BNY Mellon Benefits Guide
HIPAA Notice
To: Employees (both active and inactive), retirees, dependents and COBRA beneficiaries who are eligible to participate in any of the health plans offered by BNY Mellon
Date: January 1, 2019
Subject: HIPAA Notice of Privacy Practices
The privacy regulations of the Health Insurance Portability and Accountability Act (HIPAA) became effective April 14, 2003. These federal regulations require covered entities, such as health plans, to provide plan participants with a notice of privacy practices describing the health-related information that is collected, how it is used and the ways in which the regulations permit it to be disclosed. These privacy notices also provide information on a participant's right to access, review and, if necessary, to have this information amended.
The following HIPAA Notice of Privacy Practices for the self-insured health plans sponsored by BNY Mellon details the uses and disclosure that the BNY Mellon self-insured health plans may make of your health information, along with your rights and BNY Mellon's self-insured health plan's obligations with respect to that information.
BNY Mellon's benefits program includes both self-insured and insured plans. This notice contains a list of all of these plans, indicating which are self-insured and which are not. If you are enrolled in an insured plan, the applicable insurance company or HMO is obligated to provide its HIPAA Notice of Privacy Practices to you.
BNY Mellon and its health plans strive to take all appropriate measures to protect the privacy of your health information. We take this responsibility very seriously and consider it our obligation to you and to your family, not simply a legal requirement that we must fulfill. Not only do the self-insured BNY Mellon health plans place limits on disclosing your health information to outside parties, but we also take precautions regarding who can access that information internally. Your health information is not disclosed to outside parties for the purpose of marketing products and services.
If you have questions, please contact the BNY Mellon Benefit Solutions Service Center at 1-800-947-4748, option 2, Monday through Friday, 8:30 a.m. to 8:00 p.m. Eastern Time.
BNY MELLON-SPONSORED HEALTH PLANS/PROGRAMS FOR U.S.-BASED EMPLOYEES
|
||
SELF-INSURED PLANS/PROGRAMS
|
INSURED PLANS/PROGRAMS
|
|
BNY Mellon Notice of Health Information Privacy Practices
THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
This Notice describes the medical information practices of BNY Mellon's self-insured health plans and programs, which are listed below, and of any third party (called a "business associate") in connection with functions or services that party provides in the administration of those plans and programs.
- Aetna Lower Deductible HSA Plan (Health Savings Account)
- Aetna Higher Deductible HSA Plan (Health Savings Account)
- Best Doctors®
- Castlight
- CVS/Caremark Prescription Program and Pharmacy Advisor Counseling
- CVS Accordant Care and MinuteClinic
- Doctor On Demand
- Premise Health
- UnitedHealthcare Lower Deductible HSA Plan (Health Savings Account)
- UnitedHealthcare Higher Deductible HSA Plan (Health Savings Account
- The Employee Assistance Program (EAP)
- MetLife Preferred Dental Program
- Vision Service Plan (VSP)
- WebMD Health Services
"We," "us," and "Plan" refer to all the health plans and programs listed above. "Plan Sponsor" refers to BNY Mellon. `'You" or "yours" refers to individual participants in the Plans.
If you participate in one of the insured health plans sponsored by BNY Mellon, you will receive a notice from the appropriate insurance company or HMO regarding the policies and procedures it will follow related to the use and disclosure of your Protected Health Information (PHI).
PHI is information that may identify you and that relates to past, present or future health care services provided to you, payment for health care services provided to you, or your physical or mental health or condition. This Notice of Privacy Practices describes how we may use and disclose your PHI. It also describes your rights to access and control your PHI. We are required to abide by the terms of this Notice of Privacy Practices as it is currently in effect.
We are required by the Health Insurance Portability and Accountability Act (HIPAA) to:
- maintain the privacy of your PHI;
- provide you with certain rights with respect to your PHI;
- provide you with this Notice of our legal duties and privacy practices regarding your PHI; and
- abide by the terms of this Notice as it may be updated from time to time.
We protect your PHI from inappropriate use or disclosure. Our employees and those of our business associates are required to protect the confidentiality of PHI. They may look at your PHI only when there is an appropriate reason to do so, such as to determine coordination of benefits or services.
We will not disclose your PHI to anyone for marketing purposes. We will not sell your PHI to anyone in violation of HIPAA.
Uses and Disclosures of PHI
Primary Uses and Disclosures of PHI
The main reasons for which we may use and may disclose your PHI are in order to administer our health benefit programs effectively and to evaluate and process requests for coverage and claims for benefits. The following describe these and other uses and disclosures, together with some examples.
Treatment, Payment and Health Care Operations Purposes
For Treatment: Treatment refers to the provision and coordination of health care by a doctor, hospital or other health care provider. We may disclose your PHI to health care providers to provide you with treatment. For example, we might respond to an inquiry from a hospital about your eligibility for a particular surgical procedure.
For Payment: Payment refers to our activities in collecting premiums and paying claims for health care services you receive. We may use your PHI or disclose it to others for these purposes. For example, if you had insurance coverage from a spouse's employer, we might disclose your PHI to the other insurer to determine coordination of benefits or services. Payment also refers to the activities of a health care provider in obtaining reimbursement for services. We may disclose your PHI to a provider for this purpose.
For Health Care Operations Purposes: Health care operations purposes refer to the following:
- We may use your PHI or disclose it to others for quality assessment and improvement activities.
- We may use your PHI or disclose it to others for activities relating to improving health or reducing health care costs, development of health care procedures, case management and care coordination.
- We may use your PHI or disclose it to others for the purpose of informing you or a health care provider about treatment alternatives.
- We may use your PHI or disclose it to others for the purpose of reviewing the competence, qualifications or performance of health care providers, or conducting training programs.
- We may use your PHI or disclose it to others for accreditation, certification, licensing or credentialing activities.
- We may use your PHI or disclose it to others in the process of contracting for health benefits or insurance covering health care costs.
- We may use your PHI or disclose it to others for purposes of reviewing your medical treatment, obtaining legal services, performing audits or obtaining auditing services, and detecting fraud and abuse.
- We may use your PHI or disclose it to others in our business management, planning and administrative activities. As an example, we might use your PHI in the process of analyzing data about treatment of certain conditions to develop a list of preferred medications.
The amount of health information used, disclosed or requested will be limited and, when needed, restricted to the minimum necessary to accomplish the intended purposes, as defined under the HIPAA rules.
- Business Associates: We contract with various individuals and entities (Business Associates) to perform functions on behalf of the Plans or to provide certain services. To perform these functions our Business Associates may receive, create, maintain, use or disclose PHI, but only after we require the Business Associates to agree in writing to contract terms designed to safeguard your PHI.
- Plan Sponsor: We and our Business Associates may also disclose PHI to the Plan Sponsor in connection with payment, treatment or health care operations purposes or pursuant to a written request signed by you. Such disclosures may only be made to the individuals authorized to receive such information.
- Other Covered Entities: The Bank of New York Mellon Corporation's Plans (including the insured plans) together are called an "organized health care arrangement." The Plans may share PHI with each other for the health care operations purposes of the organized health care arrangement.
Other Possible Uses and Disclosures of PHI
In addition to using and disclosing your PHI for treatment, payment and health care operations purposes, we may (and are permitted to) use or disclose it in the following circumstances:
- To Persons Involved in Care and for Notification Purposes: We may disclose PHI to a family member, relative, close personal friend or any other person identified by you, provided that the PHI is directly relevant to that person's involvement with your care or payment related to your care. In addition, we may use or disclose PHI to notify a member of your family, your personal representative or another person responsible for your care of your location, general condition or death.
- In Regard to Abuse, Neglect or Domestic Violence: In certain circumstances, we may disclose your PHI to a government authority that is authorized to receive reports of cases of abuse, neglect or domestic violence.
- To Coroners, Medical Examiners and Funeral Directors: We may disclose PHI to coroners and medical examiners for the purpose of identifying a deceased person, determining a cause of death or other purposes authorized by law. We may disclose PHI to funeral directors to enable them to carry out their duties.
- For Public Health Activities: We may disclose PHI to public authorities for the purpose of preventing or controlling disease, injury or disability. Under some circumstances, when authorized by law, we may disclose PHI to an individual who is at risk of contracting or spreading a contagious disease or condition. We also may disclose PHI to appropriate parties for the purpose of activities related to the quality, safety or effectiveness of products regulated by the U.S. Food and Drug Administration.
- To Avert a Threat to Health or Safety: We may, under certain circumstances, disclose PHI to avert a serious threat to the health or safety of a person or the general public.
- Organ and Tissue Donations: We may, under certain circumstances, disclose PHI for purposes of organ, eye or other medical transplants or tissue donation purposes.
- To Comply with Workers' Compensation Laws: We may disclose your PHI to the extent necessary to comply with laws relating to Workers' Compensation or other similar programs.
- For Law Enforcement and National Security Purposes: In certain circumstances, we may disclose PHI to appropriate officials for law enforcement purposes—for example, as required by law or legal process. In addition, we may disclose your PHI if you are or were armed forces personnel or to authorized federal officials for conducting national security and intelligence activities.
- In Connection with Legal Proceedings: In certain cases, we may disclose PHI in connection with the legal proceedings of courts or governmental agencies. For example, we may disclose your PHI in response to a subpoena for such information, but only after certain conditions required by HIPAA are met.
- For Health Oversight Activities: We may disclose PHI to a governmental agency authorized by law to oversee the health care system, compliance with civil rights laws or government benefit. Health oversight activities include audits, inspections, investigations or legal proceedings.
- Military Personnel: If you are in the armed forces, we may disclose your PHI for activities that military authorities consider necessary to the accomplishment of a mission.
- Inmates: If you are incarcerated, we may disclose your PHI to appropriate authorities as needed for your health care, your safety, the health or safety of other persons, or general administrative purposes.
- Research: Under certain circumstances, we may disclose PHI for research purposes, provided certain measures have been taken to protect your privacy.
- Health Information: We may contact you with information about treatment alternatives and other health-related benefits and services.
- As Required by Law: We may disclose your PHI when required to do so by federal, state or local law.
Required Disclosures of PHI
The following is a description of disclosures we are required by law to make:
- Disclosures to the Secretary of the U.S. Department of Health and Human Services: We are required to disclose your PHI to the Secretary of the U.S. Department of Health and Human Services when the Secretary is investigating or determining compliance with HIPAA.
- Disclosure to You: We are required to disclose to you most of your PHI. We will also disclose your PHI to an individual whom you have designated as your personal representative. However, before we can disclose your PHI to such person, you must submit a written notice of his/her designation, along with documents supporting his/her qualification (such as a power of attorney). In limited situations HIPAA permits us to elect not to treat the person as your personal representative if we have reasonable belief that it could endanger you.
Other Uses and Disclosures of Your PHI with Authorization
We generally may use or disclose psychotherapy notes about you or use or disclose your PHI for marketing purposes only with your written authorization, unless a specific exception to those rules applies. We may not sell your PHI without your written authorization.
Other uses and disclosures of your PHI that are not described above will be made only with your written authorization. You may revoke an authorization at any time by providing written notice to us. We will honor a request to revoke as of the day it is received and to the extent that we have not already used or disclosed your PHI in reliance on the authorization. To obtain an Authorization for Release of Information, call the BNY Mellon Benefit Solutions Service Center at 1-800-947-4748, option 2 (Monday through Friday, 8:30 a.m. to 8:00 p.m. Eastern Time). You may revoke an authorization by contacting the Health Information Privacy Officer identified at the end of this Notice.
Genetic Information
The Privacy Regulations prohibit us from using or disclosing your family members' genetic information for underwriting purposes.
Your Rights
Right to Request Restrictions on Uses and Disclosure
You may ask us to restrict uses and disclosures of your PHI for treatment, payment or health care operations purposes, or to restrict disclosures to family members, relatives, friends or other persons identified by you who are involved in your care or payment for your care, or to restrict disclosures for notification purposes. However, we are not generally required to comply with your request for restrictions, except in those situations where the requested restriction relates to the disclosure to the Plan for purposes of carrying out payment or health care operations (and not for treatment) and the PHI pertains solely to a health care item or service for which the individual, or a person other than the Plan on behalf of the individual has paid in full. You may exercise this right by contacting the Health Information Privacy Officer identified at the end of this Notice, who will provide you with additional information including what information is required to make a restriction request.
Right to Inspect, Copy and Amend Your PHI
As long as we maintain records containing your PHI, you have a right to inspect and copy such information. If you request an electronic copy of this information, we will provide you with the information in the electronic form and format you request, if it is readily reproducible in that form or format or, if not, in a readable form and format to which we and you agree. These rights are subject to certain limitations and exceptions. For example, if the requested information contains psychotherapy notes or may endanger someone, it may not be available. You may request a review of any denial to access. If you believe your PHI held and created by us is incorrect or incomplete, you may request that we amend your PHI. You will be required to provide the reason the amendment is necessary. Requests for access to your PHI or amendment of your records should be in writing and directed to the Health Information Privacy Officer identified at the end of this Notice.
Right to a List of Disclosures
You have a right to an accounting of certain disclosures of your PHI by us. The accounting will not include those items which are not required to be provided such as disclosures made at your request or disclosures made for treatment, payment or health care operations. A request for a list of disclosures should be directed to the Health Information Privacy Officer identified at the end of this Notice.
Right to Request Confidential Communications
We will accommodate a reasonable request by you to receive communications from us by alternative means or at an alternative location if you believe that disclosure of your PHI could pose a danger to you. For example, you may request that we only contact you by mail or at work. Requests for confidential communications should be in writing and directed to the Health Information Privacy Officer identified at the end of this Notice.
Right to be Notified of a Breach
You have the right to be notified in the event that we (or a Business Associate) discover a breach of unsecured PHI.
Right to Receive Paper Copy
You have the right to receive a paper copy of this Notice from the Plan upon request, even if you have previously agreed to receive copies of this Notice electronically. Requests for a paper copy should be in writing and directed to the Health Information Privacy Officer identified at the end of this Notice.
Changes to This Notice
We reserve the right to change the terms of this Notice and to make the new Notice provisions effective for all PHI we maintain. If we change this Notice, you will receive a new Notice. Active employees will receive the Notice by distribution in the workplace; inactive employees (including retirees) will receive the Notice by mail.
Complaints
If you believe that your privacy rights have been violated, you may complain to us in writing at the location described below under "Health Information Privacy Officer'' or with the office for Civil Rights of the Department of Health and Human Services, Hubert H. Humphrey Building, 200 Independence Avenue SW, Washington, DC 20201. You will not be retaliated against for filing a complaint.
Health Information - Privacy Officer
You may exercise the rights described in this Notice by contacting the office identified below, which will provide you with additional information.
BNY Mellon
Employee Benefits Department
Suite 3118
BNY Mellon Center
Pittsburgh, PA 15258
ATTN: Health Information Privacy Officer
Employee Benefits Department
Suite 3118
BNY Mellon Center
Pittsburgh, PA 15258
ATTN: Health Information Privacy Officer
Any Employee Assistance Program (EAP)-related questions or issues should be directed to:
BNY Mellon
EAP Manager
500 Grant Street
Suite 3118
Pittsburgh, PA 15258
EAP Manager
500 Grant Street
Suite 3118
Pittsburgh, PA 15258
Effective Date of Notice: This Notice is effective as of January 2019.