HIPAA Privacy

THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION.

PLEASE REVIEW IT CAREFULLY.

The Effective Date of this Notice is September 22, 2014.

This Notice of Privacy Practices (this “Notice”) describes the legal obligations of Bowling Green State University’s group health plans, including the self-funded medical and prescription drug plans, the health flexible spending account and the employee assistance program (collectively referred to as the “Plan”) and your legal rights regarding your “protected health information” (“PHI”) (as defined below) held by the Plan pursuant to the Health Insurance Portability and Accountability Act of 1996, as amended, including without limitation the amendments in the Health Information Technology for Economic and Clinical Health Act (“HITECH”), and its implementing regulations (“HIPAA”). The Plan is required by Law to take reasonable steps to ensure the privacy of your PHI. In addition, the Plan must inform you about how the Plan may Use and Disclose your PHI; your individual privacy rights; the Plan’s responsibilities concerning PHI; your right to file a complaint with the Plan and the Secretary of the U.S. Department of Health and Human Services (the “Secretary”) and the contact person to obtain additional information about the Plan’s privacy practices and procedures.

HIPAA’s privacy rules protect certain medical information known as PHI. Generally, PHI is health information, including demographic information, collected from you or created or received by a Covered Entity in any form (oral, written, or electronic), from which it is possible to individually identify you and that relates to: (1) your past, present, or future physical or mental health or condition; (2) the provision of health care to you; or (3) the past, present, or future payment for the provision of health care to you.

I. The Plan’s Responsibilities

(a) Privacy Notice

The Plan is required by Law to maintain the privacy of your PHI and provide you with this Notice, which includes the Plan’s legal duties and privacy practices. The Plan is required to comply with the terms of the Notice currently in effect. We reserve the right to change the terms of this Notice or our privacy practices and to make new provisions regarding any PHI received or maintained by the Plan prior to the date of such change, as allowed or Required by Law. A copy of this Notice will be posted at all times on the Plan Sponsor’s (Bowling Green State University’s) website for Human Resources. If we make any material change to a privacy practice and this Notice, we will post the revised Notice on such website by the effective date of the material change and provide you with a copy of the revised Notice or information regarding the material change and how to obtain the revised Notice in the Plan’s next annual mailing. The Plan may only deliver this Notice to you electronically if the Plan offers electronic delivery and you have affirmatively agreed to such delivery.

(b) Minimum Necessary Standard

The Plan will use and disclose your PHI only to the extent of and in accordance with the Uses and Disclosures permitted by HIPAA. Specifically, the Plan will follow the “minimum necessary standard” when applicable in accordance with the current definition provided by the Department of Health and Human Services or other Federal agency. Unless and until further guidance is provided, this means that when the Plan Uses or Discloses your PHI or when it requests your PHI from another Covered Entity, the Plan will limit the Use, Disclosure or request to a “limited data set” to the extent practicable or, if needed, to the minimum amount of PHI necessary to accomplish its intended purpose(s). A “limited data set” is PHI that excludes your direct identifiers (listed in 45 Code of Federal Regulations (“CFR”) §164.514(e)(2)) or those of your relatives, employers, or household members.

The minimum necessary standard will not apply in the following situations:

  • Disclosure to or requests by a Health Care Provider for treatment;
  • Uses or Disclosures made to you;
  • Uses or Disclosures made pursuant to your authorization;
  • Disclosures made to the Secretary;
  • Uses or Disclosures that are required by Law; and
  • Uses or Disclosures that are required for the Plan’s compliance with legal regulations.

Further, this Notice does not apply to information that has been de-identified. “De-identified information” is information that does not identify an Individual and with respect to which there is no reasonable basis to believe that the information can be used to identify an Individual.

(c) Notice of Privacy Breach

In the event you are affected by a “breach” of “unsecured PHI” by either the Plan or a Business Associate of the Plan, the Plan (or the Business Associate of the Plan if so delegated by the Plan) has the duty to notify you by regular mail or as otherwise permitted by law, without unreasonable delay and in no case later than sixty (60) days after discovering the breach. If a breach involves more than five hundred (500) residents of a State or jurisdiction, the Plan must also notify the Secretary and prominent local media outlets of the breach. If a breach involves five hundred (500) or fewer residents of a State or jurisdiction, the Plan must keep a log of all such breaches and annually submit such log to the Secretary.

“Breach” is the acquisition, access, use, or disclosure of PHI in a manner not permitted under HIPAA’s privacy rules, which compromises the security or privacy of the PHI.

“Unsecured PHI” is PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary (i.e., the PHI is not encrypted or destroyed).

Under HIPAA, an acquisition, access, use or disclosure of unsecured PHI is presumed to be a breach unless the Plan, or a Business Associate of the Plan, as applicable, conducts a risk assessment and demonstrates that there is a low probability that the PHI has been compromised. Specifically, the Plan’s risk assessment must consider at least the following factors:

  • The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
  • The unauthorized person who used the PHI or to whom the Disclosure was made;
  • Whether the PHI was actually acquired or viewed; and
  • The extent to which the risk to the PHI has been mitigated.

Notwithstanding the foregoing, the Plan is not required to give notice upon the occurrence of any of the following:

  • Any unintentional acquisition, access, or Use of PHI by an Employee or person acting under the authority of the Plan or a Business Associate of the Plan, if such acquisition, access, or Use was made in good faith and within the scope of authority and does not result in further Use or Disclosure in a manner not permitted by HIPAA privacy rules.
  • Any inadvertent Disclosure by a person who is authorized to access PHI at the Plan or a Business Associate of the Plan to another person authorized to access PHI within the Plan or such Business Associate, or organized health care arrangement in which the Plan participates, and the information received as a result of such Disclosure is not further Used or Disclosed in a manner not permitted by HIPAA’s privacy rules.
  • A Disclosure of PHI where the Plan or a Business Associate of the Plan has a good faith belief that an unauthorized person to whom the Disclosure was made would not reasonably have been able to retain such information.

II. How We May Use and Disclose Your PHI

(a) Uses and Disclosures for which your Authorization is not required

Under the law, we may Use or disclose your PHI under certain circumstances without your authorization. The following categories describe the different ways that we may Use and Disclose your PHI. Not every Use or Disclosure in a category will be listed. However, all of the ways we are permitted to Use and Disclose information will fall within one of the categories below. Please be advised that the Plan will not Use your Genetic Information for underwriting purposes.

For Treatment. “Treatment” is the provision, coordination or management of health care and related services. It includes but is not limited to consultations and referrals to facilitate medical treatment or services between one or more of your providers. The Plan may Disclose PHI, without your authorization, to health care providers for treatment. For example, the Plan may disclose to a specialist the name of your primary physician so that they may confer concerning your health.

For Payment. “Payment” includes but is not limited to actions to make coverage and eligibility determinations for Plan benefits and to facilitate payment for the treatment and services you receive from health care providers, to determine benefit responsibility under the Plan or to coordinate Plan coverage (this includes but is not limited to billing, claims management, subrogation, Plan reimbursement, reviews for medical necessity and appropriateness of care and utilization review and preauthorizations). The Plan may Disclose PHI, without your authorization, to other Covered Entities for their payment activities or for the Plan’s own payment activities. For example, the Plan may disclose to a doctor whether you are eligible for coverage and what percentage of the bill will be paid by the Plan.

For Health Care Operations. “Health Care Operations” are certain Uses and Disclosures that are necessary to run the Plan. The Plan may Disclose PHI, without your authorization, to other Covered Entities for purposes of its own health care operations or to other Covered Entities participating in its organized health care arrangement for health care operations or to other Covered Entities having a relationship with you for limited purposes. For example, we may Use PHI in connection with conducting quality assessment and improvement activities; reviewing health care professionals or Plan performance; underwriting, premium rating, and other activities relating to Plan coverage; submitting claims for stop-loss (or excess-loss) coverage; conducting or arranging for medical review, legal services, audit services, and fraud and abuse detection programs; business planning and development such as cost management; and business management and general Plan administrative activities.

To Business Associates. We may contract with individuals or entities known as Business Associates to perform various functions on our behalf or to provide certain types of services. In order to perform these functions or to provide these services, Business Associates will receive, create, maintain, and/or transmit your PHI, but only after they agree in writing to implement appropriate safeguards regarding your PHI. In addition, if the Business Associate utilizes any Subcontractors that will receive, create, maintain, and/or transmit your PHI, they are required to obtain a similar agreement with such subcontractor. For example, we may disclose your PHI to a Business Associate to process your claims for Plan benefits or to provide support services, such as utilization management, pharmacy benefit management, or subrogation, but only after the Business Associate enters into a Business Associate contract with us.

To the Plan Sponsor. For the purpose of administering the Plan, we may Disclose PHI, without your authorization, to the Plan Sponsor so that the Plan Sponsor will be able to carry out Plan Administration Functions. Your PHI cannot be used for employment purposes without your specific authorization. The Plan Sponsor has amended its Plan documents to protect your PHI.

(b) Use and Disclosure without an Authorization in Special Situations

In addition to the above, the following categories describe other possible ways that we may Use and Disclose your PHI without your specific authorization. Not every Use or Disclosure in a category will be listed. However, all of the ways we are permitted to Use and Disclose information will fall within one of the categories.

As Required by Law. We will disclose your PHI when required to do so by Federal, State, or local law.

Victims of Abuse, Neglect or Domestic Violence. We may Use or Disclose your PHI when authorized by law to report information about abuse, neglect or domestic violence to public authorities or if the Plan, in the exercise of professional judgment, believes Disclosure is necessary to prevent serious harm to you or another person. If the Plan makes such a Disclosure, you will be informed promptly that such report has been made unless informing you poses a risk of harm.

For Judicial and Administrative Proceedings. We may Disclose PHI in response to a court order, subpoena, warrant, summons, or similar process when satisfactory assurance is given.

Law Enforcement. We may Disclose your PHI if asked to do so by a law-enforcement official subject to certain conditions in the following situations: to identify or locate a suspect, fugitive, material witness, or missing person; about the victim of a crime if, under certain limited circumstances, we are unable to obtain the victim’s agreement; about a death that we believe may be the result of criminal conduct; and about certain criminal conduct.

Public Health Risks. We may disclose your PHI for public health activities when authorized by law. These activities generally include the following: to prevent or control disease, injury, or disability; to report births and deaths; to report reactions to medications or problems with products; to notify people of recalls of products they may be using; and to notify a person who may have been exposed to a disease or may be at risk for contracting or spreading a disease or condition.

Health Oversight Activities. We may disclose your PHI to a health oversight agency for activities as authorized by law. These oversight activities include, for example, audits, investigations, inspections, and licensure. These activities are necessary for the government to monitor the health care system, government programs, and compliance with civil rights laws.

Coroners, Medical Examiners, and Funeral Directors. We may Disclose PHI to a coroner or medical examiner. This may be necessary, for example, to identify a deceased person or determine the cause of death. We may also release PHI to funeral directors, as necessary to carry out their duties.

Organ and Tissue Donation. If you are an organ donor, we may release your PHI after your death to organizations that handle organ procurement or organ, eye, or tissue transplantation or to an organ donation bank, as necessary to facilitate organ or tissue donation and transplantation.

Research. We may Disclose your PHI to researchers when: (1) the individual identifiers have been removed; or (2) when an institutional review board or privacy board has reviewed the research proposal and established protocols to ensure the privacy of the requested information, and approves the research.

To Avert a Serious Threat to Health or Safety. We may Use and Disclose your PHI when necessary to prevent a serious and imminent threat to your health and safety, or the health and safety of the public or another person. Any Disclosure, however, would only be to someone able to help prevent the threat.

Specialized Government Functions. We may disclose your PHI to authorized Federal officials for intelligence, counterintelligence, and other national security activities authorized by law. In addition, if you are a member of the armed forces, we may release your PHI as required by military command authorities. We may also release PHI about foreign military personnel to the appropriate foreign military authority. Further, if you are an inmate of a correctional institution or are in the custody of a law-enforcement official, we may Disclose your PHI to the correctional institution or law-enforcement official for certain purposes.

Workers’ Compensation. We may release your PHI for workers’ compensation or similar programs, but only as authorized by, and to the extent necessary to comply with, laws relating to workers’ compensation and similar programs that provide benefits for work-related injuries or illness.

(c) Required Disclosures

The following is a description of Disclosures of your PHI we are required to make without your authorization.

Government Audits. We are required to disclose your PHI to the Secretary when the Secretary is investigating or determining our compliance with HIPAA’s privacy rules.

Disclosures to You. When you request, we are required to disclose your PHI that is in a “Designated Record Set.” A Designated Record Set includes the medical and billing records about Individuals maintained by or for a covered health care provider; enrollment, payment, billing, claims adjudication and case or medical management record systems maintained by or for the Plan; or other information Used in whole or in part by or for the Plan to make decisions about Individuals.

(d) Other Disclosures that require you be Given an Opportunity to Object

Individual Involved in your Care or Payment of your Care. The Plan may Disclose PHI to your family members, other relatives or close personal friends if: (a) the PHI is directly relevant to a family member’s or friend’s involvement with your care or payment for your care; and (b) you have agreed to the Disclosure, have been given an opportunity to object and have not objected, or are unavailable to ask and the Plan has determined, in the exercise of its professional judgment, that the Disclosure is in your best interests.

Other Notification Purposes. The Plan may also advise your family members, other relatives or close personal friends about your condition, location (for example, that you are in the hospital), or death, if you have agreed to the Disclosure, have been given an opportunity to object and have not objected, or are unavailable to ask and the Plan has determined, in the exercise of its professional judgment, that the Disclosure is in your best interests. In addition, if certain similar conditions are met, the Plan can Use or disclose your PHI for certain disaster relief efforts and can Disclose the PHI of a deceased Individual.

(e) Uses and Disclosures that Require your Authorization.

All other Uses or Disclosures of your PHI not described above or as permitted or required by Law will only be made with your written authorization. For example, in general and subject to specific conditions, we will not Use or Disclose your psychotherapy notes; we will not Use or Disclose your PHI for marketing; and we will not sell your PHI, unless you give us a written authorization. You may revoke written authorizations at any time, so long as the revocation is in writing. Once we receive your written revocation, it will only be effective for future Uses and Disclosures. It will not be effective for any information that may have been Used or Disclosed in reliance upon the written authorization and prior to receiving your written revocation.

III. Your Rights

You have the following rights with respect to your PHI:

Right to Inspect and Copy. You have the right to inspect your PHI that is part of a Designated Record Set, subject to certain specific exceptions, for as long as the Plan maintains the PHI. To inspect and copy your PHI, you must submit your request in writing to the Plan’s Privacy Official/Contact Person listed below. You may also request a summary and explanation of the requested information in lieu of, or in addition to, the full information.

The Plan must respond to your request by providing the information or denying the request in writing within thirty (30) days. If the requested PHI cannot be accessed within the thirty (30) day period, the deadline may be extended for thirty (30) days by providing written notice to you within the original thirty (30) day period of the reasons for the extension and the date by which the Plan will respond. If your request is granted, the Plan will provide the information requested in the form or format requested by you, if readily producible in such form. If you request the information in an electronic format and such format is not readily producible, the Plan must produce such information in an alternative electronic format as agreed to by the parties. Otherwise, the Plan must provide the information in a readable hard copy or such other form as is agreed to by you.

We may deny your request to inspect and copy in certain very limited circumstances. If your request is denied, you may request that the denial be reviewed by submitting a written request to the Plan’s Privacy Official/Contact Person listed below.

If you request a copy of the information, we may charge a reasonable fee for the costs of copying, mailing, or other supplies associated with your request. Also, if you agree in advance, the Plan may also charge a reasonable fee for preparing any summary that you request.

Right to Amend. If you feel that the PHI we have about you in a Designated Record Set is incorrect or incomplete, you may ask us to amend the information. You have the right to request an amendment for as long as the information is kept by or for the Plan in such Designated Record Set.

To request an amendment, your request must be made in writing and submitted to the Plan’s Privacy Official/Contact Person listed below. In addition, you must provide a reason that supports your request.

The Plan will respond to your request within sixty (60) days by informing you in writing that the amendment will be made or that the request is denied. If the determination cannot be made within the sixty (60) day period, the deadline may be extended for thirty (30) days by providing written notice to you within the original sixty (60) day period of the reasons for the extension and the date by which we will respond.

We may deny your request for an amendment if it is not in writing or does not include a reason to support the request. In addition, we may deny your request if you ask us to amend information that: (1) is not part of a Designated Record Set; (2) was not created by us, unless the person or entity that created the information is no longer available to make the amendment; (3) is not part of the information that you would be permitted to inspect and copy; or (4) is already accurate and complete. If we deny your request, you have the right to file a statement of disagreement with us and any future Disclosures of the disputed information will include such statement.

Right to an Accounting of Disclosures. You have the right to request an “accounting” of certain Disclosures of your PHI. The accounting will not include Disclosures that occurred prior to the date of compliance or that were: (1) for purposes of treatment, payment, or health care operations; (2) made to you; (3) made pursuant to your authorization; (4) made to those involved in your care or payment for your care or for certain notification purposes; (5) for national security or intelligence purposes; (6) to correctional institutions or for law enforcement purposes; (7) part of a limited data set; and (8) incidental to otherwise permissible Disclosures.

To request an accounting of Disclosures, you must submit your request in writing to the Plan’s Privacy Official/Contact Person listed below. Your request must state the period you want the accounting to cover, which may not be longer than six (6) years before the date of the request. Your request should also indicate in what form you want the accounting (for example, paper or electronic). The Plan will provide the first accounting in any twelve (12) month period free of charge but will charge you a reasonable, cost-based fee for any additional accounting in that period. For any subsequent accountings, the Plan will notify you of the cost involved and you may choose to withdraw or modify your request before any costs are incurred.

The Plan will act on your request as soon as reasonably possible, and within sixty (60) days after your request. However, if the accounting cannot be provided within sixty (60) days, the Plan is allowed an additional thirty (30) days to provide the accounting if you are given a written statement of the reasons for the delay and the date by which the accounting will be provided.

Right to Request Restrictions. You have the right to request a restriction or limitation on your PHI that we Use or Disclose for treatment, payment, or health care operations. You also have the right to request a limit on your PHI that we disclose to someone who is involved in your care or the payment for your care, such as a family member or friend or for other notification purposes. For example, you could ask that we not Use or Disclose information about a surgery that you had.

The Plan is not required to agree to your request unless the request is to restrict the Disclosure for purposes of carrying out payment or health care operations (and is not for purposes of carrying out treatment) and the PHI pertains solely to a health care item or service for which the health care provider involved has been paid out of pocket in full.

If we do agree to your request, we will honor the restriction until you revoke it or we notify you. Even if we do agree to the restriction, Disclosures may still be made in certain circumstances to provide the Individual subject to the restriction with emergency treatment.

To request restrictions, you must make your request in writing to the Plan’s Privacy Official/Contact Person listed below. In your request, you must tell us: (1) what information you want to limit; (2) whether you want to limit our Use, Disclosure, or both; and (3) to whom you want the limits to apply (e.g., Disclosures to your spouse).

Right to Request Confidential Communications. You have the right to request that we communicate with you about your PHI in a certain way or at a certain location. For example, you can ask that we only contact you at work or by mail.

To request confidential communications, you must make your request in writing to the Plan’s Privacy Official/Contact Person listed below. The Plan does not have to honor your request; however, the Plan will accommodate all reasonable requests if you clearly state that Disclosure of all or part of your PHI could endanger you. Your request must specify how or where you wish to be contacted.

Right to Access Individual Rights through a Personal Representative. You may exercise your rights through a personal representative. Your personal representative will be required to produce evidence of his/her authority to act on your behalf before he/she will be given access to your PHI. Evidence of authority may take one of the following forms:

  • A notarized power of attorney;
  • A court order of appointment of the person as the conservator or guardian of the Individual; or
  • Being the parent of a minor child.

The Plan retains discretion to deny access to your PHI to a personal representative if there are certain safety concerns regarding the personal representative.

Right to Be Notified of a Breach. You have the right to be notified in the event that we (or a Business Associate) discover a breach of unsecured PHI.

Right to a Paper Copy of This Notice. You have the right to obtain a paper copy of this Notice at any time upon request, even if you have agreed to receive it electronically. To obtain a paper copy of this Notice, contact the Plan’s Privacy Official/Contact Person listed below.

Right to File a Complaint. If you believe that your privacy rights have been violated, you may file a complaint with the Plan by sending your complaint in writing to the Plan’s Privacy Official, Rebecca Ferguson, Chief Human Resource Officer, at Bowling Green State University, Office of Human Resources, 1851 North Research Drive, Bowling Green, OH 43403-0201.

You may also file a complaint with the Secretary of the U.S. Department of Health and Human Services, Hubert H. Humphrey Building, 200 Independence Avenue S.W., Washington, DC 20201.

You will not be penalized, or in any other way retaliated against, for filing a complaint.

Contact Person at the Plan to Obtain More Information. If you have any questions regarding this Notice or the subjects addressed in it, or if you would like to make requests of the Plan or receive sample forms for the exercise of your legal privacy rights, you may contact the Plan’s Privacy Official, Rebecca Ferguson, Chief Human Resources Officer, at Bowling Green State University, Office of Human Resources, 1851 North Research Drive, Bowling Green, OH 43403-0201, phone: (419) 372-8421.

IV. Conclusion

You may find HIPAA’s privacy rules, as well as the capitalized terms not defined in this Notice, at 45 CFR Parts 160 and 164. This Notice attempts to summarize HIPAA’s privacy rules and regulations. The HIPAA Privacy Rules and regulations will supersede any discrepancy between the information in this Notice and such rules and regulations. If a Use or Disclosure required or permitted by this Notice is prohibited or materially limited by State privacy or other applicable laws, the Plan may be required to follow those State or other applicable laws.

Updated: 10/06/2022 04:19PM