HIPAA Notice of Privacy Practices

Effective Date: January 1, 2026  ·  Last Updated: April 1, 2026

⚕️ THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY. This notice is required by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its implementing regulations.
Section 01

About This Notice

This Notice of Privacy Practices ("Notice") describes the privacy practices of HealthPass by Legacy Health Network and its affiliated healthcare providers operating under the Legacy Health Network and ChiroFirst Alliance ("we," "our," or "us"). It explains how we may use and disclose your protected health information (PHI), your rights regarding that information, and our legal obligations.

We are required by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its implementing regulations (45 CFR Parts 160 and 164) to maintain the privacy of your protected health information, to provide you with this Notice of our legal duties and privacy practices, and to follow the terms of the Notice currently in effect.

Effective Date: This Notice is effective January 1, 2026. We reserve the right to change this Notice and to make the revised Notice effective for protected health information we already have about you, as well as any information we receive in the future. We will post the current Notice on our website and make copies available upon request.
Section 02

Who We Are

HealthPass by Legacy Health Network operates as part of an Organized Health Care Arrangement (OHCA) that includes Legacy Health Network providers and ChiroFirst Alliance affiliated practices. This means that covered entities participating in our network may share your protected health information with each other for treatment, payment, and health care operations purposes as permitted by HIPAA.

We have entered into Business Associate Agreements (BAAs) with all third-party vendors and partners who may create, receive, maintain, or transmit protected health information on our behalf, requiring them to appropriately safeguard your information consistent with HIPAA requirements.

Covered Entities: This Notice applies to all healthcare providers, care coordinators, and administrative staff operating under the HealthPass by Legacy Health Network umbrella who may access, use, or disclose your protected health information.
Section 03

What Is Protected Health Information

Protected Health Information (PHI) is any individually identifiable health information that we create, receive, maintain, or transmit in connection with providing health care services or health plan administration. PHI includes information about your:

Past, present, or future physical or mental health condition
Provision of health care — services you have received or may receive
Payment for health care — past, present, or future payment for services

PHI includes information in any form — written, oral, or electronic — that can be used to identify you. Examples include your name, address, date of birth, Social Security number, medical record number, health plan beneficiary number, diagnosis codes, treatment notes, and prescription information when linked to your identity.

Electronic PHI (ePHI) refers to PHI that is created, stored, transmitted, or received in electronic form. We apply appropriate technical, administrative, and physical safeguards to protect ePHI in compliance with the HIPAA Security Rule.

Section 04

How We May Use & Disclose Your Health Information

HIPAA permits us to use and disclose your protected health information without your written authorization for the following primary purposes:

Treatment

We may use and disclose your PHI to provide, coordinate, or manage your health care and related services. This includes sharing information with physicians, chiropractors, specialists, therapists, and other health care providers involved in your care — both within and outside the Legacy Health Network — to ensure you receive appropriate, coordinated treatment.

Example: Your primary care provider may share your medical history with a ChiroFirst Alliance chiropractor to coordinate your musculoskeletal care plan.

Payment

We may use and disclose your PHI to obtain payment for the health care services we provide, or to facilitate payment for services provided by other covered entities. This includes billing, claims processing, eligibility verification, prior authorization, and coordination of benefits with your insurance carrier or HSA administrator.

Example: We may submit claims information including diagnosis and procedure codes to your insurance carrier to obtain reimbursement for services covered under your HealthPass HDHP plan.

Health Care Operations

We may use and disclose your PHI for health care operations necessary to run our organization and improve the quality of care we provide. This includes quality assessment, care coordination, training, credentialing, accreditation, auditing, compliance activities, and business management functions.

Example: We may review member utilization patterns in de-identified form to evaluate the effectiveness of our whole-person care model and improve service delivery.

Health Care Arrangements

As noted above, we participate in an Organized Health Care Arrangement with Legacy Health Network providers and ChiroFirst Alliance. Within this arrangement, we may share your PHI for joint treatment, payment, and operations activities without separate authorization, consistent with HIPAA.

Section 05

Other Permitted Disclosures

In addition to treatment, payment, and operations, HIPAA permits or requires us to disclose your PHI in certain other circumstances without your written authorization:

As Required by Law

We will disclose your PHI when required to do so by federal, state, or local law, including in response to a court order, subpoena, or other lawful process.

Public Health Activities

We may disclose your PHI to public health authorities authorized to collect information for the purpose of preventing or controlling disease, injury, or disability, including reporting births and deaths, reporting child abuse or neglect, and reporting reactions to medications or problems with products.

Health Oversight Activities

We may disclose your PHI to a health oversight agency for activities authorized by law, such as audits, investigations, inspections, and licensure activities, including disclosures to the U.S. Department of Health and Human Services (HHS) Office for Civil Rights.

Serious Threats to Health or Safety

We may use or disclose your PHI when necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public, consistent with applicable law and ethical standards.

Workers' Compensation

We may disclose your PHI as authorized by and to the extent necessary to comply with laws relating to workers' compensation or other similar programs established by law.

Law Enforcement

We may disclose your PHI to law enforcement officials for limited purposes permitted by HIPAA, including to identify or locate a suspect, fugitive, material witness, or missing person, and to report certain types of wounds or injuries.

Decedents

We may disclose PHI about a deceased individual to a coroner, medical examiner, or funeral director as necessary for their lawful duties, and to organ procurement organizations in limited circumstances.

Research

We may use or disclose your PHI for research purposes when an Institutional Review Board or Privacy Board has approved the research and established appropriate protocols to protect the privacy of your health information, or when the research involves only de-identified data.

Uses Not Listed Here: Any use or disclosure of your PHI not described in this Notice will be made only with your written authorization, which you may revoke at any time as described in Section 8.
Section 06

Your Rights Regarding Your Health Information

You have the following rights with respect to your protected health information. To exercise any of these rights, please submit a written request to our Privacy Officer using the contact information in Section 12.

Right to Access & Copy

You have the right to inspect and obtain a copy of your PHI in our designated record set. We must provide access within 30 days of your request. We may charge a reasonable cost-based fee for copies.

Right to Amend

You may request that we amend PHI that you believe is incorrect or incomplete. We may deny your request under certain circumstances and will explain the reason in writing.

Right to an Accounting

You may request a list of disclosures of your PHI made by us in the six years prior to your request, excluding disclosures for treatment, payment, operations, and certain other exceptions.

Right to Request Restrictions

You may request restrictions on how we use or disclose your PHI. We are not required to agree to most restrictions, but if we do agree, we are bound by that agreement except in emergencies.

Right to Confidential Communications

You may request that we communicate with you about health matters in a certain way or at a certain location. We will accommodate reasonable requests that specify how or where you wish to be contacted.

Right to Electronic Copy

If your PHI is maintained electronically, you have the right to request an electronic copy of your health information in a format you specify, if readily producible, or in a readable electronic format.

Right to a Paper Copy of This Notice

You have the right to a paper copy of this Notice at any time, even if you have agreed to receive it electronically. Contact us to request a paper copy.

Right to Restrict Disclosures to Health Plans

If you pay out-of-pocket in full for a specific service, you may request that we not disclose PHI about that service to your health plan. We are required to honor this request.

How to Exercise Your Rights: All requests must be submitted in writing to our Privacy Officer. We will respond to your request within 30 days. If we need additional time (up to 60 days), we will notify you in writing explaining the reason for the delay.
Section 07

Our Legal Duties

We are required by law to:

Maintain the privacy and security of your protected health information
Provide you with this Notice of our legal duties and privacy practices with respect to PHI
Follow the terms of the Notice that is currently in effect
Notify you if we are unable to agree to a requested restriction
Accommodate reasonable requests to receive communications of PHI by alternative means or at alternative locations
Not use or disclose your PHI except as described in this Notice or as otherwise permitted or required by law
Notify you following a breach of your unsecured protected health information as required by the HIPAA Breach Notification Rule (45 CFR Part 164, Subpart D)

We reserve the right to change our privacy practices and the terms of this Notice at any time, provided such changes are permitted by applicable law. Changes to our privacy practices will apply to all PHI we maintain, including information created or received prior to the change. When we make a material change to this Notice, we will revise the effective date and make the updated Notice available on our website and upon request.

Section 08

Uses Requiring Your Written Authorization

Other than the uses and disclosures described in this Notice, we will only use or disclose your PHI with your written authorization. You have the right to revoke your authorization at any time by notifying us in writing. However, revocation will not apply to uses or disclosures already made in reliance on your authorization prior to receiving your written revocation.

The following uses and disclosures require your specific written authorization:

Most uses of psychotherapy notes — notes recorded by a mental health professional documenting the contents of a counseling session
Marketing communications — uses of PHI for marketing purposes, except for face-to-face communications and promotional gifts of nominal value
Sale of PHI — we will never sell your protected health information
Any other use or disclosure not described in this Notice

We Do Not Sell Your PHI. HealthPass by Legacy Health Network will never sell your protected health information to any third party for any purpose, including marketing or advertising.
Section 09

Minors & Dependent Members

In general, a parent or legal guardian is the personal representative of a minor child and may access the child's protected health information. However, there are exceptions under state and federal law where a minor may consent to certain types of care independently, in which case the minor may have privacy rights independent of their parent or guardian.

Oregon law provides minors with the right to consent to certain services — including mental health counseling, substance use treatment, and reproductive health services — without parental consent. In these circumstances, we may be required to keep that information confidential from the parent or guardian, consistent with applicable Oregon law and HIPAA.

When a minor is enrolled as a dependent under a parent or guardian's HealthPass benefit plan, the parent or guardian may receive explanation of benefits statements and other plan communications that may reference services the minor received. If you have concerns about confidentiality of a minor's health information, please contact our Privacy Officer.

Section 10

Breach Notification

In the event of a breach of your unsecured protected health information, we are required by the HIPAA Breach Notification Rule (45 CFR §§ 164.400–414) to notify you without unreasonable delay and in no case later than 60 days following discovery of the breach.

Breach notification will be provided to you by first-class mail at the last known address we have on file, or by email if you have specified a preference for email communication. If the breach affects 500 or more individuals in a state or jurisdiction, we will also provide notification to prominent media outlets and to the Secretary of HHS.

Breach notification will include, to the extent possible: a brief description of the breach, the types of information involved, steps you should take to protect yourself from potential harm, a brief description of what we are doing to investigate, mitigate harm, and prevent future breaches, and contact information for you to ask questions or receive further information.

Security Incident Response: We maintain a documented incident response plan and conduct regular security training with all staff who handle protected health information. In the event of a suspected breach, we will act immediately to contain the incident and assess potential harm to affected individuals.
Section 11

Filing a Complaint

If you believe your privacy rights have been violated, you have the right to file a complaint with us or with the U.S. Department of Health and Human Services Office for Civil Rights.

File a Complaint with Us

You may submit a written complaint to our Privacy Officer using the contact information in Section 12. We will investigate all complaints and respond in writing within 30 days. We will not retaliate against you in any way for filing a complaint.

File a Complaint with HHS

You may file a complaint directly with the U.S. Department of Health and Human Services, Office for Civil Rights:

Online: hhs.gov/ocr/privacy/hipaa/complaints
By mail: Office for Civil Rights, U.S. Department of Health and Human Services, 200 Independence Avenue, SW, Washington, D.C. 20201
By phone: 1-800-368-1019 (toll-free)  ·  1-800-537-7697 (TDD)

No Retaliation. We will not penalize, intimidate, threaten, coerce, discriminate against, or take any retaliatory action against any individual for exercising their privacy rights or for filing a complaint with us or with HHS.
Section 12

Contact Our Privacy Officer

For questions about this Notice, to exercise your privacy rights, to request a paper copy of this Notice, or to file a privacy complaint, please contact our designated Privacy Officer:

Privacy Officer — HealthPass by Legacy Health Network
HealthPass by Legacy Health Network
Legacy Health Network
Medford, Oregon

Email: privacy@healthpassbylegacy.com
Subject Line: HIPAA Privacy Request
Website: healthpassbylegacy.com

All written requests will be acknowledged within 5 business days. We will provide a substantive response within 30 days of receiving your request, with a possible extension of up to 60 additional days for complex requests. We will notify you in writing if an extension is necessary.