BOARD OF REGENTS OF THE UNIVERSITY SYSTEM OF GEORGIA
Health
Insurance Portability and Accountability Act (HIPAA) Notice of Privacy
Practices
The broad mission and extensive scope of operations of the
Board of Regents of the University System of Georgia, including the constituent
colleges and universities of the University System of Georgia (collectively,
the "Board"), necessitates that the Board collect, maintain, and, where
necessary, disseminate health information regarding the Board's students,
employees, volunteers, and others. For example, the Board collects medical
information through its various medical and dental hospitals, clinics, and
infirmaries, through the administration of its various medical and life
insurance programs, and through its various environmental health and safety
programs. The Board protects the confidentiality of individually identifiable
health information that is in its possession. Such health information, which is protected from unauthorized disclosure
by Board policies and by state and federal law, is referred to as "protected
health information," or "PHI."
PHI is
defined as any individually identifiable health information regarding an
employee's, a student's, or a patient's medical/dental history; mental or
physical condition; or medical treatment. Examples of PHI include patient name, address, telephone and/or fax
number, electronic mail address, social security number or other patient
identification number, date of birth, date of treatment, medical treatment
records, medical enrollment records, or medical claims records.
The Board will follow the practices that are described in
this Notice of Privacy Practices ("Notice"). The Board reserves the right to change the terms of this Notice and of
its privacy policies, and to make the new terms applicable to all PHI
that it maintains. Before the Board
makes an important change to its privacy policies, it will promptly revise this
Notice and post a new Notice in conspicuous locations.
Permitted Uses and Disclosures of PHI
The following categories describe the different ways in
which the Board may use or disclose your PHI. We include some examples that should help you
better understand each category.
The Board may receive, use, or disclose your PHI to
administer your health and dental benefits plan. Please be informed that the Board, under
certain conditions and circumstances, may use or disclose your PHI without obtaining your prior written authorization. An example of this
would be when the Board is required to do so by law. Other examples are presented below.
For Treatment. The Board may use
and disclose PHI as it relates to the provision, coordination, or
management of medical treatment that you receive. The disclosure of PHI
may be shared among the respective healthcare providers who are involved with
your treatment and medical care. For
example, if your primary care physician needs to use/disclose your PHI to
a specialist, with whom he/she consults regarding your condition, this would be
permitted.
For Payment. The Board may use and disclose PHI to bill and collect payment
for healthcare services and items that you receive. The Board may transmit PHI to verify that you are
eligible for healthcare and/or dental benefits. The Board may be required to disclose PHI to its business associates,
such as its claims processing vendor, to assist in the processing of your
health and dental claims. The Board may disclose PHI to other healthcare
providers and health plans for the payment of services that are rendered to you
or to your covered family members by such providers or health plans.
For
Healthcare Operations. The Board may use and disclose PHI as part of its business
operations. As an example, the Board may
require a healthcare vendor partner (referred to as a "business associate") to
survey and assess constituent satisfaction with healthcare plan
design/coverage. Constituent survey
results assist the Board in evaluating quality of care issues and in
identifying areas for needed healthcare plan improvements. Business associates are required to agree to
protect the confidentiality of your individually
identifiable health information.
The Board may disclose PHI to ensure compliance with
applicable laws. The Board may disclose PHI to healthcare/dental
providers and health/dental plans to assist them with their required
credentialing and peer review activities. The Board may disclose PHI to assist in the detection
of healthcare fraud and abuse. Please be
reminded that the list of examples that are provided
are not intended to be either exhaustive, or exclusive.
As Required by Law and Law
Enforcement. The Board must disclose PHI when required to do so by
applicable law. The Board must disclose PHI when ordered to do so in a
judicial or administrative proceeding. The
Board must disclose PHI to assist law enforcement personnel with the
identification/location of a suspect, fugitive, material witness, or missing
person. The Board must disclose PHI to comply with a law
enforcement search warrant, a coroner's request for information during his/her
investigation, or for other law enforcement purposes.
For
Public Health Activities and Public Health Risks. The Board may disclose PHI to government agencies that
are responsible for public health activities and to government agencies that
are responsible for minimizing exposure to public health risks. The Board may disclose PHI to government agencies that
maintain vital records, such as births and deaths. Additional examples in which the Board may
disclose PHI, as it relates to public health activities, include assisting in the
prevention and control of disease; reporting incidents of child abuse or
neglect; reporting incidents of abuse, neglect, or domestic violence; reporting
reactions to medications or product defects; notifying an individual who may
have been exposed to a communicable disease; or, notifying an individual who
may be at risk of contracting or spreading a disease or condition.
For
Health Oversight Activities. The Board
may disclose PHI to a government agency that is authorized by law to conduct health
oversight activities. Examples in which
the Board may disclose PHI, as it relates to health oversight
activities, include assisting with audits, investigations, inspections,
licensure or disciplinary actions, and other proceedings, actions or activities
that are necessary to monitor healthcare systems, government programs, and
compliance with civil rights laws.
Coroners,
Medical Examiners, and Funeral Directors. The Board may disclose PHI to coroners, medical
examiners, and funeral directors for the purpose of identifying a decedent; for
determining a cause of death; or, otherwise as necessary, to enable these
parties to carry out their duties consistent with applicable law.
Organ,
Eye, and Tissue Donation. The Board
may release PHI to organ procurement organizations to facilitate organ, eye, and
tissue donation and transplantation.
Research. Under certain circumstances, the Board may
use and disclose PHI for medical research purposes.
To
Avoid a Serious Threat to Health or Safety. The Board
may use and disclose PHI to law enforcement personnel or other
appropriate persons. The Board may use
and disclose PHI to prevent or lessen a serious threat to the health or safety of a
person or the public.
Specialized Government Functions. The Board may use and disclose PHI for
military personnel and veterans, under certain conditions, and if required by
the appropriate authorities. The Board
may use and disclose PHI to authorized federal officials for intelligence,
counterintelligence, and other national security activities. The Board may use and disclose PHI for the provision of
protective services for the President of the United States, other authorized persons,
or foreign heads of state. The Board may
use and disclose PHI to conduct special investigations.
Workers'
Compensation. The Board may disclose PHI for worker's compensation
and similar programs. These programs
provide benefits for work-related injuries or illnesses.
Appointment Reminders/Health
Related Benefits and Services. The Board
and/or its business associates may use and disclose your PHI to various other business
associates that may contact you to remind you of a healthcare or dental
appointment. The Board may use and
disclose your PHI to business associates that will inform you of treatment program
options, or, of other health related benefits/services such as disease state
management programs.
Disclosures
for HIPAA Compliance Investigations. The
Board must disclose your PHI to the Secretary of the United States
Department of Health and Human Services (the "Secretary") when so
requested. The Secretary may make such a
request of the Board to investigate its compliance with privacy regulations of
the federal Health Insurance Portability and Accountability Act of 1996
("HIPAA").
Uses and Disclosures of Your PHI
to Which You Have an Opportunity to Object
You have the opportunity to object to
certain categories of uses and disclosures of PHI that the Board may make:
Patient
Directories. Unless you object, the Board may use some of
your PHI to maintain a directory of individuals in its hospitals or provider
facilities. This information may include
your name, your location in the facility, your general condition (e.g. fair, stable, etc.), and your
religious affiliation. Religious
affiliation may be disclosed to members of the clergy. Except for religious affiliation, the
information that is maintained in a patient directory may be disclosed to other
persons who request such information by referring to your name.
Disclosures to Individuals
Involved in Your Health Care or Payment for Your Health Care. Unless you object, the Board may disclose
your PHI to a family member, another relative, a friend, or another person whom
you have identified as being involved with your healthcare, or, responsible for
the payment of your healthcare. The
Board may also notify these individuals concerning your location or condition.
Fundraising
Activities. Unless you object, the Board may disclose
your PHI to contact you for fundraising efforts to support the Board, its
related foundations, and/or its cooperative organizations. Such disclosure would be limited to personal
contact information, such as your name, address and telephone number. The money raised in connection with these
fundraising activities would be used to expand and support the provision of
healthcare and related services to the community.
If
you object to the use of your PHI in any, or all, of the
three instances identified above, please notify your campus or facility privacy
officer, in writing.
Other Uses and Disclosures
of Your PHI For Which Authorization is
Required
Certain uses and disclosures
of your PHI will be made only with your written authorization. Please be advised that there are some
limitations with regard to your right to object to a decision to use or
disclose your PHI.
Regulatory Requirements. The Board is required, by law, to maintain
the privacy of your PHI, to provide individuals with notice of the
Board's legal duties and PHI privacy practices, and to abide by the terms
described in this Notice. The Board
reserves the right to change the terms of this Notice and of its privacy
policies, and to make the new terms applicable to all PHI that it maintains. Before the Board makes an important change to
its privacy policies, it will promptly revise this Notice and post a new Notice
in conspicuous locations. You have the
following rights regarding your PHI:
You may request that the Board restrict
the use and disclosure of your PHI. The Board is
not required to agree to any restrictions that you request, but if the Board
does so, it will be bound by the restrictions to which it agrees, except in
emergency situations.
You have the right to request that
communications of PHI to you from the Board be made by a particular means or at
particular locations. For instance, you
might request that communications be made at your work address, or by
electronic mail, rather than by regular US postal mail. Your request must be made in writing. Your request must be sent to the privacy
officer on your campus or facility. The
Board will accommodate your reasonable requests without requiring you to
provide a reason for your request.
Generally, you have the right to inspect
and copy your PHI that the Board maintains, provided that
you make your request in writing to the privacy officer on your campus or your
facility. Within thirty (30) days of
receiving your request (unless extended by an additional thirty (30) days), the
Board will inform you of the extent to which your request has, or, has not been
granted. In some cases, the Board may
provide you with a summary of the PHI that you request, if you agree in
advance to a summary of such information and to any associated fees. If you request copies of your PHI, or agree to a summary of your PHI, the Board may impose a reasonable fee
to cover copying, postage, and related costs.
If the Board denies access to your PHI, it will explain the basis for the
denial. The Board will explain your
opportunity to have your request and the denial reviewed by a licensed
healthcare professional (who was not involved in the initial denial
decision). This healthcare professional
will be designated as a reviewing official. If the Board does not maintain the PHI that you request, but it knows where your requested PHI is located; it will advise you how to
redirect your request.
If you believe that your PHI maintained by the Board contains an
error or needs to be updated, you have the right to request that the Board
correct or supplement your PHI. Your request must
be made in writing to the privacy officer on your campus or in your
facility. Your written request must
explain why you desire an amendment to your PHI.
Within sixty (60) days of receiving your
request (unless extended by an additional thirty (30) days), the Board will
inform you of the extent to which your request has, or, has not been
granted. The Board generally can deny
your request, if your request for PHI: (i) is not created by the Board, (ii)
is not part of the records the Board maintains, (iii) is not subject to being
inspected by you, or (iv) is accurate and complete.
If your request is denied, the Board will
provide you a written denial that explains the reason for the denial and your
rights to: (i) file a statement disagreeing with the denial, (ii) if you do not
file a statement of disagreement, to submit a request that any future
disclosures of the relevant PHI be made with a copy of your request and the Board's
denial attached, and (iii) complain about the denial.
You generally have the right to request
and receive a list of the disclosures of your PHI that the Board has made at any time
during the six (6) years prior to the date of your request (provided that such
a list would not include disclosures made prior to April 14, 2003).
The list will not include disclosure for
which you have provided a written authorization, and will not include certain
uses and disclosures to which this Notice already applies, such as those: (i)
for treatment, payment, and health care operations, (ii) made to you, (iii) for
the Board's patient directory or to persons involved in your healthcare, (iv)
for national security or intelligence purposes, or (v) to correctional
institutions or law enforcement officials.
You should submit any such request to the
privacy officer on your campus or in your facility. Within sixty (60) days of receiving your
request (unless extended by an additional thirty (30) days), the Board will respond
to you regarding the status of your request. The Board will provide the list to you at no charge. If you, however,
make more than one request in a year, you will be charged a fee for each
additional request. You have the right
to receive a paper copy of this notice upon request, even if you have agreed to
receive this notice electronically. This
notice may be found at the Board website address, www.usg.edu/admin/legal. To obtain a paper copy of this notice, please contact your campus or
facility privacy officer.
You may complain to the Board if you believe your
privacy rights, with respect to your PHI, have been violated by contacting the
privacy officer on your campus or in your facility. Your must submit a written complaint. The Board will in no manner penalize you or
retaliate against you for filing a complaint regarding the Board's privacy
practices. You also have the right to
file a complaint with the Secretary of the Department of Health and Human
Services. You may contact the Secretary by calling 1-866-627-7748 (outside of
metropolitan Atlanta) or (404) 562-7886 (in metropolitan Atlanta).
If you have any questions
about this notice, please contact the Human Resources office on your campus or
in your facility.
For additional information, please contact the
privacy officer* on your campus or facility.
Effective Date: April 14,
2003
Valdosta State University's Privacy Officer is Deborah
Reaves. She is located in the Department of Human Resources. She can be reached at 333-5709.