European Union General Data Protection Regulation Policy Notice
Last updated: 10/6/18
For purposes of this disclosure document, references to “we”, “us” or “our” mean BCBSA, and references to “you” and “your” mean individuals located in the EEA.
I. The Personal Information We Collect
We collect the following categories of personal information from or about you:
- Contact information, such as your first name, last name, email address, physical address and telephone number(s).
- Account and profile information, such as the username and password that you use to log into your account with us.
- Feedback and correspondence, such as information that you provide when you report a problem with your benefits or the services we provide, receive customer support, or otherwise correspond with us.
- Medical information, such as your health records, information about diagnoses and treatments, and other details about your physical or mental condition.
- Health insurance information, such as your membership information, insurance numbers and information about any claims.
- Marketing information, such as your preferences for receiving marketing communications and how you engage with other information that we believe may be relevant to you.
In addition, when you visit our websites, we may collect certain information automatically from your device. Specifically, the information we collect may include information like the IP address of the web page from which you enter our site; the browser name, full version (major and minor), and plugins; the resolution (width/height) and color depth; the operating system; the pages you visit on our site; and the amount of time you spend here. Some of this information may be collected using cookies and similar tracking technology, as explained further in our “Cookies and Similar Technology Policy”. We do not collect and save any Protected Health Information (PHI) on the public section of this site.
From time to time, we may receive personal information about you from third party sources, but only where these third parties either have your consent or are otherwise legally permitted or required to disclose your personal information to us.
We use personal information for purposes related to providing medical care and advice, as well as for Insurance and Health Benefits Administration purposes. The medical care services include but are not limited to: providing medical treatment, consulting with other providers of care and maintaining your medical records. Insurance and Health Benefits Administration purposes include but are not limited to: enrolling members for coverage, processing claims, sending Explanations of Benefits, responding to your questions, providing care management and wellness services, helping you find care providers, notifying you of changes to benefits, reporting financial and other data to third parties and affiliates, and fraud prevention. We may use or disclose your personal data to the U.S. Office of Personnel Management (OPM) or to your employing agency in connection with payment or healthcare operations, or when required by federal law.
In some cases, we may also have a legal obligation to collect personal information from you or may otherwise need the personal information to protect your vital interests, such as meeting our HIPAA compliance obligations or working with law enforcement.
From time to time we may also ask for your consent to collect, use or share your personal information, such as when required by law or our agreements with third parties.
III. Who Receives Personal Information?
We may disclose your personal information to the following categories of recipients:
- To our Blue Cross Blue Shield Plans, third party service providers and partners who provide data processing services to us or on our behalf (for example, to support the delivery of, provide functionality on, or help to enhance the security of our websites), or who otherwise process or use personal information for purposes that are described in our Notice of Privacy Practices, such as members of our staff and contracted entities, including medical providers, who use personal information in order for us to provide services to you;
- To any competent law enforcement body, regulatory, government agency, court or other third party where we believe disclosure is necessary (i) as a matter of applicable law or regulation, (ii) to exercise, establish or defend our legal rights, or (iii) to protect your vital interests or those of any other person;
- To professional advisors, such as lawyers, bankers, auditors and insurers, where necessary in the course of the professional services that they render to us; and
- To any other person with your consent to the disclosure.
These third parties are prohibited from using or disclosing your information for their own purposes, and may only use your personal information as instructed by us and in a manner consistent with this Privacy Notice.
IV. How Long Is Data Stored?
We store data for as long as is necessary to provide the services and for a reasonable retention period. Our usual storage period is seven (7) years, but legal requirements and our corporate policies might lead to longer or shorter periods.
V. Your Rights with Respect to Your Personal Information
The GDPR also provides Data Subjects with certain individual rights with respect to their personal data. These include:
- The right to be informed about the collection and use of their personal data.
- The right of access to find out what data is stored about them.
- The right to rectification of their personal data if it is inaccurate or incomplete.
- The right to erasure to enable an individual to request the deletion or removal of certain personal data where there is no compelling reason for its continued processing.
- The right to restrict processing to ‘block’ or suppress processing of personal data.
- The right to data portability allowing individuals to obtain and reuse their personal data for their own purposes.
- The right to object to the processing of personal data under certain circumstances.
- Various rights in relation to certain kinds of automated decision making (making a decision solely by automated means without any human involvement) and profiling (automated processing of personal data to evaluate certain things about an individual).
You have the right at any time to request access to and rectification or erasure of personal data that we hold. You can also request restriction of processing of your personal information, and you have the right to data portability. If you would like to exercise any of these rights, please send a written request to our Data Protection Officer at the address listed below. Not all requests can be granted. If your request is denied, you will be provided with the reason for the denial.
VI. Legal Bases for Processing
We only use your personal data as permitted by law. We are required to inform you of the legal bases of our processing of your personal data, which are described below:
| Purpose of processing | Legal basis |
|---|---|
| To provide the services | The use of personal information may be necessary to perform the contract that you have with BCBSA and in order for us to provide the services described above. |
| To communicate with you; to create anonymous data for analytics; for compliance, fraud prevention and safety; to improve our products and services | These processing activities constitute our legitimate interests. We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal information for our legitimate interests. We do not use your personal information for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law). |
| To comply with law | BCBSA may disclose or use your personal information as permitted or required by law when we believe in good faith it is necessary for safety purposes, required for legal reporting, necessary to protect our legal rights or enforce any applicable rules or to protect the rights of others. |
| With your consent | We will request your consent to use your personal information where required by law, such as where we use certain cookies or similar technologies. If we request your consent to use your personal information, you have the right to withdraw your consent at any time in the manner indicated when we requested the consent or by contacting us. If you have consented to receive marketing communications from our third party partners, you may withdraw your consent by contacting those partners directly. |
VII. Choosing Not To Share Your Personal Information
Where we are required by law to collect your personal data, or where we need your personal data in order to provide the benefits to or perform our contract with you, if you do not provide this information when requested (or you later ask to delete it), we may not be able to provide you with your benefits or our products and services. We will tell you what information you must provide by designating it as required or through other appropriate means.
If you would like to submit a complaint, you may contact us at DataProtectionOfficer@bcbsa.com or lodge a complaint with the appropriate data protection authority in your jurisdiction. You can find your data protection regulator by visiting the European Commission website at ec.europa.eu.
IX. Sources of Personal Information
In order to provide services to you, we receive personal information from you, from your providers of medical care, and from other third parties. We need access to your personal information, such as name, address, and medical information, regardless of who provides it, in order for us to provide the services described above.
X. Is Personal Information Used For Automated Decision-Making or Profiling?
We use automated decision-making processes and profiling in the performance of our insurance and plan administration contracts. For example, claims processing is primarily an automated process. We also use profiling to identify individuals who would benefit from care and case management, medication management and other programs offered as part of the health benefits contract. We also use profiling to identify opportunities for communication with you.
XI. Transfer, Storage and Processing
To the extent we transfer personal data out of the European Economic Area as contemplated under the GDPR, we do so in a manner that is consistent with the appropriate safeguards or other legal basis under the GDPR. Please contact us for information on any such transfers or the safeguards applied. Your information collected may be stored and processed in the United States, Europe, or other non-European countries.
XII. Additional Processing
If we intend to use personal information for a purpose other than the original purposes for which we collected the personal information, prior to that additional processing, we will provide you with information on that other purpose and any further relevant information, insofar as you do not already possess such information.
XIII. Updates to this Privacy Notice
We may update this Privacy Notice from time to time in response to changing legal, technical or business developments. When we update our Privacy Notice, we will take appropriate measures to inform you, consistent with the significance of the changes we make.
You can see when this Privacy Notice was last updated by checking the “last updated” date displayed at the top of this Privacy Notice.
For the administration of FEP’s overseas program, BCBSA serves as a Data Controller for EU data subjects.
Our address is 1310 G Street, NW, Washington DC 20005.
Our Data Protection Officer can be reached via email at DataProtectionOfficer@bcbsa.com.
You may also contact our EU representative at email@example.com.