UMP notice of privacy practices

Note: UMP is updating its Notice of Privacy Practices. The updated UMP Notice of Privacy Practices will become effective November 1, 2018.

For your convenience, the UMP notice of privacy practices is also available in PDF format.

Download now

Effective November 1, 2017
This notice describes how medical information about you may be used and disclosed and how you can get access to this information. Please review it carefully.

Why am I getting this notice?

The Washington State Health Care Authority (HCA) and Uniform Medical Plan (UMP) are committed to protecting your health information. UMP is required by law to maintain the privacy of information about you and to provide this notice to all UMP subscribers. This notice does not affect your eligibility for services or coverage.

What does UMP do with my information?

UMP is required by law to keep your information confidential. Other than as explained in this notice, UMP does not disclose your information to anyone outside UMP, its administrators, and your providers. When UMP does disclose information, it usually provides only the minimum information necessary. Employees and contractors who violate confidentiality standards can be punished and even dismissed.

In what situations can UMP use and disclose my information without my permission?

Treatment

This includes care provided to you and the coordination or management of your care. For example, UMP might disclose information to alert your health care provider to possible problems in your care.

Payment

This includes meeting UMP’s obligations to cover or provide benefits for your care, and collecting premiums and other amounts due. For example, when UMP pays a provider, UMP usually specifies the treatment for which it is paying. Or, if a provider wants to discuss the amount paid, UMP may need to use and disclose your information. Another example would be exchanging information with a person or company that may be responsible for paying your medical expenses, such as another plan.

Health care operations

This refers to what UMP does to keep the plan operating, including quality control, medical and legal reviews, working with auditors and examiners, compliance reviews, and using protected health information to create data sets that do not have individual members’ identifiable information. For example, UMP discloses information to business associates that handle claims processing and customer service, such as its plan administrator, pharmacy benefit manager, and contractors working on subrogation. These business associates also must protect your privacy. They may in turn disclose to subcontractors of their own, and those subcontractors too must protect your privacy.

Health benefits and services

For example, UMP may use or disclose your personal information to:

  • You, about treatment alternatives or health-related benefits or services.
  • Vendors hired to assist in contacting you.
  • Contractors hired to provide services, and contractors hired by those contractors, regarding services such as:
    • Disease management.
    • Case management.
    • Health assessment.
    • Evaluating your prescription drug use.
    • Conferring with you or your providers about these programs or other services.
  • An IRO (Independent Review Organization; also called an external review organization) that reviews your appeal at your request.

To the HCA

The HCA is the state agency designated by the state of Washington to create health plans for state employees and other eligible persons. UMP is a self-funded health plan sponsored by the HCA. As the plan sponsor, the HCA may receive information about your participation in UMP, including whether you have enrolled or disenrolled, and a summary of your claims history.

The HCA may also receive health information to fulfill administrative functions that the HCA provides for UMP. To fulfill administrative functions, the HCA may make any of the uses and disclosures described in this notice. However, the HCA will not:

  • Further use or disclose your health information except as required by law.
  • Use or disclose the information for employment-related actions or decisions.
  • Disclose your health information to state employees other than to HCA employees working on UMP administrative functions.
  • Use or disclose the information in connection with any other benefit plan.

The HCA has implemented administrative, physical, and technical safeguards that reasonably and appropriately protect your health information. It has created security measures that make sure your health information is only used by appropriate HCA employees working on UMP administrative functions.

Other situations where UMP might disclose your information without your permission

UMP may disclose your information:

  • When UMP believes it is required by law to do so, such as when responding to a subpoena or summons.
  • To public health agencies (such as the Washington State Department of Health and the Washington State Department of Social and Health Services) as provided by state and federal laws to:
    • Prevent or control disease.
    • Report births or deaths.
    • Report child abuse or neglect.
    • Report problems with medicines or products to the U.S. Food and Drug Administration (FDA).
    • Notify you if a product you are using is recalled.
    • Give notice of exposure to a disease or condition that is a health risk.
  • For oversight activities authorized (allowed) by law. Examples of these activities include audits, examinations, inspections, investigations, and health professionals licensing.
  • When required to do so in the course of lawsuits or administrative hearings.
  • To UMP’s and HCA’s attorneys for purposes of legal advice or litigation.
  • To law enforcement officials.
  • After your death, to a coroner, funeral director, or organ transplant organization.
  • Fifty years after your death, when your information is no longer protected.
  • In connection with certain research projects in which your privacy is protected.
  • If disclosure is necessary to avert a serious and imminent threat to your, or someone else’s, health or safety, or to permit law enforcement authorities to identify or apprehend an individual.
  • To an authorized government agency if UMP thinks you might be a victim of abuse, neglect, or domestic violence.
  • To military authorities, in some situations, if you are armed forces personnel.
  • To an authorized federal official or other authorized persons for purposes of national security, for providing protection to the President or others, or to conduct special investigations, as authorized by law.
  • To other government agencies to help determine your eligibility for benefits or services.
  • To entities for accreditation, certification, or review of a UMP operation or program.
  • To a subscriber (if the information relates to family members enrolled on the account) to explain payments, benefits, deductibles, and other matters relating to payment.
  • To the Secretary of the U.S. Department of Health and Human Services, or a designee, as needed to comply with regulations.
  • To state or federal agencies and programs, where permitted or required by law.
  • To your parent or guardian, or someone else with a similar role, if you are under 18 years old. There are some exceptions to this disclosure. UMP will not give information to a parent or guardian:
    • If you are younger than 18, and the information relates to abortions, birth control, and prenatal care.
    • If you are 13 years old or older, and the information is about mental health and outpatient substance abuse treatment.
    • If you are 14 years old or older, and the information is about sexually transmitted infections.

In all these cases, however, UMP will disclose to a parent or guardian if you authorize it or if it is required by law.

  • To a family member or friend involved in your care, if you consent or do not object.
  • To a family member or friend (if you cannot authorize disclosure, such as in some medical emergencies) if UMP thinks it is in your best interest.
  • To the Department of Retirement Systems (DRS), if you are a retiree receiving benefits from DRS, so DRS can better serve you.

If disclosure to you or another person might be harmful to you or someone else, UMP may limit the information provided.

Are there specially protected types of information?

Yes, some types of information have greater protection under Washington State or federal laws. The above disclosure practices don’t necessarily apply to specially protected types of information, which include:

  • Confidential HIV-related information protected by Washington State laws.
  • Alcohol and substance abuse treatment information protected under both Washington State and federal laws.
  • Mental health treatment information protected under both Washington State and federal laws.

When might I need to approve a disclosure?

Unless required by law, UMP will not make any use or disclosure of your information other than the uses listed in this Notice unless you authorize it.

You may be asked to sign an authorization form allowing your information to be shared if any of the following apply:

  • UMP needs to send information to other places not covered by the descriptions above.
  • You want UMP to send information to an agency or provider.
  • You want information sent to another person, such as an attorney or relative.

Your authorization is effective until the expiration time you choose. UMP will share only the information you list. If you do authorize a use or disclosure, you can revoke (take back) that authorization later. Your revocation does not affect any use or disclosure already made before we received your revocation. Your legally authorized personal representative may act on your behalf. UMP would treat a disclosure to your legally authorized personal representative as a disclosure to you.

What are my rights?

Although the below sections only refer to UMP, you may exercise your rights to access and control information held by the HCA to the same extent you can exercise your rights to access and control information held by UMP.

Request restrictions (limit disclosures)

You may ask UMP to restrict its use and disclosure of your personal information for treatment, payment, and health care operations, and to restrict disclosures to persons you identify. UMP will consider your request but, in most cases, it is not required to agree to your request. If UMP does agree, it will abide by the agreement except in an emergency.

Inspect and copy

You may review the personal information UMP has about you by asking, in writing, for access to it or a copy of it. If you make your request to the HCA and have records in more than one part of the HCA–such as if you were previously enrolled in HCA’s Apple Health (Medicaid) program–you need to identify which records you want to see.

UMP may charge a fee for copies. In many situations, it will provide the copies in electronic format upon request.

The information you may review and copy does not include:

  • Psychotherapy notes.
  • Information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding.
  • Information that UMP cannot legally disclose to you.
  • Information received from someone other than a health care provider under a promise of confidentiality if the access requested would be reasonably likely to reveal the source of the information.
  • Information that a licensed health care professional or UMP determines should not be disclosed to you because it might harm you or someone else.

Except for the exclusions listed above, here are the records you may review and copy:

  • Enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for UMP.
  • Other records UMP uses to make decisions about you.

Amend (add to or correct)

You may ask UMP to amend your personal information if you believe it is incorrect or incomplete. You must make the request in writing, identify which information you want changed, and explain why it should be changed.

UMP is not necessarily required to make the changes you request. For example, it is not required to change information that it did not create or information that is correct. If UMP does not make the change you request, it will tell you why. If UMP does make the changes, it will make a reasonable effort to inform others to whom it gave the information or others you tell UMP received the information.

These are the records that you may ask to be amended:

  • Enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for UMP.
  • Other records UMP uses to make decisions about you.

Accounting of disclosures

You may ask for an accounting of disclosures that UMP makes of your personal information. This does not include any of the following:

  • Disclosures for treatment, payment, and health care operations.
  • Disclosures to you or with your authorization.
  • Disclosures made more than six years before your request.
  • Certain other disclosures.

UMP will respond to you within 60 days of your request. If you ask for more than one accounting in any 12-month period, UMP may charge you a reasonable fee.

Notice of breach

UMP will notify you if there is a breach of the confidentiality of your information.

Sending by alternative means or to an alternative location

You may ask UMP to send personal information to you by alternative means or to an alternative location. UMP will accommodate any reasonable request if you clearly state that disclosure of all or part of the information to your location on file could endanger you. If the request does not state that, UMP will consider the request, but may or may not accommodate it.

Get a paper copy of this notice

You may request a paper copy of this notice by calling UMP Customer Service at 1-888-849-3681 (TRS: 711).

For questions or complaints

If you believe your privacy rights have been violated or you have questions, contact the HCA privacy officer by calling 1-844-284-2149 (toll-free) or writing to:

Privacy Officer
Health Care Authority
PO Box 42704
Olympia, WA 98504-2704

If you prefer, you may contact the Secretary of the U.S. Department of Health and Human Services. You will not be retaliated against for filing a complaint.

Changes and availability

UMP reserves the right to change its privacy practices at any time and apply the changes to information it created or received before it made the changes. If UMP changes its privacy practices, the new Notice of Privacy Practices will be posted on the UMP website, and UMP will inform you in the next annual mailing (or earlier). At any given time, UMP will comply with the notice that is currently in effect.