Regulatory Affairs

HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) affects every facet of the healthcare industry. HIPAA is intended to facilitate the most efficient and effective use of modern communication technology to reduce the immense cost of administrative overhead in the healthcare industry, while ensuring that the confidentiality, integrity, and availability of patient information is not unduly compromised. While no software application vendor can render your facility 'HIPAA-compliant' simply by using their product, we can provide products and services that make it easier for you, our valued customer, to meet your compliance requirements.

Elekta Software has provided customers with practical solutions that efficiently manage the process of delivering care. Elekta Software stands side-by-side with you to assist you in maintaining a high level of quality care.

Elekta is busy keeping pace with legislative developments so that our products continue to offer you the functionality you require.

Contact us with questions or concerns

Elekta Region North America

For more information about Elekta Region North America HIPAA efforts, HIPAA, Privacy or Security, please contact:

Chelsea Beaman
Data Privacy/HIPAA Privacy Officer
Elekta
400 Perimeter Center Terrace, Suite 50
Atlanta, GA 30346, United States
+1 (317) 219 9496
chelsea.beaman@elekta.com

Elekta Software

For more information about Elekta Software's HIPAA efforts, HIPAA, Privacy or Security, please contact:

Chelsea Beaman
Data Privacy/HIPAA Privacy Officer
Elekta
400 Perimeter Center Terrace, Suite 50
Atlanta, GA 30346, United States
+1 (317) 219 9496
chelsea.beaman@elekta.com

Helpful HIPAA Links

HIPAA Overview

The Health Insurance Portability and Accountability Act (HIPAA) was created to satisfy three objectives:

  1. To provide for continued coverage of benefits between employment gaps (Portability),
  2. To reduce healthcare fraud (Accountability), and
  3. To reduce the cost of the administration of the healthcare industry (Administrative Simplification).

Administrative Simplification began as President George Bush, Sr. assembled a group of healthcare industry leaders to discuss the reduction of healthcare administration costs; increased electronic data interchange (EDI) was the overwhelming answer. Faced with resistance in Congress, the Act only passed with extensive industry support.

The Department of Health and Human Services (DHHS) defines the purposes of the Administrative Simplification rule thusly:

  1. To protect and enhance the rights of consumers by providing them access to their health information and controlling the inappropriate use of that information;
  2. To improve the quality of healthcare in the U.S. by restoring trust in the healthcare system among consumers, healthcare professionals, and the multitude of organizations and individuals committed to the delivery of care; and
  3. Improve the efficiency and effectiveness of healthcare delivery by creating a national framework for health privacy protection that builds on efforts by states, health systems, and individual organizations and individuals.

[65 Fed. Reg. 82463 (December 28, 2000)]

Three Major Elements of Administrative Simplification

The Standards for Electronic Transactions and Code Sets

The cost of administration in the healthcare industry is very high. Providers, insurers, health plans, and others have utilized many different electronic data formats and transmission requirements. This complex web of data interchange has resulted in delays, confusing rejections, bureaucratic authorization processes, and low levels of remittance. The creation of national conformance standards covering the most routine electronic transmissions has the potential of reducing the resources – financial, time, and human – necessary to do business in the healthcare industry, as well as enhance the effectiveness of the intended transactions. The Standards for Electronic Transactions regulation has established mandatory transaction and coding requirements for defined electronic transactions. Providers are able to submit standard transactions to health plans and payers that have to accept them. Hence, electronic data interchange enables healthcare facilities to pursue the most effective and efficient use of modern information technology in the administration of their organizations.

Congress also recognized the power of modern information technology. Continually advancing technology enables the collection and aggregation of large quantities of data in any desired format or structure; subjects these data to endless permutations of sorting, filtering, and analysis; and the instantaneously widely distributes the raw data or analysis results – all without significant human thought. Hence, the need to protect the privacy and security of patient health information is unquestionable.

The Security and Electronic Signature Standard (“Security”) and the Privacy of Individually Identifiable Health Information Standard (“Privacy”) comprise a team of regulations intended to protect patient health information. Privacy defines the permissible means of access, use, and disclosure of the applicable patient information, while Security governs the operational, physical, and technical mechanisms necessary to protect this information.

Standards for Privacy of Individually Identifiable Health Information

The Privacy rule is intended to prevent the unreasonable offense against patient's interest in restricting unnecessary knowledge or dissemination of personal information provided or accumulated to assist in their diagnosis or treatment. The specific requirements restrict access, use, or disclosure of personal patient information to those legitimately involved in the patient's treatment, the healthcare facility's required operations, and billing for the treatment.

Security and Electronic Signature Standards

The Security rule is intended to ensure that organizations that hold personal patient information provide operational, physical, and technical protections to support privacy restrictions. That is, the organization must create a comprehensive system of operational, physical, and technical protections to prevent unintended access, use, and disclosure of protected information. Security refers to protections at three levels:

  • Confidentiality – Protection of entrusted information from unauthorized use, access, or disclosure;

  • Integrity – Preservation of the specific nature, character, and content of the information; and

  • Availability – Ability to access, use, or disclose information as intended in an effective and efficient time, place, and manner.

Notice Of HIPAA Privacy Practices

THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION.  PLEASE REVIEW IT CAREFULLY.

Protecting The Privacy Of Your Health Information

This Notice of Privacy Practices (the "Notice") is required by law under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") and the Health Information Technology for Economic and Clinical Health Act ("HITECH Act"). This Notice describes the legal obligations of the Elekta, Inc. Health & Welfare Plan (the "Plan"), as well as your legal rights regarding your Protected Health Information ("PHI") held by the Plan.

This Notice is intended to inform you of the privacy practices followed by the health plan options under the Plan. It also explains the Federal privacy rights afforded to you and the members of your family as Plan Participants covered under the Plan regarding your Protected Health Information ("PHI").

PHI includes all "individually identifiable health information" held or transmitted by the Plan or its business associate, in any form or media, whether electronic, paper, or oral. "Individually identifiable health information" is information collected from you or created or received by a health care provider, the Plan, the Plan sponsor, or a business associate, including the third-party administrator for the Plan, that relates to: 

  • Your past, present, or future physical or mental health or condition,
  • The provision of health care to you, or
  • The past, present, or future payment for the provision of health care to you,

and that identifies you or for which there is a reasonable basis to believe it can be used to identify you. Individually identifiable health information includes, for example, your name, address, birth date, and Social Security Number.  PHI does not include employment records that Elekta Inc. may maintain in its role as an employer.

The Plan is part of an organized health care arrangement under the HIPAA Privacy Rule. It is important to note that this Notice applies primarily to the self-insured medical and prescription drug, employee assistance, and health care flexible spending account offered as part of the Plan. As applicable, the Plan and the insurers participating in the organized health care arrangement will share PHI with each other as necessary to carry out treatment, payment, or health care operations relating to the organized health care arrangement. The insurers are separate covered entities under HIPAA and if you are enrolled in an insured health plan, the applicable insurer will provide you with a separate notice describing the insurer's own privacy practices.  The Plan is a hybrid entity under the HIPAA Privacy Rule that includes health care components subject to HIPAA and non-health care components that are not subject to HIPAA. This Notice applies only to the health care components subject to HIPAA.

As a plan sponsor, Elekta, Inc. often needs access to health information in order to perform Plan Administrator functions. While this Notice does not apply to Elekta, Inc. as the plan sponsor, Elekta, Inc. wants to assure the Plan Participants that the Plan complies with Federal privacy laws and respects your right to privacy. The Plan is required by law to:

  • Safeguard the privacy and security of your PHI;
  • Ensure that your PHI is used or disclosed only in accordance with HIPAA and the provisions of this Notice;
  • Give you this Notice of your legal rights with respect to your PHI and the Plan's legal duties and privacy practices with respect to PHI about you;
  • Notify you in the event of a breach of your unsecured PHI; and
  • Follow the terms of the Notice that are in effect.

The Plan requires all members of our workforce and business associates that are provided access to health information to comply with the privacy practices outlined below. For purposes of this Notice, any reference to "the Plan" includes our business associates. The Plan will not use or share your PHI other than as described in this Notice unless you tell us it can in writing.

How The Health Plan May Use Or Disclose Your Health Information Without Your Authorization

This section describes the different ways that the Plan is legally allowed or required to use and disclose your PHI without your prior written authorization.

  • Healthcare Operations. The Plan uses and discloses health information about you in order to perform Plan administration functions such as quality assurance activities, resolution of internal grievances, and evaluating plan performance. For example, the Plan review claims experience in order to understand utilization and to evaluate or make plan design changes that are intended to control health care costs.
  • Payment. The Plan may also use or disclose identifiable health information about you without your written authorization in order to determine eligibility for benefits, seek reimbursement from a third party, or coordinate benefits with another health plan under which you are covered. For example, a healthcare provider that provided treatment to you will provide us with your health information. The Plan uses that information to determine whether those services are eligible for payment under the Plan.
  • Treatment. Although the law allows use and disclosure of your health information for purposes of treatment, the Plan generally does not need to disclose your information for treatment purposes. For example, a doctor sends the Plan information about your diagnosis and treatment plan so the Plan can arrange for additional services. Your physician or healthcare provider is required to provide you with an explanation of how they use and share your health information for purposes of treatment, payment, and healthcare operations.
  • For Plan Administration. The Plan may disclose your PHI to your health plan administrator or sponsor or your disability benefits plan administrator or sponsor for the purpose of Plan Administration.
  • Disclosures to You. At your request, the Plan is required to provide your PHI, including medical records, billing records, and an accounting of most disclosures of your PHI, that are in the control of the Plan to you.
  • For Public Safety or Health Purposes. The Plan can share your PHI under certain public safety situations, including, but not limited to, preventing disease; helping with product recalls; reporting adverse reactions to medications; reporting suspected abuse, neglect, or domestic violence; and preventing or reducing a serious threat to anyone's health or safety. The Plan may also disclose PHI if directed by a public health authority, to a foreign government agency that is collaborating with the public health authority.
  • Research. The Plan may use or disclose your PHI for research approved by an institutional review or privacy board and where appropriate steps have been taken to protect such PHI.
  • As Required by Law. The Plan will share your PHI if state or federal laws require it, including with the Department of Health and Human Services, in order to show that the Plan is complying with federal privacy law.
  • Organ or Tissue Donation; About Decedents. The Plan can share your PHI with organ procurement organizations or with a coroner, medical examiner, or funeral director after you die.
  • Workers' Compensation, Law Enforcement, and Other Government Requests. The Plan can use or share PHI for workers' compensation claims; for law enforcement purposes or with law enforcement officials; with health oversight agencies for activities authorized by law; and for special government functions such as military, national security, and presidential protective services.
  • Lawsuits and Disputes. If you are involved in a lawsuit or dispute, the Plan may disclose health PHI in response to a court or administrative order. The Plan may also disclose PHI about you in response to a subpoena, discovery request, or other lawful process.
  • State Law. The Plan will comply with any additional use or disclosure requirements of your PHI that are more stringent under applicable state or local law.

Uses And Disclosures Of Health Information Requiring Authorization

The following categories describe ways that the Plan may use and disclose your PHI after you have been informed in advance of such use or disclosure and have had the opportunity to agree or object. If you are not available to give your permission, the Plan may generally share your PHI if it is in your best interests.

  • Friends and Family Involved in Your Care and Disaster Relief. Unless you object, the Plan may share your PHI with a family member or another person who you have identified as being involved with your care. In the event of a disaster, the Plan may provide your PHI to disaster relief organizations so that your family can be notified about your condition, status, and location. If you are not present or able to agree to these disclosures of your PHI, then the Plan may, using our professional judgment, determine whether the disclosure is in your best interest.

The following categories describe ways that the Plan may use and disclose your PHI only after receiving your written authorization:

  • Psychotherapy Notes. In general, and subject to certain exceptions including lawsuits and disputes or legal requirements, the Plan will not use or disclose your psychotherapy notes unless the Plan receives your prior written authorization.
  • Marketing. The Plan will not use or disclose your PHI for purposes of marketing unless the Plan receives your prior written authorization.
  • Sale. The Plan will not sell your PHI unless it receives your prior written authorization.

If you choose to sign an authorization to disclose information, you can later revoke that authorization to cease any future uses or disclosures.

Your Rights Regarding Your Health Information

You have the following rights regarding the protected health information that the Plan maintains about you:

  • Right to Inspect and Copy. In most cases, you have a right to inspect and copy the PHI the Plan maintains about you. If the PHI you request is maintained electronically, and you request an electronic copy, the Plan will provide a copy in electronic form and format, if the PHI can be readily produced in that form and format. If the PHI cannot be readily produced electronically, the Plan will work with you to come to an agreement on form and format. If you request paper copies, the Plan will charge you $0.05 (5 cents) for each page. Your request to inspect or review your health information must be submitted in writing to the person listed below. The Plan will usually provide you with a copy within 30 days of your request. The Plan may deny your request in writing in certain very limited circumstances. If you are denied access, you may request that the denial be reviewed by submitting a written request.
  • Right to an Accounting of Disclosures. You have a right to receive a list of instances where the Plan has disclosed health information about you for reasons other than treatment, payment, healthcare operations, or pursuant to your written authorization. The request must be made in writing and state the time period of the request, which may not exceed six years prior to the request. The Plan will usually respond to requests within 60 days. The first request within a 12-month period will be provided to you free of charge, and any additional requests within this time period may be subject to a reasonable, cost-based fee.
  • Right to Amend. If you believe that information within our records is incorrect or missing, you have a right to request that the Plan correct the incorrect or missing information. You must provide the request and your reason(s) for the request in writing. You will be notified in writing, usually within 60 days, if your request has been denied and provided the basis for the denial. If your request is denied, you have the right to submit a written statement disagreeing with the denial, which will be appended or linked to the PHI in question.
  • Right to Request Restrictions. You may request in writing that the Plan not use or disclose information for treatment, payment, or other administrative purposes except when specifically authorized by you, when required by law, or in emergency circumstances. The Plan will consider your request, but it is not legally obligated to agree to those restrictions.
  • Right to Request Confidential Communications. You have a right to receive confidential communications containing your health information. The Plan is required to accommodate reasonable requests. For example, you may ask that the Plan contact you at your place of employment or send communications regarding treatment to an alternate address.
  • Right to Receive a Paper Copy of this Notice. If you have agreed to accept this notice electronically, you also have a right to obtain a paper copy of this notice from us upon request. To obtain a paper copy of this notice, please contact the person listed below. Copies of this Notice are also available at https://www.elekta.com/regulatory-affairs/.
  • Right to Receive Notification in the Event of a Breach. You have a right to receive notification if there is a breach of your unsecured PHI, which compromises the security or privacy of the PHI. After learning of a breach, the Plan must provide notice to you without unreasonable delay and in no event later than 60 calendar days after our discovery of the breach, unless a law enforcement official requires the Plan to delay the breach notification.
  • Right to File a Complaint. If you feel that your privacy rights have been violated, you have the right to file a complaint in writing to the Plan by writing to the person  listed below. You may also file a complaint with the Office for Civil Rights of the United States Department of Health and Human Services by sending a letter to 200 Independence Avenue, S.W., Washington, D.C. 20201, calling 1-877-696-6775, or visiting www.hhs.gov/ocr/privacy/hipaa/complaints/. You will not be penalized or retaliated against for filing a complaint.

Changes To This Privacy Notice

The Plan may change our policies at any time. Before the Plan makes a significant change in our privacy policies, the Plan will provide you with a revised copy of this notice. You can also request a copy of our current notice at any time. For more information about our privacy practices, contact the person listed below:

Elekta, Inc.
Faith Gordon
HR Administration Manager
400 Perimeter Center Terrace, Suite 50
Atlanta, GA 30346
Human.Resources@elekta.com

If you have any questions or complaints, please contact the Plan Administrator. 
Effective Date of this revised Notice is: 07/26/2021