Policy 1604: Confidentiality & Release of Protected Health Information


Policy Name:

Confidentiality and Release of Protected Health Information

Policy Number:  1604

Policy Manual Section:

Board of Directors

Related Policies:

Policy 1601:  Corporate Compliance
Policy 1605:  Board Members & Sr. Staff Health Care Benefit Issues
Policy 1800:  Board Access to Confidential & Proprietary Information

HPP Adopted:  05/25/06; 12/02/10
HPO Adopted:  11/18/10
HPI Adopted:  11/08/06; 11/16/10

Issuing Department:


Original Policy Date:


Revision Date(s):

11/22/2000; 01/21/2003; 03/27/2003; 04/27/2006; 08/27/2009; 08/25/2011

Reviewed Date(s):

  (No Revisions)


Replaces Policy Number:

C0893A.01; 3303

I.    Policy Purpose/Statement of Intent/Background

  •  “HealthPlus” shall refer to HealthPlus of Michigan, Inc. and its affiliated entities, HealthPlus Partners, Inc., HealthPlus Options, Inc., and HealthPlus Insurance Company, unless otherwise stated.
  • The policy shall pertain to the Commercial, Medicaid, MIChild, County Health Plan, and Medicare product lines and their respective products, e.g., HMO, PPO, TPA, and Medicare Part D.
  • To assure that the organization complies with all applicable state and federal laws and regulations, including, but not limited to, those pertaining to the Medicaid, Medicare, and Medicare Part D programs.
  • To assure the confidentiality of member information.
  • To assure that confidential information is treated in accordance with Federal and State law, including the Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH).


II.   Definitions




Protected Health Information (PHI) shall be defined as individually identifiable health information, including demographic information, transmitted or maintained in any form, that is:

  • created or received by HealthPlus;
  • relates to a past, present, or future physical or mental health condition or payment for health care; and
  • either identifies the individual or provides a reasonable opportunity to potentially identify the individual.


Health Insurance Portability & Accountability Act


II.   Policy Statement


  1. HealthPlus shall follow all applicable rules and regulations and shall implement appropriate administrative, technical, and physical safeguards to protect the privacy of Protected Health Information (PHI).[1] 


  1. HealthPlus may use and disclose PHI to carry out treatment, payment, and health care operations consistent with the Privacy Rule.[1] 
  1. HealthPlus shall obtain authorization when use or disclosure of PHI goes beyond treatment, payment, or health care operations and/or when authorization is required under the HIPAA Privacy Standards or other applicable law.


  1. HealthPlus shall designate a privacy official responsible for the development and implementation of policies and procedures for the protection of PHI.  The privacy official shall be the contact person responsible for receiving complaints regarding the privacy rights of individuals and for providing further information.


  1. HealthPlus shall train all current and new members of its workforce on the policies and procedures regarding PHI so that they may carry out their duties with regard to this policy.


  1. HealthPlus shall revise its policies and procedures, as appropriate, to comply with changes in governing laws and regulations covering privacy.


  1. HealthPlus shall provide members with the right to:
    • Periodically obtain a Notice of Privacy Practices from HealthPlus describing how HealthPlus uses and discloses their information and their rights under applicable law;
    • Restrict the use and disclosure of their PHI in certain circumstances;
    • Request confidential communications be established;
    • Obtain access to their PHI;
    • Request amendment to their PHI; and
    • Request an accounting of the uses and disclosures of their PHI which were not related to treatment, payment, and/or health care operations, or pursuant to an authorization.


  1. HealthPlus shall obtain appropriate agreements with all applicable contractors and providers (including first-tier, downstream, and related entities) to protect the confidentiality of PHI.


  1. HealthPlus’ standard shall be to limit use and disclosure of PHI to the minimum necessary to accomplish the intended purpose of the request, use, or disclosure.


  1. HealthPlus shall not disclose information that could result in the member being contacted by another organization for marketing purposes.  Marketing is defined as a communication about a product or service that encourages recipients of the communication to purchase or use the product or service.


  1. HealthPlus shall recognize the personal representatives of minors and other legal representatives of members for use and disclosure of PHI.


  1. Outside of health care operations, HealthPlus shall use and/or disclose PHI under the following circumstances and obtain authorization when required by applicable law:
    • When it is required by law;
    • For public health activities and purposes;
    • About an individual whom HealthPlus reasonably believes to be a victim of abuse, neglect, or domestic violence to a government authority, including a social service or protective services agency, authorized by law to receive reports of such abuse, neglect, or domestic violence;
    • To a health oversight agency (such as the Department of Health and Human Services) for oversight activities;
    • In the course of any judicial or administrative proceeding;
    • To a coroner or medical examiner for the purpose of identifying a deceased person, determining a cause of death, or other duties as authorized by law.


  1. HealthPlus shall provide a process for individuals to make complaints concerning HealthPlus’ policies and procedures regarding PHI.


  1. In the event this policy is violated, HealthPlus shall minimize the impact, to the extent practicable, of any known potentially harmful or harmful effects concerning use or disclosure of PHI in violation of its policies and procedures or applicable law.


  1. HealthPlus shall apply appropriate sanctions to members of its workforce who fail to comply with the privacy policies and procedures of HealthPlus. 


  1. HealthPlus shall not intimidate, threaten, coerce, discriminate against, or take other retaliatory action against an individual for exercising rights under HIPAA.


  1. HealthPlus shall not require individuals to waive their rights to file a complaint under the HIPAA privacy standards as a condition for the provision of treatment, payment, and enrollment, or eligibility for benefits.


  1. HealthPlus shall retain policies and procedures and HIPAA compliance records for a minimum of six (6) years.


III.  Implementation

HealthPlus staff is responsible for establishing, publishing, and maintaining procedures and work rules to implement this policy.

[1] The Privacy Rule