This provides notice of the privacy practices and policies of Haven Benefits, Inc. These protections have been adopted to ensure that the information that we obtain and maintain for our clients, which may also include information about the employees, dependents, former employees and dependents, and other eligible participants on a group health plan for which we are providing services (“Protected Parties”), is protected in accordance with relevant state and federal rules. The Notice outlines our practices, policies, and legal duties to maintain and protect against prohibited disclosure of personally-identifiable financial information (as required by the federal Gramm-Leach-Bliley Financial Modernization Act (“GLB Act”) and the various state laws implementing those requirements), Protected Health Information of those Protected Parties (under the privacy regulations mandated by the Health Insurance Portability and Accountability Act and further expanded by the Health Information Technology for Economic and Clinical Health Act provisions in Title XIII of the American Recovery and Reinvestment Act (“HITECH”) and the regulations related to these laws and mandates), and the protection of personally-identifiable information under 45 CFR § 155.260 (collectively referred to herein as “Privacy Rules”).
THE PROTECTION OF THE PRIVACY OF THE INFORMATION WE MAINTAIN IS EXTREMELY IMPORTANT TO US.
We are required by law to maintain the privacy of non-public personal information (“NPPI”), protected health information (“PHI”), and personally-identifiable information (“PII”) (collectively referred to herein as “Protected Information”) of the Protected Parties and to provide our clients with this notice of our privacy practices and legal duties. We are required to abide by the terms of this notice. We reserve the right to change the terms of this notice and to adopt any new provisions regarding the Protected Information that we maintain about the Protected Parties. If we revise this notice, we will provide each client or customer with whom there is a current and direct business relationship with a revised notice by mail, electronic mail or any other electronic means, facsimile, or hand-delivery.
Client’s Rights under Privacy Rules
As our client, you have a right to know how we may use or disclose the Protected Information we maintain on those Protected Parties with whom there is a direct relationship (e.g., we have been retained by you to provide employee benefit consulting services which requires that we have access to Protected Health Information (PHI)). Haven Benefits, Inc. complies with the HIPAA Privacy and Security Rules, which regulate our company as your Business Associate. In the event our client is an employer sponsoring a group health plan, we do not have a direct duty to their employees, dependents, former employees or dependents, or other eligible participants on the group health plan. Our obligation not to disclose the Protected Information we maintain about those individuals may arise from our contractual obligations as a Business Associate of the client, as well as of any other third party who is a Covered Entity under the Privacy Rules, but it does not create a separate legal duty to provide notice to those individuals of their rights through a Notice of Privacy Practices.
Use and Disclosure of PHI
We use, disclose, and request from third parties PHI on behalf of our client in order to:
- Perform or assist in performing a function or activity regulated by the HIPAA Privacy or Security Rules, including, but not limited to, claims processing or administration, data analysis, utilization review, quality assurance, billing, benefit management, practice management, repricing, renewal or replacement of a contract, conducting planning-related analysis related to managing the employee benefit plans, and customer service.
- Assist the client’s other business associates retained to provide legal advice, accounting, actuarial, consulting, data aggregation, management, administration, accreditation, or financial services to the client or to an organized health care arrangement in which the client participates.
- Properly manage and administer Haven Benefits, Inc. or to carry out our legal responsibilities.
- Perform functions, activities, or services for, or on behalf of, the client as specified above, except as otherwise limited or if such use or disclosure would violate the HIPAA Privacy or Security Rules if done by the client.
Our Obligations and Activities
- Use and Disclosure of PHI. Haven Benefits will not use or further disclose PHI other than as permitted by our agreement with the client or as required by law. To the extent practicable, we limit our use or disclosure of PHI or requests for PHI to a limited data set, or if necessary, to the minimum necessary to accomplish the intended purpose of such use, disclosure or request.
- Safeguards. Haven Benefits uses appropriate safeguards to prevent the use or disclosure of PHI other than mentioned herein, including establishing procedures that limit access to PHI within our company to those employees with a need to know the information. Haven Benefits has implemented appropriate administrative, physical and technical safeguards to protect the confidentiality, integrity and availability of electronic PHI that we create, receive, maintain or transmit on behalf of our client, as required by the HIPAA Security Rule.
We also use appropriate safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to electronic protected health information, to prevent use or disclosure of protected health information other than as provided for our client agreements.
- Unauthorized Disclosures of PHI. If Haven Benefits becomes aware of a disclosure of PHI in violation of our client agreements by our company, its officers, directors, employees, contractors, or agents, or by a third party to which we have disclosed PHI (including a subcontractor), we will report to the client any use or disclosure of protected health information not provided for by our client agreements of which we become aware, including breaches of unsecured protected health information as required at 45 CFR 164.410, and any security incident of which we become aware, within ten (10) business days of the incident.
This also applies to any breach of unsecured PHI, as defined by the applicable regulations. Notice of any such breach shall include the identification of any individual whose unsecured PHI has been, or is reasonably believed by Haven Benefits, to have been accessed, acquired or disclosed during such breach and any other information required by the applicable regulations.
- Security Incidents. Business Associate shall promptly report to Covered Entity any Security Incident of which it becomes aware, in accordance with the HIPAA Security Rule.
- Agreements with Third Parties. Haven Benefits agrees, in accordance with 45 CFR 164.502(e)(1)(ii) and 164.308(b)(2), to ensure that any agents and subcontractors that create, receive, maintain or transmit PHI on behalf of our company with respect to our relationship with our client agree to the same restrictions and conditions that apply to Haven Benefits with respect to such information.
- Access to Information. Within ten (10) business days of a request by our client for access to PHI about an individual contained in a Designated Record Set, Haven Benefits will make available to the client such PHI for so long as such information is maintained in a Designated Record Set and in accordance with the requirements of 45 C.F.R. Section 164.524. In the event any individual requests access to PHI directly from Haven Benefits, we will respond to the request for PHI within ten (10) business days.
- Maintenance and Availability of PHI for Amendment. Haven Benefits agrees to make any amendments to PHI in a Designated Record Set that the client directs or agrees to pursuant to 45 CFR Section 164.526 at the request of the client or an individual, and in the time and manner designated by client.
- Inspection of Books and Records. Haven Benefits agrees to make its internal practices, books, and records relating to the use and disclosure of PHI received from, or created or received by our company on behalf of the client, available to the client or at the request of the client, to the Secretary of the U.S. Department of Health and Human Services or its designee (the “Secretary”), in a time and manner designated by the client or the Secretary, for purposes of the Secretary determining the client’s compliance with HIPAA.
- Accounting of Disclosures. Haven Benefits agrees to maintain and make available to the client an accounting of disclosures of PHI as would be required for the client to respond to a request by an individual made in accordance with 45 CFR Section 164.528. Haven Benefits shall provide an accounting of disclosures made during the six (6) years prior to the date on which the accounting is requested (or during the three (3) years prior to the date the accounting is requested for PHI maintained in an electronic health record, beginning on the applicable effective date pursuant to the American Recovery and Reinvestment Act of 2009). At a minimum, the accounting of disclosures shall include the following information:
a. The date of the disclosure,
b. The name of the person or entity who received the PHI, and if known, the address of such entity or person,
c. A brief description of the PHI disclosed, and
d. A brief statement of the purpose of such disclosure, including an explanation of the basis of such disclosure.
In the event the request for an accounting is delivered directly to Haven Benefits, our company will respond to the request within ten (10) business days. Any denials of a request for an accounting shall be our responsibility. Haven Benefits has implemented appropriate recordkeeping processes to enable us to comply with these requirements.
- Remuneration in Exchange for PHI. Effective Sept. 23, 2013, the effective date of the final HIPAA regulations pursuant to the American Recovery and Reinvestment Act of 2009, and subject to the transition provision of 45 CFR Section 164.532 regarding prior data use agreements, Haven Benefits will not directly or indirectly receive remuneration in exchange for any PHI without a valid authorization permitting such remuneration, except as permitted by law.
Permitted Use and Disclosure by Haven Benefits
Haven Benefits may use or disclose Protected Health Information to perform functions, activities or services for, or on behalf of the client provided that such use or disclosure would not violate the Privacy Rule if done by the client. We may also disclose Protected Health Information for the proper management and administration of our company, provided that disclosures are Required By Law or we obtain reasonable assurances from the person to whom the information is disclosed that it will remain confidential and used or further disclosed only as Required By Law or for the purpose for which it was disclosed to the person, and the person notifies Haven Benefits of any instances of which it is aware in which the confidentiality of the information has been breached.
Haven Benefits is authorized to use protected health information to de-identify the information in accordance with 45 CFR 164.514(a)-(c), to perform functions, activities or services for, or on behalf of the client. We agree to make uses and disclosures and requests for protected health information consistent with the client’s minimum necessary policies and procedures.
Our client agrees to comply with each applicable requirement of the HIPAA Privacy and Security Rules. They also agree to notify Haven Benefits of any limitation(s) in the notice of privacy practices of the covered entity under 45 CFR 164.520, to the extent that such limitation may affect our company’s use or disclosure of Protected Health Information.
Our client agrees to notify Haven Benefits of any changes in, or revocation of, the permission by an individual to use or disclose his or her Protected Health Information, to the extent that such changes may affect our company’s use or disclosure of Protected Health Information. Our client also agrees to notify Haven Benefits of any restriction on the use or disclosure of Protected Health Information that the client has agreed to or is required to abide by under 45 CFR 164.522, to the extent that such restriction may affect our company’s use or disclosure of Protected Health Information.
Permissible Requests by Client
The client agrees not to request Haven Benefits to use or disclose PHI in any manner that would not be permissible under HIPAA if done by the client. The client shall not request Haven Benefits to use or disclose Protected Health Information in any manner that would not be permissible under Subpart E of 45 CFR Part 164 if done by Covered Entity, except if the Business Associate will use or disclose Protected Health Information for management and administration and legal responsibilities of the Business Associate.
If a Client Terminates from Haven Benefits Services
Upon termination of a client agreement, Haven Benefits will return or destroy all PHI received from the client or created, maintained or received by our company on behalf of the client that Haven Benefits maintains in any form. Haven Benefits shall retain no copies of the PHI.
Notwithstanding the above, to the extent that Haven Benefits determines that it is not feasible to return or destroy such PHI, these terms and provisions will survive termination of our agreement, and such PHI shall be used or disclosed solely for the purpose or purposes that prevented its return or destruction. When the PHI is no longer needed by Haven Benefits, Haven Benefits will return the PHI to the client or destroy it.
Haven Benefits and our clients agree to amend our agreement only by mutual written agreement, or from time to time as necessary for the client or Haven Benefits to comply with the requirements of HIPAA.
Haven Benefits’ obligation to limit its use and disclosure of PHI will remain intact so long as our company holds PHI received during the performance of our services for the client. We follow all regulations in accordance with the laws of the State of Georgia. Any ambiguity will be resolved in favor of a meaning that permits the client and/or Haven Benefits, as applicable, to comply with HIPAA.