Notice of privacy practices

This notice describes how medical information about you may be used and disclosed and how you can get access to this information. Please review it carefully.

Our legal duty to protect the privacy of your health information

At Capital Blue Cross, we are legally required to protect the privacy of your health information. Protected Health Information (PHI) includes information that we’ve created or received about:

• your past, present, or future health or condition
• the provision of healthcare services to you, or
• the payment of these healthcare services.

Your PHI includes your name, address, member identification number, etc. We must provide you with this notice about our legal duties and our privacy practices with respect to how we use and disclose your PHI. We are also legally required to notify you if there is a breach of your unsecured PHI. With some exceptions, we may not use or disclose any more of your PHI than is necessary to accomplish the purpose of the use or disclosure.

We are legally required to follow the privacy practices that are described in this notice. This notice will remain in effect until we replace or modify it. However, we reserve the right to change the terms of this notice and our privacy policies at any time as long as such changes are permitted by law. Any changes may apply to the PHI we have already collected before we make the changes. Before we make an important change to our policies, we will change this notice and provide written notification in our next annual mailing to our subscribers. The revised notice will be posted on our website on or prior to the effective date of the change.

How we may use and disclose your PHI

One of our primary goals is to safeguard your PHI. We have policies and procedures in place throughout our organization to protect your information. These policies and procedures include: training all employees on appropriate uses, disclosures, and protection of PHI; limiting employee system access to only the PHI needed to perform job duties; ensuring secure disposal of confidential information; using unique user IDs and passwords, etc. This protection covers oral, written, and electronic forms of PHI. In addition, Capital Blue Cross policy restricts us from sharing your information with employers who sponsor group health plans, unless they provide us with the required certification or agreement to ensure that PHI is adequately protected and only used for Plan administrative purposes.

Under the law, we may use and disclose PHI for many different reasons. Below, we describe the different categories of our uses and disclosures and give you some examples of each category. Without your written authorization, we may not use or disclose your PHI for any reason except those described in this notice.

We are required by law to obtain your written authorization for any use or disclosure of your psychotherapy notes, for any use or disclosure of your PHI for marketing purposes (except as described in “Health-Related Benefits or Services,” below), or for any sale of your PHI.

You may give us written authorization to use your PHI or to disclose it to anyone for any purpose. If you give us an authorization, you may revoke it in writing at any time. You may obtain a form to revoke any authorization you provide us by using the contact information at the end of this notice. Your revocation will not affect any use or disclosure permitted by your authorization while it was in effect.

Treatment

We may disclose your PHI to a healthcare provider who requests it in connection with your treatment. For example, we may share PHI that we’ve received through our medical management programs with your physician for use in providing services to you.

Payment

We may use and disclose your PHI to conduct payment activities related to your health benefits contract. Examples of this would include using and disclosing PHI to determine eligibility, pay claims, and conduct utilization review. A specific example of a payment disclosure would be sharing your PHI with our pharmacy benefits manager to allow for the payment of your drug claims. We may also disclose your PHI to another organization that is subject to federal privacy rules for its payment activities.

Healthcare operations

We may use and disclose your PHI to support other business activities. Examples of this would include using and disclosing PHI for quality assessment and improvement activities; medical management programs, like case management and disease management; and premium rating. A specific example of a healthcare operations disclosure would be sharing your PHI with our health management vendor. We may disclose your PHI to another organization that is subject to the federal privacy rules and that has a relationship with you to support some of their business activities. We may disclose your information to help these organizations conduct quality assessment and improvement activities, review the competence or qualifications of healthcare professionals, or detect or prevent healthcare fraud and abuse.

Family, friends, and others involved in your healthcare

We may provide your PHI to the extent necessary to obtain help from a family member, friend, or other person that you indicate is involved in your care or the payment for your healthcare. This may involve sharing claim payment information with a Human Resources representative from your employer if you’ve asked he or she to get involved on your behalf.

Group health plans and plan sponsors

We may disclose your PHI and the PHI of others enrolled in your group health plan to the group health plan or the plan sponsor to permit it to perform plan administration functions. Please see your plan documents for a full explanation of the limited uses and disclosures that the plan sponsor may make of your PHI in providing plan administration functions for your group health plan.

You or your personal representative

We may disclose PHI to you for any reason or to your personal representative. Your personal representative would be your legal guardian, someone who has power of attorney over your healthcare decisions, or your parent if you are an unemancipated minor under the age of 18. A personal representative would also include an executor, or an administrator acting on behalf of a deceased individual or the estate.

Underwriting

We may receive your PHI for underwriting, premium rating, or other activities relating to the creation, renewal, or replacement of a contract of health insurance or health benefits. We will not use or disclose demographic information and/or your genetic information for underwriting purposes. We will not use or further disclose your PHI for any other purpose, except as required by law, unless the contract of health insurance or health benefits is placed with us. In that case, our use and disclosure of your PHI will only be as described in this notice.

Health-Related Benefits or Services

We may use your PHI to inform you about health-related benefits and services or treatment alternatives that may be of interest to you.

Research, death, organ donation

We may use or disclose your PHI for research purposes in limited circumstances. We may disclose the PHI of a deceased person to a coroner, medical examiner, funeral director, or organ procurement organization for certain purposes.

Public health and safety

We may disclose your PHI to the extent necessary to avert a serious and imminent threat to your health or safety, or the health or safety of others. We may disclose your PHI to a government agency authorized to oversee the healthcare system or government programs or its contractors, and to public health authorities for public health purposes. We may disclose your PHI to appropriate authorities if we reasonably believe that you are a possible victim of abuse, neglect, domestic violence, or other crimes.

Required by law

We may disclose your PHI when we are required to do so by law. For example, we must disclose your PHI to the U.S. Department of Health and Human Services upon request for purposes of determining whether we are in compliance with federal privacy laws. We may disclose your PHI when authorized by workers’ compensation or similar laws.

Process and proceedings

We may disclose your PHI in response to a court or administrative order, subpoena, discovery request, or other lawful process, under certain circumstances. Under limited circumstances, such as a court order, warrant, or grand jury subpoena, we may disclose your PHI to law enforcement officials.

Law enforcement

We may disclose limited information to a law enforcement official concerning the PHI of a suspect, fugitive, material witness, crime victim, or missing person. We may disclose the PHI of an inmate or other person in lawful custody to a law enforcement official or correctional institution under certain circumstances. We may disclose PHI where necessary to assist law enforcement officials to capture an individual who has admitted to participation in a crime or has escaped from lawful custody.

Military and national security

We may disclose to military authorities the PHI of Armed Forces personnel under certain circumstances. We may disclose to authorized federal officials PHI required for lawful intelligence, counterintelligence, and other national security activities.

State confidentiality laws

Certain state regulations provide for greater privacy protections for an individual with any of the following medical conditions: HIV, mental health, or substance abuse. We will use and disclose your PHI only in accordance with these more restrictive regulations.

Your individual rights

You have the following rights with respect to your PHI.

The right to request access to your PHI

In most cases, you have the right to look at or obtain a copy of your PHI that we maintain. You may obtain a form to request this access by using the contact information at the end of this notice. If you request a copy of your PHI, there may be a charge. If you request that records of your PHI be mailed, you will also be charged for postage.

The right to request an amendment to your PHI

If you believe that the PHI we have about you is incorrect or incomplete, you have the right to request that we correct or update this information. Routine member requests to change member-initiated information, such as updating address information, correcting the spelling of a name, etc., can be handled most efficiently by contacting Member Services. For other information, you may obtain a form to request an amendment by using the contact information at the end of this notice. If you are requesting changes to information that we did not create, but that we received from another source such as from your group health plan or from your provider, we have the right to refer you back to the creator of this information to make your request.

If we deny your request, we will provide you with a written explanation of the denial and explain your right to file a written statement of disagreement with the denial, which may be attached to all future disclosures of your PHI to which the disagreement relates. If we accept your request to amend the information, we will make reasonable efforts to inform others that need to know about the change to your information.

The right to receive an accounting of certain disclosures of your PHI

You have the right to receive a list of certain instances in which we have disclosed your PHI to others over the previous six years. This list will not include any disclosures that we make for purposes of treatment, payment, healthcare operations, including disclosures to your group health plan sponsor for these purposes. This list will also not include permitted disclosures to: you, family, friends, and others involved in your healthcare or payment for your healthcare; personal representatives; authorized officials for correctional institutions and other law enforcement custodial situations or for national security purposes; or others as permitted by your written authorization.

This list will not include disclosures we make that are incidental to disclosures we are permitted to make or disclosures of information in a “limited data set” that does not include your name, address, or certain other identifying information. You may obtain a form to request this accounting by using the contact information at the end of this notice. We will provide you with the date on which we made the disclosure, the name of the person or entity to whom we made the disclosure, a description of the PHI we disclosed, and the reason for the disclosure. We will provide this list at no charge, but if you make more than one request in a 12-month period, we may charge you a reasonable, cost-based fee to respond to this request.

The right to request confidential communications

You have the right to request that we send your PHI to you by alternative means or to an alternative location if this is required to avoid harm to you. For example, we typically send Explanations of Benefits (EOBs) to the subscriber and not to the individual member. A member may request that his/her EOB be sent to the member at a different address if the member believes sending the EOB to the subscriber could endanger the member. You may obtain a form to request confidential communications by using the contact information at the end of this notice. We must accommodate your reasonable request as long as it permits us to continue to collect premiums and pay claims under your health plan.

The right to request a restriction on uses and disclosures of your PHI

You have the right to ask that we place additional limits on how we use and disclose your PHI. However, we are not required to agree to such requests.

The right to receive a written copy of our notice of privacy practices

You have the right to receive a paper copy of this Notice of Privacy Practices at any time, even if you have received this notice via our website or by electronic email. You can request a paper copy of this notice by using the contact information at the end of this notice.

Effective date

This notice is effective on September 23, 2013.

If you have privacy questions or complaints

If you are concerned that we may have violated your privacy rights, you may register your complaint with us by sending your written complaint to:

You also may submit a written complaint to the U.S. Department of Health and Human Services. We will provide you with the address to file your complaint with the U.S. Department of Health and Human Services upon request.

We support your right to protect the privacy of your health information. We will not retaliate in any way if you choose to file a complaint with us or with the U.S. Department of Health and Human Services. If you want more information about our privacy practices, have any questions or concerns, or want to act on any of your individual rights, please contact the Capital Blue Cross Privacy Office toll-free at:

Telephone: 866.987.4241

You can also view a PDF version of the Notice of privacy practices.