Notice of privacy practices

This notice describes how health information about you may be used and disclosed and how you can get access to this information. Please review it carefully.

At Providence Health Plan (PHP), we are required by federal and state law to protect the privacy of your protected health information (PHI) in accordance with the Health Insurance Portability and Accountability Act (HIPAA). PHP must provide you with this notice and abide by the terms of this notice. This notice explains how PHP may use and share information about you to administer your benefits and informs you about your rights as a valued member. It also explains how you can exercise these rights. PHI, also called your health information, refers to information about your health or healthcare services that can be used to identify you as an individual. This includes:

  • Details about your past, present, or future physical or mental health or condition
  • Information related to the provision of health care to you
  • Payment information related to your health care services

In addition to PHI, PHP also protects your Personally Identifiable Information (PII), which includes data that can be used to identify you individually such as your name, address, date of birth, or Social Security number. PHP understands the sensitivity of this information and has policies in place to safeguard it from unauthorized access, use, or disclosure. PHP collects PII as part of business operations to verify your identity, manage member accounts, and support the delivery of health plan services. Protecting your PII is an essential part of earning and maintaining your trust as a valued member.




How PHP Uses and Discloses Your PHI Without Your Written Authorization


PHP may use and disclose your protected health information for different purposes. PHP will use PHI and may share it with others while providing health benefits. The examples below are provided to illustrate the types of uses and disclosures PHP may make without your authorization for treatment, payment, and health care operations.


Treatment:

  • PHP does not provide treatment. This is the role of your healthcare provider, such as your doctor or a hospital.
  • PHP may use and disclose your health information as needed to coordinate, manage or support your care with your healthcare providers.


Payment:


  • PHP may use and share your health information to process and pay claims submitted by your healthcare providers.
  • PHP may share an Explanation of Benefits (EOB) with the subscriber of your plan to help with payment of claims.
  • PHP may use and disclose your health information to collect premiums and calculate cost-sharing amounts.


Healthcare Operations:


  • PHP may use or disclose your health information to assist you with benefit, claim or coverage questions.
  • PHP may use your health information to review the quality of care and services you receive.
  • PHP may use your health information to coordinate and improve preventive services and chronic condition management programs (such as immunizations, cancer screenings, or programs for asthma, diabetes, or high blood pressure).
  • PHP may use or disclose your health information for subrogation or third-party liability activities to recover costs of care.
  • PHP may use or disclose your health information to an independent review organization (IRO) if you request an external review of a coverage decision.
  • PHP may use or disclose your health information with accreditation and credentialing organizations to maintain PHP’s licenses and certifications.
  • PHP may use the minimum necessary health information from your electronic medical record such as hospital discharge notes or treatment summaries to help coordinate your care or connect you with follow-up services.


Plan Sponsor/Administrator


If you receive health plan benefits through your employment, PHP may share limited information with your employer’s health plan administrator.


  • We may share your health information with your plan sponsor (your employer or group health plan) only when needed to obtain bids, manage, or administer the plan.
  • If your employer helps pay your premium but does not pay your medical claims, your employer:
    • May not access your health information except as needed to obtain bids, manage, or end the plan.
    • Must agree in writing to protect your information and use it only as permitted by law.



Sharing Your Health Information with Those Involved in Your Care


PHP may share your health information in some cases with family members, friends, or others who are involved in your care or payment for your care.


  • PHP may share information when you give us your verbal or written permission.
  • If there is an emergency and you are unable to communicate, PHP may share information if PHP believes it is in your best interest.
  • PHP may also share information to help protect your health and safety or the health and safety of others.



Other Ways PHP May Use and Share Your Health Information Without Authorization


For Legal and Law Enforcement Purposes


  • When required by law.
  • In response to a court order, subpoena, or other legal request.
  • To law enforcement officials when required by law, such as to locate a suspect or report a crime.
  • To government agencies involved in national security, military, or protective services.


For Oversight and Compliance

  • To government agencies that oversee health care, such as licensing boards, auditors, or regulators.
  • To the Secretary of the U.S. Department of Health and Human Services to oversee our compliance with HIPAA.


For Research


  • For research purposes when permitted by law and subject to required protections.


For Organ Donation and Decedents


  • To help identify a deceased person, determine the cause of death, or facilitate organ or tissue donation.


With Business Associates


  • To vendors or contractors (called “business associates”) who help PHP operate and deliver services. These partners are required by law to protect your information.



Disclosures Requiring Your Written Authorization


PHP is required to obtain your written authorization to use or disclose your protected health information, with limited exceptions, for the following reasons:


  • Marketing. PHP will request your written authorization to use or disclose your protected health information for marketing purposes with limited exceptions, such as when we have face-to-face marketing communications with you or provide promotional gifts of nominal value.
  • Sale of Protected Health Information. PHP does not sell PHI or PII and must request your written authorization before making any disclosure that is considered a sale of your protected health information.
  • Other Uses or Disclosures. Any other uses or disclosures of your protected health information not described in this Notice will be made only with your written authorization, unless otherwise permitted or required by law.



Additional Privacy Protections for Sensitive Health Information


Federal and state laws may require enhanced privacy protections for certain types of health information. These may include:


  • Alcohol, drug and substance use (diagnosis, treatment and referral information)
  • Gender-affirming care
  • Genetic information (services or tests)
  • HIV (testing and treatment)
  • Psychotherapy or counseling notes
  • Reproductive health care


If PHP receives substance use disorder information from a federally assisted program covered by 42 CFR Part 2, PHP is required to implement additional safeguards to protect your SUD information.


  • If you provide a general consent to the Part 2 program permitting your information to be used or disclosed for treatment, payment, or health care operations, PHP may use and disclose that information as permitted under HIPAA.
  • If you give specific consent directly to PHP or another party, PHP will use and disclose your Part 2 information only as expressly permitted in that consent.
  • PHP may use or disclose this information for treatment, payment, or health care operations.
  • PHP will not use or disclose your Part 2 records, or any related testimony, in civil, criminal, administrative, or legislative proceedings without your consent or a court order that provides you notice before release.

     


If your PHI is subject to enhanced protection, PHP may only disclose it with your prior written authorization unless otherwise permitted or required by law.



Revocation of an Authorization


  • You may cancel your authorization in writing at any time before it expires.
  • If your information was shared based on your permission, it may be re-disclosed by others and may no longer be protected under state or federal privacy laws.
  • Some laws may limit the re-disclosure of certain types of sensitive health information, such as mental health information, genetic information or substance use disorder information (diagnosis, treatment or referral).



Privacy Rights Regarding Your Health Information


Right to Access your Health Information:


  • You have the right under HIPAA to request a copy of your health information that is maintained by PHP.
  • You may request your health information in a paper copy or in an electronic format. PHP will provide it in the format you request if it is available. If not, we will provide it in a readable format.
  • PHP requires that your request for your health information be made in writing.
  • If PHP denies your request for your health information, PHP will notify you in writing and explain the reason and how you can appeal or respond.
  • You also have the right to request a copy of your medical records from your doctor or another health care provider.


Right to an Accounting of Disclosures of Your Health Information:


  • You have the right under HIPAA to receive a list of disclosures PHP has made of your health information, except for those made for treatment, payment, or health care operations, or disclosures made with your authorization.
  • This list may include disclosures made for public health reporting, law enforcement or other legal requirements.
  • PHP requires that your request for an accounting of disclosures be made in writing and include the time period you are requesting.
  • The time period may not be longer than six years from the date of your request.


Right to Amend Your Health Information:


  • You have the right under HIPAA to request a change to your health information that is maintained by PHP, if you believe it is inaccurate or incomplete.
  • PHP requires that your request to amend your health information be made in writing.
  • If PHP approves your request, the amendment will be added to your record, and PHP will inform others who received the original information, if they need to know about the change.
  • If PHP denies your request for amendment of your health information, PHP will notify you in writing and explain the reason and how you can appeal or respond.


Right to Confidential Communications:


  • You have the right under HIPAA to request that PHP communicate with you using a specific method or at an alternative location if you believe the disclosure of your health information could endanger you. For example, you may ask PHP to send your health information only by U.S. mail or to an address other than your home. PHP will accommodate reasonable requests.
  • All PHP members have the right to request their health information be sent to a different address if sending to your current address may put you in danger. PHP will accommodate reasonable requests of this kind. PHP will not require you to explain why you believe you are in danger to process your request. You may make this request either in writing or verbally.
  • Some state laws provide additional privacy protections for which members have the right to request their plan information containing health or personal information be sent to another address, or that PHP may not disclose your information to the policyholder/subscriber. These state-specific requests must be made in writing.


Right to Request Restrictions on the Use and Disclosure of Your Health Information


  • You have the right under HIPAA to request that we restrict or limit how we use or disclose your health information for treatment, payment or health care operations.
  • If we agree, we will comply with your request unless the information is needed in an emergency. While we will consider your request for a restriction, by law we are not required to agree, as some requests may not be possible based on our operations or legal obligations.
  • PHP requires that your request to restrict your information be made in writing.


Right to a Notice in the Event of a Breach of Your Health Information

  • You have the right under HIPAA to receive a notice if PHP determines that your health information was involved in a breach.
  • PHP will provide this notice without unreasonable delay and no later than 60 days after discovering the breach. The notice will include a description of what happened, the type of information involved, the actions PHP has taken to investigate and prevent further disclosures, the steps you can take to protect yourself from potential harm and how to contact PHP for more information.



How PHP Protects and Secures Your Information

All caregivers are required to comply with the HIPAA security and privacy policies. PHP has policies and procedures in place to ensure the confidentiality of your health information. PHP keeps your verbal, written, and electronic health information safe using administrative (policies), technical (encryption), and physical (locked storage) safeguards that follow federal and state laws. Some of the ways we protect your information include:


  • Our caregivers are required to:
    • Sign the Acceptable Use Agreement, Confidentiality and Nondisclosure statement.
    • Complete privacy and security training when hired and on an annual basis.
    • Only access your health information when needed to perform job duties.
    • Securely dispose of written health information.
    • Report any privacy or security violations.
    • Use secure logins and passwords to access PHP systems.
    • Work in systems protected by firewalls, encryption, and data back-up protocols.
    • Wear ID badges when entering PHP buildings.

  • PHP agreements with providers include confidentiality provisions that require them to protect your health information in accordance with HIPAA and other applicable privacy laws.
  • PHP monitors its systems to detect and prevent unauthorized access to your health information.
  • PHP limits the amount of health information it uses or shares to only what is necessary for the intended purpose.
  • PHP requires vendors and contractors who handle your information to meet privacy and security standards.



How to Use Your HIPAA Rights:


You may also find the Member Authorization and Privacy forms on our website at:
https://healthplans.providence.org/members/understanding-plans-benefits/benefit-basics/forms/


You can also use our secure online portal to ask privacy-related questions. You will need to log in to your MyProvidence account, or register for one if you don’t have an account yet:
www.myprovidence.com


You can use your HIPAA rights by contacting Customer Service.


  • If you have any questions about your health information or if you believe that your privacy rights have been violated, please contact Customer Service at: 503-574-7500 or 1-800-878-4445.
  • If you are hearing impaired and use a Teletype (TTY) Device, please call our TTY line at 711. Customer Service Representatives can be reached Monday through Friday, between 8 a.m. and 5 p.m.


You may file a complaint with PHP in writing at:


Providence Health Plan
Attn: Appeals and Grievance Dept.
P.O. Box 4327
Portland, OR 97208-4327


If you have questions or concerns about PHP’s privacy practices or your privacy rights, please contact our HIPAA Privacy Rights Hotline at (503) 574-7770.


You have the right to file a complaint with the Office for Civil Rights (U.S. Department of Health and Human Services) if you believe your privacy rights have been violated. PHP will not retaliate against you for filing a complaint. You may contact the Office for Civil Rights at:


Office for Civil Rights
U.S. Department of Health and Human Services
200 Independence Avenue, S.W.
Room 509F, HHH Building
Washington, D.C. 20201


OCR Hotlines-Voice: 1-800-368-1019
E-mail: OCRComplaint@hhs.gov
Website: Office for Civil Rights https://www.hhs.gov/ocr/index.html



Your Rights to Receive This Notice


  • You have the right to request a copy of this notice at any time, including a paper copy, even if you agreed to receive it electronically.
  • PHP may change the terms of this notice at any time. If that happens, the updated notice will apply to all health information PHP maintains.
  • PHP will post the revised notice on its website by the effective date of the change.
  • PHP will also include the revised notice in the next annual mailing to members.

The most current version will always be available online at: https://healthplans.providence.org/about-us/privacy-notices-policies/notice-of-privacy-practices/



Effective date of this notice

The original effective date of this Notice was April 14, 2003. The most recent revision date is Feb. 1, 2026.

Additional privacy notices and policies

  • Providence non-discrimination and communication assistance
  • HIPAA overview

    The Health Insurance Portability and Accountability Act of 1996 (HIPAA) allows members the right to receive a notice that describes how individual health information may be used and/or disclosed and how to acquire access to this information. Under HIPAA, any electronic, written, or oral health information that can identify a specific member is considered protected health information (PHI).

    Providence Health Plans is dedicated to protecting your PHI. All Providence caregivers are trained regarding the private and confidential nature of your health information. We respect the privacy of our members and take great care to determine when it is legally appropriate to share your PHI. Providence Health Plans makes every effort to release only the minimal amount of information necessary. Also, wherever feasible, identifiable information is removed from any information shared within and outside of Providence Health Plans.


    More member information

    If you have questions or concerns about your HIPAA Privacy Rights, you may call us at 503-574-7770.

    If you are calling for any other reason, please refer to the phone number on your ID card to call Customer Service.



    Office for Civil Rights - HIPAA

    http://www.hhs.gov/ocr/hipaa/

  • Confidentiality of member information

    Medical care is a deeply personal issue for people. All of us need to know that information about our health care is private and confidential. Providence Health Plan respects the privacy of our members and takes great care to determine when it is appropriate to share your personal health information. Such uses may include intervention programs that improve your medical treatment; quality measurement processes; and audit of your claims record to ensure accurate and timely payment and release of information to your primary or secondary insurance carrier to assist with coordination of benefits.

    Providence Health Plan makes every effort to release only the amount of information necessary to meet any release requirement and only releases information on a need-to-know basis. Also, wherever feasible, identifiable information is removed from any information shared within and outside of Providence Health Plan.

    To secure the confidentiality of medical information, Providence Health Plan has the following procedures in place:


    • Access to a member's medical information held by the plan is restricted to only those Providence employees who need this information and to the member. Entries into member records are tracked for security purposes. Employees must report any security violations.
    • Unique and secured log-in names and passwords are required to access the Providence Health Plan computer system. In addition, firewalls, encryption and data backup systems are used. Similar strategies are used for protecting confidential information on our website.
    • Providence employees are educated about privacy issues and sign a confidentiality statement upon employment, then review the information and sign again each year.
    • Each department within Providence Health Plan adopts specific policies to monitor the handling of member information.
    • Providence Health Plan uses member personal health information within Providence Health Plan to process claims, or for the purposes of disease management or quality improvement.
    • Members must sign an authorization to release identifiable member information outside of Providence Health Plan or its authorized agents, except when the law requires or permits such a release or for treatment, billing and health care operations.
    • When member information is used in health studies, identifiable information is not released. All member-specific information has identifying information removed, and aggregated data are used as early in the measurement process as possible. The privacy of Providence Health Plan members is completely protected.
    • Our agreements with participating providers contain confidentiality provisions that require these providers to treat your personal health information with the same care as Providence Health Plan.
    • You have the right to register a complaint if you believe your privacy is compromised in any manner.
    • Members may request to see their medical records. Call your physician's or provider's office to ask how to schedule a visit for this purpose.

    If you have questions about your own medical information or that of another member of your household, please contact your Customer Service Team.

  • Protected health information and your employer

    Providence Health Plan’s practice is to keep our members' protected health information (PHI) confidential from their employers or their employers' agents when possible. However, there are circumstances that may require Providence Health Plan to release PHI to your employer or their agent if you receive your health insurance through your employer. Although these circumstances are rare, Providence Health Plan considers it important that you are educated about these rare circumstances. Please take the time to educate yourself by reviewing this document.

    The Health Insurance Portability and Accountability Act (HIPAA) allows employers and their agents to request PHI for the purposes of obtaining health care coverage bids, as well as for modifying, amending or terminating their existing health plan. Currently, Providence Health Plan works with employers and their agents to provide this information in a way that does not release your identity. However, a situation may arise that requires and allows the release of PHI for these purposes.

    HIPAA also allows an employer or their agent, acting as a Plan Sponsor, to have access to their employees' PHI if they certify to Providence Health Plan that they are in compliance with HIPAA. For your employer or their agent to be in compliance with HIPAA as a Plan Sponsor, they must incorporate certain provisions into their plan documents. Your employer’s plan documents must:

    • Establish the permitted and required uses and disclosures of PHI. These permitted uses and disclosures must not conflict with use and disclosure limits set by plan documents, the law, or with any of the following requirements.
    • State that PHI sent from us to your employer or their representative will not be used or disclosed for the purposes of employment related actions.
    • State that PHI sent from us to your employer or their representative will not be used or disclosed for actions related to benefits or any other benefit plan.
    • Establish that any agent or entity with access to PHI that we have shared with your employer agrees to these requirements.
    • State that your employer will make the PHI it receives available for you to review, and, should you request an amendment, follow HIPAA requirements regarding that amendment.
    • Ensure and establish adequate separation between Plan Sponsor employees with access to PHI and Providence Health Plan. HIPAA requires that your employer or their agent describe in plan documents what employees or classes of employees require access to PHI for plan administration purposes. Your employer must have an effective mechanism for resolving any noncompliance by these employees.
    • State that methods to track any disclosures are in practice and that they will make a report of this available to you per HIPAA requirements. If Providence Health Plan is required to share PHI with a Plan Sponsor, we require the Plan Sponsor to provide us with an accounting of disclosures that we can provide to you, should you request an accounting from us.
    • Allow the U.S. Department of Health & Human Services and the Office for Civil Rights to audit the Plan Sponsor to ensure that Providence Health Plan has been compliant with HIPAA when sharing PHI with the Plan Sponsor.
    • State that they will report to Providence Health Plan any use or disclosure of PHI that does not comply with these provisions. Providence Health Plan will investigate the reported situation to determine what steps are needed to protect your PHI and whether PHI should be shared with the Plan Sponsor in the future.
    • State that, if feasible, your employer or their agents will return or destroy all PHI we release to them, or, if not feasible, will protect the PHI once it is no longer needed.

    Although Providence Health Plan avoids sharing PHI with employers when possible, the landscape of health care continues to change. Providence Health Plan is committed to working with your employer to meet their needs while complying with the law and maintaining our commitment to your privacy. To educate yourself about Providence Health Plan’s PHI uses, disclosures, and requirements as well as about your privacy rights, please review Providence Health Plan’s notice of privacy practices.

  • Request for confidential communications

    You have the right to have protected health information sent directly to you instead of the person who pays for your health insurance plan. This can be done by completing one of the forms below:



    If you have any questions about this request, you may contact Customer Service at 503-574-7500 or 800-878-4445, TTY: 711.

  • Privacy forms
    Request access to your health plan records for members of:

    Make changes to your health plan records for members of:

    Restrict access to your health plan records for members of:

    Allow Providence Health Plans to share your protected health information with a third party for members of: