HIPAA Compliance and Important Notices

HIPAA Compliance

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) has several required components that have been enacted in stages since 1996. The latest provision of HIPAA now implemented by the Benefits Office incorporates changes mandated by the Genetic Information Nondiscrimination Act (GINA). While the Benefits Office has always treated health information with the utmost care, HIPAA requires that we issue notification of U of M’s compliance with HIPAA privacy rules.

The Benefits Office uses PHI for determining benefits eligibility and to enable the general administration of your health and dental benefits. The Benefits Office is committed to continuing to use the utmost care in handling this information to ensure its privacy and security.

Please read U-M’s Commitment to HIPAA Compliance and the Privacy Notice which explain how the Benefits Office and the university use and protect PHI. We urge you to read this information carefully and call the SSC Contact Center at 5-2000 from the Ann Arbor campus, 734-615-2000 locally, or 866-647-7657 toll free, Monday through Friday from 8 a.m. to 5 p.m. if you have any questions.

Compliance with HIPAA Privacy Regulations Concerning Employee Health Plans

The University of Michigan, as the plan sponsor of your employee health benefit plans (Employee Plans/Affiliated Plans), makes the following commitments as required by HIPAA:

  1. We will use protected health information (PHI as defined in HIPAA) as needed to carry out our responsibilities as the plan sponsor of the Employee Plans, provided such uses and disclosures are consistent with the requirements of HIPAA.
  2. We will not use or further disclose any PHI except as permitted or required to carry out our responsibilities as plan sponsor.
  3. We will require any agents, including subcontractors who assist us in plan administration, and receive PHI, to agree to the same restrictions, conditions and protections that we follow with respect to such information. This includes any agent or subcontractor such as a third party administrator, pharmacy benefit administrator or consultant that receives PHI we may receive from Employee Plans.
  4. We will not use or disclose PHI obtained as the plan sponsor, for employment related actions and decisions or in connection with any other benefit or employee benefit plan of the university.
  5. We will use de-identified aggregate data to improve the health of the workforce and to promote wellness or other health improvement programs.
  6. We will report to the Employee Plans any use or disclosure of PHI that is inconsistent with the uses or disclosures provided for of which we become aware.
  7. We will make PHI available to you as an Employee Plan member.
  8. We will make PHI available to the Employee Plans for amendment and will incorporate any amendments as required.
  9. We will make the information available when required for an accounting of disclosures.
  10. We will make our internal practices, books and records relating to the use and disclosure of PHI received from the Employee Plans available to the Secretary of Health and Human Services for purposes of assessing compliance by Employee Plans with HIPAA.
  11. We will, if feasible, return or destroy all PHI received from the Employee Plans that we maintain in any form. We will not retain copies of such information when no longer needed for the purpose for which it was disclosed. If destruction or return is not feasible we will limit any further uses of the information to those purposes that make the return or destruction infeasible.
  12. While any employee of the University of Michigan who has a need to access or use PHI as the university carries out its plan administration responsibilities may receive PHI, PHI will generally only be disclosed to employees in the Benefits Office and then only the minimum necessary amount will be disclosed. Any University of Michigan employee accessing or using PHI may do so only in carrying out the plan administration functions that the university performs for the employee plans.
  13. If there is any non-compliance with the required commitments to the Employee Plans, the issue of noncompliance will immediately be brought to the attention of the Benefits Office Director and the University of Michigan Privacy Officer for immediate attention.

HIPAA-Covered Health Plans

Privacy Rules under the Health Insurance Portability and Accountability Act (HIPAA), apply to participants in certain types of health plans.   The general types of health plans covered by HIPAA’s privacy rules include medical plans, prescription drug plans, dental plans, vision plans, health care flexible spending accounts, and long-term care insurance policies.

The university is obligated under HIPAA to provide participants in these self-insured plans with a Notice of Privacy Practices (NPP):

  • Blue Cross Blue Shield of Michigan Community Blue PPO
  • Comprehensive Major Medical Plan (administered by Blue Cross Blue Shield of Michigan)
  • GradCare (administered by BCN Service Company)
  • U-M Premier Care  (administered by BCN Service Company)
  • University of Michigan Dental Plan (administered by Delta Dental of Michigan)
  • University of Michigan Prescription Drug Plan (administered by MedImpact and NoviXus Pharmacy Services)
  • University of Michigan Health Care Flexible Spending Account Plan (administered by PayFlex)

If you are a participant in any of the university sponsored insured health plans listed below, you will also receive a Notice of Privacy Practices directly from that plan:

  • Health Alliance Plan HMO
  • John Hancock Long-Term Care Insurance
  • Davis Vision Plan

For additional information on HIPAA legislation, visit the Health and Human Services website at cms.gov.

HIPAA Privacy Notice

Read the University of Michigan HIPAA Notice of Privacy Practices.