NOTIFICATION

You are receiving this Privacy Notice because you are enrolled in at least one health plan operated by Ithaca College. The health plans operated by Ithaca College include self-funded health plans, a fully insured medical plan and a medical flexible spending account program. Collectively these plans will be referred to as the “Plan” throughout the remainder of this document. The Plan is committed to protecting the confidentiality of any health information that it collects about you. This Notice describes how the Plan may use and disclose your “protected health information” (PHI). PHI is any information created or received by a health care provider, health plan, employer or health care clearinghouse that relates to your past, present or future physical or mental health or condition, or provision of or payment for health care. PHI is information that identifies the individual or may reasonably be used to identify the individual.

Employees of the plan sponsor who administer and manage the Plan may use your PHI only for appropriate plan purposes (such as for payment or health care operations), but not for purposes of other benefits not provided by this plan, and not for employment-related purposes of the plan sponsor. These people must comply with the same requirements that apply to the Plan to protect the confidentiality of PHI.

The Plan is required by the Health Insurance Portability and Accountability Act (HIPAA) to provide this Notice to you. Additionally, the Plan is required by law to:

• maintain the privacy of your “protected health information” (PHI), and
   
• provide you with a Privacy Notice of its legal duties and privacy practices with respect to your PHI, and
   
• follow the terms of the Privacy Notice that is currently in effect.

USES AND DISCLOSURES OF PROTECTED HEALTH INFORMATION (PHI)

The following categories describe the ways that the Plan is permitted to use and disclose your PHI without your consent. Not every use or disclosure will be listed. However, all of the ways the Plan is permitted to use and disclose information will fall within at least one of the categories.

1. Treatment Purposes – The Plan may disclose PHI to a health care provider for the health care provider’s treatment purposes, although it is more likely a health care provider would receive your PHI from another health care provider than from the Plan. For example, if your Primary Care Physician (PCP) or your treating medical provider refers you to a specialist for treatment, the Plan can disclose your PHI so the specialist to whom you have been referred can become familiar with your medical condition, prior diagnoses and treatment, and prognosis.
    
2. Payment Purposes – The Plan may use your PHI to evaluate and process any request for coverage and claims for benefits you make, and may review PHI included with claims to reimburse providers for treatment and services rendered. Additionally, the Plan may disclose PHI to another plan or to a health care provider for the payment purposes of the Plan, the other plan, or the health care provider. For example, the Plan may tell a doctor whether you are eligible for coverage or what percentage of the bill will be paid by the Plan.
    
3. Health Care Operations Purposes – The Plan may use PHI for its own health care operations and may disclose PHI to another group health plan, a health care provider, a medical group or a hospital for the health care operation purposes of the Plan, or for certain health care operations purposes of the other entities. Examples of this Plan’s “health care operations” include underwriting, premium rating and other activities related to plan coverage; conducting quality assessment and improvement activities; submitting claims for stop-loss coverage; conducting or arranging for medical review, legal services, audit services, and fraud and abuse detection programs; and business planning, management and general administration of the Plan.
    
4. To a Business Associate of the Plan - The Plan may disclose PHI to a Business Associate (BA) of the Plan. A Business Associate is an entity that performs a function on behalf of the Plan and that uses PHI in doing so, or provides services to the Plan such as legal, actuarial, accounting, consulting or administrative services. Examples of Business Associates include a Third-Party Administrator (TPA) and broker.
    
5. To the Plan Sponsor – The Plan may disclose your health information to the Plan Sponsor for plan administration functions performed by the Plan Sponsor on behalf of the Plan. In addition, the Plan may provide health information to the Plan Sponsor so that the Plan Sponsor may solicit premium bids from health insurers or modify, amend or terminate the plan. The Plan also may disclose to the Plan Sponsor information on whether you are participating in the Plan. Any disclosures to the Plan Sponsor must be for purposes of administering the Plan. Examples would include: for case management purposes or to Human Resources representatives of the Plan Sponsor who are assisting plan members in getting their claims resolved.
    
6. Where Required by Law or Requested as Part of a Regulatory or Legal Proceeding - The Plan may disclose PHI as required by law or when requested as part of a regulatory or legal proceeding. For example, the Plan may disclose health information when required by a court order in a litigation proceeding, or pursuant to a subpoena, or as necessary to comply with Workers’ Compensation laws.
    
7. For Public Health Activities or to avert a Serious Threat to Health or Safety - The Plan may disclose PHI to public health authorities for purposes such as preventing or controlling diseases, injury or disability; reporting abuse or neglect; reporting domestic violence; reporting to the Food and Drug Administration on products and reactions to medications; and reporting disease or infection exposure.
    
8. For Law Enforcement or Specific Government Functions - The Plan may disclose PHI to law enforcement personnel for purposes such as identifying or locating a suspect, fugitive, material witness or missing person; complying with a court order or subpoena; and other law enforcement purposes. Other uses and disclosures will be made only with your written authorization or that of your legal representative, and you may revoke such authorization. Any disclosures that were made when your Authorization was in effect will not be taken back. In the event that New York State law requires the Plan to give more protection to your health information than stated in this notice or as required by Federal Law, the Plan will give that additional protection to your health information.

YOUR RIGHTS REGARDING YOUR PHI

You have the following rights with respect to your PHI. To submit one of the requests listed below, you must submit a written request to the Ithaca College contact listed on this page.

• a) The right to request restrictions on certain uses and disclosures of PHI. The Plan is not required to agree to a requested restriction, however.
   
• b) The right to receive confidential communications of PHI if you believe the Plan’s usual method of communicating PHI may endanger you.
   
• c) The right to inspect and copy PHI, as provided in the Privacy Regulation.
   
• d) The right to amend PHI, as provided in the Privacy Regulation.
   
• e) The right to receive an accounting of disclosures of PHI. We are not required to, and we will not, account for disclosures listed.
   
• f) The right to obtain a paper copy of this Notice upon request to the Plan. This right extends to you even if you previously agreed to receive the Notice electronically.
   
• g) The right to file a complaint if you feel your privacy rights have been violated. For details, see subsequent section of this Privacy Notice entitled “The Plan’s Grievance Procedures.”

THE PLAN’S RESPONSIBILITIES REGARDING YOUR PHI

The Plan is a “covered entity” (CE) and has responsibilities under HIPAA regarding use and disclosure of PHI. The Plan has a legal obligation to maintain the privacy of PHI and to provide individuals with notice of its legal duties and privacy practices with respect to PHI.

1. The Plan is required to abide by the terms of the Notice of Privacy Practices (the “Notice”) currently in effect.
    
2. The Plan reserves the right to change the terms of this Notice and to make the revised Notice provisions effective for all PHI the Plan maintains, even PHI obtained prior to the effective date of the revisions.
    
3. If the Plan revises its Notice, it will provide you with a revised Notice by noting on our web site that the Notice has been revised and the date of the revision, so you can download the revised Notice.

THE PLAN’S GRIEVANCE PROCEDURES

If you believe that your privacy rights have been violated, you may complain to the Plan in care of the Ithaca College contact listed on this page.

You can file a complaint with the HHS OCR at the following e-mail address:

OCRComplaint@hhs.gov

Alternatively, you can file a complaint with the Secretary of Health and Human Services (HHS), Office for Civil Rights (OCR) , Region II, using the contact information on this page.

The Plan will not retaliate against you for filing a complaint.

WHOM TO CONTACT AT THE PLAN FOR MORE INFORMATION

If you have any questions regarding this notice or the subjects addressed in it, you may contact Ithaca College using the contact information on this page.

ADDRESSES FOR EACH OF THE HEALTH PLAN VENDORS

Addresses for Aetna, First Ameritas and Employee Network, Inc. (eni) can be found on the 2011 Benefit Providers Contact Page.

This Notice is first in effect on April 14, 2003.