Notice of privacy practices
This notice describes how medical information about you may be used and disclosed and how you can obtain access to this information. Please review it carefully.
At Providence Health Plan, we respect the privacy and confidentiality of your protected health information (PHI). We are required by law to maintain the privacy of your protected health information, (commonly called PHI or your personal information) including in electronic format. When we use the term “personal information” we mean information that identifies you as an individual such as your name and Social Security Number, as well as financial, health and other information about you that is nonpublic, and that we obtain so we can provide you with insurance coverage. Providence Health Plan maintains policies that protect the confidentiality of personal information, including Social Security numbers, obtained from its members in the course of its regular business functions. We must provide you with this notice, and abide by the terms of this notice. This notice explains how we may use and disclose information about you in administering your benefits and it also informs you about your rights as our valued member. Finally, this notice provides you with information about exercising these rights.
How Providence Health Plan uses and discloses your PHI without your written Authorization
We may use and disclose your protected health information for different purposes. We use PHI and may share it with others while providing health benefits. The examples below are provided to illustrate the types of uses and disclosures we may make without your authorization for payment, health care operations and treatment:
- Payment: We may use or disclose your PHI to make coverage determinations, to coordinate benefits with other coverage you may have, and to help pay your medical bills that have been submitted to us by doctors and hospitals for payment. We may also use and disclose PHI to collect premiums and calculate cost-sharing amounts.
- Health Care Operations: We may use or disclose your PHI to provide customer service, to support and improve programs and services we offer you and as necessary to operate and manage our business activities related to providing and managing your healthcare coverage. For example, we might talk to your doctor to suggest a disease management or wellness program that could help improve your health.
- Treatment: We do not provide treatment. This is the role of a healthcare provider, such as your doctor or a hospital. We may use and disclose your PHI with your doctors or hospitals to help them provide medical care to you.
- Plan Sponsor/Administrator: If you are enrolled with Providence Health Plan through an employer-sponsored group health plan, Providence Health Plan may share PHI with your group health plan. We may share your information with your plan sponsor if requested so that your plan sponsor can obtain premium bids or modify, amend, or terminate the plan. If your employer pays your premium or part of your premium, but does not pay your health insurance claims, your employer is not allowed to receive your PHI for purposes other than obtaining premium bids or to modify, amend, or terminate the plan, unless your employer promises to protect your PHI and makes sure the PHI will be used for legal reasons only.
Person(s) Involved in Your Care or Payment for Your Care:
We may also disclose protected health information to a person, such as a family member, relative, or close personal friend, who is involved with your care or payment. We may disclose the relevant protected health information to these persons if you do not object or we can reasonably infer from the circumstances that you do not object to the disclosure; however, when you are not present or are incapacitated, we can make the disclosure if, in the exercise of professional judgment, we believe the disclosure is in your best interest.
Other uses and disclosures that we may make without your Authorization
There are a number of ways that your health information may be used or disclosed without your authorization. Generally, these uses and disclosures are either required by law or for public health and safety purposes.
- As Required by Law: We must disclose protected health information about you when required to do so by law.
- Business Associate: We may use or disclose your PHI with individuals who perform business functions on our behalf or provide us with services if the information is necessary for such functions or services. Our business associates are required, under contract with us and pursuant to federal law, to protect the privacy of your information and are not allowed to use or disclose any information other than as specified in our contract and as permitted by federal law.
- Coroners, Funeral Directors, Organ Donation: We may disclose protected health information to coroners or funeral directors as necessary to allow them to carry out their duties or in connection with organ or tissue donation.
- Health Oversight: We may disclose protected health information to state and federal agencies that regulate us, including but not limited to the U.S. Department of Health and Human Services, the Oregon Division of Financial Regulation and the Washington Office of Insurance Commissioner.
- Judicial and Administrative Proceedings: We may disclose protected health information in response to a court or administrative order, or in response to a subpoena, discovery request, or other lawful process.
- Law Enforcement: We may disclose protected health information under limited circumstances to a law enforcement official in response to a warrant or to identify or locate a suspect or to provide information about the victim of a crime.
- Public Health Activities: We may disclose protected health information to public health agencies for reasons such as preventing or controlling disease, injury or disability.
- Research: We may disclose your health information to researchers, provided that the research has been approved by an Institutional Review Board and/or a Privacy Board, and the research protocols have been approved to ensure your privacy. We may disclose healthcare information about you to people preparing to conduct a research project.
- Specialized Government Functions: We may disclose information as required by military authorities or to authorized federal officials for national security and intelligence activities.
- To Avert a Serious Threat to Health or Safety: We may disclose protected health information about you, with some limitations, when necessary to prevent a serious threat to your health and safety or the health and safety of the public or another person.
- Victims of Abuse, Neglect, or Domestic Violence: We may disclose protected health information to government agencies about abuse, neglect, or an act of domestic violence.
- Workers Compensation: We may disclose PHI as authorized by, or to the extent necessary to comply with, state workers’ compensation laws that govern job-related injuries or illnesses.
Other uses and disclosures requiring your written Authorization
We are required to obtain your written authorization to use or disclose your protected health information, with limited exceptions, for the following reasons:
- Marketing. We will request your written authorization to use or disclose your protected health information for marketing purposes with limited exceptions, such as when we have face-to-face marketing communications with you or when we provide promotional gifts of nominal value.
- Sale of Protected Health Information. We will request your written authorization before we make any disclosure that is deemed a sale of your protected health information; we do not currently sell or plan to sell your health information.
- Other Uses or Disclosures. All other uses or disclosures of your protected health information not described in this Notice will be made only with your written authorization, unless otherwise permitted or required by law.
Disclosures of certain PHI deemed “Highly Confidential.”
For certain kinds of PHI, federal and state law may require enhanced privacy protection. These might include PHI that is:
- About alcohol and drug abuse prevention, treatment and referral
- About HIV/AIDS testing, diagnosis or treatment
- About genetic testing
- About psychotherapy notes.
If the PHI is subject to enhanced protection, we can only disclose it with your prior written authorization unless specifically permitted or required by law.
Revocation of an Authorization
You may revoke an authorization at any time in writing, except to the extent that we have already taken action on the information disclosed or if we are permitted by law to use the information to contest a claim or coverage under the Plan.
NOTE: If we disclose information as a result of your written permission, it may be re-disclosed by the receiving party and may no longer be protected by state and federal privacy rules. However, federal or state law may restrict re-disclosure of additional information such as HIV/AIDS information, mental health information, genetic information and drug/alcohol diagnosis, treatment or referral information.
Privacy rights regarding your Protected Health Information
Right to Access your Protected Health Information: You have the right to inspect, review or obtain a copy of your information that is kept by Providence Health Plan in your designated record set with some limited exceptions. The designated record set includes any records used to make decisions about you as a member. You may request that we provide a copy of this protected health information in a format other than photocopies, such as providing them to you electronically, if it is readily producible in such form and format. We require that your request for information be made in writing. We will charge you a reasonable fee based for the cost of producing and providing your designated record set. You may request a copy of the portion of your enrollment and claim record related to an appeal or grievance, free of charge. If we deny your request for your information, we will notify you in writing and will provide you with a right to have the denial reviewed if applicable. You have similar rights with respect to your medical records. However, Providence Health Plan will generally not have your medical records unless they were received from your physician or provider for a purpose described above. Call your physician's or provider's office to ask how to receive a copy.
Right to an Accounting of Disclosures by the Plan: You have a right to a listing of the disclosures we make of your protected health information, except for those disclosures made for treatment, payment, or health care operations, or those disclosures made pursuant to your authorization. The type of disclosures typically contained in a listing would be disclosures made for mandatory public health purposes, law enforcement or legal proceedings. We require that your request for an accounting of disclosures be made in writing and must state a time period for which you want an accounting. This time period may not be longer than six years and may not include dates before April 14, 2003. The first accounting that you request within a 12-month period will be free.
Right to Amend Your Protected Health Information: If you believe that protected health information maintained by the Plan is incorrect or incomplete, you may request that we amend or change, the information. We require that your request be in writing and that you provide a reason for your request. If we make the amendment, we will notify you that it was made, and we will notify appropriate others, including business associates, of the amendment. If we deny your request to amend, we will notify you in writing of the reason for the denial. You have the right to appeal our denial by filing a written statement of disagreement.
Right to Confidential Communications: You have the right to request that we use a certain method to communicate with you about the Plan or that we send Plan information to a certain location if the communication could endanger you. For example, you may request that we send your information by a specific means (for example, U.S. mail only) or to a specified address. Methods of requesting confidential communications are:
- All Providence Health Plan members have the right to request that their PHI be sent to a different address if sending PHI to your current address might put you in danger. Providence Health Plan will accommodate a reasonable request of this nature. We will not ask you to explain why you believe you are in danger. These requests can be made verbally.
- If applicable, some state laws provide additional privacy protections whereby members have the right to request that their plan information that contains PHI or personal information be sent to another address other than their home, or to refrain from disclosing such information to the policyholder/subscriber. We require that these requests be made in writing. Additional information may be found at the bottom of this page in the "Additional privacy notices and policies" section under the tab "Oregon request for confidential communications".
Right to a Notice in the event of a Breach: You have a right to receive a notice of a breach involving your protected health information (PHI) should one occur.
Right to Request Restrictions on the Use and Disclosure of Your Protected Health Information: You have the right to request that we restrict or limit how we use or disclose your protected health information for treatment, payment or health care operations. If we do agree, we will comply with your request unless the information is needed for an emergency. While we may honor your request for restrictions, we are not required to agree to these restrictions. Your request for a restriction must be made in writing.
How we protect your privacy and secure your information
Providence Health Plan has policies and procedures in place to ensure the confidentiality of your PHI. We keep your oral, written and electronic PHI safe using physical, electronic and procedural means. These safeguards follow federal and state laws. Some of the ways we keep your PHI safe include:
- Providence Health Plans employees are educated about the Privacy and Security rules and sign a confidentiality statement upon employment.
- Employees are trained that they may only speak about PHI with those that need to know the information, such as a provider or a supervisor. And that they should not speak about PHI in public spaces, including health plan restrooms or hallways.
- Where appropriate, employees must lock storage areas and filing cabinets.
- Employees are required to securely dispose of written PHI.
- Employees must report any privacy and/or security violations.
- Unique and secured log-in names and passwords are required to access the computer system. In addition, firewalls, encryption and data backup systems are used. To enter the health plan buildings, an ID badge must be used to open the door.
- Our agreements with participating providers contain confidentiality provisions that require these providers to treat your PHI with the same care as Providence Health Plan.
- Our agreements with business associates who perform functions or activities on our behalf require them to appropriately safeguard your PHI with the same care as Providence Health Plan.
Exercising your rights
You may exercise any of the rights described above by contacting Customer Service or the Office for Civil Rights, U.S. Department of Health and Human Services. You may find the Member Authorization and Privacy forms at the bottom of this page or access them here.
Contacting Customer Service
If you have any questions about your PHI or if you believe your privacy rights have been violated, please contact Customer Service at:
Toll free: 800-878-4445 TTY: 711
Monday through Friday, 8 a.m. to 5 p.m. (Pacific time)
You may file a complaint with us in writing at:
Providence Health Plan
Attn: Appeals and Grievance Dept.
P.O. Box 4327
Portland, OR 97208-4327
Contacting support outside of Providence Health Plan
You may notify the Office for Civil Rights, U.S. Department of Health and Human Services if you believe your privacy rights have been violated. We will not take any action against you for filing a complaint.
You may file the complaint at the Office for Civil Rights at:
Office for Civil Rights
U.S. Department of Health and Human Services
200 Independence Avenue, S.W.
Room 509F, HHH Building
Washington, D.C. 20201
OCR Hotlines-Voice: 1-800-368-1019
Website: Office for Civil Rights www.hhs.gov/ocr/privacy/hipaa/complaints/.
If you have further questions about Providence Health Plan privacy practices, please call our Privacy Program at:503-574-7770
Copies and Changes to the Notice
You have the right to obtain a new copy of this notice at any time. Even if you have agreed to receive this notice by electronic means, you still have the right to a paper copy. We reserve the right to change the terms of this notice and to make the new notice effective for all protected health information we maintain. If revised, we will prominently post the change of our revised notice on our web site by the effective date of the material change to the notice, and provide the revised notice, or information about the material change and how to obtain the revised notice, in our next annual mailing to subscribers/members then covered by the plan. The new notice will also be available online at https://providencehealthplan.com/notice-of-privacy-practice/.
Effective date of this notice
The original effective date of this Notice was April 14, 2003. The most recent revision date is Jan. 16, 2020.
Additional privacy notices and policies
Providence non-discrimination and communication assistance
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) allows members the right to receive a notice that describes how individual health information may be used and/or disclosed and how to acquire access to this information. Under HIPAA, any electronic, written, or oral health information that can identify a specific member is considered protected health information (PHI).
Providence Health Plans is dedicated to protecting your PHI. All Providence caregivers are trained regarding the private and confidential nature of your health information. We respect the privacy of our members and take great care to determine when it is legally appropriate to share your PHI. Providence Health Plans makes every effort to release only the minimal amount of information necessary. Also, wherever feasible, identifiable information is removed from any information shared within and outside of Providence Health Plans.
More member information
If you have questions or concerns about your HIPAA Privacy Rights, you may call us at 503-574-7770.
If you are calling for any other reason, please refer to the phone number on your ID card to call Customer Service.
Office for Civil Rights - HIPAA
Confidentiality of member information
Medical care is a deeply personal issue for people. All of us need to know that information about our health care is private and confidential. Providence Health Plan respects the privacy of our members and takes great care to determine when it is appropriate to share your personal health information. Such uses may include intervention programs that improve your medical treatment; quality measurement processes; and audit of your claims record to ensure accurate and timely payment and release of information to your primary or secondary insurance carrier to assist with coordination of benefits.
Providence Health Plan makes every effort to release only the amount of information necessary to meet any release requirement and only releases information on a need-to-know basis. Also, wherever feasible, identifiable information is removed from any information shared within and outside of Providence Health Plan.
To secure the confidentiality of medical information, Providence Health Plan has the following procedures in place:
- Access to a member's medical information held by the plan is restricted to only those Providence employees who need this information and to the member. Entries into member records are tracked for security purposes. Employees must report any security violations.
- Unique and secured log-in names and passwords are required to access the Providence Health Plan computer system. In addition, firewalls, encryption and data backup systems are used. Similar strategies are used for protecting confidential information on our website.
- Providence employees are educated about privacy issues and sign a confidentiality statement upon employment, then review the information and sign again each year.
- Each department within Providence Health Plan adopts specific policies to monitor the handling of member information.
- Providence Health Plan uses member personal health information within Providence Health Plan to process claims, or for the purposes of disease management or quality improvement.
- Members must sign an authorization to release identifiable member information outside of Providence Health Plan or its authorized agents, except when the law requires or permits such a release or for treatment, billing and health care operations.
- When member information is used in health studies, identifiable information is not released. All member-specific information has identifying information removed, and aggregated data are used as early in the measurement process as possible. The privacy of Providence Health Plan members is completely protected.
- Our agreements with participating providers contain confidentiality provisions that require these providers to treat your personal health information with the same care as Providence Health Plan.
- You have the right to register a complaint if you believe your privacy is compromised in any manner.
- Members may request to see their medical records. Call your physician's or provider's office to ask how to schedule a visit for this purpose.
If you have questions about your own medical information or those of another member of your household, please contact your Customer Service Team.
Protected health information and your employer
Providence Health Plan’s practice is to keep our members' protected health information (PHI) confidential from their employers or their employers' agents when possible. However, there are circumstances that may require Providence Health Plan to release PHI to your employer or their agent if you receive your health insurance through your employer. Although these circumstances are rare, Providence Health Plan considers it important that you are educated about these rare circumstances. Please take the time to educate yourself by reviewing this document.
The Health Insurance Portability and Accountability Act (HIPAA) allows employers and their agents to request PHI for the purposes of obtaining health care coverage bids, as well as for modifying, amending or terminating their existing health plan. Currently, Providence Health Plan works with employers and their agents to provide this information in a way that does not release your identity. However, a situation may arise that requires and allows the release of PHI for these purposes.
HIPAA also allows an employer or their agent, acting as a Plan Sponsor, to have access to their employee’s PHI if they certify to Providence Health Plan that they are in compliance with HIPAA. For your employer or their agent to be in compliance with HIPAA as a Plan Sponsor, they must incorporate certain provisions into their plan documents. Your employer’s plan documents must:
- Establish the permitted and required uses and disclosures of PHI. These permitted uses and disclosures must not conflict with use and disclosure limits set by plan documents, the law, or with any of the following requirements.
- State that PHI sent from us to your employer or their representative will not be used or disclosed for the purposes of employment related actions.
- State that PHI sent from us to your employer or their representative will not be used or disclosed for actions related to benefits or any other benefit plan.
- Establish that any agent or entity with access to PHI that we have shared with your employer agrees to these requirements.
- State that your employer will make the PHI it receives available for you to review, and, should you request an amendment, follow HIPAA requirements regarding that amendment.
- Ensure and establish adequate separation between Plan Sponsor employees with access to PHI and Providence Health Plan. HIPAA requires that your employer or their agent describe in plan documents what employees or classes of employees require access to PHI for plan administration purposes. Your employer must have an effective mechanism for resolving any noncompliance by these employees.
- State that methods to track any disclosures are in practice and that they will make a report of this available to you per HIPAA requirements. If Providence Health Plan is required to share PHI with a Plan Sponsor, we require the Plan Sponsor to provide us with an accounting of disclosures that we can provide to you, should you request an accounting from us.
- Allow the U.S. Department of Health & Human Services and the Office for Civil Rights to audit the Plan Sponsor to ensure that Providence Health Plan has been compliant with HIPAA when sharing PHI with the Plan Sponsor.
- State that they will report to Providence Health Plan any use or disclosure of PHI that does not comply with these provisions. Providence Health Plan will investigate the reported situation to determine what steps are needed to protect your PHI and whether PHI should be shared with the Plan Sponsor in the future.
- State that, if feasible, your employer or their agents will return or destroy all PHI we release to them, or, if not feasible, to protect the PHI once it is no longer needed.
Although Providence Health Plan avoids sharing PHI with employers when possible, the landscape of health care continues to change. Providence Health Plan is committed to working with your employer to meet their needs while complying with the law and maintaining our commitment to your privacy. To educate yourself about Providence Health Plan’s PHI uses, disclosures, and requirements as well as about your privacy rights, please review Providence Health Plan’s notice of privacy practices.
Request for confidential communications
You have the right to have protected health information sent directly to you instead of the person who pays for your health insurance plan. This can be done by completing one of the forms below:
- Oregon Request for Confidential Communication form (PDF)
- Washington Request for Confidential Communication form (PDF)
Request access to your health plan records for members of:
Make changes to your health plan records for members of:
Restrict access to your health plan records for members of:
Request for confidential communications- Oregon, for members of:
Request for confidential communications- Washington, for members of:
Allow Providence Health Plans to share your protected health information with a third party for members of: