Group Associates           
   
  Home > Privacy Policy  
 

Privacy Policy

As a Business Associate to many organizations, Group Associates' workforce may have access to the individually identifiable health information of client plan participants (1) on behalf of the plan itself; or (2) on behalf of the client, for administrative functions of their benefit plans.  Therefore, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its implementing regulations restrict Group Associates ability to use and disclose protected health information (PHI).

Protected health information means information that is created or received by Group Associates and relates to the past, present, or future physical or mental health or condition of a participant; the provision of health care to a participant; and that identifies the participant or for which there is reasonable basis to believe the information can be used to identify the participant.  Protected health information includes information of persons living or deceased.

It is Group Associates policy to comply fully with HIPAA’s requirements.  To that end, all members of Group Associates workforce who have access to PHI must comply with the Privacy Policy.  For purposes of this Policy, Group Associate's workforce includes Individuals who would be considered part of the workforce under HIPAA, such as employees, volunteers, trainees, temporary staff, and other persons whose work performance is under the direct control of Group Associates, whether or not they are paid by Group Associates.  The term “employee” includes all of these types of workers.

No third party rights (including, but not limited to, rights of Plan participants, beneficiaries, covered dependents, business associates, or third parties) are intended to be created by this Policy.  Group Associates reserves the right to amend or change this Policy at any time (and even retroactively) without notice.  To the extent this Policy establishes requirements and obligations above and beyond those required by HIPAA; the Policy shall be aspirational and shall not be binding upon Group Associates.  This Policy does not address requirements under other federal laws or under state laws.

Group Associates Administrative Requirements

I.  Privacy Lead and Contact Person
The Privacy Lead for Group Associates is stipulated in the Privacy Lead Assignment document.  The Privacy Lead will be responsible for the development and implementation of policies and procedures relating to privacy, including but not limited to this Privacy Policy.  The Privacy Lead will also serve as the contact person for participants who have questions, concerns, or complaints about the privacy of their PHI.

II. Workforce Training
It is Group Associates policy to train all members of its workforce on its privacy policies and procedures.  The Privacy Lead is charged with developing training schedules and programs so that all workforce members receive the training necessary and appropriate to permit them to carry out their functions.

III. Technical and Physical Safeguards and Firewall
Group Associates will establish appropriate technical and physical safeguards to prevent PHI from intentionally or unintentionally being used or disclosed in violation of HIPAA’s requirements.  Technical safeguards include limiting access to information by creating computer firewalls.  Physical safeguards include locking filing cabinets.

Firewalls will ensure that only authorized employees will have access to PHI, that they will have access to only the minimum amount of PHI necessary for client service functions, and that they will not further use or disclose PHI in violation of HIPAA’s privacy rules.

IV. Sanctions for Violations of Privacy Policy
Sanctions for using or disclosing PHI in violation of this HIPAA Privacy Policy will be imposed in accordance with Group Associates Disciplinary Action Policy, up to and including termination.

V. Mitigation of Inadvertent Disclosures of Protected Health Information
Group Associates shall mitigate, to the extent possible, any harmful effects that become known to it of a use or disclosure of an Individual’s PHI in violation of the policies and procedures set forth in this Policy.  As a result, if an employee becomes aware if a disclosure of protected health information, either by an employee of Group Associates or an outside consultant/contractor, that is not in compliance with this Policy, immediately contact the Privacy Lead so that the appropriate steps to mitigate any harm to the participant can be taken.

VI. No Intimidating or Retaliatory Acts; No Waiver of HIPAA Privacy
No employee may intimidate, threaten, coerce, discriminate against, or take other retaliatory action against Individuals for exercising their rights, filing a complaint, participating in an investigation, or opposing any improper practice under HIPAA.

No Individual shall be required to waive his or her privacy rights under HIPAA as a condition of treatment, payment, enrollment or eligibility.

VII. Documentation
Group Associates privacy policies and procedures shall be documented and maintained for at least six years.  Policies and procedures must be changed as necessary or appropriate to comply with changes in the law, standards, requirements and implementation specifications (including changes and modifications in regulations).  Any changes to policies or procedures must be promptly documented.  Such change is effective only with respect to PHI created or received after the effective date of the change.

Group Associates shall document certain events and actions (including authorizations, requests for information, sanctions, and complaints) relating to an Individual’s privacy rights.

The documentation of any policies and procedures, actions, activities and designations must be maintained in either written or electronic form for at least six years.

Policies on Use and Disclosure of PHI

I.  Use and Disclosure Defined
Group Associates will use and disclose PHI only as permitted under HIPAA. The term “use” and “disclosure” are defined as follows:

  • Use.  The sharing, employment, application, utilization, examination, or analysis of individually identifiable health information by any person working for or within the defined Group Associates' workforce.
  • Disclosure.  For information that is protected health information, disclosure means any release, transfer, provision of access to, or divulging in any other manner of individually identifiable health information to persons not employed by or working within the defined Group Associates' workforce.

II. Workforce Must Comply With Group Associates' Policy and Procedures
All members of Group Associates' workforce (described at the beginning of this Policy and referred to herein as “employees”) must comply with this Policy and with Group Associates more detailed use and disclosure procedures, which are set forth in separate documents. 

III. Access to PHI is Limited to Certain Employees
Employees who have authorized access to PHI are identified by title and by department based on access.  The defined employees may use and disclose PHI for plan administrative functions, and they may disclose PHI to other employees with access for plan administrative functions, but the PHI disclosed must be limited to the minimum amount necessary to perform the plan administrative function. 

IV. Permitted Uses and Disclosures: Payment and Health Care Operations
PHI may be disclosed for Group Associates own payment purposes, and PHI may be disclosed to another entity for the payment purpose of the Covered Entity.

Payment includes activities undertaken to obtain Plan contributions or to determine or fulfill the Plan’s responsibility for provision of benefits under the Plan, or to obtain or provide reimbursement for health care. 

Payment also includes:

  • Eligibility and coverage determinations, including coordination of benefits and adjudication or subrogation of health benefit claims;
  • Risk adjusting based on enrollee status and demographic characteristics; and
  • Billing, claims management, collection activities, obtaining payment under contract for reinsurance (including stop-loss insurance and excess loss insurance) and related health care data processing.

PHI may be disclosed for purposes of the Plan’s own health care operations.  PHI may be disclosed to another Covered Entity for purposes of the other Covered Entity’s quality assessment and improvement, case management, or health care fraud and abuse detection programs, if the other Covered Entity has (or had) a relationship with the participant and the PHI requested pertains to that relationship.

Health Care Operations means any of the following activities to the extent that they are related to Plan administration:

  • Conducting quality assessment and improvement activities;
  • Reviewing health plan performance;
  • Underwriting and premium rating;
  • Conducting or arranging for medical review, legal services and auditing functions;
  • Business planning and development; and
  • Business management and general administrative activities.

V.  Mandatory Disclosures of PHI: to Individual and the Department of Health and Human Services (DHHS)
A participant’s PHI must be disclosed as required by HIPAA in two situations:

  • The disclosure is to the Individual who is the subject of the information; and
  • The disclosure is made to DHHS for purposes of enforcing of HIPAA.

VI. Permissive Disclosures of PHI: for Legal and Public Policy Purposes
PHI may be disclosed in the following situations without a participant’s authorization, when specific requirements are satisfied. Group Associates more detailed use and disclosure procedures detail specific requirements that must be met before these types of disclosures may be made.  The requirements include prior approval of Group Associates Privacy Lead.  Disclosures are permitted:

  • About victims of abuse, neglect or domestic violence;
  • For judicial and administrative proceedings;
  • For law enforcement purposes;
  • For public health activities;
  • For health oversight activities;
  • About decedents;
  • For cadaver, organ, eye or tissue donation purposes;
  • To avert a serious threat to health or safety;
  • For specialized government functions; and
  • That relate to worker’s compensation program.

VII. Disclosures of PHI Pursuant to an Authorization
PHI may be disclosed for any purpose if an authorization that satisfies all of HIPAA’s requirements for a valid authorization is provided by the participant. All uses and disclosures made pursuant to a signed authorization must be consistent with the terms and conditions of the authorization.

VIII. Complying With the “Minimum-Necessary” Standard
HIPAA requires that when PHI is used or disclosed, the amount disclosed generally must be limited to the “minimum-necessary” to accomplish the purpose of the use or disclosure.

The “minimum-necessary” standard does not apply to the following:

  • Uses or disclosures made to the Individual;
  • Uses or disclosures made pursuant to a valid authorization;
  • Disclosures made to the DOL;
  • Uses or disclosures required by law; and
  • Uses or disclosures required to comply with HIPAA.

IX. Disclosure of De-Identified Information
The Plan may freely use and disclose de-identified information.  De-identified information is health information that does not identify an Individual.  There are two ways that information is de-identified; either by professional statistical analysis, or by removing 18 specific identifiers.

Policies on Individual Rights

I.  Access to Protected Health Information and Requests for Amendment
HIPAA gives participants the right to access and obtain copies of their PHI that Group Associates maintains in designated record sets.  HIPAA also provides that participants may request to have their PHI amended.  Group Associates will provide access to PHI and it will consider requests for amendment that are submitted in writing by participants.

Designated Record Set is a group of records maintained by Group Associates that includes:

  • The enrollment, payment, and claims adjudication record of an Individual; or
  • Other PHI used, in whole or in part, to make coverage decisions about an Individual.

 

II. Requesting a Personal Representative or Individual Authorization
An Individual has the right to share any or all of his/her rights with another individual.  To the extent the individual is an immediate family member, as defined by our policy, the Individual may identify a Personal Representative.  To the extent the request is to share information with an organization or an individual who is not an immediate family member, the Individual may complete an Individual Authorization.

III. Request for Alternative Communication Means or Locations
Participants may request communications regarding their PHI by alternative means or at alternative locations.  For example, participants may ask to be called only at work rather than at home.  Such requests may be honored if, in the sole discretion of Group Associates, the requests are reasonable. 

However, Group Associates shall accommodate such a request if the participant clearly provides information that the disclosure of all or part of that information could endanger the participant.  The Privacy Lead has responsibility for administrating requests for confidential communications.

IV. Request for Restrictions on Uses and Disclosures of Protected Health Information
A participant may request restrictions on the use and disclosure of the participant’s PHI.  It is Group Associates policy to attempt to honor such requests if, in the sole discretion of Group Associates, the requests are reasonable. 

V. Accounting of Disclosures
An Individual has the right to obtain an accounting of certain disclosure of his or her own PHI.  This right to an accounting extends to disclosures made in the last six years, other than disclosures:

  • To carry out treatment, payment or health care operations;
  • To Individuals about their own PHI;
  • Incident to an otherwise permitted use or disclosure;
  • Pursuant to an authorization;
  • For purposes of creation of a facility directory or to persons involved in the patient’s care or other notification purposes;
  • As part of a limited data set; or
  • For other national security or law enforcement purposes.

Group Associates shall respond to an accounting request within 60 days (30 days if PHI is stored on site).  If Group Associates is unable to provide the accounting within 60 days, it may extend the period by 30 days, provided that it gives the participant notice (including the reason for the delay and the date the information will be provided) within the original 60-day period.

The accounting must include the date of the disclosure, the name of the receiving party, a brief description of the information disclosed, and a brief statement of the purpose of the disclosure (or a copy of the written request for disclosure, if any).

The first accounting in any 12-month period shall be provided free of charge.  The Privacy Lead may impose reasonable production and mailing costs for subsequent accountings.

VI. Complaints
Individuals have a right to notify Group Associates or the Covered Entity if they are concerned about a privacy policy or procedure.  The Privacy Lead will be Group Associates' contact person for receiving complaints. 

The Privacy Lead is responsible for creating a process for Individuals to lodge complaints about Group Associates privacy procedures and for creating a system for handling such complaints.  A copy of the complaint procedure shall be provided to any participant upon request.
 


 
Group Associates, Inc., 30800 Telegraph Road, Suite 3800, Bingham Farms, MI 48025
800.342.8908 - sales@groupassociates.com
Home  |  Client Login  |  Sitemap  |  Legal Notice  |  Privacy Policy  |  GA News  |  Company  |  Careers