What is HIPAA?

STATE PERSONNEL ADMINISTRATION HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT PRIVACY AND SECURITY STATEMENT

Download the SPA Privacy Notice (PDF)

This Notice describes how medical information about you may be used and disclosed and how you can get access to this information. Please review it carefully. If you have questions or requests, please contact:

State Personnel Administration Privacy Officer
2 MLK Jr. Drive, SE
Suite 502, West Tower
Atlanta, GA 30334
404-656-2730 (in metro Atlanta) or
1-888-968-0490 (outside of Atlanta)
FAX: 404-463-0221

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) requires that covered entities, including state agencies that deal with Protected Health Information (PHI), provide you with this notice. This notice pertains to those programs specifically administered by the Georgia Merit System (SPA) in which SPA may maintain various types of PHI about you. SPA is required to develop policies and procedures to ensure the security, integrity, privacy and authenticity of health information, and to safeguard access to and disclosure of health information.

Overview

What is the Health Insurance Portability and Accountability Act?
The Health Insurance Portability and Accountability Act (HIPAA) of 1996 is a federal law regarding the confidentiality and security of Protected Health Information (PHI). It imposes restrictions on how your health information can be used and shared and confirms your individual rights concerning your health information.

What is Protected Health Information?
Protected Health Information (PHI) is information about you, including demographic information, that can reasonably be used to identify you and that relates to your past, present, or future physical or mental health or condition, the provision of health care to you, or the payment for that care. This information may be maintained or transmitted by SPA.

Examples of items containing PHI include: a bill for health services, an explanation of benefits statement, receipts for reimbursement from a health flexible spending account or any list showing the amount of benefits paid that includes a breakdown by social security number. This may also include your employer (state agency, school system, authority, etc.) transmitting information about you to SPA, such as your name, address, birth date, social security number, employee identification number and certain health information.

How SPA Uses and Discloses Protected Health Information
When services are contracted, SPA may disclose some or all of your information to the company to perform the job SPA has contracted with them to do. SPA requires the company to safeguard your information in accordance with federal and state law.

Privacy Law Requirements
SPA is required by law to:

  • Maintain the privacy of your information.
  • Provide this notice of its legal duties and privacy and security practices regarding the information that SPA has about you.
  • Abide by the terms of this notice.
  • Refrain from using or disclosing any information about you without your written permission, except for the reasons given in this notice. You may revoke your permission at any time, in writing. That revocation will not apply to information that SPA disclosed prior to receiving your written request. If you are unable to give your permission due to an emergency, SPA may release information, if it is in your best interest. SPA must notify you as soon as possible after releasing the information.

Security Law Requirements
Federal regulations identify certain information security standards that must be met to ensure compliance with the HIPAA Security Rule. These standards apply to the following three areas:

  • Administrative Safeguards: documented policies and procedures for day-to-day operations; managing the conduct of employees with electronic protected health information (EPHI); and managing the selection, development, and use of security controls.
  • Physical Safeguards: security measures meant to protect an organization's electronic information systems, as well as related buildings and equipment, from natural hazards, environmental hazards, and unauthorized intrusion.
  • Technical Safeguards: security measures that specify how to use technology to protect EPHI, particularly controlling access to it.

Accordingly, SPA must:

  • Ensure the confidentiality, integrity and availability of all electronic PHI it creates, receives, maintains or transmits;
  • Protect electronic PHI by implementing reasonable and appropriate physical, administrative and technical safeguards;
  • Ensure that agents and subcontractors to whom this information is provided agree to implement reasonable and appropriate safeguards to protect PHI;
  • Protect against any reasonably anticipated threats or hazards to the security or integrity of such information;
  • Protect against any reasonably anticipated uses or disclosures of such information;
  • Ensure compliance with HIPAA Security regulations by our workforce; and
  • Report any security incident of which a business associate becomes aware to the group flexible benefits plan.

Your Health Information Rights
You have the following rights regarding the health information maintained by SPA about you:

  • You have the right to see and obtain a copy of your health information. This right does not extend to information needed for a legal action relating to SPA.
  • You have the right to ask SPA to amend health information that is incorrect or incomplete. SPA may deny your request under certain circumstances or request additional documentation.
  • You have the right to request a list of the disclosures that SPA has made of your health information.
  • You have the right to request a restriction on certain uses or disclosures of your health information. SPA is not required to agree with your request.
  • You have the right to request that SPA communicate with you about your health in a way or at a location that will help you keep your information confidential.
  • You may request a copy of this notice from SPA, or you may obtain a copy from the SPA web site: www.SPA.state.ga.us (Under "HIPAA / Privacy").

For More Information and To Report a Problem
If you have questions and would like additional information about Protected Health Information (PHI), you may contact the SPA Privacy Officer at 404-656-2730 (Atlanta calling area) or 1-888-968-0490 (outside of Atlanta calling area). You may also visit SPA’s web site: www.SPA.state.ga.us (Under "HIPAA / Privacy").

SPA does not discriminate on the basis of disability in the admission or access to, or treatment or employment in, its programs or activities. If you have a disability and need additional accommodations to participate in any Merit System programs, please contact the SPA Customer Service Division. For TDD relay service only: 1-800-255-0056 (text-telephone) or 1-800-255-0135 (voice).

Reporting Violations
If you believe your privacy or security rights have been violated:

  • You may file a complaint by calling the SPA Privacy Unit at 404-656-2730 (Atlanta calling area) or 1-888-968-0490 (outside of Atlanta calling area), or by writing to:
    State Personnel Administration
    Attn: Privacy Officer
    2 MLK Jr. Drive, SE
    Suite 502, West Tower
    Atlanta, GA 30334
  • You may file a complaint with the Secretary of Health and Human Services by writing to: Secretary of Health and Human Services, 200 Independence Ave. SW, Washington, DC 20201. For additional information, call 1-877-696-6775.
  • You may file a grievance with the United States Office for Civil Rights by calling 1-866-OCR-PRIV (1-866-627-7748) or 1-886-788-4989 TTY.

There will be no retaliation for filing a complaint or grievance.

If SPA changes its privacy or security practices significantly, SPA will post the new notice on its Web site at www.SPA.state.ga.us (Under “Privacy”). This notice, effective April 14, 2003, was amended April 20, 2005.


© 1998-2009 The State of Georgia & State Personnel Administration
ALL RIGHTS RESERVED.