HIPAA Notice of Privacy Rules
Effective date of this notice is October 1, 2020
This notice describes how your medical information may be used and disclosed and how you can get access to this information. Please review it carefully.
A federal law, commonly known as HIPAA (the Health Insurance Portability and Accountability Act of 1996), governs all group health plans’ use and disclosure of medical information. You may find HIPAA’s privacy rules at 45 Code of Federal Regulations Parts 160 and 164.
This notice describes the EUTF’s privacy practices and your rights regarding the uses and disclosures of your medical information as it relates to the EUTF group health plan. The EUTF self-funded group health plan includes the Outpatient Prescription Drug Program Benefits (hereafter referred to as the “Plan”) and is required by law to take reasonable steps to maintain the privacy of your personally identifiable health information (called Protected Health Information or PHI) and to inform you about the Plan’s legal duties and privacy practices with respect to protected health information.
You may receive a Privacy Notice from various insured group health benefit programs. Each of these notices will describe your rights as they pertain to that plan and in compliance with the Federal regulation, HIPAA. This Privacy Notice, however, pertains to your protected health information related to the EUTF benefit plan (the “Plan”) and outside companies contracted to help administer Plan benefits, also called “business associates.”
The EUTF acknowledges that your medical and health information is personal – and is committed to protecting your privacy.
For administration purposes, the EUTF has access to a record of your claims reimbursed under your health insurance benefits plan. This notice applies to all of the medical records that the EUTF maintains or can access. Your personal doctor, health care provider, or health insurance carrier might have different policies or notices regarding their use and disclosure of medical information that they maintain or create. However, HIPAA applies to all organizations or persons that maintain personal health information, if they fall under HIPAA’s definition of “Covered Entities.”
By law, the EUTF MUST:
- Make sure that medical information that identifies you is kept private,
- Give you this notice of the EUTF’s legal duties and privacy practices with respect to your medical information,
- Retain copies of the notices the EUTF issues to you,
- Retain any written acknowledgments that you received the notices, or document the EUTF’s good faith efforts to obtain such written acknowledgments from you,
- Follow the terms of the notice that is currently in effect, and
- Notify affected individuals following a breach of unsecured protected health information.
HIPAA also requires the EUTF to tell you about:
- The EUTF’s uses and disclosures of your medical information,
- Your privacy rights with respect to your medical information,
- Your right to file a complaint with the EUTF and with the Secretary of the Department of Health and Human Services, and
- The person or office at the EUTF whom you may contact for additional information about the EUTF’s privacy practices.
How the EUTF May Use and Disclose Your Medical Information
The following categories describe the different ways the EUTF may use and disclose your medical information. Some uses and disclosures of your medical information require your authorization or the opportunity to agree or object to the use or disclosure. Other uses and disclosures do not. This notice clearly identifies whether or not the use or disclosure of your medical information requires your authorization or the opportunity to agree or object. Each category contains an explanation of what is meant by the “use and disclosure” of your medical information, and some examples. Not every use or disclosure in a category will be listed. However, the ways the EUTF is allowed to use and disclose your medical information will generally fall into one of the categories listed.
The following categories DO NOT REQUIRE the EUTF to obtain your consent, authorization, or to provide you the opportunity to agree or object to the use or disclosure.
- For Treatment: the EUTF may use or disclose your medical information to help you get medical treatment or services through the EUTF. The EUTF may disclose your medical information to health care providers, including doctors, nurses, technicians, medical students, or other health care professionals who are providing you with services covered under your insurance plan. For example, the EUTF might disclose the name of your child’s dentist to your child’s orthodontist so that the orthodontist may ask the dentist for your child’s dental X-rays.
- For Payment: the EUTF may use and disclose your medical information in the process of determining your eligibility for benefits under the EUTF, to facilitate payment to health care providers for the treatment or services you have received from them, to determine benefit responsibility under the EUTF, and to facilitate reviews for medical necessity/appropriateness of your care. For example, the EUTF may tell your doctor whether you are eligible for coverage under the EUTF, or what percentage of the bill may be paid by the EUTF. Likewise, the EUTF may share your medical information with another entity to assist with the adjudication or subrogation of your claims or to another health plan to coordinate benefit payments.
- For EUTF Operations: the EUTF may use and disclose your medical information for health care operations and other EUTF operations. This can include disclosures to the EUTF’s Board of Trustees, the sponsoring public employers (Human Resources Officer (HRO) or any other person who functions as your employer’s personnel officer), and the Employees’ Retirement System (ERS). These uses and disclosures are necessary to administer the EUTF benefit plans. For example, the EUTF may use and disclose your medical information to conduct or facilitate quality assessments and improvement activities, patient safety activities, performance and compliance reviews, auditing, fraud and abuse detection, underwriting, enrollment, premium rating and other activities related to creating, renewing or replacing insurance contracts or benefit plans, claims review and appeals, legal functions and services, business planning and development, and other activities related to business management and administration. In connection with the foregoing, the EUTF may disclose your medical information to third parties who perform various health care operations or EUTF operations on its behalf.
- Disclosure to Business Associates: the EUTF may disclose your medical information to business associates in carrying out treatment, payment, health care operations and EUTF operations. For example, the EUTF may disclose your medical information to a utilization management organization to review the appropriateness of a proposed treatment under your insurance plan.
- Disclosure to Health Insurance Companies or Health Maintenance Organizations: In carrying out treatment, payment or health care operations, the EUTF may disclose your medical information to health insurance companies or health maintenance organizations (HMOs) that it contracts with to provide services or benefits under its health benefits plans. For example, the EUTF may disclose your medical information to the Hawaii Medical Service Association in order to verify your eligibility for benefits or services.
- Disclosure to the Plan Sponsor and Its Representatives: the EUTF is sponsored by State, county and other public employers who are represented on the EUTF’s Board of Trustees. The EUTF may disclose information to the EUTF’s Board of Trustees, the sponsoring public employers, and the Employees’ Retirement System (ERS) for payment, health care operations, and EUTF operations. For example, the EUTF may disclose information to the sponsoring employers about whether you are participating in a group health plan that is offered by the EUTF, or whether you are enrolled or disenrolled in any such group health plan. Disclosure to the sponsoring employers may include disclosures to your departmental personnel officer (DPO) or any other person who functions as your employer’s personnel officer. In the event you appeal a denied eligibility issue or other matter to the EUTF’s Board of Trustees, the EUTF may disclose your medical information to the EUTF’s Board of Trustees and its staff, consultant, and legal counsel as may be necessary to allow the EUTF’s Board of Trustees to make a decision on your appeal. The EUTF may also disclose your medical information to the EUTF’s Board of Trustees for plan administration functions, including such functions as quality assurance and auditing or monitoring the operations of group health plans that are part of the EUTF.
- As Required By Law: the EUTF will disclose your medical information when required to do so by federal, state or local law. For example, the EUTF may disclose your medical information when required to do so by a court order in a civil proceeding such as a malpractice lawsuit. Or, the Secretary of the Department of Health and Human Services might require the use and disclosure of your medical information to investigate or determine the EUTF’s compliance with federal privacy regulations (this notice).
- To Avert a Serious Threat to Health or Safety: the EUTF may use and disclose your medical information when necessary to prevent a serious threat to your health or safety, or to the health and safety of the public or another person. However, any such disclosure would be made only to a person able to help prevent the threat. For example, the EUTF may disclose your medical information in a legal proceeding regarding the licensure of a doctor.
- Public Health Activities: the EUTF may disclose your medical information to a public health authority for the purpose of preventing or controlling disease, injury or disability or to report child abuse or neglect.
Immunizations: To a school about an individual who is a student or prospective student of the school if the protected health information that is disclosed is limited to proof of immunization, the school is required by State or other law to have such proof of immunization prior to admitting the individual and the covered entity obtains and documents the agreements to this disclosure from either a parent, guardian or other person acting in loco parentis of the individual, if the individual is an unemancipated minor; or the individual, if the individual is an adult or emancipated.
Organ and Tissue Donation: If you are an organ donor, the EUTF may release your medical information to organizations that handle organ procurement or organ, eye or tissue transplantation, or to an organ donation bank, as necessary to facilitate organ or tissue donation and transplantation.
Military and Veterans: If you are a member of the armed forces, the EUTF may release your medical information as required by military command authorities. The EUTF may also release medical information about foreign military personnel to the appropriate foreign military authority.
Workers’ Compensation: the EUTF may release your medical information for Workers’ Compensation or similar programs. These programs provide benefits for work-related injuries or illnesses.
Health Oversight Activities: the EUTF may disclose your medical information to a health oversight agency for activities authorized by law. These oversight activities can include audits, investigations, inspections, and licensure. These activities are necessary for the government to monitor the health care system, government programs, and compliance with civil rights laws.
Lawsuits and Disputes: If you are involved in a lawsuit or a dispute, the EUTF may disclose your medical information in response to a court order or administrative ruling. The EUTF may also disclose your medical information in response to a subpoena, discovery request, or other lawful process by someone involved in the dispute, but only if efforts have been made to tell you about the request or to obtain an order protecting the medical information requested.
Law Enforcement: the EUTF may release your medical information if asked to do so by a law enforcement official:
- In response to a court order, subpoena, warrant, summons or similar process,
- To identify or locate a suspect, fugitive, material witness or missing person,
- About the victim of a crime if, under certain limited circumstances, the EUTF is able to obtain the person’s agreement,
- About a death the EUTF believes might be the result of criminal conduct, and
- In emergency circumstances to report a crime, the location of a crime or victims, or the identity, description or location of the person who committed the crime.
Coroners, Medical Examiners and Funeral Directors: the EUTF may release your medical information to a coroner or medical examiner. This might be necessary, for example, to identify a deceased person or determine the cause of death.
National Security and Intelligence Activities: the EUTF may release your medical information to authorized federal officials for intelligence, counterintelligence, and other national security activities authorized by law.
The following category REQUIRES the EUTF to obtain your written authorization for the use or disclosure.
Generally, the Plan will require that you sign a valid authorization form in order to use or disclose your PHI other than when you request your own PHI, a government agency requires it, or the Plan uses it for treatment, payment or health care operation. You have the right to revoke an authorization.
The Plan does not engage in the use or disclosure of PHI with respect to marketing (communication about a product or service that encourages recipients to purchase or use the product or service, an arrangement between a covered entity and any other entity whereby the covered entity discloses PHI in exchange for direct or indirect financial remuneration). This Plan does not engage in the use or disclosure of PHI with respect to the sale of PHI. The Plan does not use or disclose PHI that is genetic information for underwriting purposes, including enrollment, premium or contribution amounts or other activities related to the placement or renewal of health insurance or health benefits. Genetic information includes information about the individual’s genetic tests and the genetic tests of the individual’s family members.
Psychotherapy Notes: Generally the EUTF must obtain your written authorization to use and disclose psychotherapy notes about you from your psychotherapist. Psychotherapy notes are separately filed notes about your conversations with your mental health professional during a counseling session. They do not include summary information about your mental health treatment. However, the EUTF may use and disclose your psychotherapy notes when needed by the EUTF to defend against a lawsuit filed by you.
The following category REQUIRES that the EUTF gives you an opportunity to agree or disagree prior to the use or disclosure.
Family or Friends Involvement: the EUTF may disclose your medical information to family members, other relatives, or your friends without your written consent or authorization if:
- The medical information is directly relevant to the family or friend’s involvement with your care or payment for that care, and
- You have either agreed to the disclosure or have been given the opportunity to object to the disclosure and have not objected.
Any other Plan uses and disclosures not described in this Notice will be made only if you provide the Plan with written authorization, subject to your right to revoke your authorization, and information used and disclosed will be made in compliance with the minimum necessary standards of the regulation.
Your Rights Regarding Your Medical Information
You have the following rights regarding your medical information maintained by the EUTF:
Right to Inspect and Copy Your Medical Information: You have the right to inspect and obtain a copy (in hard copy or electronic form) of your PHI (except psychotherapy notes and information compiled in reasonable contemplation of an administrative action or proceeding) contained in a “designated record set,” for as long as the Plan maintains the PHI. The designated record set includes enrollment, payment, billing, claims adjudication and case or medical management record systems maintained by or for a health plan; or other information used in whole or in part by or for the EUTF to make decisions about people covered under the EUTF’s health benefit plans. Information used for quality control or peer review analyses and not used to make decisions about people covered by the EUTF health benefits plans is not contained in the designated record set. You may request your hard copy or electronic information in a format that is convenient for you, and the Plan will honor that request to the extent possible. You may also request a summary of your PHI.
If you request a copy of your medical information, it will be provided to you in accordance with the time limits required under Part II of Chapter 92F, Hawaii Revised Statutes, and the rules enacted thereunder. Under those laws, the EUTF will generally provide a copy of your medical information to you within ten (10) days. However, in certain circumstances, the EUTF may be entitled to additional time to respond to your request.
You or your personal representative must complete a form to request access to your medical information contained in the designated record set. You must submit the completed request form to the EUTF Privacy Officer whose address is provided at the end of this HIPAA notice.
If you request a copy of the information, the EUTF may charge a fee for the costs of copying and mailing the information to you, for creating the PHI or preparing a summary of your PHI, or for other supplies associated with complying with your request.
The EUTF may deny your request to inspect and copy medical information in certain, very limited circumstances. If you are denied access to medical information, you may appeal.
If the EUTF denies your request to inspect or copy your medical information, the EUTF will provide you or your personal representative with a written denial identifying the reason(s) for the denial. The denial will also include a description of how you may exercise your appeal rights, and a description of how you may file a complaint with the Secretary of the Department of Health and Human Services.
Right to Amend Your Medical Information: If you think that your medical information is incorrect or incomplete, you may ask the EUTF to amend the information. You have the right to request an amendment for as long as the information is kept by, or for, the EUTF.
To request an amendment, you must submit your request, in writing, to the EUTF Privacy Officer. Your written request must include a reason that supports your request.
After you request that the EUTF amend your medical information, the EUTF must comply with your request within twenty (20) business days or notify you that your request has been denied.
The EUTF may deny your request for an amendment to your medical information if your request is not in writing or does not include a reason to support the request. In addition, the EUTF may deny your request if you ask the EUTF to amend information that:
- Is not part of the medical information kept by or for the EUTF,
- Was not created by the EUTF, unless the person or entity that created the information is no longer available to make the amendment,
- Is not part of the information which you would be permitted to inspect and copy, or
- Is accurate and complete.
If the EUTF denies your request in whole or in part, the EUTF must provide you with a written denial that explains the basis for the denial. You or your personal representative may then submit a written statement disagreeing with the denial, and have that statement included with any future disclosure of your medical information.
Right to an Accounting of Disclosures: You have the right to request an “accounting of disclosures” if a disclosure was made without your authorization for any purpose other than treatment, payment, or health care operations, or where the disclosure was to you about your own medical information.
To request this list of disclosures, you must submit a written request to the EUTF Privacy Officer. Your request must state a time period for which you are requesting the list of disclosures. This period may not be longer than six (6) years and may not include dates before April 14, 2003. Your request should indicate in what form you want the list (for example, paper or electronic). The first list you request within any 12-month period will be provided free of charge. For additional lists, the EUTF may charge you for the costs of providing the list. The EUTF will notify you of the cost involved, and you may choose to withdraw or modify your request at that time before you incur any costs.
The EUTF has sixty (60) days from the date it receives your request to provide you the list of disclosures, and is allowed an additional thirty (30) days to comply, if it provides you with a written statement of the reasons for the delay and the date by which the accounting will be provided.
Right to Request Restrictions: You have the right to request a restriction or limitation on your medical information uses or disclosures for treatment, payment or health care operations. You also have the right to request a limit on your medical information that the EUTF discloses to someone involved in your care or payment for your care, like a family member or friend. For example, you could ask that the EUTF not use or disclose information about a surgical procedure you had.
The EUTF is not required by law to agree to your request.
You or your personal representative must complete a form to request restrictions on the use or disclosure of your medical information. You must submit the completed form to the EUTF Privacy Officer whose address is provided at the end of this HIPAA notice. In your request, you must indicate:
- What information you want to limit,
- Whether you want to limit the EUTF’s use, disclosure, or both, and
- To whom you want the limits to apply, for example, disclosures to your spouse.
Right to Request Confidential Communications: You have the right to request that the EUTF communicate with you about your medical information or other medical matters in a certain way, or at a certain location. For example, you may ask that the EUTF contact you only at work or by mail.
To request confidential communications, you must submit a written request to the EUTF Privacy Officer, whose address is provided at the end of this HIPAA notice. The EUTF will not ask you the reason for your request and will accommodate all reasonable requests. Your request must specify how and/or where you wish to be contacted.
Right to a Paper Copy of This Notice: You have the right to receive a paper copy of this notice. You may ask the EUTF to give you a copy of this notice at any time. Even if you have agreed to receive this notice electronically, you are still entitled to request a paper copy of this notice.
To obtain a paper copy of this notice, submit a written request to the EUTF Privacy Officer, whose address is provided at the end of this HIPAA notice.
Breach Notification Right: If a breach of your unsecured protected health information occurs, the Plan will notify you.
A Note about Personal Representatives
You may exercise your privacy rights through a personal representative. Your personal representative will be required to provide evidence of his or her authority to act on your behalf before that person will be given access to your medical information or allowed to take any action on your behalf with respect to your medical information. Proof of such authority may take one of the following forms:
- A power of attorney for health care purposes, notarized by a notary public,
- A court order appointing the person as your conservator or guardian, or
- An individual who is the parent of a minor child.
The EUTF may decide to deny a personal representative access to medical information of a person if it thinks this will protect the person represented from abuse or neglect. This also applies to personal representatives of minors.
However, state or other applicable law will govern whether the EUTF is permitted to disclose an unemancipated minor dependent child’s medical information to the child’s parent(s). State or other applicable law will also govern whether the EUTF is permitted to provide a parent’s access to his or her child’s medical information.
Changes to This Notice
The EUTF reserves the right to change this notice. The EUTF also reserves the right to make the revised or changed notice effective for medical information it already maintains, or has access to about you – as well as any information the EUTF receives in the future. The EUTF will post a copy of the current notice on the EUTF’s web site. This notice will contain the effective date of the current notice on the first page, in the top right-hand corner.
Any revised version of this notice will be distributed within sixty (60) days of the effective date of any material change to the uses or disclosures, your rights, the duties of the EUTF or other privacy practices stated in this notice. Material changes are changes to the uses and disclosures of PHI, an individual’s rights, the duties of the Plan or other privacy practices stated in the Privacy Notice. Because our health plan posts its Notice on its web site, we will prominently post the revised Notice on that web site by the effective date of the material change to the Notice. We will also provide the revised notice, or information about the material change and how to obtain the revised Notice, in our next annual Notice distribution to individuals covered by the Plan.
Minimum Necessary Standard
When the EUTF uses or discloses your medical information, or requests your medical information from another entity, the EUTF will make reasonable efforts not to use, disclose or request more than the minimum amount of your medical information needed to accomplish the intended purpose of the use, disclosure or request, taking into consideration practical and technological limitations. However, the minimum necessary standard will not apply to:
- Disclosures to or requests by a health care provider for treatment,
- Uses by you or disclosures to you of your own medical information,
- Disclosures made to the Secretary of the Department of Health and Human Services,
- Uses or disclosures that may be required by law,
- Uses or disclosures that are required by the EUTF’s compliance with legal regulations, and
- Uses and disclosures for which the EUTF has obtained your authorization.
The Plan may share PHI with the Plan Sponsor for limited administrative purposes, such as determining claims and appeals, performing quality assurance functions and auditing and monitoring the Plan. The Plan shares the minimum information necessary to accomplish these purposes.
This notice does not apply to medical information that has been “de-identified.” De-identified information is medical information that does not identify an individual and with respect to which there is no reasonable basis to believe that the information can be used to identify an individual.
In addition, the EUTF may use or disclose “summary health information” to obtain premium bids or to modify, amend or terminate the EUTF’s health benefits plans. Summary health information is information that summarizes the claims history, claims expenses, or types of claims experienced by individuals for whom the EUTF has provided benefits, and from which identifying information has been deleted in accordance with the Health Insurance Portability and Accountability Act (HIPAA).
If you believe your privacy rights have been violated, you may file a complaint with the EUTF Privacy Officer, whose address is provided at the end of this HIPAA notice. You may also file a complaint (within 180 days of the date you know or should have known about an act or omission) with the Secretary of the U.S. Department of Health and Human Services by contacting their nearest office as listed in your telephone directory or contact the Privacy Officer for more information about how to file a complaint. You must submit any complaints in writing. The EUTF will not penalize or retaliate against you for filing a complaint.
Other Uses and Disclosures of Your Medical Information
Other uses and disclosures of medical information not covered by this notice or the laws that apply to the EUTF will be made only with your written authorization. If you provide the EUTF with authorization to use or disclose your medical information, you may revoke that authorization, in writing, at any time. If you revoke your authorization, the EUTF will no longer use or disclose your medical information for the reasons covered by your written authorization.
You should understand that the EUTF is unable to take back any disclosures that have already been made with your authorization, and that the EUTF is required to retain any records regarding any care or services provided to you.
EUTF may not (and does not) use your genetic information that is PHI for underwriting purposes.
If you have any questions about this notice, contact the EUTF Privacy Officer, at the address below.
If there is any discrepancy between the information in this notice and the actual HIPAA regulations, the regulations will prevail, and the EUTF will use and disclose your medical information in a manner consistent with the regulations.
You may contact the EUTF Privacy Officer at the following address:
201 Merchant Street, Suite 1700, Honolulu, HI 96813
Telephone number: (808) 586-7390, Toll-free number: 1-800-295-0089