PRIVACY NOTICE
THIS NOTICE DESCRIBES HOW HEALTH PLAN, CLAIMS AND MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
Aspire Health is committed to protecting the confidentiality of your protected health information (PHI). We take the job of protecting your PHI seriously. We maintain policies and procedures to protect PHI, and all employees receive training on how to protect PHI.
We also use physical and electronic safeguards to limit employee access to PHI. Access to your PHI is restricted only to employees who “need to know” the information.
Introduction to Privacy Notice
The plans at Aspire Health are required to abide by the terms of this Notice. This Notice of Privacy Practices describes how Aspire Health may use and disclose your protected health information (PHI) to provide health care coverage for you, to facilitate payment of the health care services provided by your doctor and to support the health care operations of our insurance plan. Aspire Health provides this notice to you per the requirements of federal law, specifically the Health Insurance Portability and Accountability Act (HIPAA) Privacy Standards. In addition to HIPAA, other state and federal laws provide to you additional protections for your health information related to treatment for mental health, alcohol and other substance abuse, and HIV/AIDS. To the extent that state or federal laws and rules are more stringent that the HIPAA Privacy Standards, we will continue to follow these laws and rules. The law requires Aspire Health to notify you regarding:
- What kind of PHI we collect about you and how we get it
- How we use your PHI
- What kind of PHI we release to other entities and organizations
- How we protect your PHI from unauthorized use and disclosures
- How you can obtain a copy of the PHI we have on file about you
PHI includes your demographic information such as name, address, telephone number, social security number, birth date, and gender. PHI also includes information regarding your health, illnesses, injuries, and information about the medical services provided to you.
Aspire Health collects your PHI from:
- You (when you complete enrollment forms)
- Your prior transactions with Aspire Health Medicare Advantage Plans
- Your physician and other health care providers
- Your transactions with others (your providers, employer, or other health plans)
We may amend this Notice of Privacy Practices periodically and you may obtain a current copy of the Notice by contacting an Aspire Health member service representative or the Privacy Office. We also have this Privacy Notice posted on our Aspire Health member website.
We reserve the right to make the revised or changed Notice effective for PHI that we already have about you as well as for any PHI we receive in the future. We will provide updates of any material change of this Notice, as required by law. If you have any questions about Aspire Health Notice of Privacy Practices, please contact our Privacy hotline at 1-800-810-0176.
Safeguarding PHI Within Aspire Health Facilities
Aspire Health protects your PHI by using appropriate administrative, technical and physical safeguards. We train regularly our employees on the obligation to protect the privacy of your PHI. We secure health plan and claims records in our facilities. Aspire Health Plan permits only those employees with a “need to know” access your health plan, claims, medical records, and other PHI. We use physical and electronic safeguards to limit employee access to PHI. We will let you know promptly if a breach occurs that may have compromised the privacy or security of your information.
Uses and Disclosures of PHI for Treatment, Payment and Health Care Operations
Aspire health will use and disclose your PHI for the following types of activities:
For Treatment: Our network providers may use or disclose your PHI for treatment purposes, which includes the provision, coordination, management of your health care and related services by our Health Care Centers and other health care providers involved in your care. For example, we may ask you to have laboratory tests (such as blood or urine tests), and we may use the results to help us reach a diagnosis. We may use your PHI in order to write a prescription for you, or we may disclose your PHI to a pharmacy when we order a prescription for you. Our staff may use or disclose your PHI to treat you or to assist other health care providers in your treatment. Additionally, we may disclose your PHI to others who may assist in your care, such as your spouse, children, or parents. Finally, we may disclose your PHI to other health care providers for purposes related to your treatment. Note that psychotherapy notes will not be disclosed for treatment purposes without your authorization.
For Payment: Payment means our activities to pay for the medical services provided to you, including billing, claims management, and collection activities. Payment activities also include our work in determining eligibility, claims processing, assessing medical necessity and utilization review.
For Health Care Operations: Health care operations mean the business activities of our health plan. These activities include, for example, quality assessment and improvement activities, practitioner performance evaluation, member satisfaction surveys, fraud and abuse compliance, business planning and development, health education, and general administrative activities. For example, we may send you a newsletter about our health plan or a mailing about health plan activities.
We may also use or disclosure your PHI to contact you about health care quality improvement initiatives or health-related benefits that may be of interest to you. When we involve third parties in our business activities, we require them to treat your PHI the same way we do and sign formal contracts that outline their legal obligations to safeguard the use and disclosure of your PHI.
To Business Associates: Aspire Health may contract with other organizations called “Business Associates” to provide services on our behalf. As these services are performed by our Business Associates, PHI may be accessed or disclosed. We will enter into an agreement with Business Associates that explicitly set forth the requirements associated with the protection and safeguarding of your PHI.
For Fundraising: Aspire Health Plan may contact you during fundraising campaigns. Aspire Health Plan is a not-for-profit organization. As such, we may engage in fundraising efforts to support our mission. We may use and disclose your PHI to contact you regarding our fundraising efforts. You have the right to “opt out” of receiving fundraising communications by following the opt out instructions on the communication or contacting our Compliance Officer and making a request to opt out of receiving fundraising communications.
We are not allowed to use genetic information to decide whether we will give you coverage and the price of that coverage.
We are not allowed to use or disclose your health information for marketing purposes unless we have received your written authorization to do so. However, we may provide you with promotional gifts of nominal value.
Please note that not every type of use or notice is listed in this Notice.
Other permitted or required uses and disclosures of PHI that do not require your authorization include the following:
Release of information to family/friends: We may disclose your PHI to a family member, close friend or other person you identify, to the extent the information is relevant to that person’s involvement in your care or payment related to your care. We will provide you with an opportunity to object to such a disclosure whenever it is reasonably practicable for us to do so.
Parents as personal representatives of minors: In most cases, your minor child’s PHI may be disclosed to you. However, we may be required by law to deny a parent’s access to a minor’s PHI for certain diagnoses or treatment such as sexually transmitted diseases, family planning services, etc.
Appointment reminders and treatment options: We may use and disclose your PHI to contact you and remind you of an appointment. We may use or disclose your PHI to inform you of potential treatment options or alternatives. We may use and disclose your PHIto inform you of other health-related benefits and services that may be of interest to you.
Uses and Disclosures of PHI Based Upon Your Written Authorization
Except as otherwise described in this Notice, we may not use or disclose your PHI without your written authorization, which you may revoke.
You may request that we disclose all or part of your PHI to a person or organization outside of Aspire Health. You may authorize Aspire Health to use and disclose your PHI to specified individuals or other recipients for a defined purpose over a particular timeframe.
Aspire Health will specifically require your authorization to disclose sensitive PHI, such as information about mental health or psychiatric treatment (unless an emergency situation exists), HIV status and substance abuse treatment. While most authorizations must be in writing, in certain circumstances, we will accept oral authorizations to the extent permitted by California law. Aspire Health will disclose only the health information that you permit via your authorization.
You may revoke your authorization at any time, but only regarding future uses or disclosures and only to the extent, we have not already used or disclosed your PHI in reliance on your authorization. We may also accept oral revocations and certain electronic revocations of authorizations, but we request that you follow this with a revocation in writing.
Aspire Health may send you marketing materials. In most circumstances, HIPAA and state laws may require you to provide us written authorization before we use or disclosure your health information for marketing purposes. However, we may provide you with promotional gifts of nominal value.
Uses and Disclosures of PHI that are Permitted or Required by Law
In some circumstances, Aspire Health may use or disclose your PHI without your authorization. State and federal privacy laws permit or require such use or disclosure regardless or your authorization because it is in the best interest of our society that the use of disclosure of PHI be made in these situations.
Emergencies: If you are incapacitated and require medical treatment, we will use and disclosure your PHI to your medical providers to ensure you receive the necessary medical services.
Communication barriers: If we try but cannot obtain your authorization to use or disclose PHI because of substantial communication barriers and we infer that you authorize the use or disclosure, Aspire Health will make the use or disclosure.
Required by law: We may disclose PHI to the extent required by law and in a manner limited to the specific requirement of the law.
Public health activities: We may disclose your PHI to a health oversight agency for audits, investigations, inspections and other activities necessary for the appropriate oversight of the health care system and the government benefit programs such as Medicaid and Medicare. Judicial, legal, and administrative proceedings: We may disclose your PHI in the course of any judicial or administrative proceeding in response to an order expressly directing disclosure and, within certain limits, in response to a subpoena, discovery request, or other lawful purpose.
Law enforcement activities: We may disclose your PHI to a law enforcement officer For law enforcement purposes, or about a victim of a crime if, under limited circumstances, we are unable to obtain the person’s agreement; or, in emergency circumstances, to report a crime, the location of the crime or victim, or the identity, description, or location of the person who committed the crime. Organ and tissue donation requests and work with a medical examiner or funeral director: We can share health information about you with organ procurement organizations. We can also share health information with a coroner, medical examiner, or funeral director when an individual passes away.
Research: We may disclose your PHI for certain medical or scientific research where the researchers have a protocol to ensure the privacy of your PHI. Serious threats to health and safety: We may disclose your PHI to prevent or reduce a serious and imminent threat to the health or safety of a person or the public.
Armed forces personnel and national security: We may disclose the PHI of members of the armed forces for activities deemed necessary by appropriate military command authorities to assure proper execution of the military mission. We also may disclose your PHI to certain federal officials for lawful intelligence, counterintelligence, and other national security activities.
Correctional facilities: Regarding inmates, we may disclose your PHI to a correctional institution or law enforcement official to the extent required by law, by court order, or as authorization by law or rule.
Workers’ compensation: We may disclose your PHI as authorized by and to the extent necessary, to comply with the Maine Worker’s Compensation Act or other similar programs that provide benefits for work-related injuries or illness without regard to fault.
Department of Health and Human Services: We must disclose your PHI to the Secretary of the US Department of Health and Human Services to investigate or determine Generations.
Medicare Advantage Plans compliance with the privacy laws.
Your Rights Regarding PHI
We must disclose your PHI to you upon request. You have the following rights:
Right to request restriction of uses and disclosures: You have the right to request that we not use or disclose any part of your PHI unless it is a use or disclosure required by law. Please advise us of the specific PHI you wish to restrict and the individual(s) who should not receive the restricted PHI. We are not required to agree to your restriction request, but if we do agree to the request, we will not use or disclose the restricted PHI unless it is necessary for emergency treatment. In that case, we will ask the recipient to keep your PHI private and not disclose it to other persons or entities. If certain conditions are met, we have the right to terminate our agreement to the restriction.
Right to access your PHI: You have the right to receive and inspect a copy of your PHI. You may not have a right to psychotherapy notes or information compiled in reasonable anticipation of a civil, criminal, or administrative proceeding. Also, your right of access may be limited if providing certain PHI to you may endanger the health or safety of yourself or others. If we are unable to grant your request to access to your health information, we will inform you about the reason and your rights to challenge this decision within 30 days from the date of your request. Contact us to find out how to access your PHI. We have the right to charge a reasonable fee for providing copies of your PHI.
Right to confidential communications: You can ask us to contact you in a specific way (for example, by home or office phone) or to send mail to a different address. We will consider all reasonable requests, and must comply if you tell us you would be in danger if we do not.
Rights to choose someone to act for you: If you have given someone medical or financial power of attorney or if someone is your legal guardian, that person can exercise your rights and make choice about your health information. We will make sure the person has this authority and can act for you before we take any action.
Right to amend your PHI: You have the right to request that we amend the PHI in your“ designated record set” for as long as we maintain the PHI in such format. Please make your request in writing to our Privacy Contact. We will respond to your request as soon as possible, but no later than 60 days from the date of your request, unless we provide you with written notice regarding a delay. If we deny your request for amendment, you have the right to submit a written statement of reasonable length disagreeing with the denial and we have the right to submit a rebuttal statement. A record of any disagreement about amendment will become part of your medical records and may be included in subsequent disclosures of your PHI. We will not delete any health information or PHI in your records. We will require that you identify persons who have received disclosure of the PHI that you have corrected, clarified, or amended and will request your agreement to share the corrected, clarified, or amended PHI with such person(s) and with our Business Associates or other that may have relied on the PHI to your detriment.
Right to accounting of disclosures: Subject to certain limitations, you have the right to a written accounting of disclosures by us of your PHI for not more than six years prior to the date of your request. Your right to an accounting applies to all disclosures except those for treatment, payment, or health care operations; to yourself, to your legal guardian, or persons with Power of Attorney involved in your care; or for notification purposes. Please make your request in writing to our Privacy Contact. We will respond to your request as soon as possible, but no later than 60 days from the date of your request, unless we provide you with written notice regarding a delay. We will provide you with one accounting every 12 months free of charge. We will charge a reasonable fee based upon our costs for any subsequent accounting requests.
Right to Breach Notification: Pursuant to the Health Information Technology for Economic and Clinical Health Act of 2009 (the “HITECH Act”) and the HIPAA Omnibus FinalRule (2013), you have a right to receive notice of any breach of your unsecured PHI. Generally, a breach occurs if an unauthorized acquisition, access, use, or disclosure of PHI compromises the security or privacy of such information. Security and privacy are considered compromised when the disclosure poses a significant risk of financial, reputational, or other harm to you. We have implemented policies and procedures to comply with the breach notification requirements under the HITECH Act.
Right to a copy of our Notice of Privacy Practices: We may periodically amend the Notice of Privacy Practices and you may obtain an updated Notice from our Privacy Contact at any time.
If You Have a Complaint
If you have a complaint about the denial of any of the specific rights listed in Section 6 above about our Notice of Privacy Practices, or about our compliance with state and federal privacy law, please make your complaint in writing to our Compliance Officer. We will respond to your complaint in writing within the periods listed in Section 6 above or in any case within 60 days of the date of your complaint.
Please write to: Anthony Serrano/Compliance Officer c/oCompliance Department 10 Ragsdale Drive, Suite 101 Monterey, CA 93940
If you believe we are not complying with our legal obligations to protect the privacy of your PHI, you may file a complaint with the Secretary of the U.S. Department of Health and Human Services.
Send your complaint to: Medical Privacy, Complaint Division, Office for Civil Rights (OCR) US Department of Health and Human Services, 200 Independence Avenue SW, Room 509F, HHH Building, Washington DC, 20201
You may also contact OCR’s Voice Hotline Number at 1-800-368-1019 or send the information to their Internet address www.hhs.gov/ocr. Aspire Health will not take, retaliatory action against you if you file a complaint about our privacy practices with us or with the Office for Civil Rights. Covered entities and HIPAA enforcement The U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) enforces the HIPAA Privacy, Security, and Breach Notification Rules. The HIPAA Rules apply to covered entities and business associates. As a covered entity, Aspire Health is subject to HIPAA (as are most other health care providers, such as hospitals, doctors, clinics, and dentists). Click here to learn more about the types of organizations that meet the definition of a covered entity or business associate. To learn more about your rights under HIPAA and find who is obligated to comply with HIPAA you can visit the HHS Health Information Privacy website.
Submitting a HIPAA privacy complaint
If you believe that a HIPAA-covered entity or its business associate violated your (or someone else’s) health information privacy rights or committed another violation of the Privacy, Security, or Breach Notification Rules, you may file a complaint with OCR. Click here to learn more about how to file a complaint with OCR. You may also file a complaint with Aspire Health please contact our Privacy hotline at 1-800-810-0176.
You may also write to: Anthony Serrano/Compliance Officer c/o Compliance Department 10 Ragsdale Drive,
Suite 101 Monterey, CA 93940.
Apps and privacy enforcement
We want you to know the app you choose will have access to all of your information. The app is not subject to the HIPAA Rules, which generally protect your health information. Once your protected health information is received from Aspire Health, at your direction, by an app that is neither a covered entity nor a business associate under HIPAA, the information is no longer subject to the protections of the HIPAA Rules. Instead, the app’s privacy policy describes self-imposed limitations on how the app will use, disclose, and (possibly) sell information about you. The Federal Trade Commission Act protects against deceptive acts (such as an app that discloses personal data in violation of its privacy notice). An app that violates the terms of its privacy notice is subject to the jurisdiction of the Federal Trade Commission (FTC). The FTC provides information about mobile App privacy and security for consumers here.
If you believe an App inappropriately used, disclosed, or sold your information, you should contact the FTC. You may file a complaint with the FTC using the FTC complaint assistant.