To effectively administer the claims processing of our client’s health benefit plans, Health Design Plus, Inc. (HDP) must collect and sometimes disclose Protected Health Information (PHI) of the plan participants.

This Notice describes how HDP may use and disclose your protected health information. This Notice also sets out the Plan’s legal obligations concerning your protected health information and describes your rights to control and access your health information under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), as amended by the Health Information Technology for Economic and Clinical Health Act. This notice has been drafted in accordance with the HIPAA Privacy Rule, contained in the Code of Federal Regulations at 45 CFR Parts 160 and 164. Terms not defined in this Notice have the same meaning as they have in the HIPAA Privacy Rule.

If you have any questions or want additional information about this Notice or the policies and procedures described in this Notice, please contact HDP using the Contact Information provided at the end of this Notice.

Under federal law, your patient health information and personal identifiers (PI) are protected and confidential. This notice describes how medical information about you may be used and disclosed and how you can get access to this information. Please review it carefully.

We reserve the right to change the terms of this notice and make the provisions of the new notice effective for all PHI/PI we maintain. Updates to this notice will be posted to when applicable.


We are required by law to maintain the privacy of your health information (PHI) as well as your personal identifiers (PI) and to provide you with this notice of our legal duties and privacy practices with respect to your information. When we use or disclose your Protected Health Information and/or personal identifiers, we are required to abide by the terms of this Notice (or other notice in effect at the time of the use or disclosure).


In certain situations, which we will describe in Section D below, we must obtain your written authorization in order to use and/or disclose your PHI. However, we do not need any type of authorization from you for the following uses and disclosures:

  1. Uses and Disclosures For Treatment, Payment and Healthcare Operations — We may use and disclose PHI, but not your Highly Confidential Information (defined in Section D below), in order to process payment for services provided to you and conduct our Healthcare Operations as detailed below:
    • Treatment — We disclose PHI to healthcare providers involved in your treatment. We may also disclose PHI for claims processing purposes, utilization review and care management, Disease Management, medical necessity review, coordination of benefits, subrogation and reimbursement procedures, administration of reinsurance and excess or stop loss insurance policies, and other activities.
    • Payment – We may use and disclose your PHI to process payment for services provided to you.
    • Healthcare Operations — We may use and disclose your PHI for our healthcare operations, which include internal administration and planning and various activities that may include business management, quality improvement and assurance, peer review, data and information systems management, credentialing of participating network/preferred providers, accreditation, eligibility enrollment, compliance, auditing, and other business functions that may be related to your employer’s group health plan. We may use PHI in quality assessment and improvement activities, such as credentialing of participating network/preferred providers, accreditation by the National Committee for Quality Assurance, American Accreditation HealthCare Commission (URAC), and other independent oversight organizations, where applicable.
  2. We may disclose your PHI related to payment of your healthcare to a family member, other relative, a close personal friend or any other person identified by you. We would disclose only information that we believe is relevant to the person’s involvement with payment related to your healthcare.
  3. We may disclose your PHI for the following public health activities: (1) to report health information to public health authorities for the purpose of preventing or controlling disease, injury or disability; (2) to report information about products and services under the jurisdiction of the U.S. Food and Drug Administration.
  4. We may disclose your PHI to a health oversight agency that oversees the healthcare system and is charged with responsibility for ensuring compliance with the rules of government health programs such as Medicaid or Medicare.
  5. We may disclose your PHI to the police or other law enforcement officials as required or permitted by law or in compliance with a court order or a grand jury or administrative subpoena.
  6. We may disclose your PHI to a coroner or medical examiner as authorized by law.
  7. We may use or disclose your PHI to prevent or lessen a serious and imminent threat to a person’s or the public’s health or safety.
  8. We may disclose your PHI as authorized by and to the extent necessary to comply with state law relating to workers’ compensation or other similar programs.
  9. We may use and disclose your PHI when required to do so by any other law not already referred to in the preceding categories.
  10. We may disclose your PHI to the Secretary of Health and Human Services (HHS) or any employee of HHS as part of an investigation to determine our compliance with the HIPAA Privacy Rules.
  11. We may disclose your PHI to another Business Associate as part of a contracted agreement to perform services for the group health plan. We may also disclose your PHI to a health oversight agency, such as the Department of Labor (DOL), the Internal Revenue Service (IRS) and the Insurance Commissioner’s Office, to respond to inquiries or investigations of the plan, requests to audit the plan, or to obtain necessary licenses.
  12. We may disclose your PHI to the Plan Sponsor, as necessary to carry out administrative functions of the plan such as evaluating renewal quotes for reinsurance of the plan, funding check registers, reviewing claim appeals, approving subrogation settlements and evaluating the performance of the plan.

The examples of permitted uses and disclosures listed above are not provided as an all-inclusive list of the ways in which PHI may be used. They are provided to describe in general the types of uses and disclosures that may be made.


Use or Disclosure with Your Authorization — For any purpose other than the ones described above in Section C, we may only disclose your PHI when you grant us your written authorization on our authorization form. In addition, federal and state law require special privacy protections for certain highly confidential information about you, including the subset of your PHI that is about HIV/AIDS testing, diagnosis or treatment. Most uses and disclosures of psychotherapy notes will require authorization.

HDP is required to disclose to you or your personal representative most of your protected health information when you request access to this information. HDP will disclose your protected health information to an individual who has been designated by you as your personal representative and who has qualified for such designation in accordance with relevant law. Prior to such a disclosure, however, HDP must be given written documentation that supports and establishes the basis for personal representation.

Uses or disclosures of protected health information for marketing purposes will require authorization.

A disclosure that constitutes the sale of protected health information (PHI) will require authorization.

The Privacy Rule requires a statement that the individual has the right to opt out of receiving fundraising communications.

Other uses and disclosures of your protected health information that are not described above will be made only with your written authorization. If you provide HDP with an authorization, you may revoke the authorization in writing, and this revocation will be effective for future uses and disclosures of protected health information. However, the revocation will not be effective for information that HDP has used or disclosed in reliance on the authorization.


The following is a description of your rights with respect to your protected health information:

  • Right to Request a Restriction — The HIPAA Privacy Rule provides that you may request a restriction on the protected health information HDP uses or discloses about you for payment or health care operations. It also provides that you have a right to request a limit on disclosures of your protected health information to family members or friends who are involved in your care or the payment for your care.
  • Right to Receive Confidential Communications — If you believe that a disclosure of all or part of your protected health information may endanger you, you may request that HDP communicate with you in an alternative manner or at an alternative location. For example, you may ask that all communications be sent to your work address. You may request a confidential communication using the Contact Information at the end of this Notice. Your request must specify the alternative means or location for communication with you. It also must state that the disclosure of all or part of the protected health information in a manner inconsistent with your instructions would put you in danger. HDP will accommodate a request for confidential communications that is reasonable and that states that the disclosure of all or part of your protected health information could endanger you.
  • Right to Request Access — You have the right to inspect and copy protected health information that may be used to make decisions about your benefits. You must submit your request in writing. For your convenience, you may request a form using the Contact Information at the end of this Notice. If you request copies, HDP may impose reasonable copy charges (which may include a labor charge), as well as postage if you request copies be mailed to you.

    Note that under federal law, you may not inspect or copy the following records: psychotherapy notes; information compiled in reasonable anticipation of, or use in, a civil, criminal, or administrative action or proceeding; and protected health information that is subject to law that prohibits access to protected health information. Depending on the circumstances, a decision to deny access may be reviewable. In some, but not all circumstances, you may have a right to have this decision reviewed.

  • Right to Request an Amendment — You have the right to request an amendment of your protected health information held by HDP if you believe that information is incorrect or incomplete. If you request an amendment of your protected health information, your request must be submitted in writing using the Contact Information at the end of this Notice and must set forth a reason(s) in support of the proposed amendment.

    In certain cases, HDP may deny your request for an amendment. For example, HDP may deny your request if the information you want to amend is accurate and complete or was not created by HDP. If HDP denies your request, you have the right to file a statement of disagreement. Your statement of disagreement will be included with the disputed information and all future disclosures of the disputed information will include your statement.

  • Right to Request an Accounting — You have the right to request an accounting of certain disclosures HDP has made of your protected health information. You may request an accounting using the Contact Information at the end of this Notice. You can request an accounting of disclosures made up to six years prior to the date of your request, except that HDP is not required to account for disclosures made prior to April 14, 2003. You are entitled to one accounting free of charge during a twelve-month period. HDP will notify you of the cost involved and you may choose to withdraw or modify your request before any costs are incurred.
  • Right to restrict certain disclosure of PHI — You have the right to restrict certain disclosure of PHI to the health plan when you have paid in full for a health care item or service.
  • Right to be notified of a Breach — You have the right to be notified in the event that HDP discovers a breach of unsecured protected health information.
  • Right to a Paper Copy of this Notice — You have the right to a paper copy of this Notice, even if you have agreed to accept this Notice electronically. To obtain such a copy, please contact HDP using the Contact Information at the end of this Notice.

Uses and disclosures not addressed may require a written authorization from the member. If you believe your privacy rights have been violated, you may file a complaint with Health Design Plus or the Secretary of Health and Human Services. Complaints should be filed, in writing, with the Compliance Officer listed in this Notice. The plan will not retaliate against you for filing a complaint.


The individual has the right to opt out of receiving fundraising communications.

HDP reserves the right to change the provisions of this Notice and make the new provisions effective for all protected health information that it maintains. If HDP makes a material change to this Notice, it will provide a revised Notice to you at the address that HDP has on record for the participant enrolled in the Health Plan.


In the event of any “breach” of “unsecured PHI” in HDP’s control, as defined in Sec. 13402 of the American Reinvestment and Recovery Act of 2009 (“ARRA”) and the Breach Notification Rule as modified by HHS, HDP must notify HHS of all breaches of unsecured PHI affecting fewer than 500 individuals no later than 60 days after the end of the calendar year in which the breaches were discovered. All breaches involving 500 or more individuals must be immediately reported to HHS.


If you have any questions, requests or complaints, please contact:

Health Design Plus
Compliance Officer
1755 Georgetown Road
Hudson, OH 44236
P: (330) 656-1072

Effective Date of This Notice: April 14, 2003
Amended: July 11, 2007
ARRA Effective date: 9-23-2009
Amended: February 1, 2010
HIPAA Omnibus Rule effective: March 26, 2013
Amended: June 24, 2013

* Information we collect through our Internet website is subject to our Web Privacy Statement, which is also available on our website.