NOTICE OF INFORMATION PRIVACY PRACTICES
THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
To Our Customers and Potential Customers:
Horizon Blue Cross Blue Shield of
New Jersey and its affiliated companies* want you to know that we recognize
our obligation to keep information
about you secure and confidential.
Unlike many other financial and health institutions, we do not
sell information about you and we do not
share your information except to conduct
our business, Making
Healthcare Work℠ for you.
As required by law, we publish this Notice
to explain the information that we collect
and how we maintain, use and disclose it in
administering your benefits. We will abide
by the statements made in this Notice.
Except as permitted by law and as
explained in this Notice, we do not disclose
any information about our past, present or
future customers to anyone. When we use
the term "Customer Information," we are
referring to financial or health information
that is "nonpublic," including any
information from which a judgment could
possibly be made about you. When we use
the term "Protected Health Information" or
"PHI," we are referring to individually
identifiable oral, written and electronic
information concerning the provision of, or
payment for, health care to you. We refer
to Customer Information and PHI
collectively as "Private Information."
Members of self-funded plans
If you are a participant or beneficiary of a
self-funded group health plan, we may use
and disclose your Private Information as
described in this Notice. However, our use or
disclosure is dictated by an arrangement with
your employer (or other sponsor of your benefits
plan) or that plan itself. That plan may use and
disclose your Private Information differently than
is described here. With respect to your
individual rights, you should ask your plan
administrator how to exercise those rights,
along with any other question you may have
regarding your plan’s privacy policies and
practices.
What information do we collect?
In providing your health coverage, we
collect Customer Information and PHI from
the following sources:
- Information we receive from you or your
policyholder on applications, other forms or
Web sites we sponsor;
- Information we obtain from your
transactions with us, our affiliates or others,
such as health care providers;
- Information we receive from consumer
reporting agencies or others, such as
Medicare, state regulators and law
enforcement agencies.
How do we protect Private Information?
Our employees are trained on the need to
maintain your Private Information in the strictest
confidence. They agree to be bound by that
promise of confidentiality and are subject to
disciplinary action if they violate that promise.
We also maintain appropriate administrative,
technical and physical safeguards to reasonably
protect your Private Information. Finally, in
those situations where we rely on a third party
to perform business, professional or insurance
services or functions for us, that third party must
agree to safeguard your Private Information. That
business associate must also agree to use
it only as required to perform its functions
for us and as otherwise permitted by our
contract and the law. In these ways, we
carry out our confidentiality commitments
to you.
When must we seek your authorization before disclosing Private Information?
There may be circumstances where we
will seek your authorization before making
a disclosure of your Private Information.
This is to ensure that we have your
permission to make that disclosure. For
example, you may have asked someone
who is not your personal representative (or
the policyholder) to contact us on your
behalf to obtain information about your
claims. Before we disclose your Private
Information to that person, we would seek
your authorization to do so, unless
otherwise permitted or described in this
Notice.
If you give us your authorization, you are
permitted to revoke that authorization at any
time in writing. We will honor your
revocation once it is processed, except to
the extent that we have taken action in
reliance upon your original authorization.
Uses and disclosures of Private Information that do not require authorization
Most of our routine use and disclosure of
your Private Information occurs in
administering your coverage. In those
instances, we are not required to seek
your authorization. For instance, we are
generally permitted to make disclosures of
your Private Information without
authorization for purposes of treatment,
payment and health care operations. In
this Notice, we provide examples of those
routine purposes, although not every use
or disclosure that falls into those
categories is listed.
Please note that we will limit the
disclosure of certain information in
accordance with laws governing the
special nature of the information (e.g.,
HIV/AIDS, substance abuse, genetic
information). We are prohibited from using
and disclosing your genetic information for
underwriting purposes. Also, where a state permits
minors of a certain age or status to seek
treatment without parental consent,
information that would normally be
provided to our customers may be limited,
if requested and we are informed that
treatment was rendered that way. That is
because we must protect the privacy of that
minor’s information in accordance with
those state laws.
Payment Activities
We routinely use and disclose Private
Information in connection with your
health care coverage, to determine your
eligibility for coverage and benefits, and
to see that the treatment and services you
receive are properly billed and paid. To
do this, we may share Private
Information with health care providers,
their billing agents, insurance
companies, and others. Our payment
activities can also include the use of
Private Information for: risk adjustment,
billing, claims management, collection
activities, utilization review, medical
necessity determinations, drug rebate
contract reporting of drug utilization,
underwriting and other rate-setting
activities. For example, a claim for
medical services rendered to you may
be submitted electronically from a billing
service on behalf of your provider. Our
claims processors will then use your
Private Information to process your
claim. If we need additional information
to process it, we may contact your
provider to obtain that information.
When we do that, we disclose Private
Information to your provider in order to
identify and discuss your claim with him
or her. Your provider then discloses the
needed, additional Private Information
that will enable us to properly process
your claim. In this example, each of
these entities involved (your provider,
his or her billing service and Horizon
BCBSNJ and/or its affiliated companies)
is covered by and must protect and
safeguard your Private Information either
because they are "covered entities" or
"business associates" of covered
entities under the federal privacy
regulations.
Health Care Operations Activities
We routinely use and disclose Private
Information to conduct our health care
business, including all the activities that
are defined by federal regulation as
"health care operations." They include,
but are not limited to: case management
and care coordination, utilization review,
quality assessment and improvement,
network provider credentialing,
population-based research to improve
health or reduce health care costs, and
contacting providers and members
with information about treatment
alternatives. For example, we may use
and disclose Private Information to
remind you about the availability or
value of preventive care or of a disease
management program. Other health
care operations activities include
compliance and auditing activities,
evaluating provider performance,
underwriting, formulary development,
information systems management, fraud
and abuse detection (by ourselves or for
other plans or providers), facilitation of
a sale, transfer, merger or consolidation
of all or part of Horizon BCBSNJ and/or
its affiliated companies with another
entity (including due diligence related to
the transaction), customer service and
general business management, among
others.
Health-Related Activities
We may use or disclose your Private
Information for a number of
treatment-related activities. We are
permitted to tell you about possible
treatment options or alternatives, inform
you of health-related benefits or
services, inform you of a relevant
disease management program that may
be of interest to you, and seek your
voluntary participation in such programs
to help improve your health and assist in
the coordination of your overall health
care. For example, our diabetes
disease management business
associate may, after reviewing PHI that
we had provided, determine that you
might suffer from diabetes. You may
then receive a notice that we have
enrolled you in our disease
management program. If you do not
want further contact about, or to
participate in, the program, you only
need to notify us. Our business
associate would then be instructed to
not use or disclose your information
further, which it must follow due to its
contract with us.
Treatment, Payment, and Health Care Operations of Other Covered Entities
We may use and disclose your PHI for
another covered entity’s treatment,
payment and health care operations
purposes. For example, we may
disclose your PHI when disclosure
would facilitate payment for services
under another health plan. In addition,
we are permitted to disclose PHI to
other covered entities so they can
conduct certain of their health care
operations. We may also disclose
it for purposes of their fraud and
abuse detection or compliance. But we
will only disclose PHI to another
covered entity for these purposes if that
covered entity has or had a relationship
with you.
Disclosures to Family Members
Unless you notify us in writing
otherwise, we may disclose your
Private Information to a family
member, close personal friend, the
subscriber of your health benefits
plan, or any person who is involved in
your care or payment for that care. We can
only disclose your Private Information that is
relevant to that person’s involvement with
your care or payment for that care. In the
context of spouse-to-spouse (or between
civil union partners) and parent-to-child
relationships, including both minor and adult
children, we will deem the spouse/civil union
partner or parent on their coverage to be the
personal representative of the other
spouse/civil union partner or the child, as
applicable. We will do this unless you notify
us in writing that you do not wish that
individual to serve as your personal
representative. Contact Member Services as
described in this Notice to designate or
terminate a personal representative
involved in your care or coverage.
Additional Reasons for Disclosure
We may also use or disclose Private
Information to:
- The certificate holder or policyholder of
your coverage, if it is information regarding
the status of an insurance transaction,
as permitted by law;
- Military authorities, if you are or were
a member of the armed forces;
- Further public safety or, when requested by
federal officials, for national security or
intelligence activities or for the protection
of public officials;
- Appropriate bodies for public health
activities, including the reporting of child
abuse or neglect, adverse events, product
defects, or for Food and Drug
Administration reporting;
- A health oversight agency for activities
such as audits, investigations, licensure,
disciplinary actions, or civil, administrative
or criminal proceedings. These
disclosures are necessary for the
government to oversee the health care
system and government benefits programs,
as well as for compliance with standards
and civil rights laws;
- Carry out appropriate research, but only as
expressly permitted and limited by the
federal privacy rules;
- Communicate with members, legislators
and regulators about legislative and
regulatory developments and proposals
that may impact access to affordable,
quality health care;
- Contact you for fundraising purposes;
- Appropriate bodies in response to a
subpoena or court order, or in response to
litigation that directly involves us or your
group health plan;
- A correctional institution or law
enforcement agency, if you are an inmate
or in the custody of law enforcement;
- Plan sponsor employees that are
designated by the plan administrator as
assisting in plan administration. The
federal privacy rules require your plan
administrator to obtain certain
representations from the plan sponsor
about how your information will be
protected. This is to ensure that the plan
sponsor complies with certain privacy
requirements and agrees not to use that
information for employment-related and
other decisions;
- Conduct permissible marketing type
activities, either ourselves or through
other companies on our behalf, such as for
health-related products or services, or to
other financial and health institutions with
which we have joint marketing agreements;
- Perform other functions and activities,
as permitted by the federal privacy
rules.
You should understand that, except as
permitted or described in this document,
we will not disclose your Private
Information without a written authorization
from you. And except for disclosures of
PHI made directly to you or your personal
representative, for your treatment, or
pursuant to your authorization, the federal
rules require us to use and disclose only
the minimum PHI necessary to accomplish
our purpose. For example, if we need to
disclose your PHI to our utilization review
care manager to help determine the
medical necessity of a particular claim, we
would likely not disclose your entire claim
history and medical record. That is
because your entire record is probably not
necessary to make the determination for
that one claim.
Legal Rights Related to Private Information
- The federal privacy rules entitle you
to request access, inspection and
copying of your PHI that we maintain
about you that is included in what is
called a "designated record set." But
we are not required to maintain it, except
for certain documentation related to
privacy rules compliance or as may
otherwise be required by law.
- You may have a state law right to
request, in writing, to inspect and obtain
a copy of Customer Information about
you. This does not include information
that relates to, and is collected in
connection with or in anticipation of, a
claim or civil or criminal proceeding
involving you. It also does not include
information which we are prohibited by
law from releasing. You must reasonably
describe the information you seek in your
written request, and the information must
be reasonably locatable and retrievable
by us. We may charge you a fee to
cover the cost of providing this Customer
Information.
- The federal privacy rules create a right
to request amendment of your PHI
included in the designated record set.
We may deny your request under those
rules if we determine that our records
are accurate and complete or were not
created by us, the information is not
contained in our designated record set,
or access is otherwise restricted by law.
- State law may entitle you to request
that we amend or delete Customer
Information about you in our records if
you believe the information is incorrect
or incomplete. We may deny this
request. However, if we do so, we must
advise you of the reasons for the denial
and advise you of your right to file a
statement of rebuttal.
- The federal privacy rules entitle you to
request restrictions on our use and
disclosure of PHI for treatment, payment
or health care operations (described in
this Notice). We will consider each
request, but are not required to agree to
any restrictions, except a reasonable
request for confidential communications.
- The federal privacy rules entitle you to
request to receive confidential
communications of PHI if disclosing
this information by the usual means
could endanger you. We will
accommodate all reasonable requests,
subject to the restrictions and
capabilities of our information
processing systems. A verbal request
may be considered, but must be
followed up in writing.
- The federal privacy rules entitle you to
request to receive an accounting of
certain disclosures of your PHI made
by us, such as disclosures to health
oversight agencies. These do not
include disclosures made for purposes
of treatment, payment or health care
operations and for certain other
reasons. A similar right may exist
under state law.
If you wish to exercise any of the legal
rights described in this Notice, you must
do so in writing. To obtain further
information about these rights, or if you
would like to make such a request,
please contact:
Member Services
PO Box 820
Newark, NJ 07101-0820
or
Privacy Office
Three Penn Plaza East, PP-16F
Newark, NJ 07105-2200
Keeping up to date with our Privacy Practices
Horizon BCBSNJ and its affiliated
companies will provide you with a Notice
of Information Privacy Practices annually,
as long as you maintain an ongoing insured
customer relationship with us. Our policies
may change as we periodically review and
revise them. We will provide you with a
new Notice if the changes are significant.
It may be necessary to use or disclose
your Private Information as described in
this Notice even after coverage has
terminated. In addition, it may be
infeasible to destroy your Private
Information. Thus, we do not necessarily
destroy it upon the termination of your
coverage. However, any information we
keep must be kept secure and private, and
used only for permissible purposes.
Complaints
You may file a complaint with Horizon
BCBSNJ and its affiliated companies if you
feel that your privacy rights have been
violated. All complaints must be submitted
in writing. A verbal complaint will be
processed, but we request that it be
documented in writing. To file a complaint,
contact:
Member Services
PO Box 820
Newark, NJ 07101-0820
or
Privacy Office
Three Penn Plaza East, PP-16F
Newark, NJ 07105-2200
You may also complain to the U.S.
Secretary of Health and Human
Services, who is responsible for
overseeing compliance with the
federal privacy law. You will not
be retaliated against for filing a
complaint. If you have any
questions or comments about this
Notice, or want to request another
copy of it, you can call Member
Services at 1-800-355-BLUE, or
contact:
Privacy Office
Three Penn Plaza East, PP-16F
Newark, NJ 07105-2200.