HIPAA Privacy Notice

Concordia Health Plan

Notice of Privacy Practices


This Notice of Privacy Practices describes the legal obligations of the Concordia Health Plan and your legal rights under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH Act).

  1. Why am I receiving this Notice?

    The privacy of your dependents’ and your personal health information that is created, used, or disclosed by the Plan is protected by HIPAA. The Plan is required by law to:
    • Provide you with this Notice of Privacy Practices;
    • Maintain the privacy of your dependents’ and your protected health information (PHI);
    • Provide your dependents and you with certain rights with respect to your PHI;
    • Notify affected individuals following a breach of unsecured PHI; and
    • Abide by the terms of this Notice.

  2. What is PHI?

    PHI is the identifiable health information, including demographic information, about your dependents or you that is created, received, or maintained by the Plan (regardless of the form or medium of the information) from which it is possible to individually identify your dependents or you. To be protected under HIPAA, the information must relate to (1) your dependents’ or your past, present, or future physical or mental health or condition; (2) the provision of health care to your dependents or you; or (3) the past, present, or future payment for the provision of health care to your dependents or you. It does not include employment records held by your employer.

  3. How will the Plan use my PHI?

    Under HIPAA, the Plan may use or disclose your PHI under certain circumstances without your permission. The following categories describe the different ways that the Plan may use and disclose your PHI. Not every use or disclosure in each category will be listed, but all of the ways in which the Plan is permitted to use and disclose PHI without your authorization will fall within one of the listed categories.

    • Treatment. The Plan may disclose PHI to your dependents’ or your providers for treatment, including the provision of care (diagnosis, cure, etc.) or the coordination or management of that care. For example, the Plan may disclose your PHI as requested by a physician or hospital to assist them in providing you with treatment.
    • Payment. The Plan may use and disclose your dependents’ or your PHI to pay benefits. For example, payment activities may include verification to your doctors or hospitals that you are eligible for benefits under the Plan, receiving claims or bills from your health care providers, processing payments, sending explanation of benefits (EOBs) to the Plan member, reviewing the medical necessity of the services rendered, conducting claims appeals, and coordinating the payment of benefits between multiple medical plans. Payment activities may also include the preparation and forwarding of the contribution statement to employers or any other appropriate person to receive such contribution statement. This statement may include a list of covered dependents and any plan selections you have made.
    • Health Care Operations. The Plan may use or disclose your dependents’ or your PHI for activities such as enrollment, disease management programs and other administrative activities, including audits of claims. In no event will the Plan use or disclose genetic information for any underwriting purposes.
    • Health-Related Benefits and Services. The Plan may use and disclose your dependents’ or your PHI to provide information to you about disease management programs, treatment alternatives, or other health-related benefits and services that may be of interest to you.
    • Business Associates. The Plan may contract with individuals or entities known as Business Associates to perform various functions on its behalf or to provide certain types of services. In order to maintain these functions or to provide these services, Business Associates will receive, create, maintain, transmit, use, and/or disclose your PHI, but only after they agree in writing to implement appropriate safeguards regarding your PHI. For example, the Plan may disclose your PHI to a Business Associate to process your claims for Plan benefits or to provide support services, such as utilization management, pharmacy benefit management or subrogation.
    • Required by Law. The Plan will disclose PHI when required to do so by federal, state, or local law. The Plan must disclose your dependents’ or your PHI to you or your personal representative when you ask for information and to the U.S. Department of Health and Human Services, if necessary, to make sure your privacy is protected.
    • Plan Sponsor. The Plan may disclose PHI to certain employees of the Plan Sponsor, The Lutheran Church—Missouri Synod and the Board of Trustees—Concordia Plans for health care operations and plan administration purposes.
    • Lawsuits and Disputes. If you are involved in a lawsuit or a dispute, we may disclose your PHI in response to a court or administrative order. We may also disclose your PHI in response to a subpoena, discovery request, or other lawful process by someone involved in a legal dispute.
    • Personal Representatives. The Plan will disclose your PHI to individuals authorized by you, or to an individual designated as your personal representative, attorney-in-fact, etc., so long as you provide the Plan with a written notice authorization and any supporting documents (i.e., power of attorney). If you have covered dependents age 18 and older (e.g., a spouse or an adult child) covered under the Plan, you would generally need to be designated as such adult dependent's personal representative in order for you to be able to access his or her protected health information. The Plan will consider a parent, guardian, or other person acting in loco parentis as the personal representative of an unemancipated minor (a child generally under age 18) unless the applicable law requires otherwise.
    • Special Situations. The Plan may disclose your PHI to a family member, relative, close personal friend or any other person whom you identify, when that information is directly relevant to the person’s involvement with your care or payment related to your care. If you are incapacitated, there is an emergency, or you otherwise do not have the opportunity to agree or to object to such use or disclosure, the Plan may take such action as it determines to be in your best interest regarding such disclosure and will disclose only information that is directly relevant to the person's involvement with your health care or payment for such care.
    • Other Disclosures. The Plan is also permitted to use or disclose your dependents’ or your PHI, without obtaining a written authorization from you, in the following circumstances:
      • For certain required public health activities (such as reporting disease outbreaks);
      • To prevent serious harm to you or other potential victims, where abuse, neglect, or domestic violence is involved;
      • To a health oversight agency for oversight activities authorized by law;
      • In the course of any judicial or administrative proceeding in response to a court or administrative tribunal's order, subpoena, discovery request, complaint, or other lawful process or to comply with federal, state, or local laws and regulations;
      • For a law enforcement purpose to a law enforcement official if certain legal conditions are met (such as providing limited information to locate a missing person);
      • For research studies that meet all privacy law requirements (such as research related to the prevention of disease or disability);
      • To avert a serious threat to the health or safety of you or any other person; and
      • To the extent necessary to comply with laws and regulations related to workers' compensation or similar programs.
    Unless you authorize the Plan otherwise in writing (or the individually identifying data is deleted from the information), your dependents’ or your PHI will be available only to the individuals who need the information to conduct the activities in the categories described above and the release of your dependents’ or your PHI will be limited to the minimum disclosure required, unless otherwise permitted or required by law.
    Any other use or disclosure of your dependents’ or your PHI not identified within this Notice will be made only with your dependents’ or your written authorization. For example, the Plan would need your written authorization to use or disclose your PHI for marketing purposes, for most uses or disclosures of psychotherapy notes, or if the Plan ever intended to sell your PHI. You may give the Plan written authorization to use or disclose your PHI to anyone for any purpose. You may revoke your authorization in writing. However, any revocation will not affect actions the Plan has already taken in reliance on your previous authorization.

  4. How will the Plan protect my privacy?

    The Plan will not disclose PHI without authorization except as described in this Notice or permitted by law. The Plan restricts internal access to your dependents’ and your PHI to employees who need that information to operate the Plan and provide your benefits. The Plan trains those individuals on policies and procedures designed to protect your privacy.

  5. Does my State Privacy Law also apply to PHI?

    If your state laws provide more stringent privacy protections than HIPAA, the more stringent state law may apply to protect your rights. If you have any questions about your rights under any particular federal or state law, please contact the person identified below as the Privacy Officer.

  6. How do I authorize a release of my PHI or my dependents' PHI?

    You will need to complete a written authorization form. An authorization form is available by calling 888-927-7526, extension 6000, or can be obtained from the Plan’s website at ConcordiaPlans.org. Your authorization may limit the type of information the Plan may disclose and the persons to whom it may be disclosed. You may revoke your written authorization at any time, and the revocation will be allowed to the extent action on the authorization has not yet been taken.

  7. What are my Individual Rights with respect to my PHI?

    You have the right to:
    • Request the Plan to restrict its uses and disclosures of your dependents’ or your PHI (even for Payment and Health Care Operations purposes as explained in this Notice). The Plan is not required to agree to a requested restriction. To request a restriction, please write to the Privacy Officer (identified at the end of this Notice) and provide specific information as to the disclosures that you wish to restrict and the reasons for your request. The Privacy Officer will respond in writing.
    • Request that the Plan’s confidential communications of your dependents’ or your PHI be sent to another location or by alternative communicative means. For example, you may ask that we send all explanation of benefit statements (EOBs) to your office rather than your home address. The Plan is not required to accommodate your request unless your request is reasonable and you state that the Plan’s ordinary communication process could endanger you.
    • Inspect and obtain a copy of the PHI held by the Plan. However, access to psychotherapy notes, information compiled in reasonable anticipation of, or for use in legal proceedings, and access under certain other relatively unusual circumstances may be denied. If your PHI is maintained electronically, you will also have the right to request a copy in electronic format. Your request should be made in writing. A reasonable fee may be imposed for copying and mailing the requested information.
    • Request that the Plan amend, correct, or update your dependents’ or your PHI or record if you believe the information is incorrect or incomplete. The Plan is not required to agree to make the amendment, correction, or update of your dependents’ or your PHI.
    • Receive a list of those individuals or entities to whom your dependents’ or your PHI has been disclosed, other than certain types of disclosures not required by HIPAA to be listed including, but not limited to, disclosures (i) for Treatment, Payment or Health Care Operations, (ii) to you or your personal representative, or (iii) that you or your personal representative have authorized in writing. Such list is also referred to as an accounting.
    • Receive a notice in the event that the Plan (or a Business Associate) discovers a breach of unsecured PHI that could affect you.
    • Get a paper copy of this Notice at any time, even if you have agreed to receive it electronically.

  8. How do I make a complaint if I think my rights have been violated?

    You may file a complaint with the Plan’s Privacy Officer and with the Office of Civil Rights of the United States Department of Health and Human Services if you believe your privacy rights have been violated by the Plan. Their addresses are available under contact information below. All complaints must be filed in writing. You will not be retaliated against for filing a complaint.

  9. Who is the Plan’s Privacy Officer?

    If you have any questions about this Notice, please contact the Privacy Officer:
    Sandy Greenfield
    Privacy Officer
    1333 S. Kirkwood Road
    St. Louis, Missouri 63122
    [email protected] OR 888-927-7526 extension 6739

  10. How do I contact the federal government if I want to make a complaint or inquiry?

    To contact the Secretary of Health and Human Services, write to:
    Office for Civil Rights
    U.S. Department of Health and Human Services
    601 East 12th Street, Room 353
    Kansas City, Missouri 64106

    Voice Phone: (800) 368-1019
    FAX: (202) 619-3818
    TDD: (800) 537-7697
    E-Mail send to: [email protected]

  11. What is the effective date of this Notice?

    The effective date of this Notice is January 1, 2018.

  12. Can changes be made to this Notice?

    The Plan reserves the right to change the terms of this Notice and its information practices and to make the new provisions effective for all PHI it maintains. If any material change is made to this Notice, a revised copy of the Notice will be posted at ConcordiaPlans.org, and/or the Plan will promptly publish a notice of how to obtain a hard copy of the Notice.