14.3 HIPAA Privacy Policy – Hands Off
14.3.1 POLICY STATEMENT
The Macalester College Health Plan, a “covered entity” for purposes of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), has developed this HIPAA Privacy Policy in order to comply with the requirements under the HIPAA privacy regulations and guidelines. The Health Plan is a fully-insured health plan sponsored by Macalester College (Plan Sponsor). The Health Plan intends to maintain a “hands-off” approach to medical information associated with or generated by the Health Plan. The Health Plan shall conduct its business in accordance with this HIPAA Privacy Policy.
14.3.2 POLICY INTERPRETATION AND IMPLEMENTATION
| Protected Health Information (PHI) | Neither the Health Plan nor the Plan Sponsor (or any member of the Plan Sponsor’s workforce) shall create or receive protected health information (PHI) other than specifically described below.The Health Plan does not create, maintain or receive PHI except for:Enrollment/disenrollment information;Summary health information; andPeriodic review of status.Summary health information may be used by the Plan Sponsor for two limited purposes, (1) obtaining premium bids for providing health insurance coverage under the Health Plan, and (2) modifying, amending or terminating the Health Plan. |
| Summary Health Info rmation | Summary health information is information that summarizes the claims history, expenses, or types of claims by individuals for whom the Plan Sponsor has provided health benefits under the Health Plan. |
| Notice of Privacy Practices | The insurance company for the Health Plan is a covered entity under HIPAA in its own right. As such, it provides a Notice of Privacy Practices (NPP) and will satisfy the other requirements under HIPAA related to the PHI of individuals covered under the Health Plan. That NPP will notify individuals of the potential disclosure of summary health information and enrollment/disenrollment information to the Health Plan and the Plan Sponsor. |
| Restrictions on Intimidating or Retaliatory Acts | The Health Plan shall refrain from intimidating, threatening, coercing, discriminating against, or taking other retaliatory action against individuals for:Exercising their HIPAA privacy rights;Filing a complaint;Participating in an investigation; orOpposing any improper practice under HIPAA.If such an action should occur by one of the Plan Sponsor’s employees, the action shall not be attributed to the Health Plan unless the employee was acting in a capacity on behalf of the Health Plan as a covered entity. |
| No Waiver Required | The Health Plan shall not require an individual to waive his or her privacy rights under HIPAA as a condition of treatment, payment, enrollment or eligibility. If such an action should occur by one of the Plan Sponsor’s employees, the action shall not be attributed to the Health Plan unless the employee was acting in a capacity on behalf of the Health Plan as a covered entity. |
| Periodic Review | Periodically, the Health Plan will review its operating practices to ensure they are in compliance with this HIPAA Privacy Policy. |
| Violations | Violations of this policy will be subject to discipline. |