Notice of Washington and Lee University Health Benefit Plan Privacy Practices


The health privacy provisions contained in the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Health Information Technology for Economic and Clinical Health Act (HITECH Act), and the related regulations ("Privacy Rule" and "Security Rule"), impose certain legal obligations on the Washington and Lee University Health Benefit Plan (employee medical, dental, flexible spending account, and employee assistance plan benefits and retiree health benefits). The obligations include maintaining the privacy of health information, notifying plan participants and beneficiaries about their legal rights and the Plan's legal duties, policies and practices to protect the confidentiality of their protected health information, and abiding by the terms of this Notice and Plan policies and practices. This document is intended to satisfy HIPAA's Privacy Notice requirement, as well as its privacy policy/procedures requirement, with respect to all protected health information created, received, or maintained by the Washington and Lee University Health Benefit Plan ("the Plan"), as sponsored by Washington and Lee University ("the Plan Sponsor"). This document is also intended to notify plan participants and beneficiaries of the identity of the Plan's Security Official responsible for overseeing the Plans' compliance with HIPAA Security Standards.

The Plan needs to create, receive, and maintain records that contain certain health information about you in order to administer the Plan and provide you with health care benefits. The Plan collects this health information, which identifies you, from various sources, which could include applications and other forms that you complete, conversations you may have with the Plan's administrative staff and health care providers, and from reports and data provided to the Plan by health care service providers or other employee benefit plans. This health information includes, among other things, your name, address, phone number, birth date, social security number, employment information, and enrollment and claims information. This Notice describes the Plan's health information privacy policy and practices with respect to your medical, dental, flexible spending account, and employee assistance plan benefits, and retiree health benefits. The Notice tells you the ways the Plan may use and disclose protected health information about you, describes your rights, and the obligations the Plan has regarding the use and disclosure of your protected health information.

Privacy Policy, Procedures and Practices:
The privacy policy, procedures and practices of the Washington and Lee University Employee Health Benefit Plan protect confidential health information that identifies you or could be used to identify you and that relates to a physical or mental health condition, provision of health care to you, or the payment of your health care expenses. This individually identifiable health information about you is known as "Protected Health Information" (PHI). If this information is transmitted electronically, it is subject to the Security Rules under HIPAA, under the term "Electronic Protected Health Information" ("e-PHI"). The HIPAA Privacy Rule protects only that certain medical information known as PHI. Your PHI will not be used or disclosed without a written authorization from you, except as described in this Notice or as otherwise permitted by federal and state health information privacy laws. When required by law, the Plan, Plan Sponsor, and/or Business Associates will restrict disclosures to limited data sets or the minimum necessary information as needed under the circumstances.

Contact Information for Plan Privacy Official and Security Official
The Plan's Privacy Official is Amy Diamond Barnes, Executive Director of Human Resources. If you have any questions about this Notice or about how the Plan uses or shares PHI, or want a paper copy of this notice, please contact Amy Diamond Barnes, Executive Director of Human Resources, Washington and Lee University, Lexington, VA 24450, (540) 458-8920,

The Plan's Security Official is Dean E. Tallman, Director of Enterprise Applications. If you have any questions about how the Plan protects the security of electronic PHI in compliance with HIPAA Security Standards or wish more information on the Plan's security policies, practices, and procedures, please contact Dean Tallman, Director of Enterprise Applications, Washington and Lee University, Lexington, VA 24450, (540) 458-8089,

The Plan's Privacy Obligations:
The Plan is required by law to:

  • make sure that health information that identifies you is kept private;
  • give you this Notice of the Plan's legal duties and privacy practices with respect to health information about you;
  • follow the terms of the Notice that are currently in effect;
  • designate a Privacy Official who is responsible for implementing the Plan's privacy policies and for receiving complaints regarding privacy of health information
  • establish policies and procedures concerning PHI, including provision for discipline and a complaint mechanism for inappropriate privacy disclosures;
  • train employees with access to PHI on policies and procedures;
  • establish appropriate administrative, technical, and physical safeguards to maintain the privacy of PHI;
  • mitigate any harmful effect from a known violation of privacy policies and procedures;
  • keep for six years documentation of required policies, procedures, training, and other required written communications under the HIPAA Privacy Rule;
  • avoid retaliating against any person who exercises a right under the HIPAA Privacy Rules;
  • refrain from requiring anyone to waive rights under the HIPAA Privacy Rule;
  • amend its plan documents to reflect its obligation to protect the privacy of your protected health information; and
  • receive certification from the Plan Sponsor that it will protect the privacy of your protected health information.

Circumstances Under Which the Plan May Use and Disclose Health Information About You Without Your Authorization:

  • For Treatment. The Plan may disclose your PHI to a health care provider who renders treatment on your behalf. For example, if you are unable to provide your medical history as the result of an accident, the Plan may advise an emergency room physician about the types of prescription drugs you currently take.
  • For Payment. The Plan may use and disclose your PHI so claims for health care treatment, services, and supplies you receive from health care providers may be paid according to the Plan's terms. For example, the Plan may receive and maintain information about surgery you received to enable the Plan to process a hospital's claim for reimbursement of surgical expenses incurred on your behalf, or the Plan may provide information regarding your coverage or health care treatment to other health plans to coordinate payment of benefits.
  • For Health Care Operations. The Plan may use and disclose your PHI to enable it to operate or operate more efficiently or make certain all of the Plan's participants receive their health benefits. For example, the Plan may use your PHI for:
  • Quality assessment and improvement activities.
  • Activities designed to improve health or reduce health care costs.
  • Clinical guideline and protocol development, case management and care coordination.
  • Contacting health care providers and participants with information about treatment alternatives and other related functions.
  • Health care professional competence or qualifications review and performance evaluation.
  • Accreditation, certification, licensing or credentialing activities.
  • Underwriting, premium rating or related functions to create, renew or replace health insurance or health benefits.
  • Review and auditing, including compliance reviews, actuarial studies, and/or for fraud and abuse detection, medical reviews, legal services and compliance programs.
  • Business planning and development including cost management and planning related analyses and formulary development.
  • Business management and general administrative activities of Health Plan, including customer service and resolution of internal grievances.

In addition, the Plan may also combine health information about many Plan participants and disclose it to Washington and Lee University in summary fashion so the University can decide what coverages the Plan should provide. The Plan may remove information that identifies you from health information disclosed to Washington and Lee University so it may be used without the University learning who the specific participants are.

  • To Washington and Lee University. The Plan may disclose your PHI to designated University personnel so they can carry out their Plan-related administrative functions, including the uses and disclosures described in the Notice. Such disclosures will be made only to the University's Office of Human Resources and/or Business Office (Plan Sponsor) Staff who have Plan-related responsibilities. These individuals will protect the privacy of your health information and ensure it is used only as described in this Notice or as permitted by law. Unless authorized by you in writing, your health information: (1) may not be disclosed by the Plan to any other University employee or department and (2) will not be used by the University for any employment-related actions and decisions or in connection with any other employee benefit plan sponsored by the University. The Plan may disclose health and eligibility information, without your authorization, to Washington and Lee University for purposes of eligibility determinations, enrollment and disenrollment activities, and Plan amendments and termination. Washington and Lee University has certified to the Plan that it will protect the privacy of your health information and that it has amended the plan documents to reflect its obligation to protect the privacy and security of your health information.
  • To Other Covered Entities or to a Business Associate. Certain services are provided to the Plan by insurers, third party administrators or other vendors [including, for example, Anthem, Express Scripts, United Concordia, Pay Flex, Employee Assistance Plan, Evolve Wellness, Health Advocate, Charon Planning, and (for certain retiree benefits) TIAA/CREF, Extend Health, or ConnectYourCare]. Some of these entities are themselves covered under HIPAA, and they are directly responsible for compliance with all HIPAA Privacy and Security regulations and standards in sharing PHI with the Plan and in making any other disclosures of your PHI. Others of these entities, are known as "business associates." The Plan may disclose your PHI to these business associates in connection with their services for the Plan. (For example, the Plan may input information about your health care treatment into an electronic claims processing system maintained by the Plan's business associate so your claim may be paid. In so doing, the Plan will disclose your PHI to its business associate so it can perform its claims payment function.) However, the Plan will require all of its business associates who need to use PHI or e-PHI, through contract, to appropriately safeguard the privacy and security of your health information. As well, HIPAA requires business associates to comply directly with many of HIPAA's provisions.
  • Treatment Alternatives. The Plan may use and disclose your PHI to tell you about possible treatment options or alternatives that may be of interest to you.
  • Health-Related Benefits and Services. The Plan may use and disclose your PHI to tell you about health-related benefits or services that may be of interest to you.
  • Individual Involved in Your Care or Payment of Your Care. In limited circumstances, the Plan may disclose your PHI to a close friend or family member involved in or who helps pay for your health care. The Plan may also, upon request, advise a family member or close friend about your condition, your location (for example, that you are in the hospital), or death. If you do not want such information to be shared with these individuals, you may request that these disclosures be restricted as provided in the section of this notice dealing with your rights.
  • As Required by Law. The Plan will disclose your PHI when required to do so by federal, state, or local law, including those that require reporting of certain types of wounds or physical injuries.

Special Use and Disclosure Situations:
The Plan may also use or disclose your PHI without your authorization under the following circumstances:

  • Lawsuits and Disputes. If you become involved in a lawsuit or other legal action, the Plan may disclose your PHI in response to a court or administrative order, a subpoena, warrant, discovery request, or other lawful due process.
  • Law Enforcement. The Plan may release your PHI if asked to do so by a law enforcement official, for example, to identify or locate a suspect, material witness, or missing person or to report a crime, the crime's location or victims, or the identity, description, or location of the person who committed the crime.
  • Workers' Compensation. The Plan may disclose your PHI to the extent authorized by and to the extent necessary to comply with workers' compensation law or other similar programs.
  • Military and Veterans. If you are or become a member of the U.S. armed forces, the Plan may release medical information about you as deemed necessary by military command authorities.
  • To Avert Serious Threat to Health or Safety. The Plan may, consistent with applicable law and ethical standards of conduct, disclose your PHI if the Plan, in good faith, believes that such disclosure is necessary to prevent or lessen a serious and imminent threat to your health or safety or to the health and safety of the public.
  • Public Health Risk. The Plan may disclose health information about you for public health activities. These activities include preventing or controlling disease, injury or disability; reporting births and deaths; reporting child abuse or neglect; or reporting reactions to medication or problems with medical products or to notify people of recalls of products they have been using.
  • Emergency Situations. The Plan may disclose your PHI to a family member or other person responsible for your care in the event of an emergency, or to a disaster relief entity in the event of a disaster.
  • Personal Representative. The Plan may disclose your PHI to people you have authorized to act on your behalf, or people who have a legal right to act on your behalf. For example, parents of minor children and those having a Power of Attorney for adults.
  • Health Oversight Activities. The Plan may disclose your PHI to a health oversight agency for audits, investigations, inspections, and licensure necessary for the government to monitor the health care system and government programs.
  • Research. Under certain circumstances, and in accordance with the privacy procedures required by law, the Plan may use and disclose your PHI for medical research purposes.
  • National Security, Intelligence Activities, and Protective Services. The Plan may release your PHI to authorized federal officials: (1) for intelligence, counterintelligence, and other national security activities authorized by law; and (2) to enable them to provide protection to the members of the U.S. government or foreign heads of state; (3) to conduct special investigations; and (4) correctional institutions and inmates.
  • Organ and Tissue Donation. If you are an organ donor, the Plan may release medical information to organizations that handle organ procurement or organ, eye, or tissue transplantation or to an organ donation bank to facilitate organ or tissue donation and transplantation.
  • Coroners, Medical Examiners, and Funeral Directors. The Plan may release your PHI to a coroner or medical examiner. This may be necessary, for example, to identify a deceased person or to determine the cause of death. The Plan may also release your PHI to a funeral director, as necessary, to carry out his/her duty.

Other Uses and Disclosures of Health Information Only By Authorization:
Other uses and disclosures of health information not covered by this Notice or by law that apply to the Plan will be made only with your written authorization, including the use or disclosure of psychotherapy notes. If you authorize the Plan to use or disclose your PHI, you may revoke the authorization, in writing, at any time. If you revoke your authorization, the Plan will no longer use or disclose your PHI for the reasons covered by your written authorization; however, the Plan will not reverse any uses or disclosures already made in reliance on your prior authorization.

Once your PHI has been disclosed pursuant to your authorization, the federal privacy protections may no longer apply to the disclosed PHI, and that information may be re-disclosed by the recipient without your or the Plan's knowledge or authorization.

However, you may revoke your authorization to use or disclose PHI at any time by contacting the Privacy Officer. Such revocations of authorizations will be made on a prospective basis only.

Uses and Disclosures of Genetic Information:
The Plan is prohibited from using PHI that is genetic information for underwriting purposes with the exception of long-term care insurance if offered as part of the Plan.

Fundraising and Marketing Use of Health Information:
The Plan will NOT use or disclose your PHI for fundraising or marketing purposes, as defined by HIPAA and its implementing regulations.

Your Rights Regarding Health Information About You:
If you would like to exercise the following rights, please contact the Plan's HIPAA Privacy Official (contact information at the end of this notice) by submitting a written request. The Plan will not require you to waive your rights, nor will you be retaliated against for exercising any of these rights.

Your rights regarding the health information the Plan maintains about you are as follows:

  • Right to Inspect and Copy. You have the right to inspect and copy your PHI, generally within thirty (30) days of your request. This includes information about your plan eligibility, claim and appeal records, and billing records, but does not include psychotherapy notes. As of February 2010, if your PHI is maintained by the Plan in electronic format, you have the right to obtain a copy in electronic format and to direct that the Plan transmit the copy to an entity or person that you designate. The Plan may charge a fee for the cost of copying and/or mailing your request. In limited circumstances, the Plan may deny your request to inspect and copy your PHI. Generally, if you are denied access to health information, you may request a review of the denial.
  • Right to Amend. If you feel that health information the Plan has about you is incorrect or incomplete, you may ask the Plan in writing to amend it. You have the right to request an amendment for as long as the information is kept by or for the Plan. You must provide the reason(s) to support your request. Generally, the Plan has sixty (60) days to respond to your request, advising you of whether the amendment has been accepted or denied and informing you of details relevant to the acceptance or denial of your request. The Plan may deny your request if you ask the Plan to amend health information that was: (1) accurate and complete; (2) not created by the Plan; (3) not part of the health information kept by the Plan; or (4) not information that you would be permitted to inspect or copy. If your request is denied, you have the right to submit a statement disagreeing with the denial. The Plan must keep a copy of your request for amendment and any statement disagreeing with the denial of the amendment with your PHI and must disclose such documents when it discloses the PHI that is the subject of the requested amendment.
  • Right to an Accounting of Disclosures. You have the right to request in writing an "accounting of disclosures." This is a list of disclosures of your PHI that the Plan has made to others, except for those necessary to carry out health care treatment, payment, or operations; disclosures made to you or under an authorization you provided; or in certain other situations in accordance with HIPAA law and regulations. Your request must state a time period for which you are requesting the information, but may not start earlier than April 14, 2004. Accounting requests may not be made for periods of time going back more than six (6) years. Generally, the Plan has sixty (60) days to respond to your request, and the accounting should include the date of each disclosure, the name and address of the person/entity to whom PHI was disclosed, a brief description of the PHI disclosed, and the purpose for the disclosure or a copy of the written request for disclosure. The Plan will provide the first accounting you request during any 12-month period without charge. Subsequent accounting requests may be subject to a reasonable cost-based fee. The Plan will inform you in advance of the fee, if applicable. If the Plan uses or maintains your PHI in an electronic health record (created by health care clinicians or staff and transferred to the Plan), you may have a right to an additional, limited accounting of disclosures of such an electronic health record made for payment, treatment, or health care operations, in accordance with the amendments to HIPAA under the American Recovery and Reinvestment Act of 2009 and implementing regulations. You have the right to be notified in the event that the Plan or a business associate discovers a breach of unsecured PHI. In addition, you have a right to receive reports of any security incidents that Washington and Lee University becomes aware of as required under the Security Rules.
  • Right to Request Restrictions. You have the right to request in writing a restriction on the health information the Plan uses or discloses about you for treatment, payment, or health care operations. You also have the right to request a limit on the health information the Plan discloses about you to someone who is involved in your care or the payment for your care, like a family member or friend. For example, you could ask that the Plan not use or disclose information about a surgery you had. You must advise us: (1) what information you want to limit; (2) whether you want to limit the Plan's use, disclosure, or both; and (3) to whom you want the limit(s) to apply. Note: The Plan is not required to agree to your request, except in circumstances after February 2010 where you are requesting that PHI not be disclosed to a health plan for payment or health care operations if the PHI relates solely to a service or item for which you have paid for in full out of pocket .
  • Right to request Confidential Communications. You have the right to request in writing that the Plan communicate with you about your health matters by certain means or at a certain location. For example, you can ask that the Plan only communicate with you at a certain telephone number or by email, or at a specific address. The Plan will accommodate all reasonable requests. Your request must specify that disclosure of all or part of the information could endanger you, how or where you wish to be contacted and, where applicable, how payment will be handled.
  • Right to a Paper Copy of this Notice. You have the right to a paper copy of this Notice.

Changes to this Notice:

The Plan reserves the right to change this Notice at any time and to make the revised or changed Notice effective for health information the Plan already has about you, as well as any information the Plan receives in the future. If the Plan materially changes its privacy or security policies and practices, the Plan will revise this Notice and will provide a copy of the revised Notice to you within 60 days of the change by mail to your last-known address on file, or the Plan will post a copy of the revised Notice prominently on the Human Resources web page by the effective date of the material change and then provide a hard copy of the revised notice (or information about the material change and how to obtain the revised notice) in its next annual mailing.

If you believe your privacy rights under this policy have been violated, you may file a written complaint with the Plan's Privacy Official at the address listed below. Alternatively, you may complain to the Secretary of the U.S. Department of Health and Human Services, generally, within 180 days of when the act or omission complained of occurred. Note: You will not be penalized or retaliated against for filing a complaint with the Plan or the Department of Health and Human Services.

Amy Diamond Barnes, Privacy Official
Executive Director of Human Resources
Office of Human Resources
Washington and Lee University
204 West Washington Street
Lexington, VA 24450
Tele: (540) 458-8920

The Privacy Official will investigate any complaint and, in the event a violation of these and/or other applicable University privacy policies, procedures and practices is found (including but not limited to the University's Confidentiality Policy), will take prompt action to see that the responsible person(s) is/are disciplined, up to and including termination. The Plan will take all reasonable steps to mitigate any harmful effect resulting from known violations of its privacy policies, procedures and practices.

Current Amended Notice Effective Date: September 23, 2013
Prior Amended Notice Effective Date: September 30, 2012
Prior Amended Notice Effective Date: October 14, 2011
Prior Amended Notice Effective Date: November 15, 2009
Original Notice Effective Date: April 14, 2004