POLICIES AND PROCEDURES FOR COMPLIANCE WITH by lnwh62f

VIEWS: 4 PAGES: 34

									This material is provided for informational purposes only. We cannot provide legal advice. You should seek the advice of legal
counsel in applying this information to your own specific situation.

                        POLICIES AND PROCEDURES FOR COMPLIANCE WITH
                                INDIVIDUALS’ RIGHTS REGARDING
                               PROTECTED HEALTH INFORMATION


The Plan Sponsor and the Plan Administrator hereby adopt the following Policies and Procedures which
shall be instituted and followed by the Plan:

1.     Defined Terms. The following terms shall have the meanings set forth below when used in this
document:

           “Designated Record Set” shall mean a group of records maintained by or for the Plan that is
           enrollment, payment, claims adjudication and case or medical management record systems
           maintained by or for the Plan; or used in whole or in part by or for the Plan to make decisions
           about Individuals. Information used for quality control or peer review analyses and not used to
           make decisions about Individuals is not in the Designated Record Set.

           “HIPAA” shall mean the Health Insurance Portability and Accountability Act of 1996, as
           amended.

           “Individual” shall mean [the person who is the subject of PHI].                                                             Formatted

           “Plan Sponsor” shall mean [insert name of Plan Sponsor].

           “Plan Administrator” shall mean [insert name of Administrator of the Plan].

           “Plan” shall mean [insert name of Plan].

           “Privacy Official” shall mean the individual appointed as such by the Plan Administrator.

           “Privacy Standards” shall mean the Standards for Privacy of Individually Identifiable Health
           Information enacted pursuant to HIPAA.

           “Protected Health Information” or “PHI” shall mean individually identifiable health
           information, as more specifically defined in the Privacy Standards.

2.      Compliance with the Privacy Standards. The Plan at all times shall comply with the
requirements of the Privacy Standards regarding Individual’s rights with respect to PHI. In the event the
Privacy Standards are amended, these Policies and Procedures shall be deemed to be amended in
accordance therewith.

3.        Right to Request Restrictions on PHI Uses and Disclosures. An Individual may request the
Plan to (a) restrict uses or disclosures of his or her PHI to carry out treatment, payment or health care
operations; or (b) restrict disclosures to family members, other relatives, close personal friends or other
persons identified by the Individual who are involved in his or her care or payment for that care; or (c) to
notify, or assist in the notification of (including identifying or locating), a family member, a personal
representative of the Individual or another person responsible for the care of the Individual, of the
Individual’s location, general condition or death. However, the Plan is not required to agree to a requested
restriction.

If the Plan agrees to a requested restriction, the Plan shall not use or disclose PHI in violation of such
restriction, except that, if the Individual requested a restriction and later is in need of emergency treatment
and the restricted PHI is needed to provide the emergency treatment, the Plan may use the restricted PHI, or
it may disclose such information to a health care provider, to provide such treatment to the Individual. If
restricted PHI is disclosed to a health care provider for emergency treatment, the Plan shall request that
such health care provider not further use or disclose the information.
Policies and Procedures for Compliance with
Individuals’ Rights Regarding Protected Health Information       1                                                         Exhibit K
This material is provided for informational purposes only. We cannot provide legal advice. You should seek the advice of legal
counsel in applying this information to your own specific situation.


A restriction agreed to by the Plan is not effective to prevent uses or disclosures permitted or required
under §§ 164.502(a)(ii), 164.510(a) or 164.512 of the Privacy Standards.

The Plan may terminate its agreement to a restriction, if:

               The Individual agrees to or requests the termination in writing;
               The Individual orally agrees to the termination and the oral agreement is documented; or
               The Plan informs the Individual that it is terminating its agreement to a restriction, except that
                such termination is only effective with respect to PHI created or received after the Plan has
                informed the Individual of the termination.

If the Plan agrees to a restriction, it will document the restriction by maintaining a written or electronic
record of the restriction. The record of the restriction will be retained for six years from the date of its
creation or the date when it last was in effect, whichever is later.

An Individual or his or her personal representative will be required to request restrictions on uses and
disclosures of PHI in writing. Such requests should be addressed to the contact person specified in the
Plan’s Notice of Privacy Practices.

Forms 1 and 2 are attached for requests for, and responses to requests for, restrictions on PHI uses and
disclosures.

4.        Right to Request Confidential Communications of PHI. An Individual may request to receive
communications of PHI from the Plan by alternative means or at alternative locations if he or she clearly
states that the disclosure of all or part of the information to which the request pertains could endanger the
Individual. The Plan will accommodate all such reasonable requests. However, the Plan may condition the
provision of a reasonable accommodation on:

               When appropriate, information as to how payment, if any, will be handled; and
               Specification by the Individual of an alternative address or other method of contact.

An Individual or his or her personal representative will be required to request confidential communications
of PHI in writing. Such requests should be addressed to the contact person specified in the Plan’s Notice of
Privacy Practices.

Forms 3 and 4 are attached for requests for, and responses to requests for, confidential communications of
PHI.

5.        Right to Inspect and Copy PHI. An Individual has a right to inspect and obtain a copy of his or
her PHI contained in a Designated Record Set, for as long as the Plan maintains PHI in the Designated
Record Set, except for psychotherapy notes; information compiled in reasonable anticipation of, or for use
in, a civil, criminal or administrative action or proceeding; and other health information not subject to the
right to access information under the Privacy Standards.

The Plan shall act on a request for access no later than 30 days after receipt of the request. However, if the
request for access is for PHI that is not maintained or accessible to the Plan on-site, the Plan shall take
action no later than 60 days from the receipt of such request. The Plan shall take action as follows: if the
Plan grants the request, in whole or in part, the Plan shall inform the Individual of the acceptance and
provide the access requested. However, if the Plan denies the request, in whole or in part, the Plan shall
provide the Individual with a written denial. If the Plan cannot take action within the required time, the
Plan may extend the time for such action by no more than 30 days if the Plan, within the applicable time
limit, provides the Individual with a written statement of the reasons for the delay and the date by which it
will complete its action on the request.


Policies and Procedures for Compliance with
Individuals’ Rights Regarding Protected Health Information       2                                                         Exhibit K
This material is provided for informational purposes only. We cannot provide legal advice. You should seek the advice of legal
counsel in applying this information to your own specific situation.

If the Plan provides access to PHI, it shall provide the access requested, including inspection or obtaining a
copy, or both, of the Individual’s PHI in a Designated Record Set. The Plan shall provide the Individual
with access to the PHI in the form or format requested if it is readily producible in such form or format; or,
if it is not, in a readable hard copy form or such other form or format as agreed to between the Individual
and the Plan. The Plan may provide the Individual with a summary of the PHI requested, in lieu of
providing access to the PHI, or may provide an explanation of the PHI to which access has been provided
in certain circumstances. The Plan will arrange with the Individual for a convenient time and place to
inspect or obtain a copy of the PHI, or mail a copy of the PHI at the Individual’s request. If an Individual
requests a copy of PHI or agrees to a summary or explanation of PHI, the Plan may impose a reasonable,
cost-based fee. Such fee shall include only the cost of (a) copying, including the cost of supplies for and
labor of copying, the PHI requested; (b) postage, when the Individual has requested the copy, or the
summary or explanation, be mailed; and (c) preparing an explanation or summary of the PHI, if agreed to
by the Individual as set forth above.

If the Plan denies access to PHI in whole or in part, the Plan shall, to the extent possible, give the
Individual access to any other PHI requested, after excluding PHI as to which the Plan has grounds to deny
access. If access is denied, the Individual or his or her personal representative will be provided with a
written denial setting forth the basis for the denial; if applicable, a statement of his or her review rights,
including a description of how the Individual may exercise those review rights; and a description of how
the Individual may complain to the Plan or to the Secretary of the U.S. Department of Health and Human
Services (“HHS”) (including the name, or title, and telephone number of the contact person specified in the                            Formatted
Plan’s Notice of Privacy Practices). If an Individual requests review of a decision to deny access, the Plan                           Formatted
will refer the request to a designated licensed health care professional, who was not directly involved in the
denial, for review. The reviewing official will determine, within a reasonable period of time, whether to
deny the access requested. The Plan will promptly provide the Individual with written notice of that
determination and take any other action required by the Privacy Standards to carry out the determination.

Unreviewable grounds for denial. The Plan may deny an Individual access without providing the
Individual an opportunity for review, in the following circumstances: (a) the PHI is excepted from the right
of access by the Privacy Standards; (b) the PHI is contained in records that are subject to the Privacy Act, 5
U.S.C. § 552a, if denial would meet the requirements of that law; and (c) the PHI was obtained from
someone other than a health care provider under a promise of confidentiality and the access requested
would be reasonably likely to reveal the source of the information.

Reviewable grounds for denial. The Plan may deny an Individual access, provided the Individual is given
the right to have such denials reviewed, where: (a) a licensed health care professional has determined that
such access is reasonably likely to endanger the life or physical safety of the Individual or another person;
(b) the PHI makes reference to another person (unless such other person is a health care provider) and a
licensed health care professional has determined that the access requested is reasonably likely to cause
substantial harm to such other person; or (c) the request for access is made by the Individual's personal
representative and a licensed health care professional has determined that the provision of access to such
personal representative is reasonably likely to, or cause substantial harm to, the IndivdualIndividual or
another person.

If the Plan does not maintain the PHI that is the subject of the Individual’s request for access, and the Plan
knows where the requested information is maintained, the Plan will inform the Individual where to direct
the request for access.

An Individual or his or her personal representative will be required to request access to the Individual’s PHI
in writing. Such requests should be addressed to the contact person specified in the Plan’s Notice of
Privacy Practices.

In addition to the actions set forth above, the Plan shall:



Policies and Procedures for Compliance with
Individuals’ Rights Regarding Protected Health Information       3                                                         Exhibit K
This material is provided for informational purposes only. We cannot provide legal advice. You should seek the advice of legal
counsel in applying this information to your own specific situation.

               Document what constitutes the Designated Record Set that includes PHI; for example, the
                Plan may include all records related to an Individual’s enrollment, eligibility, claims or
                appeals, but exclude records related to audits of individual claims for quality review purposes;
               Ensure that Designated Record Sets are kept separate from employment-related documents
                and employee personnel files;
               Determine whether requested information is subject to the inspection and copying
                requirements of the Privacy Standards;
               Date and time-stamp written requests when they are received to ensure that either responses
                are generated within 30 days or that extensions are requested;
               Log all requests and assign a supervisor to monitor the log on a weekly basis; and
               Log all inspections and/or copies made of PHI.

Forms 5 and 6 are attached for requests for, and responses to requests for, inspection and copying of PHI.

6.       Right to Amend PHI. An Individual has the right to request the Plan to amend his or her PHI or
a record about him or her in a Designated Record Set for as long as the PHI is maintained in the Designated
Record Set.

The Plan may deny an Individual’s request for amendment if it determines that the PHI or record that is the
subject of the request:

               Was not created by the Plan, unless the Individual provides a reasonable basis to believe that
                the originator of PHI is no longer available to act on the requested amendment;
               Is not part of the Designated Record Set;
               Would not be available for the Individual’s inspection under the Privacy Standards; or
               Is accurate and complete.

The Plan has 60 days after the request is made to act on the request. A single 30-day extension is allowed
if the Plan is unable to comply within that deadline provided that the Plan, within the original 60-day time
period, gives the Individual a written statement of the reasons for the delay and the date by which it will
complete its action on the request. If the Plan accepts the requested amendment, the Plan shall make the
appropriate amendment to the PHI or record that is the subject of the request by, at a minimum, identifying
the records in the Designated Record Set that are affected by the amendment and appending or otherwise
providing a link to the location of the amendment. The Plan shall timely inform the Individual that the
amendment is accepted and obtain his or her identification of and agreement to have the Plan notify the
relevant persons with which the amendment needs to be shared as provided in the Privacy Standards,. The
Plan shall make reasonable efforts to inform and provide the amendment within a reasonable time to: (a)
persons identified by the Individual as having received PHI about the Individual and needing amendment,
and (b) persons, including Business Associates (as defined in the Privacy Standards) of the Plan, that the
Plan knows have the PHI that is the subject of the amendment and that may have relied, or could
foreseeably rely, on such information to the detriment of the Individual.

If the request is denied in whole or part, the Plan shall provide the Individual with a written denial that (i)
explains the basis for the denial, (ii) sets forth the Individual’s right to submit a written statement
disagreeing with the denial and how to file such a statement, (iii) states that, if the Individual does not
submit a statement of disagreement, he or she may request that the Plan provide his or her request for
amendment and the denial with any future disclosures of the PHI that is the subject of the amendment, and
(iv) includes a description of how the Individual may complain to the Plan or to the Secretary of HHS
(including the name, or title, and telephone number of the contact person specified in the Plan’s Notice of
Privacy Practices). The Plan may reasonably limit the length of a statement of disagreement. Further, the
Plan may prepare a written rebuttal to a statement of disagreement, which will be provided to the
Individual. The Plan shall, as appropriate, identify the record or PHI in the Designated Record Set that is
the subject of the disputed amendment and append or otherwise link the Individual’s request for an
amendment, the Plan's denial of the request, the Individual’s statement of disagreement, if any, and the
Plan's rebuttal, if any, to the Designated Record Set. If a statement of disagreement has been submitted, the
Policies and Procedures for Compliance with
Individuals’ Rights Regarding Protected Health Information       4                                                         Exhibit K
This material is provided for informational purposes only. We cannot provide legal advice. You should seek the advice of legal
counsel in applying this information to your own specific situation.

Plan will include the above-referenced material, or, at the Plan's election, an accurate summary of such
information, with any subsequent disclosure of the PHI to which the disagreement relates. If the Individual
does not submit a written statement of disagreement, the Plan must include his or her request for
amendment and its denial, or an accurate summary of such information, with any subsequent disclosure of
the PHI only if requested by the Individual.

If the Plan is informed by another Covered Entity (as defined in the Privacy Standards) of an amendment to
an Individual’s PHI, the Plan shall amend the PHI in Designated Record Sets as required by the Privacy
Standards.

An Individual or his or her personal representative will be required to request amendment to PHI in a
Designated Record Set in writing. Such requests should be addressed to the contact person specified in the
Plan’s Notice of Privacy Practices. All requests for amendment of PHI must include a reason to support the
requested amendment.

In addition to the actions set forth above, the Plan shall:

               Document what constitutes the Designated Record Set that includes PHI; for example, the
                Plan may include all records related to an Individual’s enrollment, eligibility, claims or
                appeals, but exclude records related to audits of individual claims for quality review purposes;
               Ensure that Designated Record Sets are kept separate from employment-related documents
                and employee personnel files;
               Determine whether the Information requested in is subject to the amendment requirements of
                the Privacy Standards;
               Date and time-stamp written requests when they are received to ensure that either responses
                are generated within 30 60 days or that extensions are requested;
               Log all requests and assign a supervisor to monitor the log on a weekly basis;
               If the request to amend is approved, log the result and include in the log how the Designated
                Record Set will be changed and how the Individual was notified of the approval; and
               Ensure that related future disclosures include documentation regarding the amendment.

Forms 7 and 8 are attached for requests for, and responses to requests for, amendment or correction of PHI.

7.        Right to Receive an Accounting of PHI Disclosures. At an Individual’s request, the Plan shall
provide the Individual with an accounting of disclosures by the Plan of his or her PHI during the six years
prior to the date on which the accounting is requested. However, such accounting need not include PHI
disclosures made: (a) to carry out treatment, payment or health care operations; (b) to individuals about
their own PHI; (c) incident to a use or disclosure otherwise permitted or required by the Privacy Standards;
(d) pursuant to an authorization; (e) to certain persons involved in the Individual’s care or payment for that
care; (df) to notify certain persons of the Individual’s location, general condition or death; (g) as part of a
“Limited Data Set” (as defined in the Privacy Standards), which largely relates to research purposes; or (he)
prior to the compliance date of April 14, 2003. An Individual may request an accounting of disclosures for
a period of time less than six years from the date of the request.

The accounting will include disclosures of PHI that occurred during the six years (or such shorter time
period, if applicable) prior to the date of the request for an accounting, including disclosures to or by
business Business associates Associates of the Plan. Except as otherwise provided below, fFor each
disclosure, the accounting will include:

               The date of the disclosure;
               The name of the entity or person who received the PHI and, if known, the address of such
                entity or person;
               A brief description of the PHI disclosed; and



Policies and Procedures for Compliance with
Individuals’ Rights Regarding Protected Health Information       5                                                         Exhibit K
This material is provided for informational purposes only. We cannot provide legal advice. You should seek the advice of legal
counsel in applying this information to your own specific situation.

               A brief statement of the purpose of the disclosure that reasonably informs the Individual of
                the basis for the disclosure, or, in lieu of such statement, a copy of the Individual’s written
                authorization or a copy of a written request for disclosure.

If during the period covered by the accounting, the Plan has made multiple disclosures of PHI to the same
person or entity for a single purpose, or pursuant to a single authorization, the accounting may, with respect
to such multiple disclosures, provide the above-referenced information for the first disclosure; the
frequency, periodicity or number of the disclosures made during the accounting period; and the date of the
last disclosure.

If during the period covered by the accounting, the Plan has made disclosures of PHI for a particular
research purpose for 50 or more Individuals, the accounting may, with respect to such disclosures for which
an Individual's PHI may have been included, provide certain information as permitted by the Privacy
Standards. If the Plan provides an accounting for such research disclosures, and if it is reasonably likely
that an Individual's PHI was disclosed for such research activity, the Plan shall, at the Individual's request,
assist in contacting the entity that sponsored the research and the researcher.

If the accounting cannot be provided within 60 days after receipt of the request, an additional 30 days is
allowed if the Individual is given a written statement of the reasons for the delay and the date by which the
accounting will be provided.

If an Individual requests more than one accounting within a 12-month period, the Plan shall charge a
reasonable, cost-based fee for each subsequent accounting unless the Individual withdraws or modifies the
request for a subsequent accounting to avoid or reduce the fee.

An Individual or his or her personal representative will be required to request an accounting of PHI
disclosures in writing. Such requests should be addressed to the contact person specified in the Plan’s
Notice of Privacy Practices.

Forms 9 and 10 are attached for requests for, and responses to requests for, accountings of PHI disclosures.

IN WITNESS WHEREOF, the Plan Sponsor and the Plan Administrator have executed this document as of
the date set forth below.

                                                                  PLAN SPONSOR



                                                                  By: __________________________________
                                                                  Title: ________________________________

                                                                  PLAN ADMINISTRATOR



                                                                  By: __________________________________
                                                                  Title: ________________________________


Effective Date: ______________________




Policies and Procedures for Compliance with
Individuals’ Rights Regarding Protected Health Information       6                                                         Exhibit K
This material is provided for informational purposes only. We cannot provide legal advice. You should seek the advice of legal
counsel in applying this information to your own specific situation.

                                    INDIVIDUAL REQUEST NOT TO USE OR
                                      DISCLOSE HEALTH INFORMATION


Request for Restriction

         I, ________________________, understand that [insert name of plan] (the “Plan”) may use and
disclose protected health information (“PHI”) about me for purposes of health care treatment, payment and
health care operations without my authorization or opportunity to agree or object. I request to restrict use
and disclosure of PHI concerning treatment, payment and health care operations about me, or to restrict
disclosures to family members, relatives, friends or other persons identified by me who are involved in my
care or payment for that care, in accordance with the Standards for Privacy of Individually Identifiable
Health Information (the “Privacy Standards”) pursuant to the Health Insurance Portability and
Accountability Act of 1996 (“HIPAA”), as amended.

Plan Not Required to Agree

           I understand that the Plan is not required to agree to this restriction.

Termination of Restriction

          I understand that if the Plan agrees to this restriction, either the Plan or I may terminate this
restriction at any time. If the Plan informs me that it is terminating its agreement to a restriction, the
termination of the restriction is only effective with respect to PHI created or received after the Plan informs
me of the termination.

Emergency Treatment Exception

         I understand that if restricted PHI must be used or disclosed to provide emergency treatment for
me, then this restriction is void.

Privacy Standards Exception

         I understand that if a restriction is agreed to by the Plan, it is not effective to prevent uses or
disclosures required by the Secretary of the U.S. Department of Health and Human Services to investigate
the Plan's compliance with the Privacy Standards or uses or disclosures that are otherwise required by law.

Questionnaire

        Requestor: Please complete all of the following questions. If the question is not applicable, mark
N/A on the answer line.

           (1) I request the following information be restricted:
           _______________________________________________________________________________
           _______________________________________________________________________________

           (2) I request that the use and disclosure of the above-described information be restricted in the
               following manner:
           _______________________________________________________________________________
           _______________________________________________________________________________

           (3) I request that my PHI not be disclosed to the following individuals or entities:
           _______________________________________________________________________________
           _______________________________________________________________________________




Form 1                                                                                                                  Exhibit K-1
Page 1
This material is provided for informational purposes only. We cannot provide legal advice. You should seek the advice of legal
counsel in applying this information to your own specific situation.

Exception for Other Restrictions

          I understand that if a restriction is not specifically listed above and agreed to in writing by the
Plan, it will not be effective.



           ______________                              _________________________________________
           Date                                        Signature




Form 1                                                                                                                  Exhibit K-1
Page 2
This material is provided for informational purposes only. We cannot provide legal advice. You should seek the advice of legal
counsel in applying this information to your own specific situation.

                             GROUP HEALTH PLAN'S RESPONSE
                 TO REQUEST NOT TO USE OR DISCLOSE HEALTH INFORMATION



Date of this Notice: _____________________



Grant of Request

_______ Your request to restrict use and disclosure of protected health information has been granted in
accordance with the request, subject to the following:

               Either you or the Plan may terminate this restriction at any time. If the Plan informs you that
                it is terminating its agreement to this restriction, the termination of the restriction is only
                effective with respect to PHI created or received after the Plan informs you of the termination.
               If restricted PHI must be used or disclosed to provide emergency treatment for you, then this
                restriction is void.
               The restriction is not effective to prevent uses or disclosures required by the Secretary of the
                U.S. Department of Health and Human Services to investigate the Plan's compliance with the
                Privacy Standards or uses or disclosures that are otherwise required by law.
               If a restriction is not specifically listed on the request, it will not be effective.


Denial of Request

_______ Your request to restrict use and disclosure of protected health information has been denied.




Form 2                                                                                                                  Exhibit K-2
Page 1
This material is provided for informational purposes only. We cannot provide legal advice. You should seek the advice of legal
counsel in applying this information to your own specific situation.

                                        INDIVIDUAL REQUEST FOR
                                     CONFIDENTIAL COMMUNICATIONS
                                   OF PROTECTED HEALTH INFORMATION


Request for Restriction

         I, ________________________, request that I receive communications of my protected health
information from [insert name of plan] (the “Plan”), as follows:

           Alternative Means of Contact or Delivery: ______________________________________
           OR
           Alternative Location of Delivery: _____________________________________

           Specifically, I request that the following communications be subject to the above request:

           ________________________________________________________________________

           The disclosure of all or part of the information to which this request pertains could endanger me.

Plan May Impose Conditions

         I understand that the Plan will agree to all reasonable requests, but may condition this
accommodation on, when appropriate, information as to how payment, if any, will be handled; and my
specifying above an alternative means or alternative location.




           ______________                              _________________________________________
           Date                                        Signature




Form 3                                                                                                                  Exhibit K-3
Page 1
This material is provided for informational purposes only. We cannot provide legal advice. You should seek the advice of legal
counsel in applying this information to your own specific situation.

                                GROUP HEALTH PLAN'S RESPONSE
                         TO REQUEST FOR CONFIDENTIAL COMMUNICATIONS
                              OF PROTECTED HEALTH INFORMATION



Date of this Notice: _____________________



Grant of Request

_______ Your request for confidential communications of protected health information has been granted in
accordance with your request.

_______ Your request for confidential communications of protected health information has been received;
however, you did not specify on the request either an alternative means of contact or delivery or an
alternative location of delivery. If you submit the following information, then your request will be granted.

           Alternative Means of Contact or Delivery: _______________________________________
           OR
           Alternative Location of Delivery: ________________________________________


Payment Information

_______ Please specify how payment of benefits under the Plan should be handled:
______________________________________________________________________________________


Denial of Request

_______ Your request for confidential communications of protected health information has been denied.




Form 4                                                                                                                  Exhibit K-4
Page 1
This material is provided for informational purposes only. We cannot provide legal advice. You should seek the advice of legal counsel in
applying this information to your own specific situation.

                                                INDIVIDUAL REQUEST
                                                TO INSPECT OR COPY
                                           PROTECTED HEALTH INFORMATION



          I, ______________________, request to review protected health information held about me in the [Insert
Name of Plan] group health plan's (the "Plan") "designated record set" in accordance with the Health Insurance
Portability and Accountability Act of 1996, as amended ("HIPAA"). A "designated record set" is a group of records
maintained by or for the Plan including enrollment, payment, claims adjudication and health plan case or medical
management record systems; or records used by or for the Plan to make decisions about individuals. The term
"record" means any item, collection or grouping of information that includes protected health information that is
maintained, collected, used or disseminated by or for the Plan.

       Check any of the below, as applicable:
  ____ I want to inspect protected health information about myself that is maintained in the designated record set.
  ____ I want to obtain a copy of protected health information about myself that is maintained in the designated
       record set.
  ____ I request that the copy of protected health information about myself be mailed to the following
       address:__________________________________________________________

         If the same protected health information that is the subject of a request for access is maintained in more
than one designated record set or at more than one location, the Plan will only produce the protected health
information once in response to a request.

         I understand that the Plan has 30 days to respond to this request, and that if someone else holds the
information or it is off-site, the response time is 60 days. If the Plan is unable to take action within the applicable
time period, the Plan may extend the time for such action by 30 days, provided the Plan, within the applicable time
period, gives me a written statement of the reasons for the delay and the date by which the Plan will complete its
action on the request.

          I understand that if the Plan grants this request, in whole or in part, it will inform me of the acceptance of
this request and provide the access requested. In that event, the Plan will arrange with me for a convenient time and
place to inspect or copy the protected health information. However, if the Plan denies the request, in whole or in
part, it will provide me with a written denial.

           I request that the information be provided in the following format: (circle one)

                      Paper              Computer Disk                       CD Rom                Email

        I understand that if the format requested is not readily producible, the Plan will provide a readable hard
copy form or such other form or format as agreed to by the Plan and myself.

        I do____ do not ______ agree that the Plan may provide a summary of the health information instead of
allowing me to review the information.

          I do ____ do not ______ agree that the Plan may provide an explanation of the health information to which
access is provided.

         I agree to pay any fees for copying, summarizing, or explaining my health information. Fees will be
reasonable and cost-based, and include only the cost of copying, postage (if I request that a copy, summary or
explanation be mailed), and preparation of a summary or explanation (if I agree to a summary or explanation, or
both).




Form 5                                                                                                                   Exhibit K-5
Page 1
This material is provided for informational purposes only. We cannot provide legal advice. You should seek the advice of legal counsel in
applying this information to your own specific situation.

          I understand that this request does not apply to certain health information, including: (1) information that is
not held in the designated record set; (2) psychotherapy notes; (3) information compiled in reasonable anticipation
of, or for use in, a civil, criminal or administrative action or proceeding; and (4) other health information not subject
to the right to access information under HIPAA.



________________                                                  ___________________________________
Date                                                              Signature




Form 5                                                                                                                   Exhibit K-5
Page 2
This material is provided for informational purposes only. We cannot provide legal advice. You should seek the advice of legal
counsel in applying this information to your own specific situation.

                                      GROUP HEALTH PLAN'S RESPONSE
                                      TO REQUEST TO INSPECT OR COPY
                                     PROTECTED HEALTH INFORMATION



Date of this Notice: _____________________


Grant of Request

Check only one of the following, if applicable:
_______ Your request to access your health information has been granted in its entirety.
_______ Your request to access your health information has been granted in part. (See the section entitled
"Denial of Access" for an explanation regarding that portion of your access request that has been denied.)

           Access will be provided as follows: [Insert date, time and place for access].

Check only one of the following:
_______ The Plan will provide you with access in the form/format requested.
_______ The Plan cannot readily produce the form/format requested. Instead, the Plan will:(check one of
        the following)_______ provide access in a readable hard copy form; OR
                      _______ contact you to agree upon an alternative form/format.

Check, if applicable:
_______ A copy of the protected health information will be mailed to you pursuant to your prior
instructions.

           A summary has ____ has not ____ been created based on the advance agreement provided by you.

          An explanation of the protected health information to which access shall be provided will _____
will not _____ be prepared based on the advance agreement provided by you.

Check, if applicable:
_______ In accordance with your prior agreement, you must pay the Plan the following fees: [Insert fee
amount]. The fees may relate to any of the following, as applicable: (1) cost of copying; (2) postage; and
(3) cost of preparation of an explanation of health information and/or summary of health information.


Need for Extension of Time

         The [Insert Name of Plan] group health plan (the "Plan") received your request to access health
information on [Insert date of receipt]. The Plan is reviewing your request to access health information,
but the Plan is unable to determine if the requested access should be granted. A delay in rendering the
Plan's decision regarding the requested access is necessary for the following reason(s):
___________________________________________________.

         The Plan will respond to your request by ________________, but in any event, no later than 30
days after you receive this notice of the need for an extension of time.


Denial of Access

         Your request to access your health information is denied, in whole or in part, for the following
reason(s): ____________________________________________________________________________.
If your request was denied in part, the Plan will give you access to other protected health information


Form 6                                                                                                                  Exhibit K-6
Page 1
This material is provided for informational purposes only. We cannot provide legal advice. You should seek the advice of legal
counsel in applying this information to your own specific situation.

requested, after excluding the information for which the Plan has denied access, as set forth in the section
entitled "Grant of Request."

         You may file a complaint regarding this decision with the Plan or the U.S. Department of Health
and Human Services. If you file a complaint with the Plan, please file it in writing with the following
person: [Insert Name or Title of Contact Person, and their address and telephone number (Note: telephone
number is mandatory)]. Your complaint should include the reason(s) for the complaint, the grounds for
disagreement with the Plan's decision to deny your requested access and any other relevant information.
Alternatively, to file a complaint with the Secretary of the U.S. Department of Health and Human Services,
it should be addressed as follows: The Hubert H. Humphrey Building, 200 Independence Avenue, S.W.,
Washington, D.C. 20201. A complaint filed with the Secretary must meet the following requirements: (1)
it must be filed in writing, either on paper or electronically; (2) it must name the plan that is the subject of
the complaint and describe the acts or omissions believed to be in violation of the Privacy Standards; and
(3) it must be filed within 180 days after receipt of this denial of access.
                                                                                                                                      Formatted
          In certain cases, you are entitled to appeal the denial of access. You are entitled to an appeal if
access was denied because: (1) in the opinion of a licensed health care professional, granting access is
likely to endanger the life or physical safety of you or another person; (2) the protected health information
makes reference to another person (unless that other person is a health care provider) and a licensed health
care professional has determined, in the exercise of professional judgment, that the access requested is
reasonably likely to cause substantial harm to such other person; or (3) the request for access was made by
your personal representative and a licensed health care professional has determined, in the exercise of
professional judgment, that the provision of access to such personal representative is reasonably likely to
cause substantial harm to you or another person. In these cases, if you appeal, your appeal will be reviewed
by a licensed health care professional, designated by the Plan, who did not participate in the original
decision. The appeal and notice of the appeal decision will be conducted promptly. Following review of
the appeal, the Plan will provide or deny access in accordance with the determination of the reviewing
official.

         If you have a right to appeal, to exercise that right you must file an appeal, which must be in
writing and addressed as follows: [Insert Name or Title of Contact Person, and their address].

      KEEP IN MIND, YOU MAY ONLY FILE AN APPEAL IF ACCESS WAS DENIED
BECAUSE OF ONE OF THE THREE ABOVE-REFERENCED REASONS. IF ACCESS WAS
DENIED FOR ANY OTHER REASON, THE PLAN'S DECISION IS UNREVIEWABLE. PLEASE
REVIEW THE REASON(S) THAT ACCESS WAS DENIED BEFORE FILING AN APPEAL TO
ENSURE THAT YOU HAVE A RIGHT TO APPEAL.




Form 6                                                                                                                  Exhibit K-6
Page 2
This material is provided for informational purposes only. We cannot provide legal advice. You should seek the advice of legal counsel in
applying this information to your own specific situation.

                                                INDIVIDUAL REQUEST TO
                                              CORRECT OR AMEND A RECORD



         I, ________________________, request [insert name of plan] (the “Plan”) to amend the protected health                              Formatted
information (“PHI”) in its Designated Record Set (as defined in the Standards for Privacy of Individually
Identifiable Health Information (the "Privacy Standards")), as set forth below:

Specific Statement of Amendment Request
______________________________________________________________________________________                                                      Formatted

Specific Reason for Amendment Request
______________________________________________________________________________________                                                      Formatted

        I understand that if the protected health information was not created by the Plan, the Plan is not required to
honor my request. For example, if the information I wish to amend is in a medical report created by my physician, I
must ask the physician – not the Plan – to amend the report. I also understand that if the information is not available
for my inspection, is not part of the Plan’s Designated Record Set or is already accurate and complete, I cannot
amend the information.

         I understand that the Plan will respond to my request within 60 days. If the Plan is unable to take action
within the applicable time period, the Plan may extend the time for such action by 30 days, provided the Plan, within
the original 60-day time period, gives me a written statement of the reasons for the delay and the date by which it
will complete its action on the request.

         If the Plan accepts the requested amendment, the Plan shall make the appropriate amendment to the PHI or
record that is the subject of the request by, at a minimum, identifying the records in the Designated Record Set that
are affected by the amendment and appending or otherwise providing a link to the location of the amendment. The
Plan shall timely inform me that the amendment is accepted and obtain my identification of and agreement to have
the Plan notify the relevant persons with which the amendment needs to be shared as provided in the Privacy
Standards. The Plan shall make reasonable efforts to inform (a) persons identified by me as having received my PHI
and needing amendment, and (b) persons, including Business Associates (as defined in the Privacy Standards) of the
Plan, that the Plan knows have the PHI that is the subject of the amendment and that may have relied, or could
foreseeably rely, on such information to my detriment.

          If the request is denied in whole or part, the Plan shall provide me with a written denial that (i) explains the
basis for the denial, (ii) sets forth my right to submit a written statement disagreeing with the denial and how to file
such a statement, (iii) states that, if I do not submit a statement of disagreement, I may request that the Plan provide
my request for amendment and the denial with any future disclosures of the PHI that is the subject of the
amendment, and (iv) includes a description of how I may complain to the Plan or to the Secretary of the U.S.
Department of Health and Human Services (including the name, or title, and telephone number of the contact person
specified in the Plan’s Notice of Privacy Practices). The Plan may reasonably limit the length of a statement of
disagreement. Further, the Plan may prepare a written rebuttal to a statement of disagreement, which will be
provided to me. The Plan shall, as appropriate, identify the record or PHI in the Designated Record Set that is the
subject of the disputed amendment and append or otherwise link my request for an amendment, the Plan's denial of
the request, my statement of disagreement, if any, and the Plan's rebuttal, if any, to the Designated Record Set. If a
statement of disagreement has been submitted, the Plan will include the above-referenced material, or, at the Plan's
election, an accurate summary of such information, with any subsequent disclosure of the PHI to which the
disagreement relates. If I do not submit a written statement of disagreement, the Plan must include my request for
amendment and its denial, or an accurate summary of such information, with any subsequent disclosure of the PHI
only if requested by me.

           __________________                          ________________________________________
           Date                                        Signature



Form 7                                                                                                                   Exhibit K-7
Page 1
This material is provided for informational purposes only. We cannot provide legal advice. You should seek the advice of legal
counsel in applying this information to your own specific situation.

                                 GROUP HEALTH PLAN’S RESPONSE TO
                              REQUEST TO AMEND OR CORRECT A RECORD


Date of this Notice: _________________


Grant of Request

______ Your request to amend or correct your protected health information (“PHI”) has been granted.
The [insert name of plan] (the “Plan”) will make an appropriate amendment to the Designated Record Set
(as defined in the Standards for Privacy of Individually Identifiable Health Information (the “Privacy
Standards”)).

         You must provide the Plan with the names of any persons to which you wish to provide the
amended information. The Plan then will make reasonable efforts to inform these individuals – and
persons, including Business Associates (as defined in the Privacy Standards) of the Plan, that the Plan
knows have the PHI that is the subject of the amendment and that may have relied or could rely on the
information – of the amendment within a reasonable time.


Need for Extension of Time

______ The Plan received your request to correct or amend protected health information on [Insert date of
receipt]. The Plan is reviewing your request, but the Plan is unable to determine if the requested correction
or amendment should be granted. A delay in rendering the Plan's decision is necessary for the following
reason(s): ___________________________________________________.

         The Plan will respond to your request by ________________, but in any event, no later than 30
days after you receive this notice of the need for an extension of time.


Denial of Amendment

______ Your request is denied for the following reason: _______________________________________
_____________________________________________________________________________________.


Statement of Disagreement

         You have the right to file a written statement disagreeing with the denial of amendment. The
statement of disagreement should be filed within 60 days of this notice with the following office:
__________________________________________. The Plan has the right to prepare a rebuttal statement
to your statement of disagreement. If it does so, you will receive a copy.

         If you do not submit a statement of disagreement, you may request that the Plan provide your
request for amendment and this denial of amendment with any future disclosures of protected health
information that is the subject of this request.

         The Plan shall, as appropriate, identify the record or PHI in the Designated Record Set that is the
subject of the disputed amendment and append or otherwise link your request for an amendment, the Plan's
denial of the request, your statement of disagreement, if any, and the Plan's rebuttal, if any, to the
Designated Record Set. If a statement of disagreement has been submitted, the Plan will include the above-
referenced material, or, at the Plan's election, an accurate summary of such information, with any
subsequent disclosure of the PHI to which the disagreement relates. If you do not submit a written


Form 8                                                                                                                  Exhibit K-8
Page 1
This material is provided for informational purposes only. We cannot provide legal advice. You should seek the advice of legal
counsel in applying this information to your own specific situation.

statement of disagreement, the Plan shall include your request for amendment and its denial, or an accurate
summary of such information, with any subsequent disclosure of the PHI only if requested by you.

         You may file a complaint regarding this decision with the Plan or the U.S. Department of Health
and Human Services. If you file a complaint with the Plan, please file it in writing with the following
person: [Insert Name or Title of Contact Person, and their address and telephone number (Note: telephone
number is mandatory)]. Your complaint should include the reason(s) for the complaint, the grounds for
disagreement with the Plan's decision to deny your request to amend or correct your protected health
information and any other relevant information. Alternatively, to file a complaint with the Secretary of the
U.S. Department of Health and Human Services, it should be addressed as follows: The Hubert H.
Humphrey Building, 200 Independence Avenue, S.W., Washington, D.C. 20201. A complaint filed with
the Secretary must meet the following requirements: (1) it must be filed in writing, either on paper or
electronically; (2) it must name the plan that is the subject of the complaint and describe the acts or
omissions believed to be in violation of the Privacy Standards; and (3) it must be filed within 180 days after
receipt of this denial.




Form 8                                                                                                                  Exhibit K-8
Page 2
This material is provided for informational purposes only. We cannot provide legal advice. You should seek the advice of legal counsel in
applying this information to your own specific situation.

                                                INDIVIDUAL REQUEST
                                          FOR ACCOUNTING OF DISCLOSURES
                                         OF PROTECTED HEALTH INFORMATION



        I, ______________________, request an accounting of disclosures by [Insert Name of Plan] (the "Plan")
of my protected health information ("PHI") during the following time period: ____________________________ .

          I understand that such accounting need not include PHI disclosures made: (a) to carry out treatment,
payment or health care operations; (b) to me; (c) incident to a use or disclosure otherwise permitted or required by
the Standards for Privacy of Individually Identifiable Health Information (the "Privacy Standards"); (d) pursuant to
an authorization; (e) to certain persons involved in my care or payment for that care; (f) to notify certain persons of
my location, general condition or death; (g) as part of a "Limited Data Set" (as defined in the Privacy Standards),
which largely relates to research purposes; or (h) prior to the compliance date of April 14, 2003.
          I understand that the accounting will include disclosures of PHI that occurred during the six years (or such
shorter time period, if applicable) prior to the date of this request, including disclosures to or by business associates
of the Plan. Except as otherwise provided below, for each disclosure, the accounting will include:
           The date of the disclosure;
           The name of the entity or person who received the PHI and, if known, the address of such entity or
              person;
           A brief description of the PHI disclosed; and
           A brief statement of the purpose of the disclosure that reasonably informs me of the basis for the
              disclosure, or, in lieu of such statement, a copy of my written authorization or a copy of a written
              request for disclosure.

         If during the period covered by the accounting, the Plan has made multiple disclosures of PHI to the same
person or entity for a single purpose, the accounting may, with respect to such multiple disclosures, provide the
above-referenced information for the first disclosure; the frequency, periodicity or number of the disclosures made
during the accounting period; and the date of the last disclosure.

          If during the period covered by the accounting, the Plan has made disclosures of PHI for a particular
research purpose for 50 or more individuals, the accounting may, with respect to such disclosures for which my PHI
may have been included, provide certain information as permitted by the Privacy Standards. If the Plan provides an
accounting for such research disclosures, and if it is reasonably likely that my PHI was disclosed for such research
activity, the Plan shall, at my request, assist in contacting the entity that sponsored the research and the researcher.

         I understand that the Plan has 60 days to respond to this request. If the Plan is unable to take action within
the applicable time period, the Plan may extend the time for such action by 30 days, provided the Plan, within the
applicable time period, gives me a written statement of the reasons for the delay and the date by which the Plan will
complete its action on the request.

______ If this request is for a second or subsequent accounting within a 12-month period, I agree to pay any fees
for the accounting. Fees will be reasonable and cost-based.



________________                                                  ___________________________________
Date                                                              Signature




Form 9                                                                                                                   Exhibit K-9
Page 1
This material is provided for informational purposes only. We cannot provide legal advice. You should seek the advice of legal
counsel in applying this information to your own specific situation.

                                 GROUP HEALTH PLAN’S RESPONSE TO
                              REQUEST FOR ACCOUNTING OF DISCLOSURES
                                OF PROTECTED HEALTH INFORMATION



Date of this Notice: _________________


Grant of Request

______ Your request for an accounting of disclosures by the [insert name of plan] (the “Plan”) of your
protected health information (“PHI”) has been granted. The accounting is attached.


Grant of Request; Agreement to Pay Fees

______ Your request for an accounting of disclosures by the Plan of your PHI has been granted. However,
this request is for a second or subsequent accounting within a 12-month period; therefore, you must agree
to pay any fees for the accounting or withdraw or modify your request to avoid or reduce the fees. Once
you take such action, the accounting will be provided.

          ______ I agree to pay the following fees for the accounting, which are reasonable and cost-based:
[Insert fee amount]
          OR
          ______ I hereby withdraw my request for an accounting.
          OR
          ______ I hereby modify my request as follows: _________________________________. Please
          notify me if the fees will be avoided or reduced.


Need for Extension of Time

______ The Plan received your request for an accounting of disclosures of protected health information by
the Plan on [Insert date of receipt]. The Plan is unable to provide your accounting within the 60-day
period required by law. A delay in providing the accounting is necessary for the following reason(s):
____________________________________________________.

         The Plan will provide your accounting by ________________, but in any event, no later than 30
days after you receive this notice of the need for an extension of time.




Form 10                                                                                                                Exhibit K-10
Page 1
This material is provided for informational purposes only. We cannot provide legal advice. You should seek the advice of legal counsel in
applying this information to your own specific situation.

                                                POLICIES AND PROCEDURES
                                              RELATING TO NON-COMPLIANCE
                                              WITH THE PRIVACY STANDARDS


The Plan Sponsor and the Plan Administrator hereby adopt the following Policies and Procedures which shall be
instituted and followed by the Plan:

1.         Defined Terms. The following terms shall have the meanings set forth below when used in this document:

           “HIPAA” shall mean the Health Insurance Portability and Accountability Act of 1996, as amended.

           “Individual” shall mean the person who is the subject of PHI.

           “Plan Sponsor” shall mean [insert name of Plan Sponsor].

           “Plan Administrator” shall mean [insert name of Administrator of the Plan].

           “Plan” shall mean [insert name of Plan].

           “Privacy Official” shall mean the individual appointed as such by the Plan Administrator.

           “Privacy Standards” shall mean the Standards for Privacy of Individually Identifiable Health Information
           enacted pursuant to HIPAA.

           “Protected Health Information” or “PHI” shall mean individually identifiable health information, as
           more specifically defined in the Privacy Standards.

           “TPO” shall mean treatment, payment and health care operations, as more specifically defined in the
           Privacy Standards.

2.      Compliance with the Privacy Standards. The Plan at all times shall comply with the requirements of the
Privacy Standards. In the event the Privacy Standards are amended, these Policies and Procedures shall be deemed
to be amended in accordance therewith.

3.       Specific Procedures for Compliance – Internal Complaints; Mitigation. Any complaints by Individuals
regarding non-compliance with the Privacy Standards or the Plan’s privacy policies and procedures shall be directed
to the contact person specified in the Notice of Privacy Practices provided to all individuals covered by the Plan.
The Plan shall keep a written record of all written and oral complaints received and a brief explanation of their
disposition. The Plan shall be responsible for (a) investigating any complaints (for example, by interviews or review
of relevant documents); (b) mitigating, to the extent practicable, any harmful effect that is known to the Plan
Administrator of a use or disclosure of PHI in violation of these Policies and Procedures or the Privacy Standards;
and (c) resolving any complaints, including, if necessary, by making changes to the Plan’s privacy policies and
procedures. A written explanation of the disposition of each complaint shall be furnished to the Individual who
made the complaint within thirty (30) days of receipt of the complaint. The Plan will not retaliate against any
Individual for filing a complaint.

4.     Specific Procedures for Compliance – Sanctions. The following sanctions shall be imposed against any
employee of the Plan Administrator who breaches the Plan’s privacy policies and procedures:

           1st offense:                     Oral warning
           2nd offense:                     Written warning
           3rd offense:                     Three (3) days’ suspension without pay
           4th offense:                     Termination of employment



Policies and Procedures Relating to
Non-compliance with the Privacy Standards                                                                                  Exhibit L
Page 1
This material is provided for informational purposes only. We cannot provide legal advice. You should seek the advice of legal counsel in
applying this information to your own specific situation.

Notwithstanding the above, the Privacy Official shall have the authority, after consultation with senior management
of the Plan Administrator, to impose a greater sanction if the Privacy Official believes that it is called for by the
severity of the violation. All sanctions imposed shall be documented in the employee’s personnel file. Further,
documentation of any sanctions imposed shall be maintained as required by the Privacy Standards.

IN WITNESS WHEREOF, the Plan Sponsor and the Plan Administrator have executed this document as of the date
set forth below.

                                                                  PLAN SPONSOR



                                                                  By: __________________________________
                                                                  Title: ________________________________

                                                                  PLAN ADMINISTRATOR



                                                                  By: __________________________________
                                                                  Title: ________________________________


Effective Date: ______________________




Policies and Procedures Relating to
Non-compliance with the Privacy Standards                                                                                  Exhibit L
Page 2
This material is provided for informational purposes only. We cannot provide legal advice. You should seek the advice of legal counsel in
applying this information to your own specific situation.

                                                   INSTRUCTION SHEET
                                                       REGARDING
                                              NOTICE OF PRIVACY PRACTICES

An Individual (as defined in the Privacy Standards, the person who is the subject of protected health information)                          Formatted
has a right to receive a Notice of Privacy Practices ("Notice") from a group health plan of the uses and disclosures of
protected health information that may be made by the Plan, and of the Individual's rights and the Plan's legal duties
with respect to protected health information.

PROVISION OF NOTICE.
The Plan must make the Notice available on request to any person.

The Plan must provide the Notice as follows:                                                                                                Formatted
 No later than the compliance date of April 14, 2003, to Individuals then covered by the Plan;
 Thereafter, at the time of enrollment, to Individuals who are new enrollees; and
 Within 60 days of a material revision to the Notice, to Individuals then covered by the Plan.

Additionally, no less frequently than once every three years, the Plan must notify Individuals then covered by the
Plan of the availability of the Notice and how to obtain the Notice.

The Plan satisfies the requirements of providing the Notice if the Notice is given to the employee when coverage is
provided to the employee and one or more dependents.

SPECIFIC REQUIREMENTS FOR ELECTRONIC NOTICE.
If the Plan maintains a web site that provides information about the Plan's customer services or benefits, the Plan
must prominently post its Notice on the web site and make the Notice available electronically through the web site.

The Plan may provide the Notice to an Individual by e-mail, if the Individual agrees to electronic notice and such
agreement has not been withdrawn. If the Plan knows that the e-mail transmission has failed, a paper copy of the
Notice must be provided to the Individual. Any electronic notice must be given within the appropriate timeframe as
set forth above.

An Individual who is the recipient of an electronic notice retains the right to obtain a paper copy of the Notice from
the Plan upon request.

DOCUMENTATION OF NOTICE.
The Plan must document that it has provided the Notice by retaining copies of the Notice in written or electronic
form for six years from the date of its creation or the date when the Notice last was in effect, whichever is later.

REVISIONS TO THE NOTICE.
The Plan promptly must revise and distribute its Notice whenever there is a material change to the uses or
disclosures, the Individual's rights, the Plan's legal duties, or other privacy practices stated in the Notice. Except
when required by law, a material change to any term of the Notice may not be implemented prior to the effective
date of the revised Notice in which such material change is reflected.

JOINT NOTICE WHEN THE PLAN SPONSOR MAINTAINS MORE THAN ONE PLAN.
In the event the Plan Sponsor maintains more than one group health plan, a joint notice may be used for all group
health plans, provided that:
 The Notice is accurate as to the privacy practices of all plans covered by the Notice;
 The Notice describes the plans covered by the Notice;
 If applicable, the Notice states that the plans covered by the Notice will share protected health information with
     each other, as necessary to carry out treatment, payment and health care operations; and
 All other requirements regarding content and provision of the Notice are met.




Notice of Privacy Practices                                                                                                Exhibit M
Page 1
This material is provided for informational purposes only. We cannot provide legal advice. You should seek the advice of legal counsel in
applying this information to your own specific situation.

                                              NOTICE OF PRIVACY PRACTICES

THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND                                                                     Formatted
DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT
CAREFULLY.

Effective Date of Notice: [Insert date]

         This Notice of Privacy Practices ("Notice") is made in compliance with the Standards for Privacy of
Individually Identifiable Health Information (the "Privacy Standards") set forth by the U.S. Department of Health
and Human Services ("HHS") pursuant to the Health Insurance Portability and Accountability Act of 1996, as
amended ("HIPAA"). The [Insert Name of Plan] (the "Plan") is required by law to take reasonable steps to ensure
the privacy of your Protected Health Information ("PHI"), as defined below, and to inform you about:

           (1)        the Plan's uses and disclosures of PHI;
           (2)        your privacy rights with respect to your PHI;
           (3)        the Plan's duties with respect to your PHI;
           (4)     your right to file a complaint with the Plan and with the Secretary of HHS; and
           (5)        the person or office to contact for further information about the Plan's privacy practices.

        The term "Protected Health Information" (PHI) includes all "Individually Identifiable Health
Information" transmitted or maintained by the Plan, regardless of form (oral, written or electronic).

           The term "Individually Identifiable Health Information" means information that:
            Is created or received by a health care provider, health plan, employer or health care clearinghouse;
            Relates to the past, present or future physical or mental health or condition of an individual; the
               provision of health care to an individual; or the past, present or future payment for the provision of
               health care to an individual; and
            Identifies the individual, or with respect to which there is a reasonable basis to believe the information
               can be used to identify the individual.

Section 1. Notice of PHI Uses and Disclosures

1.1        Required PHI Disclosures

           Upon your request, the Plan is required to give you access to certain PHI to inspect and copy it and to
                provide you with an accounting of disclosures of PHI made by the Plan. For further information
                pertaining to your rights in this regard, see Section 2 of this Notice.

         The Plan must disclose your PHI when required by the Secretary of HHS to investigate or determine the
Plan's compliance with the Privacy Standards.

1.2        Permitted uses and disclosures to carry out treatment, payment and health care operations

         The Plan, its business associates, and their agents/subcontractors, if any, will use or disclose PHI without
your consent, authorization or opportunity to agree or object, to carry out treatment, payment and health care
operations. The Plan will disclose PHI to a business associate only if the Plan receives satisfactory assurance that
the business associate will appropriately safeguard the information.

         In addition, the Plan may contact you to provide information about treatment alternatives or other health-
related benefits and services that may be of interest to you. The Plan will disclose PHI to [Insert Name of Plan
Sponsor] ("Plan Sponsor") for purposes related to treatment, payment and health care operations. The Plan Sponsor
has amended its plan documents to protect your PHI as required by the Privacy Standards. The Plan Sponsor will
obtain an authorization from you if it intends to use or disclose your PHI for purposes unrelated to treatment,
payment and health care operations.


Notice of Privacy Practices                                                                                                Exhibit M
Page 2
This material is provided for informational purposes only. We cannot provide legal advice. You should seek the advice of legal counsel in
applying this information to your own specific situation.

         Treatment is the provision, coordination or management of health care and related services by one or more
health care providers. It also includes, but is not limited to, consultations and referrals between one or more of your
providers.

           For example, the Plan may disclose to a treating orthodontist the name of your treating dentist so that the
           orthodontist may ask for your dental X-rays from the treating dentist.

         Payment means activities undertaken by the Plan to obtain premiums or to determine or fulfill its
responsibility for coverage and provision of benefits under the Plan, or to obtain or provide reimbursement for the
provision of health care. Payment includes, but is not limited to, actions to make eligibility or coverage
determinations, billing, claims management, collection activities, subrogation, reviews for medical necessity and
appropriateness of care, utilization review and pre-authorizations.

           For example, the Plan may tell a doctor whether you are eligible for coverage or what percentage of the bill
           might be paid by the Plan.

          Health care operations means conducting quality assessment and improvement activities, population-
based activities relating to improving health or reducing health care costs, contacting health care providers and
patients with information about treatment alternatives, reviewing the competence or qualifications of health care
professionals, evaluating health plan performance, underwriting, premium rating and other insurance activities
relating to creating, renewing or replacing health insurance contracts or health benefits. It also includes disease
management, case management, conducting or arranging for medical review, legal services and auditing functions
including fraud and abuse detection and compliance programs, business planning and development, business
management and general administrative activities.

           For example, the Plan may use information about your claims to refer you to a disease management
           program, project future benefit costs or audit the accuracy of its claims processing functions.

1.3        Uses and disclosures that require your written authorization

         Your written authorization generally will be obtained before the Plan will use or disclose psychotherapy
notes about you from your psychotherapist. Psychotherapy notes are separately filed notes about your conversations
with your mental health professional during a counseling session. They do not include summary information about
your mental health treatment. The Plan may use and disclose such notes without authorization when needed by the
Plan to defend against litigation filed by you.

1.4        Disclosures that require that you be given an opportunity to agree or disagree prior to the disclosure

         The Plan may disclose to a family member, other relative, close personal friend of yours or any other
person identified by you PHI directly relevant to such person's involvement with your care or payment for your
health care when you are present for, or otherwise available prior to, a disclosure and you are able to make health
care decisions, if:

               The Plan obtains your agreement;
               The Plan provides you with the opportunity to object to the disclosure and you fail to do so; or
               The Plan infers from the circumstances, based upon professional judgment, that you do not object to
                the disclosure.

           The Plan may obtain your oral agreement or disagreement to a disclosure.

         However, if you are not present, or the opportunity to agree or object to the disclosure cannot practicably
be provided because of your incapacity or an emergency circumstance, the Plan may, in the exercise of professional
judgment, determine whether the disclosure is in your best interests, and, if so, disclose only PHI that is directly
relevant to the person's involvement with your health care.




Notice of Privacy Practices                                                                                                Exhibit M
Page 3
This material is provided for informational purposes only. We cannot provide legal advice. You should seek the advice of legal counsel in
applying this information to your own specific situation.

1.5        Uses and disclosures for which authorization or opportunity to agree or object is not required

         Use and disclosure of your PHI is allowed without your authorization or opportunity to agree or object
under the following circumstances:

           (a) When required by law, provided that the use or disclosure complies with and is limited to the relevant
               requirements of such law.
           (b) When permitted for purposes of public health activities, including disclosures to (i) a public health
               authority or other appropriate government authority authorized by law to receive reports of child abuse
               or neglect and (ii) a person subject to the jurisdiction of the Food and Drug Administration (FDA)
               regarding an FDA-regulated product or activity for the purpose of activities related to the quality,
               safety or effectiveness of such FDA-regulated product or activity, including to report product defects,
               to permit product recalls and to conduct post-marketing surveillance. PHI also may be disclosed to a
               person who may have been exposed to a communicable disease or may otherwise be at risk of
               contracting or spreading a disease or condition, if authorized by law.
           (c) Except for reports of child abuse or neglect permitted by part (b) above, when required or authorized
               by law, or with your agreement, the Plan may disclose PHI about you to a government authority,
               including a social service or protective services agency, if the Plan reasonably believes you to be a
               victim of abuse, neglect, or domestic violence. In such case, the Plan will promptly inform you that
               such a disclosure has been or will be made unless (i) the Plan believes that informing you would place
               you at risk of serious harm or (ii) the Plan would be informing your personal representative, and the
               Plan believes that your personal representative is responsible for the abuse, neglect or other injury, and
               that informing such person would not be in your best interests. For the purposes of reporting child
               abuse or neglect, it is not necessary to inform the minor that such a disclosure has been or will be
               made. Disclosure generally may be made to the minor's parents or other representatives although there
               may be circumstances under federal or state law when the parents or other representatives may not be
               given access to the minor's PHI.
           (d) The Plan may disclose your PHI to a health oversight agency for oversight activities authorized by law.
               This includes civil, administrative or criminal investigations; inspections; licensure or disciplinary
               actions (for example, to investigate complaints against providers); and other activities necessary for
               appropriate oversight of: (i) the health care system, (ii) government benefit programs for which health
               information is relevant to beneficiary eligibility, (iii) entities subject to government regulatory
               programs for which health information is needed to determine compliance with program standards, or
               (iv) entities subject to civil rights laws for which health information is needed to determine
               compliance.
           (e) The Plan may disclose your PHI in the course of a judicial or administrative proceeding in response to
               an order of a court or administrative tribunal, provided that the Plan discloses only the PHI expressly
               authorized by such order, or in response to a subpoena, discovery request, or other lawful process, that
               is not accompanied by an order of a court of administrative tribunal if certain conditions are met. One
               of those conditions is that satisfactory assurances must be given to the Plan that the requesting party
               has made a good faith attempt to provide written notice to you, and the notice provided sufficient
               information about the proceeding to permit you to raise an objection, and the time to object has expired
               and either no objections were raised or any objections were resolved in favor of disclosure by the court
               or tribunal.
           (f) The Plan may disclose your PHI to a law enforcement official when required for law enforcement
               purposes. The Plan may disclose PHI as required by law, including laws that require the reporting of
               certain types of wounds. Also, the Plan may disclose PHI in compliance with (i) a court order, court-
               ordered warrant, or a subpoena or summons issued by a judicial officer, (ii) a grand jury subpoena, or
               (iii) an administrative request, including an administrative subpoena or summons, a civil or authorized
               investigative demand, provided certain conditions are satisfied. PHI may be disclosed for law
               enforcement purposes, including for the purpose of identifying or locating a suspect, fugitive, material
               witness or missing person. Under certain circumstances, the Plan may disclose your PHI in response
               to a law enforcement official's request if you are, or are suspected to be, a victim of a crime. Further,
               the Plan may disclose your PHI if it believes in good faith that the PHI constitutes evidence of criminal
               conduct that occurred on the Plan's premises.



Notice of Privacy Practices                                                                                                Exhibit M
Page 4
This material is provided for informational purposes only. We cannot provide legal advice. You should seek the advice of legal counsel in
applying this information to your own specific situation.

           (g) The Plan may disclose PHI to a coroner or medical examiner for the purpose of identifying a deceased
               person, determining a cause of death or other duties as authorized by law. Also, disclosure is permitted
               to funeral directors, consistent with applicable law, as necessary to carry out their duties with respect to
               the decedent.
           (h) The Plan may use or disclose PHI for research, subject to certain conditions.
           (i) When consistent with applicable law and standards of ethical conduct, the Plan may use or disclose
               PHI if the Plan, in good faith, believes the use or disclosure: (i) is necessary to prevent or lessen a
               serious and imminent threat to health or safety of a person or the public and is to person(s) able to
               prevent or lessen the threat, including the target of the threat, or (ii) is needed for law enforcement
               authorities to identify or apprehend an individual, provided certain requirements are met.
           (j) When authorized by and to the extent necessary to comply with workers' compensation or other similar
               programs established by law.

         Except as otherwise indicated in this Notice, uses and disclosures will be made only with your written
authorization, subject to your right to revoke such authorization. You may revoke an authorization at any time,
provided your revocation is done in writing, except to the extent that the Plan has taken action in reliance upon the
authorization, or if the authorization was obtained as a condition of obtaining insurance coverage, other law provides
the insurer with the right to contest a claim under the policy or the policy itself.

Section 2: Rights of Individuals

2.1        Right to Request Restrictions on PHI Uses and Disclosures

         You may request the Plan to restrict uses and disclosures of your PHI to carry out treatment, payment or
health care operations, or to restrict disclosures to family members, relatives, friends or other persons identified by
you who are involved in your care or payment for your care. However, the Plan is not required to agree to your
requested restriction.

          If the Plan agrees to a requested restriction, the Plan may not use or disclose PHI in violation of such
restriction, except that, if you requested a restriction and later are in need of emergency treatment and the restricted
PHI is needed to provide the emergency treatment, the Plan may use the restricted PHI, or it may disclose such
information to a health care provider, to provide such treatment to you. If restricted PHI is disclosed to a health care
provider for emergency treatment, the Plan must request that such health care provider not further use or disclose the
information.

         A restriction agreed to by the Plan is not effective to prevent uses or disclosures when required by the
Secretary of HHS to investigate or determine the Plan's compliance with the Privacy Standards or uses or
disclosures that are otherwise required by law.

           The Plan may terminate its agreement to a restriction, if:

               You agree to or request the termination in writing;
               You orally agree to the termination and the oral agreement is documented; or
               The Plan informs you that it is terminating its agreement to a restriction, except that such termination is
                only effective with respect to PHI created or received after the Plan has informed you of the
                termination.

         If the Plan agrees to a restriction, it will document the restriction by maintaining a written or electronic
record of the restriction. The record of the restriction will be retained for six years from the date of its creation or
the date when it last was in effect, whichever is later.

        You or your personal representative will be required to request restrictions on uses and disclosures of your
PHI in writing. Such requests should be addressed to the following individual: [Insert Name or Title of Contact
Person and their Address]

2.2        Right to Request Confidential Communications of PHI

Notice of Privacy Practices                                                                                                Exhibit M
Page 5
This material is provided for informational purposes only. We cannot provide legal advice. You should seek the advice of legal counsel in
applying this information to your own specific situation.


         You may request to receive communications of PHI from the Plan by alternative means or at alternative
locations if you clearly state that the disclosure of all or part of the information to which the request pertains could
endanger you. The Plan will accommodate all such reasonable requests. However, the Plan may condition the
provision of a reasonable accommodation on:

               When appropriate, information as to how payment, if any, will be handled; and
               Specification by you of an alternative address or other method of contact.

         You or your personal representative will be required to request confidential communications of your PHI in
writing. Such requests should be addressed to the following individual: [Insert Name or Title of Contact Person
and their Address]

2.3        Right to Inspect and Copy PHI

         You have a right to inspect and obtain a copy of your PHI contained in a "designated record set," for as
long as the Plan maintains PHI in the designated record set.

         "Designated Record Set" means a group of records maintained by or for a health plan that is enrollment,
payment, claims adjudication and case or medical management record systems maintained by or for a health plan; or
used in whole or in part by or for the health plan to make decisions about individuals. Information used for quality
control or peer review analyses and not used to make decisions about individuals is not in the designated record set.

          The Plan will act on a request for access no later than 30 days after receipt of the request. However, if the
request for access is for PHI that is not maintained or accessible to the Plan on-site, the Plan must take action no
later than 60 days from the receipt of such request. The Plan must take action as follows: if the Plan grants the
request, in whole or in part, the Plan must inform you of the acceptance and provide the access requested. However,
if the Plan denies the request, in whole or in part, the Plan must provide you with a written denial. If the Plan cannot
take action within the required time, the Plan may extend the time for such action by no more than 30 days if the
Plan, within the applicable time limit, provides you with a written statement of the reasons for the delay and the date
by which it will complete its action on the request.

         If the Plan provides access to PHI, it will provide the access requested, including inspection or obtaining a
copy, or both, of your PHI in a designated record set. The Plan will provide you with access to the PHI in the form
or format requested if it is readily producible in such form or format; or, if it is not, in a readable hard copy form or
such other form or format as agreed to between you and the Plan. The Plan may provide you with a summary of the
PHI requested, in lieu of providing access to the PHI or may provide an explanation of the PHI to which access has
been provided in certain circumstances. The Plan will arrange with you for a convenient time and place to inspect or
obtain a copy of the PHI, or mail a copy of the PHI at your request. If you request a copy of PHI or agree to a
summary or explanation of PHI, the Plan may impose a reasonable, cost-based fee.

         If the Plan denies access to PHI in whole or in part, the Plan will, to the extent possible, give you access to
any other PHI requested, after excluding PHI as to which the Plan has grounds to deny access. If access is denied,
you or your personal representative will be provided with a written denial setting forth the basis for the denial, if
applicable, a statement of your review rights, including a description of how you may exercise those review rights
and a description of how you may complain to the Plan or to the Secretary of the HHS. If you request review of a
decision to deny access, the Plan will refer the request to a designated licensed health care professional for review.
The reviewing official will determine, within a reasonable period of time, whether to deny the access requested. The
Plan will promptly provide you with written notice of that determination.

        If the Plan does not maintain the PHI that is the subject of your request for access, and the Plan knows
where the requested information is maintained, the Plan will inform you where to direct the request for access.

         You or your personal representative will be required to request access to your PHI in writing. Such
requests should be addressed to the following individual: [Insert Name or Title of Contact Person and their
Address]


Notice of Privacy Practices                                                                                                Exhibit M
Page 6
This material is provided for informational purposes only. We cannot provide legal advice. You should seek the advice of legal counsel in
applying this information to your own specific situation.


2.4        Right to Amend PHI

          You have the right to request the Plan to amend your PHI or a record about you in a designated record set
for as long as the PHI is maintained in the designated record set.

         The Plan may deny your request for amendment if it determines that the PHI or record that is the subject of
the request:

               Was not created by the Plan, unless you provide a reasonable basis to believe that the originator of PHI
                is no longer available to act on the requested amendment;
               Is not part of the designated record set;
               Would not be available for your inspection under the Privacy Standards; or
               Is accurate and complete.

          The Plan has 60 days after the request is made to act on the request. A single 30-day extension is allowed
if the Plan is unable to comply within that deadline provided that the Plan, within the original 60-day time period,
gives you a written statement of the reasons for the delay and the date by which it will complete its action on the
request. If the Plan accepts the requested amendment, the Plan will make the appropriate amendment to the PHI or
record that is the subject of the request by, at a minimum, identifying the records in the designated record set that are
affected by the amendment and appending or otherwise providing a link to the location of the amendment. The Plan
will timely inform you that the amendment is accepted and obtain your identification of and agreement to have the
Plan notify the relevant persons with which the amendment needs to be shared as provided in the Privacy Standards.

          If the request is denied in whole or part, the Plan must provide you with a written denial that (i) explains
the basis for the denial, (ii) sets forth your right to submit a written statement disagreeing with the denial and how to
file such a statement, (iii) states that, if you do not submit a statement of disagreement, you may request that the
Plan provide your request for amendment and the denial with any future disclosures of the PHI that is the subject of
the amendment, and (iv) includes a description of how you may complain to the Plan or to the Secretary of HHS.
The Plan may reasonably limit the length of a statement of disagreement. Further, the Plan may prepare a written
rebuttal to a statement of disagreement, which will be provided to you. The Plan must, as appropriate, identify the
record or PHI in the designated record set that is the subject of the disputed amendment and append or otherwise
link your request for an amendment, the Plan's denial of the request, your statement of disagreement, if any, and the
Plan's rebuttal, if any, to the designated record set. If a statement of disagreement has been submitted, the Plan will
include the above-referenced material, or, at the Plan's election, an accurate summary of such information, with any
subsequent disclosure of the PHI to which the disagreement relates. If you do not submit a written statement of
disagreement, the Plan must include your request for amendment and its denial, or an accurate summary of such
information with any subsequent disclosure of the PHI only if requested by you.


         You or your personal representative will be required to request amendment to your PHI in a designated
record set in writing. Such requests should be addressed to the following individual: [Insert Name or Title of
Contact Person and their Address] All requests for amendment of PHI must include a reason to support the
requested amendment.

2.5        Right to Receive an Accounting of PHI Disclosures

         At your request, the Plan will provide you with an accounting of disclosures by the Plan of your PHI during
the six years prior to the date on which the accounting is requested. However, such accounting need not include PHI
disclosures made: (a) to carry out treatment, payment or health care operations; (b) to individuals about their own
PHI; (c) incident to a use or disclosure otherwise permitted or required by the Privacy Standards; (d) pursuant to an
authorization; (e) to certain persons involved in your care or payment for your care; (f) to notify certain persons of
your location, general condition or death; (g) as part of a "Limited Data Set" (as defined in the Privacy Standards),
which largely relates to research purposes; or (h) prior to the compliance date of April 14, 2003. You may request
an accounting of disclosures for a period of time less than six years from the date of the request.



Notice of Privacy Practices                                                                                                Exhibit M
Page 7
This material is provided for informational purposes only. We cannot provide legal advice. You should seek the advice of legal counsel in
applying this information to your own specific situation.

         The accounting will include disclosures of PHI that occurred during the six years (or such shorter time
period, if applicable) prior to the date of the request for an accounting, including disclosures to or by business
associates of the Plan. Except as otherwise provided below, for each disclosure, the accounting will include:

               The date of the disclosure;
               The name of the entity or person who received the PHI and, if known, the address of such entity or
                person;
               A brief description of the PHI disclosed; and
               A brief statement of the purpose of the disclosure that reasonably informs you of the basis for the
                disclosure, or, in lieu of such statement, a copy of a written request for disclosure.

         If during the period covered by the accounting, the Plan has made multiple disclosures of PHI to the same
person or entity for a single purpose, the accounting may, with respect to such multiple disclosures, provide the
above-referenced information for the first disclosure; the frequency, periodicity or number of the disclosures made
during the accounting period; and the date of the last disclosure.

         If during the period covered by the accounting, the Plan has made disclosures of PHI for a particular
research purpose for 50 or more individuals, the accounting may, with respect to such disclosures for which your
PHI may have been included, provide certain information as permitted by the Privacy Standards. If the Plan
provides an accounting for such research disclosures, and if it is reasonably likely that your PHI was disclosed for
such research activity, the Plan shall, at your request, assist in contacting the entity that sponsored the research and
the researcher.

        If the accounting cannot be provided within 60 days after receipt of the request, an additional 30 days is
allowed if the individual is given a written statement of the reasons for the delay and the date by which the
accounting will be provided.

         If you request more than one accounting within a 12-month period, the Plan will charge a reasonable, cost-
based fee for each subsequent accounting unless you withdraw or modify the request for a subsequent accounting to
avoid or reduce the fee.

         You or your personal representative will be required to request an accounting of your PHI disclosures in
writing. Such requests should be addressed to the following individual: [Insert Name or Title of Contact Person
and their Address]

2.6        The Right To Receive a Paper Copy of This Notice Upon Request

         You have a right to obtain a paper copy of this Notice upon request. To request a paper copy of this
Notice, contact the following individual: [Insert Name or Title of Contact Person and their Address and Telephone
Number].

2.7        A Note About Personal Representatives

         You may exercise your rights through a personal representative. Your personal representative will be
required to produce evidence of his/her authority to act on your behalf before that person will be given access to
your PHI or allowed to take any action for you. Proof of such authority may include, but is not limited to, the
following:

           (a) a power of attorney for health care purposes, notarized by a notary public;
           (b) a court order of appointment of the person as the conservator or guardian of the individual; or
           (c) an individual who is the parent of a minor child.

         The Plan retains discretion to deny access to your PHI to a personal representative to provide protection to
those vulnerable people who depend on others to exercise their rights under these rules and who may be subject to
abuse or neglect. This also applies to personal representatives of minors.



Notice of Privacy Practices                                                                                                Exhibit M
Page 8
This material is provided for informational purposes only. We cannot provide legal advice. You should seek the advice of legal counsel in
applying this information to your own specific situation.

Section 3: The Plan's Duties

3.1        Notice

         The Plan is required by law to maintain the privacy of PHI and to provide individuals (participants and
beneficiaries) with notice of its legal duties and privacy practices with respect to PHI.

          This Notice is effective beginning on the effective date set forth on Page 1 of this Notice, and the Plan is
required to comply with the terms of this Notice. However, the Plan reserves the right to change the terms of this
Notice and to make the new revised notice provisions effective for all PHI that it maintains, including any PHI
created, received or maintained by the Plan prior to the date of the revised notice. If a privacy practice is changed, a
revised version of this Notice will be provided to all individuals then covered by the Plan. If agreed upon between
the Plan and you, the Plan will provide you with a revised Notice electronically. Otherwise, the Plan will mail a
paper copy of the revised Notice to your home address. In addition, the revised Notice will be maintained on any
web site maintained by the Plan to provide information about its benefits.

          Any revised version of this Notice will be distributed within 60 days of any material change to the uses or
disclosures, the individual's rights, the duties of the Plan or other privacy practices stated in this Notice. Except
when required by law, a material change to any term of this Notice may not be implemented prior to the effective
date of the revised notice in which such material change is reflected.

3.2        Minimum Necessary Standard

         When using or disclosing PHI or when requesting PHI from another covered entity, the Plan will make
reasonable efforts not to use, disclose or request more than the minimum amount of PHI necessary to accomplish the
intended purpose of the use, disclosure or request, taking into consideration practical and technological limitations.

           However, the minimum necessary standard will not apply in the following situations:

           (a)   disclosures to or requests by a health care provider for treatment;
           (b)   uses or disclosures made to the individual;
           (c)   disclosures made to the Secretary of HHS.
           (d)   uses or disclosures that are required by law;
           (e)   uses or disclosures that are required for the Plan's compliance with the Privacy Standards; and
           (f)   uses or disclosures made pursuant to an authorization.

         This Notice does not apply to information that has been de-identified. De-identified information is health
information that does not identify an individual and with respect to which there is no reasonable basis to believe that
the information can be used to identify an individual. It is not individually identifiable health information.

         In addition, the Plan may use or disclose "summary health information" to the Plan Sponsor for obtaining
premium bids or modifying, amending or terminating the group health plan. Summary health information
summarizes the claims history, claims expenses or type of claims experienced by individuals for whom a plan
sponsor has provided health benefits under a group health plan, and from which identifying information has been
deleted in accordance with the Privacy Standards.

Section 4: Your Right to File a Complaint With the Plan or the HHS Secretary

        If you believe that your privacy rights have been violated, you may complain to the Plan. Any complaint
must be in writing and addressed to the following individual: [Insert Name or Title of Contact Person and their
Address].

         You also may file a complaint with the Secretary of the U.S. Department of Health and Human Services, by
writing to him at the following address: The Hubert H. Humphrey Building, 200 Independence Avenue, S.W.,
Washington, D.C. 20201.



Notice of Privacy Practices                                                                                                Exhibit M
Page 9
This material is provided for informational purposes only. We cannot provide legal advice. You should seek the advice of legal counsel in
applying this information to your own specific situation.

           The Plan will not retaliate against you for filing a complaint.

Section 5: Whom to Contact at the Plan for More Information

        If you have any questions regarding this Notice or the subjects addressed in it, you may contact the
following individual: [Insert Name or Title of Contact Person and their Telephone Number and Address].

Conclusion

         PHI use and disclosure by the Plan is regulated by a federal law known as HIPAA. You may find these
rules at 45 Code of Federal Regulations Parts 160 and 164. This Notice attempts to summarize the Privacy
Standards. The Privacy Standards will supersede any discrepancy between the information in this Notice and the
Privacy Standards.




Notice of Privacy Practices                                                                                                Exhibit M
Page 10
This material is provided for informational purposes only. We cannot provide legal advice. You should seek the advice of legal counsel in
applying this information to your own specific situation.

                                              POLICIES AND PROCEDURES
                                         FOR DESTRUCTION AND MAINTENANCE
                                         OF PROTECTED HEALTH INFORMATION



The Plan Sponsor and the Plan Administrator hereby adopt the following Policies and Procedures which shall be
instituted and followed by the Plan:

1.         Defined Terms. The following terms shall have the meanings set forth below when used in this document:

           “ERISA” shall mean the Employee Retirement Income Security Act of 1974, as amended.

           “HIPAA” shall mean the Health Insurance Portability and Accountability Act of 1996, as amended.

           “Individual” shall mean the person who is the subject of PHI.

           “Plan Sponsor” shall mean [insert name of Plan Sponsor].

           “Plan Administrator” shall mean [insert name of Administrator of the Plan].

           “Plan” shall mean [insert name of Plan].

           “Privacy Standards” shall mean the Standards for Privacy of Individually Identifiable Health Information
           enacted pursuant to HIPAA.

           “Protected Health Information” or “PHI” shall mean individually identifiable health information, as
           more specifically defined in the Privacy Standards.

           “TPO” shall mean treatment, payment and health care operations, as more specifically defined in the
           Privacy Standards.

2.       Compliance with the Privacy Standards. The Plan at all times shall comply with the Privacy Standards
and with ERISA’s requirements regarding document retention. In the event the Privacy Standards are amended,
these Policies and Procedures shall be deemed to be amended in accordance therewith.

3.       Specific Procedures for Compliance. The Plan shall retain the documentation listed below in Item 4 for
six (6) years from either the date it was created or the date it was last in effect, whichever is later. Such documents
shall be retained either in written or electronic form. If they are retained in electronic form, the Plan shall comply
with the requirements of the Privacy Standards, HIPAA and ERISA and, at a minimum, shall ensure that:

           a.       The recordkeeping system has reasonable controls designed to ensure the integrity, accuracy,
           authenticity and reliability of the electronic records;

           b.       The electronic records are maintained in reasonable order, in a safe and accessible place and are
           capable of being readily inspected or examined;

           c.      The electronic records are readily convertible into legible paper copies to satisfy all obligations
           under ERISA, including its reporting and disclosure requirements;

           d.        The electronic system does not compromise or limit the Plan Administrator’s ability to comply
           with all of its obligations under ERISA, including its reporting and disclosure requirements; and

           e.       Adequate records management systems are established and implemented, to ensure that documents
           are labeled adequately and stored securely, backup electronic copies are made and paper copies are kept for
           records that cannot be clearly, accurately and completely transferred to electronic media.

Policies and Procedures for Destruction and Maintenance                                                                    Exhibit N
of Protected Health Information
Page 1
This material is provided for informational purposes only. We cannot provide legal advice. You should seek the advice of legal counsel in
applying this information to your own specific situation.


In the event that the documents are maintained electronically by a third party, the Plan Administrator shall ensure
that such third party complies with such requirements.

4.         Documentation to be Retained. The following documents shall be retained as set forth above in Item 3:

           a.         Plan Document and Summary Plan Description;
           b.         Policies on PHI uses and disclosures;
           c.         “Minimum necessary” policies and procedures, including protocols for PHI use, routine
                      disclosures and requests;
           d.         All signed authorizations;
           e.         The Plan’s privacy notice;
           f.         Documentation regarding the following Individual rights:
                      i.       Right to request amendment of PHI;
                      ii.      Right to an accounting of disclosures of PHI;
                      iii.     Right to inspect and obtain copies of PHI;
                      iv.      Right to request restrictions on uses and disclosures of PHI; and
                      v.       Right to request confidential communications of PHI.
           g.         Records of PHI disclosures that are required to be accounted for under the Privacy Standards,
                      which must be made available to an Individual for six (6) years after the request date;
           h.         All Individual complaints and their outcomes;
           i.         Records of any sanctions imposed in connection with non-compliance with the Privacy Standards;
           j.         Records on any PHI use and disclosure for research purposes, as allowed without authorization
                      under the Privacy Standards;
           k.         Information on whether an entity is a hybrid or affiliated entity or an organized health care
                      arrangement;
           l.         Business Associate Agreements;
           m.         Employee training manuals and procedures; and
           n.         Plan Sponsor certifications to the Plan regarding Plan amendments and firewalls.

5.       Business Associates. If the Business Associate provides notice to the Plan Administrator that the return or
destruction of PHI in its possession is infeasible, upon mutual agreement between the Plan Administrator and the
Business Associate, the Business Associate shall extend the protections of the Business Associate Agreement to
such PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction
infeasible, for so long as the Business Associate maintains such PHI.

IN WITNESS WHEREOF, the Plan Sponsor and the Plan Administrator have executed this document as of the date
set forth below.

                                                                  PLAN SPONSOR



                                                                  By: __________________________________
                                                                  Title: ________________________________

                                                                  PLAN ADMINISTRATOR



                                                                  By: __________________________________
                                                                  Title: ________________________________


Effective Date: _______________________


Policies and Procedures for Destruction and Maintenance                                                                    Exhibit N
of Protected Health Information
Page 2

								
To top