ICS HIPAA Rights Policy

Purpose of Policy

The purpose of this policy is to ensure that Independence Care System (“Company”) assures enrollees of the rights afforded to them under the Health Insurance Portability and Accountability Act (HIPAA).

Definitions

Business Associate means a person or entity that provides services to or on behalf of Company and, in the course of providing these services, receives, creates or has access to Company’s PHI. Examples of business associates include claims processing companies, attorneys, accountants and software maintenance vendors. Business associates do not include individuals or entities with incidental access to PHI such as office cleaning services or repair personnel.

Designated Record Set means enrollment, payment, claims adjudication and medical management records as well as any other records used by Company or its Business Associates, in whole or in part, to make decisions about enrollees.

Health Care Operations means (i) quality improvement and assessment, (ii) reviewing the competence or qualifications of health care professionals, (iii) underwriting and premium rating, (iv) medical review, legal services, auditing and compliance program administration, (v) business planning and development and (vi) business management and general administration.

HIPAA means the Health Insurance Portability and Accountability Act of 1996.

Payment means any activities related to the collection of premiums, the payment of claims or the provision of benefits and coverage.

Protected Health Information or PHI means information that relates to the past, present or future physical or mental health or condition of an individual, the provision of health care to an individual or the past, present or future payment for the provision of health care to an individual, and identifies or could reasonably be used to identify the individual. Protected health information includes demographic information about individuals (such as name, address and social security number) created in connection with the development of health-related information, even if later separated from the health information.

Policy Requirements

Access to Records

Enrollees may request an inspection or copies of any PHI maintained by Company or its Business Associates in a Designated Record Set. All such requests must be made in writing on Company’s standard request form and directed to the Privacy Officer.

The Privacy Officer will ensure a response to access requests within 30 days unless the records are maintained off-site, in which case a response shall be made within 60 days. The Privacy Officer may deny access to records only for one of the reasons specified in 45 C.F.R. § 164.524.  If access is denied, the Privacy Officer must provide the enrollee with a written denial notice. To the extent required by 45 C.F.R. § 164.524, the denial notice should inform the enrollee of his or her right to appeal Company’s decision.

Company will charge enrollees requesting copies of their records a reasonable fee to cover the cost of copying and postage.  No fees will be charged for on-site inspections of records.

A copy of all correspondence relating to requests for access to records by enrollees will be maintained in the enrollee’s file.  The Privacy Officer will maintain another copy of this correspondence in a separate file. Company will retain this documentation for six years.

Amendment of Records

Enrollees may request an amendment to any of their PHI maintained by Company or any of its Business Associates in a Designated Record Set. All such requests must be made in writing on Company’s standard form and directed to the Privacy Officer. The Privacy Officer must respond to requests for an amendment within 60 days. No fee will be charged for such requests.

If the Privacy Officer agrees to the amendment request, he or she must notify the enrollee and append or link the amendment to the original record. The original record should not be modified. If the Privacy Officer denies the request, he or she must send the enrollee a written denial notice using Company’s standard form. The notice will advise the enrollee that he or she has the right to submit a written statement of disagreement in response to the denial. The amendment request, the denial notice and the statement of disagreement, if any, must be appended or linked to the original record.

The Privacy Officer may deny a request for an amendment if the relevant PHI (i) was not created by Company or one of its Business Associates, (ii) is not part of a Designated Record Set, (iii) would not be available for inspection and copying under this policy, or (iv) is accurate and complete. The reason for the denial will be specified in the denial notice.

The Privacy Officer will maintain a copy of all correspondence related to amendment requests for six years. The Privacy Officer will carry out any other responsibilities imposed on Company under 45 C.F.R. § 164.526.

Accounting of Disclosures

Enrollees may request an accounting of certain disclosures of their PHI made by Company or any of its Business Associates for the six-year period immediately preceding the date of the request. All such requests must be made in writing on Company’s standard form and directed to the Privacy Officer. The Privacy Officer will provide an accounting within 60 days of a request.

The accounting provided by Company will not include disclosures for any of the following purposes: (1) except as specified in the next paragraph, to facilitate medical treatment or carry out Payment or Health Care Operations; (2) to the enrollee; (3) pursuant to the enrollee’s written authorization; (4) to federal officials for national security or intelligence purposes; (5) to a correctional institution or law enforcement official that has custody of an enrollee if the Privacy Officer determines that the disclosure is not subject to the accounting requirement; and (6) to a health oversight or law enforcement agency if the agency notifies Company in writing that the provision of an accounting during a specified period would impede the agency’s activities.

Company will provide an accounting of disclosures made to facilitate treatment or carry out Payment or Health Care Operations if the disclosure was made electronically through an electronic health record system. The accounting of such disclosures will be limited to disclosures made during the three-year period immediately preceding the date of the request, but in no event during the period prior to the HITECH Accounting Date. For purposes of this policy, the HITECH Accounting Date will be (i) January 1, 2014 for electronic health record systems acquired by Company prior to January 1, 2009 and (ii) the date of acquisition or January 1, 2011, whichever is later, for electronic health record systems acquired by Company after January 1, 2009.

The accounting will include:  (1) the date of the disclosure; (2) the name of the recipient and, if known, the recipient’s address; (3) a brief description of the PHI disclosed; and (4) a brief statement of the purpose of the disclosure.

Company will not charge an enrollee a fee for the first accounting requested in any 12-month period. For additional requests, the Privacy Officer will inform the enrollee in advance that the enrollee will be charged a fee to cover Company’s reasonable costs.

The Privacy Officer will maintain a copy of all correspondence related to accounting requests for six years. The Privacy Officer will carry out any other responsibilities imposed on Company under 45 C.F.R. § 164.528.

In order to ensure that Company has the capacity to provide an accounting upon request, whenever an employee or Business Associate discloses PHI for any purpose that is subject to the accounting requirement, the employee or Business Associate must provide a copy of the information to the Privacy Officer. The Privacy Officer will develop a database or other tracking system that includes the information that must be included in an accounting.

Restrictions on Uses and Disclosures of Protected Health Information

Enrollees may request a restriction on uses and disclosures of their PHI by Company and its Business Associates to facilitate medical treatment or carry out Payment or Health Care Operations. All such requests must be made in writing and directed to the Privacy Officer. The Privacy Officer will respond in writing to such requests within a reasonable time period not to exceed 30 days. No fee will be charged to process such requests.

The Privacy Officer is not required to agree to all requests. In making determinations regarding restriction requests, the Privacy Officer will consider whether the request is reasonable given Company’s business and legal obligations. If the Privacy Officer agrees to a restriction request, he or she will advise all relevant employees and Business Associates of the decision. Company will not use or disclose PHI in violation of any agreed upon restriction.

The Privacy Officer will maintain a copy of all correspondence related to restriction requests for six years. The Privacy Officer will carry out any other responsibilities imposed on Company under 45 C.F.R. § 164.522.

Alternative Communications

Enrollees may request that Company and its Business Associates communicate with them by alternative means or at alternative locations.  All such requests must be made in writing and directed to the Privacy Officer. The Privacy Officer will respond in writing to such requests within a reasonable time period not to exceed 30 days. No fee will be charged to process such requests.

The Privacy Officer will accommodate all reasonable requests. The Privacy Officer may not ask the enrollee to provide a reason for his or her request. If the Privacy Officer agrees to an alternative communication request, he or she will advise all relevant employees and Business Associates of the decision so that they may revise their contact information and systems.

The Privacy Officer will maintain a copy of all correspondence related to alternative communication requests for six years.  The Privacy Officer will carry out any other responsibilities imposed on Company under 45 C.F.R. § 164.522.

Complaints

Enrollees may file complaints regarding Company’s privacy policies or practices with the Privacy Officer or the U.S. Department of Health and Human Services. Company will not discriminate or retaliate against an enrollee for filing a complaint.

Privacy Notice

Company will provide by e-mail or regular mail a copy of its Notice of Privacy Practices to all new enrollees in conjunction with the commencement of their coverage. Every three years, Company will notify all existing enrollees of the availability of the Notice of Privacy Practices and how to obtain a copy. A copy of the Notice of Privacy Practices will be prominently displayed on Company’s web site. No amendment of the Notice of Privacy Practices may be made without the approval of the Privacy Officer.

Policy Enforcement

This policy applies to all Company employees. Employees who violate this policy will be subject to discipline, up to and including termination of employment.

APPROVED

This page is approved.