NOTICE OF INFORMATION PRIVACY PRACTICES
THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
This Notice is effective September 23, 2013. Revised: March, 2015.
To Our Customers and Potential Customers:
Horizon Blue Cross Blue Shield of New Jersey and its affiliated companies* want you to know that we are legally obligated to keep information about you secure and confidential. Unlike many other financial and health institutions, we do not sell information about you and we do not share your information except to conduct our business—Making Healthcare Work® for you.
As required by law, we publish this Notice to explain the information that we collect and how we maintain, use and disclose it in administering your benefits. We will abide by the statements made in this Notice. Except as permitted by law and as explained in this Notice, we do not disclose any information about our past, present or future customers to anyone. Uses and disclosures not described in this Notice will be made only with your written authorization. When we use the term “Customer Information,” we are referring to financial or health information that is “nonpublic,” including any information from which a judgment could possibly be made about you. When we use the term “Protected Health Information” or “PHI,” we are referring to individually identifiable oral, written and electronic information concerning the provision of, or payment for, health care to you. We refer to Customer Information and PHI collectively as “Private Information.”
Members of self-funded plans
If you are a participant or beneficiary of a self-funded group health plan, we may use and disclose your Private Information as described in this Notice. However, our use or disclosure is dictated by an arrangement with your employer (or other sponsor of your benefits plan) or that plan itself. That plan may use and disclose your Private Information differently than is described here. With respect to your individual rights, you should ask your plan administrator how to exercise those rights, along with any other questions you may have regarding your plan’s privacy policies and practices. This Notice also applies to Horizon BCBSNJ’s employee health benefit plan.
What information do we collect?
In providing your health coverage, we collect Private Information from the following sources:
- Information we receive from you or your policyholder on applications, other forms or websites we sponsor.
- Information we obtain from your transactions with us, our affiliates or others, such as health care providers.
- Information we receive from consumer-reporting agencies or others, such as Medicare, state regulators and law enforcement agencies.
How do we protect Private Information?
Our employees are trained on the need to maintain your Private Information in the strictest confidence. They agree to be bound by that promise of confidentiality and are subject to disciplinary action if they violate that promise. We also maintain appropriate administrative, technical and physical safeguards to reasonably protect your Private Information.
In addition, in those situations where we rely on a third party to perform business, professional or insurance services or functions for us, that third party must agree to safeguard your Private Information. That business associate must also agree to use it only as required to perform its functions for us and as otherwise permitted by our contract and the law. Finally, if we or our business associate causes a “breach” of privacy as that term is defined under federal law, we will notify you without unreasonable delay of the occurrence. In these ways, we carry out our confidentiality commitments to you.
When must we seek your authorization before disclosing Private Information?
There may be circumstances where we will seek your authorization before making a disclosure of your Private Information. This is to ensure that we have your permission to make that disclosure. For example, you may have asked someone who is not your personal representative (or the policyholder) to contact us on your behalf to obtain information about your claims. Before we disclose your Private Information to that person, we would seek your authorization to do so, unless otherwise permitted or described in this Notice. Your written authorization is required for (1) uses and disclosures of Private Information for marketing activities, when such authorization is required by law; (2) uses and disclosures of psychotherapy notes; and (3) uses and disclosures that constitute a sale of your Private Information.
If you give us your authorization, you are permitted to revoke that authorization at any time in writing. We will honor your revocation once it is processed, except to the extent that we have taken action in reliance upon your original authorization, or the authorization was obtained as a condition of obtaining coverage.
Uses and disclosures of Private Information that do not require authorization Most of our routine use and disclosure of your Private Information occurs in administering your coverage. In those instances, we are not required to seek your authorization. For instance, we are generally permitted to make disclosures of your Private Information without authorization for purposes of treatment, payment and health care operations. In this Notice, we provide examples of those routine purposes, although not every use or disclosure that falls into those categories is listed.
Please note that we will limit the disclosure of certain information in accordance with laws governing the special nature of the information (e.g., HIV/AIDS, substance abuse, genetic information). We are prohibited from using and disclosing your genetic information for underwriting purposes. Also, where a state permits minors of a certain age or status to seek treatment without parental consent, information that would normally be provided to our customers may be limited, if requested, and we are informed that treatment was rendered that way. That is because we must protect the privacy of that minor’s information in accordance with those state laws.
We routinely use and disclose Private Information in connection with your health care coverage, to determine your eligibility for coverage and benefits, and to see that the treatment and services you receive are properly billed and paid. To do this, we may share Private Information with health care providers, their billing agents, insurance companies and others. Our payment activities can also include the use of Private Information for: risk adjustment, billing, claims management, collection activities, utilization review, medical necessity determinations, drug rebate contract reporting of drug utilization, underwriting and other rate-setting activities. For example, a claim for medical services rendered to you may be submitted electronically from a billing service on behalf of your provider. Our claims processors will then use your Private Information to process your claim. If we need additional information to process it, we may contact your provider to obtain that information. When we do that, we disclose Private Information to your provider in order to identify and discuss your claim with him or her. Your provider then discloses the needed, additional Private Information that will enable us to properly process your claim. In this example, each of these entities involved—your provider, his or her billing service and Horizon BCBSNJ and/or its affiliated companies—is covered by and must protect and safeguard your Private Information either because they are “covered entities” or “business associates” of covered entities under the federal privacy regulations.
Health Care Operations Activities
We routinely use and disclose Private Information to conduct our health care business, including all the activities that are defined by federal regulation as “health care operations.” They include, but are not limited to: case management and care coordination, utilization review, quality assessment and improvement, network provider credentialing, population-based research to improve health or reduce health care costs, and contacting providers and members with information about treatment alternatives. For example, we may use and disclose Private Information to remind you about the availability or value of preventive care or of a disease management program. Other health care operations activities include compliance and auditing activities, evaluating provider performance, underwriting, formulary development, information systems management, fraud and abuse detection (by ourselves or for other plans or providers), facilitation of a sale, transfer, merger or consolidation of all or part of Horizon BCBSNJ and/or its affiliated companies with another entity (including due diligence related to the transaction), customer service and general business management, among others.
We may use or disclose your Private Information for a number of treatment-related activities. We are permitted to tell you about possible treatment options or alternatives, inform you of health-related benefits or services, inform you of a relevant disease management program that may be of interest to you, and seek your voluntary participation in such programs to help improve your health and assist in the coordination of your overall health care. For example, our diabetes disease management business associate may, after reviewing PHI that we had provided, determine that you might suffer from diabetes. You may then receive a notice that we have enrolled you in our disease management program. If you do not want further contact about, or to participate in, the program, you only need to notify us. Our business associate would then be instructed to not use or disclose your information further, which it must follow due to its contract with us.
Treatment, Payment and Health Care Operations of Other Covered Entities
We may use and disclose your PHI for another covered entity’s treatment, payment and health care operations purposes. For example, we may disclose your PHI when disclosure would facilitate payment for services under another health plan. In addition, we are permitted to disclose PHI to other covered entities so they can conduct certain aspects of their health care operations. We may also disclose it for purposes of their fraud and abuse detection or compliance. But we will only disclose PHI to another covered entity for these purposes if that covered entity has or had a relationship with you.
Disclosures to Family Members
Unless you notify us in writing otherwise, we may disclose your Private Information to certain other family members who are on your coverage. In the context of spouse-to-spouse (or between civil union partners) and parent-to-child relationships, including both minor and adult children, we will deem the spouse/civil union partner or parent on their coverage to be the personal representative of the other spouse/civil union partner and/or the child, as applicable. We will do this unless you notify us in writing that you do not wish that individual to serve as your personal representative. Contact Member Services as described in this Notice to designate or terminate a personal representative involved in your care or coverage.
Under certain exceptional circumstances, such as a medical emergency, we may disclose your Private Information to a person who is involved in your care or payment for that care. We can only disclose your Private Information that is relevant to that person’s involvement with your care or payment for that care.
Additional Reasons for Disclosure
We may also use or disclose Private Information to:
- The certificate holder or policyholder of your coverage, if it is information regarding the status of an insurance transaction, as permitted by law;
- Military authorities, if you are or were a member of the armed forces;
- Further public safety or, when requested by federal officials, for national security or intelligence activities or for the protection of public officials;
- Appropriate bodies for public health activities, including the reporting of child abuse or neglect, adverse events, product defects, or for Food and Drug Administration reporting;
- A health oversight agency for activities such as audits, investigations, licensure, disciplinary actions, or civil, administrative or criminal proceedings. These disclosures are necessary for the government to oversee the health care system and government benefits programs, as well as for compliance with standards and civil rights laws;
- Carry out appropriate research, but only as expressly permitted and limited by the federal privacy rules;
- Communicate with legislators and regulators about legislative and regulatory developments and proposals that may impact access to affordable, quality health care;
- Contact you for fundraising purposes. You have the right to opt out of receiving fundraising communications;
- Appropriate bodies in response to a subpoena or court order, or in response to litigation that directly involves us or your group health plan;
- A correctional institution or law enforcement agency, if you are an inmate or in the custody of law enforcement;
- Plan sponsor employees that are designated by the plan administrator as assisting in plan administration. The federal privacy rules require your plan administrator to obtain certain representations from the plan sponsor about how your information will be protected. This is to ensure that the plan sponsor complies with certain privacy requirements and agrees not to use that information for employment-related and other decisions;
- Conduct permissible marketing type activities, either ourselves or through other companies on our behalf, such as for health-related products or services, or to other financial and health institutions with which we have joint marketing agreements.
- Perform other functions and activities, as permitted by the federal privacy rules.
You should understand that, except as permitted or described in this document, we will not disclose your Private Information without a written authorization from you. And except for disclosures of PHI made directly to you or your personal representative, for your treatment, or pursuant to your authorization, the federal rules require us to use and disclose only the minimum PHI necessary to accomplish our purpose. For example, if we need to disclose your PHI to our utilization review case manager to help determine the medical necessity of a particular claim, we would likely not disclose your entire claim history and medical record. That is because your entire record is probably not necessary to make the determination for that one claim.
Legal Rights Related to Private Information
The federal privacy rules entitle you to inspect and obtain a copy of your PHI that we maintain about you that is included in what is called a “designated record set.” This includes your right to request access to PHI in an electronic format if we hold it that way. But we are not required to maintain it, except for certain documentation related to privacy rules compliance or as may otherwise be required by law.
This does not include information that relates to, and is collected in connection with or in anticipation of, a claim or civil or criminal proceeding involving you. It also does not include information which we are prohibited by law from releasing. You must reasonably describe the information you seek in your written request, and the information must be reasonably locatable and retrievable by us. We may charge you a fee to cover the cost of providing this Private Information. Information is usually provided within 30 days of your request.
You may have a state law right to request, in writing, to inspect and obtain a copy of Private Information about you.
The federal privacy rules create a right to request amendment of your PHI included in the designated record set. We may deny your request under those rules if we determine that our records are accurate and complete or were not created by us, the information is not contained in our designated record set, or access is otherwise restricted by law.
State law may entitle you to request that we amend or delete Private Information about you in our records if you believe the information is incorrect or incomplete. We may deny this request. However, if we do so, we must advise you of the reasons for the denial and advise you of your right to file a statement of rebuttal.
The federal privacy rules entitle you to request restrictions on our use and disclosure of PHI for treatment, payment or health care operations (described in this Notice). We will consider each request, but are not required to agree to any restrictions, except a reasonable request for confidential communications.
The federal privacy rules entitle you to request to receive confidential communications of PHI if disclosing this information by the usual means could endanger you. We will accommodate all reasonable requests, subject to the restrictions and capabilities of our information processing systems. A verbal request may be considered, but must be followed up in writing.
The federal privacy rules entitle you to request to receive an accounting of certain disclosures of your PHI made by us, such as disclosures to health oversight agencies. These do not include disclosures made for purposes of treatment, payment or health care operations, disclosures to you or authorized by you, and for certain other reasons. A similar right may exist under state law.
You have the right to request and obtain a paper copy of this Notice, even if you previously agreed to receive it electronically.
If you wish to exercise any of the legal rights described in this Notice, you must do so in writing. To obtain further information about these rights, or if you would like to make such a request, please contact:Member Services
PO Box 820
Newark, NJ 07101-0820
Via phone: 1-800-355-BLUE
Keeping up to date with our Privacy Practices
It may be necessary to use or disclose your Private Information as described in this Notice even after coverage has terminated. In addition, it may be infeasible to destroy your private information. Thus, we do not necessarily destroy it upon the termination of your coverage. However, any information we keep must be kept secure and private, and used only for permissible purposes.
If you believe that your privacy rights have been violated, you may file a complaint with Horizon BCBSNJ and its affiliate companies by calling Member Services at 1-800-355-BLUE (2583), or by writing to:Privacy Office
Three Penn Plaza East, PP-16C
Newark, NJ 07105-2200
You may also complain to the U.S. Secretary of Health and Human Services. You will not be retaliated against for filing a complaint.
* The Horizon Blue Cross Blue Shield of New Jersey affiliated companies, all of which are independent licensees of the Blue Cross and Blue Shield Association, are: Horizon Healthcare Services, Inc. d/b/a/ Horizon Blue Cross Blue Shield of New Jersey.
Horizon Healthcare of New Jersey, Inc., including its Horizon NJ Health (Medicaid/NJ FamilyCare) line of business.
Horizon Insurance Company
Horizon Healthcare Dental, Inc.
Horizon Casualty Services, Inc.**
** This affiliate is not a covered entity subject to the federal privacy rules.
The Blue Cross® and Blue Shield® names and symbols are registered marks of the Blue Cross and Blue Shield Association.
The Horizon® name, symbols and Making Healthcare Work® are registered marks of Horizon Blue Cross Blue Shield of New Jersey.
© 2013 Horizon Blue Cross Blue Shield of New Jersey Three Penn Plaza East, Newark, New Jersey 07105.