
12-3 HIPAA: Notice of Privacy Practices

About CMU's "HIPAA notice of privacy practices policy"

This policy issues CMU's Notice of Privacy Practices and a Summary Notice of Privacy Practices as a hybrid entity under the Health Insurance Portability and Accountability Act of 1996.

NOTE ABOUT PDF VERSION: The PDF is the official text of the policy. If there are any incongruities between the text of the HTML version and the text within the PDF file, the PDF will be considered accurate and overriding.

PURPOSE

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its rules direct that a covered entity (CE) provide individuals with adequate notice of the uses and disclosures of protected health information that may be made by the covered entity, and of the individual’s rights and the covered entity’s legal duties with respect to protected health information. This policy issues CMU’s Notice of Privacy Practices and a Summary Notice of Privacy Practices for its Hybrid Entity.

POLICY

1.0 The HIPAA Privacy Officer and General Counsel will develop or revise CMU’s Notice of Privacy Practices and ensure it includes the required contents of the HIPAA Notice of Privacy Practices standard.

2.0 CMU’s Notice of Privacy Practices will be made available on CMU’s Office of HIPAA Compliance webpage.

3.0 All units covered under CMU’s Hybrid Entity designation:

a) Must make CMU’s Notice available to any person who asks for it.
b) Must prominently post and make available CMU’s Notice on any website it maintains that provides information about its services or benefits.
c) May email the Notice to an individual if the individual agrees to receive an electronic notice.
d) May not use or disclose PHI in a manner inconsistent with its Notice.

4.0 The Health Plan will provide notice:

a) At the time of enrollment to new enrollees.
b) If there is a material change to the Notice:

i. if the Health Plan posts the updated notice on the Health Plan's website and makes the notice available electronically, the Health Plan will:

i. prominently post the change or the revised notice on its web site by the effective date of the material change; and

ii. provide the revised notice, or information about the material change and how to obtain the revised notice, in its next annual mailing to individuals covered by the Plan.

c) If the Health Plan does not post its notice on its website, the Health Plan must provide the revised notice, or information about the material change and how to obtain the revised notice, to individuals who are then covered by the Plan within 60 days of any material revision to the notice.
d) At least every three years the Health Plan will notify individuals covered by the Health Plan of the availability of the Notice and how to obtain it.

5.0 For the Healthcare Components:

a) Healthcare providers within the hybrid entity will provide notice to new patients as follows:

i. Upon the individual’s first visit.

ii. When the first service delivery to an individual is provided over the Internet, if the first service delivery to an individual is delivered electronically, the covered healthcare component must provide electronic notice automatically and contemporaneously in response to the individual's first request for service.

iii. A healthcare component may provide the notice to an individual by e-mail, if the individual agrees to electronic notice and such agreement has not been withdrawn. If the healthcare component knows that the e-mail transmission has failed, a paper copy of the notice must be provided to the individual. The individual who is the recipient of electronic notice retains the right to obtain a paper copy of the notice from a covered entity upon request.

iv. In an emergency treatment situation, as soon as reasonably practicable after the emergency treatment situation.

v. The healthcare provider will make a good faith effort to obtain from new patients written acknowledgment of receipt of the Notice, and, if not obtained, document its good faith efforts to obtain the acknowledgment and the reason why the acknowledgment was not obtained (for example, that the form was offered to the individual and that the individual declined to sign the acknowledgment).

b) The healthcare provider will:

i. Have the Notice available at the service delivery site (typically the reception desk) for individuals to request and take with them.

ii. Post the Notice in the patient waiting area where individuals may read it.

c) Whenever the Notice is revised, post the revised Notice in the patient waiting area and make it available upon request on or after the effective date of the revision.

6.0 The attached Notice of Privacy Practices and the CE’s Summary Notices of Privacy Practices are hereby issued as the policy and procedure of CMU with regard to its obligations under HIPAA.

Central Michigan University reserves the right to make exceptions to, modify or eliminate this policy and/or its content. This document supersedes all previous policies, procedures, or guidelines relative to this subject.


HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) 

NOTICE OF PRIVACY PRACTICES

THIS NOTICE DESCRIBES HOW PROTECTED HEALTH INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION.

Healthcare Components Covered by this Notice

Central Michigan University (CMU) is a covered entity under HIPAA law. Because only some of its units handle medical information that is subject to HIPAA (referred to as Protected Health Information), CMU has designated itself as a hybrid entity. This notice applies to the privacy practices of CMU’s health care components included in its hybrid entity that may use and share your Protected Health Information as needed for treatment, payment or health care operations as described in this notice.

Our Commitment Regarding Your Protected Health Information

We are committed to protecting the privacy of your Protected Health Information or “PHI.” PHI is information that can be used to identify you that we have created or received about your past, present, or future health or condition, the provision of health care to you, or the payment for health care. We are required to provide you with this notice to explain our privacy practices and how, when, and why we use and disclose your PHI. In general, we may not use or disclose any more of your PHI than is necessary to accomplish the purpose of the use or disclosure, although there are some exceptions. We are legally required to follow the privacy practices described in this notice and notify you following a breach of your unsecured PHI.

We are required to provide you with a summary of our Notice of Privacy Practices, and a copy of the Notice of Privacy Practices upon request. We must follow the privacy practices described in this notice while it is in effect. This notice took effect April 14, 2003, and was most recently revised March 14, 2024, and will remain in effect until we replace or modify it.

We reserve the right to change our privacy practices and the terms of this notice at any time, provided that applicable law permits such changes. These revised practices will apply to your PHI regardless of when it was created or received. When we make a material change to our privacy practices, we will provide you with a revised Notice of Privacy Practices.

Where multiple state or federal laws protect the privacy of your PHI, we will follow the requirements that provide the greatest privacy protection. For example, when you authorize disclosure to a third party, state law may require us in certain circumstances to condition the disclosure on the recipient’s promise to obtain your written permission to disclose to someone else.

Other laws, such as the Federal Education Rights and Privacy Act of 1974 (FERPA), may govern your health information. By reading and acknowledging this Notice, you consent to your information being used and disclosed for purposes permitted by and outlined in such Notice.

Our Uses and Disclosures of Protected Health Information

We do not sell your PHI to anyone or disclose your PHI to other companies who may want to sell their products to you (e.g., catalog or telemarketing firms). Your authorization is not required for us to use and disclose your information for the following purposes. Other uses and disclosures not described in this notice will be made only with your written authorization.

1. For Treatment

We may use and disclose your PHI to provide you with medical treatment, products, or services. For example, we may disclose information about you to physicians, nurses, students, and other health care personnel who are involved in your care at CMU. We may disclose information about you to people outside of CMU who are involved in your care. CMU is a teaching facility and clinical students may be involved with your care under the supervision of a staff clinical provider.

a. Health Information Exchange (HIE): We may make your information available electronically through health information exchanges (HIEs) to other healthcare providers who attest to having a treatment relationship with you. Participation in an HIE also allows us to obtain information about you from other organizations that also participate in an HIE.

2. For Payment

a. We may use and disclose medical information about you in order to bill and collect payment for the health care services you receive at a CMU clinic. For example, in order to receive payment from your insurance company, we might need to provide specific health information to your health insurance plan about your diagnosis or health services you received from CMU. We may tell your health insurance plan about a treatment or service you are going to receive and your diagnosis in order to obtain pre-authorization or to determine whether your plan covers the treatment or service.

b. CMU’s self-funded health plans may use or disclose your PHI for payment-related activities, including for example, determining eligibility for benefits (however, we will not use your genetic information to determine eligibility or for other underwriting purposes).

3. For Health Care Operations

a. We may use and disclose your health information for our health care operations purposes. These uses and disclosures are necessary to run CMU clinics and help to assure that we provide quality services to all of our patients. For example, we may review your medical record to evaluate the performance of the staff in caring for you and to assist us in making improvements in the care and services we offer. We may also disclose information to doctors, nurses, technicians, medical students, other health care providers and personnel for educational purposes.

b. We may also disclose your health information to other providers and health plans who have a relationship with you for their health care operations. For example, we may disclose your PHI for their quality assessment and improvement activities or for health care fraud and abuse detection.

4. To Others Involved in Your Care

a. We may disclose your health information to someone who has the legal right to act on your behalf. We may, under certain circumstances, disclose to a designated contact person (e.g., a member of your family, a relative, a close friend or any other person you identify), your health information directly relevant to that person’s involvement in or payment for your health care. For example, we may discuss a claim determination with you in the presence of a friend or relative, unless you object.

5. When Required by Law

a. We will use and disclose your health information if we are required to do so by law. For example, we may use and disclose your health information:

i. To report infectious diseases,

ii. To respond to court and administrative orders and subpoenas,

iii. To comply with workers’ compensation laws,

iv. To report congenital hearing losses in infants and children,

v. To report occupational noise induced hearing loss,

vi. To report suspected abuse and neglect to the proper authorities,

vii. To report PHI as required by the Secretary of Health and Human Services and state regulatory authorities, or

viii. To report threats to safety of self or others.

6. For Public Health Activities

a. We are, at times, required to report your health information to authorities for public health purposes. For example, we may be required to disclose information to help prevent or control disease, injury, or disability, report birth or death information to the Health Department, report information of concern to the Food and Drug Administration, or report information related to child or vulnerable adult abuse or neglect.

7. For Health Oversight Activities

a. We may disclose your health information to a health oversight agency for monitoring and oversight activities authorized by law. This might include release of information to the State agency that licenses the CMU facility for the purpose of monitoring or inspecting the facility related to that license. This will also include the release of information to organizations responsible for government benefit programs such as Medicare or Medicaid.

8. To Communicate About Our Services and Your Treatment Options

a. Without your prior authorization, we may also engage in face-to-face communication with you about alternative treatment options available to you or communicate with you about services and health plans available to you.

9. For Research

a. Under certain circumstances, we may use and disclose your health information for research purposes. This research generally is subject to oversight by an institutional review board to protect patient safety, welfare, and confidentiality. The institutional review board evaluates a proposed research project and its use of health information to balance the benefits of research with the need for privacy of health information. Even without special approval, we may permit researchers to look at records to help them identify patients who may be included in their research project or for similar purposes, so long as they do not remove or take a copy of any health information. Your health information may be used or disclosed for research as “limited or de-identified data sets” which do not include your name, address, or other direct identifiers.

10. To Our Business Associates

a. From time to time we engage third parties to provide various services for us. Whenever an arrangement with such a third party involves the use or disclosure of your health information, we will have a written contract with that third party designed to protect the privacy of your health information. For example, we may share your information with business associates who process claims or conduct disease management programs on our behalf.

Disclosures You May Request

You may instruct us and give your written authorization to disclose your PHI to a designated individual or agency for any purpose. We require that your authorization be on our standard form. To obtain the form, contact the clinic where you receive care or the Office of HIPAA Compliance. Contact information is available online at HIPAA.cmich.edu.

Individual Rights

You have the following rights. To exercise these rights, you must make a written request on our standard form. We must generally act upon your written request within sixty (60) days. To obtain the form, contact the clinic you receive services through or the Office of HIPAA Compliance. Forms are also available online at HIPAA.cmich.edu.

1. Right to Inspect and Copy Your Health Information

a. With a few exceptions, you have the right to inspect and obtain an electronic or paper copy of your protected health information. This includes medical and billing records, but this right does not apply to psychotherapy notes or information gathered for judicial proceedings. We may charge you a reasonable fee, as permitted by law, for certain costs associated with producing the copy. We have 30 days to make your protected health information available to you and may deny your request in certain limited circumstances. If your request is denied, you have the right to have the denial reviewed by a licensed healthcare professional who was not directly involved in the denial of your request, and we will comply with the outcome of the review.

2. Right to Request an Amendment to Your Health Information

a. If you believe the health information we have about you is incorrect, you may ask us to amend the information. You have the right to request an amendment for as long as the information is kept by or for CMU. We are not required to honor your request if it is not in writing or does not include a reason to support the request. In addition, we may deny your request if you ask us to amend information that (a) we did not create, unless the person or entity that created the information is no longer available to make the amendment, (b) is not part of the health information kept by us, (c) is not part of the information which you would be permitted to inspect and copy or (d) we determine that the information is accurate and complete.

3. Right to Receive Confidential Communication of Health Information

a. You have the right to ask that we communicate your health information to you in a certain way or at a certain location. For example, you may ask to receive information about your health status in a special, private room or through correspondence sent to a private address. We will accommodate reasonable requests. Your request must specify how or where you wish to be contacted.

4. Right to Request Restrictions on Certain Uses and Disclosures

a. You have the right to ask for restrictions or limitations on the health information about you that we use or disclose for treatment, payment, or health care operations. You also have the right to request a limit on the protected health information we disclose to someone involved in your care or the payment for your care, like a family member or friend. For example, you could ask that we not use or disclose information to a family member about a procedure you had. We are not required to agree to your request for a restriction if it involves treatment, payment or disclosures we are required to make by law, except that we must agree to a requested restriction on the disclosure of protected health information to a health plan for payment or health care operations not required by law if the information pertains to an item or service for which you or someone other than the health plan has paid in full. If we do agree to other requested restrictions, we will comply with your request unless the information is needed to provide you with emergency medical treatment.

5. Right to Receive a Record of Disclosures of Your Health Information

a. You have the right to ask for a list of certain disclosures we made of your protected health information in the last six years for purposes other than treatment, payment, and health care operations and for which you have provided written authorization or for which we only needed to give you an opportunity to object (e.g., facility directory and disclosures to family and friends during your care). Your request must state a time period that may not be longer than six (6) years from the date of your request. Your request should indicate in what form you want the list (for example, on paper, electronically). The first list you request within a twelve (12) month period will be free. For additional lists, we may charge you for the cost of providing the list. We will notify you of the costs involved and you may choose to withdraw or modify your request at that time before any costs are incurred.

6. Revoke Prior Authorization

a. You may revoke your authorization, except to the extent that we have already taken action upon it.

7. Right to Receive Notification of a Breach

a. We will provide you with timely notification if we discover a breach of your unsecured protected health information.

8. Right to Obtain a Paper Copy of this Notice

a. Upon your request, you may at any time receive a paper copy of this Notice. Even if you have agreed to receive this Notice electronically, you are still entitled to a paper copy of this Notice. Copies of our Notice are available at the registration desk at any of our facilities.

9. Choose Someone to Act for You

a. If you have given someone medical power of attorney or if someone is your legal guardian, that person can exercise your rights and make choices about your health information. We will make sure the person has this authority and can act for you before we take any action.

Questions and Complaints

If you need more information about our privacy practices, or a written copy of this notice, please contact us. Our contact information is available online at HIPAA.cmich.edu.

For your convenience, you may also obtain an electronic (downloadable) copy of this notice online at HIPAA.cmich.edu.

If you are concerned that we may have violated your privacy rights, or you believe that we have inappropriately used or disclosed your PHI, please contact:

HIPAA Privacy Officer, Office of HIPAA Compliance, Central Michigan University, Mt. Pleasant, Michigan 48859, (989) 774-2829

You may also submit a written complaint to: Region V, Office of Civil Rights

Office for Civil Rights
U.S. Department of Health and Human Services
233 N. Michigan Ave., Suite 240
Chicago, IL 60601
Customer Response Center: (800) 368-1019
Fax: (202) 619-3818
TDD: (800) 537-7697
Email: ocrmail@hhs.gov


We support your right to protect the privacy of your PHI. We will not take action against you if you file a complaint with us or with the U.S. Department of Health and Human Services.

Central Michigan University reserves the right to make exceptions to, modify or eliminate this policy and/or its content. This document supersedes all previous policies, procedures or guidelines relative to this subject.