European Union General Data Protection Regulation Policy Notice
Last updated: 10/6/18
BCBSA respects your right to privacy. This Privacy Notice explains who we are, how we collect, share and use personal information about individuals in the European Economic Area (“EEA”), and how those individuals can exercise their privacy rights. This Privacy Notice applies to personal information that we process in connection with www.fepblue.org and the MyBlue portal (the “websites”) and our administration of the Federal Employee Program. Additional information about the personal information that we collect, share and use when you use or interact with our websites and services is available in our Privacy Policy. If you have any questions or concerns about our use of your personal information, please contact us using the contact details provided at the bottom of this GDPR Privacy Notice.
For purposes of this disclosure document, references to “we”, “us” or “our” mean BCBSA, and references to “you” and “your” means individuals located in the EEA.
I. The Personal Information We Collect
We collect the following categories of personal information from or about you:
-
Contact information, such as your first name, last name, email address, physical address and telephone number(s).
- Account and profile information, such as the username and password that you use to log into your account with us.
- Feedback and correspondence, such as information that you provide when you report a problem with your benefits or the services we provide, receive customer support, or otherwise correspond with us.
- Medical information, such as your health records, information about diagnoses and treatments, and other details about your physical or mental condition.
- Health insurance information, such as your membership information, insurance numbers and information about any claims.
- Marketing information, such as your preferences for receiving marketing communications and how you engage with other information that we believe may be relevant to you.
In addition, when you visit our websites, we may collect certain information automatically from your device. Specifically, the information we collect may include information like the IP address of the web page from which you enter our site; the browser name, full version (major and minor), and plugins; the resolution (width/height) and color depth; the operating system; the pages you visit on our site; and the amount of time you spend here. Some of this information may be collected using cookies and similar tracking technology, as explained further in our “Cookies and Similar Technology Policy”. We do not collect and save any Protected Health Information (PHI) on the public section of this site.
From time to time, we may receive personal information about you from third party sources, but only where these third parties either have your consent or are otherwise legally permitted or required to disclose your personal information to us.
II. How We Use Personal Information
We use personal information for purposes related to providing medical care and advice, as well as for Insurance and Health Benefits Administration purposes. The medical care services include but are not limited to: providing medical treatment, consulting with other providers of care and maintaining your medical records. Insurance and Health Benefits Administration purposes include but are not limited to: enrolling members for coverage, processing claims, sending Explanations of Benefits, responding to your questions, providing care management and wellness services, helping you find care providers, notifying you of changes to benefits, reporting financial and other data to third parties and affiliates, and fraud prevention. We may use or disclose your personal data to the U.S. Office of Personnel Management (OPM) or to your employing agency in connection with payment or healthcare operations, or when required by federal law.
We may also use your information for business operations. For example, we may use or disclose your personal information: (i) to send you information about one of our disease management programs; (ii) to respond to a customer service inquiry from you; (iii) in connection with fraud and abuse detection and compliance programs; (iv) to protect our rights, privacy, safety, or property and/or that of you or others; (v) to create anonymous data by removing information that makes the data personally identifiable to you, such as by aggregating data from all of our members to analyze trends and improve our products and services; or (vi) to survey you concerning how effectively we are meeting your health insurance needs. Please review the Notice of Privacy Practices for the Blue Cross and Blue Shield Service Benefit Plan (accessible at https://www.fepblue.org/terms-and-privacy/notice-of-privacy-practices) for additional information on the routine uses and disclosures of your personal information. We use personal information that we collect automatically through our websites to better understand the visitors who come to our Website, where they come from, and what content on our websites is of interest to them. We use this information for our internal analytics purposes and to improve the quality and relevance of our websites to our visitors. For a full list please see our Privacy Policy.
In some cases, we may also have a legal obligation to collect personal information from you or may otherwise need the personal information to protect your vital interests, such as meeting our HIPAA compliance obligations or working with law enforcement.
From time to time we may also ask for your consent to collect, use or share your personal information, such as when required by law or our agreements with third parties.
III. Who Receives Personal Information?
We may disclose your personal information to the following categories of recipients:
- To our Blue Cross Blue Shield Plans, third party service providers and partners who provide data processing services to us or on our behalf (for example, to support the delivery of, provide functionality on, or help to enhance the security of our websites), or who otherwise process or use personal information for purposes that are described in our Notice of Privacy Practices, such as members of our staff and contracted entities, including medical providers, who use personal information in order for us to provide services to you;
- To any competent law enforcement body, regulatory, government agency, court or other third party where we believe disclosure is necessary (i) as a matter of applicable law or regulation, (ii) to exercise, establish or defend our legal rights, or (iii) to protect your vital interests or those of any other person;
- To professional advisors, such as lawyers, bankers, auditors and insurers, where necessary in the course of the professional services that they render to us; and
- To any other person with your consent to the disclosure.
These third parties are prohibited from using or disclosing your information for their own purposes, and may only use your personal information as instructed by us and in a manner consistent with this Privacy Notice.
IV. How Long is Data stored?
We store data for as long as is necessary to provide the services and for a reasonable retention period. Our usual storage period is seven (7) years, but legal requirements and our corporate policies might lead to longer or shorter periods.
V. Your Rights with Respect to Your Personal Information
The GDPR also provides Data Subjects with certain individual rights with respect to their personal data. These include:
- The right to be informed about the collection and use of their personal data.
- The right of access to find out what data is stored about them.
- The right to rectification of their personal data if it is inaccurate or incomplete.
- The right to erasure to enable an individual to request the deletion or removal of certain personal data where there is no compelling reason for its continued processing.
- The right to restrict processing to ‘block’ or suppress processing of personal data.
- The right to data portability allowing individuals to obtain and reuse their personal data for their own purposes.
- The right to object to the processing of personal data under certain circumstances.
- Various rights in relation to certain kinds of automated decision making (making a decision solely by automated means without any human involvement) and profiling (automated processing of personal data to evaluate certain things about an individual).
You have the right at any time to request access to and rectification or erasure of personal data that we hold. You can also request restriction of processing of your personal information, and you have the right to data portability. If you would like to exercise any of these rights, please send a written request to our Data Protection Officer at the address listed below. Not all requests can be granted. If your request is denied, you will be provided with the reason for the denial.
VI. Legal Bases for Processing
We only use your personal data as permitted by law. We are required to inform you of the legal bases of our processing of your personal data, which are described below:
| Processing Purpose |
Legal Basis |
|---|---|
| To provide the services | The use of personal information may be necessary to perform the contract that you have with BCBSA and in order for us to provide the services described above. |
| To communicate with you To create anonymous data for analytics For compliance, fraud prevention and safety To improve our products and services |
These processing activities constitute our legitimate interests. We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal information for our legitimate interests. We do not use your personal information for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law). |
| To comply with law |
BCBSA may disclose or use your personal information as permitted or required by law when we believe in good faith it is necessary for safety purposes, required for legal reporting, necessary to protect our legal rights or enforce any applicable rules or to protect the rights of others. |
| With your consent | We will request your consent to use your personal information where required by law, such as where we use certain cookies or similar technologies. If we request your consent to use your personal information, you have the right to withdraw your consent any time in the manner indicated when we requested the consent or by contacting us. If you have consented to receive marketing communications from our third party partners, you may withdraw your consent by contacting those partners directly. |
VII. Choosing Not To Share Your Personal Information
Where we are required by law to collect your personal data, or where we need your personal data in order to provide the benefits to or perform our contract with you, if you do not provide this information when requested (or you later ask to delete it), we may not be able to provide you with your benefits or our products and services. We will tell you what information you must provide by designating it as required or through other appropriate means.
VIII. Complaints
If you would like to submit a complaint, you may contact us at DataProtectionOfficer@bcbsa.com or lodge a complaint with the appropriate data protection authority in your jurisdiction. You can find your data protection regulator by visiting the European Commission website at ec.europa.eu.
IX. Sources of Personal Information
In order to provide services to you, we receive personal information from you, from your providers of medical care, and from other third parties. We need access to your personal information, such as name, address, and medical information, regardless of who provides it, in order for us to provide the services described above.
X. Is Personal Information Used For Automated Decision-Making or Profiling?
We use automated decision-making processes and profiling in the performance of our insurance and plan administration contracts. For example, claims processing is primarily an automated process. We also use profiling to identify individuals who would benefit from care and case management, medication management and other programs offered as part of the health benefits contract. We also use profiling to identify opportunities for communication with you.
XI. Transfer, Storage and Processing
To the extent we transfer personal data out of the European Economic Area as contemplated under the GDPR, we do so in a manner that is consistent with the appropriate safeguards or other legal basis under the GDPR. Please contact us for information on any such transfers or the safeguards applied. Your information collected may be stored and processed in the United States, Europe, or other non-European countries.
XII. Additional Processing
If we intend to use personal information for a purpose other than the original purposes for which we collected the personal information, prior to that additional processing, we will provide you with information on that other purpose and any further relevant information, insofar as you do not already possess such information.
XIII. Updates to this Privacy Notice
We may update this Privacy Notice from time to time in response to changing legal, technical or business developments. When we update our Privacy Notice, we will take appropriate measures to inform you, consistent with the significance of the changes we make.
You can see when this Privacy Notice was last updated by checking the “last updated” date displayed at the top of this Privacy Notice.
XIV. Data Controller
For the administration of FEP’s overseas program, BCBSA serves as a Data Controller for EU data subjects.
Our address is 1310 G Street, NW, Washington DC 20005.
Our Data Protection Officer can be reached via email at DataProtectionOfficer@bcbsa.com.
You may also contact our EU representative at bcbsa@dpr.eu.com.