The Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act, imposes conditions on how a group health plan may use and disclose your individual health information, referred to here as “protected health information” (“PHI”). It also gives you certain rights with respect to that information.

This notice describes the privacy practices of the following health plans: Duke Select, Duke Basic, Duke Options, Duke USA, Blue Care, and Duke Plus medical benefits programs; the Express Scripts Pharmacy Benefit program; the Health Care Reimbursement Account program; and the Personal Assistance Service (PAS) program (employee assistance plan).

It is important to note that HIPAA's privacy rules apply to health plans. Different privacy or confidentiality policies may apply to other Duke University-sponsored programs, such as life insurance, disability, or retirement plans.

The Plan's Responsibilities

The Plan is required by law to maintain the privacy of your PHI and to inform you about:

  • The Plan's practices regarding the use and disclosure of your PHI
  • Your rights with respect to your PHI
  • The Plan's duties with respect to your PHI
  • Your right to file a complaint about the use of your PHI
  • A breach of your PHI
  • Whom you may contact for additional information about the Plan's privacy practices

The Plan will follow the terms of this notice, as it may be updated from time to time. The Plan reserves the right to change the terms of its privacy policies at any time and to make new provisions effective for all health information that the Plan maintains.

How the Plan May Use or Disclose Your Health Information

The privacy rules generally allow the use and disclosure of your health information without your written authorization for purposes of treatment, payment and health care operations. Here are some examples of what this encompasses:

Treatment includes providing, coordinating, or managing health care by a health care provider or doctor. Treatment can also include coordination or management of care between a provider and a third-party, and consultation and referrals between providers. For example, the Plan may share health information about you with physicians who are treating you.

Payment includes activities by this Plan, other plans, or providers to obtain premiums, make coverage determinations and provide reimbursement for health care. For example, the Plan may share information about your coverage or the expenses you have incurred with another health plan in order to coordinate payment of benefits.

Health care operations include activities by the Plan such as wellness and risk assessment programs, quality assessment and improvement activities, customer service, and the claims and appeal process. Health care operations also include vendor evaluations, credentialing, training, accreditation activities, underwriting, premium rating, arranging for medical review and audit activities, and business planning and development. The Plan will not use PHI that is genetic information for underwriting purposes. For example, the Plan may use information about your claims to review the effectiveness of wellness programs.

The Plan will only disclose the minimum information necessary with respect to the amount of health information used or disclosed for these purposes. In other words, only information relating to the task being performed will be used or disclosed. Information not required for the task will not be used or disclosed.

The Plan may also contact you to provide information about treatment alternatives or other health-related benefits and services that may be of interest to you.

How the Plan May Share Your Health Information with Duke University

The Plan may disclose your health information without your written authorization to certain employees of Duke University who have been identified as performing plan administration functions. These employees will only use or disclose that information as necessary to perform plan administration functions or as otherwise required by HIPAA, unless you have authorized further disclosures.

In addition, the HIPAA rules allow information to be shared between the Plan and Duke University as follows:

  • The Plan may disclose “summary health information” to Duke University if requested, for purposes of obtaining premium bids to provide coverage under the Plan, or for modifying, amending, or terminating the Plan. Summary health information is information that summarizes participants' claims information, but from which names and other identifying information have been removed.
  • The Plan may disclose information to Duke University as to whether an individual is participating in the Plan, or has enrolled or disenrolled in a health benefit option offered by the Plan.

In addition, you should know that Duke University cannot and will not use health information obtained from the health plans for any employment-related actions. However, health information collected by Duke University from sources other than the Plan, for example under the Family and Medical Leave Act, Americans with Disabilities Act, or workers' compensation is not protected under HIPAA (although this type of information may be protected under other federal or state laws.)

Other Allowable Uses or Disclosures of Your Health Information

Generally, the Plan may disclose your PHI to a friend or family member that you have identified as being involved in your health care or payment for that care. In the case of an emergency, information describing your location, general condition, or death may be provided to a similar person (or to a public or private entity authorized to assist in disaster relief efforts.) In addition, your health information may be disclosed without authorization to your legal representative.

The Plan also is allowed to use or disclose your health information without your written authorization for the following activities:

As required by lawDisclosures to federal, state or local agencies in accordance with applicable law
Workers' compensationDisclosures to workers' compensation or similar programs in accordance with federal, state or local laws
To prevent serious threat to health or safetyDisclosures made in the good-faith belief that releasing your health information is necessary to prevent or lessen a serious and imminent threat to public or personal health or safety; includes disclosures to assist law enforcement officials in identifying or apprehending an individual in certain circumstances
Public health activitiesDisclosures for public health reasons, including: (1) to a public health authority for the prevention or control of disease, injury or disability; (2) a proper government or health authority to report child abuse or neglect; (3) to report reactions to medications or problems with products regulated by the Food and Drug Administration; (4) to notify individuals of recalls of medication or products they may be using; (5) to notify a person who may have been exposed to a communicable disease or who may be at risk for contracting or spreading a disease or condition
Victims of abuse, neglect, or domestic violenceDisclosures to report a suspected case of abuse, neglect, or domestic violence, as permitted or required by applicable law
Judicial and administrative proceedingsDisclosures in response to an order of a court or administrative tribunal or in response to a subpoena, discovery request, or other lawful process once HIPAA's administrative requirements have been met
Law enforcement purposesDisclosures to law enforcement officials required by law or pursuant to legal process for law enforcement purposes
DeathDisclosures to a coroner or medical examiner to identify the deceased or determine cause of death; and to funeral directors to carry out their duties
Organ, eye, or tissue donationDisclosures to organ procurement organizations or other entities to facilitate organ, eye, or tissue donation and transplantation after death
Research purposesDisclosures subject to approval by institutional or private privacy review boards, and subject to certain assurances and representations by researchers regarding necessity of using your health information and treatment of the information during a research project
Health oversight activitiesDisclosures to comply with health care system oversight activities, such as audits, inspections, or investigations and activities related to health care provision or public benefits or services
Specialized government functionsDisclosures to facilitate specified government functions related to the military and veterans, national security or intelligence activities; disclosures to correctional facilities about inmates
HHS investigationsDisclosures of your health information to the Department of Health and Human Services (HHS) to investigate or determine the Plan's compliance with the HIPAA Privacy Rule

Except as described in this notice, other uses and disclosures of PHI, such as marketing purposes, use of psychotherapy notes, and disclosures that constitute the sale of PHI, will be made only with your written authorization.

You may revoke your authorization as allowed under the HIPAA rules. However, you can't revoke your authorization with respect to disclosures the Plan has already made.

Your Individual Rights

You have the following rights in connection with your health information that the Plan maintains. These rights are subject to certain limitations, described below. Remember, Duke University does not generally receive or maintain individually identifiable health information from the Plan. In most cases, you should direct your requests to your medical or dental plan service representative.

Right to Request Restrictions on Certain Uses and Disclosures of Your Health Information and the Plan's Right to Refuse

You have the right to request a restriction or limitation on the Plan's use or disclosure of your health information. For example, you have the right to ask the Plan to restrict the use and disclosure of your health information to family members, close friends, or other persons you identify as being involved in your care or payment for your care.

Because the Plan only uses your health information to administer the Plan, and to comply with the law, it may not be possible to agree to your request. The law does not require the Plan to agree to your request for restriction. However, if the Plan agrees, the Plan will comply with the restriction unless the information is needed to provide emergency treatment to you.

Right to Receive Confidential Communications of Your Health Information

You have the right to request that the Plan communicate with you about your health information at an alternative address or by alternative means if you think that communication through normal processes could endanger you in some way. For example, you may request that the Plan only contact you at work and not at home. [Optional: You must include a statement that disclosure of all or part of the information could endanger you.]

Right to Inspect and Copy Your Health Information

You have the right to inspect or obtain a copy of your health information contained in records that the Plan maintains for enrollment, payment, claims determination, or case or medical management activities, or that the Plan uses to make enrollment, coverage or payment decisions. However, you do not have a right to inspect or obtain copies of psychotherapy notes or information compiled for civil, criminal, or administrative proceedings. In addition, the Plan may deny your right to access, although in certain circumstances you may request a review of the denial. If the Plan doesn't maintain the health information but knows where it is maintained, you will be informed of where to direct your request.

The Plan may provide you with a summary or explanation of the information instead of access to or copies of your health information, if you agree in advance and pay any applicable fees. The Plan also may charge reasonable fees for copies or postage.

Right to Amend Your Health Information that is Inaccurate or Incomplete

With certain exceptions, you have a right to request that the Plan amend your health information if you believe that the information the Plan has about you is incomplete or incorrect. You must include a statement to support the requested amendment. The Plan will notify you of its decision to grant or deny your request.

Right to Receive an Accounting of Disclosures

You have the right to a list of certain disclosures of your health information. The accounting will not include: (1) disclosures made for purposes of treatment, payment or health care operations; (2) disclosures made to you; (3) disclosures made pursuant to your authorization; (4) disclosures made to friends or family in your presence or because of an emergency; (5) disclosure for national security purpose; and (6) disclosures incident to other permissible disclosures.

You may receive information about disclosures of your health information going back for six years from the date of your request. You may make one request in any 12-month period at no cost to you, but the Plan may charge a fee for subsequent requests. You will be notified of the fee in advance and have the opportunity to change or revoke your request.

Right to Access Electronic Records

You may request access to electronic copies of your PHI, or you may request in writing or electronically that another person receive an electronic copy of these records. The electronic PHI will be provided in a mutually agreed-upon format, and you may be charged for the cost of any electronic media (such as a USB flash drive) used to provide a copy of the electronic PHI.

How to Exercise Your Rights in this Notice

To exercise your rights listed in this notice, you should contact: Associate Director, Benefits, Privacy Official, Duke University, Benefits Administration, 705 Broad St., Durham, NC 27705,
(919) 684-5600.

Additional Information

If you have questions regarding this notice or the subjects addressed in it, you may contact: Associate Director, Benefits, Privacy Official, Duke University, Benefits Administration, 705 Broad St., Durham, NC 27705, (919) 684-5600.


If you believe that your privacy rights have been violated, you may file a written complaint with : Associate Director, Benefits, Privacy Official, Duke University, Benefits Administration, 705 Broad St., Durham, NC 27705, (919) 684-5600.

You may also file a complaint with the regional Office for Civil Rights of the United States Department of Health and Human Services. Information on how to file a complaint is available on the Department of Health and Human Services website at

You will not be retaliated against for filing a complaint.

June 2024


There are no Resource items to show.