the immediate law enforcement activity would be materially and adversely affected by waiting to obtain the individual’s agreement, and disclosure is in the best interest of the individual as determined by the exercise of the Plan’s best judgment.

To a Coroner or Medical Examiner. When required to be given to a coroner or medical examiner for the purpose of identifying a deceased person, determining a cause of death or other duties as authorized or required by law. Also, disclosure is permitted to funeral directors, consistent with applicable law, as necessary to carry out their duties with respect to the decedent.

For Research.  The Plan may use or disclose PHI for research, subject to certain conditions.

To Prevent or Lessen a Serious and Imminent Threat. When consistent with applicable law and standards of ethical conduct, if the Plan, in good faith, believes the use or disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public and the disclosure is to a person reasonably able to prevent or lessen the threat, including the target of the threat.

State Privacy Laws. Some of the uses or disclosures described in this Notice may be prohibited or materially limited by other applicable state laws to the extent such laws are more stringent than the Privacy Regulations. The Plan shall comply with any applicable state laws that are more stringent when using or disclosing your PHI for any purposes described by this Notice. 

Your Privacy Rights With Respect to PHI

Right to Request Restrictions on PHI Uses and Disclosures

You may request the Plan to restrict uses and disclosures of your PHI to carry out treatment, payment or health care operations, or to restrict uses and disclosures to family members, relatives, friends or other persons identified by you who are involved in your care or payment for your care. The Plan is required to comply with your request only if (1) the disclosure is to a health care plan for purposes of carrying out payment or health care operations, and (2) the PHI pertains solely to a health care item or service for which the health care provider involved has already been paid in full. Otherwise, the Plan is not required to agree to your request.  The Plan will accommodate reasonable requests to receive communications of PHI by alternative means or at alternative locations. You or your personal representative will be required to complete a form to request restrictions on uses and disclosures of your PHI. 

Right to Inspect and Copy PHI

You have a right to inspect and obtain a copy of your PHI contained in a “designated record set,” for as long as the Plan maintains the PHI, other than psychotherapy notes and any information compiled in reasonable anticipation of or for the use of civil, criminal, or administrative actions or proceedings or PHI that is maintained by a covered entity that is a clinical laboratory. Psychotherapy notes are separately filed notes about your conversations with your mental health professional during a counseling session. Psychotherapy notes do not include summary information about your mental health treatment. To the extent that the Plan uses or maintains an electronic health record, you have a right to obtain a copy of your PHI from the Plan in an electronic format. In addition, you may direct the Plan to transmit a copy of your PHI in such electronic format directly to an entity or person.

A “designated record set” includes the medical records and billing records about individuals maintained by or for a covered health care provider; enrollment, payment, billing, claims adjudication and case or medical management record systems maintained by or for the Plan; or other information used in whole or in part by or for the Plan to make decisions about individuals. Information used for quality control or peer review analyses and not used to make decisions about individuals is not in the designated record set. 

You or your personal representative will be required to complete a form to request access to the PHI in your designated record set. If access is denied, you or your personal representative will be provided with a written denial setting forth the basis for the denial, a statement of your review rights, a description of how you may exercise those review rights and a description of how you may complain to HHS.

Right to Amend

You have the right to request the Plan to amend your PHI or a record about you in a designated record set for as long as the PHI is maintained in the designated record set. If the request is denied in whole or part, the Plan must provide you with a written denial that explains the basis for the denial. You or your personal representative may then submit a written statement disagreeing with the denial and have that statement included with any future disclosures of your PHI.

You or your personal representative will be required to complete a form to request amendment of the PHI in your designated record set. You must make requests for amendments in writing and provide a reason to support your requested amendment. 

Right to Receive an Accounting of PHI Disclosures

At your request, the Plan will also provide you with an accounting of disclosures by the Plan of your PHI during the six years prior to the date of your request. However, such accounting need not include PHI disclosures made: (1) to carry out treatment, payment or health care operations; (2) to individuals about their own PHI; (3) pursuant to a valid authorization; (4) incident to a use or disclosure otherwise permitted or required under the Privacy Regulations; (5) as part of a limited data set; or (6) prior to the date the Privacy Regulations were effective for the Plan on April 14, 2004. If you request more than one accounting within a 12-month period, the Plan will charge a reasonable, cost-based fee for each subsequent accounting. Notwithstanding the foregoing, if your Plan maintained electronic PHI as of January 1, 2009, you can request an accounting of all disclosures of your electronic PHI made by the Plan during the three years prior to the date of your request (but on and after January 1, 2014).

Right to Receive Confidential Communications

You have the right to request to receive confidential communications of your PHI. This may be provided to you by alternative means or at alternative locations if you clearly state that the disclosure of all or part of the information could endanger you.

Right to Receive a Paper Copy of This Notice Upon Request

To obtain a paper copy of this Notice, contact the Privacy Official at the address and telephone number set forth in the Contact Information section below.

A Note About Personal Representatives

You may exercise your rights through a personal representative. Your personal representative will be required to produce evidence of his or her authority to act on your behalf before that person will be given access to your PHI or allowed to take any action for you. Proof of such authority may take one of the following forms:

  • a power of attorney for health care purposes, notarized by a notary public;
  • a court order of appointment of the person as the conservator or guardian of the individual; or
  • an individual who is the parent of a minor child.

The Plan retains discretion to deny access to your PHI to a personal representative to provide protection to those vulnerable people who depend on others to exercise their rights under these rules and who may be subject to abuse or neglect. This also applies to personal representatives of minors.

The Plan’s Duties With Respect to Your PHI

The Plan has the following duties with respect to your PHI:

  • The Plan is required by law to maintain the privacy of PHI and provide individuals with notice of its legal duties and privacy practices with respect to the PHI.
  • The Plan is required to abide by the terms of the notice that are currently in effect.
  • The Plan reserves the right to make amendments or changes to any and all of its privacy policies and practices described in this Notice and to apply such changes to all PHI the Plan maintains. Any PHI that the Plan previously received or created will be subject to such revised policies and practices and the Plan may make the changes applicable to all PHI it receives or maintains. In the event of any material change to the uses or disclosures, the individual’s rights, the duties of the Plan or other privacy practices stated in this Notice, the Plan will post the change or the revised Notice on its customer service and benefits web site by the effective date of the material change to the Notice, and a copy of the revised Notice, or, alternatively, information about the change to the Notice and the means to obtain the revised Notice, will be provided to you in the Plan's next annual benefits (or similar) mailing.
  • The Plan is required to notify you of any “breach” (as defined in 45 CFR 164.402 of the Privacy Regulations) of you unsecured PHI. 

Your Right to File a Complaint

You have the right to file a complaint with the Plan or HHS if you believe that your privacy rights have been violated. You may file a complaint with the Plan by filing a written notice with the Complaint Official, describing when you believe the violation occurred, and what you believe the violation was. You will not be retaliated against for filing a complaint.

Contact Information

If you would like to exercise any of your rights described in this Notice or to receive further information regarding HIPAA privacy, how the Plan uses or discloses your PHI, or your rights under HIPAA, you should contact the Privacy Official and Complaint Official for the Plan, Don Graham, Executive Director, ISAS Group Benefits Trust, 12712 Park Central Drive, Suite 100, Dallas, TX 75251, (214) 706-5459.