Privacy Notice

HOW WE¹ PROTECT YOUR PRIVACY

Effective: June 1, 2024
Revised: May 13, 2024

Summary

We are required to protect members’ personal health information by several state and federal laws. The most comprehensive regulations were issued under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). HIPAA regulations require entities like us to provide you with information about how your protected health information may be used and disclosed, and to whom. This notice explains what your protected health information is, how we must protect this information, and how you can access your protected health information. We must follow the terms of its privacy notice. We may also change or amend its privacy notice as the laws and regulations change. However, if the notice is materially changed, we will make the revised privacy notice available to you.

There are also state and federal laws requiring us to protect your non-public personal financial information.²  The most comprehensive regulations were issued under the Gramm-Leach-Bliley Act (“GLBA”). The GLBA requires us to provide you with a notice about how your non-public personal financial information may be used and disclosed, and to whom.

These duties, responsibilities and rights are described in more detail in the following Privacy Notice.

Medica's Privacy Notice

THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED UNDER STATE AND FEDERAL LAW, INCLUDING HIPAA, AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.

THIS NOTICE IS INTENDED FOR MEMBERS OF MEDICA OR ITS AFFILIATES.

What is PHI?

We are committed to protecting and maintaining the privacy and confidentiality of information that relates to your past, present or future physical or mental health, healthcare services and payment for those services. HIPAA refers to this information as “protected health information” or “PHI.” PHI includes information related to diagnosis and treatment plans, as well as demographic information such as name, address, telephone number, age, date of birth, and health history. We also protect cultural information such as race, ethnicity, language, gender identity, and sexual orientation, the same as all other PHI.

How does Medica protect your PHI?

We take our responsibility of protecting your PHI seriously. Where possible, we de-identify PHI. We use and disclose only the minimum amount of PHI necessary for treatment, payment and operations, or to comply with legal or similar requirements. In addition to physical and technical safeguards, we have administrative safeguards such as policies and procedures that require our employees to protect your PHI. We also provide training on privacy and security to its employees.

We protect the PHI of former members just as it protects the PHI of current members.

Under what circumstances does Medica use or disclose PHI?

We receive, maintain, use and share PHI only as needed to conduct or support: (i) treatment-related activities, such as referring you to a doctor; (ii) payment-related activities, such as paying a claim for medical services; and (iii) healthcare operations, such as developing wellness programs. Additional examples of these activities include:

• Enrollment and eligibility, benefits management, and utilization management
• Customer service
• Coordination of care³
• Health improvement and disease management (for example, sending information on treatment alternatives or other health-related benefits)
• Premium billing and claims administration
• Complaints and appeals, underwriting, actuarial studies, and premium rating (however, we are prohibited from using or disclosing your PHI that is genetic information for underwriting purposes)
• Credentialing and quality assurance
• Business planning or management and general administrative activities (for example, employee training and supervision, legal consultation, accounting, auditing)
• We may, from time to time, contact you with important information about your health plan benefits. Such contacts may include telephone, mail or electronic mail messages. However, we will not use cultural information, such as race, ethnicity, language, gender identity, and sexual orientation, for purposes of underwriting, rate setting or denial of coverage or benefits.

With whom does Medica share PHI?

We share PHI for treatment, payment and health care operations with your health care providers and other businesses that assist it in its operations. These businesses are called “business associates” in the HIPAA regulations. We require these business associates to follow the same laws and regulations that we follow.

Public Health, Law Enforcement and Health Care Oversight

There are also other activities where the law allows or requires us to use or disclose your PHI without your authorization. Examples of these activities include:

• Public health activities (such as disease intervention)
• Healthcare oversight activities required by law or regulation (such as professional licensing, member satisfaction surveys, quality surveys, or insurance regulation)
• Law enforcement purposes (such as fraud prevention or in response to a subpoena or court order)
• Assisting in the avoidance of a serious and imminent threat to health or safety; and
• Reporting instances of abuse, neglect, domestic violence or other crimes.

Employee Benefit Plans

We have policies that limit the disclosure of PHI to employers. However, we must share some PHI (for example, enrollment information) with a group policyholder to administer its business. The group policyholder is responsible for protecting the PHI from being used for purposes other than health plan benefits.

Research

We may use or release PHI for research.  We will ensure that only the minimum amount of information that identifies you will be disclosed or used for research.  HIPAA allows us to disclose a very limited amount of your PHI, called a “limited data set” for research without your authorization. You have the right to opt-out of disclosing your PHI for research by contacting us as described below. If we use any identifiers, we will request your permission first.

Family Members

Under some circumstances we may disclose information about you to a family member. However, we cannot disclose information about one spouse to another spouse, without permission.  We may disclose some information about minor children to their parents. You should know, however, that state laws do not allow us to disclose certain information about minors – even to their parents.

When does Medica need your permission to use or disclose your PHI?

From time to time, we may need to use or disclose PHI where the laws require us to get your permission. We will not be able to release the PHI until you have provided a valid authorization. In this situation, you do not have to allow us to use or disclose your PHI. We will not take any action against you if you decide not to give your permission. You, or someone you authorize (such as under a power of attorney or court-appointed guardian), may cancel an authorization you have given, except to the extent that we have already relied on and acted on your permission.

Your authorization is generally required for uses and disclosures of PHI not described in this notice, as well as uses and disclosures in connection with:

• Psychotherapy Notes. We must obtain your permission before making most uses and disclosures of psychotherapy notes.
• Marketing. Subject to limited exceptions, we must also obtain your permission before using or disclosing your PHI for marketing purposes.
• Sales. Additionally, we are not permitted to sell your PHI without your permission.  However, there are some limited exceptions to this rule—such as where the purpose of the disclosure of PHI is for research or public health activities.

What are your rights to your PHI?

You have the following rights with regard to the PHI that we have about you. You, or your personal representative on your behalf, may:

Request restrictions of disclosure. You may ask us to limit how it uses and discloses PHI about you. Your request must be in writing and be specific as to the restriction requested and to whom it applies. We are not required to always agree to your restriction. However, if we do agree, we will abide by your request.

Request confidential communications. You may ask us to send your PHI to a different address or by fax instead of mail. Your request must be in writing. We will agree to your request if it is able.

Inspect or obtain a copy of your PHI. We keep a designated record set of its members’ medical records, billing records, enrollment information and other PHI used to make decisions about members and their benefits. You have the right to inspect and get a copy of your PHI maintained in this designated record set. Your request must be in writing on our form. If the PHI is maintained electronically in a designated record set, you have a right to obtain a copy of it in electronic form. We will respond to your request within thirty (30) days of receipt. We may charge you a reasonable amount for providing copies. You should know that not all the information we maintain is available to you and there are certain times when other individuals, such as your doctor, may ask us not to disclose information to you.

Request a change to your PHI. If you think there is a mistake in your PHI or information is missing, you may send us a written request to make a correction or addition.  We may not be able to agree to make the change. For example, if we received the information from a clinic, we cannot change the clinic information—only the clinic can. If we cannot make the change, we will let you know within thirty (30) days.  You may send a statement explaining why you disagree, and we will respond to you. Your request, our disagreement and your statement of disagreement will be maintained in our designated record set.

Request an accounting of disclosures. You have the right to receive a list of disclosures we have made of your PHI. There are certain disclosures we do not have to track.  For example, we are not required to list the times we disclosed your PHI when you gave us permission to disclose it.  We are also not required to identify disclosures made that go back more than six (6) years from the date you asked for the listing.

Receive a notice in the event of a breach. We will notify you, as required under federal regulations, of an unauthorized release, access, use or disclosure of your PHI.  “Unauthorized” means that the release, access, use or disclosure was not authorized by you or permitted by law without your authorization. The federal regulations further define what is and what is not a “breach.”  Not every violation of HIPAA, therefore, will constitute a breach requiring a notice.

Request a copy of this notice. You may ask for a separate paper copy of this notice.

TO EXERCISE ANY OF THESE RIGHTS, PLEASE CONTACT MEMBER SERVICES AT THE TELEPHONE NUMBER ON THE BACK OF YOUR ID CARD, OR CONTACT MEDICA AT P.O. BOX 9310, MINNEAPOLIS, MN 55440-9310.

File a complaint or grievance about Medica's privacy practices. If you feel your privacy rights have been violated by us, you may file a complaint. You will not be retaliated against for filing a complaint. To file a complaint with us, please contact Customer Service at the contact information listed above. You may also file a complaint with the Secretary of the U.S. Department of Health and Human Services. To do so, write to the Office for Civil Rights, U.S. Department of Health & Human Services, 233 N. Michigan Ave Suite 240, Chicago, IL 60601.

About this notice

We are required by law to maintain the privacy of PHI and to provide this notice. We are required to follow the terms and conditions of this notice. However, we may change this notice and its privacy practices, as long as the change is consistent with state and federal law. If we make a material change to this notice, we will make the revised notice available to you within sixty (60) days of such change.

FINANCIAL INFORMATION PRIVACY NOTICE

THIS NOTICE EXPLAINS HOW FINANCIAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.

THIS NOTICE IS INTENDED FOR MEMBERS OF MEDICA OR ITS AFFILIATES.

How do we protect your information?

We take our responsibility of protecting your information seriously. We maintain measures to protect your information from unauthorized use or disclosure. These measures include the use of policies and procedures, physical, electronic and procedural safeguards, secured files and buildings and restrictions on who and how your information may be accessed.

What information do we collect?

We may collect information about you including your name, street address, telephone number, date of birth, medical information, social security number, premium payment and claims history information.

How do we collect your information?

We collect information about you in a variety of ways. We obtain such information about you from:

• You, on your application for insurance coverage
• You, concerning your transactions with us, our affiliates or others
• Your physician, health care provider or other participants in the health care system
• Your employer
• Other third parties

Under what circumstances do we use or disclose non-public personal financial information?

We use your non-public financial information for its everyday business operations. This includes using your information to perform certain activities in order to implement and administer the product or service in which you are enrolled. Examples of these activities include enrollment, customer service, processing premium payment, claims payment transactions, and benefit management.

We may disclose your information to the following entities for the following purposes:

• To our affiliates to provide certain products and services.
• To our contracted vendors who provide certain products and services on our behalf.
• To a regulatory authority, government agency or a law enforcement official as permitted or required by law, subpoena or court order.

IF YOU HAVE ANY QUESTIONS ABOUT THIS NOTICE, PLEASE CONTACT MEMBER SERVICES AT THE TELEPHONE NUMBER ON THE BACK OF YOUR ID CARD, OR CONTACT MEDICA AT P.O. BOX 9310, MINNEAPOLIS, MN 55440-9310.

---

¹ This Notice of Privacy Practices applies to the following health plans that are affiliated with Medica: Medica Health Plans, Medica Insurance Company, Medica Community Health Plan, Medica Regional Insurance Company, Medica Central Health Plan, Medica Central Insurance Company, Dean Health Plan, Inc., Dean Health Insurance, Inc., and Prevea360 Health Plan. This notice applies to the combined Medica/Dean Health Affiliated Covered Entities (ACE), which are designated as a single HIPAA covered entity as permitted by HIPAA and may be amended from time to time to add new covered entities that are under common control or ownership.

² For purposes of the Financial Notice of Privacy Practices, this notice applies to health plans that are affiliated with Medica.

³ Dean Health Insurance, Inc., along with Dean Health Plan, Medica Central Health Plan, and Medica Central Insurance Company may take part in Organized Health Care Arrangements (OHCAs), including an OHCA with SSM Health and Dean Health System. As part of an OHCA, we may from time to time share your information with other members of the OHCA in order to perform joint health care activities as permitted by HIPAA.