HIPAA Notice of Privacy Practices for Personal Health Information

This notice describes how medical information about you may be used and disclosed and how you can get access to this information. Please review it carefully.

The Department of Personnel and Administration (DPA) of the State of Colorado (State) is committed to protecting the privacy of health information maintained by the group health plans sponsored by the State. This is your Health Information Privacy Notice from the State of Colorado’s medical insurance plan (referred to as We or Us). This notice is solely for your information. You do not need to take any action. In this notice, the terms your “medical information” or your “health information” or your “Personal Health Information” (PHI) mean personal information that identifies you and that relates to your past, present, or future physical or mental health; the provision of health care services to you; or the payment of health care services provided to you.

This notice provides you with information about the way in which We protect PHI that We have about you. The Health Insurance Portability and Accountability Act (“HIPAA”) requires Us to: keep PHI about you private; provide you this notice of our legal duties and privacy notices with respect to your PHI; and follow the terms of the notice that are currently in effect.

The effective date of this notice is February 16, 2026, and this notice replaces notices previously distributed to you.

The group health plans are administered by select State Employees and third party administrators. For a more detailed explanation of the limited ways that State employees provide plan administration functions, please see the section below on Plan Sponsor.

This notice explains how we use your health information and when we can share that information with others. It also informs you of your rights with respect to your health information and how you can exercise those rights. We are required to follow the terms of this notice until the notice is replaced. We reserve the right to change the terms of this notice and to make the new notice effective for all protected health information we maintain. Once revised, we will provide you with a copy of the new notice.

How We May Use Or Disclose Your Health Information

We obtain PHI in the course of providing and/or administering health insurance benefits for you. In administering your benefits, We may use and/or disclose PHI about you and your dependents. The following are some examples; however, not every use or disclosure in a category will be listed.

Treatment. We may use and disclose information when communicating with your Physicians to help them provide medical care to you. For example, we might suggest to your Physician a disease management or wellness program that could improve your health.

Payment. We may use and disclose information about you so that the medical services you receive can be properly billed and paid. For example, we may need to give your insurance information to health care providers so they can bill us for treating you.

Operations. We may use and disclose information about you for our business operations. For example, we may disclose information about you to consultants who provide legal, actuarial, or auditing services. We will not disclose your health information to outside groups unless they agree in writing to keep it protected.

Data Aggregation. For example, We may combine PHI about many insured participants to make plan benefit decisions and to determine the appropriate premium rate to charge.

Research. We may use or disclose information to conduct research as permitted by the HIPAA privacy rule.

To You About Dependents. For example, We may use and disclose PHI about your dependents for any purpose identified herein. We may provide an explanation of benefits for you or any of your dependents to you.

To Business Associates. For example, We may disclose PHI to administrators who are contracted with us who may use the PHI to administer health insurance benefits on our behalf and such administrators may further disclose PHI to their contractors or vendors as necessary for the administration of health insurance benefits.

We may also use or disclose your health information for other health-related Benefits and services. For example, we may send you appointment reminders or information about programs that may be of interest to you, such as smoking cessation or weight loss.

There are also state and federal laws that may require or allow us to use or disclose your health information without your authorization. The examples below are provided to describe generally the ways in which we may use or disclose your information.

  • To state and federal regulatory agencies;
  • For public health activities;
  • To public health agencies if we believe there is a serious health or safety threat;
  • With a health oversight agency for certain activities such as audits and examinations;
  • To a court or administrative agency pursuant to a court order or search warrant;
  • For law enforcement purposes;
  • To a government authority regarding child abuse, neglect, or domestic violence;
  • With a coroner or medical examiner, or with a funeral director;
  • For procurement, banking or transplantation of organs, eyes, or tissue;
  • For specialized government functions, such as military activities and national security;
  • Due to the requirements of state worker compensation laws.

Plan Sponsor

Health information may be disclosed to or used by the State, as plan sponsor. For example, We may disclose to the State, information on whether you are participating in, enrolled in, or dis-enrolled from a group health plan. We may also disclose to the State, as plan sponsor, health information necessary to administer the group health plans. For example, the State may need your health information to review denied claims, to audit or monitor the business operations of the group health Plans, or to ensure that the group health Plans are operating effectively and efficiently. We will not use or disclose your health information to the State for any employment-related functions. State employees who perform services to administer the group health plans are primarily, but not exclusively, in DPA’s Division of Human Resources, Employee Benefits Unit. When State employees are conducting plan administration functions, they are acting as an administrator of the group health plans. Group health plan administrators will keep your health information separate from employment information and will not share it with anyone not involved in plan administration. For us to use or disclose your health information for any reason other than those identified in this section (“How We May Use or Disclose Your Health Information”), we must get written authorization from you. You may revoke the authorization at any time, but your revocation must also be in writing. The revocation will not affect any uses or disclosures consistent with the authorization made prior to receipt of the revocation by DPA’s HIPAA Compliance Officer.

Your Rights Regarding PHI That We Maintain About You

You have various rights as a consumer under HIPAA concerning your PHI. You may exercise any of these rights by writing to Us in care of:

HIPAA Privacy Officer
State of Colorado
Colorado Department of Personnel and Administration
Division of Human Resources
1313 Sherman, First Floor
Denver, Colorado 80203

The following are your rights with respect to your health information:

You have the right to ask us to restrict how we use or disclose your information for treatment, payment, or health care operations. All requests must be made in writing and state the specific restriction requested. We will try to honor your request, but we are not required to agree to a restriction. 

You have the right to ask to receive confidential communications of information. For example, if you believe you would be harmed if we send information to your current mailing address (for example, in situations involving domestic disputes or violence), you can ask us to send the information by alternative means (for example, by telephone) or to an alternative address. We will accommodate a reasonable request if the normal method of disclosure could endanger you and you state that in your request. Any such request must be made in writing.

You have the right to inspect and obtain a copy of information that we maintain about you in your designated record set. A “designated record set” is a group of records that may include enrollment, payment, claims adjudication, and case or medical management records. However, you do not have the right to access certain types of information such as psychotherapy notes and information compiled for legal proceedings. If we deny your request, we will notify you in writing and may provide you with a right to have the denial reviewed.

You have the right to ask us to amend the information we maintain about you in your designated record set (as defined above). Your request must be made in writing and you must provide a reason for the request. If we agree to your request, we will amend our records accordingly. We will also provide the amendment to any person that we know has received your health information from us, and to other persons identified by you. If we deny your request, we will notify you in writing of the reason for the denial. Reasons may include that the information was not created by us, is not part of the designated record set, is not information that is available for inspection, or that the information is accurate and complete.

You have the right to receive an accounting of certain disclosures of your information made by us during the six years prior to your request, but no earlier than July 1, 2005. We are not required to account for certain disclosures, such as disclosures made for purposes of treatment, payment, or health care operations, and disclosures made to you or authorized by you. Your request must be made in writing. Your first accounting in a 12-month period will be free. We may charge you a fee for additional accountings made within 12 months of the free accounting. We will inform you in advance of the fee and provide you with an opportunity to withdraw or modify your request.

You have a right to receive a copy of this notice upon request at any time. Even if you have agreed to receive this notice electronically, you are still entitled to a paper copy of this notice upon request. You may request a paper copy of this notice by submitting the request to: HIPAA Privacy Officer, State of Colorado, Department of Personnel and Administration, Division of Human Resources, 1313 Sherman Street, First Floor, Denver, Colorado 80203.

Additional Rights under HIPAA

  • Most uses of and disclosures of PHI for marketing purposes and sales of PHI require your authorization.
  • Most uses of and disclosures of psychotherapy notes require your authorization.
  • You may be contacted to help raise funds and have the right to opt out of receiving such communications.
  • You retain the right to obtain an electronic copy of the PHI maintained about you.
  • You retain the right to be notified of a breach of your unsecured PHI.
  • Substance use disorder treatment records (SUD Records) received from a program covered by 42 CFR Part 2 (a “Part 2 Program”), or testimony relaying the content of such records, shall not be used or disclosed in civil, criminal, administrative, or legislative proceedings against the individual unless based on written consent, or a court order after notice and an opportunity to be heard is provided to the individual or the holder of the record, as provided under law. A court order authorizing use or disclosure must be accompanied by a subpoena or other legal requirement compelling disclosure before the requested SUD Record is used or disclosed.
  • If the Plan receives SUD Records about you from a Part 2 Program pursuant to a consent you provided to the Part 2 Program to use and disclose your SUD records for all future purposes of treatment, payment or health care operations, the Plan may use and disclose your SUD records for the purposes of treatment, payment or health care operations, as described above, consistent with such consent until the Plan receives notification that you have revoked such consent in writing. When disclosed to the Plan for treatment, payment, and health care operations activities, the Plan may further disclose those SUD records in accordance with HIPAA regulations, except for uses and disclosures for civil, criminal, administrative, and legislative proceedings against you.

Contacts

For further information, to receive a copy of this notice, or if you believe your privacy rights may have been violated and you want to file a complaint, please contact Department of Personnel and Administration’s HIPAA Compliance Officer by U.S. mail or by e-mail, as follows:

U.S. Mail:

HIPAA Compliance Officer
State of Colorado
Department of Personnel and Administration
Division of Human Resources
1313 Sherman Street, First Floor
Denver, CO 80203

E-mail:

dpahipaacompliance@state.co.us

You may also notify the Secretary of the U.S. Department of Health and Human Services of your complaint. No action will be taken against you for exercising your rights or for filing a complaint.

Changes To This Notice

We reserve the right to modify this Privacy Notice and our privacy policies at any time. If We make any modifications, the new terms and policies will apply to all PHI that We maintain, before and after the effective date of the modifications. If We make material changes, We will send a new notice to the insured/subscribers.