Notice of Privacy Practices
THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION.
PLEASE REVIEW IT CAREFULLY.
This notice is effective: August 1, 2024
Who Will Follow This Notice
This notice describes the medical information practices of the OKHEEI Health Plan (the Plan) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH) and describes how the Plan will use or disclose your Protected Health Information to carry out treatment, payment, or healthcare operations, or for any other purpose permitted or required by law.
The Plan provides the following benefits:
We are required by law to maintain the privacy of your protected health information, to provide you with a notice of our legal duties and privacy practices with respect to your protected health information, and to follow the terms of the notice that is currently in effect. We are also required to notify affected individuals in the case of a breach of unsecured protected health information.
Our Pledge Regarding Protected Health Information
We understand that your protected health information and your health is personal and are committed to safeguarding your protected health information. We create a record of the health care claims reimbursed under the Plan for Plan administration purposes. This notice applies to all of the medical records, including claims records, the Plan maintains. Your personal doctor or health care provider may have different policies or notices regarding the doctor's use and disclosure of your protected health information created in the doctor's office or clinic.
This notice will tell you about the ways in which we may use and disclose your protected health information. It also describes our obligations and your rights regarding the use and disclosure of protected health information.
We reserve the right to change the terms of this Notice and to make new provisions about your protected health information that we maintain, as allowed or required by law. If we make any material change, we will provide you with a copy of our revised Notice of Privacy Practices by direct mail or hand delivery. A copy of the revised Notice of Privacy Practices will also be posted on our Intranet at the following address: www.OKHEEI.org.
HIPAA only protects certain medical information known as "protected health information." Generally, protected health information is information created or received by a health care provider, a health care clearing house, a health plan, or your employer on behalf of your health plan, from which it is possible to identify you and which relates to: (1) your past, present, or future physical or mental health condition; (2) the provision of health care to you; or (3) the past, present, or future payment of health care claims on your behalf. Note: The individually identifiable health information of a person who has been deceased for more than 50 years is not protected health information under the Privacy Rule.
How We May Use and Disclose Your Protected Health Information (PHI)
The following categories describe different ways that we use and disclose protected health information. For each category of uses or disclosures we will explain what we mean and present some examples. Not every use or disclosure in a category will be listed. However, all of the ways we are permitted to use and disclose information will fall within one of the categories.
For Treatment (as described in applicable regulations). We may use or disclose your protected health information to facilitate medical treatment or services by providers. We may disclose protected health information about you to providers, including doctors, nurses, technicians, medical students, or other hospital personnel who are involved in taking care of you. For example, we might use your PHI information for case management.
For Payment (as described in applicable regulations). We may use and disclose your protected health information to determine eligibility for Plan benefits, to facilitate payment for the treatment and services you receive from health care providers, to determine benefit responsibility under the Plan, or to coordinate Plan coverage. For example, we may use your PHI to adjudicate a claim for a specialist office visit. We may also share medical information with a utilization review or precertification service provider, to assist with the adjudication or subrogation of health claims, or to another health plan to coordinate benefit payments.
For Health Care Operations (as described in applicable regulations). We may use and disclose your protected health information for other Plan operations. These uses and disclosures are necessary to run the Plan. For example, we may use your PHI for underwriting, premium rating, and other activities relating to determining plan coverage.
As Required By Law. We will disclose your protected health information when required to do so by federal, state, or local law. For example, we may disclose medical information when required by a court order in a litigation proceeding, such as a malpractice action, or a divorce proceeding.
To Avert a Serious Threat to Health or Safety. We may use and disclose your protected health information when necessary to prevent a serious threat to your, another person's, or the public's health and safety. But disclosure would only be to someone able to help prevent the serious threat. For example, we may disclose your protected health information in case of exposure to a highly infectious disease.
To Plan Sponsors. For plan administration purposes, your protected health information may be disclosed to specifically designated employees. Those employees will only use or disclose that protected health information necessary to perform plan administration functions or as otherwise required or permitted by HIPAA. Your employer may not use protected health information for employment purposes without your express authorization. Information may be disclosed to another health plan (as described by HIPAA) maintained by Oklahoma Higher Education Employee Interlocal for purposes of facilitating claims payable under that plan or for other purposes permitted by HIPAA.
To Business Associates. We may contract with individuals or entities known as Business Associates to perform various functions on behalf of the Plan or to provide certain types of services. In order to perform these functions or to provide these services, Business Associates will receive, create, maintain, transmit, use, and/or disclose your protected health information, but only after they agree in writing to implement appropriate safeguards regarding your protected health information. For example, we may disclose your protected health information to a Business Associate such as a third-party administrator to process your claims for Plan benefits.
Prohibition on Use or Disclosure of Genetic Information. The plan (other than the long term care plan, if applicable,) is prohibited from using or disclosing your genetic information for underwriting purposes.
Treatment Alternatives or Health-Related Benefits and Services. We may use and disclose your protected health information to send you information about treatment alternatives or other health-related benefits and services.
Special Situations. The following are categories of other circumstances in which we may use or disclose your protected health information. While this is not an exhaustive list of the specific ways that we may use or disclose your PHI, each way that we may use or disclose your PHI would fall into one of these categories.
Organ and Tissue Donation. If you are an organ donor, we may release your protected health information to organizations that handle organ procurement or organ, eye or tissue transplantation or to an organ donation bank as necessary
Military and Veterans. If you are a current member of the armed forces, we may release protected health information as deemed necessary by military command authorities to ensure the proper execution of their military mission. We may also release protected health information about foreign military personnel to the appropriate foreign military authority.
Workers' Compensation. We may release your protected health information to the extent necessary to comply with laws relating workers' compensation or similar programs, that provide benefits for work-related injuries or illness without regard to fault.
Public Health Risks. We may disclose your protected health information to public health authorities. Reportable activities generally include the following:
-
To prevent or control disease, injury or disability;
-
To report births and deaths;
-
To report child abuse or neglect;
-
To conduct public health surveillance, investigation, or intervention;
-
To notify a person who may have been exposed to a disease or may be at risk for contracting or spreading a disease;
-
To notify the appropriate government authority if we believe a patient has been the victim of abuse, neglect or domestic violence, but only if you agree to the disclosure, or the disclosure is required or authorized by law.
Health Oversight Activities. We may disclose your protected health information to a health oversight agency for reasons authorized by law. For example, a health oversight agency may conduct audits, investigations, inspections, and licensure (e.g., reporting the results of a TB test to the Centers for Disease Control and Prevention).
Lawsuits and Disputes. If you are involved in a lawsuit or a legal dispute, we may disclose your protected health information in response to a court or administrative order, a subpoena, discovery request, or other lawful process by someone else involved in the dispute. Prior to responding, we will attempt to inform you of the request or obtain an order protecting the health information requested.
Law Enforcement. We may release medical information if asked to do so by a law enforcement official:
-
To report certain types of wounds or other physical injuries as required by law;
-
In response to a court order, subpoena, court-ordered warrant, summons or similar process issued by a judicial officer;
-
In response to a grand jury subpoena; or
-
As otherwise permitted by HIPAA.
Coroners, Medical Examiners and Funeral Directors. We may release your protected health information to a coroner or medical examiner for the purposes of identifying a deceased person, determining a cause of death, or other duties authorized by law. We may also release protected health information to funeral directors as necessary to carry out their duties.
National Security and Intelligence Activities. We may release your protected health information to authorized federal officials for lawful intelligence, counterintelligence, and other national security activities authorized by the National Security Act and implementing regulations.
Inmates. If you are an inmate of a correctional institution or under the custody of a law enforcement official with lawful custody over you, we may release your protected health information to the correctional institution or law enforcement official, if that information is necessary for one of the following:
a) To provide you with health care;
b) To protect your health and safety or the health and safety of other individuals; or
c) For the safety and security of officers or employees of the correctional institution.
Uses and Disclosures for Which Your Written Authorization is Required. We may use or disclose your personal health information in the following circumstances only with your written authorization: Disclosure to your spouse, another family member such as a parent for an adult child, or a close personal friend designated by you to receive your protected health information, including an individual involved in your care prior to your death, unless you object or we are able to determine, based on our best professional judgment, that it is in your best interests to make the disclosure.
All other uses and disclosures of your PHI not described in this Notice of Privacy Practices will be made only with your written authorization. You have the right to revoke your written authorization at any time, but you must do so in writing, and we are required to comply with your request, except to the extent that we took prior action relying upon your authorization.
Your Rights Regarding Your Protected Health Information
You have the following rights regarding protected health information we maintain about you:
Right to Inspect and Copy. You have the right to inspect and copy protected health information maintained by the Plan in a designated record set. To inspect and copy your designated record set, you must submit your request in writing to the Privacy Officer as directed below. If you request a copy of the information, we may charge a fee for the costs of copying, mailing or other supplies associated with your request.
We may deny your request to inspect and copy in certain very limited circumstances. If you are denied access to medical information, you may request that the denial be reviewed.
Right to Amend. If you feel that protected health information we have about you is inaccurate or incomplete, you may ask us to amend the information. You have the right to request an amendment for as long as the information is kept by or for the Plan in a designated record set. To request an amendment, your request must be made in writing and submitted to the Privacy Officer as directed below. In addition, you must provide a reason that supports your request.
We may deny your request for an amendment if it is not in writing or does not include a reason to support the request. In addition, we may deny your request if you ask us to amend information that:
-
Is not part of the designated record set kept by or for the Plan;
-
Was not created by us, unless you provide us with information that the person or entity that created the information is no longer available to make the amendment;
-
Is not part of the information which you would be permitted to inspect and copy; or
-
Is accurate and complete.
Right to an Accounting of Disclosures. You have the right to request an "accounting of disclosures" (i.e., a list) of your protected health information where such disclosures were made other than: (1) for treatment, payment, or health care operations; (2) to you; (3) pursuant to your authorization; (4) to friends or family in your presence or due to an emergency; (5) for national security purposes; or (6) incidental to an otherwise permissible use or disclosure.
To request this accounting of disclosures, you must submit your request in writing to the Privacy Officer as directed below. Your request must state a time period which may not be longer than six years from the date of the request. Your request should indicate in what form you want the accounting (for example, paper or electronic). The first accounting you request within a 12 month period will be free. For additional accountings, we may charge you for the costs of providing the accounting. We will notify you of the cost involved, and you may choose to withdraw or modify your request at that time before any costs are incurred to comply with the original request.
Right to Request Restrictions. You have the right to request a restriction or limitation on the protected health information we use or disclose about you for treatment, payment, or health care operations. You also have the right to request a limitation on the protected health information we disclose about you to someone who is involved in your care or the payment for your care, such as a family member or friend. For example, you could ask that we not use or disclose information to a family member about a treatment for Hepatitis C you had.
We are not required to agree to a requested restriction or limitation, unless your request is made to restrict disclosure to an insurance carrier for purposes of carrying out payment or health care operations (and is not for purposes of carrying out treatment), and the protected health information pertains solely to a health care item or service for which you have paid the healthcare provider out of pocket in full. If we do agree to a restriction or limitation, we must abide by it unless you revoke it in writing.
To request restrictions, you must make your request in writing to the Privacy Officer as directed below. In your request, you must tell us:
(a) What information you want to limit or restrict;
(b) Whether you want to limit our use, disclosure or both; and
(c) To whom you want the limits to apply, for example, disclosures to another family member.
Right to Request Confidential Communications. You have the right to request that we communicate with you about medical matters in an alternative way or at an alternative location. For example, you can ask that we only contact you at work or by cell phone. To request confidential communications, you must make your request in writing to the Privacy Officer as directed below. We will not ask you the reason for your request, and we will accommodate all reasonable requests.
A Note About Personal Representatives. You may exercise your rights through a personal representative. Your personal representative will be required to produce evidence of his/her authority to act on your behalf before that person will be given access to your PHI or allowed to take any action for you. Proof of such authority may take one of the following forms:
-
A power of attorney for health care purposes, notarized by a notary public;
-
A court order of appointment of the person as the conservator or guardian of the individual; or
-
Verification of identity as an individual who is the parent of a minor child.
The Plan retains discretion to deny access to your PHI to a personal representative to provide protection to those vulnerable people who depend on others to exercise their rights under these rules and who may be subject to abuse or neglect. This also applies to personal representatives of minors.
However, we are not required to disclose your protected health information to a personal representative if we have a reasonable belief that: (1) you are or may have been subject to domestic violence, abuse or neglect by the designated personal representative; (2) treating the designated individual as your personal representative would endanger you; or (3) it is not in your best interest, using professional judgment, to allow the designated individual to act as your personal representative.
Right to Request Electronic Copy of PHI Maintained Electronically in One or More Designated Record Sets. If the plan maintains an "electronic health record" or maintains your PHI electronically in a "designated record set," you have the right to: (1) obtain a copy of the information in electronic format and/or (2) ask the Plan to send the copy to a third party. The Plan requires you to make the request for electronic copies of your PHI in writing, and the Plan may charge you a reasonable fee for labor costs for sending the electronic copy of your health information. To request an account of electronic health records, you must make the request in writing to the Privacy Officer as directed below. The Plan will send the information to a third party at your request only if you provide complete information including the name and address of the third party.
Right to be Notified of a Breach. You have the right to be notified in the event that the Plan (or a Business Associate) discovers a breach of your unsecured protected health information. Business Associates include the Business Associates themselves and their subcontractors.
Right to a Paper Copy of This Notice. You have the right to receive a paper copy of this notice. You may ask us to provide you a copy of this notice at any time. Even if you have agreed to receive this notice electronically, you are still entitled to a paper copy of this notice. You may obtain a copy of this notice from the website at the following address: www.OKHEEI.org. To obtain a paper copy of this notice via mail, please contact the Privacy Officer as directed below
Changes to This Notice
We reserve the right to change this notice. We reserve the right to make the revised or changed notice effective for medical information we already have about you as well as any information we receive in the future. We will post a copy of the current notice on the employer website or Intranet. The notice will contain the effective date on the first page.
Complaints
If you believe your privacy rights have been violated, you may file a complaint with the Plan. To file a complaint with the Plan, please contact the Privacy Officer as directed below. All complaints must be submitted in writing. In addition to filing a complaint with the Plan, you may file a complaint with the Secretary of the Department of Health and Human Services (HHS) Office for Civil Rights by sending a letter to U.S. Department of Health and Human Services, 200 Independence Ave. S.W., Room 509F HHH Bldg., Washington, D.C. 20201, email: OCRComplaint@hhs.gov, or through the OCR Complaint Portal.
The Plans will not retaliate against you for submitting an internal complaint, a complaint to HHS, or for exercising your other rights as described in this Notice or under applicable law.
Other Uses of Medical Information
All other uses and disclosures of your medical information not described in this Notice of Privacy Practices or HIPAA and its implementing regulations will be made only with your written authorization. You have the right to revoke your written authorization at any time, but you must do so in writing, and we are required to comply with your request, except to the extent that we took prior action relying upon your authorization.
Contact Information
If you wish to invoke any of your rights under this notice or if you have any questions about this notice, please contact: Benefits Coordinator, Privacy Officer for the OKHEEI Health Plan, 305 Northwest 5th Street, #407, Oklahoma City, OK 73102, hipaa@ruso.edu (email), (405) 942-8817 (phone).