NOTICE OF PRIVACY PRACTICES
THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
This Notice describes how Blue Cross and Blue Shield of Arizona (BCBSAZ) may use and disclose your protected health information (PHI). It also describes our legal obligations concerning your PHI and your rights to access and control your PHI. This Notice was prepared in accordance with the federal Health Insurance Portability and Accountability Act of 1996 (“HIPAA Privacy Regulations”), as revised.
PHI is individually identifiable health information, including actual medical information as well as your name, address, phone number, identification number or other identifiers, collected from you or created by or received by a health care provider, a health plan, your employer, or a health care clearinghouse and that relates to: (1) your past, present, or future physical or mental health or condition; (2) the provision of health care to you; or (3) the past, present, or future payment for health care provided to you.
We are required by law to maintain the privacy of your PHI. We are obligated to provide you with a copy of this Notice and we must abide by the terms of this Notice. We reserve the right to change this Notice at any time. If we make a material change to our Notice, we will post a revised Notice on the BCBSAZ website, azblue.com. We will provide you a copy of the revised Notice, or information about the changes and how to obtain the revised Notice, in our next annual mailing after the changes have been made.
USES AND DISCLOSURES OF PROTECTED HEALTH INFORMATION (PHI)
The following is a description of how we are most likely to use and/or disclose your PHI.
Payment Activities We may use and disclose your PHI for all functions that are included within our payment activities. For example, we will use or disclose your PHI to obtain premiums and to pay claims for services provided to you in accordance with your policy. We may disclose your PHI when a provider or your designated broker or agent requests information regarding your eligibility for coverage under our health plan, or we may use your information to determine if a treatment that you received was medically necessary. Additionally, if you are enrolled in a group health plan, we may disclose your PHI to your employer for it to administer the group health plan if the employer has amended the plan document for the group health plan to limit the uses and disclosures it may make of your PHI. Please see your plan documents for a full explanation of the limited uses and disclosures that the employer may make of your PHI. We may also disclose summary health information to your employer for it to obtain premium bids for the group health plan coverage or to modify or terminate the group health plan. Summary health information has been stripped of information which would directly identify you.
Health Care Operations We may use and disclose your PHI for our health care operations. These functions include, but are not limited to, quality assessment and improvement, reviewing provider performance, business management and administration. For example, we may use or disclose your PHI to provide you with information about one of our wellness or care management programs, to respond to a customer service inquiry from you or in connection with fraud and abuse detection and compliance programs.
Business Associates We contract with individuals and entities (business associates) to perform various functions on our behalf which involve the use and/or disclosure of PHI. Business associates must agree in writing to appropriately safeguard your information. For example, we may disclose your PHI to a business associate to manage our claims processing system, to manage certain aspects of our pharmacy benefits or to maintain certain provider networks.
Other Entities We may use or disclose your PHI to assist health care providers in connection with their treatment or payment activities, or to assist other entities covered by the HIPAA Privacy Regulations in connection with certain health care operations. For example, we may disclose PHI to another covered entity in order to coordinate benefits, if you or your family members have coverage through another carrier.
Underwriting We may use your PHI to determine whether or not to issue coverage to you or to determine premiums for coverage. We will not use or disclose any of your genetic information for underwriting purposes, including determining eligibility for coverage, benefits, deductibles, premiums, contribution amounts, cost- sharing, preexisting conditions or renewal of coverage.
Potential Impact of State Law In some situations, the HIPAA Privacy Regulations do not take the place of state privacy or other laws that provide individuals greater privacy protections. As a result, the privacy laws of a particular state, or other federal laws, rather than the HIPAA Privacy Regulations, might impose a privacy standard under which we will be required to operate. For example, certain information regarding HIV or AIDS, communicable diseases, abortion, or records from certain drug and alcohol abuse programs may be subject to additional restrictions.
Disclosures Based on Your Authorization We must disclose your PHI to you as described in the Individual Rights section of this Notice. Additionally, you may give us written authorization to use your PHI or to disclose it to anyone for any purpose. We will disclose your PHI to an individual you designate as your personal representative and who has qualified for such designation in accordance with relevant state law. However, we may elect not to treat the person as your personal representative if we have a reasonable belief that you have been, or may be, subjected to domestic violence, abuse, or neglect by such person, treating such person as your personal representative could endanger you, or we determine, in the exercise of our professional judgment, that it is not in your best interest to treat the person as your personal representative.
Others Involved in Your Health Care and Disaster Relief Unless you object, we may disclose your PHI to a friend or family member that is involved in your health care. We also may disclose your information to an entity assisting in a disaster relief effort so that your family can be notified about your condition, status, and location. If you are not present or able to agree to these disclosures of your PHI, then we may determine in our professional judgment if the disclosure is in your best interest.
Marketing We may use your PHI to communicate with you face-to-face or about a promotional gift of nominal value. We also may use and disclose your PHI for marketing activities where permitted by law. For other marketing activities, we will only use or disclose your PHI if we receive your written authorization.
Health Oversight Activities We may disclose your PHI to a government agency authorized to oversee health care systems or government programs. The Arizona Department of Insurance is such an entity. Examples would include disclosures for audits, investigations, inspections, licensure or disciplinary actions, or civil, administrative, or criminal proceedings or actions. Oversight agencies include government agencies that oversee the health care system, government benefit programs and other government regulatory programs.
Legal Proceedings We may disclose your PHI: (1) in the course of any judicial or administrative proceeding; (2) in response to an order of a court or administrative tribunal (to the extent such disclosure is expressly authorized); and (3) in response to a subpoena, a discovery request, or other lawful process, once we have met any administrative requirements of the HIPAA Privacy Regulations.
Public Health Activities We may use or disclose your PHI to public health authorities. For example, we may use or disclose information for the purpose of preventing or controlling disease, injury, or disability, or we may disclose such information to a public health authority authorized to receive reports of child abuse or neglect.
Abuse or Neglect We may disclose your PHI to appropriate authorities that are authorized to receive reports of abuse, neglect, or domestic violence. Additionally, as required by law, we may disclose your information to a governmental entity authorized to receive such information if we believe that you have been a victim of abuse, neglect, or domestic violence.
Law Enforcement Under certain conditions, we also may disclose your PHI to law enforcement officials. Some examples of the reasons for such a disclosure may include that it is required by law or some other legal process, it is necessary to locate or identify a suspect, fugitive, material witness, or missing person or it is necessary to provide evidence of a crime that occurred on our premises.
Coroners, Medical Examiners, Funeral Directors, and Organ Donation We may disclose PHI to a coroner or medical examiner for purposes of identifying a deceased person, determining a cause of death, or for the coroner or medical examiner to perform other duties authorized by law. We also may disclose, as authorized by law, information to funeral directors so that they may carry out their duties. Further, we may disclose PHI to organizations that handle organ, eye, or tissue donation and transplantation.
Research We may disclose your PHI to researchers when an Institutional Review Board or privacy board has reviewed the research proposal and established protocols to ensure the privacy of the information, and approved the research, or as part of a limited data set which includes no unique identifiers (information such as name, address, identification number, etc. that can identify you).
To Prevent a Serious Threat to Health or Safety We may disclose your PHI if we believe that the disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public. We also may disclose PHI if it is necessary for law enforcement authorities to identify or apprehend an individual.
Military Activity and National Security, Protective Services Under certain conditions, we may disclose your PHI if you are, or were, Armed Forces personnel for activities deemed necessary by appropriate military command authorities. If you are a member of foreign military service, we may disclose, in certain circumstances, your information to the foreign military authority. We also may disclose your PHI to authorized federal officials for conducting national security and intelligence activities, and for the protection of the President, other authorized persons, or heads of state.
Inmates If you are an inmate of a correctional institution, we may disclose your PHI to the correctional institution or to a law enforcement official for the institution to provide health care to you, for your health and safety, for the health and safety of others, or for the safety and security of the correctional institution.
Workers’ Compensation We may disclose your PHI to comply with workers’ compensation laws and other similar programs that provide benefits for work-related injuries or illnesses.
Disclosures to the Secretary of the U.S. Department of Health and Human Services We are required to disclose your PHI to the Secretary of the U.S. Department of Health and Human Services when the Secretary is investigating or determining our compliance with the HIPAA Privacy Regulations.
Disclosures Requiring Your Authorization Unless otherwise permitted by applicable law, we will not sell any of your information to a third party without your written authorization.
Other Uses and Disclosures of Your Protected Health Information (PHI) Other uses and disclosures of your PHI that are not described above will be made only with your written authorization. If you provide us with such an authorization, you may revoke the authorization in writing, and this revocation will be effective for future uses and disclosures of PHI. However, the revocation will not be effective for information that we already have used or disclosed, relying on the authorization.
YOUR INDIVIDUAL RIGHTS
The following is a description of your rights with respect to your PHI.
Right to Request a Restriction You have the right to request that we place additional restrictions on our use and disclosure of your PHI. We are not required to agree to any restriction that you may request. If we do agree to the restriction, we will comply with the restriction unless the information is needed to provide emergency treatment to you or unless the use or disclosure is otherwise permitted or required by law.
To request a restriction, you may complete a Restriction Request Form and mail it to the Privacy Office at the address listed in the last section of this Notice. To obtain a Restriction Request Form, please call the BCBSAZ Customer Service number listed on the back of your BCBSAZ identification card, or you may call the Privacy Office at (602) 864-2255 or (800) 232-2345, ext. 2255.
Right to Request Confidential Communications If you believe that a disclosure of all or part of your PHI may endanger you, you may request that we communicate your PHI to you in an alternative manner or at an alternative location. We will accommodate a request for confidential communications that is reasonable and that truthfully states that the disclosure of all or part of your PHI could endanger you. Once a request for confidential communications goes into effect, all of your PHI will be processed in accordance with your instructions unless a particular use or disclosure is otherwise required by law. We will not process requests on a diagnostic-specific basis.
Please note that, even if you request confidential communications, the check for services you receive from a provider could be sent to the policyholder. Additionally, such services may alter deductible figures, coinsurance maximums and other cost sharing items.
To make such a request, you may either call the Privacy Office at (602) 864-2255 or (800) 232-2345, ext. 2255, or mail a written request to the Privacy Office at the address listed in the last section of this Notice. Within 30 days of any verbal request, you must document an oral request in writing. Any written request must include the following information: (1) your BCBSAZ identification number, (2) your date of birth, (3) your desire that we communicate with you in an alternative manner or at an alternative location, (4) what the manner and location are, and (5) your belief that the disclosure of all or part of the PHI in a manner inconsistent with your instructions would put you in danger. If you prefer, you may complete a Confidential Communication Request Form and mail it to the Privacy Office at the address listed in the last section of this Notice. To obtain a Confidential Communication Request Form, please call the BCBSAZ Customer Service number listed on the back of your BCBSAZ identification card, or (602) 864-2255 or (800) 232-2345, ext. 2255.
Right to Access You have the right to inspect and copy your PHI, with limited exception, that BCBSAZ and its business associates maintain.
To request access to your PHI, we may ask you to complete a Request for Access to Protected Health Information & Records Form. You can mail, fax or email it to the Privacy Office at the address listed in the last section of this Notice. To obtain a Request for Access to Protected Health Information & Records Form, please call the BCBSAZ Customer Service number listed on the back of your BCBSAZ identification card, or (602) 864-2255 or (800) 232- 2345, ext. 2255. If you request a copy of the information, we may charge a fee for the costs of copying, mailing, or other supplies associated with your request. If your PHI is maintained electronically, you may request an electronic copy of the information.
We may deny your request to inspect and copy your PHI in certain circumstances as set forth in the HIPAA Privacy Regulations. Under certain conditions, if you are denied access to your information, you may ask us to designate a different licensed health care professional, who did not participate in the initial determination, to review that determination. To make such a request, call the Privacy Office at (602) 864-2255 or (800) 232-2345, ext. 2255. Not all denials of access are subject to review.
Right to Amend If you believe that your PHI is incorrect or incomplete, you may request that we amend your information.
To request that we amend your PHI you must complete an Amendment Request Form and mail it to the BCBSAZ Privacy Office at the address listed in the last section of this Notice. To obtain an Amendment Request Form, please call the BCBSAZ Customer Service number listed on the back of your BCBSAZ identification card, or (602) 864-2255 or (800) 232-2345, ext. 2255.
In certain cases, we may deny your request for an amendment for reasons set forth in the HIPAA Privacy Regulations. For example, we may deny your request if the information you want to amend was not created by us, but by another entity. If we deny your request, you have the right to file a statement of disagreement with us. Your statement of disagreement will be linked with the disputed information and all future disclosures of the disputed information will include your statement.
Right of a Listing of Disclosures You have a right to a listing of certain disclosures BCBSAZ and its business associates have made of your PHI. You are not entitled to a listing of disclosures which were made for our payment or health care operations, pursuant to your authorization or in certain other limited instances. Please note that most disclosures of PHI will be for purposes of payment or health care operations. A listing will include the date of the disclosure, to whom we made the disclosure, a brief description of the information disclosed, and the purpose for the disclosure. Your request may be for disclosures made up to 6 years before the date of your request.
To request a listing of disclosures, you must complete an Accounting Request Form and mail it to the BCBSAZ Privacy Office at the address listed in the last section of this Notice. To obtain the Accounting Request Form, please call the BCBSAZ Customer Service number listed on the back of your BCBSAZ identification card, or (602) 864-2255 or (800) 232-2345, ext. 2255. The first list you request within a 12-month period will be provided free of charge. For any additional lists within that 12-month period, we may charge you for the costs of providing the list.
Right to Notification of a Breach You have the right to be notified if your unsecured PHI was inappropriately accessed or disclosed by us, except when there is a low probability that the information has been compromised.
Right to a Paper Copy of This Notice You have the right to a paper copy of this Notice, even if you have agreed to accept this Notice electronically