Defiance City School District
Bylaws & Policies
 

3421 - HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)

 

"Northern Buckeye Education Council Employee Benefits Plan"

 

("The Plan")

   
 

PRIVACY POLICIES

The Plan is committed to ensuring the privacy of Protected Health Information (PHI) and at all times shall comply with the requirements of the Privacy Standards. In the event the Privacy Standards are amended, these Policies shall be deemed to be amended in accordance therewith and at the Privacy Officer’s discretion, with retroactive effective dates. To support the Plan's commitment to privacy of PHI, it will ensure that appropriate steps are taken, as more specifically set forth in the policies below. The Plan Sponsor and the Plan Administrator, on behalf of the Plan, hereby adopt the following policies that shall be instituted and followed by the Plan with regard to uses, disclosures and requests for Protected Health Information.

DEFINITIONS

The following terms shall have the meanings set forth below when used in this document:

 A."Business Associate" shall mean a person who, on behalf of a Covered Entity, performs or assists with an activity involving the use or disclosure of individually identifiable health information.

 B."Covered Entity" shall mean a health plan, a health care clearinghouse or a health care provider who transmits any health information in electronic form in connection with a transaction covered by the Privacy Standards.

 C."Designated Record Set" shall mean a group of records maintained by or for the Plan that consists of the enrollment, payment, claims adjudication and appeals, and case or medical management record systems maintained by or for the Plan; or that is used in whole or in part by or for the Plan to make decisions about individuals. Information used for audits or quality control or peer review analyses and not used to make decisions about individuals is not in the Designated Record Set.

 D."HIPAA" shall mean the Health Insurance Portability and Accountability Act of 1996, as amended.

 E."Individual" shall mean the person who is the subject of the PHI or unemancipated minors and other individuals who lack capacity to act on their own behalf.

 F."Marketing" shall mean communications about a product or service with the purpose to encourage recipients of the communication to purchase or use the product or service unless the communication is made to describe a health related product or service (or payment for such service) that is provided by, or included in the Plan’s benefits or adds value to, but is not a part of the Plan’s benefits; is for the treatment of the individual; or is for case management or care coordination for the individual or to direct or recommend alternative treatments, therapies, health care providers or settings of care to the individual.
  Marketing shall also include any arrangements between the Plan and any other entity whereby the Plan’s disclosures of PHI are in exchange for direct or indirect remuneration or for which the other entity makes a communication about its own product or service that encourages recipients of the communication to purchase or use the product or service.

 G."Plan" shall mean Northern Buckeye Education Council Employee Benefits Plan.

 H."Plan Administration" activities shall mean activities that would meet the definition of payment (as defined in the Privacy Standards) or health care operations (as defined in the Privacy Standards), but do not include functions to modify, amend or terminate the Plan or solicit bids from prospective issuers. "Plan Administration" functions include quality assurance, claims processing, auditing, monitoring and management of carve-out plans, such as vision and dental. It does not include any employment-related functions or functions in connection with any other benefit or benefit plans.

 I."Plan Administrator" shall mean Northern Buckeye Education Council.

 J."Plan Sponsor" shall mean Defiance City Schools.

 K."Privacy Official" shall mean the individual appointed as such by the Plan Administrator.

 L."Privacy Standards" shall mean the Standards for Privacy of Individually Identifiable Health Information enacted pursuant to HIPAA.

 M."Protected Health Information" or "PHI" shall mean individually identifiable health information, as more specifically defined in the Privacy Standards.

 N."Summary Health Information" shall mean information that may be individually identifiable health information that summarizes the claims history, claims expenses or the type of claims experienced by individuals in the Plan, but it excludes all identifiers that must be removed for the information to be de-identified, except that it may contain geographic information to the extent that it is aggregated by five-digit zip code.

 O."TPO" shall mean treatment, payment and health care operations, as more specifically defined in the Privacy Standards.

"NEED TO KNOW" AND "MINIMUM NECESSARY" COMPLIANCE

Compliance Policy. The Plan is committed to ensuring the privacy of PHI and at all times shall comply with the "need to know" and "minimum necessary" requirements of the Privacy Standards. The Plan shall make reasonable efforts to limit access to PHI to those individuals in the Plan Administrator's workforce who require access to PHI to carry out their duties and job responsibilities and, further, to limit their access to only the category or categories of PHI to which access is needed, upon any conditions appropriate to such access. The Plan shall make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose when (a) using PHI; (b) disclosing PHI; and (c) requesting PHI from a Covered Entity; provided, however, that prior to such use, disclosure or request, the Plan shall determine if the intended purpose of the use, disclosure or request for disclosure of PHI could be satisfied by using de-identified information. If so, the Plan shall use, disclose or request de-identified information. In that event, the Privacy Standards do not apply and there is no need to assess the minimum necessary PHI required.

Exceptions to Minimum Necessary Requirements. These minimum necessary requirements shall not apply to:

 A.Disclosures to or requests by a health care provider for treatment;

 B.Uses or disclosures permitted or required to be made to the individual under the Privacy Standards, or to the individual's personal representative as long as that use or disclosure is within the purpose of the representation if representation is limited to a particular purpose;

 C.Uses or disclosures pursuant to an authorization;

 D.Disclosures made to the Secretary of the U.S. Department of Health and Human Services in accordance with the Privacy Standards;

 E.Uses or disclosures that are required by law (as defined in the Privacy Standards);

 F.Uses or disclosures that are required for compliance with the Privacy Standards; and

 G.Uses or disclosures of required data elements that are required for compliance with HIPAA's Electronic Data Interchange Transaction Standards.

AUTHORIZED USES & DISCLOSURES

Compliance Policy. The Plan at all times shall comply with the Privacy Standards regarding authorized uses and disclosures in connection with disclosures of PHI.

Use of PHI. The Plan shall make reasonable efforts, including the use of firewalls, to limit the access of those titles or classes of persons requiring access to PHI to carry out treatment, payment and health care operations pursuant to the regulations to the category of PHI to which access is needed.

Disclosures of PHI. With respect to the minimum necessary disclosure of PHI, the Plan shall comply with the following policies:

 A.Routine and Recurring Disclosures. For disclosures made on a routine and recurring basis, implement and comply with the following policies and procedures that limit the PHI disclosed to the amount reasonably necessary to achieve the purpose of the disclosure:

  1.Third Party Administrator. To perform its duties relating to the Plan, the Third Party Administrator shall have access to all information that is available to the Plan Administrator.

  2.Decisions on Claims and Appeals. The Plan Administrator, Fiduciaries of the Plan, or other agents designated by the Plan Administrator who review claims decisions and/or claims appeals requiring the use of discretion shall have access to, and disclose, that amount of PHI as they may deem necessary, in the exercise of discretion and professional judgment, to render a claims determination or decide an appeal.

  3.Eligibility Determinations. For purposes of determinations of eligibility, the Plan Administrator shall have access to all enrollment information of Plan participants and those individuals who have applied for coverage under the Plan.

  4.Coverage Determinations. For purposes of determinations of coverage, the Plan Administrator shall have access to the individual's claims file regarding the claim in question.

  5.Coordination of Benefits. For coordination of benefits purposes, the Plan Administrator and other health plans or health insurance providers shall have access to all enrollment information of the Plan participants who are the subject of the inquiry, as well as information regarding other coverage those participants may have.

  6.Human Resource or Benefits Manager and Staff. The Human Resource Manager and designated staff shall have access to information regarding claims filed, appeals filed, eligibility, enrollment, termination, COBRA coverage and applications for coverage, as necessary to supervise the day-to-day operations of the Plan and to assist participants with questions and concerns regarding their benefits under the Plan.

  7.Plan Auditor and Staff. The Plan Auditor shall have information regarding claims filed, PPO re-pricing, claims paid, stop-loss submittals, eligibility, enrollment, termination, COBRA participants, COBRA premiums, participant contributions and checking accounts, or such other information as may be necessary to audit the handling of funds related to the Plan as well as Plan assets.

  8.Plan Operations. The Plan Administrator shall have access to all information needed to oversee and make decisions concerning Plan operations, including claims costs, administrative costs, stop-loss premiums and provisions and audit reports.

  9.Chief Financial Officer(s) and Staff. The Chief Financial Officer(s) of the Plan Sponsor and the Plan Administrator shall have access to all information regarding funding and expenses of the Plan, including but not limited to information regarding claims filed, PPO, HMO, or other network re-pricing, claim funding requirements, claims paid, stop-loss submittals, COBRA premiums, participant contributions and checking accounts.

  10.Plan Sponsor Audits. For auditing purposes, the Plan Sponsor shall have access to claims information for the prior plan year, as well as information regarding specific claims as are requested to assess the Plan's performance and review Plan costs.

  11.Underwriting. For underwriting purposes, the Plan's actuaries, consultants and/or the stop-loss carrier(s) and managing general underwriter(s) from whom quotes are obtained shall have access to aggregate claims information, as well as such information regarding specific claims as are requested to determine the projected future costs of the Plan, reserve obligations and requirements, and/or obtain stop loss or other insurance on behalf of the Plan.

  12.Stop-loss Claims. The stop-loss carrier and managing general underwriter shall have access to information regarding specific and aggregate claims as necessary to determine whether or not such claims are payable or reimbursable.

  13.Personal Representatives. Personal representatives of individuals shall have access only to that class of an individual's PHI that relates to the purpose of their appointment if the personal representative has been appointed for a limited purpose. (For example, if a personal representative is appointed solely to make decisions regarding an individual's cancer treatment, the personal representative shall have access only to the individual's PHI relating to cancer treatment.)

  14.Utilization Review Companies. Any utilization review companies used by the Plan shall have access to such medical records and medical information as they deem necessary to perform their duties related to pre-admission certification, concurrent review, case management, and retrospective review.

  15.Attorneys. For purposes of providing legal services to the Plan, the Plan's attorneys shall have access only to that class of an individual's PHI that relates to the issues on which the attorneys advise the Plan.

  16.Actuaries, Consultants, and Brokers. For purposes of providing advice to the Plan, its actuaries, consultant(s), or broker(s) shall have access to such eligibility, enrollment, termination, COBRA, claims and stop-loss information as necessary to provide accurate and complete advice.

  17.Subrogation Vendor. Any subrogation vendor used by the Plan shall have access to such medical records, accident information and claims information as it deems necessary to perform its duties relating to the Plan's subrogation interests.

  18.COBRA Vendor. Any vendor used by the Plan to provide COBRA administration services shall have access to such information relating to enrollment, eligibility, termination, COBRA elections and payment of COBRA premiums as it deems necessary to perform its duties for the Plan.

  19.Preferred Provider Organizations (PPO), Health Maintenance Organizations (HMO) or Other Network Organizations (Networks). Any organizations providing discounted rates to the Plan shall have access to all claims relating to services provided by network providers so that it may re-price such claims and resolve any disputes in connection therewith.

  20.Printing and Mailing Services. Any printing and mailing service used by the Plan shall have access to those documents to be printed and mailed, to perform its duties for the Plan.

  21.Scanning and Scrubbing Services. Any scanning and/or claims "scrubbing" service(s) used by the Plan shall have access to the document to be scanned and the Plan's database in connection therewith, to perform the duties owed to the Plan.

 B.All Other Disclosures. For all other disclosures, the Privacy Official shall review each request for disclosure on an individual basis in accordance with the criteria set forth below. In addition, the Privacy Official shall consult with the party requesting the information to determine the purpose of the requested disclosure, if the purpose is not clear from the request. The Privacy Official shall have an understanding of the Plan's privacy policies and procedures and sufficient expertise to understand and weigh the necessary factors. However, if necessary, the Privacy Official shall utilize the input of prudent professionals to assist in determining the appropriateness of the disclosure and the minimum necessary disclosure of PHI.
  The following criteria shall be used in limiting the amount of PHI disclosed by the Plan:

  1.The requesting individual or entity must have a complete understanding of the purpose of the request for the PHI and explain, to the Privacy Official's satisfaction, the use and purpose, and that the information requested is no more than needed to meet the purpose.

  2.All of the individuals or entities must be identified for whom the disclosure of PHI is required.

 C.Reliance by the Plan under Certain Circumstances. The Plan may rely, if reasonable under the circumstances, on a requested disclosure as the minimum necessary for the stated purpose(s) when:

  1.making disclosures to public officials that are permitted by the Privacy Standards if the public official represents that the information requested is the minimum necessary for the stated purpose(s);

  2.the information is requested by a Covered Entity;

  3.the information is requested by a professional who is a member of the Plan Administrator's workforce, or is a Business Associate of the Plan, for the purpose of providing professional services to the Plan, if the professional represents that the information requested is the minimum necessary for the stated purpose(s); or

  4.documentation or representations that comply with the requirements of the Privacy Standards have been provided by a person requesting the information for research purposes.

Requests for PHI. With respect to minimum necessary requests for PHI, the Plan shall:

 A.General Limits. Limit any request for PHI to that which is reasonably necessary to accomplish the purpose for which the request is made, when requesting PHI from Covered Entities and Business Associates;

 B.Routine and Recurring Requests. For requests made on a routine and recurring basis, implement and comply with the following policies and procedures that limit the PHI requested to the amount reasonably necessary to achieve the purpose of the request:

  1.Plan Fiduciaries, Plan Administrator or Other Agents Designated by the Plan Administrator. Plan Fiduciaries, the Plan Administrator or other agents designated by the Plan Administrator who review claims decisions and/or claims appeals requiring the use of discretion shall request only that amount of PHI as they may deem necessary, in the exercise of discretion and professional judgment, to render a claims determination or decide an appeal.

  2.Eligibility Determinations. For purposes of determinations of eligibility, the Plan Administrator may request all enrollment information of Plan participants and those individuals who have applied for coverage under the Plan.

  3.Coverage Determinations. For purposes of determinations of coverage, the Plan Administrator may request the individual's claims file regarding the claim in question.

  4.Coordination of Benefits. For coordination of benefits purposes, the Plan Administrator and other health plans or health insurance providers may request all enrollment information of the Plan participants who are the subject of the inquiry, as well as information regarding other coverage those participants may have.

  5.Human Resource Manager and Staff. The Human Resource Manager and designated staff may request information regarding claims filed, appeals filed, eligibility, enrollment, termination, COBRA coverage and applications for coverage, as necessary to supervise the day-to-day operations of the Plan and to assist participants with questions and concerns regarding their benefits under the Plan.

  6.Plan Auditor. The Plan Auditor may request information regarding claims filed, PPO, HMO, or other network re-pricing, claims paid, stop-loss submittals, eligibility, enrollment, termination, COBRA participants, COBRA premiums, participant contributions and checking accounts, or such other information as may be necessary to audit the handling of funds related to the Plan as well as Plan assets.

  7.Chief Financial Officer. The Chief Financial Officer of the Plan Administrator may request all information regarding funding and expenses of the Plan, including but not limited to information regarding claims filed, PPO, HMO, or other network re-pricing, claim funding requirements, claims paid, stop-loss submittals, COBRA premiums, participant contributions and checking accounts.

  8.Plan Operations. The Plan Administrator may request such information needed to oversee and make decisions concerning Plan operations, including claims costs, administrative costs, stop-loss premiums and provisions and audit reports.

 C.All Other Requests. For all other requests, the Privacy Official shall review each request on an individual basis in accordance with the criteria set forth below. In addition, the Privacy Official shall consult with the party in the Plan Administrator's workforce requesting the information to determine the purpose of the requested disclosure, if the purpose is not clear from the request. The Privacy Official shall have an understanding of the Plan's privacy policies and procedures and sufficient expertise to understand and weigh the necessary factors. However, if necessary, the Privacy Official shall utilize the input of prudent professionals to assist in determining the minimum necessary request for PHI.
  The following criteria shall be used in limiting the amount of PHI requested by the Plan:

  1.The requesting individual or entity must have a complete understanding of the purpose of the request for the PHI and explain, to the Privacy Official's satisfaction, the purpose, and that the information requested is no more than needed to meet the purpose.

  2.All of the individuals or entities must be identified for whom the request for PHI is required.

Requests for Entire Medical Record. Any use or disclosure of, or request for, an individual's entire medical record shall be examined by the Plan Administrator, who shall determine, in its discretion, whether the use, disclosure or request is specifically justified as the amount that is reasonably necessary to accomplish the purpose of the use, disclosure or request. If necessary, the Plan Administrator shall utilize the input of prudent professionals to assist in determining whether the use, disclosure or request is specifically justified.

VERIFICATION OF IDENTITY AND AUTHORITY

Compliance Policy. The Plan at all times shall comply with the Privacy Standards regarding verification of identity and authority in connection with disclosures of PHI.

Exceptions to Verification of Identity and Authority. Verification of Identity and Authority shall not be required for disclosures (a) with the consent of the individual to a known family member, other relative or a close personal friend of the individual, or to any other person identified by the individual of PHI directly relevant to such person's involvement with the individual's care or payment related to the individual's health care; or (b) to notify, or assist in the notification of (including identifying or locating), a family member, a personal representative of the individual or another person responsible for the care of the individual, of the individual's location, general condition or death. When the individual is not present or is incapacitated, the Plan Administrator, or other individual or entity acting on behalf of the Plan, shall use its professional judgment in reviewing any requests for disclosure.

NON-COMPLIANCE

Compliance Policy. The Plan at all times shall comply with the requirements of the Privacy Standards.

Internal Complaints; Mitigation. Any complaints by individuals regarding non-compliance with the Privacy Standards or the Plan's privacy policies and procedures shall be directed to the contact person specified in the Notice of Privacy Practices provided to all individuals covered by the Plan. The Plan shall keep a written record of all written and oral complaints received and a brief explanation of their disposition. The Plan shall be responsible for (a) investigating any complaints (for example, by interviews or review of relevant documents); (b) mitigating, to the extent practicable, any harmful effect that is known to the Plan Administrator of a use or disclosure of PHI in violation of the Plan's Policies and Procedures or the Privacy Standards; and (c) resolving any complaints, including, if necessary, by making changes to the Plan's privacy policies and procedures. A written explanation of the disposition of each complaint shall be furnished to the individual who made the complaint within sixty (60) days of receipt of the complaint. The Plan will not retaliate against any individual for filing a complaint.

Specific Procedures for Compliance - Sanctions. The following sanctions shall be imposed against any employee of the Plan Administrator who breaches the Plan's privacy policies and procedures:

 A.1st offense: Oral warning

 B.2nd offense: Written warning

 C.3rd offense: Suspension with or without pay

 D.4th offense: Termination of employment

Notwithstanding the above, the Privacy Official shall have the authority, after consultation with senior management of the Plan Administrator, to impose a greater or lesser sanction if the Privacy Official believes that it is warranted. Consideration shall be given to the frequency of violation and the length of time elapsed between privacy violations. In no case shall violations occurring more than six (6) years prior to the date of the most recent violation be considered under this policy. All sanctions imposed shall be documented in the employee's personnel file. Further, documentation of any sanctions imposed shall be maintained as required by the Privacy Standards.

DOCUMENT RETENTION

Compliance Policy. The Plan at all times shall comply with the Privacy Standards and with any applicable State or Federal requirements regarding document retention.

The Plan shall retain the required documentation as listed below for six (6) years from either the date it was created or the date it was last in effect, whichever is later. Such documents shall be retained either in written or electronic form. If they are retained in electronic form, the Plan shall comply with the requirements of the Privacy Standards and any applicable State or Federal regulations and, at a minimum, shall ensure that:

 A.the recordkeeping system has reasonable controls designed to ensure the integrity, accuracy, authenticity and reliability of the electronic records;

 B.the electronic records are maintained in reasonable order, in a safe and accessible place and are capable of being readily inspected or examined;

 C.the electronic records are readily convertible into legible paper copies to satisfy all obligations under any applicable State or Federal regulations, including any reporting and disclosure requirements;

 D.the electronic system does not compromise or limit the Plan Administrator's ability to comply with all of its obligations under any applicable State or Federal regulations, including any reporting and disclosure requirements; and

 E.adequate records management systems are established and implemented, to ensure that documents are labeled adequately and stored securely, backup electronic copies are made and paper copies are kept for records that cannot be clearly, accurately and completely transferred to electronic media.

In the event that the documents are maintained electronically by a third party, the Plan Administrator shall ensure that such third party complies with such requirements.

Documents to be Retained. The following documents shall be retained as set forth above:

 A.Plan Document and Summary Plan Description

 B.policies on PHI uses and disclosures

 C."Minimum Necessary" policies and procedures, including protocols for PHI use, routine disclosures and requests

 D.all signed authorizations

 E.the Plan's privacy notice

 F.documentation regarding the following individual rights:

  1.right to request amendment of PHI

  2.right to an accounting of disclosures of PHI

  3.right to inspect and obtain copies of PHI

  4.right to request restrictions on uses and disclosures of PHI

  5.right to request confidential communications of PHI

 G.records of PHI disclosures that are required to be accounted for under the Privacy Standards, which must be made available to an individual for six (6) years after the request date

 H.all individual complaints and their outcomes

 I.records of any sanctions imposed in connection with non-compliance with the Privacy Standards

 J.records on any PHI use and disclosure for research purposes, as allowed without authorization under the Privacy Standards

 K.information on whether an entity is a hybrid or affiliated entity or an organized health care arrangement

 L.Business Associate Agreements

 M.employee training manuals and procedures

 N.plan sponsor certifications as required by the Privacy Standards

Business Associates. If the Business Associate provides notice to the Plan Administrator that the return or destruction of PHI in its possession is infeasible, the Business Associate shall extend the protections of the Business Associate Agreement to such PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as the Business Associate maintains such PHI.

INDIVIDUALS' RIGHTS

Compliance Policy. The Plan at all times shall comply with the requirements of the Privacy Standards regarding individuals' rights with respect to PHI.

Right to Request Restrictions on PHI Uses and Disclosures. An individual may request the Plan to (a) restrict uses or disclosures of his/her PHI to carry out treatment, payment or health care operations, or (b) restrict disclosures to family members, other relatives, close personal friends or other persons identified by the individual who are involved in his/her care or payment for that care. However, the Plan is not required to agree to a requested restriction.

If the Plan agrees to a requested restriction, the Plan shall not use or disclose PHI in violation of such restriction, except that, if the individual requested a restriction and later is in need of emergency treatment and the restricted PHI is needed to provide the emergency treatment, the Plan may use the restricted PHI, or it may disclose such information to a health care provider, to provide such treatment to the individual. If restricted PHI is disclosed to a health care provider for emergency treatment, the Plan shall request that such health care provider not further use or disclose the information.

A restriction agreed to by the Plan is not effective to prevent uses or disclosures required under Sections 164.502(a) (ii), or 164.512, or such similar provisions as may be amended in the Privacy Standards.

The Plan may terminate its agreement to a restriction, if:

 A.the individual agrees to or requests the termination in writing.

 B.the individual orally agrees to the termination and the oral agreement is documented.

 C.the Plan informs the individual that it is terminating its agreement to a restriction, except that such termination is only effective with respect to PHI created or received after the Plan has informed the individual of the termination.

If the Plan agrees to a restriction, it will document the restriction by maintaining a written or electronic record of the restriction. The record of the restriction will be retained for six (6) years from the date of its creation or the date when it last was in effect, whichever is later.

An individual or his/her personal representative will be required to request restrictions on uses and disclosures of PHI in writing. Such requests should be addressed to the contact person specified in the Plan's Notice of Privacy Practices.

Right to Request Confidential Communications of PHI. An individual may request to receive communications of PHI from the Plan by alternative means or at alternative locations if s/he clearly states that the disclosure of all or part of the information to which the request pertains could endanger the individual. The Plan will accommodate all such reasonable requests. However, the Plan may condition the provision of a reasonable accommodation on:

 A.when appropriate, information as to how payment, if any, will be handled.

 B.specification by the individual of an alternative address or other method of contact.

An individual or his/her personal representative will be required to request confidential communications of PHI in writing. Such requests should be addressed to the contact person specified in the Plan's Notice of Privacy Practices.

Right to Inspect and Copy PHI. An individual has a right to inspect and obtain a copy of his/her PHI contained in a Designated Record Set, for as long as the Plan maintains PHI in the Designated Record Set, except for psychotherapy notes; information compiled in reasonable anticipation of, or for use in, a civil, criminal or administrative action or proceeding; and other health information not subject to the right to access information under the Privacy Standards.

The Plan shall act on a request for access no later than thirty (30) days after receipt of the request. However, if the request for access is for PHI that is not maintained or accessible to the Plan on-site, the Plan shall take action no later than sixty (60) days from the receipt of such request. The Plan shall take action as follows: if the Plan grants the request, in whole or in part, the Plan shall inform the individual of the acceptance and provide the access requested. However, if the Plan denies the request, in whole or in part, the Plan shall provide the individual with a written denial. If the Plan cannot take action within the required time, the Plan may extend the time for such action by no more than thirty (30) days if the Plan, within the applicable time limit, provides the individual with a written statement of the reasons for the delay and the date by which it will complete its action on the request.

If the Plan provides access to PHI, it shall provide the access requested, including inspection or obtaining a copy, or both, of the individual's PHI in a Designated Record Set. The Plan shall provide the individual with access to the PHI in the form or format requested if it is readily producible in such form or format; or, if it is not, in a readable hard copy form or such other form or format as agreed to between the individual and the Plan. The Plan may provide the individual with a summary of the PHI requested, in lieu of providing access to the PHI, or may provide an explanation of the PHI to which access has been provided in certain circumstances. The Plan will arrange with the individual for a convenient time and place to inspect or obtain a copy of the PHI, or mail a copy of the PHI at the individual's request. If an individual requests a copy of PHI or agrees to a summary or explanation of PHI, the Plan may impose a reasonable, cost-based fee. Such fee shall include only the cost of (a) copying, including the cost of supplies for and labor of copying, the PHI requested; (b) postage, when the individual has requested the copy, or the summary or explanation, be mailed; and (c) preparing an explanation or summary of the PHI, if agreed to by the individual as set forth above.

If the Plan denies access to PHI in whole or in part, the Plan shall, to the extent possible, give the individual access to any other PHI requested, after excluding PHI as to which the Plan has grounds to deny access. If access is denied, the individual or his/her personal representative will be provided with a written denial setting forth the basis for the denial; if applicable, a statement of his/her review rights, including a description of how the individual may exercise those review rights; and a description of how the individual may complain to the Plan or to the Secretary of the U.S. Department of Health and Human Services ("HHS") (including the name, or title, and telephone number of the contact person specified in the Plan's Notice of Privacy Practices). If an individual requests review of a decision to deny access, the Plan will refer the request to a competent professional, who was not directly involved in the denial, for review. The reviewing party will determine, within a reasonable period of time, whether to deny the access requested. The Plan will promptly provide the individual with written notice of that determination and take any other action required by the Privacy Standards to carry out the determination.

Unreviewable grounds for denial. The Plan may deny an individual access without providing the individual an opportunity for review, in the following circumstances: (a) the PHI is excepted from the right of access by the Privacy Standards; (b) the PHI is contained in records that are subject to the Privacy Act, 5 U.S.C. § 552a, and as amended, if denial would meet the requirements of that law; and (c) the PHI was obtained from someone other than a health care provider under a promise of confidentiality and the access requested would be reasonably likely to reveal the source of the information.

Reviewable grounds for denial. The Plan may deny an individual access, provided the individual is given the right to have such denials reviewed, where: (a) a licensed health care professional has determined that such access is reasonably likely to endanger the life or physical safety of the individual or another person; (b) the PHI makes reference to another person (unless such other person is a health care provider) and a licensed health care professional has determined that the access requested is reasonably likely to cause substantial harm to such other person; or (c) the request for access is made by the individual's personal representative and a licensed health care professional has determined that the provision of access to such personal representative is reasonably likely to cause substantial harm to the individual or another person.

If the Plan does not maintain the PHI that is the subject of the individual's request for access, and the Plan knows where the requested information is maintained, the Plan will inform the individual where to direct the request for access.

An individual or his/her personal representative will be required to request access to the individual's PHI in writing. Such requests should be addressed to the contact person specified in the Plan's Notice of Privacy Practices.

In addition to the actions set forth above, the Plan shall:

 A.ensure that Designated Record Sets are kept separate from employment-related documents and employee personnel files.

 B.determine whether requested information is subject to the inspection and copying requirements of the Privacy Standards.

 C.date and time-stamp written requests when they are received to ensure that either responses are generated within thirty (30) days or that extensions are requested.

 D.log all requests and assign a supervisor to monitor the log on a weekly basis.

 E.log all inspections and/or copies made of PHI.

Right to Amend PHI. An individual has the right to request the Plan to amend his/her PHI or a record about him/her in a Designated Record Set for as long as the PHI is maintained in the Designated Record Set.

The Plan may deny an individual's request for amendment if it determines that the PHI or record that is the subject of the request:

 A.was not created by the Plan, unless the individual provides a reasonable basis to believe that the originator of PHI is no longer available to act on the requested amendment.

 B.is not part of the Designated Record Set.

 C.would not be available for the individual's inspection under the Privacy Standards.

 D.is accurate and complete.

The Plan has sixty (60) days after the request is made to act on the request. A single thirty (30) day extension is allowed if the Plan is unable to comply within that deadline provided that the Plan, within the original sixty (60) day time period, gives the individual a written statement of the reasons for the delay and the date by which it will complete its action on the request. If the Plan accepts the requested amendment, the Plan shall make the appropriate amendment to the PHI or record that is the subject of the request by, at a minimum, identifying the records in the Designated Record Set that are affected by the amendment and appending or otherwise providing a link to the location of the amendment. The Plan shall, in a timely manner, inform the individual that the amendment is accepted and obtain his/her identification of and agreement to have the Plan notify the relevant persons with which the amendment needs to be shared as provided in the Privacy Standards. The Plan shall make reasonable efforts to inform and provide the amendment within a reasonable time to: (a) persons identified by the individual as having received PHI about the individual and needing amendment, and (b) persons, including Business Associates (as defined in the Privacy Standards) of the Plan, that the Plan knows have the PHI that is the subject of the amendment and that may have relied, or could foreseeably rely, on such information to the detriment of the individual.

If the request is denied in whole or part, the Plan shall provide the individual with a written denial that (i) explains the basis for the denial, (ii) sets forth the individual's right to submit a written statement disagreeing with the denial and how to file such a statement, (iii) states that, if the individual does not submit a statement of disagreement, s/he may request that the Plan provide his/her request for amendment and the denial with any future disclosures of the PHI that is the subject of the amendment, and (iv) includes a description of how the individual may complain to the Plan or to the Secretary of HHS (including the name, or title, and telephone number of the contact person specified in the Plan's Notice of Privacy Practices). The Plan may reasonably limit the length of a statement of disagreement. Further, the Plan may prepare a written rebuttal to a statement of disagreement, which will be provided to the individual. The Plan shall, as appropriate, identify the record or PHI in the Designated Record Set that is the subject of the disputed amendment and append or otherwise link the individual's request for an amendment, the Plan's denial of the request, the individual's statement of disagreement, if any, and the Plan's rebuttal, if any, to the Designated Record Set. If a statement of disagreement has been submitted, the Plan will include the above-referenced material, or, at the Plan's election, an accurate summary of such information, with any subsequent disclosure of the PHI to which the disagreement relates. If the individual does not submit a written statement of disagreement, the Plan must include his/her request for amendment and its denial, or an accurate summary of such information, with any subsequent disclosure of the PHI only if requested by the individual.

If the Plan is informed by another Covered Entity (as defined in the Privacy Standards) of an amendment to an individual's PHI, the Plan shall amend the PHI in Designated Record Sets as required by the Privacy Standards.

An individual or his/her personal representative will be required to request amendment to PHI in a Designated Record Set in writing. Such requests should be addressed to the contact person specified in the Plan's Notice of Privacy Practices. All requests for amendment of PHI must include a reason to support the requested amendment.

In addition to the actions set forth above, the Plan shall:

 A.ensure that Designated Record Sets are kept separate from employment-related documents and employee personnel files.

 B.determine whether the information requested is subject to the amendment requirements of the Privacy Standards.

 C.date and time-stamp written requests when they are received to ensure that either responses are generated within sixty (60) days or that extensions are requested.

 D.log all requests and assign a supervisor to monitor the log on a weekly basis.

 E.if the request to amend is approved, log the result and include in the log how the Designated Record Set will be changed and how the individual was notified of the approval.

 F.ensure that related future disclosures include documentation regarding the amendment.

Right to Receive an Accounting of PHI Disclosures. At an individual's request, the Plan shall provide the individual with an accounting of disclosures by the Plan of his/her PHI during the six (6) years prior to the date on which the accounting is requested. However, such accounting need not include PHI disclosures made: (a) to carry out treatment, payment or health care operation; (b) to individuals about their own PHI; (c) incident to a use or disclosure otherwise permitted or required by the Privacy Standards; (d) pursuant to an authorization; (e) to certain persons involved in the individual's care or payment for that care; (f) to notify certain persons of the individual's location, general condition or death; (g) as part of a "Limited Data Set" (as defined in the Privacy Standards), which largely relates to research purposes; or (h) prior to the compliance date of April 14, 2003. An individual may request an accounting of disclosures for a period of time less than six (6) years from the date of the request.

The accounting will include disclosures of PHI that occurred during the six (6) years (or such shorter time period, if applicable) prior to the date of the request for an accounting, including disclosures to or by Business Associates of the Plan. Except as otherwise provided below, for each disclosure, the accounting will include:

 A.the date of the disclosure;

 B.the name of the entity or person who received the PHI and, if known, the address of such entity or person;

 C.a brief description of the PHI disclosed; and

 D.a brief statement of the purpose of the disclosure that reasonably informs the individual of the basis for the disclosure, or, in lieu of such statement, a copy of the individual's written authorization or a copy of a written request for disclosure.

If during the period covered by the accounting, the Plan has made multiple disclosures of PHI to the same person or entity for a single purpose, the accounting may, with respect to such multiple disclosures, provide the above-referenced information for the first disclosure; the frequency, periodicity or number of the disclosures made during the accounting period; and the date of the last disclosure.

If during the period covered by the accounting, the Plan has made disclosures of PHI for a particular research purpose for fifty (50) or more individuals, the accounting may, with respect to such disclosures for which an individual's PHI may have been included, provide certain information as permitted by the Privacy Standards. If the Plan provides an accounting for such research disclosures, and if it is reasonably likely that an individual's PHI was disclosed for such research activity, the Plan shall, at the individual's request, assist in contacting the entity that sponsored the research and the researcher.

If the accounting cannot be provided within sixty (60) days after receipt of the request, an additional thirty (30) days is allowed if the individual is given a written statement of the reasons for the delay and the date by which the accounting will be provided.

If an individual requests more than one (1) accounting within a 12-month period, the Plan shall charge a reasonable, cost-based fee for each subsequent accounting unless the individual withdraws or modifies the request for a subsequent accounting to avoid or reduce the fee.

An individual or his/her personal representative will be required to request an accounting of PHI disclosures in writing. Such requests should be addressed to the contact person specified in the Plan's Notice of Privacy Practices.

SEPARATION OF THE PLAN AND THE PLAN SPONSOR

Compliance Policy. The Plan Sponsor and the Plan Administrator hereby adopt the following Policies which shall be instituted and followed by the Plan Sponsor, both in its capacity as an employer and as the Plan Sponsor of the Plan, and by the Plan.

The Plan and the Plan Sponsor at all times shall comply with the Privacy Standards, and specifically, shall ensure that there exists adequate separation between the Plan and the Plan Sponsor, as required in the Privacy Standards.

Persons with Access to PHI. The following employees, or classes of employees, or other persons under control of the Plan Sponsor, shall be given access to the PHI to be disclosed:

 A.Human Resources or Benefits Manager

 B.staff members designated by the Human Resources or Benefits Manager

 C.Chief Financial Officer

 D.staff members designated by Chief Financial Officer

 E.Plan Auditor and Staff

The access to and use of PHI by the individuals described above shall be restricted to the Plan Administration activities that the Plan Sponsor performs for the Plan. Such persons at all times shall comply with the provisions of the Plan Document and Summary Plan Description relating to use and disclosure of PHI and with the Privacy Standards.

BUSINESS ASSOCIATE AGREEMENTS

Compliance Policy. The Plan at all times shall comply with the Privacy Standards regarding Business Associate Agreements in connection with disclosures of PHI.

All contracts negotiated and approved by the Plan which include the transmission or transfer of PHI shall include the following terms as stated in the Business Associate provisions of the Privacy Standards.

 A.Business Associates shall comply with the Privacy Standards as defined and amended from time to time in their capacity as a Business Associate as defined by the Privacy Standards.

 B.Business Associates will not use or disclose the PHI received from the Plan other than as permitted or required by their contract or the Privacy Standards.

 C.Business Associates will not use or further disclose the PHI in a manner that would violate the requirements of the Privacy Standards.

 D.Business Associates will use appropriate safeguards to prevent use or disclosure of the PHI other than as provided for by the terms of the contract.

 E.Business Associates will report to the Plan any use or disclosure of the PHI not provided for by their contract of which it becomes aware.

 F.Business Associates will ensure that any subcontractors or agents to whom the Business Associate provides PHI received from the Plan agree to the same restrictions and conditions that apply to the Business Associates with respect to such information.

 G.Business Associates will make available PHI in accordance with the Privacy Standards regarding access of individuals to PHI.

 H.Business Associates will make their internal practices, books, and records relating to the use and disclosure of PHI received from the Plan available to the Secretary of the Department of Health and Human Services for purposes of determining the Plan’s compliance with the Privacy Standards.

 I.Business Associates will, after termination of their contract, return or destroy all PHI received from the Plan that the Business Associate maintains in any form and retain no copies of such PHI. If return or destruction of all PHI is not feasible, the Business Associate shall continue to protect such PHI under the Privacy Standards as long as the PHI remains in its possession.

 J.Business Associates will incorporate any amendments or corrections to PHI when notified by the Plan in accordance with the Privacy Standards.

 K.The Plan may terminate the Business Associate's contract if it determines that the Business Associate has violated a material term of the contract required by the Privacy Standards.

 L.Business Associates shall make their practices, books, and records available in the event the Business Associate breaches its agreement with the Plan.

 M.In the event of a Business Associate’s breach, the Plan shall require that the Business Associate retrieve any improperly disclosed information, and adopt new practices to assure PHI is appropriately handled. In addition the Business Associate may be subject to audits or may be required to submit reports to demonstrate compliance with the Privacy Standards.

 N.The Plan may terminate the Business Associate's contract if the Business Associate cannot be relied upon to maintain privacy of PHI.

TRAINING

Compliance Policy. The Plan at all times shall comply with the Privacy Standards regarding training in connection with disclosures of PHI.

Employees working with PHI shall be provided privacy and security training regarding the vulnerabilities of PHI to ensure the protection of that PHI. Such employees shall be trained to understand their privacy and security responsibilities pursuant to the Plan’s policies and procedures and instructed to make security a part of their day-to-day activities. PHI privacy and security training shall be provided as a part of general employment orientation. Employees working with PHI shall be educated regarding confidentiality policies and password management and required to execute confidentiality agreements prior to working with PHI.

Upon material changes to the Plan’s policies and procedures, employees whose duties are affected by such changes shall be retrained consistent with the applicable policy changes.

The Plan shall document the provision of such training sessions and retain such documentation as required by the Privacy Standards.

PRIVACY/COMPLAINT OFFICER DESIGNATION & APPOINTMENT

Compliance Policy. The Plan at all times shall comply with the Privacy Standards regarding the designation of a Privacy Officer and a contact person for receipt of complaints in connection with disclosures of PHI.

The Privacy Officer shall be responsible for the development and implementation of the policies and procedures regarding compliance with the Privacy Standards. The Privacy Officer shall also serve as the contact person that is responsible for receiving complaints concerning the substance of the policies and procedures adopted by the Plan to comply with the Privacy Standards or the Plan’s compliance with the Privacy Standards, and to provide additional information about any matters covered by the Plan’s Notice of Privacy Practices as required by the Privacy Standards.

DECEASED INDIVIDUALS

Compliance Policy. The Plan at all times shall comply with the Privacy Standards regarding protection of PHI of deceased individuals in connection with disclosures of PHI.

The Plan shall protect the PHI of a deceased individual in the same manner and to the same extent as required for the PHI of living individuals. The Plan shall protect the confidentiality of PHI of a deceased individual as long as the Plan maintains such PHI. However, the Plan may disclose PHI of a deceased individual in the following situations:

 A.to coroners and medical examiners for identification of a deceased individual to determine the cause of death

 B.to funeral directors, consistent with any applicable laws, as necessary to carry out their duties with respect to a deceased individual. Such disclosures of PHI may occur prior to and in reasonable anticipation of the individual’s death

 C.to authorized Personal Representatives of the deceased individual

 D.for research purposes, if the researcher provides representation that the individual is deceased, that the disclosure of PHI is for research on the PHI of the decedent, and that the PHI is necessary for the research purposes

 E.to organ procurement organizations or other entities engaged in the procurement, banking or transplantation of cadaveric organs, eyes or tissue for the purpose of facilitating such donation or transplantation

The Plan shall treat an executor, administrator or other person who has authority to act on behalf of a deceased individual as a Personal Representative with respect to PHI.

AUTHORIZATIONS

Compliance Policy. The Plan at all times shall comply with the Privacy Standards regarding authorizations in connection with disclosures of PHI.

Authorizations are required for the Plan to disclose PHI for purposes other than treatment, payment, and health care operations. In addition, the Plan shall not require authorization for the following disclosures of an individual’s PHI that are:

 A.required by law

 B.for public health activities

 C.about victims of abuse, neglect or domestic violence

 D.for health oversight activities

 E.for judicial or administrative proceedings

 F.for law enforcement purposes

 G.about decedents

 H.for cadaveric organ, eye or tissue donation purposes

 I.to avert a serious threat to health or safety

 J.for specialized government functions

 K.for worker’s compensation purposes

The Plan shall require authorization for disclosures of an individual’s PHI for purposes other than treatment, payment or health care operations and specifically for:

 A.psychotherapy notes, except for:

  1.treatment uses by the originator of the notes (i.e., the therapist);

  2.defense against a legal action brought by the subject of the notes.

 B.marketing purposes

 C.research purposes

An authorization shall be in writing and must include all of the following core elements to be valid:

 A.a description of the information to be used or disclosed

 B.an identification of the persons or class of persons authorized to make the use or disclosure of the PHI

 C.an identification of the persons or class of persons to whom the Plan is authorized to make the use or disclosure

 D.a description of each purpose of the use or disclosure

 E.an expiration date or event (except for research, where a statement that there is no expiration date may be inserted instead)

 F.the individual's signature and date

 G.if signed by a Personal Representative, a description of his/her authority to act for the individual

Valid authorizations shall also contain the following statements, in addition to the above elements:

 A.that the individual may revoke the authorization in writing, and either a statement regarding the right to revoke, and instructions on how to exercise such right or, to the extent this information is included in the Plan’s Notice of Privacy Practices, a reference to the notice

 B.that treatment, payment, enrollment, or eligibility for benefits may not be conditioned on obtaining the authorization if such conditioning is prohibited by the Privacy Standards or, if conditioning is permitted, a statement about the consequences of refusing to sign the authorization

 C.that, generally, the health information may no longer be protected by the Privacy Standards once it is disclosed by the Plan (or a more specific statement of redisclosure risks where appropriate).

The Plan shall not condition enrollment or payment for health services on the provision of an authorization except for:

 A.the provision of research-related treatment, which may be conditioned on provision of an authorization for research uses and disclosures;

 B.enrollment in the Plan or eligibility for benefits may be conditioned on provision of a pre-enrollment authorization for risk-rating or underwriting determinations (except for psychotherapy notes);

 C.a claim under the Plan’s coverage, if the disclosure of information is necessary to determine the level or validity of the payment (except for psychotherapy notes); or

 D.provision of health care that is solely for the purpose of creating PHI for disclosure to a third party can be conditioned on an authorization for disclosure to that third party (e.g., a life insurance physical exam).

The Plan shall provide individuals with a copy of the signed authorization.

Multiple authorizations may be combined into a single document (except that authorizations for use or disclosure of psychotherapy notes may only be combined with other psychotherapy note authorizations).

In the event that multiple authorizations conflict, the Plan shall be bound by the more restrictive arrangement unless or until the conflict is resolved.

An individual may revoke an authorization at any time, provided that the revocation is in writing, except to the extent that the Plan has taken actions relying on it.

The Plan shall maintain the signed authorization for six (6) years from the date of its creation or the date when it last was in effect, whichever is later.

MARKETING

Compliance Policy. The Plan at all times shall comply with the Privacy Standards regarding marketing in connection with disclosures of PHI.

The Plan shall require a valid authorization from the individual for disclosures of PHI for marketing purposes.

PHI may be disclosed without an authorization of an individual for payment, treatment, and health care operations or the following activities of the Plan:

 A.face-to-face communication made by the Plan to an individual

 B.promotional gifts of nominal value provided by the Plan

Individuals may, at any time, decline to provide authorization for marketing purposes, revoke existing authorizations given for marketing purposes and request not to receive any future marketing communications.

DE-IDENTIFIED INFORMATION

Compliance Policy. The Plan at all times shall comply with the Privacy Standards regarding de-identified information in connection with disclosures of PHI.

The Plan may use or disclose De-Identified PHI upon the execution of a Data Use Agreement as a Limited Data Set for public health, research and health care operations purposes. De-Identified Information is defined as PHI with the following elements removed:

 A.names (including dependents)

 B.street address references

 C.telephone numbers

 D.fax numbers

 E.e-mail addresses

 F.social security numbers

 G.medical record numbers

 H.health plan beneficiary numbers

 I.account numbers

 J.certificate/license numbers

 K.vehicle identifiers (including serial numbers and license plate numbers)

 L.device numbers (such as serial numbers and model numbers)

 M.web Universal Resource Locators (URLs)

 N.Internet Protocol (IP) address numbers

 O.biometric identifiers (includes voice and fingerprints)

 P.full face photographic images or comparable images

 Q.any other unique identifying number, characteristic or code (i.e. clinical trial numbers)

 R.any other unique identifying number characteristic or code, except codes permitted by the Privacy Standards' re-identification standards

A Limited Data Set may include:

 A.admission, discharge and service dates

 B.dates of birth and death

 C.age (including age 90 +)

 D.5 digit zip codes or any other geographic subdivision (i.e., state, county, city, precinct, etc.)

A Data Use Agreement shall specify the following:

 A.establish the permitted uses and disclosures of the information by the recipient (consistent with the purposes of research, public health or health care operations)

 B.limit who can use or receive the data

 C.require the recipient to assure protection of the information in accordance with the Privacy Act Regulations and that any subcontractors retained by the recipient agree to do the same

 D.require that the recipient report to the Plan any unauthorized use or disclosure of which it becomes aware

 E.require the recipient to agree not to re-identify the data or contact the individuals

EMERGENCY SITUATIONS

Compliance Policy. The Plan at all times shall comply with the Privacy Standards regarding disclosures of PHI in connection with emergency situations.

In emergency situations, the Plan, if it determines that it is in the best interests of the individual, may disclose PHI that is directly relevant to the individual’s health care to an individual’s family member, other relative or other person. Such use or disclosure shall be without regard to whether the individual had previously requested a restriction on his/her PHI use or disclosure.

The Plan may also use or disclose PHI, without authorization or restriction, to law enforcement officers if the individual is a victim of crime and is unable to provide agreement to such use or disclosure because of incapacity or other emergency situations.

The Plan may disclose PHI about individuals whom it reasonably believes to be a victim of abuse, neglect or domestic violence under the following circumstances:

 A.as required by law, with such disclosure limited to the relevant requirements of the law

 B.with the individual’s agreement to such disclosure

 C.disclosure is authorized by statute or regulation and either:

  1.the Plan believes that disclosure is necessary to prevent serious harm to the individual or other potential victims;

  2.the individual is unable to provide agreement due to incapacity, the law or public official authorized to receive the disclosure represents that the disclosure is not intended to be used against the individual and that the immediate enforcement activity would be materially and adversely affected by any delay.

In these situations, the Plan shall make best efforts to notify the individual about the disclosure promptly. If the Plan believes that informing the individual of the disclosure would place the individual in jeopardy, the Plan may elect not to inform the individual of the disclosure. In addition, the Plan is not required to inform a Personal Representative of such disclosure, if it believes that person is responsible for the abuse, neglect or other injury and that informing the person is not in the individual’s best int