UMP notice of privacy practices

For your convenience, this document is also available in PDF format.

Download the UMP notice of privacy practices

Effective November 1, 2016
This notice describes how medical information about you may be used and  disclosed and how you can get access to this information. Please review it carefully.

Why am I getting this notice?

The Washington State Health Care Authority (HCA) is required by law to maintain the privacy of information about you and to provide this notice to all Uniform Medical Plan (UMP) subscribers. This notice does not affect your eligibility for services or coverage.

Where does the HCA get this information about me?

The HCA collects personal information about you in a number of ways. For example, the HCA might get information from your provider, such as when the provider applies for payment. The HCA might also get information from you, such as when you enroll in UMP, send in a claim, call Customer Service, or submit a complaint or appeal. This information may be related to your medical care or health, or other information about you. The HCA usually has little personal information about you. Most of the information the HCA has is information you or your providers send so the HCA can pay claims.

What does the HCA do with my information?

The HCA is required by law to keep your information confidential. Other than as explained in this notice, the HCA does not disclose it to anyone outside the HCA, our administrators, and your providers. When the HCA does disclose information, the HCA usually provides only the minimum information necessary. HCA employees and contractors who violate the confidentiality standards can be punished and even dismissed.

In what situations can the HCA use and disclose my information without my authorization?


This includes care provided to you and the coordination or management of your care. For example, the HCA might disclose information to alert your health care provider to possible problems in your care.


This includes meeting HCA’s obligations to cover or provide benefits for your care, and collecting premiums and other amounts due. For example, when the HCA pays a provider, the HCA usually specifies the treatment for which it is paying. Or, if a provider wants to discuss the amount paid, the HCA may need to use and disclose your information. Another example would be exchanging information with a person or company that may be responsible for paying your medical expenses, such as another plan.

Health care operations

This refers to what the HCA does to keep the plan operating, including quality control, medical and legal reviews, working with auditors and examiners, compliance reviews, and using protected health information to create data sets that do not have individual members’ identifiable information. For example, the HCA discloses information to contracted business associates that handle claims processing and customer service, such as our plan administrator, our pharmacy benefit manager, and contractors working on subrogation. These business associates also must protect your privacy. They may in turn disclose to subcontractors of their own, and those subcontractors too must protect your privacy.

Health benefits and services

For example, the HCA may use or disclose your personal information to:

  • You, about treatment alternatives or health-related benefits or services.
  • Vendors hired to assist in contacting you.
  • Contractors hired by HCA to provide services, and contractors hired by those contractors, regarding services such as:
    • Disease management.
    • Case management.
    • Health assessment.
    • Evaluation of HCA programs.
    • Evaluating your prescription drug use.
    • Conferring with you or your providers about these programs or other services.
  • An IRO (Independent Review Organization, also called an external review organization) that reviews your appeal at your request.

Other situations where the HCA might disclose your information without your authorization

The HCA may disclose your information:

  • When the HCA believes it is required by law to do so. That includes, for example, cases where the HCA receives a subpoena or summons.
  • To public health agencies (such as the Washington State Department of Health and the Washington State Department of Social and Health Services) as provided by state and federal laws to:
    • Prevent or control disease.
    • Report births or deaths.
    • Report child abuse or neglect to authorized agencies.
    • Report problems with medicines or products to the federal Food and Drug Administration (FDA).
    • Notify you if a product you are using is recalled.
    • Give notice of exposure to a disease or condition that is a health risk.
  • Within the HCA and with other agencies, and to our auditors for oversight activities authorized by law. Examples of these oversight activities include audits, examinations, inspections, investigations, and health professions licensing.
  • When required to do so in the course of lawsuits or administrative hearings.
  • To law enforcement officials.
  • After your death to a coroner, funeral director, or organ transplant organization.
  • Fifty years after your death, when your information is no longer protected.
  • In connection with certain research projects in which your privacy is protected.
  • If the HCA thinks disclosure is necessary to avert a serious and imminent threat to your health or safety or someone else’s, or to permit law enforcement authorities to identify or apprehend an individual.
  • To an authorized government agency if the HCA thinks you might be a victim of abuse, neglect, or domestic violence.
  • To military authorities, in some situations, if you are Armed Forces personnel.
  • To an authorized federal official or other authorized persons for purposes of national security, for providing protection to the President or others, or to conduct special investigations, as authorized by law.
  • To other government agencies to help determine your eligibility for benefits or services.
  • To entities for accreditation, certification, or review of an HCA operation or program.
  • To a subscriber, if the information relates to family members enrolled on the account, to explain payments, benefits, deductibles, and other matters relating to payment.
  • To the Secretary of the federal Department of Health and Human Services or a designee, as needed to comply with regulations.
  • To state or federal agencies and programs, where permitted or required by law.
  • To your parent or guardian or someone else with a similar role, if you are under 18 years old. There are some exceptions to when we will give information to a parent or guardian:
    • If you are younger than 18, information related to abortions, birth control, and prenatal care.
    • If you are 13 years old or older, information about mental health and outpatient substance abuse treatment.
    • If you are 14 years old or older, information about sexually transmitted infections.

In all these cases, however, we will disclose to a parent or guardian if you authorize it or it is required by law.

  • To a family member or friend involved in your care, if you consent or do not object.
  • To a family member or friend (if you cannot authorize disclosure, such as in some medical emergencies). The HCA will do this only if its employees think it is in your best interest.
  • If you are a retiree receiving benefits from the Department of Retirement Systems (DRS), the PEBB Program may share your information with DRS to better serve you.

If disclosure to you or another person might be harmful to you or someone else, the HCA may limit the information provided.

Are there specially protected types of information?

Yes, some types of information have greater protection under Washington State or federal laws. The above disclosure practices don’t necessarily apply to specially protected types of information, which include confidential HIV-related information protected by Washington State laws; alcohol and substance abuse treatment information protected under both Washington State and federal laws; and mental health treatment information protected under both Washington State and federal laws.

When might I need to approve a disclosure?

The HCA will not make any use or disclosure of your information other than the uses listed in this Notice unless you authorize (approve) it. For example, disclosure of information regarding behavioral health services, such as psychotherapy notes, usually requires your authorization.

You may be asked to sign an authorization form allowing your information to be shared if:

  • The HCA needs to send information to other places not covered by the descriptions above;
  • You want us to send information to an agency or provider; or
  • You want information sent to another person such as an attorney or relative.

Your authorization is effective until the expiration time you designate. The HCA will share only the information you list. If you do authorize a use or disclosure, you can revoke (take back) that authorization later. Your revocation does not affect any use or disclosure already made before we received your revocation. Your legally authorized personal representative may act on your behalf. We would treat a disclosure to your legally authorized personal representative as a disclosure to you.

What are my rights?

Request restrictions (limit disclosures)

You may ask the HCA to restrict its use and disclosure of your personal information for treatment, payment, and health care operations, and to restrict disclosures to persons you identified. The HCA will consider your request but, in most cases, it is not required to agree to it. If the HCA does agree, it will abide by the agreement except in an emergency.

Inspect and copy

You may review the personal information the HCA has about you by asking, in writing, for access to it or a copy of it. The HCA may charge a fee for copies. If you have records in more than one part of the HCA, you need to identify which records you want to see. In many situations, the HCA will provide the copies in electronic format if you request. The information you may review and copy does not include psychotherapy notes; information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding; information that the HCA cannot legally disclose to you; information received from someone other than a health care provider under a promise of confidentiality if the access requested would be reasonably likely to reveal the source of the information; or information that a licensed health care professional or HCA determines should not be disclosed to you because it might harm you or someone else.

Except for the exclusions listed above, here are the records you may review and copy:

  • Records that are enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for HCA; and
  • Other records HCA uses to make decisions about you.

Amend (add to or correct)

You may ask us to amend your personal information if you believe it is incorrect or incomplete. You must make the request in writing, and identify which information you want changed and why it should be changed. The HCA is not necessarily required to make the changes you request. For example, the HCA is not required to change information that the HCA did not create or information that is correct. If the HCA does not make the change you request, the HCA will tell you why. If the HCA does make the changes, the HCA will make a reasonable effort to inform others to whom the HCA gave the information or who you tell us received the information.

These are the records that you may ask to be amended:

  • Records that are enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for HCA; and
  • Other records HCA uses to make decisions about you.

Accounting of disclosures (who did the HCA tell, what did the HCA tell them)

You may ask for an accounting of disclosures that the HCA makes of your personal information. This does not include disclosures for treatment, payment, and health care operations; disclosures to you or with your authorization; disclosures made more than six years before your request; and certain other disclosures. The HCA will respond to you within 60 days of your request. If you ask for more than one accounting in any 12-month period, the HCA may charge you a reasonable fee.

Notice of breach

The HCA will notify you if there is a breach of the confidentiality of your information.

Sending by alternative means or to an alternative location.

You may ask the HCA to send personal information to you by alternative means or to an alternative location. The HCA will accommodate any reasonable request if you clearly state that disclosure of all or part of the information to your location on file could endanger you. If the request does not state that, the HCA will consider the request but may or may not accommodate it.

Get a paper copy of this notice

You may request a paper copy of this notice by calling Uniform Medical Plan Customer Service at 1-888-849-3681.

For questions or complaints

If you believe your privacy rights have been violated or you have questions, contact the HCA privacy officer by calling 1-844-284-2149 (toll-free) or writing to HCA Privacy Officer, P.O. Box 42704, Olympia, WA 98504-2700. If you prefer, you may complain to the Secretary of the United States Department of Health and Human Services. You will not be retaliated against for filing a complaint.

Changes and availability

We reserve the right to change our practices at any time and apply the changes to information we created or received before we made the changes. We will put the new Notice on the UMP website if we change it, and we will inform you in the next annual mailing (or earlier). At any given time, we will comply with the Notice that is in effect then. The current Notice is available at