Notice of Washington and Lee University Health Benefit Plan Privacy and Security Practices
The Plan's Commitment to Privacy and Security
The Washington and Lee University Employee Health and Welfare Plan (the "Plan") is committed to protecting the privacy and security of your protected health information and electronic protected health information as defined under HIPAA (may be collectively referred to herein as "health information" or as "PHI" or "EPHI"). Health information is information that is created or maintained by the Plan that identifies you and relates to a health condition, or to the provision or payment of health services for you. The Plan also pledges to provide you with certain rights related to your health information, as required by HIPAA.
By this Notice of Plan's Privacy and Security Policies and Practices ("Notice"), the Plan informs you that it has the following legal obligations under the federal health privacy provisions contained in the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), the HITECH Act, and the related regulations ("privacy rules" and "security rules") and that its policies and practices are as follows to comply with those obligations:
- To maintain the privacy of your health information;
- To provide you with this Notice of its legal duties and privacy and security practices with respect to your health information;
- To abide by the terms of this Notice, as amended;
- To designate a Privacy Officer who is responsible for implementing the Plan's privacy policies and receiving complaints regarding privacy of health information;
- To designate a Security Officer who is responsible for assessing and monitoring the security of electronic protected health information, implementing the Plan's security policies and practices and receiving complaints regarding security of electronic protected health information;
- To establish policies and procedures concerning health information, including provision for discipline and a complaint mechanism for inappropriate privacy disclosures;
- To train employees with access to health information on policies and procedures;
- To establish appropriate administrative, technical, and physical safeguards to maintain the privacy and security of health information;
- To provide notice of breaches of unsecured PHI in accordance with applicable law and to mitigate harmful effects from a known violation of privacy or security policies and procedures;
- To keep for six years documentation of required policies, procedures, training, and other required written communications under the privacy and security rules, including Business Associate agreements with all persons and entities performing services on behalf of the Plan that require access to health information;
- To avoid retaliating against any person who exercises a right under the privacy rules;
- To refrain from requiring anyone to waive rights under the privacy rules;
- To amend its plan documents to reflect its obligation to protect the privacy of your health information; and
- To receive certification from the Plan Sponsor that it will protect the privacy of your health information.
This Notice also informs you how the Plan uses and discloses your health information and explains the rights that you have with regard to your health information maintained by the Plan. For purposes of this Notice, "you" and "yours" refer to participants and dependents who are eligible for benefits described under the Plan.
Information Subject to This Notice
The Plan collects certain health information about you to help provide health benefits to you and your eligible dependents, as well as to fulfill legal requirements. The Plan collects this health information from applications and other forms that you complete, through conversations you may have with the Plan's administrative staff and healthcare providers, and from reports and data provided to the Plan by healthcare service providers or other employee benefit plans. The health information the Plan has about you includes, among other things, your name, address, phone number, birth date, social security number, employment information, and medical and health claims information. This is the information that is subject to the privacy practices described in this Notice. Additionally, if this information is transmitted electronically, it is subject to the Security Rules under HIPAA and the security practices described in this Notice.
The Plan's Uses and Disclosures of Your Health Information
The Plan uses your health information to determine your eligibility for benefits, to process and pay your health benefits claims, and to administer its operations. In some cases, your health information may only be disclosed with your written authorization, while in other instances, your authorization is not required. For example, the Plan may disclose your health information, without your authorization, to insurers, third party administrators, and healthcare providers for treatment, payment and healthcare operations purposes. The Plan also may disclose your health information, without your authorization, to third parties that assist the Plan in its operations, to government and law enforcement agencies, to your family members in limited instances, and to certain other persons. Details of the Plan's uses and disclosures of your health information are described below.
Your Rights Related to Your Health Information
The federal health privacy law provides you with access to your health information and with certain rights related to your health information. Specifically, you have the right to:
- Inspect and/or copy your health information;
- Request to receive your health information through confidential communications;
- Request that your health information be amended;
- Request an accounting of certain disclosures of your health information;
- Request certain restrictions related to the use and disclosure of your health information;
- File a complaint with the Plan or the Secretary of the Department of Health and Human Services if you believe that your privacy rights have been violated; and
- Receive a paper copy of this Notice.
These rights and how you may exercise them are detailed below.
If you have any questions about this Notice or about our privacy or security practices, please contact:
Jodi Williams
Privacy Officer
Executive Director of Human Resources
Washington and Lee University
2 South Main 109
Lexington, VA 24450
(540) 458-8318
Dean Tallman
Security Officer
Chief Information Security Officer
Washington and Lee University
204 West Washington St.
Lexington, VA 24450
(540) 458-8089
Uses and Disclosures
Except as described in this section, as provided for by federal, state or local law, or as you have otherwise authorized, the Plan only uses and discloses your health information for the administration of the Plan and for processing claims.
Uses and Disclosures for Treatment, Payment, and Healthcare Operations
- For Treatment. The Plan may use and disclose your health information, without your authorization, to a healthcare provider, such as a hospital or physician, to assist the provider in treating you. For example, the Plan may use or disclose your health information to help your doctor determine whether a particular treatment is appropriate.
- For Payment. The Plan may use and disclose your health information, without your authorization, so that your claims for healthcare treatment, services and supplies can be paid according to the Plan's terms. For example, the Plan may use or disclose your health information if your doctor submits a request for payment for services provided to you.
- For Healthcare Operations. The Plan may use or disclose your health information, without your authorization, to enable it to operate efficiently and in the best interests of its participants. For example, the Plan may use or disclose your health information to conduct audits or actuarial studies, or for fraud and abuse detection.
Uses and Disclosures to Business Associates
The Plan discloses your health information, without your authorization, to its business associates, which are third parties that assist the Plan in its operations, for treatment, payment and healthcare operations. For example, the Plan may share your health information with a business associate for the purpose of obtaining accounting or consulting services or legal advice. The Plan enters into agreements with its business associates to ensure that the privacy of your health information is protected from unauthorized disclosure and, to the extent electronic protected health information is shared with its business associates, to ensure that such business associates will comply with the security rules. Additionally, business associates must comply with HIPAA's privacy and security rules to the extent required by law.
Uses and Disclosures to the Plan Sponsor
The Plan may disclose health and eligibility information, without your authorization, to the Plan Sponsor, Washington and Lee University, only for plan administration purposes, such as eligibility determinations, enrollment and disenrollment activities, and Plan amendments or termination. The Plan Sponsor has certified to the Plan that it will protect the privacy and security of your health information, that your health information will not be used by the Plan Sponsor for any employment-related actions and decisions or in connection with any other employee benefit plans sponsored by the Plan Sponsor, and that it has amended the plan documents to reflect its obligation to protect the privacy and security of your health information.
Other Uses and Disclosures That May Be Made Without Your Authorization
The federal health privacy law provides for specific uses or disclosures of your health information that the Plan may make without your authorization, which are described below.
- Required by Law. The Plan may use and disclose health information about you as required by federal, state, or local law.
- Additional Legal Reasons. The Plan may disclose your health information for the following purposes:
  - For judicial and administrative proceedings pursuant to court or administrative order, legal process and authority;
  - To report information related to victims of abuse, neglect, or domestic violence; or
  - To assist law enforcement officials in their law enforcement duties.
- Health and Safety. Your health information may be disclosed to avert a threat to the health or safety of you, any other person, or the public, pursuant to applicable law. Your health information also may be disclosed for public health activities, such as preventing or controlling disease or disability, and meeting the reporting and tracking requirements of governmental agencies such as the Food and Drug Administration.
- Government Functions. Your health information may be disclosed to the government for specialized government functions, such as intelligence, national security activities, and protection of public officials. Your health information also may be disclosed to health oversight agencies that monitor the healthcare system for audits, investigations, licensure, and other oversight activities.
- Active Members of the Military and Veterans. Your health information may be used or disclosed to comply with laws related to military service or veterans' affairs.
- Workers' Compensation. Your health information may be used or disclosed in order to comply with laws related to workers' compensation and similar programs.
- Emergency Situations. Your health information may be used or disclosed to a family member or other person responsible for care in the event of an emergency, or to a disaster relief entity in the event of a disaster.
- Others Involved In Your Care. In limited instances, your health information may be used or disclosed to a family member, close personal friend, or others who are involved in your care or payment for your care (as verified by the Plan). For example, if you are seriously injured and unable to discuss your case with the Plan, the Plan may so disclose your health information. Also, upon request, the Plan may advise a family member or close personal friend about your general condition, location (such as in the hospital) or death. If you do not want this information to be shared, you may request that these disclosures be restricted as outlined later in this Notice.
- Personal Representatives. Your health information may be disclosed to people you have authorized or people who have the right to act on your behalf. Examples of personal representatives are parents for minors, and those who have the Power of Attorney for adults.
- Research. Under certain circumstances, the Plan may use or disclose your health information for research purposes, as long as the procedures required by law to protect the privacy of the research data are followed.
- Organ and Tissue Donation. If you are an organ donor, your health information may be used or disclosed to an organ donor, eye, or procurement organization to facilitate an organ or tissue donation or transplantation.
- Deceased Individuals. The health information of a deceased individual may be disclosed to coroners, medical examiners, and funeral directors so that those professionals can perform their duties.
Uses and Disclosures for Fundraising and Marketing Purposes
The Plan does NOT use your health information for fundraising or marketing purposes, as defined by HIPAA and the privacy rules.
Uses and Disclosures of Genetic Information
The Plan is prohibited from using PHI that is genetic information for underwriting purposes.
Any Other Uses and Disclosures Require Your Express Authorization
Uses and disclosures of your health information other than those described above will be made only with your express written authorization, including the use or disclosure of psychotherapy notes. You may revoke your authorization in writing. If you do so, the Plan will not use or disclose your health information protected by the revoked authorization, except to the extent that the Plan already has relied on your authorization.
Once your health information has been disclosed pursuant to your authorization, the federal privacy protections may no longer apply to the disclosed health information, and that information may be re-disclosed by the recipient without your or the Plan's knowledge or authorization. However, you may revoke your authorization to use or disclose PHI at any time by contacting the Privacy Officer. Such revocations of authorizations will be made on a prospective basis only.
Your Health Information Rights
You have the following rights regarding your health information that the Plan collects and maintains. If you are required to submit a written request related to these rights, as described below, you should address requests to the Privacy Officer noted on page 3 of this Notice.
Right to Inspect and Copy Health Information
You have the right to inspect and obtain a copy of your health record, generally within 30 days of your request. This includes, among other things, health information about your plan eligibility, plan coverages, claim records, and billing records, but does not include any health information expressly excluded by HIPAA.
To inspect and copy your health record maintained by the Plan, submit your request in writing. The Plan may charge a fee per page for the cost of copying your health record, and charge you the cost of mailing your health record to you. If your health information is maintained by the Plan in electronic format, you have the right to obtain a copy in electronic format and to direct that the Plan transmit the copy to a person or entity you designate. In certain limited circumstances, the Plan may deny your request to inspect and copy your health record. If the Plan does so, it will inform you in writing. In certain instances, if you are denied access to your health record, you may request a review of the denial.
Right to Request Confidential Communications, or Communications by Alternative Means or at an Alternative Location
You have the right to request that the Plan communicate your health information to you in confidence by alternative means or in an alternative location. For example, you can ask that the Plan only contact you at work or by mail, or that the Plan provide you with access to your health information at a specific location.
To request confidential communications by alternative means or at an alternative location, submit your request in writing. Your written request should state the reason(s) for your request and the alternative means by or location at which you would like to receive your health information. If appropriate, your request should state that the disclosure of all or part of your health information by non-confidential communications could endanger you. The Plan will accommodate reasonable requests and will notify you appropriately.
Right to Request That Your Health Information Be Amended
You have the right to request that the Plan amend your health information if you believe the information is incorrect or incomplete.
To request an amendment, submit a detailed request in writing that provides the reason(s) that support your request. The Plan may deny your request if you have asked to amend information that:
- Was not created by the Plan, unless you provide the Plan with information that the person or entity that created the information is no longer available to make the amendment;
- Is not part of the health information maintained by or for the Plan;
- Is not part of the information which you would be permitted to inspect and copy; or
- Is accurate and complete.
The Plan will notify you in writing as to whether it accepts or denies your requests for an amendment to your health information, generally within 60 days of your request. If the Plan denies your request, it will explain the reason(s) for the denial, and describe how you can continue to pursue the denied amendment.
Right to an Accounting of Disclosures
You have the right to receive a written accounting of disclosures. The accounting is a list of disclosures of your health information by the Plan to others, except that disclosures for treatment, payment or healthcare operations, disclosures made to or authorized by you, and certain other disclosures are not part of the accounting. If the Plan uses or maintains your health information in an electronic health record ("EHR") created by health care clinicians or staff and transferred to the Plan, you may have a right to an additional limited accounting of disclosures of such EHR.
The accounting covers up to six years prior to the date of your request, except that the accounting will not include disclosures of the Plan made before April 14, 2004. If you want an accounting that covers a time period of less than six years, please state that in your written request for an accounting.
To request an accounting of disclosures, submit your request in writing. The Plan generally has 60 days to respond. The first accounting that you request within a 12-month period will be free. For additional accountings in a 12-month period, the Plan will charge you for the cost of providing the accounting, but the Plan will notify you of the cost involved before processing the accounting so that you can decide whether to withdraw your request before any costs are incurred.
Right to Notification in the Event of a Breach of Unsecured PHI
You have the right to be notified promptly in the event that we (or a business associate) discover a breach of unsecured PHI, in accordance with applicable data breach notice requirements.
In addition, you have a right to receive reports of any security incidents resulting in a breach of unsecured protected health information that the Employer becomes aware of, to the extent required under the privacy or security rules.
Right to Request Restrictions
You have the right to request restrictions on your healthcare information that the Plan uses or discloses about you to carry out treatment, payment or healthcare operations. Also, you have the right to request restrictions on your health information that the Plan discloses to someone who is involved in your care or the payment for your care, such as a family member or friend. The Plan is not required to agree to your request for such restrictions (except in limited circumstances after February 2010 where your request deals with disclosure of protected health information to a health plan for payment or health care operations, if the protected health information relates solely to something you have paid for in full out of pocket), and the Plan may terminate its agreement to the restrictions you requested.
To request restrictions, submit your request in writing, and advise the Plan as to what information you seek to limit, and how and/or to whom you would like the limit(s) to apply. The Plan will notify you in writing as to whether it agrees to your request for restrictions. The Plan will also notify you in writing if it terminates an agreement to the restrictions that you requested.
Right to Complain
You have the right to complain to the Plan and/or to the Secretary of the U.S. Department of Health and Human Services if you believe your privacy rights have been violated, generally within 180 days of when the act or omission occurred. To file a complaint with the Plan, submit your complaint in writing to the Privacy Officer identified in this Notice.
The Privacy Officer will investigate any complaint and, in the event a violation of these and/or other applicable University privacy and/or security policies, procedures, or practices is found (including but not limited to the University's Confidentiality or Computing and Network Acceptable Use Policies), will take prompt action to see that the responsible person(s) is/are disciplined, up to and including termination. The Plan will take all reasonable steps to mitigate any harmful effect resulting from known violations of its privacy and security policies and practices.
You will not be retaliated or discriminated against and no services, payment, or privileges will be withheld from you because you file a complaint with the Plan or with the Department of Health and Human Services.
Right to a Paper Copy of This Notice
You have the right to a paper copy of this Notice. To make such a request, submit a written request to the Privacy Officer identified in this Notice.
Changes in the Plan's Privacy and Security Policies and Practices
The Plan reserves the right to change its privacy and security policies and practices and make the new practices effective for all health information that it maintains, including your health information that it created or received prior to the effective date of the change and your health information it may receive in the future.
In the event of material changes, the Plan will post the most recent notice on the Plan Sponsor's Office of Human Resources website by the effective date of the material changes. By October 1 of each year, the Office of Human Resources sends the notice to all benefit-eligible employees and retirees. Employees who use email as part of their daily work receive the document by email. Employees who do not use email as part of their daily work receive the notice by email and hard copy delivered through campus mail. Retirees receive the notice through hard copy delivered by U.S. mail.
A copy of the most recent notice will be made available to you at any time upon your written request. The Plan also will maintain a posting of the most recent notice on the Plan Sponsor's Human Resources web page.
Revision History
Current Amended Notice Effective Date: September 30, 2022
Prior Amended Notice Effective Date: October 1, 2017
Prior Amended Notice Effective Date: January 1, 2014
Prior Amended Notice Effective Date: September 23, 2013
Prior Amended Notice Effective Date: September 30, 2012
Prior Amended Notice Effective Date: October 14, 2011
Prior Amended Notice Effective Date: November 15, 2009
Original Notice Effective Date: April 14, 2004