HIPAA Use and Disclosure of Protected Health Information
Effective April 14, 2003, a Federal law, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as amended by the Health Information Technology for Economic and Clinical Health Act (HITECH), requires that health plans like the Hawaii Employer-Union Health Benefits Trust Fund (EUTF) group health plan (hereafter referred to in this section as the “Plan”), maintain the privacy of your personally identifiable health information (called Protected Health Information or PHI).
- The term “Protected Health Information” (PHI) includes all information related to your past, present or future health condition(s) that individually identifies you or could reasonably be used to identify you and is transferred to another entity or maintained by the Plan in oral, written, electronic or any other form.
- PHI does not include health information contained in employment records held by your employer in its role as an employer, including but not limited to health information on disability, work-related illness/injury, sick leave, Family and Medical Leave (FMLA), life insurance, dependent care FSA, drug testing, etc.
A complete description of your rights under HIPAA can be found in the Plan’s Notice of Privacy Practices, which was distributed to you upon enrollment in the Plan and is available from the EUTF Privacy Officer or on the EUTF website at eutf.hawaii.gov. Information about HIPAA in this document is not intended and cannot be construed as the Plan’s Notice of Privacy Practices.
The Plan, and the Plan Sponsor (the Board of Trustees of the Hawaii Employer-Union Health Benefits Trust Fund (EUTF)), will not use or further disclose information that is protected by HIPAA (“protected health information” or “PHI”) except as necessary for treatment, payment, health care operations and Plan administration, or as permitted or required by law.
In particular, the Plan will not, without your written authorization, use or disclose protected health information for employment-related actions and decisions or in connection with any other benefit or employee benefit plan of the Plan Sponsor.
Except as permitted by HIPAA, the Plan will only use or disclose your PHI for marketing purposes or sell (exchange) your PHI for remuneration (payment), with your written authorization. The Plan may disclose PHI to the Plan Sponsor for the purpose of reviewing a benefit claim or for other reasons related to the administration of the Plan.
- The Plan’s Use and Disclosure of PHI: The Plan will use protected health information (PHI), without your authorization or consent, to the extent and in accordance with the uses and disclosures permitted by HIPAA. Specifically, the Plan will use and disclose protected health information for purposes related to health care treatment, payment for health care, and health care operations (sometimes referred to as TPO), as defined below.
- Treatment is the provision, coordination or management of health care and related services. It also includes but is not limited to consultations and referrals between one or more of your health care providers. The Plan rarely, if ever, uses or discloses PHI for treatment purposes.
- Payment includes activities undertaken by the Plan to obtain premiums or determine or fulfill its responsibility for coverage and provision of Plan benefits with activities that include, but are not limited to, the following:
- Determination of eligibility, coverage, cost sharing amounts (e.g. cost of a benefit, Plan maximums, and copayments as determined for an individual’s claim), and establishing employee contributions for coverage;
- Claims management and related health care data processing, adjudication of health benefit claims (including appeals and other payment disputes), coordination of benefits, subrogation of health benefit claims, billing, collection activities and related health care data processing, and claims auditing;
- Medical necessity reviews, reviews of appropriateness of care or justification of charges, utilization review, including precertification, concurrent review and/or retrospective review.
- Health Care Operations includes, but is not limited to:
- Business planning and development, such as conducting cost-management and planning-related analyses for the management of the Plan, development or improvement of methods of payment or coverage policies, quality assessment, patient safety activities;
- Population-based activities relating to improving health or reducing health care costs, protocol development, case management and care coordination, disease management, contacting of health care providers and patients with information about treatment alternatives and related functions;
- Underwriting (the Plan does not use or disclose PHI that is genetic information as defined in 45 CFR 160.103 for underwriting purposes as set forth in 45 CFR 164.502(a)(5)(1)), enrollment, premium rating, and other activities relating to the renewal or replacement of a contract of health insurance or health benefits, rating provider and Plan performance, including accreditation, certification, licensing, or credentialing activities;
- Conducting or arranging for medical review, legal services and auditing functions, including fraud and abuse detection and compliance programs;
- Business management and general administrative activities of the Plan, including, but not limited to management activities relating to implementation of and compliance with the requirements of HIPAA Administrative Simplification, customer service, resolution of internal grievances, or the provision of data analyses for policyholders, Plan sponsors, or other customers.
- When an Authorization Form is Needed: Generally the Plan will require that you sign a valid authorization form (available from the EUTF Privacy Officer or on the EUTF website) in order for the Plan to use or disclosure your PHI other than when you request your own PHI, a government agency requires it, or the Plan uses it for treatment, payment or health care operations or other instance in which HIPAA explicitly permits the use or disclosure without authorization.
The Plan’s Notice of Privacy Practices also discusses times when you will be given the opportunity to agree or disagree before the Plan uses and discloses your PHI.
- The Plan will disclose PHI to the Plan Sponsor only upon receipt of a certification from the Plan Sponsor that the Plan documents have been amended to incorporate the following provisions. With respect to PHI, the Plan Sponsor agrees to:
- Not use or disclose the information other than as permitted or required by the Plan Document or as required by law,
- Ensure that any agents to whom the Plan Sponsor provides PHI received from the Plan agree to the same restrictions and conditions that apply to the Plan Sponsor with respect to such information. This Plan hires professionals and other companies, referred to as Business Associates, to assist in the administration of benefits. The Plan requires these Business Associates to observe HIPAA privacy rules.
- Not use or disclose the information for employment-related actions and decisions,
- Not use or disclose the information in connection with any other benefit or employee benefit Plan of the Plan Sponsor, (unless authorized by the individual or disclosed in the Plan’s Notice of Privacy Practices).
- Report to the Plan any use or disclosure of the information that is inconsistent with the uses or disclosures provided for of which it becomes aware,
- Make PHI available to the individual in accordance with the access requirements of HIPAA,
- Make PHI available for amendment and incorporate any amendments to PHI in accordance with HIPAA,
- Make available the information required to provide an accounting of PHI disclosures,
- Make internal practices, books, and records relating to the use and disclosure of PHI received from the group health Plan available to the Secretary of the Dept. of Health and Human Services (HHS) for the purposes of determining the Plan’s compliance with HIPAA, and
- If feasible, return or destroy all PHI received from the Plan that the Plan Sponsor maintains in any form and retain no copies of such information when no longer needed for the purpose for which disclosure was made. If return or destruction is not feasible, limit further uses and disclosures to those purposes that make the return or destruction if feasible.
- Notify you if a breach of your unsecured protected health information (PHI) occurs.
- In order to ensure that adequate separation between the Plan and the Plan Sponsor is maintained in accordance with HIPAA, only the following employees or classes of employees may be given access to use and disclose PHI:
- The Plan’s Privacy Officer;
- EUTF Member Services Office staff involved in the administration of this Plan;
- Business Associates under contract to the Plan including but not limited to the outpatient retail and mail order prescription drug benefit plan administrator and any independent review organizations for assistance with external reviews, the COBRA administrator, the Plan’s consultants and actuaries.
- The persons described in the section may only have access to and use and disclose PHI for Plan administration functions for the Plan. If these persons do not comply with this obligation, the Plan Sponsor has designed a mechanism for resolution of noncompliance. Issues of noncompliance (including disciplinary sanctions as appropriate) will be investigated and managed by the Plan’s Privacy Officer, whose address and phone number are listed here:
EUTF Member Services Branch Manager
201 Merchant Street, Suite 1700
Honolulu, HI 96813
Phone: 808-586-7390 or 800-295-0089
- Effective April 21, 2005, in compliance with HIPAA Security regulations, the Plan Sponsor will:
- Implement administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of electronic PHI that it creates, receives, maintains or transmits on behalf of the group health plan,
- Ensure that the adequate separation discussed in D above, specific to electronic PHI, is supported by reasonable and appropriate security measures,
- Ensure that any agent, including a subcontractor, to whom it provides electronic PHI agrees to implement reasonable and appropriate security measures to protect the electronic PHI, and
- Report to the Plan any security incident of which it becomes aware concerning electronic PHI.
- Hybrid Entity: For purposes of complying with the HIPAA Privacy rules, this Plan is a “hybrid entity” because it has both group health plan functions (a health care component of the entity) and non-group health plan functions. The Plan designates that its health care group health plan functions are covered by the privacy rules. The health care group health plan functions include the services related to the “Plan.”