"Third Party Administration Service For All Your Employee Needs"

HIPAA PRIVACY PRACTICES AND SECURITY INFORMATION IS ALSO LOCATED IN YOUR PLAN DOCUMENT AND SUMMARY PLAN DOCUMENT

HIPAA PRIVACY PRACTICES

The Plan provides each member with a separate Notice of Privacy Practices. This Notice describes how the Plan uses and discloses your personal health information. It also describes certain rights you have regarding this information. Additional copies of our Notice of Privacy Practices are available by calling your human resource department.

Definitions

  • Breach means an unauthorized acquisition, access, use or disclosure of Protected Health Information (“PHI”) or Electronic Protected Health Information (“ePHI”) that violates the HIPAA Privacy Rule and that compromises the security or privacy of the information.
  • Protected Health Information (“PHI”) means individually identifiable health information, as defined by HIPAA, that is created or received by us and that relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and that identifies the individual or for which there is a reasonable basis to believe the information can be used to identify the individual. PHI includes information of persons living or deceased.

This Section describes how your Personal Health Information (PHI) may be used and disclosed, your rights and how you can get access to this information.

PLAN RESPONSIBILITY: By law, the Plan must protect and secure the privacy of your Personal Health Information (PHI). The Plan is required to abide by the terms of the disclosed Privacy Practices, but the Plan can change those practices. If there is a material change to Privacy Practices, those changes will be effective for all PHI that the Plan maintains. Within 60 days of a revision, the Plan will provide you with a revised statement of Privacy Practices. PLEASE REVIEW IT CAREFULLY.

Uses and Disclosures Related to the Day to Day Business of the Plan:

For Payment: The Plan will use and disclose PHI to process claims for health care services, to obtain excess loss reimbursement for the health plan from a reinsurance company or as may be otherwise necessary to fulfill the responsibility to process benefits. For example, the Plan may disclose PHI when a service provider requests information regarding eligibility for coverage or the payment status of a claim; the Plan may use PHI to determine if treatment received satisfies the written provisions of the health plan such as, but not limited to, medically necessary care and experimental or investigative care; the Plan may disclose PHI to service providers to approve a hospital stay or in the predetermination of benefit for a surgical or other medical procedure requested by the provider.

For Healthcare Operations: The Plan will use and disclose PHI in conducting operation of the health plan. Examples of these operations include, but are not limited to: quality assessments; review of provider performance and fees for services; procedures for the underwriting and purchase of excess loss insurance by the health plan; medical peer review; auditing.

Other examples of uses related to healthcare operations include: to respond to a customer service inquiry; to provide you information with regard to treatment alternatives, disease management programs or other health related benefits and services; to remind you of appointments or other disease management program compliance procedures; in connection with fraud, abuse or similar investigative procedures.

Plan Sponsors: The Plan may disclose to the Plan Sponsor whether you are enrolled or disenrolled in the Plan. The Plan may disclose summary health information to the Plan Sponsor to use in obtaining premium bids for the health insurance coverage offered under the Plan or in deciding whether to amend or terminate the Plan. The Plan also may disclose PHI to the designated personnel of the Plan Sponsor for the purpose of administrative functions that the Plan Sponsor performs for the health plan. The Plan will not disclose to the Plan Sponsor, and the Plan Sponsor will not use or disclose, PHI other than as permitted or required by this Plan document or as required by law.

The Plan Sponsor will not use any PHI received from the Plan in employment-related actions or in connection with any other benefits plans. The Plan Sponsor will allow you to exercise your rights, described below, to access your PHI held by the Plan Sponsor and request an amendment to that PHI. The Plan Sponsor also will provide you, upon request, with an accounting of its disclosures of your PHI, if any.

The only personnel of the Plan Sponsor who will have access to your PHI will be employees in the Human Resource Department of the Plan Sponsor and they will have such access only for Plan administration purposes. The Plan Sponsor will ensure that the separation of its Plan-related operations and its other operations are supported by reasonable and appropriate security measures.

If agents or subcontractors of the Plan Sponsor will receive PHI, the Plan Sponsor will require that such agents and subcontractors abide by the same restrictions and conditions regarding PHI that apply to the Plan and the Plan Sponsor, including, for electronic PHI, implementing reasonable and appropriate security measures to protect the electronic PHI. If the Plan Sponsor becomes aware of any improper use or disclosure of PHI or any security incident, it will notify the Plan and, if such improper use or disclosure or security incident was caused by any Plan Sponsor personnel, such personnel will be appropriately disciplined.

Once the Plan Sponsor no longer needs PHI for its intended purpose, the Plan Sponsor will return the PHI to the Plan or destroy all copies of it. If the Plan Sponsor can neither return the PHI nor destroy it, the Plan Sponsor will limit any further uses or disclosures of the PHI to those purposes that make return or destruction of the PHI infeasible.

If the Plan Sponsor creates, receives, maintains or transmits electronic PHI, the Plan Sponsor will implement technical, physical and administrative safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of the electronic PHI.

The Plan Sponsor is required by law to make available to the United States Department of Health and Human Services all Plan Sponsor practices, books and records relating to the use or disclosure of PHI.

Family, Friends and Others Involved in Your Care or Payment for Your Care: The Plan may disclose your PHI to your family, friends or other persons involved in your health care or payment for your health care, but only to the extent that the PHI is relevant to that involvement. In emergencies, disaster relief efforts or similar situations, the Plan may use or disclose your name, location and condition, if known to the Plan, to help notify a person responsible for your health care. Before making any of these disclosures, the Plan will give you an opportunity to object to the disclosure. If you are incapacitated or in emergency or disaster relief situations, the Plan will use its professional judgment to determine whether disclosing your PHI is in your best interests.

Uses and Disclosures to Business Associates or other Covered Entities:

Business Associates: The Plan contracts with individuals and entities (Business Associates) to perform various functions or to provide certain types of services. To perform these functions or to provide the services, the Business Associates will receive, create, maintain, use, or disclose protected health information, but only after the Plan requires the Business Associates to agree in writing to contract terms designed to safeguard information. For example, the Plan may disclose PHI to a Business Associate to administer claims or to provide service support, utilization management, subrogation or pharmacy benefit management. An example of a Business Associate would be the third party administrator for processing claims.

Other Covered Entities: The Plan may use or disclose PHI to assist health care providers in connection with their treatment or payment activities, or to assist other covered entities in connection with payment activities and certain health care operations. For example, the Plan may disclose PHI to a health care provider when needed by the provider to render treatment to you, and the Plan may disclose PHI to another covered entity to conduct health care operations in the areas of quality assurance and improvement activities, or accreditation, certification, licensing or credentialing. The Plan may disclose or share PHI with other insurance organizations in order to coordinate benefits in the event you or a family member has coverage through another such organization.

Additional Uses and Disclosures That May Be Made:

Required by Law: The Plan may use or disclose PHI to the extent that the use or disclosure is required by law. The use or disclosure will be made in compliance with the law and will be limited to the relevant requirements of the law.

Public Health: The Plan may disclose PHI for public health activities and the purposes to which a public health authority is authorized by law to collect or receive the information.

Victims of Abuse, Neglect, or Domestic Violence: The Plan may disclose PHI about plan participants to a government authority authorized by law to receive reports of abuse, neglect or domestic violence.

Food and Drug Administration (FDA): The Plan may disclose PHI to a person subject to the jurisdiction of the FDA with respect to an FDA-regulated product or activity, such as for reports of adverse events, product defects or to track FDA-regulated products.

Communicable Diseases: The Plan may disclose PHI to a person who may have been exposed to a communicable disease or may otherwise be at risk of contracting or spreading a disease, if the Plan is authorized by law to notify such person.

Health Oversight: The Plan may disclose PHI to a health oversight agency for oversight activities authorized by law, such as audits, inspections, licensure and disciplinary actions. Oversight agencies that might receive this information are those overseeing government benefit programs or those overseeing the health care system.

Legal Proceedings: The Plan may disclose PHI in response to an order of a court, an administrative tribunal or in response to a subpoena if certain conditions are met in relation to notifying the Plan Participant and providing the opportunity to object to the disclosure.

Law Enforcement: The Plan may disclose PHI for a law enforcement purpose to a law enforcement official in response to a court ordered warrant, grand jury subpoena or administrative request.

Coroners and Funeral Directors: The Plan may disclose PHI to a coroner or medical examiner for identification purposes, determining cause of death or for the coroner or medical examiner to perform other duties authorized by law, or to a funeral director, if necessary.

Organ or Tissue Donation: The Plan may disclose PHI to organ procurement organizations or other entities engaged in the procurement, banking or transplantation of cadaveric organs, eyes or tissue for donation purposes.

Research: The Plan may disclose PHI to researchers when their research has been approved by an institutional review board that has reviewed the research proposal and established protocols to ensure the privacy of the PHI.

To Avert Serious Threat to Health and Safety: The Plan may disclose PHI if the Plan believes in good faith that disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or to the public, and the person to whom the Plan discloses the information is reasonably able to lessen or prevent the threat, or is necessary for law enforcement to identify or apprehend an individual. Only limited information may be disclosed about an individual in the case of identification or apprehension of an individual.

Specialized Government Functions: The Plan may disclose PHI for the following governmental functions: (a) for military and veterans activities; (b) for national security and intelligence activities; (c) for protective services for the President or to foreign heads of state or other authorized persons; (d) to correctional institutions or law enforcement officials regarding an inmate if it is necessary for provision of health care to the individual, for the safety of the individual, other inmates, correctional officers or others involved in the custody of the inmate.

Workers' Compensation: The Plan may disclose PHI when necessary to comply with laws relating to workers' compensation or similar benefits programs.

Uses of PHI Requiring your Authorization: Other uses and disclosures of PHI will be made only when you sign an authorization form. After you sign the authorization form, you can change your mind and revoke the authorization by signing another form.

Instances When Required Authorization Is Needed From Participants Before Disclosing PHI:

If the Plan maintains psychotherapy notes: Most uses and disclosures of psychotherapy notes;
Uses and disclosures for marketing;
Sale of PHI; and
Other uses and disclosures not described in can only be made with authorization from the Participant. The Participant may revoke this authorization at any time.

YOUR RIGHTS:

You have the right to inspect and copy your PHI: The Participant has the right to request the opportunity to look at or get copies of PHI maintained by the Plan about him/her in certain records maintained by the Plan. If the Participant requests copies, he/she may be charged a fee to cover the costs of copying, mailing, and other supplies. To inspect or copy PHI, or to have a copy of your PHI transmitted directly to another designated person, contact the Privacy Compliance Coordinator. A request to transmit PHI directly to another designated person must be in writing, signed by the Participant and the recipient must be clearly identified. The Plan must respond to the Participant’s request within thirty (30) days (in some cases, the Plan can request a thirty (30) day extension). In very limited circumstances, the Plan may deny the Participant’s request. If the Plan denies the request, the Participant may be entitled to a review of that denial.

You have the right to request a restriction of your PHI: You may ask the Plan not to use or disclose some or all of your PHI for the purposes of payment or healthcare operations. You may also ask the Plan not to share your PHI with members of your family or friends who may be involved in your care. You must tell the Plan in writing what information you want restricted and when the restriction applies. The Plan does not have to agree to your request for a restriction if the Plan cannot identify a reasonable way to implement the request. If the Plan agrees to restrict release of your PHI, the Plan must honor that request, unless the information is needed to provide emergency treatment to you. The Plan will inform you whether the Plan has agreed to the restriction. The Plan can terminate the restriction if it becomes too difficult to do, but the Plan must tell you that the Plan is going to terminate the restriction. You should discuss any request to restrict use or disclosure of your PHI by contacting the Privacy Officer of the Plan.

You have the right to request to receive confidential communications from the Plan by alternative means or at an alternative location: The Plan will accommodate any reasonable request to provide an alternative means of communication. The Plan may condition this accommodation by asking you for information on how payment of potential fees will be handled or require that you specify an alternative address or other method of contact. The Plan may also require you to clearly state that disclosure of your PHI could endanger you. You should make this request by contacting the Privacy Officer of the Plan.

You have the right to amend your PHI: You may request an amendment or correction to your PHI contained in your records for as long as the Plan maintains that information. In certain cases, the Plan may deny your request for an amendment. You and the Plan have the right to file statements of disagreement and rebuttal. If you would like to amend your health information, contact the Privacy Officer of the Plan.

You have the right to receive an accounting of certain disclosures the Plan has made, if any, of your PHI: The Participant has the right to request an accounting of disclosures the Plan has made of his/her PHI. The request must be made in writing and does not apply to disclosures for treatment, payment, health care operations, and certain other purposes. The Participant is entitled to such an accounting for the six (6) years prior to his/her request. Except as provided below, for each disclosure, the accounting will include: (a) the date of the disclosure, (b) the name of the entity or person who received the PHI and, if known, the address of such entity or person; (c) a description of the PHI disclosed, (d) a statement of the purpose of the disclosure that reasonably informs the Participant of the basis of the disclosure, and certain other information. If the Participant wishes to make a request, please contact the Privacy Compliance Coordinator.

Right to obtain a paper copy of this notice from the Plan: You have the right to receive a paper copy of this notice from your health plan upon request.

COMPLAINTS:

If you believe that your privacy rights have been violated by this Plan, you may file a complaint with the Plan and with the Secretary of the United States Department of Health and Human Services. If you file a complaint, you will not be retaliated against. To file a complaint with the Plan, contact the Privacy Officer of the Plan.

CONTACT:

Call your human resource department to receive more information about this Notice of Privacy Rights. The contact person to request is the Privacy Officer.

HIPAA SECURITY

HIPAA SECURITY: Disclosure of Electronic Protected Health Information (“Electronic PHI”) to the Plan Sponsor for Plan Administration Functions

STANDARDS FOR SECURITY OF INDIVIDUALLY IDENTIFIABLE HEALTH INFORMATION (“SECURITY RULE”): The Security Rule imposes regulations for maintaining the integrity, confidentiality and availability of protected health information that it creates, receives, maintains, or maintains electronically that is kept in electronic format (ePHI) as required under the Health Insurance Portability and Accountability Act (HIPAA).

DEFINITIONS

  1. “Electronic Protected Health Information” (ePHI) is defined in Section 160.103 of the Security Standards (45 C.F.R. 160.103) and means individually identifiable health information transmitted or maintained in any electronic media.
  2. “Security Incidents” is defined within Section 164.304 of the Security Standards (45 C.F.R. 164.304) and means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with systems operation in an information system.

PLAN SPONSOR OBLIGATIONS
To enable the Plan Sponsor to receive and use Electronic PHI for Plan Administration Functions (as defined in 45 CFR §164.504(a)), the Plan Sponsor agrees to:

  1. Implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of the Electronic PHI that it creates, receives, maintains, or transmits on behalf of the Plan;
  2. Ensure that adequate separation between the Plan and the Plan Sponsor, as required in 45 CFR § 164.504(f)(2)(iii), is supported by reasonable and appropriate Security Measures;
  3. Ensure that any agent, including a subcontractor, to whom the Plan Sponsor provides Electronic PHI created, received, maintained, or transmitted on behalf of the Plan, agrees to implement reasonable and appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of the Electronic PHI and report to the Plan any security incident of which it becomes aware; and
  4. Report to the Plan any security incident of which it becomes aware.

NOTIFICATION REQUIREMENTS IN THE EVENT OF A BREACH OF UNSECURED PHI
The required breach notifications are triggered upon the discovery of a breach of unsecured PHI. A breach is discovered as of the first day the breach is known, or reasonably should have been known.

When a breach of unsecured PHI is discovered, the Plan will:

  1. Notify the Participant whose PHI has been, or is reasonably believed to have been, accessed, acquired, used, or disclosed as a result of the breach, in writing, without unreasonable delay and in no case later than sixty (60) calendar days after discovery of the breach. Breach Notification must be provided to the individual by:
    1. Written notice by first-class mail to Participant (or next of kin) at last known address or, if specified by Participant, e-mail;
    2. If the Plan has insufficient or out-of-date contact information for the Participant, the Participant must be notified by a “substitute form”;
    3. If an urgent notice is required, Plan may contact the Participant by telephone.
      1. The Breach Notification will have the following content:
        1. Brief description of what happened, including date of breach and date discovered;
        2. Types of unsecured PHI involved (e.g., name, Social Security number, date of birth, home address, account number);
        3. Steps Participant should take to protect from potential harm;
        4. What the Plan is doing to investigate the breach, mitigate losses and protect against further breaches;
  2. Notify the media if the breach affected more than five hundred (500) residents of a State or jurisdiction. Notice must be provided to prominent media outlets serving the State or jurisdiction without unreasonable delay and in no case later than sixty (60) calendar days after the date the breach was discovered;
  3. Notify the HHS Secretary if the breach involves five hundred (500) or more individuals, contemporaneously with the notice to the affected individual and in the manner specified by HHS. If the breach involves less than five hundred (500) individuals, an internal log or other documentation of such breaches must be maintained and annually submitted to HHS within sixty (60) days after the end of each Calendar Year; and
  4. When a Business Associate, which provides services for the Plan and comes in contact with PHI in connection with those services discovers a breach has occurred, that Business Associate will notify the Plan without unreasonable delay and in no case later than sixty (60) calendar days after discovery of a breach so that the affected Participants may be notified. To the extent possible, the Business Associate should identify each individual whose unsecured PHI has been, or is reasonably believed to have been, breached.

Any terms not otherwise defined in this section shall have the meanings set forth in the Security Standards.