THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY. THE PRIVACY OF YOUR MEDICAL INFORMATION IS IMPORTANT TO US.
We are committed to protecting the privacy of the medical information and other personal information we keep regarding our members. We call this information Protected Health Information or “PHI” throughout this notice. We are required by law to maintain the privacy of your Protected Health Information. We are also required to give you this notice about our privacy practices, our legal duties, and your rights concerning your PHI. We must follow the privacy practices that are described in this notice while it is in effect. This notice is effective as of July 1, 2013 and will remain in place until we replace it.
We reserve the right to change this notice and our privacy practices at any time, provided such changes are permitted by applicable law. We also reserve the right to make the changes in our privacy practices and the new notice effective for all PHI that we already have about you as well as for PHI that we may receive in the future. Before we make a material change in our privacy practices, we will update this notice and send the new notice to our health plan subscribers at the time of the change or as required by applicable law.
You may request a copy of this notice by calling the customer service number on the back of your identification card. You may also obtain a copy from our Web site, www.bluecrossnc.com. For more information or questions about our privacy practices, please contact the Privacy Official by writing to P. O. Box 2291, Durham, NC 27702.
How We Use and Disclose Your Protected Health Information
We may use and disclose your PHI as permitted by federal and state privacy laws and regulations, including the federal health care privacy regulations known as “HIPAA.” If an applicable state privacy law is more protective of your health information or is more stringent than HIPAA, we will follow the state law. For example, some state laws have stricter requirements about disclosing information about certain conditions or treatment for certain conditions such as HIV, AIDS, mental health, substance abuse/chemical dependency, genetic testing or reproductive rights.
If you cease to be a member, we will no longer disclose your PHI, except as permitted or required by law.
We may use and disclose your PHI for the following purposes:
We may use and disclose your PHI for payment purposes or to otherwise fulfill our responsibilities for coverage and providing benefits under your policy. For example, we may use or disclose your PHI to pay claims from your health care providers for treating you, issue statements to explain such payments, determine and coordinate eligibility for benefits, make medical necessity determinations for treatment that you received or plan to receive, obtain premiums, and other purposes related to payment.
Health Care Operations
We may use and disclose your PHI to support various business functions and activities that enable us to provide services to you. These functions may include, but are not limited to: quality assessment and improvement activities; reviewing the competence or qualifications of the health care providers in our network; and legal, auditing, and general administrative services. For example, we may use or disclose your PHI to: (i) inform you about programs to help you manage a health condition; (ii) provide customer services to you or; (iii) investigate potential or actual fraud and abuse. We may also disclose your PHI to the North Carolina Department of Insurance during a review of our health insurance operations. We may also disclose your PHI to non-affiliated third parties where allowed by law and as necessary to help us fulfill our obligations to you. We talk about this more below under “Business Associates,” which is the name HIPAA gives to certain third parties working for us.
You may give us written authorization to use or disclose your PHI for any purpose. If you give us an authorization, you may revoke it at any time by giving us written notice. Your revocation will not affect any use or disclosure permitted by your authorization that has already occurred, but will apply to those in the future. Without your authorization, we may not use or disclose your PHI for any reason except as described in this notice.
Your Family and Friends
We may disclose PHI to a family member, a friend or other persons whom you indicate are involved in your care or payment for your care. We may use or disclose your name, location, and general condition or death to notify or help with notification of a family member, your personal representative, or other persons involved in your care. If you are incapacitated or in an emergency, we may disclose your PHI to these persons if we determine that the disclosure is in your best interest. If you are present, we will give you the opportunity to object before we disclose your PHI to these persons.
Your Health Care Provider
We may use and disclose your PHI to assist health care providers in connection with their treatment or payment activities and certain of their health care operations activities as permitted by HIPAA.
We may receive your PHI for underwriting, premium rating or other activities relating to the creation, renewal or replacement of a contract of health insurance or health benefits, as permitted by law. We will not use or further disclose this PHI for any other purpose, except as required by law, unless the contract of health insurance or health benefits is placed with us. If the contract is placed with us, we will only use or disclose your PHI as described in this notice. We will not use genetic information for underwriting purposes.
We may contract with individuals and entities called business associates to perform various functions on our behalf or to provide services to you. To perform these functions or services, business associates may receive, create, maintain, use or disclose your PHI, but only after the business associate has agreed in writing to safeguard your PHI. For example, we may disclose your PHI to a business associate who will administer your health plan’s prescription benefits.
Required by Law and Law Enforcement
We may use or disclose your PHI when we are required to do so by state or federal law. We are required to disclose your PHI to the Secretary of the U.S. Department of Health and Human Services when the Secretary is investigating or determining our compliance with HIPAA. We may disclose your PHI in connection with legal proceedings such as in response to an order from a court or administrative tribunal, or in response to a subpoena. We may also disclose your PHI for law enforcement purposes.
Abuse or Neglect
We may disclose your PHI to a government authority that is authorized by law to receive reports of abuse, neglect, or domestic violence.
We may disclose your PHI to comply with workers’ compensation laws and other similar laws that provide benefits for work-related injuries or illnesses.
Public Health and Safety or Health Oversight Activities
We may use or disclose your PHI for public health activities for the purpose of preventing or controlling disease, injury, or disability. We may also disclose your PHI to a health oversight agency for activities authorized by law such as audits, investigations, inspections, licensure or disciplinary actions.
We may disclose your PHI to researchers when an institutional review board or privacy board has reviewed the research proposal and established protocols to protect the privacy of your PHI. We may also make limited disclosures of your PHI for actuarial studies.
We may use your PHI to contact you with information about our health-related products and services, product enhancements or upgrades, or about treatment alternatives that may be of interest to you. We will not use or disclose your PHI for marketing communications unless you authorize us to do so, except as permitted by law. Furthermore, we will not sell your PHI without authorization, except as permitted by law.
Employer or Organization Sponsoring a Group Health Plan
We may disclose your PHI to the employer, educational institution or other organization that sponsors your health plan. We may also disclose summary information about the enrollees in your group health plan to the plan sponsor to use to obtain premium bids for the health insurance coverage offered through your group health plan or to decide whether to modify, amend or terminate your group health plan.
Death and Organ Donation
We may disclose the PHI of a deceased person to a coroner, medical examiner, funeral director, or organ procurement organization to assist them in performing their duties.
Military Activity, National Security, Protective Services
If you are or were in the armed forces, we may disclose your PHI to military command authorities. We may also disclose your PHI to authorized federal officials for conducting national security and intelligence activities, and for the protection of the President of the United States, other federal officials or foreign heads of state.
If you are an inmate, we may disclose your PHI to a correctional institution or law enforcement official for: (i) providing health care to you; (ii) your health and safety and the health and safety of others, or (iii) the safety and security of the correctional institution.
Information We Collect About You
In the normal course of our operations, we may collect information from: (i) You (through information you give us on your applications for insurance or on other forms, through telephone or in-person interviews with you, and through information you provide to an insurance agent or your employer such as your address, telephone number, health status, or other types of insurance coverage you have; (ii) Your Transactions with us, such as your claims history; (iii) Other Insurance Companies that currently insure you or that have insured you in the past, such as your claims history; (iv) Your Employer or Plan Sponsor, such as information about your eligibility for insurance coverage; (v) Your Health Care Providers who currently treat you or have treated you in the past, such as information about your health status; or (vi) Insurance Support Organizations that collect information about your past medical transactions.
Our Policies for Protecting Your Protected Health Information
We protect the PHI that we maintain about you by using physical, electronic, and administrative safeguards that meet or exceed applicable law. When our business activities require us to provide PHI to third parties, they must agree to follow appropriate standards of security and confidentiality regarding the PHI provided. Access to your PHI is also restricted to appropriate business purposes.
We have developed privacy policies to protect your PHI. All employees are trained on these policies when they are hired and thereafter receive annual refresher training. Employees that violate our privacy policies are subject to disciplinary action.
We have developed a variety of other safeguards for protecting your information including: (i) using only aggregate or non-identifiable information when feasible;(ii) requiring confidentiality provisions in our contracts with third parties to protect the confidentiality of your personal information and restrict use and disclosure of this information; (iii)implementing access control procedures such as pass codes to access computer systems; and (iv) using physical security measures in our facilities to restrict access to personal information, including employee badges and escorting guests while in our facilities.
The following is a list of your rights with respect to your PHI:
Right to Access and Inspect Your PHI
You may ask to see or get a copy of certain PHI that we maintain about you. Your request must be in writing. You may visit our office to look at the PHI, or you may ask us to mail it to you, or in certain circumstances, this may include an electronic copy. We will charge a reasonable fee to cover the cost of copying the information. We will contact you to review the fee and obtain your agreement to pay the charges. If you wish to access your PHI, please call the number on the back of your identification card and request an access to PHI form.
Right to Amend Your PHI
You may ask us to correct, amend or delete your PHI. Your request must be in writing. We are not required to agree to make the change. For example, we will not generally change our information if we did not create the PHI or if we believe that the PHI is correct. If we deny your request, we will provide you a written explanation. You have the right to file a statement explaining why you disagree with our decision and providing what you believe is the correct, relevant and fair information. We will file the statement with your PHI and we will provide it to anyone who receives any future disclosures of your PHI. If we accept your amendment request, we will make reasonable efforts to inform others, including people you name, of the amendment and include the changes in any future disclosures of your PHI. If you wish to amend your PHI, please call the telephone number on the back of your identification card and request an amendment of PHI form.
Right to Request an Accounting of Disclosures
You may ask to receive a list of certain disclosures of your PHI that we or our business associates made for purposes other than treatment, payment or health care operations. You are entitled to this accounting of disclosures for the six years prior to the date of your request. The list we provide will contain the date we made a disclosure, the name of the person or entity that received your PHI, a description of the PHI that we disclosed, the reason for the disclosure, and certain other information. We will not charge a fee for providing the list unless you make more than one request in a 12-month period, in which case we may charge a reasonable fee for preparing the list. Your request must be in writing and you may call the number on the back of your identification card and request an accounting of disclosures form.
Right to Request Restrictions
You may ask us to place additional restrictions on our use or disclosure of your PHI for our treatment, payment and health care operations. We are not required to agree to these restrictions. In most instances, we will not agree to these restrictions unless you have requested Confidential Communications as described below.
Right to Confidential Communications
If you believe that a disclosure of your PHI could endanger you, you may ask us to communicate with you confidentially at a different location. For example, you may ask us to contact you at your work address or other place instead of your home address. You may call the number on the back of your identification card to request a confidential communications form. Once we have received your confidential communications request, we will only communicate with you as directed on the confidential communications form, and we will also terminate any prior authorizations that you have filed with us.
Breach of Notification
While we follow our safeguards to protect your PHI, in the event of a breach of your unsecured health information, we will notify you about the breach as required by law or where we otherwise deem appropriate.
Right to File a Privacy Complaint
You may complain to us if you believe that we have violated your privacy rights by contacting the Privacy Official, P.O. Box 2291, Durham, NC 27702-2291. You may also file a complaint with the Secretary of the U. S. Department of Health and Human Services. We will not take any action against you or in any way retaliate against you for filing a complaint with the Secretary or with us.
Right to Obtain a Copy of this Privacy Notice
You may request a copy of this notice at any time by calling the number on the back of your identification card or you may view or download this notice from our Web site. Even if you agreed to receive this notice electronically, you are still entitled to a paper copy of this notice.