Notice of Privacy Practices

Northern California


KAISER PERMANENTE — NORTHERN CALIFORNIA REGION

THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION.

PLEASE REVIEW IT CAREFULLY.

In this notice we use the terms "we," "us," and "our" to describe Kaiser Permanente—Northern California Region. For more details, please refer to section IV of this notice.

I. WHAT IS "PROTECTED HEALTH INFORMATION"?

Your protected health information (PHI) is individually identifiable health information, including demographic information, about your past, present or future physical or mental health or condition, health care services you receive, and past, present or future payment for your health care. Demographic information means information such as your name, social security number, address, and date of birth. PHI also includes race/ethnicity, language, gender identity, sexual orientation, and pronoun data.

PHI may be in oral, written or electronic form. Examples of PHI include your medical record, claims record, enrollment or disenrollment information, and communications between you and your health care provider about your care.

If your PHI is de-identified in accordance with HIPAA standards, it is no longer PHI.

If you are a Kaiser Foundation Health Plan member and also an employee of any Kaiser Permanente company, PHI does not include the health information in your employment records.

II. ABOUT OUR RESPONSIBILITY TO PROTECT YOUR PHI

By law, we must

  1. protect the privacy of your PHI;
  2. tell you about your rights and our legal duties with respect to your PHI;
  3. notify you if there is a breach of your unsecured PHI; and
  4. tell you about our privacy practices and follow our notice currently in effect.

We take these responsibilities seriously and have put in place administrative safeguards (such as security awareness training and policies and procedures), technical safeguards (such as encryption and passwords), and physical safeguards (such as locked areas and requiring badges) to protect your PHI. As in the past, we will continue to take appropriate steps to safeguard the privacy of your PHI.

III. YOUR RIGHTS REGARDING YOUR PHI

This section tells you about your rights regarding your PHI and describes how you can exercise these rights.

Your right to access and amend your PHI

Subject to certain exceptions, you have the right to view or get a copy of your PHI that we maintain in records relating to your care or decisions about your care or payment for your care. Subject to certain exceptions, requests must be in writing. We may charge you a reasonable, cost-based fee for the copies, summary or explanation of your PHI.

If we do not have the record you asked for but we know who does, we will tell you who to contact to request it. In limited situations, we may deny some or all of your request to see or receive copies of your records, but if we do, we will tell you why in writing and explain your right, if any, to have our denial reviewed.

If you believe there is a mistake in your PHI or that important information is missing, you may request that we correct or add to the record. Requests must be in writing, tell us what corrections or additions you are requesting, and why the corrections or additions should be made. We will respond in writing after reviewing your request. If we approve your request we will make the correction or addition to your PHI. If we deny your request, we will tell you why and explain your right to file a written statement of disagreement. Your statement must be limited to 250 words for each item in your record that you believe is incorrect or incomplete. You must clearly tell us in writing if you want us to include your statement in future disclosures we make of that part of your record. We may include a summary instead of your statement.

Submit all written requests to the Kaiser Permanente facility or medical office where you received your care. If you need that address, please call the Member Service Call Center at 1-800-464-4000 (TTY 711). However, if you don't know where the record that you want is located, please write to us at the Director of Privacy & Security Compliance, Kaiser Permanente Ethics & Compliance Office, 1 Kaiser Plaza, Oakland, CA 94612, 12th Floor.

Your right to choose how we send PHI to you or someone else

You may ask us to send your PHI to you at a different address (for example, your work address) or by different means (for example, fax instead of regular mail).

If your PHI is stored electronically, you may request a copy of the records in an electronic format offered by Kaiser Permanente. You may also make a specific written request to Kaiser Permanente to transmit a copy of your PHI to a designated third party. We may charge a reasonable, cost-based fee.

Your right to receive confidential communications

You have the right to request that we communicate with you about health matters at an alternative mailing address, email address, or telephone number.

You may provide us with an alternative address so that we may direct communications regarding your receipt of sensitive services (health care services related to mental or behavioral health, sexual and reproductive health, sexually transmitted infections, substance use disorder, gender affirming care, and intimate partner violence) directly to you. If you do not designate an alternative address, we will send all communication related to your receipt of sensitive services in your name at the address or telephone number on file.

Communications subject to this paragraph shall include the following written, verbal, or electronic communications:

(i) Bills and attempts to collect payment.
(ii) A notice of adverse benefits determinations.
(iii) An explanation of benefits notice.
(iv) A health insurer’s request for additional information regarding a claim.
(v) A notice of a contested claim.
(vi) The name and address of a provider, description of services provided, and other information related to a visit.
(vii) Any written, oral, or electronic communication from a health insurer that contains protected health information.

To provide a confidential address for receipt of confidential communications, you can complete the confidential communications request form located at the bottom of the KP.org home page or contact the Member Service Call Center at 1-800-464-4000 (TTY 711) for assistance.

Your right to an accounting of disclosures of PHI

You may ask us for a list of our disclosures of your PHI. Write to us at Director of Privacy & Security Compliance, Kaiser Permanente Ethics & Compliance Office, 1 Kaiser Plaza, Oakland, CA 94612, 12th Floor. You are entitled to one disclosure accounting in any 12-month period at no charge. If you request any additional accountings less than 12 months later, we may charge a fee.

An accounting does not include certain disclosures, for example, disclosures:

  • to carry out treatment, payment and health care operations;
  • for which Kaiser Permanente had a signed authorization;
  • of your PHI to you;
  • from a Kaiser Permanente facility directory;
  • for notifications for disaster relief purposes;
  • to persons involved in your care and persons acting on your behalf; or
  • not covered by the right to an accounting.

Your right to request limits on uses and disclosures of your PHI

You may request that we limit our uses and disclosures of your PHI for treatment, payment, and health care operations purposes. We will review and consider your request. You may write to the Kaiser Permanente facility or medical office where you received your care for consideration of your request. If you need that address, please call the Member Service Call Center at 1-800-464-4000 (TTY 711). However, if you don't know where the record that you want is located, please write to us at the Director of Privacy & Security Compliance, Kaiser Permanente Ethics & Compliance Office, 1 Kaiser Plaza, Oakland, CA 94612, 12th Floor.

We are not required to agree to your request, except to the extent that you request a restriction on disclosures to a health plan or insurer for payment or health care operations purposes and the items or services have been paid for out of pocket in full. However, we can still disclose the information to a health plan or insurer for the purpose of treating you. For requests to restrict your PHI for payment or health care operations purposes, please request the restriction prior to receiving services at the Kaiser Permanente facility or medical office where you receive your care.

You can ask us not to use or share certain health information for treatment, payment, or our operations. We are not required to agree to your request, and we may say ‘no’ if it would affect your care. We will consider all submitted requests and, if we deny your request, we will notify you in writing.

Your right to receive a paper copy of this notice

You also have a right to receive a paper copy of this notice upon request.

IV. KAISER PERMANENTE COMPANIES SUBJECT TO THIS NOTICE

This notice applies to the Kaiser Permanente, Northern California Region, which includes

  • The Permanente Medical Group (TPMG),
  • Kaiser Foundation Health Plan, Inc., including its health plan and provider operations, and
  • Kaiser Foundation Hospitals (KFH).

Our health care delivery sites include TPMG medical offices, KFH hospitals, and KFH ambulatory surgery centers, and any other licensed facilities of KFH in the region, member call advice and appointment centers, and our member Web sites and mobile applications.

To provide you with the health care you expect, to treat you, to pay for your care, and to conduct our operations, such as quality assurance, accreditation, licensing and compliance, these Kaiser Permanente companies share your PHI with each other.

Our personnel may have access to your PHI either as employees, physicians, professional staff members of KFH facilities and others authorized to enter information in a KFH facility medical record, volunteers, or persons working with us in other capacities.

V. HOW WE MAY USE AND DISCLOSE YOUR PHI

Your confidentiality is important to us. Our physicians and employees are required to maintain the confidentiality of the PHI of our members/patients, and we have policies and procedures and other safeguards to help protect your PHI from improper use and disclosure. Sometimes we are allowed by law to use and disclose certain PHI without your written permission. We briefly describe these uses and disclosures below and give you some examples.

How much PHI is used or disclosed without your written permission will vary depending, for example, on the intended purpose of the use or disclosure. Sometimes we may only need to use or disclose a limited amount of PHI, such as to send you an appointment reminder or to confirm that you are a health plan member. At other times, we may need to use or disclose more PHI such as when we are providing medical treatment.

  • Treatment: This is the most important use and disclosure of your PHI. For example, our physicians, nurses, and other health care personnel, including trainees, involved in your care use and disclose your PHI to diagnose your condition and evaluate your health care needs. Our personnel will use and disclose your PHI in order to provide and coordinate the care and services you need: for example, prescriptions, X-rays, and lab work. If you need care from health care providers who are not part of Kaiser Permanente, such as community resources to assist with your health care needs at home, we may disclose your PHI to them.
  • Payment: Your PHI may be needed to determine our responsibility to pay for, or to permit us to bill and collect payment for, treatment and health-related services that you receive. For example, we may have an obligation to pay for health care you receive from an outside provider. When you or the provider sends us the bill for health care services, we use and disclose your PHI to determine how much, if any, of the bill we are responsible for paying.
  • Health care operations: We may use and disclose your PHI for certain health care operations—for example, quality assessment and improvement, training and evaluation of health care professionals, licensing, accreditation, and determining premiums and other costs of providing health care.
  • Business associates: We may contract with business associates to perform certain functions or activities on our behalf, such as payment and health care operations. These business associates must agree to safeguard your PHI.
  • Appointment reminders: We may use your PHI to contact you about appointments for treatment or other health care you may need.
  • Identity verification: We may photograph you for identification purposes, storing the photo in your medical record. This is for your protection and safety, but you may opt out.
  • Health Information Exchange: We may share your health information electronically with other organizations through a Health Information Exchange (HIE) network. These other organizations may include hospitals, laboratories, health care providers, public health departments, health plans, and other participants. Kaiser Permanente operates an HIE network among Kaiser Permanente regions and participates in several HIE networks with other health care providers outside of Kaiser Permanente who also have electronic medical record systems. Sharing information electronically is a faster way to get your health information to the health care providers treating you. For example, if you go to a hospital emergency room that participates in the same HIE network as Kaiser Permanente, the emergency room physicians would be able to access your Kaiser Permanente health information to help make treatment decisions for you. HIE participants like Kaiser Permanente are required to meet rules that protect the privacy and security of your health and personal information.
    • If your medical record contains certain information (such as from a substance use disorder program) that requires your authorization under state or federal law before information is shared, then Kaiser Permanente will not release that information to your other treating providers through HIE until you provide authorization. To check if your authorization is required before Kaiser Permanente can release your records through HIE and to provide authorization, click here.
  • Specific types of PHI: There are stricter requirements for use and disclosure of some types of PHI—for example, mental health and drug and alcohol abuse patient information, HIV tests, and genetic testing information. However, there are still circumstances in which these types of information may be used or disclosed without your authorization. If you become a patient in our chemical dependency program, we will give you a separate written notice, as required by law, about your privacy rights for your chemical dependency program PHI.
  • Underwriting: We may use and disclose your PHI, to the extent permitted under applicable law, for underwriting purposes, including the determination of benefit eligibility and costs of coverage and to perform other activities related to issuing a benefit policy. However, we exclude genetic information, race/ethnicity, language, gender identity, sexual orientation, and pronoun data from review or disclosure for underwriting purposes. Your genetic information includes information about your genetic tests, your family members’ genetic tests, and requests for or receipt of genetic services by you or any family members.
  • Communications with family and others when you are present: Sometimes a family member or other person involved in your care will be present when we are discussing your PHI with you. If you object, please tell us and we won't discuss your PHI, or we will ask the person to leave.
  • Communications with family and others when you are not present: There may be times when it is necessary to disclose your PHI to a family member or other person involved in your care because there is an emergency, you are not present, or you lack the decision-making capacity to agree or object. In those instances, we will use our professional judgment to determine if it's in your best interest to disclose your PHI. If so, we will limit the disclosure to the PHI that is directly relevant to the person's involvement with your health care. For example, we may allow someone to pick up a prescription for you.
  • Disclosure in case of disaster relief: We may disclose your name, city of residence, age, gender, and general condition to a public or private disaster relief organization to assist disaster relief efforts, unless you object at the time.
  • Disclosures to parents as personal representatives of minors: In most cases, we may disclose your minor child's PHI to you. In some situations, however, we are permitted or even required by law to deny your access to your minor child's PHI. An example of when we must deny such access based on type of health care is when a minor who is 12 or older seeks care for a communicable disease or condition. Another situation when we must deny access to parents is when minors have adult rights to make their own health care decisions. These minors include, for example, minors who were or are married or who have a declaration of emancipation from a court.
  • Facility Directories: When you are a patient in one of our facilities, we may create a directory that includes your name, room location, and your general condition. This information may be disclosed to a person who asks for you by name. In addition, we may provide your religious affiliation, if any, to clergy. You may object to the use or disclosure of some or all of this information. If you do, we will not disclose it to visitors or other members of the public.
  • Research: Kaiser Permanente engages in extensive and important research. Some of our research may involve medical procedures and some is limited to collection and analysis of health data. Research of all kinds may involve the use or disclosure of your PHI. Your PHI can generally be used or disclosed for research without your permission if an Institutional Review Board (IRB) approves such use or disclosure. An IRB is a committee that is responsible, under federal law, for reviewing and approving human subjects research to protect the safety of the participants and the confidentiality of PHI.
  • Organ donation: We may use or disclose PHI to organ-procurement organizations to assist with organ, eye, or other tissue donations.
  • Public health activities: Public health activities cover many functions performed or authorized by government agencies to promote and protect the public's health and may require us to disclose your PHI.
    • For example, we may disclose your PHI as part of our obligation to report to public health authorities certain diseases, injuries, conditions, and vital events such as births. Sometimes we may disclose your PHI to someone you may have exposed to a communicable disease or who may otherwise be at risk of getting or spreading the disease.
    • The Food and Drug Administration (FDA) is responsible for tracking and monitoring certain medical products, such as pacemakers and hip replacements, to identify product problems and failures and injuries they may have caused. If you have received one of these products, we may use and disclose your PHI to the FDA or other authorized persons or organizations, such as the maker of the product.
    • We may use and disclose your PHI as necessary to comply with federal and state laws that govern workplace safety.
  • Health oversight: As health care providers and health plans, we are subject to oversight conducted by federal and state agencies. These agencies may conduct audits of our operations and activities and in that process, they may review your PHI.
  • Disclosures to your employer or your employee organization: If you are enrolled in Kaiser Foundation Health Plan, Inc. through your employer or employee organization, we may share certain PHI with them without your authorization, but only when allowed by law. For example, we may disclose your PHI for a workers' compensation claim or to determine whether you are enrolled in the plan or whether premiums have been paid on your behalf. For other purposes, such as for inquiries by your employer or employee organization on your behalf, we will obtain your authorization, when necessary under applicable law.
  • Workers' compensation: We may use and disclose your PHI in order to comply with workers’ compensation laws. For example, we may communicate your medical information regarding a work-related injury or illness to claims administrators, insurance carriers, and others responsible for evaluating your claim for workers' compensation benefits.
  • Military activity and national security: We may sometimes use or disclose the PHI of armed forces personnel to the applicable military authorities when they believe it is necessary to properly carry out military missions. We may also disclose your PHI to authorized federal officials as necessary for national security and intelligence activities or for protection of the president and other government officials and dignitaries.
  • Fundraising: We may use or disclose your demographic information and other limited PHI such as dates and where health care was provided, to certain organizations for the purpose of contacting you to raise funds for our organization. If we contact you for fundraising purposes, we will provide you with a clear opportunity to elect not to receive any further fundraising communications.
  • Required by law: In some circumstances federal or state law requires that we disclose your PHI to others. For example, the secretary of the Department of Health and Human Services may review our compliance efforts, which may include seeing your PHI.
  • Lawsuits and other legal disputes: We may use and disclose PHI in responding to a court or administrative order, a subpoena, or a discovery request. We may also use and disclose PHI to the extent permitted by law without your authorization, for example, to defend a lawsuit or arbitration.
  • Law enforcement: We may disclose PHI to authorized officials for law enforcement purposes, for example, to respond to a search warrant, report a crime on our premises, or help identify or locate someone.
  • Serious threat to health or safety: We may use and disclose your PHI if we believe it is necessary to avoid a serious threat to your health or safety or to someone else's.
  • Abuse or neglect: By law, we may disclose PHI to the appropriate authority to report suspected child abuse or neglect or to identify suspected victims of abuse, neglect, or domestic violence.
  • Coroners and funeral directors: We may disclose PHI to a coroner or medical examiner to permit identification of a body, determine cause of death, or for other official duties. We may also disclose PHI to funeral directors.
  • Inmates: Under the federal law that requires us to give you this notice, inmates do not have the same rights to control their PHI as other individuals. If you are an inmate of a correctional institution or in the custody of a law enforcement official, we may disclose your PHI to the correctional institution or the law enforcement official for certain purposes, for example, to protect your health or safety or someone else's.
  • De-Identification: We or a business associate with whom we have contracted may use PHI to de-identify it in accordance with HIPAA standards and may further disclose the de-identified data to third parties in connection with KP’s operations. 

VI. ALL OTHER USES AND DISCLOSURES OF YOUR PHI REQUIRE YOUR PRIOR WRITTEN AUTHORIZATION

Except for those uses and disclosures described above, we will not use or disclose your PHI without your written authorization. Some instances in which we may request your authorization for use or disclosure of PHI are:

  • Marketing: We may ask for your authorization in order to provide information about products and services that you may be interested in purchasing or using. Note that marketing communications do not include our contacting you with information about treatment alternatives, prescription drugs you are taking or health-related products or services that we offer or that are available only to our health plan enrollees. Marketing also does not include any face-to-face discussions you may have with your providers about products or services.
  • Sale of PHI: We may only sell your PHI if we received your prior written authorization to do so.
  • Psychotherapy Notes: On rare occasions, we may ask for your authorization to use and disclose “psychotherapy notes”. Federal privacy law defines “psychotherapy notes” very specifically to mean notes made by a mental health professional recording conversations during private or group counseling sessions that are maintained separately from the rest of your medical record. Generally, we do not maintain psychotherapy notes, as defined by federal privacy law.

When your authorization is required and you authorize us to use or disclose your PHI for some purpose, you may revoke that authorization by notifying us in writing at any time. Please note that the revocation will not apply to any authorized use or disclosure of your PHI that took place before we received your revocation. Also, if you gave your authorization to secure a policy of insurance, including health care coverage from us, you may not be permitted to revoke it until the insurer can no longer contest the policy issued to you or a claim under the policy.

VII. HOW TO CONTACT US ABOUT THIS NOTICE OR TO COMPLAIN ABOUT OUR PRIVACY PRACTICES

If you have any questions about this notice or want to lodge a complaint about our privacy practices, please write to us at the Director of Privacy & Security Compliance, Kaiser Permanente Ethics & Compliance Office, 1 Kaiser Plaza, Oakland, CA 94612, 12th Floor, or let us know by calling the Member Service Call Center at 1-800-464-4000 (TTY 711). You also may notify the secretary of the Department of Health and Human Services.

We will not take retaliatory action against you if you file a complaint about our privacy practices.

VIII. CHANGES TO THIS NOTICE

We may change this notice and our privacy practices at any time, as long as the change is consistent with state and federal law. Any revised notice will apply both to the PHI we already have about you at the time of the change, and any PHI created or received after the change takes effect. If we make an important change to our privacy practices, we will promptly change this notice and make the new notice available on our Web site at www.kp.org/privacy. Except for changes required by law, we will not implement an important change to our privacy practices before we revise this notice.

IX. EFFECTIVE DATE OF THIS NOTICE

This notice is effective on September 22, 2023.

The following Supplemental Notice of Privacy Practices for Member of a Kaiser Foundation Health Plan Medi-Cal Plan applies only to Medi-Cal members who are enrolled with Kaiser Foundation Health Plan through one of the following entities: Geographic Managed Care Sacramento, Geographic Managed Care San Diego, or Prepaid Health Plan. This Supplemental Notice is included in the Medi-Cal Member Handbook.

Supplemental Notice of Privacy Practices for Member of a Kaiser Foundation Health Plan Medi-Cal Plan* 
THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION.

As a new member, you should have received (or will soon receive) a copy of the Kaiser Permanente Northern California Regional or Southern California Regional HIPAA Notice of Privacy Practices (the "Regional Notices") with your new Kaiser Permanente identification card. The Regional Notices tell you about your rights and our duties concerning your health information. The Regional Notices also describe and give examples of when we are allowed by law to use and disclose certain protected health information without your written permission: for example, for treatment or for health care operations, such as quality improvement.

This Supplemental Notice is for members of Kaiser Permanente Medi-Cal plans. This Supplemental Notice tells you about differences in state law that, in some situations, require us to get your written permission as a Medi-Cal member to disclose health information but do not require us to get the written permission of someone who is not a Medi-Cal member.

UNDER STATE LAW APPLICABLE TO MEDI-CAL BENEFICIARIES, KAISER PERMANENTE NEEDS YOUR PERMISSION TO USE OR DISCLOSE YOUR MEDICAL INFORMATION IN THE FOLLOWING SITUATIONS:

  • To give medical information to organ-procurement organizations, unless the medical information specifically relates to your treatment when you are a candidate for or a recipient of an organ transplant;
  • To comply with workplace safety laws or workers' compensation laws, except disclosures for treatment or to state or local officials;
  • To allow other companies to market their products or services to you;
  • To raise funds for our organization;
  • To respond to subpoenas or court orders, or orders from government agencies, unless they relate to administration of the Medi-Cal program or are otherwise authorized by law;
  • To report problems with certain medical products to the FDA or to other persons or organizations, such as the maker of the product.

Except in these cases, Kaiser Permanente may use and disclose your protected health information as described in the Regional Notices.

Except as modified by this Supplemental Notice applicable to you as a Medi-Cal member, the Regional Notices still apply. For example, as noted in the Regional Notices, you have the right to request access to your records. Another example is that the section regarding changes to the Regional Notices also applies to this Supplemental Notice.

The Regional Notices also tell you how to contact us if you have any questions about the Regional Notices. If you have any questions about this Supplemental Notice or you want to lodge a complaint about our privacy practices, please call our Member Service Call Center at 1-800-464-4000. You may also notify the Privacy Officer of the California Department of Health Services by phone or in writing using the contact information at the end of this Supplemental Notice.

We take our responsibility to protect the health information of all our members and patients seriously and will continue to take appropriate steps to protect that information. As always, thank you for entrusting your health care to Kaiser Permanente.

If you need help in your language, call our Member Service Call Center at 1-800-788-0616.

Contact information for the California Department of Health Services Privacy Officer:

Privacy Officer
California Department of Health Services
P.O. Box 942732
Sacramento, CA 94234-7320
(916) 255-5259 or 1-877-735-2929 (TTY)

* Geographic Managed Care Sacramento, Geographic Managed Care San Diego, or Prepaid Health Plan.