HIPAA Privacy Notice

Concordia Health Plan

Notice of Privacy Practices

THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.

This HIPAA Notice of Privacy Practices (Notice) describes the legal obligations of the Concordia Health Plan (Plan) and your legal rights under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Health Information Technology for Economic and Clinical Health Act (HITECH Act), and other federal law as may be amended from time to time. The Plan’s current Notice is posted at ConcordiaPlans.org. You also have the right to receive a paper copy of this Notice and may request one at any time.

1. Why am I receiving this Notice?

The privacy of your personal health information that is created, used, or disclosed by the Plan is protected by HIPAA.

The Plan is required by law to:

  • Provide you with this Notice of Privacy Practices;
  • Maintain the privacy of your protected health information (PHI);
  • Provide you with certain rights with respect to your PHI;
  • Notify affected individuals following a breach of unsecured PHI; and
  • Abide by the terms of this Notice.

2. What is PHI?

PHI is the identifiable health information, including demographic information, about you that is created, received, or maintained by the Plan (regardless of the form or medium of the information) from which it is possible to individually identify you. To be protected under HIPAA, the information must relate to (1) your past, present, or future physical or mental health or condition; (2) the provision of health care to you; or (3) the past, present, or future payment for the provision of health care to you. It does not include employment records held by your employer.

3. How the Plan may use my PHI?

HIPAA generally permits the use and disclosure of your health information without your permission for specific purposes. These uses and disclosures are more fully described below. This Notice does not list every use or disclosure; instead, it gives examples of the most common uses and disclosures.

  • Treatment. The Plan may disclose PHI about you to facilitate medical treatment or services by your health care providers or the coordination or management of that care. For example, the Plan may disclose your PHI as requested by a physician or hospital to assist them in providing you with treatment.
  • Payment. The Plan may use and disclose your PHI to pay benefits. For example, payment activities may include verification to your providers that you are eligible for benefits under the Plan, receiving claims or bills from your health care providers, processing payments, sending explanation of benefits (EOBs) to the Plan member, reviewing the medical necessity of the services rendered, conducting claims appeals, and coordinating the payment of benefits between multiple medical plans. Payment activities may also include the preparation and forwarding of the contribution statement to employers or any other appropriate person to receive such contribution statement. This statement may include a list of covered dependents and any plan selections made.
  • Health Care Operations. The Plan may use or disclose your PHI for activities such as enrollment, evaluation of the plan and other administrative activities, including audits of claims. In no event will the Plan use or disclose genetic information for any underwriting purposes.
  • Health-Related Benefits and Services. The Plan may use and disclose your PHI to provide information to you about disease management programs, treatment alternatives, or other health-related benefits and services that may be of interest to you.
  • Business Associates. The Plan has contracted with entities (defined as “Business Associates” under HIPAA) to help administer your benefits. The Plan may disclose your PHI to our Business Associates. The Plan has entered into contracts with these entities requiring them to safeguard your information and only use or disclose your information in accordance with applicable law. For example, The Plan may disclose your PHI to a Business Associate to process your claims for Plan benefits or to provide support services, such as utilization management, pharmacy benefit management or subrogation.
  • Required by Law. The Plan will disclose PHI when required to do so by federal, state, or local law. The Plan must disclose your PHI to you or your personal representative when you ask for information and to the U.S. Department of Health and Human Services, if necessary; to make sure your privacy is protected.
  • Plan Sponsor. The Plan may disclose PHI to certain employees of the Plan Sponsor, The Lutheran Church—Missouri Synod and the Board of Trustees—Concordia Plans for health care operations and plan administration purposes.
  • Lawsuits and Disputes. If you are involved in a lawsuit or a dispute, we may disclose your PHI in response to a court or administrative order. We may also disclose your PHI in response to a subpoena, discovery request, or other lawful process by someone involved in a legal dispute. However, records relating to substance use disorder treatment that are protected under 42 C.F.R. Part 2 generally may not be used or disclosed in civil, criminal, administrative, or legislative proceedings without your written consent or a court order that meets the specific requirements of that regulation.
  • Personal Representatives. The Plan will disclose your PHI to individuals authorized by you, or to an individual designated as your personal representative, attorney-in-fact, etc., so long as you provide the Plan with a written authorization and any supporting documents (i.e., power of attorney). If you have covered dependents age 18 or older (e.g., a spouse or an adult child) covered under the Plan, you will generally need to be designated as such their personal representative in order for you to be able to access his or her protected health information. The Plan will consider a parent, guardian, or other person acting in loco parentis as the personal representative of an unemancipated minor (a child generally under age 18) unless the applicable law requires otherwise.
  • Special Situations. The Plan may disclose your PHI to a family member, relative, close personal friend or any other person whom you identify, when that information is directly relevant to the person’s involvement with your care or payment related to your care. If you are incapacitated, there is an emergency, or you otherwise do not have the opportunity to agree or to object to such use or disclosure, the Plan may take such action as it determines to be in your best interest regarding such disclosure and will disclose only information that is directly relevant to the person’s involvement with your health care or payment for such care.
  • Other Disclosures. The Plan is also permitted to use or disclose your PHI, without obtaining a written authorization from you, in the following circumstances:
    • For certain required public health activities (such as reporting disease outbreaks);
    • To prevent serious harm to you or other potential victims, where abuse, neglect, or domestic violence is involved;
    • To a health oversight agency for oversight activities authorized by law;
    • In the course of any judicial or administrative proceeding in response to a court or administrative tribunal’s order, subpoena, discovery request, complaint, or other lawful process or to comply with federal, state, or local laws and regulations;
    • For a law enforcement purpose to a law enforcement official if certain legal conditions are met (such as providing limited information to locate a missing person);
    • For research studies that meet all privacy law requirements (such as research related to the prevention of disease or disability);
    • To avert a serious threat to the health or safety of you or any other person; and

To the extent necessary to comply with laws and regulations related to workers’ compensation or similar programs.

The Plan will always try to ensure that the PHI used or disclosed is limited to the minimum amount necessary and is available only to the individuals who need the information to conduct the activities described above, unless otherwise permitted or required by law.

Any other use or disclosure of your PHI not identified within this Notice will be made only with your written authorization. For example, the Plan would need your written authorization to use or disclose your PHI for marketing purposes, for most uses or disclosures of psychotherapy notes, or if the Plan ever intended to sell your PHI. You may give the Plan written authorization to use or disclose your PHI to anyone for any purpose. You may revoke your authorization in writing at any time. However, any revocation will not affect actions the Plan has already taken in reliance on your previous authorization. Also please note that if your information is disclosed to another person, it may be subject to redisclosure and may no longer be protected by HIPAA.

4. How will the Plan protect my privacy?

The Plan will not disclose PHI without authorization except as described in this Notice or permitted by law. The Plan restricts internal access to your PHI to employees who need that information to operate the Plan and provide your benefits. The Plan trains those individuals on policies and procedures designed to protect your privacy.

5. Do state or other privacy laws also apply to PHI?

If your state laws provide more stringent privacy protections than HIPAA, the more stringent state law may apply to protect your rights. Similarly, where federal law provides more stringent privacy protections than HIPAA, including 42 C.F.R. Part 2, which governs records relating to substance use disorder treatment, those federal protections will apply. If you have any questions about your rights under any particular federal or state law, please contact the person identified below as the Privacy Officer.

6. How do I authorize a release of my PHI or my dependents’ PHI?

You will need to complete a written authorization form. An authorization form is available by calling 888-927-7526, ext. 6000, or can be obtained from the Plan’s website at ConcordiaPlans.org. Your authorization may limit the type of information the Plan may disclose and the persons to whom it may be disclosed. You may revoke your written authorization at any time, and the revocation will be allowed to the extent action on the authorization has not yet been taken.

7. What are my Individual Rights with respect to my PHI?

You have the right to:

  • Request the Plan to restrict its uses and disclosures of your PHI (even for Payment and Health Care Operations purposes as explained in this Notice). The Plan is not required to agree to a requested restriction. To request a restriction, please write to the Privacy Officer (identified at the end of this Notice) and provide specific information as to the disclosures that you wish to restrict and the reasons for your request. The Privacy Officer will respond in writing.
  • Request that the Plan’s confidential communications of your PHI be sent to another location or by alternative communicative means. For example, you may ask that we send all explanation of benefit statements (EOBs) to your office rather than your home address. The Plan is not required to accommodate your request unless your request is reasonable and you state that the Plan’s ordinary communication process could endanger you.
  • Inspect and obtain a copy of your PHI held by the Plan. However, access to psychotherapy notes, information compiled in reasonable anticipation of, or for use in legal proceedings, and access under certain other relatively unusual circumstances may be denied. If your PHI is maintained electronically, you will also have the right to request a copy in electronic format. Your request should be made in writing. A reasonable fee may be imposed for copying and mailing the requested information.
  • Request that the Plan amend, correct, or update your PHI or record if you believe the information is incorrect or incomplete. The Plan is not required to agree to make the amendment, correction, or update of your dependents’ or your PHI.
  • Receive a list of those individuals or entities with whom your PHI has been disclosed, other than certain types of disclosures not required by HIPAA to be listed including, but not limited to disclosures (i) for Treatment, Payment or Health Care Operations, (ii) to you or your personal representative, or (iii) that you or your personal representative have authorized in writing. Such list is also referred to as an accounting.
  • Receive a notice in the event that the Plan (or a Business Associate) discovers a breach of unsecured PHI that could affect you.
  • Get a paper copy of this Notice at any time, even if you have agreed to receive it electronically.

8. How do I make a complaint if I think my rights have been violated?

You may file a complaint with the Plan’s Privacy Officer and with the Office of Civil Rights of the United States Department of Health and Human Services if you believe your privacy rights have been violated by the Plan. Their addresses are available below. All complaints must be filed in writing. You will not be retaliated against for filing a complaint.

9. Who is the Plan’s Privacy Officer?

If you have any questions about this Notice, please contact the Privacy Officer:

Sandy Greenfield
Privacy Officer
1333 S. Kirkwood Road
St. Louis, Missouri 63122
[email protected] or 888-927-7526, ext. 6739

10. How do I contact the federal government if I want to make a complaint or inquiry?

To contact the Secretary of Health and Human Services, write to:

Office for Civil Rights
U.S. Department of Health and Human Services
601 East 12th Street, Room 353
Kansas City, Missouri 64106

Voice Phone: 800-368-1019
Fax: 202-619-3818
TDD: 800-537-7697
Email: [email protected]

11. What is the effective date of this Notice?

The effective date of this Notice is Feb. 1, 2026.

12. Can changes be made to this Notice?

The Plan reserves the right to change the terms of this Notice and its information practices and to make the new provisions effective for all PHI it maintains. If any material change is made to this Notice, a revised copy of the Notice will be posted at ConcordiaPlans.org, and/or the Plan will promptly publish a notice of how to obtain a hard copy of the Notice.