Notice of privacy practices
This notice describes how health information about you may be used and disclosed and how you can get access to this information. Please review it carefully.
At Providence Health Assurance (PHA), we are required by federal and state law to protect the privacy of your protected health information (PHI) in accordance with the Health Insurance Portability and Accountability Act (HIPAA). PHA must provide you with this notice and abide by the terms of this notice. This notice explains how PHA may use and share information about you to administer your benefits and informs you about your rights as a valued member. It also explains how you can exercise these rights. PHI, also called your health information, refers to information about your health or healthcare services that can be used to identify you as an individual. This includes:
- Details about your past, present, or future physical or mental health or condition
- Information related to the provision of health care to you
- Payment information related to your health care services
In addition to PHI, PHA also protects your Personally Identifiable Information (PII), which includes data that can be used to identify you individually such as your name, address, date of birth, or Social Security number. PHA understands the sensitivity of this information and has policies in place to safeguard it from unauthorized access, use, or disclosure. PHA collects PII as part of business operations to verify your identity, manage member accounts, and support the delivery of health plan services. Protecting your PII is an essential part of earning and maintaining your trust as a valued member.
Notice of Privacy Practice forms
You have the right to obtain a new copy of this notice at any time. Even if you have agreed to receive this notice by electronic means, you still have the right to a paper copy. We reserve the right to change the terms of this notice and to make the new notice effective for all protected health information we maintain. If revised, we will prominently post the change or our revised notice on our website by the effective date of the material change to the notice, and provide the revised notice, or information about the material change and how to obtain the revised notice, in our next annual mailing to subscribers/members then covered by the plan.
How PHA Uses and Discloses your PHI without your written authorization
PHA may use and disclose your protected health information for different purposes. PHA will use PHI and may share it with others while providing health benefits. The examples below are provided to illustrate the types of uses and disclosures PHA may make without your authorization for treatment, payment, and health care operations.
Treatment:
- PHA does not provide treatment. This is the role of your healthcare provider, such as your doctor or a hospital.
- PHA may use and disclose your health information as needed to coordinate, manage or support your care with your healthcare providers.
Payment:
- PHA may use and share your health information to process and pay claims submitted by your healthcare providers.
- PHA may share an Explanation of Benefits (EOB) with the subscriber of your plan to help with payment of claims.
- PHA may use and disclose your health information to collect premiums and calculate cost-sharing amounts.
Healthcare Operations:
- PHA may use or disclose your health information to assist you with benefit, claim or coverage questions.
- PHA may use your health information to review the quality of care and services you receive.
- PHA may use your health information to coordinate and improve preventive services and chronic condition management programs (such as immunizations, cancer screenings, or programs for asthma, diabetes, or high blood pressure).
- PHA may use or disclose your health information for subrogation or third-party liability activities to recover costs of care.
- PHA may use or disclose your health information to an independent review organization (IRO) if you request an external review of a coverage decision.
- PHA may use or disclose your health information with accreditation and credentialing organizations to maintain PHA’s licenses and certifications.
- PHA may use the minimum necessary health information from your electronic medical record such as hospital discharge notes or treatment summaries to help coordinate your care or connect you with follow-up services.
Plan Sponsor/Administrator
If you receive health plan benefits through your employment, PHA may share limited information with your employer’s health plan administrator.
- We may share your health information with your plan sponsor (your employer or group health plan) only when needed to obtain bids, manage, or administer the plan.
- If your employer helps pay your premium but does not pay your medical claims, your employer:
  - May not access your health information except as needed to obtain bids, manage, or end the plan.
  - Must agree in writing to protect your information and use it only as permitted by law.
Sharing Your Health Information with Those Involved in Your Care
PHA may share your health information in some cases with family members, friends, or others who are involved in your care or payment for your care.
- PHA may share information when you give us your verbal or written permission.
- If there is an emergency and you are unable to communicate, PHA may share information if PHA believes it is in your best interest.
- PHA may also share information to help protect your health and safety or the health and safety of others.
Other Ways PHA May Use and Share Your Health Information Without Authorization
For Legal and Law Enforcement Purposes
- When required by law.
- In response to a court order, subpoena, or other legal request.
- To law enforcement officials when required by law, such as to locate a suspect or report a crime.
- To government agencies involved in national security, military, or protective services.
For Oversight and Compliance
- To government agencies that oversee health care, such as licensing boards, auditors, or regulators.
- To the Secretary of the U.S. Department of Health and Human Services to oversee our compliance with HIPAA.
For Research
- For research purposes when permitted by law and subject to required protections.
For Organ Donation and Decedents
- To help identify a deceased person, determine the cause of death, or facilitate organ or tissue donation.
With Business Associates
- To vendors or contractors (called “business associates”) who help PHA operate and deliver services. These partners are required by law to protect your information.
Disclosures requiring Your Written Authorization
PHA is required to obtain your written authorization to use or disclose your protected health information, with limited exceptions, for the following reasons:
- Marketing. PHP will request your written authorization to use or disclose your protected health information for marketing purposes with limited exceptions, such as when we have face-to-face marketing communications with you or provide promotional gifts of nominal value.
- Sale of Protected Health Information. PHP does not sell PHI or PII and must request your written authorization before making any disclosure that is considered a sale of your protected health information.
- Other Uses or Disclosures. Any other uses or disclosures of your protected health information not described in this Notice will be made only with your written authorization, unless otherwise permitted or required by law.
Additional Privacy Protections for Sensitive Health Information
Federal and state laws may require enhanced privacy protections for certain types of health information. These may include:
- Alcohol, drug and substance use (diagnosis, treatment and referral information)
- Gender-affirming care
- Genetic information (services or tests)
- HIV (testing and treatment)
- Psychotherapy or counseling notes
- Reproductive health care
If PHA receives substance use disorder information from a federally assisted program covered by 42 CFR Part 2, PHA is required to implement additional safeguards to protect your SUD information.
- If you provide a general consent to the Part 2 program permitting your information to be used or disclosed for treatment, payment, or health care operations, PHA may use and disclose that information as permitted under HIPAA.
- If you give specific consent directly to PHA or another party, PHA will use and disclose your Part 2 information only as expressly permitted in that consent.
- PHA may use or disclose this information for treatment, payment, or health care operations.
- PHA will not use or disclose your Part 2 records, or any related testimony, in civil, criminal, administrative, or legislative proceedings without your consent or a court order that provides you notice before release.
If your PHI is subject to enhanced protection, PHA may only disclose it with your prior written authorization unless otherwise permitted or required by law.
Revocation of an Authorization
- You may cancel your authorization in writing at any time before it expires.
- If your information was shared based on your permission, it may be re-disclosed by others and may no longer be protected under state or federal privacy laws.
- Some laws may limit the re-disclosure of certain types of sensitive health information, such as mental health information, genetic information or substance use disorder information (diagnosis, treatment or referral).
Privacy Rights Regarding Your Health Information
Right to Access your Health Information:
- You have the right under HIPAA to request a copy of your health information that is maintained by PHA.
- You may request your health information in a paper copy or in an electronic format. PHA will provide it in the format you request if it is available. If not, we will provide it in a readable format.
- PHA requires that your request for your health information be made in writing.
- If PHA denies your request for your health information, PHA will notify you in writing and explain the reason and how you can appeal or respond.
- You also have the right to request a copy of your medical records from your doctor or another health care provider.
Right to an Accounting of Disclosures of Your Health Information
- You have the right under HIPAA to receive a list of disclosures PHA has made of your health information, except for those made for treatment, payment, or health care operations, or disclosures made with your authorization.
- This list may include disclosures made for public health reporting, law enforcement or other legal requirements.
- PHA requires that your request for an accounting of disclosures be made in writing and include the time period you are requesting.
- The time period may not be longer than six years from the date of your request.
Right to Amend Your Health Information:
- You have the right under HIPAA to request a change to your health information that is maintained by PHA, if you believe it is inaccurate or incomplete.
- PHA requires that your request to amend your health information be made in writing.
- If PHA approves your request, the amendment will be added to your record, and PHA will inform others who received the original information, if they need to know about the change.
- If PHA denies your request for amendment of your health information, PHA will notify you in writing and explain the reason and how you can appeal or respond.
Right to Confidential Communications:
- You have the right under HIPAA to request that PHA communicate with you using a specific method or at an alternative location if you believe the disclosure of your health information could endanger you. For example, you may ask PHA to send your health information only by U.S. mail or to an address other than your home. PHA will accommodate reasonable requests.
- All PHA members have the right to request their health information be sent to a different address if sending to your current address may put you in danger. PHA will accommodate reasonable requests of this kind. PHA will not require you to explain why you believe you are in danger to process your request. You may make this request either in writing or verbally.
- Some state laws provide additional privacy protections for which members have the right to request their plan information containing health or personal information be sent to another address, or that PHA may not disclose your information to the policyholder/subscriber. These state-specific requests must be made in writing.
Right to Request Restrictions on the Use and Disclosure of Your Health Information
- You have the right under HIPAA to request that we restrict or limit how we use or disclose your health information for treatment, payment or health care operations.
- If we agree, we will comply with your request unless the information is needed in an emergency. While we will consider your request for a restriction, by law we are not required to agree, as some requests may not be possible based on our operations or legal obligations.
- PHA requires that your request to restrict your information be made in writing.
Right to a Notice in the Event of a Breach of Your Health Information
- You have the right under HIPAA to receive a notice if PHA determines that your health information was involved in a breach.
- PHA will provide this notice without unreasonable delay and no later than 60 days after discovering the breach. The notice will include a description of what happened, the type of information involved, the actions PHA has taken to investigate and prevent further disclosures, the steps you can take to protect yourself from potential harm and how to contact PHA for more information.
How PHA Protects and Secures Your Information
All caregivers are required to comply with the HIPAA security and privacy policies. PHA has policies and procedures in place to ensure the confidentiality of your health information. PHA keeps your verbal, written, and electronic health information safe using administrative (policies), technical (encryption), and physical (locked storage) safeguards that follow federal and state laws. Some of the ways we protect your information include:
- Our caregivers are required to:
  - Sign the Acceptable Use Agreement, Confidentiality and Nondisclosure statement.
  - Complete privacy and security training when hired and on an annual basis.
  - Only access your health information when needed to perform job duties.
  - Securely dispose of written health information.
  - Report any privacy or security violations.
  - Use secure logins and passwords to access PHA systems.
  - Work in systems protected by firewalls, encryption, and data back-up protocols.
  - Wear ID badges when entering PHA buildings.
- PHA agreements with providers include confidentiality provisions that require them to protect your health information in accordance with HIPAA and other applicable privacy laws.
- PHA monitors its systems to detect and prevent unauthorized access to your health information.
- PHA limits the amount of health information it uses or shares to only what is necessary for the intended purpose.
- PHA requires vendors and contractors who handle your information to meet privacy and security standards.
How to Use Your HIPAA Rights:
You may also find the Member Authorization and Privacy forms on our website at: https://www.providencehealthplan.com/medicare/medicare-advantage-plans/members/forms-and-documents
You can also use our secure online portal to ask privacy-related questions. You will need to log in to your MyProvidence account, or register for one if you don’t have an account yet: www.myprovidence.com
You can use your HIPAA rights by contacting Customer Service.
- If you have any questions about your health information or if you believe that your privacy rights have been violated, please contact Customer Service at:
503-574-8000 or 1-800-603-2340. TTY users should call 711.
- We are open seven days a week, between 8 a.m. and 8 p.m. (Pacific Time). From April 1st to September 30th, we are closed Saturdays and Sundays.
You may file a complaint with PHA in writing at:
Providence Health Assurance
Attn: Appeals and Grievance Dept.
P.O. Box 4327
Portland, OR 97208-4327
If you have questions or concerns about PHA’s privacy practices or your privacy rights, please contact our HIPAA Privacy Rights Hotline at (503) 574-7770.
You have the right to file a complaint with the Office for Civil Rights (U.S. Department of Health and Human Services) if you believe your privacy rights have been violated. PHA will not retaliate against you for filing a complaint. You may contact the Office for Civil Rights at:
Office for Civil Rights
U.S. Department of Health and Human Services
200 Independence Avenue, S.W.
Room 509F, HHH Building
Washington, D.C. 20201
OCR Hotlines-Voice: 1-800-368-1019
E-mail: OCRComplaint@hhs.gov
Website: Office for Civil Rights www.hhs.gov/ocr/index.html
Your Rights to Receive This Notice
- You have the right to request a copy of this notice at any time, including a paper copy, even if you agreed to receive it electronically.
- PHA may change the terms of this notice at any time. If that happens, the updated notice will apply to all health information PHA maintains.
- PHA will post the revised notice on its website by the effective date of the change.
- PHA will also include the revised notice in the next annual mailing to members.
The most current version will always be available online at: https://www.providencehealthplan.com/medicare/medicare-advantage-plans/members/notice-of-privacy-practices
Effective date of this notice
The original effective date of this Notice was April 14, 2003. The most recent revision date is February 1, 2026.