HIPAA Policy Section 7.1: Notice of Individual Rights Concerning PHI
System shall give Individuals the right to adequate notice of the Uses and Disclosures of PHI that may be made by System as a Hybrid Entity, and of the Individual’s rights and System’s legal duties with respect to such PHI.
7.1(1) Maintenance of the Notice.
System shall maintain a notice of privacy practices, written in plain language, that contains the following required provisions:
- A prominently displayed header stating, “THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY”;
- A sufficiently detailed description of all purposes for which System in its capacity as a Covered Entity is permitted or required to Use or Disclose PHI;
- A statement that any Use or Disclosure not described in the notice requires an Authorization and that the individual may revoke any such Authorization;
- A statement that System may contact the individual to provide information about treatment alternatives or other health-related benefits and services that may be of interest to the Individual;
- A statement of the Individual’s rights with respect to PHI and a brief description of how the individual may exercise such rights;
- A statement that System is required by law to maintain the privacy of PHI and to provide notice of its legal duties and privacy practices with respect to PHI;
- A statement that System is required to abide by the terms of the notice currently in effect;
- A statement that System reserves the right to change the terms of its notice and to make the new notice provisions effective for all PHI that it maintains, and a statement describing how System shall provide individuals with a revised notice;
- A statement that Individuals may complain to System and to the Secretary if they believe their privacy rights have been violated, a description of how to file a complaint with System, and a statement that the Individual will not be retaliated against for filing a complaint;
- The title and telephone number of the Privacy Officer Contact Person;
- The effective date of the notice;
- A statement that System will make every effort to secure an Individual’s health information, including the use of encryption whenever possible and that in the event that any such medical information that has not been encrypted is the subject of a breach, System will provide each affected Individual a written or electronic about the breach as required by federal law.
- A statement that Genetic Information will never be used for Underwriting purposes; and
- Any other information required by the HIPAA Privacy Rule.
7.1(2) Distribution of Notice.
System shall distribute the notice as follows:
- Members: To all Members covered by a Self-funded Group Health Plan as of the effective date of this requirement.
- New Enrollees: To all Members who become new enrollees in such a plan after the effective date, at the time of enrollment.
- All Individuals Upon Revision: To all Individuals, including Members covered by a Self-funded Group Health Plan, upon material revision of the Notice that takes place after the effective date of this Policy, within 60 days of such revision.
- Anyone upon Request: To any person who requests a copy regardless of the person’s relationship with the Self-funded Group Health Plan or System, within 30 days of such request.
- System’s website: The Notice in effect on the effective date shall be posted on the effective date at https://www.utsystem.edu/offices/employee-benefits/hipaa-and-privacy.
7.1(3) Revision of the Notice.
- The Privacy Notice may be revised at any time. System shall revise the notice promptly whenever there is a material change to the privacy practices stated in the notice, including any change required by law.
- The effective date of a revised notice may not precede either (i) the date it is printed or otherwise published or (ii) if applicable, the date such revision is required by law to be effective.
- The revised notice shall be posted on the System website at https://www.utsystem.edu/offices/employee-benefits/hipaa-and-privacy and distributed to Individuals if, and to the extent, required by the former version. If the revised notice effects a material change to the Uses or Disclosures, the Individual’s rights, System legal duties, or other privacy practices stated in the notice, the revised notice shall be promptly distributed to all individuals then covered by the Self-funded Group Health Plan. System shall inform a Business Associate of changes to its notice that affect the Business Associate.
7.1(4) Informing Covered Individuals About the Notice.
- No less frequently than once every three years, System shall notify Members then covered by the Self-funded Group Health Plan of the availability of the notice and how to obtain the notice.
- The notice shall also be prominently posted on, and made available electronically through, the System website at https://www.utsystem.edu/offices/employee-benefits/hipaa-and-privacy.
7.1(5) Use of a Joint Notice.
System shall use a joint notice of privacy practices that describes the privacy practices of each Self-funded Group Health Plan. A joint notice shall identify each Self-funded Group Health Plan covered by the notice. The distribution of a joint notice to an Individual by System satisfies the notice distribution requirements with respect to each other Self-funded Group Health Plan covered by the notice.
7.1(6) Distribution of the Notice
- The notice may be also distributed together with, or contained within, a Self- funded Group Health Plan summary plan description or other annual mailing to all Plan subscribers. If an Individual who is a named insured covers a spouse or dependents under the Self-funded Group Health Plan, a single copy of the notice provided to the named insured satisfies the notice requirement as to that Individual, the Individual’s spouse and any covered dependents.
- System may provide the notice electronically if the Individual has agreed to electronic notice and such agreement has not been withdrawn. For example, if ￼￼￼￼￼￼ System asks an Individual applying for coverage for an e-mail address, and the individual provides an e-mail address, System may infer that the Individual has agreed to electronic notice. Individuals who have been assigned an e-mail account and address by System or a University of Texas System institution are deemed to have consented to receive notices electronically. If System knows that electronic transmission has failed, a paper copy must be provided to the individual. An Individual who has agreed to electronic notice retains the right to receive a paper copy of the notice upon request.
- System shall document any request for the notice by an Individual and System’s provision of the notice to an Individual, in accordance with Section 9.2 of this Manual.
7.1(7) Documentation of Notice.
System shall retain a copy of each version of the notice, in writing or electronically. Such documentation shall be retained in accordance with Section 9.2 of this Manual.
45 C.F.R. § 164.520
65 Fed. Reg. at 82,547-52, 82,720-26 (Dec. 28, 2000); 67 Fed. Reg. at 53,241 (Aug. 14, 2002)