Policies and Procedures Manual 2023-2024

7.17 HIPAA Privacy Policy

  Policy 
     
    Piedmont University has adopted a policy that protects the privacy and confidentiality of protected health information (PHI) whenever it is used by representatives of the Employer or the Plan. Safeguarding the privacy and confidentiality of such information is the responsibility of every individual whose job duties require access to PHI.  The Plan (as defined below) hereby adopts this document as its Privacy Policy (“Policy”) for the health plans maintained by Piedmont University (“Employer”). This Policy applies to the following health plans (collectively referenced in this document as the Plan): 
    1. Meritain Health and Wellness Plan
    2. Ameritas Dental Plan
    3. Ameritas Vision Plan
    4. Alera Edge/Alera Pay – Medical FSA Plan

 

  1. DEFINITIONS.   As used in this Policy, these terms are defined as follows:

 

  1. HIPAA means the Health Insurance Portability and Accountability Act of 1996, as amended from time to time, and its implementing privacy and security regulations at 45 CFR Parts 160, 162 and 164, as applicable.
  2. Protected Health Information or PHI has the meaning given that term in 45 CFR §160.103. PHI is individually identifiable health information that is created or received by the Employer’s group health plans, a health care provider, a health plan, or a health care clearinghouse and that relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for health care. PHI includes medical conditions, health status, claims experience, medical histories, physical examinations, genetic information, and evidence of disability.
  3. Covered Entity means an entity listed in 45 CFR §160.102.
  4. Treatment means the provision, coordination, or management of health care and related services by one or more health care providers, including the coordination or management of health care by a health care provider with a third party; consultation between health care providers relating to a patient; or the referral of a patient for health care from one health care provider to another.
  5. Payment means the activities undertaken:
    1. by the Plan to obtain premiums or determine or fulfill its obligations to provide benefits.
    2. by a health care provider or another Covered Entity to obtain or provide reimbursement for the provision of health care.
  6. Health Care Operations means any of the following activities of the Plan, a health care provider, or another Covered Entity:
    1. Underwriting, enrollment, premium rating, and other activities related to the creation, renewal, or replacement of a contract of health insurance or health benefits, and ceding, securing, or placing a contract for reinsurance of risk relating to claims for health care (including stop-loss insurance and excess of loss insurance). 
    2. Conducting or arranging for medical review, legal services, and auditing functions, including fraud and abuse detection and compliance programs.
    3. Business planning and development, such as conducting cost-management and planning-related analyses related to managing and operating the entity, including formulary development and administration and the development or improvement of methods of payment or coverage policies.
    4. Business management and general administrative activities of the Plan.
    5. Any other activities considered Health Care Operations under HIPAA.
  7. Business Associate means an entity that creates, receives, maintains, or transmits PHI on behalf of the Plan for a function or activity regulated by HIPAA, including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, or other services that involve the disclosure of PHI to the entity.
  8. Business Associate Contract means an agreement between a Covered Entity and a Business Associate that meets all the requirements set forth in 45 CFR §164.504(e).
  9. Marketing means to make a communication about a product or service that encourages recipients of the communication to purchase or use the product or service.  The term Marketing does not include communications from the Plan regarding the entities participating in the Plan’s provider network; replacement of, or enhancements to, the Plan; and health-related products or services available only to a Plan enrollee that add value to, but are not part of, the Plan’s benefits; provided, however, that the Plan does not receive any direct or indirect financial remuneration from a third party for making the communication.
  10. Workforce means persons who are common-law employees of the Plan or the Employer, as applicable.
     
     
  2. PERMITTED USES AND DISCLOSURES.  The Plan will not use or disclose PHI except as provided in this Policy and as permitted by HIPAA.
    1. The Plan may use and disclose PHI for purposes of:
      1. Its own Treatment, Payment, or Health Care Operations.
      2. The Treatment activities of a health care provider.
      3. The Payment activities of another Covered Entity or a health care provider.
      4. The Health Care Operations of another Covered Entity if (1) each entity either has or had a relationship with the individual who is the subject of the PHI being requested, (2) the PHI pertains to such relationship, and (3) the disclosure is for one of the following purposes: 
        1. Conducting quality assessment and improvement activities, including population-based activities relating to improving health or reducing health care costs, protocol development, case management and care coordination, contacting health care providers and patients with information about treatment alternatives, and related functions that do not include Treatment.
        2. Reviewing the competence or qualifications of health care professionals, and evaluating practitioner, provider, and health plan performance. 
        3. Conducting training programs in which students, trainees, or practitioners in areas of health care learn under supervision to practice or improve their skills as health care providers.
        4. Training of non-health care professionals, and accreditation, certification, licensing, or credentialing activities; or 
        5. Health care fraud and abuse detection or compliance.
    2. The Plan may disclose an individual’s own PHI to the individual as provided in Paragraph 7 of this Policy.
    3. The Plan may disclose PHI to the Secretary of Health and Human Services as needed to investigate or determine the Plan’s compliance with HIPAA.
    4. The Plan may disclose PHI to a Business Associate only pursuant to the terms of a HIPAA-compliant Business Associate Contract between the Business Associate and the Plan.
    5. When using or disclosing PHI, or when requesting PHI from another Covered Entity or Business Associate, the Plan must make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.  The Plan will not request an individual’s entire medical record unless the entire record is reasonably necessary.  The Plan will maintain documentation supporting standard recurring requests and explaining its rationale for other non-standard or non-recurring requests. The minimum necessary requirement does not apply to:
      1. Disclosures to or requests by a health care provider for treatment.
      2. Uses or disclosure to an individual of his or her own PHI.
      3. Uses or disclosures made pursuant to an authorization.
      4. Disclosures made to the Secretary of Health and Human Services for enforcement purposes.
    6. The Plan may use PHI to create de-identified information that meets the standard in 45 CFR §164.514(a) and (b), or disclose PHI for that purpose to a Business Associate.  De-identified information is not considered PHI for purposes of this Policy.
    7. The Plan may disclose PHI about an individual to his or her personal representative as follows:
      1. In the case of an adult or emancipated minor, the Plan may disclose PHI to a person who is authorized to act for the individual under applicable law regarding health care decisions.
      2. In the case of an unemancipated minor, the Plan may disclose the minor’s PHI to his or her parent, guardian, or other person acting in loco parentis under applicable law.  However, this does not apply for a given health care service if:
        1. The minor consents to such health care service; no other consent to such health care service is required by law; and the minor has not requested that such person be treated as the personal representative; or
        2. The minor may lawfully obtain such health care service without the consent of a parent, guardian, or other person acting in loco parentis, and the minor, a court, or another person authorized by law consents to such health care service.
      3. In the case of a deceased individual, the Plan may disclose PHI to the executor, administrator, or other person authorized under applicable law to act on behalf of the deceased individual or the deceased individual’s estate.
      4. Regardless of any State law or provision of this Policy, the Plan may elect not to treat a person as a personal representative of an individual if the Plan reasonably believes that the person has subjected the individual to domestic violence, abuse, or neglect; that releasing PHI to the person could endanger the individual; or that, for another good reason, it would not be in the best interest of the individual to treat the person as the personal representative.  
    8. The Plan may use and disclose PHI to the extent that it is permitted or required to do so by applicable law and in accordance with the provisions of 45 CFR §164.512.
    9. Before making any disclosure permitted by this Policy, the Plan must verify the identity of the person requesting the information, if not already known to the Plan.  Except in the case of disclosures pursuant to Paragraph 4 of this Policy, the Plan must also verify the authority of the person to whom the disclosure is made. 
       
       
  3. PROHIBITED USES AND DISCLOSURES.
    1. The Plan will not use or disclose PHI except as permitted or required by this Policy and permitted or required by law.
    2. The Plan will not use or disclose PHI that is genetic information (as defined at 29 CFR §2590.702-1(a)) for underwriting purposes. Underwriting purposes include:
      1. Rules for, or determination of, eligibility (including enrollment and continued eligibility) for, or determination of, benefits under the Plan (including changes in deductibles or other cost-sharing mechanisms in return for activities such as completing a health risk assessment or participating in a wellness program);
      2. The computation of premium or contribution amounts under the Plan (including discounts, rebates, payments in kind, or other premium differential mechanisms in return for activities such as completing a health risk assessment or participating in a wellness program); and
      3. The application of any pre-existing condition exclusion under the Plan.
         
         
  4. AUTHORIZATIONS.  
    1. Unless permitted or required by some other section of this Policy, the Plan will not use or disclose PHI without a valid authorization.
    2. The Plan will not sell PHI, nor will it use or disclose PHI for Marketing, without a valid authorization.
    3. An authorization will not be valid unless it meets the requirements and contains the elements set forth in 45 CFR §164.508(b) and (c). 
    4. The Plan will disclose PHI to the Employer for purposes other than those described in Paragraph 2 of this Policy only pursuant to a valid authorization.
       
       
  5. DISCLOSURES TO PERSONS INVOLVED IN THE CARE OF AN INDIVIDUAL. The Plan may disclose an individual’s PHI to the individual’s family member, other relative, close friend, or any other person identified by the individual, but only to the extent that the PHI is directly relevant to such person's involvement with the individual's health care or payment related to the individual's health care, as set forth in this Paragraph.
    1. If the individual is present for, or otherwise available prior to, a use or disclosure, and has the capacity to make health care decisions, the Plan may use or disclose the PHI if it obtains the individual's agreement, the individual does not object when given the opportunity to do so, or the Plan reasonably infers from the circumstances that the individual does not object to the disclosure.
    2. If the individual is not present, or the opportunity to agree or object to the use or disclosure cannot practicably be provided because of the individual's incapacity or an emergency circumstance, the Plan may, in the exercise of professional judgment, determine whether the disclosure is in the best interests of the individual and, if so, disclose only the PHI directly relevant to the person's involvement with the individual's care or payment related to the individual's health care, or needed for notification purposes.
       
       
  6. INAPPROPRIATE USES AND DISCLOSURES OF PHI
    1. All Workforce members shall promptly report in writing to the Privacy Officer any use or disclosure of PHI that is not permitted or required by this Policy.
    2. The Privacy Officer shall promptly investigate the report and determine in writing whether there has been a breach of unsecured PHI (as those terms are defined in 45 CFR §164.402).  
    3. If the Privacy Officer determines there has been a breach of unsecured PHI, the Plan shall notify affected individuals in writing by first-class mail (or by electronic mail if the individual has agreed to receive notices electronically) without unreasonable delay, and in no case more than 60 days after discovery of the breach, as required by 45 CFR §164.404.  The notice shall include a brief description of what happened, including the date of the breach and the date of its discovery, if known; a description of the types of unsecured PHI involved; steps individuals should take to protect themselves from potential harm; steps the Plan is taking to investigate the breach, mitigate the harm, and prevent further breaches; and contact information for individuals seeking more information.
    4. In the case of a breach involving 500 or more individuals, the Plan shall notify the Secretary of Health and Human Services contemporaneously with the notice to affected individuals, as required by 45 CFR §164.408.
    5. In the case of a breach involving more than 500 residents of a given State or jurisdiction, the Plan shall notify prominent media outlets serving the affected States or jurisdictions without unreasonable delay, and in no case more than 60 days after discovery of the breach, as required by 45 CFR §164.406. The notice shall include the same content as described in Paragraph 6.3 of this Policy.
    6. For breaches involving fewer than 500 individuals, the Plan shall maintain a log of the breaches and submit information regarding them to the Secretary of Health and Human Services annually, no later than 60 days after the end of the calendar year in which the breaches were discovered, as required by 45 CFR §164.408.
    7. Regardless of whether an inappropriate use and disclosure is a breach of unsecured PHI, the Plan shall mitigate, to the extent practicable, any harmful effects that become known to it from a use or disclosure of an individual's PHI in violation of HIPAA or this Policy.
    8. For inappropriate uses and disclosures reported by a Business Associate, the Plan shall take the same steps outlined above, or shall ensure that the Business Associate does so on behalf of the Plan.
       
       
  7. INDIVIDUAL RIGHTS
    1. An individual has the right to request, in writing, restrictions on uses and disclosures of the individual’s PHI that the Plan makes for Payment or Health Care Operations, disclosures made to persons involved in the individual’s care, and disclosures for disaster relief purposes.  The request must describe in detail the requested restriction.  The Plan is not required to agree to the request.   The Plan has the right to terminate a restriction to which it previously agreed; in that case, the Plan will notify the individual of the termination, and the termination applies only to PHI created or received after the individual has been so notified. An individual also has the right to terminate, in writing or orally, any agreed-to restriction.
    2. An individual has the right to request that communications regarding his or her PHI be made by alternative means or at alternative locations. The Plan must accommodate a reasonable request if the individual clearly states that disclosure of all or part of the information could endanger the individual.
    3. Requests related to the exercise of individual rights as provided in this Policy must be in writing, except as expressly provided, signed by the individual or the individual’s personal representative, and sent to the Privacy Officer.
    4. An individual has the right to request a copy of and/or inspect his or her PHI the Plan maintains and uses to make decisions about the individual.   
      1. The Plan will normally respond to requests within 30 days, but it may take an additional 30 days to respond if it notifies the individual during the initial 30-day period. 
      2. The Plan may deny access if the request involves psychotherapy notes or information compiled in anticipation of litigation. The Plan may also deny the request if a licensed health care provider determines that the release of the PHI may cause harm to the individual or to someone else identified in the PHI.  If the request is denied for this reason, the individual has the right to have the denial reviewed by a designated licensed health care professional who did not participate in the original decision. Regardless of the reason for the denial, the Plan will notify the individual in writing of the reason for its determination.
      3. If the Plan grants the request, it will provide the information in the form and format requested if it is readily reproducible in that form; otherwise, in readable hard copy, or if it exists, in electronic form, as the Plan and individual may mutually agree.  The Plan may also substitute a summary of the requested information if the parties mutually agree.
      4. The Plan may impose a reasonable cost-based fee to the individual, consisting of the cost of labor, copying, supplies, postage, and the mutually agreed cost of preparing a summary, if applicable.
    5. An individual has the right to request that PHI the Plan maintains about him or her be amended or corrected.  
      1. The Plan is not obligated to amend PHI that was not created by the Plan, is not maintained by the Plan, is not used by the Plan to make decisions about the individual’s benefits, is not available for inspection under the federal rules governing PHI, or is accurate and complete.  The Plan will respond in writing within 60 days.  The Plan may take an additional 30 days to respond if it notifies the individual during the initial 60-day period.
      2. If the Plan grants a request for amendment, it will make a reasonable effort to notify persons identified by the individual as needing it.
      3. If the Plan denies the request for an amendment, it will notify the individual in writing of the reasons for its denial.  The individual may send the Plan a statement of disagreement with the decision and the Plan will include that statement with the individual’s PHI.
    6. An individual has the right to request an accounting of certain disclosures of his or her PHI that the Plan has made as provided in HIPAA. An accounting request must state a time period no longer than six years and may not include dates before April 14, 2004.  The Plan will provide a list of the disclosures within 60 days.  However, the Plan may take an additional 30 days to provide the accounting if it notifies the individual within the initial 60-day period.  The first accounting requested in any 12-month period will be provided free of charge; the Plan may charge a reasonable, cost-based fee for subsequent accountings within that period, as permitted by HIPAA.

 

  8. DESIGNATION AND DUTIES OF THE PRIVACY OFFICER
    1. The Plan hereby designates the Employer’s Director of Human Resources as the Plan’s Privacy Officer.  The Privacy Officer may designate in writing other members of the Workforce to perform specified functions; however, the Privacy Officer will remain responsible for the discharge of those functions.
    2. The Privacy Officer shall serve as the contact person responsible for receiving complaints and handling communications related to this Policy.
    3. The Privacy Officer shall develop training materials and ensure that all members of the Employer’s or Plan’s Workforce who handle PHI are appropriately trained in the requirements of this Policy and applicable procedures. Each such individual must be trained before he or she handles any PHI.  Retraining of all affected members of the Workforce must occur whenever there is a material change in the Plan’s policies or procedures. 
    4. The Privacy Officer shall:
      1. develop, implement, and administer written procedures as needed to give effect to all provisions of this Policy;
      2. create, maintain, revise, and distribute the Plan’s Notice of Privacy Practices as required by 45 CFR §164.520;
      3. create, implement, and administer a procedure to manage complaints concerning the Plan’s policies, procedures, and compliance therewith;
      4. ensure the Plan and Employer maintain and apply appropriate sanctions against Workforce members who violate the Plan’s and Employer’s policies and procedures regarding the handling of PHI;
      5. handle all uses and disclosures of PHI that do not comply with the requirements of this Policy; and
      6. maintain all documentation required by this Policy for a period of six years from the date of its creation or the date when it was last in effect, whichever is later, including, but not limited to:
        1. This Privacy Policy, any procedures implemented pursuant to this Policy, and all Notices of Privacy Practices maintained by the Plan;
        2. All written communications required by this Policy;
        3. Training of workforce members and training materials;
        4. Complaints and complaint procedures;
        5. Sanction policies and sanctions applied in specific cases;
        6. Business Associate contracts;
        7. Authorizations signed pursuant to Paragraph 4 of this Policy; and
        8. Documentation related to the exercise of individual rights pursuant to Paragraph 7 of this Policy.
           
           
  9. RETALIATION AND WAIVER
    1. The Plan shall not intimidate, threaten, coerce, discriminate against, or take other retaliatory action against any individual for filing a complaint or exercising any right of the individual under this Policy.
    2. The Plan shall not require individuals to waive their rights under this Policy as a condition of the provision of treatment, payment, enrollment in the Plan, or eligibility for benefits.