This notice describes how we, the Blue Cross and Blue Shield (BCBS) Service Benefit Plan, may use and disclose your protected health information (PHI), and how you can get access to this information. It also includes our legal obligations concerning your PHI. Please review it carefully.
If you have any questions or if you would like additional information concerning privacy practices, call the number for privacy assistance for your local BCBS company. Telephone numbers for your local BCBS company can be found on the back of your member ID card or in the Contact Us section of this website.
Members receive a copy of this Notice at the time of enrollment and annually thereafter.
We are required by law to maintain the privacy of your protected health information and abide by the terms of this notice. We are also obligated to provide you with a copy of this Notice of our legal duties and of our privacy practices with respect to your protected health information.
We will not use or disclose your protected health information for marketing purposes, or disclose your protected health information in a manner that constitutes a sale of protected health information without your written authorization.
We will notify you in accordance with federal law following a breach of your unsecured protected health information.
Routine Uses and Disclosures of Protected Health Information
We are most likely to use and/or disclose your protected health information in the following ways:
- For payment and healthcare operations: We will use or disclose your protected health information to obtain premiums or make payments or to otherwise fulfill our responsibilities for coverage and providing benefits as established under your member contract. We may also use your information for business operations, For example, we may use or disclose your protected health information: (i) to send you information about one of our disease management programs; (ii) to respond to a customer service inquiry from you; (iii) in connection with fraud and abuse detection and compliance programs or (iv) to survey you concerning how effectively we are meeting your health insurance needs.
- For appointment/service reminder: We may contact you to remind you to obtain preventive health services or to inform you of treatment alternatives and/or health related benefits and services that may be of interest to you.
- For use by business associates: We contract with individuals and entities (business associates) to perform various functions on our behalf or to provide certain types of services. To perform these functions or to provide the services, business associates will receive, create, maintain, use, or disclose protected health information. We require business associates to agree in writing to contract terms designed to appropriately safeguard your information.
- For use by covered entities: A Covered Entity is defined as: (1) a health plan; (2) a healthcare clearinghouse; or (3) a healthcare provider who transmits any health information in electronic form in connection with a transaction covered by the Administrative Simplification provisions. We may use or disclose your protected health information to assist healthcare providers in connection with their treatment or payment activities, or to assist other covered entities in connection with certain healthcare operations.
- We may use or disclose your protected health information to the U.S. Office of Personnel Management (OPM) or to your employing agency in connection with payment or healthcare operations, or when required by federal law. For example, we may disclose protected health information to your Health Benefits Officer who will work with you to resolve questions concerning your enrollment. We also will disclose protected health information when responding to your requests for reconsideration for a denied claim. You should continue to follow the process as described in the Blue Cross and Blue Shield Service Benefit Plan brochure to request a reconsideration of any denied claim.
- In some situations, we may choose to follow state privacy or other applicable laws that provide individuals greater privacy protections. If a state law that we follow requires that we not use or disclose protected health information (such as age of majority or parental notification restrictions), then we may not use or disclose that information according to the applicable state law.
- We may use or disclose your protected health information to the extent that federal law requires the use or disclosure. We may use or disclose your protected health information for public health activities that are permitted or required by law. For example, we may use or disclose information for the purpose of preventing or controlling disease, injury, or disability.
- We may disclose your protected health information to a health oversight agency for activities authorized by law, such as: audits; investigations; inspections; licensure or disciplinary actions; or civil, administrative, or criminal proceedings or actions.
- We may disclose your protected health information to a government authority that is authorized by law to receive reports of abuse, neglect, or domestic violence if we believe that you have been a victim of abuse, neglect, or domestic violence.
- We may disclose your protected health information: (1) in the course of any judicial or administrative proceeding; (2) in response to an order of a court or administrative tribunal (to the extent such disclosure is expressly authorized); and (3) in response to a subpoena, a discovery request, or other lawful process, once we have met all administrative requirements of the HIPAA Privacy Regulations.
- We are required to disclose your protected health information to OPM for its Federal Employees Health Benefits (FEHB) Program Claims Data Warehouse.
- We are required to disclose your protected health information to the Secretary of the U.S. Department of Health and Human Services when the Secretary is investigating or determining our compliance with the HIPAA Privacy Regulations, making sure your privacy is protected.
Disclosures to You or Your Personal Representative
We will disclose your PHI to you upon your request.
We will also disclose your PHI to an individual who has been designated by you as your personal representative and who has qualified for such designation in accordance with relevant state law. Before we will disclose protected health information to such a person, you must submit a written notice of his/her designation, with documentation that supports his/her qualification, such as a power of attorney.
Even if you designate a personal representative, the HIPAA Privacy Regulations permit us to elect not to treat the person as your personal representative if we have a reasonable belief that: (i) you have been, or may be, subjected to domestic violence, abuse, or neglect by such person; (ii) treating such person as your personal representative could endanger you; or (iii) we determine, in the exercise of our professional judgment, that it is not in your best interest to treat the person as your personal representative.
Use and disclosure of your PHI is limited to the minimum amount necessary to complete a function as required by OPM or other federal agencies.
Other Uses and Disclosures of Your Protected Health Information
Other uses and disclosures of your protected health information not described in this Notice will be made only with your written authorization. If you provide us with such an authorization, you may revoke the authorization in writing. This revocation will be effective for future uses and disclosures of protected health information. However, the revocation will not be effective for information that we already have used or disclosed, relying on the written authorization.
Protection of Oral, Written, and Electronic Protected Health Information
We have measures in place to protect PHI according to state and federal standards. The measures are designed to protect oral, written, and electronic PHI, and include:
- Security and privacy training for all employees.
- Employee access is limited to need-to-know basis.
- Background checks for all employees and contracted staff.
- Verification of callers prior to discussing PHI.
- Require the use of headsets during calls to protect your PHI from being overheard by other employees.
- Voicemail messages that include members’ PHI are erased daily.
- All users of our electronic systems are required to use strong passwords.
- All users must change their computer passwords periodically.
- Hard drives of laptop computers are encrypted.
- All PHI is stored in a locked environment.
- Employees do not leave written PHI on their desks. If they leave their desks while working with PHI they secure the PHI prior to leaving.
- Printers use a blank cover page when printing any document, including PHI, to avoid inadvertent disclosure.
Your Rights with Respect to your Protected Health Information are as follows:
- You have the right to authorize or deny the release of PHI beyond uses for treatment, payment or healthcare operations.
- You have the right to request we restrict the protected health information we use or disclose about you for payment or healthcare operations.
- You may request that we communicate with you regarding your information in an alternative manner or at an alternative location if you believe that a disclosure of all or part of your PHI may endanger you.
- You have the right to inspect and to receive a copy of your protected health information including medical and billing records as well as other records that are used to make decisions about your healthcare benefits.
- You may request that we amend your information if you believe that your protected health information is incorrect or incomplete.
- You have a right to an accounting of disclosures of your protected health information that are required by the HIPAA Privacy Regulations and that are for reasons other than treatment, payment, or healthcare operations.
- You have the right to a paper copy of this Notice, even if you have agreed to accept this Notice electronically.
You may complain to us if you believe that we have violated your privacy rights. You may file a complaint with us by writing to your local BCBS company privacy assistance contact at the address provided in the Contact Us section of this website.
You also may file a complaint with the Secretary of the U.S. Department of Health and Human Services. Complaints filed directly with the Secretary must: (1) be in writing; (2) contain the name of the entity against which the complaint is lodged; (3) describe the relevant problems; and (4) be filed within 180 days of the time you became or should have become aware of the problem.
We will not penalize or in any other way retaliate against you for filing a complaint with the Secretary or with us.