Implemented April 14, 2003
Purpose & Objectives
This policy addresses how the MUS may use and disclose members’ protected health information. It defines the policies and procedures the MUS has adopted to protect the privacy of this information.
At any given time, the MUS has minimal protected health information in its possession. HIPAA coverage attaches to the MUS primarily because of the fact that the MUS provides eligibility and enrollment information to its Business Associates, who in turn provide services to our members. Typically, MUS staff who handle routine appeals receive protected health information directly from members or through Business Associates.
Information concerning members’ eligibility, enrollment, protected health information and other information that MUS staff have received in the performance of their job duties, has always been confidential information. Historically, MUS staff have only shared this information with those who need the information in order to process benefits, claims and appeals. This does not change under HIPAA.
It is the objective of this policy to prevent the unauthorized release or disclosure of members’ confidential health information to the greatest extent possible and to fully comply with HIPAA.
This policy applies to the MUS and its officers and employees. The MUS’s Business Associates and other organizations that perform business activities for the MUS also must comply with certain provisions of HIPAA.
MUS means the Montana University System and the Payroll/Benefits Operations for the MUS. For the purposes of HIPAA compliance the MUS is considered a single “covered entity.”
MUS Director of Benefits means Director of Benefits for the Montana University System.
Business Associate means employees, contractors, subcontractors, agents and vendors of the MUS.
Member means an eligible employee as defined in §2-18-701, MCA, and the employee’s eligible dependents.
Protected Health Information (PHI) means individually identifiable health information that is transmitted or maintained by electronic media; or transmitted or maintained in any other form or medium. The term does not include individually identifiable health information in educational records covered by the Family Educational Right and Privacy Act, 20 USC 1232, and employment records held by the MUS as an employer.
HIPAA means the privacy regulations published by the U.S. Department of Health and Human Services as part of the Health Insurance Portability and Accountability Act. These regulations are defined in 45 CFR Parts 160 and 164.
General Policy Provisions
Policy #1: The MUS may use or disclose PHI only as permitted or required by state of Montana law and HIPAA regulations.
Permitted and required uses and disclosures that do not require a member’s authorization:
1. To a member.
2. For treatment, payment, or health care operations, for example, to determine eligibility for benefits prior to enrollment in a MUS administered health or other insurance plan; to Business Associates that perform plan administration activities on behalf of the MUS; to the plan sponsor for the purposes of obtaining premium bids or modifying, amending, or terminating the group health and insurance plans.
3. In certain circumstances when a member has been given notice of disclosure and has the opportunity to agree or object.
4. As otherwise permitted or required by law, for example: to a public health authority, social services, or protective services agency; in response to a court order, subpoena, discovery request, or other lawful process; to law enforcement; to researchers; to avert a serious threat to health and safety; for specialized government functions such as military or national security activities; to the extent needed to provide emergency treatment; and to comply with workers’ compensation laws, etc.
Uses and disclosures that require a member’s valid HIPAA authorization:
1. In non-routine situations to ask for or disclose information to a third party.
2. To use or disclose psychotherapy notes except to defend the MUS in a legal action brought by a member.
3. For marketing except during a face-to-face communication with or to provide a promotional gift of nominal value to a member.
4. For disclosure to an employer for use in employment related determinations.
5. For research purposes unrelated to a member’s treatment.
Policy #2: The MUS will make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.
Benefits MUS supervisory employees must determine the levels of access to PHI required by each position in the MUS and develop procedures to limit access to those employees who require such information in order to perform their job duties.
The minimum necessary standard does not apply to:
1. Disclosures to or requests by a health care provider for treatment;
2. Disclosures made to a member; or
3. Other uses or disclosures required by law.
Policy #3: Under certain conditions, a member has a right of access to inspect and obtain a copy of the member’s PHI in records that the MUS creates or maintains.
The MUS Director of Benefits will designate an employee who is responsible for receiving, evaluating, and responding to requests for access to PHI.
The right of access does not apply to information compiled in reasonable anticipation of, or for use in a civil, criminal, or administrative action or proceeding.
There are some cases where the MUS may deny a member right of access to PHI. In some cases, the member may have an opportunity for the denial to be reviewed by a licensed health care professional designated by the MUS to act as a reviewing official.
If the MUS does not create or maintain the PHI in its records, employees are directed to refer the member to the Business Associate or provider that originates the PHI.
Policy #4: Under certain conditions, a member has a right to amend the member’s PHI that the MUS creates or maintains.
A member must make a written request to amend PHI, which includes a reason to support the requested amendment. The MUS will act on request within 60 days of receipt of the request. This time period may be extended 30 days.
In certain cases, the MUS may deny a member the right to amend PHI. For example, if the information was not created by the MUS, or it is not part of the records maintained by the MUS, or if the information is accurate and complete.
If another entity maintains PHI to be amended, employees are directed to refer the member to the Business Associate or provider that maintains or originates the PHI.
Policy #5: Members have a right to adequate notice of the uses and disclosures of PHI that are made by the MUS, and of members’ rights regarding PHI.
The MUS will create, maintain, and provide a notice of privacy practices to members as required by the HIPAA regulations. For example, a privacy notice will be provided upon request, periodically distributed via mail and/or e -mail to members, and distributed to members at the time of enrollment in the group health plan.
Policy #6: Under certain conditions, members have a right to request and receive an accounting of the MUS’s use and disclosure of PHI for a period of six years prior to the date a member makes a request.
The MUS Director of Benefits will designate an employee who is responsible for receiving and processing accounting requests. Requests must be made in writing. The MUS will respond to a request for accounting within 60 days following receipt of the request.
The right to request an accounting does not apply to:
1. Uses and disclosures to carry out treatment, payment, or health care operations;
2. Permitted disclosures made to members;
3. Incident to other permitted or required uses and disclosures;
4. Pursuant to an authorized use and disclosure; and
5. Other uses and disclosures as described in the HIPAA regulations at §164.528(1) and (2), for example, those occurring prior to April 14, 2003.
The MUS will maintain logs of uses and disclosures of PHI information required to be in an accounting, as well as, copies of responses to members’ written accounting requests. These documents must be kept for a period of six years.
Policy #7: The MUS will implement the following administrative requirements of HIPAA as described in §164.530:
1. The MUS Director of Benefits will appoint a privacy official who is responsible for the development and implementation of the MUS’s privacy policies and procedures.
2. MUS Director of Benefits will appoint a contact person who is responsible for receiving privacy violation complaints and who is able to provide further information about the requirement to notice members of their privacy rights. The MUS Director of Benefits will determine the process for individuals to make complaints about the MUS’s privacy policies and procedures, and how the MUS documents complaints and their disposition.
3. As necessary and appropriate, the MUS will periodically train employees on privacy policies and procedures with respect to PHI in order for the employees to carry out their job duties in compliance with HIPAA regulations. The MUS Director of Benefits will determine training content and frequency.
4. The MUS Director of Benefits will determine and adopt appropriate administrative, technical, and physical safeguards to protect the privacy of PHI from any intentional or unintentional use or disclosure that violates the MUS’s privacy policies and procedures.
A disciplinary action is private information and will be maintained in accordance with the Employee Records Keeping Policy, (MOM policy 30110). HIPAA regulations require retention of disciplinary sanction information for six years.
6. The MUS may not intimidate, threaten, coerce, or discriminate against any member or other person for exercising their rights under this policy, including filing a complaint under this policy.
7. The MUS reserves the right to update this policy as necessary to comply with changes in the law or the HIPAA regulations. Members will be notified of policy changes.
8. The MUS will maintain the documentation necessary to comply with HIPAA regulations for a minimum of six years. Examples of this documentation include adopted privacy policies and procedures and records related to authorizations (policy #1); employee classification and access to PHI (policy #2); requests to amend or access PHI and titles of the employees responsible for processing this information (policies #3 and 4); notices of privacy practices (policy #5); requests for accounting of disclosures of PHI (policy #6); complaints received (policy #7.2); training materials and classes (policy #7.3); corrective actions taken (policy #7.4); and records of hardware and software security testing, etc.
When this documentation is no longer necessary, it will be destroyed in a manner that protects PHI, for example, shredding paper documents and deleting and erasing electronic records and their backup files.