If you are the dependent of a student enrolled at Princeton University and have chosen to participate in the Princeton University Student Health Plan (SHP), this notice applies to you. It describes how medical information about you may be used and disclosed, and how you can get access to this information. If you have any questions about this Notice or our privacy practices, contact the Privacy Officer (contact information below).Effective September 2019Disclosure Limitations of Your Health InformationPrinceton University sponsors the Student Health Plan, which is administered by Aetna Student Health Plan and OptumRx Prescription Drug Plan (hereinafter referred to as “the PLAN”). The PLAN is required by law to maintain the privacy of your “Protected Health Information” (as described below), to provide you with notice of its legal duties and privacy practices with respect to your Protected Health Information and to comply with the terms of the notice currently in effect. Protected Health Information generally includes information received or created by the PLAN that identifies you and relates to your physical or mental health or condition, the health care you receive, or payment for your care. We refer to your Protected Health Information as your “health information” in this Notice.How We May Use and Disclose Your Health InformationWe use and disclose your health information to carry out our responsibilities as a health plan. We are permitted to use and disclose your health information without your authorization in the following circumstances:For payment purposes. We may use or disclose your health information for payment purposes, such as paying doctors and hospitals for covered services. Payment purposes also includes determining eligibility for benefits, reviewing services for medical necessity, performing utilization review, obtaining premiums, coordinating benefits, subrogation of claims or collection activities.For healthcare operations. We may use or disclose your health information to conduct our healthcare operations (such as using health information to do a cost analysis of the PLAN, to coordinate or manage care, to assess and improve the quality of healthcare services or to review the qualifications and performance of providers). Healthcare operations also includes our business activities, such as underwriting, placing or replacing coverage, determining coverage policies, arranging for legal and audit services, and obtaining accreditations and licenses. However, we do not use or disclose genetic information for any underwriting purposes, including determining eligibility for benefits or premiums. For treatment purposes. We may use or disclose health information to facilitate medical treatment or services by providers. For example, we may disclose health information to a doctor who is determining how to treat your health condition or to ensure that you receive the services that you need. We may also use your health information to contact you about treatment alternatives or other health-related benefits and services that may be of interest to you.We may also use and disclose your health information without your authorization in these limited circumstances:When we are required to do so by federal, state or local law. For example, we must disclose your health information to the U.S. Department of Health and Human Services upon request if they wish to determine if the PLAN is in compliance with federal privacy laws.In connection with a judicial or administrative proceeding, such as pursuant to a court order or in response to a subpoena, discovery request or other lawful process under certain circumstances.To law enforcement under certain circumstances, such as to identify or locate a suspect, fugitive, material witness or missing person.To certain government authorities or agencies, such as military authorities if you are member of the armed forces, correctional facilities if you are an inmate, authorized federal officials for intelligence and national security purposes or social/protective service agencies if we reasonably suspect abuse, neglect, or domestic violence. In connection with a worker’s compensation program or similar program that provides benefits for work-related injuries or illness.If necessary to prevent a serious and imminent threat to your health and safety or the health and safety of the public or another person. For public health activities, such as reporting births, deaths, child abuse or neglect, to prevent or control communicable diseases, injuries or disabilities, reporting reactions to medications or problems with products or to enable product recalls.To a healthcare oversight agency for activities authorized by law, including, but not limited to, licensure, certification, audits, investigations, and inspections.To coroners, medical examiners and funeral directors or to facilitate organ, eye, or tissue donation.To our business partners (such as third-party administrators and other plan administrators) so that they can provide services to us or perform functions on our behalf. These business partners must agree in writing to safeguard your health information and are required by law to secure and protect the privacy of your health information. To researchers provided that certain established measures are taken to protect your privacy.To assist in disaster relief efforts.To your personal representative, if any. A personal representative has legal authority to act on your behalf regarding your health care and health care benefits. For example, an individual named in a durable power of attorney or a parent or guardian of an unemancipated minor are personal representatives. To a person involved in your care or who helps pay for your care, such as a family member or friend, when you are incapacitated or in an emergency, or when you agree or fail to object when given the opportunity. If you are unavailable or unable to object, we will use our best judgment to determine if the disclosure is in your best interest. Special rules apply regarding when we can disclose health information to family members and others involved in a deceased individual’s care. Uses and Disclosures Requiring AuthorizationOther than as set forth above, the PLAN cannot disclose your health information without a written authorization from you or your personal representative. For example, except in limited circumstances, we must obtain your authorization to use or disclose psychotherapy notes about you, to sell your health information or to use or disclose your health information for marketing activities.If you authorize the PLAN to use and disclose your health information, you may revoke that authorization at any time by writing the Privacy Officer. However, your written revocation will not apply to actions we already took based on your authorization.Additional RestrictionsCertain federal and state laws may prohibit or limit the use and disclosure of certain health information, including highly confidential information. “Highly confidential information” may include information relating to: HIV/AIDS, mental health, genetic tests, alcohol and drug abuse, sexually transmitted diseases and reproductive health. If a use or disclosure of health information is prohibited or materially limited by other laws that apply to the PLAN, we intend to meet the requirements of those more stringent laws. For more information on more stringent laws that may apply to your health information, contact the Privacy Officer.Your Rights Regarding Your Health InformationYour rights regarding your health information include:The right to request restrictions. You may request that we limit the way we use or disclose your health information. This includes the right to ask that we not disclose your health information to family members or friends involved in your care. Such a request must be in writing and directed to the Privacy Officer. We will consider your request, but we are not required to agree to it. The right to request to receive confidential communications. You may ask that we send you information by alternative means or at alternative locations – for example, at a specified phone number or mailing address or email address. You must make this type of request (or change or cancel an earlier request) in writing to the Privacy Officer. We will honor all reasonable requests.The right to request access to your health information. You have the right to see and obtain a copy of your health information contained in your medical/billing record. Such a request must be in writing and directed to the Privacy Officer. To the extent we maintain your health information electronically, you can ask that we provide you the information in an electronic form or format. You can also direct us to send your health information to a third-party. We may charge you a reasonable, cost-based fee for a copy of your health information. In certain situations, we may deny your request to access your health information, but we will tell you why we denied it. You have the right to ask for a review of our denial.The right to request an amendment to your health information. You may ask us to correct or amend your health information contained in your medical/billing record. Such a request must be in writing and directed to the Privacy Officer and must specify the reason for the request. We may deny your request, but you may respond by filing a written statement of disagreement and ask that the statement be included with your record.The right to request a list of disclosures. You have the right to request a list of certain disclosures of your health information. Such a request must be made in writing to the Privacy Officer. You are entitled to one such list in any 12-month period at no charge. If you request any additional lists within a 12-month period, we may charge you a fee.The right to be notified of a breach. We are required to notify you in the event of a breach of your unsecured health information.The right to request a paper copy of this Notice. You can request a paper copy of this Notice at any time even if you agreed to receive this Notice electronically. You can also view and/or print a copy of this Notice from our website: https://uhs.princeton.edu/student-health-plan.Changes to this NoticeThe PLAN may change the terms of this Notice from time to time, and it will make the terms of the revised Notice effective for all health information it maintains. You may obtain the most current Notice by visiting our website: https://uhs.princeton.edu/student-health-plan or by contacting the Privacy Officer. If we make a material change to this Notice, we will use one of our periodic mailings to inform members then covered by the PLAN about the revised Notice. Questions or ComplaintsIf you have any questions about this Notice, please contact the Privacy Officer. If you believe your privacy rights have been violated, you may file a complaint with the Privacy Officer, the Office of the Director, University Health Services or the third-party administrator for the PLAN. Contact information is listed below. You may also file a complaint with the Secretary of the U.S. Department of Health and Human Services. We will not take any action against you for filing a complaint.ContactsPrivacy OfficerTo exercise any of your HIPAA rights, please contact the PLAN’s designated Privacy Officer.Director of Risk Management701 Carnegie Center, Suite 439Princeton, NJ 08544phone: 609-258-2169fax: 609-258-3448Other HIPAA ContactsDirector, University Health Services Frist Health Center, Room 25010 Guyot Lane Princeton, NJ 08544phone: 609-258-6830 OptumRx (Prescription Drug Plan)Member Services phone: 877-615-6319Aetna Student Health (Medical Health Plan) Member Services phone: 877-437-6511