HIPAA Privacy Notice
The Federal Long Term Care Insurance Program's Health Insurance Portability and Accountability Act (HIPAA) Notice of Privacy Practices for Protected Health Information
This notice describes how medical information about you may be used and disclosed and how you can get access to this information. Please review it carefully.
This HIPAA Notice of Privacy Practices for Protected Health Information describes the medical information privacy policy of John Hancock Life & Health Insurance Company for the Federal Long Term Care Insurance Program (FLTCIP). FedPoint, which administers the FLTCIP, is required to treat protected health information (PHI) in a manner that is consistent with the privacy policy described in this notice.
We strongly believe in protecting the confidentiality and security of your PHI. PHI includes individually identifiable information that relates to your past, present, or future health, treatment, or payment for health care services (including long term care).
We are required by HIPAA to provide this notice to you. We are required by law to:
- maintain the privacy of your PHI
- provide you this notice of our legal duties and privacy practices with respect to your PHI
- follow the terms of this privacy notice
We reserve the right to change the terms of this notice at any time. A change may apply to the PHI we already have about you as well as any PHI we receive in the future. If we make a material change to this notice while you are covered under the FLTCIP, we will send you a revised notice.
We protect your PHI from inappropriate use or disclosure. Our employees, and those of other companies that help us service the FLTCIP, are required to comply with our requirements that protect the confidentiality of PHI.
We will not disclose your PHI to any other company for their use in marketing their products to you. We are required to inform you that uses and disclosures of PHI for marketing purposes (for example, communications to individuals about health-related products or services where the insurer would receive financial remuneration in exchange for making the communication from or on behalf of a third party whose product or service is being described) and disclosures that constitute a sale of PHI would require your prior authorization. However, as described below, we will use and disclose PHI about you for business purposes relating to your FLTCIP application or coverage.
The main reasons for which we may use and disclose your PHI are to evaluate and process any requests for coverage and claims for benefits you may make. The following describe these and other permitted uses and disclosures, together with some examples.
For Payment
We may use and disclose PHI for premium collection or claim-related purposes under the FLTCIP. For example, if you present a claim, we may obtain medical records from your doctors to determine if you are eligible for benefits under the terms of the policy. Claim-related purposes may include determining eligibility for benefits, claim decision-making, making claim payments, coordinating benefits with other insurance companies or payers, care coordination, obtaining reinsurance payment, claim appeals, and claim management.
For Health Care Operations
We may use and disclose PHI to administer the FLTCIP and for other purposes related to our health care operations. For example, if you apply for coverage, we will review the medical information you provided on your application, and we may obtain medical records from your doctors or other health care professionals if needed to evaluate your application. Purposes related to health care operations may include underwriting, inflation and coverage enhancement offers, and other activities related to the issuance of coverage or the availability of FLTCIP products and services. They may also include customer service, quality assurance, auditing, legal services, reinsurance, and our activities related to a possible sale, merger or similar transaction. We may also disclose PHI to business associates, if they need to receive such information to provide a service to us and agree to abide by specific HIPAA rules relating to the protection of PHI.
For Health Oversight Activities
We may disclose PHI to a governmental agency that has oversight responsibilities for the FLTCIP, such as the U.S. Office of Personnel Management, where necessary to enable them to determine our compliance with FLTCIP requirements and standards.
For Public Health Activities
We may disclose PHI for public health activities such as disease control and prevention, the safety of FDA-regulated products, and disaster relief and assistance. We may disclose PHI to government authorities in cases of suspected abuse, neglect or domestic violence. We may also release PHI to a coroner or medical examiner to assist in identifying a deceased individual or to determine the cause of death.
For Law Enforcement or Specific Government Functions
We may disclose PHI in response to a request by a law enforcement official made through a court order, subpoena, warrant, summons, or similar process. We may disclose PHI to federal officials for intelligence, counterintelligence, and other national security activities authorized by law. Additionally, we may disclose PHI if required by other statutes and regulations.
For Regulatory or Legal Proceedings
If you or your estate is involved in a lawsuit or a legal dispute, we may disclose PHI about you in response to a court or administrative order. We may also disclose PHI about you in response to a subpoena, discovery request, or other lawful process by someone else involved in the dispute, but only if efforts have been made by us, or on our behalf, to tell you about the request or to obtain an order protecting the PHI requested. We may disclose PHI to any governmental agency or regulator with whom you have filed a complaint or as part of a regulatory agency examination.
Other Disclosures of Protected Health Information
We may disclose your PHI to your family member, friend, personal representative, or other individual you identify who is involved in your care or reimbursement for your care, but we will first give you an opportunity to give or withhold your consent, where possible. If you are not available to give such consent, or in an emergency, we may disclose your PHI that is directly relevant to such person's involvement with your care or payment for such care. We may also disclose your PHI for the treatment activities of a doctor or other health care professional (for example, in the case of an emergency medical situation).
Your Authorization to Use and Disclose Protected Health Information
We will not use or disclose your PHI in any way that is not covered by this notice unless we have your written authorization or that of your legal representative. If we obtained your authorization to use or disclose your PHI, you may revoke that authorization, in writing, at any time, except to the extent that we have taken action relying on the authorization or we have a right to contest your FLTCIP claim or coverage.
Your Rights Regarding Protected Health Information We Maintain about You
The following are your rights as a consumer under HIPAA concerning your PHI. Should you wish to exercise a specific right, please write to FLTCIP, Attn: FedPoint, P.O. Box 797, Greenland, NH 03840-0797.
Right to Inspect and Copy Your Protected Health Information
In most cases, you have the right to inspect and obtain a paper or electronic copy of the PHI that we maintain about you. To inspect and copy PHI, you must submit your request in writing. You may be charged a fee for the costs of copying, mailing, or other supplies associated with your request. We will respond within 30 days unless we tell you in writing why we need more time, in which case we will respond within 60 days. Please note that certain types of PHI will not be made available for inspection and copying. This includes psychotherapy notes, and also includes PHI collected by us in connection with, or in reasonable anticipation of, any claim or legal proceeding. If you would like to specify a particular form or format for the information, we will try to accommodate your request if it can readily be produced in that manner; otherwise, we will provide a paper copy or other form or format that we agree upon. We may deny your request in very limited circumstances, such as where a doctor has determined that giving you this information could cause you substantial harm. If that occurs, we will give you a written explanation and you may request that the denial be reviewed. The review will be conducted by an individual chosen by us who was not involved in the original decision to deny your request. We will comply with the outcome of that review.
Right to Amend Your Protected Health Information
If you believe that your PHI is incorrect or that an important part of it is missing, you have the right to ask us to amend your PHI while it is kept by or for us. You must provide your request and your reason for the request in writing. We will respond to your request within 60 days. If we agree with your request, we will amend all appropriate records, and take steps to notify appropriate persons you identify as well as persons we know to have the erroneous or incomplete PHI. We may deny your request if you ask us to amend PHI that:
- is accurate and complete
- was not created by us, unless the person or entity that created the Protected Health Information is no longer available to make the amendment
- is not part of the PHI kept by or for us
- is not part of the PHI which you would be permitted to inspect and copy
If we deny your request, we will tell you our reason and give you notice of your rights (1) to submit a written statement of disagreement (which we may rebut), (2) to request that we include your request and our denial with any future disclosures of such PHI, and (3) to file a complaint.
Right to an Accounting of Disclosures
You have the right to request an accounting of the disclosures we have made of PHI about you, subject to certain exceptions. This list may not include disclosures made: for treatment, payment, or health care operations; for purposes of national security; to law enforcement or to corrections personnel; pursuant to your authorization; or directly to you. To request this accounting, you must submit your request in writing. We will respond within 60 days unless we tell you in writing why we need more time, in which case we will respond within 90 days. Your request must state the time period for which you want to receive a list of disclosures. Under HIPAA, the time period may not be longer than six years and may not include dates before April 14, 2003. Your request should indicate in what form you want the list (for example, on paper or electronically). The first accounting you request within a 12 month period will be free. We may charge you for responding to any additional requests. We will notify you of the cost involved and you may choose to withdraw or modify your request at that time before any costs are incurred.
Right to Request Restrictions
You have the right to request a restriction or limitation on PHI we use or disclose about you for treatment, payment, or health care operations, or that we disclose to someone who may be involved in your care or payment for your care, like a family member or friend. While we will consider your request, we are not required to agree to it. We will not agree to a restriction on the use or disclosure of PHI that is legally required, or that is necessary to administer our business. If we do agree to your request, we will comply with it except if you need emergency treatment, in which case we will request that your medical provider not further use or disclose it. To request a restriction, you must make your request in writing. In your request, you must tell us (1) what information you want to limit; (2) whether you want to limit our use, disclosure, or both; and (3) to whom you want the limits to apply (for example, disclosures to your spouse or parent). We may terminate the restriction upon your written request or with your agreement. We may also terminate it without your consent, but only as it affects PHI created or received after we advise you of the termination.
Right to Request Confidential Communications
You have the right to request how or where we communicate with you about your PHI (to avoid endangering you). For example, you may ask that we only contact you at work or by mail. To request confidential communications, you must make your request in writing and specify how or where you wish to be contacted. We will accommodate all reasonable requests.
Right to Be Notified Following a Breach of Unsecured Protected Health Information
You have the right to and will receive notification if we or one of our business associates has a breach of information security involving your unsecured PHI.
Additional Information
To make a request as described in the section entitled "Your Rights Regarding Protected Health Information We Maintain About You," please send your request in writing to FLTCIP, Attn: FedPoint, P.O. Box 797, Greenland, NH 03840-0797.
Right to File a Complaint
If you believe your privacy rights have been violated, you may file a complaint with John Hancock by contacting FedPoint at the address above, or with the Secretary of the U.S. Department of Health and Human Services. All complaints must be submitted in writing. You will not be penalized for filing a complaint. If you have questions regarding filing a complaint or wish further information, please contact the HIPAA privacy line at 1-800-876-1074 or forward your inquiry to the address listed above.
Effective: September 1, 2024