The Medica Privacy Notice describes how medical and financial information about you may be used and disclosed under State and Federal law, including the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act (GLBA), and how you can get access to this information.
Please review it carefully.
This notice is intended for Medica members.
Note: The Medica Privacy Notice does not apply to members whose employers are self-insured. If your employer is self-insured, contact your employer for more information about your health plan's privacy practices.
Effective: June 11, 2003
Revised: December 23, 2019
There are several state and federal laws requiring Medica Health Plans, Medica Community Health Plan, and Medica Insurance Company (collectively, "Medica") to protect its members’ personal health information. The most comprehensive regulations were issued under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"). These regulations have been updated from time to time. Essentially, HIPAA regulations require entities like Medica to provide you with information about how your protected health information may be used and disclosed, and to whom. This notice explains what your protected health information is. Regulations also describe how Medica must protect this information and how you can access your protected health information. Medica must follow the terms of its privacy notice. Medica may also change or amend its privacy notice as the laws and regulations change. However, if the notice is materially changed, Medica will make the revised privacy notice available to you.
There are also state and federal laws requiring Medica to protect your non-public personal financial information. The most comprehensive regulations were issued under the Gramm-Leach-Bliley Act ("GLBA"). The GLBA requires Medica to provide you with a notice about how your non-public personal financial information may be used and disclosed, and to whom.
When the law permits use and disclosure
The law permits Medica to use and disclose your personal health information for purposes of treatment, payment and health care operations without first obtaining your authorization. There are other limited circumstances when Medica may use and disclose your personal health information without your authorization, such as public health, regulatory and law enforcement activities. Whether personal health information is used or disclosed with or without your authorization, Medica uses and discloses personal health information only to those persons who need to know and only the minimum amount necessary to perform the required activity.
Your privacy rights
The law also gives you rights to access, copy and amend your personal health information. You have the right to request restrictions on certain uses and disclosures of your personal health information. You also have the right to obtain information about how and when your personal health information has been used and disclosed.
These duties, responsibilities and rights are described in more detail inside.
THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED UNDER STATE AND FEDERAL LAW, INCLUDING HIPAA, AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
THIS NOTICE IS INTENDED FOR MEDICA MEMBERS.
What is PHI?
Medica is committed to protecting and maintaining the privacy and confidentiality of information that relates to your past, present or future physical or mental health, health care services and payment for those services. HIPAA refers to this information as “protected health information” or “PHI.” PHI includes information related to diagnosis and treatment plans, as well as demographic information such as name, address, telephone number, age, date of birth, and health history.
How does Medica protect your PHI?
Medica takes its responsibility of protecting your PHI seriously. Where possible, Medica de-identifies PHI. Medica uses and discloses only the minimum amount of PHI necessary for treatment, payment and operations, or to comply with legal or similar requirements. In addition to physical and technical safeguards, Medica has administrative safeguards such as policies and procedures that require Medica’s employees to protect your PHI. Medica also provides training on privacy and security to its employees.
Medica protects the PHI of former members just as it protects the PHI of current members.
Under what circumstances does Medica use or disclose PHI?
Medica receives, maintains, uses and shares PHI only as needed to conduct or support: (i) treatment-related activities, such as referring you to a doctor; (ii) payment-related activities, such as paying a claim for medical services; and (iii) health care operations, such as developing wellness programs. Additional examples of these activities include:
- Enrollment and eligibility, benefits management, and utilization management
- Customer service
- Coordination of care
- Health improvement and disease management (for example, sending information on treatment alternatives or other health-related benefits)
- Premium billing and claims administration
- Complaints and appeals, underwriting, actuarial studies, and premium rating (however, Medica is prohibited from using or disclosing your PHI that is genetic information for underwriting purposes)
- Credentialing and quality assurance
- Business planning or management and general administrative activities (for example, employee training and supervision, legal consultation, accounting, auditing)
- Medica may, from time to time, contact you with important information about your health plan benefits. Such contacts may include telephone, mail or electronic mail messages.
With whom does Medica share PHI?
Medica shares PHI for treatment, payment and health care operations with your health care providers and other businesses that assist it in its operations. These businesses are called “business associates” in the HIPAA regulations. Medica requires these business associates to follow the same laws and regulations that Medica follows.
Public health, law enforcement and health care oversight
There are also other activities where the law allows or requires Medica to use or disclose your PHI without your authorization. Examples of these activities include:
- Public health activities (such as disease intervention);
- Health care oversight activities required by law or regulation (such as professional licensing, member satisfaction surveys, quality surveys, or insurance regulation);
- Law enforcement purposes (such as fraud prevention or in response to a subpoena or court order);
- Assisting in the avoidance of a serious and imminent threat to health or safety; and
- Reporting instances of abuse, neglect, domestic violence or other crimes.
Employee benefit plans
Medica has policies that limit the disclosure of PHI to employers. However, Medica must share some PHI (for example, enrollment information) with a group policyholder to administer its business. The group policyholder is responsible for protecting the PHI from being used for purposes other than health plan benefits.
Medica may use or release PHI for research. Medica will ensure that only the minimum amount of information that identifies you will be disclosed or used for research. HIPAA allows Medica to disclose a very limited amount of your PHI, called a “limited data set” for research without your authorization. You have the right to opt-out of disclosing your PHI for research by contacting Medica as described below. If Medica uses any identifiers, Medica will request your permission first.
Under some circumstances Medica may disclose information about you to a family member. However, Medica cannot disclose information about one spouse to another spouse, without permission. Medica may disclose some information about minor children to their parents. You should know, however, that state laws do not allow Medica to disclose certain information about minors — even to their parents.
When does Medica need your permission to use or disclose your PHI?
From time to time, Medica may need to use or disclose PHI where the laws require Medica to get your permission. Medica will not be able to release the PHI until you have provided a valid authorization. In this situation, you do not have to allow Medica to use or disclose your PHI. Medica will not take any action against you if you decide not to give your permission. You, or someone you authorize (such as under a power of attorney or court-appointed guardian), may cancel an authorization you have given, except to the extent that Medica has already relied on and acted on your permission.
Your authorization is generally required for uses and disclosures of PHI not described in this notice, as well as uses and disclosures in connection with:
- Psychotherapy notes. Medica must obtain your permission before making most uses and disclosures of psychotherapy notes.
- Marketing. Subject to limited exceptions, Medica must also obtain your permission before using or disclosing your PHI for marketing purposes.
- Sales. Additionally, Medica is not permitted to sell your PHI without your permission. However, there are some limited exceptions to this rule — such as where the purpose of the disclosure of PHI is for research or public health activities.
What are your rights to your PHI?
You have the following rights with regard to the PHI that Medica has about you. You, or your personal representative on your behalf, may:
Request restrictions of disclosure. You may ask Medica to limit how it uses and discloses PHI about you. Your request must be in writing and be specific as to the restriction requested and to whom it applies. Medica is not required to always agree to your restriction. However, if Medica does agree, Medica will abide by your request.
Request confidential communications. You may ask Medica to send your PHI to a different address or by fax instead of mail. Your request must be in writing. Medica will agree to your request if it is able.
Inspect or obtain a copy of your PHI. Medica keeps a designated record set of its members’ medical records, billing records, enrollment information and other PHI used to make decisions about members and their benefits. You have the right to inspect and get a copy of your PHI maintained in this designated record set. Your request must be in writing on Medica’s form. If the PHI is maintained electronically in a designated record set, you have a right to obtain a copy of it in electronic form. Medica will respond to your request within thirty (30) days of receipt. Medica may charge you a reasonable amount for providing copies. You should know that not all the information Medica maintains is available to you and there are certain times when other individuals, such as your doctor, may ask Medica not to disclose information to you.
Request a change to your PHI. If you think there is a mistake in your PHI or information is missing, you may send Medica a written request to make a correction or addition. Medica may not be able to agree to make the change. For example, if Medica received the information from a clinic, Medica cannot change the clinic information — only the clinic can. If Medica cannot make the change, it will let you know within thirty (30) days. You may send a statement explaining why you disagree, and Medica will respond to you. Your request, Medica’s disagreement and your statement of disagreement will be maintained in Medica’s designated record set.
Request an accounting of disclosures. You have the right to receive a list of disclosures Medica has made of your PHI. There are certain disclosures Medica does not have to track. For example, Medica is not required to list the times it disclosed your PHI when you gave Medica permission to disclose it. Medica is also not required to identify disclosures it made that go back more than six (6) years from the date you asked for the listing.
Receive a notice in the event of a breach. Medica will notify you, as required under federal regulations, of an unauthorized release, access, use or disclosure of your PHI. “Unauthorized” means that the release, access, use or disclosure was not authorized by you or permitted by law without your authorization. The federal regulations further define what is and what is not a “breach.” Not every violation of HIPAA, therefore, will constitute a breach requiring a notice.
Request a copy of this notice. You may ask for a separate paper copy of this notice.
TO EXERCISE ANY OF THESE RIGHTS, PLEASE CONTACT CUSTOMER SERVICE AT THE TELEPHONE NUMBER ON THE BACK OF YOUR MEDICA ID CARD, OR CONTACT MEDICA AT P.O. BOX 9310, MINNEAPOLIS, MN 55440-9310.
File a complaint or grievance about Medica’s privacy practices. If you feel your privacy rights have been violated by Medica, you may file a complaint. You will not be retaliated against for filing a complaint. To file a complaint with Medica, please contact Customer Service at the contact information listed above. You may also file a complaint with the Secretary of the U.S. Department of Health and Human Services. To do so, write to the Office for Civil Rights, U.S. Department of Health & Human Services, 233 N. Michigan Ave., Suite 240, Chicago, IL 60601.
About this notice.
Medica is required by law to maintain the privacy of PHI and to provide this notice. Medica is required to follow the terms and conditions of this notice. However, Medica may change this notice and its privacy practices, as long as the change is consistent with state and federal law. If Medica makes a material change to this notice, it will make the revised notice available to you within sixty (60) days of such change.