Privacy Statement: Use and Disclosure of Protected Health Information


A. Use and disclosure of Protected Health Information (PHI).
PHI is any individually identifiable health information that is transmitted or maintained by electronic media, or in any other form or medium. It is information that is created or received by your health care provider, health plan, or employer which relates to your past, present, or future (1) physical or mental health or condition; (2) receipt of health care; or (3) payment for health care and which identifies you as an individual or creates a reasonable basis to believe the information can be used to identify you.
The Plan will use PHI only to the extent and in accordance with the uses and disclosures permitted by the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Specifically, the Plan will use and disclose protected health information for purposes related to health care treatment, payment for health care and health care operations.
“Payment” includes activities undertaken by the Plan to obtain premium payments or determine or fulfill its responsibility for coverage and provision of plan benefits that relate to an individual to whom health care is provided. For example, the Plan may share information about you with your dental plan to coordinate payment for your dental work. Payment activities include, but are not limited to, the following:

·         Determination of eligibility, coverage, and cost sharing amounts (e.g., cost of a benefit, plan      maximums, and copayments as determined for an individual’s claim);

·         Coordination of benefits;

·         Adjudication of health benefit claims (including appeals and other payment disputes);

·         Subrogation of health benefit claims;

·         Establishing employee contributions;

·         Risk adjusting amounts due based on enrollee health status and demographic characteristics;

·         Billing, collection activities and related health care data processing;

·         Claims management and related health care data processing, including auditing payments, investigating and resolving payment disputes and responding to participant (and their authorized representatives) inquiries about payments;

·         Obtaining payment under a contract for reinsurance (including stop-loss and excess of loss insurance);

·         Medical necessity reviews, or reviews of appropriateness of care or justification of charges;

·         Utilization review, including pre-certification, pre-authorization, concurrent review and retrospective review;

·         Disclosure of consumer reporting agencies related to collection of premiums or reimbursement (the following PHI may be disclosed for payment purposes: name and address, date of birth, SSN, payment history, account number, and name and address of the provider and/or health plan);

·         Reimbursement to the plan.

“Health Care Operations” consist of activities necessary to run our organization. For example, we may use health information about you to develop better services for you. Health Care Operations include, but are not limited to, the following activities:

·         Quality Assessment.

·         Population-based activities relating to improving health or reducing health care costs, protocol development, case management and care coordination, disease management, contacting of healthcare providers and patients with information about treatment alternatives; and related functions.

·         Rating provider and plan performance, including accreditation, certification, licensing, or credentialing activities.

·         Underwriting, premium rating, and other activities relating to the creation, renewal or replacement of a contract of health insurance or health benefits, and ceding, securing, or placing a contract of reinsurance of risk relating to claims for health care (including stop-loss insurance and excess of loss insurance).

·         Conducting or arranging for medical review, legal services, and auditing functions, including fraud and abuse detection and compliance programs.

·         Business planning and development, such as conducting cost-management and planning-related analyses related to managing and operating the entity, including formulary development ad administrations, development or improvement of methods of payment or coverage policies.

·         Business management and general administrative activities of the entity, including, but not limited to:

·         Management activities relating to implementation of and compliance with the requirements of HIPAA Administrative Simplification;

·         Customer service, including the provision of data analyses for policyholders, Plan Sponsors or other customers.

·         Resolution of internal grievances.

·         Due diligence in connection with the sale or transfer of assets to a potential successor in interest, if the potential successor in interest is a covered entity or, following completion of the sale or transfer, will become a covered entity.

HIPAA allows a Plan to disclose for certain purposes other than payment, health care operations and those required by law if the Plan includes a description of such additional uses/disclosures in its Notice of Privacy Practice. The following are examples of such uses/disclosures for the Plan to consider including:

Other Disclosures.

·         Public Health and Health Oversight Activities. The Plan may disclose your PHI to public health authorities that are authorized by state, federal or local law to collect information for purposes such as preventing or controlling disease, injury or disability or notification of exposure to communicable diseases. The Plan may also disclose your PHI to a federal, state or local agency required by law to oversee, license, inspect or investigate programs where health related information is collected or used.

·         Lawsuits or Similar Proceedings. The Plan may disclose your PHI in response to a court order or an administrative order. The Plan may also disclose your PHI in response to a subpoena or other type of lawful request from an attorney involved in a lawsuit, or from a government agency or investigator involved in an administrative proceeding. In the case of a subpoena or other lawful request, the Plan is required to make sure you are aware of the request or obtain an assurance that your PHI will be used appropriately.

·         Law Enforcement. The Plan may disclose your relevant PHI in response to a court ordered warrant, subpoena or summons; a grand jury subpoena; or a civil investigative demand made by an agency or officer for legitimate law enforcement purpose.

·         Coroners, Medical Examiners, and Funeral Directors. The Plan may disclose your PHI to a coroner or medical examiner for purposes of identifying a deceased person or determining the cause of death, or to a funeral director.

·         Organ, Eye or Tissue Donation.   The Plan may disclose your PHI to facilitate organ, eye or tissue donation or transplantation as allowed by the state’s organ procurement laws.

·         Threats to Public Health. The Plan may be required to disclose limited PHI to the extent the Plan in good faith determines such disclosure is necessary to prevent or lessen a serious and imminent threat to public health or safety, or to the health or safety of a specific individual.

·         Specialized Government Functions. The Plan may be required to disclose your PHI to the United States or a State government if you are an active or veteran member of the military, seeking a government security clearance or permission to travel abroad, if you are in lawful custody, or if the government requires such information to conduct lawful national security activities.

·         Worker’s Compensation. The Plan may disclose your PHI as authorized by the state’s workers’ compensation laws.

B. The Plan will use and disclose PHI as required by law and as permitted by written authorization of a Plan Participant or Beneficiary. Only with an authorization, will the plan disclose PHI to pension plans, disability plans, workers’ compensation insurers, etc.) for purposes related to administration of these plans.

C. The Plan will never sell your PHI or use your PHI for marketing purposes without your prior, written permission.

D. For purposes of this section, the SCMA is the Plan Sponsor. The Plan will disclose PHI to the Plan Sponsor only upon receipt of a certification from the Plan Sponsor that the Summary Plan Description (“SPD”) has been amended to incorporate the following provisions.

With respect to PHI, the Plan Sponsor agrees to:

·         Not use or further disclose the information other than as permitted or required by the “SPD” or as required by law;

·         Ensure that any agents, including a subcontractor, to whom the Plan Sponsor provides PHI received from the plan agree to the same restrictions and conditions that apply to the Plan Sponsor with respect to such information;

·         Not use or disclose the information for employment-related actions and decisions unless authorized by the individual in writing;

·         Not use or disclose the information in connection with any other benefit or employee benefit plan of the Plan Sponsor unless authorized by the individual in writing;

·         Report to the Plan any use or disclosure of the PHI that is inconsistent with the uses or disclosures provided for of which the Plan Sponsor becomes aware;

·         Make PHI available to the individual in accordance with the access requirements of HIPAA;

·         Make PHI available for amendment and incorporate any amendments to PHI in accordance with HIPAA;

·         Make available the information required to provide an accounting of disclosures;

·         Make internal practices, books, and records relating to the use and disclosure of PHI received from the Plan available to the Secretary of HHS for the purposes of determining the Plan’s compliance with HIPAA;

·         If feasible, return or destroy all PHI received from the plan that the Sponsor still maintains in any form and retain no copies of such information when no longer needed for the purpose for which disclosure was made. If return or destruction is not feasible, limit further uses and disclosures to those purposes that make the return or destruction infeasible.

E. Adequate separation between the plan and the Plan Sponsor must be maintained. Therefore, in accordance with HIPAA, only the following employees or classes of employees may be given access to PHI.

·         The Plan Administrator
·         Staff Designated by the Plan Administrator
o   MIT Vice President
o   MIT Director of Operations
o   MIT Insurance Coordinator
o   MIT Administrative Assistant
o   MIT Marketing Services Manager
o   MIT Board of Trustees
o   SCMA Vice President of Information Technology

F. The persons described in section E may only have access to and use and disclose PHI for Plan administration functions that the Plan Sponsor performs for the Plan.

G. If the persons described in section E do not comply with this Plan document, the Plan Sponsor shall provide a mechanism for resolving issues of noncompliance, including disciplinary sanctions.

H. For purposes of complying with the HIPAA privacy rules, this Plan is a “Hybrid Entity” because it has both health plan and non-health plan functions. The Plan designates that its health care components that are covered by the privacy rules include only health benefits and not other plan functions or benefits.

I.   Your Rights. You may make a written request to the Plan to do one or more of the following concerning your PHI that the Plan maintains: 

·         To put additional restrictions on the Plan’s use and disclosure of your PHI for payment, health care operations, or to someone who is involved in your care or the payment for it. Except in limited circumstances, the Plan does not have to agree to your request.

·         To ask the Plan to communicate with you in confidence about your PHI by a different means or at a different location than the Plan is currently using. The Plan will consider and accommodate reasonable requests. Your request must specify the alternative means or location to communicate with you in confidence.

·         To see and get copies of your PHI that is created or maintained by the Plan or its business associates. For any portion of your health record maintained in an electronic health record, you may request we provide that information to you in an electronic format. If you make that request, we are required to provide that information to you electronically. In limited cases, the Plan does not have to agree to your request.

·         To correct your PHI that is created or maintained by the Plan. In some cases, the Plan does not have to agree to your request but will respond in writing within 60 days.

·         To receive a list of disclosures of your PHI that the Plan and its business associates made for the last 6 years (but not for disclosures made before April 14, 2004, and subject to Section 13405(c) of the HITECH Act). The Plan is not required to list disclosures made for treatment, payment or health care operations (except when required by, and upon the effective date of, Section 13405(c) of the HITECH Act), or disclosures made with your authorization. We will provide one accounting a year for free but will charge a reasonable, cost-based fee if you ask for another one within 12 months.

·         To send you a paper copy of this notice even if you have previously agreed to receive this notice by e-mail or on the internet.

·         To be notified if there is a breach to the security or privacy of your PHI due to your information being unsecured. We are required to notify you within 60 days of discovery of a breach.

Contact Office: 

SCMA Members’ Insurance Trust

Privacy Officer:

Stewart Samples






Stewart Samples


P.O. Box 11188
Columbia, SC 29221

L. THE EFFECTIVE DATE OF THIS AMENDED NOTICE IS SEPTEMBER 23, 2013. The Plan is required to follow the terms of this notice until it is replaced. The Plan reserves the right to change the terms of this notice at any time. If the Plan makes significant changes to this Notice, the Plan will revise it and send a new notice at that time. The Plan reserves the right to make the new changes apply to all your PHI maintained by or for the Plan before and after the effective date of the new notice.  

M.      Effective April 21, 2005, the Plan Sponsor:

1.      Implemented administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of electronic PHI that it creates, receives, maintains, or transmits on behalf of the group health plan.

2.      Ensured that the adequate separation discussed in D above, specific to electronic PHI, is supported by reasonable and appropriate security measures,

3.      Ensured that any agent, including a subcontractor, to whom it provides electronic PHI agrees to implement reasonable and appropriate security measures to protect the electronic PHI, and

4.      Reports to the Plan an security incident of which it becomes aware concerning electronic PHI.