NOTICE OF PRIVACY PRACTICES
THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION
REVIEW IT CAREFULLY. THE PRIVACY OF YOUR MEDICAL INFORMATION IS IMPORTANT TO US
OUR LEGAL DUTIES
Triple-S Salud, Inc. is required by law to maintain the privacy of your medical information. This notice informs you on our privacy practices and your rights regarding your medical information. As part of Triple-S Salud legal duties we are require to provide subscriber of this notice. We will follow the privacy practices described in this notice while it is in effect.
This notice contains some examples of the types of information we collect and describe the types of uses and disclosures we execute, and your rights.
This notice provides examples for illustrative purposes and shall not be construed as a complete listing of such uses and disclosures.
Triple-S Salud is required to abide by the terms of this Notice. However, we reserve the right to change our privacy practices and the terms of this notice. Before we make a significant change in our privacy practices, we will change this notice and send an updated notice to our active subscribers. This privacy notice is effective from September 1, 2019 on
SUMMARY OF PRIVACY PRACTICES
Our pledge is to limit to the minimum necessary the information we collect in order to administer your insurance products or benefits. As part of our administrative functions, we may collect your personal, financial or health information from sources such as:
- Applications and other documents you have provided to obtain a product or insurance service;
- Transactions you make with us or our affiliates;
- Consumer credit reporting agencies;
- healthcare providers;
- Government health programs
Protected Health information (PHI) is information that can identify you (name, last name, social security number); including demographic information (like address, zip code), obtained from you through a request or other document in order to obtain a service, created and received by a health care provider, a medical plan, intermediaries who submit claims for medical services, business associates, and that is related to (1) your health and physical or mental condition, past, present, or future; (2) the provision of medical care to you, or (3) past, present, or future payments for the provision of such medical care. For purposes of this Notice, this information will be called PHI. This Notice of Privacy Practices has been written and amended, so that it will comply with the HIPAA Privacy Regulation. Any term not defined in this Notice will hold the same meaning as in the HIPAA Privacy Regulation. We have also implemented policies and procedures for the handling of PHI, which you may examine, at your request.
We do not use or disclose genetic information for underwriting purposes.
LAWS AND REGULATIONS
HIPAA: Health Insurance Portability and Accountability Act of 1996 implements rules relating to the use, storage, transmission, and disclosure of protected health information pertaining to beneficiaries in order to standardize communications and protect the privacy and security of personal, financial and health information.
HITECH: The Health Information Technology for Economic and Clinical Health Act of 2009, promotes the adoption and meaningful use of health information technology. It also addresses privacy and security concerns associated with
the electronic transmissions of health information, in part, through several provisions that strengthen the civil and criminal enforcement of the HIPAA rules.
Privacy and Security Rule: Standards for Privacy of Individually Identifiable Health, as well as Security Standards for the Protection of Electronic Protected Health Information are guided through 45 C.F.R. Part 160 and Part 164.
ORGANIZATION COVERED BY THIS NOTICE
USES AND DISCLOSURES OF INFORMATION
Triple-S Salud will not disclose or use your information for any other purpose other than those mentioned in this notice unless you provide written authorization. You may revoke the authorization in writing at any time, but your revocation will not affect any use or disclosure permitted by your authorization while it was in effect. Triple-S will not disclose information for fundraising activities.
Triple-S Salud may use and disclose PHI for the following:
Disclosures to you: We are required to disclose to you most of your PHI. This includes, but is not limited to, all information related to your claims history and utilization report. For example: You have the right to request claims history, prescription history and any other information that is related to your protected health information.
As part of our administrative functions, we may use or disclose your information, without your authorization, for treatment, payment and healthcare operations, and when authorized or permitted by law. For example:
Treatment: To a physician or other health care provider who provides you medical services including treatment, services coordination, monitoring of your health and other services related. For example, the plan may disclose your medical information to your provider to coordinate your treatment.
Payment: To pay your medical claims, to determine your eligibility for benefits, to coordinate your benefits with other payers, or to collect premiums, and other related activities. For example, the plan may use or disclose information to pay claims related to health services received by you or to provide eligibility information to your health care provider when you receive treatment.
Health Care Operations: For audits, legal services, including fraud and abuse detection, compliance, business planning, general administration, and patient safety activities, credentialing, disease management, training of medical students. For example: The plan may use or disclose your health information to communicate with you to provide reminders of meetings, appointments or treatment information.
We may disclose your medical information to another health plan or to a health care provider subject to federal or local privacy protection laws, as long as the plan or provider has or had a relationship with you.
Affiliated Covered Entities: In order to perform our duties as insurance or benefit administrator, we may use or disclose PHI with the following entity: Triple-S Advantage, Inc.
Business Associate: Triple-S Salud may use and disclose your personal information to our business associates, who provide services on our behalf and contribute in the administration or coordination of your services.
Your Employer, union or other employee organization: Triple-S Salud may disclose summarize health information to your employer on whether you are enrolled or disenrolled in the health plan your employer sponsors. The summary of health information may include aggregated claims history, claims expenses or types of claims experienced by the enrollees in your group health plan to be used for the administration of the group health plan.
For Research: We may use or disclose your PHI for research purposes, if an Institutional Review Board or an Ethics Committee, has reviewed the research proposal and has established protocols to protect your information’s confidentiality, and has approved the research as part of a limited data set, which does not include individual identifiers.
Required by Law: We may use or disclose your PHI whenever Federal, State, or Local Laws require its use or disclosure. In this Notice, the term “as required by Law” is defined the same as in the HIPAA Privacy regulation. For these purposes your authorization or opportunity to agree or object will not be required. The information will be disclosed in compliance with the safeguards established and required by law.
Legal proceedings: We may use or disclose your PHI during the course of any judicial or administrative proceedings in response to an order from a court or administrative tribunal (provided that the covered entity discloses only the PHI expressly specified by such order); or in response to a subpoena, discovery request, or other lawful process.
Forensic Pathologists, Funeral directors, and organ donation cases: We may use or disclose your PHI to a medical examiner (Pathologist) for the purpose of identifying a deceased person, determining a cause of death, or other duties authorized by law. We may also disclose your information to a funeral director, as necessary to carry out its duties with respect to a decedent and to other entities engaged in the procurement, banking, or transplantation of cadaveric organs, eyes, or tissue.
Worker’s compensation: We may use or disclose your PHI to comply with laws relating to workers’ compensation or other similar programs, established by law, that provide benefits for work-related injuries or illness without regard to fault.
Disaster relief or emergency situations, Government Sponsored Benefits Programs: We may disclose your PHI to a public or private entity authorized by law or statutes involved in an effort to help disaster. In this way, your family can be notified about your health condition and location in case of disaster or an emergency.
Monitoring activities of regulatory agencies: We may disclose medical information to a regulatory agency such as the Department of Health (DHHS) for audit purposes, monitoring of regulatory compliance, investigations, inspections or license. These disclosures may be necessary for certain state and federal agencies to monitor the health care system agencies, government programs and the compliance with civil rights laws.
Public Health and Safety Activities: We may use and disclose your medical information when required or permitted by law for the following activities, for these purposes your authorization or opportunity to agree or object will not be required:
- Public health, including to report disease and vital statistics, for specialized government functions, among others;
- Healthcare oversight, fraud prevention and compliance;
- To report child and/or adult abuse or domestic violence;
- Regulators Agency activities;
- In response to court and administrative orders;
- To law enforcement officials or matters of national security;
- To prevent an imminent threat to public health or safety;
- For cadaveric organ, eye or tissue donation purposes;
- For statistical investigations and research purposes;
- About descendant purposes;
- As otherwise required by applicable laws and regulations
Military activity, national security, protective services: We may disclose your PHI to appropriate military command authorities if you are a member of the Armed Forces, or a veteran. Also, to authorized federal officials for the conduct of national security activities, lawful intelligence, counter-intelligence, or other national security and intelligence activities for the protection of the President, and other authorities, or heads of state.
Health-Related Products and Services: We may use your medical information to inform you about health-related products, benefits and services we provide or include in our benefits plan, or treatment alternatives that may be of interest to you. We will call or send you reminders of your medical appointments or the preventive services that you need according to your age or health condition.
With Your Authorization: You may give us a written authorization to disclose and permit access to your health information to anyone for any purpose. Activities such as marketing of non-health related products or services or the sale of health information must be authorized by you. In these cases, your health insurance policy and your benefits will not be affected if you deny the authorization.
The authorization must be signed and dated, it must mention the entity authorized to provide or receive the information, and a brief description of the data to be disclosed. The expiration date will not exceed 2 years from the date on which it was signed, except if you signed the authorization for one of the following purposes:
- to substantiate a request for benefits under a life insurance policy, its reinstallation or modifications to such policy, in which case the authorization will be valid for thirty (30) months or until the application is denied, the earlier of the two events; or
- to substantiate or facilitate the communication of an ongoing treatment of a chronic disease or rehabilitation of an injury.
The information disclosed pursuant to the authorization provided by you may be disclosed by the recipient of the same and not be protected by the applicable privacy laws. You may revoke the authorization in writing at any time, but your revocation will not affect any use or disclosure permitted by your authorization while it was in effect. We will keep copies of the authorizations and revocations executed by you.
Family and Friends Involved in Your Care or Payment for Care: Unless you request a restriction, we may disclose limited information about you to family members or friends who are involved in your medical care or who are responsible for paying for medical services.
Before we disclose your health information to any person related to your medical care or payment for health services, we will provide you with the opportunity to object to such disclosure. If you are not present, disabled or an emergency situation, we will use our professional judgment in the disclosure of information that we understand will be in your best interest.
Terminated accounts: We will not share the data of persons who are no longer our customers or who do not maintain a service relationship with us, except as required or permitted by law.
YOU HAVE THE FOLLOWING RIGHTS REGARDING YOUR PHI
Access: You have the right to examine and receive an electronic or paper copy of your protected health, personal or financial information, with regards to enrollment and medical claims within the limits and exceptions provided by law. You must make a written request. Upon receipt of your request, we will have thirty (30) days to do any of the following activities:
- request for additional time
- provide the requested information or allow you to examine your information during working hours
- inform you that we do not have the requested information, in which case, we will orient you where to find it if we know the source
- deny the request, partially or in its entirety, because the information originates from a confidential source or was compiled in anticipation of a legal proceeding, investigations by law enforcement agencies or the anti-fraud unit or quality assurance programs which disclosures are prohibited by law. We will notify you in writing the reasons for the denial, except in the event there’s an ongoing investigation or in anticipation of a legal proceeding.
The first report will be free of charge, but we may charge you reasonable, cost-based fees for subsequent reports.
Disclosure accounting: You have the right to a list of instances in which we disclose your protected health information for purposes other than treatment, payment, health care operations, or as authorized by you. The report will provide the name of the entity to which we disclosed your information, the date and purpose of the disclosure and a brief description of the data disclosed. If you request this accounting more than once in a 12-month period, we may charge you the costs of processing the additional request (s). The report only covers the last six (6) years.
Restriction: You have the right to request that we restrict our use or disclosure of your medical information.
We are not required to agree to your request. If we do agree, we will abide by our agreement, except in a medical emergency or as required or authorized by law. Any agreement we may make to a request for restriction must be in writing signed.
Confidential communication: You have the right to request that we communicate with you about your medical information in confidence by alternative means or to alternative locations. You must make your request in writing. We will accommodate your request if it is reasonable.
Amendment: You have the right to request that we correct your medical information. Your request must be in writing, and it must include explanation or evidence that justify the amendment request. We will respond to your request within 60 days. If additional time is needed, we will notify you in written request an additional period of 30 days.
We may deny your request if we do not originate the information you request to be amended and the originator is available to receive your request, or for other reasons. If we deny your request, we will provide you with a written explanation. You have the right to send a statement of disagreement and demand it be included with our determination for any future disclosures. If we accept your request, we will make the reasonable efforts to inform others, including our business associates, and we will include the amendment in any future disclosure of such information
Notice of privacy and security breaches in which your health information may be at risk: We will let you know promptly if a breach occurs that may have compromised the privacy, security or confidentiality of your information.
Electronic notice: If you receive this notice on our web site www.ssspr.com or by e-mail, you are entitled to receive this notice in written form.
QUESTION AND COMPLAINTS
If you want more information about our privacy practices or have questions or concerns, please contact us. All the forms to exercise your rights are available at: www.ssspr.com
If you are concerned that we or any of our business associates may have violated your privacy rights, or you disagree with a decision we made about access to your health information, in response to a request you made to amend, restrict the use or disclosure of, or communicate in confidence about your medical information, you have the right to file a complaint with us to the following address:
Contact Office: Compliance Department
Attention: Privacy Officer
Phone Number: (787) 620-1919
Fax: (787) 993-3260
Address: P. O. Box 11320 San Juan, PR 00922
You also may submit a written complaint to the Office for Civil Rights (OCR) of the United States Department of Health and Human Services (DHHS) to the following address:
U.S. Department of Health and Human Services
200 Independence Avenue, S.W
Room 509F HHH Bldg.
Washington, D.C. 20201
Email to OCRComplaint@hhs.gov
Customer Response Center: (800) 368-1019 Fax: (202) 619-3818 TDD: (800) 537-7697
We support your right to the privacy of your medical information. We will not retaliate in any way if you choose to file a complaint with us or with the OCR.
Si interesa recibir copia de este aviso en español, envíe su solicitud a la dirección arriba indicada o visite nuestra página www.ssspr.com
Notice of Privacy Practice Revision date: Mayo 2019