Office of Ethics, Compliance & Privacy site logo

Office of Ethics, Compliance,
and Risk

 

GW Health Information Privacy

Policy Summary

The George Washington University ("GW" or "university") Health and Welfare Benefit Plan (the “Plan”) is committed to and takes reasonable steps towards protecting the privacy of employees’ Protected Health Information (“PHI”), and will use or disclose the minimum amount of PHI required to reasonably provide necessary services. The Plan also pledges to provide employees with certain rights related to their PHI.

For purposes of this policy, “Plan participant” and “participant” refer to employees and dependents who are eligible for benefits described under the Plan. 

This policy informs employees how PHI may be used and disclosed by the Plan, explains how participants can obtain access to their PHI, and complies with the Health Insurance Portability and Accountability Act of 1996  and the Health Information Technology for Economic and Clinical Health Act and the related regulations (collectively, “HIPAA”).

Who is Governed by this Policy

  • Staff
  • Faculty

Policy

PHI includes demographic information that may identify a participant and that relates to healthcare services provided to a participant, the payment of healthcare services provided to a participant, or a participant’s physical or mental health condition (in the past, present, or future). 
 
The Plan collects certain PHI about its participants to help provide them with health benefits, as well as to fulfill legal requirements. The Plan collects this identifying information from applications and other forms completed by the participant, through conversations the participant may have with the Plan’s administrative staff and health care providers, and from reports and data provided to the Plan by health care service providers or other employee benefit plans. Participant PHI maintained by the Plan includes, among other things, names, addresses, phone numbers, birth dates, Social Security numbers, and medical and health claims information. This is the information that is subject to the privacy practices described in this Policy. 
 
This policy does not apply to health information collected or maintained by the university on behalf of the non-health employee benefits that it sponsors, including disability benefits, life insurance, accidental death and dismemberment insurance, and workers’ compensation insurance. This policy also does not apply to health information that the university requests, receives, and maintains about Plan participants for employment purposes (such as employment testing), or for determining eligibility for medical leave benefits under the Family and Medical Leave Act or disability accommodations under the Americans with Disabilities Act.

The Plan’s Uses and Disclosures of PHI

 Except as described in this section, as provided for by federal, state, or local law, or as the Plan participant has otherwise authorized, the Plan only uses and discloses PHI for Plan administration and claims processing. Uses and disclosures that do not require written authorization from the Plan participant are described below.

  1. Uses and Disclosures for Treatment, Payment, and Health Care Operations

    1. For Treatment: The Plan may use and disclose PHI to a health care provider, such as a hospital or physician, to assist the provider in treating a Plan participant. For example, if the Plan maintains information regarding interactions between a Plan participant’s prescription medications, the Plan may disclose this information to the Plan participant’s health care provider for treatment purposes.

    2. For Payment: The Plan may use and disclose PHI to allow for the payment of claims for health care services according to its terms. For example, if the Plan has a question regarding payment for health care services received by a Plan participant, the Plan may contact the health care provider for additional information.

    3. For Health Care Operations: The Plan may use or disclose PHI so that it can operate efficiently and in the best interests of its participants. For example, the Plan may disclose PHI to its auditors to conduct an audit involving the accuracy of claim payments

  2. Uses and Disclosures to Business Associates: The Plan may disclose PHI to third parties that assist the Plan in its operations.  For example, the Plan may share PHI with its business associate if the business associate is responsible for paying medical claims for the Plan. The Plan's business associates have the same obligation to keep PHI confidential as the Plan does and must agree in writing to do so. The Plan must require its business associates to ensure that PHI is protected from unauthorized use or disclosure.

  3. Uses and Disclosures to the Plan Sponsor: The Plan may disclose PHI, without a Plan participant’s consent, to the university for administration purposes, such as determining the amount of benefits the participant or their eligible dependent is entitled to from the Plan; determining or investigating facts that are relevant to a benefit claim; determining whether benefits should be terminated or suspended; performing duties that relate to the establishment, maintenance, administration and/or amendment of the Plan; communicating with participants about the status of a claim; recovering any overpayment or mistaken payments made to participants and handling issues related to subrogation and third-party claims. 

    The university has designated certain offices and employees who represent the Plan. These are the Office of Benefits, Human Resource Management and Development, and the Office of the Vice President and General Counsel. Any PHI that a Plan participant discusses with university employees in these offices while they are performing duties that are related to the Plan is subject to the privacy practices described in this policy. 

  4. Other Uses and Disclosures That May Be Made Without a Participant’s Authorization: HIPAA provides for specific uses or disclosures of PHI that the Plan may make without a Plan participant’s authorization, as follows: 

    1. Required by Law: The Plan may use and disclose PHI as required by federal, state, or local law.  For example, the Plan may disclose PHI for the following purposes:

      • For judicial and administrative proceedings pursuant to a court or administrative order, legal process, and authority.

      • To report information related to victims of abuse, neglect, or domestic violence.

      • To assist law enforcement officials in their law enforcement duties.

    2. Health and Safety: PHI may be disclosed to avert a threat to the health or safety of a Plan participant, any other person, or the public, pursuant to applicable law.  PHI also may be disclosed for public health activities, such as preventing or controlling disease or disability. 

    3. Government Functions: PHI may be disclosed to the government for specialized government functions, such as intelligence, national security activities, and protection of public officials. PHI may also be disclosed to health oversight agencies that monitor the health care system for audits, investigation, licensure, and other oversight activities.  
    4. Active Members of the Military and Veterans: PHI may be used or disclosed to comply with laws related to military service or veterans’ affairs. 
    5. Workers Compensation: PHI may be used or disclosed in order to comply with laws related to Workers’ Compensation. 
    6. Emergency Situations: PHI may be used or disclosed to a family member or close personal friend involved in the care of a Plan participant in the event of an emergency, or to a disaster relief entity in the event of a disaster.  
    7. Others Involved In a Participant’s Care: In limited instances, PHI may be used or disclosed to a family member, close personal friend, or others whom the Plan has verified are involved in a Plan participant’s care or payment for their care. For example, if a Plan participant is seriously injured and unable to discuss their case with the Plan, the Plan may so disclose PHI to those involved in the Plan participant’s care.  Also, upon request, the Plan may advise a family member or close personal friend about the Plan participant’s general condition, location (such as in the hospital), or death. Plan participants have the ability to request that these disclosures be restricted as outlined later in this Policy. 
    8. Personal Representatives: PHI may be disclosed to individuals authorized by the Plan participant, or individuals who have the right to act on a Plan participant’s behalf.  Examples of personal representatives include parents for minors and those who have Power of Attorney for adults.  
    9. Treatment and Health-Related Benefits Information: The Plan and its business associates may contact a Plan participant to provide information about treatment alternatives or other health-related benefits and services that may interest them including, for example, alternative treatment, services, or medication.  
    10. Research: Under certain circumstances, HIPAA permits the Plan to use or disclose PHI for research purposes, as long as the procedures required by law to protect the privacy of the research data are followed. However, the Plan does not use or disclose PHI for research purposes.

    11. Organ and Tissue Donation: If a Plan participant is an organ donor, PHI may be used or disclosed to an organ donor, eye, or procurement organization to facilitate an organ or tissue donation or transplantation. 

    12. Deceased Individuals: The PHI of a deceased individual may be disclosed to coroners, medical examiners, and funeral directors to allow those professionals to perform their duties.

  5. Prohibition on Use and Disclosures of Genetic Information: The Plan is prohibited from using or disclosing Plan participants’ genetic information for underwriting purposes.

  6. Any Other Uses and Disclosures Requires Plan Participant's Authorization: Most uses or disclosures of psychotherapy notes (where applicable), uses and disclosures of PHI for marketing purposes, and disclosures that constitute the sale of PHI require authorization. Other uses and disclosures of PHI other than those described above will be made only with the express written authorization of the Plan participant. The Plan participant may revoke their authorization in writing. If so, the Plan will not use or disclose the Plan participant’s PHI subject to the revoked authorization, except to the extent that the Plan already has relied on their authorization.  

    Once PHI has been disclosed pursuant to a Plan participant’s authorization, HIPAA protections may no longer apply to the disclosed health information and that information may be re-disclosed by the recipient without the participant’s or the Plan’s knowledge or authorization. 

Health Information Privacy Rights

Plan participants have the following rights regarding their PHI collected and maintained by the Plan.  Plan participants are required to submit a written request related to these rights, as described below, and should address such requests to the Data Privacy Officer: 

 
Associate Vice President for Ethics, Compliance, and Risk & Data Privacy Officer

Office of Ethics, Compliance, and Risk

1922 F Street NW

Office 323W

Washington, D.C.20052

 

  1. Right to Inspect and Copy PHI: Plan participants have the right to inspect and obtain a copy of their health records. This includes, among other things, PHI regarding plan coverages, claim records, and billing records. To inspect and copy their health record maintained by the Plan, participants must submit a request in writing to the Privacy Officer at the address above. The Plan may charge a fee per page for the cost of copying as well as any applicable mailing costs. If a Plan participant’s health record is maintained electronically, they have the right to receive such PHI in the electronic form and format upon request, if it is readily producible; if the PHI is not readily producible in the requested electronic form and format, then the participant may receive their PHI in a readable electronic form and format agreed to by the participant and the Plan. The Plan may charge the participant for the cost of any electronic media (other than email) used to provide the electronic PHI. In certain limited circumstances, the Plan may deny a participant’s request to inspect and copy their health record. If the Plan does so, it will inform the participant in writing.  In certain instances, if denied access to the health record, the participant may request a review of the denial. 

  2. Right to Request Confidential Communications, or Communications by Alternative Means or at an Alternative Location: Plan participants have the right to request that the Plan communicate PHI to them in confidence by alternative means or in an alternative location.  For example, a Plan participant can ask that the Plan only contact them at work or by mail, or that the Plan provide them with access to their PHI at a specific location. To request confidential communications by alternative means or at an alternative location, a participant must submit their request in writing to the Privacy Officer at the address provided above. The written request should state the reason(s) for the request and the alternative means by, or location at which, the participant would like to receive their PHI. If appropriate, the request should state that the disclosure of all or part of the PHI by non-confidential communications could endanger the participant.  The Plan will accommodate reasonable requests and will notify participants appropriately. 

  3. Participant’s Right to Request That Their PHI Be Amended: Plan participants have the right to request that the Plan amend PHI if they believe that the information is incorrect or incomplete.  To request an amendment, participants must submit a detailed request in writing to the Privacy Officer at the address provided above, and provide the reason(s) that support the request.  The Plan may deny the request if asked to amend information that: 

    1. Was not created by the Plan, unless the Plan is provided with information that the person or entity that created the information is no longer available to make the amendment;
    2. Is not part of the PHI maintained by or for the Plan;
    3. Is not part of the information that the participant would be permitted to inspect and copy; or
    4. Is accurate and complete. 

The Plan will notify the participant in writing as to whether it accepts or denies the request for an amendment to the PHI. If the Plan denies the request, it will explain the reason(s) for the denial, and describe how the participant may continue to pursue the denied amendment. 

  1. Right to an Accounting of Disclosures: Plan participants have the right to receive a written accounting of disclosures. The accounting is a list of disclosures of PHI by the Plan to others; disclosures not included in the accounting are those for treatment, payment, or health care operations; those made to or authorized by the participant and certain other disclosures. The accounting covers up to six years prior to the date of the request.    

To request an accounting of disclosures, the participant should make the request in writing to the Privacy Officer at the address provided above. The request should specify the time period requested (if less than six years). The first accounting requested within a 12-month period is free; for additional accountings in a 12-month period, the Plan will charge the participant for the cost of providing the accounting. In the latter case, the Plan will notify the participant of the cost involved before processing the accounting to allow for the request to be withdrawn before any costs are incurred.  

  1. Right to Request Restrictions: Participants have the right to request restrictions on PHI used or disclosed by the Plan to carry out treatment, payment, or health care operations. Participants also maintain the right to request restrictions on PHI disclosed by the Plan to individuals involved in the participant’s care or in the payment for their care (such as a family member or friend). The Plan is not required to agree to the request for such restrictions, and the Plan may terminate its agreement to the restrictions requested.  To request restrictions, participants should submit a request in writing to the Privacy Officer at the address provided above, and advise the Plan as to what information they seek to limit, and how and/or to whom they would like the limit(s) to apply. The Plan will notify the participant in writing as to whether it agrees to the request for restrictions. The Plan will also notify participants in writing if it terminates an agreement to the restrictions that were requested. 

  2. Right to Receive Breach Notification: Participants have the right to, and will receive, notification if a breach of their unsecured PHI requiring notification occurs.   

  3. Right to Complain: Participants have the right to complain to the Plan and/or to the Department of Health and Human Services if they believe their privacy rights have been violated. To file a complaint with the Plan, participants must submit a complaint in writing to the Privacy Officer at the address provided above. Participants will not be retaliated or discriminated against, and no services, payment, or privileges will be withheld, due to complaints made to the Plan or the Department of Health and Human Services. 

  4. Right to a Paper Copy of Notice of Privacy Practices: Participants have the right to a paper copy of the Plan’s Notice of Privacy Practices.  To make such a request, participants must submit a written request to the Privacy Officer at the address listed above.

Participants may also obtain a copy of the Notice on the GW Benefits website. 

Changes in the Plan’s Privacy Practices 

The Plan reserves the right to change its privacy practices and to make the new practices effective for all PHI that it maintains, including PHI that it created or received prior to the effective date of the change and participant PHI it may receive in the future.     
 
If the Plan materially changes any of its privacy practices covered by this policy, it will revise this policy and provide participants with the revised policy within 60 days of the revision (or within such other time frame required under the regulations), or if the Plan posts the policy on its website it shall: (1) prominently post the material change or the revised policy on its website by the effective date of the material change to the policy; and (2) provide the revised policy, or information about the material change and how to obtain the revised policy during the next annual enrollment or at the beginning of the plan year if there is no annual enrollment process.  In addition, copies of the revised policy will be made available to Plan participants upon written request, and any revised policy will also be available on the GW Benefits website

Definitions

Individually Identifiable Information: Information that is created or received by a health care Health Information provider, health plan, employer, or health care clearinghouse; relates to the past, present, or future physical or mental health or condition of an individual, to the provision of health care to an individual, or the past, present or future payment for the provision of health care to an individual; and identifies the individual, or the information can be used to determine the identity of the individual.  
 
Protected Health Information (PHI): Information that includes all “Individually Identifiable Information (PHI) Health Information” transmitted or maintained by the Plans, regardless of form (oral, written, or electronic). 

Related Information

Contacts

Contact Phone Number Email Address
GW Benefits 571-553-8382 [email protected]

 

Responsible University Official: Vice President and Chief People Officer
Responsible Office: GW Benefits

Noncompliance with this policy can be reported through this website.