University of Pittsburgh | Pitt Home | Pitt Home | Find People | Contact Us Pitt Home |


PRIVACY PRACTICES HOME

NOTICE OF PRIVACY PRACTICES
(PDF FORMAT)
NOTICE SUMMARY (PDF FORMAT)

UNIVERSITY POLICIES
(PDF FORMAT)
PRIVACY OF MEDICAL RECORDS
RELEASE OF PHI
USE AND DISCLOSURES OF PHI
ACCOUNTING OF DISCLOSURE OF PHI
CONTROL OF PHYSICAL ACCESS TO PHI
HIPAA SECURITY POLICY
USE OF PHI FOR FUNDRAISING

RELATED DOCUMENTS (PDF FORMAT)
ACKNOWLEDGMENT FORM
COMPLAINT FORM

RELATED SITES:
SCHOOL OF DENTAL MEDICINE PRIVACY NOTICE
UNIVERSITY OF PITTSBURGH MEDICAL PLANS PRIVACY NOTICE

PRIVACY NOTICE Medical and Health Plans of the University of Pittsburgh

The Privacy Notice - Medical and Health Plans of the University of Pittsburgh outlines the long-standing commitment of the University of Pittsburgh to the rights of our prospective, current, and former faculty, staff, and covered dependents concerning the privacy of their protected health information (PHI).

This notice describes how medical information about you may be or may not be used and disclosed and how you can get access to this information. Please review it carefully.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) imposes numerous requirements on employer health plans concerning the use and disclosure of individual health information. This information, known as protected health information (PHI), includes virtually all individually identifiable health information held by the University's Plans-whether received in writing, in an electronic medium, or as an oral communication. However, please remember that we do not ordinari1y collect or maintain any medical records, doctors or hospital charts. The PHI we maintain consists of aggregate cost information from the claims that your health care providers have submitted to us, as well as enrollment information and the files for member service logs, utilization review files, or files for complaints, request for service, or grievances that you have filed with us. This notice describes the privacy practices of the University of Pittsburgh-sponsored medical insurance plans. The scope extends to all integrated partner companies and ancillary product operations of the UPMC Insurance Services Division. The plans covered by this notice may share health information with each other to carry out Treatment, Payment, or Health Care Operations. These plans are collectively referred to as the Plan in this notice, unless specified otherwise.

The Plan's duties with respect to health information about you

The Plan is required by law to maintain the privacy of your health information and to provide you with this notice of the Plan's legal duties and privacy practices with respect to your health informa­tion. Additionally, the Plan will notify you in the event of a breach of your unsecured PHI. If you participate in the dental and vision programs, you will receive a notice directly from the Insurer. It is important to note that these rules apply to the Plan, not the Univer­sity of Pittsburgh as an employer, according to the way the HIPAA rules work. Different policies may apply to other University of Pittsburgh programs or to data unrelated to the health plan.

How the Plan may use or disclose your health information

The privacy rules generally allow the use and disclosure of your health information without your permission (known as an authorization) for purposes of health care Treatment, Payment activities, and Health Care Operations. We will use or disclose your PHI only for treatment, payment, or operations either to others or with oth­ers who are subject to these Privacy Rules and who are also involved in your health care, or with vendors, agents, or subcontractors with whom we have contracted to assist us in providing your health care services and who are also subject to these Privacy Rules. Here are some examples of what that might entail:

  • Treatment includes providing, coordinating, or managing health care by one (1) or more health care providers or doc­tors. Treatment can also include coordination or management of care between a provider and a third party, and consultation and referrals between providers. For example, the Plan may share health information about you with physicians who are treating you.

  • Payment includes activities by the Plan, other plans, or pro­viders to obtain premiums, make coverage determinations, and provide reimbursement for health care. This can include eligibility determinations, reviewing services for medical ne­cessity or appropriateness, utilization management activities, claims management, and billing, as well as "behind the scenes" plan functions such as risk adjustment, collection, or reinsur­ance. For example, the Plan may share information about your coverage or the expenses you have incurred with an­other health plan in order to coordinate payment of benefits.

  • Health Care Operations include activities by the Plan (and, in limited circumstances, other plans or providers) such as wellness and risk assessment programs, quality assessment and improvement activities, customer service, and internal grievance resolution. Health Care Operations also include vendor evaluations, credentialing, training, accreditation ac­tivities, underwriting, premium rating, arranging for medical review and audit activities, and business planning and devel­opment. For example, the Plan may use information about your claims to review the effectiveness of wellness programs. Although the Plan may use your health information for Health Care Operations, it will not use genetic information for under­writing purposes.

The amount of health information used or disclosed will be limited to the "Minimum Necessary" for these purposes, as defined under the HIPAA rules. The Plan may also contact you to provide appoint­ment reminders or information about treatment alternatives or other health-related benefits and services that may be of interest to you. The Plan may use certain PHI in fundraising activities without receiving an authorization and the Plan may contact you for fund­raising purposes; you have the option to opt out of current and future fundraising activities by notifying the University's Privacy Officer at University of Pittsburgh, 801 Cathedral of Learning, 4200 Fifth Avenue, Pittsburgh, PA 15260 or by contacting the University of Pittsburgh's Benefits Department at 412-624-8160. Fundrais­ing activities are any activity to raise funds for the Plans. If you opt-out of current or future fundraising activities, the Plan will make reasonable efforts to ensure you do not receive any future fundraising information.

How the Plan may share your health information with the University of Pittsburgh

The Plan may disclose your health information without your written authorization to the University of Pittsburgh for plan administration purposes only. The University of Pittsburgh may need your health information to administer benefits under the Plan. The University of Pittsburgh agrees not to use or disclose your health information other than as permitted or required by the Plan documents and by law. The University of Pittsburgh benefits staff and its representatives are the only individuals who will have access to your health information for plan administration functions.
Here's how additional information may be shared between the Plan and the University of Pittsburgh, as allowed under the HIPAA rules:

  • The Plan may disclose "summary health information" to the University of Pittsburgh if requested, for purposes of obtain­ing premium bids to provide coverage under the Plan, or for modifying, amending, or terminating the Plan. Summary health information is information that summarizes participants' claims information, but from which names and other identifying information have been removed.

  • The Plan may disclose to the University of Pittsburgh information on whether an individual is participating in the Plan, or has enrolled or disenrolled in an option offered by the Plan.

In addition, you should know that the University of Pittsburgh cannot and will not use health information obtained from the Plan for any employment-related actions. However, health information collected by the University of Pittsburgh from other sources, for example, under the Family and Medical Leave Act, Americans with Disabilities Act, or workers' compensation, is not covered under HIPAA (although this type of information may be protected under other federal or state laws).

Other allowable uses or disclosures of your health information

In certain cases, your health information can be disclosed without authorization to a family member, close friend, or other person you identify who is involved in your care or payment for your care. Information describing your location, general condition, or death may be provided to a similar person (or to a public or private entity authorized to assist in disaster relief efforts). You will generally be given the chance to agree or object to these disclo­sures (although exceptions may be made, for example, if you are not present or if you are incapacitated). For this purpose we have developed for your use a Personal Representative Designation Form, which you may request from the University of Pittsburgh Benefits Department. In addition, your health information may be disclosed without authorization to your legal representative. The Plan is also allowed to use or disclose your health information without your written authorization for the activities listed in the chart in this privacy notice.

Except as described in this notice, other uses and disclosures will be made only with your written authorization. You may revoke your authorization as allowed under the HIPAA rules. However, you cannot revoke your authorization if the Plan has taken action relying on it. In other words, you cannot revoke your authoriza­tion with respect to disclosures the Plan has already made. There are certain circumstances that require your authorization before any disclosure can be made. These circumstances include the dis­closure or use of psychotherapy notes, the disclosure of PHI for marketing or any disclosure that would constitute a sale of PHI. PHI is "sold" when the Plan receives direct or indirect payment for the information, unless the sale of information relates to research or disclosures for public health. Marketing is any communication where about a product or service that encourages you to purchase a product or use a service, except as may be provided on the chart in this privacy notice.

As required by law

 

Disclosures to federal, state or local agencies in accordance with applicable law.

 

Permitted Marketing Contacts

Disclosures to you regarding refill reminders or other communications about a drug or biologic that you are currently taking; communications about generic equivalents, adherence to properly taking medications and information on self-administered drugs are also excepted; descriptions of health related products or services; to promote general health (such as healthy diet or encouraging routine diagnostic tests); about government or government-sponsored program; treatments and health care operations or recommendations for alternative treatments, providers and therapies; and case management and care coordination.

 

Workers’ compensation

Disclosures to workers' compensation or similar legal programs that provide benefits for work-related injury or illness without regard to fault, as authorized by and necessary to comply with such laws.

 

Necessary to prevent serious threat to health or safety

Disclosures made in the good-faith belief that releasing your health information is necessary to prevent or lessen a serious and imminent threat to public or personal health or safety, if made to someone reasonably able to prevent or lessen the threat (including disclosure to the target of the threat); includes disclosures to assist law enforcement officials in identifying or apprehending an individual because the individual has made a statement admitting participation in a violent crime that the Plan reasonably believes may have caused serious physical harm to a victim, or where it appears the individual has escaped from prison or from lawful custody.

 

Public health activities

Disclosures authorized by law to persons who may be at risk for contracting or spreading disease or condition, or who may have been exposed to a communicable disease; disclosures to public health authorities to prevent or control disease or report child abuse or neglect; disclosures to the Food and Drug Administration to collect or report adverse events and product defects; and to notify individuals of recalls of medication or products they may be using.

 

Victims of abuse, neglect, or domestic violence

Disclosures to government authorities, including social services or protected services agencies authorized by law to receive reports of abuse, neglect, or domestic violence, as required by law or if you agree or the Plan believes that disclosure is necessary to prevent serious harm to you or potential victims (you'll be notified of the Plan's disclosure if informing you won't put you at further risk)

 


Judicial and
administrative proceedings

Disclosures in response to a court or administrative order, subpoena, discovery request, or other lawful process (the Plan may be required to notify you of the request, or receive satisfactory assurance from the party seeking your health information that efforts were made to notify you or to obtain a qualified protective order concerning the information)

 

Law enforcement purposes

Disclosures to law enforcement officials required by law or pursuant to legal process, or to identify a suspect, fugitive, witness, or missing person; disclosures about a crime victim if you agree or if disclosure is necessary for immediate law enforcement activity; disclosure about a death that may have resulted from criminal conduct; and disclosure to provide evidence of criminal conduct on the Plan's premises

 

Decedents

Disclosures to a coroner or medical examiner to identify the deceased or determine cause of death, and to funeral directors to carry out their duties

 

Organ, eye, or tissue donation

Disclosures to organ procurement organizations or other entities to facilitate organ, eye, or tissue donation and transplantation after death

 

Research purposes

Disclosures subject to approval by institutional or private privacy review boards, and subject to certain assurances and representations by researchers regarding necessity of using your health information and treatment of the information during a research project

 

Health oversight activities

Disclosures to health agencies for activities authorized by law (audits, inspections, investigations, or licensing actions) for oversight of the health care system, government benefits programs for which health information is relevant to beneficiary eligibility, and compliance with regulatory programs or civil rights laws

 

Specialized government functions

Disclosures about individuals who are Armed Forces personnel or foreign military personnel under appropriate military command; disclosures to authorized federal officials for national security or intelligence activities; and disclosures to correctional facilities or custodial law enforcement officials about inmates

 

HHS investigations

Disclosures of your health information to the Department of Health and Human Services (HHS) to investigate or determine the Plan's compliance with the HIPAA privacy rule


 

Your individual rights

You have the following rights with respect to your health informa­tion the Plan maintains. These rights are subject to certain limita­tions, as discussed here. At the end of this notice, refer to "Complaints" and "Contact" for explanation of how you may exercise each individual right.

Right to request restrictions on certain uses and disclosures of your health information and the Plan's right to refuse

You have the right to ask the Plan to restrict the use and dis­closure of your health information for Treatment, Payment, or Health Care Operations, except for uses or disclosures required by law. You have the right to ask the Plan to restrict the use and disclosure of your health information to family members, close friends, or other persons you identify as being involved in your care or payment for your care. You also have the right to ask the Plan to restrict use and disclosure of health information to notify those persons of your location, general condition, or death-or to coordinate those efforts with entities assisting in disaster relief efforts. If you want to exercise this right, your request to the Plan must be in writing.

The Plan is not required to agree to a requested restriction. And if the Plan does agree, a restriction may later be terminated by your written request, by agreement between you and the Plan (in­cluding an oral agreement), or unilaterally by the Plan for health information created or received after you are notified that the Plan has removed the restrictions. The Plan may also disclose health information about you if you need emergency treatment, even if the Plan has agreed to a restriction.

Right to receive confidential communications of your health information

If you think that disclosure of your health information by the usual means could endanger you in some way, the Plan will ac­commodate reasonable requests to receive communications of health information from the Plan by alternative means or at al­ternative locations.

If you want to exercise this right, your request to the Plan must be in writing and you must include a statement that disclosure of all or part of the information could endanger you.

Please remember that electronic communications are, by their nature, not encrypted or completely secure. We will not be re­sponsible for disclosures caused by member requests to provide confidential communications to invalid fax numbers or incorrect e-mail addresses.

Right to inspect and copy your health information

With certain exceptions, you have the right to inspect or obtain a copy of your health information. This may include medical and billing records maintained for a health care provider; enrollment, payment, claims adjudication, and case or medical management record systems maintained by the Plan; or a group of records the Plan uses to make decisions about individuals. Again, please re­member that we do not ordinarily collect or maintain any medical records, doctors' records, or hospital charts. We can only provide you access to the PHI that we have in our records. However, you do not have a right to inspect or obtain copies of psychotherapy notes; information compiled for civil, criminal, or administrative proceedings; and health information that is covered by certain federal laws concerning clinical laboratories. In addition, the Plan may deny your right to access, although in certain circumstances you may request a review of the denial.

If you want to exercise this right, your request to the Plan must be in writing. Within 30 days of receipt of your request, the Plan will provide you with:

  • The access or copies you requested;

  • A written denial that explains why your request was denied and any rights you may have to have the denial reviewed or to file a complaint; or

  • A written statement that the time period for reviewing your request will be extended for no more than 30 days, along with the reasons for the delay and the date by which the Plan ex­pects to address your request.

The Plan may provide you with a summary or explanation of the information instead of access to or copies of your health informa­tion, if you agree in advance and pay any applicable fees. The Plan may also charge reasonable fees for copies or postage.
If the Plan doesn't maintain the health information but knows where it is maintained, you will be informed of where to direct your request.

Right to amend your health information that is inaccurate or incomplete

With certain exceptions, you have a right to request that the Plan amend your health information. The Plan may deny your request for a number of reasons. For example, your request may be de­nied if the health information is accurate and complete, was not created by the Plan (unless the person or entity that created the information is no longer available), is not part of the Designated Record Set, or is not available for inspection (e.g., psychotherapy notes or information compiled for civil, criminal, or administrative proceedings).

If you want to exercise this right, your request to the Plan must be in writing, and you must include a statement to support the requested amendment. If in our review of your request to amend your PHI, we are unable to agree to the amendment you have re­quested, we will contact you in writing and explain the reasons for the denial of the request. We will also provide you with the process for you to submit a "Statement of Disagreement" with our denial of your request to amend. You are not required to submit this Statement, but it is an option that you have. Within 60 days of receipt of your request, the Plan will:

  • Make the amendment as requested; or

  • Provide a written explanation about why your request was denied and any rights you may have to disagree or file a com­plaint; or

  • Provide a written statement that the time period for reviewing your request will be extended for no more than 30 days, along with the reasons for the delay and the date by which the Plan expects to address your request.

Right to receive an accounting of disclosures of your health information

You have the right to a list of certain disclosures the Plan has made of your health information. This is often referred to as an "account­ing of disclosures." You generally may receive an accounting of disclosures if the disclosure is required by law, in connection with public health activities, or in similar situations listed in the table earlier in this notice, unless otherwise indicated below.

You may receive information on disclosures of your health infor­mation going back for six (6) years from the date of your request, but not earlier than April 14, 2003 (the general date that the HIPAA privacy rules are effective). You do not have a right to receive an accounting of any disclosures made:

  • For Treatment, Payment, or Health Care Operations;

  • Those that we have already made to you about your PHI;

  • Those that have been made to our contracted vendors for pro­vision of your health care benefits or to any personal represen­tative you have designated;

  • Those made to law enforcement officials;

  • Where authorization was provided;

  • To family members or friends involved in your care (where disclosure is permitted without authorization);

  • For national security or intelligence purposes or to correc­tional institutions or law enforcement officials in certain cir­cumstances; or

  • As part of a "limited data set" (health information that excludes certain identifying information).

In addition, your right to an accounting of disclosures to a health oversight agency or law enforcement official may be suspended at the request of the agency or official.
If you want to exercise this right, your request to the Plan must be in writing. Within 60 days of the request, the Plan will provide you with the list of disclosures or a written statement that the time peri­od for providing this list will be extended for no more than 30 days, along with the reasons for the delay and the date by which the Plan expects to address your request. You may make one (1) request in any 12-month period at no cost to you, but the Plan may charge a fee for subsequent requests. You'll be notified of the fee in advance and have the opportunity to change or revoke your request.

Right to obtain a paper copy of this notice from the Plan upon request

You have the right to obtain a paper copy of this Privacy Notice upon request. Even individuals who agreed to receive this notice electronically may request a paper copy at any time.

Changes to the information in this notice

The Plan must abide by the terms of the Privacy Notice currently in effect. This notice took effect on July 1, 2003 and was amended as of September 20, 2013. However, the Plan reserves the right to change the terms of its privacy policies as described in this notice at any time, and to make new provisions effective for all health information that the Plan maintains. This includes health information that was previ­ously created or received, not just health information created or received after the policy is changed. If changes are made to the Plan's privacy policies described in this notice, you will be provided with a revised Privacy Notice mailed to your home address.

Complaints

If you believe your privacy rights have been violated, you may complain to the Plan and/or to the Secretary of Health and Human Services. You will not be retaliated against for filing a complaint. To file a complaint contact University of Pittsburgh, Privacy Offi­cer. 801 Cathedral of Learning, 4200 Fifth Avenue, Pittsburgh, PA 15260-8404

Contact

For more information on the Plan's privacy policies or your rights under HIPAA contact the University of Pittsburgh Benefits Department at 412-624-8160.

You may also access this Notice and related Privacy Policies on the University's Web site at www.pitt.edu/hipaa/ or by contacting the University's Privacy Officer at University of Pittsburgh, 801 Cathedral of Learning, 4200 Fifth Avenue, Pittsburgh, PA 15260.

 



Revised 9/20/13
Home | Univ. of Pittsburgh Home