Wesleyan University Health Plans Privacy Notice


Summary: The Health Insurance Portability and Accountability Act of 1996 (HIPAA) requires health plans to notify plan participants and beneficiaries about the policies and practices the plans have adopted in order to protect the confidentiality of health information. This notice describes the health information policy for health information created, received, or maintained by Wesleyan University health plans, including the Wesleyan health, dental, vision, retiree health and medical expenses reimbursement account (MERA) plans. This notice is intended to satisfy HIPAA’s notice requirement.

Wesleyan health plans need to create, receive, and maintain records that contain health information in order to administer the plans and provide health care benefits. This notice describes:

  • Ways the plans may use and disclose protected health information.
  • Your rights with respect to this information.
  • Obligations the plans have regarding the use and disclosure of protected health information.

This notice does not, however, address the health information policies or practices of health care providers.

Wesleyan Health Plans Pledge Regarding Health Information Privacy

The privacy policy and practices of Wesleyan health plans protect confidential health information that relates to a physical or mental health condition or the payment of health care expenses, and that identifies you or could be used to identify you. This information is known as "protected health information". Your protected health information will not be used or disclosed without a written authorization from you, except as described in this notice. Protected health information for HIPAA purposes does not include medical information Wesleyan maintains in its role as an employer as opposed to its role as a health plan sponsor. This information includes medical information Wesleyan needs to carry out its obligations under the Family and Medical Leave Act (FMLA), the Americans with Disabilities Act (ADA), and similar laws; as well as medical information related to requests for workers' compensation, disability benefits or sick leave; and medical information related to fitness-for-duty tests. Wesleyan will, however, maintain the confidentiality of this kind of information as it has in the past, and it will only be used for employment-related purposes.

Privacy Obligations of Wesleyan Health Plans

Wesleyan health plans are required by law to:

  • Make certain that protected health information is kept private as provided in this notice.
  • Give you this notice of the plans’ legal obligations, and their policies and privacy practices, concerning protected health information.
  • Follow the terms of their current privacy notice.

This notice is provided to you on behalf of the Wesleyan University Group Insurance Program.

The Plan’s Duty to Safeguard Your Protected Health Information

Individually identifiable information about your past, present, or future health or condition, the provision of health care to you, or payment for the health care is considered “Protected Health Information” (“PHI”). The Plan is required to extend certain protections to your PHI, and to give you this notice about its privacy practices that explains how, when, and why the Plan may use or disclose your PHI. Except in specified circumstances, the Plan may use or disclose only the minimum necessary PHI to accomplish the purpose of the use or disclosure.

The Plan is required to follow the privacy practices described in this notice, though it reserves the right to change those practices and the terms of this notice at any time. If it does so, and the change is material, you will receive a revised version of this Notice either by hand delivery, mail delivery to your last known address, or some other fashion. This notice, and any material revisions of it, will also be provided to you in writing upon your request (ask your Human Resources representative, or contact the Plan’s Privacy Official, described below), and will be posted on any website maintained by Wesleyan University that describes benefits available to employees and dependents.

You may also receive one or more other privacy notices from insurance companies that provide benefits under the Plan. Those notices will describe how the insurance companies use and disclose PHI and your rights with respect to the PHI they maintain.

How the Plan May Use and Disclose Your Protected Health Information

The Plan uses and discloses PHI for a variety of reasons. For its routine uses and disclosures it does not require your authorization, but for other uses and disclosures, your authorization (or the authorization of your personal representative, e.g., a person who is your custodian, guardian, or has your power-of-attorney) may be required. The following offers more description and examples of the Plan’s uses and disclosures of your PHI.

Uses and Disclosures Relating to Treatment, Payment, or Health Care Operations.

  • Treatment: Generally, and as you would expect, the Plan is permitted to disclose your PHI for purposes of your medical treatment. Thus, it may disclose your PHI to doctors, nurses, hospitals, emergency medical technicians, pharmacists, and other health care professionals where the disclosure is for your medical treatment. For example, if you are injured in an accident, and it’s important for your treatment team to know your blood type, the Plan could disclose that PHI to the team in order to allow it to more effectively provide treatment to you.
  • Payment: Of course, the Plan’s most important function, as far as you are concerned, is that it pays for all or some of the medical care you receive (provided the care is covered by the Plan). In the course of its payment operations, the Plan receives a substantial amount of PHI about you. For example, doctors, hospitals, and pharmacies that provide you care send the Plan detailed information about the care they provided, so that they can be paid for their services. The Plan may also share your PHI with other plans in certain cases. For example, if you are covered by more than one health care plan (e.g., covered by this Plan and your spouse’s plan or covered by the plans covering your father and mother), we may share your PHI with the other plans to coordinate payment of your claims.
  • Health Care Operations: The Plan may use and disclose your PHI in the course of its “health care operations.” For example, it may use your PHI in evaluating the quality of services you received or disclose your PHI to an accountant or attorney for audit purposes. In some cases, the Plan may disclose your PHI to insurance companies for purposes of obtaining various insurance coverages. However, the Plan will not disclose, for underwriting purposes, PHI that is genetic information.

Other Uses and Disclosures of Your PHI Not Requiring Authorization. The law provides that the Plan may use and disclose your PHI without authorization in the following circumstances:

  • To the Plan Sponsor: The Plan may disclose PHI to the employers (such as Wesleyan University) who sponsor or maintain the Plan for the benefit of employees and dependents. However, the PHI may only be used for limited purposes, and may not be used for purposes of employment-related actions or decisions or in connection with any other benefit or employee benefit plan of the employers. PHI may be disclosed to: the human resources or employee benefits department for purposes of enrollments and disenrollments, census, claim resolutions, and other matters related to Plan administration; payroll department for purposes of ensuring appropriate payroll deductions and other payments by covered persons for their coverage; information technology department, as needed for preparation of data compilations and reports related to Plan administration; finance department for purposes of reconciling appropriate payments of premium to and benefits from the Plan, and other matters related to Plan administration; internal legal counsel to assist with resolution of claim, coverage, and other disputes related to the Plan’s provision of benefits.
  • To the Plan’s Service Providers: The Plan may disclose PHI to its service providers (“business associates”) who perform claim payment and plan management services. The Plan requires a written contract that obligates the business associate to safeguard and limit the use of PHI.
  • Required by Law: The Plan may disclose PHI when a law requires that it report information about suspected abuse, neglect, or domestic violence, or relating to suspected criminal activity, or in response to a court order. It must also disclose PHI to authorities that monitor compliance with these privacy requirements.
  • For Public Health Activities: The Plan may disclose PHI when required to collect information about disease or injury, or to report vital statistics to the public health authority.
  • For Health Oversight Activities: The Plan may disclose PHI to agencies or departments responsible for monitoring the health care system for such purposes as reporting or investigation of unusual incidents.
  • Relating to Decedents: The Plan may disclose PHI relating to an individual’s death to coroners, medical examiners, or funeral directors, and to organ procurement organizations relating to organ, eye, or tissue donations or transplants.
  • For Research Purposes: In certain circumstances, and under strict supervision of a privacy board, the Plan may disclose PHI to assist medical and psychiatric research.
  • To Avert Threat to Health or Safety: In order to avoid a serious threat to health or safety, the Plan may disclose PHI as necessary to law enforcement or other persons who can reasonably prevent or lessen the threat of harm.
  • For Specific Government Functions: The Plan may disclose PHI of military personnel and veterans in certain situations, to correctional facilities in certain situations, to government programs relating to eligibility and enrollment, and for national security reasons.

Uses and Disclosures Requiring Authorization: For uses and disclosures beyond treatment, payment, and operations purposes, and for reasons not included in one of the exceptions described above, the Plan is required to have your written authorization. For example, uses and disclosures of psychotherapy notes, uses and disclosures of PHI for marketing purposes, and disclosures that constitute a sale of PHI would require your authorization. Your authorization can be revoked at any time to stop future uses and disclosures, except to the extent that the Plan has already undertaken an action in reliance upon your authorization.

Uses and Disclosures Requiring You to Have an Opportunity to Object: The Plan may share PHI with your family, friend, or other person involved in your care, or payment for your care. We may also share PHI with these people to notify them about your location, general condition, or death. However, the Plan may disclose your PHI only if it informs you about the disclosure in advance and you do not object (but if there is an emergency situation and you cannot be given your opportunity to object, disclosure may be made if it is consistent with any prior expressed wishes and disclosure is determined to be in your best interests; you must be informed and given an opportunity to object to further disclosure as soon as you are able to do so).

Your Rights Regarding Your Protected Health Information

You have the following rights relating to your protected health information:

  • To Request Restrictions on Uses and Disclosures: You have the right to ask that the Plan limit how it uses or discloses your PHI. The Plan will consider your request, but is not legally bound to agree to the restriction. To the extent that it agrees to any restrictions on its use or disclosure of your PHI, it will put the agreement in writing and abide by it except in emergency situations. The Plan cannot agree to limit uses or disclosures that are required by law.
  • To Choose How the Plan Contacts You: You have the right to ask that the Plan send you information at an alternative address or by an alternative means. To request confidential communications, you must make your request in writing to the Privacy Official. We will not ask you the reason for your request. Your request must specify how or where you wish to be contacted. The Plan must agree to your request as long as it is reasonably easy for it to accommodate the request.
  • To Inspect and Copy Your PHI: Unless your access is restricted for clear and documented treatment reasons, you have a right to see your PHI in the possession of the Plan or its vendors if you put your request in writing. The Plan, or someone on behalf of the Plan, will respond to your request, normally within 30 days. If your request is denied, you will receive written reasons for the denial and an explanation of any right to have the denial reviewed. If you want copies of your PHI, a charge for copying may be imposed but may be waived, depending on your circumstances. You have a right to choose what portions of your information you want copied and to receive, upon request, prior information on the cost of copying.
  • To Request Amendment of Your PHI: If you believe that there is a mistake or missing information in a record of your PHI held by the Plan or one of its vendors, you may request in writing that the record be corrected or supplemented. The Plan or someone on its behalf will respond, normally within 60 days of receiving your request. The Plan may deny the request if it is determined that the PHI is: (i) correct and complete; (ii) not created by the Plan or its vendor and/or not part of the Plan’s or vendor’s records; or (iii) not permitted to be disclosed. Any denial will state the reasons for denial and explain your rights to have the request and denial, along with any statement in response that you provide, appended to your PHI. If the request for amendment is approved, the Plan or vendor, as the case may be, will change the PHI and so inform you, and tell others that need to know about the change in the PHI.
  • To Find Out What Disclosures Have Been Made: You have a right to get a list of when, to whom, for what purpose, and what portion of your PHI has been released by the Plan and its vendors, other than instances of disclosure for which you gave authorization, or instances where the disclosure was made to you or your family. In addition, the disclosure list will not include disclosures for treatment, payment, or health care operations. The list also will not include any disclosures made for national security purposes, to law enforcement officials or correctional facilities, or before the date the federal privacy rules applied to the Plan. You will normally receive a response to your written request for such a list within 60 days after you make the request in writing. Your request can relate to disclosures going as far back as six years. There will be no charge for up to one such list each year. There may be a charge for more frequent requests.

Contact Information

If you have any questions about this notice, please contact:

Lisa D. Brommer

Associate Vice President for Human Resources
Wesleyan University
212 College Street
Middletown, CT 06459
Telephone Number: 860 685 2100
Notice Effective Date: August 22, 2019