Our Commitment to HIPAA Compliance
We are committed to protecting the privacy of Participants’ health information, and to complying with applicable federal and state laws that protect the privacy and security of a Participant’s health information. Consistent with this commitment, we have established basic requirements for the use or disclosure of Participants’ protected health information (PHI).
Federal Health Insurance Portability and Accountability Act (HIPAA) privacy regulations do not require health plans to obtain a Participant’s written consent or authorization prior to using, disclosing, or requesting PHI for purposes of treatment, payment, or health care operations (TPO). Nor do federal privacy regulations require that providers of health care services obtain their patients’ consent or authorization before disclosing PHI to health plans for payment purposes, or for certain operational activities of the health plan, such as quality assurance.
In addition, PHI may be disclosed by a health plan for a number of other purposes without the Participant’s authorization. For instance, PHI may be disclosed when the health plan is required by law to do so.
Unless a disclosure is specifically permitted by HIPAA, a Participant must sign an authorization form before we may use or disclose the Participant’s PHI. An example of a disclosure that requires a specific authorization is the disclosure of a Participant’s PHI for marketing purposes.
In situations in which an authorization is required, we will make sure that a signed Participant (or personal representative) authorization has been obtained. Authorizations must:
- Authorize disclosure of PHI
- State the purpose for which the information is sought
- Authorize the use of the information for the stated purpose
Our policies, in compliance with federal and state privacy regulations, permit Participants to have access to their PHI, to receive copies of it, and to request that certain such information be amended. However, this applies only to information that is stored in designated record sets. Designated record sets are records that contain PHI and that are used to make decisions about individual Participants. The following are examples of our designated record sets:
- Claims
- Adjudication records
- Claim payment records
- Grievances and appeals relating to claim payment, eligibility for benefits, or enrollment decisions about individual Participants
- Enrollment and eligibility forms and records
- Medical management records
- Utilization management (medical and pharmacy) records
- Care coordination records
- Case management records
- Disease management records
We have adopted a number of internal safeguards to prevent the unauthorized use, alteration, or disclosure of PHI throughout the company, whether the PHI is shared orally, in writing, or by electronic transfer. These safeguards include administrative procedures, physical protections, and technology security solutions.
We will continue to maintain adequate administrative, technical, and physical safeguards to protect the privacy of PHI from unauthorized use or disclosure, whether intentional or unintentional, and from theft and unauthorized alteration. Safeguards are also utilized to effectively reduce the likelihood of use or disclosure of PHI that is unintended and incidental to a use or disclosure in accordance with our policies and procedures.
Our associates are subject to disciplinary action for violation of policies and procedures. Violations that jeopardize the privacy or security of PHI are particularly serious. This seriousness will be reflected in the nature of the disciplinary action, up to and including termination of employment.