|
HEALTH PLAN NOTICE OF
PRIVACY PRACTICES
THIS NOTICE DESCRIBES
HOW PROTECTED HEALTH INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW
YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
This Privacy Notice
(this “Privacy Notice”) is provided pursuant to section 164.520 of Title 45
of the Code of Federal Regulations to provide written notification of the
privacy policies and practices (the “Privacy Practices”) governing the use,
access and disclosure of Protected Health Information (as defined below) by
or on behalf of a Health Plan (as defined below), sponsored or maintained by
Dallas Nephrology Associates, P.A. (“DNA”). If an individual has any
questions about this Privacy Notice, want additional information about the
notice or the policies or procedures it describes or wish to make a comment
or complaint about these policies, please contact the Privacy Officer for
the Health Plan using the procedures provided at the end of this Privacy
Notice.
A.
Who Will Follow These
Practices?
The policies and
practices described in this Privacy Notice apply to the use, access,
security and disclosure of Protected Health Information by or on behalf of
the Health Plan beginning April 14, 2004 (the “Effective Date”).
For purposes of this
Privacy Notice only, the term “Health Plan” means a welfare plan, benefit
program, fund or arrangement sponsored or maintained by DNA that meets the
following conditions:
·
It offers or provides medical
care or the payment or reimbursement of all or a part of the costs of
medical care (“Medical Benefits”) for qualifying DNA employees and or
dependents (collectively referred to as “Members”);
·
It is a “health plan” within
the meaning of 45 C.F.R. § 160.102, which is a “covered entity” within the
meaning of sections 262 and 264 of the Health Insurance Portability and
Accountability Act of 1996 (“HIPAA”) and the associated implementing
privacy regulations set forth in Parts 106 and 164 of Title 45 of the Code
of Federal Regulations (the “Privacy Rule”); and
·
It is not otherwise identified
in this Privacy Notice as excluded from coverage by the policies described
in this Privacy Notice.
If any welfare plan, benefit program, fund or
arrangement of DNA includes or provides coverage or benefits in addition to
Medical Benefits, the term “Health Plan” only refers to those portions of
the arrangement that provide Medical Benefits.
The Health Plan generally relies upon one or
more appointed Health Plan fiduciaries to carry out the activities necessary
to administer the Health Plan. The Health Plan and its fiduciaries may rely
upon or be assisted with performance of the activities and operations
involved in operating and administering the Health Plan by various third
parties including DNA and certain of its employees, agents or
representatives. The Health Plan has in place policies and procedures that
require the Health Plan’s fiduciaries, employees, business associates,
agents, contractors and other third parties that participate or assist in
the operation or administration of the Health Plan to comply with the
Privacy Rule when engaging in activities by or on behalf of the Health Plan.
B.
What Protected Health
Information Is Covered By This Privacy Notice?
The policies described
in this Privacy Notice only apply to “Protected Health Information” or “PHI”
for short. “Protected Health Information” means information that meets each
of the following conditions:
§
Is created or received by the
Health Plan;
§
Relates to the past, present or
future physical or mental health or condition of an individual; the
provision of health care to an individual; or the past, present or future
payment for the provision of health care to an individual;
§
Either identifies the
individual or there exists a reasonable basis to believe the information can
be used to identify the individual;
§
Is not individually
identifiable information in education records covered by the Family
Education Rights and Privacy Act;
§
Is not individually
identifiable information contained in records described at 20 U.S.C.
1232g(a)(4)(B)(iv);
§
Is not individually
identifiable information held by a HIPAA-covered entity in its role as an
employer;
§
Is not “identified” within the
meaning of the Privacy Rule; and
§
Is not otherwise excluded from
the definition of Protected Health Information for purposes of the Privacy
Rule.
C.
What Generally Are the Health
Plan’s Responsibilities Under the Privacy Rule?
Beginning April 14, 2004, HIPAA generally
requires the Health Plan:
§
To safeguard and protect the
privacy of Protected Health Information as specified in the Privacy Rule;
§
To use or disclose Protected
Health Information only as allowed by the Privacy Rule;
§
To adopt and apply certain
policies regarding the use, protection and disclosure of Protected Health
Information;
§
To give Members this Privacy
Notice describing the Health Plan’s Privacy Practices with respect to
Protected Health Information; and
§
To follow the Privacy Practices
as described in this Privacy Notice until modified as described in this
Privacy Notice.
D.
How May The Health Plan
Generally Use and Disclose Protected Health Information?
The Privacy Practices
prohibit the use or disclosure of Protected Health Information by or on
behalf of the Health Plan, except as permitted or required by the HIPAA
Privacy Regulations. For purposes of this Privacy Notice:
§
Use means, with respect to
Protected Health Information, the sharing, employment, application,
utilization, examination or analysis of such information within an entity
that maintains such information.
§
Disclosure means the release,
transfer, provision of access to or divulging in any other manner Protected
Health Information outside the entity holding the information.
Consistent with the
Privacy Rule, the Health Plan’s Privacy Practices permit any use or access
of Protected Health Information by or on behalf of the Health Plan that
qualifies as a permitted or required disclosure under the Privacy Rule, as
well as any use or disclosure made
incidental to a required or permitted disclosure.
When using or disclosing Protected Health
Information or when requesting Protected Health Information from another
covered entity, the Privacy Practices generally require that reasonable
efforts be made to limit use or disclosure of Protected Health Information
to the minimum necessary to accomplish the intended purpose of the use,
disclosure or request. Except as otherwise required to comply with the
Privacy Rule, however, this minimum necessary requirement does not apply to:
§
Disclosures to or requests by a
health care provider for treatment;
§
Uses or disclosures made to the
individual, as permitted or required under paragraph E.17 of this Privacy
Notice;
§
Uses or disclosures made
pursuant to an authorization that complies with the Privacy Rule;
§
Disclosures made to the
Secretary of Health and Human Services;
§
Uses or disclosures that are
required by law; or
§
Uses or disclosures that is
required for compliance with applicable requirements of the Privacy Rule.
The paragraphs that
follow describe various categories of circumstances when the Health Plan may
be required or permitted to use or disclose Protected Health Information. In
connection with its description of the categories of permitted or required
uses and disclosures, this Privacy Notice in certain instances also may
provide one or more examples of permitted uses or disclosures to help
illustrate a situation where that category might apply. Where provided,
these examples are for illustrative purposes only and are not exhaustive.
Not every use or disclosure permitted by a category will be listed. However,
the Privacy Practices require that each use or disclosure of Protected
Health Information by or on behalf of the Health Plan fall within a category
of permitted or required disclosures described below.
Except under those
circumstances identified in this Privacy Notice as requiring advance
authorization, the Health Plan has the right to use or disclose Protected
Health Information without notification to or the authorization or consent
of the individual who is the subject of the information.
E.
Uses and Disclosures Permitted
by Privacy Rule Without Authorization
In accordance with the
Privacy Rule, the Privacy Practices permit the use or disclosure of
Protected Health Information by or on behalf of the Health Plan without
authorization from the subject of the Protected Health Information or any
other person under the following categories of circumstances:
1.
Disclosures to Business Associates.
As part of the Health Plan administration
function, the Health Plan discloses Protected Health Information to outside
entities or persons (business associates) involved in the operation or
administration of the Health Plan. In connection with their performance of
Health Plan related responsibilities on behalf of the Health Plan, business
associates also may create or receive Protected Health Information from
Members, health care providers and other covered entities and other third
parties. Each business associate is required to sign an agreement
obligating the business associate to protect and safeguard the
confidentiality of the Protected Health Information and limiting their use
of the information to specified purposes.
2.
De-identified Protected Health Information.
Consistent with the Privacy Rule, the Privacy
Practices exclude from the definition of Protected Health Information that
health information that qualifies as “de-identified” for purposes of the
Privacy Rule. Therefore, the Health Plan may use or disclose health
information that qualifies as de-identified by the Health Plan or any other
party for any purpose.
The Health Plan also may use Protected Health
Information to create information that is not individually identifiable
health information or disclose Protected Health Information to a business
associate for such purpose. If de-identified information is re-identified,
however, the Privacy Practices require that the re-identified health
information be treated as Protected Health Information and used or disclosed
only as allowed by the Privacy Rule.
3.
For Treatment, Payment or
Health Care Operations.
The Health Plan has the right to use or
disclose Protected Health Information for treatment, payment or health care
operations purposes within the meaning of the Privacy Rule.
(i)
For Treatment.
The Health Plan may use or disclose Protected
Health Information to carry out its own treatment related activities. The
Health Plan also may disclose Protected Health Information to a health care
provider for purposes of the treatment of a Member or other patient, whether
or not the health care provider is a covered entity under HIPAA.
For this purpose, “treatment” means the
provision, coordination or management of health care and related services by
one or more health care providers, including the coordination or management
of health care by a health care provider with a third party; consultation
between health care providers relating to a patient; or the referral of a
patient for health care from one health care provider to another.
For example:
§
The Health Plan might disclose
Protected Health Information to a health care provider or other party for
purposes of evaluating or coordinating alternative treatment opportunities
for purposes of administering utilization management provisions of the
Health Plan with respect to a Member.
§
The Health Plan may disclose
Protected Health Information about prior prescriptions to a pharmacist to
facilitate his assessment if a pending prescription that he has been asked
to fill is contraindicative with prior prescriptions.
§
The Health Plan may disclose
Protected Health Information about a Member’s blood-type to assist a health
care provider to assess the potential suitability of an individual to serve
as a blood or transplant donor for another patient.
§
The Health Plan also may
disclose Protected Health Information to a parent, spouse or other person
participating in the delivery of health care.
(ii) For Payment.
The Health Plan may use and disclose
Protected Health Information for purposes of its payment activities and may
disclose Protected Health Information to a health care provider or other
covered entity or its business associates for purposes of the recipient’s
payment activities.
Examples of payment activities of the Health
Plan for which the Health Plan may use or disclose Protected Health
Information for payment purposes include, but are not limited to, activities
associated with the Health Plan’s investigation, determination or payment of
Medical Benefits under the Health Plan including uses and disclosures made
to determine eligibility for Health Plan benefits, to facilitate payment for
the treatment and services the individual receives from health care
providers, to determine the respective benefit responsibility of the Health
Plan or another health plan, to coordinate the Health Plan coverage, to
obtain or confirm information that the Health Plan determines relevant to
determine or pay the Medical Benefits under the Health Plan, to investigate,
pursue and recover potential sources of payment or reimbursement of Medical
Benefits or other costs paid or payable under the Health Plan by other
health plans, insurers, reinsurers or other third parties.
For example:
§
The Health Plan might use or
disclose a Member’s Protected Health Information to health care providers,
insurers, re-insurers, the Health Plan’s pharmacy benefit management
company, other health plans or the parties as part of its investigation of a
claim for benefits made to the Health Plan.
§
The Health Plan may disclose
Protected Health Information to a health care provider seeking to
investigate or receive payments under the Health Plan.
§
The Health Plan may tell a
broker specific claims that have been denied or paid at an incorrect level
in order to investigate and determine the proper payment amounts.
§
The Health Plan may share
Protected Health Information with a utilization review or pre-certification
service provider.
§
The Health Plan may share claim
detail information with DNA for purposes of requesting or obtaining payments
of contributions from DNA to pay benefits under the Health Plan.
§
The Health Plan may share
Protected Health Information with another insurer, health plan, worker’s
compensation carrier or fund, liability insurance carrier or other third
party to investigate and coordinate benefits and coverages or identify and
apply subrogation or assignment rights and obligations.
§
The Health Plan also may
disclose Protected Health Information to someone who is or may be
responsible for payment for the health care of a Member or other patient.
For instance, the Health Plan may disclose Protected Health Information
about a Member with a spouse, family member, workers' compensation or other
insurer, social services agency or other party who is or may be responsible
for payment for purposes of investigating or pursuing sources of payment.
The Health Plan also will share PHI about a Member, who is enrolled in
Dependent Coverage with the employee who has enrolled that Member in the
Health Plan, the designated representative of a child enrolled in dependent
coverage under the Health Plan pursuant to a "qualified medical child
support order."
(iii)
For Health Care Operations.
The Health Plan may use or
disclose Protected Health Information for its own health care operations
within the meaning of the Privacy Rule.
The Health Plan also may
disclose Protected Health Information to another covered entity for health
care operations activities of the entity that receives the information, if
the following conditions are met:
§
Each entity either has or had a
relationship with the individual who is the subject of the Protected Health
Information being requested,
§
The Protected Health
Information pertains to such relationship, and
§
The disclosure is for purposes
of conducting quality assessment and improvement activities, including
outcomes evaluation and development of clinical guidelines as allowed by the
Privacy Rule; for purposes of population-based activities relating to
improving health or reducing health care costs, protocol development, case
management and care coordination, contacting of health care providers and
patients with information about treatment alternatives and related functions
that do not include treatment; or for the purpose of health care fraud and
abuse detection or compliance.
To the extent that the Health Plan
participates in an organized health care arrangement within the meaning of
the Privacy Rule, the Health Plan also may disclose Protected Health
Information about an individual to another covered entity that participates
in the organized health care arrangement for any health care operations
activities of the organized health care arrangement.
For these purposes, the term “health care
operations” has the meaning provided in the Privacy Rule. It generally
includes any of the following activities:
§
Conducting quality assessment
and improvement activities, including outcomes evaluation and development of
clinical guidelines, provided that the obtaining of generalizable knowledge
is not the primary purpose of any studies resulting from such activities;
§
Population-based activities
relating to improving health or reducing health care costs, protocol
development, case management and care coordination, contacting of health
care providers and patients with information about treatment alternatives
and related functions that do not include treatment;
§
Reviewing the competence or
qualifications of health care professionals, evaluating practitioner and
provider performance, health plan performance, conducting training programs
in which students, trainees or health care practitioners learn under
supervision to practice or improve their skills as health care providers,
training of non-health care professionals, accreditation, certification,
licensing or credentialing activities;
§
Underwriting, premium rating
and other activities relating to the creation, renewal or replacement of a
contract of health insurance or health benefits and ceding, securing or
placing a contract for reinsurance of risk relating to claims for health
care (including stop-loss insurance and excess of loss insurance);
§
Conducting or arranging for
medical review, legal services, and internal and external auditing
functions, including fraud and abuse detection and compliance programs;
§
Business planning and
development, such as conducting cost-management and planning-related
analyses related to managing and operating the entity, including formulary
development and administration, development or improvement of methods of
payment or coverage policies;
§
Management activities relating
to implementation of and compliance with the Privacy Rule;
§
Customer service, including
investigation of potential problems and concerns relating to claims, the
facilitation of communications between claimants and others involved in plan
administration, the provision of data analyses for members, policy holders,
plan sponsors or other Members and their beneficiaries, as allowed by the
HIPAA Regulations;
§
Administration of claims and
appeals and other activities associated with the resolution of internal
grievances;
§
The sale, transfer, merger or
consolidation of all or part of the Health Plan with another Health Plan or
other covered entity or an entity that following such activity will become a
covered entity and due diligence related to such activity;
§
Creating de-identified health
information or a limited data set and fundraising for the benefit of the
Health Plan consistent with the Privacy Rule; and
§
Other business management and
general administrative activities of the Health Plan or other covered
entity.
For example:
§
The Health Plan will disclose
Protected Health Information about a Member, who is enrolled in dependent
coverage under the Health Plan, to the employee whose employment
relationship with DNA qualifies the Member for enrollment in dependent
coverage in connection with the administration of the Health Plan.
§
The Health Plan also may use
Protected Health Information in connection with: conducting quality
assessment and improvement activities; underwriting, premium rating and
other activities relating to Health Plan coverage; submitting claims for
stop-loss (or excess loss) coverage; conducting or arranging for medical
review, legal services, audit services and fraud and abuse detection
programs; business planning and development such as cost management; and
business management and general Health Plan administrative activities.
4.
As Required By Law.
The Health Plan will disclose Protected
Health Information when required to do so by federal, state or local law
consistent with the applicable Privacy Rule if the use is limited to the
relevant requirements of the law for any of the following purposes:
(i)
Abuse or Neglect.
The Health Plan may disclose an individual’s
Protected Health Information to a government authority that is authorized by
law to receive reports of abuse, neglect or domestic violence.
Additionally, as required by law, if the Health Plan believes the individual
has been a victim of abuse, neglect or domestic violence, it may disclose an
individual’s Protected Health Information to a governmental entity
authorized to receive such information.
(ii)
Lawsuits and Other Legal Proceedings.
The Health Plan may disclose an individual’s
Protected Health Information in the course of any judicial or administrative
proceeding or in response to an order of a court or administrative tribunal
to the extent such disclosure is expressly authorized. If certain
conditions are met, the Health Plan may also disclose an individual’s
Protected Health Information in response to a subpoena, a discovery request
or other lawful process.
(iii)
Law Enforcement.
Under certain conditions, the Health Plan may
also disclose an individual’s Protected Health Information to law
enforcement officials for law enforcement purposes. These law enforcement
purposes include, by way of example:
§
Responding to a court order,
subpoena, warrant, summons or similar process.
§
Identifying or locating a
suspect, fugitive, material witness or missing person.
§
Pertaining to the victim of a
crime if, under certain limited circumstances, the Health Plan is unable to
obtain the person’s agreement.
§
Pertaining to a death the
Health Plan believes may be the result of criminal conduct.
§
Pertaining to criminal conduct
at the worksite.
§
In emergency circumstances
reporting a crime; the location of the crime or victims; or the identity,
description or location of the person who committed a crime.
(iv)
Other Legally Required Purposes
Consistent With The Privacy Rule.
The Health Plan also may disclose Protected
Health Information when required by law as otherwise allowed or required by
the Privacy Rule.
5.
Public Health Activities.
The Health Plan may disclose Protected Health
Information for public health activities as permitted or required by the
Privacy Rule. Public health activities generally include the following:
§
To prevent or control disease,
injury or disability;
§
To report births and deaths;
§
To report child abuse or
neglect;
§
To report reactions to
medications or problems with products;
§
To notify people of recalls of
products they may be using;
§
To notify a person who may have
been exposed to a disease or may be at risk for contracting or spreading a
disease or condition; and
§
To notify the appropriate
government authority if the Health Plan reasonably believes the Member has
been the victim of abuse, neglect or domestic violence. The Health Plan will
only make this disclosure if the individual agrees or when required or
authorized by law.
For example, the Health Plan may use or
disclose Protected Health Information to a public health authority for the
purpose of reporting, preventing or controlling disease, injury, disability
or to report births, deaths or other vital events. It also may disclose
such information to a public health authority authorized to conduct health
surveillance, public health investigations or interventions or receive
reports of child abuse or neglect. It may disclose Protected Health
Information, if directed by a public health authority, to a foreign
government agency that is collaborating with the public health authority.
It may disclose Protected Health Information to a person subject to the
jurisdiction of the Food and Drug Administration (FDA) with respect to an
FDA-regulated product or activity for which that person has responsibility
for the purpose of activities related to the quality, safety or
effectiveness of such FDA-regulated product or activity. It may also
disclose Protected Health Information about a person who may have been
exposed to a communicable disease or may otherwise be at risk of contracting
or spreading a disease or condition, to an appropriate public health
authority or other party as allowed by the Privacy Rule.
6.
Health Oversight Activities.
The Health Plan may disclose Protected Health
Information to a health oversight agency for activities authorized by law.
These oversight activities include, for example, audits, investigations,
inspections and licensure. These activities are necessary for the
government to monitor the health care system, government programs and
compliance with civil rights laws.
7.
To Avert a Serious Threat to Health or Safety.
The Health Plan may use and disclose
Protected Health Information when the Health Plan, in good faith, believes
the use or disclosure is necessary to prevent a serious threat to the health
and safety of a Member, the public or another person. Any disclosure,
however, would only be to someone able to help prevent the threat. For
example, the Health Plan may disclose Protected Health Information in a
proceeding regarding the licensure of a physician.
8.
Coroners, Medical Examiners and Funeral Directors.
The Health Plan may release Protected Health
Information to a coroner or medical examiner. This may be necessary, for
example, to identify a deceased person or determine the cause of death or to
perform other duties authorized by law. The Health Plan also may disclose
Protected Health Information to a funeral director consistent with
applicable law to enable him to carry out his duty with respect to a
decedent.
9.
Organ and Tissue Donation.
The Health Plan may release Protected Health
Information to organizations that handle organ procurement or organ, eye or
tissue transplantation or to an organ donation bank, for the purpose of
facilitating organ or tissue donation and transplantation.
10.
Research.
The Health Plan may disclose Protected Health
Information consistent with the Privacy Rule to researchers when their
research has been approved by an institutional review board that has
reviewed the research proposal and established protocols to ensure the
privacy of the Protected Health Information, the research involves a limited
data set which includes no unique identifiers that would reasonably identify
the subject of the information or as otherwise allowed by the Privacy Rule.
11.
Military and Veterans.
The Health Plan may release Protected Health
Information about an individual who is a member of the Armed Forces as
required by military command authorities.
12.
National Security and Intelligence Activities.
The Health Plan may release Protected Health
Information about an individual to authorized federal officials for
intelligence, counterintelligence and other national security activities
authorized by law.
13.
Inmates.
The Health Plan may disclose Protected Health
Information about an inmate or other person in custody (“Inmate”) to a
correctional institution or a law enforcement official having lawful custody
of the Inmate or other person if the correctional institution or law
enforcement official represents that the Protected Health Information is
necessary (1) for the institution to provide the Inmate with health care;
(2) to protect the health and safety of the Inmate or the health and safety
of others; (3) law enforcement on the correctional institution premises; (4)
for the administration and maintenance of the safety, security and good
order of the correctional institution.
14.
Workers’ Compensation.
The Health Plan may release Protected Health
Information about an individual as authorized by and to the extent necessary
to comply with laws relating to workers’ compensation or similar programs
established by law that provide benefits for work-related injuries or
illnesses without regard to fault.
15.
Lawsuits and Disputes.
If an individual is involved in a lawsuit or
a dispute, the Health Plan may disclose Protected Health Information about
the individual in response to a court or administrative order. The Health
Plan may also disclose Protected Health Information about the individual in
response to a subpoena, discovery request or other lawful process by someone
involved in the dispute, but only if efforts have been made to tell the
individual about the request or to obtain an order protecting the
information requested.
16.
Others Involved in The Patient’s Health Care.
The Health Plan may disclose an individual’s
Protected Health Information to a friend or family member who is involved in
the individual’s health care unless the individual objects or requests a
restriction (in accordance with the process described below under “Right to
Request Restrictions”). The Health Plan also may disclose an individual’s
information to an entity assisting in a disaster relief effort so that the
individual’s family can be notified about the individual’s condition, status
and location. If the individual is not present or able to agree to these
disclosures of his Protected Health Information then, using professional
judgment, the Health Plan may determine whether the disclosure is in the
individual’s best interest.
17.
To The Individual.
The Health Plan is required to disclose most
Protected Health Information possessed by the Health Plan about an
individual in response to its receipt of a request for access to or an
accounting of disclosures of, his Protected Health Information from the
individual to which he has a right under the Privacy Rule.
18.
To the Personal Representative of the Individual.
The Health Plan will disclose Protected
Health Information to an individual designated by the individual as his
personal representative who has qualified for such designation in accordance
with relevant law. Prior to such a disclosure, however, the Health Plan
must be given written documentation that supports and establishes the basis
for the personal representation. The Health Plan may elect not to treat the
person as an individual’s personal representative if it has a reasonable
belief that the individual has been or may be, subjected to domestic
violence, abuse or neglect by such person; treating such person as the
individual’s personal representative could endanger the individual; or the
Health Plan determines, in the exercise of its professional judgment, that
it is not in the individual’s best interest to treat the person as his
personal representative.
19.
To the Secretary of Health and Human Services.
The Health Plan will disclose Protected
Health Information when required by the Secretary of Health and Human
Services to investigate or determine compliance with the Privacy Rule.
20.
Contacting the Individual.
The Health Plan (or its health insurance
issuers, HMOs or business associates) may use or disclose Protected Health
Information about an individual to contact the individual about treatment
alternatives or other health benefits or services that might be of interest
to the individual.
21.
With Authorization.
The Health Plan may use or disclose Protected
Health Information consistent with a valid authorization under the Privacy
Rule from the individual that is the subject of the Protected Health
Information. The minimum necessary requirement does not apply to uses or
disclosures made in accordance with a valid authorization.
22.
Disclosure To The Health Plan Sponsor.
Protected Health Information maintained by or
on behalf of the Health Plan may be disclosed to another health plan,
including another arrangement maintained by DNA, any affiliated company or
any other entity. In addition, Protected Health Information may be
disclosed to DNA, any affiliated company or its employees and agents without
the authorization of the individual for purposes of administering benefits
under the Health Plan, certain underwriting and plan design purposes, or as
otherwise allowed by the Privacy Rule. Where required by the Privacy Rule,
the Health Plan requires that DNA provide certain certifications or
establish certain other procedures to help safeguard the Protected Health
Information obtained from the Health Plan.
23.
Incidental Use or Disclosure.
The Health Plan may use or disclose Protected
Health Information incidental to a use or disclosure otherwise permitted or
required under the Privacy Rule. The Health Plan has adopted practices to
limit incidental uses of Protected Health Information in accordance with the
Privacy Rule.
24.
Other Uses and Disclosures of Protected Health Information.
Except as otherwise permitted by the Privacy
Rule under the circumstances described in this Privacy Notice, the Health
Plan prohibits the use or disclosure of Protected Health Information by or
on behalf of the Health Plan without a valid authorization. If an
individual provides the Health Plan with an authorization, the individual
may revoke the authorization in writing and this revocation will be
effective for future uses and disclosures of Protected Health Information.
However, the revocation will not be effective for Protected Health
Information if the Health Plan has used or disclosed Protected Health
Information in reliance on the authorization or the authorization was
obtained as a condition of obtaining insurance coverage or other law
provides the Health Plan with the right to contest a claim under the policy
or the policy itself. Also, the Health Plan is unable to take back any
disclosures the Health Plan made in reliance on an authorization before it
is revoked. The Health Plan is required to retain records of the disclosures
the Health Plan provided on a Member’s behalf unless the disclosure is
excluded from the recordkeeping requirements by the Privacy Rule.
F.
Individual’s Rights Regarding
Protected Health Information.
An individual generally has the following
rights regarding the Protected Health Information about the individual
maintained by the Health Plan:
1.
Right to Inspect and Copy.
An individual has the right to inspect and
copy Protected Health Information about the individual that may be used to
make decisions about the individual’s Health Plan benefits. To inspect and
obtain a copy of the individual’s Protected Health Information that may be
used to make decisions about the individual, the individual must submit a
written request to the Privacy Officer for the Plan at the address at the
end of this notice. If an individual requests a copy of the Protected
Health Information, the Health Plan may charge a fee for the costs of
copying, mailing or supplies associated with the individual’s request. The
Health Plan may deny a request to inspect and copy in certain very limited
circumstances. If the Health Plan denies such a request, the individual can
request that the denial be reviewed.
2.
Right to Amend.
If an individual feels that Protected Health
Information the Health Plan has about the individual is incorrect or
incomplete, the individual may make a written request that the Health Plan
amend the information. An individual has the right to request an amendment
for as long as the information is kept by or for the Health Plan.
To request an amendment, an individual’s
request must be made in writing and submitted to the Privacy Officer for the
Plan at the address at the end of this Notice. In addition, the individual
must provide a reason that supports the individual’s request.
The Health Plan may deny the individual’s
request for an amendment if it is not in writing or does not include a
reason to support the request. In addition, the Health Plan may deny any
request if the individual asks the Health Plan to amend information that:
§
Is not part of the Protected
Health Information kept by or for the Health Plan;
§
Was not created by the Health
Plan, unless the person or entity that created the information is no longer
available to make the amendment;
§
Is not part of the information
the individual would be permitted to inspect and copy; or
§
Is accurate and complete.
3.
Right to an Accounting of Disclosures.
An individual has the right to request an
“accounting of disclosures” where such disclosure was made for any purpose
other than treatment, payment or health care operations.
To request this list or accounting of
disclosures, the individual must submit a request in writing to the Privacy
Officer of the Plan at the address at the end of this Notice. The
individual’s request must state a time period which may not be longer than
six years and may not include dates before April 14, 2004.
The individual’s request should indicate in
what form the individual wants the list (e.g., paper or electronic). The
first list an individual requests within a 12 month period will be free. For
additional lists, the Health Plan may charge the individual for the costs of
providing the list. The Health Plan will notify the individual of the cost
involved and the individual may choose to withdraw or modify the request
before any costs are incurred.
4.
Right to Request
Restrictions.
An individual has the right to request a
restriction on the Protected Health Information the Health Plan uses or
discloses about an individual for treatment, payment or health care
operations. The individual also has a right to request a limit on
disclosures of the individual’s Protected Health Information to family
members or friends who are involved in the individual’s care or the payment
for the individual’s care. The Health Plan is not required to agree to any
restriction an individual requests. If the Health Plan agrees to a
restriction, it can stop complying with the restriction upon notice to the
individual.
To request restrictions, an individual must
make a written request to the Privacy Officer for the Plan at the address at
the end of this Notice. In the individual’s request, the individual must
tell the Health Plan (1) the Protected Health Information the individual
wants to limit; (2) whether the individual wants to limit the Health Plan
use, disclosure or both; (3) the reasons the individual wants these
restrictions and (4) to whom the individual wants the limits to apply, for
example, disclosures to an individual’s spouse.
5.
Right to Request Confidential Communications.
An individual has the right to request that
the Health Plan communicate with the individual about medical matters in a
certain way or at a certain location. For example, the individual can ask
that the Health Plan only contact the individual at work or by mail.
To request confidential communications, the
individual must make his request in writing to the Privacy Officer for the
Plan at the address set forth at the end of this Notice. The Health Plan
Privacy Officer will not ask the reason for the individual’s request. The
Health Plan may or may not agree to the individual’s request at its
discretion. The individual’s request must specify how or where the
individual wishes to be contacted.
G.
Changes to This Privacy Notice
The Health Plan
reserves the right to change its Privacy Practices and amend this Privacy
Notice. The Health Plan reserves the right to make the revised or changed
notice effective for Protected Health Information the Health Plan already
has about an individual as well as any information the Health Plan may
receive in the future. If the Health Plan makes a material change to the
Privacy Practices described in this Privacy Notice, it will provide a
revised Privacy Notice to enrolled Members at the last known address that
the Health Plan has on record for that Member. The Health Plan will post a
copy of the current Privacy Notice on DNA’s intranet website, if any, and
DNA’s Human Resource’s employee bulletin boards or other prominent location.
The Privacy Notice will state the effective date on the first page, in the
top right-hand corner, the effective date.
H.
Right to a Paper Copy of This
Privacy Notice
The individual has the right to a paper copy
of this notice. The individual may ask the Health Plan to give the
individual a copy of this notice at any time. The individual may obtain a
copy of this notice on DNA’s website,
www.dneph.com. A copy of this notice also is available for Members
employed by DNA on the common drive of DNA at W:Human Resources/HIPAA/Health
Plan Notice of Privacy Practices. To obtain a paper copy of this notice,
contact the Health Plan Privacy Officer.
I.
Complaints
If an individual believes his privacy rights
under this Privacy Notice have been violated, the individual may file a
complaint with the Health Plan or with the Secretary of the Department of
Health and Human Services. To file a complaint with the Health Plan, contact
the Privacy Officer. All complaints must be submitted in writing within 180
days of the event of concern. The individual will not be retaliated
against for filing a complaint.
J.
Health Plan Privacy Officer
Identity and Contact Information
As of the Effective Date, the name, address
and telephone number of the Health Plan Privacy Officer for a Health Plan
subject to this Notice is:
John C. Schwartz, M.D.
Health Plan Privacy Officer
1420 Viceroy, Dallas, Texas 75235
(214) 358-2300
|
