Notice of Privacy Practices & Policies
This provides notice of the privacy practices and policies of CDA Insurance LLC. These protections have been adopted to ensure that the information that we obtain and
maintain for our clients and customers, which may also include information about the employees, dependents, former employees and dependents, and other eligible participants on a group health plan for
which we are providing services (“Protected Parties”). The Notice outlines our practices, policies, and legal duties to maintain and protect against prohibited disclosure of personally-identifiable
financial information (as required by the federal Gramm-Leach-Bliley Financial Modernization Act (“GLB Act”), and the various state laws implementing those requirements) and protected health
information of those Protected Parties (under the privacy regulations mandated by the Health Insurance Portability and Accountability Act (“HIPAA Privacy”) and further expanded by the Health
Information Technology for Economic and Clinical Health Act (“HITECH”) provisions in Title XIII of the American Recovery and Reinvestment Act (ARRA).
Your Information. Your Rights. Our Responsibilities.
This notice describes how medical information about you may be used and disclosed and how you can get access to this information. Please review it carefully.
Statement of Our Duties.
We are required by law to maintain the privacy of non-public personal information (“NPPI”) and protected health information (“PHI”) (collectively referred herein as “Protected Information”) of the Protected Parties and to provide our clients with this notice of our privacy practices and legal duties. We are required to abide by the terms of this notice. We reserve the right to change the terms of this notice and to adopt any new provisions regarding the Protected Information that we maintain about the Protected Parties. If we revise this notice, we will provide each client or customer with whom there is a current and direct business relationship with a revised notice by mail, electronic mail, telefacsimile, or hand delivery.
Statement of the Client’s Rights under HIPAA Privacy and HITECH.
As our client or customer, you have a right to know how we may use or disclose the Protected Information we maintain on those Protected Parties with whom there is a direct relationship. In the event that our customer or client is an employer sponsoring a group health plan, we do not have a direct duty to their employees, dependents, former employees or dependents or other eligible participants on the group health plan. Our obligations to not disclose the Protected Health Information we maintain about those individuals may arise due to our contractual obligations as a Business Associate of both the client or customer, as well as to any other third party who is a Covered Entity under the HIPAA Privacy Regulations and as revised by HITECH, but does not create a special legal duty to provide notice to those individuals of their rights through a Notice of Privacy Practices.
Primary Uses and Disclosures of Protected Health Information. We use and disclose protected health information about Protected Parties for payment and health care operations. HIPAA Privacy does not generally “preempt” (or take precedence over) state privacy or other applicable laws that provide individuals greater privacy protections. As a result, to the extent state law applies, the privacy laws of a particular state, or other federal laws, rather than the HIPAA Privacy, might impose a privacy standard under which we will be required to operate. For example, where such laws have been enacted, we will follow more stringent state privacy laws that relate to uses and disclosures of the protected health information concerning HIV or AIDS, mental health, substance abuse/chemical dependency, genetic testing, reproductive rights.
In addition to these state law requirements, we also may use or disclose Protected Information in the following situations:
- Payment: We might use and disclose your protected health information for all activities that are included within the definition of “payment” within the HIPAA Privacy regulations. For example, we might use and disclose a Protected Party’s Protected Information to assist with the payment of claims for services provided to that Protected Party by doctors, hospitals, pharmacies and others for services that are covered by a group health plan. We might also use your information to determine your eligibility for benefits, to coordinate benefits, to examinemedical necessity, to obtain premiums, and to issue explanations of benefits to the person who subscribes to the health plan in which you participate.
- Health Care Operations: We might use and disclose a Protected Party’s Protected Information for all activities that are included within the definition of “health care operations” within the HIPAA Privacy regulations. For example, we might use and disclose the Protected Information of a Protected Party to an insurer to determine the premiums for your health plan, to conduct quality assessment and improvement activities, to engage in care coordination or case management, and to manage our business.
- Business Associates: In connection with our payment and health care operations activities, we contract with individuals and entities (called “Business Associates”) to perform various functions on our behalf or to provide certain types of services. To perform these functions or to provide the services, our business associates will receive, have access to, create, maintain, use, or disclose protected health information, but only after we require the business associates to agree in writing to contract terms designed to appropriately safeguard your information.
- Other Covered Entities: In addition, we might use or disclose your protected health information to assist health care providers in connection with their treatment or payment activities, or to assist other covered entities in connection with certain of their health care operations. For example, we might disclose a Protected Party’s Protected Information to a health care provider when needed by the provider to render treatment to that party, and we might disclose protected health information to another covered entity to conduct health care operations related to billing, claims payment or enrollment.
For all other uses and disclosures, we first must obtain your permission.
In addition, you have the following rights:
- The right to request that we place additional restrictions on our uses and disclosures of the personal health information of Protected Parties. However, we are not obligated to
agree to impose any such additional restrictions.
- The right to access, inspect and copy the protected information pertaining to Protected information that we create in error. Requests to access or amend your health information
should be sent to the contact person and address provided below.
- The right to receive an accounting of the disclosures of the Protected Information we maintain on Protected Parties that we make for purposes other than activities related to
payment functions or other health care operations.
- The right to request that communications containing a protected party’s Protected Information are sent in a confidential manner.
- If you received this notice electronically, you also have the right to obtain a paper copy of this notice from us on request.
- The right to get a list of those with whom we’ve shared your information
- The right to get a copy of this privacy notice
- The right to choose someone to act for you
- The right to file a complaint if you believe your privacy rights have been violated
You have some choices in the way that we use and share information as we:
- Answer coverage questions from your family and friends
- Provide disaster relief
Our Uses and Disclosures
Permissible Uses and Disclosures of Protected Information. We disclose the information we receive regarding current or prospective plan participants only in accordance with the terms and conditions of the various Business Associate contracts we have entered to with Covered Entities under HIPAA Privacy Regulations and as permitted under state and federal laws concerning the privacy of your insurance and financial information. Those include:
- Situations Permitted or Required by Law. We also may use or disclose your protected health information without your written permission for other purposes permitted or required by law, including, but not limited to the following:
- As authorized by and to the extent necessary to comply with workers’ compensation or other no-fault laws;
- To an oversight or insurance regulatory agency for activities including audits or civil, criminal or administrative actions;
- To a public health authority for purposes of public health activities (such as to the Federal Food and Drug Administration to report consumer product defects);
- To a law enforcement official for law enforcement purposes or in response to a court order or in the course of any judicial or administrative proceeding;
- To organ procurement organizations or other entities for approved research; or
- To a governmental authority, including a social service or protective services agency, authorized to receive reports of abuse, neglect or domestic violence.
- For any Purposes to Which you have Not Objected. In certain limited circumstances, we may use or disclose your protected health information after we have given you an opportunity to object and you have not objected. For example, if you do not object, we may use limited information about you to maintain an office directory, to notify family members or any other person identified by you regarding issues directly related to such person’s involvement with your care or payment for that care, or in emergency circumstances.
- For Purposes for Which We Have Obtained your Written Permission. All other uses or disclosures of your protected health information will be made only with your written permission, and you may revoke any permission that you give us at any time.
When it comes to your health information, you have certain rights. This section explains your rights and some of our responsibilities to help you.
Request confidential communications
- You can ask us to contact you in a specific way (for example, home or office phone) or to send mail to a different address.
- We will consider all reasonable requests, and must say “yes” if you tell us you would be in danger if we do not.
Ask us to limit what we use or share
- You can ask us not to use or share certain health information for treatment, payment, or our operations.
- We are not required to agree to your request, and we may say “no” if it would affect your care.
Get a list of those with whom we’ve shared information
- You can ask for a list (accounting) of the times we’ve shared your health information for six years prior to the date you ask, who we shared it with, and why.
- We will include all the disclosures except for those about treatment, payment, and health care operations, and certain other disclosures (such as any you asked us to make). We’ll provide one accounting a year for free but will charge a reasonable, cost-based fee if you ask for another one within 12 months.
Get a copy of this privacy notice
You can ask for a paper copy of this notice at any time, even if you have agreed to receive the notice electronically. We will provide you with a paper copy promptly.
Choose someone to act for you
- If you have given someone medical power of attorney or if someone is your legal guardian, that person can exercise your rights and make choices about your health information.
- We will make sure the person has this authority and can act for you before we take any action.
File a complaint if you feel your rights are violated
- You can complain if you feel we have violated your rights by contacting us using the information at the bottom of the page.
- You can file a complaint with the U.S. Department of Health and Human Services Office for Civil Rights by sending a letter to 200 Independence Avenue, S.W., Washington, D.C. 20201, calling 1-877-696-6775, or visiting www.hhs.gov/ocr/privacy/hipaa/complaints/.
- We will not retaliate against you for filing a complaint.
For certain health information, you can tell us your choices about what we share. If you have a clear preference for how we share your information in the situations described below, talk to us. Tell us what you want us to do, and we will follow your instructions.
In these cases, you have both the right and choice to tell us to:
- Share information with your family, close friends, or others involved in payment for your care
- Share information in a disaster relief situation
If you are not able to tell us your preference, for example if you are unconscious, we may go ahead and share your information if we believe it is in your best interest. We may also share your information when needed to lessen a serious and imminent threat to health or safety.
In these cases we never share your information:
- Marketing purposes
- Sale of your information
Our Uses and Disclosures
How do we typically use or share your health information?
We typically use or share your health information in the following ways.
Run our organization
- We can use and disclose your information to run our organization and contact you when necessary.
- We are not allowed to use genetic information to decide whether we will give you coverage and the price of that coverage. This does not apply to long term care plans.
Example: We use health information about you to develop better services for you.
Administer your plan
We may disclose your health information to your health plan sponsor for plan administration.
Example: Your company contracts with us to provide a health plan, and we provide your company with certain statistics to explain the premiums we charge.
How else can we use or share your health information?
We are allowed or required to share your information in other ways – usually in ways that contribute to the public good, such as public health and research. We have to meet many conditions in the law before we can share your information for these purposes. For more information see: www.hhs.gov/ocr/privacy/hipaa/understanding/consumers/index.html.
Comply with the law
We will share information about you if state or federal laws require it, including with the Department of Health and Human Services if it wants to see that we’re complying with federal privacy law.
Address workers’ compensation, law enforcement, and other government requests
We can use or share health information about you:
- For workers’ compensation claims
- For law enforcement purposes or with a law enforcement official
- With health oversight agencies for activities authorized by law
- For special government functions such as military, national security, and presidential protective services
Respond to lawsuits and legal actions
We can share health information about you in response to a court or administrative order, or in response to a subpoena.
- We are required by law to maintain the privacy and security of your protected health information.
- We will let you know promptly if a breach occurs that may have compromised the privacy or security of your information.
- We must follow the duties and privacy practices described in this notice and give you a copy of it.
- We will not use or share your information other than as described here unless you tell us we can in writing. If you tell us we can, you may change your mind at any time. Let us know in writing if you change your mind.
For more information see: www.hhs.gov/ocr/privacy/hipaa/understanding/consumers/noticepp.html.
Changes to the Terms of this Notice
We can change the terms of this notice, and the changes will apply to all information we have about you. The new notice will be available upon request, on our web site, and we will mail a copy to you.
Other Instructions for Notice
Contact Person for Filing Complaint or Obtaining Other Information.
Our contact is:
CDA Insurance LLC
2160 W 11th Ave., Suite D
Eugene, Oregon 97402
Phone Number: 800-884-2343
Fax Number: 541-284-2994