BOARD OF REGENTS OF THE UNIVERSITY SYSTEM OF GEORGIA
Health Insurance Portability and Accountability Act (HIPAA) Notice of Privacy Practices
The broad mission and extensive scope of operations of the Board of Regents of the University System of Georgia, including the constituent colleges and universities of the University System of Georgia (collectively, the “Board”), necessitates that the Board collect, maintain, and, where necessary, disseminate health information regarding the Board’s students, employees, volunteers, and others. For example, the Board collects medical information through its various medical and dental hospitals, clinics, and infirmaries, through the administration of its various medical and life insurance programs, and through its various environmental health and safety programs. The Board protects the confidentiality of individually identifiable health information that is in its possession. Such health information, which is protected from unauthorized disclosure by Board policies and by state and federal law, is referred to as “protected health information,” or “PHI.”
PHI is defined as any individually identifiable health information regarding an employee’s, a student’s, or a patient’s medical/dental history; mental or physical condition; or medical treatment. Examples of PHI include patient name, address, telephone and/or fax number, electronic mail address, social security number or other patient identification number, date of birth, date of treatment, medical treatment records, medical enrollment records, or medical claims records.
The Board will follow the practices that are described in this Notice of Privacy Practices (“Notice”). The Board reserves the right to change the terms of this Notice and of its privacy policies, and to make the new terms applicable to all PHI that it maintains. Before the Board makes an important change to its privacy policies, it will promptly revise this Notice and post a new Notice in conspicuous locations.
Permitted Uses and Disclosures of PHI
The following categories describe the different ways in which the Board may use or disclose your PHI. We include some examples that should help you better understand each category.
The Board may receive, use, or disclose your PHI to administer your health and dental benefits plan. Please be informed that the Board, under certain conditions and circumstances, may use or disclose your PHI without obtaining your prior written authorization. An example of this would be when the Board is required to do so by law. Other examples are presented below.
For Treatment. The Board may use and disclose PHI as it relates to the provision, coordination, or management of medical treatment that you receive. The disclosure of PHI may be shared among the respective healthcare providers who are involved with your treatment and medical care. For example, if your primary care physician needs to use/disclose your PHI to a specialist, with whom he/she consults regarding your condition, this would be permitted.
For Payment. The Board may use and disclose PHI to bill and collect payment for healthcare services and items that you receive. The Board may transmit PHI to verify that you are eligible for healthcare and/or dental benefits. The Board may be required to disclose PHI to its business associates, such as its claims processing vendor, to assist in the processing of your health and dental claims. The Board may disclose PHI to other healthcare providers and health plans for the payment of services that are rendered to you or to your covered family members by such providers or health plans.
For Healthcare Operations. The Board may use and disclose PHI as part of its business operations. As an example, the Board may require a healthcare vendor partner (referred to as a “business associate”) to survey and assess constituent satisfaction with healthcare plan design/coverage. Constituent survey results assist the Board in evaluating quality of care issues and in identifying areas for needed healthcare plan improvements. Business associates are required to agree to protect the confidentiality of your individually identifiable health information.
The Board may disclose PHI to ensure compliance with applicable laws. The Board may disclose PHI to healthcare/dental providers and health/dental plans to assist them with their required credentialing and peer review activities. The Board may disclose PHI to assist in the detection of healthcare fraud and abuse. Please be reminded that the list of examples that are provided are not intended to be either exhaustive, or exclusive.
As Required by Law and Law Enforcement. The Board must disclose PHI when required to do so by applicable law. The Board must disclose PHI when ordered to do so in a judicial or administrative proceeding. The Board must disclose PHI to assist law enforcement personnel with the identification/location of a suspect, fugitive, material witness, or missing person. The Board must disclose PHI to comply with a law enforcement search warrant, a coroner’s request for information during his/her investigation, or for other law enforcement purposes.
For Public Health Activities and Public Health Risks. The Board may disclose PHI to government agencies that are responsible for public health activities and to government agencies that are responsible for minimizing exposure to public health risks. The Board may disclose PHI to government agencies that maintain vital records, such as births and deaths. Additional examples in which the Board may disclose PHI, as it relates to public health activities, include assisting in the prevention and control of disease; reporting incidents of child abuse or neglect; reporting incidents of abuse, neglect, or domestic violence; reporting reactions to medications or product defects; notifying an individual who may have been exposed to a communicable disease; or, notifying an individual who may be at risk of contracting or spreading a disease or condition.
For Health Oversight Activities. The Board may disclose PHI to a government agency that is authorized by law to conduct health oversight activities. Examples in which the Board may disclose PHI, as it relates to health oversight activities, include assisting with audits, investigations, inspections, licensure or disciplinary actions, and other proceedings, actions or activities that are necessary to monitor healthcare systems, government programs, and compliance with civil rights laws.
Coroners, Medical Examiners, and Funeral Directors. The Board may disclose PHI to coroners, medical examiners, and funeral directors for the purpose of identifying a decedent; for determining a cause of death; or, otherwise as necessary, to enable these parties to carry out their duties consistent with applicable law.
Organ, Eye, and Tissue Donation. The Board may release PHI to organ procurement organizations to facilitate organ, eye, and tissue donation and transplantation.
Research. Under certain circumstances, the Board may use and disclose PHI for medical research purposes.
To Avoid a Serious Threat to Health or Safety. The Board may use and disclose PHI to law enforcement personnel or other appropriate persons. The Board may use and disclose PHI to prevent or lessen a serious threat to the health or safety of a person or the public.
Specialized Government Functions. The Board may use and disclose PHI for military personnel and veterans, under certain conditions, and if required by the appropriate authorities. The Board may use and disclose PHI to authorized federal officials for intelligence, counterintelligence, and other national security activities. The Board may use and disclose PHI for the provision of protective services for the President of the United States, other authorized persons, or foreign heads of state. The Board may use and disclose PHI to conduct special investigations.
Workers’ Compensation. The Board may disclose PHI for worker’s compensation and similar programs. These programs provide benefits for work-related injuries or illnesses.
Appointment Reminders/Health Related Benefits and Services. The Board and/or its business associates may use and disclose your PHI to various other business associates that may contact you to remind you of a healthcare or dental appointment. The Board may use and disclose your PHI to business associates that will inform you of treatment program options, or, of other health related benefits/services such as disease state management programs.
Disclosures for HIPAA Compliance Investigations. The Board must disclose your PHI to the Secretary of the United States Department of Health and Human Services (the "Secretary") when so requested. The Secretary may make such a request of the Board to investigate its compliance with privacy regulations of the federal Health Insurance Portability and Accountability Act of 1996 ("HIPAA").
Uses and Disclosures of Your PHI to Which You Have an Opportunity to Object
You have the opportunity to object to certain categories of uses and disclosures of PHI that the Board may make:
Patient Directories. Unless you object, the Board may use some of your PHI to maintain a directory of individuals in its hospitals or provider facilities. This information may include your name, your location in the facility, your general condition (e.g. fair, stable, etc.), and your religious affiliation. Religious affiliation may be disclosed to members of the clergy. Except for religious affiliation, the information that is maintained in a patient directory may be disclosed to other persons who request such information by referring to your name.
Disclosures to Individuals Involved in Your Health Care or Payment for Your Health Care. Unless you object, the Board may disclose your PHI to a family member, another relative, a friend, or another person whom you have identified as being involved with your healthcare, or, responsible for the payment of your healthcare. The Board may also notify these individuals concerning your location or condition.
Fundraising Activities. Unless you object, the Board may disclose your PHI to contact you for fundraising efforts to support the Board, its related foundations, and/or its cooperative organizations. Such disclosure would be limited to personal contact information, such as your name, address and telephone number. The money raised in connection with these fundraising activities would be used to expand and support the provision of healthcare and related services to the community.
If you object to the use of your PHI in any, or all, of the three instances identified above, please notify your campus or facility privacy officer, in writing.
Other Uses and Disclosures of Your PHI For Which Authorization is Required
Certain uses and disclosures of your PHI will be made only with your written authorization. Please be advised that there are some limitations with regard to your right to object to a decision to use or disclose your PHI.
Regulatory Requirements. The Board is required, by law, to maintain the privacy of your PHI, to provide individuals with notice of the Board’s legal duties and PHI privacy practices, and to abide by the terms described in this Notice. The Board reserves the right to change the terms of this Notice and of its privacy policies, and to make the new terms applicable to all PHI that it maintains. Before the Board makes an important change to its privacy policies, it will promptly revise this Notice and post a new Notice in conspicuous locations. You have the following rights regarding your PHI:
You may request that the Board restrict the use and disclosure of your PHI. The Board is not required to agree to any restrictions that you request, but if the Board does so, it will be bound by the restrictions to which it agrees, except in emergency situations.
You have the right to request that communications of PHI to you from the Board be made by a particular means or at particular locations. For instance, you might request that communications be made at your work address, or by electronic mail, rather than by regular US postal mail. Your request must be made in writing. Your request must be sent to the privacy officer on your campus or facility. The Board will accommodate your reasonable requests without requiring you to provide a reason for your request.
Generally, you have the right to inspect and copy your PHI that the Board maintains, provided that you make your request in writing to the privacy officer on your campus or your facility. Within thirty (30) days of receiving your request (unless extended by an additional thirty (30) days), the Board will inform you of the extent to which your request has, or, has not been granted. In some cases, the Board may provide you with a summary of the PHI that you request, if you agree in advance to a summary of such information and to any associated fees. If you request copies of your PHI, or agree to a summary of your PHI, the Board may impose a reasonable fee to cover copying, postage, and related costs.
If the Board denies access to your PHI, it will explain the basis for the denial. The Board will explain your opportunity to have your request and the denial reviewed by a licensed healthcare professional (who was not involved in the initial denial decision). This healthcare professional will be designated as a reviewing official. If the Board does not maintain the PHI that you request, but it knows where your requested PHI is located; it will advise you how to redirect your request.
If you believe that your PHI maintained by the Board contains an error or needs to be updated, you have the right to request that the Board correct or supplement your PHI. Your request must be made in writing to the privacy officer on your campus or in your facility. Your written request must explain why you desire an amendment to your PHI.
Within sixty (60) days of receiving your request (unless extended by an additional thirty (30) days), the Board will inform you of the extent to which your request has, or, has not been granted. The Board generally can deny your request, if your request for PHI: (i) is not created by the Board, (ii) is not part of the records the Board maintains, (iii) is not subject to being inspected by you, or (iv) is accurate and complete.
If your request is denied, the Board will provide you a written denial that explains the reason for the denial and your rights to: (i) file a statement disagreeing with the denial, (ii) if you do not file a statement of disagreement, to submit a request that any future disclosures of the relevant PHI be made with a copy of your request and the Board’s denial attached, and (iii) complain about the denial.
You generally have the right to request and receive a list of the disclosures of your PHI that the Board has made at any time during the six (6) years prior to the date of your request (provided that such a list would not include disclosures made prior to April 14, 2003).
The list will not include disclosure for which you have provided a written authorization, and will not include certain uses and disclosures to which this Notice already applies, such as those: (i) for treatment, payment, and health care operations, (ii) made to you, (iii) for the Board’s patient directory or to persons involved in your healthcare, (iv) for national security or intelligence purposes, or (v) to correctional institutions or law enforcement officials.
You should submit any such request to the privacy officer on your campus or in your facility. Within sixty (60) days of receiving your request (unless extended by an additional thirty (30) days), the Board will respond to you regarding the status of your request. The Board will provide the list to you at no charge. If you, however, make more than one request in a year, you will be charged a fee for each additional request. You have the right to receive a paper copy of this notice upon request, even if you have agreed to receive this notice electronically. This notice may be found at the Board website address, http://www.usg.edu/legal . To obtain a paper copy of this notice, please contact your campus or facility privacy officer.
You may complain to the Board if you believe your privacy rights, with respect to your PHI, have been violated by contacting the privacy officer on your campus or in your facility. Your must submit a written complaint. The Board will in no manner penalize you or retaliate against you for filing a complaint regarding the Board’s privacy practices. You also have the right to file a complaint with the Secretary of the Department of Health and Human Services. You may contact the Secretary by calling 1-866-627-7748 (outside of metropolitan Atlanta) or (404) 562-7886 (in metropolitan Atlanta).
If you have any questions about this notice, please contact the Human Resources office on your campus or in your facility.
For additional information, please contact the privacy officer on your campus or facility.
Effective Date: April 14, 2003