
Privacy, Use, and Disclosure Policy (HIPAA)

Chartr Health

Updated July 12, 2025

Background

The Health Insurance Portability and Accountability Act of 1996 (HIPAA), as amended by the Health Information Technology for Economic and Clinical Health (HITECH) Act, and its implementing regulations restrict the use and disclosure of protected health information (PHI).

Purpose

This policy specifies the responsibilities, requirements, and procedures for the safeguarding, use, and disclosure of protected health information (PHI) transmitted or maintained in any form or medium (electronic or otherwise) by Chartr Health and its members.

Definitions

Business Associate

An entity, not a member of the Covered Entity's workforce, who:

  • Performs or assists in performing a function or activity regulated by HIPAA, on behalf of a covered entity, involving the creation, receipt, maintenance, or transmission (i.e., use and disclosure) of PHI (including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, patient safety activities listed at 42 CFR 3.20, billing, benefit management, practice management, and repricing); or
  • Provides legal, accounting, actuarial, consulting, data aggregation, management, accreditation, or financial services, where the performance of such services involves giving the service provider access to PHI.

Business Associates include:

  • A health information organization;
  • An e-prescribing gateway;
  • Any entity that provides data transmission services with respect to PHI to a covered entity and that requires routine access to PHI;
  • An entity that maintains PHI for a covered entity, whether or not the entity actually reviews the PHI.

De-identified Information

Health information that does not identify an individual and with respect to which there is no reasonable basis to believe that the information can be used to identify an individual. There are two ways a covered entity can determine that information is de-identified:

  • Professional statistical analysis
  • Removing 18 specific identifiers.

Designated Record Set

A group of records maintained by or for a company that includes:

  • Enrollment, payment, and claims adjudication record of an individual maintained by or for the Plan; or
  • Other protected health information used, in whole or in part, by or for the Plan to make coverage decisions about an individual.

Disclosure

For information that is PHI, disclosure means any release, transfer, provision of access to, or divulging in any other manner of individually identifiable health information to persons not employed by or working within the human resources department of the location(s) of the Employer.

Health Care Operations

Health care operations means any of the following activities to the extent that they are related to Plan administration:

  • Conducting quality assessment and improvement activities;
  • Reviewing health plan performance;
  • Underwriting and premium rating;
  • Conducting or arranging for medical review, legal services and auditing functions;
  • Business planning and development;
  • Business management and general administrative activities;
  • De-identifying the information in accordance with HIPAA Rules as necessary to perform required services.

Payment

Payment includes activities undertaken to obtain Plan contributions or to determine or fulfill the Plan's responsibility for provision of benefits under the Plan, or to obtain or provide reimbursement for health care. Payment also includes:

  • Eligibility and coverage determinations including coordination of benefits and adjudication or subrogation of health benefit claims;
  • Risk adjusting based on enrollee status and demographic characteristics; and
  • Billing, claims management, collection activities, obtaining payment under a contract for reinsurance (including stop-loss insurance and excess loss insurance) and related health care data processing.

Use

The sharing, employment, application, utilization, examination, or analysis of individually identifiable health information by any person working for or within the human resources department of the Employer, or by a Business Associate (defined above) of the Plan.

Scope

Chartr Health is a business entity that is considered a Business Associate with respect to protected health information (PHI), as provided by the standards, requirements, and implementation specifications of the HIPAA Privacy Rule. Therefore, this policy applies to Chartr Health and all members of its workforce with access to PHI. Additionally, all third parties, subcontractors, or vendors that provide services to Chartr Health involving the creation, receipt, maintenance, or transmission of protected health information on behalf of the Employer, in fulfillment of its contractual duties, must comply fully with HIPAA's requirements.

Roles and Responsibilities

Privacy personnel designations will be documented and maintained in written or electronic form for six years from time of designation.

Chartr Health's CISO will serve as the Privacy Official, who will be responsible for:

  • Developing and implementing privacy policies and procedures
  • Developing a program to manage complaints
  • Appointing personnel who will serve as contact persons to respond to questions, concerns, or complaints about individual PHI privacy and protection
  • Ensuring compliance with the HIPAA Privacy Rule regarding Business Associates and Business Associate Agreements (BAAs)
  • Monitoring compliance of all Business Associates with the HIPAA Privacy Rule, and this policy
  • Developing privacy training schedules and programs

Documentation

This policy and associated procedures are designed to ensure compliance as it applies to Chartr Health, its size, and the type of activities it performs. As documented, this policy will be maintained for at least six years from the date last in effect. Any necessary or appropriate changes to this policy will be:

  • In line with the standards set forth in the HIPAA Privacy Rule;
  • To comply with changes in the law, standards, requirements and implementation specifications (including changes and modifications in regulations);
  • Promptly implemented and documented;
  • Reflected in the notice of privacy practices; and
  • Communicated, if required, in writing or electronically, and documented.

The Plan shall document certain events and actions (including authorizations, requests for information, sanctions, and complaints) relating to an individual's privacy rights.

General Policy (For Covered Entities — § 164.530)

Training

Chartr Health will ensure that all personnel are trained annually on the company's privacy policies and procedures and, as applicable, on the HIPAA Privacy Rule. The training content will be reviewed and updated as needed, and at least annually.

Administrative, Technical and Physical Safeguards and Firewall

Chartr Health has appropriate administrative, technical and physical safeguards to prevent PHI from intentionally or unintentionally being used or disclosed in violation of HIPAA's requirements (see company information security policies and procedures, and controls in place).

  • Administrative safeguards include implementing procedures for use and disclosure of PHI, as outlined in this policy.
  • Technical safeguards include limiting access to information by creating computer firewalls, which will ensure that there is only authorized access to PHI at the minimum level necessary for administrative functions.
  • Physical safeguards include locking doors or filing cabinets.

Privacy Notice

Chartr Health's privacy notice will include:

  • Uses and disclosures of PHI that may be made by Chartr Health;
  • Individual's rights under the HIPAA privacy rules;
  • Chartr Health's legal duties with respect to the PHI;
  • Notification of access to PHI in connection with administrative functions;
  • Complaint procedures; and
  • Other information as required by the HIPAA privacy rules.

Chartr Health will deliver or make available the privacy notice to appropriate individuals:

  • Upon request;
  • Within 60 days after a material change to the notice; and
  • At least once every three years, in compliance with the HIPAA Privacy Rule.

Sanctions

Violation of this policy or HIPAA Privacy Rule will be met with sanctions in accordance with Chartr Health's discipline policy, up to and including termination (See Information Security Policy).

Mitigation of Inadvertent PHI Disclosures

Chartr Health will, to the extent possible, mitigate any harmful effects that become known to it of a use or disclosure of an individual's PHI in violation of HIPAA or the policies and procedures set forth in this Policy. Accordingly, any member who becomes aware of either of the following must immediately contact the Privacy Official so that appropriate steps can be taken to mitigate harm to the affected individuals:

  • A disclosure of PHI, either by an employee or a business associate
  • An employee or business associate that is not in compliance with this policy or HIPAA

No Intimidation or Retaliatory Acts

No Chartr Health member may intimidate, threaten, coerce, discriminate against, or take other retaliatory action against any individual for exercising their rights, filing a complaint, participating in an investigation, or opposing any improper practice under HIPAA.

No Waiver of HIPAA Privacy

No individual will be required by Chartr Health or any of its members to waive his or her privacy rights under HIPAA, as a condition of treatment, payment, enrollment or eligibility under a health plan.

Policy and Procedures for Use and Disclosure of PHI

Compliance

All members of Chartr Health with access to PHI must comply with this Policy and included procedures.

Access to PHI Is Limited to Certain Employees

The following employees (“employees with access”) have access to PHI:

  • Any employee who performs functions directly on behalf of Chartr Health
  • Any other employee who has access to PHI on behalf of the Employer for its use in “plan administrative functions”.

Employees with access may use and disclose PHI for company administrative functions, and they may disclose PHI to other employees with access for administrative functions (but the PHI disclosed must be limited to the minimum amount necessary to perform the plan administrative function). Employees with access may not disclose PHI to employees (other than employees with access) unless an authorization is in place or the disclosure otherwise is in compliance with this Policy and any associated procedures.

Permitted Uses and Disclosures for Plan Administration Purposes

Chartr Health may disclose the following for its use:

  • (a) de-identified health information;
  • (b) Enrollment information;
  • (c) summary health information for the purposes of obtaining premium bids for providing health insurance coverage under a plan or for modifying, amending, or terminating the plan; or
  • (d) PHI pursuant to an authorization from the individual whose PHI is disclosed.

Permitted Uses and Disclosures: Payment and Health Care Operations

PHI may be disclosed for Chartr Health's own payment purposes, and PHI may be disclosed to another covered entity for that covered entity's payment purposes. The same applies to disclosures for health care operations. PHI may be disclosed to another covered entity for purposes of the other covered entity's quality assessment and improvement, case management, or health care fraud and abuse detection programs, if the other covered entity has (or had) a relationship with the participant and the PHI requested pertains to that relationship.

No Disclosure for Non-Health Plan Purposes

PHI may not be used or disclosed for the payment or operations of Chartr Health's “non-health” benefits (e.g., disability, workers' compensation, life insurance, etc.), unless the participant has provided an authorization for such use or disclosure, or such use or disclosure is required by applicable state law and the particular requirements under HIPAA are met.

Mandatory Disclosures: Individual and HHS

A participant's PHI must be disclosed as required by HIPAA in three situations: (1) The disclosure is to the individual who is the subject of the information; (2) the disclosure is required by law; or (3) the disclosure is made to HHS for purposes of enforcing HIPAA.

Permissive Disclosures: Legal and Public Policy Purposes

An employee who receives a request for disclosure of an individual's PHI that appears to fall within one of the permitted categories must contact the Privacy Official. Disclosures must: (1) be approved by the Privacy Official; (2) comply with the “Minimum-Necessary Standard”; and (3) be documented in accordance with the procedure for “Documentation Requirements”. Permitted disclosures include disclosures about victims of abuse, neglect or domestic violence; for judicial and administrative proceedings; to law enforcement officials; to public health authorities; to health oversight agencies; to coroners or medical examiners; for cadaveric organ donation; for limited research purposes; to avert serious threats to health or safety; for specialized government functions; and for workers' compensation programs.

Disclosures Pursuant to an Individual Authorization

PHI may be disclosed for any purpose if an authorization that satisfies all of HIPAA's requirements for a valid authorization is provided by an individual. All uses and disclosures made pursuant to a signed authorization must be consistent with the terms and conditions of the authorization.

Verification of Identity of Those Requesting Protected Health Information

Employees must take steps to verify the identity of individuals who request access to PHI. They must also verify the authority of any person to have access to PHI, if the identity or authority of such person is not known. Separate procedures apply depending on whether the request is made by the individual, a parent seeking access to the PHI of his or her minor child, a personal representative, or a public official seeking access.

Disclosures of PHI to Business Associates

Employees may disclose PHI to Chartr Health's business associates and allow the business associates to create or receive PHI on its behalf. However, prior to doing so, Chartr Health will first obtain assurances from the business associate that it will appropriately safeguard the information. All uses and disclosures by a “business associate” will be made in accordance with a valid business associate agreement.

Complying With the “Minimum-Necessary” Standard

HIPAA requires that when PHI is used or disclosed, the amount disclosed generally must be limited to the “minimum necessary” to accomplish the purpose of the use or disclosure. The minimum-necessary standard does not apply to uses or disclosures made to the individual, pursuant to an individual authorization, to HHS, as required by law, or as required to comply with HIPAA.

Individual's Request for Access

HIPAA provides individuals the right to access and obtain copies of their PHI (or electronic copies of PHI) that Chartr Health (or its business associates) maintains in designated record sets. Requests will be responded to within 30 days, with a possible 30-day extension upon written notice.

Individual's Requests for Amendment

HIPAA also provides individuals the right to request to have their PHI amended. Chartr Health will consider requests for amendment that are submitted in writing by participants. Requests will be responded to within 60 days, with a possible 30-day extension upon written notice.

Request for an Accounting of Disclosures of PHI

An individual has the right to obtain an accounting of certain disclosures of his or her own PHI. The accounting must include disclosures made during the period requested by the individual up to six years prior to the request.

Requests for Confidential Communications

Individuals may request to receive communications regarding their PHI by alternative means or at alternative locations. The Employer shall accommodate such a request if the participant clearly states that disclosure of all or part of that information could endanger the participant.

Requests for Restrictions on Uses and Disclosures of PHI

Individuals may request restrictions on the use and disclosure of their PHI. All approved requests for limitations on the use or disclosure of PHI must be tracked, and all business associates that may have access to the individual's PHI must be notified of any agreed-to restrictions.

Records

Copies of all of the following items will be maintained for a period of at least six years from the date the documents were created or were last in effect, whichever is later:

  • “Notices of Privacy Practices” that are issued to participants
  • Copies of policies and procedures
  • Individual authorizations
  • When disclosure of certain PHI is made: the date of the disclosure; the name (and if known, the address) of the entity or person who received the PHI; a brief description of the PHI disclosed; a brief statement explaining the purpose of the disclosure; and any other documentation required under these Use and Disclosure Procedures.