1.0 Policy Purpose
This policy sets forth the responsibilities of Brown University’s (the “Employer”) self-funded group health plans to protect the privacy of the plans’ protected health information in accordance with the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), the plans’ policies on the use and disclosure of protected health information, and the plans’ policies on participant rights with respect to protected health information.
2.0 To Whom the Policy Applies
3.0 Policy Statement
The Employer sponsors the following self-funded group health benefits:
- Prescription Drug
- Disease Management
- Health Care Flexible Spending Account
- Wellness Program
Members of the Employer’s workforce may have access to Protected Health Information (“PHI”) of Plan participants: (1) on behalf of the Plan itself, or (2) on behalf of the Employer, for administrative functions of the Plan and other purposes permitted by the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) privacy rules. HIPAA and its implementing regulations restrict the Plan’s and the Employer’s ability to use and disclose PHI.
It is the Employer’s policy that the Plan shall comply with HIPAA’s requirements for the privacy of PHI.
In no event will any employee have access to the PHI of individuals for whom the employee is the direct supervisor.
3.1 Plan Responsibilities as Covered Entity
3.1.1 Privacy Officer and Contact Person
3.1.2 Workforce Training
The Employer will establish on behalf of the Plan appropriate administrative, technical, and physical safeguards to prevent PHI from intentionally or unintentionally being used or disclosed in violation of HIPAA’s requirements. Administrative safeguards include implementing procedures for use and disclosure of PHI. Technical safeguards include limiting access to information by implementing appropriate controls to ensure only authorized employees will have access to PHI and that they will have access to only the minimum amount of PHI necessary for Plan administrative functions. Physical safeguards include locking doors or filing cabinets. Authorized employees will not further use or disclose PHI in violation of HIPAA’s privacy rules.
3.1.4 Privacy Notice
The Privacy Officer is responsible for developing and maintaining the Plan’s Notice of Privacy Practices (“NOPP”) that describes:
- the uses and disclosures of PHI that may be made by the Plan;
- the rights of individuals under HIPAA privacy rules;
- the Plan’s legal duties with respect to the PHI; and
- other information as required by the HIPAA privacy rules.
The NOPP will inform participants that the Employer will have access to PHI in connection with its Plan administrative functions. The NOPP will also provide a description of the Plan’s complaint procedures, the name and telephone number of the contact person for further information, and the date of the NOPP.
The NOPP shall be placed on the Plan’s or the Employer’s website. The NOPP also will be individually delivered:
- at the time of an individual’s enrollment in the Plan;
- to a person requesting the notice; and
- to participants within 60 days after a material change to the notice.
The Plan will also provide notice of availability of the NOPP (or a copy of the NOPP) at least once every three years in compliance with the HIPAA privacy regulations.
Additionally, the Plan will prominently post any changes or revisions to the NOPP on its website by the effective date of the material change to the NOPP, or otherwise, provide information about the material change and how to obtain the revised NOPP, in its next annual mailing to individuals then covered by the Plan.
The Director, Benefits Operations, benefits_Office@brown.edu or (401) 863-3175, will be the Plan’s contact person for receiving complaints.
The Privacy Officer is responsible for creating a process for individuals to lodge complaints about the Plan’s privacy procedures and for creating a system for handling such complaints. A copy of the complaint procedure shall be provided to any participant upon request.
3.1.7 Mitigation of Inadvertent Disclosures of PHI
3.1.8 No Intimidating or Retaliatory Acts; No Waiver of HIPAA Privacy
No employee may intimidate, threaten, coerce, discriminate against, or take other retaliatory action against individuals for exercising their rights, filing a complaint, participating in an investigation, or opposing any improper practice under HIPAA.
No individual shall be required to waive the individual’s privacy rights under HIPAA as a condition of treatment, payment, enrollment, or eligibility under the Plan.
3.1.9 Plan Document
The Plan Document shall include provisions to describe the permitted and required uses and disclosures of PHI by the Employer for Plan administrative or other permitted purposes. Specifically, the Plan Document shall require the Employer to:
- not use or further disclose PHI other than as permitted by the Plan Document or as required by law;
- ensure that any agents or subcontractors to whom it provides PHI received from the Plan agree to the same restrictions and conditions that apply to the Employer through a written contractual agreement in accordance with 45 C.F.R. § 164.314;
- not use or disclose PHI for employment-related actions;
- not use or disclose genetic information for underwriting purposes;
- report to the Privacy Officer any use or disclosure of the information that is inconsistent with the permitted uses or disclosures;
- make PHI available to Plan participants, in paper and/or electronic form, consider their amendments and, upon request, provide them with an accounting of PHI disclosures in accordance with the HIPAA privacy rules;
- make the Employer’s internal practices and records relating to the use and disclosure of PHI received from the Plan available to the Department of Health and Human Services (“HHS”) upon request; and
- if feasible, return or destroy all PHI received from the Plan that the Employer still maintains in any form and retain no copies of such information when no longer needed for the purpose for which disclosure was made, except that, if such return or destruction is not feasible, limit further uses and disclosures to those purposes that make the return or destruction of the information infeasible. The Employer will ensure that all Business Associates return or destroy all PHI received from the Employer and that all Business Associates’ subcontractors and vendors return or destroy PHI received from the Business Associate as well in accordance with the written contractual agreement referenced above.
The Plan Document must also require the Employer to (1) certify to the Privacy Officer that the Plan Document has been amended to include the above restrictions and that the Employer agrees to those restrictions; and (2) ensure adequate electronic protections are implemented in compliance with the HIPAA privacy rules.
The Plan’s privacy policies and procedures shall be documented and maintained for at least six (6) years from the date last in effect. Policies and procedures must be changed as necessary or appropriate to comply with changes in the law, standards, requirements and implementation specifications (including changes and modifications in regulations). Any changes to policies or procedures must be promptly documented.
The Plan shall document certain events and actions (including authorizations, requests for information, sanctions, and complaints) relating to an individual’s privacy rights.
The documentation of any policies and procedures, actions, activities, and designations may be maintained in either written or electronic form. The Plan will maintain such documentation for at least six (6) years.
3.2 Policies on Use and Disclosure of PHI
The Plan will use and disclose PHI only as permitted under HIPAA. The terms “use” and “disclosure” are defined as follows:
Use: The sharing, employment, application, utilization, examination, or analysis of individually identifiable health information by any person working for or within the Human Resources Department of the Employer, or by a Business Associate of the Plan.
Disclosure: For information that is PHI, disclosure means any release, transfer, provision of access to, or divulging in any other manner of individually identifiable health information to persons not employed by or working within the Human Resources Department of the Employer, or not to a Business Associate of the Plan.
3.2.1 Workforce Must Comply with Plan’s Policy and Procedures
3.2.2 Permitted Uses and Disclosures for Plan Administration Purposes
The Plan may disclose to the Employer for its use the following: (1) de-identified health information relating to Plan participants; (2) Plan enrollment information; (3) summary health information for the purposes of obtaining premium bids for providing health insurance coverage under the Plan or for modifying, amending, or terminating the Plan; or (4) PHI pursuant to an authorization from the individual whose PHI is disclosed.
The Plan may disclose PHI to the following employees who have access to use and disclose PHI to perform functions on behalf of the Plan or to perform plan administrative functions (“employees with access”):
3.2.3 Permitted Uses and Disclosures: Payment and Health Care Operations
PHI may be disclosed for the Plan’s own payment purposes, and PHI may be disclosed to another covered entity for the payment purposes of that covered entity.
Payment includes activities undertaken to obtain Plan contributions or to determine or fulfill the Plan’s responsibility for provision of benefits under the Plan, or to obtain or provide reimbursement for health care. Payment also includes:
- eligibility and coverage determinations including coordination of benefits and adjudication or subrogation of health benefit claims;
- risk-adjusting based on enrollee status and demographic characteristics;
- billing, claims management, collection activities, obtaining payment under a contract for re-insurance (including stop-loss insurance and excess loss insurance) and related health care data processing; and
- any other payment activity permitted by the HIPAA privacy regulations.
PHI may be disclosed for purposes of the Plan’s own health care operations. PHI may be disclosed to another covered entity for purposes of the other covered entity’s quality assessment and improvement, case management, or health care fraud and abuse detection programs, if the other covered entity has (or had) a relationship with the participant and the PHI requested pertains to that relationship.
Health Care Operations means any of the following activities:
- conducting quality assessment and improvement activities;
- reviewing health plan performance;
- underwriting and premium rating;
- conducting or arranging for medical review, legal services, and auditing functions;
- business planning and development;
- business management and general administrative activities; and
- other Health Care Operations permitted by the HIPAA privacy regulations.
3.2.4 No Disclosure of PHI for Non-Health Plan Purposes
PHI may not be used or disclosed for the payment or operations of the Employer’s “non-group health plan” benefits (e.g., disability, workers’ compensation, life insurance, etc.), unless the participant has provided an authorization for such use or disclosure (as discussed in “Disclosures Pursuant to an Authorization”) or such use or disclosure is required or allowed by applicable state law and particular requirements under HIPAA are met.
3.2.5 Mandatory Disclosures of PHI
A participant’s PHI must be disclosed in the following situations:
- the disclosure is to the individual who is the subject of the information (see the policy for “Access to PHI and Request for Amendment” that follows);
- the disclosure is required by law; or
- the disclosure is made to HHS for purposes of enforcing HIPAA.
3.2.6 Other Permitted Disclosures of PHI
PHI may be disclosed in the following situations without a participant’s authorization when specific requirements are satisfied. The requirements include prior approval of the Plan’s Privacy Officer. Permitted are disclosures:
- about victims of abuse, neglect, or domestic violence;
- for treatment purposes;
- for judicial and administrative proceedings;
- for law enforcement purposes;
- for public health activities;
- for health oversight activities;
- about decedents;
- for cadaveric organ-, eye- or tissue-donation purposes;
- for certain limited research purposes;
- to avert a serious threat to health or safety;
- for specialized government functions; and
- that relate to workers’ compensation programs.
3.2.7 Disclosures of PHI Pursuant to an Authorization
PHI may be disclosed for any purpose if an authorization that satisfies all of HIPAA’s requirements for a valid authorization is provided by the participant. All uses and disclosures made pursuant to a signed authorization must be consistent with the terms and conditions of the authorization.
3.2.8 Complying with the “Minimum-Necessary” Standard
To the extent practicable, the Plan will limit its use and/or disclosure of PHI to a Limited Data Set. A Limited Data Set is PHI that excludes the following identifiers of the individual or of relatives, employers, or household members of the individual:
- postal address information, other than town or city, state, and zip code;
- telephone numbers;
- fax numbers;
- electronic mail addresses;
- Social Security numbers;
- medical record numbers;
- health plan beneficiary numbers;
- account numbers;
- certificate/license numbers;
- vehicle identifiers and serial numbers, including license plate numbers;
- device identifiers and serial numbers;
- web Universal Resource Locators (URLs);
- Internet Protocol (IP) address numbers;
- biometric identifiers, including finger and voice prints; and
- full face photographic images and any comparable images.
If it is not practicable for the Plan to limit its use and/or disclosure of PHI to a Limited Data Set, the Plan will use the “minimum necessary” PHI to accomplish the purpose of the use or disclosure.
3.2.9 Disclosures of PHI to Business Associates
Employees may disclose PHI to the Plan’s Business Associates and allow the Plan’s Business Associates to create or receive PHI on its behalf. However, prior to doing so, the Plan must first obtain assurances from the Business Associate that it will appropriately safeguard the information through a Business Associate agreement in accordance with 45 C.F.R. § 164.314. Before sharing PHI with outside consultants or contractors who meet the definition of a “Business Associate,” employees must contact the Privacy Officer and verify that a Business Associate contract is in place.
3.2.10 Disclosures of De-Identified Information
The Plan may freely use and disclose information that has been “de-identified” in accordance with the HIPAA privacy regulations. De-identified information is health information that does not identify an individual and with respect to which there is no reasonable basis to believe that the information can be used to identify an individual.
3.2.11 Prohibited Uses of Disclosures
The Plan will not use or disclose genetic information for underwriting purposes in accordance with 45 C.F.R. § 164.502.
3.2.12 Breach Notification Requirements
The Plan will comply with the requirements of the HITECH Act and its implementing regulations to provide notification to affected individuals, HHS, and the media (when required) if the Plan or one of its Business Associates discovers that there is a breach of unsecured PHI and pursuant to the Policy and Procedure for Notification of a Breach of Unsecured Protected Health Information.
3.3 Policies on Individual Rights
3.3.1 Access to PHI and Requests for Amendment
HIPAA gives participants the right to access and obtain copies of their PHI that the Plan (or its Business Associates) maintains in designated record sets. HIPAA also provides that participants may request to have their PHI amended. The Plan will provide paper and/or electronic access to PHI and it will consider requests for amendment that are submitted in writing by participants.
A designated record set is a group of records maintained by or for the Plan that includes:
- the enrollment, payment, and claims adjudication record of an individual maintained by or for the Plan; or
- other PHI used, in whole or in part, by or for the Plan to make coverage decisions about an individual.
The Plan will provide participants with the information requested in the electronic form and format requested by the participant and/or Employer if it is readily producible in such form and format, or, if not, in a readable electronic form and format as requested by the participant and/or Employer.
An individual has the right to obtain an accounting of certain disclosures of his or her own PHI. This right to an accounting extends to disclosures made in the last six (6) years, except for electronic disclosures of Electronic Health Records (“EHRs”), for which the right to an accounting extends to disclosures made in the last three (3) years. The right to an accounting does not exist where the disclosure was:
- to carry out treatment, payment, or health care operations (except in the case of EHRs, for which this exception does not apply);
- to individuals about their own PHI;
- incident to an otherwise permitted use or disclosure;
- pursuant to an authorization;
- to persons involved in the individual’s care or payment for the individual’s care or for certain other notification purposes;
- to correctional institutions or law enforcement when the disclosure was permitted without authorization;
- part of a limited data set;
- for specific national security or law enforcement purposes; or
- made prior to the compliance date under HIPAA.
The Plan shall respond to an accounting request within 60 days. If the Plan is unable to provide the accounting within 60 days, it may extend the period by 30 days, provided that it gives the participant notice (including the reason for the delay and the date the information will be provided) within the original 60-day period.
The accounting must include the date of the disclosure, the name of the receiving party, a brief description of the information disclosed, and a brief statement of the purpose of the disclosure that reasonably informs the individual of the basis for the disclosure (or a copy of the written request for disclosure, if any). If a brief purpose statement is included in the accounting, it must be sufficient to reasonably inform the individual of the basis of the disclosure.
The first accounting in any 12-month period shall be provided free of charge. The Privacy Officer may impose reasonable production and mailing costs for subsequent accountings.
3.3.3 Requests for Alternative Communication Means or Locations
Participants may request to receive communications regarding their PHI by alternative means or at alternative locations. For example, participants may ask to be called only at work rather than at home. The Plan will only honor reasonable requests and those requests that are required by law. The decision to honor such a request shall be made by the Privacy Officer.
However, the Plan shall accommodate such a request if the participant clearly states that the disclosure of all or part of the information could endanger the participant. The Privacy Officer has responsibility for administering requests for confidential communications.
3.3.4 Requests for Restrictions on Use and Disclosure of PHI
A participant may request restrictions on the use and disclosure of the participant’s PHI. The Plan may, but need not, honor such requests. The decision to honor such a request shall be made by the Privacy Officer. However, the Privacy Officer may not deny such a request if the participant has paid for a service in-full and the disclosure is not otherwise required by law.
For the purpose of this Policy, the terms below have the following definitions:
- Business Associate:
An entity that:
- performs or assists in performing a Plan function or activity involving the use and disclosure of PHI (including claims processing or administration, data analysis, underwriting, etc.);
- provides legal, accounting, actuarial, consulting, data aggregation, management, accreditation, or financial services, where the performance of such services involves giving the service provider access to PHI; or
- a subcontractor that creates, receives, maintains, or transmits PHI on behalf of another Business Associate.
- Protected Health Information (“PHI”):
PHI means information that is created or received by the Plan and relates to the past, present, or future physical or mental health or condition of a participant; the provision of health care to a participant; or the past, present, or future Payment for the provision of health care to a participant; and that identifies the participant or for which there is a reasonable basis to believe the information can be used to identify the participant. PHI includes information of persons living or deceased, including genetic information.
All individuals to whom this policy applies are responsible for becoming familiar with and following this policy. University supervisors are responsible for promoting the understanding of this policy and for taking appropriate steps to help ensure compliance with it.
6.0 Consequences for Violating this Policy
Failure to comply with this and related policies is subject to disciplinary action, up to and including suspension without pay, or termination of employment or association with the University, in accordance with applicable (e.g., staff, faculty, student) disciplinary procedures.
7.0 Related Information
This policy is not a legal document. This policy does not confer a term of employment, nor is the language intended to establish a contract of employment, express or implied, between any employee and Brown University. The University reserves the right to change, amend or terminate any of its human resources policies at any time for any reason.
Brown University is a community in which employees are encouraged to share workplace concerns with University leadership. Additionally, Brown’s Anonymous Reporting Hotline allows anonymous and confidential reporting on matters of concern online or by phone (877-318-9184).
The following information complements and supplements this document. The information is intended to help explain this policy and is not an all-inclusive list of policies, procedures, laws and requirements.
7.1 Related Policies
- HIPAA Security Policy
- HIPAA Breach Notification Policy
- HIPAA Notice of Privacy Practices
7.2 Related Procedures
7.3 Related Forms
7.4 Frequently Asked Questions (FAQs)
7.5 Other Related Information
Policy Owner and Contact(s)
Policy Owner: Vice President for Human Resources
Policy Approved by: Executive Vice President for Finance and Administration
Policy Issue Date:
Policy Effective Date:
Policy Update/Review Summary: