Notice of Privacy Practices for the Blue Cross and Blue Shield Service Benefit Plan

This notice describes how we, the Blue Cross and Blue Shield (BCBS) Service Benefit Plan, may use and disclose your protected health information (PHI), and how you can get access to this information.

This notice describes how we, the Blue Cross and Blue Shield (BCBS) Service Benefit Plan, may use and disclose your protected health information (PHI), and how you can get access to this information in compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA). It also includes our legal obligations concerning your PHI, and your right to receive a copy of this notice and discuss its contents with a designated person. This notice also outlines how to file a HIPAA complaint. Please review it carefully.

CONTACT INFORMATION
If you have any questions or if you would like to discuss the contents of this notice with a designated person located offsite, or for additional information concerning privacy practices, call the National Information Center at 1-800-411-BLUE(2583) hotline or email at fepblueprivacyquestions@bcbsa.com. You may also reach out to your local BCBS Company. Telephone numbers for your local BCBS Company can be found on the back of your member ID card or in the Contact Us section of this website.

Contract holders receive a copy of this Notice at the time of enrollment. A Notice of Privacy Practices is issued to all Service Benefit Plan contract holders when they enroll and whenever there is a material change to the privacy practices provided in the notice. In situations where there are material changes, the revised Notice of Privacy Practices will be distributed to all contract holders within 60 days of the change.

OUR RESPONSIBILITIES
We are required by law to maintain the privacy of your protected health information and abide by the terms of this notice. We are also obligated to provide you with a copy of this Notice of our legal duties and of our privacy practices with respect to your protected health information.

We will not use or disclose your protected health information for marketing purposes, or disclose your protected health information in a manner that constitutes a sale of protected health information without your written authorization.

We will notify you in accordance with federal law following a breach of your unsecured protected health information.

ROUTINE USES AND DISCLOSURES OF PROTECTED HEALTH INFORMATION
We are most likely to use and/or disclose your protected health information in the following ways:

• For payment and healthcare operations: We will use or disclose your protected health information to obtain premiums or make payments or to otherwise fulfill our responsibilities for coverage and providing benefits as established under your member contract. We may also use your information for business operations, For example, we may use or disclose your protected health information: (i) to send you information about one of our disease management programs; (ii) to respond to a customer service inquiry from you; (iii) in connection with fraud and abuse detection and compliance programs; (iv) to survey you concerning how effectively we are meeting your health insurance needs; or (v) for enrollment purposes.

• For appointment/service reminder: We may contact you for care coordination purposes, such as reminding you to obtain preventive health services or to inform you of treatment alternatives and/or health related benefits and services that may be of interest to you.

• For use by business associates: We contract with individuals and entities (business associates) to perform various functions on our behalf or to provide certain types of services. To perform these functions or to provide the services, business associates will receive, create, maintain, use, or disclose protected health information. We require business associates to agree in writing to contract terms designed to appropriately safeguard your information.

• For use by covered entities: A Covered Entity is defined as: (1) a health plan; (2) a healthcare clearinghouse; or (3) a healthcare provider who transmits any health information in electronic form in connection with a transaction covered by the Administrative Simplification provisions. We may use or disclose your protected health information to assist healthcare providers in connection with their treatment or payment activities, or to assist other covered entities in connection with certain healthcare operations.

• We may use or disclose your protected health information to the U.S. Office of Personnel Management (OPM) or to your employing agency in connection with payment or healthcare operations, or when required by federal law. For example, we may disclose protected health information to your Health Benefits Officer who will work with you to resolve questions concerning your enrollment. We also will disclose protected health information when responding to your requests for reconsideration for a denied claim. You should continue to follow the process as described in the Blue Cross and Blue Shield Service Benefit Plan brochure to request a reconsideration of any denied claim.

• In some situations, we may choose to follow state privacy or other applicable laws that provide individuals greater privacy protections. If a state law that we follow requires that we not use or disclose protected health information (such as age of majority or parental notification restrictions), then we may not use or disclose that information according to the applicable state law.

• We may use or disclose your protected health information to the extent that federal law requires the use or disclosure. We may use or disclose your protected health information for public health activities that are permitted or required by law. For example, we may use or disclose information for the purpose of preventing or controlling disease, injury, or disability.

• We may disclose your protected health information to a health oversight agency for activities authorized by law, such as: audits; investigations; inspections; licensure or disciplinary actions; or civil, administrative, or criminal proceedings or actions.

• We may disclose your protected health information to a government authority that is authorized by law to receive reports of abuse, neglect, or domestic violence if we believe that you have been a victim of abuse, neglect, or domestic violence.

• We may disclose protected health information about a decedent to law enforcement for criminal investigation or to coroners or medical examiners to determine cause of death.

• We may disclose your protected health information: (1) in the course of any judicial or administrative proceeding; (2) in response to an order of a court or administrative tribunal (to the extent such disclosure is expressly authorized); and (3) in response to a subpoena, a discovery request, or other lawful process, once we have met all administrative requirements of the HIPAA Privacy Regulations.

• We will not use or disclose genetic information for underwriting purposes, but we may use genetic information for other allowable purposes, such as determinations of medical appropriateness where you seek a benefit under the plan, coverage or policy.

• We are required to disclose your protected health information to OPM for its Federal Employees Health Benefits (FEHB) Program Claims Data Warehouse.

• We are required to disclose your protected health information to the Secretary of the U.S. Department of Health and Human Services when the Secretary is investigating or determining our compliance with the HIPAA Privacy Regulations, making sure your privacy is protected.

DISCLOSURES TO YOU OR YOUR PERSONAL REPRESENTATIVE
We will disclose your PHI to you upon your request.

We will also disclose your PHI to an individual who has been designated by you as your personal representative and who has qualified for such designation in accordance with relevant state law. Before we will disclose protected health information to such a person, you must submit a written notice of his/her designation, with documentation that supports his/her qualification, such as a power of attorney.

Even if you designate a personal representative, the HIPAA Privacy Regulations permit us to elect not to treat the person as your personal representative if we have a reasonable belief that: (i) you have been, or may be, subjected to domestic violence, abuse, or neglect by such person; (ii) treating such person as your personal representative could endanger you; or (iii) we determine, in the exercise of our professional judgment, that it is not in your best interest to treat the person as your personal representative.

Use and disclosure of your PHI is limited to the minimum amount necessary.

OTHER USES AND DISCLOSURES OF YOUR PROTECTED HEALTH INFORMATION
Other uses and disclosures of your protected health information not described in this Notice will be made only with your written authorization. For example, authorization is required for use or disclosure of psychotherapy notes with certain exceptions. If you provide us with such an authorization, you may revoke the authorization in writing. This revocation will be effective for future uses and disclosures of protected health information. However, the revocation will not be effective for information that we already have used or disclosed, relying on the written authorization.

PROTECTION OF ORAL, WRITTEN, AND ELECTRONIC PROTECTED HEALTH INFORMATION
We have measures in place to protect PHI according to applicable law and industry standards, such as security and privacy training for all employees.

YOUR RIGHTS WITH RESPECT TO YOUR PROTECTED HEALTH INFORMATION ARE AS FOLLOWS:

• You have the right to authorize or deny the release of PHI beyond uses for treatment, payment or healthcare operations.

• You have the right to request we restrict the protected health information we use or disclose about you for payment or healthcare operations.

• You may request that we communicate with you regarding your information in an alternative manner or at an alternative location if you believe that a disclosure of all or part of your PHI may endanger you.

• You have the right to inspect and to receive a copy of your protected health information contained in a designated record set at limited cost or, in some cases, free of charge. We will provide you with access to the PHI in the form and format requested, if readily producible in that form and format, or if not, in a readable copy form, or other form and format as mutually agreed upon. You have the right to transmit an electronic copy of your PHI in an EHR to a third party.

• You may request that we amend your information if you believe that your protected health information is incorrect or incomplete.

• You have a right to an accounting of disclosures of your protected health information that are required by the HIPAA Privacy Regulations and that are for reasons other than treatment, payment, or healthcare operations.

• You have the right to a paper copy of this Notice, even if you have agreed to accept this Notice electronically.

COMPLAINTS

You may complain to us if you believe that we have violated your privacy rights. You may file a complaint with us by writing to your local BCBS company privacy assistance contact at the address provided in the Contact Us section of this website.

You also may file a complaint with the Secretary of the U.S. Department of Health and Human Services. Complaints filed directly with the Secretary must: (1) be in writing; (2) contain the name of the entity against which the complaint is lodged; (3) describe the relevant problems; and (4) be filed within 180 days of the time you became or should have become aware of the problem.

We will not penalize or in any other way retaliate against you for filing a complaint with the Secretary or with us.