Protecting Your Health Information

GEHA's Notice of Privacy Practices (NPP) outlines the use and disclosure of protected health information (PHI) as required by the Health Insurance Portability and Accountability Act (HIPAA). The NPP has been provided to each GEHA member and is also available for viewing on the GEHA corporate website, by clicking FAQs & Resources, then Form & Document Library, then Privacy & Security/HIPAA Materials, and then clicking on the NPP for the appropriate insured plan. This page further outlines the ways GEHA works to protect your health information as we provide health benefits to meet your medical needs.

Your right to access your protected health information
By law, you or your legal representative have the right to view and/or get copies of your protected health information from health care providers who treat you, or from health plans that pay for your care. You also have the right to have a provider or plan send copies of your information to a third party that you choose, such as other providers who treat you, a family member, a researcher or a mobile "app" you use to manage your personal health information.

This includes:

  • Medical and billing records (except psychotherapy notes);
  • Information related to your enrollment in health plans;
  • Claims and case management records; and
  • Any other records that contain information that doctors or health plans use to make decisions about you or others.

Your providers and plans should have an easy process for you to ask for your health information, and you should be able to ask for it at a time and place that's convenient for you. You may have to fill out a health information "request" form, and pay a reasonable, cost-based fee for copies. Your providers or plans must tell you about the fee when you make the request. The fee can only be for the labor to make the copies, copying supplies and postage (if needed). In most cases, you shouldn't be charged for viewing, searching, downloading or sending your information through an electronic portal.

Generally, you can get your information on paper or electronically. If your providers or plans store your information electronically, they generally must give you electronic copies unless there are security concerns. However, you do have a right to get your records through unencrypted email if you prefer.

You have the right to get your information as quickly as possible, but it may take up to 30 days to fill the request.

For more information, see Your Rights Under HIPAA.

Third-Party Business Associates/Vendors
As outlined in the Notice of Privacy Practices (NPP), GEHA shares protected health information with some third-party vendors (such as, but not limited to, CVS Caremark and MedSolutions), known as Business Associates under HIPAA, who perform various activities on behalf of GEHA.

GEHA has a written contract with each Business Associate to ensure it protects the privacy of your protected health information to the same extent as GEHA. The Business Associate is responsible for extending the same requirements to any subcontractors or agents it may use. An "Effect of Termination" clause outlines the required handling of all protected health information if a Business Associate contract terminates for any reason:

  • The Business Associate, its subcontractors, or agents are to return all health information received from GEHA, or created or received on behalf of GEHA.
  • With GEHA's express permission, the Business Associate, its subcontractors, or agents may destroy all health information. If the health information is destroyed, the Business Associate is to provide GEHA with appropriate evidence of destruction.
  • If a Business Associate determines that returning or destroying the health information is infeasible, the Business Associate is to notify GEHA of the conditions that make return or destruction infeasible. Upon mutual agreement that return or destruction of the health information is infeasible, the Business Associate is to extend the protections outlined in the contract to that protected health information and limit further uses and disclosures of the information to the purposes that make the return or destruction infeasible, for so long as the Business Associate maintains the information.

Security Features
Computer Systems: GEHA maintains computer system security features that protect against unauthorized disclosure of PHI, and maintains policies and procedures that outline the method used to establish, document, review, and modify a user's right of access to a workstation, transaction, program, or process. Appropriate system access is determined for each employee as required by their specific job responsibilities, and the employee is granted access to a system through an identification/authorization process based on a unique User ID/password combination. Auditing processes monitor system access.

Email Encryption: Information on GEHA's website under Customer Service describes the secure method of sending emails to GEHA to ensure protection of PHI. Under the Website Privacy Policy section, we explain how email responses are secured through an email encryption system. GEHA's Web Services, which include member web accounts for online viewing of health claims, protect member information through User ID and password authentication and verification methods.

Breach Notification: GEHA takes the privacy and security of members' protected health information very seriously, and has processes in place to provide written notification to our members, as required by law, for breaches of privacy. Members also have the right to request an accounting of disclosures for any disclosures made for purposes other than payment, treatment and health care operations.