Revised Effective July 20, 2020

Covered Entities Duties:
OrchestrateHR (referred to as “we”) is a Business Associate as defined and regulated under the Health Insurance Portability and Accountability Act of 1996 (HIPAA).  In accordance with its obligations as a Business Associate, OrchestrateHR is required by law to maintain the privacy of protected health information (PHI) of its clients and their plan participants, provide Notice of our legal duties and privacy practices related to PHI in which we are entrusted, abide by the terms of the Notice that is currently in affect and notify impacted individuals in the event of a breach of their unsecured PHI.

PHI is information about a plan participant, including demographic information, that can reasonably be used to identify that individual and that relates to their past, present or future physical or mental health or condition, the provision of health care to a plan participant or the payment for that care. 

This Notice describes how we may use and disclose PHI.  It also describes rights to access, amend and manage PHI and how to exercise those rights.  All other uses and disclosures of PHI not described in this Notice will be made only with their written authorization.

OrchestrateHR reserves the right to change this Notice. We reserve the right to make the revised or changed Notice effective for PHI we already have as well as any of PHI we receive in the future.  OrchestrateHR will promptly revise and distribute this Notice whenever there is a material change to the following:

  • Uses or disclosures
  • Their rights
  • Our legal duties
  • Other privacy practices stated in the notice

We will make any revised Notices available on our website.

Internal Protections of Oral, Written and Electronic PHI:
OrchestrateHR protects PHI of plan participants. These are some of the ways we protect PHI.

  • We train our staff to follow our privacy and security processes.
  • We require our business associates to follow privacy and security processes.
  • We keep our offices secure.
  • We talk about PHI only for a business reason with people who need to know.
  • We keep PHI secure when we send it or store it electronically.
  • We use technology to keep the wrong people from accessing PHI.

Permissible Uses and Disclosures of PHI:
The following is a list of how we may use or disclose PHI without permission or authorization:

  • Treatment – We may use or disclose PHI to a physician or other health care provider providing treatment to a plan participant, to coordinate their treatment among providers, or to assist us in making prior authorization decisions related to their benefits.
  • Payment – We may use and disclose PHI to make benefit payments for the health care services provided to a plan participant. We may disclose PHI to another health plan, to a health care provider, or other entity subject to the federal Privacy Rules for their payment purposes. Payment activities may include:
    • processing claims
    • determining eligibility or coverage for claims
    • issuing premium billings
    • reviewing services for medical necessity
    • performing utilization review of claims
  • Health Care Operations – We may use and disclose PHI to perform our health care operations.  These activities may include:
    • providing customer services
    • responding to complaints and appeals
    • providing case management and care coordination
    • conducting medical review of claims and other quality assessment
    • improvement activities 

In our health care operations, we may disclose PHI to business associates. We will have written agreements to protect the privacy of PHI with these associates. We may disclose PHI to another entity that is subject to the federal Privacy Rules. The entity must also have a relationship with a plan participant for its health care operations. This includes the following:

      • quality assessment and improvement activities
      • reviewing the competence or qualifications of health care professionals
      • case management and care coordination
      • detecting or preventing health care fraud and abuse
  • Group Health Plan/Plan Sponsor Disclosures – We may disclose their protected health information to a sponsor of the group health plan, such as an employer or other entity that is providing a health care program to a plan participant, if the sponsor has agreed to certain restrictions on how it will use or disclose the protected health information (such as agreeing not to use the protected health information for employment-related actions or decisions).

Other Permitted or Required Disclosures of PHI:

  • Underwriting Purposes – We may use or disclosure PHI for underwriting purposes, such as to make a determination about a coverage application or request. If we do use or disclose PHI for underwriting purposes, we are prohibited from using or disclosing PHI that is genetic information in the underwriting process.  
  • As Required by Law – If federal, state, and/or local law requires a use or disclosure of PHI, we may use or disclose PHI to the extent that the use or disclosure complies with such law and is limited to the requirements of such law.  If two or more laws or regulations governing the same use or disclosure conflict, we will comply with the more restrictive laws or regulations.
  • Public Health Activities – We may disclose PHI to a public health authority for the purpose of preventing or controlling disease, injury, or disability.  We may disclosure PHI to the Food and Drug Administration (FDA) to ensure the quality, safety or effectiveness of products or services under the jurisdiction of the FDA. 
  • Victims of Abuse and Neglect – We may disclose PHI to a local, state, or federal government authority, including social services or a protective services agency authorized by law authorized by law to receive such reports if we have a reasonable belief of abuse, neglect or domestic violence.
  • Judicial and Administrative Proceedings – We may disclose PHI in judicial and administrative proceedings. We may also disclose it in response to the following:
    • an order of a court
    • administrative tribunal
    • subpoena
    • summons
    • warrant
    • discovery request
    • similar legal request
  • Law Enforcement– We may disclose their relevant PHI to law enforcement when required to do so, including to identify or locate a suspect, fugitive, material witness, or missing person. For example, in response to a:
    • Court order
    • Court ordered warrant
    • Subpoena
    • Summons by a judicial office
    • Grand jury subpoena
  • Coroners, Medical Examiners and Funeral Directors – We may disclose PHI to a coroner or medical examiner.  This may be necessary, for example, to determine a cause of death.  We may also disclose PHI to funeral directors, as necessary, to carry out their duties.
  • Organ, Eye and Tissue Donation – may disclose PHI to organ procurement organizations. We may also disclose PHI to those who work in procurement, banking or transplantation of:
    • cadaveric organs
    • eyes
    • tissues
  • Threats to Health and Safety – We may use or disclose PHI if we believe, in good faith, that the use or disclosure is necessary to prevent or lessen a serious or imminent threat to the health or safety of a person or the public.
  • Specialized Government Functions – If a plan participant is a member of U.S. Armed Forces, we may disclose PHI as required by military command authorities.  We may also disclose PHI:
    • to authorized federal officials for national security and intelligence activities
    • the Department of State for medical suitability determinations
    • for protective services of the President or other authorized persons
  • Workers’ Compensation – We may disclose PHI to comply with laws relating to workers’ compensation or other similar programs, established by law, that provide benefits for work-related injuries or illness without regard to fault.
  • Emergency Situations – We may disclose PHI in an emergency situation, or if a plan participant is incapacitated or not present, to a family member, close personal friend, authorized disaster relief agency, or any other person previous identified by a plan participant.  We will use professional judgment and experience to determine if the disclosure is in their best interests.  If the disclosure is in their best interest, we will only disclose the PHI that is directly relevant to the person’s involvement in their care.
  • Inmates – If a plan participant is an inmate of a correctional institution or under the custody of a law enforcement official, we may release PHI to the correctional institution or law enforcement official, where such information is necessary for the institution to provide a plan participant with health care, to protect their health or safety, or the health or safety of others, or for the safety and security of the correctional institution.
  • Research –Under certain circumstances, we may disclose PHI to researchers when their clinical research study has been approved and where certain safeguards are in place to ensure the privacy and protection of PHI.

Uses and Disclosures of PHI That Require Their Written Authorization

We are required to obtain written authorization to use or disclose PHI, with limited exceptions, for the following reasons:

  • Sale of PHI – We will request their written authorization before we make any disclosure that is deemed a sale of PHI, meaning that we are receiving compensation for disclosing the PHI in this manner.
  • Marketing – We will request their written authorization to use or disclose PHI for marketing purposes with limited exceptions, such as when we have face-to-face marketing communications with a plan participant or when we provide promotional gifts of nominal value.
  • Psychotherapy Notes – We will request their written authorization to use or disclose any of their psychotherapy notes that we may have on file with limited exception, such as for certain treatment, payment or health care operation functions.

Individuals Rights
The following are rights concerning PHI.  If a plan participant would like to use any of the following rights, please contact us using the information at the end of this Notice.

  • Right to Revoke an Authorization– A plan participant may revoke their authorization at any time, the revocation of their authorization must be in writing.  The revocation will be effective immediately, except to the extent that we have already taken actions in reliance of the authorization and before we received their written revocation.
  • Right to Request Restrictions – A plan participant has the right to request restrictions on the use and disclosure of PHI for treatment, payment or health care operations, as well as disclosures to persons involved in their care or payment of their care, such as family members or close friends.  Their request should state the restrictions a plan participant is requesting and state to whom the restriction applies.  We are not required to agree to this request.  If we agree, we will comply with their restriction request unless the information is needed to provide a plan participant with emergency treatment.  However, we will restrict the use or disclosure of PHI for payment or health care operations to a health plan when a plan participant has paid for the service or item out of pocket in full.
  • Right to Request Confidential Communications – A plan participant has the right to request that we communicate with a plan participant about PHI by alternative means or to alternative locations.   This right only applies in the following circumstances:  (1) the communication discloses medical information or provider name and address relating to receipt of sensitive services, or (2) disclosure of all or part of the medical information or provider name and address could endanger a plan participant if it is not communicated by the alternative means or to the alternative location a plan participant want. A plan participant do not have to explain the reason for their request, but their request must clearly state that either the communication discloses medical information or provider name and address relating to receipt of sensitive services or that disclosure of all or part of the medical information or provider name and address could endanger a plan participant if the communication means or location is not changed. We must accommodate their request if it is reasonable and specifies the alternative means or location where PHI should be delivered.
  • Right to Access and Received Copy of PHI – A plan participant has the right, with limited exceptions, to look at or get copies of PHI contained in a designated record set.  A plan participant may request that we provide copies in a format other than photocopies.  We will use the format a plan participant request unless we cannot practicably do so.  A plan participant must make a request in writing to obtain access to PHI.  If we deny their request, we will provide a plan participant a written explanation and will tell a plan participant if the reasons for the denial can be reviewed and how to ask for such a review or if the denial cannot be reviewed.
  • Right to Amend PHI – A plan participant has the right to request that we amend, or change, PHI if a plan participant believe it contains incorrect information.  Their request must be in writing, and it must explain why the information should be amended.  We may deny their request for certain reasons, for example if we did not create the information a plan participant want amended and the creator of the PHI is able to perform the amendment. If we deny their request, we will provide a plan participant a written explanation. A plan participant may respond with a statement that a plan participant disagrees with our decision and we will attach their statement to the PHI a plan participant request that we amend.  If we accept their request to amend the information, we will make reasonable efforts to inform others, including people a plan participant name, of the amendment and to include the changes in any future disclosures of that information.
  • Right to Receive an Accounting of Disclosures – A plan participant has the right to receive a list of instances within the last 6 years period in which we or our business associates disclosed PHI.  This does not apply to disclosure for purposes of treatment, payment, health care operations, or disclosures a plan participant authorized and certain other activities. If a plan participant request this accounting more than once in a 12-month period, we may charge a plan participant a reasonable, cost-based fee for responding to these additional requests. We will provide a plan participant with more information on our fees at the time of their request.
  • Right to File a Complaint – If a plan participant feels their privacy rights have been violated or that we have violated our own privacy practices, a plan participant can file a complaint with us in writing or by phone using the contact information at the end of this Notice.  For Medi-Cal member complaints, members may also contact the California Department of Health Care Services listed in the next section. 

A plan participant can also file a complaint with the Secretary of the U.S. Department of Health and Human Services Office for Civil Rights by sending a letter to 200 Independence Avenue, S.W., Washington, D.C. 20201 or calling 1-800-368-1019, (TTY: 1-866-788-4989) or visiting 


  • Right to Receive a Copy of this Notice – A plan participant may request a copy of our Notice at any time by using the contact information list at the end of the Notice.  If a plan participant receives this Notice on our web site or by electronic mail (e-mail), a plan participant is also entitled to request a paper copy of the Notice.

Contact Information
If a plan participant or client has any questions about this Notice, our privacy practices related to PHI or how to exercise their rights as a plan participant, that individual or a client representative can contact us in writing or by

OrchestrateHR, Inc.
Attn: Privacy Official
15305 Dallas Pkwy, Suite 800
Addison, TX 75001




We are committed to maintaining the confidentiality of personal financial information. For the purposes of this notice, “personal financial information” means information about an enrollee or an applicant for health care coverage that identifies the individual, is not generally publicly available, and is collected from the individual or is obtained in connection with providing health care coverage to the individual.

Information We Collect: We collect personal financial information about a plan participant from the following sources:

  • Information we receive from a plan participant on applications or other forms, such as name, address, age, medical information and Social Security number;
  • Information about their transactions with us, our affiliates or others, such as premium payment and claims history; and
  • Information from consumer reports.  

Disclosure of Information: We do not disclose personal financial information about our enrollees or former enrollees to any third party, except as required or permitted by law. For example, in the course of our general business practices, we may, as permitted by law, disclose any of the personal financial information that we collect about a plan participant, without their authorization, to the following types of institutions:

  • To our corporate affiliates, such as other insurers;
  • To nonaffiliated companies for our everyday business purposes, such as to process their transactions, maintain their account(s), or respond to court orders and legal investigations; and
  • To nonaffiliated companies that perform services for us, including sending promotional communications on our behalf.

Confidentiality and Security: We maintain physical, electronic and procedural safeguards, in accordance with applicable state and federal standards, to protect their personal financial information against risks such as loss, destruction or misuse. These measures include computer safeguards, secured files and buildings, and restrictions on who may access their personal financial information.

Questions about this Notice: If a plan participant has any questions about this notice, please contact us:

OrchestrateHR, Inc.
Attn: Privacy Official
15305 Dallas Pkwy, Suite 800
Addison, TX 75001


* This Notice of Privacy Practices also applies to enrollees in any of the following OrchestrateHR entities:
OrchestrateHR, Inc.; Employers Direct Health, Inc., Employers Direct Administrative Services, Inc., and Vologic, Inc.

Rev. 07/20/2020.