How Medica Protects Your Privacy
There are several state and federal laws requiring Medica to protect our members’ personal information. The most comprehensive regulations were issued under the Health Insurance Portability and Accountability Act (HIPAA). These regulations have been updated from time to time. Essentially, HIPAA regulations require health plans to provide you with information about how your protected health information may be used and disclosed, and to whom. This notice explains what your protected health information is. Regulations also describe how Medica must protect this information and how you can access your protected health information. Medica must follow the terms of its privacy notice. Medica may also change or amend its privacy notice as the laws and regulations change. However, if the notice is materially changed, Medica will provide a revised privacy notice within 60 days of the date it is amended.
When the law permits use and disclosure
The law permits Medica to use and disclose your personal information for purposes of treatment, payment and health care operations without first obtaining your authorization. There are other limited circumstances when Medica may use and disclose your personal information without your authorization, such as public health, regulatory and law enforcement activities. Whether personal information is used or disclosed with or without authorization, Medica uses or discloses personal information only to those persons who need to know and only the minimum amount necessary to perform the required activity.
Your privacy rights
The law also gives you rights to access, copy and amend your personal information. You have the right to request restrictions on certain uses and disclosures of your personal information. You also have the right to obtain information about how and when your personal information has been used and disclosed.
These duties, responsibilities and rights are described in more detail below.
Please Note: Medica's Privacy Notice does not apply to members whose employers are self-insured. If your employer is self-insured, you need to contact your employer for more information about your health plan's privacy practices.
Medica's Privacy Notice
THIS NOTICE DESCRIBES HOW INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED, UNDER STATE AND FEDERAL LAW, INCLUDING THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
THIS NOTICE IS INTENDED FOR MEDICA INSURANCE COMPANY, MEDICA HEALTH PLANS, AND MEDICA HEALTH PLANS OF WISCONSIN MEMBERS (REFERRED TO AS “MEDICA”).
Medica is committed to protecting and maintaining the privacy and confidentiality of your information. We refer to this information as “protected health information” or “PHI.” This notice describes our privacy practices and our related legal duties. It also describes your rights regarding your PHI.
What is PHI?
As a health plan, Medica has information about our members such as name, address, telephone number, member number, age, date of birth, and health history. In addition, Medica receives information about our members’ health care services. This and any other information that identifies you is called “PHI.”
How does Medica protect your PHI?
Medica takes its responsibility of protecting your PHI seriously. Where possible, Medica de-identifies PHI. We use and disclose only the minimum amount of PHI necessary for treatment, payment and operations, or to comply with legal or similar requirements. In addition to physical and technology safeguards, Medica has policies and procedures that require Medica’s employees to protect your PHI. Medica provides training on privacy and security to its employees.
We protect the PHI of applicants and former members just as we protect the PHI of current Medica members.
Under what circumstances does Medica use or disclose PHI?
Medica receives, maintains, uses and shares PHI to carry out certain health plan activities. Routine activities include: (i) treatment-related activities, such as referring you to a doctor; (ii) payment-related activities, such as paying a claim for medical services; and (iii) healthcare operations, such as developing wellness programs. Other examples of routine activities include:
- Enrollment and eligibility, benefits management, and utilization management
- Customer service
- Coordination of care
- Health improvement and disease management (for example, sending information on treatment alternatives or other health-related benefits)
- Premium billing and claims administration
- Complaints and appeals
- Underwriting, actuarial studies, and premium rating
- Credentialing and quality assessment
- Business planning or management and general administrative activities (for example, employee training and supervision, legal consultation, accounting, auditing)
- Medica may, from time to time, contact you with important information about your health plan benefits. Such contacts may include telephone, mail or electronic mail messages.
With whom does Medica share PHI?
Medica shares PHI for treatment, payment and health care operations with your health care providers and other businesses that assist us in our operations. These businesses are called “business associates” in the HIPAA regulations. We require these business associates to follow the same laws and regulations that Medica follows.
Public Health, Law Enforcement and Health Care Oversight. There are also other activities where the law allows Medica to use or disclose your PHI without your authorization. Examples of these are:
- public health activities (such as disease intervention);
- healthcare oversight activities required by law or regulation (such as professional licensing, member satisfaction surveys, quality surveys, or insurance regulation);
- law enforcement purposes (such as fraud prevention); and
- assisting in the avoidance of a serious and imminent threat to health or safety.
Employee Benefit Plans. Medica has policies that limit the disclosure of PHI to employers. However, Medica must share some PHI (for example, enrollment information) with a group policyholder to administer its business. The group policyholder is responsible for protecting the PHI from being used for purposes other than health plan benefits.
Research. Medica may use or release PHI for research. Medica will ensure that only the minimum amount of information that identifies you will be disclosed or used for research. HIPAA allows us to disclose a very limited amount of your PHI, called a “limited data set” for research without your authorization. You have the right to opt out of disclosing your PHI for research by contacting us as described below. If we use any identifiers, we will request your permission first.
Family Members. Under some circumstances we can disclose information about you to a family member. We cannot disclose information about one spouse to another spouse, without permission. We can disclose some information about minor children to their parents. You should know, however, that state laws do not allow us to disclose certain information about minors – even to their parents.
When does Medica need your permission to use or disclose your PHI?
From time to time, Medica may need to use or disclose PHI where the laws require us to get your permission. Medica will not be able to release the PHI until we have obtained your authorization. In this situation, you do not have to allow Medica to use or disclose your protected health information. Medica will not take any action against you if you decide not to give us permission. You, or someone you authorize (such as under a power of attorney or court-appointed guardian), may cancel an authorization you have given, except to the extent that Medica has already relied on and acted on your permission.
Marketing. Medica is not permitted to sell your PHI without your permission. There are some limited exceptions to this rule—such as for research or public health activities. We are only allowed to contact you, without first getting your permission, to encourage you to use or purchase a particular item or service in a few situations. For example, we can contact you about new or additional benefits under your health plan, but we cannot contact you to tell you about other types of products.
What are your rights to your PHI?
You have the following rights with regard to the PHI that Medica has about you. You, or your personal representative on your behalf, may:
Request restrictions of disclosure. You may ask Medica to limit how it uses and discloses PHI about you. Your request must be in writing and be specific as to the restriction requested and to whom it applies. If Medica is able to provide you with health plan services without using or disclosing your PHI as you request, we will agree.
Request confidential communications. You may ask us to send you PHI to a different address or by fax instead of mail. Medica will agree to do this if we are able, but the request must be in writing.
Inspect or obtain a copy of your PHI. Medica keeps members’ PHI in a designated record set. You have the right to see or get a copy of your PHI. Your request must be in writing on Medica’s form. Usually we will get this to you within thirty (30) days. Medica may charge you a reasonable amount for providing copies. You should know that not all the information we have is available to you and there are certain times when others, such as your doctor, ask us not to disclose information to you.
Request a change to your PHI. If you think there is a mistake in your PHI or information is missing, you may send us a written request to make a correction or addition. Medica may not be able to agree to make the change. For example, if we received the information from a clinic, we cannot change the clinic information—only the clinic can. If we cannot make the change, we will let you know within thirty (30) days. You may send a statement explaining why you disagree with us. Medica will respond to you. Your request, our disagreement and your statement disagreeing with us will be maintained in Medica’s designated record set.
Request an accounting of disclosures. You have the right to receive a list of disclosures Medica has made of your PHI. There are certain disclosures we do not have to track. For example, we do not have to list the times we disclosed your PHI when you gave us permission to disclose it. Your request cannot go back more than six years from the date you asked for the listing.
Receive a notice in the event of a breach. Medica will notify you, as required under federal regulations, of an unauthorized release, access, use or disclosure of your PHI. “Unauthorized” means that the release, access, use or disclosure was not authorized by you or permitted by law without your authorization. The federal regulations further define what is and what is not a “breach.” Every violation of the HIPAA Privacy Rules, therefore, will not constitute a breach requiring a notice.
Request a copy of this notice. You may ask for a separate paper copy of this notice.
TO EXERCISE ANY OF THESE RIGHTS, PLEASE CONTACT CUSTOMER SERVICE AT THE TELEPHONE NUMBER ON THE BACK OF YOUR MEDICA ID CARD, OR CONTACT US AT P.O. BOX 9310, MINNEAPOLIS, MN 55440-9310.
Right to file a complaint or grievance about Medica’s privacy practices
If you feel your privacy rights have been violated, you may file a complaint. You will not be retaliated against for filing a complaint. To file a complaint with Medica, please contact Customer Service at the contact information listed above. You may also file a complaint with the Secretary of the U.S. Department of Health and Human Services. To do so, write to the Office for Civil Rights, U.S. Department of Health & Human Services, 233 N. Michigan Ave. Suite 240, Chicago, IL 60601.
About this notice
Medica is required by law to maintain the privacy of PHI and to provide this notice. We may change this notice and our privacy practices, as long as our change is consistent with state and federal law. If we make a change, we will send you a revised notice by mail or electronically.