Notice of Privacy Practices
Capital District Physicians’ Health Plan, Inc., CDPHP Universal Benefits, Inc., and Capital District Physicians’ Healthcare Network, Inc. (collectively referred to as “CDPHP”) Notice of Privacy Practices
The effective date of this notice is May 4, 2018.
This notice describes how medical information about you may be used and disclosed and how you can get access to this information. Please review it carefully.
Our Commitment to Your Privacy
At CDPHP, we believe in keeping your protected health information (PHI) safe. PHI includes information that we have created or received about your past, present, or future health or medical condition that could be used to identify you. It also includes information about medical treatment you have received and about payment for health care you have received. We may receive this information in our capacity as a health insurance issuer for your medical plan, or as a third-party administrator of group health plan benefits offered by your employer. If you are enrolled in a medical plan insured by CDPHP through your employer, and your employer has also contracted with CDPHP for third-party administration services for its health flexible spending account (FSA) and/or health reimbursement arrangement (HRA), then this notice also describes privacy practices with respect to the FSA and HRA plans offered by your employer.
CDPHP keeps protected health information in strict confidence. As part of providing services, we may get nonpublic personal information from the following sources: applications, forms, claims, and other information provided to us. This information can be given to us in writing, in person, by telephone, electronically, or by any other means. This information may include names, dates of birth, and addresses. We do not give out any protected health information about our current or former members, except as permitted by law or to provide services to our members.
CDPHP restricts access to information to those CDPHP employees who need to know that information to provide services. We also maintain physical, electronic, and procedural safeguards that comply with federal and state regulations to guard your information.
Our Legal Duties
This Notice of Privacy Practices explains how CDPHP uses information about you and when we can share that information with others. The law requires CDPHP to maintain the privacy of your health information. We are also required to give you this notice about our legal duties, our privacy practices, and your health information rights. CDPHP must follow the terms of this notice. If you have questions about any part of this notice or if you want more information about the privacy practices at CDPHP please contact the CDPHP privacy official at (518) 641-5261 or 1-888-258-0477.
CDPHP has the right to change this Notice of Privacy Practices as well as CDPHP privacy policies and procedures as business needs and changes in federal and state law require. If we make a significant change to the privacy practices in this notice, we will post the revised notice on the CDPHP website by the effective date of the revision and provide the revised notice in our annual newsletter. Except as required by law, CDPHP will not put into practice a significant change to any part of this notice before the effective date of the new notice.
Routine Uses and Disclosures of Your Health Information
CDPHP uses and discloses protected health information in a number of different ways in connection with your treatment, payment for your health care, and our health care operations. The following are the types of uses and disclosures of your protected health information that we are allowed to make without your authorization.
Treatment
We may share your information with your doctors or hospitals to help them provide medical management and care to you.
Payment
We may use and disclose your PHI to pay claims to providers who render services to you.
Health Care Operations
We may use and disclose your PHI to perform our healthcare operations. Examples of health care operations functions include determining premiums for your health plan, conducting quality improvement activities, and engaging in care coordination or case management. We may not use or disclose your PHI that is genetic information for purposes of enrollment, determining your premiums, or underwriting. Where you are enrolled in a medical plan insured by CDPHP and sponsored by your employer, and your employer has hired CDPHP to be the third-party administrator for its health flexible spending account (FSA) and/or a health reimbursement arrangement (HRA), the medical plan insured by CDPHP and the FSA/HRA plan(s) are part of an Organized Health Care Arrangement (OHCA) wherein the sharing of HIPAA protected health information between the medical plan and the FSA/HRA plan(s) may occur as part of health care operations.
Health-Related Benefits and Services
We may use your information to tell you about health-related benefits or services. For example, we might send you information about programs to help you manage your asthma or diabetes.
Disclosures to Business Associates
CDPHP may disclose your PHI to outside persons or organizations to perform specific functions on our behalf. These companies are called business associates. We may only disclose PHI to business associates upon completion of a written contract which requires the business associates to appropriately safeguard your information.
Disclosures to Persons Involved in Your Care
CDPHP may disclose health information to a person involved in your care, such as a family member or friend, limited to the information directly relevant to the person’s involvement with your health care or payment for your health care. CDPHP will do so only in exceptional circumstances wherein you are present or if you are not present or cannot object for other reasons and we reasonably determine that 1.) the person is involved in your care; and 2.) the disclosure is in your best interest. In those circumstances we would limit our disclosure to health information that is directly relevant to the person’s involvement with your health care. You may request that CDPHP limit this kind of disclosure by contacting the CDPHP Privacy Official in writing at the address listed in this notice.
Disclosures to Plan Sponsors
If you are enrolled in a group health plan, we may disclose summary health information and enrollment and disenrollment information to the plan sponsor of the group health plan for limited plan administration purposes. A plan sponsor is normally an employer or a company that manages the employee’s benefit plan. To share any other PHI, CDPHP must obtain a signed certification from the plan sponsor in accordance with HIPAA.
Eligibility Determinations
If you are enrolled in a CDPHP government program plan, such as Select Plan (Medicaid eligible recipients), we may disclose your PHI to a business associate to determine your eligibility for the plan or for additional public benefits.
Non-Routine Uses and Disclosures of Your Health Information
Required by Law
CDPHP may disclose your PHI to report information to state and federal agencies that regulate us such as the U.S. Department of Health and Human Services and where otherwise as required by federal, state, or local law.
Health Oversight
We are also allowed to disclose your PHI to a government agency authorized to oversee the health insurance system, such as for audits or to maintain our license.
Law Enforcement
We may disclose your PHI for certain law enforcement purposes. For example, we may give information to a law enforcement official for purposes of identifying or locating a suspect, fugitive, or material witness.
Public Health and Safety
We may share PHI about you for certain public health and safety reasons, including preventing disease, helping with product recalls, reporting adverse reactions to medications, reporting suspected abuse, neglect, or domestic violence and preventing or reducing a serious threat to anyone’s health or safety.
Workers’ Compensation
We may use or disclose information about you for workers’ compensation claims.
Legal Proceedings
We may disclose your PHI in response to a court order or subpoena or other lawful process such as in the course of a judicial or administrative proceeding.
Disaster Relief
We may disclose your PHI to an entity authorized by law or charter to assist in disaster relief efforts.
Research
We may use and/or disclose your PHI for research as permitted by and subject to federal law.
National Security and Government Requests
We may share information relative to specialized government functions such as military, presidential protective services, national security, and intelligence activities.
Fundraising
CDPHP may contact you for purposes of fundraising. You have the right to opt-out of future fundraising efforts.
Coroner, Medical Examiners and Funeral Directors
We may disclose your PHI to coroners and medical examiners for purposes of identifying deceased person, determining a cause of death or other duties as authorized by law and to funeral directors as necessary for them to carry out their duties.
Correctional Institutions
We may disclose your PHI to a correctional institution or custodial law enforcement official that has custody of the individual who is the subject of the PHI.
HHS HIPAA Compliance Investigation
We may disclose your PHI to the Secretary of the Department of Health and Human Services (“HHS”) for the purpose of investigating or determining CDPHP compliance with HIPAA administrative simplification provisions.
Cadaveric Organ, Eye or Tissue Donation
We may disclose your PHI to organ procurement, banking or transplanting organizations to facilitate organ, eye or tissue donation and transplantation.
Uses and Disclosures of PHI with an Authorization
For any other uses or disclosures including most uses and disclosures of psychotherapy notes, for marketing and the sale of PHI, CDPHP must get a member’s signed written authorization and the information is used as stated in the authorization. You may cancel your authorization, in writing, at any time, except to the extent that CDPHP or another company or person has already relied on the authorization.
Also, wherein federal and state law further restrict the disclosure of sensitive information such as HIV/AIDS, mental health, substance abuse, abortions, and sexually transmitted diseases, CDPHP will only disclose such information in accordance with law or with your authorization.
Your Health Information Rights
You have the following rights that deal with your medical information. You can contact the CDPHP member services department at the phone number on your identification card or (518) 641-3000 or 1-888-258-0477 to obtain the appropriate form needed to use any of these rights. Or you can get any of the forms noted below on the CDPHP website at www.cdphp.com.
Access Right
You have the right to look at and get a copy of your protected health information that is in your designated record set. You have a right to receive a paper or electronic copy and to receive a response to your request in a timely manner, usually within 30 days. If you would like to get your information, you must make your request in writing on the Inspection and Copying Request Form. You have the right to direct that the copy of information be forwarded to a third party. If CDPHP does not have the information you asked for, we will tell you how you may be able to get it. CDPHP will respond in writing to your request. In certain situations, we may deny your request. If we do, we will tell you in writing the reason we are denying your request.
If you ask for a copy of your PHI, we may charge you a fee of up to 75 cents per page for the cost of copying. We can send you your PHI, or if you request, we may send you a summary or general explanation of your PHI if you agree to the cost of preparing and sending it.
Restriction Right
You have the right to ask for restrictions on our use or disclosure of your information for treatment, payment, or health care operations purposes. CDPHP is not required to agree to restriction requests; but if granted, CDPHP will be bound by the agreement except in cases of emergency treatment. You can contact the CDPHP member services department at the phone number on your identification card or (518) 641-3000 or 1-888-258-0477 to ask for a restriction request.
Amendment Right
You have the right to ask us to correct your PHI or add missing information if you think there is a mistake in your PHI. You must send us your request in writing on the Request for Amendment of Health Information Form and give the reason for your request. We will respond to you in writing. If we approve your request, we will make the change to your PHI. We will tell you that we have made the change. We will also tell others who need to know about the change to your PHI.
We may deny your request if your PHI is: a) correct and complete; b) not made by us; c) not allowed to be disclosed; or d) not part of our records. Our written denial will also explain your rights to file a written statement of disagreement. You have the right to ask that your written request, our written denial, and your statement of disagreement be attached to your PHI any time we give it out in the future.
Confidential Communications Right
You have the right to ask that we send PHI to you at an address of your choice or to communicate with you in a certain way. All requests for confidential communications must be made in writing on the Confidential Communications Request Form. We will respond to you in writing.
Accounting of Disclosures Right
You have the right to get a list of instances in which we have given out your PHI by completing the Accounting of Disclosures Request Form. The list we provide will not include: a) disclosures we made so you could get treatment; b) disclosures we made so we could make payment for your treatment; c) disclosures we made in order to operate our business; d) disclosures made directly to you or to people you choose; e) disclosures made to corrections or law enforcement personnel; f) disclosures we made before April 14, 2003; or g) disclosures we made when we had your authorization.
We will respond to your request in writing. Your request must state a time period that may not be longer than six years and may not include dates before April 14, 2003.
The list will include: a) the date of the disclosure; b) the person to whom PHI was disclosed (including that person’s address, if known); c) a description of the information disclosed; and d) the reason for the disclosure. If you ask, we will give you one list of disclosures every 12 months for free. However, if you ask for another list within 12 months of getting your free list, we will send you one if you agree to pay the reasonable fee we will charge for the additional list. We will tell you in advance of the fee and give you a chance to cancel or change your request.
Notice of Privacy Practices Right
You have the right to receive a paper copy of this Notice of Privacy Practices at any time. You can call the member services number on your identification card to request a copy of this notice. Or you can get a copy of this notice from our website at www.cdphp.com.
Notice of Breach of Confidentiality
You have the right to be notified by CDPHP after a breach of unsecured PHI.
Questions and Complaints
If you want more information about our privacy practices or have questions or concerns, please contact the CDPHP privacy official at (518) 641-5261. If you think that your privacy rights may have been violated, you may send a written complaint to: CDPHP Privacy Official, 500 Patroon Creek Blvd., Albany, NY 12206-1057. You also may submit a written complaint to the Office for Civil Rights, U.S. Department of Health and Human Services. At CDPHP, we are committed to safeguarding your information. Therefore, you will not be penalized in any way for filing a complaint about our privacy practices.