Notice of Privacy Practices

Last Modified: June 30, 2026

THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED, AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.


  1. HARVARD UNIVERSITY GROUP HEALTH PLAN (the “Plan”, “we” or “us”) IS COMMITTED TO PROTECTING THE PRIVACY OF OUR MEMBERS.

We understand that your medical information is personal, and that protecting that information is important. In order to administer your health benefits, we may use and disclose personal information about you in various ways, including the ways described in this notice.

We are required by law to protect the privacy of individually identifiable health information about you (“Your Protected Health Information”), to give you this notice of our legal duties and our privacy practices, to follow the terms of this notice, and to notify you in the event you are affected by a breach of Your Protected Health Information. 

To Students:

Although the Health Insurance Portability and Accountability Act privacy regulations do not apply to student medical records, those records are protected under state privacy laws and other federal laws such as the Family Educational Rights and Privacy Act (FERPA), and in most instances will be treated in the same manner described in this Notice of Privacy Practices, with certain exceptions. In particular, students should note that there may be special student privacy rights that apply to them that are described in their Schools’ student handbooks. To the extent that any conflict exists between the privacy rights contained in this notice and the privacy rights contained in applicable student handbooks, the privacy rights contained in the student handbooks will control.


  1. USES AND DISCLOSURES OF YOUR PROTECTED HEALTH INFORMATION WITHOUT YOUR WRITTEN CONSENT OR AUTHORIZATION:

    The following categories show the different ways we may use and disclose to others Your Protected Health Information without obtaining your written consent or authorization. For each category of uses or disclosures, we provide some examples. Your Protected Health Information will not be used or disclosed without your written consent or authorization for purposes other than those described in this Section. Later sections of this notice describe our policy regarding uses and disclosures of Your Protected Health Information for which your consent or authorization is required.

    1. Use and Disclosures for Treatment, Payment, and Health Care Operations: In general, we may use and disclose Your Protected Health Information to facilitate your treatment, process payment for services provided to you and conduct our “health care operations” (as detailed below) without your written consent or authorization.
      1. For Treatment: Your Protected Health Information may be used and disclosed by us to facilitate your treatment and for the coordination and management of your health care.  For example, a doctor treating you for a particular condition may request information from us about prior treatment of a similar or different condition. 
      2. For Payment: Your Protected Health Information may be used and disclosed by us for payment activities, such as to determine eligibility, to collect premiums, to help a health care provider with payment activities, to assist with coverage determinations, to administer claims, and to coordinate benefits with other coverage that you may have. For example, a doctor submits a claim to us following your hospital visit for knee surgery and we may use Your Protected Health Information in connection with paying the provider for that service. 
      3. For Health Care Operations: Your Protected Health Information may be used and disclosed by us for a variety of health care-related purposes that are necessary for the Plan to function. We may use Your Protected Health Information to engage in activities to improve the quality of care for our members and to ensure that the Plan continues to comply with federal and state laws.  For example, we may use Your Protected Health Information to do business planning and conduct quality assessments and improvement activities. We may disclose Your Protected Health Information to another health plan or health care provider that has or had a relationship with you for it to conduct quality assessment and improvement activities, accreditation, or credentialing activities. In addition, we may use and disclose Your Protected Health Information to contact you to tell you about alternative treatments or health-related benefits and services that may be of interest to you. Some of the information may be shared with outside parties who perform these health care operations or other services on behalf of us, such as third party administrators (“business associates”). We will obtain assurances from our business associates that they will appropriately safeguard Your Protected Health Information.
    2. Disclosures to the Plan Sponsor: We may disclose Your Protected Health Information to the sponsor of the Plan, Harvard University. These disclosures are made so that the Plan sponsor can perform Plan administration functions. For example, we may disclose information to the Plan sponsor about whether you are participating in the Plan or if you are enrolled or have disenrolled in certain health benefit options offered by the Plan. The Plan sponsor has agreed to specific restrictions on how it will use or disclose this information. For example, the Plan sponsor will not use such information for any employment-related actions and decisions.

      We may also disclose “summary health information” to the Plan sponsor so that the Plan sponsor may solicit premium bids or modify, amend or terminate the Plan. Summary health information is information that does not contain identifying information, other than certain geographic information. Summary health information can contain a summary of claims history, claims expenses, or type of claims experienced by you for which the Plan sponsor has provided health benefits under the Plan. 

    3. Use and Disclosure for Other Reasons: In addition to payment, treatment and health care operations, we may use or disclose Your Protected Health Information without your written consent or authorization for purposes such as the following:
      1. Research: We may use and disclose Your Protected Health Information when a waiver of authorization is obtained from an Institutional Review Board. Otherwise, we will only use or disclose your information for research with your written authorization. However, we may use Your Protected Health Information to identify you as a potential research study subject but will not conduct any research without a proper authorization from you or a waiver of authorization from an Institutional Review Board.
      2. To Avert a Serious Threat to Health or Safety: We may use and disclose Your Protected Health Information when necessary to prevent a serious danger to you or others. Any disclosure, however, would only be to someone able to help prevent the threat.
      3. Organ and Tissue Donation: If you are an organ donor, we may release Your Protected Health Information to organizations that handle organ procurement or organ, eye, or tissue transplantation or to an organ donation bank, as necessary to facilitate organ or tissue donation and transplantation.
      4. Military and Veterans: If you are a member of the armed forces, we may release Your Protected Health Information as required by military command authorities.
      5. Workers’ Compensation: We may release Your Protected Health Information as necessary to comply with workers’ compensation laws. 
      6. Public Health Activities: We may disclose Your Protected Health Information to public health authorities for the purposes of preventing or controlling disease, reporting child abuse or neglect or certain other public health reasons. 
      7. Health Oversight Activities: We may disclose Your Protected Health Information to a health oversight agency for activities authorized by law. These oversight activities include, for example, audits, investigations, inspections, and licensure. These activities are necessary for the government to monitor the health care system, government programs (such as Medicare and Medicaid), and compliance with civil laws.
      8. Lawsuits and Disputes: We may disclose Your Protected Health Information in response to a subpoena, discovery request or other lawful order from a court. We will take reasonable steps to notify you or your attorney before responding to such requests.
      9. Law Enforcement: We may release Your Protected Health Information as part of law enforcement activities: in investigations of criminal conduct or of victims of crime; in response to court orders; in emergency circumstances; or when required to do so by law.
      10. National Security: We may release Your Protected Health Information to authorized federal officials so they may provide protective services to the President or other authorized persons or foreign heads of state, to conduct special investigations, or for intelligence, counterintelligence, and other national security activities authorized by law.
      11. Inmates: If you are an inmate of a correctional institution or under the custody of a law enforcement official, we may release Your Protected Health Information in limited circumstances.
      12. Underwriting: We may use or disclose Your Protected Health Information for the purpose of underwriting and other activities relating to health benefits. We are prohibited from using or disclosing your genetic information for such purposes.
      13. As Required by Law: We will disclose Your Protected Health Information when required to do so by federal, state, or local law.
      14. Other: We may share Protected Health Information with a medical examiner or funeral director when an individual dies.

  1. DISCLOSURES REQUIRING YOUR CONSENT OR AUTHORIZATION:
    1. Disclosures Requiring Your Consent:
      • Individuals involved in payment for your care: With your consent (verbal or written) we may release information about you (except Highly Confidential Information) to a family member or friend who is involved in payment for your care. 
      • Certain uses of Your Protected Health Information: Your prior authorization is required for most uses and disclosures of Your Protected Health Information for marketing purposes, and for the sale of Your Protected Health Information. 
    2. Disclosures of Your Highly Confidential Information: As discussed above, your written authorization is generally not needed when we use or share Your Protected Health Information for treatment, payment or health care operations. However, some kinds of information are considered so sensitive that federal or state law provide special privacy protections for them (“Highly Confidential Information”). This means that, even if the particular information relates to treatment, payment or health care operations, we may get your written consent in order to disclose (and in some cases, to use) that information unless the use or disclosure is otherwise permitted by law. For example, there are special protections under federal or state law for medical information that: (1) is about HIV/AIDS status; (2) is about genetic testing; (3) constitutes confidential communications with a mental health provider (such as a psychologist or social worker); (4) is about substance abuse (alcohol or drug); (5) is about certain sexually transmitted diseases; (6) is an abortion consent form(s); (7) constitutes mammography records; (8) is about the treatment or diagnosis of emancipated minors; and (9) is about research involving controlled substances.
    3. Other Uses and Disclosures of Your Protected Health Information. Other uses and disclosures of Your Protected Health Information not covered by this notice will be made only with your written authorization.

  1. RESIDCLOSURE:

    When we disclose Your Protected Health Information in accordance with this notice, we cannot guarantee that the recipient will not re-disclose Your Protected Health Information to a third party or that Your Protected Health Information will continue to be protected by federal privacy laws. 


  1. SUBSTANCE USE DISORDER TREATMENT RECORDS:

    Federal law imposes strict limitations on the use and disclosure of protected substance use disorder treatment records (“SUD Records”). We will not use or disclose your SUD Records, or testimony relaying their contents, in civil, criminal, administrative, or legislative proceedings against you, unless we have either your written consent or a court order (issued after you have been given notice and an opportunity to be heard), and any such court order is accompanied by a subpoena or other legal requirement compelling disclosure. If you provided consent to us or a third party regarding use and disclosure of your SUD Records, we will use and disclose your SUD Records only as expressly permitted by you in that consent. If you provided consent to a Substance Use Disorder Program for all future uses and disclosures of SUD Records for treatment, payment and health care operations, we may use and disclose your SUD Records for such purposes in accordance with this notice.


  1. YOUR RIGHTS REGARDING YOUR PROTECTED HEALTH INFORMATION:

    You have the following rights regarding Your Protected Health Information:

    1. Right to Revoke Authorization: You may revoke your written authorization, except to the extent that we have taken action in reliance upon it, by delivering a written revocation statement to the Privacy Officer identified below. 
    2. Right to Inspect and Copy: With certain exceptions, you have the right to inspect and to make a copy of Your Protected Health Information maintained by the Plan. Usually, this includes enrollment, payment, claims adjudication, and case or medical management records maintained by or on behalf of the Plan. All requests for access must be made in writing and submitted to Member Services. If you request a copy of the information, we may charge a reasonable fee for the costs of copying and postage. Under limited circumstances, we may deny your request to access and copy certain of Your Protected Health Information. In the event we maintain Your Protected Health Information electronically, you shall have a right to obtain a copy of such information in electronic format and, if you choose to direct us to transmit such copy directly to another recipient. 
    3. Right to Request Amendment: If you feel that Your Protected Health Information that we have about you in the set of records we maintain is incorrect or incomplete, you may ask us to amend the information. To request an amendment, your request must be made in writing and submitted to our Privacy Officer. In addition, you must provide a reason that supports your request. You may obtain a form for this purpose from the Privacy Officer. We may deny your request for an amendment if the information contained in your medical record file or billing record is accurate and complete or if other special circumstances apply, although you submit a written statement disagreeing with our denial.
    4. Right to an Accounting of Disclosures: You have the right to a list or report of certain disclosures of Your Protected Health Information. This does not include disclosures for purposes of treatment, payment or health care operations, disclosures for which you provided written authorization, sharing your information with persons involved in payment for your care, sharing information for national security or intelligence purposes or to correctional institutions and law enforcement officials who have custody of you, among other exceptions. To request this list or accounting of disclosures, you must submit your request in writing to our Privacy Officer. Your request must state a time period that may not be longer than six years prior to the request date. The first list you request within a 12-month period will be free. For additional lists during the same 12-month period, we may charge you for the cost of providing the list. We will notify you of the cost involved, and you may choose to withdraw or modify your request at the time before any costs are incurred.
    5. Right to Request Restrictions: You have the right to request a restriction or limitation on Your Protected Health Information that we use or disclose for treatment, payment, or health care operations. We will comply with your restriction requests if the disclosure is not related to your treatment and the services to which Your Protected Health Information relates have been paid out of pocket and in full. You also have the right to request a limit on Your Protected Health Information we disclose to someone who is involved in your care or the payment of your care, such as a family member or friend. We are not required to agree to your request. If we do agree, we will comply with your request unless the information is needed to provide you with emergency treatment. To request restrictions, you must make your request in writing to our Privacy Officer. In your request, you must state (1) what use or disclosure you want to limit, (2) what information you want to limit, and/or (3) to whom you want the limits to apply. No agreement to comply with a requested restriction shall be effective unless an authorized representative of the Plan signs the agreement.
    6. Right to Request Confidential Communications: You have the right to request, and we will accommodate any reasonable written request, to receive Your Protected Health Information by alternative means of communication or that confidential communications be sent to alternative locations. Please note that in certain circumstances such as eligibility and enrollment concerns, the Plan is obliged to communicate directly with the subscriber rather than a dependent member. 
    7. Right to a Paper Copy of This Notice: You have the right to a paper copy of this notice at any time, even if you have agreed to receive this notice electronically. To obtain a paper copy of this notice, please request one from Member Services.
    8. Right to Notice of Breach: You have a right to receive a breach notification that complies with applicable laws and regulations in the event of a breach of your unsecured Protected Health Information.

  1. CHANGES TO THIS NOTICE:

    We reserve the right to change this notice. We reserve the right to make the revised or changed notice effective for Protected Health Information we already have about you as well as any information we receive in the future. We will post a copy of the current notice on our website at https://hughp.harvard.edu/notice-privacy-practices. Our notice will contain the effective date in the top left-hand corner of the first page.


  1. COMPLAINTS:

If you believe your privacy rights have been violated or we are not in compliance with these privacy practices, you may file a complaint with the Plan’s Privacy Officer at the address listed below or with the Secretary of the Department of Health and Human Services. All complaints must be submitted in writing. The Privacy Officer and the Plan will investigate all complaints. You will not be penalized in any way for making a complaint.

Complaints filed with the Secretary of the Department of Health and Human Services must be in writing and must be sent within 180 days of when you knew (or should have known) that the act or omission occurred to the Office of Civil Rights, U.S. Department of Health and Human Services:

Office for Civil Rights
Department of Health and Human Services
200 Independence Ave., SW
Rm. 509F, HHH Building
Washington, D.C.  20201
Website: https://www.hhs.gov/hipaa/filing-a-complaint/index.html


  1. CONTACT INFORMATION:

You may contact us at:

Member Services
Harvard University Group Health Plan 
First Floor
75 Mount Auburn Street 
Cambridge, MA 02138
mservices@huhs.harvard.edu

Privacy Officer
Harvard University Student Health Plan 
First Floor
75 Mount Auburn Street
Cambridge, MA 02138
Telephone: (617) 496-1630

NOTICE OF AVAILABILITY OF LANGUAGE ASSISTANCE SERVICES AND AUXILIARY AIDS AND SERVICES

The Plan provides language assistance services and appropriate auxiliary aids and services free of charge, when necessary. To access these services, call 617-495-5711 and indicate the language that is needed. (TTY: 1-800-439-0183).