Notice of Privacy Practices
Capital District Physicians’ Health Plan, Inc., CDPHP Universal Benefits, Inc., and Capital District Physicians’ Healthcare Network, Inc. (collectively referred to as “CDPHP®”) Notice of Privacy Practices are set forth below.
The effective date of this notice is December 1, 2024.
THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
Our Commitment to Your Privacy
At CDPHP, we believe in keeping your protected health information (“PHI”) safe. PHI includes information that we have created or received about your past, present, or future health or medical condition that could be used to identify you. It also includes information about medical treatment you have received and about payment for health care you have received. We may receive this information in our capacity as a health insurance issuer for your medical plan, or as a third-party administrator of group health plan benefits offered by your employer. If you are enrolled in a medical plan insured by CDPHP through your employer, and your employer has also contracted with CDPHP for third-party administration services for its health flexible spending account (“FSA”) and/or health reimbursement arrangement (“HRA”), then this notice also describes privacy practices with respect to PHI we collect and use in relation to administration of the FSA and HRA plans offered by your employer.
CDPHP keeps PHI in strict confidence. As part of providing services, we may get nonpublic personal information from applications, forms, claims, and other information provided to us. This information can be given to us in writing, in person, by telephone, electronically, or by any other means. We do not give out any PHI about our current or former members, except as permitted by law or to provide services to our members.
CDPHP restricts internal access to PHI to those CDPHP employees who need to know that information to provide services. We also maintain physical, electronic, and procedural safeguards that comply with federal and state regulations to guard your information.
Our Legal Duties
This Notice of Privacy Practices explains how CDPHP uses information about you and when we can share that information with others. The law requires CDPHP to maintain the privacy of your PHI. We are also required to give you this notice about our legal duties, our privacy practices, and your PHI rights. CDPHP must follow the terms of this notice. If you have questions about any part of this notice or if you want more information about the privacy practices at CDPHP please contact the CDPHP Privacy Officer at (518) 641-5261 or 1-888-258-0477.
CDPHP has the right to change this Notice of Privacy Practices as well as CDPHP privacy policies and procedures as business needs and changes in federal and state law require. If we make a significant change to the privacy practices in this notice, we will post the revised notice on the CDPHP website by the effective date of the revision and provide the revised notice in our annual newsletter. Except as required by law, CDPHP will not put into practice a significant change to any part of this notice before the effective date of the new notice.
Routine Uses and Disclosures of Your Protected Health Information
CDPHP uses and discloses PHI in a number of different ways in connection with your treatment, payment for your health care, and our health care operations. Please note that PHI disclosed in accordance with this notice may be subject to redisclosure by the recipient and, in some cases, may no longer be protected by HIPAA upon re-disclosure. The following are the types of uses and disclosures of your PHI that we are allowed to make without your authorization.
Treatment
We may share your information with your doctors or hospitals to help them provide medical management and care to you.
Payment
We may use and disclose your PHI to pay claims to providers who render services to you.
Health Care Operations
We may use and disclose your PHI to perform our healthcare operations. Examples of health care operations functions include determining premiums for your health plan, conducting quality improvement activities, and engaging in care coordination or case management. We may not use or disclose your PHI that is genetic information, for purposes of enrollment, determining your premiums, or underwriting. Where you are enrolled in a medical plan insured by CDPHP and sponsored by your employer, and your employer has hired CDPHP to be the third-party administrator for its health flexible spending account (“FSA”) and/or a health reimbursement arrangement (“HRA”), the medical plan insured by CDPHP and the FSA/HRA plan(s) are part of an Organized Health Care Arrangement (“OHCA”) wherein the sharing of PHI between the medical plan and the FSA/HRA plan(s) may occur as part of health care operations.
Health-Related Benefits and Services
We may use your information to tell you about health-related benefits or services. For example, we might send you information about programs to help you manage your asthma or diabetes.
Disclosures to Business Associates
CDPHP may disclose your PHI to outside persons or organizations to perform specific functions on our behalf. These companies are called business associates. We may only disclose PHI to business associates upon completion of a written contract which requires the business associates to appropriately safeguard your information, among other provisions required by HIPAA.
Disclosures to Persons Involved in Your Care
CDPHP may disclose PHI to a person involved in your care, such as a family member or friend, limited to the information directly relevant to the person’s involvement with your health care or payment for your health care. CDPHP will do so only in exceptional circumstances wherein you are present or if you are not present or cannot object for other reasons and we reasonably determine that 1) the person is involved in your care; and 2) the disclosure is in your best interest. In those circumstances we would limit our disclosure to PHI that is directly relevant to the person’s involvement with your health care. You may request that CDPHP limit this kind of disclosure by contacting the CDPHP Privacy Officer in writing at the address listed in this notice.
Disclosures to Plan Sponsors
If you are enrolled in a group health plan, we may disclose summary PHI and enrollment and disenrollment information to the plan sponsor of the group health plan for limited plan administration purposes. A plan sponsor is normally an employer or a company that manages the employee’s benefit plan. To share any other PHI, CDPHP must obtain a signed certification from the plan sponsor in accordance with HIPAA.
Eligibility Determinations
If you are enrolled in a CDPHP government program plan, such as Select Plan (Medicaid eligible recipients), we may disclose your PHI to a business associate to determine your eligibility for the plan or for additional public benefits.
Non-Routine Uses and Disclosures of Your Protected Health Information
Required by Law
CDPHP may disclose your PHI to report information to state and federal agencies that regulate us such as the U.S. Department of Health and Human Services and where otherwise as required by federal, state, or local law.
Health Oversight
We are also allowed to disclose your PHI to a government agency authorized to oversee the health insurance system, such as for audits or to maintain our license.
Law Enforcement
We may disclose your PHI for certain law enforcement purposes. For example, we may give information to a law enforcement official for the purpose of identifying or locating a suspect, fugitive, or material witness.
Public Health and Safety
We may share PHI about you for certain public health and safety reasons, including preventing disease, helping with product recalls, reporting adverse reactions to medications, reporting suspected abuse, neglect, or domestic violence and preventing or reducing a serious threat to anyone’s health or safety.
Workers’ Compensation
We may use or disclose your PHI for workers’ compensation claims.
Legal Proceedings
We may disclose your PHI in response to a court order or subpoena or other lawful process such as in the course of a judicial or administrative proceeding.
Disaster Relief
We may disclose your PHI to an entity authorized by law or charter to assist in disaster relief efforts.
Research
We may use and/or disclose your PHI for research as permitted by and subject to federal law.
National Security and Government Requests
We may share information relative to specialized government functions such as military, presidential protective services, national security, and intelligence activities.
Fundraising
CDPHP may contact you for purposes of fundraising. You have the right to opt out of future fundraising efforts by contacting us at foundation@cdphp.com. Additionally, if we use or disclose records covered by 42 C.F.R. Part 2 for fundraising efforts, we will first provide you with a clear and conspicuous opportunity to opt out of receiving any fundraising communications.
Coroner, Medical Examiners and Funeral Directors
We may disclose your PHI to coroners and medical examiners for purposes of identifying a deceased person, determining a cause of death or other duties as authorized by law and to funeral directors as necessary for them to carry out their duties.
Correctional Institutions
We may disclose your PHI to a correctional institution or custodial law enforcement official that has custody of the individual who is the subject of the PHI.
HHS HIPAA Compliance Investigation
We may disclose your PHI to the Secretary of the Department of Health and Human Services (“HHS”) for the purpose of investigating or determining CDPHP compliance with HIPAA administrative simplification provisions.
Cadaveric Organ, Eye or Tissue Donation
We may disclose your PHI to organ procurement, banking, or transplanting organizations to facilitate organ, eye, or tissue donation and transplantation.
Uses and Disclosures of PHI with an Authorization
For any other uses or disclosures not described in this notice, including most uses and disclosures of psychotherapy notes, for marketing and the sale of PHI, CDPHP must get a member’s signed written authorization, and the information is only used or disclosed as stated in the authorization. You may cancel or revoke your authorization, in writing, at any time, except to the extent that CDPHP or another company or person has already relied on the authorization.
Also, where federal and state law further restrict the disclosure of sensitive information such as HIV/AIDS, mental health, substance abuse, reproductive health information, and sexually transmitted diseases, CDPHP will only disclose such information in accordance with law, a court order, or with your authorization.
SMS Messaging Communications
We may send SMS text messages to members, when: (1) we may not have formal opt-in from the member, but we have a valid mobile phone number on file that was provided by the member; and (2) the messages are either (i) for care coordination or case management purposes or (ii) within the scope of the purpose for which the member provided the mobile phone number.
You can cancel the SMS service at any time. Just text “STOP” to the short code 237471. After you send the SMS message “STOP” to us, we will send you an SMS message to confirm that SMS messages will no longer be sent. If you want to resume service, reply “JOIN” and we will start sending SMS messages to you again.
Message and data rates may apply for any messages sent to you from us and to us from you.
SMS messaging may be used for multi-factor authentication for your mobile number using a One-Time PIN (“OTP”). You will receive a new multi-factor authentication each time you register a new device or each time you sign in to our service, depending on your settings.
If you have any questions, refer to our Terms & Conditions for SMS.
Uses and Disclosures of Reproductive Health Information
Scope of Prohibition
We will not use or disclose your PHI or otherwise identify you in relation to conducting a criminal, civil, or administrative investigation into any person, or imposing liability as a result of such investigation, for the mere act of seeking, obtaining, providing, or facilitating reproductive health care.
This prohibition only applies where the relevant activity is in connection with any person seeking, obtaining, providing, or facilitating reproductive health care, and we have reasonably determined that one or more of the following conditions exists:
-
The reproductive health care is lawful under the law of the state in which such health care is provided under the circumstances in which it is provided;
-
The reproductive health care is protected, required, or authorized by Federal law, including the United States Constitution, under the circumstances in which such health care is provided, regardless of the state in which it is provided; or
-
Where we have a presumption that the reproductive health care was lawful, which presumption exists unless we have either:
-
actual knowledge that the reproductive health care was not lawful under the circumstances in which it was provided; or
-
factual information supplied by the person requesting the use or disclosure of PHI that demonstrates a substantial factual basis that the reproductive health care was not lawful under the specific circumstances in which it was provided.
Based on this prohibition, this means that if we received a request for information regarding insurance coverage provided to you for Mifepristone in New York, we will not release such information so long as the medication was sought within or including the first twenty-four (24) weeks of pregnancy and/or if your pregnancy or health was at risk.
Attestation
For the purposes of health oversight activities, judicial, administrative, or law enforcement proceedings, or in relation to information provided to coroners and medical examiners, we may disclose your reproductive health information, but only if we receive an attestation from the entity requesting the information which includes, among other provisions, a statement that verifies that the use or disclosure of your reproductive health information does not violate the prohibition described above.
Your Protected Health Information Rights
You have the following rights with respect to your PHI. You can contact the CDPHP member services department at the phone number on your identification card or (518) 641-3000 or 1-888-258-0477 to obtain the appropriate form needed to exercise any of these rights. We also provide links to the appropriate forms below, and completed forms can be sent via mail to Privacy Compliance Administrator Corporate Compliance, Capital District Physicians' Health Plan, Inc., 6 Wellness Way, Latham, NY 12110 or by fax at 518-641-5504.
Access Right
You have the right to look at and get a copy of your PHI that is in your designated record set. You have a right to receive a paper or electronic copy and to receive a response to your request in a timely manner. If you would like to get your information, you must make your request in writing on the Inspection and Copying Request Form. You have the right to direct that the copy of your PHI be forwarded to a third party. If CDPHP does not have the information you asked for, we will tell you how you may be able to get it. CDPHP will respond in writing to your request. In certain situations, we may deny your request. If we do, we will tell you in writing the reason we are denying your request.
If you ask for a copy of your PHI, we may charge you a fee of up to seventy-five (75) cents per page for the cost of copying. We can send you your PHI, or if you request, we may send you a summary or general explanation of your PHI if you agree to the cost of preparing and sending it.
Restriction Right
You have the right to ask for restrictions on our use or disclosure of your PHI for treatment, payment, or health care operations purposes. CDPHP is not required to agree to restriction requests unless the disclosure is to a health plan for the purpose of carrying out payment or health care operations, is not otherwise required by law, and the information pertains solely to a health care item or service for which you have paid us in full. If the restriction is granted, CDPHP will be bound by the agreement except in cases of emergency treatment. You can contact the CDPHP member services department at the phone number on your identification card or (518) 641-3000 or 1-888-258-0477 to ask for a restriction request.
Amendment Right
You have the right to ask us to correct your PHI or add missing information if you think there is a mistake in your PHI. You must send us your request in writing on the Request for Amendment of Health Information Form and give the reason for your request. We will respond to you in writing. If we approve your request, we will make the change to your PHI and advise you that we have made the change. We will also advise others who need to know about the change to your PHI.
We may deny your request if your PHI is: a) correct and complete; b) not made by us; c) not allowed to be disclosed; or d) not part of our records. Our written denial will also explain your rights to file a written statement of disagreement. You have the right to ask that your written request, our written denial, and your statement of disagreement be attached to your PHI any time we give it out in the future.
Confidential Communications Right
You have the right to ask that we send PHI to you at an address of your choice or to communicate with you in a certain way. All requests for confidential communications must be made in writing on the Confidential Communications Request Form. We will respond to you in writing.
Accounting of Disclosures Right
You have the right to get a list of instances in which we have given out your PHI by completing the Accounting of Disclosures Request Form. The list we provide will not include disclosures for the purposes of: a) treatment; b) payment for your treatment; c) health care operations; d) disclosures made directly to you or to people you choose; e) disclosures made to corrections or law enforcement personnel; f) disclosures we made before April 14, 2003; or g) disclosures we made when we had your authorization.
We will respond to your request in writing. Your request must state a time period that may not be longer than six (6) years and may not include dates before April 14, 2003.
The list will include: a) the date of the disclosure; b) the person to whom PHI was disclosed (including that person’s address, if known); c) a description of the information disclosed; and d) the reason for the disclosure. If you ask, we will give you one (1) list of disclosures every twelve (12) months for free. However, if you ask for another list within twelve (12) months of getting your free list, we will send you one (1) if you agree to pay the reasonable fee we will charge for the additional list. We will tell you in advance of the fee and give you a chance to cancel or change your request.
Notice of Privacy Practices Right
You have the right to receive a paper copy of this Notice of Privacy Practices at any time. You can call the member services number on your identification card to request a copy of this notice. Or you can get a copy of this notice from our website at www.cdphp.com. Individuals with disabilities who are unable to usefully access our Privacy Policy online may contact us to inquire how they can obtain a copy of our policy in another, more easily readable format.
Notice of Breach of Confidentiality
You have the right to be notified by CDPHP after a breach of unsecured PHI.
Contact Us
If you want more information about our privacy practices or have questions or concerns, please contact the CDPHP Privacy Officer at (518) 641-5261. If you think that your privacy rights may have been violated, you may send a written complaint to: CDPHP Privacy Officer, 6 Wellness Way, Latham, NY 12110. You also may submit a written complaint to the Office for Civil Rights, U.S. Department of Health and Human Services. At CDPHP, we are committed to safeguarding your information. Therefore, you will not be penalized in any way for filing a complaint about our privacy practices.