THIS NOTICE DESCRIBES HOW CERTAIN MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION.
PLEASE REVIEW IT CAREFULLY.
The Washington and Lee University Employee Health and Welfare Plan (the "Plan") is committed to protecting the privacy and security of your protected health information and electronic protected health information as defined under HIPAA (may be collectively referred to herein as "health information" or as "PHI" or "EPHI"). Health information is information that is created or maintained by the Plan that identifies you and relates to a health condition, or to the provision or payment of health services for you. The Plan also pledges to provide you with certain rights related to your health information, as required by HIPAA.
By this Notice of Plan's Privacy and Security Policies and Practices ("Notice"), the Plan informs you that it has the following legal obligations under the federal health privacy provisions contained in the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), the HITECH Act, and the related regulations ("privacy rules" and "security rules") and that its policies and practices are as follows to comply with those obligations:
This Notice also informs you how the Plan uses and discloses your health information and explains the rights that you have with regard to your health information maintained by the Plan. For purposes of this Notice, "you" and "yours" refers to participants and dependents who are eligible for benefits described under the Plan.
The Plan collects certain health information about you to help provide health benefits to you and your eligible dependents, as well as to fulfill legal requirements. The Plan collects this health information from applications and other forms that you complete, through conversations you may have with the Plan's administrative staff and healthcare providers, and from reports and data provided to the Plan by healthcare service providers or other employee benefit plans. The health information the Plan has about you includes, among other things, your name, address, phone number, birth date, social security number, employment information, and medical and health claims information. This is the information that is subject to the privacy practices described in this Notice. Additionally, if this information is transmitted electronically, it is subject to the Security Rules under HIPAA and the security practices described in this Notice.
The Plan uses your health information to determine your eligibility for benefits, to process and pay your health benefits claims, and to administer its operations. In some cases, your health information may only be disclosed with your written authorization, while in other instances, your authorization is not required. For example, the Plan may disclose your health information, without your authorization, to insurers, third party administrators, and healthcare providers for treatment, payment and healthcare operations purposes. The Plan also may disclose your health information, without your authorization, to third parties that assist the Plan in its operations, to government and law enforcement agencies, to your family members in limited instances, and to certain other persons. Details of the Plan's uses and disclosures of your health information are described below.
The federal health privacy law provides you with access to your health information and with certain rights related to your health information. Specifically, you have the right to:
These rights and how you may exercise them are detailed below.
Amy Diamond Barnes
Executive Director of Human Resources
Washington and Lee University
204 West Washington St.
Lexington, VA 24450
Director of Enterprise Applications and ITS Security
Washington and Lee University
204 West Washington St.
Lexington, VA 24450
Except as described in this section, as provided for by federal, state or local law, or as you have otherwise authorized, the Plan only uses and discloses your health information for the administration of the Plan and for processing claims.
The Plan discloses your health information, without your authorization, to its business associates, which are third parties that assist the Plan in its operations, for treatment, payment and healthcare operations. For example, the Plan may share your health information with a business associate for the purpose of obtaining accounting or consulting services or legal advice. The Plan enters into agreements with its business associates to ensure that the privacy of your health information is protected from unauthorized disclosure and, to the extent electronic protected health information is shared with its business associates, to ensure that such business associates will comply with the security rules. Additionally, business associates must comply with the HIPAA's privacy and security rules to the extent required by law.
The Plan may disclose health and eligibility information, without your authorization, to the Plan Sponsor, Washington and Lee University, only for plan administration purposes, such as eligibility determinations, enrollment and disenrollment activities, and Plan amendments or termination. The Plan Sponsor has certified to the Plan that it will protect the privacy and security of your health information, that your health information will not be used by the Plan Sponsor for any employment-related actions and decisions or in connection with any other employee benefit plans sponsored by the Plan Sponsor, and that it has amended the plan documents to reflect its obligation to protect the privacy and security of your health information.
The federal health privacy law provides for specific uses or disclosures of your health information that the Plan may make without your authorization, which are described below.
The Plan does NOT use your health information for fundraising or marketing purposes, as defined by HIPAA and the privacy rules.
The Plan is prohibited from using PHI that is genetic information for underwriting purposes.
Uses and disclosures of your health information other than those described above will be made only with your express written authorization, including the use or disclosure of psychotherapy notes. You may revoke your authorization in writing. If you do so, the Plan will not use or disclose your health information protected by the revoked authorization, except to the extent that the Plan already has relied on your authorization.
Once your health information has been disclosed pursuant to your authorization, the federal privacy protections may no longer apply to the disclosed health information, and that information may be re-disclosed by the recipient without your or the Plan's knowledge or authorization. However, you may revoke your authorization to use or disclose PHI, at any time by contacting the Privacy Officer. Such revocations of authorizations will be made on a prospective basis only.
You have the following rights regarding your health information that the Plan collects and maintains. If you are required to submit a written request related to these rights, as described below, you should address requests to the Privacy Officer noted on page 3 of this Notice.
You have the right to inspect and obtain a copy of your health record, generally within 30 days of your request. This includes, among other things, health information about your plan eligibility, plan coverages, claim records, and billing records, but does not include any health information expressly excluded by HIPAA.
To inspect and copy your health record maintained by the Plan, submit your request in writing. The Plan may charge a fee per page for the cost of copying your health record, and charge you the cost of mailing your health record to you. If your health information is maintained by the Plan in electronic format, you have the right to obtain a copy in electronic format and to direct that the Plan transmit the copy to a person or entity you designate. In certain limited circumstances, the Plan may deny your request to inspect and copy your health record. If the Plan does so, it will inform you in writing. In certain instances, if you are denied access to your health record, you may request a review of the denial.
You have the right to request that the Plan communicate your health information to you in confidence by alternative means or in an alternative location. For example, you can ask that the Plan only contact you at work or by mail, or that the Plan provide you with access to your health information at a specific location.
To request confidential communications by alternative means or at an alternative location, submit your request in writing. Your written request should state the reason(s) for your request and the alternative means by or location at which you would like to receive your health information. If appropriate, your request should state that the disclosure of all or part of your health information by non-confidential communications could endanger you. The Plan will accommodate reasonable requests and will notify you appropriately.
You have the right to request that the Plan amend your health information if you believe the information is incorrect or incomplete.
To request an amendment, submit a detailed request in writing that provides the reason(s) that support your request. The Plan may deny your request if you have asked to amend information that:
The Plan will notify you in writing as to whether it accepts or denies your requests for an amendment to your health information, generally within 60 days of your request. If the Plan denies your request, it will explain the reason(s) for the denial, and describe how you can continue to pursue the denied amendment.
You have the right to receive a written accounting of disclosures. The accounting is a list of disclosures of your health information by the Plan to others, except that disclosures for treatment, payment or healthcare operations, disclosures made to or authorized by you, and certain other disclosures are not part of the accounting. If the Plan uses or maintains your health information in an electronic health record ("EHR") created by health care clinicians or staff and transferred to the Plan, you may have a right to an additional limited accounting of disclosures of such EHR.
The accounting covers up to six years prior to the date of your request, except that the accounting will not include disclosures of the Plan made before April 14, 2004. If you want an accounting that covers a time period of less than six years, please state that in your written request for an accounting.
To request an accounting of disclosures, submit your request in writing. The Plan generally has 60 days to respond. The first accounting that you request within a 12-month period will be free. For additional accountings in a 12-month period, the Plan will charge you for the cost of providing the accounting, but the Plan will notify you of the cost involved before processing the accounting so that you can decide whether to withdraw your request before any costs are incurred.
You have the right to be notified promptly in the event that we (or a business associate) discover a breach of unsecured PHI, in accordance with applicable data breach notice requirements.
In addition, you have a right to receive reports of any security incidents resulting in a breach of unsecured protected health information that the Employer becomes aware of, to the extent required under the privacy or security rules.
You have the right to request restrictions on your healthcare information that the Plan uses or discloses about you to carry out treatment, payment or healthcare operations. Also, you have the right to request restrictions on your health information that the Plan discloses to someone who is involved in your care or the payment for your care, such as a family member or friend. The Plan is not required to agree to your request for such restrictions (except in limited circumstances after February 2010 where your request deals with disclosure of protected health information to a health plan for payment or health care operations, if the protected health information relates solely to something you have paid for in full out of pocket), and the Plan may terminate its agreement to the restrictions you requested.
To request restrictions, submit your request in writing, and advise the Plan as to what information you seek to limit, and how and/or to whom you would like the limit(s) to apply. The Plan will notify you in writing as to whether it agrees to your request for restrictions. The Plan will also notify you in writing if it terminates an agreement to the restrictions that you requested.
You have the right to complain to the Plan and/or to the Secretary of the U.S. Department of Health and Human Services if you believe your privacy rights have been violated, generally within 180 days of when the act or omission occurred. To file a complaint with the Plan, submit your complaint in writing to the Privacy Officer noted on page 3 of this Notice.
The Privacy Officer will investigate any complaint and, in the event a violation of these and/or other applicable University privacy and/or security policies, procedures, or practices is found (including but not limited to the University's Confidentiality or Computing and Network Acceptable Use Policies), will take prompt action to see that the responsible person(s) is/are disciplined, up to and including termination. The Plan will take all reasonable steps to mitigate any harmful effect resulting from known violations of its privacy and security policies and practices.
You will not be retaliated or discriminated against and no services, payment, or privileges will be withheld from you because you file a complaint with the Plan or with the Department of Health and Human Services.
You have the right to a paper copy of this Notice. To make such a request, submit a written request to the Privacy Officer noted on page 3 of this Notice.
The Plan reserves the right to change its privacy and security policies and practices and make the new practices effective for all health information that it maintains, including your health information that it created or received prior to the effective date of the change and your health information it may receive in the future.
In the event of material changes, the Plan will post the most recent notice on the Plan Sponsor's Office of Human Resources website by the effective date of the material changes. By October 1 of each year the Office of Human Resources sends the notice to all benefit eligible employees and retirees. Employees who use email as part of their daily work receive the document by email. Employees who do not use email as part of their daily work receive the notice by email and hard copy delivered through campus mail. Retirees receive the notice through hard copy delivered by U.S. mail.
A copy of the most recent notice will be made available to you at any time upon your written request. The Plan also will maintain a posting of the most recent notice on the Plan Sponsor's Human Resources web page.
Current Amended Notice Effective Date: January 1, 2014
Prior Amended Notice Effective Date: September 23, 2013
Prior Amended Notice Effective Date: September 30, 2012
Prior Amended Notice Effective Date: October 14, 2011
Prior Amended Notice Effective Date: November 15, 2009
Original Notice Effective Date: April 14, 2004