AultCare Insurance Plans—Notice of Privacy Practices

Your Information. Your Rights. Our Responsibilities.


This Notice of Privacy Practices (NPP) describes how medical and claims information about you may be used and disclosed, how you can get access to your information, and your rights under HIPAA. Please review this NPP carefully. Feel free to share it with your family or personal representative.


Introduction

AultCare Insurance Company (dba AultCare HMO), which is part of an Organized Health Care Arrangement with AultCare Corporation, AultCare Health Insuring Corporation dba PrimeTime Health Plan, and Aultra Administrative Group (AultCare or We) is a Group Health Plan Covered Entity under HIPAA.

We’re committed to safeguarding the Privacy and Security of Protected Health Information of our enrollees and their eligible dependents (you) in paper (PHI) or electronic form (ePHI).

This NPP describes our HIPAA-compliant policies and procedures for the Use and Disclosure of your PHI/ePHI, including the use of PHI/ePHI for eligibility, enrollment, underwriting, claims processing, coordination of benefits, and payment of treatment under your group health plan in compliance with HIPAA’s Privacy and Security Rules (updated by the Omnibus Rule of 2013), the HITECH Act, and the Genetic Information Nondiscrimination Act (GINA).

You may access this NPP on our website www.primetimehealthplan.com. If you do not have a computer or internet access, or if you want a paper copy of this NPP, please call our Service Center at 330-363-7407 or 1-800-577-5084.

Not every use or disclosure of PHI, with or without a signed Authorization, is listed in this NPP. Uses or disclosures not specified in this NPP often require an Authorization. Please contact our Privacy Officer if you have a question, concern, or need further guidance.


Terms

Accounting. An Accounting is a list of disclosures of your PHI/ePHI we have made.

Authorization. An Authorization is a document signed and dated by the individual who authorizes the use or disclosure of PHI/ePHI for purposes other than treatment, payment, or healthcare operations.

Business Associates. We contract with outside business associates that may access, use, or disclose PHI/ePHI to perform covered services for us. Examples include auditing, accounting, accreditation, actuarial services, and legal services. Business associates must protect the privacy and security of your PHI/ePHI to the same extent we do. If a business associate delegates services to a subcontractor or agent, that subcontractor or agent also is a business associate that must comply with HIPAA.

Covered Entities. Covered entities include health care providers (e.g., hospitals, doctors, nurses, nursing homes, home health agencies, durable medical equipment suppliers, other health care professionals and suppliers), and group health plans. AultCare is a group health plan covered entity.

Designated Record Set. A designated record set is a group of records containing PHI in paper or electronic form that we created and store. A designated record set includes medical, healthcare and service records, billing, claims and payment information, eligibility and enrollment information, and other information we use to make decisions regarding the coverage and payment of medical care under your plan. Records created by others are not part of a designated record set.

Disclose. Disclose means our releasing, transferring, providing access to, or divulging PHI/ePHI to a third party, including covered entities and their business associates: (1) for treatment, payment, and health care operations; or (2) when you permit us by your signed authorization; or (3) as required by law.

Genetic Information. Genetic information includes genetic testing of the individual or family members.

Health Plan. Health plan means an individual or group health plan that provides, or pays the cost of, medical care and includes a health insurance issuer, HMO, Part A or B of Medicare, Medicaid, voluntary prescription drug benefit program, issuer of Medicare supplemental policy, issuer of a long-term care policy, employee welfare benefit plan, plan for uniformed services, veterans health care program, CHAMPUS, Indian health service program, federal employee health benefit program, Medicare Advantage plan, approved state child health plan, high risk pool, and any other individual or group health plans or combination that provides or pays for the cost of medical care. AultCare is a group health plan.

Health Care Operations. Health care operations include quality assurance, performance improvement, utilization review, accreditation, licensing, legal compliance, provider/supplier credentialing, peer review, business management, auditing, enrollment, underwriting, stop-loss/reinsurance, and other functions related to your health plan, as well as offering and providing preventive, wellness, case management, and related services.

Individual. Individual means the enrollee or eligible dependent (including minors) to whom PHI belongs. It also applies to your family member or personal representative acting on your behalf.

Minimum Necessary. We will limit the use or disclosure of your PHI/ePHI to the minimum needed to accomplish the intended purpose of the use, disclosure, or request.

Payment. Payment means the activities by a group health plan to obtain premiums or to determine or fulfill its responsibility for coverage and the provisions of benefits under your plan and includes eligibility or coverage determination, coordination of benefits, adjudication and subrogation of health benefit claims, billing, claims management, EOBs, health care data processing, reinsurance (including stop-loss and excess), determination of medical necessity, utilization review (including pre-certification and retrospective review), and related activities.

Personal Representative. Personal Representative means a person acting on behalf of the individual, including family, spouse, guardian, attorney-in-fact under a durable or general power of attorney, or friend assisting the individual with healthcare and payment decisions.

Protected Health Information (PHI/ePHI). PHI/ePHI means individually identifiable medical and health information regarding your medical condition, treatment of your medical condition, and payment of your medical condition, and includes oral, written, and electronically generated and stored information. PHI/ePHI excludes de-identified information or health information regarding a person who has been deceased for more than 50 years.

Treatment. Treatment means the provision, coordination, and management of health care and services by one or more health care providers, including referrals and consultations between providers or suppliers.

Use. Use means our accessing, sharing, employing, applying, utilizing, examining, or analyzing your PHI/ePHI within the AultCare organization for payment and health care operation purposes. Your PHI/ePHI is accessible only to members of AultCare’s workforce who have been trained in HIPAA Privacy and have signed a confidentiality agreement that limits their access and use of PHI/ePHI, according to the minimum necessary standard, to perform the authorized purpose.

Wellness Program. Wellness Program means a program that an employer has adopted to promote health and disease prevention, which is offered to employees as part of an employer-sponsored group health plan or separately as a benefit of employment.


Your Rights

When it comes to your health information, you have certain rights. This section explains some of your rights and our responsibilities.

You may get a copy or summary of your health and claims records:

  • You may ask to see or get a copy of your health and claims records and PHI kept in a designated record set. Please call the Service Center to ask how to do this. There are some restrictions.
  • We will get you a paper copy or electronic version of your health and claims records, or give you a summary, usually within 30 days of your request. We may charge reasonable, cost-based fees.

You may ask us to correct your health and claims records:

  • You may ask us in writing to correct your health and claims records in a designated records set if you believe they are incorrect, inaccurate, or incomplete. Please call the Service Center or visit our website to get an amendment request form.
  • We may say “no” to your request, but we’ll tell you why in writing within 60 days.
  • You will have an opportunity to appeal.

You may request confidential communications or communications by alternative means:

  • You may ask us to contact you about claims, premiums, EOBs, or other matters about your health plan and coverage in a specific way, such as home phone, office phone, or cell phone, or by alternate means, such as an address different from your home or usual email address.
  • Let us know if you do not want us to leave any voice mail message.
  • Contact the Service Center to request. We will consider all reasonable requests.

You may ask us to limit (restrict) what we use or disclose:

  • You may ask us in writing not to use or disclose certain health information for treatment, payment, or operations. We may honor your request if you pay for treatment in full out-of-pocket.
  • Please call the Service Center for a restriction request form or visit our website.
  • While we will consider reasonable requests, we are not required to agree to your request. We may say “no” if restricting information could affect your care or if disclosure is required by law.

You may request a list (“Accounting”) of those to whom we’ve disclosed PHI/ePHI:

  • You may ask in writing for a list of disclosures of your PHI/ePHI (Accounting) for the six years prior to your request.
  • We will include all disclosures except for those about treatment, payment, and health care operations, and disclosures made to you or that you authorized us to make. We’ll provide one accounting a year for free but will charge a reasonable, cost-based fee if you ask for another one within 12 months.

You may get a copy of this NPP:

  • You may ask for a paper copy of this NPP at any time, even if you have agreed to receive this NPP electronically. We will provide you with a paper copy promptly.
  • You may access an electronic copy of this NPP on our website at any time.

You may choose someone to act for you:

  • You may choose a family member or personal representative to receive PHI/ePHI from us, exercise your rights, and make choices for you.
  • We will use reasonable efforts to confirm that the person is authorized to act on your behalf before we take any action.

You may file a complaint if you believe your rights have been violated:

  • If you believe your privacy or your HIPAA rights have been violated, we urge you to contact our privacy officer, either by calling the Service Center or filing a written complaint at AultCare, P.O. Box 6029, Canton, OH 44706.
  • We take all complaints very seriously. We will investigate and take appropriate action if needed.
  • You also may file a complaint with the U.S. Department of Health and Human Services Office for Civil Rights by sending a letter to 200 Independence Avenue, S.W., Washington, D.C. 20201, calling 1-877-696-6775, or visiting hhs.gov/ocr/privacy/hipaa/complaints/.
  • We will never retaliate against you for filing a complaint, asking a question, or expressing a concern.

Communicating with You

This section describes how we may communicate with you, family members, or your personal representative.

Communicating with You:

We may communicate with you about claims, premiums, or other things regarding your health plan.

Communicating with Family or Others Involved In Your Care:  

  • We may disclose your PHI/ePHI to designated family, friends, guardians, persons named in a durable or general power of attorney, personal representatives, or others assisting in your care or payment of claims.

Minors and Emancipated Minors:

  • We may disclose a minor’s PHI/ePHI to the minor’s parent(s) or guardian, unless there are legal or policy reasons not to.
  • We will not disclose PHI/ePHI to the parent(s) or guardian of an emancipated minor. A minor is emancipated if he/she: (1) does not live with his/her parent(s); (2) is not covered by parental health insurance; (3) is financially independent of parent(s); (4) is married; (5) has children; or (6) is in the military.

Deceased Enrollees:  

  • If you die, we may disclose your PHI to the executor or administrator of your estate.
  • We may disclose PHI/ePHI to your spouse, family, personal representative, or others who were involved in your care or management of your affairs, unless doing so would be inconsistent with your wishes made known to us.

Uses and Disclosures

This section describes how we typically use or disclose your PHI/ePHI with and without an Authorization.

No Authorization Needed:

  • We will create, receive, or access your PHI/ePHI, which we may use or disclose to other covered entities for treatment, payment, and health care operations, without the need for you to sign an Authorization.
  • We will disclose PHI/ePHI needed to treat or authorize treatment. For example, a doctor or health facility involved in your care may request your PHI/ePHI to make treatment decisions covered by the plan.
  • We will use or disclose your PHI needed for payment. For example, we will use information about your medical procedures and treatment to process and pay claims, to determine whether services are medically necessary, and to pre-authorize or certify services covered by your health plan.
  • We may disclose PHI/ePHI to governmental or commercial health plans that may be obligated under coordination of benefit rules to process and pay your claims.
  • We will use and disclose your PHI/ePHI as necessary or required by law to administer your plan and for our health care operations. For example, we may use or disclose PHI/ePHI for underwriting purposes. We will not use or disclose genetic information for underwriting purposes.
  • We may disclose PHI/ePHI to business associates to perform covered services. It is not necessary for you to sign an Authorization for us to share PHI/ePHI with our business associates for covered services. 

Authorization Needed:

We will not use or disclose your PHI/ePHI for any purpose other than treatment, payment, or healthcare operations without your signed HIPAA-compliant Authorization, unless required by law.

  • We will not disclose psychotherapy notes without a signed Authorization unless required by law.
  • We will not disclose your PHI/ePHI to your employer without your signed Authorization. We may disclose PHI/ePHI to the plan sponsor of your health benefit plan on condition that the plan sponsor certifies that it will maintain the confidentiality of PHI/ePHI and will not use PHI to make employment-related decisions or employee benefit determinations.
  • We will not release medical records if subpoenaed, unless you sign an Authorization, or the lawyers sign a qualified protective order, or if we receive a valid court or administrative order.

You may choose to receive information about health-related products or services or fundraising:

  • We may use your PHI/ePHI if we believe you may be interested in, or benefit from, treatment alternatives, wellness, preventive, disease management, or health-related programs, products or services that may be available to you as an enrollee or eligible beneficiary under your health plan. For example, we may use your PHI/ePHI to identify whether you have a particular illness, and contact you to let you know that a disease management program is available to help manage your illness.
  • Let us know if you do not want to be contacted or receive information about these services and programs. Opting out will not affect coverage or services.
  • We will not sell or disclose your PHI/ePHI to third parties for marketing without your Authorization, which will indicate whether we are paid for selling PHI.
  • We may contact you about charitable fundraising. If you do not want to be contacted or receive fundraising materials, let our Service Center know. Opting out will not affect coverage or services. 

Wellness Programs:

  • If you voluntarily choose to participate in a Wellness Program, you may be asked to answer questions on a health risk assessment (HRA) and/or undergo biometric screenings for risk factors.
  • Wellness Programs may also provide educational health-related information or services that may include nutrition classes, weight loss and smoking cessation programs, onsite exercise facilities, and/or health coaching to help employees meet their health goals.
  • If your employer has entered or may enter into a contract with us to perform services, as well as receive, collect, use, disclose, and store data in connection with a Wellness Program, we will protect the privacy of your PHI.

Use and Disclosure of Health Information Permitted or Required by Law  

We may use or disclose PHI/ePHI, without your Authorization, as required by law, including, but not limited to:

  • Workers’ Compensation
  • Public health agencies
  • FDA and OSHA
  • Ohio Department of Insurance and other regulatory and licensing agencies
  • Armed Forces to assist in notifying family members of your location, general condition, or death
  • Law Enforcement
  • Homeland security
  • Emergency and disaster
  • Prevent threat of serious harm
  • Proof of immunization

Breach Notification

  • You have the right to notification if a breach of your PHI/ePHI occurs. We will promptly notify you by first-class mail, at your last known address, or by email (if you prefer) if we discover a breach of unsecured PHI/ePHI, which includes the unauthorized acquisition, access, use, or disclosure of your PHI/ePHI, unless we determine through a risk analysis that a low probability exists that the compromise of your PHI would cause you financial, reputational, or other harm. 
  • We will include in the breach notification a brief description of what happened, a description of the types of unsecured PHI involved, steps you should take to protect yourself from potential harm, a brief description of what we are doing to investigate the breach and mitigate any potential harm, as well as contact information for you to ask questions and learn additional information.

Changes to this NPP

This section describes how and when we may change this NPP and how we will inform you of any material changes.

  • We reserve the right to change this NPP at any time, which we may make effective for PHI/ePHI we already used or disclosed, and for any PHI/ePHI we may create, receive, use, or disclose in the future.
  • We will make material amendments based on changes in the HIPAA laws.
  • The revised NPP will be posted on our website www.aultcare.com. Copies of revised NPPs will be mailed to all enrollees covered by the plan, and copies may be obtained by mailing a request to: Privacy Coordinator, P.O. Box 6029, Canton, Ohio 44706.

If you have questions or need further assistance regarding this Notice, you may contact the Service Center at 330-363-7407 or 1-800-577-5084. For people who are hearing impaired, please call our TTY line at 330-363-7460 or 1-800-617-7446. Interpreter services are provided free of charge to you. A customer service representative is available to assist you Monday through Friday from 8 a.m. to 8 p.m. (October 1 – February 14th, we are available 7 days a week, 8 a.m. to 8 p.m.). If you would like to meet with a customer service representative in person, you can visit us during our office hours Monday through Friday from 8:00 a.m. to 4:30 p.m. As a member you retain the right to obtain a paper copy of this Notice of Privacy Practices, even if you have requested such copy by e-mail or other electronic means.


EFFECTIVE DATE

This Notice of Privacy Practices became effective on April 14, 2003.

Reviewed: 07/31/06, 09/25/06, 04/06/07, 02/15/12, 6/15/12 (name change), 9/18/13, 9/3/14, 9/10/15; 5/24/16, 7/31/16
Revised: 07/31/06, 09/25/06, 04/06/07, 02/15/12, 6/15/12 (name change), 7/17/13; 5/24/16, 8/1/16, 1/13/2017


Approved 9/3/14; 7/31/16 in Privacy Committee. MK, KKT