HIPAA Privacy Procedures
April 2010
Definitions
1. Protected Health Information (PHI)
“Individually identifiable health information” that is transmitted or maintained by electronic media or is transmitted or maintained in any other form or medium. PHI is health information (including demographic information collected from an individual) that:
-- Relates to the past, present or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present or future payment for the provision of health care to an individual.
-- Identifies the individual, or provides a reasonable basis to believe that the information could be used to identify the individual.
2. Disclose/Disclosure
Release, transfer or provision of access to, or divulging in any other manner of information outside the entity holding the information.
3. Use/Usage
The sharing, application, utilization, examination, or analysis of such information within an entity or individual that maintains such information.
4. Privacy Officer
An individual responsible for the development and implementation of UCAR’s policies and procedures for handling PHI and otherwise complying with the HIPAA privacy regulations.
5. Contact Person
An individual responsible for acting as the contact for employees and third parties with regard to any information, policies or training pertaining to PHI or the related policies and procedures.
HIPAA Privacy Procedures
1. Uses and Disclosures of Protected Health Information (PHI)
UCAR may only use or disclose PHI when at least one of the following conditions is true:
a. The individual who is the subject of the information has authorized the use or disclosure.
b. The individual who is the subject of the information agrees or does not object to the disclosure and the disclosure is to persons involved in the health care of the individual.
c. The disclosure is to the individual who is the subject of the information.
d. The use or disclosure is for one of the HIPAA “public purposes” (i.e., required by law, etc.).
e. The disclosure is in furtherance of UCAR’s health care operations as set forth in HIPAA.
To the extent possible, UCAR will attempt to mitigate the effects of any unauthorized use or disclosure of PHI.
2. Notice of HIPAA Privacy Practices
UCAR has published a Notice of HIPAA Privacy Practices. Individuals have received this notice, and any revisions to it will be made available at the earliest practicable time.
3. Access to Protected Health Information by the Individual
Access to PHI will be granted to the individual who is the subject of such information within the timeframes set forth below. The individual requesting access will be informed of the location of PHI if it is not physically located on the premises.
| Location of PHI | Time Limit |
|---|---|
| PHI that is maintained in the UCAR Benefits office | Provide approval and access or notice of denial within 30 days of the request |
| PHI that is maintained outside the UCAR Benefits office | Provide approval and access or notice of denial within 60 days |
4. Verification of Identity
The identity of any individual who requests access to PHI will be verified before such access is granted.
5. Right to Request Restrictions
An individual may request restrictions on certain uses and disclosures of his/her PHI. The individual has the right to request a limit on UCAR's disclosure of his/her PHI to someone involved in the payment of his/her care. However, UCAR is not required to agree to such a request.
6. Right to Receive Confidential Communications Channels
Upon specific request made by an individual, UCAR will use confidential communications channels, to the extent possible, with that individual.
7. Amendment of Incomplete or Incorrect Protected Health Information
All requests for amendment of incorrect PHI maintained by UCAR will be considered in a timely fashion. If such requests demonstrate that the information is actually incorrect, UCAR will allow amending language to be added to the appropriate document. UCAR may deny a request to amend if the health information records are not created or maintained by UCAR, if the request does not include a supporting reason, if there is an exception, or if UCAR determines that the existing information is accurate and complete. If there is an amendment or correction, UCAR will notify any organization with whom the incorrect information was shared.
8. Disclosure Accounting
An individual may make a written request for an accounting of all disclosures of PHI made by UCAR to others. The request must set forth a specific time period for the disclosures not going back for more than 6 (six) years.
9. Access by Personal Representatives
Access to PHI must be granted to personal representatives of individuals, including deceased individuals, as though they were the individuals themselves, except in cases of abuse, where granting said access might endanger the individual or someone else. HIPAA privacy protections extend to information concerning deceased individuals. UCAR will conform to the relevant custody status and the federal, state, and local applicable law when disclosing information about minors to their parents.
10. UCAR Employee Access to Protected Health Information and Prohibited Conduct
Only certain employees within UCAR, primarily within UCAR’s Human Resources Department, will have access to PHI, in order for UCAR to facilitate the payment of health care benefits or work with health care providers. No employee with authorized access to PHI may engage in any intimidating or retaliatory acts against persons who file complaints or otherwise exercise their rights under the HIPAA regulations. Enrollment or eligibility for benefits for any individual may not be conditioned on an individual providing an authorization to disclose PHI. Any employee authorized to handle PHI who intentionally or unintentionally violates any of the applicable policies or any procedures may be subject to disciplinary procedures up to and including termination.
11. Judicial and Administrative Proceedings
Information will be disclosed for the purposes of a judicial or administrative proceeding only when accompanied by a court or administrative order, including a protective order, or grand jury subpoena; or when accompanied by a subpoena or discovery request that includes either the authorization of the individual to whom the information applies, or documented assurances that a good faith effort has been made to adequately notify the individual of the request for their information and there are no outstanding objections by the individual. If a subpoena or discovery request is submitted to UCAR without one of these assurances, UCAR will seek to notify the individual or obtain his or her authorization. In no case will UCAR disclose information other than that required by the court order, subpoena, or discovery request.
12. De-Identified Data and Limited Data Sets
UCAR will disclose de-identified data only if it has been properly de-identified by removing all the relevant identifying data. UCAR will make use of limited data sets, but only after the relevant identifying data have been removed and then only to organizations with whom UCAR has data use agreements and only for public health or health plan administration purposes.
13. Authorizations
A valid authorization will be obtained for all disclosures that are not: to the individual or his/her personal representative, to persons involved with the individual’s care, to business associates in their legitimate duties, or for public purposes. Any authorizations generated from outside UCAR will be reviewed to determine validity.
14. Complaints
All complaints relating to the use and/or disclosure of PHI by UCAR must be in writing and addressed to UCAR’s Privacy Officer or Contact Person. A complaint will be investigated within 30 days of its receipt. A written response will be provided to the complainant within 10 days after the investigation is complete. If the complaint stems from a valid area of non-compliance with the HIPAA Privacy Regulations, UCAR will implement a resolution in a timely fashion.
15. Physical Safeguards
Appropriate physical safeguards are in place to reasonably safeguard PHI from any intentional or unintentional use or disclosure that is in violation of the HIPAA Privacy Regulations. These safeguards will include physical protection of premises and PHI, technical protection of PHI maintained electronically and administrative protection. These safeguards will extend to the oral communication of PHI. These safeguards will extend to PHI that is removed from UCAR.
16. Retention of Records
UCAR will retain all records subject to the HIPAA Privacy Rule for six years. All records designated by HIPAA in this retention requirement will be maintained in a manner that allows for access within a reasonable period of time by an individual making a request. The six-year records retention period may be extended at UCAR’s discretion to meet other governmental regulations or requirements imposed by UCAR’s professional liability carrier.
17. Cooperation with Privacy Oversight Authorities
Oversight agencies such as the Office for Civil Rights of the Department of Health and Human Services will be given full support and cooperation in their efforts to ensure the protection of PHI within UCAR.
Authorization Form:
CIGNA Authorization for Release and Request for Medical Records form
Contact Person information