NOTICE OF PRIVACY PRACTICES

FOR

IOWA STATE UNIVERSITY BENEFITS OFFICE

 

THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION.

 

PLEASE REVIEW IT CAREFULLY.

 

Effective Date: April 14, 2003

 

 

1.  Purpose of This Privacy Notice

This Notice of Privacy Practices describes how the Iowa State University Benefits Office may use and disclose your protected health information to conduct health care operations, assist with your treatment, initiate payment, and for other purposes that are permitted or required by law. Iowa State University reserves the right to make changes in this Notice of Privacy Practices.  The Notice describes your rights to access and control of your protected health information. “Protected Health Information” is information about you, including demographic information, that may identify you and that relates to your past, present or future physical or mental health condition and related health care services. For purposes of this notice, we will refer to “Protected Health Information” as “PHI”.

2.  Who Will Follow This Notice

 

This notice describes the privacy policy of the Benefits Office at Iowa State University that provides group health plans and other heath-related services to you as an employee of ISU.  The health plans and other services covered by this notice include:

 

• Our Self-Insured ISU Plan including the Indemnity, PPO and HMO plans.
• Our Basic and Comprehensive Dental plans.
• Our Medical Reimbursement Flexible Spending Account Program.

 

These privacy policies will be followed by:

 

• All employees of the ISU Benefits Office.
• ISU Departments and their employees that provide support to the ISU Benefits Office and may have access to your PHI while providing that support such as Administrative Data Processing, Accounts Receivable, Internal Audit, University Counsel, and Risk Management.

 

3.  Our Pledge Regarding Your Medical Information

 

We understand that medical information about you and your health is personal, and we are committed to protecting it whenever it is in the possession of the ISU Benefits Office. 

 

Your personal health information is required to be kept confidential and private under a number of federal and state laws.  For example, Iowa Code Chapter 22.7(2) addresses the confidentiality of public hospital, medical and professional counselor records; Iowa Code Chapter 228 addresses the disclosure of mental health and psychological information; the Family Educational Rights and Privacy Act (FERPA), 20 U.S.C. §1232(g) and 34 CFR Part 99, addresses the confidentiality of student educational records; and the Health Insurance Portability and Accountability Act (HIPAA), 42 U.S.C. 1320(d) and 45 CFR Parts 160 and 164, addresses the confidentiality of patient health information and  records.

 

We are required by law to:

 

• Make sure that medical information that identifies you is kept private.

 

• Provide you this notice of our legal duties and privacy practices regarding your medical information.

 

• Follow the terms of the notice that is currently in effect.  We may change the terms of our notice at any time.  The new notice will be effective for all PHI that we maintain at that time.  Upon your request, we will provide you with any revised Notice of Privacy Practices.  You may obtain a copy by contacting the ISU Benefits Office and requesting that a revised copy be sent to you in the mail or asking for one at the time of your next visit to the ISU Benefits Office.  The current notice and any revised notice are available on the internet on the ISU Benefits Office Website at: http://www.hrs.iastate.edu/benefits/homepage.shtml.

 

4.  How We May Use And Disclose Medical Information About You

 

The following categories describe ways that we use and disclose medical information.  Examples of each category are included.  Not every use or disclosure in each category is listed; however, all of the ways we are permitted to use and disclose information falls into one of these categories:

 

• For Health Care Operations:  We may use and disclose your medical information to rate our risk and determine our premiums for your health plan, to conduct quality assessment and improvement activities, to engage in care coordination or case management, to manage our business, and the like.
• For Payment:  We may use and disclose your medical information to pay claims from doctors, hospitals and other providers for services delivered to you that are covered by your health plan, to determine your eligibility for benefits, to coordinate benefits, to examine medical necessity, to obtain premiums, to issue explanations of benefits to the person who subscribes to the health plan in which you participate, to reimburse you under your medical reimbursement flexible spending account and the like.
• For Treatment:  We may disclose your medical information to a doctor or a hospital which asks us for it to assist in your treatment.

We may share your PHI with third party “business associates” that perform various activities (e.g., billing and collection) for Iowa State University. Whenever an arrangement between our office and a business associate involves the use or disclosure of your PHI, we will have a written contract that contains terms that will protect the privacy of your PHI.

5.  General Rule: Uses and Disclosures of PHI Are Based Upon Your Written Authorization

Other uses and disclosures of your PHI will be made only with your written authorization, unless otherwise permitted or required by law as described below. You may give us written authorization to use your medical information or to disclose it to anyone for any purpose. You may revoke this authorization at any time, in writing, except to the extent that the ISU Benefits Office has taken action in reliance on the use or disclosure indicated in the authorization. Without your written authorization, we may not use or disclose your medical information for any reason except those described in this notice.

6.  Exception to General Rule For Uses and Disclosures To Family or Friends Involved in Your Health care

Before we disclose your medical information to a member of your family, a relative, a close friend or any other person you identify that is involved in your health care, we will provide you with an opportunity to object to such uses or disclosures.  If you are not present, or in the event of your incapacity or an emergency treatment situation exists, we will only disclose your PHI to others involved in your health care based on our professional judgment of whether the disclosure would be in your best interest. We may use or disclose PHI to notify or assist in notifying a family member, personal representative, or any other person that is responsible for your care of your location, general condition or death. We will also use our professional judgment and experience with common practice to allow a person involved in your health care to pick up filled prescriptions, medical supplies, x-rays, or other forms of medical information. In these situations, only the minimum necessary PHI that is relevant to your health care will be disclosed.

7.  Exceptions to General Rule For Uses and Disclosures of Your PHI That May Be Made Without Your Consent, Authorization or Opportunity to Object

We may use or disclose your PHI in the following situations without your consent or authorization. These situations include:

7.1  To Iowa State University:  We may disclose your PHI and the PHI of others enrolled in your group health plan or medical reimbursement flexible spending account program to ISU or other organization that sponsors your group health plan, administers the medical reimbursement flexible spending account program, or to permit the plan sponsor to perform plan administration functions.  Please see your group health plan document for a full explanation of the limited uses and disclosures that the plan sponsor may make of your medical information in providing plan administration.  We may also disclose summary information about the enrollees in your group health plan to the plan sponsor to use to obtain premium bids for the health insurance coverage offered through your group health plan or to decide whether to modify, amend or terminate your group health plan.  The summary information we may disclose summarizes claims history, claims expenses, or types of claims experienced by the enrollees in your group health plan.  The summary information will be stripped of demographic information about the enrollees in the group health plan, but the plan sponsor may still be able to identify you or other enrollees in your group health plan from the summary information.

7.2  For Underwriting:  We may receive your medical information for underwriting, premium rating or other activities relating to the creation, renewal or replacement of a contract of health insurance or health benefits.  We will not use or further disclose this medical information for any other purpose, except as required by law, unless the contract of health insurance or health benefits is placed with us.  In that case, our use and disclosure of your medical information will only be as described in this notice.

7.3  For Marketing:  We may use your medical information to contact you with information about health-related products and services or about treatment alternatives that may be of interest to you.  We may disclose your medical information to a business associate to assist us in these activities.  Unless the information is provided to you by a general newsletter or in person or is for products or services of nominal value, you may opt out of receiving further such information by telling us using the contact information listed at the end of this notice.

7.4  Research:  Although in most cases health-related research is conducted only after you have provided authorization to disclose your protected health information to the researcher, in certain circumstances when the research proposal has been approved by an institutional review board or is preparatory to research, your PHI may be used or disclosed for health-related research without your authorization.

7.5  Required By Law:  We may use or disclose your PHI to the extent that Federal, State or Local law requires the use or disclosure. The use or disclosure will be made in compliance with the law and will be limited to the relevant requirements of the law. You will be notified, when required by law, of any such uses or disclosures.

7.6  Disaster Relief:  We may use or disclose your name, location and general condition or death to a public or private organization authorized by law or by its charter to assist in disaster relief efforts.

7.7  Death and Organ Donation:  We may disclose the medical information of a deceased person to a coroner, medical examiner, funeral director, or organ procurement organization for certain purposes.

7.8  Serious Threat to Health or Safety:  We may, consistent with applicable law and ethical standards of conduct, use or disclose your PHI if we believe, in good faith, that such use or disclosure is necessary to prevent or lessen a serious and imminent threat to your health or safety or to the health or safety of the public. We may disclose your PHI to appropriate authorities if we reasonably believe that you are a possible victim of abuse, neglect, domestic violence or other crimes.

7.9  Specialized Government Functions:  We may disclose your PHI when it relates to specialized government functions such as military and veteran’s activities, national security and intelligence activities, protective services for the President, and medical suitability or determinations of the Department of State.

7.10  Legal Proceedings:  We may disclose PHI in the course of any judicial or administrative proceeding, in response to an order of a court or administrative tribunal (to the extent such disclosure is expressly authorized), in certain conditions in response to a subpoena, discovery request or other lawful process.

7.11  Law Enforcement:  We may also disclose PHI, so long as applicable legal requirements are met, for law enforcement purposes. These law enforcement purposes may include (1) legal processes and otherwise required by law, (2) limited information requests for identification and location purposes,  (3) suspicion that death or serious injury has occurred as a result of criminal conduct, (4) in the event that a crime occurs on the premises of ISU, and (5) on the occurrence of a medical emergency when it is likely that a crime has occurred.

7.12  Compliance: Under the law, we must make disclosures when required by the Secretary of the U.S. Department of Health and Human Services to investigate or determine our compliance with the requirements of the HIPAA Privacy Regulations and other Federal or State laws.

8.  Your Rights Regarding Your Protected Health Information

Following is a statement of your individual rights with respect to your PHI and a brief description of how you may exercise these rights.

8.1  You have the right to access, inspect and copy your PHI.  This means you may inspect and obtain a copy of PHI about you that is contained in our records for as long as we maintain the PHI.  We will respond to your written request to inspect and/or copy within 30 days. We may charge you a fee for the cost of copying the documents involved.

There are a few limited exceptions to your right of access. Under federal law, you may not inspect or copy the following records: psychotherapy notes; information compiled in reasonable anticipation of, or use in, a civil, criminal, or administrative action or proceeding, and PHI that is subject to law that prohibits access to PHI. Depending on the circumstances, you may have a right to have a decision to deny access reviewed.  Please contact the ISU Benefits Office if you have questions about access to or decisions concerning your PHI.

8.2  You have the right to request a restriction of your PHI.  This means you may ask us not to use or disclose any part of your PHI for the purposes of treatment, payment or health care operations. You may also request that any part of your PHI not be disclosed to family members or friends who may be involved in your care or for notification purposes as described in this Notice of Privacy Practices. Your request must be in writing and state the specific restriction requested and to whom you want the restriction to apply.

We are not required to agree to any restrictions, but if we do, we will abide by our agreement (except in an emergency).  Any agreement we may make to a request for restrictions must be in writing signed by a person authorized to make such an agreement on our behalf.  We will not be bound unless our agreement is so memorialized in writing.

8.3  You have the right to request to receive confidential communications from us by alternative means or at an alternative location.  You may make a request that we send you confidential communications by alternative means or to you at an alternative location.  This request must be in writing and must contain a statement that disclosure of all or part of the information could endanger you if it is not communicated to you in confidence. We must accommodate your request if it is reasonable, specifies the alternative means or location, and continues to permit us to collect premiums and pay claims under your health plan, including issuance of explanations of benefits to the subscriber of the health plan in which you participate.  An explanation of benefits issued to the subscriber for health care that you received for which you did not request confidential communications or about the subscriber or others covered by the health plan in which you participate may contain sufficient information to reveal that you obtained health care for which we paid, even though you requested that we communicate with you about that health care in confidence. Please make this request in writing to the ISU Benefits Office.

8.4  You may have the right to amend your PHI.  This means you may request an amendment of PHI about you in our records set for as long as we maintain this information. Your request must be in writing and explain why the information should be amended.  We will respond to your written request to amend within 60 days of receiving the request. We may deny your request for an amendment in circumstances where we have not created the information or when we believe that the information is accurate and complete. If we deny your request for amendment, you have the right to file a statement of disagreement with us, and we may prepare a rebuttal to your statement and will provide you with a copy of any such rebuttal. Please contact the ISU Benefits Office if you have questions about amending your record.

8.5  You have the right to receive an accounting of certain disclosures we have made, if any, of your PHI. This right applies to disclosures for purposes other than treatment, payment or health care operations as described in this Notice of Privacy Practices. It excludes disclosures we may have made to you, to others based upon your express authorization, to family members or friends involved in your care, for a facility directory, for notification purposes, or as part of a limited data set that does not directly identify you. You have the right to receive specific information regarding these disclosures that occurred after April 14, 2003. The request for an accounting must be in writing, and we will respond to your written request within 60 days. You may request a shorter timeframe. The right to receive this information is subject to certain exceptions, restrictions and limitations.

8.6  You will receive a paper copy of this notice from us, upon request, even if you have agreed to accept this notice electronically.

9.  Questions and Complaints

If you want more information about our privacy practices or have questions or concerns, please contact us using the information listed at the end of this notice.

If you are concerned that we may have violated your privacy rights, you disagree with a decision we made about access to your medical information or in response to a request you made to amend or restrict the use or disclosure of your medical information, or to have us communicate with you in confidence by alternative means or at an alternative location, you may complain to the ISU Benefits Office using the contact information listed at the end of this notice.  You also may submit a written complaint to the U.S. Department of Health and Human Services.  We will provide you with the address to file your complaint with the U.S. Department of Health and Human Services upon request.

We support your right to protect the privacy of your medical information.  We will not retaliate in any way if you choose to file a complaint with us or with the U.S. Department of Health and Human Services.

CONTACT INFORMATION

The Iowa State University Benefits Office

3750 Beardshear Hall, Suite 3350, Ames, Iowa 50011-2033

Telephone:  515 294-7680             Fax:  515 294-4707       E-mail:  benefits@iastate.edu

                       

 

THIS NOTICE IS EFFECTIVE ON APRIL 14, 2003.