           
|
HIPAA Notice of Privacy Practices
Following this note is a copy of the Notice of Privacy Practices
which is required by the Health Insurance Portability and Accountability
Act of 1996. Questions concerning this document and the rights of
covered employees and dependents can be directed to the university’s
HIPAA Privacy Officer at the Office of General Counsel in 356 University
Hall or at 937-775-2475.
Wright State University - Notice of Privacy Practices
This notice describes how medical information about you
may be used and disclosed and how you can get access to this information.
Please review it carefully.
The Health Insurance Portability and Accountability Act of 1996
(HIPAA) imposes numerous requirements concerning the use and disclosure
of individual health information. This information, known as protected
health information, includes virtually all individually identifiable
health information held by Wright State University whether received
in writing, in an electronic medium, or as an oral communication.
This notice describes the privacy practices of the following:
| WSU Group Health Plan |
(Administered by Anthem Blue Cross/Blue Shield) |
| WSU Dental Plan |
Delta Dental Plan of Ohio |
| WSU Vision Plan |
Vision Service Plan |
| WSU Maintenance Drug Plan |
Express Scripts Inc. & WSU Pharmacy |
All of the entities listed will share personal health information
as necessary to carry out treatment, payment, and health care operations
as permitted by law.
The entities covered by this notice may share health information
with each other to carry out Treatment, Payment, or Health Care
Operations. These entities are collectively referred to as the Entity
in this notice, unless specified otherwise.
The Entity’s duties with respect to health information
about you
The Entity is required by law to maintain the privacy of your health
information and to provide you with this notice of the Entity’s
legal duties and privacy practices with respect to your health information.
If you participate in an insured plan option, you will receive a
notice directly from the Insurer. It’s important to note that
these rules apply to the Entity, not Wright State University as
an employer — that’s the way the HIPAA rules work. Different
policies may apply to other Wright State University programs or
to data unrelated to the health Entity.
How the Entity may use or disclose your health information
The privacy rules generally allow the use and disclosure of your
health information without your permission (known as an authorization)
for purposes of health care Treatment, Payment activities, and Health
Care Operations. Here are some examples of what that might entail:
-
Treatment includes providing, coordinating,
or managing health care by one (1) or more health care providers
or doctors. Treatment can also include coordination or management
of care between a provider and a third party, and consultation
and referrals between providers. For example, the Entity may
share health information about you with physicians who are treating
you.
-
Payment includes activities by this Entity,
other health plans, or providers to obtain premiums, make coverage
determinations and provide reimbursement for health care. This
can include eligibility determinations, reviewing services for
medical necessity or appropriateness, utilization management
activities, claims management, and billing; as well as “behind
the scenes” Entity functions such as risk adjustment,
collection, or reinsurance. For example, the Entity may share
information about your coverage or the expenses you have incurred
with another health Entity in order to coordinate payment of
benefits.
-
Health care operations include activities
by this Entity (and in limited circumstances other plans or
providers) such as wellness and risk assessment programs, quality
assessment and improvement activities, customer service, and
internal grievance resolution. Health care operations also include
vendor evaluations, credentialing, training, accreditation activities,
underwriting, premium rating, arranging for medical review and
audit activities, and business planning and development. For
example, the Entity may use information about your claims to
review the effectiveness of wellness programs.
The amount of health information used or disclosed will be limited
to the “Minimum Necessary” for these purposes, as defined
under the HIPAA rules. The Entity may also contact you to provide
appointment reminders or information about treatment alternatives
or other health-related benefits and services that may be of interest
to you.
How the Entity may share your health information with Wright
State University
The Entity, or its health insurer or HMO, may disclose your health
information without your written authorization to Wright State University
for Entity administration purposes. Wright State University may
need your health information to administer benefits under the Entity.
Wright State University agrees not to use or disclose your health
information other than as permitted or required by the Entity documents
and by law.
Here’s how additional information may be shared between the
Entity and Wright State University, as allowed under the HIPAA rules:
-
The Entity, or its Insurer or HMO, may disclose “summary
health information” to Wright State University if requested,
for purposes of obtaining premium bids to provide coverage under
the Entity, or for modifying, amending, or terminating the Entity.
Summary health information is information that summarizes participants’
claims information, but from which names and other identifying
information have been removed.
-
The Entity, or its Insurer or HMO, may disclose to Wright State
University information on whether an individual is participating
in the Entity, or has enrolled or disenrolled in an insurance
option or HMO offered by the Entity.
In addition, you should know that Wright State University cannot
and will not use health information obtained from the Entity for
any employment-related actions. However, health information collected
by Wright State University from other sources, for example under
the Family and Medical Leave Act, Americans with Disabilities Act,
or workers’ compensation is not protected under HIPAA (although
this type of information may be protected under other federal or
state laws).
Other allowable uses or disclosures of your health information
In certain cases, your health information can be disclosed without
authorization to a family member, close friend, or other person
you identify who is involved in your care or payment for your care.
Information describing your location, general condition, or death
may be provided to a similar person (or to a public or private entity
authorized to assist in disaster relief efforts). You’ll generally
be given the chance to agree or object to these disclosures (although
exceptions may be made, for example if you’re not present
or if you’re incapacitated). In addition, your health information
may be disclosed without authorization to your legal representative.
The Entity is also allowed to use or disclose your health information
without your written authorization for the following activities:
| Workers’ compensation |
Disclosures to workers’ compensation or similar legal programs
that provide benefits for work-related injuries or illness without
regard to fault, as authorized by and necessary to comply with such
laws |
| Necessary to prevent serious threat to health or safety |
Disclosures made in the good-faith belief that releasing your health
information is necessary to prevent or lessen a serious and imminent
threat to public or personal health or safety, if made to someone
reasonably able to prevent or lessen the threat (including disclosures
to the target of the threat); includes disclosures to assist law
enforcement officials in identifying or apprehending an individual
because the individual has made a statement admitting participation
in a violent crime that the Entity reasonably believes may have
caused serious physical harm to a victim, or where it appears the
individual has escaped from prison or from lawful custody |
| Public health activities |
Disclosures authorized by law to persons who may be at risk of
contracting or spreading a disease or condition; disclosures to
public health authorities to prevent or control disease or report
child abuse or neglect; and disclosures to the Food and Drug Administration
to collect or report adverse events or product defects |
| Victims of abuse, neglect, or domestic violence |
Disclosures to government authorities, including social services
or protected services agencies authorized by law to receive reports
of abuse, neglect, or domestic violence, as required by law or if
you agree or the Entity believes that disclosure is necessary to
prevent serious harm to you or potential victims (you’ll be
notified of the Entity’s disclosure if informing you won’t
put you at further risk) |
| Judicial and administrative proceedings |
Disclosures in response to a court or administrative order, subpoena,
discovery request, or other lawful process (the Entity may be required
to notify you of the request, or receive satisfactory assurance
from the party seeking your health information that efforts were
made to notify you or to obtain a qualified protective order concerning
the information) |
| Law enforcement purposes |
Disclosures to law enforcement officials required by law or pursuant
to legal process, or to identify a suspect, fugitive, witness, or
missing person; disclosures about a crime victim if you agree or
if disclosure is necessary for immediate law enforcement activity;
disclosure about a death that may have resulted from criminal conduct;
and disclosure to provide evidence of criminal conduct on the Entity’s
premises |
| Decedents |
Disclosures to a coroner or medical examiner to identify the deceased
or determine cause of death; and to funeral directors to carry out
their duties |
| Organ, eye, or tissue donation |
Disclosures to organ procurement organizations or other entities
to facilitate organ, eye, or tissue donation and transplantation
after death |
| Research purposes |
Disclosures subject to approval by institutional or private privacy
review boards, and subject to certain assurances and representations
by researchers regarding necessity of using your health information
and treatment of the information during a research project |
| Health oversight activities |
Disclosures to health agencies for activities authorized by law
(audits, inspections, investigations, or licensing actions) for
oversight of the health care system, government benefits programs
for which health information is relevant to beneficiary eligibility,
and compliance with regulatory programs or civil rights laws |
| Specialized government functions |
Disclosures about individuals who are Armed Forces personnel or
foreign military personnel under appropriate military command; disclosures
to authorized federal officials for national security or intelligence
activities; and disclosures to correctional facilities or custodial
law enforcement officials about inmates |
| HHS investigations |
Disclosures of your health information to the Department of Health
and Human Services (HHS) to investigate or determine the Entity’s
compliance with the HIPAA privacy rule |
Except as described in this notice, other uses and disclosures
will be made only with your written authorization. You may revoke
your authorization as allowed under the HIPAA rules. However, you
can’t revoke your authorization if the Entity has taken action
relying on it. In other words, you can’t revoke your authorization
with respect to disclosures the Entity has already made.
Your individual rights
You have the following rights with respect to your health information
the Entity maintains. These rights are subject to certain limitations,
as discussed below. This section of the notice describes how you
may exercise each individual right. See the table at the end of
this notice for information on how to submit requests.
Right to request restrictions on certain uses and disclosures of
your health information and the Entity’s right to refuse
You have the right to ask the Entity to restrict the use and disclosure
of your health information for Treatment, Payment, or Health Care
Operations, except for uses or disclosures required by law. You
have the right to ask the Entity to restrict the use and disclosure
of your health information to family members, close friends, or
other persons you identify as being involved in your care or payment
for your care. You also have the right to ask the Entity to restrict
use and disclosure of health information to notify those persons
of your location, general condition, or death — or to coordinate
those efforts with entities assisting in disaster relief efforts.
If you want to exercise this right, your request to the Entity must
be in writing.
The Entity is not required to agree to a requested restriction.
And if the Entity does agree, a restriction may later be terminated
by your written request, by agreement between you and the Entity
(including an oral agreement), or unilaterally by the Entity for
health information created or received after you’re notified
that the Entity has removed the restrictions. The Entity may also
disclose health information about you if you need emergency treatment,
even if the Entity has agreed to a restriction.
Right to receive confidential communications of your health information
If you think that disclosure of your health information by the
usual means could endanger you in some way, the Entity will accommodate
reasonable requests to receive communications of health information
from the Entity by alternative means or at alternative locations.
If you want to exercise this right, your request to the Entity
must be in writing, and you must include a statement that disclosure
of all or part of the information could endanger you.
Right to inspect and copy your health information
With certain exceptions, you have the right to inspect or obtain
a copy of your health information in a “Designated Record
Set.” This may include medical and billing records maintained
for a health care provider; enrollment, payment, claims adjudication,
and case or medical management record systems maintained by a Entity;
or a group of records the Entity uses to make decisions about individuals.
However, you do not have a right to inspect or obtain copies of
psychotherapy notes or information compiled for civil, criminal,
or administrative proceedings. In addition, the Entity may deny
your right to access, although in certain circumstances you may
request a review of the denial.
If you want to exercise this right, your request to the Entity
must be in writing. Within 30 days of receipt of your request (60
days if the health information is not accessible onsite), the Entity
will provide you with:
- The access or copies you requested;
- A written denial that explains why your request was denied
and any rights you may have to have the denial reviewed or file
a complaint; or
- A written statement that the time period for reviewing
your request will be extended for no more than 30 more days, along
with the reasons for the delay and the date by which the Entity
expects to address your request.
The Entity may provide you with a summary or explanation of the
information instead of access to or copies of your health information,
if you agree in advance and pay any applicable fees. The Entity
may also charge reasonable fees for copies or postage.
If the Entity doesn’t maintain the health information but
knows where it is maintained, you will be informed of where to direct
your request.
Right to amend your health information that is inaccurate or incomplete
With certain exceptions, you have a right to request that the Entity
amend your health information in a Designated Record Set. The Entity
may deny your request for a number of reasons. For example, your
request may be denied if the health information is accurate and
complete, was not created by the Entity (unless the person or entity
that created the information is no longer available), is not part
of the Designated Record Set, or is not available for inspection
(e.g., psychotherapy notes or information compiled for civil, criminal,
or administrative proceedings).
If you want to exercise this right, your request to the Entity
must be in writing, and you must include a statement to support
the requested amendment. Within 60 days of receipt of your request,
the Entity will:
- Make the amendment as requested;
- Provide a written denial that explains why your request
was denied and any rights you may have to disagree or file a complaint;
or
- Provide a written statement that the time period for reviewing
your request will be extended for no more than 30 more days, along
with the reasons for the delay and the date by which the Entity
expects to address your request.
Right to receive an accounting of disclosures of your health information
You have the right to a list of certain disclosures the Entity
has made of your health information. This is often referred to as
an “accounting of disclosures.” You generally may receive
an accounting of disclosures if the disclosure is required by law,
in connection with public health activities, or in similar situations
listed in the table earlier in this notice, unless otherwise indicated
below.
You may receive information on disclosures of your health information
going back for six (6) years from the date of your request, but
not earlier than April 14, 2003 (the general date that the HIPAA
privacy rules are effective). You do not have a right to receive
an accounting of any disclosures made:
- For Treatment, Payment, or Health Care Operations;
- To you about your own health information;
- Incidental to other permitted or required disclosures;
- Where authorization was provided;
- To family members or friends involved in your care (where
disclosure is permitted without authorization);
- For national security or intelligence purposes or to correctional
institutions or law enforcement officials in certain circumstances;
or
- As part of a “limited data set” (health information
that excludes certain identifying information).
In addition, your right to an accounting of disclosures to a health
oversight agency or law enforcement official may be suspended at
the request of the agency or official.
If you want to exercise this right, your request to the Entity
must be in writing. Within 60 days of the request, the Entity will
provide you with the list of disclosures or a written statement
that the time period for providing this list will be extended for
no more than 30 more days, along with the reasons for the delay
and the date by which the Entity expects to address your request.
You may make one (1) request in any 12-month period at no cost to
you, but the Entity may charge a fee for subsequent requests. You’ll
be notified of the fee in advance and have the opportunity to change
or revoke your request.
Right to obtain a paper copy of this notice from the Entity
upon request
You have the right to obtain a paper copy of this Privacy Notice
upon request. Even individuals who agreed to receive this notice
electronically may request a paper copy at any time.
Changes to the information in this notice
The Entity must abide by the terms of the Privacy Notice currently
in effect. This notice takes effect on April 14, 2003. However,
the Entity reserves the right to change the terms of its privacy
policies as described in this notice at any time, and to make new
provisions effective for all health information that the Entity
maintains. This includes health information that was previously
created or received, not just health information created or received
after the policy is changed. If changes are made to the Entity’s
privacy policies described in this notice, you will be provided
with a revised Privacy Notice to your e-mail address.
Complaints
If you believe your privacy rights have been violated, you may
complain to the Entity and to the Secretary of U.S. Department of
Health and Human Services in Washington D.C. in writing within 180
days of a violation of your rights. You won’t be retaliated
against for filing a complaint. You may also file a complaint with
the University’s HIPAA Privacy Officer at:
Office of General Counsel, 356 University Hall, Wright State University,
Dayton, Ohio 45435.
Contact
For more information on the Entity’s privacy policies or
your rights under HIPAA, contact the Office of General Counsel at
(937) 775-2475.
HR Home
> Benefits
> General
Information > HIPAA Notice of Privacy Practices
|
