|
THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
The mission of the University of Michigan is to serve the people of Michigan and the world through preeminence in creating, communicating, preserving and applying knowledge, art, and academic values, and in developing leaders and citizens who will challenge the present and enrich the future. Through these activities and with numerous academic departments engaged in cutting-edge medical, public health, social science and behavioral research, the University collects, uses, and discloses personal health information to carry out its mission. This information is private and confidential. There are policies and procedures in place to protect the information against unlawful use and disclosure. The notice also provides you with other important information, including how to contact us with questions about this notice or our privacy practices.
I. What is this notice?
This notice describes information we collect, how we use that information, and when and to whom we may disclose it.
II. What is “personal health information”?
Personal health information or “PHI” (also called “protected health information”), is current, past or future information created or received by the University through its health care providers, health plans and contractors. It relates to the physical or mental condition of a patient or plan member, the provision of health care to that person, or payment for the provision of health care to that person. The term PHI does not generally include publicly available information, or information available or reported in a summarized or grouped manner.
III. What types of personal health information does the University of Michigan collect?
The University collects PHI through interactions with your health care providers. It can be obtained through applications, interviews, surveys and other forms. PHI may be obtained in writing, in person, by telephone and electronically. The information we collect varies depending on who collects it and why, but generally includes information about your relationship and transactions with our affiliates, our agents and us. Examples include:
- University Providers. If you receive health care services as a patient of one of our hospitals or health centers, University Health Services, Michigan Visiting Nurses, or other individual providers or health care organizations employed or operated by the University (the “University Providers”), the provider may collect or create information such as your name, address, telephone number, social security number, date of birth, medical history, diagnosis, treatment, provider identification and treatment information, financial responsibility and payment information, and family and emergency contact information.
- Employee Plans. If you receive health care benefits through a University-sponsored health benefits plan (an “Employee Plan”) as an employee or graduate student of the University or the employee’s or student’s dependent (spouse/domestic partner or child), we may collect information such as name, address, telephone number, social security number, date of birth, and related information. The organizations that administer these plans – commercial health benefits plans, pharmacy benefits managers, and others – may collect and exchange additional information, such as medical diagnosis and treatment information, but our employee benefits office generally does not request copies of this information without your authorization.
- Affiliated Health Plan Members. If you are a member of a health plan administered by the University or any of its subsidiaries (e.g., M-CARE, M-CAID, Kids Care –our “Affiliated Health Plans”), the plan may collect information:
* When we refer to the University of Michigan, the University, or we or us, we mean The Regents of the University of Michigan and its applicable affiliates to the extent they are acting as “health plans,” “health care providers,” and/or “health care clearinghouses” under the Health Insurance Portability and Accountability Act and related privacy regulations (“HIPAA”). A disability or worker’s compensation plan is not a health plan. Nor is the University of Michigan Medical School (including any University faculty member performing research), a health care provider. When we refer to “you,” we mean a patient of a University of Michigan health care provider; a University of Michigan employee who receives health benefits through the University; or a member of a health plan administered by a University affiliate such as M-CARE, and its wholly owned subsidiaries, M-CAID, Michigan Health Insurance Company (MHIC) or Kids Care.
† If you are a University employee or dependent, or if you are covered under an Affiliated Health Plan, this notice is not part of your health plan documents (group policy, certificate or evidence of coverage, booklet, group service agreement, schedule of benefits, etc.). It is provided to you for information only.
- From your plan sponsor or other payors (e.g., employers, unions, government agencies) regarding eligibility for coverage and other available coverage.
- From health care providers (e.g., doctors, dentists, psychologists, pharmacies, hospitals and other caregivers) such as medical history, diagnosis and treatment.
- From affiliates and agents (e.g., central diagnostic and referral units, pharmacy benefits managers, vendors, etc.) who help administer our Affiliated Health Plans about service requests and benefits provided.
- From you, your family or other caregivers about your treatment, medical history, or any aspect of coverage under the Affiliated Health Plan.
IV. How does the University of Michigan protect personal health information internally?
Access to PHI is restricted to only those employees who need it to provide services, products, or benefits to our patients, employees, health plan members and their dependents. We maintain physical, technical and procedural safeguards to protect PHI against unauthorized use and disclosure. We have several Privacy Offices that are responsible for developing, educating University personnel about, and overseeing the implementation and enforcement of policies and procedures designed to safeguard PHI against inappropriate use and disclosure consistent with the applicable law.
V. What personal health information do the University and other health care providers, employers and health plans use or disclose to third parties, and for what purposes?
When necessary for a patient’s care or treatment, the operation of an Employee Plan or Affiliated Health Plan, or for other related activities, we use PHI internally, share it with our affiliates, and disclose it to health care providers (doctors, dentists, psychologists, pharmacies, hospitals and other caregivers), insurers, third party administrators, plan sponsors and other payors (employers, health care provider organizations, and others who may be responsible for paying for or administering your health benefits); vendors, consultants, government authorities; and their respective agents. They are required by law to keep PHI confidential. Some examples of what we do with the information we collect and the reasons it might be disclosed to third parties are described below.
Treatment, Payment and Health Care Operations
We may use or disclose PHI with or without your consent to provide health care services or administer our health benefits plans. Examples of these uses and disclosures include:
- Treatment. University Providers use and disclose PHI without specific consent to provide, coordinate and manage health care and related services. These activities include coordination or management of health care by University Providers with other University units and third parties; consultation among our Affiliated Providers or between our Affiliated Providers and other health care providers; and patient referrals among providers.
- Payment. University Providers, Employee Plans and Affiliated Health Plans all use and disclose PHI to obtain and provide reimbursement for the provision of health care to patients and health plan members. Our Employee Plans and Affiliated Health Plans also use and disclose PHI to obtain premiums or determine or fulfill their responsibilities for coverage and provision of benefits under the plans. Examples of these payment activities include: billing, claims management, collections activities, and administration of reinsurance, stop loss and excess loss insurance policies, as well as related data processing; making eligibility, coverage, medical necessity, and related determinations, coordinating benefits among various payors, recovering payments from third parties liable for coverage; risk adjustment; utilization review activities, and disclosures to consumer reporting agencies. We may use or disclose PHI in connection with payment activities with or without your consent.
- Health Care Operations. University Providers, Employee Plans and Affiliated Health Plans all use and disclose PHI in connection with their standard business operations, including quality assessment and improvement activities. Examples of these activities include obtaining accreditation from independent organizations like the Joint Commission for the Accreditation of Healthcare Organizations, the National Committee for Quality Assurance and others, outcomes evaluation and development of clinical guidelines, operation of preventive health, early detection and disease management programs, case management and care coordination, contacting of health care providers and patients with information about treatment alternatives, and related functions; evaluations of health care providers (credentialing and peer review activities) and health plans; operation of educational programs; underwriting, premium rating and other activities relating to the creation, renewal or replacement of health benefits contracts; obtaining reinsurance, stop-loss and excess loss insurance; conducting or arranging for medical review, legal services, and auditing functions, including fraud and abuse detection and compliance programs; business planning and development; and business management and general administrative activities, including data and information systems management, customer service, resolution of internal grievances, and sales, mergers, transfers, or consolidations with other providers or health plans or prospective providers or health plans
Other Activities Permitted or Required by Law
We may use or disclose PHI for other important activities permitted or required by law, with or without your authorization. These include:
- Appointment Reminders and Treatment Alternatives. We may contact you to provide appointment reminders or information about treatment alternatives or other health-related benefits or services that may be of interest.
- Public Health and Safety. We may use or disclose PHI as necessary to prevent or reduce a serious and imminent threat to the health or safety of a person or the public, to people who may be able to reduce the threat, including the threatened person or law enforcement officials; or for other public health activities to public health authorities (such as the Michigan Department of Community Health or the U.S. Department of Health and Human Services) engaged in preventing or controlling disease, injury, or disability. For example, Michigan health care providers (including the University Providers) are required to report information about patients with certain conditions, such as HIV/AIDS and cancer, to central registries; they also are required to report information about immunizations administered to their patients. We also may disclose PHI to manufacturers of drugs, biologics, devices, and other products regulated by the federal Food and Drug Administration when the information is related to their quality, safety, or effectiveness. PHI also may be disclosed to certain people exposed to communicable diseases and to employers in connection with occupational health and safety or worker’s compensation matters.
- Required by Law. We may use or disclose PHI to the extent such use or disclosure is required by law and it complies with and is limited to the requirements of that law. For example, if you are treated by one of our Affiliated Providers for a gunshot or knife wound or similar trauma, we may be required to report that information to the police. If we suspect a person is a victim of abuse, neglect, or domestic violence, we may be required to file a report to the Family Independence Agency or another local or state agency and possibly to the police as well. We also use and disclose PHI for certain law enforcement purposes and in response to official subpoenas, court orders, discovery requests and other legal process. In addition, we use and disclose PHI in connection with health oversight activities (e.g., government audits of our compliance with certain laws and regulations; oversight of government-funded health benefits programs, etc.).
- Other Government Functions. We may use or disclose PHI in connection with military and veterans activities, national security and intelligence activities, protective services for the President of the United States and other dignitaries, and certain correctional facility activities.
- Research. We use and disclose PHI in connection with research performed by faculty members of the University of Michigan Medical School‡ and other departments and divisions, as well as researchers outside the institution. This research generally is subject to the oversight of a University of Michigan Institutional Review Board.‡ In most cases, while PHI may be used to help prepare a research project or to contact you to ask whether you want to participate in a study, it will not be further disclosed for research without your authorization. Sometimes, however, where permitted under federal law and institutional policy, and approved by an Institutional Review Board or a privacy board, PHI may be used or disclosed. In addition, PHI may be used or disclosed to compile “limited or de-identified data sets” that do not include your name, address, social security number or other direct identifiers. These data sets may, in turn, be used for research purposes.
- Fundraising. We may contact you to ask for contributions or assistance in raising funds to help pursue our mission.
- Facilities Directories. Our hospitals and other facilities use PHI to maintain directories of people staying in our facilities, including name, location, general condition (e.g., critical, stable), and religious affiliation. They also disclose this information to members of the clergy (e.g., priests, pastors, imams, rabbis) and to others who ask for an individual by name. You may object to these uses or disclosures when you enter our facilities.
† Neither the Medical School nor our Institutional Review Boards are “health plans,” “health care providers,” or “health care clearinghouses” under HIPAA.
- Plan Sponsor Communications. Our Employee Plans and Affiliated Health Plans may disclose PHI to the employer, union, government agency or other organization that pays for the costs of your coverage (the “plan sponsor”) as follows: to carry out plan administration functions; in summary form to obtain premium bids from health plans or to modify, amend, or terminate plans; and enrollment and participation information. We will disclose PHI to a plan sponsor only upon receipt of certification by the plan sponsor that it will appropriately use and protect the information and honor your rights (as described in Section VIII below) to access, review and amend the information, and to receive an accounting of certain disclosures of the information. For example, the plan sponsor will not be permitted to use the information for the purpose of employment-related actions or decisions or in connection with any other benefit or employee benefit plan that it sponsors.
- Family and Friends. Under certain circumstances, we may disclose PHI to family members, other relatives, or close personal friends or others that you identify to the extent it is directly relevant to their involvement with your care or payment related to your care; or to notify them of your location, general condition, or death.
- After Death. We may disclose PHI to coroners or medical examiners to identify a person who has died, determine the cause of death, or perform other functions authorized by law; and (before or after death) to funeral homes as necessary to carry out their duties. In addition, PHI of a person who has died may be used or disclosed in connection with research that does not involve any live subjects.
Our use and disclosure of PHI must comply not only with federal privacy regulations but also with applicable Michigan law. Michigan law provides different and sometimes more stringent protections to PHI than federal regulations. Examples of these protections include: (i) special protections for sensitive information, such as information about HIV/AIDS, treatment for psychiatric conditions or substance abuse problems, and certain genetic information; (ii) a bar against redisclosure of PHI collected by third party administrators of health plans for certain purposes; and (iii) a prohibition against making changes to medical records that would conceal or alter prior entries (even if inaccurate).
VI. Why is it important that personal health information be used and disclosed as described above?
The activities described above are necessary to effectively operate our hospitals and health centers, employee benefits and health plans, and other relevant units of the University. For example, many health plans feature cancer screening reminder programs that promote early detection of breast, cervical and colorectal cancer when these illnesses are most treatable. Disease management programs help patients work with their physicians to effectively manage chronic conditions like asthma, diabetes, and heart disease to improve quality of life and avoid preventable emergencies and hospitalizations. Initiatives to reduce medical errors help providers recognize and avoid potential safety hazards, like dangerous drug interactions. Quality assessment and research programs help us review and improve the services we provide. A variety of outreach programs help us educate patients and health plan members about the programs and services that are available to them, and let them know how they can make the most of their health benefits. Therefore, to the extent permitted or required by law, we use and disclose PHI as provided in Section V regardless of individual preferences. We recognize that many patients and health plan members do not want to receive unsolicited marketing materials unrelated to their health care or health benefits. For this reason, we ask for special permission before disclosing PHI for these marketing purposes.
VII. What does a person need to do to request other disclosures of personal health information?
Many patients and health plan members ask us to disclose PHI to people in ways not described above. For example, an elderly person may want us to make her records available to a neighbor who is helping her resolve a question about her care or payment for that care. Contact information to authorize us to disclose your personal health information to a person or organization or for reasons other than those described in Section V above appears below in section VIII.
If you fill out a form and later change your mind about the special authorization, you may send a letter to us at the address listed on the form to let us know that you would like to revoke the special authorization. In any communication with us, please provide your name, address, patient or member identification number or Social Security number, and a telephone number where we can reach you in case we need to contact you about your request.
VIII. What other rights does a person have with respect to personal health information, and how can the person exercise those rights?
- You have a right to ask us in writing to restrict use or disclosure of your PHI related to your treatment, related to your payment or related to routine health care facility operations. In addition, you may request PHI disclosure restrictions to
family members, other relatives or close friends involved in your care. We are not required to agree to such a restriction, but if we do agree, we will honor our agreement except in case of an emergency. Any restriction we agree to is not effective to prevent uses or disclosures of PHI (i) required by the Secretary of the Department of Health and Human Services to investigate or determine our compliance with federal privacy regulations adopted under the Health Insurance Portability and Accountability Act of 1996; (ii) for health facility directories (e.g., a roster of patients staying at a hospital); or (iii) for certain activities permitted or required by law (see Section V above).
- You may request, in writing, to receive confidential communications containing your PHI from us in ways or at locations that are outside our usual process. Our health care providers will make every effort to accommodate reasonable requests. However, the University’s Benefits Office and/or our affiliated health benefits plans may require that you demonstrate danger to yourself if we do not comply with your request. For example, this rule protects patients who are victims of domestic violence who wish to have health information sent to an address other than his or her own.
- You have a right to review and obtain a copy of existing PHI contained in (i) medical and billing records about you maintained by any University provider; (ii) enrollment, payment, claims adjudication and case or medical management record systems maintained by or for the Employee Plans or Affiliated Health Plans; and (iii) records used by or for any University provider or health plan to make decisions about you. You must make your request in writing and this right is limited to existing records that are maintained, collected, used or disseminated by or for a University Provider, an Employee Plan or an Affiliated Health Plan. It does not apply to psychotherapy notes we maintain; information we compile in reasonable anticipation of, or for use in, civil, criminal or administrative actions or proceedings; or to certain clinical laboratory information. We may charge a fee for any copies you request.
- You have a right to request that we amend the records described above for as long as we maintain them. You must make the request in writing and give us a reason for the amendment. We may deny your request if: (i) we determine that we did not create the record, unless the originator of the PHI is no longer available to act on the requested amendment; or (ii) if we believe that the existing records are accurate and complete. Note that an amendment may take several forms, for example we may add an explanatory statement to a record rather than changing it.
You have a right to receive an accounting of disclosures made by a University Provider, an Employee Plan, or an Affiliated Health Plan to any third party in the six years prior to the date on which the accounting is requested. This right does not apply to certain disclosures, including, but not limited to, disclosures made for the purposes of treatment, payment or health care operations; disclosures made to you or to others involved in your care; disclosures made with your authorization; disclosures made for national security or intelligence purposes or to correctional institutions or law enforcement purposes; or disclosures made prior to April 14, 2003.You must make any request for an accounting in writing and we may charge a fee to fill more than one request in any given year. Written requests should go to:
Director of Privacy
University of Michigan Health System
P.O. Box 7300
Ann Arbor, MI 48109-0626
Toll Free: 1-888-296-2481
What does the University of Michigan plan to do with personal health information about patients, employees and health plan members who are no longer affiliated with the University?
The University does not necessarily destroy PHI when individuals terminate their relationships with us. The information is necessary and used for many of the purposes described in Section V, even after the person stops receiving treatment or benefits through the University, or terminates employment with us. In many cases, the information is subject to legal retention requirements.
However, the policies and procedures that protect all PHI against inappropriate use and disclosure apply regardless of the status of any individual whose information is maintained.
IX. How is this notice distributed and updated?
The University of Michigan posts this notice on our internet site at http://www.med.umich.edu/hipaa and distributes this notice:
- To patients of our hospitals, health centers, and other points of care, no later than the date of first service delivery; or, in the
event of an emergency, as soon as reasonably practical after the emergency is over. University Providers also make copies of
the notice available and prominently posted at the point of care.
- To employees, at the time they enroll in an Employee Plan.
- To subscribers of our Affiliated Health Plans – including M-CARE, M-CAID, MHIC, and Kids Care– at the time of enrollment and within sixty (60) days of any material revision of the notice.
- To patients, employees and their dependents, and health plan members upon request (see Section VIII for contact information).
We reserve the right to change the terms of this notice. Any changes will be effective for all personal health information that we maintain.
X. What more do I need to know about my privacy rights?
The University of Michigan is required by law to maintain the privacy of personal health information and to provide individuals with notice of its legal duties and privacy practices with respect to that information. We are required to abide by the terms of the notice currently in effect.
XI. What should I do if I want a paper copy of this notice, if I have questions about it, or if I think my privacy rights have been violated?
If you would like a paper copy of this notice, have questions about it, or believe its terms or any University of Michigan privacy or confidentiality policy has been violated with respect to information about you, please let us know immediately at the address above or by phone Toll Free: 1-888-296-2481. Please include your name, address, and a telephone number where we can contact you, and a brief description of the complaint. If you prefer, you may lodge an anonymous complaint. You also may contact the Secretary of the Department of Health and Human Services at:
The U.S. Department of Health and Human Services
200 Independence Avenue, S.W.
Washington, D.C. 20201
(202) 619-0257
Toll Free: 1-877-696-6775
Please provide as much information as possible so that the complaint can be properly investigated. Neither the University of Michigan nor any of its affiliates will retaliate against a person who files a complaint with us or with the Secretary of the Department of Health and Human Services.
back
to top |
