Updated: August 29, 2023

Notice of Privacy Practices

THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.

This notice applies to benefit plans offered by Blue Cross Blue Shield of Wyoming. Blue Cross Blue Shield of Wyoming is referred to as “we,” “us,” and “our” in this notice. Persons insured as participants under our benefit plans are referred to as “you” and “your” in this notice.

We Have a Legal Duty to Protect Your Protected Health Information

We understand the importance of keeping your protected health information (PHI) private and make it one of our top priorities. PHI is your personal health information and other information that identifies you, such as your name, address, telephone number, social security number, and benefit plan number. We are required by law to protect the privacy of your PHI and to provide you with notice of our legal duties and privacy practices with respect to your PHI. This notice explains how, when, and why we collect, use and disclose your PHI. It also explains your rights concerning your PHI.

We must follow the privacy practices described in this notice while it is in effect. This notice takes effect February 23, 2017 and will remain in effect until we replace it with a revised notice.

From time to time, it may become necessary for us to revise our privacy practices as described in this notice. We reserve the right to revise the terms of this notice and to make the new privacy practices applicable to all PHI we maintain, including PHI we created or received before we made the revision. When we make a significant revision to our privacy practices, we will revise this notice and mail the revised notice to our benefit plan subscribers.

This notice may be viewed on our website at https://www.bcbswy.com/privacy/notice. You may request additional copies of this notice. Please see the contact information listed at the end of this notice under the paragraph entitled “Questions and Complaints.”

How We May Use and Disclose Your Protected Health Information

We use and disclose PHI for many reasons. Under some circumstances, we are allowed by law to use and disclose your PHI without your authorization. Under other circumstances, we need your authorization to use and disclose your PHI. Unless otherwise required by law, we use and disclose only the minimum amount of information necessary to satisfy the purpose of the use or disclosure. Described below are different categories of our uses and disclosures and some examples of each category.

Our privacy policies set out in this notice apply to your PHI regardless of whether your status as a participant in our benefit plan is active or has been terminated. In many cases, we are required by law to retain the PHI for a set amount of time. We will not destroy your PHI for that set amount of time, even if your coverage with us has terminated. Therefore, even after your coverage terminates, your PHI may be used for many of the purposes described in this notice.

Uses and Disclosures of Protected Health Information Without Your Authorization

Abuse or Neglect: We may disclose your PHI to the appropriate authorities to report child abuse or neglect or when there is a concern that you have been a victim of abuse, neglect or domestic violence.

Business Associates: We may share your PHI with our accountants, consultants and other third parties who we hire for various business activities. These third parties also are required to keep your information private. For example, we may disclose your PHI to auditors who make sure we comply with the laws that affect us. In addition, we may disclose your PHI to consultants who help us review and improve the quality of the health care services that you receive.

Coroners, Funeral Directors and Organ Donations: We may disclose PHI of deceased members to coroners or funeral directors so they can carry out their duties. In addition, we may disclose PHI to organizations that arrange organ donations and transplants.

Genetic Information: We cannot use or disclose PHI that is an individual’s genetic information for underwriting.

Health Oversight: We may disclose your PHI to health oversight agencies that are responsible for auditing, investigating, inspecting and licensing health care entities. These activities are necessary for the government to monitor the health care system, government programs and compliance with laws.

Health Related Benefits and Services: Where permitted by law, we may use or disclose your PHI to contact you about health-related benefits and services, treatment alternatives that may be of interest to you or appointment reminders. For example, your name and address may be used to send you our newsletters that contain general health information. In addition, we may contact you about health-related products that may be added to or replace your existing benefit plan.

Health Care Operations: We may use and disclose your PHI to operate our business and make sure that you receive quality care. Several examples of how we may use and disclose your PHI for healthcare operations include the following:

  • To the extent permitted by law, determining if you are eligible to enroll in our benefit plan;
  • To the extent permitted by law, determining the premium for your benefit plan;
  • Reviewing your doctors’ treatment and services, and evaluating their performance;
  • Assisting your doctor in the management of your ongoing care for a disease or medical condition;
  • Reviewing for fraud, waste and abuse;
  • Responding to your inquiries; and
  • Surveying you on how well we meet your health insurance needs.

Law Enforcement: We may disclose your PHI to law enforcement officials in certain situations. For example, we may disclose PHI for legal proceedings, to help identify or locate a suspect, witness or missing person or to provide information concerning a crime on our property.

Legal Proceedings: We may disclose your PHI for legal proceedings if there is a court order, administrative order, subpoena, discovery request or other lawful process.

Marketing/Sale: We will obtain an authorization from you before we use or disclose your PHI for marketing purposes unless our marketing is in the form of a face-to-face communication with you or we are providing you with a promotional gift of nominal value. In those two situations, an authorization is not required. We will not sell your PHI to anyone without your authorization, except where expressly permitted by law.

Military Activity and National Security: We may disclose the PHI of military personnel to military authorities under certain circumstances. In addition, we may disclose your PHI to federal officials for national security or intelligence purposes, such as protecting the President of the United States or others.

Parental Access: Generally, parents, guardians or other people acting in a similar legal capacity may receive their minor child’s PHI. However, some state laws give minors special protections, and require that we cannot disclose the minor’s PHI to the parents, guardians or others without the written authorization of the minor.

Payment: We may use and disclose your PHI to pay for services that are covered under your benefit plan. For example, we may need to give your insurance information to doctors so they can bill us and receive payment for the treatment you received. We may also use and disclose your PHI to coordinate benefits with other insurance carriers such as your automobile insurance company or Medicare.

Plan Sponsors: If you are enrolled in a health plan through your current or previous employer, you are enrolled in a group health plan. Each group health plan has a “plan sponsor,” the person or group that established the group health plan. In many cases, the plan sponsor is your employer. If your plan sponsor needs PHI to administer their group health plan, they are required by law to establish privacy procedures for receiving PHI from us, and they may use it only as the law allows. If your plan sponsor establishes these privacy procedures, we may disclose PHI to them. Please refer to your benefit plan or other plan documents for an explanation of how your plan sponsor may use or disclose PHI to administer your group health plan.

Public Health and Safety: We may disclose your PHI to government officials in charge of collecting information about public health. For example, we may share PHI with state departments of health about births, deaths, diseases, injuries or disabilities. We also may disclose PHI to law enforcement or other officials to prevent or reduce a serious threat to the health or safety of you, another person or the public.

Required by Law: We may disclose your PHI when we are required to do so by law. For example, we must disclose your PHI to U.S. Department of Health and Human Services officials upon their request, so they can determine whether we are complying with federal privacy laws.

Research: We may disclose your PHI to researchers in limited situations. These researchers are required to establish measures to protect your privacy.

Treatment: We may disclose your PHI to doctors, nurses or other healthcare professionals who ask for it in order to treat you. For example, we may use or disclose your PHI to determine whether services requested by your doctor are covered benefits under your health plan.

Underwriting: To the extent permitted by law, we may receive your PHI for underwriting, premium rating or other activities related to the creation, renewal or replacement of your benefit plan (although we are prohibited from using or disclosing any genetic information for underwriting purposes). We will not use or further disclose your PHI for any other purpose, except as required by law, unless the contract of health insurance or health benefits is placed with us. In that case, our use and disclosure of your PHI will only be as described in this notice. If we receive your PHI to determine if you are eligible to enroll in our benefit plan and you do not enroll with us, we will only use or disclose your PHI as required by law.

Workers’ Compensation: We may disclose your PHI as required by workers’ compensation laws and other similar programs that provide benefits for work-related injuries or illnesses.

Uses and Disclosures of Protected Health Information With Your Authorization

Written Authorization: If you provide written authorization, we may disclose your PHI to anyone you authorize for any reason. You may revoke this authorization in writing at any time. Revoking your authorization will not affect any action that was taken before the authorization was revoked. Without your authorization, we may not use or disclose your PHI for any reason except as described in this notice and/or as required by law. If we have them, we must get your written authorization before we disclose your provider’s psychotherapy notes.

Oral Authorization: Family members, friends or other persons may be assisting you with your health care. We may disclose your PHI to these family members, friends or others if you give us your oral authorization. If you are unable to give us your oral authorization, we may disclose your PHI to these family members, friends or others if there is a medical emergency or for disaster relief purposes to the extent we believe the disclosure of your PHI would be in your best interest to help with your health care or with payment for your healthcare.

Other Uses and Disclosures: Your written authorization is required for all other uses and disclosures of your PHI that are not described in this notice.

Your Rights Regarding Your Protected Health Information

Access: You have the right to look at or get copies of your PHI in our control or possession, with limited exceptions. In certain circumstances, you may request electronic copies of your PHI. We will use the format you request unless we cannot practicably do so. You must make your request to obtain access to your PHI in writing. We may charge you a reasonable fee for the costs of your request, which may vary depending on the format requested, but may include copy and postage fees.  If you prefer, we will prepare a summary or an explanation of your PHI for a fee.

Amendment: You have the right to ask us to amend your PHI if you believe that it contains a mistake or that an important piece of information is missing. Your request must be in writing and must explain why the information should be amended. We may deny your request in certain cases. For example, we may deny your request if we did not create the information, such as medical information received from your doctor. If we deny your request, we will provide you with a written explanation. You may respond with a statement of disagreement that we will append to the PHI you wanted amended. We will ensure your statement of disagreement is included with all future disclosures we make of that PHI. If we accept your request to amend your PHI, we will make reasonable efforts to inform all relevant persons and entities of the amendment and to include the amendment in any future disclosures of that PHI.

Confidential Communications: If you feel that you could be in danger as a result of your PHI being sent to your main address, you have the right to ask that we send your PHI to a different address or that we communicate with you in a certain way. You must make your request in writing and you must state that the PHI could endanger you if it is not communicated in confidence by the alternative means or at the alternative location you have requested. We will accommodate reasonable requests when possible.

Disclosure Accounting: You have the right to ask us for a list of disclosures that we have made of your PHI. Your request may be for disclosures made up to six (6) years before the date of your request. We will provide you with a list of disclosures, including the date on which we made the disclosure, the name of the person or entity to whom we made the disclosure, a description of the PHI we disclosed and the reason for the disclosure. This list will not include the following:

  • Disclosures for treatment, payment or health care operations;
  • Disclosures to you or your legal representative;
  • Disclosures that you or your legal representative authorized; and
  • Certain other disclosures as allowed by law.

If you request this list more than once in a twelve (12) month period, we may charge you a reasonable cost-based fee for responding to these additional requests. In most cases we must respond to your request within thirty (30) days.

Electronic Notice: If you receive this notice on our website or by e-mail, you also may ask for this notice in written form. Please contact us at the address listed at the end of this notice under the paragraph entitled “Questions and Complaints.”

Restrictions: You have the right to ask us to restrict the way we use or disclose your PHI for treatment, payment and health care operations, as described above. However, you may not request that we restrict the uses and disclosures of your PHI that we are required or allowed to make by law. We will consider your request for restrictions, but we are not required by law to agree to them. If we agree to restrictions, we will follow them, except in an emergency situation. Any agreement we make to restrict our use or disclosure of your PHI must be in writing signed by a person authorized to make such an agreement on our behalf. We will not be bound to any agreement that is not in writing. We may terminate our agreement to restrict our uses and disclosures of your PHI upon notice to you.  If you do not agree to the termination of the agreement, the termination is only effective with respect to your PHI created or received after we have informed you of our decision to terminate our agreement to restrict our use or disclosure of your PHI.

Breach Notification: In the event of a breach of your unsecured PHI, we will provide you notification of such a breach as required by law or where we otherwise deem notice to be appropriate.

Questions and Complaints

For more information about your privacy rights, or if you want additional copies of this notice, you may visit our website at https://www.bcbswy.com/privacy/notice or call the telephone number on your Member ID card. You may also contact BCBSWY Member Services at 4000 House Avenue, P.O. Box 2266, Cheyenne WY 82003 or at 1-800-442-2376. In order to provide you with the best possible customer service, Member Services may need to transfer your call to the service unit that specializes in your benefit plan. You have a right to get a new copy, including a paper copy, of this notice at any time.

If you believe that your privacy rights have been violated, you may file a written complaint with our Privacy Officer. You also have the right to complain to the U.S. Secretary of Health and Human Services. We support your right to protect the privacy of your PHI. We will not retaliate against you in any way if you choose to file a complaint with us or the U.S. Department of Health and Human Services.

If you have any questions about the complaint process, wish to file a complaint with us, or need the address of the U.S. Secretary of Health and Human Services, please contact our Privacy Officer at the following address and telephone number:

Privacy Officer
4000 House Avenue
P.O. Box 2266
Cheyenne, WY 82003
(307) 634-1393 or (800) 442-2376

Effective Date of This Notice: February 23, 2017

Here is What You Can Do to Protect Your Privacy

BCBSWY wants to help empower members to protect their privacy. Here are a few simple ways you can better secure your privacy data.

  • Learn how online tracking works and what you can do about it
  • Secure your devices
  • Know about online abuse and harassment
  • Change your password frequently
  • Use trusted internet networks

Find more information about the topics above at https://consumer.ftc.gov/consumer-alerts/2021/06/your-guide-protecting-your-privacy-online

Know About Online Abuse and Harassment

Learn about what you can do if someone tracks your phone without permission or shares your personal imagery without your consent.

Find more information about the topics above at https://consumer.ftc.gov/consumer-alerts/2021/06/your-guide-protecting-your-privacy-online

How Can Members use HIPAA to Protect Their Information?

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that required the creation of national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge. Covered entities, such as doctors, clinics, dentists, etc., must comply with all HIPAA rules, whereas entities such as fast-food restaurants, car washes or arcades would not be considered covered entities as they do not deal with health information. Learn more about what a covered entity is at https://www.hhs.gov/hipaa/for-professionals/covered-entities/index.html

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) enforces the HIPAA Privacy, Security, and Breach Notification Rules, and the Patient Safety Act and Rule.

You can find more information about patient rights under HIPAA and who is obligated to follow HIPAA here: https://www.hhs.gov/hipaa/for-individuals/guidance-materials-for-consumers/index.html

Please visit the OCR webpage to understand their responsibilities: https://www.hhs.gov/ocr/about-us/index.html

File a complaint with OCR at https://www.hhs.gov/ocr/complaints/index.html

Please visit the FTC website to understand their responsibilities: https://www.ftc.gov/about-ftc

File a complaint with the FTC at reportfraud.ftc.gov

Third-party apps

We want to help our members consider the pros and cons of allowing a third-party app to retrieve their health care data. It is important for health care patients to take an active role in protecting their health information. Knowing what to look for when choosing an app can help patients make more informed decisions. Patients should look for an easy-to-read privacy policy that clearly explains how the app will use their data. If an app does not have a privacy policy, patients should be advised not to use the app. Patients should consider the following:

What to Consider

Before using a third-party app, use caution and watch for these things.

An easy-to-read privacy and security policy that clearly explains how the app will use your data and answers the following questions to your satisfaction:

What health data will this app collect? Will this app collect non-health data from my device, such as my location?

Will my data be stored in a de-identified or anonymized form?

How will this app use my data?

Will this app disclose my data to third parties?

Will this app sell my data for any reason, such as advertising or research?

Will this app share my data for any reason? If so, with whom? For what purpose?

How can I limit this app’s use and disclosure of my data?

What security measures does this app use to protect my data?

What impact could sharing my data with this app have on others, such as my family members?

How can I access my data and correct inaccuracies in data retrieved by this app?

Does this app have a process for collecting and responding to user complaints?

If I no longer want to use this app, or if I no longer want this app to have access to my health information, how do I terminate the app’s access to my data?

How does this app inform users of changes that could affect its privacy practices?

What is the app’s policy for deleting my data once I terminate access? Do I have to do more than just delete the app from my device?

Learn more at https://www.bcbswy.com/third-party-apps/