THIS NOTICE OF PRIVACY PRACTICES DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION.
PLEASE REVIEW IT CAREFULLY.
Integrated Health 21 Midwest Division provides wellness plan services, health coaching, and onsite clinics to employers and employer-sponsored health and wellness plans. This Notice of Privacy Practices describes the legal obligations of Integrated Health 21 Midwest Division and your legal rights regarding your protected health information held by Integrated Health 21 Midwest Division under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). Among other things, this Notice describes how your protected health information may be used or disclosed to carry out treatment, payment, or health care operations, or for any other purposes that are permitted or required by law.
Integrated Health 21 Midwest Division is committed to protecting the privacy of your health information. If you have any questions about this Notice or about our privacy practices, please contact Privacy Officer, (800) 432-5427.
Effective Date and Changes
This Notice is effective January 1, 2018.
We reserve the right to change the terms of this Notice and to make new provisions regarding your protected health information that we maintain, including information created or received prior to making such changes, as allowed or required by law. If we make material or important changes to our privacy practices, we will promptly revise our Notice. Each version of the Notice will have an effective date listed on the first page. If we change this Notice, you can access the revised Notice on our website (www.healics.com) or from the receptionist at any Healics location.
Our Responsibilities
The HIPAA Privacy Rule protects certain medical information known as “protected health information.” Generally, protected health information is individually identifiable health information, including demographic information, collected from you or created or received by a health care provider, a health care clearinghouse, a health plan, or your employer on behalf of a group health plan, that relates to: (1) your past, present or future physical or mental health or condition; (2) the provision of health care to you; or (3) the past, present or future payment for the provision of health care to you.
Your health information may also be protected by state law. In some cases, state law imposes more stringent privacy requirements than the HIPAA Privacy Rule, and Integrated Health 21 Midwest Division is required to abide by those more stringent requirements when applicable. For example, we will not disclose your HIV test results without obtaining your written permission, except as permitted by state law. We may also be required by law to obtain your written permission to use and/or disclose your mental illness, developmental disability, or alcohol or drug abuse treatment records or your genetic test results.
As a general matter, Integrated Health 21 Midwest Division is required by law to protect the privacy of your protected health information. However, because Integrated Health 21 Midwest Division provides multiple types of services, the specific legal requirements that apply to Integrated Health 21 Midwest Division may vary depending upon the services that are being provided. For purposes of the HIPAA Privacy Rule, the specific requirements that are applicable depend on whether Integrated Health 21 Midwest Division is acting as a “business associate” or a “covered entity.” In either case, Integrated Health 21 Midwest Division is required by law to maintain the privacy of your protected health information. However, where Integrated Health 21 Midwest Division is acting as a covered entity, it is subject to certain additional legal obligations. For example, as a covered entity, Integrated Health 21 Midwest Division is legally obligated to provide you with this Notice of Privacy Practices outlining its legal duties and privacy practices with respect to protected health information, and it is required to abide by the terms of the Notice that is currently in effect, and it is required to notify you following a privacy or security breach involving your unsecured protected health information. Other differences are discussed in more detail below. In general, Integrated Health 21 Midwest Division acts as a business associate when providing wellness services, health coaching, and certain onsite clinic services, but Integrated Health 21 Midwest Division is considered a covered entity in regard to some of its onsite clinics.
How We May Use and Disclose Your Protected Health Information
Under the law, we may use or disclose your protected health information under certain circumstances without your permission. The following categories describe the different ways that we may use and disclose your protected health information without your written authorization. For each category of uses or disclosures we will explain what we mean and present some examples. Not every use or disclosure in a category will be listed. However, all of the ways we are permitted to use and disclose information will fall within one of the categories. In addition, when we act as a HIPAA business associate, we are required by law to enter into a business associate agreement with your employer’s health and wellness plan. That agreement may further limit the manner in which we may use or disclose your protected health information, and we will abide by any such limitations.
For Treatment. We may use or disclose your protected health information to facilitate medical treatment or services by providers. We may disclose medical information about you to providers, including doctors, nurses, technicians, medical students, or other hospital personnel who are involved in taking care of you. For example, we might disclose information about your prior prescriptions to a pharmacist to determine if prior prescriptions contraindicate a pending prescription, health coaching, disease management, case management, etc.
For Payment. We may use or disclose your protected health information to determine your eligibility for benefits and incentives under your employer’s health and wellness plan, to facilitate payment for the treatment and services you receive from health care providers, to determine benefit responsibility under your employer’s plan, or to coordinate coverage under your employer’s plan. For example, we may tell your health care provider about your medical history to determine whether a particular treatment is experimental, investigational, or medically necessary, or to determine whether the Plan will cover the treatment. We may also share your protected health information with a utilization review or precertification service provider. Likewise, we may share your protected health information with another entity to assist with the adjudication or subrogation of health claims or to another health plan to coordinate benefit payments.
For Health Care Operations. We may use and disclose your protected health information to conduct certain of our business activities necessary to run our business and make sure our patients receive quality care, which are called health care operations, or for the health care operations of your employer’s health and wellness plan. For example, we may use medical information in connection with conducting quality assessment and improvement activities; underwriting, premium rating, and other activities relating to Plan coverage; submitting claims for stop-loss (or excess-loss) coverage; conducting or arranging for medical review, legal services, audit services, and fraud & abuse detection programs; business planning and development such as cost management; and business management and general Plan administrative activities.
To Contact You. We may contact you to provide appointment reminders or information about treatment alternatives or other health-related benefits and services that may be of interest to you.
To Business Associates and Subcontractors. We may work with other HIPAA business associates of your employer’s health and wellness plan or contract with other entities to perform various functions or to provide certain types of services. In order to perform these functions or to provide these services, these business associates and other entities may receive, create, maintain, use, and/or disclose your protected health information, but only after they agree in writing to implement appropriate safeguards regarding your protected health information. For example, we may disclose your protected health information to another business associate to facilitate the operation of your employer’s wellness program, but only after we receive appropriate written assurances that the business associate will protect the privacy of your protected health information. Similarly, where we are acting as a covered entity, we may contract with business associates to perform services on our behalf that involve the use or disclosure of protected health information. We may only do so, however, where we have entered into a business associate agreement that requires the business associate to protect the privacy of your protected health information.
As Required by Law. We will disclose your protected health information when required to do so by federal, state, or local law. For example, we may disclose your protected health information when required by national security laws or public health disclosure laws.
To Avert a Serious Threat to Health or Safety. We may use and disclose your protected health information when necessary to prevent a serious threat to your health and safety, or the health and safety of the public or another person. Any disclosure, however, would only be in a very limited manner to someone able to help prevent the threat.
To Your Employer’s Health and Wellness Plan. We may disclose your protected health information to certain employees of your employer who are involved in the operation or administration of your employer’s health and wellness plan. However, those employees will only use or disclose that information as necessary to perform plan administration functions or as otherwise allowed or required by HIPAA, unless you have authorized further disclosures. Your protected health information cannot be used for employment purposes without your specific authorization.
Special Situations
In addition to the above, the following categories describe other possible ways that we may use and disclose your protected health information. For each category of uses or disclosures, we will explain what we mean and present some examples. Not every use or disclosure in a category will be listed. However, all of the ways we are permitted to use and disclose information will fall within one of the categories.
Organ and Tissue Donation. If you are an organ donor, we may release your protected health information to organizations that handle organ procurement or organ, eye, or tissue transplantation or to an organ donation bank, as necessary to facilitate organ or tissue donation and transplantation.
Military and Veterans. If you are a member of the armed forces, we may release your protected health information as required by military command authorities. We may also release protected health information about foreign military personnel to the appropriate foreign military authority.
Workers' Compensation. We may release your protected health information as necessary to comply with laws related to workers' compensation or similar programs. These programs provide benefits for work-related injuries or illness.
Public Health Risks. We may disclose your protected health information for public health actions as authorized by law. These actions may include the following:
· to prevent or control disease, injury, or disability;
· to report births and deaths;
· to report child abuse or neglect;
· to report reactions to medications or problems with products;
· to notify people of recalls of products they may be using;
· to notify a person who may have been exposed to a disease or may be at risk for contracting or spreading a disease or condition;
· to notify the appropriate government authority if we believe that you have been the victim of abuse, neglect, or domestic violence. We will only make this disclosure if you agree, or when required or authorized by law.
Health Oversight Activities. We may disclose your protected health information to a health oversight agency for activities authorized by law. These oversight activities include, for example, audits, investigations, inspections, and licensure. These activities are necessary for the government to monitor the health care system, government programs, and compliance with civil rights laws.
Lawsuits and Disputes. If you are involved in a legal proceeding, we may disclose your protected health information in response to a court or administrative order. Under most circumstances when the request is made through a subpoena, discovery request, or other lawful process, your authorization will be obtained before disclosure is permitted.
Law Enforcement. We may disclose your protected health information if asked to do so by a law enforcement official—
· in response to a court order, subpoena, warrant, summons or similar process;
· to identify or locate a suspect, fugitive, material witness, or missing person;
· about the victim of a crime if, under certain limited circumstances, we are unable to obtain the victim's agreement;
· about a death that we believe may be the result of criminal conduct; and
· about criminal conduct.
Coroners, Medical Examiners and Funeral Directors. We may release protected health information to a coroner or medical examiner. This may be necessary, for example, to identify a deceased person or determine the cause of death. We may also release medical information about patients to funeral directors, as necessary to carry out their duties.
National Security and Intelligence Activities. We may release your protected health information to authorized federal officials for intelligence, counterintelligence, and other national security activities authorized by law.
Inmates. If you are an inmate of a correctional institution or are in the custody of a law enforcement official, we may disclose your protected health information to the correctional institution or law enforcement official if necessary (1) for the institution to provide you with health care; (2) to protect your health and safety or the health and safety of others; or (3) for the safety and security of the correctional institution.
Required Disclosures
The following is a description of disclosures of your protected health information we are required to make.
Government Audits. We are required to disclose your protected health information to the Secretary of the United States Department of Health and Human Services when the Secretary is investigating or determining our compliance with the HIPAA privacy rule.
Disclosures to You. You have a right to access your protected health information that is part of what is referred to as a “designated record set,” which includes protected health information that contains medical records, billing records, and any other records used to make decisions regarding your health care benefits. You also have a right to an accounting of certain types of disclosures of your protected health information that were made for reasons other than payment, treatment, or healthcare operations if the disclosures were not made pursuant to an individual authorization for disclosure. Where we are acting as a business associate, requests for access or an accounting of disclosures should generally be directed to your employer’s health and wellness plan. We are required to cooperate with your employer’s plan in responding to such a request. Where we are acting as a covered entity, you should contact us directly to request access or an accounting of disclosures. For such a request, please contact Privacy Officer, (800) 432-5427.
Other Disclosures
Personal Representatives. We will disclose your protected health information to individuals authorized by you, or to an individual designated as your personal representative, attorney-in-fact, etc., so long as you provide us with a written notice/authorization and any supporting documents (i.e., power of attorney). Under the HIPAA Privacy Rule, we do not have to disclose information to a personal representative if we have a reasonable belief that: (1) you have been, or may be, subjected to domestic violence, abuse or neglect by such person; or (2) treating such person as your personal representative could endanger you; and (3) in the exercise of professional judgment, it is not in your best interest to treat the person as your personal representative.
Spouses and Other Family Members. Generally, we will communicate directly with you. With limited exceptions, disclosures of your protected health information to your spouse or family members require your authorization, and the health information we disclose would be limited to the health information that is relevant to that person's involvement in your care or payment for your care. Exceptions include certain emergency situations and situations in which you are provided with an opportunity to object to the disclosure before the disclosure is made and you do not object.
Authorizations. Other uses or disclosures of your protected health information not described above will only be made with your written authorization. You may revoke written authorization at any time, so long as the revocation is in writing. Once we receive your written revocation, it will only be effective for future uses and disclosures. It will not be effective for any information that may have been used or disclosed in reliance upon the written authorization and prior to receiving your written revocation. Some examples of disclosures requiring your specific written authorization include:
· Marketing: We will not use or disclose your health information for marketing purposes without your written authorization except as otherwise permitted by law.
· Sale of Your Health Information: We will not sell your health information without your written authorization except as otherwise permitted by law.
Your Rights
You have certain rights with respect to your protected health information, including those listed below. As noted below, certain of these rights are specific to information that is part of a “designated record set,” which includes the following types of records: (1) medical records and billing records about you that are maintained by or for a covered health care provider; (2) enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or (3) records used by or for a covered entity to make decisions about you.
Who to Contact About Your Rights. Where Integrated Health 21 Midwest Division is acting as a business associate, you should generally contact your employer’s health and wellness plan to exercise these rights. Where Integrated Health 21 Midwest Division is acting as a covered entity, however, you should contact us directly, as described below. If you have questions regarding who you should contact in regard to your rights, please direct them to Privacy Officer, (800) 432-5427.
Right to Inspect and Copy. You have the right to inspect and copy certain protected health information that is included in a designated record set. Requests made directly to Integrated Health 21 Midwest Division must be submitted in writing to Integrated Health 21 Midwest Division, Attn: Privacy Officer, 300 N. Corporate Drive Suite 310, Milwaukee, WI 53045. If you request a copy of the information, we may charge a reasonable fee as authorized by law to meet your request. You may request access to your health information in a certain electronic form and format, if readily producible, or, if not readily producible, in a mutually agreeable electronic form and format. Further, you may request in writing that we transmit such a copy to any person or entity you designate. Your written, signed request must clearly identify such designated person or entity and where you would like us to send the copy. We may deny your request to inspect and copy in certain very limited circumstances. If you are denied access to your medical information, you may request that the denial be reviewed by submitting a written request to Integrated Health 21 Midwest Division using the contact information listed above. The person conducting the review will not be the person who denied your request. We will comply with the outcome of the review.
Right to Amend. You have the right to request an amendment to protected health information that is part of a designated record set. If you feel that the protected health information we have about you is incorrect or incomplete, you may ask that the information be amended. You have the right to request an amendment for as long as the information is kept by us. For requests made directly to Integrated Health 21 Midwest Division, your request must be made in writing and submitted to Integrated Health 21 Midwest Division, Attn: Privacy Officer, 300 N. Corporate Drive Suite 310, Milwaukee, WI 53045. Your written request must provide a reason that supports the request. We may deny your request for an amendment if it is not in writing or does not include a reason to support the request. In addition, we may deny your request if you ask us to amend information that:
· is not part of the designated record set;
· is not part of the medical information kept by us;
· was not created by us, unless the person or entity that created the information is no longer available to make the amendment;
· is not part of the information that you would be permitted to inspect and copy; or
· is already accurate and complete.
If we deny your request, you have the right to file a statement of disagreement with us and any future disclosures of the disputed information will include your statement.
Right to an Accounting of Disclosures. You have the right to request an “accounting” of certain disclosures of your protected health information. The accounting will not include (1) disclosures for purposes of treatment, payment, or health care operations; (2) disclosures made to you; (3) disclosures made pursuant to your authorization; (4) disclosures that were incident to an otherwise permitted use or disclosure; (5) disclosures made to friends or family in your presence or because of an emergency; (6) disclosures for national security purposes or to law enforcement or correctional officials; and (7) disclosures that were part of a limited data set. For requests made directly to Integrated Health 21 Midwest Division, you must submit your request in writing to Integrated Health 21 Midwest Division, Attn: Privacy Officer, 300 N. Corporate Drive Suite 310, Milwaukee, WI 53045. Your request must state a time period of not longer than six years prior to the date of the request. Your request should indicate in what form you want the list (for example, paper or electronic). The first list you request within a 12-month period will be provided free of charge. For additional lists, we may charge you for the costs of providing the list. We will notify you of the cost involved and you may choose to withdraw or modify your request at that time before any costs are incurred.
Right to Request Restrictions. You have the right to request a restriction or limitation on your protected health information that we use or disclose for treatment, payment, or health care operations. You also have the right to request a limit on your protected health information that we disclose to someone who is involved in your care or the payment for your care, such as a family member or friend. For example, you could ask that we not use or disclose information about a surgery that you had.
Except as noted below, we are not required to agree to your request. However, if we do agree to your request, we will honor the restriction until you revoke it or we notify you. Unless otherwise required by law, we are required to honor your request for a restriction if it is in regard to the disclosure of protected health information to a health plan for purposes of carrying out payment or health care operations (and not treatment) and the protected health information pertains solely to a health care item or service for which the health care provider involved has been paid out of pocket in full.
For requests made directly to Integrated Health 21 Midwest Division, you must make your request in writing to Integrated Health 21 Midwest Division, Attn: Privacy Officer, 300 N. Corporate Drive Suite 310, Milwaukee, WI 53045. In your request, you must tell us (1) what information you want to limit; (2) whether you want to limit our use, disclosure, or both; and (3) to whom you want the limits to apply—for example, disclosures to your spouse.
Right to Request Confidential Communications. You have the right to request that we communicate with you about medical matters in a certain way or at a certain location. For example, you can ask that we only contact you at work or by mail.
For requests made directly to Integrated Health 21 Midwest Division, you must make your request in writing to Integrated Health 21 Midwest Division, Attn: Privacy Officer, 300 N. Corporate Drive Suite 310, Milwaukee, WI 53045. We will not ask you the reason for your request. Your request must specify how or where you wish to be contacted.
Right to be Notified of a Breach. You have the right to be notified in the event that we discover a breach of your unsecured protected health information.
Right to a Paper Copy of This Notice. Upon request, we will provide you with a paper copy of this Notice. You may ask us to give you a copy of this Notice at any time. Even if you have agreed to receive this Notice electronically, you are still entitled to a paper copy of this Notice. Where Integrated Health 21 Midwest Division is acting as a covered entity, you have a legal right to a paper copy of this Notice. You may obtain a copy of this Notice at our website, www.healics.com. To obtain a paper copy of this Notice, please call Integrated Health 21 Midwest Division at (800) 432-5427.
Complaints
If you believe that your privacy rights have been violated, you may file a complaint with your employer’s health and wellness plan, Integrated Health 21 Midwest Division, or with the Office for Civil Rights of the United States Department of Health and Human Services. To file a complaint with Integrated Health 21 Midwest Division, please send the complaint to Integrated Health 21 Midwest Division, Attn: Privacy Officer, 300 N. Corporate Drive Suite 310, Milwaukee, WI 53045. All complaints must be submitted in writing.
You will not be penalized, or in any other way retaliated against, for filing a complaint.