Concern Notice of Privacy Practices

Effective July 1, 2017; ref: May 6, 2021; rev: July 25, 2025; ref: February 24, 2026

This notice describes;

  • HOW HEALTH INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED
  • YOUR RIGHTS WITH RESPECT TO YOUR HEALTH INFORMATION
  • HOW TO FILE A COMPLAINT CONCERNING A VIOLATION OF THE PRIVACY OR SECURITY OF YOUR HEALTH INFORMATION, OR OF YOUR RIGHTS CONCERNING YOUR INFORMATION

YOU HAVE A RIGHT TO A COPY OF THIS NOTICE (IN PAPER OR ELECTRONIC FORM) AND TO DISCUSS IT WITH THE CONCERN PRIVACY OFFICER BY CALLING (800) 344-4222 OR BY WRITING TO: Concern Privacy Office, 2490 Hospital Drive, Suite 310; Mountain View, CA 94040, IF YOU HAVE ANY QUESTIONS ABOUT THIS NOTICE.

Throughout this notice ("Notice"), CONCERN: EAP will be referred to as "Us" or "We" or "Concern." The person accessing or utilizing Concern's services or content, including such found on its website at the internet domain www.concernhealth.com and any associated mobile application sites including app.concernhealth.com ("Concern Web Site"), is referred to as "You" or "Your" throughout this Notice.

We understand that information about You is personal, and We are committed to protecting Your privacy, and we are required by law to respect your confidentiality. In the normal course of business, We collect information and create records about You and the services We provide to You. We may collect information from other persons or entities, such as employers or health care providers, to provide our services to You. For example, We may collect enrollment information from Your employer to determine eligibility for our services. The information that We collect and create about You includes Protected Health Information.

Protected Health Information is information that could be used to identify You, and relates to (1) Your past, present, or future physical or mental health or conditions, (2) the provision of health care to You, or (3) the past, present, or future payment for Your health care.

How We Protect Your Privacy

We are required by law to maintain the privacy of Protected Health Information and to give You this Notice explaining our privacy practices with regard to that Protected Health Information. You have certain rights – and We have certain legal obligations – regarding the privacy of Your Protected Health Information, and this Notice also explains Your rights and our obligations. To protect Your privacy, We maintain physical, technical, and administrative safeguards. For example, only employees who are authorized and trained to handle Protected Health Information are given access to such Protected Health Information. Some other examples include password-protecting computers and locking filing cabinets that contain personal information.

We are required to abide by the terms of the current version of this Notice, and We are prohibited from any disclosure of Protected Health Information beyond what is allowed by law.

How We May Use and Disclose Your Protected Health Information

We may use and disclose Your Protected Health Information without Your authorization in the following circumstances:

For Treatment: We may use Your Protected Health Information to provide You with treatment or services and to manage and coordinate Your medical care. We may also disclose Your Protected Health Information for purposes of diagnosis and treatment to doctors, nurses, technicians, or other personnel who are involved in taking care of You, including people outside our practice, such as referring or specialist physicians. For example, We may share the details of the health issue that You wish to resolve with a provider to ensure an appropriate referral.

For Payment: We may use and disclose Your Protected Health Information to obtain payment of premiums for Your coverage and to pay providers for the covered services You receive. We may also use and disclose Your Protected Health Information to make coverage determinations or to otherwise determine and fulfill our responsibility to provide care benefits. For example, if You are covered by another health plan, We may use or disclose Your Protected Health Information to the other health plan to coordinate care benefits.

For Health Care Operations: We may use and disclose Protected Health Information for our health care operations and to improve patient care. For example, We may use Protected Health Information for our general business management activities, for checking on the performance of our providers in caring for You, for our cost-management activities, for audits, or to get legal services. We may disclose Protected Health Information to other health care entities for purposes of reviewing provider competence and qualifications or the medical necessity, level of care, quality of care, or justification of charges of health care services.

Communications: We may use and disclose Protected Health Information to contact You with information about alternative treatments or health-related benefits and services, or to remind You that You have an appointment for care.

Minors: We may disclose the Protected Health Information of minor children to their parents or guardians unless such disclosure is otherwise prohibited by law.

Personal Representative: If You have a personal representative, such as a legal guardian (or an executor or administrator of Your estate after Your death), We will treat that person as if that person is You with respect to disclosures of Your Protected Health Information.

As Required by Law: We will disclose Protected Health Information about You when required to do so by international, federal, state, or local law.

To Avert a Serious Threat to Health or Safety: We may use and disclose Protected Health Information when necessary to prevent a serious threat to Your health or safety or to the health or safety of others. But We will only disclose the Protected Health Information to someone who may be able to help prevent the threat.

Business Associates: We may disclose Protected Health Information to our business associates who perform functions on our behalf or provide Us with services, but only if the Protected Health Information is necessary for those functions or services. For example, We may use another company to do our billing, or to provide other services for us. All of our business associates are contractually obligated to protect the privacy of Your Protected Health Information.

Military: If You are a member of the armed forces, We may use and disclose Your Protected Health Information for activities deemed necessary by appropriate military command authorities to assure the proper execution of the military mission. We also may release Protected Health Information to the appropriate foreign military authority if You are a foreign military member.

Workers' Compensation: We may use or disclose Protected Health Information for workers' compensation or similar programs that provide benefits for work-related injuries or illness.

Public Health Risks: We may disclose Protected Health Information for public health activities. This includes disclosures to: (1) a person subject to the jurisdiction of the Food and Drug Administration ("FDA") for purposes related to the quality, safety or effectiveness of an FDA-regulated product or activity; (2) prevent or control disease, injury or disability; (3) report births and deaths; (4) report the abuse or neglect of a child, elder, or dependent adult; (5) report reactions to medications or problems with products; (6) notify people of recalls of products they may be using; (7) a person who may have been exposed to a disease or may be at risk for contracting or spreading a disease or condition; and (8) the appropriate government authority if We believe a patient has been the victim of abuse, neglect, or domestic violence and the patient agrees or We are required or authorized by law to make that disclosure.

Health Oversight Activities: We may disclose Protected Health Information to a health oversight agency for activities authorized by law. For example, these oversight activities include audits, investigations, inspections, licensure, and similar activities that are necessary for the government to monitor the health care system, government programs, and compliance with civil rights laws.

Employment-Related Health Care Services: We may disclose Your Protected Health Information to Your employer if the Protected Health Information was created as a result of employment-related health care services provided to You at the specific prior written request and expense of Your employer, and it: (1) is relevant to and will be used only in a lawsuit, arbitration, grievance, or other claim or challenge to which You and Your employer are parties and in which You have placed Your medical history, condition, or treatment at issue; or (2) describes Your functional limitations that may entitle You to leave work for medical reasons or limit Your fitness to perform Your present employment, provided that no statement of medical cause is disclosed.

Lawsuits and Disputes: If You are involved in a lawsuit or a dispute, We may disclose Protected Health Information in response to a court or administrative order. We also may disclose Protected Health Information in response to a subpoena, discovery request, or other legal process from someone else involved in the dispute, but only if efforts have been made to tell You about the request or to get an order protecting the Protected Health Information requested. We may also use or disclose Your Protected Health Information to defend ourselves if You sue us.

Law Enforcement: We may disclose your Protected Health Information to the police or other law enforcement officials in certain limited, allowable circumstances or in compliance with a warrant, a court order, or a grand jury or an administrative subpoena.

National Security: We may release Protected Health Information to authorized federal officials for national security activities authorized by law. For example, We may disclose Protected Health Information to those officials so they may protect the President.

Coroners, Medical Examiners, and Funeral Directors: We may release Protected Health Information to a coroner, medical examiner, or funeral director so that they can carry out their duties. For example, disclosure of Protected Health Information may be necessary to identify a deceased person or determine cause of death.

Organ Donations: We may release Protected Health Information to organ-procurement organizations or tissue banks, as necessary to assist with organ or tissue donation.

Research: Under certain circumstances, We may use and disclose Your Protected Health Information for research purposes, provided certain measures are taken to protect Your privacy.

Your Choices:

Individuals Involved in Your Care or Payment for Your Care: We may disclose Protected Health Information to a person who is involved in Your medical care or helps pay for Your care, such as a family member or friend, to the extent it is relevant to that person's involvement in Your care or payment for Your care. We will provide You with a prior opportunity to object to and opt out of such a disclosure whenever We practicably can do so.

Disaster Relief: We may disclose Your Protected Health Information to disaster relief organizations that seek Your Protected Health Information to coordinate Your care, or notify family and friends of Your location or condition in a disaster. We will provide You with an opportunity to agree or object to such a disclosure whenever We practicably can do so.

Fundraising: We do not use or disclose Protected Health Information for fundraising purposes, but We are required to inform You that You would have the right to opt out of receiving fund-raising communications.

Other Uses and Disclosures Requiring Your Written Authorization

Your written authorization is required for:

  • Disclosures of any Protected Health Information for marketing purposes and disclosures that constitute the sale of Protected Health Information.
  • Use and disclosure of "therapy notes" that are maintained by us, except under certain circumstances. For example, We may use or disclose therapy notes without Your authorization to defend ourselves in a legal action or other proceeding initiated by You.
  • Other uses and disclosures of Protected Health Information not covered by this Notice or the laws that apply to Us will be made only with Your written authorization. If You do give Us authorization for a use or disclosure, You may revoke it at any time by submitting a written revocation to our Privacy Officer and We will no longer disclose such Protected Health Information. However, disclosures that We made in reliance on Your authorization before You revoked it will not be affected by the revocation.

Special Protections for Highly Confidential Information

Federal and state laws protect the confidentiality of and require special privacy protections for certain highly sensitive information about You ("Highly Confidential Information"), including the subset of Your Protected Health Information that:

  1. is maintained in psychotherapy notes;
  2. relates to alcohol and drug abuse prevention or Substance Use Disorder (SUD) treatment and referral;
  3. relates to reproductive health services, including treatment or testing for HIV/AIDS or sexually transmitted infections and abortion or abortion-related services;
  4. relates to mental or behavioral health treatment; and
  5. contains genetic information, including genetic testing results.

Uses and disclosures of Highly Confidential Information are subject to additional restrictions under applicable federal and state laws. For purposes not permitted or required by law, and where applicable, we will obtain Your written authorization or consent before disclosing such Highly Confidential Information. Please check with our Privacy Officer for information about the special protections that do apply.

Information Related to Substance Use Disorder Treatment

Some Highly Confidential Information maintained by Concern related to substance use disorder diagnosis, treatment, or referral for treatment is protected by a federal law called 42 Code of Federal Regulations (CFR) Part 2. Except as permitted by law, Concern will not use or disclose Highly Confidential Information protected by 42 CFR Part 2 without Your written authorization.

If You provide written authorization, Concern may use and disclose Highly Confidential Information protected by 42 CFR Part 2 for purposes such as treatment, payment, health care operations, care coordination, and other purposes permitted by federal law.

Federal law allows You to provide a single written consent for all future uses and disclosures of Your substance use disorder treatment information for treatment, payment, and health care operations purposes. You may revoke that consent in writing at any time, except to the extent action has already been taken in reliance on it.

Notwithstanding the disclosures elsewhere in this Notice, federal law prohibits using or disclosing SUD treatment records, or testimony about such records, in civil, criminal, administrative, or legislative proceedings against You unless You provide specific written consent or a court orders disclosure in accordance with 42 CFR Part 2.

Federal law prohibits recipients of Highly Confidential Information protected by 42 CFR Part 2 from making any further disclosure unless expressly permitted by Your written authorization or otherwise allowed by law.

Your Rights Regarding Your Protected Health Information 

You have the following rights, subject to certain limitations, regarding Your Protected Health Information:

Right to Inspect and Copy: You have the right to inspect and copy Protected Health Information that may be used to make decisions about Your care or payment for Your care. We may charge You a fee for the costs of copying, mailing or other supplies associated with Your request. We may not charge You a fee if You need the information for a claim for benefits under the Social Security Act or any other state or federal needs-based benefit program. We may deny Your request in certain limited circumstances. If We do deny Your request, You have the right to have the denial reviewed by a licensed healthcare professional who was not directly involved in the denial of Your request, and We will comply with the outcome of the review.

Right to an Electronic Copy of Electronic Medical Records: If Your Protected Health Information is maintained in an electronic format (known as an electronic medical record or an electronic health record), You have the right to request that an electronic copy of Your record be given to You or transmitted to another individual or entity. We may charge You a reasonable, cost-based fee for the labor associated with transmitting the electronic medical record.

Right to a Paper Copy of This Notice: You have the right to a paper copy of this Notice, even if You have agreed to receive this Notice electronically. You may request a copy of this Notice at any time.

Right to Get Notice of a Security Breach: We are required to notify you by first class mail or by e-mail (if you have indicated a preference to receive information by e-mail), of any breach of your Unsecured Protected Health Information as soon as possible, but in any event, no later than 60 days after we discover the breach. "Unsecured Protected Health Information" is Protected Health Information that has not been made unusable, unreadable, and undecipherable to unauthorized users. The notice will give you the following information:

  • a short description of what happened, the date of the breach and the date it was discovered;
  • the steps you should take to protect yourself from potential harm from the breach;
  • the steps we are taking to investigate the breach, mitigate losses, and protect against further breaches; and
  • contact information where you can ask questions and get additional information.

If the breach involves 10 or more patients whose contact information is out of date we will post a notice of the breach in a major print or broadcast media.

Right to Request Amendments: If You feel that Protected Health Information We have is incorrect or incomplete, You may ask Us to amend the Protected Health Information. You have the right to request an amendment for as long as the Protected Health Information is kept by or for Us. A request for amendment must be made in writing to the Privacy Officer at the address provided at the end of this Notice and it must tell Us the reason for Your request. We may deny Your request if it is not in writing or does not include a reason to support the request. In addition, We may deny Your request if You ask Us to amend Protected Health Information that: (1) was not created by us, (2) is not part of the medical information kept by or for us, (3) is not information that You would be permitted to inspect and copy, or (4) is accurate and complete. If We deny Your request, You may submit a written statement of disagreement of reasonable length. Your statement of disagreement will be included in Your medical record, but We may also include a rebuttal statement.

Right to an Accounting of Disclosures: You have the right to ask for an "accounting of disclosures," which is a list of the disclosures We made of Your Protected Health Information. We are not required to list certain disclosures, including (1) disclosures made for treatment, payment, and health care operations purposes, (unless the disclosures were made through an electronic medical record, in which case You have the right to request an accounting of those disclosures that were made during the 3 years before Your request), (2) disclosures made with Your authorization, (3) disclosures made to create a limited data set, and (4) disclosures made directly to You. You must submit Your request in writing to our Privacy Officer. Your request must state a time period for disclosures which may not be longer than 6 years before Your request. Your request should indicate in what form You would like the accounting (for example, on paper or by e-mail). The first accounting of disclosures You request within any 12-month period will be free. For additional requests within the same period, We may charge You for the reasonable costs of providing the accounting. We will tell what the costs are, and You may choose to withdraw or modify Your request before the costs are incurred.

Right to Request Restrictions: You have the right to request a restriction or limitation on the Protected Health Information We use or disclose for treatment, payment, or health care operations. You also have the right to request a limit on the Protected Health Information We disclose about You to someone who is involved in Your care or the payment for Your care, like a family member or friend. We are not required to agree to Your request. If We agree, We will comply with Your request unless We terminate our agreement or the Protected Health Information is needed to provide You with emergency treatment.

Out-of-Pocket-Payments: If You paid out-of-pocket in full for a specific item or service, You have the right to ask that Your Protected Health Information with respect to that item or service not be disclosed to a health plan for purposes of payment or health care operations, and We will honor that request.

Right to Request Confidential Communications: You have the right to request that We communicate with You only in certain ways to preserve Your privacy. For example, You may request that We contact You by mail at a special address or call You only at Your work number. You must make any such request in writing, and You must specify how or where We are to contact You. We will accommodate all reasonable requests. We will not ask You the reason for Your request.

How to Exercise Your Rights

To exercise Your rights described in this Notice, send Your request, in writing, to our Privacy Officer at the address listed at the end of this Notice. We may ask You to fill out a form that We will supply. To exercise Your right to inspect and copy Your Protected Health Information, You may also contact Your physician directly. To get a paper copy of this Notice, contact our Privacy Officer at the phone number or address listed at the end of this Notice.

Complaints

If You believe Your privacy rights have been violated, You may file a complaint with Us or with the Secretary of the United States Department of Health and Human Services.

To file a complaint with Us, contact our Privacy Officer at the address listed below. All complaints must be made in writing and should be submitted within 180 days of when You knew or should have known of the suspected violation. There will be no retaliation against You for filing a complaint.

To file a complaint with the Secretary of the United States Department of Health and Human Services, mail it to: Secretary of the U.S. Department of Health and Human Services, 200 Independence Ave, S.W., Washington, D.C. 20201. Call (202) 619-0257 (or toll free (877) 696-6775) or go to the website of the Office for Civil Rights, www.hhs.gov/ocr/hipaa/, for more information. There will be no retaliation against You for filing a complaint.

Changes to This Notice

The effective date of the Notice is stated at the beginning. We reserve the right to change this Notice. We reserve the right to make the changed Notice effective for Protected Health Information We already have as well as for any Protected Health Information We create or receive in the future. A copy of our current Notice is posted in our office and on our website.

Foreign Language Version

If You have difficulty reading or understanding English, You may request a copy of this Notice in Your preferred language from our Privacy Officer at the contact information below.

State Specific Requirements

When federal and California privacy laws are different and conflict, and California law is more protective of Your Protected Health Information or provides You with greater access to Your Protected Health Information, then we will follow California law.

Privacy Officer

IF YOU HAVE ANY QUESTIONS ABOUT THIS NOTICE OR IF YOU NEED MORE INFORMATION, PLEASE CONTACT OUR PRIVACY OFFICE: Concern Privacy Office, 2490 Hospital Drive, Suite 310; Mountain View, CA 94040; (800) 344-4222.

2015/rev: 2021/rev: 2025/rev: 2026