14.5 Notice of Privacy Practices
14.5.1 POLICY STATEMENT
Each individual that is the subject of Protected Health Information (PHI) must receive a Notice of Privacy Practices (NPP) describing (1) the uses and disclosures of his/her PHI that may be made by or on behalf of the Health Plan, (2) the individual’s rights, and (3) the Health Plan’s legal duties with respect to the individual’s PHI.
14.5.2 POLICY INTERPRETATION AND IMPLEMENTATION
| Issue of NPP | Individuals who are covered under the Health Plan will be provided with a copy of the Health Plan’s NPP; |
| Content of NPP | NPPs must be prepared in easy to read language and contain, as a minimum, the following elements:A statement indicating how medical information about the individual may be used and disclosed and how the individual can obtain access to such information;A description, including at least one example, of the types of uses and disclosures that the Health Plan is permitted to make for purposes of treatment, payment and healthcare operations, with sufficient detail to place an individual on notice of the uses and disclosures permitted or required;A description of each of the other purposes for which the Health Plan is permitted or required to use or disclose PHI without the individual’s consent or authorization, with sufficient detail to place an individual on notice of the uses and disclosures permitted or required;A statement that other uses or disclosures will be made only with the individual’s written authorization, and that the authorization may be revoked in accordance with the policy on authorization;A statement of the individual’s rights with respect to his/her PHI, and a brief description of how the individual may exercise those rights, including:The right to request restrictions on certain uses/disclosures of PHI, and the fact that the Health Plan does not have to agree to such restrictions;The right to receive confidential communications of PHI;The right to inspect and copy PHI;The right to amend PHI;The right to receive an accounting of disclosures of PHI; andThe right to receive a paper copy of the privacy notice.A statement of the Health Plan’s duties with respect to PHI, including statements:That the Health Plan is required by law to maintain the privacy of PHI and to provide individuals with notice of its legal duties and privacy practices;That the Health Plan is required to abide by the terms of its current effective privacy notice; andThat the Health Plan reserves the right to change the terms of the notice and make a new notice provision effective for all PHI maintained, along with a description of how the Health Plan will provide individuals with the revised noticeA statement that individuals may complain to the Health Plan and to the Secretary of the U.S. Department of Health and Human Services about privacy rights violations, including a brief statement about how a complaint may be filed and an assurance that the individual will not be retaliated against for filing a complaint;The name, or title, and telephone number of the Health Plan’s HIPAA Privacy Officer to contact for further information;The name, telephone number and address of the person designated by the Health Plan to receive complaints regarding the Health Plan’s privacy practices; andThe effective date of the NPP, which may not be earlier than the date printed or published. |
| Distribution of NPP | The Health Plan will distribute the NPPs at the times specified below:On the Health Plan’s initial compliance date;At the time of enrollment in the Health Plan for new enrollees; andWithin 60 days of a material revision of the NPP to individuals covered by the Health Plan.The NPP will be distributed no less frequently than once every three years.The NPP will be delivered by first class mail to the address of record on file with the Health Plan. |
| Posting of NPP | A copy of the NPP will be posted on the web page of the employer sponsoring the Health Plan. The HIPAA Privacy Officer is responsible for prompt distribution of changes to the privacy notice. |
| Record Retention | A copy of all HIPAA covered information and any revisions shall be maintained for a period of at least six (6) years. Such retention may be in printed or electronic format, or both. |
| Privacy Officer | The Privacy Officer is responsible for the development and implementation of the HIPAA policies and procedures. The Privacy Officer is also the contact person for any questions or complaints regarding HIPAA. Questions or concerns about HIPAA rights should be directed to the Privacy Officer during regular business office hours Monday through Friday, except holidays, at (651) 696-6280. |
| Violations | Violations of this policy will be subject to discipline. |