Ill. Admin. Code tit. 80, § 2170.270 - Health Insurance Portability and Accountability Act (HIPAA)

CMS and HFS shall comply with the uses and disclosures of Protected Health Information (PHI), permitted by HIPAA, where applicable as referenced in the plan documents.

a) An annual notice of privacy practices shall be provided that outlines the legal duties and privacy practices concerning the PHI of Participants.

b) PHI may be disclosed:

1) to healthcare providers who take care of Participants;

2) to process claims and make payments for covered services;

3) for healthcare operations;

4) to remind Participants of an upcoming appointment; and

5) as required or authorized by law.

c) Participants have the right to:

1) request restrictions on how their PHI is used for purposes of treatment, payment and healthcare operations;

2) receive confidential communications about their PHI;

3) request to inspect information used to make decisions about them;

4) request an amendment to their PHI;

5) receive an accounting of disclosures that have been made of their PHI;

6) obtain a paper copy of the annual notice of privacy practices; and

7) file a complaint if they believe that their privacy rights have been violated.

d) PHI may not be disclosed:

1) for any purpose other than administration of the benefit plan;

2) for any fundraising activity; or

3) for the marketing of any products or services.

Notes

Ill. Admin. Code tit. 80, § 2170.270

Amended at 34 Ill. Reg. 838, effective December 31, 2009