BUPA INSURANCE COMPANY
HIPAA Notice of Privacy Practices
THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
BUPA GLOBAL’S COMMITMENT
Bupa people care. Our strong caring, ethics, dedication and respect are valued by people at some of the most vulnerable times in their lives. So trust is intrinsic to the way we operate as a business. At the heart of our global business are our values; these are the principles that determine the way we, both as a company and as employees, behave and believe. Preserving confidentiality and protecting the information with which we have been entrusted are two of the basic principles under which Bupa conducts its business.
We are required by the United States Department of Health and Human Services (“U.S. DHHS”) privacy regulations issued under the Health Insurance Portability and Accountability Act of 1996 (“Original HIPAA”), as amended by the Health Information Technology for Economic and Clinical Health Act, Title XIII of the American Recovery and Reinvestment Act of 2009 (“HITECH”), and as further amended by the Final Rule issued on January 25, 2013 by the
U.S. DHHS (Original HIPAA, HITECH, and the Final Rule are collectively referred to as “HIPAA”), and any subsequent amendments to HIPAA, to maintain the privacy of “Protected Health Information” (“PHI”) (as defined below) and to provide our policyholders with notice of our legal duties, your rights, and our privacy practices concerning the use and disclosure of your PHI. In the event applicable law, other than HIPAA, prohibits or materially limits our uses and disclosures of PHI, as set forth below, we will restrict our uses and/or disclosures of your PHI in accordance with the more stringent standard. We are required to abide by the terms of this Notice so long as it remains in effect.
WHAT INFORMATION WE MAY COLLECT
The term “Protected Health Information” or “PHI” in this Notice shall include any information, whether oral or recorded in any form or medium, that is created or received by Bupa that reasonably can be used to identify you, and that relates to your past, present or future physical or mental health condition; the provision of health care to you; or the past, present or future payment for such health care. PHI may include, without limitation: medical records; health insurance coverage information including claims history, financial information and demographics.
TO WHOM WE MAY DISCLOSE PROTECTED HEALTH INFORMATION
PHI is routinely requested from or disclosed to: physicians and other health care providers; hospitals; third party claims administrators; insurance agents or brokers and their agency(ies); reinsurance carriers; previous insurance carriers; and group health plan sponsors, as part of our normal business operations.
HOW WE USE OR DISCLOSE PROTECTED HEALTH INFORMATION
WE HAVE THE RIGHT TO USE AND DISCLOSE PHI FOR YOUR TREATMENT, TO PAY FOR YOUR HEALTH CARE AND TO OPERATE OUR BUSINESS, WITHOUT YOUR AUTHORIZATION. FOR EXAMPLE, WE MAY USE OR DISCLOSE YOUR PHI AS FOLLOWS:
- For Payment Activities. We may use or disclose your PHI for billing, coverage determination, and to process claims for health care you receive, including for subrogation or coordination of your other benefits. For example, we may tell a doctor whether you are eligible for coverage and what percentage of the bill may be covered.
- For Treatment. We may use or disclose your PHI to aid in your treatment or the coordination of your care. For example, we may disclose PHI to your physicians to help them provide medical care to you.
- For Health Care Operations. We may use and disclose your PHI as necessary for our health care operations, and may disclose PHI to others that have a relationship with a Bupa insured (but only if the information pertains to such relationship). Examples of health care operations include, without limitation, underwriting, premium rating or other activities relating to the creation, renewal, or replacement of a health plan, claims processing, reinsurance, compliance, auditing, business management, quality improvement and assurance, and other operational needs as allowed by law and as required in the normal course of business. We are prohibited from using or disclosing your PHI that is related to genetic information about you for underwriting purposes.
- For Plan Sponsors. If your health insurance coverage is through an employer sponsored group health plan, we may share summary health information and enrollment and disenrollment information with the employer/plan sponsor. In addition, we may share other PHI with the plan sponsor for plan administration if the plan sponsor agrees to special restrictions on its use and disclosure of the PHI in accordance with applicable law.
WE MAY ALSO USE OR DISCLOSE YOUR PHI, WITHOUT YOUR PERMISSION, FOR THE FOLLOWING PURPOSES UNDER LIMITED CIRCUMSTANCES AND IN ACCORDANCE WITH APPLICABLE LAW:
- As Required by Law. We may disclose PHI when required to do so by law.
- To Persons Involved With Your Care. We may use or disclose your PHI to a person involved in your care or who helps pay for your care, such as a family member, when you are incapacitated or in an emergency, or when you agree or fail to object when given the opportunity. If you are unavailable or unable to object, we will use our best judgment to decide if the disclosure is in your best interests.
- For Public Health Activities such as reporting or preventing disease outbreaks.
- For Reporting Victims of Abuse, Neglect or Domestic Violence to government authorities that are authorized by law to receive such information, including a social service or protective service agency.
- For Health Oversight Activities to the Secretary of the U.S. DHHS, or to a health oversight agency for activities authorized by law, such as licensure, governmental audits and fraud investigations.
- For Judicial or Administrative Proceedings such as in response to a court order, or search warrant.
- For Law Enforcement Purposes. We may disclose your PHI to a law enforcement official for purposes such as providing limited information to locate a missing person or report a crime.
- To Avoid a Serious Threat to Health or Safety to you, another person, or the public, by, for example, disclosing your PHI to public health agencies or law enforcement authorities, or in the event of an emergency or natural disaster.
- For Disaster Relief. We may disclose your PHI in disaster relief situations where disaster relief organizations seek your PHI to coordinate your care, or notify your family and friends of your location and condition. We will provide you with an opportunity to agree or object to such a disclosure whenever we can practicably do so.
- Psychotherapy Notes. Under most circumstances, without your written authorization, we may not disclose the notes a mental health counselor took during a counseling session. However, we may disclose such notes for treatment and payment purposes, for state and federal oversight of the mental health professional, for the purposes of medical examiners and coroners, to avert a serious threat to health or safety, or as otherwise required by applicable law.
- Marketing and Sale of Medical Information. Most uses and disclosures of your medical information for marketing purposes or that constitute a sale of your medical information require your authorization. However, we do not sell your medical information.
- Fundraising. You have the right to opt out of receiving any fundraising communications; however, we do not engage in any fundraising activities or communications. Accordingly, we do not use or disclose your PHI for any fundraising purposes.
- Personal Representative. If you have a personal representative, such as a legal guardian, we will treat that person as if that person is you with respect to disclosures of your PHI. If you become deceased, we may disclose PHI to an executor or administrator of your estate to the extent that person is acting as your personal representative.
- To Provide Information Regarding the Deceased. We may disclose PHI to a coroner, medical examiner or funeral director to identify a deceased person, determine a cause of death, or as authorized by law.
- To Provide You Information Regarding Other Health Related Products and Services. We may use your PHI to provide you information regarding alternative medical treatments and programs, or about health-related products and services, subject to limits imposed by applicable law. For example, we may use and disclose your PHI for the purpose of communicating to you about our health insurance products that could enhance existing health plan coverage, and about health-related products and services that may add value to your health or health plan.
- To Correctional Institutions or Law Enforcement Officials if you are an inmate of a correctional institution or under the custody of a law enforcement official, but only if necessary (1) for the institution to provide you with health
- care; (2) to protect your health and safety or the health and safety of others; or (3) for the safety and security of the correctional institution.
- To Business Associates that perform functions for or on our behalf or provide us with services if the PHI is necessary for such functions or services. Our business associates are required, under contract with us, to protect the privacy of your PHI and are not allowed to use or disclose any PHI other than as specified in our contract and in accordance with applicable law. As of February 17, 2010, our business associates also will be directly subject to HIPAA privacy laws.
- For Data Breach Notification Purposes. We may use your contact information to provide legally-required notices of unauthorized acquisition, access, use, or disclosure of your PHI. We may send notice directly to you or provide notice to the sponsor of your health plan through which you receive health insurance coverage.
YOUR WRITTEN AUTHORIZATION
Except for uses and disclosures of your PHI as described, set forth and limited in this Notice, we will not use or disclose your PHI unless you have signed a written request authorizing any use or disclosure. You may revoke your written authorization in writing at any time, except if we have already acted based on your authorization. You may mail your written authorization and requests to revoke a prior authorization to the address listed at the end of this Notice.
WHAT ARE YOUR RIGHTS
WITH RESPECT TO YOUR PHI, YOU HAVE THE RIGHT TO:
- See and obtain a copy of your PHI that may be used to make decisions about you such as claims and case or medical management records. You also may in some cases receive a summary of your PHI. You must make a written request to inspect and copy your PHI. Mail your request to the address listed below. In certain limited circumstances, we may deny your request to inspect and copy your PHI. If we deny your request, you have the right to have the denial reviewed. We may charge a reasonable fee for any copies you request of your PHI. As of February 17, 2010, if we maintain an electronic health record containing your PHI, you have the right to request that we send a copy of your PHI in an electronic format to you or to a third party that you identify. We may charge a reasonable fee for sending the electronic copy of your PHI.
- Ask to amend PHI that we maintain about you if you believe the PHI about you is wrong or incomplete. Your request must be in writing and provide the reasons for the requested amendment. Mail your request to the address listed below. If we deny your request, you may have a statement of your disagreement added to your PHI.
- Receive an accounting of certain disclosures of your PHI made by us during the six years prior to your request. This accounting will not include disclosures of information made: (i) for treatment, payment, and health care operations purposes; (ii) to you or pursuant to your authorization; (iii) to correctional institutions or law enforcement officials; (iv) Incident to a use or disclosure otherwise permitted or required; (v) for national security purposes; and
- (vi) as part of a limited data set.
- Ask to restrict uses or disclosures of your PHI for treatment, payment, or health care operations. You also have the right to ask to restrict disclosures to family members or to others who are involved in your health care or payment for your health care. While we will consider your request and will permit requests consistent with our policies, we are not required to agree to any restriction.
- We retain the right to terminate an agreed to restriction if we believe such termination is appropriate. In the event of a termination by us, we will notify you of such termination. You also have the right to terminate any agreed- to restriction. Requests for a restriction (or termination of an existing restriction) may be made, in writing, by contacting Bupa at the address listed below.
- Ask to receive confidential communications of PHI in a different manner or at a different place. For example, by sending information to a P.O. Box instead of your home address. To request confidential communications, you must make your request in writing and by contacting Bupa at the address listed below. Your request must specify how or where you wish to be contacted.
- Request that a provider not send health PHI to us in certain circumstances if the PHI concerns a health care item or service for which you have paid the provider out of pocket in full.
- Receive a paper copy of this Notice. You may ask for a copy of this Notice at any time. Even if you have agreed to receive this Notice electronically, you are still entitled to request a paper copy of this Notice. You may also obtain a copy of this Notice at our website, www.bupasalud.com.
- Right to receive notice of a breach. We are required to notify you by first class mail or email (if you have indicated a preference to receive information by email), of any breaches of your Unsecured Protected Health Information as soon as possible, but in any event, no later than 60 days following the discovery of the breach as outlined by applicable law. “Unsecured Protected Health Information” is information that is not secured through the use of a technology or methodology identified by the Secretary of the U.S. DHHS to render the PHI unusable, unreadable, or undecipherable to unauthorized users.
Additional restrictions on use and disclosure. Certain other laws may require special privacy protections that restrict the use and disclosure of certain health information, including sensitive information about you. “Sensitive information” may include information regarding alcohol and drug abuse, genetics, HIV/AIDS, mental health, sexually transmitted diseases and reproductive health information, and child or adult abuse or neglect, including sexual assault.
CHANGES TO THIS NOTICE
Bupa reserves the right to change the terms of this Notice and make any new Notice provisions effective for all PHI that it creates, receives and maintains. If we make a material change to our privacy practices, we will provide a revised Notice by direct mail to you reflecting that change within 60 days of the change and we will otherwise post the revised Notice on our website at: www.bupasalud.com.
EXERCISING YOUR RIGHTS
If you have any questions about this Notice or want to exercise any of Your Rights as listed in this Notice, you may contact Bupa Global by submitting a written request. All written requests should be mailed to Bupa Global at the following address:
Attn: HIPAA Privacy Officer 17901 Old Cutler Road, Suite 400 Palmetto Bay, FL 33157 USA
FILING A COMPLAINT
If you believe your privacy rights have been violated, you may file a complaint with us (to our HIPAA Privacy Officer at the above listed address) or with the Secretary of the U.S. Department of Health and Human Services. All complaints must be submitted in writing and should be submitted within 180 days of when you knew or should have known that the alleged violation occurred. See the U.S. Office for Civil Rights website: www.hhs.gov/ocr/hipaa/ for more information.
YOU WILL NOT BE PENALIZED FOR FILING A COMPLAINT.
Effective Date of Notice September 1, 2013