What We DoMeet the TeamCase StudiesFAQGet Started
Home / HIPAA Notice

HIPAA Notice

Our commitment to protecting health information.

Last updated: February 1, 2026

Table of Contents

  1. Our Commitment to HIPAA Compliance
  2. Protected Health Information
  3. How We Use and Disclose PHI
  4. Our Safeguards
  5. Business Associate Agreements
  6. Individual Rights Under HIPAA
  7. Breach Notification
  8. Minimum Necessary Standard
  9. Employee Training
  10. Contact Information

OPM Benefits, Inc. ("OPM Benefits," "we," "us," or "our") takes the protection of health information seriously. This HIPAA Notice explains how we comply with the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), the Health Information Technology for Economic and Clinical Health Act ("HITECH"), and their implementing regulations at 45 CFR Parts 160 and 164 (collectively, the "HIPAA Rules").

This notice applies to all protected health information (PHI) that we create, receive, maintain, or transmit on behalf of our clients in connection with our benefits administration services.

1. Our Commitment to HIPAA Compliance

OPM Benefits operates as a Business Associate under HIPAA. As a benefits administration platform provider, we process protected health information on behalf of our clients (Covered Entities and their group health plans) to facilitate benefits enrollment, administration, and fulfillment. We do not use or disclose PHI except as permitted or required by our Business Associate Agreements and applicable law.

Our commitment to HIPAA compliance is embedded in every aspect of our organization, from the way we design our platform to the way we train our employees and select our subcontractors. We have appointed a dedicated HIPAA Privacy Officer and HIPAA Security Officer who oversee our compliance program and serve as the primary points of contact for HIPAA-related matters.

Our HIPAA compliance program includes:

  • Comprehensive written policies and procedures addressing all requirements of the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule
  • A formal risk analysis and risk management program, conducted at least annually and whenever significant changes are made to our systems or processes
  • Ongoing monitoring and internal auditing to verify compliance with our policies and the HIPAA Rules
  • A designated compliance committee that meets quarterly to review the effectiveness of our HIPAA program and address emerging risks
  • Regular engagement with external HIPAA compliance consultants and legal counsel to ensure our program reflects current regulatory expectations and enforcement trends

2. Protected Health Information

Protected Health Information (PHI) is individually identifiable health information that is created, received, maintained, or transmitted in connection with health care or health care payment. In the context of our benefits administration services, the types of PHI we may access and process include:

  • Enrollment data: Health plan selections, coverage tiers (employee-only, employee-plus-spouse, family), and effective dates that indicate an individual's health plan participation
  • Dependent information: Names, dates of birth, Social Security numbers, and relationship data for dependents enrolled in group health plans
  • Qualifying life event documentation: Marriage certificates, birth certificates, court orders, or other documentation submitted to support mid-year enrollment changes that may contain health-related information
  • COBRA administration data: Information related to qualifying events, election periods, and continuation coverage that may reveal health plan participation history
  • Health savings account (HSA) and flexible spending account (FSA) data: Contribution elections and account activity that relate to health care expenses
  • Carrier eligibility and enrollment files: Electronic data transmitted to and received from insurance carriers for enrollment processing, including EDI 834 transactions
  • Disability and leave-related data: When administered as part of an integrated benefits program, information related to short-term disability, long-term disability, and FMLA may constitute PHI

We also handle electronic protected health information (ePHI), which is PHI that is created, received, maintained, or transmitted in electronic form. The vast majority of PHI we process is ePHI, and it is subject to the additional safeguard requirements of the HIPAA Security Rule.

3. How We Use and Disclose PHI

We use and disclose PHI only as permitted or required by our Business Associate Agreements and the HIPAA Rules. The following are the primary circumstances under which we may use or disclose PHI:

Treatment, Payment, and Health Care Operations

We use and disclose PHI as necessary to perform our obligations under our Business Associate Agreements, which generally includes activities related to:

  • Payment: Processing benefits enrollments, transmitting eligibility data to carriers, reconciling enrollment files, and administering premium payments and payroll deductions
  • Health care operations: Quality assessment and improvement activities, conducting audits, business planning, customer service, and resolving internal grievances related to benefits administration

As Required by Law

We may use or disclose PHI when required to do so by federal, state, or local law, including for public health activities, judicial and administrative proceedings, law enforcement purposes, and as required by workers' compensation laws.

With Authorization

Uses and disclosures of PHI not described in this notice or not otherwise permitted by the HIPAA Rules will be made only with the written authorization of the individual whose PHI is involved. Any such authorization may be revoked at any time in writing, except to the extent that we have already taken action in reliance on the authorization.

To the Covered Entity

We may disclose PHI to the Covered Entity (our client) that provided the PHI, or on whose behalf we created or received the PHI, for any purpose permitted under the client's own Notice of Privacy Practices.

4. Our Safeguards

We implement comprehensive administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of PHI, as required by the HIPAA Security Rule (45 CFR Part 164, Subpart C).

Administrative Safeguards

  • Security management process: We maintain a formal risk analysis and risk management program that identifies threats and vulnerabilities to ePHI, assesses their likelihood and impact, and implements appropriate measures to reduce risk to reasonable and appropriate levels
  • Workforce security: All employees undergo background checks prior to hire. Access to PHI is granted based on job function using role-based access controls, and access is reviewed and recertified at least quarterly
  • Information access management: We enforce the principle of least privilege, granting access to PHI only to the minimum extent necessary to perform authorized job functions
  • Security awareness and training: All employees and contractors receive HIPAA training upon hire and annually thereafter (see Section 9 for details)
  • Security incident procedures: We maintain documented incident response procedures for identifying, responding to, mitigating, and documenting security incidents involving PHI
  • Contingency plan: We maintain business continuity and disaster recovery plans that ensure the availability and integrity of ePHI, including regular backup testing and recovery exercises

Physical Safeguards

  • Facility access controls: Our offices employ access control systems including badge readers, visitor logs, and security cameras. Server rooms and data centers are restricted to authorized personnel with additional authentication requirements
  • Workstation security: All workstations that access ePHI are equipped with encrypted hard drives, automatic screen locks, and endpoint protection software. Remote access is permitted only through encrypted VPN connections with multi-factor authentication
  • Device and media controls: We maintain policies for the disposal and reuse of electronic media containing ePHI, including NIST 800-88 compliant data sanitization procedures and certificates of destruction from certified vendors
  • Data center security: Our cloud infrastructure is hosted in SOC 2 Type II and ISO 27001 certified data centers with 24/7 physical security, biometric access controls, redundant power and cooling, and fire suppression systems

Technical Safeguards

  • Access control: Unique user identification for all system users, role-based access control with principle of least privilege, automatic session timeout, and emergency access procedures for critical situations
  • Audit controls: Comprehensive audit logging of all access to systems containing ePHI, including user identity, timestamp, action performed, and data accessed. Audit logs are immutable, stored separately from production systems, and retained for a minimum of six (6) years
  • Integrity controls: Data integrity verification using cryptographic checksums, database transaction logging, and regular integrity audits to detect unauthorized alteration or destruction of ePHI
  • Transmission security: All ePHI transmitted over networks is encrypted using TLS 1.2 or higher. EDI transmissions to carriers use encrypted SFTP or AS2 protocols. Internal network communications containing ePHI are encrypted in transit
  • Encryption: ePHI at rest is encrypted using AES-256 encryption. Database fields containing high-sensitivity identifiers (such as Social Security numbers) are subject to additional application-layer encryption with dedicated key management through hardware security modules

5. Business Associate Agreements

As required by the HIPAA Rules (45 CFR 164.502(e) and 164.504(e)), we enter into a Business Associate Agreement (BAA) with each client (Covered Entity) before we create, receive, maintain, or transmit PHI on their behalf.

Our Business Associate Agreements specify:

  • The permitted and required uses and disclosures of PHI by OPM Benefits
  • Our obligation to implement appropriate safeguards to prevent unauthorized use or disclosure of PHI
  • Our obligation to report to the Covered Entity any use or disclosure of PHI not provided for by the agreement, including any security incidents or breaches
  • The requirement that any subcontractors who access PHI on our behalf enter into a Business Associate Agreement with us containing the same obligations
  • Our obligation to make PHI available to individuals who exercise their HIPAA rights, as directed by the Covered Entity
  • Our obligation to return or destroy PHI upon termination of the agreement, subject to applicable retention requirements
  • Our obligation to make our internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of Health and Human Services for purposes of determining compliance

We also maintain BAAs with all subcontractors who create, receive, maintain, or transmit PHI on our behalf, including our cloud infrastructure providers, backup service providers, and any third-party service providers who may access PHI in the course of providing services to us.

6. Individual Rights Under HIPAA

Under HIPAA, individuals have certain rights with respect to their PHI. Because OPM Benefits operates as a Business Associate, these rights are generally exercised through the Covered Entity (your employer's group health plan). However, we are committed to supporting our clients in fulfilling these rights promptly and completely.

Right of Access

Individuals have the right to inspect and obtain a copy of their PHI maintained by a Covered Entity or its Business Associates, as set forth in 45 CFR 164.524. When directed by a Covered Entity, we will provide the requested PHI in the form and format requested by the individual, if readily producible, or in a mutually agreed-upon readable format. We will respond to access requests within thirty (30) days, with a possible thirty-day extension if needed.

Right to Amendment

Individuals have the right to request amendment of their PHI if they believe it is inaccurate or incomplete, as provided in 45 CFR 164.526. Amendment requests should be directed to the Covered Entity, which will instruct us to make the requested amendments in our systems if the request is approved.

Right to an Accounting of Disclosures

Individuals have the right to receive an accounting of certain disclosures of their PHI made by us during the six (6) years prior to the request, as specified in 45 CFR 164.528. This accounting does not include disclosures made for treatment, payment, or health care operations, disclosures made to the individual, or disclosures authorized by the individual, among other exceptions. We maintain detailed disclosure logs to support this right.

Right to Request Restrictions

Individuals have the right to request restrictions on certain uses and disclosures of their PHI, as described in 45 CFR 164.522. While the Covered Entity is not generally required to agree to such restrictions, if a restriction is agreed to, we will honor it as directed by the Covered Entity.

Right to Confidential Communications

Individuals have the right to request that the Covered Entity communicate with them about health matters in a certain way or at a certain location, as provided in 45 CFR 164.522(b). When directed by a Covered Entity, we will accommodate reasonable requests for confidential communications.

Right to Complain

Individuals who believe their privacy rights have been violated may file a complaint with the Covered Entity, with OPM Benefits, or directly with the U.S. Department of Health and Human Services (HHS) Office for Civil Rights. No individual will be retaliated against for filing a complaint.

7. Breach Notification

In the event of a breach of unsecured PHI, we will comply with the HIPAA Breach Notification Rule (45 CFR Part 164, Subpart D) and the HITECH Act breach notification requirements.

Our Procedures

  • Detection and investigation: We maintain 24/7 security monitoring and incident detection capabilities. Upon discovery of a potential breach, our incident response team immediately initiates an investigation to determine the nature and scope of the incident, the PHI involved, the unauthorized persons who accessed or used the PHI, and whether the PHI was actually acquired or viewed
  • Risk assessment: We conduct a four-factor risk assessment as required by 45 CFR 164.402 to determine whether the incident constitutes a "breach" under HIPAA, evaluating: (1) the nature and extent of the PHI involved; (2) the unauthorized person who used the PHI or to whom the disclosure was made; (3) whether the PHI was actually acquired or viewed; and (4) the extent to which the risk to the PHI has been mitigated
  • Containment and remediation: We take immediate steps to contain the incident, mitigate harm, and prevent recurrence, including revoking unauthorized access, patching vulnerabilities, and implementing additional safeguards as needed

Notification Timelines

  • We will notify the affected Covered Entity (our client) of a confirmed breach without unreasonable delay and no later than thirty (30) days after discovery, or sooner if required by our Business Associate Agreement
  • Our notification will include the identification of each individual whose PHI has been or is reasonably believed to have been affected, a description of the incident, the types of PHI involved, and the steps we have taken to investigate, mitigate, and prevent future occurrences
  • The Covered Entity is responsible for notifying affected individuals within sixty (60) days of discovery and, for breaches affecting 500 or more individuals, notifying HHS and prominent media outlets as required by the Breach Notification Rule
  • We will cooperate fully with the Covered Entity in fulfilling these notification obligations and will provide all necessary information and assistance

8. Minimum Necessary Standard

In accordance with 45 CFR 164.502(b) and 164.514(d), OPM Benefits applies the minimum necessary standard to all uses, disclosures, and requests for PHI. This means we make reasonable efforts to limit the PHI we use, disclose, or request to the minimum amount necessary to accomplish the intended purpose.

We implement the minimum necessary standard through:

  • Role-based access controls: Our platform enforces granular role-based access so that each user and system component can access only the specific data elements required for their function. For example, a customer service representative assisting with an enrollment question can view plan selections and coverage details but cannot access Social Security numbers or financial account information
  • Data segmentation: We segment PHI within our systems so that different categories of data (identification, enrollment, financial, health-related) are accessible independently, allowing us to limit access based on the specific task being performed
  • Carrier data transmissions: Our EDI feeds to insurance carriers include only the data elements required by the carrier's enrollment specifications and the applicable HIPAA transaction standards. We do not transmit unnecessary data elements
  • Internal policies: Our workforce members are trained on the minimum necessary standard and are instructed to access, use, and disclose only the PHI needed to perform their specific job responsibilities
  • Regular review: We periodically review our access controls, data flows, and disclosure practices to ensure ongoing compliance with the minimum necessary standard

9. Employee Training

We recognize that HIPAA compliance depends on the knowledge and vigilance of every member of our workforce. Our training program is designed to ensure that all individuals who may access PHI understand their obligations and the importance of protecting health information.

HIPAA Training

  • New hire training: All new employees and contractors receive comprehensive HIPAA training within their first week of employment, before they are granted access to any systems containing PHI. Training covers the HIPAA Privacy Rule, Security Rule, Breach Notification Rule, and our internal policies and procedures
  • Annual refresher training: All workforce members complete annual HIPAA refresher training that includes updates on regulatory changes, new threats and vulnerabilities, lessons learned from security incidents (de-identified), and reinforcement of key policies and procedures
  • Role-specific training: Employees in roles with elevated access to PHI (such as implementation specialists, support engineers, and data analysts) receive additional role-specific training on data handling procedures, access controls, and the minimum necessary standard as it applies to their function
  • Training documentation: We maintain records of all training completions, including the date of training, content covered, and verification of understanding, for a minimum of six (6) years as required by 45 CFR 164.530(j)

Security Awareness

  • Ongoing awareness campaigns: We conduct regular security awareness activities including simulated phishing exercises, security tips and reminders, and awareness communications about current threats and social engineering techniques
  • Incident reporting education: All workforce members are trained on how to identify and report potential security incidents, privacy violations, and suspected breaches. We maintain a culture of reporting and do not penalize good-faith reports
  • Clean desk and clean screen policies: Workforce members are trained on physical security practices including securing paper documents containing PHI, locking workstations when unattended, and properly disposing of PHI

10. Contact Information

If you have questions about this HIPAA Notice or our HIPAA compliance practices, or if you wish to report a potential HIPAA violation or security concern, please contact our HIPAA Privacy Officer:

HIPAA Privacy Officer
OPM Benefits, Inc.
200 West Madison Street, Suite 2100
Chicago, IL 60606

Email: privacy@opm-benefits.com
Phone: (312) 555-0180

You may also file a complaint directly with the U.S. Department of Health and Human Services Office for Civil Rights:

U.S. Department of Health and Human Services
Office for Civil Rights
200 Independence Avenue, S.W.
Washington, D.C. 20201

Phone: 1-800-368-1019
TDD: 1-800-537-7697
Website: www.hhs.gov/ocr
Complaint Portal: ocrportal.hhs.gov

No individual will face retaliation for filing a complaint about our privacy or security practices, whether the complaint is made to OPM Benefits, to the Covered Entity, or to the Office for Civil Rights.