Employee Group Insurance Program by HC120625165933


                         EMPLOYEE GROUP INSURANCE
              TREATMENT OF PROTECTED HEALTH INFORMATION
Policy 1: Introduction & Definitions                Page: 1 of 9

Effective Date: April 14, 2003


                                           Purpose
This compilation of policies and procedures governs the treatment of the protected health
information of group health plan participants and beneficiaries by Employer Group Insurance
(EGI). The policies and procedures are intended to comply with 45 C.F.R. § 164.530(j)(1)(i),
which requires EGI to implement and design privacy policies and procedures that comply with
the HIPAA Privacy Standards and to maintain such privacy policies and procedures in written
or electronic form. (Defined terms are capitalized.)

The HIPAA Privacy Standards govern the confidentiality of individuals’ health information
maintained in the health care system. An entity covered by the HIPAA Privacy Standards
generally must comply with the following obligations: (i) Use or Disclose health information
only as permitted by the HIPAA Privacy Standards; (ii) limit requests, Uses, and Disclosures
of health information to the minimum necessary; (iii) give individuals a notice of the entity’s
privacy practices; (iv) provide individuals certain rights with respect to their health
information; and (v) establish certain administrative procedures to ensure health information is
kept confidential, such as the designation of a privacy official and the establishment of
sanctions against workforce members who breach an individual’s privacy rights.

It is always the intent of EGI that these policies be interpreted consistently with the HIPAA
Privacy Standards.

                                Self-funded Group Health Plan
These policies and procedures, as they may be amended from time to time, are incorporated
into and are made a part of the Self-funded Group Health Plan administered by EGI.

                                           Definitions
Where the following capitalized terms appear in these Policies, they have the definitions set
forth below.
(1)      Authorization: A written document that authorizes a Use or Disclosure of Protected
Health Information or PHI and that satisfies Section 4.8 of this Manual.
(2)      Business Associate: A person who, on behalf of EGI, either (i) performs (or assists in
the performance of) a function or activity involving the Use or Disclosure of protected health
information or any other function or activity regulated by the HIPAA Privacy Standards; or (ii)
provides legal, actuarial, accounting, consulting, data aggregation, management,
administrative, accreditation, or financial services to or for EGI, where the provision of the
service involves the Disclosure of individually identifiable health information from EGI, or
from another Business Associate of EGI, to the person; provided that the term “Business
Associate” does not include EGI when it is functioning as the sponsor of a group health plan.i
The relationship between EGI and a Business Associate must be formalized by a written
Business Associate Agreement that binds the Business Associate to comply with all applicable
provisions of this Manual as to any PHI collected or held on behalf of EGI and includes a
Certification.

April 2003                                                                          Page 400.1
(3)      Carrier: A health insurance carrier, which is an insurance company, insurance service,
or managed care organization (including an HMO) that is licensed under and subject to state
law that regulates insurance; provided that the term “Carrier” does not include a group health
plan.ii
(4)       Certification: A certification that an entity shall:
a.       Not Use or Disclose PHI other than as permitted or required by the group health plans
         administered or sponsored by EGI or as required by law;
b.       Agree to the same restrictions and conditions that apply to EGI with respect to such
         information;
c.       Not Use or Disclose PHI for employment-related actions and decisions or in
         connection with any other benefit or employee benefit plan of EGI or The University of
         Texas System Administration;
d.       Take steps to deal with any Use or Disclosure of Plan PHI that is inconsistent with the
         Uses or Disclosures provided for of which it becomes aware;
e.       Make available PHI in accordance with individuals’ right to access PHI, which right is
         described in Section 7.2 of this Manual;
f.       Make available PHI for amendment and incorporate any PHI amendments into the
         Designated Record Sets held by EGI in accordance with individuals’ right to request
         amendments of PHI, which right is described in Section 7.3 of this Manual;
g.       Make available the information required to provide an accounting of disclosures of
         PHI in accordance with individuals’ right to receive an accounting of disclosures,
         which right is described in Section 7.4 of this Manual;
h.       Make EGI’s internal practices, books, and records relating to the Use and Disclosure of
         PHI available to the Secretary for purposes of determining EGI’s compliance with the
         HIPAA Privacy Standards;
i.       If feasible, return or destroy all PHI received that EGI still maintains in any form and
         retain no copies of such information when no longer needed for the purpose for which
         Disclosure was made, except that, if such return or destruction is not feasible, limit
         further Uses and Disclosures to those purposes that make the return or destruction of
         the information infeasible; and
j.       Ensure that any adequate separation of records or PHI is established and maintained.iii

(5)      Contact Person: The person or office designated in accordance with Section 3.2 of
this Manual.
(6)     Covered Entity: A health plan (as defined by HIPAA), a health care clearinghouse (as
defined by HIPAA), or a health care provider (as defined by HIPAA) who transmits any health
information in electronic form in connection with a transaction covered by Subchapter C of
Subtitle A of Title 45 of the Code of Federal Regulations.iv
(7)      De-identified Information: Information that does not identify an individual and that
EGI has no reasonable basis to believe can be used to identify an individual.v Two methods by
which EGI can demonstrate that information qualifies as De-identified Information are as
follows:



a.     A person with appropriate knowledge of and experience with generally accepted
       statistical and scientific principles and methods for rendering information not
       individually identifiable (i) determines, applying such principles and methods, that the
       risk is very small that the information could be used, alone or in combination with
       other reasonably available information, by an anticipated recipient to identify an
       individual who is a subject of the information and (ii) documents the methods and
       results of the analysis that justify such determination; or
b.     EGI ensures that (i) it does not have actual knowledge that the information could be
       used alone or in combination with other information to identify an individual who is a
       subject of the information and (ii) the following identifiers of the individual, or
       relatives, employers, or household members of the individual, are removed:
       · Names;
       · All geographic subdivisions smaller than a state, including street address, city,
           county, precinct, and zip code and their geocodes (except that the initial three digits
           of a zip code may be used if more than 20,000 people reside within the area
           included in all zip codes sharing those initial three digits, and, if fewer than 20,000
           people reside within such area, the number “000” may be used instead);
       · All elements of dates (except the year) for dates directly related to an individual,
           including birth date, admission date, discharge date, and date of death;
       · All ages over 89 and all elements of dates (including the year) indicative of such
           age, except that such ages and elements may be aggregated into a single category of
           age 90 or older;
       · Telephone numbers;
       · Fax numbers;
       · Electronic mail addresses;
       · Social Security numbers;
       · Medical record numbers;
       · Health plan beneficiary numbers;
       · Account numbers;
       · Certificate/license numbers;
       · Vehicle identifiers and serial numbers, including license plate numbers;
       · Device identifiers and serial numbers;
       · Web Universal Resource Locators (URLs);
       · Internet Protocol (IP) address numbers;
       · Biometric identifiers, including finger and voice prints;
       · Full face photographic images and any comparable images; and
       · Any other unique identifying number, characteristic, or code (other than a code that
           enables the information’s creator to re-identify the information).vi

(8)      Designated Record Set: The set of information that includes PHI and that either (i) is
enrollment, Payment, claims adjudication, and case or medical management record systems
maintained by or for EGI or (ii) is used, in whole or in part, to make decisions about
individuals.vii
(9)      Disclosing, a Disclosure, to Disclose or to be Disclosed: Divulging information
outside an entity, including release, transfer, or provision of access to information.viii



(10)      Employee Group Insurance or EGI: The University of Texas System
Administration Office charged by The University of Texas System with implementing the
uniform benefit program for its employees and retired employees and administering the
insurance coverage and other benefits provided under the State University Uniform Insurance
Benefits Act.
(11)      Fully-insured Group Health Plan: Group health coverage that is offered to eligible
employees, retired employees, spouses and eligible dependents of The University of Texas
System pursuant to the State University Employees Uniform Insurance Benefit Act (the Act)
that is purchased by The University of Texas System from a carrier.
(12) Group Health Plan: Coverage provided by a Carrier to the employees of an
employer. The coverage provided includes coverage for medical services, pharmacy benefits,
vision care services, dental services and any other service considered by law to be a health
service or benefit that can be provided by a Carrier.
(13)      Health Care: Services that prevent, treat, cure or heal human physical and mental
conditions and illnesses.
(14) Health Care Component: The portions of a Hybrid Entity that perform functions that
are subject to the HIPAA privacy standards.
(15) Health Care Operations: Any of the following activities:
a.       Conducting quality assessment and improvement activities including outcomes
         evaluation and development of clinical guidelines (provided that the obtaining of
         generalizable knowledge is not the primary purpose of any studies resulting from such
         activities); population-based activities relating to improving health or reducing health
         care costs; protocol development; case management and care coordination; contacting
         of health care providers and patients with information about treatment alternatives; and
         related functions other than Treatment;
b.       Reviewing the competence or qualifications of health care professionals; evaluating
         practitioner and provider performance or health plan performance; conducting training
         programs in which students, trainees, or practitioners in areas of health care learn under
         supervision to practice or improve their skills as health care providers; training of
         non-health care professionals; and accreditation, certification, licensing, or credentialing
         activities;
c.       Underwriting, premium rating, and other activities relating to the creation, renewal, or
         replacement of a contract of health insurance or health benefits; and ceding, securing,
         or placing a contract for reinsurance of risk relating to claims for health care (including
         stop-loss insurance and excess of loss insurance);
d.       Conducting or arranging for medical review, legal services, and auditing functions
         (including fraud and abuse detection and compliance programs);
e.       Business planning and development (including cost-management and planning-related
         analyses related to managing and operating the entity, formulary development and
         administration, and development or improvement of methods of payment or coverage
         policies); and
f.       Business management and general administrative activities of the entity, including (i)
         management activities relating to implementation of and compliance with the
         requirements of the HIPAA Privacy Standards; (ii) customer service (including the
         provision of data analyses for policyholders, plan sponsors, or other customers,
         provided that PHI is not Disclosed to such policyholder, plan sponsor, or customer);

       (iii) resolution of internal grievances; (iv) the sale, transfer, merger, or consolidation of
       all or part of the Covered Entity with another Covered Entity, or an entity that
       following such activity will become a Covered Entity, and due diligence related to such
       activity; and (v) in accordance with the HIPAA Privacy Standards, fundraising for the
       benefit of the Covered Entity and creating De-identified Information or a Limited Data
       Set.ix

(16)      Health Care Provider: A physician or other provider licensed under the laws of the
state to provide health care to an individual.
(17)      Health Oversight Agency: An agency or authority of the United States, a state, a
territory, a political subdivision of a state or territory, or an Indian tribe (or a person or entity
acting under a grant of authority from or contract with such public agency, including the
employees or agents of such public agency or its contractors or persons or entities to whom it
has granted authority) that is authorized by law to oversee the health care system (whether
public or private) or government programs in which health information is necessary to
determine eligibility or compliance, or to enforce civil rights laws for which health information
is relevant.x
(18)      HIPAA: The Health Insurance Portability and Accountability Act of 1996, as
amended from time to time.
(19)     HIPAA Privacy Standards or Privacy Rule: The privacy regulations at Part 160 of,
and subparts A and E of Part 164 of, Title 45 of the Code of Federal Regulations, as amended
from time to time.
(20)      HMO: A federally qualified health maintenance organization, an organization
recognized as a health maintenance organization under state law, or a similar organization
regulated for solvency under state law in the same manner and to the same extent as such a
health maintenance organization.
(21)       Hybrid Entity: A single legal entity that performs both functions that are subject to
the HIPAA Privacy Standards and non-HIPAA covered functions and that segregates its
covered functions from its non-covered functions for purposes of compliance with the HIPAA
Privacy Standards.
(22)      Limited Data Set: Information that excludes the following direct identifiers of the
individual and his relatives, employers, and household members:
· Names;
· Postal address information (but not including town or city, state, and zip code);
· Telephone numbers;
· Fax numbers;
· Electronic mail addresses;
· Social Security numbers;
· Medical record numbers;
· Health plan beneficiary numbers;
· Account numbers;
· Certificate/license numbers;
· Vehicle identifiers and serial numbers, including license plate numbers;
· Device identifiers and serial numbers;
· Web Universal Resource Locators (URLs);
· Internet Protocol (IP) address numbers;

·   Biometric identifiers, including finger and voice prints; and
·   Full face photographic images and any comparable images.xi
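The two identifier-removal standards defined above, De-identified Information under the Safe Harbor method in definition (7) and the Limited Data Set in definition (22), applied to a constructed claims record. This is an added example, not code from the EGI manual; the field names, the reference date, and the population table for 3-digit zip prefixes are assumptions for illustration (in practice the prefix populations come from census data).

```python
"""Safe Harbor de-identification and Limited Data Set reduction of a record.
Added example, not part of the EGI manual. Field names are assumptions."""
import copy
from datetime import date

# Direct identifiers stripped for BOTH a Limited Data Set and De-identified
# Information (names through full-face images in both lists above).
DIRECT_IDENTIFIERS = {
    "name", "street_address", "phone", "fax", "email", "ssn",
    "medical_record_number", "beneficiary_number", "account_number",
    "license_number", "vehicle_id", "device_id", "url", "ip_address",
    "biometric", "photo",
}
# A Limited Data Set may keep town/city, state, zip and full dates. Safe Harbor
# additionally removes sub-state geography, generalises dates and ages, and
# drops any other unique identifying code.
SAFE_HARBOR_ONLY = {"city", "county", "zip", "other_unique_code"}
DATE_FIELDS = ("birth_date", "admission_date", "discharge_date", "date_of_death")

# Assumed (constructed) population per 3-digit zip prefix. A prefix shared by
# 20,000 people or fewer must be replaced by "000".
ZIP3_POPULATION = {"787": 1_200_000, "790": 15_000}


def generalize_zip(zip_code):
    """Safe Harbor zip rule: keep the initial three digits only if more than
    20,000 people reside in the zip codes sharing them."""
    prefix = str(zip_code)[:3]
    return prefix if ZIP3_POPULATION.get(prefix, 0) > 20_000 else "000"


def generalize_age(age):
    """Ages over 89 collapse into a single 'age 90 or older' category."""
    return "90+" if age > 89 else age


def age_on(birth_date, as_of):
    """Whole years between birth_date and as_of."""
    before_birthday = (as_of.month, as_of.day) < (birth_date.month, birth_date.day)
    return as_of.year - birth_date.year - (1 if before_birthday else 0)


def de_identify(record, standard="safe_harbor", as_of=date(2003, 4, 14)):
    """Return a copy of record reduced to a Limited Data Set or to
    De-identified Information (Safe Harbor). The input is not modified."""
    out = copy.deepcopy(record)
    for field in DIRECT_IDENTIFIERS:
        out.pop(field, None)
    if standard == "limited_data_set":
        return out
    if standard != "safe_harbor":
        raise ValueError("unknown standard: %r" % standard)
    for field in SAFE_HARBOR_ONLY:
        out.pop(field, None)
    if "zip" in record:
        out["zip3"] = generalize_zip(record["zip"])
    # Dates directly related to the individual keep only the year.
    for field in DATE_FIELDS:
        if field in out:
            out[field] = out[field].year
    if "birth_date" in record:
        age = age_on(record["birth_date"], as_of)
        out["age"] = generalize_age(age)
        if age > 89:
            out.pop("birth_date")  # even the year would indicate an age over 89
    return out


def residual_identifiers(record, standard="safe_harbor"):
    """Fields that must be absent under the given standard but are still present.
    Use as the final check before a data set leaves EGI."""
    banned = set(DIRECT_IDENTIFIERS)
    if standard == "safe_harbor":
        banned |= SAFE_HARBOR_ONLY
    return banned & set(record)


# Constructed sample record; every value is fictitious.
SAMPLE_RECORD = {
    "name": "Jane Example", "street_address": "1 Example St", "city": "Austin",
    "county": "Travis", "state": "TX", "zip": "78712", "ssn": "000-00-0000",
    "beneficiary_number": "EX-0001", "ip_address": "192.0.2.10",
    "birth_date": date(1910, 5, 1), "admission_date": date(2002, 11, 3),
    "diagnosis_code": "J18.9", "claim_amount": 412.50,
}

if __name__ == "__main__":
    for standard in ("limited_data_set", "safe_harbor"):
        reduced = de_identify(SAMPLE_RECORD, standard)
        print(standard, reduced, "residual:", residual_identifiers(reduced, standard))
```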

(23) Manual: This compilation of EGI’s HIPAA privacy policies and procedures.
(24) Medical Record: Information that is created by a health care provider; identifies or can
be readily associated with the identity of an individual; and relates to the health care of the
individual.
(25) Members: Employees and retired employees who are eligible for and obtaining a
benefit or benefits provided by System under the State University Employees Uniform
Insurance Benefit Act and the spouses and eligible dependents of these employees and retired
employees.
(26) Memorandum of Understanding or MOU: An agreement that takes the place of a
Business Associate Agreement between EGI and entities that are governmental agencies or
subdivisions of governmental agencies with which EGI has a Business Associate relationship.
(27)     Notification Disclosures: Disclosure of PHI to an individual’s relative or close
personal friend or other person identified by the individual, if such PHI is directly relevant to
such person’s involvement with the individual’s care or payment for the individual’s health
care; and Disclosure (or Use) of PHI to notify, or assist in the notification of, a person
responsible for the individual’s care (such as the individual’s family member or personal
representative) of the individual’s location, general condition, or death.xii
(28)    Payment: Activities undertaken by a Group Health Plan to obtain premiums or to
determine its responsibility for coverage and provision of benefits under the Group Health
Plan, and activities undertaken by a health care provider or health plan to obtain or provide
reimbursement for the provision of health care. Such activities include, without limitation:
a.     Determinations of eligibility or coverage (including coordination of benefits or the
       determination of cost sharing amounts), and adjudication or subrogation of health
       benefit claims;
b.     Risk adjusting amounts due based on enrollee health status and demographic
       characteristics;
c.     Billing, claims management, collection activities, obtaining payment under a contract
       for reinsurance (including stop-loss insurance and excess of loss insurance), and related
       health care data processing;
d.     Review of health care services with respect to medical necessity, coverage under a
       health plan, appropriateness of care, or justification of charges;
e.     Utilization review activities, including precertification and preauthorization of services
       and concurrent and retrospective review of services; and
f.     Disclosure to consumer reporting agencies of any of the following PHI relating to
       collection of premiums or reimbursement: name, address, date of birth, Social Security
       number, payment history, account number, and the health care provider’s and/or health
       plan’s name and address.xiii

(29) Plan Sponsor: An employer that maintains a Group Health Plan for its employees.xiv A
Plan Sponsor is not a covered entity under HIPAA and Plan Sponsors are not regulated under
HIPAA.
(30)    Privacy Officer: The individual appointed to serve as the Privacy Officer for The
University of Texas System Administration or the Privacy Officer’s authorized designee.

(31) Protected Health Information or PHI: any information, transmitted or maintained
in any form or medium (including orally), that (i) is created or received by a health care
provider, health plan, employer, or health care clearinghouse; (ii) relates to the past, present, or
future physical or mental health or condition of an individual, the provision of health care to an
individual, or the past, present, or future Payment for the provision of health care to an
individual; and (iii) either identifies the individual or with respect to which there is a
reasonable basis to believe the information can be used to identify the individual; provided that
the term “PHI” does not include (A) education records covered by the Family Educational
Rights and Privacy Act, as amended, 20 U.S.C. § 1232g, (B) student treatment records
described at 20 U.S.C. 1232g(a)(4)(B)(iv), and (C) employment records held by a Covered
Entity in its role as employer.xv
(32)      Psychotherapy Notes: Notes recorded by a health care provider who is a mental
health professional documenting or analyzing the contents of conversation during a private
counseling session or a group, joint, or family counseling session and that are separated from
the rest of the individual’s medical record, but excluding the following: medication
prescription and monitoring, counseling session start and stop times, the modalities and
frequencies of treatment furnished, results of clinical tests, and any summary of diagnosis,
functional status, the treatment plan, symptoms, prognosis, and progress to date.xvi
(33) Public Health Authority: An agency or authority of the United States, a state, a
territory, a political subdivision of a state or territory, or an Indian tribe (or a person or entity
acting under a grant of authority from or contract with such public agency, including the
employees or agents of such public agency or its contractors or persons or entities to whom it
has granted authority), that is responsible for public health matters as part of its official
mandate.xvii
(34)      Secretary: The Secretary of Health and Human Services (or any other officer or
employee of the Department of Health and Human Services to whom the authority involved
has been delegated).xviii
(35) Self-funded Group Health Plan: Group health coverage that is offered to eligible
employees, retired employees, spouses and eligible dependents of The University of Texas
System pursuant to the State University Employees Uniform Insurance Benefit Act (the Act)
and that is self-funded by The University of Texas System and exempt from any insurance law
of Texas which does not expressly apply to the Act.
(36)     Summary Health Information: Information that summarizes the claims history,
claims expenses, or types of claims experienced by individuals to or on whose behalf health
benefits have been provided under a Group Health Plan and from which the following
information has been deleted:
· Names;
· All geographic subdivisions smaller than a state (including street address, city, county, and
    precinct), except for the initial five digits of zip codes;
· All elements of dates (except the year) for dates directly related to an individual, including
    birth date, admission date, discharge date, and date of death;
· All ages over 89 and all elements of dates (including the year) indicative of such age,
    except that such ages and elements may be aggregated into a single category of age 90 or
    older;
· Telephone numbers;
· Fax numbers;

·   Electronic mail addresses;
·   Social Security numbers;
·   Medical record numbers;
·   Health plan beneficiary numbers;
·   Account numbers;
·   Certificate/license numbers;
·   Vehicle identifiers and serial numbers, including license plate numbers;
·   Device identifiers and serial numbers;
·   Web Universal Resource Locators (URLs);
·   Internet Protocol (IP) address numbers;
·   Biometric identifiers, including finger and voice prints;
·   Full face photographic images and any comparable images; and
·   Any other unique identifying number, characteristic, or code (other than a code that
    enables the information’s creator to re-identify the information).xix
(37) Treatment: The provision, coordination, or management of health care or related
services by one or more health care providers, including the coordination or management of
health care by a health care provider with a third party, consultation between health care
providers relating to a patient, and the referral of a patient for health care from one health care
provider to another.xx
(38) The University of Texas System or The System: The component institutions and
other entities, including The University of Texas System Administration that comprise The
University of Texas System.
(39)     The University of Texas System Administration or System Administration: The
offices, including EGI, the Office of General Counsel (OGC) and the Office of Human
Resources for System Administration employees (OHRSA), that provide support and other
services on behalf of the Board of Regents of The University of Texas System to The
University of Texas System.
(40) Using, a Use, or To Use: Both (i) employment, application, utilization, examination, or
analysis of information, and (ii) sharing information within an entity.xxi
i      45 C.F.R. § 160.103.
ii     Id.
iii    Id. § 164.504(f)(2)(ii).
iv     Id. § 160.103.
v      Id. § 164.514(a).
vi     Id. § 164.514(b).
vii    Id. § 164.501.
viii   Id.
ix     Id.
x      Id.

xi     Id. § 164.514(e)(2).
xii    Id. § 164.510(b)(1).
xiii   Id. § 164.501.
xiv
xv     Id. §§ 160.103, 164.501.
xvi    Id. § 164.501.
xvii   Id. § 164.504(f).
xviii  Id. § 160.103.
xix    Id. § 164.504(a).
xx     Id. § 164.501.
xxi    Id.




                      EMPLOYEE GROUP INSURANCE
              TREATMENT OF PROTECTED HEALTH INFORMATION
Policy 2: Organization of EGI for HIPAA Privacy Standard Compliance Purposes      Page: 1 of 2

Effective Date: April 14, 2003

POLICY

EGI provides many different types of services to System employees, retired employees,
spouses and eligible dependents (“Members”). HIPAA requires only Covered Entities to
comply with the HIPAA Privacy Standards. Not all of the functions performed by EGI are
performed by EGI in its capacity as a Covered Entity. The purpose of this policy is to describe
the various functions performed by EGI and to identify whether the functions must be
performed in compliance with the HIPAA Privacy Standards.

Section 2.1 The policies and procedures in this Manual shall apply to all functions
performed by EGI in its capacity as a Covered Entity under HIPAA.

EGI functions as a Covered Entity under HIPAA when it acts as the plan administrator for the
Self-funded Health Plans that it offers to Members. Since The University of Texas System
functions as a state agency, EGI’s Self-funded Group Health Plans are not subject to ERISA.
The self-funded plans currently offered by EGI are UT Select and UT Dental Select. UT
Select is a PPO medical coverage plan with pharmacy benefits. Many administrative services
for the medical portion of the plan are provided through a contract with a general indemnity
insurance carrier. Many administrative services for the pharmacy benefit portion of the plan
are provided through a contract with a pharmacy benefits manager. UT Dental Select is a
dental plan. Many administrative services are administered by a contract with a dental
indemnity carrier. EGI also offers UT FLEX, a medical and dependent flexible spending
account plan administered by a contract with a flexible spending plan administrator. For
purposes of HIPAA, UT FLEX is considered by EGI to be a Self-funded Group Health Plan.
EGI is required to comply with the HIPAA Privacy Standards only in its capacity as the
administrator of its Self-funded Group Health plans. The policies and procedures set forth in
this Manual are applicable to EGI and its staff when it is performing functions in this capacity.
The Secretary has the ability to enforce the HIPAA Privacy Standards against EGI when it is
performing functions in this capacity.

Section 2.2 The policies and procedures in this Manual that apply to Plan Sponsors shall
apply to all functions performed by EGI in its capacity as a Plan Sponsor as defined by
the HIPAA Privacy Standards.

EGI functions as a Plan Sponsor to Fully-insured Group Health Plans that are Covered Entities
under HIPAA. Plan Sponsors have a more limited responsibility under HIPAA than a Covered
Entity and are not subject to the jurisdiction of the Secretary. EGI has a Plan Sponsor
relationship with the licensed HMOs and insurers that are providing or have provided
fully-insured health coverage to Members through a contract with EGI. EGI is required to comply
with the HIPAA Privacy Standards that apply to Plan Sponsors when acting in the capacity of
a Plan Sponsor. Only the policies and procedures designated in this Manual as applicable to
Plan Sponsors (see Policy 5) are applicable to EGI and its staff when it is performing functions
in this capacity. The Secretary does not have the ability to enforce the HIPAA Privacy
Standards against EGI when it is performing functions in this capacity.

Section 2.3 None of the policies and procedures in this Manual shall apply to any
functions performed by EGI in its capacity as a plan sponsor or administrator to a plan
that is not subject to the HIPAA Privacy Standards.

EGI functions in other capacities that are not subject to HIPAA. The benefits currently offered
by EGI that are not subject to the HIPAA Privacy Standards are life insurance coverage,
long-term disability coverage, short-term disability coverage, long-term care and personal accident
insurance. While it is the practice of EGI at all times to respect the privacy of its members and
to protect the confidentiality of all information that it receives from its Members to the extent
permitted by law, the medical and health information received by EGI in the process of
offering these non-HIPAA subject benefits to Members is not PHI as defined by HIPAA or the
HIPAA Privacy Standards. None of the policies or procedures in this Manual are applicable to
EGI and its staff when it is performing functions in a capacity that is not subject to HIPAA.
The Secretary does not have the ability to enforce the HIPAA Privacy Standards against EGI
when it is performing functions in this capacity.

REFERENCES/CITATIONS

45 C.F.R. § 164.104

45 C.F.R. § 164.500

45 C.F.R. § 164.504(f)




                           EMPLOYEE GROUP INSURANCE
              TREATMENT OF PROTECTED HEALTH INFORMATION
Policy 3: Director and Contact Person                                            Page: 1 of 2

Effective Date: April 14, 2003

POLICY

The HIPAA Privacy Standards require that Covered Entities designate a privacy official, who
is ultimately responsible for the development and implementation of privacy policies and
procedures; as well as a contact person, who is responsible for receiving complaints and
providing further information about the privacy policies and procedures upon request. The
University of Texas System Administration has a Privacy Officer with whom EGI, as a
Covered Entity, must work to ensure EGI’s compliance with the HIPAA Privacy Standards.
This policy sets forth the method by which EGI shall comply with the HIPAA Privacy
Standards and coordinate with the System Administration’s Privacy Officer in doing so.

Section 3.1 Responsibilities of the Director

a. The Director of Employee Group Insurance shall serve as the designee of The University of
   Texas System Administration’s Privacy Officer with regard to EGI’s compliance with the
   HIPAA Privacy Standards.

b. The Director shall oversee the implementation of, monitor adherence to, and evaluate the
   terms of this Manual in consultation with the Privacy Officer. Such responsibility includes:

   i. Reviewing non-routine requests for PHI by EGI in accordance with Section 4.1 of this
      Manual, and reviewing non-routine Uses and Disclosures of PHI in accordance with
      Section 4.8 of this Manual;

   ii. Identifying Business Associates, reviewing proposed and existing contracts with
       Business Associates for compliance with HIPAA, and addressing identified or
       suspected privacy violations by Business Associates, in accordance with Section 6.1 of
       this Manual;

   iii. Overseeing compliance with the individual rights described in Policy 7 of this Manual;

   iv. Overseeing compliance with the activities described in Policy 4 of this Manual, which
       are designed to ensure that Uses and Disclosures of PHI conform to the HIPAA
       Privacy Standards;

   v. Ensuring that EGI’s privacy documents (such as the policies and procedures contained
      in this Manual, EGI’s notice of privacy practices, and the forms in the Appendix) are,
      as appropriate, reviewed and updated;

   vi. Overseeing compliance with the document retention requirements described in Policy 9
       of this Manual; and

   vii. Maintaining current knowledge of applicable federal and state privacy laws in
        connection with these duties.

Section 3.2 Designation and Responsibilities of the Contact Person

   a. The Contact Person is responsible for serving as EGI’s contact point regarding EGI’s
      privacy compliance. The Contact Person may also serve as the designee of the Director
      for purposes of Section 3.1(b) of this Policy. The Contact Person shall be the contact
      point for individuals seeking to exercise their individual rights under the HIPAA
      Privacy Standards, or otherwise seeking privacy information, in connection with EGI.
      The Contact Person shall be available to individuals who seek to exercise their
      individual rights (described in Policy 7 of this Manual), want to revoke their
      Authorization, or otherwise seek information concerning the Plan’s privacy policies
      and procedures.

   b. The Director shall designate an EGI staff position as the Contact Person for EGI.
      Documentation of such designation shall be maintained in accordance with Section 9
      of this Manual. The Director may designate himself or herself as the Contact Person.

   c. The Contact Person shall be familiar with the policies and procedures set forth in this
      Manual. The Contact Person’s phone number shall be included in the notice of privacy
      practices for an individual to obtain additional information.

Section 3.3 Reporting to the Privacy Officer

Either the Director or the Contact Person shall report on a periodic basis to the Privacy Officer
regarding complaints, questions, comments, and requests received by the Contact Person, as
well as any actions taken by EGI in response.

REFERENCES/CITATIONS

45 C.F.R. § 164.530(a)

65 Fed. Reg. at 82,561, 82,747 (Dec. 28, 2000)

Policy 4: PHI Requests, Access, Uses and Disclosures

Effective Date: April 14, 2003

POLICY

This Policy 4 implements the portion of the HIPAA Privacy Standards that limits EGI’s
ability, as a Covered Entity, to request, access, Use, or Disclose PHI. In most cases that limit
depends on the purpose of the intended request, access, Use, or Disclosure, and in many cases
the PHI involved is limited to the minimum necessary for that purpose. This Policy identifies
when EGI can request, access, Use, and Disclose PHI and sets forth additional procedures for
responding to requests for Uses and Disclosures under specific circumstances.

This Policy 4 consists of the following Sections:

Section 4.1 Requests for PHI by EGI

Section 4.2 The EGI Hybrid Entity; Access to PHI

Section 4.3 Uses and Disclosures Required by Law

Section 4.4 Discretionary Uses and Disclosures Without An Authorization

       4.4(1) Routine Uses and Disclosures Exempt from Prior Approval:

              a. Disclosure of an Individual’s Own PHI to that Individual

              b. Uses and Disclosures for the Purpose of Conducting Payment Operations

              c. Uses and Disclosures for the Purpose of Conducting Health Care Operations

              d. Uses and Disclosures for Health Oversight Activities

              e. Disclosures for Inspection by the Secretary

              f. Disclosures for Workers Compensation

              g. Disclosures of Limited Data Sets

       4.4(2) Non-Routine Uses and Disclosures Requiring Prior Approval:

              a. Disclosures for Third-Party Judicial or Administrative Proceedings

              b. Uses and Disclosures for Public Health Activities

              c. Disclosures for Law Enforcement Purposes

              d. Uses and Disclosures Due to Imminent Threat to Health or Safety

              e. Uses and Disclosures Required by Military Authority

              f. Uses and Disclosures for National Security Activities

              g. Disclosures to Coroners and Medical Examiners

              h. Disclosures to Funeral Directors

Section 4.5 Conducting Underwriting Activities

Section 4.6 Research Disclosures and Uses

Section 4.7 Making Notification Disclosures

Section 4.8 Review of Requests for Use or Disclosure Requiring Approval by the
            Privacy Officer

Section 4.9 Minimum Necessary Standard for Uses and Disclosures of PHI

Section 4.10 Verification of Requestor’s Identity and Authority

Section 4.11 Obtaining and Relying Upon an Authorization

Section 4.12 Personal Representatives

Section 4.13 De-identified Information

Section 4.14 Documentation of Disclosures

Section 4.1: Requests for PHI by EGI

Effective Date: April 14, 2003

POLICY

EGI may make a request for PHI without first obtaining specific approval from the Contact
Person in consultation with the Privacy Officer only if the request constitutes a “routine
request.” EGI shall obtain approval prior to making any other request for PHI.

4.1(1) Routine Requests for PHI.

EGI may request PHI without prior approval from the Contact Person in consultation with the
Privacy Officer under any of the following circumstances, each of which shall be considered a
routine request:

   a. EGI’s request for PHI is for the purpose of conducting Payment activities or Health
      Care Operations activities of the Group Health Plan;

   b. The Member has provided an Authorization permitting the disclosure from the person
      from whom EGI intends to request the PHI; or

   c. EGI requests PHI in order to adequately respond to a Member’s request for access to
      the Member’s PHI (in accordance with Section 7.2 of this Manual), amendment of the
      Member’s PHI (in accordance with Section 7.3 of this Manual), or an accounting of
      disclosures of the Member’s PHI (in accordance with Section 7.4 of this Manual).

Notwithstanding the above, a request for a Member’s entire medical record or a request for
psychotherapy notes shall not be considered to be a routine request.

4.1(2) Non-routine Requests for PHI.

Prior to making any request for PHI that is not identified in Section 4.1(1) as a routine request,
EGI shall seek the approval of the Contact Person, given in consultation with the Privacy
Officer, for such request and shall refrain from making such request absent the Contact
Person’s approval.

Upon notification of a request for PHI, the Contact Person shall determine whether the
information to be requested is PHI. If the information is PHI and the request is made to
another Covered Entity, the Contact Person shall approve a request only if the PHI sought is
limited to the information reasonably necessary to accomplish the purpose for which the
request is made. If the Contact Person determines, in his or her discretion, that EGI may and
should make a request, the Contact Person shall, as soon as administratively practicable after
making such determination, communicate his or her determination to the individual who
requested it. Otherwise, the Contact Person shall inform such individual either that the request
should not be made or that, to make such request, an Authorization from each individual who
is a subject of the PHI must first be obtained.

4.1(3) Documentation of Requests for an Entire Medical Record

If the Contact Person approves a request for an individual’s entire medical record, the Contact
Person shall document the justification for such request in accordance with Section 9.2 of this
Manual.

4.1(4) Documentation of Requests for Psychotherapy Notes

If the Contact Person approves a request for psychotherapy notes as part of the record being
requested, the Contact Person shall document the justification for such request in accordance
with Section 9.2 of this Manual.

REFERENCES/CITATIONS

45 C.F.R. §§ 164.502(b), 164.514(d)(4)-(5)

65 Fed. Reg. at 82,543-45, 82,712-16 (Dec. 28, 2000); 67 Fed. Reg. at 53,195-99 (Aug. 14,
2002)

Section 4.2: Access to PHI

Effective Date: April 14, 2003

POLICY

In its capacity as a Covered Entity, EGI shall limit access to PHI to those persons that require
access to the PHI in order to carry out their Self-funded Group Health Plan related duties.

4.2(1) Individuals With Access to Plan PHI

System Administration has been designated as a Hybrid Entity. Only currently employed staff
of EGI and the other designated Health Care Components within System Administration who
have received the training required by this Manual are entitled to access PHI collected or held
by EGI as a Covered Entity. All such employees are specifically required to comply with this
Manual.

4.2(2) EGI’s Health Care Components

EGI’s Health Care Components consist of the following and shall have access to PHI as
follows:

a. EGI Staff: Current EGI employees shall have access to PHI in order to conduct any
  permissible Use or Disclosure of PHI in accordance with the terms of this Manual.
  Employees whose duties require access to the entire Medical Record shall have access to an
  individual’s entire Medical Record to the extent the entire Medical Record may be Used or
  Disclosed under the terms of this Manual. Otherwise, employees shall have access only to
  the minimum necessary PHI relating to the specific duties to which they are assigned. All
  employees shall have access to PHI only during the time periods they are on duty in the
  capacity for which they require the Use of the PHI. No employee shall request, or without a
  signed Authorization, Use or Disclose PHI for any non-Self-funded Group Health Plan
  related purpose of any kind, even if the employee’s specific job duties include both Self-
  funded Health Plan and non-Self-funded Group Health Plan related functions, regardless of
  whether the PHI would be of use in performing the non-Self-funded Group Health Plan
  duties. No employee shall re-identify De-identified PHI unless it is part of the employee’s
  specific duties with regard to that particular PHI and only as approved by the Privacy Officer
  as set forth in Section 4.13 of this Policy. The various functions of EGI staff and additional
  detail regarding type of access are:

   i. Benefits staff shall have access to all PHI (including the entire Medical Record)
      maintained in any medium by EGI during the time periods staff is performing job-
      related functions, which functions may include but are not limited to claims review and
      adjudication; resolution of appeal issues; requests for proposals and plan development;
      and resolving enrollment, coverage and eligibility issues.
   ii. Financial staff shall have access only to the minimum PHI necessary for performing job-
       related functions, which functions may include but are not limited to, payment of
       claims, adjustment of claims, and premium payments.
   iii. Information Systems staff shall have access to all PHI they maintain in any medium,
        during the time periods staff is performing job-related functions. PHI may be contained
        or stored in the various computer systems and magnetic media managed by the staff.
        Access to PHI maintained in other mediums by EGI shall be permitted to the extent
        required for staff to perform duties as assigned, which may include, but are not limited
        to, reporting functions, analysis functions, reconciliation functions, maintenance and
        repair functions, testing, addressing enrollment and eligibility issues, billing and
        payment.
   iv. The Executive Director of Employment and Benefits Administration and the EGI
        Director shall have the same access rights as set out above for all EGI functions, to the
        extent necessary to carry out the responsibilities of their positions, which include but
        are not limited to, oversight of all EGI functions and appeals resolution.

b. Medical Director: Any licensed physician employed by The System, who is specifically
  appointed to act as a Medical Director on behalf of EGI or to provide a professional medical
  opinion to EGI staff in the performance of staff’s duties in relation to a Self-Funded Group
  Health Plan offered by EGI, shall be considered a Health Care Component of the Hybrid
  Entity in which EGI is a Covered Entity and have access to PHI in order to provide the
  services he or she is appointed to provide. Such access shall be limited to the PHI necessary,
  in the professional judgment of the physician, to perform a service, including, if necessary,
  an individual’s entire medical record. Any licensed physician employed by EGI as a
  Medical Director shall be considered EGI staff and may have the same access to PHI that is
  granted to the Director in Paragraph a of this Subsection.

c. Complaint Review Committee: Any licensed physician who is employed by System and is
  designated by EGI to serve on EGI’s Complaint Review Committee shall be considered a
  Health Care Component of the Hybrid Entity in which EGI is a Covered Entity and may
  have access to an entire medical record to the extent that access is necessary to ensure a
  complete and accurate evaluation of the claim under review. A physician serving on the
  Committee shall not be considered to be providing Treatment in connection with such
  services.

d. Privacy Officer: The Privacy Officer shall be considered a Health Care Component of the
  Hybrid Entity in which EGI is a Covered Entity and have access to PHI in order to conduct
  any permissible Use or Disclosure of PHI in accordance with the terms of this Manual. The
  Privacy Officer shall have access to an individual’s entire medical record to the extent (i) the
  entire medical record may be Used or Disclosed under the terms of this Manual, or (ii) such
  PHI must be reviewed in order to determine whether a Use or Disclosure is permissible
  under the terms of this Manual.

e. Office of General Counsel. Only an attorney, a paralegal under supervision of an attorney,
  and/or a legal intern and support staff assigned specifically by the Office of General Counsel
  (OGC) to provide services to EGI in regard to health benefits offered through EGI, or to
 provide services to the Privacy Officer in connection with the Privacy Officer’s
 responsibilities pursuant to this Manual, shall be considered a Health Care Component of the
 Hybrid Entity in which EGI is a Covered Entity and have access to PHI as necessary to
 evaluate legal issues that arise. The attorney, and any paralegal or legal intern under the
 supervision of the attorney, may have access to the entire medical record if complete access
 is necessary, in the professional judgment of the attorney, to ensure a complete and accurate
 evaluation of a case. Access shall be available to the attorney at all times. Clerical and
 administrative staff directly supporting the attorney shall have access to the PHI only as
 necessary during the time periods they are providing specific support services involving that
 particular case. File clerks shall be authorized to take note of any information necessary to
 correct filing (name, date, etc.). No employee shall request, or without a signed
 Authorization, Use or Disclose PHI for any non-case related purpose of any kind.

f. Office of Human Resources: Employees of the System Administration Office of Human
  Resources (SAOHR) whose duties specifically require the employee to access PHI on behalf
  of EGI for purposes of providing Administrative Services to a Self-funded Group Health
  Plan shall be considered a Health Care Component of the Hybrid Entity in which EGI is a
  Covered Entity and have access to an individual’s entire medical record to the same extent
  the entire medical record may be Used or Disclosed under the terms of this Manual.
  However, each employee shall have access only to the PHI relating to the specific duties to
  which they are assigned and only during the time periods they are on duty in the capacity for
  which they require the Use of the PHI. No employee shall request, or without a signed
  Authorization, Use or Disclose PHI for any non-Self-funded Group Health plan related
  purpose of any kind even if the employee’s specific job duties include both Self-funded
  Group Health Plan and non-Self-funded Group Health Plan related functions, regardless of
  whether the PHI would be of use in performing the employee’s non-Self-funded Group
  Health Plan duties.

g. Office of Information Resources: Office of Information Resources (OIR) supervisors shall
  be considered a Health Care Component of the Hybrid Entity in which EGI is a Covered
  Entity and shall have access to all PHI contained in System Administration’s computer
  system for maintenance and repair purposes. Access to paper or other types of PHI shall be
  granted to department supervisors when necessary to complete a specific function for the
  information management system. Other members of OIR shall be considered a Health Care
  Component of the Hybrid Entity in which EGI is a Covered Entity and have access to PHI in
  the computer system only for specific purposes as delegated and monitored by an OIR
  supervisor. OIR management supervisors and employees shall have access to PHI only
  while on duty.

4.2(3) Access to PHI by Other Persons Including System Administration and System
       Employees and Officers

If a person not identified in Subsection 4.2(2) of this Section desires to access PHI, such
access shall be treated as a Use or Disclosure of PHI, as applicable. The determination of
whether a Use or Disclosure of PHI is permissible shall be made under the applicable
provisions of this Policy, unless the person is a Business Associate or the employee of a
Business Associate of EGI; a person with a Limited Data Set agreement with EGI; or, another
Covered Entity in which case the determination shall be made under the applicable provisions
of Policy 6 of this Manual.

REFERENCES/CITATIONS

45 C.F.R. §§ 164.502(b), 164.504(a)-(c), 164.514(d)(2)

65 Fed. Reg. at 82,543-45, 82,712-16 (Dec. 28, 2000)

Section 4.3: Uses and Disclosures Required by Law

Effective Date: April 14, 2003

POLICY

EGI may Use and Disclose PHI without prior written Authorization to the extent that such
Uses and Disclosures are required by law and comply with, and are limited to, the relevant
requirements of such law. All Uses and Disclosures made pursuant to this Section must be
made by the Contact Person in consultation with the Privacy Officer according to these
procedures. The minimum necessary rule does not apply to Disclosures that are required by
law and are made according to this Policy.

       a.     Definition of “Required by Law.” For purposes of this Manual, the term
              “required by law” means a mandate contained in law that compels EGI to make
              a Use or Disclosure of PHI and is enforceable in a court of law. The term
              includes, but is not limited to, court orders and court-ordered warrants;
              subpoenas or summons issued by a court, grand jury, a governmental or tribal
              inspector general, or an administrative body authorized to require the
              production of information; a civil or an authorized investigative demand;
              Medicare conditions of participation with respect to health care providers
              participating in the Medicare program; and statutes or regulations that require
              the production of information, including statutes or regulations that require such
              information if payment is sought under a government program providing public
              benefits.

       b.     Mandatory versus Permissive Legal Requirements. EGI shall identify whether
              a requested Use or Disclosure is required by law and the relevant requirements
              of such law and comply with such requirements when Using or Disclosing PHI
              pursuant to that law.

              EGI may require the requestor to provide proof that the requested information
              is required to be disclosed by EGI. If EGI determines that a Use or Disclosure
              is required by law, EGI shall Use or Disclose the PHI that the law requires be
              Used or Disclosed as requested. If EGI determines the requested Use or
              Disclosure is merely permitted, and not required, by law, EGI shall determine if
              the Use or Disclosure is permitted under another section of this Manual as a
              permissible Disclosure and follow all requirements set forth in that section.

       c.     If EGI determines that the Use or Disclosure is not required by law and is not
              permitted under another section of this Manual, EGI must obtain an
              Authorization from the individual who is the subject of the PHI; De-identify the
              information before Using or Disclosing it; require the requestor to obtain the
              Authorization of the individual; or require the requestor to provide a court order
              or other legal process that would authorize EGI to release the information.

       d.     No Duty To Disclose. This Section does not create any duty or obligation to
              Use or Disclose PHI to a requestor. Rather, this Section permits EGI to Use or
              Disclose PHI when EGI is required by law to do so.

REFERENCES/CITATIONS

45 C.F.R. §§ 164.501, 164.512(a) (2001)

65 Fed. Reg. 82462, 82485, 82524-25, 82666-68 (Dec. 28, 2000); 67 Fed. Reg. 53182, 53195,
53198-99, 53208 (Aug. 14, 2002)

Section 4.4: Discretionary Uses and Disclosures Without An Authorization

Effective Date: April 14, 2003

POLICY

HIPAA requires Covered Entities to have policies and procedures addressing Uses and
Disclosures that are permitted by other laws which are not pre-empted by HIPAA. EGI may
make routine Uses and Disclosures of PHI that are permitted by law in the absence of an
Authorization without specific approval from the Contact Person in consultation with the
Privacy Officer, but shall obtain such approval prior to any non-routine Use or Disclosure of
PHI under this Section. This Section does not apply to Uses and Disclosures that are required
by law, including Uses or Disclosures required by court order as described in Section 4.3 of
this Policy. With the exception of Subsections 4.4(1)(a) and 4.4(2)(a)(i), all Uses and
Disclosures described in this Section are considered to be permitted, as opposed to required,
by law.

4.4(1) Routine Uses and Disclosures Exempt from Prior Approval.

EGI may Use or Disclose PHI without an authorization and without seeking prior approval by
the Privacy Officer under any of the following circumstances, each of which shall be
considered a “routine” Use or Disclosure, subject to the Verification requirements of Section
4.10 and, with the exception of Paragraph a of this subsection, the Minimum Necessary
requirements of Section 4.9 of this Policy.

   a. Disclosure of an Individual’s Own PHI to that Individual

   b. Uses or Disclosures for the Purpose of Conducting Payment Operations: EGI may Use
      or Disclose PHI in order to conduct its Payment operations.

   c. Uses or Disclosures for the Purpose of Conducting Health Care Operations: EGI may
      Use or Disclose PHI in order to conduct Health Care Operations, provided that EGI’s
      ability to Use or Disclose PHI in connection with underwriting activities is subject to
      Section 4.5 of this Policy. Health Care Operations include Disease Management as
      defined by the HIPAA Privacy Rules. Health Care Operations do not include
      Marketing.

   d. Uses and Disclosures for Health Oversight Activities: EGI may Disclose PHI to a
      Health Oversight Agency for oversight activities authorized by law (including audits;
      civil, administrative, or criminal investigations; inspections; licensure or disciplinary
      actions; civil, administrative, or criminal proceedings or actions; or other activities
      necessary for appropriate oversight of the health care system, government benefit
      programs for which health information is relevant to beneficiary eligibility, entities
      subject to government regulatory programs for which health information is necessary
       for determining compliance with program standards, and entities subject to civil rights
       laws for which health information is necessary for determining compliance), provided
       that such health oversight activity arises out of, or is directly related to, (i) the receipt
       of health care; (ii) a claim for public benefits related to health; (iii) qualification for, or
       receipt of, public benefits or services when a patient’s health is integral to the claim for
       public benefits or services; or (iv) a claim for public benefits not related to health, if
       such activity is conducted in conjunction with an activity described by one of the
       preceding Clauses (i), (ii), or (iii).

   e. Disclosures for Inspection by the Secretary: Upon the request of the Secretary for
      access to PHI, and provided that Section 8.1 of this Manual permits the Secretary to
      obtain such access, EGI may Disclose PHI to the Secretary.

   f. Disclosures for Workers’ Compensation: EGI may Disclose PHI as authorized by, and
      to the extent necessary to comply with, laws relating to workers’ compensation or other
      similar programs, established by law, that provide benefits for work-related injuries or
      illness without regard to fault.

   g. Disclosure of Limited Data Sets: EGI may Disclose a Limited Data Set for the purpose
      of Health Care Operations, research activities, and public health activities if the
      recipient has entered into a data use agreement that complies with Section 6.3 of this
      Manual.

Notwithstanding the above, a Use or Disclosure of PHI that constitutes an individual’s entire
medical record or psychotherapy notes shall not be considered to be made under “routine”
circumstances.

4.4(2) Non-Routine Uses and Disclosures of PHI Requiring Prior Approval.

Prior to making any Use or Disclosure of PHI identified below, or any Use or Disclosure that
is not identified in Section 4.4(1) of this Policy as a “routine” Use or Disclosure, EGI shall
notify the Contact Person of such intended Use or Disclosure and shall refrain from making
such Use or Disclosure absent the approval of the Contact Person provided in consultation
with the Privacy Officer. In considering whether to approve a non-routine Use or Disclosure,
the Verification requirements of Section 4.10 and the Minimum Necessary requirements of
Section 4.9 of this Policy must be met.

   a. Disclosures for Third Party Judicial or Administrative Proceedings:

       i. Court Orders: EGI shall disclose PHI in response to an order of a court or
           administrative tribunal of competent jurisdiction provided that EGI discloses only
           the PHI expressly authorized by such order. When a request is made pursuant to an
           order from a court or administrative tribunal, EGI may disclose the information
           requested without any additional process. A subpoena issued by a court constitutes
           a disclosure that is required by law and nothing in this Section or otherwise shall
            interfere with the ability of EGI to comply with such subpoena.

        ii. Written Notice: In response to a subpoena, discovery request, or other lawful
           process that is not accompanied by an order of a court or administrative tribunal, if
           EGI receives from the party seeking the PHI a written statement and accompanying
           documentation demonstrating that (A) the party seeking the PHI has made a good
           faith attempt to provide written notice to the individual who is the subject of the
           PHI or, if the subject’s location is unknown, to mail a notice to the subject’s last
           known address, (B) the notice included sufficient information about the litigation or
           proceeding in which the PHI is requested to permit the subject to raise an objection
           to the court or administrative tribunal, and (C) the time for the subject to raise
           objections to the court or administrative tribunal has elapsed and either (I) no
           objections were filed or (II) all objections filed by the subject have been resolved
           by the court or administrative tribunal and the Disclosures being sought are
           consistent with such resolution;

       iii. Qualified Protective Order: In response to a subpoena, discovery request, or other
            lawful process that is not accompanied by an order of a court or administrative
            tribunal, if EGI receives a written statement and accompanying documentation
            demonstrating that (A) the parties to the dispute giving rise to the request for
            information have agreed to a qualified protective order (a “qualified protective
            order” is an order of the court or administrative tribunal or a stipulation by the
            parties to the litigation or administrative proceeding that (I) prohibits the parties
            from Using or Disclosing the PHI for any purpose other than the litigation or
            proceeding for which such information was requested and (II) requires the PHI,
            including all copies made, to be returned to EGI or destroyed at the end of the
            litigation or proceeding) and have presented the order to the court or administrative
            tribunal with jurisdiction over the dispute or (B) the party seeking the PHI has
            requested a qualified protective order from such court or administrative tribunal.

       iv. EGI’s Efforts: In response to a subpoena, discovery request, or other lawful process
           that is not accompanied by an order of a court or administrative tribunal, if EGI
           makes reasonable efforts to provide written notice to the subject, as described
           above, or to seek a qualified protective order, as defined above in iii.

       v. All actions taken by EGI pursuant to this paragraph shall only be taken upon
          consultation with legal counsel.

   b. Uses and Disclosures for Public Health Activities: Subject to the minimum necessary
      rule described in Section 4.9 of this Policy, EGI may Disclose PHI for:

       i. Disease Prevention: A Public Health Authority that is authorized by law to collect
          or receive such information for the purpose of preventing or controlling disease,
          injury, or disability (including, but not limited to, the reporting of disease, injury,
          vital events such as birth or death, and the conduct of public health surveillance,
          public health investigations, and public health interventions) or, at the direction of a
          Public Health Authority, an official of a foreign government agency that is acting
          in collaboration with the Public Health Authority;


       ii. Reporting Child Abuse or Neglect: A Public Health Authority or other appropriate
           government authority authorized by law to receive reports of child abuse or neglect;

       iii. FDA Regulation: A person subject to the jurisdiction of the Food and Drug
            Administration (“FDA”) with respect to an FDA-regulated product or activity for
            which that person has responsibility, for the purpose of activities related to the
            quality, safety, or effectiveness of such FDA-regulated product or activity,
            including (A) collecting or reporting adverse events (or similar activities with
            respect to food or dietary supplements), product defects or problems (including
            problems with the use or labeling of a product), or biological product deviations,
            (B) tracking FDA-regulated products, (C) enabling product recalls, repairs,
            replacement, or lookback (including locating and notifying individuals who have
            received products that have been recalled, withdrawn, or are the subject of
            lookback), and (D) conducting post marketing surveillance; or

       iv. Disease Control: A person who may have been exposed to a communicable disease
           or may otherwise be at risk of contracting or spreading a disease or condition if
           EGI or a Public Health Authority is authorized by law to notify such person as
           necessary in the conduct of a public health intervention or investigation.


   c. Disclosures for Law Enforcement Purposes: EGI may Disclose an individual’s PHI to
       a law enforcement official under any of the following circumstances:

       i. Court Order: In compliance with and as limited by the relevant requirements of a
           court order, a court-ordered warrant, a subpoena or summons issued by a judicial
           officer, a grand jury subpoena, or—if (A) the PHI sought is relevant and material to
           a legitimate law enforcement inquiry, (B) the request is specific and limited in
           scope to the extent reasonably practicable in light of the purpose for which the PHI
           is sought, and (C) De-identified Information could not reasonably be used—an
           administrative request (including an administrative subpoena or summons, a civil
           or an authorized investigative demand, or similar process authorized under law);

       ii. Using PHI for Identification or Location: In response to a law enforcement
           official’s request for such PHI for the purpose of identifying or locating a suspect,
           fugitive, material witness, or missing person;

       iii. Alerting of Death: For the purpose of alerting law enforcement of the individual’s
            death, if EGI suspects that such death resulted from criminal conduct; or

       iv. Alerting of Criminal Conduct: Due to EGI’s good faith belief that such PHI
           constitutes evidence of criminal conduct that occurred in connection with benefits
           obtained through EGI.

   d. Uses and Disclosures Due to Imminent Threat to Health or Safety: EGI may,
      consistent with applicable law and standards of ethical conduct, Use or Disclose PHI if
       EGI, in good faith, including reliance on actual knowledge or on a credible
       representation by a person with apparent knowledge or authority, believes the Use or
       Disclosure is necessary to prevent or lessen a serious and imminent threat to the health
       or safety of a person or the public and involves PHI, including Psychotherapy Notes,
       Disclosed to a person or persons reasonably able to prevent or lessen the threat,
       including the target of the threat.

   e. Uses and Disclosures Required by Military Authority: EGI may Use or Disclose the
      PHI of individuals who are Armed Forces personnel, or foreign military personnel, for
      activities deemed necessary by appropriate military command authorities to assure the
      proper execution of a military mission, if the appropriate military authority has
      published by notice in the Federal Register (i) the appropriate military command
      authorities and (ii) the purposes for which the PHI may be Used or Disclosed.

   f. Uses and Disclosures for National Security Activities: EGI may Disclose PHI to
      authorized federal officials for the conduct of lawful intelligence, counter-intelligence,
      and other national security activities authorized by the National Security Act (50
      U.S.C. § 401 et seq.) and implementing authority (e.g., Executive Order 12333).

   g. Disclosures to Coroners and Medical Examiners: EGI may Disclose PHI, including
      Psychotherapy Notes, to a coroner or medical examiner for the purpose of identifying a
      deceased person, determining a cause of death, or other duties as authorized by law. In
      connection with such Disclosure, EGI shall not be required to redact identifying
      information about persons other than the deceased individual.

   h. Disclosures to Funeral Directors: EGI may Disclose an individual’s PHI to funeral
      directors, consistent with applicable law, as necessary to carry out their duties with
      respect to the individual after his death, or prior to and in reasonable anticipation of the
      individual’s death.



REFERENCES/CITATIONS

45 C.F.R. §§ 164.512, 164.514(d)

Fed. Reg. at 82,544-45 (Dec. 28, 2000)




Section 4.5: Conducting Underwriting Activities

Effective Date: April 14, 2003

POLICY

Under HIPAA, a Group Health Plan may condition eligibility for enrollment on the Member’s
Authorization to allow PHI to be obtained for the purpose of risk rating or underwriting an
individual enrollment. In some circumstances, EGI requires evidence of insurability as a
condition of a Member’s enrollment in a Group Health Plan. In such cases, enrollment will be
conditional upon the individual’s Authorization for EGI to receive PHI for underwriting
purposes.

4.5(1) Conditioning Plan Enrollment on the Individual’s Authorization

A Member’s ability to be enrolled in a Group Health Plan may be conditioned on the
Member’s provision of a valid Authorization for EGI to obtain PHI for the purpose of
underwriting, premium rating, or other activities relating to the creation, renewal, or
replacement of a contract of health insurance or health benefits (collectively, “underwriting
activities”) based on its current Self-funded Group Health Plan’s requirements relating to
evidence of insurability. Such Authorization shall not permit the Use or Disclosure of
Psychotherapy Notes.

4.5(2) Request for PHI for Underwriting Activities

Unless and until EGI receives an individual’s Authorization, EGI shall not request the
individual’s PHI from other entities in order to conduct underwriting activities.

4.5(3) Use and Disclosure of PHI Received for Underwriting Activities

Unless and until a Member is enrolled in a Group Health Plan, EGI shall not Use and Disclose
PHI received for underwriting activities except for such underwriting activities or as otherwise
required by law. Upon the Member’s enrollment, EGI may Use and Disclose such PHI as
permitted by this Manual.

REFERENCES/CITATIONS

45 C.F.R. §§ 164.508(b)(4)(ii), 164.514(g)

65 Fed. Reg. at 82,514, 46 (Dec. 28, 2000)




Section 4.6: Research Disclosures and Uses

Effective Date: April 14, 2003

POLICY

EGI shall not Use or Disclose, for Research purposes, PHI that has not been De-identified as
required by Section 4.13, without a signed Authorization that identifies the PHI to be
Disclosed, the specific research for which the Use or Disclosure is authorized, and the
individual who may Use or to whom the PHI may be Disclosed. Any Use or Disclosure of
such PHI must be made in accordance with the terms of the Authorization.

REFERENCES/CITATIONS

45 C.F.R. § 164.508




Section 4.7: Making Notification Disclosures

Effective Date: April 14, 2003

POLICY

EGI may make a Notification Disclosure if the individual’s agreement is obtained or can be
implied under the circumstances.

4.7(1) Notification Disclosures Dependent on Express or Implied Approval.

EGI’s ability to make a specific Notification Disclosure shall be subject to the express or
implied approval of the individual who is the subject of the PHI. Specifically, the Plan may
make a Notification Disclosure only if at least one of the following circumstances applies:

a.   The individual is available to and has the capacity to make health care decisions, and
     EGI obtains the individual’s agreement to allow the Notification Disclosure;

b.   EGI provides the individual the opportunity to object to the Notification Disclosure, and
     the individual does not express an objection to such Notification Disclosure;

c.   The individual is available to and has the capacity to make health care decisions, and
     EGI reasonably infers from the circumstances that the individual does not object to the
     Disclosure;

d.   The individual is not present to, or does not have the capacity to, make health care
     decisions, EGI determines in the exercise of reasonable judgment (considering potential
     harm to the individual due to domestic violence, if applicable) that the Notification
     Disclosure is in the best interests of the individual, and any Disclosure of PHI is directly
     relevant to the recipient’s involvement with the individual’s health care; or

e.   The Notification Disclosure is made to an entity authorized by law or its charter to assist
     in disaster relief efforts, the Notification Disclosure is made regarding the individual’s
     location, general condition, or death, and EGI determines in the exercise of professional
     judgment that to depend on the individual’s approval would interfere with an adequate
     response to a present emergency.

Notwithstanding the above, EGI may make a Disclosure that qualifies as a Notification
Disclosure if such Disclosure is permissible for reasons other than its being a Notification
Disclosure (for instance, because it qualifies as a Disclosure for EGI’s Payment activities).




4.7(2) Documentation of Permissibility of Notification Disclosures.

In the event EGI makes a Notification Disclosure (that is a permissible Disclosure only
because it is a Notification Disclosure), EGI shall document its determination that such
Notification Disclosure is permissible. Any such documentation shall be retained in
accordance with Section 9.2 of this Manual.

REFERENCES/CITATIONS

45 C.F.R. §§ 164.510(b), 164.522(a)

65 Fed. Reg. at 82,521-24, 82,663-66 (Dec. 28, 2000)




Section 4.8: Review of Requests for Use or Disclosure Requiring Approval by the Privacy Officer

Effective Date: April 14, 2003

POLICY

EGI may Use or Disclose PHI only if such Use or Disclosure is permissible under the HIPAA
Privacy Standards. Unless a Use or Disclosure is categorized as “routine” under Section 4.4(1)
of this Policy, a request for Use or Disclosure must be approved by the Contact Person in
consultation with the Privacy Officer.

4.8(1) Review of Intended Use or Disclosure of PHI

a.     Upon notification of an intended Use or Disclosure of PHI that is not deemed routine,
       the Contact Person shall determine if the information to be Used or Disclosed is PHI.
       If the information is PHI, the Contact Person shall determine whether the intended Use
       or Disclosure is a required Disclosure in accordance with Section 4.3 of this Policy or a
       permissible Use or Disclosure in accordance with Section 4.4 of this Policy or some
       other provision of this Manual.

b.     Upon a determination by the Contact Person that EGI must make a required
       Disclosure, or that EGI should make a permitted Use or Disclosure, the Contact Person
       shall, if the Privacy Officer was not involved in the determination, as soon as
       administratively practicable, communicate the determination to the Privacy Officer,
       and upon approval of the Privacy Officer, communicate the determination to the
       individual who requested it.

c.     If the determination is not approved by the Privacy Officer, the Privacy Officer shall
       make a determination as to the requested disclosure as required by this Manual, the
       System Administration’s applicable policies and procedures and the HIPAA Privacy
       Rules which shall be communicated to the requesting individual as soon as
       administratively practical.

d.     The communication must inform the individual either that the Use or Disclosure can be
       made; or, if the information cannot be Disclosed, inform the requestor that to make
       such Use or Disclosure, an Authorization from each individual who is a subject of the
       PHI must first be obtained.




Section 4.9: Minimum Necessary Standard for Uses and Disclosures of PHI

Effective Date: April 14, 2003

POLICY

The HIPAA Privacy Standards require that some Uses or Disclosures of PHI be limited in their
scope.

4.9(1) When Minimum Necessary Standard Must be Applied

To the extent that the Use or Disclosure of PHI may be approved as a permissive use without
an Authorization under this Policy, EGI may Use or Disclose only the PHI that is reasonably
necessary to accomplish the purpose for which the Use or Disclosure is sought. This is known
as the “minimum necessary standard.”

4.9(2) Disclosure of Entire Record

If a Use or Disclosure involves an individual’s entire medical record, the Privacy Officer shall
document the justification for such Use or Disclosure, in accordance with Section 9.2 of this
Manual.

4.9(3) Exceptions from Application

A contemplated Use or Disclosure of PHI is not subject to the minimum necessary standard if
the Use or Disclosure is approved as a reasonable response to one of the following:

a.   The Disclosure is to the individual that is the subject of the PHI;

b.   The Use or Disclosure is permitted by an Authorization and the Use or Disclosure is
     made in accordance with the terms of the Authorization;

c.   A public official requests the PHI (for reasons other than Payment, Health Care
     Operations, or Notification Disclosure) and represents that such PHI is the minimum
     necessary for the stated purpose;

d.    Another Covered Entity requests the PHI;

e.    A professional who is a member of EGI’s workforce or a Business Associate that
      provides professional services to EGI, such as an auditor, requests the PHI and
      represents that the information requested is the minimum necessary for the stated
      purpose; or

f.   The Disclosure is required by law.

4.9(4) Incidental Disclosures

A Use or Disclosure that occurs incidentally to another Use or Disclosure permitted by this
Policy shall be acceptable, provided that the Plan employs reasonable safeguards to limit
incidental Uses and Disclosures.

REFERENCES/CITATIONS

45 C.F.R. §§ 164.502(b), 164.514(d)




Section 4.10: Verification of Requestor’s Identity and Authority

Effective Date: April 14, 2003

POLICY

Prior to any Disclosure of an individual’s PHI (other than a Notification Disclosure or a
Disclosure in response to a threat to health or safety), EGI shall verify, as reasonable under the
circumstances, the identity of the person requesting the PHI and the authority of such person to
have access to PHI, to the extent such person’s identity and/or authority is relevant to whether
such Disclosure is permissible under this Policy and to the extent such person’s identity and/or
authority is not already known to the Privacy Officer or the Contact Person.

4.10(1) General requirements.

   a. Verification must be completed as required by this Policy before any Disclosure takes
      place.
   b. Verification may be based upon the identification of the Privacy Officer, the Contact
      Person, or a person that is employed by System provided that the person has no
      personal involvement in the request or the outcome of the request of the PHI.
   c. Documentation presented in support of verification will be presumed to be valid. For
      example, a state driver’s license, an employee identification badge issued by System, a
      United States Passport or other photo identification issued by a local, state or federal
      governmental agency; a written document on appropriate government letterhead; or, a
      warrant, subpoena, order, or other legal process issued by a grand jury or a judicial or
      administrative tribunal shall be accepted at face value unless circumstances clearly
      place the validity of the document into question.
   d. The Privacy Officer may approve any other method of verification provided that the
      Privacy Officer documents the approval and method of verification in a signed writing
      prior to the Use or Disclosure.

4.10(2) Verification of a Requesting Public Official

Verification of a person’s identity and status as a public official may include, but is not limited to:

   a. if responding to a telephone request, calling back the requestor through a number
      obtained from an official directory or the letterhead for a known place of business or
      receipt of a Facsimile containing a written statement on appropriate government
      letterhead;

   b. if the request is in writing, the request is on the appropriate government letterhead;

   c. if the request is in person, presentation of an agency identification badge or other
      official credential sufficient to identify the individual and the individual’s capacity; or


   d. if the Disclosure is to a person acting on behalf of a public official (e.g., a non-profit
      agency contracting with a public health agency to collect and analyze data), a written
      statement on appropriate government letterhead that the person is acting under the
      government’s authority or other documentation of agency, such as a contract for
      services, memorandum of understanding, or purchase order, that establishes that the
      person is acting on behalf of the public official plus sufficient proof of the individual’s
      identity.

4.10(3) Verification of a Requesting Individual

Verification of a person’s status as an individual requesting his or her own PHI may
include, but is not limited to:
    a. presentation of an employee identification badge issued by System, or a valid photo
       identification issued by a local, state or federal governmental agency such as a driver’s
       license or U.S. passport;
    b. presentation of a plan identification card issued to the individual by a plan offered by
       EGI; or
    c. the ability to provide three or more non-public informational items from a record kept
       by System as to that individual.

4.10(4) Documentation

Verification must be documented and retained before any Use or Disclosure requiring
verification is made:
    a. in the case of a verification by a person as described in Section 4.10(1)(b), a statement
        signed by the person describing the basis of his or her knowledge of the individual’s
        identity, the date and the person’s office and phone number at System; provided that if
        an employee providing the identification is at a location away from the EGI staff
        accepting the verification, the statement must be received at EGI’s office by facsimile
        before any Use or Disclosure is made;
    b. in the case of a verification by a telephonic call back, a notation of all names of
        individuals involved in the call, the number used for the call back and the source of the
        number; and
    c. in all cases involving physical documentation, if feasible, retention of the original
        including any documentation made pursuant to Section 4.10(1)(d); or if retention of the
        original is not feasible (such as in the case of a license or badge), a copy of any and all
        items or document presented for verification purposes.

REFERENCES/CITATIONS

45 C.F.R. § 164.514(h)




Section 4.11: Obtaining and Relying Upon an Authorization

Effective Date: April 14, 2003

POLICY

EGI shall obtain an individual’s written Authorization before requesting, Using or Disclosing
the individual’s PHI when such request, Use or Disclosure is not permitted by the HIPAA
Privacy Standards without an Authorization.

4.11(1) Obtaining an Individual’s Written Authorization

Except as otherwise provided in this Manual, EGI shall obtain an individual’s signed, written
Authorization before requesting, Using, or Disclosing the individual’s PHI in situations when
the intended request, Use or Disclosure is not otherwise permitted by the HIPAA Privacy
Standards. EGI’s Authorization for the Use and Disclosure of Protected Health Information
form, a copy of which is attached as a Form in the Appendix to this Manual and which
contains the elements required by the HIPAA Privacy Standards, or another specific form for
specific circumstances shall be used whenever possible. A Member may initiate an
Authorization, in which case the individual shall not be required to reveal the purpose of the
requested Use or Disclosure.

4.11(2) Personal Representative

In accordance with Section 4.12 of this Manual, an individual’s personal representative has the
authority to give and revoke Authorizations on behalf of the individual.

4.11(3) Provision of Copies to the Member

EGI shall provide each Member with a copy of any signed Authorization that is personally
provided by the Member to EGI. EGI shall provide a Member with a copy of any signed
Authorization that it does not receive in person from the Member at the written request of the
Member provided that the specific Authorization is adequately identified in the request. EGI
will not comply with global requests for all Authorizations received concerning a particular
individual, except as part of a Member’s request for access to the Member’s PHI in accordance
with Section 7.2 of this Manual.

4.11(4) Reliance on an Authorization

Prior to Using or Disclosing PHI in reliance on an Authorization, an employee of EGI
qualified to make such a determination shall review the Authorization to ensure that:

   a. the Authorization contains all applicable elements described in this Section;




   b. any expiration date has not passed, and any expiration event is not known by EGI to
      have occurred;

   c. the Authorization has been filled out completely;

   d. the Authorization has not been revoked in accordance with this Section;

   e. to the extent known by EGI, the Authorization was not obtained due to a condition that
      violates this Section;

   f. the Authorization is not combined with another document in violation of this Section;
      and

   g. no material information in the Authorization is known by EGI to be false.

Upon receipt of a valid Authorization, the Authorization shall be filed with the individual’s
Designated Record Set, in accordance with Section 9.2 of this Manual.

4.11(5) Contents of an Authorization

An Authorization, to be valid, must contain all of the following elements written in plain and
understandable language:

   a. a description of the information to be Used or Disclosed that identifies the information
      in a specific and meaningful fashion;

   b. a statement that EGI or System Administration or the System or an employee of one of
      these entities is authorized to make the requested Use or Disclosure;

   c. the name or other specific identification of the persons, or class of persons, to whom
      the requested Use or Disclosure may be made;

   d. a description of each purpose of the requested Use or Disclosure, except that, if an
      individual initiates the Authorization and does not provide a statement of the purpose,
      the statement “at the request of the individual” is sufficient;

   e. an expiration date or an expiration event that relates to the individual or the purpose of
      the Use or Disclosure;

   f. a statement that places the individual on notice of the individual’s right to revoke the
      Authorization in writing, and either (i) the exceptions to the right to revoke and a
      description of how the individual may revoke the Authorization or (ii) to the extent
      such information is included in the Plan’s notice of privacy practices, a reference to the
      notice;

   g. a statement that places the individual on notice of the ability or inability of the person
      requesting the Authorization to condition Treatment, Payment, enrollment, or
      eligibility for benefits on the Authorization, by stating either (i) if Treatment,
       enrollment, or eligibility for benefits is conditioned on whether the individual signs the
       Authorization, the consequences to the individual of a refusal to sign the Authorization,
       or (ii) that Treatment, Payment, enrollment, or eligibility for benefits is not conditioned
       on whether the individual signs the Authorization;

   h. if the Authorization is for Marketing that involves direct or indirect remuneration from
      a third party, a statement that such remuneration is involved;

   i. a statement that places the individual on notice of the potential for information
      Disclosed pursuant to the Authorization to be subject to re-disclosure by the recipient
      and to no longer be protected by the HIPAA Privacy Standards; and

   j. a description of and the signature of the individual with the date signed and, if the
      Authorization is signed by a personal representative of the individual, a description of
      such representative’s authority to act for the individual.

4.11(6) Revocation of an Authorization

An individual shall have the right to revoke his or her Authorization at any time, provided that
the individual’s revocation is in writing. The revocation is effective upon its receipt by the
Contact Person. EGI’s form Revocation of Authorization, a copy of which is contained in the
Appendix to this Manual, may be used by the individual. When the Contact Person receives
an individual’s written revocation (or learns, if the Authorization was obtained by a person
other than EGI, from that person or the individual that the Authorization has been revoked),
the Contact Person shall notify applicable parties of the revocation of Authorization and
document the revocation or information concerning the revocation received by the person
obtaining the Authorization. EGI shall stop Using and Disclosing the individual’s PHI in
reliance on the Authorization, except to the extent EGI has already taken action in reliance on
the Authorization. If EGI has not yet Used or Disclosed the PHI, EGI shall refrain from doing
so, pursuant to the revocation. If EGI has already Disclosed the information, EGI need not
retrieve the information. Notwithstanding the above, if an Authorization is obtained as a
condition of obtaining insurance coverage under a policy or certificate, a revocation of the
Authorization shall not be effective to the extent any law provides an insurer with the right to
contest either a claim under the policy or certificate or the policy or certificate itself and the
revocation would cause Uses or Disclosures for such purpose to be prohibited.

4.11(7) Conditioning Activities on the Provision of an Authorization

The provision of Treatment, Payment, health plan enrollment, or eligibility for health plan
benefits may not be conditioned on an individual’s provision of an Authorization, except as
follows:

   a. a Covered Entity, including EGI, may condition the provision of health care on an
      individual’s provision of an Authorization if (i) such health care is solely for the
      purpose of creating PHI for Disclosure to a third party and (ii) such Authorization is for
      the Disclosure of such PHI to such third party; or

   b. enrollment in a health plan may be conditioned upon an individual’s provision of an
      Authorization if the Authorization (i) is requested prior to the individual’s enrollment
      in the health plan; (ii) is sought for eligibility or enrollment determinations relating
      to the individual or for the plan’s underwriting or risk rating determinations; and (iii) does not
      authorize a Use or Disclosure of Psychotherapy Notes.

4.11(8) Combining Authorizations.

An Authorization may not be combined with any other document, except as follows:

   a. an Authorization for the Use or Disclosure of PHI for a specific research study may be
      combined with any other type of written permission for the same research study; and

   b. an Authorization may be combined with another Authorization if they are visually and
      organizationally separate and are separately signed and dated, unless (i) one
      Authorization is for a Use or Disclosure of Psychotherapy Notes, and the other is not,
      or (ii) the provision of Treatment, Payment, plan enrollment, or eligibility for plan
      benefits was conditioned on the provision of one of the Authorizations.

4.11(9) Effect of an Authorization Made Prior to April 14, 2003

EGI may Use or Disclose PHI pursuant to an Authorization or other express legal permission
obtained from an individual prior to April 14, 2003, if the Authorization or other express legal
permission specifically permits such Use or Disclosure and there is no agreed-upon restriction
on the Use or Disclosure of that PHI; provided, however, that such Authorization shall be valid
for non-research purposes only in connection with PHI that EGI created or received prior to April
14, 2003.

4.11(10) Retention of Authorizations

EGI shall maintain any written Authorization, or the electronic record of any Authorization,
that it receives in accordance with Section 9.2 of this Manual.

REFERENCES/CITATIONS

45 C.F.R. §§ 164.508, 164.532

65 Fed. Reg. at 82,513-21, 82,650-62 (Dec. 28, 2000); 67 Fed. Reg. at 53,219-26 (Aug. 14,
2002)

                         EMPLOYEE GROUP INSURANCE
             TREATMENT OF PROTECTED HEALTH INFORMATION
Section 4.12: Personal Representatives              Page: 1 of 2

Effective Date: April 14, 2003

POLICY

A person who qualifies under applicable law as an individual’s personal representative may be
treated by EGI as the individual for purposes of this Manual. The purpose of this Policy is to
identify the process by which a determination shall be made. It does not represent an attempt
to set forth all the applicable laws under which a person may qualify as a Personal
Representative of another individual.

4.12(1) Identification of Personal Representatives

   a. A person qualifies as an individual’s “personal representative” to the extent the person
      has authority under applicable state or federal law to act on the individual’s behalf in
      connection with the individual’s PHI, including a person with authority to act on behalf
      of a deceased individual or the individual’s estate.

   b. A person who presents himself or herself to EGI as the personal representative of an
      individual in order to exercise the rights of that individual afforded to an individual
      under the HIPAA Privacy Rules and/or this Manual shall be required to provide
      documentation of his or her status to EGI, except that in the case where a person
      presents himself or herself as the parent of an individual who is a minor child,
      verification may be based on confirmation of the child’s enrollment as the dependent
      minor child of the person in a benefit plan administered or sponsored by The System, in
      the absence of evidence that the person is not the child’s legal representative.

   c. In the case of a person whose representation is based on an attorney-client relationship
      with the individual, the person must present or transmit by facsimile a verification of
      legal representation.

   d. The Contact Person, in consultation with the Privacy Officer, shall determine whether
      the documentation indicates that under applicable law the person is legally entitled to act
      on behalf of the individual.

   e. Notwithstanding paragraph c of this subsection, the Privacy Officer may elect not to treat
      a person as an individual’s personal representative if (i) the Privacy Officer has a
      reasonable belief that (A) the individual has been or may be subjected to domestic
      violence, abuse, or neglect by such person or (B) treating such person as the personal
      representative could endanger the individual; and (ii) the Privacy Officer, in the exercise
      of professional judgment, decides that it is not in the best interest of the individual to
      treat the person as the individual’s personal representative.

   f. A person who is determined to be an individual’s personal representative must also verify his
      or her identity as that person through the verification processes described in Section 4.10
      of this Manual.

4.12(2) Authority of Personal Representatives

If the Privacy Officer determines that a person is an individual’s personal representative, EGI
shall treat such person as the individual for purposes of this Manual. For example, the person
has the authority to sign and revoke Authorizations on behalf of the individual, and the person
has the authority to exercise the individual privacy rights described in this Manual on behalf of
the individual.

4.12(3) Documentation of Personal Representative Determinations

Upon making a determination regarding whether to recognize a person as an individual’s
personal representative, the Privacy Officer shall document the determination. EGI shall retain
such documentation in accordance with Section 9.2 of this Manual.

REFERENCES/CITATIONS

45 C.F.R. § 164.502(g)

65 Fed. Reg. at 82,500-01, 82,633-35 (Dec. 28, 2000); 67 Fed. Reg. at 53,199-203 (Aug. 14,
2002)
Section 4.13: De-identified Information             Page: 1 of 1

Effective Date: April 14, 2003

POLICY

De-identified Information shall not be subject to the protections and rights set forth in this
Manual, but an identifying code shall be.

4.13(1) De-identified Information Is Not PHI

For all purposes, De-identified Information is not PHI and therefore shall not be subject to this
Manual as PHI, provided that Subsection 4.13(2) of this Section is not violated.

4.13(2) Use of Identifying Code for Re-identification

If EGI creates De-identified Information, EGI may assign a code (or other means of record
identification) to allow such information to be re-identified by EGI, provided that such code is
not derived from or related to information about the individual and is not otherwise capable of
being translated so as to identify the individual. EGI shall not Use or Disclose such code,
except that EGI may Use or Disclose to a Business Associate such code in order to re-identify
the De-identified Information for purposes consistent with this Manual. Disclosure of a code
must be approved by the Contact Person in consultation with the Privacy Officer.
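The requirement that the code be neither derived from information about the individual nor translatable back to the individual is the part most often got wrong in practice: a hash of a member or employee number looks opaque, but it is derived from that number and can be translated back simply by hashing every value in the identifier space. The Python below is an added illustration and is not part of this Manual or of any EGI system. It assumes a constructed set of records keyed by a five-digit employee number (invented data) and shows a derived code being translated back, beside a random code whose only link to the individual is a key table held separately from the De-identified Information.

```python
import hashlib
import secrets

# Constructed sample records for this example; names and numbers are invented.
SAMPLE_RECORDS = [
    {"employee_no": "48213", "name": "A. Example", "diagnosis_code": "E11.9"},
    {"employee_no": "07765", "name": "B. Example", "diagnosis_code": "J45.20"},
]
DIRECT_IDENTIFIERS = ("employee_no", "name")


def derived_code(employee_no):
    """The non-compliant approach: a code computed from the identifier.

    A hash looks opaque, but because it is a function of the employee number
    it is 'derived from information about the individual', and for a small
    identifier space it can be translated back by enumeration.
    """
    return hashlib.sha256(employee_no.encode()).hexdigest()


def translate_derived_code(code, id_space=100_000):
    """Recover the employee number behind a derived code by trying every value
    in the (assumed) five-digit identifier space. No key is needed."""
    for n in range(id_space):
        candidate = f"{n:05d}"
        if derived_code(candidate) == code:
            return candidate
    return None


def deidentify(records):
    """Strip direct identifiers and attach a random re-identification code.

    Returns (deidentified_records, key). The key maps each random code back to
    the identifiers it replaced and is held separately from the data set; it is
    the only way back, which is what lets a random code satisfy the 'not capable
    of being translated' requirement.
    """
    deidentified = []
    key = {}
    for rec in records:
        code = secrets.token_hex(16)  # independent of every field in rec
        key[code] = {k: rec[k] for k in DIRECT_IDENTIFIERS}
        stripped = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        stripped["reid_code"] = code
        deidentified.append(stripped)
    return deidentified, key


def reidentify(record, key):
    """Re-identify one record using the separately held key. Raises KeyError if
    the code is unknown, e.g. when the key was never released to the caller."""
    return {**record, **key[record["reid_code"]]}


if __name__ == "__main__":
    weak = derived_code("48213")
    print("derived code translated back to:", translate_derived_code(weak))
    data, key = deidentify(SAMPLE_RECORDS)
    print("de-identified:", data)
    print("re-identified with key:", reidentify(data[0], key))
```

The point of the split is that the De-identified Information can be handed to an analyst or vendor without the key, and re-identification then requires the Contact Person's approval to release the key, as the subsection above requires; with the hash-based code there is nothing to withhold.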


REFERENCES/CITATIONS

45 C.F.R. §§ 164.502(d)(2), 164.514(a)-(c)

65 Fed. Reg. at 82,499, 82,542-43, 82,708-12 (Dec. 28, 2000); 67 Fed. Reg. at 53,232-34
(Aug. 14, 2002)
Section 4.14: Documentation of Disclosures          Page: 1 of 2

Effective Date: April 14, 2003

POLICY

The HIPAA Privacy Standards require documentation to enable EGI to respond adequately to
an individual’s request for an accounting of disclosures. Any Disclosure of PHI by EGI that
requires documentation shall be documented in the individual’s Designated Record Set by use of
the form Disclosure Log in the Appendix to this Manual. The documentation must include:
(i) the date of the Disclosure; (ii) the name and, if known, address of the person who receives
the PHI; (iii) a brief description of the PHI Disclosed; (iv) a brief statement of the basis of the
Disclosure; (v) if the Disclosure is made pursuant to a written request, that written request; and
(vi) a copy of, or a reference to, any other documents considered by the Privacy Officer in
approving the request; all of which shall be maintained as required by Section 9.2 of this
Manual. The following chart lists the documentation requirements for the categories of
Disclosures contained in this Policy:




             Category of Disclosure                                      Documentation
             --------------------------------------------------------    -------------
             Disclosure to the Individual                                     No
             Disclosure to a Personal Representative                          Yes
             Secretary Inspection                                             Yes
             Under an Authorization                                           No
             Payment                                                          No
             Health Care Operations                                           No
             Another Covered Entity                                           No
             Required by Law                                                  Yes
             Judicial or Administrative Proceedings                           Yes
             Public Health Activities                                         Yes
             Limited Data Set                                                 No
             Notification Disclosures                                         No
             Imminent Threat to Health or Safety                              Yes
             Health Oversight Activities                                      Yes
             Workers’ Compensation                                            Yes
             Law Enforcement Purposes                                         Yes
             Coroners and Medical Examiners                                   Yes
             Funeral Directors                                                Yes
             Required by Military Authority                                   Yes
             National Security Activities                                     No
             Incidental Disclosures                                           No
             Any other Disclosure, whether intentional or unintentional       Yes




REFERENCES/CITATIONS

45 C.F.R. §§ 164.502(b), 164.514(d)(3)(i), 164.530(j)
Policy 5: EGI As A Plan Sponsor                       Page: 1 of 3

Effective Date: April 14, 2003

POLICY

Although EGI’s status as a Plan Sponsor for purposes of the HIPAA Privacy Rules does not
subject EGI to the jurisdiction of the Secretary, HIPAA requires a Carrier that is a Covered
Entity to provide coverage under a Group Health Plan only to employers who agree to comply
with the HIPAA Plan Sponsor rules when functioning as the Plan Sponsor. It is EGI’s policy
that when functioning in its capacity as a Plan Sponsor for a Fully-insured Group Health Plan
(“Plan”) providing Group Health Plan coverage to Members, EGI shall comply with the Plan
Sponsor rules.

5.1 Notice Provided by the Plan

When acting as a Plan Sponsor, EGI shall distribute a copy of the Plan’s notice within 30 days
to any individual who requests a copy, regardless of the individual’s relationship with the Plan.

5.2 Identifying Plan Participants and Enrollees

The Plan may Disclose to EGI information on whether the individual is participating in the
Plan or is enrolled in or has disenrolled from the Plan.

5.3 Obtaining Premium Bids

If EGI needs PHI in order to obtain premium bids from health plans for providing health
insurance coverage, and if the Plan’s notice of privacy practices permits the Plan to Disclose
PHI to EGI, EGI can obtain and Disclose Summary Health Information from the Plan for such
purpose. The Plan may Disclose PHI that is not Summary Health Information to EGI only if
all individuals who are the subjects of such PHI have provided Authorization for such
Disclosure. If the Plan’s notice of privacy practices does not state that the Plan may Disclose
PHI to EGI, the Plan may Disclose Summary Health Information that is PHI to EGI for such
purpose only pursuant to an Authorization.

5.4 Modifying, Amending, or Terminating the Plan.

If EGI needs PHI in order to consider or execute a modification, amendment, or termination of
the Plan, and if the Plan’s notice of privacy practices states that the Plan may Disclose PHI to
EGI, the Plan may Disclose Summary Health Information to EGI for such purpose. The Plan
may Disclose PHI that is not Summary Health Information to EGI for such purpose only if all
individuals who are the subjects of such PHI have provided Authorization for such Disclosure.
If the Plan’s notice of privacy practices does not state that the Plan may Disclose PHI to EGI,
the Plan may Disclose Summary Health Information that is PHI to EGI for such purpose only
pursuant to an Authorization.

5.5 Conducting Inquiries and Advocacy on Behalf of a Member to the Plan

EGI recognizes that when EGI staff makes inquiries or advocates to the Plan on behalf of a
Member seeking claim coverage or other services from the Plan, EGI is acting as the
representative of the Member rather than as the Plan Sponsor. Therefore, the Plan shall not
Disclose PHI to an employee of EGI, the Office of Human Resources at System
Administration, or an Office of Human Resources (“OHR”) of a component institution as a
Business Associate of EGI in connection with such representation unless the Member provides
an Authorization to the Plan. A form Authorization is included in the Appendix that will
allow both an employee of the OHR at the component institution where the Member is
employed and EGI staff to obtain PHI on behalf of a Member in order to represent the Member
in transactions with the Plan that involve the Disclosure of PHI.

5.6 Conducting Non-Plan Employment-related Actions or Decisions.

The Plan shall not Disclose PHI to EGI in connection with EGI’s employment-related actions
and decisions unless each Member who is a subject of the PHI provides Authorization for such
Disclosure.

5.7 Underwriting Required by the Plan

If the terms of the Plan require individual underwriting for certain categories of Members that
apply for enrollment in the Plan, EGI shall obtain Authorizations for such underwriting
activities as set forth in Section 4.5 of this Manual.

5.8 Administering Other Employee Benefits or Employee Benefit Plans

EGI shall not require Disclosure of PHI from the Plan in connection with any employee
benefit or employee benefit plan other than the Plan unless each individual who is a subject of
the PHI provides an Authorization for such Disclosure or the Disclosure is for Payment or
Health Care Operations.

5.9 Disclosures for Any Other Purpose

EGI may require Disclosure of PHI by the Plan for any purpose not set forth in this Policy but
only for Disclosures that are permissible under the Plan’s HIPAA compliance policies. Before
requesting the Disclosure, EGI must:

a.     (i) ensure that the Plan’s notice of privacy practices states that the Plan may Disclose
       PHI to EGI and (ii) agree to (A) restrict EGI’s Use and Disclosure of PHI in
       accordance with the HIPAA Privacy Standards, (B) provide any required Certification
       to the Plan, and (C) establish adequate protection for the PHI by (1) identifying those
       individuals within EGI entitled to receive Plan PHI, (2) restricting access to Plan PHI
       to the identified individuals, and (3) agreeing to resolve privacy violations by the
       identified individuals; or

b.     obtain an Authorization from each individual who is a subject of the PHI to be
       Disclosed to EGI.

5.10   Documentation of Plan Provisions and Company Certifications

EGI shall document (i) any agreement that is intended to permit Disclosure of PHI to EGI and
(ii) any Certification given by EGI to receive PHI in connection with the Plan. Such
documentation shall be retained in accordance with Section 9.2 of this Manual.

5.11   Authorizations

Any Authorization required under this Policy must meet the requirements for authorizations
set forth in Section 4.11 of this Manual.

REFERENCES/CITATIONS

45 C.F.R. § 164.504(f)

Policy 6: Relationships With Other Entities            Page: 1 of 1

Effective Date: April 14, 2003

POLICY

EGI shall comply with the requirements set forth in this Policy when dealing with the following
entities: Business Associates, Carriers Providing Group Health Plan Coverage, and recipients
of Limited Data Sets.

This Policy 6 consists of the following Sections:

       Section 6.1: Business Associates

       Section 6.2: Carriers Providing Group Health Plan Coverage

       Section 6.3: Agreements With Recipients of a Limited Data Set

Section 6.1: Contracts With Business Associates    Page: 1 of 3

Effective Date: April 14, 2003

POLICY

EGI shall require any Business Associate of EGI to agree by written agreement to certain
restrictions and duties with respect to PHI that the Business Associate creates, collects or holds
on behalf of EGI in its capacity as a Covered Entity.

6.1(1) Identifying Business Associates

EGI shall review existing Self-funded Group Health Plan-related contracts that involve Use or
Disclosure of PHI in order to determine whether such contracts need to be amended to include
Business Associate agreement provisions. Prior to entering into any new agreement with
another entity concerning such services or activities, EGI shall determine whether the entity is
a Business Associate as a result of such services or activities.

Business Associates may include persons who have periodic contact with PHI (e.g., outside
auditors), or substantial contact with PHI (e.g., vendors providing claims processing).

6.1(2) Contracting with Business Associates

If a Business Associate creates, receives, Uses, or Discloses EGI PHI, EGI shall require the
Business Associate to enter into a written contract or other written agreement with EGI that:

a.     Establishes the Business Associate’s permitted and required Uses and Disclosures of
       EGI PHI, which Uses and Disclosures would not violate the HIPAA Privacy Standards
       if performed by EGI, except that the agreement may permit the Business Associate to
       (i) Use EGI PHI as necessary to carry out the Business Associate’s proper management
       and administration or legal responsibilities; (ii) Disclose EGI PHI for such purposes if
       the Disclosure is required by law or if the Business Associate obtains reasonable
       assurances from the person to whom EGI PHI is Disclosed that it will be held
       confidentially and Used or further Disclosed only as required by law or for the purpose
       for which it was Disclosed to the person and the person notifies the Business Associate
       of any instances of which it is aware in which the confidentiality of EGI PHI has been
       breached; and (iii) conduct data analyses relating to the Health Care Operations of
       both EGI and another entity of which the Business Associate is a Business Associate.

b.     Provides that the Business Associate shall use appropriate safeguards to prevent Use or
       Disclosure of EGI PHI other than as provided for by the agreement;

c.     Provides that the Business Associate shall report to EGI any Use or Disclosure of EGI
       PHI not provided for by the agreement of which it becomes aware;

d.     Provides that the Business Associate shall ensure that any agent, including a
       subcontractor, to whom it provides EGI PHI agrees to the same restrictions and
       conditions that apply to the Business Associate with respect to such PHI;

e.     Provides that the Business Associate shall make EGI PHI available to individuals in the
       same manner as the Plan in accordance with Section 7.2 of this Manual;

f.     Provides that the Business Associate shall make EGI PHI available to individuals for
       amendment in the same manner as EGI in accordance with Section 7.3 of this Manual
       and, if informed of an amendment to EGI PHI by EGI or other Covered Entity, shall
       incorporate such amendment into the Business Associate’s Designated Record Set;

g.     Provides that the Business Associate shall make EGI PHI available as required to
       provide an accounting of disclosures to individuals in the same manner as EGI in
       accordance with Section 7.4 of this Manual;

h.     Provides that the Business Associate shall make its internal practices, books, and
       records relating to the Use and Disclosure of EGI PHI available to the Secretary for
       purposes of determining EGI’s compliance with the HIPAA Privacy Standards;

i.     Provides that the Business Associate shall, at termination of the contract, if feasible,
       return or destroy all EGI PHI that the Business Associate still maintains in any form
       and retain no copies of such PHI or, if such return or destruction is not feasible, extend
       the protections of the agreement to the PHI and limit further Uses and Disclosures to
       those purposes that make the return or destruction of EGI PHI infeasible; and

j.     Authorizes termination of the agreement by EGI in the event that EGI determines
       that the Business Associate has violated a material term of the agreement, except that
       this provision may be omitted from the agreement if it is inconsistent with the statutory
       obligations of EGI or the Business Associate or if the Business Associate is another
       office within System Administration, a component institution of The System, or another
       state agency.

Notwithstanding the foregoing, if an entity is required by law to perform an activity or provide
a service, and the entity qualifies as a Business Associate solely because of such legally
required activities or services, EGI may either (i) require the entity to enter into a written
agreement as described above, (ii) obtain satisfactory assurances from the entity that it will
comply with the agreement’s provisions described above, or (iii) if EGI’s good faith attempt to
obtain such satisfactory assurances fails, document the attempt and the reasons that such
assurances could not be obtained.

6.1(3) Monitoring Business Associates

If EGI learns that a Business Associate has materially violated one or more of the written
agreement’s provisions described in subsection 6.1(2) of this Section, EGI shall take
reasonable steps to end the violation and mitigate the violation’s harmful effects in accordance
with Section 8.4 of this Manual. If EGI’s steps to end the violation and mitigate its effects are
unsuccessful, EGI shall terminate the contract or arrangement with the Business Associate or,
if the Privacy Officer determines that such termination is not feasible, report the problem to the
Secretary.

6.1(4) Documentation of Business Associates.

EGI shall retain any written agreement with a Business Associate, or any other set of written
provisions intended to comply with this Section. Such documentation shall be retained in
accordance with Section 9.2 of this Manual.

REFERENCES/CITATIONS

45 C.F.R. §§ 164.502(e), 164.504(e)

65 Fed. Reg. at 82,503-07, 82,640-45 (Dec. 28, 2000); 67 Fed. Reg. at 53,248-54 (Aug. 14,
2002)

Section 6.2: Carriers Providing Group Health Plan Coverage Page: 1 of 1

Effective Date: April 14, 2003

POLICY

Under HIPAA, Carriers such as insurers or HMOs do not become Business Associates of EGI
simply by providing health insurance or health coverage for EGI. EGI shall ensure that any
Disclosure to EGI by a Carrier providing health insurance or health coverage on behalf of
EGI is made in compliance with this Manual.

6.2(1) Determination of Business Associate Status.

Prior to entering into any agreement with a Carrier for Group Health Plan services or activities,
EGI shall determine whether the Issuer or HMO shall become a Business Associate as a result
of such services or activities. The Carrier does not become a Business Associate simply by
providing health insurance or health coverage for EGI.

6.2(2) Contracting With Carriers.

If the Carrier is a Business Associate due to services or activities other than providing Fully-
Insured Group Health Plan insurance or health coverage for EGI, EGI shall comply with
Section 6.1 of this Policy in connection with such Carrier. If the Carrier is providing
Fully-Insured Group Health Plan insurance or health coverage for EGI, EGI shall comply with
Policy 5, which contains the policies applicable to EGI as a Plan Sponsor.

6.2(3) Monitoring Carriers.

If EGI learns that a Carrier providing Group Health Plan insurance or health coverage for or on
behalf of EGI has Disclosed PHI concerning its Members, which Disclosure, if performed by
EGI, would be a violation of a Policy in this Manual, EGI shall take reasonable steps to stop
such Disclosure and mitigate any harmful effects from such Disclosure in accordance with
Section 8.4 of this Manual. If EGI’s steps to end such Disclosures and mitigate their effects
are unsuccessful, EGI shall terminate the contract or arrangement with the Carrier. If it is
determined that such termination is not reasonable or feasible, the Privacy Officer shall report
the problem to the Secretary.

REFERENCES/CITATIONS

45 C.F.R. § 164.504(f)(3)(ii)

65 Fed. Reg. at 82,642 (Dec. 28, 2000)

Section 6.3: Agreements With Recipients of a Limited Data Set Page: 1 of 2

Effective Date: April 14, 2003

POLICY

EGI shall require a person to agree to a data use agreement prior to Disclosure of a Limited
Data Set to such person.

6.3(1) Use and Disclosure of a Limited Data Set

To the extent EGI’s Use or Disclosure of PHI would be permissible under Section 4.4 of this
Manual as a Limited Data Set, EGI may Use or Disclose such Limited Data Set to a recipient
only if the recipient has agreed to a data use agreement that meets the requirements set forth in
this Section.

6.3(2) Data Use Agreement

A data use agreement shall:

   a. restrict the recipient from Using or Disclosing the Limited Data Set for a purpose other
      than Health Care Operations, research, public health activities, or as otherwise required
      by law;

   b. not authorize the recipient to Use or Disclose the Limited Data Set in a manner that
      would violate the HIPAA Privacy Standards if performed by EGI;

   c. establish the identity of the person or classes of persons permitted to Use or receive the
      Limited Data Set;

   d. require the recipient to use appropriate safeguards to prevent Use or Disclosure of the
      Limited Data Set other than as provided for by the data use agreement;

   e. require the recipient to report to EGI any Use or Disclosure of the Limited Data Set not
      provided for by its data use agreement of which the recipient becomes aware;

   f.   require the recipient to ensure that any agents, including a subcontractor, to whom the
        recipient provides the Limited Data Set agree to the same restrictions and conditions
        that apply to the recipient with respect to such information; and

   g. prohibit the recipient from identifying the information or contacting the
      individuals.

6.3(3) Monitoring Recipients of a Limited Data Set

If EGI learns that a recipient of a Limited Data Set has performed a material violation of its
data use agreement, EGI shall take reasonable steps to end the violation and mitigate the
violation’s harmful effects in accordance with Section 8.4 of this Manual.

6.3(4) Documentation of Data Use Agreements

EGI shall retain any data use agreement entered into with any person. Such documentation
shall be retained in accordance with Section 9.2 of this Manual.

REFERENCES/CITATIONS

45 C.F.R. § 164.514(e)

67 Fed. Reg. at 53,234-38 (Aug. 14, 2002)

Policy 7: Individual Rights                         Page: 1 of 1

Effective Date: April 14, 2003

POLICY

EGI shall provide certain rights to individuals with respect to the individual’s PHI. EGI shall
not require individuals to waive any right described in this Section 7 as a condition of Payment
for benefits, enrollment in any Group Health Plan, or eligibility for any benefits. EGI shall not
intimidate, threaten, coerce, discriminate against, or take any other retaliatory action against an
individual because of the exercise of any right described in this Policy. EGI’s procedures may
vary depending on whether EGI holds the PHI as a Covered Entity or as a Plan Sponsor.

This Policy 7 consists of the following Sections:

Section 7.1 Notice of Individual Rights Concerning PHI

Section 7.2 Right to Access Protected Health Information

Section 7.3 Requests to Amend PHI

Section 7.4 Right to Receive Accounting of Disclosures

Section 7.5 Requests for Restrictions on Use and Disclosure

Section 7.6 Requests for Confidential Communications

Section 7.7 Right to Make Complaints




Section 7.1: Notice of Individual Rights Concerning PHI

Effective Date: April 14, 2003

POLICY

EGI shall give individuals the right to adequate notice of the Uses and Disclosures of PHI that
may be made by EGI in its capacity as a Covered Entity, and of the individual’s rights and
EGI’s legal duties with respect to such PHI.

7.1(1) Maintenance of the Notice.

EGI shall maintain a notice of privacy practices, written in plain language, that contains the
following required provisions:

a.     A prominently displayed header stating, “THIS NOTICE DESCRIBES HOW
       MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED
       AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE
       REVIEW IT CAREFULLY”;

b.     A sufficiently detailed description of all purposes for which EGI in its capacity as a
       Covered Entity is permitted or required to Use or Disclose PHI;

c.     A statement that any Use or Disclosure not described in the notice requires an
       Authorization and that the individual may revoke any such Authorization;

d.     A statement that EGI may contact the individual to provide information about
       treatment alternatives or other health-related benefits and services that may be of
       interest to the individual;

e.     A statement of the individual’s rights with respect to PHI and a brief description of
       how the individual may exercise such rights;

f.     A statement that EGI is required by law to maintain the privacy of PHI and to provide
       notice of its legal duties and privacy practices with respect to PHI;

g.     A statement that EGI is required to abide by the terms of the notice currently in effect;

h.     A statement that EGI reserves the right to change the terms of its notice and to make
       the new notice provisions effective for all PHI that it maintains, and a statement
       describing how EGI shall provide individuals with a revised notice;

i.     A statement that individuals may complain to EGI and to the Secretary if they believe
       their privacy rights have been violated, a description of how to file a complaint with
       EGI, and a statement that the individual will not be retaliated against for filing a
       complaint;

j.     The name or title and telephone number of the Contact Person; and

k.     The effective date of the notice.

7.1(2) Distribution of Notice.

EGI shall distribute the notice as follows:

a.     Covered Individuals: To all individuals covered by a Self-funded Group Health Plan
       as of April 14, 2003 on or before such date.

b.     New Enrollees: To all individuals who become new enrollees in such a plan after April
       14, 2003, at the time of enrollment.

c.     Covered Individuals Upon Revision: To all individuals covered by a Self-funded
       Group Health Plan upon material revision of the Notice that takes place after April 14,
       2003, within 60 days of such revision.

d.     Anyone upon Request: To any individual who requests a copy regardless of the
       individual’s relationship with the Self-funded Group Health Plan, within 30 days of
       such request.

7.1(3) Revision of the Notice.

a.     The Privacy Notice may be revised at any time. EGI shall revise the notice promptly
       whenever there is a material change to the privacy practices stated in the notice,
       including any change required by law.

b.     The effective date of a revised notice may not precede either (i) the date it is printed or
       otherwise published or (ii) if applicable, the date such revision is required by law to be
       effective.

c.     The revised notice shall be distributed to individuals if, and to the extent, required by
       the former version. If the revised notice effects a material change to the Uses or
       Disclosures, the individual’s rights, EGI’s legal duties, or other privacy practices stated
       in the notice, the revised notice shall be promptly distributed to all individuals then
       covered by the Self-funded Group Health Plan. EGI shall inform a Business Associate
       of changes to its notice that affect the Business Associate.

7.1(4) Informing Covered Individuals About the Notice.

a.     No less frequently than once every three years, EGI shall notify individuals then
       covered by the Self-funded Group Health Plan of the availability of the notice and how
       to obtain the notice.

b.     The notice shall also be prominently posted on, and made available electronically
       through, the EGI website at http://www.utsystem.edu/egi/hipaa.

7.1(5) Use of a Joint Notice.

EGI may use a joint notice of privacy practices that describes the privacy practices of each
Self-funded Group Health Plan. A joint notice shall identify each Self-funded Group Health
Plan covered by the notice. The distribution of a joint notice to an individual by EGI satisfies
the notice distribution requirements with respect to each other Self-funded Group Health Plan
covered by the notice.

7.1(6) Distribution of the Notice

a.     The notice may be distributed together with, or contained within, a Self-funded Group
       Health Plan summary plan description. If an individual who is a named insured covers
       a spouse or dependents under the Self-funded Group Health Plan, a single copy of the
       notice provided to the named insured satisfies the notice requirement as to that
       individual, the individual’s spouse and any covered dependents.

b.     EGI may provide the notice electronically if the individual has agreed to electronic
       notice and such agreement has not been withdrawn. For example, if EGI asks an
       individual applying for coverage for an e-mail address, and the individual provides an
       e-mail address, EGI may infer that the individual has agreed to electronic notice. If
       EGI knows that electronic transmission has failed, a paper copy must be provided to
       the individual. An individual who has agreed to electronic notice retains the right to
       receive a paper copy of the notice upon request.

c.     EGI shall document any request for the notice by a covered individual and EGI’s
       provision of the notice to a covered individual, in accordance with Section 9.2 of this
       Manual.

7.1(7) Documentation of Notice.

EGI shall retain a copy of each version of the notice, in writing or electronically. Such
documentation shall be retained in accordance with Section 9.2 of this Manual.

REFERENCES/CITATIONS

45 C.F.R. § 164.520

65 Fed. Reg. at 82,547-52, 82,720-26 (Dec. 28, 2000); 67 Fed. Reg. at 53,241 (Aug. 14, 2002)




Section 7.2: Right to Access Protected Health Information

Effective Date: April 14, 2003

POLICY
EGI shall recognize an individual’s right to inspect and/or obtain copies of his own PHI
contained in a Designated Record Set, to the extent the individual is entitled to such access.

7.2(1) An Individual’s Right to Make Written Request for Access to Designated Record
Set

a.     Individuals requesting an opportunity to inspect and/or obtain copies of their PHI shall
       submit a written request to the Contact Person. If an individual orally notifies EGI of
       his desire to make such a request, the Contact Person shall supply the individual with a
       copy of the form Request for Access to Protected Health Information, which is in the
       Appendix to this Manual, in order to assist the individual with making a written,
       complete request.

b.     An individual shall have access to PHI for as long as it is maintained in a Designated
       Record Set, subject to this Section. The Contact Person shall be responsible for
       receiving and processing requests for access by individuals. The Privacy Officer shall
       have ultimate authority regarding whether such requests shall be granted or denied.

7.2(2) Verification of Requestor’s Identity

a.     Before PHI is released under this section, the requesting person’s identity shall be
       verified in accordance with Section 4.10 of this Manual.

b.     An individual’s personal representative shall have the right to access PHI to the same
       extent the individual has such right under this Section.

7.2(3) Time Period for Responding to a Request for Access.

EGI shall provide access to the Designated Record Set or a written denial, as applicable, in
response to an individual’s request for access within 30 days of EGI’s receipt of the request,
unless:

a.     The PHI is maintained off-site (including records held by a Business Associate), in
       which case access or written denial must be provided within 60 days; or

b.     EGI extends the deadline by providing the individual, within the 30-day or 60-day
       deadline, as applicable, a written statement of the reasons for the delay and the date by
       which action on the request will be completed, but in no case may this extension be for
       more than 30 days. EGI is allowed only one extension for a decision on a request for
       access.

7.2(4) Providing Access to Records in the Designated Record Set
a.     If an individual makes a valid request for access to some or all of the requested PHI,
       such access shall be provided as follows:

      i.     if the form requested by the individual is readily producible, EGI shall provide the
             individual with access to the information in the form or format requested;

      ii.    if the form requested by the individual is not readily producible, the information
             may be produced in a readable hard copy format;

      iii.   if the individual is requesting personal access to inspect, arrangements shall be
             made with the individual to establish a convenient time for him to inspect the
             records;

      iv.    if an individual requests copies of PHI, EGI shall honor that request if fees for
             copying and mailing are paid in advance (if the requested PHI may be provided
             more quickly and inexpensively in an electronic format, the individual shall be
             notified of this option); and

      v.     an individual may be provided with a summary of the information rather than the
             information itself if (i) the individual agrees to receive a summary and (ii) the
             individual agrees in advance to any fees that will be imposed in preparing the
             summary.

b.    If access to PHI is granted in part and denied in part, EGI shall provide the individual
      with the granted access to the PHI, excluding (through redaction) the PHI for which
      access has been denied.

c.    EGI shall charge a reasonable cost-based fee for providing access/copies, which
      includes (i) the cost of copying (supplies and labor), (ii) postage, and (iii) the cost of
      preparing a summary or explanation (if applicable) if the individual agrees to a charge
      in advance.

7.2(5) Denial of Access to PHI
a. Access to PHI may be denied if:
      i. the PHI requested is not part of the Designated Record Set;

      ii. the PHI requested is Psychotherapy Notes;

      iii. the PHI requested was compiled by EGI in reasonable anticipation of, or for use in,
           a civil, criminal, or administrative action or proceeding;

      iv. the PHI requested was received from a source, other than a health care provider,
          under a promise of confidentiality, and providing access would be reasonably likely
          to reveal the source of the information;

      v. a designated health care professional has decided to deny access because in his or her
          professional judgment he or she believes that the access requested is reasonably
          likely to endanger the life or physical safety of the individual or another person—
          this would not include the potential for causing emotional or psychological harm;

      vi. a designated health care professional has decided to deny access because in his or
          her professional judgment he or she believes that the PHI contains a reference to a
          third person, and it is reasonably likely that access may cause substantial physical,
          emotional, or psychological harm to that other person; or

      vii. a designated health care professional has decided to deny access because the person
           requesting the PHI is the personal representative of the individual and in the
           professional’s judgment the provision of access is reasonably likely to cause
           substantial harm to the individual who is the subject of the information or to another
           person.

b.    It is expected that the exceptions to open access will be employed rarely. The reasons for
      denial set forth in paragraphs 7.2(5)(a)(i)-(iv) are not reviewable. The reasons for
      denial set forth in paragraphs 7.2(5)(a)(v)-(vii) may be reviewed in accordance with
      subsection 7.2(7) of this Section.

7.2(6) Notice of Denial.
If access is to be denied in part or in whole, EGI shall provide written notice, in plain language
and within the timeframes established by this Section to the requesting person of the
following:

a. the specific grounds for the denial;

b. the individual’s right to protest the denial to the Contact Person and to the Secretary and
   the name or title and phone number of the Contact Person as well as a contact source for
   the Secretary;

c. if the denial is reviewable, the individual’s right to have the decision to deny access
   reviewed by another licensed health care provider, designated by EGI, who did not
   participate in the initial decision to deny access (the individual may exercise this right by
   notifying the Contact Person); and

d. if the PHI is not in EGI’s Designated Record Set but EGI knows where the information is
   maintained, where the individual should direct the request for access.




7.2(7) Review of Denials

a.     If an individual is entitled to, and has requested, review of a denial of access, EGI shall
       designate a licensed health care professional who was not directly involved in the
       decision to deny access to be the designated reviewer and shall promptly refer such
       request to that reviewer. The reviewer shall determine within a reasonable period of
       time whether to deny access based upon the criteria listed in Subsection 5 of this
       Section. The decision of the reviewer shall be final.

b.     EGI shall promptly notify the individual in writing of the determination of the
       reviewer, and if the reviewer finds that the individual should be given access to inspect
       and/or copy his PHI, EGI shall provide that access as described in Subsection 7.2(4) of
       this Section.

7.2(8) Document Retention

EGI shall retain documentation of the Designated Record Sets that are subject to access by
individuals in paper or electronic form in accordance with Section 9.2 of this Manual.
For each request, as applicable, EGI shall retain (i) the individual’s written request for access;
(ii) EGI’s written response to the request including a notice of deadline extension (if any); (iii)
if the request is denied, the individual’s written request for review, if any, and written notice of
the reviewer’s determination on review; and (iv) if the request is granted, a description of how
access was provided and any summaries or explanations prepared by EGI. Such documents
shall be retained in accordance with Section 9.2 of this Manual.

REFERENCES/CITATIONS

45 C.F.R. § 164.524

65 Fed. Reg. at 82538, 82547, 82554-58, 82731-36 (Dec. 28, 2000)

OCR Guidance at 28 (July 6, 2001)




Section 7.3: Requests to Amend PHI

Effective Date: April 14, 2003

POLICY

An individual has the right to request an amendment to the individual’s PHI in EGI’s
Designated Record Set. EGI shall comply with any notice of amendment of PHI received
from a Covered Entity that is EGI’s source of such PHI.

7.3(1) Individual’s Right to Request Amendment to Designated Record Set

EGI shall permit an individual or, in accordance with Section 4.12 of this Manual, the Personal
Representative of an individual to make written requests for amendment of the individual’s
PHI contained in EGI’s Designated Record Set, provided that the request includes a reason in
support of the amendment. If an individual either orally notifies EGI of his or her desire to
request an amendment or does not include a reason in the written request, the Contact Person
shall give the individual a copy of the form Request for Amendment of Protected Health
Information included in the Appendix to this Manual, to facilitate the individual’s ability to
make a written, complete request.

7.3(2) Review of Request for Amendment

The Contact Person shall be responsible for receiving and processing requests for amendment
of PHI by individuals. The Privacy Officer shall have ultimate authority regarding whether
such requests will be granted or denied. Upon receipt of a written request for amendment of
PHI with a supporting reason, EGI shall review the applicable portion of the individual’s PHI
in the Designated Record Set and determine whether the request for amendment will be
granted, in whole or in part. A request may be denied, in whole or in part, only under all or
some of the following circumstances:

a.     the PHI (or portion thereof) subject to the request would not be made available if the
       individual had requested access to such PHI under the terms of Section 7.2(5) of this
       Manual;

b.     the PHI (or portion thereof) subject to the request is not part of EGI’s Designated
       Record Set;

c.     the PHI (or portion thereof) subject to the request was not created by EGI or its
       Business Associate, and the individual has not provided a reasonable basis to believe
       that the originator of the PHI is no longer available to act on the requested amendment;
       or

d.     the PHI (or portion thereof) subject to the request is currently accurate and complete.


7.3(3) Time Period for Responding to a Request for Amendment

EGI shall respond to a request for amendment within 60 days after receipt of the written
request. This deadline may be extended once for up to 30 days if EGI is unable to comply
with the applicable deadline; provided, however, that EGI shall, within the original time
period, notify the individual in writing of the extension, the reason therefor, and the date by
which EGI will respond.

7.3(4) Granting the Amendment

To the extent a request for amendment is granted, EGI shall, within the period of time
described in subsection 7.3(3) of this section:

a.      make the appropriate amendment to the PHI either by marking each occurrence of the
        PHI with a link to the amendment or by correcting the PHI, such amendment becoming
        part of the Designated Record Set. If PHI is corrected, the time and date of the
        correction shall be indicated. Existing records shall not be altered in a manner that
        makes the original entry unreadable, except that incorrectly filed information may
        simply be moved to the correct individual’s file;

b.      identify each person, including Business Associates, that EGI knows to have the PHI
        and that may have relied, or could foreseeably rely, on such PHI to the detriment of the
        individual; and

c.      notify the individual in writing that the amendment has been made, of all persons
        identified under paragraph (b), and that EGI will make reasonable efforts to
        provide the amendment within a reasonable time to the identified persons.

7.3(5) Denying the Amendment.

To the extent a request for amendment is denied, EGI shall, within the period of time described
in subsection 7.3(3) of this Section:

     a. notify the individual, in writing, of such denial which shall include the following
        information: (i) the basis for the denial; (ii) a statement that notifies the individual of
        the right to submit a written statement disagreeing with the denial; (iii) a description of
        how to file such statement of disagreement; (iv) the right, if the individual does not
        submit a statement of disagreement, to request that EGI provide both the request and
        EGI’s denial as part of any future Disclosures of the PHI; and, (v) a description of how
        the individual may complain to System Administration or to the Secretary.

     b. EGI shall permit the individual to submit a written statement disagreeing with the
        denial and containing the basis for such disagreement. EGI may reasonably limit the
        length of a statement of disagreement. After receiving a statement of disagreement
        from an individual, EGI may prepare a written rebuttal, in which case EGI shall
        provide a copy of the written rebuttal to the individual. EGI shall include the request
        for amendment, the denial, any statement of disagreement, and any rebuttal in the
        Designated Record Set, linked to the PHI that is the subject of the denied amendment.

7.3(6) Receiving a Notice of Amendment From a HIPAA Covered Entity

a.     If EGI is informed by another Covered Entity of an amendment to an individual’s PHI
       that EGI maintains in its Designated Record Set and received from the Covered Entity,
       EGI shall make the appropriate amendment to the PHI either by: (i) marking each
       occurrence of the PHI with a link to the amendment; or, (ii) correcting the PHI. If PHI
       is corrected, the time and date of the correction shall be indicated. Existing records
       shall not be altered in a manner that makes the original entry unreadable, except that
       incorrectly filed information may simply be moved to the correct individual’s file.

b.     All such amendments become part of the Designated Record Set.

c.     EGI shall communicate such amendment to any Business Associate who also possesses
       the PHI.

7.3(7) Future Disclosures

a.     To the extent EGI grants an individual’s requested amendment or complies with a
       Covered Entity’s notice of amendment, any future Disclosure of the PHI that is subject
       to the amendment shall include the amendment.

b.     To the extent EGI denies an individual’s requested amendment and the individual
       submits a statement of disagreement, any future Disclosure of the PHI that is the
       subject of the denied amendment that is not a standard transaction shall include the
       following documents (or a summary thereof): the requested amendment, the denial, the
       statement of disagreement, and EGI’s rebuttal, if any. If, in lieu of submitting a
       statement of disagreement, the individual requests inclusion of the requested
       amendment and the denial, any future Disclosure of the PHI shall include those
       documents (or a summary thereof): the requested amendment and the denial.


7.3(8) Documentation of Requests for Amendment and Notices of Amendment.

For each request for amendment, EGI shall retain, as applicable, the documentation described
in this Section, including any notice of amendment and documentation of the amendments made
pursuant to the notice, in accordance with Section 9.2 of this Manual.

REFERENCES/CITATIONS

45 C.F.R. § 164.526

65 Fed. Reg. at 82,558-59, 82,736-38 (Dec. 28, 2000)




Section 7.4: Right to Receive an Accounting of Disclosures

Effective Date: April 14, 2003

POLICY
EGI shall recognize an individual’s right to receive an accounting from EGI of certain
Disclosures of the individual’s PHI made by or for EGI.

7.4(1) Individual’s Right to Request an Accounting
a.     EGI shall recognize an individual’s right to receive an accounting of certain
       Disclosures of the individual’s PHI made by or for EGI. A request shall be in writing
       and include a range of dates to which the accounting applies. If an individual either
       orally notifies EGI of his desire to obtain an accounting or does not include a range of
       dates in his written request, the Contact Person shall give the individual a copy of the
       form Request for Accounting of Disclosures in the Appendix to this Manual, in order
       to assist the individual with making a written, complete request.

b.     The Contact Person shall be responsible for receiving and processing an individual’s
       request for an accounting. The Privacy Officer shall have ultimate authority regarding
       the content of accountings.

7.4(2) Verification of Requestor’s Identity.

a.     Before an accounting is released, EGI shall verify the requesting person’s identity in
       accordance with Section 4.10 of this Manual.

b.     In accordance with Section 4.12 of this Manual, an individual’s personal representative
       shall have the right to request and receive an accounting to the same extent the
       individual has such right under this Section.

7.4(3) Acting on an Individual’s Request for an Accounting.

a.     As soon as practicable after receiving a written, complete request for an accounting,
       EGI shall inform its Business Associates of the request, as necessary to help EGI to
       compile the accounting or to compile its own accounting on behalf of EGI. In addition,
       prior to providing an accounting, EGI shall inform the individual of any fee associated
       with the request imposed in accordance with subsection 7.4(7) of this Section and
       allow the individual to withdraw or modify the request for an accounting in order to
       avoid or reduce the fee. EGI shall also inform the individual if a separate accounting is
       to be provided by a Business Associate.

b.     EGI shall provide the written accounting of PHI Disclosures to the individual within 60
       days after receipt of the individual’s written, complete request for the accounting. This
       deadline may be extended once for up to 30 days if EGI is unable to comply with the
       applicable deadline; provided, however, that EGI shall, within the original time period,
       notify the individual in writing of the extension, the reason for the delay, and the date
       by which EGI will respond.

7.4(4) Disclosures Included in an Accounting

The accounting shall identify each Disclosure, and only such Disclosure, that satisfies all the
following:

a.     the Disclosure is required to be documented when made in accordance with the chart
       set forth in Section 4.14 of this Manual, except that a Disclosure shall be excluded
       from an accounting to the extent required by this Section;

b.     the Disclosure was made by EGI or its Business Associate; and

c.     the Disclosure was made (i) during the time period requested by the individual,
       (ii) within six years prior to the date of the individual’s request, and (iii) on or after
       April 14, 2003.

7.4(5) Disclosure Descriptions Included in an Accounting

For each Disclosure listed in the accounting, the following information shall be included,
except as set forth in subsection 7.4(6) of this Section:

a. the date of the Disclosure (in the case of multiple Disclosures of PHI to the same person or
   entity for a single purpose, the accounting need not include every date of Disclosure as
   long as it contains (i) the dates of the first and last Disclosure during the accounting period
   and (ii) the frequency, periodicity, or number of Disclosures made during the accounting
   period);

b. the name of the person or entity who received the PHI and, if known, such person’s
   address;

c. a brief description of the PHI Disclosed; and

d. either (i) a brief statement of the purpose of the Disclosure, which reasonably informs the
   individual of the basis for the Disclosure, or (ii) if applicable, a copy of the written request
   for the Disclosure.

7.4(6) Accounting for Disclosures to a Health Oversight Agency or Law Enforcement
Official

If a Health Oversight Agency or law enforcement official states that including a Disclosure to
the respective agency or official in an individual’s accounting would be reasonably likely to
impede the respective agency’s or official’s activities, EGI shall exclude such Disclosure from
any accounting requested by the individual until:

a.   if such statement is made in writing and includes a time period for exclusion from the
     accounting, the end of such time period; or

b.   in the absence of such a statement, 30 days after the receipt of the request.

7.4(7) Imposition of a Fee for an Accounting.

The first accounting requested by an individual shall be provided free of charge. From then
on, EGI may charge the individual a reasonable, cost-based fee for each accounting provided,
but only if the accounting is requested less than 12 months after a prior request by the
individual for which EGI provided an accounting without charging any fee.

7.4(8) Document Retention.

For each request for an accounting, EGI shall retain the written request, a notice of deadline
extension (if any), and the written accounting. EGI shall document whether a fee was
imposed. EGI shall also document any statement by a Health Oversight Agency or law
enforcement official, including the identity of the agency or official, on the basis of which a
Disclosure was excluded from an accounting in accordance with subsection 7.4(6) of this
Section. All documentation shall be retained in accordance with Section 9.2 of this Manual.

REFERENCES/CITATIONS

45 C.F.R. §§ 164.504(e)(2)(ii)(G), 164.504(f)(2)(ii)(G), 164.528

65 Fed. Reg. at 82,559-61, 82,672, 82,739-44 (Dec. 28, 2000); 67 Fed. Reg. at 53,243-47
(Aug. 14, 2002)

Section 7.5: Requests for Restrictions on Use and Disclosure

Effective Date: April 14, 2003

POLICY

An individual shall have the right to request that EGI restrict its Use and Disclosure of PHI for
Payment, Health Care Operations, and Notification Disclosures.

7.5(1) Individual’s Right to Request Restrictions on Uses and Disclosures of PHI.
a.     EGI shall permit an individual to request that EGI restrict (i) its Use and Disclosure of
       the individual’s PHI for purposes of Payment and Health Care Operations and (ii) its
       Notification Disclosures concerning the individual.

b.     In accordance with Section 4.12 of this Manual, an individual’s personal representative
       has the right to request restrictions to the same extent the individual has such right
       under this Section 7.5.

7.5(2) Request for Restriction on Use and Disclosure of PHI
a.     The Contact Person shall be responsible for receiving and processing an individual’s
       request that EGI restrict its Use and Disclosure of PHI. The Privacy Officer has
       ultimate authority regarding the disposition of such requests.

b.     EGI may agree to comply with such request but is not required to do so. EGI shall not
       agree to a request to restrict Use or Disclosure of PHI unless all of the following
       requirements are met:

       i. The individual’s request is in writing;

       ii. The individual’s request identifies which PHI should not be Used or Disclosed
           and/or to whom such PHI should not be Disclosed (the individual may restrict all
           PHI or all recipients, but not both);

       iii. The individual’s request states the special circumstances that justify the requested
             restriction;

       iv. If compliance with the individual’s request would affect EGI’s Payment operations,
           the individual’s request provides a feasible alternative method for the Payment
           operation to be performed; and

       v. The Privacy Officer determines, in his discretion, that the administrative difficulty
           that would result from granting the individual’s request would be reasonable,
           would not result in a more than modest additional cost, and is justified by the
           identified special circumstances.

       Provided, however, that EGI reserves the right not to agree to a request for a
       restriction even if all of these requirements are met.

c.     If EGI agrees to an individual’s request, EGI shall:

       i.      notify the individual in writing of the agreed upon restriction;

       ii.     file a copy of the agreed upon restriction with the individual’s Designated
               Record Set, in accordance with Section 9.2 of this Manual; and

       iii.    not make any future Use or Disclosure of PHI in violation of the agreed
               restriction unless: the Use or Disclosure is permissible for reasons other than
               Payment, Health Care Operations or Notification Disclosures; or the restriction
               has been terminated in accordance with Subsection 7.5(3) of this Section.

d.     If EGI denies an individual’s request, EGI shall notify the individual in writing of the
       denial and the reasons therefor.

7.5(3) Termination of Agreed Restriction.
An agreed restriction on Uses and Disclosures of PHI shall be terminated if:

a.     The individual agrees in writing that the restriction can be terminated; or

b.     EGI gives the individual written notice that the restriction is terminated without the
       individual’s agreement, except that such termination shall be effective only as to PHI
       received or created by EGI after the written notice is given.

7.5(4) Documentation of Agreed and Denied Restrictions
a.     If a request is granted, EGI shall document (i) the individual’s request; (ii) notice of the
       granted request; (iii) any subsequent agreed-upon modifications or revocations of the
       agreed restriction; and (iv) if EGI’s modification or revocation is not agreed to by the
       individual, any written notification to the individual of such unilateral modifications or
       revocations.

b.     If an individual’s request is denied, EGI shall document both the individual’s request
       and EGI’s written denial of such request. Any such documentation shall be retained in
       accordance with Section 9.2 of this Manual.

REFERENCES/CITATIONS

45 C.F.R. § 164.522(a)
65 Fed. Reg. at 82,552-53, 82,726-30 (Dec. 28, 2000)

Section 7.6: Requests for Confidential Communications

Effective Date: April 14, 2003

POLICY

An individual shall have the right to designate a specific means and a specific location, if
reasonable, for EGI’s communications of PHI to the individual.

7.6(1) Individual’s Right to Request Confidential Communications.

An individual or, in accordance with Section 4.12 of this Manual, an individual’s Personal
Representative, shall have the right to request that EGI communicate PHI to that individual by
a specified means and/or to a specified location. Such request may cover all PHI or, if
specifically identified, only a class of PHI (e.g., PHI relating to a certain disease).

7.6(2) EGI’s Consideration of a Request for Confidential Communications.

a.     The Contact Person shall be responsible for receiving and processing an individual’s
       request for confidential communications. The Privacy Officer shall have ultimate
       authority regarding the disposition of such requests. Upon receipt by the Contact
       Person of an individual’s request for confidential communications on the appropriate
       form, EGI shall suspend any communications of the individual’s PHI that are subject to
       the request. A copy of the form is included in the Appendix to this Manual.

b.     EGI may deny an individual’s request for confidential communications only for one or
       more of the following reasons:

       i.     the individual’s request is not in writing;

       ii.    the individual’s request does not specify an alternative method (e.g., e-mail or
              fax) or alternative location (e.g., business address or post office box) for
              Disclosure of PHI;

       iii.   if compliance with the individual’s request affects Payment, the individual’s
              request does not inform EGI how Payment shall be handled; or

       iv.    the Privacy Officer determines that the administrative difficulty that would
              result from granting the individual’s request would be unreasonable and would
              result in a more than modest additional cost.

7.6(3) Granting A Request.

If EGI grants an individual’s request, EGI shall notify the individual through the alternative
means specified for communications of PHI. Upon granting an individual’s request for
confidential communications, EGI shall conduct all communications of the individual’s PHI to
the individual in accordance with the alternative means specified. A communication that
contains both unrestricted PHI and restricted PHI shall be divided, with the restricted portion
being sent in accordance with the granted request. The granted request shall be filed with the
individual’s Designated Record Set in accordance with Section 9.2 of this Manual.

7.6(4) Denying a Request.

a.     If EGI denies an individual’s request for confidential communications, EGI shall notify
       the individual of such denial. Such notification shall be given in accordance with the
       alternative means specified in the request unless (i) the request does not specify an
       alternative means or location or (ii) a reason for the request’s denial is unreasonable
       administrative difficulty and notifying the individual of such denial in the manner
       requested would, considered alone, result in an unreasonable additional cost. If the
       notification of denial is not sent in accordance with the specified alternative means
       and/or location, such notification shall be given directly to the individual (e.g., in
       person or by phone) or, if direct communication fails or is not feasible, shall be in
       writing, shall be addressed to the individual, and shall identify neither the affected PHI
       nor any specified alternative means and/or location.

b.     A notification of denial shall set forth the reasons for denial and shall include a blank
       form Request for Confidential Communications of Medical Information.

7.6(5) Documentation of Requests for Confidential Communications.

EGI shall document (i) all requests for confidential communications; (ii) the Plan’s
notifications of granted or denied requests; and (iii) the method of delivery of such
notifications. Such documentation shall be retained in accordance with Section 9.2 of this
Manual.

REFERENCES/CITATIONS

45 C.F.R. §§ 164.502(h), 164.522(b)

65 Fed. Reg. at 82,501, 53-54, 82,729-31 (Dec. 28, 2000)

Section 7.7: Right to Make A Complaint

Effective Date: April 14, 2003

POLICY

EGI shall have a process by which an individual can make a complaint to the Contact Person
regarding EGI’s compliance with the HIPAA Privacy Standards or any of the policies and
procedures compiled in this Manual.

7.7(1) Responsibility for Receiving a Complaint

An individual shall have the right to submit a complaint to EGI relating to EGI’s compliance
with any of the policies and procedures compiled in this Manual and EGI’s compliance with
the HIPAA Privacy Standards. The Contact Person shall be responsible for receiving and
keeping a log of such complaints.

7.7(2) Filing a Complaint.
a.     If an individual or his or her Personal Representative wishes to make a complaint to
       EGI, the Contact Person shall be the party to receive such complaint. The Contact
       Person shall ask the individual whether he or she wishes to submit a written or oral
       complaint.
b.     If the individual wishes to submit a written complaint, the individual shall complete
       EGI’s complaint form. The Contact Person shall ensure that the complaint form
       completely states in clear terms the nature of the complaint and provides sufficient
       information to enable EGI to investigate, review, and resolve the complaint.
c.     If the individual wishes to submit an oral complaint, the Contact Person shall ask the
       individual to explain the complaint in sufficient terms to enable the investigation,
       review, and resolution of the complaint.

7.7(3) Report to the Privacy Officer.

The Contact Person shall forward all written and oral privacy complaints to the Privacy
Officer.

7.7(4) Investigation of Privacy Complaints.
a.     The Contact Person in consultation with the Privacy Officer shall address and resolve
       all complaints. All such matters shall be privileged and confidential to the extent
       permitted by law. The Contact Person shall investigate and handle as a quality review
       matter all complaints including, as appropriate, interviewing or otherwise contacting
       other persons involved in the circumstances upon which the complaint is based, and
       shall take all other steps necessary to review and investigate the complaint.

b.     Following completion of the investigation, the Contact Person shall make a
       determination regarding whether a violation has occurred and if so whether (i) EGI’s
       Policies fail to comply with the HIPAA Privacy Standards; (ii) EGI has failed to
       comply with the policies and procedures compiled in this Manual; or (iii) EGI has
       failed to comply with the HIPAA Privacy Standards.

7.7(5) Correction of Discovered Privacy Violation.

If it is determined that any provision of the policies and procedures compiled in this Manual
violates the law or otherwise needs modification, this Manual shall be revised in accordance
with Section 9.1 of this Manual. If it is determined that EGI has violated either this Manual or
the HIPAA Privacy Standards, such violation shall be corrected in accordance with Section 8.4
of this Manual, and if the violation is continuing, it shall be stopped.

7.7(6) Notice of Resolution of Privacy Complaints.

The Contact Person, subject to the discretion of the Privacy Officer, may provide the
complaining person with written notice of the decision regarding the complaint that includes
(i) the name of the individual handling the complaint; (ii) the fact that an investigation has
taken place or will take place; (iii) the date of completion or expected completion; and (iv) the
result of the investigation or, if applicable, notification that due to the confidential and
privileged nature of the peer review/quality review process, the results of such proceedings
may not be communicated to the person. A copy of any such notice shall be retained in
accordance with Section 9.2 of this Manual.

7.7(7) Document Retention.

EGI shall retain documentation of any complaint, including misdirected complaints, received
and its disposition. Such documentation shall be retained in accordance with Section 9.2 of
this Manual.

7.7(8) Misdirected Complaints
a.     Upon receipt by the Contact Person of any complaint that alleges a violation by a
       component institution which is not a Business Associate of EGI, the Contact Person
       shall forward the complaint to the Privacy Officer of that component institution and
       shall send a copy of the forwarded complaint to the individual filing the complaint.
b.     Upon receipt by the Contact Person of a complaint that alleges a violation by an Entity
       that is not described in paragraph (a) of this subsection, the complaint shall be
       returned to the individual filing the complaint with notice that the complaint cannot be
       considered by EGI because it does not involve action by or on behalf of EGI.

REFERENCES/CITATIONS
45 C.F.R. § 164.530(a), (d)

Policy 8: Ensuring Privacy Compliance

Effective Date: April 14, 2003

POLICY

The HIPAA Privacy Standards require EGI to cooperate with privacy investigations initiated
by the Secretary. In addition, EGI shall implement certain procedures designed to ensure
EGI’s compliance with the HIPAA Privacy Standards, including training workforce members
regarding the provisions of this Manual, safeguarding PHI maintained by EGI, and responding
adequately to discovered privacy violations.

This Policy 8 consists of the following Sections:

       Section 8.1: Cooperation With the Secretary’s Investigation

       Section 8.2: Training

       Section 8.3: Safeguarding Protected Health Information

       Section 8.4: Mitigation of Known Privacy Violations

       Section 8.5: Sanctions for Personnel Violations of Privacy

Section 8.1: Cooperation With the Secretary’s Investigation

Effective Date: April 14, 2003

POLICY

EGI shall cooperate with the Secretary in the event the Secretary initiates a complaint
investigation or compliance review of EGI’s privacy policies, procedures, and practices.

8.1(1) Access to Records Held by EGI

a.     EGI shall permit the Secretary to access EGI’s facilities, books, records, accounts, and
       other sources of information (including PHI) if the Secretary requires such access
       during a complaint investigation or a compliance review in order to ascertain EGI’s
       compliance with the HIPAA Privacy Standards.

b.     Such access shall be granted during normal business hours upon reasonable advance
       notice by the Secretary. However, EGI shall permit access by the Secretary at any time
       and without prior notice if the Secretary informs EGI of its determination that exigent
       circumstances exist, such as when documents may be hidden or destroyed absent
       immediate access.

8.1(2) Access to Records Held by Another

a.     If the Secretary requires access to information during a complaint investigation or a
       compliance review in order to ascertain EGI’s compliance with the HIPAA Privacy
       Standards, and such information is in the exclusive possession of a person other than
       EGI, EGI shall take reasonable steps to obtain the information for the Secretary.

b.     If the person with possession of the information provides the information to EGI, EGI
       shall provide access to the Secretary in accordance with Subsection 8.1(1) of this
       Section. If the person fails or refuses to furnish the information, EGI shall provide to
       the Secretary a certification of such failure or refusal that sets forth the efforts made by
       EGI to obtain the information.

8.1(3) Maintenance of Records.

Upon the Secretary’s request, EGI shall retain any records in the manner, and containing the
information, that the Secretary determines is necessary to ascertain whether EGI has complied
or is complying with the HIPAA Privacy Standards.

8.1(4) Submission of Compliance Reports.

Upon the Secretary’s request, EGI shall submit a compliance report to the Secretary in a
reasonable time and manner, containing the information that the Secretary determines is
necessary to ascertain whether EGI has complied or is complying with the HIPAA Privacy
Standards.

8.1(5) Documentation of Communications with the Secretary.

EGI shall document any written communications with the Secretary including compliance
reports and certifications of failed efforts to obtain EGI records from another entity. Such
documentation shall be retained in accordance with Section 9.2 of this Manual.

REFERENCES/CITATIONS

45 C.F.R. § 160.310

65 Fed. Reg. at 82,487, 82,602-05 (Dec. 28, 2000)

Section 8.2: Training

Effective Date: April 14, 2003

POLICY

All EGI staff and members of the staff of any office identified as part of the Health Care
Components providing covered functions on behalf of EGI as a Covered Entity (Staff) shall
receive training on EGI’s privacy policies and procedures with respect to PHI as necessary and
appropriate to carry out their functions for EGI.

8.2(1) Responsibility for Training.

The Director, in consultation with the Privacy Officer, shall have the responsibility for training
all Staff regarding EGI’s privacy policies and procedures, which responsibility involves
discretion concerning the following:

   a.        the policies and procedures to be addressed for each category of Staff and the
             frequency;
   b.        the appropriate personnel who may be assigned responsibility for conducting or
             overseeing privacy training;
   c.        the methods and materials used to provide privacy training (tailored to the nature of
             the trainee’s contact with PHI), such as traditional classroom lectures, video
             presentations, interactive software, role-playing, case studies, seminars and
             discussions; and
   d.        the use of competency tests to evaluate training effectiveness.

8.2(2) Initial Training.

Initial training for all Staff shall take place prior to April 14, 2003. Any new Staff member
shall receive training within a reasonable period of time after the person is hired but before the
person shall be allowed to Use or Disclose PHI without direct supervision.

8.2(3) Additional Training.

In the event of a material change in EGI’s privacy policies and procedures, the Director shall
ensure that those Staff members whose functions are affected by the material change receive
additional training concerning the change within a reasonable period of time after the change
becomes effective.

8.2(4) Documentation of Training.

EGI shall document the training of each member of its workforce. Upon completing the initial
privacy training (or as otherwise required by the Privacy Officer), each Staff member must sign
a “Health Information Confidentiality Agreement” form, a copy of which is attached in the
Appendix to this Manual, by which he or she attests that he or she is aware of and agrees to
EGI’s privacy policies and procedures and has completed privacy training. All such
documentation shall be retained in accordance with Section 9.2 of this Manual.

REFERENCES/CITATIONS

45 C.F.R. § 164.530(b)

65 Fed. Reg. at 82,561, 82,745 (Dec. 28, 2000); 67 Fed. Reg. at 53,253 (Aug. 14, 2002)

Section 8.3: Safeguarding PHI

Effective Date: April 14, 2003

POLICY

EGI shall safeguard PHI so as to minimize Uses and Disclosures of PHI that violate the
HIPAA Privacy Standards or the policies and procedures set forth in this Manual.

8.3(1) Written Documents

a.     Papers containing PHI shall be picked up as soon as reasonably possible from publicly
       accessible locations, such as copiers, mailboxes, and conference room tables, and shall
       be appropriately filed or destroyed. PHI shall not be left unattended unless the area is
       secured from unauthorized access.

b.     File cabinets containing PHI shall be locked when not in use, and only individuals with
       access to the PHI in the file cabinets shall be able to unlock the file cabinets.

c.     Documents containing PHI shall not be discarded in trash bins, recycle bins, or other
       publicly accessible locations but shall be shredded by EGI or placed in a secure bin for
       disposal. Microfilm and microfiche shall be cut into pieces or chemically destroyed.

8.3(2) Computer Use

a.     Passwords shall not be shared and shall not be written down where others can find
       them. A computer user with access to PHI via the computer shall log off or use a
       password protected screen saver before leaving his or her workstation for any
       significant period of time and shall not allow someone else to use his or her computer
       under his or her password in his or her absence.

b.     A computer shall not be positioned such that PHI may be viewed by unauthorized
       individuals.

8.3(3) Mailing PHI

Records containing PHI, if mailed, should be sent in a sealed envelope marked
“CONFIDENTIAL.”

8.3(4) Faxing PHI

a.     All pages of a facsimile containing PHI shall be marked “CONFIDENTIAL.” The
       facsimile cover letter shall contain a notice of disclosure that informs the recipient that
       the information is confidential, identifies the proper recipient, and directs any other
       person who receives the fax to notify the sender immediately of the error.

b.     To help ensure that faxes are sent to the correct destination, any frequently used
       numbers or programmed numbers shall be periodically checked for accuracy, and new
       fax numbers shall be verified with the intended recipient before any PHI is faxed.

c.     If EGI learns that a fax has been misdirected, the recipient shall be reached by phone or
       by fax and instructed to destroy the misdirected fax.

8.3(5) Verbal Communications

EGI shall reasonably safeguard PHI that is orally Used or Disclosed in order to limit incidental
Uses and Disclosures of the PHI. Conversations, whether face-to-face or by telephone, that
involve PHI should be conducted in private (e.g., behind closed doors) or spoken softly,
without excessive use of the subject’s name.

8.3(6) Electronic Storage of PHI

a.     EGI shall reasonably safeguard PHI that is electronically stored in order to limit
       incidental Uses and Disclosures of PHI. Electronically stored PHI may be located on
       The University of Texas at Austin administrative mainframe, on the EGI FTP server,
       on EGI PC workstations, on System Administration’s Office of Information Resources
       servers or network attached storage devices, or, on electronic storage media such as
       cartridge tapes, compact disks, or floppy discs.

b.     Electronic PHI stored by EGI in accordance with paragraph (a) on any computer
       system or storage device shall be protected by User ID and Password protection.

8.3(7) Separation of Group Health Plan Records from Employee and other Non-Group Health Plan Information

a.     EGI shall keep all records concerning Group Health Plans containing PHI separate
       from other Non-Group Health Plan Information including employment-related
       information kept by EGI and/or The System.

b.     PHI held by EGI shall not be Used or Disclosed in connection with any Non-Group
       Health Plan functions including employment-related functions performed by EGI
       and/or The System without an Authorization permitting the Use or Disclosure.

REFERENCES/CITATIONS

45 C.F.R. § 164.530(c)

65 Fed. Reg. at 82,561-62, 82,745-46 (Dec. 28, 2000); 67 Fed. Reg. at 53,193-95 (Aug. 14,
2002)

Section 8.4: Mitigation of Known Privacy Violations

Effective Date: April 14, 2003

POLICY

EGI shall mitigate, to the extent practicable, any known harmful effects of Uses and
Disclosures in violation of the HIPAA Privacy Standards or the Manual.

8.4(1) Mitigation of Known Privacy Violations.
a.     If EGI learns of a Use or Disclosure of PHI by Health Care Component staff or a
       Business Associate that is a violation of the HIPAA Privacy Standards or this Manual,
       EGI shall report such violation, and any other relevant facts, to the Privacy Officer. If
       EGI learns of a harmful effect of a Use or Disclosure of PHI by Health Care
       Component or a Business Associate, EGI shall report the effect, and any other relevant
       facts, to the Privacy Officer.
b.     Upon learning of a Use or Disclosure that is a violation, the Privacy Officer shall
       determine, in his or her discretion, whether any harmful effects might result, or have
       resulted, from the Use or Disclosure and whether EGI can practicably mitigate such
       harmful effects. The Privacy Officer shall work with EGI to mitigate, to the extent
       practicable, any known harmful effects of the applicable Use and Disclosure of PHI.
c.     To determine proper mitigation activities, the Privacy Officer may consider (i) to
       whom the PHI has been Disclosed; (ii) how the PHI might be used to cause harm; and
       (iii) what steps could actually have a mitigating effect with respect to the particular
       situation. Examples of potential mitigation activities include:
              i.   Taking operational and procedural corrective measures to remedy violations;
              ii.  Notifying individuals who are able and appropriate to prevent harm;
              iii. Recommending sanctions against the person responsible for the privacy
                   violation in accordance with Section 8.5 of this Manual; and
              iv.  Incorporating a mitigation solution into the policies and procedures compiled in
                   this Manual in accordance with Section 9.1 of this Manual.

8.4(2) Documentation of Mitigation Efforts.
EGI shall document its efforts to mitigate the harmful effects of a privacy violation. Such
documentation shall be retained in accordance with Section 9.2 of this Manual.

REFERENCES/CITATIONS

45 C.F.R. § 164.530(f)

65 Fed. Reg. at 82,562-63, 82,747-48 (Dec. 28, 2000)

Section 8.5: Sanctions for Personnel Violations of Privacy

Effective Date: April 14, 2003

POLICY

EGI adopts the System Administration’s policies and procedures as the sanctions required by
HIPAA for failure to comply with the HIPAA Privacy Standards or the policies and
procedures set forth in this Manual. Sanctions shall not be imposed upon persons who Disclose
PHI in furtherance of compliance with the HIPAA Privacy Standards.

8.5(1) Parties Responsible for Imposing Discipline.

Sanctions shall be imposed upon employees who violate these policies in accordance with the
applicable System Administration employee disciplinary policies and procedures. The
supervisor imposing the sanction must have or act in consultation with others who have
sufficient knowledge of the HIPAA Privacy Standards to assess the extent and impact of any
violations that have occurred.

8.5(2) Individuals Who May Be Subject to Discipline

Employees in the course of their duties for a Health Care Component may be subject to
sanctions under this Section. Independent contractors are not considered members of the
Health Care Components’ staff and are therefore not subject to discipline under this Section.

8.5(3) Violations That Will Prompt Consideration of Disciplinary Action

Persons may be subject to discipline, up to and including discharge, for violations of either (i)
the HIPAA Privacy Standards or (ii) the policies and procedures set forth in this Manual.
Managers or supervisors may also be subject to discipline, up to and including discharge, if
their lack of diligence or lack of supervision contributes to a subordinate’s privacy violation.
A person shall not be subject to discipline as a result of performing one or more of the
following:

a. Filing a complaint with the Secretary for suspected violation of the HIPAA Privacy
   Standards;

b. Testifying, assisting, or participating in an investigation, compliance review, proceeding,
   or hearing in connection with the “Administrative Simplification” provisions of HIPAA;

c. Opposing any act or practice made unlawful by the HIPAA Privacy Standards, provided
   that (i) the person has a good faith belief that the practice opposed is unlawful; and (ii) the
   manner of the opposition is reasonable and does not involve a Disclosure of PHI in
   violation of the HIPAA Privacy Standards;


April 2003                                                                           Page 400.86
d. Disclosing PHI if (i) the individual believes in good faith either that EGI has engaged in
   conduct that is unlawful or otherwise violates professional or clinical standards or that the
   care, services, or conditions provided by EGI potentially endanger one or more Members,
   workers, or the public; and (ii) the Disclosure is either to a Health Oversight Agency or
   Public Health Authority authorized by law to investigate or otherwise oversee the relevant
   conduct or conditions of EGI, to an attorney retained by or on behalf of the individual for
   the purpose of determining the person’s legal options with regard to the relevant conduct
   of persons, or to an appropriate health care accreditation organization for the purpose of
   reporting the allegation of failure to meet professional standards or misconduct by EGI; or

e. Disclosing PHI to a law enforcement official in compliance with this Manual.

8.5(4) Existence of Appeal Process

In the event that a sanction triggers any process of appeal under the applicable System
Administration employee disciplinary policies and procedures, such process shall be made
available to the employee. However, in the event that the party hearing the appeal is not a
party identified in this Manual as having access to PHI, the identity of the individual whose
privacy rights were violated shall be removed to the extent feasible.

8.5(5) Documentation of Disciplinary Actions

a. EGI shall document the disciplinary action, including (i) the privacy violation; (ii) the
   parties who determined the disciplinary action; (iii) the facts and circumstances considered
   in determining the disciplinary action (without regard to whether such considerations were
   relied upon in determining the disciplinary action); (iv) the discipline imposed (including
   lack of discipline); (v) the appeals process used, if any, and the results thereof; and (vi) the
   actions taken in order to enforce the discipline.

b. Such documentation shall be retained in accordance with Section 9.2 of this Manual in
   addition to the documentation required by the applicable System Administration policies
   and procedures. Any documentation that identifies the individual whose privacy rights
   were violated may constitute PHI. To the extent practicable, such identifying information
   shall be removed prior to a Use or Disclosure of the documentation. In addition, where
   feasible, the violator’s identity shall be removed prior to any Disclosure of such
   documentation.

REFERENCES/CITATIONS

45 C.F.R. §§ 164.502(j), 164.512(f)(2)(i), 164.530(e), (g)

65 Fed. Reg. at 82,501-02, 82,562, 82,636-37, 82,747 (Dec. 28, 2000)

Policy 9: Documentation                                Page: 1 of 1

Effective Date: April 14, 2003

POLICY
Not only do the HIPAA Privacy Standards require EGI to maintain the policies and procedures
set forth in this Manual, but they also require EGI to follow certain guidelines in order to
revise any such policies and procedures and to document EGI’s compliance with such policies
and procedures.

This Policy 9 consists of the following Sections:

       Section 9.1: Changes to Privacy Policies and Procedures

       Section 9.2: Retention of Privacy Documentation


Section 9.1: Changes to Privacy Policies and Procedures Page: 1 of 1

Effective Date: April 14, 2003

POLICY
EGI shall change its privacy policies and procedures as necessary to comply with changes in
the law and shall incorporate any changes to its privacy policies and procedures into the
written policies and procedures contained in this Manual.

9.1(1) Revisions to this Manual.

EGI shall promptly revise the policies and procedures in this Manual as necessary and
appropriate to comply with changes to the HIPAA Privacy Standards or any other applicable
law. EGI may at any time make any revision to the policies and procedures set forth in this
Manual, as desirable to improve confidentiality practices, that does not violate the HIPAA
Privacy Standards or any other applicable law.

9.1(2) Effective Date of Changes to EGI’s Privacy Policies and Procedures.

a. EGI shall implement any change to EGI’s privacy policies and procedures as of the
   designated effective date of such change. A change’s effective date cannot occur until
   (i) the change has been incorporated into the particular policies and procedures in this
   Manual; and (ii) if the change affects the content of EGI’s notice of privacy practices,
   the notice has been revised to incorporate such change.

b. If a change to EGI’s privacy policies and procedures is required by law, EGI shall
   make a reasonable effort to implement such change by the compliance date of such
   law. To this end, EGI shall incorporate such change into the particular policies and
   procedures in this Manual and, if applicable, EGI’s notice prior to the law’s
   compliance date, if administratively feasible.

9.1(3) Communication of Changes to EGI’s Privacy Policies and Procedures.

Following any material revision of the policies and procedures set forth in this Manual, EGI
shall comply with any training obligation applicable under Section 8.2 of this Manual.

9.1(4) Documentation of Revisions to this Manual.

Following a revision to any policies and procedures in this Manual, EGI shall retain a copy of
the applicable pre-revision terms of the applicable policies and procedures, including the date
on which such terms were superseded. Such documentation shall be retained in accordance
with Section 9.2 of this Manual.

REFERENCES/CITATIONS

45 C.F.R. § 164.530(i).

65 Fed. Reg. at 82,563, 82,748-49 (Dec. 28, 2000)

Section 9.2: Retention of Privacy Documentation     Page: 1 of 5

Effective Date: April 14, 2003

POLICY
EGI shall engage in document retention efforts, the primary purpose of which is to
demonstrate past compliance and to facilitate continued compliance with the HIPAA Privacy
Standards.

9.2(1) Overview of Privacy Documentation

EGI shall maintain records, either in written or electronic form, of its activities that are
conducted in accordance with this Manual. The content, organization, and duration of such
records are described in this Section 9.2.

9.2(2) Designated Record Set to Be Maintained for Each Covered Individual.

A Designated Record Set of all PHI attributable to a Member whose PHI is held by EGI shall
be separately maintained for each individual. Any Psychotherapy Notes attributable to a
covered individual shall be maintained separately from the rest of such individual’s medical
record.

9.2(3) Contents of a Designated Record Set

In addition to any PHI held by EGI on behalf of an individual, the following documents shall
be attached to the Designated Record Set:

a. Authorizations: Any valid Authorization signed by the covered individual, in the event
   that EGI may presently Use or Disclose the covered individual’s PHI in reliance on such
   Authorization. An Authorization that has expired, been revoked, or otherwise been
   determined to be invalid shall be removed from the individual’s Designated Record Set.

b. Determination to Treat a Person as a Personal Representative: Documentation of any
   determination by the Privacy Officer to treat a person as the covered individual’s personal
   representative in accordance with Section 4.12 of this Manual. Such documentation shall be
   removed from the individual’s Designated Record Set in the event that the Privacy Officer
   determines that such person is no longer the covered individual’s personal representative.

c. Restrictions on Uses and Disclosures: Any restriction on EGI’s Use or Disclosure of the
   covered individual’s PHI in accordance with Section 7.5 of this Manual to which EGI has
   agreed. Such restriction shall be removed from the individual’s Designated Record Set in
   the event that it ceases to be effective.

d. Confidential Communications: Any request for confidential communications applicable to
   Disclosures of PHI to the covered individual in accordance with Section 7.6 of this Manual
   to which EGI has agreed, along with any other applicable documentation required by that
   section. Such description of alternate communications shall be removed from the
   individual’s Designated Record Set in the event that it ceases to be effective.

e. Data Use Agreements: Any data use agreement to which EGI has agreed in order to
   receive a Limited Data Set, in accordance with Section 6.3 of this Manual. Such data use
   agreement shall be removed from the individual’s Designated Record Set in the event that
   EGI no longer maintains the applicable Limited Data Set.

9.2(4) Compliance Records: Maintained for Each Covered Individual

For each Member, EGI shall maintain the following applicable documents:

a. Accounted Disclosures of PHI: Listed Disclosures of the individual’s PHI with
   descriptions, in accordance with Section 4.14 of this Manual. Documentation of a
   Disclosure shall be retained at least until the date that is 6 years after the date on which the
   Disclosure occurred.

b. Suspension of Disclosure’s Inclusion in Accounting: In accordance with Section 7.4 of
   this Manual, any statements by a Health Oversight Agency or law enforcement official that
   result in the suspension of inclusion in an accounting of disclosures of a Disclosure of the
   individual’s PHI. Such documentation shall be retained at least until the date that is 6
   years after the expiration of the time period during which the applicable Disclosures would
   be excluded from any accountings requested.

c. Plan Requests for Entire Medical Record: In accordance with Section 4.1 of this Manual,
   the justification for any EGI request of the individual’s entire medical record. Such
   documentation shall be retained at least until the date that is 6 years after the date of the
   request.

d. Plan Uses or Disclosures of Entire Medical Record: In accordance with Policy 4 of this
   Manual, the justification for a Use or Disclosure of the individual’s entire medical record.
   Such documentation shall be retained at least until the date that is 6 years after the date of
   the Use or Disclosure.

e. Determinations of Personal Representatives: In accordance with Section 4.12 of this
   Manual, any determination regarding whether a person is the individual’s personal
   representative. Such documentation shall be retained at least until the date that is 6 years
   after the later of the determination date or, if the Privacy Officer determines the person is
   the personal representative, the date on which such determination ceases to be effective.

f. Authorizations: In accordance with Section 4.11 of this Manual, any Authorization
   received for EGI’s Use or Disclosure of the individual’s PHI. Such documentation shall be
   retained at least until the date that is 6 years after the date on which the Authorization
   expires or is revoked.

g. Notification Disclosures: If the Privacy Officer approves a Notification Disclosure
   concerning the individual (in accordance with Section 4.7 of this Manual), the reasons for
   the determination that such Notification Disclosure is permissible. Such documentation
   shall be retained at least until the date that is 6 years after the date of disclosure.

h. Dates of Provision of a Notice: In accordance with Section 7.1 of this Manual, a log of
   the dates on which the individual requests a copy of the notice of privacy practices and the
   dates on which he receives a copy. Documentation of each date shall be retained at least
   until the date that is 6 years after the date documented.

i. Requests for Access: The documents described in Section 7.2 of this Manual relating to
   the individual’s request for access. All such documents shall be retained at least until the
   date that is 6 years after the date on which the last document attributable to the applicable
   request for access was created.

j. Requests for Amendment: The documents described in Section 7.3 of this Manual relating
   to the individual’s request for amendment. All such documents shall be retained at least
   until the date that is 6 years after the date on which the last document attributable to the
   applicable request for amendment was created.

k. Requests for Accounting: The documents described in Section 7.4 of this Manual relating
   to the individual’s request for accounting. All such documents shall be retained at least
   until the date that is 6 years after the date the applicable accounting is provided.

l. Requests for Restriction on Use or Disclosure of PHI: The documents described in Section
   7.5 of this Manual relating to the individual’s request for restriction. All such documents,
   if attributable to a granted request, shall be retained at least until the date that is 6 years
   after the date on which the respective restriction is no longer effective. All such
   documents, if attributable to a denied request, shall be retained at least until the date that is
   6 years after the date of denial.

m. Requests for Confidential Communications: The documents described in Section 7.6 of
   this Manual relating to the individual’s request for confidential communications. All such
   documents, if attributable to a granted request, shall be retained at least until the date that
   is 6 years after the date on which the alternate communications are no longer in effect. All
   such documents, if attributable to a denied request, shall be retained at least until the date
   that is 6 years after the notification of denial.

n. Notification of Complaint Disposition: In accordance with Section 7.7 of this Manual, any
   notification that is sent to the individual regarding the disposition of his complaint. Such
   notification shall be retained at least until the date that is 6 years after the date on which it
   is given.

9.2(5) Compliance Records: General Files

EGI shall maintain the following general privacy files:

a. Policies and Procedures: The current written policies and procedures set forth in this
   Manual and, in accordance with Section 9.1 of this Manual, any written policies and
   procedures that are no longer in effect. A superseded Section of the policies and
   procedures shall be retained at least until the date that is 6 years after the date it became
   superseded.

b. Notices of Privacy Practices: EGI’s current version of the notice of privacy practices and,
   in accordance with Section 7.1 of this Manual, any former version that is no longer in
   effect. A former version shall be retained at least until the date that is 6 years after the date
   it was revised.

c. Plan Sponsor Agreements and Plan Sponsor Certifications: In accordance with Policy 5 of
   this Manual, any written agreements and any Certification intended to permit Disclosure of
   PHI to EGI as a Plan Sponsor. Any such documentation shall be retained at least until the
   date that is 6 years after the date on which it ceases to be effective.

d. Business Associate Contract Provisions: The provisions of contracts with a Business
   Associate that are intended to comply with Section 6.1 of this Manual. Documentation of
   such contractual provisions shall be retained at least until the date that is 6 years after the
   date on which the provisions cease to be effective.

e. Data Use Agreements: Data use agreements that are intended to comply with Section 6.3
   of this Manual. Any such agreement shall be retained at least until the date that is 6 years
   after the date on which it ceases to be effective.

f. Designation of Contact Person: Documents identifying EGI’s designated Contact Person,
   in accordance with Section 3.2 of this Manual. Such documentation shall be retained at
   least until the date that is 6 years after the date on which the identified person or office
   ceases to be the Contact Person.

g. Disposition of Complaints: In accordance with Section 7.7 of this Manual, documentation
   of a complaint received and its disposition. Such documentation shall be retained at least
   until the date that is 6 years after the date on which it is created.

h. Secretary Investigations: In accordance with Section 8.1 of this Manual, any written
   communications with the Secretary regarding EGI’s privacy policies and procedures. Each
   such document shall be retained at least until the date that is 6 years after the date on which
   it was created.

i. Mitigation Efforts: In accordance with Section 8.4 of this Manual, documentation of EGI’s
   efforts to mitigate the harmful effects of a privacy violation. Such documentation shall be
   retained at least until the date that is 6 years after the date on which it is created.

9.2(6) Records Relating to Personnel

a. Privacy Training: In accordance with Section 8.2 of this Manual, documentation of
   privacy training received by all employees and any signed PHI confidentiality
   agreement. Such documentation shall be retained at least until the date that is 6 years
   after the person’s date of termination of employment.

b. Sanctions: Description of any sanctions considered against the employee in accordance
   with Section 8.5 of this Manual, whether or not imposed. Information that identifies the
   individual whose privacy rights were violated shall be removed to the extent practicable.
   All such documents shall be retained at least until the date that is 6 years after the date on
   which they were created.

REFERENCES/CITATIONS

45 C.F.R. § 164.530(j).

65 Fed. Reg. at 82,563, 82,749-50 (Dec. 28, 2000)
