Summary of Privacy Information
For employer groups, brokers and consultants
The HIPAA Privacy Regulations provide numerous requirements that health plans and providers must comply with in order to protect the privacy of individuals' health care information. These regulations govern the uses and disclosures of an individual's protected health information (PHI) and will give our members a number of new rights to control the use and disclosure of their PHI.
PHI is any written, verbal or electronic form of information relating to a person's past, present or future health condition, delivery or payment of health services that identifies an individual or where there is a reasonable basis to believe the information could be used to identify the individual.
New member rights under HIPAA Privacy
Under the HIPAA Privacy Regulations, a member has the right:
- To be provided with a Notice of Privacy Practices. View a PDF of Tufts Health Plan's Notice of Privacy Practices here.
- To request Tufts Health Plan restrict its uses and disclosures of his/her PHI, and request Tufts Health Plan send communications to an alternate address
- To access most of his/her PHI Tufts Health Plan possesses
- To request that Tufts Health Plan amend his/her PHI
- To request a list of some of the disclosures Tufts Health Plan has made of his/her PHI.
We're taking steps
Tufts Health Plan recently completed an 18-month privacy implementation effort to achieve compliance with the Privacy Regulations. The following is a list of some of our accomplishments to date:
- Designated a Privacy Officer.
- Developed and implemented 22 new policies and procedures to comply with the regulations. Completed a number of company-wide computer-based privacy trainings for employees. Completed additional training sessions for those employees who work with PHI on a regular basis and are affected by the new policies and procedures.
- Developed Tufts Health Plan's Notice of Privacy Practices. Our Notice was sent to all existing Tufts Health Plan and Tufts Health Plan Medicare Preferred subscribers. All new subscribers will receive the Notice upon enrollment.
- Mailed business associate contracts to all identified business associates, including vendors and providers who perform delegated duties.
- Mailed guidance materials to Tufts Health Plan affiliated employer groups, brokers and consultants.
Privacy regulations and group health plans
Group health plans, employee welfare benefit plans as defined by ERISA, must also comply with the Privacy Regulations.
The extent to which the Privacy Regulations will apply to group health plans and the employer/plan sponsor depends on the amount of protected health information (PHI) employers access and its funding arrangement (e.g. fully- or self-insured).
The following are some examples of the requirements for employers/plan sponsors:
- Amend plan documents to permit access to PHI by the employer/plan sponsor
- Certify compliance with the regulations
- Ensure PHI will not be used for any decisions affecting an individual's employment.
Examples of PHI include an individual's demographic information and claims information, including the individual's name, copy of medical records, reports containing identification numbers and claim payments.
To access some informative documents regarding the HIPAA Privacy Regulations, to learn more about what steps you may need to take, or to learn more about Tufts Health Plan's compliance efforts, visit our HIPAA Privacy documents page.