Paramedics Plus

Privacy Policy and Procedures

A. Introduction

Paramedics Plus (hereafter known as “Paramedics Plus” or “the plan”) places a high value on the privacy of its employees and clients.  Paramedics Plus is obligated as a covered entity, plan sponsor and business associate to comply with various aspects of the privacy provisions of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), as well as other laws that may be applicable including, but not limited to, the Gramm-Leach-Bliley Act (GLBA) and state privacy laws.  This Privacy and Procedure policy shall be known hereafter as “the policy”.

Paramedics Plus’s medical benefits plan is self-insured with multiple plan options.  As such, Paramedics Plus is obligated to comply with HIPAA.  Paramedics Plus also maintains other plans that are not subject to this Privacy Policy.  For example, with regard to the Employee Assistance Plan (EAP) and disability plans, Paramedics Plus receives very limited summary information in its capacity as an employer. This policy will govern the circumstances, if any, under which Plan protected health information may be shared with any such plans.

Paramedics Plus recognizes that all employees, business associates and subcontractors have an ethical and legal obligation to keep certain information confidential and to protect and safeguard this information against tampering or unauthorized use and disclosure.  All provisions within this policy apply to Paramedics Plus as a covered entity, plan sponsor and business associate for use with The Plan’s information and our client’s information.

Members of Paramedics Plus’s workforce may have access to personally identifiable information (PII) and protected health information (PHI) of Plan participants (1) on behalf of the Plan itself; (2) on behalf of Paramedics Plus; or (3) on behalf of our clients, for administrative functions and other purposes permitted by the HIPAA privacy rules, state privacy laws and GLBA.  Written agreements are required to be in place for sharing and protection of this information.  Copies of all signed agreements should be filed in the Paperwise system.  The Compliance Department also maintains copies of all signed BAAs with clients and NDA/Confidentiality Agreements with vendors/carriers for easy access in the event of an incident.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its implementing regulations restrict the Plan's and Paramedics Plus’s ability to use and disclose protected health information.

The Gramm-Leach-Bliley Act and some state laws restrict Paramedics Plus’s ability to disclose our clients’ non-public personally identifiable information.

It is Paramedics Plus’s intent to comply with all applicable provisions of state and federal laws relating to privacy of information.  All members of Paramedics Plus’s workforce, regardless of whether they have access to PHI or PII, must comply with this Privacy Policy and Procedures. Paramedics Plus’s workforce includes individuals who may be considered part of the workforce under HIPAA such as employees, volunteers, trainees, and other persons whose work performance is under the direct control of the company, whether or not they are paid by Paramedics Plus. The term “employee” or “workforce member” includes all of these types of workers.

No third-party rights (including, but not limited to, rights of Plan participants, beneficiaries, covered dependents, or business associates) are intended to be created by this Policy. Paramedics Plus reserves the right to amend or change this Policy at any time (and even retroactively) without notice. To the extent this Policy establishes requirements and obligations above and beyond those required by HIPAA, these policies and procedures shall be aspirational and not binding. To the extent this Policy is in conflict with the HIPAA privacy rules, the HIPAA privacy rules shall govern.

B. Paramedics Plus Responsibilities as Covered Entity & Business Associate

I. Privacy Official and Contact Person

It is the policy of Paramedics Plus to have two Privacy Officials.  One official shall govern the Plan with the other official governing actions related to our client plans.  Both Privacy Officials shall coordinate with the Security Official as necessary regarding privacy activities.

Culver Wilson, Vice President of Human Resources, is the Internal Privacy Official for all participants and business associates of the group health plan. The Internal Privacy Official will be responsible for the development, monitoring and implementation of policies, notices, agreements and procedures relating to privacy of the Plan's PHI including, but not limited to, this Privacy Policy and Procedures, training procedures and procedures relating to privacy of the group health plan.

The Internal Privacy Official will also serve as the contact person for participants who have questions, concerns, or complaints about the privacy of their PHI and will maintain a log of all complaints, actions, breaches, requests and denials of access and all other required functions relating to PHI of the health plan. The Internal Privacy Official shall be responsible for monitoring compliance by all business associates regarding their procedures relating to the Plan participants’ privacy.  A log will be maintained on all staff regarding changes in job duties, terminations and access granted to various systems which may contain PHI for Paramedics Plus.  Refer to section C. III “Permitted Use and Disclosure of PHI” for a listing of personnel who will have access to the Paramedics Plus health plan’s PHI.

Brad Van Winkle, Senior Vice President and Benefits Practice Leader, is the External Privacy Official for all clients, business associates and vendor contacts. The External Privacy Official shall assist with policies and procedures to incorporate provisions relating to privacy and other state or federal regulations as may apply, as well as procedures relating to questions, concerns, complaints, access, potential breaches and disclosures on behalf of our clients and vendors. The External Privacy Official shall be responsible for the monitoring of all business associate agreements, non-disclosure or data sharing agreements and the compliance of those associates as they relate to the privacy rules.

II. Workforce Training

It is Paramedics Plus’s policy to train all members of its workforce who have access to the Plan’s protected health information on the privacy policy and procedures.

Paramedics Plus provides basic privacy training to all new personnel.  In addition, staff that may have access to clients' PHI and Paramedics Plus’s human resources personnel will be required to participate in annual training.  All training will be documented and maintained as required by law.

The Internal Privacy Official is charged with developing training schedules and programs so that all employees receive the training necessary and appropriate to permit them to carry out their duties in compliance with HIPAA and any other privacy laws.  This will include a combination of web-based training and customized overview of our particular processes and procedures. 

PROCEDURE:

New Workforce Members or personnel: New members of the Plan’s workforce and all new personnel with access to PHI and PII shall be trained prior to accessing or using PHI.

Re-training: Existing workforce members and all personnel with access to PHI shall be re-trained within a reasonable time of a material change in job functions, privacy policies or procedures, but in no event less frequently than annually.

III. Safeguards and Firewall

Paramedics Plus will establish and comply with reasonable and appropriate administrative, technical, and physical safeguards to secure PHI and PII from intentional or unintentional use or disclosure in violation of privacy requirements.

PROCEDURE:

Administrative safeguards include implementing procedures for use and disclosure of PHI and PII, a verification process for identifying and confirming the authority of persons requesting PHI, and a process for filing privacy complaints.  All employees will be required to read and understand the policies and procedures.  See the Security Policy for additional administrative safeguards, including a log of all software and hardware relating to PHI and the procedures for introducing any new software or connections that are not specifically approved by the Privacy or Security Official.

Technical safeguards include limiting access to information by creating computer firewalls, virus scan software and procedures, password protection, workstation security and up-to-date software, as well as procedures for disposal and repair of equipment related to or containing PHI.  Daily back-ups for server data will be done and tapes will be maintained offsite at a secure location. Emergency procedures are in place for restoration of data. These safeguards will be further defined by the Security officer in the security policy.

Physical safeguards implemented shall include, but are not limited to, the locking of doors and filing cabinets, sign in & out for all guests (who should be escorted at all times), removal of PHI and PII from desktops (PHI and PII should not be left in common or public areas), and changing of entry access codes and keys when personnel changes occur.  Internal audits shall be performed periodically to monitor that safeguards are being maintained properly. 

See Appendix 4 Physical Safeguards 

All devices and media will be wiped prior to disposal.  This is addressed further in the Security Policy. Firewalls and Network File Security will be used to ensure that only authorized employees will have access to PHI, that they will have access to only the minimum amount of PHI necessary for administrative functions or services provided to clients, and that they will not further use or disclose PHI in violation of privacy rules.

IV. Privacy Notice

The Internal Privacy Official is responsible for developing and maintaining a notice of the Plan's privacy practices that describes:

  • the uses and disclosures of PHI that may be made by the Plan;
  • the rights of individuals under applicable privacy rules;
  • the Plan's legal duties with respect to the PHI; and
  • other information as required by HIPAA privacy rules.

The Privacy Notice will inform participants that Paramedics Plus will have access to PHI in connection with administrative functions. The Privacy Notice will also provide a description of the Plan's complaint procedures, the name and telephone number of the contact person for further information, and the date of the notice.

The External Privacy Official is responsible for developing and maintaining a notice of Paramedics Plus’s privacy practices that describes the uses and disclosures of PHI and PII on behalf of our clients.  This notice will be housed on the Paramedics Plus website. 

PROCEDURE:

As a self-funded group health plan, we will maintain a Privacy Practices Notice. That notice must give individuals written notice of the uses and disclosures of PHI that we may make, our legal duties with respect to PHI, and an individual’s privacy rights and how to exercise them.  We must use and disclose PHI consistently with our notice.

The notice will be distributed as follows:

  • posted on the intranet;
  • when a person enrolls in the plan;
  • annually in open enrollment materials;
  • to a person requesting the notice; and
  • to all parties within 60 days after a material change to the notice.

Paramedics Plus will not provide a notice of availability of the Privacy Notice as the actual notice is distributed annually.

The Privacy Notice will be revised when its terms are affected by a change to the Plan’s Policies and Procedures or as required by law.

V. Complaints

Culver Wilson, Vice President of Human Resources (972-770-1600), will be the contact person for receiving complaints on behalf of participants in the Paramedics Plus health plan.  Complaints should be filed by contacting Culver Wilson in writing, and such written document should include a description of the particular complaint.

Brad Van Winkle, Sr. Vice President and Benefits Practice Leader (512-226-7900), will be the contact person for receiving requests for information or complaints on behalf of our clients or business associates in relation to our privacy practices. Complaints should be filed by contacting Brad Van Winkle in writing, and such written document should include a description of the particular complaint.

The right to file a complaint is included in the Privacy Notice.  Paramedics Plus shall not intimidate, threaten, coerce, discriminate against, or take other retaliatory action against a participant that has filed a complaint.  Paramedics Plus shall take any and all complaints seriously and every attempt will be made to resolve the complaint satisfactorily for all parties involved.   

PROCEDURE: 

  1. A complaint must be filed on the complaint Form 17.501.
  2. The appropriate Privacy Official shall document complaints and resolution on the complaint log Form 17.602.
  3. A formal response will be provided in writing to the individual who filed the complaint on Form 17.502 within 30 days of receipt of complaint.

VI. Sanctions for Violations of Privacy Policy

Sanctions for using or disclosing PHI in violation of this Privacy Policy, HIPAA or other applicable state or federal privacy laws will be imposed in accordance with the employee handbook, telework and confidentiality policies.  Included therein will be any corrective action, including retraining and up to termination of employment.  The severity of disciplinary actions may be determined by the prior training provided to the employee, the severity of the violation, past performance with compliance procedures, and whether the violation was intentional or unintentional.

All Paramedics Plus employees (including workforce members) are required to sign a Non-Disclosure/Confidentiality Agreement, a HIPAA Acknowledgment form and the Employee Handbook and Telework Policy if applicable.  The HIPAA Acknowledgment form acknowledges they have read and intend to comply with the Paramedics Plus Privacy Policy and Procedures. 

Sanctions involving business associates may include counseling on procedures, termination of business associate agreements and notification to HHS for severe or repeated misuse or privacy violations. 

PROCEDURE: 

Each workforce member and all personnel are required to promptly report any suspected or known violations of Paramedics Plus’s Privacy Policy and Procedures, Corporate Privacy Policy or any other applicable state or federal privacy law.  All employee sanctions including warnings will be documented accordingly.

VII. Mitigation of Inadvertent Disclosures of PHI

Paramedics Plus shall mitigate, to the extent possible, any harmful effects that become known to it from a use or disclosure of an individual's PHI or PII in violation of HIPAA or the policies and procedures set forth in any written policies, including this Policy. As a result, if a workforce member, employee or business associate becomes aware of an unauthorized use or disclosure of the Plan’s or a client’s plan’s PHI, or of PII, that is not in compliance with the policies and procedures set forth in this policy, that person must immediately contact the appropriate Privacy Official and Compliance Director so that reasonable steps can be taken to mitigate harm to the participant or involved parties.

PROCEDURE

Reasonable steps may include, but are not limited to, the following:

  • Investigating the facts and circumstances relating to the use or disclosure of PHI;
  • Retrieval of PHI from the receiving party;
  • Assurance in writing from the receiving party that file was not reviewed and was completely deleted;
  • Contacting the affected individuals;
  • Termination of business associate agreement;
  • Sanctions on workforce member, employee, business associate or subcontractor;
  • Adopting new procedures to address issue if not previously and appropriately addressed;
  • Securing a fully executed confidentiality or non-disclosure agreement specifying data will not be re-disclosed;
  • Documentation to support actions such as data deleted from hard-drive or any back-up files;
  • Notice to the appropriate parties such as HHS, a client, vendor or insurer.

VIII. No Intimidating or Retaliatory Acts; No Waiver of HIPAA Privacy

No workforce member or employee may intimidate, threaten, coerce, discriminate against, or take other retaliatory action against individuals for exercising their rights, filing a complaint, participating in an investigation, or opposing any improper practice under HIPAA or any other applicable privacy law.

No individual shall be required to waive his or her privacy rights under HIPAA or the Privacy Policy, including the right to complain to HHS as a condition of treatment, payment, enrollment, or eligibility under the Plan.

IX. Plan Document

The Plan Document shall include provisions to describe the permitted and required uses and disclosures of PHI by Paramedics Plus for plan administrative or other permitted purposes. Specifically, the Plan Document shall require Paramedics Plus to:

  • not use or further disclose PHI other than as permitted by the Plan Document or as required by law;
  • ensure that any associates, vendors or subcontractors to whom it provides PHI agree to the same restrictions and conditions that apply to Paramedics Plus;
  • not use or disclose PHI for employment-related actions or for any other benefit or employee benefit plan of Paramedics Plus;
  • report to the Internal Privacy Official and Compliance Director any use or disclosure of information that is inconsistent with the permitted uses or disclosures;
  • make PHI available to Plan participants, consider their amendments and, upon request, provide them with an accounting of PHI disclosures in accordance with the HIPAA privacy rules;
  • make Paramedics Plus's internal practices and records relating to the use and disclosure of PHI received from the Plan available to the Department of Health and Human Services (HHS) upon request; and
  • if feasible, return or destroy all PHI received from the Plan that Paramedics Plus still maintains in any form and retain no copies of such information when no longer needed for the purpose for which disclosure was made, except that, if such return or destruction is not feasible, limit further uses and disclosures to those purposes that make the return or destruction of the information infeasible. Paramedics Plus may retain one copy as needed to document work.

The Plan Document requires Paramedics Plus to (1) certify to the Internal Privacy Official that the Plan documents have been amended to include the above restrictions and that Paramedics Plus agrees to those restrictions; and (2) provide adequate firewalls in compliance with the HIPAA privacy rules.

X. Documentation

All privacy policies and procedures, notices of privacy practices and individual authorizations shall be documented and maintained for at least six years from the date created or last in effect, whichever is later. Policies and procedures will be changed as necessary or appropriate to comply with changes in the law, standards, requirements and implementation specifications (including changes and modifications in regulations). Any changes to policies or procedures will be promptly enacted, documented and distributed.  Changes will be effective for any PHI or PII created or received thereafter.

Paramedics Plus shall document certain events and actions (including authorizations, requests for information, sanctions and complaints) relating to an individual’s privacy rights.  Events and actions in relation to Paramedics Plus’s plan will be maintained by the Internal Privacy Official in the employee file.  Events and actions relating to Paramedics Plus clients will be maintained on a client level in Brokerage Builder. 

Paramedics Plus shall also document the dates and attendance of workforce members and employees’ training sessions.

PROCEDURE

The appropriate Privacy Official will be the repository of documentation of our privacy practices and compliance with Privacy Policies and Procedures.  The documentation will be maintained in written or electronic form. 

  • Our Privacy Policies and Procedures and each revision of them.
  • Our Privacy Notice and each revision of it, and all documentation relating to its distribution.
  • Each complaint and any documentation as a result of investigating and resolving such complaint.
  • All requests for authorization, or revocation of authorization, any request for access, amendment, disclosure accounting, restriction and all other documentation relating to our compliance with individuals’ rights.
  • Documentation of designation of our Privacy Officials and any delegation of duties or responsibilities.
  • Documentation of business associate relationships, limited data sets and de-identified health information.
  • Documentation of workforce training, sanctions, mitigation plans and any other administrative requirements.
  • Any other documentation related to the Privacy Policies, state and/or federal laws relating to privacy, or any actions taken therein.

C. Policies on Use and Disclosure of PHI

I. Use and Disclosure Payment and Health Care Operations

The use and disclosure of PHI and PII will only be as permitted under HIPAA or other privacy laws as required or subject to Paramedics Plus’s written policies.

II. Workforce Must Comply with Paramedics Plus’s Policies and Procedures

All employees of Paramedics Plus must comply with this policy, the Paramedics Plus Corporate Privacy Policy and any other written policies which are set forth in separate documents.  These policies outline procedures relating to privacy, security, confidentiality and other processes agreeable to or prohibited by Paramedics Plus. 

III. Permitted Uses and Disclosures for Administration Purposes

The Plan may disclose to Paramedics Plus for administrative purposes the following information: (1) the minimum necessary PHI or PII for the purpose of obtaining premium bids, or modifying, amending or terminating a plan; (2) Plan enrollment/disenrollment information; (3) information disclosed to Paramedics Plus in its role as an employer or in providing administrative services to the Plan; or (4) PHI pursuant to an authorization from the individual whose PHI is disclosed.

PHI, PII and summary health information may also be disclosed by our employees on behalf of our clients for the purposes of plan enrollment/disenrollment, claims assistance, health care operations, premium bids to provide insurance, and as required by law or allowed pursuant to authorization from an individual.

The Plan may disclose PHI to the following workforce members or employees who have access to use and disclose PHI to perform functions on behalf of the Plan or to perform plan administrative functions (“employees with access”):

  • Human Resources Manager (Enrollment/Disenrollment information)
  • Vice President of Human Resources/Internal Privacy Officer (Information related to a potential plan breach)
  • Information Technology Staff
  • Principal acting on behalf of The Plan
  • Account Manager for The Plan
  • Operations Manager & Senior Analyst Health Analytics
  • Compliance Director

Workforce members with access may disclose PHI to other workforce members with access for plan administrative functions, but the PHI disclosed must be limited to the minimum amount necessary to perform the plan administrative function. Workforce members with access may not disclose PHI to employees other than employees with access unless a valid, signed authorization is in place or the disclosure otherwise is in compliance with this Policy. Employees with access must take all appropriate steps to ensure that the PHI is not disclosed, available, or used for employment purposes. For purposes of this Policy, “plan administrative functions” include the payment and health care operation activities described in section IV of this Policy.

PROCEDURE:

See Appendix 1 to determine steps required for verification of identity prior to releasing PHI or PII on behalf of our clients.  The Plan may release to Paramedics Plus PHI, enrollment/disenrollment information, information for administration of the plan or a client’s plan, or pursuant to a valid authorization.

IV. Permitted Uses and Disclosures: Payment and Health Care Operations

PHI may be disclosed for the Plan's own payment purposes without the individual’s permission. PHI may be disclosed to another covered entity for the payment purposes of that covered entity or for coordination of treatment.

PHI may also be disclosed on the behalf of our clients for payment or administrative purposes to applicable client entities, common business associates and sub-contractors.  Summary PHI may also be disclosed to third parties for renewal marketing of a plan or for comparative purposes.

PHI may be disclosed for purposes of the Plan's own payment activities and health care operations without the individual’s permission. These may include underwriting, premium rating or other activities relating to creation, renewal or replacement of health insurance or health benefits, including stoploss and reinsurance or performance and quality assessment of those plans.  It may also include activities related to general administrative functions.

PHI may be disclosed to another covered entity for purposes of the other covered entity's quality assurance, competency assurance, or health care fraud and abuse detection programs, if the other covered entity has (or had) a relationship with the participant and the PHI requested pertains to that relationship.  This disclosure must be approved by the appropriate Privacy Official and documented accordingly.

PHI may also be disclosed for purposes of our client’s health care operations without the individual’s permission. PHI may be disclosed to another business associate for purposes of our client’s quality assessment and improvement, case management, or health care fraud, underwriting and abuse detection programs, if the other business associate has (or had) a relationship with the participant and the PHI requested pertains to that relationship.

We must have written authorization from the individual (or individual’s personal representative) before we may use or disclose an individual’s PHI for any purpose, except the following:

  • For treatment, payment or health care operations;
  • To the individual, the individual’s personal representative or HHS;
  • As permitted for public interest or benefit activities;
  • As permitted with a business associate; and
  • Incidental to otherwise permitted or required uses and disclosures.
PROCEDURE:

Uses and Disclosures for Payment Activities or Health Care Operations. A workforce member with access may use and disclose PHI to perform the Plan's own payment activities or health care operations.  An employee may use or disclose PHI to perform payment activities or health care operations on behalf of our clients.

___ Disclosures must comply with the “Minimum-Necessary Standard.”

Disclosures for Another Entity's Payment Activities. A workforce member with access may disclose PHI to another covered entity or health care provider to perform the other entity's payment activities. Disclosures may be made under the following procedures:

___ Disclosures must comply with the “Minimum-Necessary Standard.”

___ Disclosures must be documented in accordance with the procedure for “Documentation Requirements.”

Disclosures for Certain Health Care Operations of the Receiving Entity. A workforce member with access may disclose PHI for purposes of the other covered entity's quality assessment and improvement, case management, or health care fraud and abuse detection programs, if the other covered entity has (or had) a relationship with the individual and the PHI requested pertains to that relationship. Such disclosures are subject to the following:

___ Disclosures must comply with the “Minimum-Necessary Standard.”

___ Disclosures must be documented in accordance with the procedure for “Documentation Requirements.”

Impermissible disclosures that do not rise to the level of a reportable breach will be logged as a disclosure. These impermissible disclosures are subject to inquiry by individuals and must be maintained for such purposes, even if they are not deemed a reportable breach.  An impermissible disclosure of this kind may include, for example, sending data to a party other than the intended recipient, where that party has an obligation to protect data we share with it in general but not specifically the client’s data that was inadvertently shared.

V. No Disclosure of PHI for Non-Health Plan Purposes

PHI may not be used or disclosed for the payment or operations of Paramedics Plus’s “non-health” benefits (e.g., disability, workers' compensation, life insurance, etc.), unless the participant has provided an authorization for such use or disclosure (as discussed in “Disclosures Pursuant to an Authorization”) or such use or disclosure is required or allowed by applicable state law and the particular requirements under HIPAA are met. This disclosure must be approved by the appropriate Privacy Official.  If approved, it is subject to the minimum disclosure standards and a HIPAA authorization must be obtained.

VI. Mandatory Disclosures of PHI

A participant’s PHI must be disclosed, in accordance with HIPAA, this Privacy Policy and appendices, in the following situations:

  • The disclosure is to the individual who is the subject of the information (see the policy for “Access to Protected Information and Request for Amendment” that follows);
  • The disclosure is required by law; or
  • The disclosure is made to HHS or other oversight agencies as authorized by law.
PROCEDURE

Disclosures made as required by law, to HHS or other oversight agencies must be approved by the appropriate Privacy Official and documented accordingly. Upon receiving a request from an individual (or an individual’s representative) for disclosure of the individual’s own PHI, the workforce member or employee must follow the procedures set forth in Appendix 1.

Requests from HHS or a public official should be verified using the procedures set forth in Appendix 1 and discussed with the appropriate Privacy Official prior to release.

VII. Other Permitted Disclosures of PHI

PHI may be disclosed in the following situations without a participant's authorization when specific requirements are satisfied. This Privacy Policy and appendices describe the specific requirements that must be met before these types of disclosures may be made. The identity of the requester and the authority for the request must be verified.  The requirements include prior approval of the appropriate Privacy Official. Permitted disclosures include the following:

  • about victims of abuse, neglect or domestic violence to authorized governmental authorities;
  • to a health care provider for treatment purposes;
  • for judicial and administrative proceedings;
  • for law enforcement purposes;
  • for public health activities;
  • for health oversight activities;
  • about decedents;
  • for cadaveric organ, eye or tissue donation purposes;
  • for certain limited research purposes;
  • to avert a serious threat to health or safety;
  • for specialized government functions; and
  • to comply with workers' compensation programs.

PROCEDURE

When information is disclosed for the public health, public interest, public benefit and law enforcement activities, it is subject to the disclosure accounting and must be logged.  Approval must be provided by the appropriate Privacy Official, comply with the minimum necessary standard and be documented accordingly. 

VIII. Disclosures of PHI Pursuant to an Authorization

PHI may be disclosed for any purpose if an authorization that satisfies all of HIPAA's requirements for a valid authorization is provided by the participant. All uses and disclosures made pursuant to a signed authorization must be consistent with the terms and conditions of the authorization.  The below grid provides general information regarding when an authorization is required.  Refer to Form 1.001 for Authorization to Release Information.  When in doubt, consult with appropriate Privacy Official. 

Person requesting PHI and what is needed:

  • Employee or spouse calling on adult child issue: the adult child (age 18 and over) should sign an authorization before any detail on claims or treatment is provided to the parent.
  • Employee or spouse calling on other party’s issue: the person whose information is requested must complete an authorization prior to information being released to the inquiring party, unless the party whose information is requested has verbally or otherwise (via email) provided approval.
  • Someone calling on behalf of elderly or incompetent adult: must have written authorization to release information or approval from the Privacy Official.
  • Provider calling on issue: the person whose information is requested must complete an authorization prior to information being released to the inquiring party, unless the requesting party has proper written authorization.
  • Business Associate: no authorization required; however, a business associate agreement must be current, signed and on file.
  • Public Official (in person): a copy of the agency identification badge or other credentials or proof of government status.
  • Public Agency (in writing): request on the government agency’s letterhead, a written statement of legal authority and/or a warrant, subpoena or similar process.
  • Executor, Administrator of estate or Personal Representative: proof of legal authority such as a will or medical power of attorney; steps should be taken to validate the relationship and verify the identity of the person.

If the participant is not present or has not had the opportunity to agree to or object to the use or disclosure of their health information, Paramedics Plus will use professional judgment and its experience with the entity or party involved to determine whether the disclosure is in the best interest of the participant.  If so, the disclosure will include only the minimum necessary information relevant to the issue or care. 

PROCEDURE:

  1. See Appendix 1 to determine steps required to be taken for verification of identity prior to disclosing PHI or PII. Any disclosure not permitted or required under the use and disclosure procedures may be made with individual authorization and documented accordingly.
  2. The Privacy Official must review and process the request.

An authorization may be revoked at any time.  Revocation of an authorization does not affect any actions we may have undertaken in reliance on the authorization while it was still in force and prior to our learning of the revocation. 

IX. Complying With the “Minimum Necessary” Standard

HIPAA requires that when PHI is used, requested or disclosed, the amount disclosed generally must be limited to the minimum necessary to accomplish the purpose of the use, request or disclosure.  Although not required by HIPAA, these same guidelines will be used when handling and disclosing PII.

The “minimum necessary” standard does not apply to any of the following:

  • uses or disclosures made to the individual or the individual’s personal representative;
  • disclosure to or a request by a health care provider for treatment;
  • uses or disclosures made pursuant to a valid authorization;
  • disclosures made to HHS for complaint investigation or compliance enforcement or review;
  • uses or disclosures required by law; and
  • uses or disclosures required to comply with HIPAA Administrative Simplification Rules.

Paramedics Plus, when disclosing PHI subject to the minimum necessary standard, shall take reasonable and appropriate steps to ensure that only the minimum amount of PHI that is necessary for the requestor is disclosed. All disclosures not discussed in the Privacy Policy must be reviewed on an individual basis with the appropriate Privacy Official to ensure that the amount of information disclosed is the minimum necessary to accomplish the purpose of the disclosure.

Paramedics Plus, when requesting PHI subject to the minimum necessary standard, shall take reasonable and appropriate steps to ensure that only the minimum amount of PHI necessary is requested. All uses, requests or disclosures not discussed in the Privacy Policy must be reviewed on an individual basis with the appropriate Privacy Official to ensure that the amount of information requested is the minimum necessary to accomplish the purpose of the disclosure.

A random identifier may be assigned by Paramedics Plus to a designated record set so that data may be re-identified by Paramedics Plus if necessary.

Additionally, the minimum necessary will be used when requesting or disclosing client PHI or PII.  See procedure below for additional information regarding these requests or disclosures.

PROCEDURE

See Appendix 2 Protocols for Data Comparison - this includes the protocols for providing data to third parties for comparison purposes.  Verification will be made prior to sharing data to confirm appropriate agreements (BAA, NDA, CA, etc.) are in place. 

See Appendix 3 Protocols for Data Sharing/Reporting – this includes the protocols for data sharing/reporting to groups and internal access to clients’ PHI.  Form 2.001 is the Plan Sponsor Certification of HIPAA compliance for groups under 200, if PHI is requested by the Plan Sponsor to be disclosed on reporting.  Identified information will not be shared with clients unless a signed Plan Sponsor Certification form is received.   

X. Disclosures of PHI to Business Associates

Workforce members may disclose PHI to the Plan's business associates and allow the Plan's business associates to create, maintain, transmit or receive PHI on its behalf as allowed by law.  Paramedics Plus may also create, maintain, transmit, receive or disclose PHI or PII on behalf of our clients to common business associates and allow those business associates to create or receive PHI or PII on behalf of the client as allowed. However, prior to doing so, Paramedics Plus will obtain reasonable assurances from the business associate that the PHI or PII will be appropriately safeguarded.  A list shall be maintained of all persons or entities that fall under the definition of business associate of the Plan.  A Business Associate Agreement is required between all business associates and Paramedics Plus. A Business Associate Agreement, Confidentiality Agreement or Non-Disclosure Agreement must be in place prior to sharing PHI or PII with outside consultants or contractors who meet the definition of a “business associate” or “subcontractor”.   Employees must verify that the appropriate agreements are in place.

If Paramedics Plus becomes aware of a material breach by any business associate, Paramedics Plus will take reasonable steps to correct the breach or terminate the agreement with that business associate.  Upon termination, the business associate shall be required to return or destroy all PHI received from, or created or received by, the business associate on behalf of Paramedics Plus, or as required by the business associate agreement of the client whose data was involved.  If the return or destruction of PHI is not feasible, all protections contained within the appropriate agreements shall continue.  When termination of the agreement due to a breach is not feasible, Paramedics Plus shall notify the Department of Health and Human Services as required. 

XI. Disclosures of De-Identified Information

When PHI is used or disclosed for purposes other than treatment, payment or health care operations and/or without authorization, the PHI must be converted into a format that does not identify an individual and for which there is no reasonable basis to believe that the information can be used to identify an individual.  Paramedics Plus may freely use and disclose information that has been “de-identified” in accordance with the HIPAA privacy regulations. The Privacy Rule does not apply to de-identified health information.

There are two ways that information can be de-identified: either by professional statistical analysis or by removal of 18 specific identifiers.  The legend or key used as a means to re-identify information will be treated as PHI.

Summary information is data from which the same 18 specific identifiers have been removed but which retains the zip code.  This data may only be used for treatment, payment or healthcare operations without an authorization.

The 18 identifiers are:

  • Names
  • Geographic subdivisions smaller than a state
  • All elements of dates except year (DOB, admission date, discharge date, death date)
  • Telephone numbers
  • Fax numbers
  • Email addresses
  • Social security numbers
  • Medical record numbers
  • Health plan beneficiary numbers
  • Account numbers
  • Certificate/license numbers
  • Vehicle identifiers, license plate and serial numbers
  • Device identifiers
  • Web URLs
  • IP addresses
  • Biometric identifiers
  • Full-face photos
  • Any other unique identifier
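As an added example, not part of the policy: a small Python routine that applies the identifier removals listed above to a constructed record, keeps only the year of any date, optionally retains the zip code for summary information, scrubs identifiers embedded in free text, and keeps the re-identification legend separate so it can be treated as PHI. The field names, the sample record and the free-text patterns are assumptions made for this example.

```python
import re
import secrets

# Constructed sample entry from a designated record set (not real data).
SAMPLE_RECORD = {
    "record_id": "REC-0001",
    "name": "Jane Example",
    "dob": "1984-03-17",
    "admission_date": "2023-11-02",
    "zip": "75701",
    "city": "Tyler",
    "state": "TX",
    "ssn": "000-00-0000",
    "phone": "555-0100",
    "email": "jane@example.com",
    "mrn": "MRN-12345",
    "plan_beneficiary_no": "HPB-9876",
    "diagnosis_code": "J18.9",
    "notes": "Patient called from 555-0100, follow up via jane@example.com; IP 192.0.2.10 on portal.",
}

# Field names assumed for this example; each maps to one of the 18 listed identifiers.
DIRECT_IDENTIFIER_FIELDS = {
    "record_id", "name", "ssn", "phone", "fax", "email", "mrn", "plan_beneficiary_no",
    "account_no", "license_no", "vehicle_id", "device_id", "url", "ip", "biometric", "photo",
}
GEO_FIELDS = {"zip", "city", "street"}          # subdivisions smaller than a state
DATE_FIELDS = {"dob", "admission_date", "discharge_date", "death_date"}

# Identifiers that tend to hide in free text; order matters (SSN before phone).
FREE_TEXT_PATTERNS = [
    re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),          # social security number
    re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),       # email address
    re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b"),    # IPv4 address
    re.compile(r"\bhttps?://\S+"),                 # web URL
    re.compile(r"\b(?:\d{3}-)?\d{3}-\d{4}\b"),     # telephone / fax number
]


def scrub_text(text: str) -> str:
    """Replace identifiers embedded in free text with a fixed marker."""
    for pattern in FREE_TEXT_PATTERNS:
        text = pattern.sub("[REDACTED]", text)
    return text


def deidentify(record: dict, summary: bool = False) -> dict:
    """Return a copy with the 18 identifiers removed.

    summary=True produces summary information: identical, except the zip code is kept.
    Dates are reduced to the year only, as the policy requires.
    """
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue
        if key in GEO_FIELDS:
            if summary and key == "zip":
                out[key] = value
            continue
        if key in DATE_FIELDS:
            out[key] = str(value)[:4]          # keep the year, drop month and day
        elif key == "notes":
            out[key] = scrub_text(value)
        else:
            out[key] = value
    return out


def remaining_identifiers(record: dict, summary: bool = False) -> set:
    """Fields from the identifier list still present; an empty set means the record passes."""
    flagged = {k for k in record if k in DIRECT_IDENTIFIER_FIELDS or k in GEO_FIELDS}
    if summary:
        flagged.discard("zip")
    return flagged


def pseudonymize(record: dict) -> tuple:
    """De-identify and attach a random identifier so the record can be re-identified.

    The returned legend (random id -> original record id) is the re-identification key
    and must itself be handled as PHI.
    """
    token = secrets.token_hex(8)
    legend = {token: record["record_id"]}
    deid = deidentify(record)
    deid["random_id"] = token
    return deid, legend


if __name__ == "__main__":
    cleaned, key = pseudonymize(SAMPLE_RECORD)
    print(cleaned)
    print("identifier check:", remaining_identifiers(cleaned) or "none remaining")
```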

XII. Breach Notification Requirements

Paramedics Plus will comply with the requirements of HIPAA, the HITECH Act and its implementing regulations and appropriate state laws to provide notification to affected individuals, HHS, and the media (when required) if the Plan or one of its business associates discovers a breach of unsecured PHI.   Paramedics Plus will also comply with the requirements of our clients and business associates regarding notification to them of any breaches of unsecured PHI.

PROCEDURE:

  • Determine whether a reportable breach has occurred. If a reportable breach has not occurred, the notice requirements do not apply.
  • The appropriate Privacy Official is responsible for reviewing circumstances of possible breaches and determining whether a reportable breach has occurred. All workforce members in regards to the Plan and employees, business associates and sub-contractors of Paramedics Plus clients are required to report any incidents involving possible breaches.
  • Acquisition, access, use, or disclosure of unsecured PHI in a manner not permitted under the privacy rules is presumed to be a reportable breach, unless the Privacy Official determines that there is a low probability that the privacy or security of the PHI has been or will be compromised.

To determine whether there is only a low probability that the privacy or security of the PHI was compromised, the applicable Privacy Official must perform a risk assessment.

If the Privacy Official determines that there is only a low probability that the privacy or security of the information was compromised, then the Plan will document the determination in writing as a disclosure, keep the documentation on file, and is not required to provide notifications. On the other hand, if the Privacy Official is unable to determine that there is only a low probability that the privacy or security of the information was compromised, the Plan will provide notifications.

If an exception applies, then a Reportable Breach has not occurred, and the notice requirements are not applicable.

Timing and Notice Responsibilities for Reportable Breaches

If the Privacy Official determines that a Reportable Breach has occurred, the Privacy Official will determine (in accordance with the Breach Regulations) the date the breach was discovered in order to determine the time periods for giving notice of the Reportable Breach. The Plan has reasonable systems and procedures in place to discover the existence of possible breaches, and workforce members and employees are trained to notify the Privacy Official or other responsible person immediately so the Plan can act within the applicable time periods.


The Privacy Official is responsible for the content of notices and for the timely delivery of notices in accordance with the Breach Regulations. However, the Privacy Official may, on behalf of the Plan, engage a third party (including a Business Associate) to assist with preparation and delivery of any required notices.


The Breach Regulations may require a breach to be treated as discovered on a date that is earlier than the date the Plan had actual knowledge of the breach. The Privacy Official will determine the date of discovery as the earlier of (1) the date that a workforce member (other than a workforce member who committed the breach) knows of the events giving rise to the breach; and (2) the date that a workforce member or agent of the Plan, such as a Business Associate (other than the person who committed the breach), would have known of the events giving rise to the breach by exercising reasonable diligence.


Except as otherwise specified in the notice sections that follow, notices must be given "without unreasonable delay" and in no event later than 60 calendar days after the discovery date of the breach. In some instances this timeframe may be substantially less due to reporting requirements in our Business Associate Agreements with clients or vendors. Most of these agreements require Paramedics Plus to notify within 10 calendar days or less. Accordingly, the investigation of a possible breach, to determine whether it is a Reportable Breach and the individuals who are affected, must be undertaken in a timely manner that does not impede the notice deadline.  Notice must be provided even if a full understanding of the breach has not been determined.

There is an exception to the timing requirements if a law-enforcement official asks the Plan to delay giving notices. This should be noted on Form 20.301.


Business Associates

If a Business Associate commits or identifies a possible Reportable Breach relating to Plan participants or one of Paramedics Plus’s clients’ data, the Business Associate must give notice to the Plan and the appropriate Privacy Official. The Plan is responsible for providing any required notices of a Reportable Breach to participants, HHS, and (if necessary) the media. Paramedics Plus will apprise any clients whose data may have been breached and assist as necessary for any notifications. Notice to the Plan or our clients’ health plans will be provided on Form 20.001.  In the event Paramedics Plus has a breach and notice is required to carriers or vendors, that notice will be provided on Form 20.401.

Unless otherwise required under the Breach Regulations, the discovery date for purposes of the Plan's notice obligations is the date that the Plan receives notice from the Business Associate.

In its Business Associate contracts, the Plan will require Business Associates to:

  • report incidents involving breaches or possible breaches to the Privacy Official in a timely manner;
  • provide to the Plan any and all information requested by the Plan regarding the breach or possible breach, including, but not limited to, the information required to be included in notices (as described below); and
  • establish and maintain procedures and policies to comply with the Breach Regulations, including workforce training.


Notice to Individuals

Notice to the affected individual(s) is always required in the event of a Reportable Breach. Notice will be given without unreasonable delay and in no event later than 60 calendar days after the date of discovery (as determined above).  Notices to individuals will be written in plain language and contain all information as required by the Breach Regulations.  If the data in question relates to the Paramedics Plus Health Plan, notice will be given to participants.  However, if the data is not Paramedics Plus Health Plan data, then notice shall be provided to the client, vendor, or carrier on Form 20.101.

Notice to HHS

Notice of all Reportable Breaches will be given to HHS. The time and manner of the notice depends on the number of individuals affected.

Generally for breaches affecting fewer than 500 individuals, information will be maintained in a log and notice will be provided to HHS within 60 days of the end of the calendar year in which the breach was discovered.  This notice must be submitted electronically at:  https://ocrnotifications.hhs.gov/

For breaches affecting 500 or more individuals, notice must be provided to HHS within 60 days of the breach discovery.  The notice must be submitted electronically at:  https://ocrnotifications.hhs.gov/

The appropriate Privacy Official is responsible for both types of notice to HHS.

Notice to Media

Notice to media (generally in the form of a press release) will be given if a Reportable Breach affects more than 500 residents of any one state or jurisdiction.  This shall be reported on Form 20.201.
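As an added example, not part of the policy: a Python calculator for the outside notice dates described in the sections above, given the discovery date (the earlier of actual-knowledge and reasonable-diligence dates), the number of individuals affected, the largest number of affected residents in any one state, and an assumed business associate agreement reporting window for notices to clients. All dates, counts and the 10-day contractual window are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Iterable, Optional, Union

NOTICE_WINDOW = timedelta(days=60)   # "no later than 60 calendar days" after discovery
HHS_PROMPT_THRESHOLD = 500           # 500 or more affected: HHS within 60 days of discovery
MEDIA_THRESHOLD = 500                # more than 500 residents of one state: media notice

DateLike = Union[date, str]


def _as_date(value: DateLike) -> date:
    """Accept date objects or ISO strings such as '2024-03-01'."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def discovery_date(actual_knowledge: Iterable[DateLike],
                   reasonable_diligence: Iterable[DateLike]) -> date:
    """Discovery date is the earlier of (1) when a workforce member other than the one
    who committed the breach knew of the events and (2) when a workforce member or
    agent would have known of them by exercising reasonable diligence."""
    candidates = [_as_date(d) for d in actual_knowledge] + [_as_date(d) for d in reasonable_diligence]
    if not candidates:
        raise ValueError("at least one candidate date is required")
    return min(candidates)


@dataclass
class NoticeSchedule:
    discovered: date
    individuals_by: date                 # always required for a Reportable Breach
    hhs_by: date                         # timing depends on the number affected
    media_by: Optional[date]             # None when no media notice is required
    client_by: Optional[date]            # None when no contractual window was given
    held_for_law_enforcement: bool = False


def notice_schedule(discovered: DateLike, affected: int, max_residents_one_state: int,
                    baa_days: Optional[int] = None,
                    law_enforcement_delay: bool = False) -> NoticeSchedule:
    """Compute the latest date for each notice the breach section requires.

    When law enforcement has asked for a delay, the computed dates are retained for
    reference but flagged; the policy has that request recorded on Form 20.301.
    """
    discovered = _as_date(discovered)
    if affected < 0 or max_residents_one_state < 0 or max_residents_one_state > affected:
        raise ValueError("residents of one state cannot exceed the total affected")

    individuals_by = discovered + NOTICE_WINDOW

    if affected >= HHS_PROMPT_THRESHOLD:
        hhs_by = discovered + NOTICE_WINDOW
    else:
        # Smaller breaches are logged and reported within 60 days of the end of the
        # calendar year in which the breach was discovered.
        hhs_by = date(discovered.year, 12, 31) + NOTICE_WINDOW

    media_by = discovered + NOTICE_WINDOW if max_residents_one_state > MEDIA_THRESHOLD else None

    # Contractual windows to clients or vendors are usually far shorter than 60 days
    # (the policy cites 10 calendar days or less); they are an input here, not derived.
    client_by = discovered + timedelta(days=baa_days) if baa_days is not None else None

    return NoticeSchedule(discovered, individuals_by, hhs_by, media_by, client_by,
                          held_for_law_enforcement=law_enforcement_delay)


if __name__ == "__main__":
    found = discovery_date(["2024-03-05"], ["2024-03-01"])
    print(notice_schedule(found, affected=120, max_residents_one_state=120, baa_days=10))
    print(notice_schedule(found, affected=700, max_residents_one_state=600))
```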


XIII. No Remuneration

We will not directly or indirectly receive remuneration in exchange for any PHI or PII of an individual, except as otherwise allowed by applicable law. We will not engage in marketing of PHI, except if such marketing is permissible under HIPAA and does not require an authorization. We will not use or disclose genetic information which is PHI for underwriting purposes. We will not use or disclose PHI for research purposes.

XIV. Destruction of PHI

Paramedics Plus’s intent is to ensure that any medium containing PHI is properly destroyed.  PHI stored in paper will be destroyed utilizing an acceptable method of destruction after the appropriate retention period has been met.  PHI stored on electronic medium is subject to the Security Policy requirements.

PROCEDURE:

  • All PHI shall be maintained pursuant to Department of Labor/ERISA recordkeeping requirements. As such, most records shall be maintained up to 8 years. Prior to destruction, verification will be made that the retention period has expired.
  • Shredding containers are also provided to dispose of all paper PHI. Once material has been disposed of within the shredding container, it is irretrievable. The shredding container shall remain locked until the shredding company comes to dispose of contents.  A certificate shall be received each time attesting to the secure disposal of information.
XV. Policies on Individual Rights

I. Access to PHI and Requests for Amendment

Individual’s Right to PHI

HIPAA gives participants the right to access and obtain copies of their PHI that the Plan (or its business associates) maintains in designated record sets except for the following: 

  • Psychotherapy notes;
  • Information compiled for use in a civil, criminal or administrative action or proceeding;
  • Protected health information subject to Clinical Laboratory Improvements Amendments of 1988, 42 U.S.C. 263a;
  • If the release of information may endanger the life or physical safety of the individual or another person; and
  • Other instances provided for or required by law or which would reveal a source of information that would result in a breach of confidentiality.


PROCEDURE:

The following steps relate to access by a participant to Paramedics Plus health plan data.  Any access requested by a participant or a covered entity for a client’s health plan shall be furnished within 10 days, or a shorter period if so defined in the business associate agreement.

Steps:

  1. Follow verification rules in Appendix 1.
  2. The Privacy Official must review and process the request.
  3. Determine where PHI is held and if in one or more designated record sets, or if there is no information held in a designated record set.
  4. Review the request for access to determine whether an exception to disclosure might exist (e.g. psychotherapy notes, documents for legal proceedings, etc.).

Paramedics Plus shall respond to a participant’s request for access within 30 days. If Paramedics Plus is unable to provide the access within 30 days, it may extend the period by 30 days, provided that it gives the participant notice (including the reason for the delay and the date the information will be provided) within the original 30-day period.  Form 10.502 will be used to notify the need for extension on response to request for access to participant records.

Paramedics Plus will consider requests to access PHI that are submitted in writing on the form titled “Request for Access to Protected Health Information” (Form 10.501).  In the event access to PHI is denied, a written determination titled “Response to Request for Access” (Form 10.503) will be provided.  A participant has the right to a review of the denial by filing a “Request for Review of Denial of Access” (Form 10.504).  At that time a formal written determination (Form 10.505) will be provided indicating the decision regarding the reconsideration of denial. 

If the request is approved, PHI will be released in the requested format if available. If the requested information is not readily producible in such form and format, the requested information will be produced in a readable electronic form and format as agreed by the Plan and the individual. If the Plan and the individual are unable to agree on the form and format, the Plan will provide a paper copy of the information to the individual.

Individual’s Request for Amendment

HIPAA also provides that participants may request to have their PHI amended.  A request may be denied if the PHI was not created by Paramedics Plus, is not part of the designated record set or is accurate and complete without amendment. 

PROCEDURE:

The following steps relate to a request for amendment by a participant of Paramedics Plus health plan data.  Any request for amendment by a participant or a covered entity for a client’s health plan shall be furnished within 10 days, or a shorter period if so defined in the business associate agreement.


Steps:

  1. Follow verification rules in Appendix 1.
  2. The Privacy Official must review and process the request. If the request for amendment is approved, PHI will be amended in the designated record set and a notice will be provided to the individual listed on the amendment request form. Notice will also be provided to any persons/entities who are known to have the particular record.
  3. Determine where PHI is held and if in one or more designated record sets, or if there is no information held in a designated record set.
  4. Review the request for amendment to determine whether an exception to disclosure might exist (e.g. psychotherapy notes, documents for legal proceedings, etc.).

Paramedics Plus shall respond to a request for amendment within 60 days.  If Paramedics Plus is unable to respond within 60 days, it may extend the period by 30 days, provided that it gives the participant notice (including the reason for the delay and the date the information will be provided) within the original 60-day period.  Form 12.502 will be used to notify the need for extension in response to request for access to participant records.

Paramedics Plus will consider requests for amendment to PHI that are submitted in writing on the form titled “Request for Amendment or Correction Participant Protected Health Information” (Form 12.501) including the reason(s) for the requested amendment.  If the request is accepted, the participant shall be notified within 60 days by using Form 12.503.  If the request for amendment or correction is denied, Form 12.504 will be sent to the participant.  For risk management purposes the original data shall not be deleted.  Attempts will be made by Paramedics Plus to inform appropriate parties, including Business Associates, of the amendment, and acknowledgment will be requested in writing.

Reasons for denial of amendment:

  • The information is not maintained in a designated record set.
  • Amendment may be denied if the information was not created by Paramedics Plus.
  • The information is accurate and complete.


II. Accounting of Disclosures

An individual has the right to obtain an accounting of certain disclosures of his or her own PHI. This right to an accounting extends to disclosures made in the last six years prior to request.  It does not include disclosures for the following:

  • to carry out treatment, payment or health care operations;
  • to individuals about their own PHI;
  • incident to an otherwise permitted use or disclosure;
  • pursuant to an authorization;
  • to persons involved in the individual's care or payment for the individual's care or for certain other notification purposes;
  • to correctional institutions or law enforcement when the disclosure was permitted without authorization;
  • as part of a limited data set or summary information;
  • for specific national security or law enforcement purposes; or
  • any disclosures that occurred prior to the compliance date.

PROCEDURE:

The following steps relate to a request for an accounting of disclosures by a participant of Paramedics Plus health plan data.  Any request for an accounting of disclosures by a participant or a covered entity for a client’s health plan shall be furnished within 10 days, or a shorter period if so defined in the business associate agreement.

Steps:

  1. Follow verification rules in Appendix 1.
  2. The Privacy Official must review and process the request.
  3. Determine if the individual has requested an accounting within the past 12 months. If so, prepare a notice to the individual informing them that a fee for processing will be charged and providing them with a chance to withdraw or revise the request.
  4. Paramedics Plus may exclude those disclosures that qualify as an exception (treatment, payment, health care operations, to the member, pursuant to a signed authorization, correctional institution, etc.) as noted above.

Paramedics Plus shall respond to an accounting request within 60 days. If Paramedics Plus is unable to provide the accounting within 60 days, it may extend the period by 30 days, provided that it gives the participant notice (including the reason for the delay and the date the information will be provided) within the original 60-day period. Form 9.502 will be used to notify the need for extension in response to request for access to participant records.

Paramedics Plus will consider requests for accounting that are submitted in writing on the form titled “Request for Accounting” (Form 9.501). 

The accounting must include, for each disclosure, the date of the disclosure, the name of the receiving party, a brief description of the information disclosed, and a brief statement of the purpose of the disclosure that reasonably informs the individual of the basis for the disclosure (or a copy of the written request for disclosure, if any). If a brief purpose statement is included in the accounting, it must be sufficient to reasonably inform the individual of the basis of the disclosure.  A copy of the written authorization or request for disclosure may be provided in lieu of the statement.

The first accounting in any 12-month period shall be provided free of charge. The appropriate Privacy Official may impose reasonable production and mailing costs for subsequent accountings.  The participant or requestor will be informed of the fee in advance, providing them with an opportunity to withdraw or modify their request to avoid or reduce the fee.

We will temporarily suspend accounting for disclosures to health oversight agencies or law enforcement officials from whom we receive notice that an accounting would likely impede their enforcement activity.  Disclosures will continue to be logged during this period. 

III. Requests for Alternative Communication Means or Locations

Participants may request to receive communications regarding their PHI by alternative means or at alternative locations. For example, they may ask to be called only at work rather than at home. Paramedics Plus may, but need not, honor such requests. The decision to honor such a request shall be made by the Internal Privacy Official, if determined reasonable.  Any requests will be reviewed periodically to re-verify the information is still accurate. 

However, Paramedics Plus shall accommodate such a request if the requesting party clearly states that the disclosure of all or part of the information could endanger the person. The Internal Privacy Official has responsibility for administering participant requests for confidential communications and notifying the appropriate parties of the change.

PROCEDURE

  1. Requests for alternative communication means or locations must be made using Form 4.501.
  2. Requests will be honored if the individual states that disclosure could endanger the individual.
  3. If the request cannot be accommodated, then contact must be made with the individual in writing or by phone to explain why the request cannot be accommodated.
  4. The appropriate Privacy Official shall make the decision on alternative communication, complete the response to inform member of Plan’s decision and maintain all requests and responses in a recordkeeping file.

There is no anticipated need for this type of request in regard to client data; however, if a request is received, it will be honored to the extent applicable.

IV. Requests for Restrictions on Use and Disclosure of PHI

A request can be submitted for restrictions on the use and disclosure of the participant's PHI. The right to restriction is included in the Privacy Notice that is provided to all participants.  Paramedics Plus may, but need not, honor such requests.  The decision to honor such a request shall be made by the Internal Privacy Official if determined reasonable.  However, the Plan will comply with a restriction request if:

  1. except as otherwise required by law, the disclosure is to a health plan for purposes of carrying out payment or health care operations (and is not for purposes of carrying out treatment); and
  2. the PHI pertains solely to a health care item or service for which the health care provider involved has been paid in full by the individual or another person other than the plan.

Paramedics Plus may terminate an agreement to restrict use of PHI. The participant will be informed that the agreement has been terminated and the participant will be requested to acknowledge the termination in writing.  If further clarification is needed, you should consult with the Internal Privacy Official. 

State law that requires disclosure of minor’s protected health information to a parent, guardian or person acting in loco parentis takes priority over a minor’s request for confidential communication.

PROCEDURE:

A request for restriction should be submitted using Form 11.501.  Paramedics Plus will provide a formal response to a request for restriction using Form 11.502.  Notice of the agreed-to restrictions will be provided to the workforce members who must follow them, as well as to any individuals or entities that have access to the individual’s PHI.

  1. Other State and Federal Privacy Laws

This policy and all procedures are intended to comply with all state and federal privacy laws including, but not limited to, HIPAA, the Gramm-Leach-Bliley Act, the Americans with Disabilities Act, the Federal Computer Fraud and Abuse Act, and any other state or federal laws with which Paramedics Plus is required to comply in regard to a person’s health or personal information.

  1. Definitions

Breach. The acquisition, access, use, or disclosure of PHI in a manner not permitted which compromises the security or privacy of the PHI.  A breach excludes:

  • An unintentional acquisition, access, or use of PHI by a workforce member or person acting under the authority of a covered entity or business associate, if such acquisition, access, or use was made in good faith and within the scope of authority and does not result in further use or disclosure in a manner not permitted.
  • An inadvertent disclosure by a person who is authorized to access PHI at a covered entity or business associate to another person authorized to access PHI at the same covered entity or business associate, and the information received as a result of such disclosure is not further used or disclosed in a manner not permitted.
  • A disclosure of PHI where a covered entity or business associate has a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information.
Information not excluded above is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the PHI has been compromised based on a risk assessment.

Business Associate. An entity that:

  • creates, receives, maintains, or transmits PHI on behalf of a Plan (including for claims processing or administration, data analysis, underwriting, etc.);
  • provides legal, accounting, actuarial, consulting, data aggregation, management, accreditation, or financial services to or for a Plan where the performance of such services involves giving the service provider access to PHI; or
  • performs any of the above on behalf of Paramedics Plus clients.

Company. Paramedics Plus, as a covered entity and business associate to our clients, carriers and vendors.  The term “Company” and Paramedics Plus are used interchangeably.

Covered Entity. A health plan, a health care clearinghouse or a health care provider who transmits any health information in connection with a transaction in an electronic format.

Designated Record Set. A group of records that may be maintained by Paramedics Plus on behalf of the Plan or clients that may include any or all of the following:

  • the enrollment, payment, and claims adjudication record of an individual maintained by or for the Plan or on behalf of a client; or
  • other PHI used, in whole or in part, by or for the Plan, or on behalf of a client to make coverage decisions about an individual.

Disclosure. For information that is PHI, disclosure means any release, transfer, provision of access to, or divulging in any other manner, to persons who are not workforce members of Paramedics Plus or to an entity that is not a Business Associate of the plan. Disclosure of client data means the release, transfer, provision of access to, or divulging in any manner, by any means, to any entity or person who has not entered into a valid agreement (Business Associate Agreement, Non-Disclosure Agreement or Confidentiality Agreement) to protect the data.

Health Care Operation. Health care operation means any of the following activities:

  • conducting quality assessment and improvement activities;
  • reviewing health plan performance;
  • underwriting and premium rating;
  • conducting or arranging for medical review, legal services and auditing functions;
  • business planning and development;
  • business management and general administrative activities; and
  • other health care operations permitted by HIPAA or other privacy regulations.

Minimum Necessary. PHI or PII used, disclosed, or requested is limited to the “minimum necessary” to accomplish the purpose of the use, disclosure or request, unless an exception applies.

Personally Identifiable Information (PII). Personally identifiable information is information that is typically non-public and identifies a person’s health or financial information that is provided in connection with a transaction involving a financial product or service.   Our website does not collect cookies; therefore, information will not be captured through that source. Identifiers that may be included in this category are:  credit card information, insurance application, bank account or policy number, information from a consumer report, medical record numbers, license numbers, vehicle identifiers such as VIN, serial number or license plate number, URLs and IP address, biometric identifiers, photos or other unique identifiers.

Payment. Payment includes activities undertaken to obtain Plan contributions or to determine or fulfill the Plan's responsibility for provision of benefits under the Plan, or to obtain or provide reimbursement for health care. Payment also includes:

  • eligibility and coverage determinations including coordination of benefits and adjudication or subrogation of health benefit claims;
  • risk-adjusting based on enrollee status and demographic characteristics;
  • billing, claims management, collection activities, obtaining payment under a contract for re-insurance (including stop-loss insurance and excess loss insurance) and related health care data processing; and
  • any other payment activity permitted by HIPAA or other privacy regulations.

Protected Health Information (PHI). Protected health information means information that is created or received by the Plan and relates to the past, present, or future physical or mental health or condition of a participant; the provision of health care to a participant; or the past, present, or future payment for the provision of health care to a participant; and that identifies the participant or for which there is a reasonable basis to believe the information can be used to identify the participant. Protected health information includes information of persons living or deceased that is transmitted or maintained in electronic media or in any other form or medium.   It does not include education or employment records.

For purposes of this Policy, protected health information does not include the following:

  1. summary health information, as defined by HIPAA's privacy rules, that is disclosed to the Company solely for purposes of obtaining premium bids, or modifying, amending, or terminating the Plan;
  2. enrollment and disenrollment information concerning the Plan that does not include any substantial clinical information;
  3. protected health information disclosed to the Plan or the Company under a signed authorization that meets the requirements of the HIPAA privacy rules;
  4. health information related to a person who has been deceased for more than 50 years;
  5. information disclosed to the Company by an individual for functions that the Company performs in its role as an employer and not as sponsor of the Plan or in providing administrative services to the Plan.

Subcontractor. A person to whom a business associate delegates a function, activity, or service, other than in the capacity of a member of that business associate’s workforce.

Treatment. The provision, coordination, or management of health care or related services.

Unsecured PHI. PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary of Health and Human Services. Paramedics Plus currently uses RPost to send emails encrypted to meet the standards required.

Use. The sharing, employment, application, utilization, examination, or analysis of individually identifiable health information by any person working for or within Paramedics Plus, or by a Business Associate (defined below) of the Plan.

Workforce Member. Means employees, volunteers, trainees, and other persons whose conduct, in the performance of work for the Company, is under the direct control of the Company, whether they are in fact paid or not. 

Workstation. An electronic computing device, such as a laptop or desktop computer, and the electronic media stored in its immediate environment.

unauthorized use and disclosure.  All provisions within this policy apply to Paramedics Plus as a covered entity, plan sponsor and business associate for use with the Plan’s information and our clients’ information.

Members of Paramedics Plus’s workforce may have access to personally identifiable information (PII) and protected health information (PHI) of Plan participants (1) on behalf of the Plan itself; (2) on behalf of Paramedics Plus; or (3) on behalf of our clients, for administrative functions and other purposes permitted by the HIPAA privacy rules, state privacy laws and GLBA.  Written agreements are required to be in place for sharing and protection of this information.  Copies of all signed agreements should be filed in the Paperwise system.    The Compliance Department also maintains copies of all signed BAAs with clients and NDA/Confidentiality Agreements with vendors/carriers for easy access in the event of an incident.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its implementing regulations restrict the Plan's and Paramedics Plus’s ability to use and disclose protected health information.

The Gramm-Leach Bliley Act and some state laws restrict Paramedics Plus’s ability to disclose our clients’ non-public personally identifiable information.

It is Paramedics Plus’s intent to comply with all applicable provisions of state and federal laws relating to privacy of information.  All members of Paramedics Plus’s workforce, regardless of whether they have access to PHI or PII, must comply with this Privacy Policy and Procedures. Paramedics Plus’s workforce includes individuals who may be considered part of the workforce under HIPAA such as employees, volunteers, trainees, and other persons whose work performance is under the direct control of the company, whether or not they are paid by Paramedics Plus. The term “employee” or “workforce member” includes all of these types of workers.

No third-party rights (including, but not limited to, rights of Plan participants, beneficiaries, covered dependents, or business associates) are intended to be created by this Policy. Paramedics Plus reserves the right to amend or change this Policy at any time (and even retroactively) without notice. To the extent this Policy establishes requirements and obligations above and beyond those required by HIPAA, these policies and procedures shall be aspirational and not binding. To the extent this Policy is in conflict with the HIPAA privacy rules, the HIPAA privacy rules shall govern.

B. Paramedics Plus Responsibilities as Covered Entity & Business Associate

I. Privacy Official and Contact Person

It is the policy of Paramedics Plus to have two Privacy Officials.  One official shall govern the Plan with the other official governing actions related to our client plans.  Both Privacy Officials shall coordinate with the Security Official as necessary regarding privacy activities.

Culver Wilson, Vice President of Human Resources, is the Internal Privacy Official for all participants and business associates of the group health plan. The Internal Privacy Official will be responsible for the development, monitoring and implementation of policies, notices, agreements and procedures relating to privacy of the Plan's PHI including, but not limited to, this Privacy Policy and Procedures, training procedures and procedures relating to privacy of the group health plan.

The Internal Privacy Official will also serve as the contact person for participants who have questions, concerns, or complaints about the privacy of their PHI and will maintain a log of all complaints, actions, breaches, requests and denials of access and all other required functions relating to PHI of the health plan. The Internal Privacy Official shall be responsible for monitoring compliance by all business associates regarding their procedures relating to the Plan participants’ privacy.  A log will be maintained on all staff regarding changes in job duties, terminations and access granted to various systems which may contain PHI for Paramedics Plus.  Refer to section C. III “Permitted Use and Disclosure of PHI” for a listing of personnel who will have access to the Paramedics Plus health plan’s PHI.

Brad Van Winkle, Senior Vice President and Benefits Practice Leader, is the External Privacy Official for all clients, business associates and vendor contacts. The External Privacy Official shall assist with policies and procedures to incorporate provisions relating to privacy and other state or federal regulations as may apply, as well as procedures relating to questions, concerns, complaints, access, potential breaches and disclosures on behalf of our clients and vendors. The External Privacy Official shall be responsible for the monitoring of all business associate agreements, non-disclosure or data sharing agreements and the compliance of those associates as they relate to the privacy rules.

II. Workforce Training

It is Paramedics Plus’s policy to train all members of its workforce who have access to the Plan’s protected health information on the privacy policy and procedures.

Paramedics Plus provides basic privacy training to all new personnel.  In addition, staff that may have access to clients' PHI and Paramedics Plus’s human resources personnel will be required to participate in annual training.  All training will be documented and maintained as required by law.

The Internal Privacy Official is charged with developing training schedules and programs so that all employees receive the training necessary and appropriate to permit them to carry out their duties in compliance with HIPAA and any other privacy laws.  This will include a combination of web-based training and customized overview of our particular processes and procedures. 

PROCEDURE:

New Workforce Members or personnel: New members of the Plan’s workforce and all new personnel with access to PHI and PII shall be trained prior to accessing or using PHI.

Re-training:  Existing workforce members and all personnel with access to PHI shall be re-trained within a reasonable time of a material change in job functions, privacy policies or procedures, but in no event less frequently than annually. 

III. Safeguards and Firewall

Paramedics Plus will establish and comply with reasonable and appropriate administrative, technical, and physical safeguards to secure PHI and PII from intentional or unintentional use or disclosure in violation of privacy requirements.

PROCEDURE:

Administrative safeguards include implementing procedures for use and disclosure of PHI and PII, a verification process for identifying and confirming the authority of persons requesting PHI, and a process for filing privacy complaints.   All employees will be required to read and understand the policies and procedures.    See Security Policy for additional administrative safeguards, including a log of all software and hardware relating to PHI and the procedures for introducing any new software or connections that are not specifically approved by the Privacy or Security Official. 

Technical safeguards include limiting access to information through computer firewalls, virus scanning software and procedures, password protection, workstation security and up-to-date software, as well as procedures for disposal and repair of equipment related to or containing PHI.  Daily back-ups of server data will be performed and tapes will be maintained offsite at a secure location. Emergency procedures are in place for restoration of data. These safeguards will be further defined by the Security Official in the Security Policy.

Physical safeguards implemented shall include, but are not limited to, the locking of doors and filing cabinets, sign in & out for all guests (who should be escorted at all times), removal of PHI and PII from desktops (PHI and PII should not be left in common or public areas), and changing of entry access codes and keys when personnel changes occur.  Internal audits shall be performed periodically to monitor that safeguards are being maintained properly. 

See Appendix 4 Physical Safeguards 

All devices and media will be wiped prior to disposal.  This is addressed further in the Security Policy. Firewalls and Network File Security will be used to ensure that only authorized employees will have access to PHI, that they will have access to only the minimum amount of PHI necessary for administrative functions or services provided to clients, and that they will not further use or disclose PHI in violation of privacy rules.

IV. Privacy Notice

The Internal Privacy Official is responsible for developing and maintaining a notice of the Plan's privacy practices that describes:

  • the uses and disclosures of PHI that may be made by the Plan;
  • the rights of individuals under applicable privacy rules;
  • the Plan's legal duties with respect to the PHI; and
  • other information as required by HIPAA privacy rules.

The Privacy Notice will inform participants that Paramedics Plus will have access to PHI in connection with administrative functions. The Privacy Notice will also provide a description of the Plan's complaint procedures, the name and telephone number of the contact person for further information, and the date of the notice.

The External Privacy Official is responsible for developing and maintaining a notice of Paramedics Plus’s privacy practices that describes the uses and disclosures of PHI and PII on behalf of our clients.  This notice will be housed on the Paramedics Plus website. 

PROCEDURE:

As a self-funded group health plan, we will maintain a Privacy Practices Notice. That notice must give individuals written notice of the uses and disclosures of PHI that we may make, our legal duties with respect to PHI, and individuals’ privacy rights and how to exercise them.  We must use and disclose PHI consistently with our notice.

The notice will be distributed as follows:

  • posted on the intranet;
  • when a person enrolls in the plan;
  • annually in open enrollment materials;
  • to a person requesting the notice; and
  • to all parties within 60 days after a material change to the notice.

Paramedics Plus will not provide a notice of availability of the Privacy Notice as the actual notice is distributed annually.

The Privacy Notice will be revised when its terms are affected by a change to the Plan’s Policies and Procedures or as required by law.

V. Complaints

Culver Wilson, Vice President Human Resources (972-770-1600), will be the contact person for receiving complaints on behalf of participants in the Paramedics Plus health plan.  Complaints should be filed by contacting Culver Wilson in writing, and such written document should include a description of the particular complaint.

Brad Van Winkle, Sr. Vice President and Benefits Practice Leader (512-226-7900), will be the contact person for receiving requests for information or complaints on behalf of our clients or business associates in relation to our privacy practices. Complaints should be filed by contacting Brad Van Winkle in writing, and such written document should include a description of the particular complaint.

The right to file a complaint is included in the Privacy Notice.  Paramedics Plus shall not intimidate, threaten, coerce, discriminate against, or take other retaliatory action against a participant that has filed a complaint.  Paramedics Plus shall take any and all complaints seriously and every attempt will be made to resolve the complaint satisfactorily for all parties involved.   

PROCEDURE: 

  1. A complaint must be filed on the complaint Form 17.501.
  2. The appropriate Privacy Official shall document complaints and resolution on the complaint log Form 17.602.
  3. A formal response will be provided in writing to the individual who filed the complaint on Form 17.502 within 30 days of receipt of the complaint.

VI. Sanctions for Violations of Privacy Policy

Sanctions for using or disclosing PHI in violation of this Privacy Policy, HIPAA or other applicable state or federal privacy laws will be imposed in accordance with the employee handbook, telework and confidentiality policies.  These include any corrective action, ranging from retraining up to termination of employment.  The severity of disciplinary action may be determined by the prior training provided to the employee, the severity of the violation, past performance with compliance procedures, and whether the violation was intentional or unintentional.

All Paramedics Plus employees (including workforce members) are required to sign a Non-Disclosure/Confidentiality Agreement, a HIPAA Acknowledgment form and the Employee Handbook and Telework Policy if applicable.  The HIPAA Acknowledgment form acknowledges they have read and intend to comply with the Paramedics Plus Privacy Policy and Procedures. 

Sanctions involving business associates may include counseling on procedures, termination of business associate agreements and notification to HHS for severe or repeated misuse or privacy violations. 

PROCEDURE: 

Each workforce member and all personnel are required to promptly report any suspected or known violations of Paramedics Plus’s Privacy Policy and Procedures, Corporate Privacy Policy or any other applicable state or federal privacy law.  All employee sanctions including warnings will be documented accordingly.

VII. Mitigation of Inadvertent Disclosures of PHI

Paramedics Plus shall mitigate, to the extent possible, any harmful effects that become known to it from a use or disclosure of an individual's PHI or PII in violation of HIPAA or the policies and procedures set forth in any written policies, including this Policy. Accordingly, if a workforce member, employee or business associate becomes aware of a use or disclosure of the Plan’s or a client’s plan’s PHI or PII that is not in compliance with the policies and procedures set forth in this policy, that person must immediately contact the appropriate Privacy Official and Compliance Director so that reasonable steps can be taken to mitigate harm to the participant or involved parties.

PROCEDURE:

Reasonable steps may include, but are not limited to, the following:

  • Investigating the facts and circumstances relating to the use or disclosure of PHI;
  • Retrieval of PHI from the receiving party;
  • Assurance in writing from the receiving party that file was not reviewed and was completely deleted;
  • Contacting the affected individuals;
  • Termination of business associate agreement;
  • Sanctions on workforce member, employee, business associate or subcontractor;
  • Adopting new procedures to address issue if not previously and appropriately addressed;
  • Securing a fully executed confidentiality or non-disclosure agreement specifying data will not be re-disclosed;
  • Documentation to support actions such as data deleted from hard-drive or any back-up files;
  • Notice to the appropriate parties such as HHS, a client, vendor or insurer.

VIII. No Intimidating or Retaliatory Acts; No Waiver of HIPAA Privacy

No workforce member or employee may intimidate, threaten, coerce, discriminate against, or take other retaliatory action against individuals for exercising their rights, filing a complaint, participating in an investigation, or opposing any improper practice under HIPAA or any other applicable privacy law.

No individual shall be required to waive his or her privacy rights under HIPAA or the Privacy Policy, including the right to complain to HHS as a condition of treatment, payment, enrollment, or eligibility under the Plan.

IX. Plan Document

The Plan Document shall include provisions to describe the permitted and required uses and disclosures of PHI by Paramedics Plus for plan administrative or other permitted purposes. Specifically, the Plan Document shall require Paramedics Plus to:

  • not use or further disclose PHI other than as permitted by the Plan Document or as required by law;
  • ensure that any associates, vendors or subcontractors to whom it provides PHI agree to the same restrictions and conditions that apply to Paramedics Plus;
  • not use or disclose PHI for employment-related actions or for any other benefit or employee benefit plan of Paramedics Plus;
  • report to the Internal Privacy Official and Compliance Director any use or disclosure of information that is inconsistent with the permitted uses or disclosures;
  • make PHI available to Plan participants, consider their amendments and, upon request, provide them with an accounting of PHI disclosures in accordance with the HIPAA privacy rules;
  • make Paramedics Plus's internal practices and records relating to the use and disclosure of PHI received from the Plan available to the Department of Health and Human Services (HHS) upon request; and
  • if feasible, return or destroy all PHI received from the Plan that Paramedics Plus still maintains in any form and retain no copies of such information when no longer needed for the purpose for which disclosure was made, except that, if such return or destruction is not feasible, limit further uses and disclosures to those purposes that make the return or destruction of the information infeasible. Paramedics Plus may retain one copy as needed to document work.

The Plan Document requires Paramedics Plus to (1) certify to the Internal Privacy Official that the Plan documents have been amended to include the above restrictions and that Paramedics Plus agrees to those restrictions; and (2) provide adequate firewalls in compliance with the HIPAA privacy rules.

X. Documentation

All privacy policies and procedures, notices of privacy practices, and individual authorizations shall be documented and maintained for at least six years from the date created or last in effect, whichever is later. Policies and procedures will be changed as necessary or appropriate to comply with changes in the law, standards, requirements and implementation specifications (including changes and modifications in regulations). Any changes to policies or procedures will be promptly enacted, documented and distributed.  Changes will be effective for any PHI or PII created or received thereafter.

Paramedics Plus shall document certain events and actions (including authorizations, requests for information, sanctions and complaints) relating to an individual’s privacy rights.  Events and actions in relation to Paramedics Plus’s plan will be maintained by the Internal Privacy Official in the employee file.  Events and actions relating to Paramedics Plus clients will be maintained on a client level in Brokerage Builder. 

Paramedics Plus shall also document the dates and attendance of workforce members and employees’ training sessions.

PROCEDURE:

The appropriate Privacy Official will be the repository of documentation of our privacy practices and compliance with Privacy Policies and Procedures.  The documentation will be maintained in written or electronic form and will include:

  • Our Privacy Policies and Procedures and each version of them.
  • Our Privacy Notice and each version of it, and all documentation relating to its distribution.
  • Each complaint and any documentation as a result of investigating and resolving such complaint.
  • All requests for authorization, or revocation of authorization, any request for access, amendment, disclosure accounting, restriction and all other documentation relating to our compliance with individuals’ rights.
  • Documentation of designation of our Privacy Officials and any delegation of duties or responsibilities.
  • Documentation of business associate relationships, limited data sets and de-identified health information.
  • Documentation of workforce training, sanctions, mitigation plans and any other administrative requirements.
  • Any other documentation related to the Privacy Policies, state and/or federal laws relating to privacy, or any actions taken therein.

C. Policies on Use and Disclosure of PHI

I. Use and Disclosure Payment and Health Care Operations

The use and disclosure of PHI and PII will be only as permitted or required under HIPAA or other privacy laws, and subject to Paramedics Plus’s written policies.

II. Workforce Must Comply with Paramedics Plus’s Policies and Procedures

All employees of Paramedics Plus must comply with this policy, the Paramedics Plus Corporate Privacy Policy and any other written policies which are set forth in separate documents.  These policies outline procedures relating to privacy, security, confidentiality and other processes agreeable to or prohibited by Paramedics Plus. 

III. Permitted Uses and Disclosures for Administration Purposes

The Plan may disclose the following information to Paramedics Plus for administrative purposes: (1) the minimum necessary PHI or PII for the purpose of obtaining premium bids, or modifying, amending or terminating a plan; (2) Plan enrollment/disenrollment information; (3) information disclosed to Paramedics Plus in its role as an employer or in providing administrative services to the Plan; or (4) PHI pursuant to an authorization from the individual whose PHI is disclosed.

PHI, PII and summary health information may also be disclosed by our employees on behalf of our clients for the purposes of plan enrollment/disenrollment, claims assistance, health care operations, premium bids to provide insurance, and as required by law or allowed pursuant to authorization from an individual.

The Plan may disclose PHI to the following workforce members or employees who have access to use and disclose PHI to perform functions on behalf of the Plan or to perform plan administrative functions (“employees with access”):

  • Human Resources Manager (Enrollment/Disenrollment information)
  • Vice President of Human Resources/Internal Privacy Official (Information related to a potential plan breach)
  • Information Technology Staff
  • Principal acting on behalf of The Plan
  • Account Manager for The Plan
  • Operations Manager & Senior Analyst Health Analytics
  • Compliance Director

Workforce members with access may disclose PHI to other workforce members with access for plan administrative functions, but the PHI disclosed must be limited to the minimum amount necessary to perform the plan administrative function. Workforce members with access may not disclose PHI to employees other than employees with access unless a valid, signed authorization is in place or the disclosure is otherwise in compliance with this Policy. Employees with access must take all appropriate steps to ensure that the PHI is not disclosed, made available, or used for employment purposes. For purposes of this Policy, “plan administrative functions” include the payment and health care operation activities described in section IV of this Policy.

PROCEDURE:

See Appendix 1 to determine steps required for verification of identity prior to releasing PHI or PII on behalf of our clients.  The Plan may release to Paramedics Plus PHI, enrollment/disenrollment information, information for administration of the plan or a client’s plan, or pursuant to a valid authorization.

IV. Permitted Uses and Disclosures: Payment and Health Care Operations

PHI may be disclosed for the Plan's own payment purposes without the individual’s permission. PHI may be disclosed to another covered entity for the payment purposes of that covered entity or for coordination of treatment.

PHI may also be disclosed on the behalf of our clients for payment or administrative purposes to applicable client entities, common business associates and sub-contractors.  Summary PHI may also be disclosed to third parties for renewal marketing of a plan or for comparative purposes.

PHI may be disclosed for purposes of the Plan's own payment activities and health care operations without the individual’s permission. These may include underwriting, premium rating or other activities relating to the creation, renewal or replacement of health insurance or health benefits, including stop-loss and reinsurance, or performance and quality assessment of those plans.  They may also include activities related to general administrative functions.

PHI may be disclosed to another covered entity for purposes of the other covered entity's quality assurance, competency assurance, or health care fraud and abuse detection programs, if the other covered entity has (or had) a relationship with the participant and the PHI requested pertains to that relationship.  This disclosure must be approved by the appropriate Privacy Official and documented accordingly. 

PHI may also be disclosed for purposes of our clients’ health care operations without the individual’s permission. PHI may be disclosed to another business associate for purposes of our client’s quality assessment and improvement, case management, underwriting, or health care fraud and abuse detection programs, if the other business associate has (or had) a relationship with the participant and the PHI requested pertains to that relationship.

We must have written authorization from the individual (or individual’s personal representative) before we may use or disclose an individual’s PHI for any purpose, except the following:

  • For treatment, payment or health care operations;
  • To the individual, the individual’s personal representative or HHS;
  • As permitted for public interest or benefit activities;
  • As permitted with a business associate; and
  • Incidental to otherwise permitted or required uses and disclosures.

 

PROCEDURE:

Uses and Disclosures for Payment Activities or Health Care Operations. A workforce member with access may use and disclose PHI to perform the Plan's own payment activities or health care operations.  An employee may use or disclose PHI to perform payment activities or health care operations on behalf of our clients.

___ Disclosures must comply with the “Minimum-Necessary Standard.”

Disclosures for Another Entity's Payment Activities. A workforce member with access may disclose PHI to another covered entity or health care provider to perform the other entity's payment activities. Disclosures may be made under the following procedures:

___ Disclosures must comply with the “Minimum-Necessary Standard.”

___ Disclosures must be documented in accordance with the procedure for “Documentation Requirements.”

Disclosures for Certain Health Care Operations of the Receiving Entity. A workforce member with access may disclose PHI for purposes of the other covered entity's quality assessment and improvement, case management, or health care fraud and abuse detection programs, if the other covered entity has (or had) a relationship with the individual and the PHI requested pertains to that relationship. Such disclosures are subject to the following:

___ Disclosures must comply with the “Minimum-Necessary Standard.”

___ Disclosures must be documented in accordance with the procedure for “Documentation Requirements.”

Impermissible disclosures that do not rise to the level of a reportable breach will be logged as disclosures. These impermissible disclosures are subject to accounting requests by individuals, and the log must be maintained for that purpose even if the disclosure is not deemed a reportable breach.  An example is data sent to a party other than the intended recipient, where that party has an obligation to protect the data we share with it but no obligation specific to the client data that was inadvertently shared. 

V. No Disclosure of PHI for Non-Health Plan Purposes

PHI may not be used or disclosed for the payment or operations of Paramedics Plus’s “non-health” benefits (e.g., disability, workers' compensation, life insurance, etc.), unless the participant has provided an authorization for such use or disclosure (as discussed in “Disclosures of PHI Pursuant to an Authorization”) or such use or disclosure is required or allowed by applicable state law and the particular requirements under HIPAA are met. This disclosure must be approved by the appropriate Privacy Official.  If approved, it is subject to the minimum necessary standard and a HIPAA authorization must be obtained. 

VI. Mandatory Disclosures of PHI

A participant’s PHI must be disclosed, in accordance with HIPAA, this Privacy Policy and appendices, in the following situations:

  • The disclosure is to the individual who is the subject of the information (see the policy for “Access to Protected Information and Request for Amendment” that follows);
  • The disclosure is required by law; or
  • The disclosure is made to HHS or other oversight agencies as authorized by law.

 

PROCEDURE

Disclosures made as required by law, to HHS or other oversight agencies must be approved by the appropriate Privacy Official and documented accordingly. Upon receiving a request from an individual (or an individual’s representative) for disclosure of the individual’s own PHI, the workforce member or employee must follow the procedures set forth in Appendix 1.

Requests from HHS or a public official must be verified using the procedures set forth in Appendix 1 and discussed with the appropriate Privacy Official prior to release.

VII. Other Permitted Disclosures of PHI

PHI may be disclosed in the following situations without a participant's authorization when specific requirements are satisfied. This Privacy Policy and its appendices describe the specific requirements that must be met before these types of disclosures may be made. The identity of the requester and the authority for the request must be verified.  The requirements include prior approval of the appropriate Privacy Official. Permitted disclosures include the following:

  • about victims of abuse, neglect or domestic violence to authorized governmental authorities;
  • to a health care provider for treatment purposes;
  • for judicial and administrative proceedings;
  • for law enforcement purposes;
  • for public health activities;
  • for health oversight activities;
  • about decedents;
  • for cadaveric organ, eye or tissue donation purposes;
  • for certain limited research purposes;
  • to avert a serious threat to health or safety;
  • for specialized government functions; and
  • to comply with workers' compensation programs.

PROCEDURE

When information is disclosed for public health, public interest, public benefit or law enforcement activities, the disclosure is subject to the accounting of disclosures and must be logged.  Approval must be provided by the appropriate Privacy Official, and the disclosure must comply with the minimum necessary standard and be documented accordingly. 

VIII. Disclosures of PHI Pursuant to an Authorization

PHI may be disclosed for any purpose if an authorization that satisfies all of HIPAA's requirements for a valid authorization is provided by the participant. All uses and disclosures made pursuant to a signed authorization must be consistent with the terms and conditions of the authorization.  The below grid provides general information regarding when an authorization is required.  Refer to Form 1.001 for Authorization to Release Information.  When in doubt, consult with appropriate Privacy Official. 

Person requesting PHI / What's needed:

  • Employee or spouse calling on an adult child’s issue: the adult child (age 18 and over) should sign an authorization before any detail on claims or treatment is provided to the parent.
  • Employee or spouse calling on another party’s issue: the person whose information is requested must complete an authorization before information is released to the inquiring party, unless that person has provided approval verbally or otherwise (e.g., via email).
  • Someone calling on behalf of an elderly or incompetent adult: written authorization to release information, or approval from the Privacy Official.
  • Provider calling on an issue: the person whose information is requested must complete an authorization before information is released to the inquiring party, unless the requesting party has proper written authorization.
  • Business Associate: no authorization required; however, a business associate agreement must be current, signed and on file.
  • Public Official (in person): a copy of the agency identification badge or other credentials or proof of government status.
  • Public Agency (in writing): a request on the government agency’s letterhead, a written statement of legal authority and/or a warrant, subpoena or similar process.
  • Executor, Administrator of estate or Personal Representative: proof of legal authority such as a will or medical power of attorney; steps should be taken to validate the relationship and verify the identity of the person.

If the participant is not present or has not had the opportunity to agree or object to the use or disclosure of their health information, Paramedics Plus will use professional judgment and its experience with the requesting entity or party to determine whether the disclosure is in the best interest of the participant.  If so, the disclosure will include only the minimum necessary information relevant to the issue or care. 

PROCEDURE:

  1. See Appendix 1 to determine steps required to be taken for verification of identity prior to disclosing PHI or PII. Any disclosure not permitted or required under the use and disclosure procedures may be made with individual authorization and documented accordingly.
  2. The Privacy Official must review and process the request

An authorization may be revoked at any time.  Revocation of an authorization does not affect any actions we have undertaken in reliance on the authorization while it was in force and before we learned of the revocation. 

IX. Complying With the “Minimum Necessary” Standard

HIPAA requires that when PHI is used, requested or disclosed, the amount disclosed generally must be limited to the minimum necessary to accomplish the purpose of the use, request or disclosure.  Although not required by HIPAA, these same guidelines will be used when handling and disclosing PII.

The “minimum necessary” standard does not apply to any of the following:

  • uses or disclosures made to the individual or the individual’s personal representative;
  • disclosure to or a request by a health care provider for treatment;
  • uses or disclosures made pursuant to a valid authorization;
  • disclosures made to HHS for complaint investigation or compliance enforcement or review;
  • uses or disclosures required by law; and
  • uses or disclosures required to comply with HIPAA Administrative Simplification Rules.

Paramedics Plus, when disclosing PHI subject to the minimum necessary standard, shall take reasonable and appropriate steps to ensure that only the minimum amount of PHI that is necessary for the requestor is disclosed. All disclosures not discussed in the Privacy Policy must be reviewed on an individual basis with the appropriate Privacy Official to ensure that the amount of information disclosed is the minimum necessary to accomplish the purpose of the disclosure.

Paramedics Plus, when requesting PHI subject to the minimum necessary standard, shall take reasonable and appropriate steps to ensure that only the minimum amount of PHI necessary is requested. All uses, requests or disclosures not discussed in the Privacy Policy must be reviewed on an individual basis with the appropriate Privacy Official to ensure that the amount of information requested is the minimum necessary to accomplish the purpose of the disclosure.

A random identifier may be assigned by Paramedics Plus to a designated record set so that data may be re-identified by Paramedics Plus if necessary.  The identifier must not be derived from information about the individual (for example, a hash of a name or Social Security number is not acceptable), and the method of re-identification must not be disclosed.

Additionally, the minimum necessary will be used when requesting or disclosing client PHI or PII.  See procedure below for additional information regarding these requests or disclosures.

PROCEDURE

See Appendix 2 Protocols for Data Comparison - this includes the protocols for providing data to third parties for comparison purposes.  Verification will be made prior to sharing data to confirm appropriate agreements (BAA, NDA, CA, etc.) are in place. 

See Appendix 3 Protocols for Data Sharing/Reporting – this includes the protocols for data sharing/reporting to groups and internal access to clients’ PHI.  Form 2.001 is the Plan Sponsor Certification of HIPAA compliance for groups under 200, if PHI is requested by the Plan Sponsor to be disclosed on reporting.  Identified information will not be shared with clients unless a signed Plan Sponsor Certification form is received.   

X. Disclosures of PHI to Business Associates

Workforce members may disclose PHI to the Plan's business associates and allow the Plan's business associates to create, maintain, transmit or receive PHI on its behalf as allowed by law.  Paramedics Plus may also create, maintain, transmit, receive or disclose PHI or PII on behalf of our clients to common business associates and allow those business associates to create or receive PHI or PII on behalf of the client as allowed. However, prior to doing so, Paramedics Plus will obtain reasonable assurances from the business associate that the PHI or PII will be appropriately safeguarded.  A list shall be maintained of all persons or entities that fall under the definition of a business associate of the Plan.  A Business Associate Agreement is required between Paramedics Plus and each business associate. A Business Associate Agreement, Confidentiality Agreement or Non-Disclosure Agreement must be in place prior to sharing PHI or PII with outside consultants or contractors who meet the definition of a “business associate” or “subcontractor”.   Employees must verify that the appropriate agreements are in place before sharing.

If Paramedics Plus becomes aware of a material breach by any business associate, Paramedics Plus will take reasonable steps to correct the breach or terminate the agreement with that business associate.  Upon termination, the business associate shall be required to return or destroy all PHI received from, or created or received by, the business associate on behalf of Paramedics Plus, or as required by the business associate agreement of the client whose data was involved.  If the return or destruction of PHI is not feasible, all protections contained within the appropriate agreements shall continue for as long as the PHI is retained.  When termination of the agreement due to a breach is not feasible, Paramedics Plus shall notify the Department of Health and Human Services as required. 

XI. Disclosures of De-Identified Information

When PHI is used or disclosed for purposes other than treatment, payment or health care operations without an authorization, the PHI must first be converted into a format that does not identify an individual and for which there is no reasonable basis to believe that the information can be used to identify an individual.  Paramedics Plus may freely use and disclose information that has been “de-identified” in accordance with the HIPAA privacy regulations. The Privacy Rule does not apply to de-identified health information.

There are two ways that information can be de-identified: expert determination (a qualified statistician documents that the risk of re-identification is very small) or the “Safe Harbor” method, removal of the 18 specific identifiers listed below.  The legend or key used as a means to re-identify information will be treated as PHI.

Summary health information has the same 18 identifiers removed, except that it retains the ZIP code (HIPAA allows aggregation to the five-digit ZIP code).  This data may only be used for treatment, payment or health care operations without an authorization.

  • Names
  • Geographic subdivisions smaller than a state
  • All elements of dates except year (date of birth, admission date, discharge date, date of death)
  • Telephone numbers
  • Fax numbers
  • Email addresses
  • Social Security numbers
  • Medical record numbers
  • Health plan beneficiary numbers
  • Account numbers
  • Certificate/license numbers
  • Vehicle identifiers, license plate and serial numbers
  • Device identifiers
  • Web URLs
  • IP addresses
  • Biometric identifiers
  • Full-face photographs
  • Any other unique identifier
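As an added example (not part of the Paramedics Plus policy), the following Python applies the Safe Harbor rules above to a plan record and issues the random re-identification code described in the Minimum Necessary section: fields that may survive are allowlisted (everything else, including "any other unique identifier", is dropped), dates are reduced to the year, the ZIP code survives only when summary health information is produced, identifiers that leak into free-text notes are scrubbed by pattern, and the legend mapping codes back to members is kept apart from the de-identified output. The field names, the regular expressions and the sample record are constructed assumptions, not the Plan's own schema.

```python
"""Safe Harbor de-identification with a random re-identification legend.
Added example: field names, patterns and the sample record are assumptions."""
import re
import secrets
from datetime import date

# Allowlist of fields that may survive de-identification. Any field not listed
# here (name, SSN, account number, member number, ...) is treated as an
# identifier and dropped, which also covers "any other unique identifier".
RETAINED_FIELDS = {"state", "diagnosis_code", "procedure_code", "paid_amount", "notes"}
# Date fields are reduced to the year only.
DATE_FIELDS = {"dob", "admission_date", "discharge_date", "death_date"}
# Geographic unit smaller than a state; kept only for summary health information.
ZIP_FIELD = "zip"

# Identifiers that commonly leak into free text (constructed patterns; a real
# deployment would add more and review residual text by hand).
TEXT_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"), "[EMAIL]"),
    (re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"), "[IP]"),
    (re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b"), "[DATE]"),
    (re.compile(r"(?<!\d)\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}(?!\d)"), "[PHONE]"),
    (re.compile(r"https?://\S+", re.IGNORECASE), "[URL]"),
]


def scrub_text(text: str) -> str:
    """Replace identifier patterns inside a free-text field with placeholders."""
    for pattern, placeholder in TEXT_PATTERNS:
        text = pattern.sub(placeholder, text)
    return text


def deidentify(record: dict, summary: bool = False) -> dict:
    """Return a Safe Harbor de-identified copy of one record.

    summary=True produces summary health information, which keeps the ZIP code.
    """
    out = {}
    for field, value in record.items():
        if field in DATE_FIELDS and isinstance(value, date):
            out[field + "_year"] = value.year
        elif field == ZIP_FIELD:
            if summary:
                out[field] = value
        elif field in RETAINED_FIELDS:
            out[field] = scrub_text(value) if isinstance(value, str) else value
        # every other field is an identifier and is silently dropped
    return out


class ReidentificationLegend:
    """Maps random codes back to member numbers. The legend itself is PHI and
    must be stored and handled separately from the de-identified data set."""

    def __init__(self) -> None:
        self._codes = {}

    def assign(self, member_number: str) -> str:
        # The code is random, not derived from any PHI (no hash of a name or
        # SSN), so it cannot be reversed by anyone who lacks this legend.
        code = secrets.token_hex(8)
        self._codes[code] = member_number
        return code

    def lookup(self, code: str) -> str:
        return self._codes[code]


def deidentify_set(records, summary: bool = False):
    """De-identify a designated record set and return (records, legend)."""
    legend = ReidentificationLegend()
    result = []
    for record in records:
        clean = deidentify(record, summary)
        clean["code"] = legend.assign(record["member_number"])
        result.append(clean)
    return result, legend


# Constructed sample record; not real data.
SAMPLE_RECORD = {
    "member_number": "HP-00042",
    "name": "Jane Example",
    "ssn": "123-45-6789",
    "email": "jane@example.com",
    "dob": date(1980, 5, 17),
    "admission_date": date(2023, 2, 3),
    "street": "12 Oak St",
    "city": "Tyler",
    "zip": "75701",
    "state": "TX",
    "diagnosis_code": "E11.9",
    "paid_amount": 412.50,
    "notes": "Called from 903-555-0142; follow up at jane@example.com on 2/14/2023.",
}

if __name__ == "__main__":
    clean, legend = deidentify_set([SAMPLE_RECORD])
    print(clean[0])
    print("re-identified:", legend.lookup(clean[0]["code"]))
```

The allowlist is the important design choice: a denylist of the 18 identifier types silently passes any new column a vendor adds, while an allowlist fails closed. Free-text scrubbing by pattern is a reduction, not a guarantee; Safe Harbor also requires that the entity has no actual knowledge the remaining data could identify the individual, so retained notes still need a human review before release.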

XII. Breach Notification Requirements

Paramedics Plus will comply with the requirements of HIPAA, the HITECH Act and its implementing regulations and appropriate state laws to provide notification to affected individuals, HHS, and the media (when required) if the Plan or one of its business associates discovers a breach of unsecured PHI.   Paramedics Plus will also comply with the requirements of our clients and business associates regarding notification to them of any breaches of unsecured PHI.

PROCEDURE:

  • Determine whether a reportable breach has occurred. If a reportable breach has not occurred, the notice requirements do not apply.
  • The appropriate Privacy Official is responsible for reviewing circumstances of possible breaches and determining whether a reportable breach has occurred. All workforce members in regards to the Plan and employees, business associates and sub-contractors of Paramedics Plus clients are required to report any incidents involving possible breaches.
  • Acquisition, access, use, or disclosure of unsecured PHI in a manner not permitted under the Privacy Rule is presumed to be a reportable breach, unless the Privacy Official determines that there is a low probability that the privacy or security of the PHI has been or will be compromised.

To determine whether there is only a low probability that the privacy or security of the PHI was compromised, the applicable Privacy Official must perform and document a risk assessment that considers at least: (1) the nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification; (2) the unauthorized person who used the PHI or to whom it was disclosed; (3) whether the PHI was actually acquired or viewed; and (4) the extent to which the risk to the PHI has been mitigated.

If the Privacy Official determines that there is only a low probability that the privacy or security of the information was compromised, then the Plan will document the determination in writing as a disclosure, keep the documentation on file, and is not required to provide notifications. On the other hand, if the Privacy Official is unable to determine that there is only a low probability that the privacy or security of the information was compromised, the Plan will provide notifications.

If one of the exceptions in the Breach Regulations applies (an unintentional, good-faith acquisition, access or use by a workforce member acting within the scope of authority; an inadvertent disclosure between persons authorized to access PHI at the Plan or a business associate; or a disclosure where there is a good-faith belief that the recipient could not reasonably have retained the information), and in the first two cases the PHI is not further used or disclosed in a manner not permitted by the Privacy Rule, then a Reportable Breach has not occurred and the notice requirements are not applicable.

Timing and Notice Responsibilities for Reportable Breaches

If the Privacy Official determines that a Reportable Breach has occurred, the Privacy Official will determine (in accordance with the Breach Regulations) the date the breach was discovered in order to determine the time periods for giving notice of the Reportable Breach. The Plan has reasonable systems and procedures in place to discover the existence of possible breaches, and workforce members and employees are trained to notify the Privacy Official or other responsible person immediately so the Plan can act within the applicable time periods.

 

The Privacy Official is responsible for the content of notices and for the timely delivery of notices in accordance with the Breach Regulations. However, the Privacy Official may, on behalf of the Plan, engage a third party (including a Business Associate) to assist with preparation and delivery of any required notices.

 

The Breach Regulations may require a breach to be treated as discovered on a date earlier than the date the Plan had actual knowledge of it. The Privacy Official will determine the date of discovery as the earlier of (1) the date that a workforce member (other than the person who committed the breach) knew of the events giving rise to the breach, and (2) the date that a workforce member or agent of the Plan, such as a Business Associate (other than the person who committed the breach), would have known of those events by exercising reasonable diligence.

 

Except as otherwise specified in the notice sections that follow, notices must be given "without unreasonable delay" and in no event later than 60 calendar days after the discovery date of the breach. In some instances this timeframe may be substantially less due to reporting requirements in our Business Associate Agreements with clients or vendors. Most of these agreements require Paramedics Plus to notify within 10 calendar days or less. Accordingly, the investigation of a possible breach, to determine whether it is a Reportable Breach and the individuals who are affected, must be undertaken in a timely manner that does not impede the notice deadline.  Notice must be provided even if a full understanding of the breach has not been determined.

There is an exception to the timing requirements if a law-enforcement official asks the Plan to delay giving notices. This should be noted on Form 20.301.

 

Business Associates

If a Business Associate commits or identifies a possible Reportable Breach relating to Plan participants or one of Paramedics Plus’s clients’ data, the Business Associate must give notice to the Plan and the appropriate Privacy Official. The Plan is responsible for providing any required notices of a Reportable Breach to participants, HHS, and (if necessary) the media. Paramedics Plus will apprise any clients whose data may have been breached and assist as necessary for any notifications. Notice to the Plan or our clients’ health plans will be provided on Form 20.001.  In the event Paramedics Plus has a breach and notice is required to carriers or vendors, that notice will be provided on Form 20.401.

Unless otherwise required under the Breach Regulations, the discovery date for purposes of the Plan's notice obligations is the date that the Plan receives notice from the Business Associate.

In its Business Associate contracts, the Plan will require Business Associates to:

  • report incidents involving breaches or possible breaches to the Privacy Official in a timely manner;
  • provide to the Plan any and all information requested by the Plan regarding the breach or possible breach, including, but not limited to, the information required to be included in notices (as described below); and
  • establish and maintain procedures and policies to comply with the Breach Regulations, including workforce training.

 

Notice to Individuals

Notice to the affected individual(s) is always required in the event of a Reportable Breach. Notice will be given without unreasonable delay and in no event later than 60 calendar days after the date of discovery (as determined above).  Notices to individuals will be written in plain language and contain all information as required by the Breach Regulations.  If the data in question relates to the Paramedics Plus Health Plan, notice will be given to participants.  However, if the data is not Paramedics Plus Health Plan data, then notice shall be provided to the client, vendor, or carrier on Form 20.101.

Notice to HHS

Notice of all Reportable Breaches will be given to HHS. The time and manner of the notice depends on the number of individuals affected.

Generally for breaches affecting fewer than 500 individuals, information will be maintained in a log and notice will be provided to HHS within 60 days of the end of the calendar year in which the breach was discovered.  This notice must be submitted electronically at:  https://ocrnotifications.hhs.gov/

For breaches affecting 500 or more individuals, notice must be provided to HHS within 60 days of the breach discovery.  The notice must be submitted electronically at:  https://ocrnotifications.hhs.gov/

The appropriate Privacy Official is responsible for both types of notice to HHS.

Notice to Media

Notice to media (generally in the form of a press release) will be given if a Reportable Breach affects more than 500 residents of any one state or jurisdiction.  This shall be reported on Form 20.201.
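As an added example (not part of the Paramedics Plus policy or its forms), the Python below turns the timing rules of this section into a deadline calculator: the discovery date is the earlier of actual knowledge and the should-have-known date, individuals get the 60-day outer limit, a Business Associate Agreement can impose a shorter contractual deadline, HHS notice is immediate for 500 or more individuals but deferred to the year-end log otherwise, and media notice is evaluated per state against the more-than-500 threshold. The function and parameter names and the sample incident are constructed for illustration.

```python
"""Breach notice deadlines under the timing rules above.
Added example; the inputs and the sample incident are constructed."""
from collections import Counter
from datetime import date, timedelta
from typing import Optional

OUTER_LIMIT = timedelta(days=60)   # "in no event later than 60 calendar days"
HHS_IMMEDIATE_THRESHOLD = 500      # 500 or more: HHS is notified with the individuals
MEDIA_THRESHOLD = 500              # more than 500 residents of one state: media notice


def discovery_date(actual_knowledge: date, should_have_known: Optional[date] = None) -> date:
    """The earlier of actual knowledge and the date reasonable diligence would
    have revealed the events, as the Breach Regulations require."""
    if should_have_known is None:
        return actual_knowledge
    return min(actual_knowledge, should_have_known)


def notice_schedule(discovered: date, affected_states, baa_notice_days: Optional[int] = None) -> dict:
    """Return the latest permissible date for each required notice.

    affected_states holds one state code per affected individual.
    baa_notice_days is the shorter contractual deadline, if a BAA sets one.
    """
    n_affected = len(affected_states)
    outer = discovered + OUTER_LIMIT
    schedule = {"individuals": outer}

    if baa_notice_days is not None:
        # Contract deadlines (often 10 days or less) override the 60-day limit
        # for notice to the client, carrier or vendor.
        schedule["client_or_carrier"] = discovered + timedelta(days=baa_notice_days)

    if n_affected >= HHS_IMMEDIATE_THRESHOLD:
        schedule["hhs"] = outer
    else:
        # Logged, then reported within 60 days after the end of the calendar
        # year in which the breach was discovered.
        schedule["hhs"] = date(discovered.year, 12, 31) + OUTER_LIMIT

    # Media notice is per state and its threshold is "more than 500", so 500
    # individuals in one state trigger HHS notice now but not media notice.
    per_state = Counter(affected_states)
    schedule["media"] = sorted(s for s, c in per_state.items() if c > MEDIA_THRESHOLD)
    schedule["media_deadline"] = outer if schedule["media"] else None
    return schedule


if __name__ == "__main__":
    # Constructed incident: a workforce member noticed it on 10 March 2024, but
    # the misdirected export could have been found on 1 March with due diligence.
    discovered = discovery_date(date(2024, 3, 10), date(2024, 3, 1))
    states = ["TX"] * 600 + ["OK"] * 100
    for notice, due in notice_schedule(discovered, states, baa_notice_days=10).items():
        print(f"{notice:20} {due}")
```

The dates returned are outer limits, not targets: the policy's "without unreasonable delay" still governs, and the investigation must not be allowed to run up to the limit before individuals are told.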

 

XIII. No Remuneration

We will not directly or indirectly receive remuneration in exchange for any PHI or PII of an individual, except as otherwise allowed by applicable law. We will not engage in marketing of PHI, except if such marketing is permissible under HIPAA and does not require an authorization. We will not use or disclose genetic information which is PHI for underwriting purposes. We will not use or disclose PHI for research purposes.

XIV. Destruction of PHI

Paramedics Plus’s intent is to ensure that any medium containing PHI is properly destroyed.  PHI stored in paper will be destroyed utilizing an acceptable method of destruction after the appropriate retention period has been met.  PHI stored on electronic medium is subject to the Security Policy requirements.

PROCEDURE:

  • All PHI shall be maintained pursuant to Department of Labor/ERISA recordkeeping requirements. As such, most records shall be maintained for up to 8 years. Prior to destruction, verification will be made that the retention period has expired.
  • Shredding containers are provided for the disposal of all paper PHI. Once material has been placed in a shredding container, it is irretrievable. The shredding container shall remain locked until the shredding company comes to dispose of the contents.  A certificate shall be received each time, attesting to the secure disposal of the information.
XV. Policies on Individual Rights

Access to PHI and Requests for Amendment

Individual’s Right to PHI

HIPAA gives participants the right to access and obtain copies of their PHI that the Plan (or its business associates) maintains in designated record sets except for the following: 

  • Psychotherapy notes;
  • Information compiled for use in a civil, criminal or administrative action or proceeding;
  • Protected health information subject to Clinical Laboratory Improvements Amendments of 1988, 42 U.S.C. 263a;
  • If the release of information may endanger the life or physical safety of the individual or another person; and
  • Other instances provided for or required by law or which would reveal a source of information that would result in a breach of confidentiality.

 

PROCEDURE:

The following steps relate to access by a participant to Paramedics Plus health plan data.  Any access requested by a participant or a covered entity for a client’s health plan shall be furnished within 10 days, or a shorter period if one is defined in the business associate agreement.

Steps:

  1. Follow verification rules in Appendix 1.
  2. The Privacy Official must review and process the request
  3. Determine where the PHI is held and whether it is in one or more designated record sets, or whether no information is held in a designated record set.
  4. Review the request for access to determine whether an exception to the right of access applies (e.g., psychotherapy notes, documents compiled for legal proceedings).

Paramedics Plus shall respond to a participant’s request for access within 30 days. If Paramedics Plus is unable to provide the access within 30 days, it may extend the period by 30 days, provided that it gives the participant notice (including the reason for the delay and the date the information will be provided) within the original 30-day period.  Form 10.502 will be used to notify the need for extension on response to request for access to participant records.

Paramedics Plus will consider requests to access PHI that are submitted in writing on the form titled “Request for Access to Protected Health Information” (Form 10.501).  In the event access to PHI is denied, a written determination titled “Response to Request for Access” (Form 10.503) will be provided.  A participant has the right to a review of the denial by filing a “Request for Review of Denial of Access” (Form 10.504).  At that time a formal written determination (Form 10.505) will be provided indicating the decision regarding the reconsideration of denial. 

If the request is approved, PHI will be released in the requested format if available. If the requested information is not readily producible in such form and format, the requested information will be produced in a readable electronic form and format as agreed by the Plan and the individual. If the Plan and the individual are unable to agree on the form and format, the Plan will provide a paper copy of the information to the individual.

Individual’s Request for Amendment

HIPAA also provides that participants may request to have their PHI amended.  A request may be denied if the PHI was not created by Paramedics Plus, is not part of the designated record set or is accurate and complete without amendment. 

PROCEDURE:

The following steps relate to a request for amendment by a participant of Paramedics Plus health plan data.  Any request for amendment by a participant or a covered entity for a client’s health plan shall be acted on within 10 days, or a shorter period if one is defined in the business associate agreement.

 

Steps:

  1. Follow verification rules in Appendix 1.
  2. The Privacy Official must review and process the request. If the request for amendment is approved, PHI will be amended in the designated record set and a notice will be provided to the individual listed on the amendment request form. Notice will also be provided to any persons/entities who are known to have the particular record.
  3. Determine where the PHI is held and whether it is in one or more designated record sets, or whether no information is held in a designated record set.
  4. Review the request for amendment to determine whether a ground for denial applies (e.g., psychotherapy notes, documents compiled for legal proceedings, information not created by Paramedics Plus).

Paramedics Plus shall respond to a request for amendment within 60 days.  If Paramedics Plus is unable to respond within 60 days, it may extend the period by 30 days, provided that it gives the participant notice (including the reason for the delay and the date by which it will act) within the original 60-day period.  Form 12.502 will be used to notify the participant of the need for an extension in response to a request for amendment.

Paramedics Plus will consider requests for amendment to PHI that are submitted in writing on the form titled “Request for Amendment or Correction Participant Protected Health Information” (Form 12.501) including the reason(s) for the requested amendment.  If the request is accepted, the participant shall be notified within 60 days by using Form 12.503.  If the request for amendment or correction is denied, Form 12.504 will be sent to the participant.  For risk management purposes the original data shall not be deleted.  Attempts will be made by Paramedics Plus to inform appropriate parties, including Business Associates, of the amendment, and acknowledgment will be requested in writing.

Reasons for denial of amendment:

  • The information is not maintained in a designated record set.
  • The information was not created by Paramedics Plus.
  • The information is accurate and complete.

 

Accounting of Disclosures

An individual has the right to obtain an accounting of certain disclosures of his or her own PHI. This right to an accounting extends to disclosures made in the last six years prior to request.  It does not include disclosures for the following:

  • to carry out treatment, payment or health care operations;
  • to individuals about their own PHI;
  • incident to an otherwise permitted use or disclosure;
  • pursuant to an authorization;
  • to persons involved in the individual's care or payment for the individual's care or for certain other notification purposes;
  • to correctional institutions or law enforcement when the disclosure was permitted without authorization;
  • as part of a limited data set or summary information;
  • for specific national security or law enforcement purposes; or
  • any disclosures that occurred prior to the compliance date.

PROCEDURE:

The following steps apply to a request by a participant for an accounting of disclosures of Paramedics Plus health plan data.  Any request for an accounting of disclosures made by a participant or a covered entity regarding a client’s health plan shall be furnished within 10 days, or within a shorter period if one is specified in the business associate agreement.

Steps:

  1. Follow verification rules in Appendix 1.
  2. The Privacy Official must review and process the request.
  3. Determine whether the individual has already received an accounting within the past 12 months. If so, prepare a notice informing the individual that a processing fee may be charged and giving them an opportunity to withdraw or revise the request.
  4. Paramedics Plus may exclude those disclosures that qualify as an exception (treatment, payment, health care operations, to the member, pursuant to a signed authorization, correctional institution, etc.) as noted above.

Paramedics Plus shall respond to an accounting request within 60 days. If Paramedics Plus is unable to provide the accounting within 60 days, it may extend the period once by up to 30 days, provided that it gives the participant written notice (including the reason for the delay and the date by which the accounting will be provided) within the original 60-day period. Form 9.502 will be used to notify the participant of the need for an extension.

Paramedics Plus will consider requests for accounting that are submitted in writing on the form titled “Request for Accounting” (Form 9.501). 

The accounting provided to the individual must include, for each disclosure: the date of the disclosure, the name (and address, if known) of the receiving party, a brief description of the information disclosed, and a brief statement of the purpose of the disclosure that reasonably informs the individual of the basis for the disclosure.  A copy of the written authorization or written request for the disclosure, if any, may be provided in lieu of the purpose statement.

The first accounting in any 12-month period shall be provided free of charge. The appropriate Privacy Official may impose a reasonable, cost-based fee for production and mailing of subsequent accountings within the same 12-month period.  The participant or requestor will be informed of the fee in advance and given an opportunity to withdraw or modify the request in order to avoid or reduce the fee.

We will temporarily suspend accounting for disclosures to health oversight agencies or law enforcement officials from whom we receive notice that an accounting would likely impede their enforcement activity.  Disclosures will continue to be logged during this period. 
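The accounting rules above (six-year look-back, exempt purposes, the one-free-per-12-months fee rule, the 60-day response window with a single 30-day extension, and the rule that a law-enforcement or health-oversight suspension withholds entries from the accounting but never stops logging) are easiest to verify as a small disclosure log. The following Python sketch is an added illustration by the editor; it is not Paramedics Plus’s own software or any system the policy references. The purpose category names, the compliance date passed to the log, the suspension model (keyed by recipient with an end date), and all sample disclosures are constructed for the example.

```python
"""
Disclosure log that produces an accounting of disclosures under the rules in
the section above.  Editor's illustration, not Paramedics Plus code.
Purpose category names, the suspension model and the sample data are assumptions.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Purpose categories the policy lists as excluded from the accounting.
EXEMPT_PURPOSES = frozenset({
    "treatment", "payment", "health_care_operations",
    "to_individual", "incident_to", "authorization",
    "involved_in_care", "correctional_or_law_enforcement",
    "limited_data_set", "national_security",
})


@dataclass(frozen=True)
class Disclosure:
    participant_id: str
    disclosed_on: date
    recipient: str
    description: str        # brief description of the PHI disclosed
    purpose: str            # category key; anything not in EXEMPT_PURPOSES is accountable
    purpose_statement: str  # brief statement that informs the individual of the basis


def years_before(d: date, years: int) -> date:
    """Same calendar day `years` earlier; 29 Feb falls back to 28 Feb."""
    try:
        return d.replace(year=d.year - years)
    except ValueError:
        return d.replace(year=d.year - years, day=28)


def response_deadline(requested_on: date, extended: bool = False) -> date:
    """60 days from the request, or 90 if the one-time 30-day extension was noticed."""
    return requested_on + timedelta(days=90 if extended else 60)


@dataclass
class DisclosureLog:
    compliance_date: date                                   # no accounting before this date
    _entries: list = field(default_factory=list)
    _suspensions: dict = field(default_factory=dict)        # recipient -> suspended until (exclusive)
    _requests: dict = field(default_factory=dict)           # participant -> dates of prior accountings

    def record(self, d: Disclosure) -> None:
        # Every disclosure is logged, exempt or not, suspended or not.  Exemptions and
        # suspensions are applied when the accounting is produced, never at logging time.
        self._entries.append(d)

    def suspend(self, recipient: str, until: date) -> None:
        """Oversight agency / law enforcement notice that an accounting would impede them."""
        self._suspensions[recipient] = until

    def _suspended(self, recipient: str, on: date) -> bool:
        until = self._suspensions.get(recipient)
        return until is not None and on < until

    def accounting(self, participant_id: str, requested_on: date) -> list:
        """Accountable disclosures in the six years before the request, oldest first."""
        self._requests.setdefault(participant_id, []).append(requested_on)
        window_start = max(years_before(requested_on, 6), self.compliance_date)
        rows = []
        for d in self._entries:
            if d.participant_id != participant_id:
                continue
            if not (window_start <= d.disclosed_on <= requested_on):
                continue
            if d.purpose in EXEMPT_PURPOSES:
                continue
            if self._suspended(d.recipient, requested_on):
                continue  # still in the log; withheld only while the suspension is in force
            rows.append({"date": d.disclosed_on.isoformat(), "recipient": d.recipient,
                         "description": d.description, "purpose": d.purpose_statement})
        rows.sort(key=lambda r: r["date"])
        return rows

    def fee_applies(self, participant_id: str, requested_on: date) -> bool:
        """True if the participant already received an accounting in the prior 12 months."""
        prior = self._requests.get(participant_id, [])
        return any(years_before(requested_on, 1) <= r < requested_on for r in prior)


def demo() -> dict:
    """Constructed sample: one participant, four disclosures, one oversight suspension."""
    log = DisclosureLog(compliance_date=date(2003, 4, 14))
    log.record(Disclosure("P001", date(2024, 1, 10), "Regional Hospital", "claims history",
                          "treatment", "Treatment"))
    log.record(Disclosure("P001", date(2016, 5, 2), "Superior Court", "eligibility file",
                          "other", "Response to court order"))        # outside six-year window
    log.record(Disclosure("P001", date(2023, 3, 15), "Superior Court", "claim detail",
                          "other", "Response to subpoena"))
    log.record(Disclosure("P001", date(2024, 6, 1), "State Health Oversight Agency",
                          "enrollment dates", "other", "Health oversight audit"))
    log.suspend("State Health Oversight Agency", until=date(2025, 1, 1))

    first = log.accounting("P001", date(2024, 9, 1))              # during the suspension
    fee_on_second = log.fee_applies("P001", date(2025, 2, 1))     # second request within 12 months
    after_suspension = log.accounting("P001", date(2025, 2, 1))   # suspension has lapsed
    return {"first": first, "fee_on_second": fee_on_second, "after_suspension": after_suspension,
            "deadline": response_deadline(date(2024, 9, 1)).isoformat(),
            "extended_deadline": response_deadline(date(2024, 9, 1), extended=True).isoformat()}
```

The point a practitioner should take from the design is the separation between what is logged and what is reported: the treatment disclosure and the suspended oversight disclosure are both in the log, so the oversight entry appears automatically once the suspension end date passes, and nothing has to be reconstructed after the fact.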

III. Requests for Alternative Communication Means or Locations

Participants may request to receive communications regarding their PHI by alternative means or at alternative locations. For example, they may ask to be called only at work rather than at home. Paramedics Plus may, but need not, honor such requests. The decision to honor a request shall be made by the Internal Privacy Official, based on whether the request is reasonable.  Honored requests will be reviewed periodically to re-verify that the contact information is still accurate.

However, Paramedics Plus shall accommodate such a request if the requesting party clearly states that the disclosure of all or part of the information could endanger the person. The Internal Privacy Official has responsibility for administering participant requests for confidential communications and notifying the appropriate parties of change.

PROCEDURE

  1. Requests for alternative communication means or locations must be made using Form 4.501.
  2. Requests will be honored if the individual states that disclosure could endanger the individual.
  3. If the request cannot be accommodated, then contact must be made with the individual in writing or by phone to explain why the request cannot be accommodated.
  4. The appropriate Privacy Official shall make the decision on alternative communication, complete the response informing the member of the Plan’s decision, and maintain all requests and responses in a recordkeeping file.

There is no anticipated need for such requests with regard to client data; however, if a request is received, it will be honored to the extent applicable.

  1. Requests for Restrictions on Use and Disclosure of PHI

A participant may submit a request for restrictions on the use and disclosure of his or her PHI. The right to request a restriction is described in the Privacy Notice that is provided to all participants.  Paramedics Plus may, but need not, honor such requests.  The decision to honor a request shall be made by the Internal Privacy Official, based on whether the request is reasonable.  However, the Plan will comply with a restriction request if both of the following are true:

  1. except as otherwise required by law, the disclosure is to a health plan for purposes of carrying out payment or health care operations (and not for purposes of carrying out treatment); and
  2. the PHI pertains solely to a health care item or service for which the health care provider involved has been paid in full by the individual or by a person other than the plan.

Paramedics Plus may terminate an agreement to restrict use or disclosure of PHI. The participant will be informed that the agreement has been terminated and will be asked to acknowledge the termination in writing.  Workforce members needing further clarification should consult the Internal Privacy Official.

State law that requires disclosure of minor’s protected health information to a parent, guardian or person acting in loco parentis takes priority over a minor’s request for confidential communication.

PROCEDURE:

A request for restriction should be submitted using Form 11.501.  Paramedics Plus will provide a formal response to request for restriction by use of Form 11.502.  Notice will be provided to the workforce members to ensure the request is followed, as well as notice to any individuals/entities that have access to the individual’s PHI regarding the agreed-to restrictions.

  1. Other State and Federal Privacy Laws

This policy and all procedures are intended to comply with all state and federal privacy laws including, but not limited to, HIPAA, the Gramm-Leach-Bliley Act, the Americans with Disabilities Act, the federal Computer Fraud and Abuse Act, and any other state or federal law with which Paramedics Plus is required to comply with regard to a person’s health or personal information.

  1. Definitions

Breach. The acquisition, access, use, or disclosure of PHI in a manner not permitted by the HIPAA Privacy Rule which compromises the security or privacy of the PHI.  A breach excludes:

  • An unintentional acquisition, access, or use of PHI by a workforce member or person acting under the authority of a covered entity or business associate, if such acquisition, access, or use was made in good faith and within the scope of authority and does not result in further use or disclosure in a manner not permitted.
  • An inadvertent disclosure by a person who is authorized to access PHI at a covered entity or business associate to another person authorized to access PHI at the same covered entity or business associate, where the information received as a result of such disclosure is not further used or disclosed in a manner not permitted.
  • A disclosure of PHI where a covered entity or business associate has a good faith belief that the unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information.

Any acquisition, access, use, or disclosure not excluded above is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates through a risk assessment that there is a low probability that the PHI has been compromised.


Business Associate. An entity that:

  • creates, receives, maintains, or transmits PHI on behalf of a Plan (including for claims processing or administration, data analysis, underwriting, etc.);
  • provides legal, accounting, actuarial, consulting, data aggregation, management, accreditation, or financial services to or for a Plan where the performance of such services involves giving the service provider access to PHI; or
  • performs any of the above on behalf of Paramedics Plus clients.

Company. Paramedics Plus, as a covered entity and business associate to our clients, carriers and vendors.  The term “Company” and Paramedics Plus are used interchangeably.

Covered Entity. A health plan, a health care clearinghouse or a health care provider who transmits any health information in connection with a transaction in an electronic format.

Designated Record Set. A group of records that may be maintained by Paramedics Plus on behalf of the Plan or clients that may include any or all of the following:

  • the enrollment, payment, and claims adjudication record of an individual maintained by or for the Plan or on behalf of a client; or
  • other PHI used, in whole or in part, by or for the Plan, or on behalf of a client to make coverage decisions about an individual.

Disclosure. For information that is PHI, disclosure means any release, transfer, provision of access to, or divulging in any other manner, to persons who are not workforce members of Paramedics Plus or to an entity that is not a Business Associate of the plan. Disclosure of client data means the release, transfer, provision of access to, or divulging in any other manner of that data to any entity or person that has not entered into a valid agreement (Business Associate Agreement, Non-Disclosure Agreement or Confidentiality Agreement) to protect the data.

Health Care Operation. Health care operation means any of the following activities:

  • conducting quality assessment and improvement activities;
  • reviewing health plan performance;
  • underwriting and premium rating;
  • conducting or arranging for medical review, legal services and auditing functions;
  • business planning and development;
  • business management and general administrative activities; and
  • other health care operations permitted by HIPAA or other privacy regulations.

Minimum Necessary. PHI or PII used, disclosed, or requested is limited to the “minimum necessary” to accomplish the purpose of the use, disclosure or request, unless an exception applies.

Personally Identifiable Information (PII). Personally identifiable information is information that is typically non-public and that identifies a person, or a person’s health or financial information, provided in connection with a transaction involving a financial product or service.   Our website does not collect cookies; therefore, information will not be captured through that source. Identifiers that may fall in this category include:  credit card information, insurance applications, bank account or policy numbers, information from a consumer report, medical record numbers, license numbers, vehicle identifiers such as a VIN, serial number or license plate number, URLs and IP addresses, biometric identifiers, photos, or other unique identifiers.

Payment. Payment includes activities undertaken to obtain Plan contributions or to determine or fulfill the Plan's responsibility for provision of benefits under the Plan, or to obtain or provide reimbursement for health care. Payment also includes:

  • eligibility and coverage determinations including coordination of benefits and adjudication or subrogation of health benefit claims;
  • risk-adjusting based on enrollee status and demographic characteristics;
  • billing, claims management, collection activities, obtaining payment under a contract for re-insurance (including stop-loss insurance and excess loss insurance) and related health care data processing; and
  • any other payment activity permitted by HIPAA or other privacy regulations.

Protected Health Information (PHI). Protected health information means information that is created or received by the Plan and relates to the past, present, or future physical or mental health or condition of a participant; the provision of health care to a participant; or the past, present, or future payment for the provision of health care to a participant; and that identifies the participant or for which there is a reasonable basis to believe the information can be used to identify the participant. Protected health information includes information about living or deceased persons, whether transmitted or maintained in electronic media or transmitted or maintained in any other form or medium.   It does not include education records or employment records held by the Company in its role as employer.

For purposes of this Policy, protected health information does not include the following:


  1. summary health information, as defined by HIPAA's privacy rules, that is disclosed to the Company solely for purposes of obtaining premium bids, or modifying, amending, or terminating the Plan;
  2. enrollment and disenrollment information concerning the Plan that does not include any substantial clinical information;
  3. protected health information disclosed to the Plan or the Company under a signed authorization that meets the requirements of the HIPAA privacy rules;
  4. health information related to a person who has been deceased for more than 50 years;
  5. information disclosed to the Company by an individual for functions that the Company performs in its role as an employer and not as sponsor of the Plan or in providing administrative services to the Plan.

Subcontractor. A person to whom a business associate delegates a function, activity, or service, other than in the capacity of a member of the workforce of business associate.

Treatment. The provision, coordination, or management of health care or related services.

Unsecured PHI. PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary of Health and Human Services. Paramedics Plus currently uses RPost to send emails encrypted to meet the standards required.

Use. The sharing, employment, application, utilization, examination, or analysis of individually identifiable health information by any person working for or within Paramedics Plus, or by a Business Associate (defined below) of the Plan.

Workforce Member. Means employees, volunteers, trainees, and other persons whose conduct, in the performance of work for the Company, is under the direct control of the Company, whether they are in fact paid or not. 

Workstation. An electronic computing device, for example a laptop or desktop computer or any other device that performs similar functions, together with the electronic media stored in its immediate environment.