Protecting Your Health Information
GEHA's Notice of Privacy Practices (NPP) outlines use and disclosure of protected health information (PHI) as required by the Health Insurance Portability and Accountability Act (HIPAA). The NPP has been provided to each GEHA member and is also available for viewing on the GEHA corporate website, www.gehadental.com, by clicking FAQs & Resources, then Form & Document Library, then Privacy & Security/HIPAA Materials, and then clicking on the NPP for the appropriate insured plan. The following further outlines ways GEHA works to protect your health information as we provide health benefits to meet your medical needs.
Third-Party Business Associates/Vendors
As outlined in the Notice of Privacy Practices (NPP), GEHA shares protected health information with some third-party vendors, known as Business Associates under HIPAA, who work on behalf of GEHA in performing various activities (such as, but not limited to, Express Scripts/Medco and MedSolutions).
GEHA has a written contract with each Business Associate to ensure it protects the privacy of your protected health information to the same extent as GEHA. The Business Associate is responsible for extending the same requirements to any subcontractors or agents it may use. An "Effect of Termination" clause outlines the required handling of all protected health information if a Business Associate contract terminates for any reason:
- The Business Associate, its subcontractors, or agents are to return all health information received from GEHA, or created or received on behalf of GEHA.
- With GEHA's express permission, the Business Associate, its subcontractors, or agents may destroy all health information. If the health information is destroyed, the Business Associate is to provide GEHA with appropriate evidence of destruction.
- If a Business Associate ever determines that returning or destroying the health information is infeasible, the Business Associate is to provide notification to GEHA of the conditions that make return or destruction infeasible. Upon mutual agreement that return or destruction of health information is infeasible, the Business Associate is to extend the protections outlined in the contract to protected health information and limit further uses and disclosures of the information to the purposes that make the return or destruction infeasible, for so long as the Business Associate maintains the information.
Computer Systems: GEHA maintains computer system security features that protect against unauthorized disclosure of PHI, and maintains policies and procedures that outline the method to establish, document, review, and modify a user's right of access to a workstation, transaction, program, or process. Appropriate system access is determined for each employee as required for their specific job responsibilities, and the employee is granted access into a system through an identification/authorization process based on a unique User ID/password combination. Auditing processes monitor system access.
Breach Notification: GEHA takes members' privacy and the security of protected health information very seriously and has processes in place to provide written notification to our members as required by law for breaches of privacy. Members also have the right to request an accounting of disclosures for any disclosures other than for purposes of payment, treatment and health care operations.