Notice of Privacy Practices
This policy pertains to the privacy practices of Mount Carmel Health Plan, Inc., DBA MercyOne Health Plan (“Company”). When this policy says “we,” “us,” “our,” it means Mount Carmel Health Plan, Inc. / MercyOne Health Plan.
MercyOne Health Plan Notice of Privacy Practices
Policy last revised Sept. 30, 2022
Protection of Information
Company understands that your information is highly personal and is committed to safeguarding your protected health information (“PHI”). Please read this Notice of Privacy Practices thoroughly. Company is required by law to maintain the privacy of PHI. We are required to provide you with notice of our legal duties and privacy practices with respect to PHI. We will only use or disclose your PHI as permitted or required by applicable state or federal law. We can help you understand our privacy practices and your rights.
Permitted Uses and Disclosures
Treatment
We may use and disclose PHI to doctors, hospitals, pharmacies and/or other health care providers who are involved in your care and treatment.
For example, doctors may request PHI from us for coordination of care purposes or doctors may send Company information about your diagnosis and treatment plan so we can arrange additional services. Company may also disclose your PHI to health care providers in connection with preventive health, early detection and disease and case management programs.
Payment
To help pay for your covered services, we may use and disclose PHI in a number of ways – in conducting utilization and medical necessity reviews; coordinating care; determining eligibility and coverage; determining prescription drug compliance; collecting premiums; calculating cost-sharing amounts and coordination of benefits; and responding to complaints, appeals and requests for external review.
For example, we may use your medical history and other health information about you to decide whether a treatment is a covered benefit and what the payment should be – and during the process we may disclose information to your provider. We also use PHI to obtain payment for any mail-order pharmacy services provided to you or to obtain payment for premiums.
Health Care Operations
Company may use and disclose PHI about you to develop better services for you. Other routine operations requiring use and disclosure of PHI include population health and wellness; underwriting and premium rating; administration of pharmacy benefit programs; coordination of benefits; and other general administrative activities including information resources and data management. Company is specifically prohibited from using or disclosing PHI that is genetic information of an individual for underwriting purposes as required by the Genetic Information and Nondiscrimination Act (“GINA").
Other Uses and Disclosures
Information and Health Promotion Activities
Company may use and disclose some of your PHI for certain health promotion activities. For example, your name and address may be used to send you newsletters or general communications. Company may also send you information based on your own health concerns. We may send you this information if it has determined that a product or service may help you. These communications will explain how the products or services relate to your well-being and can improve your health.
Research
Under certain circumstances, Company may use and disclose your PHI for research purposes. Research projects are subject to a special approval process. This process evaluates a proposed research project and its use of medical information, trying to balance the research needs with patients’ need for privacy of their medical information. Researchers are required to safeguard all PHI they receive. We may disclose your PHI without your authorization to medical researchers who request it for approved medical research projects; however, with very limited exceptions such disclosures must first be cleared through this special approval process.
More Stringent State and Federal Laws
There may be times where certain areas of state law is more stringent than the Health Insurance Portability and Accountability Act and associated regulations ("HIPAA"). Certain federal laws also are more stringent than HIPAA. Company will continue to abide by these more stringent state and federal laws.
The federal laws include applicable internet privacy laws, such as the Children’s Online Privacy Protection Act and the federal laws and regulations governing the confidentiality of health information regarding substance abuse treatment.
State law is more stringent when the individual is entitled to greater access to records than under HIPAA. State law also is more restrictive when the records are more protected from disclosure by state law than under HIPAA. For example, Ohio law may require that we obtain your authorization before releasing records containing HIV/AIDs diagnosis or before disclosing information regarding treatment you received at an Ohio licensed behavioral health facility. And in Idaho, electronic medical records must be provided by hospitals within three (3) days of the request being received.
Permitted Uses or Disclosures With an Opportunity for You to Agree or Object
Family/Friends
Company may disclose PHI about you to a friend or family member who is involved in your medical care. We may also give information to someone who helps you pay for your care. You have a right to request that your PHI not be shared with some or all of your family or friends.
Other Permitted Uses and Disclosures
Company may also disclose your PHI as follows.
Administer Your Plan
We may disclose PHI to your health plan sponsor for plan administration. For example, your company contracts with us to provide a health plan, and we provide your company with certain statistics to explain the premiums we charge.
Business Associates
To organizations that provide services to us and assure us in writing that they will protect the information. We will give out as little information as possible to allow our business associates to complete these tasks and Company requires these business associates to appropriately safeguard the privacy of your information.
Membership in Trinity Health
Members of Trinity Health (including Company) participate together in an organized health care arrangement for utilization review and quality assessment activities with respect to this information. Members of Trinity Health may also use your PHI for treatment, payment and/or health care operations permitted by HIPAA with respect to operations of the organized health care arrangement.
Uses and Disclosures Permitted by Public Policy or Law Without Your Authorization
Law Enforcement
Company will use and disclose PHI to federal, state, and local law enforcement officials as required by applicable law, such as identifying a criminal suspect or a missing person, or providing information about a crime victim or criminal conduct.
Legal Proceedings
Company will use and disclose PHI in response to a court order or other lawful purpose.
Required by Law
Company will disclose PHI about you when required by federal, state or local law to make reports or other disclosures. We may also make disclosures for judicial and administrative proceedings such as lawsuits or other disputes in response to a court order. Company will disclose your medical information to government agencies concerning victims of abuse, neglect or domestic violence. We will report drug diversion and information related to fraudulent prescription activity to law enforcement and regulatory agencies. Specialized government functions will include military and veteran’s activities, national security and intelligence activities, and protective services for the President and others. Company will make certain disclosures that are required in order to comply with workers’ compensation or similar programs.
Public Health Oversight or Safety
Company will use and disclose PHI to avert a serious threat to health and safety of a person or the public. We will use and disclose PHI to Public Health Agencies for immunizations, communicable diseases, etc. Company will use and disclose PHI for activities related to the quality, safety or effectiveness of FDA-regulated products or activities, including collecting and reporting adverse events, tracking and facilitating product recalls, etc. and post-marketing surveillance.
Health Information Exchange (HIE)
Your PHI may be disclosed to an approved health information exchange (“HIE”) to facilitate the provision of health care to you. The HIE has a duty under the law to maintain appropriate administrative, physical and technical safeguards to protect the privacy and security of PHI. Only authorized individuals may access and use PHI from the HIE. You or your personal representative have the right to request in writing that Company do either or both of the following: (i) not disclose any of your PHI to the HIE; and (ii) not disclose specific categories of your PHI to the HIE.
Any restrictions on the disclosure of PHI you request as described in the prior sentence may result in a health care provider not having access to information that is necessary for the provider to render appropriate care to you. Company will honor all requests for restrictions on disclosure of PHI to health information exchange(s) as required by law.
For more information or to request restrictions, please contact Company, either by mail or by calling Member Services.
3100 Easton Square Place, Suite 300
Columbus, OH 43219
Phone
1-800-240-3851 (TTY/TDD 711)
8 a.m. to 8 p.m., seven days a week
Use or Disclosure Requiring Your Authorization
Marketing
Company is not permitted to provide your PHI to any other person or company for marketing to you of any products or services other than certain Plan products or services unless you have signed an authorization. If Company receives direct or indirect payment from or on behalf of a third party to make a communication that encourages you to purchase or use that third party’s product or service, we will obtain your authorization.
Psychotherapy Notes, Sale of PHI, and Other Uses
In addition to marketing and research, the following uses and disclosures will be made only with your authorization: (i) most uses and disclosures of psychotherapy notes (if recorded by a mental health professional); and (ii) disclosures that constitute a sale of PHI. Company does not share or sell your PHI to companies that market health care products or services directly to consumers for use by those companies to contact you, such as drug companies, unless you have signed an authorization.
Other uses and disclosures of your medical information not described in this Notice will be made only with your written authorization. Written authorizations will let you know why we are using your PHI. You have the right to revoke an authorization at any time. If you have questions regarding authorizations, please call Member Services.
Individual Rights
Under federal privacy regulations, you have the following rights regarding your personal health information. You can exercise these rights as described below by contacting Company, either by mail or by calling Member Services.
3100 Easton Square Place, Suite 300
Columbus, OH 43219
Member Services
1-800-240-3851 (TTY/TDD 711)
8 a.m. to 8 p.m., seven days a week
Right to Confidential Communications. You have the right to request in writing to receive confidential communications of your PHI by alternative means or at alternative locations. For example, you may request that Company only contact you at work or by mail.
Right to Request Restrictions. You have the right to request restrictions on certain uses and disclosures of your PHI. Company will consider your request, but is not required to agree to your requested restrictions.
Right to Inspect and Copy. With some exceptions, you have the right to inspect and copy information about your PHI as long as we maintain the information. In certain limited circumstances, Company may be required to deny your request.
Right to Amend. With some exceptions, you have the right to request in writing an amendment of your PHI for as long as Company maintains the information.
Right to an Accounting. With some exceptions, you have a right to receive an accounting of certain disclosures of your PHI that Company has made.
Right to Receive a Copy of this Notice. You have the right to receive a paper copy of this Notice of Privacy Practices upon request.
Right to Notification of Breach. You will receive notification of any breach of your unsecured PHI.
Complaints
If you believe your privacy rights have been violated, you may file a complaint with Company. You may submit complaints directly to Company by mail or by calling Member Services.
3100 Easton Square Place, Suite 300,
Columbus, OH 43219
Member Services
1-800-240-3851 (TTY/TDD 711)
8 a.m. to 8 p.m., seven days a week
Company assures you that filing a complaint will in no way affect your covered services or membership in our plan – we will not retaliate against you for filing a complaint.
Complaints may also be filed with the Department of Health and Human Services, Office for Civil Rights, by:
- Sending a letter to 200 Independence Avenue, S.W., Washington, D.C. 20201,
- Calling 1-877-696-6775
- Visiting www.hhs.gov/ocr/privacy/hipaa/complaints
Further Information
To obtain additional information, please contact Member Services at 1-800- 240-3851 (TTY 711). Member Services is available 8 a.m. to 8 p.m., seven days a week.
Changes to This Notice
Company will abide by the terms of the notice currently in effect. We reserve the right to change the terms of its notice and to make the new notice provisions effective for all PHI that it maintains. We will notify you in writing of any substantial changes to the notice. Our current Notice of Privacy Practices is always available on this page of our website.