United Service Workers Union 138-50 Queens Boulevard
Briarwood, NY 11435
Tel: (718) 658-4848
Fax: (718) 523-5722
Notice of Privacy Practices
NOTICE OF PRIVACY PRACTICES
We understand that medical information about you and your health is
personal and should be kept private.
Moreover, federal law imposes requirements on the United Welfare Fund – Welfare Division (the “Plan”
or the “Fund”) to ensure the privacy of your personally identifiable health
information. This Notice is
intended to summarize these rules and to inform you about:
We understand that medical information about you and your health is personal and should be kept private. Moreover, federal law imposes requirements on the United Welfare Fund – Welfare Division (the “Plan” or the “Fund”) to ensure the privacy of your personally identifiable health information. This Notice is intended to summarize these rules and to inform you about:
· The Plan’s uses and disclosures of Protected Health Information (“PHI”) (as defined below);
· Your privacy rights with respect to your PHI;
· The Plan’s duties with respect to your PHI;
· Your right to file a complaint with the Plan and the Secretary of the U.S. Department of Health and Human Services (the “Secretary”); and
· Who (the person or office) to contact for further information about the Plan’s privacy practices.
Generally, the term “Protected Health Information” (“PHI”) includes all individually identifiable health information concerning you that is maintained by the Plan. If you are a Fund employee, PHI does not include health information that is held by the Plan Sponsor (i.e., the Board of Trustees) in its role as your employer (for example, health information held for purposes of your employment records). “Unsecured PHI” is PHI that is not secured through the use of a technology or methodology that renders the PHI unusable, unreadable, or indecipherable.
PHI uses and disclosures by the Plan are regulated by a
federal law called the Health Insurance Portability and Accountability Act of
1996 (referred to as “HIPAA”) and the regulations that enforce HIPAA, as
amended by the Health Information Technology for Economic and Clinical Health
Act of 2009 (“HITECH”). You may
find these regulations at 45 Code of Federal Regulations Parts 160 and 164.
PHI uses and disclosures by the Plan are regulated by a federal law called the Health Insurance Portability and Accountability Act of 1996 (referred to as “HIPAA”) and the regulations that enforce HIPAA, as amended by the Health Information Technology for Economic and Clinical Health Act of 2009 (“HITECH”). You may find these regulations at 45 Code of Federal Regulations Parts 160 and 164.
Where group health plan benefits are provided through certificates of insurance, or as part of an organized health care arrangement that includes benefits provided under a certificate of insurance, the notice of privacy practices is provided directly by the applicable insurance company. Most Fund benefits are provided through certificates of insurance, and therefore you will also receive notices of privacy practices from the applicable health insurance company regarding their practices. This Notice describes the Fund’s practices with respect to any PHI that it handles directly or with respect to self-insured benefits.
This Notice is effective September 23, 2013.
Notice of PHI Uses and Disclosures
Generally, except for the purposes discussed below, the Plan cannot use or disclose your PHI without your written authorization. Moreover, if you provide authorization to use or disclose your PHI, you have the right to revoke your authorization at any time, except to the extent that the Plan has already relied upon it. To revoke a written authorization, please write to the Plan’s Privacy Officer.
Uses and Disclosures of PHI to Carry Out Treatment, Payment and Health Care Operations
The Plan and individuals or entities who the Plan has engaged to assist in its administration (called “business associates”) will use PHI to carry out “treatment,” “payment” and “health care operations” (these terms are described below). Neither the Plan, nor the business associates, requires your consent or authorization to use or disclose your PHI to carry out these functions.
“Treatment” includes the provision, coordination or management of health care and related services. This includes consultations and referrals between one or more of your health care providers, and the coordination or management of health care by a health care provider with a third party. For example, the Plan can disclose and discuss with your doctor or pharmacist other medications you may be receiving to reduce the chances that your taking a particular medication will result in unintended side effects.
“Payment” includes actions to determine your eligibility for Plan benefits, to facilitate payment for the treatment and services you receive from health care providers, to determine benefit responsibility under the Plan, or to coordinate coverage. Payment activities include billing, claims processing, subrogation, plan reimbursement, reviews for medical necessity and appropriateness of care, utilization review, and pre-authorizations. For example, the Plan can discuss your PHI with your doctor to make sure your claims are properly paid.
“Health care operations” include quality assessment and improvement, underwriting, premium rating, stop-loss (or excess-loss) coverage claims submissions, creation or renewal of insurance contracts, and other activities relating to Plan coverage. It also includes disease management, case management, conducting or arranging for medical review, legal services and auditing functions (including fraud and abuse compliance programs), business planning and development, business management, and general administrative activities. For example, the Plan may submit your health information to external auditors or agencies to assess the quality of a health plan. The Plan may also submit your health information to a stop-loss insurance carrier or to obtain pricing information.
Business associates provide business services to the Plan related to transactions with you like plan administration, claim processing, or audit services. Examples of third parties include medical insurers, third party administrators, consultants and reinsurance companies. The Plan requires business associates to agree, in writing, to maintain the confidentiality of the health information to which they are provided access and to notify us if there is a probable compromise of your Unsecured PHI. If a business associate discloses your health information to a subcontractor or vendor, the business associate will have a written contract to ensure that the subcontractor or vendor also protects the privacy of the information.
The Plan also may disclose PHI to employees of the Plan Sponsor if such employees assist in carrying out treatment, payment and health care operations, provided that the PHI is used for such purposes. These individuals receive training to ensure that they will protect the privacy of your health information and that it is used only as described in this notice or as permitted by law. Health information will generally not be disclosed to the Plan Sponsor in its capacity as Plan Sponsor, except that information regarding enrollment in the Plan or enrollment in a specific benefit will be disclosed to allow for payroll processing of premium payments. Summary health information may be provided to the Plan Sponsor, which may be used to shop for insurance or amend the Plan, but identifying information, such as your name or social security number, will not be included. Nonetheless, the Plan cannot use or disclose genetic information for underwriting purposes. Unless authorized by you in writing, your health information: (1) may not be disclosed by the Plan to any other employee or department of the Plan Sponsor, and (2) will not be used by the Plan Sponsor for any employment-related actions and decisions or in connection with any other employee benefit plan that it sponsors.
Most uses and disclosures of psychotherapy notes, uses and disclosures of PHI for marketing purposes, and disclosures that constitute a sale of PHI require your written authorization. The Plan will not disclose any of your health information for marketing purposes if the Plan will receive direct or indirect financial remuneration not reasonably related to the Plan’s cost of making the communication. The Plan will not sell your PHI to third parties. The sale of PHI, however, does not include a disclosure for public health purposes, for research purposes where the Plan will only receive remuneration for our costs to prepare and transmit the health information, for treatment and payment purposes, for sale, transfer, merger or consolidation of all or part of the Plan, for a business associate or its subcontractor to perform health care functions on the Plan’s behalf, or for other purposes as required and permitted by law.
Uses and disclosures not described in this Notice will be made only with your written authorization.
Uses and Disclosures of PHI for which Consent, Authorization or Opportunity to Object Is Not Required
HIPAA sets forth a limited number of additional situations in which the Plan may use or disclose your PHI without your authorization, including:
· When such uses or disclosures are required by law.
· When uses or disclosures are permitted for purposes of public health activities, including, but not limited to, preventing or controlling disease, injury or disability, and when necessary to report product defects in connection with FDA regulated products, to permit product recalls with respect to such products, and to conduct post-marketing surveillance. PHI may also be used or disclosed if you have been exposed to a communicable disease or are at risk of spreading a disease or condition, if authorized by law.
· When the Plan is authorized by law to allow reporting of information about abuse, neglect or domestic violence to public authorities, and there exists a reasonable belief that you may be a victim of abuse, neglect or domestic violence. In such cases, the Plan will promptly inform you that such a disclosure has been or will be made unless the notice would cause you a risk of serious harm. In instances of reports of child abuse or neglect, it is not necessary to inform the minor that such a disclosure has been or will be made. Disclosure may generally be made to the minor’s parents or other representatives, although there may be circumstances under federal or state law when the parents or other representatives may not be given access to the minor’s PHI.
· To a public health oversight agency for oversight activities authorized by law. This includes uses or disclosures in civil, administrative or criminal investigations; inspections; licensure or disciplinary actions (for example, to investigate complaints against providers); and other activities necessary for appropriate oversight of government benefit programs (for example, to investigate Medicare or Medicaid fraud).
· When required by judicial or administrative order, or in response to a subpoena, discovery request or other lawful process which is not accompanied by an order, provided that certain conditions are met. One of those conditions is that satisfactory assurances must be given to the Plan that (1) the requesting party has made a good faith attempt to provide written notice to you, or (2) the party seeking the information has made reasonable efforts to secure a qualified protective order.
· For law enforcement purposes, including for the purpose of identifying or locating a suspect, fugitive, material witness or missing person. Also, for disclosing information about you if you are suspected of being a victim of a crime, but only if you agree to the disclosure or the Plan is unable to obtain your agreement because of incapacity or emergency circumstances. Furthermore, the law enforcement official must represent that the information is not intended to be used against you, that the immediate law enforcement activity would be materially and adversely affected by waiting to obtain your agreement, and that disclosure is in your best interest as determined by the exercise of the Plan’s best judgment.
· When required to be given to a coroner or medical examiner for the purpose of identifying a deceased person, determining the cause of death, or other duties as authorized by law. Also, disclosure is permitted to funeral directors, consistent with applicable law, as necessary to carry out funeral directors’ duties with respect to the decedent.
· We may release your PHI to authorized federal officials for intelligence, counterintelligence, and other national security activities authorized by law.
· If you are an inmate of a correctional institution or are in the custody of a law enforcement official, we may disclose your protected health information to the correctional institution or law enforcement official if necessary (1) for the institution to provide you with health care; (2) to protect your health and safety or the health and safety of others; or (3) for the safety and security of the correctional institution.
· For cadaveric organ, eye or tissue donation purposes, to organ procurement or like entities.
· For research, when: (1) the individual identifies have been removed; or (2) when an institutional review board or privacy board has (a) reviewed the research proposal; and (b) established protocols to ensure the privacy of the requested information, and approves the research.
· When consistent with applicable law and standards of ethical conduct, if the Plan, in good faith, believes the use or disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public and the disclosure is to a person reasonably believed to be able to prevent or lessen the threat, including the target of the threat.
· When authorized by and to the extent necessary to comply with workers’ compensation or other similar programs established by law.
· If you are a member of the armed forces, we may release your PHI as required by military command authorities. We may also release PHI about foreign military personnel to the appropriate foreign military authority.
· If you do not object, you are not present, or your consent cannot be obtained because of your incapacity or an emergency circumstance, the Plan may, in the exercise of its professional judgment, disclose to your family member, relative, or other person who is responsible for your care, or for the payment of your care, your PHI directly relevant to such care or payment, if the Plan concludes that disclosure is in your best interests, including following your death.
· For fundraising purposes, if the information used or disclosed is demographic information, including name, address, or other contact information, age, gender, and date of birth, dates of health service information, department of service information, treating physician, outcome information, and/or health insurance status. Each fundraising communication made to you will provide you with an opportunity to opt-out of receiving any further fundraising communications. The Plan will also provide you with an opportunity to opt back in to receive such communications if you should choose to do so.
· For those specialized government functions set forth in the regulations promulgated pursuant to HIPAA or such other purposes provided under HIPAA.
Your Rights as Individuals
Right to Request Restrictions on Uses and Disclosures of PHI
If you wish, you may (1) request that the Plan restrict uses and disclosures of your PHI to carry out treatment, payment or health care operations, or (2) request that the Plan restrict uses and disclosures of your PHI to family members, relatives, friends or other persons identified by you who are involved in your care or the payment for your care. Please note, however, that the Plan is not required to agree to your request. You have the right to request that your provider not disclose health information to the plan if you have paid for a service in-full, and the disclosure is not otherwise required by law. The request for restriction to the Plan will only be applicable to that particular service. You will have to request a restriction for each service thereafter from your provider.
We are required to disclose your PHI to the Secretary when the Secretary is investigating or determining our compliance with the HIPAA privacy rule.
You or your personal representative will be required to complete a form to request restrictions on uses and disclosures of your PHI.
The Plan will accommodate reasonable requests to receive communications of PHI by alternative means or at alternative locations to better ensure your privacy. Requests for restrictions and to receive communications by alternative means or at alternative locations should be made to the following: Joseph M. Pecora, Fund Administrator and Privacy Officer, 138-50 Queens Boulevard, Briarwood, New York 11435.
Right to Inspect and Copy PHI
You also have a right to inspect and obtain paper or electronic copies of your PHI to the extent that it is contained in a “designated record set.” If you would like an electronic copy of your health information maintained by the Plan, it will provide you a copy in the electronic form and format as requested as long as it can readily be produced in such form and format. Otherwise, the Plan will cooperate with you to provide a readable electronic form and format as agreed. This right extends for as long as the Plan maintains the PHI, but does not apply to: psychotherapy notes; information compiled in anticipation of, or for use in, a civil, criminal or administrative action or proceeding; or information subject to the Clinical Laboratory Improvement Amendments of 1988 (to the extent that providing access to that information would be prohibited by law), and information which is exempt from those Amendments. If the Plan denies your request to inspect and copy your PHI, we will provide such denial in writing. Generally, if you are denied access to health information, you may request a review of the denial in accordance with the instructions in the denial letter.
A “designated record set” includes: medical records and billing records about individuals which are maintained by or for a covered health care provider; enrollment, payment, billing, claims adjudication and case or medical management record systems maintained by or for a health plan; and other information used by or for a covered entity to make decisions about individuals. Information used for quality control or peer review analyses and not used to make decisions about individuals is not considered part of a designated record set.
The requested information will be provided within 30 days if the information is maintained on site, or within 60 days if the information is maintained offsite. A single 30-day extension is allowed if the Plan is unable to comply with the deadline.
You or your personal representative will be required to complete a form to request access to the PHI in your designated record set. Requests for access to PHI should be made to the following officer: Joseph M. Pecora, Fund Administrator and Privacy Officer, 138-50 Queens Boulevard, Briarwood, New York 11435.
If access is denied, you or your personal representative will be provided with a written denial setting forth the basis for the denial, a description of how you may exercise review rights with respect to the denial, and a description of how you may complain to the Secretary.
Right to Amend PHI
You have the right to request that the Plan amend your PHI or a record about you in a designated record set that is inaccurate or incomplete for as long as the PHI is maintained in the designated record set.
The Plan has 60 days after the request is made to act on the request. A single 30-day extension is allowed if the Plan is unable to comply with the deadline. If the request is denied in whole or part, the Plan must provide you with a written denial that explains the basis for the denial. You or your personal representative may then submit a written statement disagreeing with the denial and have that statement included with any future disclosure of your PHI.
Requests for amendment of PHI in a designated record set should be made in written form, including a statement explaining the reason for the amendment: Joseph M. Pecora, Fund Administrator and Privacy Officer, 138-50 Queens Boulevard, Briarwood, New York 11435.
You or your personal representative will be required to complete a form to request amendment of the PHI in your designated record set.
The Right to Receive an Accounting of PHI Disclosures
· At your request, the Plan will also provide you with an accounting of disclosures of your PHI by the Plan and/or the Plan’s business associates during the period covered by your request (which may be a period of up to six years prior to the date of your request for paper records or three years prior to the date of your request for “Electronic Health Records,” as defined in HITECH). Unless required by law, the accounting will not include disclosures: for purposes of treatment, payment, or health care operations (except in the case of disclosures that involve “Electronic Health Records,” as defined in HITECH);
· made to you;
· made pursuant to your authorization;
· made to friends or family in your presence or because of an emergency;
· made for national security purposes;
· incidental to a use or disclosure otherwise permitted or required by law;
· as part of a limited data set; and
· incidental to otherwise permissible disclosures.
If the accounting cannot be provided within 60 days, an additional 30 days is allowed if the Plan gives you a written statement of the reasons for the delay and the date by which the accounting will be provided.
If you request more than one accounting within a 12-month period, the Plan will charge a reasonable, cost-based fee for each subsequent accounting.
You have the right to be notified if there is a probable compromise of your Unsecured PHI within sixty (60) days of the discovery of the breach. The notice will include:
· a brief description of what happened, including the date of the breach and the discovery of the breach;
· a description of the type of Unsecured PHI that was involved in the breach;
· any steps you should take to protect yourself from potential harm resulting from the breach;
· a brief description of the investigation into the breach, mitigation of harm to you and protection against further breaches; and
· contact procedures to answer your questions.
An individual may exercise his/her rights under this notice through a personal representative. If you have a personal representative, he/she will, unless otherwise allowed by law, be required to produce evidence of his/her authority to act on your behalf before he/she will be given access to your PHI or allowed to take any action for you. Proof of such authority may take one of the following forms:
· A power of attorney for health care purposes, notarized by a notary public;
· a court order of appointment of the person as your conservator or guardian; or
· proof that the representative is your parent (if you are a minor child).
The Plan retains discretion to deny access to your PHI to a personal representative to provide protection to you if it is believed that you may be subject to abuse or neglect. This also applies to personal representatives of minors.
Copies of This Notice
You have a right to obtain a paper copy of this notice from the Plan upon request. You may ask us to give you a copy of this notice at any time. Even if you have agreed to receive this notice electronically, you are still entitled to a paper copy of this notice.
To obtain a paper copy of this notice, contact Joseph M. Pecora, Fund Administrator and Privacy Officer, 138-50 Queens Boulevard, Briarwood, New York 11435, 718-658-4848.You may obtain a copy of this notice on the Plan’s webpage:
The Plan’s Duties
Federal law requires the Plan to maintain the privacy of PHI in accordance with HIPAA and provide individuals (participants and beneficiaries) with notice of the Plan’s legal duties and privacy practices. The Plan is required to abide by the terms of the privacy notice then in effect. The Plan reserves the right to change its privacy practices and to apply the changes to any PHI received or maintained by the Plan. If a privacy practice is materially changed, a revised version of this notice will be provided to all current Plan participants.
In the event of any material change to the uses or disclosures, the individual’s rights, the duties of the Plan or other privacy practices stated in this notice, a revised version of this notice will be posted to the Plan’s website by the effective date of the material change, and a hard copy of the revised notice (or information about the material change and how to obtain the revised notice) will be provided in the Plan’s next annual mailing. Alternatively, a revised copy may be distributed within 60 days of the effective date of any material change, and the revised notice will also be available on the Plan’s website.
Minimum Necessary Standard
Until DHHS releases further guidance regarding the minimum necessary standard, the Plan will limit disclosures and uses of PHI to the information contained in a limited data set. However, if it is not practicable for the Plan to limit its use or disclosure of PHI to a limited data set, then the Plan will make reasonable efforts not to use, disclose or request more than the minimum amount of PHI necessary to accomplish the intended purpose of the use, disclosure or request, taking into consideration practical and technological limitations. Where practicable, the Plan will limit uses or disclosures to a limited data set.
However, the minimum necessary standard will not apply in the following situations:
· disclosures to or requests by a health care provider for treatment purposes;
· uses or disclosures made to you;
· uses or disclosures authorized by you;
· disclosures made to the Secretary;
· uses or disclosures that are required by law; and
· uses or disclosures that are required by the Plan’s compliance with legal requirements.
De-Identified Information, Limited Data Sets, and Summary Information
This notice does not apply to health information that has been de-identified. De-identified information is information that does not identify an individual (i.e., you) and with respect to which there is no reasonable basis to believe that the information can be used to identify you.
In addition, the Plan may use or disclose information in a limited data set, provided that the Plan enters into a data use agreement with the limited data set recipient that complies with the federal privacy regulations. A limited data set is PHI which excludes certain direct identifiers relating to you and your relatives, employers and household members.
The Plan may disclose “summary health information” to the Plan Sponsor without your authorization if the Plan Sponsor requests the summary information for the purpose of obtaining premium bids from health plans for providing health insurance coverage under the Plan, or for modifying, amending or terminating the Plan. “Summary health information” means information that summarizes the claims history, claims expenses, or type of claims experienced by individuals for whom the Plan Sponsor has provided health benefits under the Plan, and from which most identifying information has been deleted. The Plan may also disclose to the Plan Sponsor information on whether an individual is participating in the Plan and the coverage in which an individual has enrolled.
Your Right to File a Complaint With the Plan or the Secretary
If you believe that your privacy rights have been violated, you may complain to the Plan by contacting the following individual, at the following street address, telephone number and e-mail address: Joseph M. Pecora, Fund Administrator and Privacy Officer, 138-50 Queens Boulevard, Briarwood, New York 11435, 718-658-4848, email@example.com.
You may also file a complaint with the Secretary of the U.S. Department of Health and Human Services, Hubert H. Humphrey Building, 200 Independence Avenue S.W., Washington, D.C. 20201.
The Plan will not retaliate against you for filing a complaint.
Who to Contact at the Plan for More Information
If you have any questions regarding this notice or the subjects addressed in the notice, you may contact the privacy officer at the following street address, telephone number and e-mail address: Joseph M. Pecora, Fund Administrator and Privacy Officer, 138-50 Queens Boulevard, Briarwood, New York 11435, 718-658-4848, firstname.lastname@example.org.
This notice represents the Plan’s efforts to summarize the privacy regulations under HIPAA. In the event of a discrepancy between the terms or requirements of this notice and the privacy regulations themselves, the terms of the regulations shall prevail.
| | Share