Your HIPAA Rights
THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED
AND HOW YOU CAN GET ACCESS TO THIS INFORMATION.
PLEASE REVIEW IT CAREFULLY.
Effective as revised September 23, 2013
UNITED FOOD & COMMERCIAL WORKERS UNIONS
AND FOOD EMPLOYERS BENEFIT FUND
NOTICE OF PRIVACY PRACTICES
General Information About This Notice
If you have any questions regarding this Notice, please contact:
Southern California United
Food & Commercial Workers
Unions and Food Employers
Cypress, California 90630
Phone: (714) 220-2297 ext 380
Fax: (714) 236-9372
The United Food & Commercial Workers Unions and Food Employers Benefit Fund (the “Plan”) is committed to maintaining the confidentiality of your private medical information. This Notice describes our efforts to safeguard your health information from improper or unnecessary use or disclosure. This Notice only applies to health-related information created or received by or on behalf of the Plan. We are providing this Notice to you because privacy regulations issued under federal law, the Health Insurance Portability and Accountability Act of 1996, 45 CFR Parts 160 and 164 (“HIPAA”), require us to provide you with a summary of the Plan’s privacy practices and related legal duties, and your rights in connection with the use and disclosure of your Plan information. The Plan must abide by the terms of this Notice currently in effect.
In this Notice, the terms “Plan,” “we,” “us,” and “our” refer to the Plan, all Plan employees involved in the administration of the Plan, and third parties to the extent they perform administrative services for the Plan. When third party service providers perform administrative functions for the Plan, we require them to appropriately safeguard the privacy of your information.
- If you are enrolled in an HMO you will also receive a separate notice from your HMO provider that describes the HMO provider’s specific use and disclosure of your health information. Your rights with respect to their use and disclosure of your health information are set forth in that separate notice.
What is Protected?
HIPAA privacy law requires the Plan to have a special policy for safeguarding a category of medical information called “protected health information,” or “PHI,” received or created in the course of administering the Plan. PHI is health information that can be used to identify you and that relates to: (1) your physical or mental health condition, (2) the provision of health care to you, or (3) payment for your health care. Your medical and dental records, your claims for medical and dental benefits, and the explanation of benefits (“EOB’s”) sent in connection with payment of your claims are all examples of PHI.
The remainder of this Notice generally describes our rules with respect to your PHI received or created by the Plan.
Uses and Disclosures of Your PHI
The Plan is required to maintain the privacy of your PHI in accordance with HIPAA. To protect the privacy of your PHI, the Plan not only guards the physical security of your PHI, but we also limit the way your PHI is used or disclosed to others. We may use or disclose your PHI in certain permissible ways described below. To the extent required under federal health information privacy law, we use the minimum amount of your PHI necessary to perform these tasks.
- To determine proper payment of your Health Plan benefit claims. The Plan uses and discloses your PHI to reimburse you or your doctors or health care providers for covered treatments and services. For example, your diagnosis information may be used to determine whether a specific procedure is medically necessary or to reimburse your doctor for your medical care. The Plan may use and disclose your PHI to determine eligibility for benefits; to determine the amount of Plan benefits for the health care services received and to otherwise manage and process claims; and to conduct utilization review activities. The Plan may also use and disclose your PHI for other payment purposes as permitted by HIPAA.
- For the administration and operation of the Plan. We may use and disclose your PHI for numerous administrative and quality control, assessment and improvement functions necessary for the Plan’s proper operation. For example, we may use your claims information for fraud and abuse detection activities; to review and evaluate providers; to conduct data analyses for health improvement, cost-control, protocol development or planning related purposes; or in connection with the merger or consolidation of the Plan and/or its plans with another plan. The Plan may also use your PHI to provide you with customer service; to submit claims for stop-loss (or excess loss) coverage; to conduct or arrange for medical review, legal services, audit services (including the disclosure of certain information to an employer regarding claims that should not have been paid because a person was not eligible or otherwise not entitled to coverage); to create limited data sets or de-identified health information in accordance with the requirements of HIPAA. The Plan may use and disclose PHI about you for enrollment, underwriting and premium rating purposes and other activities related to the creation, renewal or replacement of a contract of health insurance or health benefits. However, the Plan will not use or disclose "genetic information” for “underwriting purposes” (as such terms are defined by HIPAA). The Plan may also use and disclose your PHI for such other healthcare operations of the Plan as permitted by HIPAA.
- To inform you or your health care provider about treatment alternatives or other health-related benefits that may be offered under the Plan. For example, we may use your claims data to alert you to an available case or disease management program or care coordination program if you are diagnosed with certain diseases or illnesses, such as diabetes. If case management is required, the Plan may use or disclose PHI to health care providers to coordinate or help manage treatment. If your plan requires precertification for hospitalization or certain procedures or diagnostic services, the Plan may use or disclose PHI to health care providers to assist in determining an appropriate course of treatment. The Plan may also contact you to provide you information about other health-related benefits or services that may be of interest to you, including health-related products or services (or payment for such product or service) that is provided by, or included in your Plan benefits, or other health-related products or services, only available to you, that add value to, but are not part of, your Plan benefits.
- To a health care provider if needed for your treatment.
- To a health care provider or to another health plan to coordinate benefit coverage between the Plan and the other plan and to determine proper payment of your claim. For example, we may exchange your PHI with your spouse’s health plan for coordination of benefits purposes, or the Plan may discuss your specific medical history with a health care provider to determine a particular treatment’s medical necessity.
- To another health plan for certain administration and operations purposes. We may share your PHI with another health plan or health care provider who has a relationship with you for quality assessment and improvement activities, to review the qualifications of health care professionals who provide care to you, or for fraud and abuse detection and prevention purposes. The Plan may also use and disclose your PHI for other treatment purposes as permitted by HIPAA.
- To your family members, other relatives, your close personal friends, and any other person you choose to identify if: (a) the information is directly relevant to the family members’, other relatives’, close personal friends’ or other person’s involvement with your care or payment for that care (including if you are deceased, subject to certain limitations with respect to your prior expressed preferences which are known to the Plan), or (b) the information is used or disclosed to notify, or assist in the notification of, a family member, Personal Representative, or another person responsible for your care, of your location, general condition, or death (the Plan may also disclose your PHI to disaster relief agencies or entities for the same purposes). If you are present for, or otherwise available prior to a use or disclosure permitted above, and you have the capacity to make health care decisions, the Plan will not use or disclose your PHI to your family and friends unless (i) the Plan obtains your agreement, or provides you with an opportunity to object to the use and disclosure of your PHI and you express no objections to such use and disclosure, or (ii) the Plan can reasonably infer from the circumstances that you do not object to such use and disclosure. The Plan may also disclose PHI to the persons and entities and for the purposes set forth above in emergency circumstances or if you are incapacitated, and the Plan reasonably believes to be in your best interests and relevant to that person's involvement in your care.
- For Plan design activities or to collect Plan contributions. The Plan may use summary or de-identified health information for Plan design activities. In addition, Plan employees may use information about your enrollment or disenrollment in a Plan in order to collect contributions that pay for your Plan participation.
- To the Plan Sponsor. The Plan may disclose PHI to the Plan sponsor, the Board of Trustees, to the extent provided by a rule of the Plan, provided that the sponsor protects the privacy of the PHI and it is only used for the permitted purposes described in this Notice.
- For fundraising. The Plan may use, and disclose to a business or to an institutionally related foundation, certain types of protected health information for the purpose of raising funds. The type of information that may be disclosed under this exception to the authorization requirement is (1) demographic information relating to an individual, (2) dates of health care provided to an individual, and (3) health insurance status. The Plan may also contact you to raise funds as permitted by HIPAA and you have a right to opt out of receiving such communications.
- To Business Associates. The Plan may disclose PHI to other people or businesses that provide services to the Plan and which need the PHI to perform those services. These people or businesses are called business associates, and the Plan will have a written agreement with each of them requiring each of them to protect the privacy of your PHI. For example, the Plan may have hired a consultant to evaluate claims or suggest changes to the Plan, for which he needs to see PHI.
- To comply with, or as otherwise required by, an applicable federal, state, or local law.
- For public health reasons, including (1) to a public health authority for the prevention or control of disease, injury or disability; (2) to a proper government or health authority to report child abuse or neglect; (3) to report reactions to medications or problems with products regulated by the Food and Drug Administration; (4) to notify individuals of recalls of medication or products they may be using; (5) to a proper government or health authority to report births and deaths; or (6) to notify a person who may have been exposed to a communicable disease or who may be at risk for contracting or spreading a disease or condition.
- To report a suspected case of abuse, neglect or domestic violence to a law enforcement official or other government authority, as permitted or required by applicable law.
- To comply with health oversight activities, such as audits, investigations, inspections, licensure actions, and other government monitoring and activities related to health care provision or public benefits or services.
- To the U.S. Department of Health and Human Services to demonstrate our compliance with federal health information privacy law.
- To respond to an order of a court or administrative tribunal, a court-ordered warrant, a subpoena or summons issued by a judicial officer, a grand jury subpoena, or an administrative request (including an administrative subpoena or summons, a civil or an authorized investigative demand, or similar process).
- To respond to a subpoena, discovery request, or other lawful process (in the course of any judicial or administrative proceeding), if (1) the Plan receives satisfactory assurances from the party seeking the information that reasonable efforts have been made by such party to ensure that you have been given notice of the request or to secure a protective order, or (2) the Plan makes reasonable efforts to provide such notice or to secure a protective order.
- To a law enforcement official for a law enforcement purpose, including (1) to identify or locate a suspect, fugitive, material witness, or missing person; (2) about the victim of a crime if, under certain limited circumstances, the Plan is unable to obtain such person's agreement; (3) about a death the Plan believes may be the result of criminal conduct; (4) about criminal conduct at a Plan office or Plan facility; or (5) as otherwise required by applicable law.
- For purposes of public safety, national security or protective services, including (1) when necessary to prevent a serious threat to your health and safety or the health and safety of the public or another person, or as necessary, under certain conditions, for law enforcement authorities to identify or apprehend an individual; (2) for intelligence, counterintelligence, and other national security activities authorized by law; or (3) for the provision of protective services to the President or other persons receiving Federal protective services, as authorized by applicable law.
- To allow a coroner or medical examiner to make an identification or determine cause of death or to allow a funeral director to carry out his or her duties.
- To respond to a request by military command authorities if you are or were a member of the armed forces.
- For cadaveric organ, eye or tissue donation purposes, including, if you are an organ donor, as necessary to facilitate organ, eye or tissue donation and transplantation.
- To a correctional institution or a law enforcement official having lawful custody of an inmate or other individual, if necessary for: (1) the provision of health care to such individual; (2) the health and safety of such individual, other inmates, the officers or employees of or others at the correctional institution, or the officers or other persons responsible for the transporting such individuals; (3) law enforcement on the premises of the correctional institution; or (4) the administration and maintenance of the safety, security, and good order of the correctional institution.
- For workers’ compensation purposes, including as authorized by and to the extent necessary to comply with laws relating to workers' compensation or other similar programs.
- For limited research purposes, if the Plan obtains one of the following: (1) documented institutional review board or privacy board approval or waiver; (2) representations from the researcher that the use or disclosure is being used solely for preparatory research purposes; (3) representations from the researcher that the use or disclosure is solely for research on the PHI of decedents; or (4) an agreement to exclude specific information identifying the individual.
- Incident to a permitted use or disclosure. The Plan may use and disclose protected health information incident to any use or disclosure permitted or authorized by law.
- As part of a limited data set that meets the technical requirements of 45 Code of Federal Regulations, Section 164.514(e), if the Plan has entered into a data use agreement with the recipient of the limited data set.
Absent your written authorization, Plan employees will only use or disclose your PHI as described in or permitted by this Notice. If an applicable state law provides greater health information privacy protections than the federal law, we will comply with the stricter applicable state law.
Use or Disclosure of Psychotherapy Notes
It is not the Plan’s standard practice to access any psychotherapy notes kept by behavioral health providers. However, in the event the Plan needs access to these notes, such notes cannot be used or disclosed without your written authorization (except in certain limited situations permitted by HIPAA addressed below). If you elect not to provide written authorization, the notes will not be used or disclosed; provided the Plan may use or disclose psychotherapy notes as required by applicable law or as permitted by applicable law. For example, the Plan may use or disclose psychotherapy notes as necessary to defend itself in a legal action or other proceeding brought by you or on your behalf or as necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public, and the Plan may disclose psychotherapy notices to public health oversight agencies and coroners and medical examiners as permitted by HIPAA.
Disclosure of PHI for Marketing Purposes; Sale of PHI
Except in the limited circumstances permitted by HIPAA or other applicable law, the Plan may not (1) use or disclose your PHI to market services or products to you, (2) provide your PHI to anyone else for marketing purposes, or (3) sell your PHI, without your written authorization. Your authorization is not required for marketing communications in the form of a face-to-face communication made by the Plan to you or a promotional gift of nominal value provided by the Plan.
Other Uses and Disclosures of Your PHI; Revocation of Authorization
Before we use or disclose your PHI for any purpose other than those listed above or otherwise provided for herein, we must obtain your written authorization. You may revoke your authorization, in writing, at any time. If you revoke your authorization, the Plan will no longer use or disclose your PHI except as described above (or as permitted by any other authorizations that have not been revoked). However, please understand that we cannot retrieve any PHI disclosed to a third party in reliance on your prior authorization.
Federal law provides you with certain rights regarding your PHI. Parents of minor children and other individuals with legal authority to make health decisions for a Plan participant may exercise these rights on behalf of the participant, consistent with state law.
Right to request restrictions: You have the right to request a restriction or limitation on the Plan’s use or disclosure of your PHI. For example, you may ask us to limit the scope of your
You may make a request for restriction on the use and disclosure of your PHI by completing the appropriate request form available from the Plan
Right to receive confidential communications: You have the right to request that the Plan communicate with you about your PHI at an alternative address or by alternative means if you believe that communication through normal business practices could endanger you. For example, you may request that the Plan contact you only at work and not at home.
You may request confidential communication of your PHI by completing an appropriate form available from the Plan. We will accommodate all reasonable requests if you clearly state that you are requesting the confidential communication because you feel that disclosure in another way could endanger your safety.
Right to inspect and obtain a copy of your PHI: You have the right to inspect and obtain a copy of your PHI that is contained in a designated record set (as defined by HIPAA) (e.g., records that the Plan maintains for enrollment, payment, claims determination, or case or medical management activities). If such PHI is maintained electronically, you may request such PHI in an electronic format. The Plan will work with you to provide such PHI in the form and format you request or in a satisfactory alternative if such PHI is not readily producible in such form and format. You may also direct that such PHI be sent to another person or entity.
However, this right does not extend to (1) psychotherapy notes, (2) information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding, and (3) any information, including PHI, as to which the law does not permit access. We will also deny your request to inspect and obtain a copy of your PHI if a licensed health care professional hired by the Plan has determined that giving you the requested access is reasonably likely to endanger the life or physical safety of you or another individual or to cause substantial harm to you or another individual, or that the record makes references to another person (other than a health care provider), and that the requested access would likely cause substantial harm to the other person.
In the event that your request to inspect or obtain a copy of your PHI is denied, you may have that decision reviewed. A different licensed health care professional chosen by the Plan will review the request and denial, and we will comply with the health care professional’s decision.
You may make a request to inspect or obtain a copy of your PHI by completing the appropriate form available from the Plan. We may charge you a fee to cover the costs of copying, mailing or other supplies directly associated with your request. You will be notified of any costs before you incur any expenses.
Right to amend your PHI: You have the right to request an amendment of your PHI in a designated record set if you believe the information the Plan has about you is incorrect or incomplete. You have this right as long as your PHI is maintained by the Plan in a designated record set. The Plan may deny your request to amend if the PHI or the record that is the subject of the request (1) was not created by the Plan, unless the person or entity that originally created the PHI is no longer available to make the amendment, (2) is not a part of the designated record set, (3) would not be available to you under your right to inspect and copy discussed above, or (4) is accurate and complete.
If the Plan denies any portion of your request to amend, it will give you a written denial decision discussing the basis for the denial and give you the opportunity to submit a written statement of disagreement with the Plan’s decision. Any such written statement of disagreement that you submit must contain an explanation of the basis for your disagreement. The Plan has the right to prepare a rebuttal statement to your statement of disagreement. Any such rebuttal will be provided to you and added, along with the denial decision and your statement of disagreement, to the information or record which is the subject of the request.
You may request amendments of your PHI by completing the appropriate form available from the Plan. Be sure to include evidence to support your request because the Plan cannot amend PHI that the Plan believes to be accurate and complete.
Right to receive an accounting of disclosures of PHI: You have the right to request a list of certain disclosures of your PHI by the Plan. Except as may otherwise be required by law, the Plan is not obligated to give you an accounting or list of disclosures made (1) to carry out treatment, payment and health care operations, (2) to you, (3) incident to a use or disclosure permitted or required by law, (4) pursuant to an authorization provided by you, (5) for certain directories or to people involved in your care or other notification purposes as permitted by law, (6) for national security or intelligence purposes, (7) to correctional institutions or law enforcement officials, (8) that are part of a limited data set, or (9) that occurred prior to April 14, 2003, or more than six years before your request. Your first request for an accounting within a 12-month period will be free. We may charge you for costs associated with providing you additional accountings. We will notify you in advance of any costs, and you may choose to withdraw or modify your request before you incur any expenses.
You may make a request for an accounting by completing the appropriate request form available from the Plan.
Right to Receive Notice: The Plan must notify you following the acquisition, access, use or disclosure of your unsecured PHI in a manner that is impermissible under the HIPAA privacy rules, unless there is a low probability that such PHI was compromised (or notification is not otherwise required under HIPAA).