NOTICE OF PRIVACY PRACTICES
USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS
INFORMATION. PLEASE REVIEW IT CAREFULLY.
Effective Date of Notice
Tri-State Administrators, Inc. (the "Organization") is required to take reasonable steps to ensure the privacy of your personally identifiable health information in accordance with the privacy provisions contained in the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") and the related regulations ("federal health privacy law"). In addition, the Organization must inform you about:
PHI includes all individually identifiable health information that is transmitted or maintained by the Organization, or on behalf of the Organization, in connection with the Organization's provision of medical, dental, vision and pharmacy benefits, regardless of whether the information is transmitted or maintained orally, on paper or through electronic medium (such as e-mail).
Except as described in this section, or as provided for by federal privacy law, or as you have otherwise authorized, the Organization uses PHI only to determine your eligibility for benefits, to process and pay your health benefits claims, and to administer its operations. The Organization discloses your PHI only for the administration of the Plan and the processing of your health claims. The Organization may also disclose your PHI to other third parties that assist the Organization in its operations, to government and law enforcement agencies, to your family members, and to certain other persons or entities as permitted by law. Under certain circumstances, the Organization will only use or disclose your health information pursuant to your written authorization. In other cases, your authorization is not needed. The details of the Organization's uses and disclosures of your health information are described below.
The Organization may disclose your PHI to the Plan Sponsors of its client employee welfare benefit Funds, to enable said Plan Sponsors to administer said Funds. Such disclosures may be made without your authorization. These Funds’ governing documents reflect the Plan Sponsors' obligation to protect the privacy of your health information and the Plan Sponsors have certified that they will protect any PHI received in accordance with federal law.
The Organization shares PHI with its "business associates," which are third parties that assist the Organization in its operations such as preferred provider networks and prescription benefit program managers. The Organization enters into agreements with its business associates so that the privacy of your health information will be protected by them. A business associate must have any agent or subcontractor to whom the business associate provides your PHI agree to the same restrictions and conditions that apply to the business associate. The Organization is permitted to disclose PHI to its business associates for treatment, payment and health care operations without your authorization as described below. In addition, if you are a non-English speaking participant who has questions about a claim, the Plan may disclose your health information to a translator and may provide names and address information to mailing services.
The Organization and its business associates may use and disclose PHI without your authorization for treatment, payment and health care operations as described below.
For Treatment. While the Organization does not anticipate making disclosures of PHI related to your health care treatment, if necessary, such disclosures may be made without your authorization. For example, the Organization may disclose the name of a treating specialist to your treating physician to assist your treating physician in obtaining records from the specialist.
For Payment. The Organization may use and disclose PHI so that your claims for health care treatment, services and supplies can be paid in accordance with the Organization's plan of benefits. For example, the Organization may tell a doctor whether you are eligible for coverage or what portion of your medical bill will be paid by the Organization. In addition, the Organization may disclose your health information to other insurers or benefit plans to coordinate your health care claims with others that may be responsible for some of your health care costs.
For Health Care Operations. The Organization may use and disclose PHI to enable it to operate efficiently. Such operations can include quality assessment and improvement, reviewing competence or qualifications of health care professionals, case management, conducting or arranging for medical review, legal services and auditing functions, business planning and general administrative activities. For example, the Organization may disclose PHI to its actuaries and accountants for benefit planning purposes.
In addition to the uses and disclosures of PHI described above for treatment, payment or health care operations, the federal health privacy law provides for specific uses or disclosures that the Organization may make without your authorization.
Required by Law. PHI may be used or disclosed as required by law. For example, your PHI may be disclosed for judicial and administrative proceedings pursuant to court or administrative order, legal process and authority; to report information related to victims of abuse, neglect, or domestic violence, or to assist law enforcement officials in their law enforcement duties, or to notify the appropriate authorities of a breach of unsecured protected health information.
Health and Safety. PHI may be disclosed to avert a serious threat to the health or safety of you or any other person. PHI also may be disclosed for public health activities, such as preventing or controlling disease, injury or disability, and to meet the reporting and tracking requirements of governmental agencies, such as the Food and Drug Administration.
Government Functions. PHI may be disclosed to the government for specialized government functions, such as intelligence, national security activities, security clearance activities and protection of public officials. PHI may also be disclosed to health oversight agencies for audits, investigations, licensure and other oversight activities.
Active Members of the Military and Veterans. PHI may be used or disclosed in order to comply with laws and regulations related to military service or veterans' affairs.
Workers' Compensation. PHI may be used or disclosed in order to comply with laws and regulations related to Workers' Compensation benefits.
Research. Under certain circumstances, PHI may be used or disclosed for research purposes as long as the procedures required by law to protect the privacy of the research data are followed.
Organ, Eye and Tissue Donation. If you are an organ donor, your PHI may be used or disclosed to an organ donor or procurement organization to facilitate an organ or tissue donation or transplantation.
Treatment and Health Related Benefits Information. The Organization or its business associates may contact you to provide information about treatment alternatives or other health related benefits and services that may interest you, including, for example, alternative treatment, services or medication.
Deceased Individuals. The PHI of a deceased individual may be disclosed to coroners, medical examiners, and funeral directors so that those professionals can perform their duties.
Emergency Situations. PHI may be used or disclosed to a family member or close personal friend involved in your care in the event of an emergency or to a disaster relief entity in the event of a disaster. If you do not want this information to be shared, you may request that these types of disclosures be restricted as outlined later in this Notice.
Others Involved In Your Care. Under limited circumstances, your PHI may be used or disclosed to a family member, close personal friend, or others who the Organization has verified are directly involved in your care. For example, this may occur if you are seriously injured and unable to discuss your case with the Organization. Also, upon request, the Organization may advise a family member or close personal friend about (1) your general condition, (2) your location, such as "in the hospital," or (3) your death. If you do not want this information to be shared, you may request that these types of disclosures be restricted as outlined later in this Notice.
Personal Representatives. Your health information may be disclosed to people that you have authorized to act on your behalf, or people who have a legal right to act on your behalf. Examples of personal representatives are parents for unemancipated minors and those people who have Power of Attorney for adults.
Uses and disclosures of your PHI other than those described above will be made only with your express written authorization. You may revoke your authorization at any time, provided you do so in writing. If you revoke a written authorization to use or disclose PHI, the Organization will not use or disclose your PHI, except to the extent that the Organization already relied on your authorization. Once your PHI has been disclosed pursuant to your authorization, the federal privacy law protections may no longer apply to the disclosed health information, and that information may be re-disclosed by the recipient without your knowledge or authorization.
Your PHI may be disclosed to people that you have authorized to act on your behalf, or people who have a legal right to act on your behalf. Examples of personal representatives are parents for unemancipated minors and those who have Power of Attorney for adults.
You have the following rights regarding your PHI that the Organization creates, collects and maintains.
You have the right to inspect and obtain a copy of your health record. Your health record includes, among other things, health information about your eligibility and coverage under the Organization's plan of benefits as well as claims and billing records. For health records that the Plan keeps in electronic form, you may request to receive the records in an electronic format.
To inspect or to obtain a copy of your health record, submit a written request to the Organization's HIPAA Privacy Officer identified below. (See page 7). The Organization may charge a reasonable fee based on the cost for copying and mailing records associated with your request for paper copies. Records provided in electronic format also may be subject to a small charge. In certain limited circumstances, the Organization may deny your request to inspect and copy your health record. This denial will be provided in writing and will set forth the reasons for the denial and will describe how you may appeal the Organization's decision.
You have the right to request that your PHI be amended if you believe the information is incorrect or incomplete. To request an amendment, submit a detailed written request to the Organization's HIPAA Privacy Officer identified below. This request must provide the reason(s) that support your request. The Organization may deny your request if it is not made in writing, if it does not provide a basis in support of the request, or if you have asked to amend information that (1) was not created by or for the Organization, unless you provide the Organization with information that the person or entity that created the information is no longer available to make the amendment, (2) is not part of the health information maintained by or for the Organization, (3) is not part of the health record information that you are permitted to inspect and copy, or (4) is accurate and complete.
The Organization will notify you in writing as to whether it accepts or denies your request for an amendment to your health information. If the Organization denies your request, it will explain the basis for the denial in writing. You may then submit a written statement disagreeing with the denial and have that statement included with any future disclosures of PHI.
You have the right to receive a written accounting of disclosures by the Organization of your PHI made during the six years prior to the date of your request. Such accounting covers up to six years prior to the date of your request, except in accordance with applicable law, and will not include disclosures made prior to April 14, 2003. To request an accounting of disclosures, submit a written request to the Organization's HIPAA Privacy Officer identified below.
In response to your request for an accounting of disclosures, the Organization may provide you with a list of business associates who make such disclosures on behalf of the Organization, along with contact information so that you may request the accounting directly from each business associate. If you request more than one accounting within a 12-month period, the Organization will charge a reasonable fee based on the cost for each subsequent accounting. The Organization will notify you of the cost involved before processing the accounting so that you can decide whether to withdraw your request before any costs are incurred.
You have the right to request that the Organization restrict the use and disclosure of your PHI to carry out treatment, payment or health care operations. You also have the right to request restrictions on your health information that the Organization discloses to someone who is involved in your care or the payment for your care, such as a family member or friend. However, the Organization is generally not required to agree to your request for such restrictions, and the Organization may terminate a prior agreement to the restrictions you requested. The Organization is required to agree to your request for restrictions in the case of disclosures for payment purposes where you have paid the health care provider in full, out of pocket. To request restrictions on the use and disclosure of your PHI, submit a written request to the Organization's HIPAA Privacy Officer identified below. (See page 7).
Your request must explain what information you seek to limit, and how and/or to whom you would like the limit(s) to apply. The Organization will notify you in writing as to whether it agrees to your request for restrictions, and when it terminates any agreement with respect to any restriction.
You have the right to request that your PHI be communicated to you in confidence by alternative means or in an alternative location. For example, you can ask that you be contacted only at work or by mail, or that you be provided with access to your PHI at a specific location. Additionally, you have the right to access your health information in an electronic format.
To request communications by alternative means or at an alternative location, submit a written request to the Organization's HIPAA Privacy Officer identified below. (See page 7). Your written request should state the reason for your request, and the alternative means by or location at which you would like to receive your health information. If appropriate, your request should state that the disclosure of all or part of the information by non-confidential communications could endanger you. Reasonable requests will be accommodated to the extent possible and you will be notified appropriately.
You are required to be notified if your unsecured PHI has been breached. You will be notified by first class mail, or electronically if you have consented to receive electronic communication, without unreasonable delay. A breach occurs when there has been an unauthorized use or disclosure under HIPAA that compromises the privacy or security of PHI. The notice will provide you with the following information: (1) a brief description of what happened, including the date of the breach and the date of the discovery of the breach; (2) the steps you should take to protect yourself from potential harm resulting from the breach; and (3) a brief description of what steps are being taken to investigate the breach, mitigate losses, and to protect against further breaches. Please note that not every unauthorized disclosure of health information is a breach that requires notification; you may not be notified if the health information that was disclosed was adequately secured—for example, computer data that is encrypted and inaccessible without a password—or if it is determined that there is a low probability that your health information has been compromised.
You have the right to complain to the Organization and to the Department of Health and Human Services if you believe your privacy rights have been violated. To file a complaint with the Organization, submit a written complaint to the Organization's HIPAA Privacy Officer identified below.
The Organization will not retaliate or discriminate against you and no services, payment, or privileges will be withheld from you because you file a complaint with the Organization or with the Department of Health and Human Services.
You have the right to a paper copy of this Notice. To make such a request, submit a written request to the Organization's HIPAA Privacy Officer identified below.
If you have any questions or concerns about the Organization's privacy practices, or about this Notice, or if you wish to obtain additional information about the Organization's privacy practices or if you wish to exercise one of the rights described above with respect to your PHI, please contact:
HIPAA Privacy Officer
The Organization reserves the right to change its privacy practices and make the new practices effective for all PHI that it maintains, including PHI that it created or received prior to the effective date of the change and PHI it may receive in the future. If the Organization materially changes any of its privacy practices, it will revise its Notice and provide you with the revised Notice, by U.S. mail or e-mail, within sixty days of the revision. In addition, copies of the revised Notice will be made available to you upon your written request.
This Notice was first effective on April 14, 2003 and was revised effective September 23, 2013 to reflect the provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act. This Notice will remain in effect unless and until the Organization publishes a revised Notice.