MOUNTAIN HEALTH COOPERATIVE NOTICE OF PRIVACY PRACTICES
THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED HOW YOU CAN GET ACCESS TO THIS INFORMATION.
PLEASE REVIEW IT CAREFULLY.
The MOUNTAIN HEALTH COOPERATIVE (“Co-Op”) is committed to safeguarding and protecting your protected health information from unauthorized uses and disclosures.
We are required by law to:
- Maintain the privacy of your protected health information;
- Explain our legal duties and privacy practices with respect to your protected health information; and
- Notify affected individuals following a breach of unsecured protected health information.
We apply the protections and practices described in this notice to all protected health information that we maintain, including the information of former members who are no longer covered by us. We abide by the notice that is currently in effect. This notice is effective October 1, 2014.
Uses and Disclosures of Your Protected Health Information
We may use and disclose your protected health information under the following circumstances without your permission. Not every possible use or disclosure in each category is listed.
Treatment. We may use or disclose your protected health information your health care providers to facilitate medical treatment and services. We may disclose your protected health information for the treatment activities of any of your health care providers, for example, to provide you with preventative health, early detection and disease and case management programs.
Payment. We may use your protected health information for payment purposes, for example, to facilitate payment for the treatment and services you receive from health care providers, to determine benefit responsibility under your plan, to coordinate plan coverage, to assist with processing or adjudicating claims and for our other payment activities.
Health Care Operations. We may use your protected health information for Co-op health care operations, for example, Co-Op operational or administrative purposes necessary to run the Co-Op, conducting quality assessment and improvement activities, premium rating, submitting claims for stop-loss or excess loss coverage, conducting or arranging for medical review, legal services, audit services, compliance activities, business planning, development and cost management, and general Co-Op administration. We may also disclose protected health2 information about you to another covered entity for its operational activities under certain circumstances. We are prohibited by law from using or disclosing genetic health care information for underwriting purposes.
Business Associates. We may contract with individuals or entities known as Business Associates to perform various functions on the Co-Op’s behalf or to provide certain services to the Co-Op. In order to perform such functions or provide such services, Business Associates may receive, create, maintain, use and/or disclose your protected health information, but only after they agree with us in writing to implement appropriate safeguards regarding your protected health information.
To Plan Sponsors. For purposes of administering employer sponsored group health plans, we may disclose your protected health information to certain employees of your employer. However, those employees may only use or disclose that information as necessary to perform plan administration functions or as otherwise required or authorized by HIPAA, unless you have authorized further use or disclosures. Your protected health information cannot be used for employment purposes without your specific authorization.
Health-Related Services, Reminders and Marketing. We may use your personal information to communicate with you for health-related services, reminders, and/or marketing activities, for example informing you of available or replacement health plans or enhancements, reminding you to obtain preventive health services, including wellness classes and information, and providing information on treatment alternatives or health- related benefits and services. We will not use or disclose your protected health information for marketing communications unless you authorize us to do so, except as permitted by law. Further, we will not sell your protected health information without your authorization, except as permitted by law.
Special Situations
In addition to the above uses and disclosures, the following categories describe other possible ways that we may use and disclose your protected health information. Not every possible use or disclosure in each category is listed.
As Required by Law. We may disclose your protected health information when required to do so by federal, state or local law, including disclosures to government agencies with certain oversight responsibilities. The law also requires that we make your personal information available to you, subject to certain limited exceptions.
To Avert a Serious Threat to Health or Safety. We may use and disclose your protected health information when necessary to prevent a serious threat to your health and safety, or the health and safety of the public or another person. Any disclosure, however, would only be to3 someone able to help prevent the threat. For example, we may disclose your protected health information in a proceeding regarding the licensure of a physician.
Law Enforcement. We may release protected health information if asked to do so by a law enforcement official: in response to a court order, warrant, summons or other similar process; to identify or locate a suspect, fugitive, material witness, or missing person; about the victim of a crime if, under limited circumstances, we are unable to obtain the person’s agreement; about a death we believe may be the result of criminal conduct; about criminal conduct; and in emergency circumstances to report a crime; the location of the crime or victims; or the identity, description or location of the person who committed the crime.
Lawsuits and Disputes. If you are involved in a lawsuit or a dispute, we may disclose protected health information about you in response to a court or administrative order. In certain circumstances, we may disclose protected health information about you in response to a subpoena or discovery request.
Workers’ Compensation. We may disclose your protected health information for workers’ compensation or similar programs. These programs provide benefits for work related injuries or illness.
Public Health Risks. We may disclose your protected health information for public health actions. These actions generally include the following:
- To prevent or control disease, injury or disability;
- To report births and deaths;
- To report child abuse or neglect;
- To report reactions to medications or problems with products;
- To notify people of recalls of products they may be using;
- To notify a person who may have been exposed to a disease or may be at risk for contracting or spreading a disease or condition; and
- To notify the appropriate government authority if we believe that an individual has been the victim of abuse, neglect or domestic violence. We will only make this disclosure if you agree or when required or authorized by law.
Government Audits and Oversight Activities. We are required to disclose your protected health information to the Secretary of the United States Department of Health and Human Services when the Secretary is investigating or determining our compliance with the HIPAA Privacy Rule. We may also use or disclose your protected health information for health care oversight, such as activities of state insurance commissioners, HHS, the U.S.4 Department of Labor, and the U.S. Food and Drug Administration, licensing and peer review authorities, and fraud prevention agencies.
Military and Veterans. We may disclose your protected health information as required by military command authorities, if you are a member of the armed forces.
Coroners, Medical Examiners and Funeral Directors. We may release protected health information to a coroner or medical examiner. This may be necessary, for example, to identify a deceased person or determine the cause of death. We may also release medical information about patients to funeral directors as necessary to carry out their duties.
Other Special Situations. We may also use and disclose your protected health information under certain circumstances relating to the following categories.
- To facilitate your organ and tissue donation;
- To authorized federal officials for intelligence, counterintelligence or other national security activities authorized by law;
- To law enforcement or correctional institution officials, if you are an inmate of a correctional facility or in law enforcement custody;
- For research purposes, where certain privacy safeguards have been met; and
- In any other circumstances where required or authorized by the HIPAA Privacy Rule.
Other Disclosures
Personal Representatives. We generally will disclose your protected health information to an individual designated or authorized as your personal representative, attorney-in-fact or agent, guardian, etc., so long as we are provided with a written authorization or other legally valid and sufficient document (e.g., power of attorney, letters of guardianship, etc.). Such disclosures will not be made under certain circumstances, such as where you have been subjected to domestic violence, abuse or neglect by such person, treating such person as your personal representative could endanger you, or where in the exercise of professional judgment, we determine it is not in your best interests to treat the person as your personal representative.
Family and Friends Involved in Care. We may share your protected health information with your spouse, family members, friends or other persons whom you identify as being involved in your care or payment for health care. We may also discuss this information with these other persons if you are present and agree or you do not object when given the opportunity to do so. If you are not present or it is impracticable to gain your consent for5 certain disclosures, because of emergency or other circumstances, we may discuss your protected health information with a family member or other person involved in your care, when, in exercising our professional judgment, we determine that doing so would be in your best interest. We may also use our professional judgment and experience to make reasonable inferences about your best interests in allowing another person to act on your behalf in certain circumstances. In addition, if you are deceased we may disclose personal information as allowed by law about you to a family member or other certain other persons who were involved in your care or payment for your care prior to your death if the information is relevant to that person’s involvement, unless doing so is inconsistent with any prior expressed preference of your that is known to us.
Other Uses and Disclosures Only As Authorized by You. We must obtain a separate, specific authorization from you to use or disclose your protected health information for any purpose not covered by this notice or the laws that apply to us. Authorizations are valid for up to two (2) years. You may revoke your written authorization at any time, so long as the revocation is in writing. Once we receive your written revocation, it will be effective only for future uses and disclosures. It will not be effective for any use or disclosure made in reliance upon the written authorization and made prior to receiving your written revocation.
Use and Disclosure of Certain Types of Medical Information. Certain types of personal information require that we provide greater privacy protection. For example, use or disclosure of certain types of personal information must be specifically authorized by you or be required by law for certain HIV Test Information, Genetic Information, Psychotherapy Notes, or Alcoholism or Drug Abuse Information.
No Use of Genetic Information. We are prohibited by law from using or disclosing your protected health information that is genetic information for purposes of underwriting. If we request your health information at any time, we are not requesting your genetic information.
Internal protection of information across the organization
The CO-OP Compliance Officer shall periodically monitor the CO-OP’s compliance regarding its reasonable efforts to safeguard PHI.
Safeguards for Verbal Uses
These procedures shall be followed, if reasonable by the CO-OP, for any meeting or conversation where PHI is discussed.
Meetings during which PHI is discussed:
1. Specific types of meetings where PHI may be discussed include, but are not limited to:
a. Grievances & Appeals Meetings
b. Medical Review Meetings
c. Adhoc member Complaint Meetings
d. Member Services Staff Meetings
e. Customer Service Meetings with TPA
2. Meetings will be conducted in an area that is not easily accessible to unauthorized persons.
3. Meetings will be conducted in a room with a door that closes, if possible.
4. Voices will be kept to a moderate level to avoid unauthorized persons from overhearing.
5. Only staff individuals who have a “need to know” the information will be present at the meeting. (See the Policy “Minimum Necessary Uses and Disclosures.”)
6. The PHI that is shared or discussed at the meeting will be limited to the minimum amount necessary to accomplish the purpose of sharing the PHI.
Telephone conversations:
1. Telephones used for discussing PHI are located in as private an area as possible.
2. Staff individuals will take reasonable measures to assure that unauthorized persons do not overhear telephone conversations involving PHI. Reasonable measures may include:
a. Lowering the voice
b. Requesting that unauthorized persons step away from the telephone area
c. Moving to a telephone in a more private area before continuing the conversation
3. PHI shared over the phone will be limited to the minimum amount necessary to accomplish the purpose of the use or disclosure.
In-Person conversations:
• With individual/family in public areas
• With authorized staff in public areas
Reasonable measures will be taken to assure that unauthorized persons do not overhear conversations involving PHI. Such measures may include:
1. Lowering the voice
2. Moving to a private area within the CO-OP
Safeguards for Written PHI
All documents containing PHI should be stored appropriately to reduce the potential for incidental use or disclosure. Documents should not be easily accessible to any unauthorized staff or visitors.
Active Records:
1. Active records shall be stored in an area that allows staff providing service to individuals to access the records quickly and easily as needed.
2. Authorized staff shall review the record in-house, unless it is signed out in accordance with CO-OP procedure.
3. Active records shall not be left unattended where unauthorized individuals could easily view the records.
4. Only authorized staff shall review the records. All authorized staff reviewing records shall do so in accordance with the minimum necessary standards.
5. Records shall be protected from loss, damage and destruction.
a. Active Business Files:
b. Active Business Files shall be stored in a secure area that allows authorized staff access as needed.
c. Thinned Records, Inactive Records:
6. Thinned and inactive records will be filed in a systematic manner in a location that ensures the privacy and security of the information. The Health Information Manager or a designee shall monitor storage and security of such records. When records are left unattended, records will be in a locked room, file cabinet or drawer.
7. The Administrator will identify and document those staff individuals with keys to stored records. The minimum number of staff necessary to assure that records are secure yet accessible shall have keys allowing access to stored Records. Staff individuals with keys shall assure that the keys are not accessible to unauthorized individuals.
8. Inactive records must be signed out if removed from their designated storage area. Only authorized persons shall be allowed to sign out such records.
9. Records must be returned to storage promptly.
10. In the event that the confidentiality or security of PHI stored in an active or inactive record has been breached, the CO-OP Privacy Official and Administrator shall be notified immediately.
11. CO-OP procedure will be followed if records are missing.
Inactive Business Files:
Inactive Business Files shall be stored in a systematic manner in a location that ensures privacy and security of the information.
Office Equipment Safeguards
Computer access:
1. Only staff individuals who need to use computers to accomplish work-related tasks shall have access to computer workstations, terminals and systems.
2. All users of computer equipment must have unique login and passwords.
3. Passwords shall be changed every 90 days. (See Password Management Procedure).
4. Posting, sharing and any other disclosure of passwords and/or access codes is prohibited (except as pre-approved and documented by the Compliance Officer).
5. Access to computer-based PHI shall be limited to staff individuals who need the information for treatment, payment, health care operations or business reasons.
6. CO-OP staff individuals shall log off their workstation when leaving the work area.
7. Computer monitors shall be positioned so that unauthorized persons cannot easily view information on the screen.
8. Employee access privileges will be removed promptly following their departure from employment.
9. Employees will immediately report any violations of this Policy to their supervisor, Administrator or CO-OP Compliance Officer.
Printers, copiers and fax machines:
10. Printers will be located in areas not easily accessible to unauthorized persons.
11. If equipment cannot be relocated to a secure location, a sign will be posted near the equipment indicating that unauthorized persons are prohibited from viewing documents from the equipment. Sample language: “Only authorized staff may view documents generated by this (indicate printer, copier, fax, etc). Access to such documents by unauthorized persons is prohibited by federal law.”
12. Documents containing PHI will be promptly removed from the printer, copier or fax machine and placed in an appropriate and secure location.
13. Documents containing PHI that must be disposed of due to error in printing will be destroyed by shredding or by placing the document in a secure recycling or shredding bin until destroyed.
Sending or Receiving PHI via Fax:
1. The fax machine should be located in an area that is not easily accessible to unauthorized persons. The fax machine should not be located in a public area where confidentiality of PHI might be compromised.
2. Received documents will be removed promptly from the fax machine. To promote secure delivery, instructions on the cover page will be followed.
3. Steps should be taken to ensure that the fax transmission is sent to the appropriate destination. These include:
a. Pre-programming and testing destination numbers whenever possible to eliminate errors in transmission due to misdialing.
b. Asking frequent recipients to notify the CO-OP of a fax number change.
c. Confirming the accuracy of the recipient’s fax number before pressing the send/start key.
d. If possible, printing a confirmation of each fax transmission.
4. A cover page should be attached to any facsimile document that includes PHI. (See a sample cover page following this Policy.)
i. The cover page should include:
a. Destination of the fax, including name, fax number and phone number;
b. Name, fax number and phone number of the sender;
c. Date;
d. Number of pages transmitted; and
e. Confidentiality Statement (See sample below).
4. If a fax transmission fails to reach a recipient or if the sender becomes aware that a fax was misdirected, the internal logging system should be checked to obtain incorrect recipient’s fax number. Fax a letter to the receiver and ask that the material be returned or destroyed.
5. A written Authorization for any use or disclosure of PHI will be obtained when the use or disclosure is not for treatment, payment or healthcare operations or required by federal or state law or regulation.
6. The PHI disclosed will be the minimum necessary to meet the requestor’s needs.
Sending PHI via email:
1. E-mail users will be set up with a unique identity complete with unique password and file access controls.
2. E-mail users may not intercept, disclose or assist in intercepting and disclosing e-mail communications.
3. Individual specific information regarding highly sensitive health information must not be sent via e-mail, even within the internal email system.
4. Users will restrict their use of email for communicating normal business information such as information about general care and treatment of individuals, operational and administrative matters, such as billing.
5. Users should verify the accuracy of the email address before sending any PHI.
6. PHI may be sent unprotected via e-mail within a properly secured, internal network of the organization. When sending PHI outside of this network, such as over the Internet, emails will be encrypted and transferred via an encryption appliance provided by ZixCorp. Sample security measures include password protecting the document(s) being sent or encrypting the message by including the word, “secure”, within the email subject. Additionally, filters are configured on the Zix appliance to detect PHI within an email or document and encrypt it without the sender specifying it as “secure”.
7. All e-mail containing PHI will contain a confidentiality statement (see sample below).
8. Users should exercise extreme caution when forwarding messages. Sensitive information, including individual information, must not be forwarded to any party outside the organization without using the same security safeguards as specified above.
9. Users should periodically purge e-mail messages that are no longer needed for business purposes, per the organization’s records retention policy.
10. Employee e-mail access privileges will be removed promptly following their departure from the organization.
11. Email messages, regardless of content, should not be assumed secure and private. The amount of information in any email will be limited to the minimum necessary to meet the needs of the recipient.
12. Employees should immediately report any violations of this guideline to their supervisor, Administrator or CO-OP Compliance Officer.
Rights Regarding Your Protected Health Information
You have the rights described below in regard to the protected health information that we maintain about you. You are required to submit a written request to exercise any of these rights. You may contact our Privacy Official to obtain a form that you can use to exercise any of the rights listed below.
Right to Inspect and Copy. You have the right to inspect and copy certain protected health information used to make decisions about your health benefits. To inspect and copy your protected health information, you must submit your request in writing to our Privacy Official. We may charge you a reasonable fee for the costs of copying, mailing and supplies associated with your request. We may deny your request to inspect and/or copy your protected health information in certain limited circumstances. If you are denied access, you may request that the denial be reviewed by submitting a written request to our Privacy Official.6
Right to Amend. If you feel that protected health information that we have about you is incorrect or incomplete, you may make a written request that we amend it. You have the right to request an amendment for as long as the information is kept by us. To request an amendment, your request must be made in writing and submitted to our Privacy Official. In addition, you must provide a reason that supports your amendment request. We may deny your request for an amendment if it is not in writing or does not include a reason to support the request. In addition, we may deny your request if you ask to amend information that we did not create; that is not part of the protected health information that we maintain; that is not part of the information that you would be permitted to inspect and copy; or that is accurate and complete.
Right to an Accounting of Disclosures. You have the right to request one free “accounting of disclosures” of your protected health information every 12 months. This is a list of certain disclosures we have made of your protected health information. There are several categories of disclosures that we are not required to list in the accounting. For example, we are not required to keep track of disclosures that are authorized. Your request must state a time period, which may not be longer than 6 years. If you request more than one accounting in a 12-month period, we may charge you for the costs of providing the list.
Right to Request Restrictions. You have the right to request a restriction or limitation on the protected health information we use or disclose for treatment, payment or health care operations. You also have the right to request a limit on the protected health information we disclose about you to someone who is involved in your care or the payment for your care, like a family member or friend. We are not required to agree to your request (except with respect to certain disclosures to a health plan solely with respect to a health care item or service for which the health care provider has been paid out-of-pocket in full). To request restrictions, you must make your request in writing to our Privacy Official. If we agree, we will comply with your request. In your request, you must indicate the type of restriction you want, the information you want restricted and to whom you want the limits to apply, for example, your spouse.
Right to Request Confidential Communications. You have the right to request that we communicate with you about medical matters in a certain way or at a certain location. For example, you can ask that we only contact you at work or by mail. To request confidential communications, you must make your request in writing to our Privacy Official. We will not ask you the specific reason for your request, but you must clearly indicate that the disclosure of all or part of your information may endanger you. You must specify how or where you wish to be contacted. We will accommodate all reasonable requests.
Right to be Notified of a Breach. You have the right to be notified as required by law in the event that we or a Business Associate discover a breach of your unsecured protected health information.
Right to a Paper Copy of This Notice. You have the right to a paper copy of this notice. To obtain a paper copy of this Notice, contact our Privacy Official.7
Amendments to this Notice
We reserve the right to amend this Notice. Copies of the current Notice will be posted at the Co- Op’s offices and will be available for you to pick up on each visit to the Co-Op. Contacting Our Privacy Official
For more information about our privacy practices, to discuss questions or concerns, or to receive additional copies of this notice, you may contact our Privacy
Official as follows:
Privacy Official
Mountain Health Cooperative
1545 E. Iron Eagle Drive, Suite 103
Eagle, ID 83616
208-917-1600
Email:privacyoffice@mhc.coop
Complaints
If you believe your privacy rights have been violated, you may file a complaint with us or with the Office of Civil Rights of the Department of Health and Human Services (OCR/HHS). To file a complaint with us, contact our Privacy Officer as described above. To file a complaint with the OCR/HHS, you must submit the complaint within 180 days of when you knew or should have known of the circumstance that led to the complaint. The complaint must be submitted in writing. Information on how to file a complaint can be located on the OCR/HHS website at: http://www.hhs.gov/ocr/privacy/index.html. You will not be retaliated against for filing a complaint.
Future Changes to this Notice
We will follow the privacy practices described in this notice, but we may change our privacy practices at any time. For example if privacy laws change, we will change our practices to comply with the law. If this occurs, we will send a new notice to you prior to making a significant change in our practices. Any changes will apply to all protected health information we have in our possession, including any information created or received before we changed the notice.