Notice Of Privacy Practices Of The Group Health Plans Sponsored By The University Of Richmond

This notice describes how medical information about you may be used and disclosed and how you can get access to this information. Please review it carefully.

Introduction

Effective April 14, 2004, many health plans become subject to new federal privacy regulations under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"). The HIPAA privacy regulations do not, as a general matter, regulate employers or non-health benefit plans such as workers compensation, disability, life insurance, dependent care, financial planning, business travel, or other non-health benefits plans. However, employers can be subject to certain requirements of the HIPAA privacy rules, as described in greater detail below.

You can find the HIPAA privacy regulations at 45 Code of Federal Regulations, Parts 160 and 164.

This notice applies to you if you are covered as an employee, former employee or dependent under a group health plan sponsored by the University of Richmond (the "University"). It is the policy of the group health plans sponsored by the University to maintain the privacy of your health information in accordance with the HIPAA privacy rules. The group health plans covered by this notice include the University's group health plan, dental plan, health flexible spending account plan and the employee assistance program plan. The group health plans sponsored by the University are considered an organized health care arrangement under the HIPAA privacy rules, which permits them to jointly issue this Notice of Privacy Practices. Thus, this notice will refer to the University's various group health plans as the "Plan."

The state in which you live may also impose restrictions on the use or disclosure of your health information that are more stringent than the HIPAA privacy rules. While these state laws generally do not apply to employer-sponsored group health plans, they often apply to doctors, hospitals, health insurance companies, and HMOs. The Health Privacy Project of the Institute for Health Care Research and Policy maintains information on state health privacy laws at its website, www.healthprivacy.org, which you may find helpful in protecting the privacy of your health information and in gaining access to your health records.

Protected Health Information

The HIPAA privacy rules regulate the use and disclosure by the Plan of "protected health information" (commonly referred to as "PHI"). PHI is any "individually identifiable health information" maintained or transmitted by the Plan (in any form or medium). Individually identifiable health information is health information that identifies you or creates a reasonable basis to believe that it could be used to identify you, including information relating to your health condition or receipt of health care. In addition, health information that is merely in summary form and that does not identify you as its subject is not PHI and may be used or disclosed by the Plan without restriction under the HIPAA privacy rules. For example, the University may use aggregated data regarding claims paid for all Plan participants to help project benefit costs for the next year. With respect to PHI, however, the HIPAA privacy rules prevent the Plan from using your PHI or disclosing it to the University or anyone else except as permitted by the HIPAA privacy rules, as authorized by you, or as required by law.

Uses and Disclosure of Protected Health Information for Treatment, Payment, and Health Care Operations

The HIPAA privacy rules permit the Plan to use or disclose your PHI without your authorization for purposes of treatment, payment, and health care operations. This is necessary in order to provide you with quality health care. The Plan's business associates may also use or disclose your PHI for treatment, payment, or health care operations on the Plan's behalf. Business associates include the Plan's third party administrators, as well as brokers, service providers, lawyers, accountants, consultants, and other appropriate persons who help to ensure that the Plan is run properly and that you receive any benefits to which you are entitled. PHI may also be shared among the University's various group health plans that make up the Plan for purposes of treatment, payment, or health care operations. The terms "treatment," "payment," and "health care operations" are explained below:

• "Treatment" means generally the provision, coordination, or management of health care and related services by one or more health care providers. For example, the Plan may disclose your PHI to your doctor and his staff, the Plan's third party administrators and their staffs, and other appropriate persons to help provide you with proper medical treatment.
• "Payment" means any action undertaken by the Plan to obtain premiums, to determine responsibility for providing coverage, or to obtain or provide reimbursement for the health care services you receive. This includes, but is not limited to, eligibility and coverage determinations, billing, claims management and processing, plan

reimbursement, reviews for medical necessity, utilization review, and pre-authorization for treatment. For example, the Plan may disclose to your doctor and her staff, the Plan's third party administrators and their staffs, and other appropriate persons information concerning a particular medical procedure that you have had performed to determine whether the procedure is covered by the Plan.

• "Health care operations" means all the activities involved in the administration of the Plan. This includes, but is not limited to, quality assessment and improvement, evaluating providers, underwriting and other activities relating to obtaining or amending insurance contracts, disease management, cost management, and other general administrative activities. For example, the Plan may use PHI about you to refer you to a disease management program, to evaluate the quality of care you are receiving from your providers, or to project benefit costs and determine premiums.

Other Uses and Disclosures Permitted Without Authorization

The Plan may disclose the Plan's enrollment and disenrollment information to the University without your authorization. This information merely indicates whether you are enrolled in the Plan and shows your specific Plan benefit options. The University requires such information for payroll withholding and other purposes. The Plan may also disclose your PHI to the University or its business associates without your authorization so that the University may obtain bids for services or make decisions about modifying or terminating the Plan. Information provided to the University for these purposes will be in summary form. This means that the information will be limited to claims history, claims expenses, or types of claims experienced, with your name and certain types of other identifying information removed. The Plan may use or disclose your PHI at any time without your authorization as required by the HIPAA privacy rules or other applicable law.

In addition, the HIPAA privacy rules permit the Plan to use or disclose your PHI without your authorization to the following: (1) a public health authority authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury, or disability; (2) a public health or other governmental authority authorized by law to receive reports of child abuse or neglect; (3) a person subject to the jurisdiction of the Food and Drug Administration with respect to an FDA-regulated product or activity for which that person has responsibility, for the purpose of activities related to the quality, safety, or effectiveness of such FDA-regulated product or activity; (4) a person who may have been exposed to a communicable disease or may otherwise be at risk of contracting or spreading the disease or condition, if the plan is authorized by law to notify such person as necessary in the conduct of a public health intervention or investigation; (5) a health oversight agency for certain purposes (e.g., audits, investigations, disciplinary actions, government benefit eligibility, civil rights law compliance); (6) a court or other party in connection with a judicial or administrative proceeding; (7) law enforcement officials for law enforcement purposes; (8) coroners and medical examiners for the purpose of identifying a deceased person, determining cause of death, or other duties authorized by law; (9) funeral directors, as necessary to carry out their duties with respect to a decedent (consistent with applicable law); (10) organ procurement organizations (and related organizations); (11) a researcher or research organization, subject to detailed requirements; (12) a person or other entity to avert a serious threat to the health or safety of a person or the public; (13) an appropriate military authority in connection with military and veterans activities; (14) federal officials in connection with certain national security activities; (15) correctional institutions and other law enforcement custodial situations in relation to an inmate; and (16) an individual or other entity as authorized by, and to the extent necessary to comply with, laws related to workers' compensation and other similar programs established by law that provide benefits for work-related injuries or illnesses without regard to fault. It is generally the policy of the Plan to disclose PHI under these circumstances only as required by the HIPAA privacy rules or other applicable law.

Disclosure of Your PHI to University Personnel Without Authorization

In connection with the disclosures described in the previous two sections of this notice, the Plan may disclose your PHI to University personnel who are involved in the administration of the Plan. These disclosures will be made in connection with the University's role as the sponsor of the Plan, and will be made to enable University personnel to carry out their duties in administering the Plan. In many circumstances, it will be appropriate for such personnel to share your PHI with the Plan's business associates outside of the University. The University has amended the Plan documents to protect your PHI as required by the HIPAA privacy rules. In addition, the University has instituted policies and procedures to help ensure that your PHI is made available only to those individuals who need it to perform important Plan functions. Such individuals have received training in the proper handling of PHI and have been informed of the sensitivity of this information. It is the policy of the University that PHI received from the Plan is not to be used for employment-related purposes or other purposes not related to the University's sponsorship or administration of the Plan.

Uses and Disclosures Requiring That You Receive an Opportunity to Agree or Object

Certain circumstances might arise where the Plan needs to disclose your PHI to family members and other appropriate persons in order to ensure that you are receiving appropriate care and to notify certain persons of your medical condition or your location. The Plan will make such disclosures only if you have agreed (or have not objected) to the disclosure. Specifically, the Plan may disclose your PHI to your family member, relative, close personal friend, or another person designated by you, but only to the extent the information is directly relevant to the family member's or friend's involvement with your care or payment for care. The Plan may also disclose your PHI to notify or assist in notifying your family member, personal representative, or other person responsible for your care of details regarding your location, your general condition or your death. In such cases, you will be given an opportunity to agree or object to the disclosure, and the disclosure will be made only if you either affirmatively agree or you do not object to the disclosure when given the opportunity. If you are unavailable or you are incapacitated, the Plan may disclose your PHI to such individuals without providing you with an opportunity to agree or object, if the Plan determines that to do so is in your best interests under the circumstances.

Uses and Disclosures Requiring Your Written Authorization

Where use or disclosure is not otherwise permitted under the HIPAA privacy rules, the Plan is required to obtain your written authorization before using or disclosing your PHI. In addition, the Plan is generally required to ask for your written authorization before using or disclosing notes about you obtained from your psychotherapist. If you choose to sign an authorization to disclose information, you can later revoke that authorization to stop future uses and disclosures, except to the extent the Plan has acted in reliance upon your authorization. In some cases, the Plan (including University personnel and business associates acting on behalf of the Plan) may ask you to sign a written authorization regarding the use and disclosure of your PHI even when one is not clearly required under the HIPAA privacy rules. This is to protect your privacy rights and to ensure that representatives of the University, the Plan, and its business associates are fully authorized to communicate with each other regarding your situation in order to provide you with the best possible health care benefits.

Incidental Uses and Disclosures

The HIPAA privacy rules permit incidental uses and disclosures that occur as a by- product of a permissible or required use or disclosure. An incidental use or disclosure is a secondary use or disclosure that cannot reasonably be prevented, is limited in nature, and that occurs as a result of another use or disclosure that is permitted by the HIPAA privacy rules. The Plan has instituted reasonable safeguards to protect against uses and disclosures not permitted by the HIPAA privacy rules and to limit incidental uses or disclosures. However, those safeguards cannot totally guarantee the privacy of your PHI. In implementing safeguards, the Plan has considered the nature of the PHI held, the potential risks to privacy, the potential effects on patient care, and the financial and administrative burden of particular safeguards. The Plan is not required to obtain your authorization or notify you if an incidental disclosure occurs.

Reservation of the Plan's and University's Rights

Generally, it is the Plan's policy to avoid the use and disclosure of your PHI whenever possible. Therefore, the Plan will not normally use or disclose your PHI, except when necessary for treatment, payment, or health care operations or to comply with the HIPAA privacy rules or other applicable law. However, the Plan reserves the right to use or disclose your PHI in any manner permitted by the HIPAA privacy rules. The University is also committed to the protection of your PHI and generally seeks to avoid the use and disclosure of your PHI whenever possible. However, the University reserves the right to use or disclose your PHI received from the Plan in any manner permitted by the HIPAA privacy rules. Please remember that health information maintained by the University as part of your employment records or through a benefit plan of the University that is not part of the Plan, such as a short- or long-term disability plan, is not subject to the HIPAA privacy rules and may be used or disclosed in accordance with the University's standard policies (subject to applicable law).

Your Rights

You have the right to review and receive copies of your PHI maintained by the Plan in a designated record set or used by the Plan to make decisions about your coverage or benefits. The term "designated record set" means the enrollment, payment, claims adjudication, and case or medical management records maintained by the Plan. If you request copies of this information, you may be charged a reasonable, cost-based fee for the copies. Your request should be made in writing to the address listed at the end of this notice, and the Plan will comply with the request within 30 days of your request (60 days if the information is maintained offsite), subject to a possible 30-day extension. If your request is denied, you will receive a written explanation of the reasons for the denial. Please remember that the Plan is only responsible for providing you with information contained in its records. Hospital records and other records not maintained by the Plan must be procured directly from the individual or institution that maintains those records.

You have the right to receive a list of instances where the Plan or the University disclosed your PHI to third parties after the effective date of this notice for reasons other than treatment, payment, or health care operations, except in cases where you have authorized the disclosure, the disclosure was merely incidental to a disclosure that is otherwise permitted under this privacy policy, or the disclosure was required for law enforcement or national security purposes. You may request one such accounting at no charge every 12 months. For any additional requests, you may be charged a reasonable, cost-based fee for the copies.

If you believe that information in your record is incorrect or if important information is missing, you have the right to request that the Plan correct existing information or add missing information. Your request should be made in writing to the address listed at the end of this notice and should state reasons supporting your request for a correction or addition. The Plan has 60 days to respond to your request, subject to a possible 30-day extension. If your request is denied, you will receive a written explanation of the reasons for the denial.

You have the right under HIPAA to request restrictions on the Plan's use or disclosure of your PHI for treatment, payment and health care operations. You may also request restrictions on disclosures to your family members or other individuals who are involved in your care or payment for your care. The Plan will consider your request, but is not required to agree to such restrictions. Any restriction agreed to by the Plan will not apply if the use or disclosure is necessary to provide you with emergency treatment or if the disclosure is required by law. If you wish to request a restriction on disclosures of your PHI, you should send your request in writing to the address listed at the end of this notice. If the Plan accepts your request, you will receive written notification that your request has been accepted. The Plan will also accommodate reasonable requests for you to receive communications of your PHI at alternate locations or by alternate methods, if the normal method of communication could endanger you.

You may exercise your rights through a personal representative, provided that such individual produces evidence of his or her authority to act on your behalf. The Plan will only accept the following as evidence of such authority: (1) a power of attorney for health care purposes notarized by a notary public; (2) a court order appointing the individual as your conservator or guardian; or (3) proof that such individual is your parent (if you are a minor). Your personal representative will be treated as you would with respect to access to your PHI and your other rights under the HIPAA privacy rules. However, the Plan retains the discretion to deny your personal representative access to your PHI if the Plan finds evidence that such denial is necessary to protect you from abuse or neglect.

You may request a paper copy of this notice at any time by contacting the person or office listed at the end of this notice.

The Plan's Legal Duties

The HIPAA privacy rules require the Plan to maintain the privacy of your PHI, to provide this notice about its information practices, and to follow the practices described in this notice. The Plan may change its privacy policies at any time, and changes may apply to all PHI held by the Plan at the time of the change. When the Plan makes a significant change in policy, a revised Notice of Privacy Practices will be distributed to all current Plan participants within 60 days of the effective date of the change.

This notice and the privacy policies of the Plan and the University do not create any legal rights, contractual or otherwise, under state or federal law, but simply give you notice of the Plan's obligations, and your rights, under the HIPAA privacy rules.

Complaints

If you are concerned that the Plan has violated your rights under the HIPAA privacy rules, or if you disagree with a decision made about access to or amendment of your health records, you may contact the person or office listed below. You may also send a written complaint to the Secretary of the U.S. Department of Health and Human Services, Hubert H. Humphrey Building, 200 Independence Avenue SW, Washington, DC 20201, or you may file your complaint with the appropriate regional office listed at http://www.hhs.gov/ocr/privacyhowtofile.htm Neither the Plan nor the University will retaliate against you in any way for exercising your right to file a complaint.

Effective Date of this Privacy Notice: April 14, 2004