Unity’s policies and procedures are designed to protect the confidentiality of member information. The Unity Confidentiality Committee sets standards for employees as well as external parties, such as health care providers and vendors. The Confidentiality Committee is charged with –
- Reviewing internal and external requests for member information
- Identifying opportunities for reducing unnecessary collection of member data
- Monitoring and regulating the use of member data
A Unity Privacy Official monitors the organization’s adherence to confidentiality policies.
HIPAA requires Unity to safeguard the confidentiality of personal health information (PHI) and personally identifiable information (PII). Unity’s policies and procedures establish requirements for the proper handling of health records used in benefit administration. When responding to a request for information, Unity releases only the minimum necessary information to fulfill the request. (Note that the “minimum necessary” requirement does not apply to information disclosed to health care providers.)
Authorization for release of information
At times, Unity receives a legitimate request to obtain or disclose member information for purposes other than treatment, payment or health care operations. In these cases, the member is asked to sign an authorization form that gives permission to release the information. This authorization must be obtained under the following circumstances:
- Release of information to a family member, power of attorney, employer or lawyer
- Release of information that could result in another company contacting a member for marketing purposes
- Research (if the disclosure includes personally identifiable member information)
If a member is unable to provide authorization, Unity requires a valid court order or other written proof of legal authority prior to releasing information.
Member access to medical records
Unity does not maintain original medical records. We advise members to contact their doctor’s office or other health care provider, such as a clinic or hospital, to obtain medical records.
Members must follow the provider's procedures for accessing medical information. Family members or other individuals may access medical information only when the member gives written consent (except in limited circumstances when the member is unable to provide consent).
Disclosure of information to employers
Unity provides certain types of information to employers as part of standard health care operations. Disclosure to employers is limited to the information the employer needs to administer the health plan. However, employers do not have access to personal health information or personally identifiable member information without specific member consent.
Employers must agree not to use the information to make employment-related decisions (for example, promotion, hiring, lay-off) or to administer other benefit plans (for example, life and disability plans). The employer must identify persons or positions that may have access to the information and must ensure there are measures in place to prevent unauthorized access.
Practitioners and providers are also governed by HIPAA and are expected to implement confidentiality policies and procedures to address the disclosure of medical information, patient access to medical information, and the storage and protection of medical information. Unity reviews practitioner confidentiality processes during pre-contractual site visits for primary care physicians and certain specialty care physicians.
Data for quality improvement measures is collected from claims, pharmacy and member medical records. Unity protects this confidential information by reviewing records in secure areas and excluding member identifiable information from written reports.