HIPAA Privacy Practices
Updated: 2/16/2026
Contact Information
If you have questions about this Notice or our privacy practices, contact:
GAHSF HIPAA Privacy Officer / Director of Human Resources
GAHSF
Attention: HIPAA Privacy Officer
220 N First
Wheeling, IL 60090
Effective Date
This Notice, as revised, is effective: FEBRUARY 15, 2026
Our Responsibilities
We are required by law to:
- maintain the privacy of your PHI
- provide you with certain rights regarding your PHI
- provide you with a copy of this Notice of our legal duties and privacy practices
- follow the terms of the Notice currently in effect
We reserve the right to change the terms of this Notice and to make new provisions regarding your PHI we maintain, as allowed or required by law.
If we make a material change, we will provide you with a copy of the revised Notice of Privacy Practices.
You may also obtain the most recent version by contacting the Privacy Officer (above) or via our intranet at: https://tinyurl.com/GAWELL
Except as provided within this Notice, we may not disclose your PHI without your prior authorization.
How We May Use and Disclose Your PHI
Under the law, we may use or disclose your PHI without your permission in certain circumstances.
The categories below describe the ways we may use and disclose PHI. Not every use or disclosure is listed; however, all permitted uses and disclosures fall within one of these categories.
For Treatment
We may use or disclose your PHI to facilitate medical treatment or services by providers.
We may disclose medical information about you to providers involved in your care, including doctors, nurses, technicians, medical students, or other personnel.
Example: We might disclose information about prior prescriptions to a pharmacist to determine whether a pending prescription is inappropriate or dangerous.
For Payment
We may use or disclose your PHI to:
- determine eligibility for Plan benefits
- facilitate payment for treatment and services you receive
- determine benefit responsibility under the Plan
- coordinate Plan coverage
Examples:
- We may share medical history to determine whether a treatment is experimental, investigational, or medically necessary.
- We may share PHI with utilization review or precertification service providers.
- We may share PHI with another entity for adjudication/subrogation, or with another health plan to coordinate benefit payments.
For Health Care Operations
We may use and disclose your PHI for Plan operations necessary to run the Plan.
Examples include:
- quality assessment and improvement activities
- underwriting, premium rating, and other activities relating to Plan coverage
- submitting claims for stop-loss (or excess-loss) coverage
- medical review, legal services, audit services
- fraud & abuse detection programs
- business planning/cost management and general administrative activities
Genetic Information: The Plan is prohibited from using or disclosing genetic information for underwriting purposes.
To Business Associates
We may contract with individuals or entities (“Business Associates”) to perform functions on our behalf.
Business Associates may receive, create, maintain, use, and/or disclose your PHI only after they agree in writing to appropriate safeguards.
Example: We may disclose PHI (including SUD treatment records) to a Business Associate to administer claims or provide services such as utilization management, pharmacy benefit management, or subrogation—only after a Business Associate Agreement is in place.
As Required by Law
We will disclose your PHI when required by federal, state, or local law.
Example: Disclosures required by national security laws or public health disclosure laws.
To Avert a Serious Threat to Health or Safety
We may use or disclose your PHI when necessary to prevent a serious threat to your health and safety, or that of the public or another person. Disclosures will be made only to someone able to help prevent the threat.
Example: Disclosure in a proceeding regarding physician licensure.
To Plan Sponsors
For Plan administration, we may disclose PHI to certain employees of the Employer.
Those employees may use/disclose PHI only as necessary for Plan administration or as required by HIPAA, unless you authorize additional disclosure.
Employment Use Restriction: Your PHI cannot be used for employment purposes without your specific authorization.
Special Situations
In addition to the above, we may use/disclose PHI in the following situations.
Organ and Tissue Donation
If you are an organ donor, we may release PHI to organizations involved in organ procurement/transplantation or an organ donation bank as necessary.
Military and Veterans
If you are a member of the armed forces, we may release PHI as required by military command authorities, and may release PHI about foreign military personnel to appropriate foreign military authorities.
Workers’ Compensation
We may release PHI for workers’ compensation or similar programs providing benefits for work-related injuries or illness.
Public Health Risks
We may disclose PHI for public health actions, including:
- preventing/controlling disease, injury, or disability
- reporting births and deaths
- reporting child abuse or neglect
- reporting reactions to medications or product problems
- notifying people of product recalls
- notifying persons exposed to disease or at risk of contracting/spreading disease
- notifying authorities if we believe a patient is a victim of abuse, neglect, or domestic violence (only if you agree or as required/authorized by law)
Health Oversight Activities
We may disclose PHI to health oversight agencies for audits, investigations, inspections, and licensure, as authorized by law.
Lawsuits and Disputes
If you are involved in a lawsuit or dispute, we may disclose PHI:
- in response to a court or administrative order
- in response to a subpoena, discovery request, or other lawful process (with required safeguards/notice)
42 CFR Part 2 (SUD Records) Special Rule:
SUD treatment records from programs subject to 42 CFR Part 2 (or testimony relaying their content) may not be used or disclosed in proceedings against you unless based on your written consent or a qualifying court order, as provided in 42 CFR Part 2. A court order authorizing use or disclosure must be accompanied by a subpoena or other legal requirement compelling disclosure before the requested record is used or disclosed.
Law Enforcement
We may disclose PHI to law enforcement officials:
- in response to a court order, subpoena, warrant, summons, or similar process
- to identify/locate a suspect, fugitive, material witness, or missing person
- about a crime victim under limited circumstances
- about a death suspected to be the result of criminal conduct
- about criminal conduct
- in emergencies to report a crime, location of crime/victims, or identity/description/location of a suspect
Coroners, Medical Examiners, and Funeral Directors
We may release PHI to coroners/medical examiners to identify a deceased person or determine cause of death, and to funeral directors as necessary.
National Security and Intelligence Activities
We may release PHI to authorized federal officials for intelligence, counterintelligence, and other national security activities authorized by law.
Inmates
If you are an inmate or in custody of law enforcement, we may disclose PHI to a correctional institution or law enforcement official if necessary:
- to provide you health care
- to protect your health/safety or the health/safety of others
- for the safety/security of the institution
Research
We may disclose PHI to researchers when:
- identifiers have been removed; or
- an institutional review board or privacy board has reviewed and approved protocols to protect privacy
Required Disclosures
Government Audits
We must disclose PHI to the Secretary of the U.S. Department of Health and Human Services when investigating or determining compliance with HIPAA.
Disclosures to You
Upon request, we must disclose to you the portion of your PHI that includes medical records, billing records, and other records used to make decisions regarding your health care benefits.
We must also provide an accounting of most disclosures, upon request, if the disclosure was for reasons other than treatment, payment, or health care operations, and not made under your authorization.
Notification of a Breach
We must notify you if we (or a Business Associate) discover a breach of your unsecured PHI, as defined by HIPAA.
Other Disclosures
Personal Representatives
We will disclose PHI to individuals authorized by you (or your personal representative, attorney-in-fact, etc.) if you provide written authorization and supporting documents (e.g., power of attorney).
We may decline to disclose to a personal representative if we reasonably believe:
- you have been or may be subjected to domestic violence, abuse, or neglect by that person
- treating them as your personal representative could endanger you
- it is not in your best interest to treat them as your personal representative
Spouses and Other Family Members
With limited exceptions, we will send all mail to the employee, including mail relating to covered spouses/family members and benefit usage or denials.
If a covered person has requested Restrictions or Confidential Communications (see “Your Rights”), and we have agreed, we will send mail as specified in that request.
Authorizations
Uses/disclosures not described above—including:
- use/disclosure of SUD Part 2 treatment records
- psychotherapy notes
- PHI used for fundraising or marketing
…will not be made without your written authorization.
You may revoke authorization at any time, in writing. Revocation applies only to future uses/disclosures; it does not affect information already used/disclosed based on prior authorization.
You may opt out of receiving fundraising communications at any time.
Your Rights
You have the following rights with respect to your PHI.
Right to Inspect and Copy
You may inspect and copy certain PHI used to make decisions about your health care benefits.
How to request: Submit a written request to the Privacy Officer at the address listed above.
We may charge a reasonable fee for copying, mailing, or supplies.
We may deny access in very limited circumstances. If denied, you may request review and will receive instructions.
Right to Amend
If you believe PHI is incorrect or incomplete, you may request an amendment.
How to request: Submit a written request to the Privacy Officer with a reason supporting the request.
We may deny if:
- not in writing / no reason provided
- not part of the records kept by/for the Plan
- not created by us (unless the creator is no longer available)
- not part of what you may inspect/copy
- already accurate and complete
If denied, you may file a statement of disagreement; future disclosures will include your statement.
Right to an Accounting of Disclosures
You may request an accounting of certain disclosures of your PHI. It will not include:
- treatment, payment, or health care operations
- disclosures made to you
- disclosures made under your authorization
- disclosures to friends/family in your presence or due to emergency
- national security disclosures
- incidental disclosures
How to request: Submit a written request to the Privacy Officer.
Time period must be no longer than six years (three years for electronic health records) or the period the Plan has been subject to HIPAA, if shorter.
First request in a 12-month period is free; additional requests may incur a cost (you will be notified and may withdraw/modify before costs are incurred).
Right to Request Restrictions
You may request limits on PHI used/disclosed for treatment, payment, or operations, or disclosed to persons involved in your care/payment.
We are not required to agree, but if we agree, we will honor it until revoked or we notify you.
How to request: Submit a written request stating:
- what information to limit
- whether to limit use, disclosure, or both
- to whom the limits apply
Right to Request Confidential Communications
You may request communications in a certain way or location (e.g., only at work or by mail).
How to request: Submit a written request specifying how/where you want to be contacted.
We will not ask the reason.
We will accommodate reasonable requests when you clearly provide information that disclosure could endanger you.
Right to a Paper Copy of This Notice
You may request a paper copy at any time, even if you receive this notice electronically.
How to request: Telephone or write the Privacy Officer at the contact information above.
Complaints
If you believe your privacy rights have been violated, you may file a complaint with the Plan or with the U.S. Department of Health and Human Services Office for Civil Rights (OCR).
OCR Complaint Options:
- Mail: 200 Independence Avenue, S.W., Washington, D.C. 20201
- Phone: 1-877-696-6775
- Website: https://www.hhs.gov/hipaa/filing-a-complaint/complaint-process/index.html
Plan Complaint: Telephone or write the Privacy Officer at the contact information above.
You will not be penalized or retaliated against for filing a complaint.

