Member Privacy and Confidentiality
Concordia Behavioral Health (Concordia) is committed to requiring that all of its staff and agents protect the confidentiality of member information and records. We focus on ensuring that all data and information received and used by Concordia is kept and used confidentially and securely.
Member-identifiable information, or protected health information (PHI), includes data such as name, social security number, member number, address, telephone number, and date of birth. Concordia considers this data to be confidential. This data is used for verifying eligibility, managing benefits, coordinating care, paying claims, reporting quality assurance, determining practitioner performance, and complying with health care regulations.
Concordia has several policies in place to protect member-identifiable information and ensure privacy for our members and subscribers. The following items are covered under these policies.
Routine Uses and Disclosures of Protected Health Information
Concordia is responsible for managing mental health and chemical dependency treatment benefits. In order to carry out these responsibilities, we receive and use information about the individuals who are eligible to receive these benefits. When an eligible individual uses his or her behavioral health benefits, we usually need to obtain and use additional information about that individual to do our job.
Concordia uses information about enrollees and their dependents (if applicable) for treatment, payment, and health care operations, such as enabling us to verify eligibility for services; authorize treatment; pay claims; coordinate care; resolve inquiries, complaints and appeals; improve the care and service rendered by Concordia and its network of practitioners and facilities; and meet regulatory requirements and accreditation standards.
If we use information for reasons other than treatment, payment, and health care operations, we will change or remove any portions of the information that could allow someone to identify the enrollee or his/her dependent, or we will contact the enrollee or his/her legal representative to ask for written authorization to use the information. Enrollees may contact the Concordia Chief Privacy Officer at any time to find out how their PHI is being used to manage their behavioral health benefits. Enrollees may also contact the Privacy Officer if they feel their PHI is incorrect or requires additional explanation.
Use of Authorizations
Concordia obtains special authorization to disclose protected health information (PHI). The following individuals can, in most cases, give authorization for the disclosure of PHI:
- An adult enrollee
- The natural or adoptive parents of a minor enrollee on behalf of the minor
- A legally-authorized representative of an enrollee
Enrollees have the right to authorize or deny the release of PHI beyond uses for treatment, payment, or health care operations.
Access to PHI
Members have the right to inspect and obtain a copy of PHI/Member-identifiable information in a Designated Record Set that is in Concordia’s possession. In general, the Designated Record Set includes the following:
- Member demographic and insurance information.
- Claims explanation of benefits.
- Authorizations of care.
- Clinical event documentation.
- Written utilization management records.
Members must make requests to inspect and obtain a copy of the Designated Record Set in writing to the Concordia Privacy Officer.
Concordia may deny a member access to the Designated Record Set without providing the individual an opportunity for review in the following circumstances:
- Psychotherapy notes kept separate from the Medical Record.
- Information that is gathered for use in a civil, criminal, or administrative proceeding.
- Information that was provided to Concordia by someone under a promise of confidentiality.
Concordia may deny members access to all or part of a designated record set when a licensed health care professional has determined that harm would be caused to the enrollee or others if access to the information were granted.
Enrollees may request a review of the denial of access.
Internal Protection of Oral, Written, and Electronic PHI
Concordia has an array of security provisions to protect PHI and confidential data and information.
- Concordia’s Agents, Contractors, Employees, and Staff may not discuss PHI or confidential data and information in any area where individuals who do not have the right to know about the information may overhear it.
- Printouts with PHI are secured in locked file cabinets in locked file rooms, accessible only to the staff members who need to see them. Faxed information is sent out with a cover sheet that has a confidentiality notice, and mailed information is marked “Confidential.” When not hand-carried and personally delivered to the recipient, printouts containing PHI and confidential data and information must be placed in a sealed envelope marked “Confidential.”
- Computer files with this information are kept on computers that are password-protected. These files are only available to those staff members who need to have access to them. Data sent electronically (through e-mail) is encrypted or coded and password-protected, and the e-mail message contains a confidentiality notice.
- Any information that is no longer required for business purposes is destroyed. Printouts are shredded, computer files are permanently erased, and computer media is destroyed.
Practitioners keep medical records for members in their offices; therefore, they are required by Concordia to have privacy, security, and confidentiality practices in effect to keep PHI secure. In a practitioner’s office, PHI can be found in medical records, appointment books, correspondence, lab results, billing records, and treatment records. This information must be stored in locked cabinets or in a locked area, and computer files should be password-protected. Information submitted electronically must be encrypted or coded, and bear a prominent confidentiality statement. Faxed information should be sent out with a cover sheet that has a confidentiality notice, and mailed information should be marked “Confidential.”
Protection of Information Disclosed to Plan Sponsors or Employers
Concordia does not share protected health information with employers without specific consent of the subscriber, member, or the member’s legal representative. If Concordia must release member-identifiable data or information to an employer (self-insured or fully insured), we require that the employer agree in writing to protect all data and information from being used in any decisions affecting the Member, and that the employer allows enrollees to access and/or amend their PHI. Summarized data without PHI will be provided to the employers, if possible.
If you would like a complete copy of the Concordia Privacy, Security and Confidentiality Policy and Procedure, or additional information regarding this, please call Concordia at 1-855-541-5300. For more information about the Health Insurance Portability and Accountability Act (HIPAA), visit the HIPAA information website at www.hhs.gov/ocr/privacy.