MEMBER PRIVACY POLICY
If you are a member of a health plan, please consult your health plan’s HIPAA Notice of Privacy Practices for more information about how your protected health information (PHI) is handled.
SCOPE
Your privacy is important to us. As a HIPAA Business Associate, Healthcare Financial Inc. (HFI) shares a commitment with Covered Entities to protect the privacy and confidentiality of Protected Health Information (PHI) that we obtain subject to the terms of a Business Associate Agreement. This policy is provided to help you better understand how we use, disclose, and protect PHI in accordance with the terms of Business Associate Agreements. HFI provides services to Medicaid Managed Care organizations (i.e. health plans) by advocating for their most vulnerable members and helping them get necessary SSI/SSDI disability benefits and income.
HFI reaches out to health plan members ONLY when there’s a written contract and agreement for HFI to supplement the health plan’s service offerings to their members.
DEFINITIONS
- Business Associate Agreement (BA Agreement). A formal written contract between HFI and a Covered Entity that requires HFI to comply with specific requirements related to PHI.
- Covered Entity. A health plan, healthcare provider, or healthcare clearinghouse that must comply with the HIPAA Privacy Rule.
- Protected Health Information (PHI). PHI includes all “individually identifiable health information” that is transmitted or maintained in any form or medium by a Covered Entity. Individually identifiable health information is any information that can be used to identify an individual and that was created, used, or disclosed in (a) the course of providing a health care service such as diagnosis or treatment, or (b) in relation to the payment for the provision of health care services.
INFORMATION COLLECTION
We may obtain information about you in a number of ways, including through (A) information you provide to your health plan; (B) information you provide to us directly; (C) information we collect from your health care providers; (D) information we collect from the Social Security Administration (SSA); and (E) information we automatically collect:
Information You Provide To Your Health Plan
We collect information about you shared by your health plan. In the course of your interactions with the plan and your health care providers, you may provide biographical and demographic information (including, but not limited to, your name, address, email address, phone number, date of birth, gender, and ethnicity). This may additionally include medically related data, including, but not limited to: medical records, diagnosis, medications, treatment, and doctor’s notes.
Information You Provide To Us Directly
We may collect information from you to complete and support your SSI/SSDI application process. Information may include, but is not limited to: your name, address, email address, phone number, date of birth, gender, and ethnicity. This may additionally include medically related data, including, but not limited to: medical records, diagnosis, medications, treatment, and doctor’s notes.
Information We Collect From Your Health Care Providers
We may collect information about you to complete and support your SSI/SSDI application process. Information may include, but is not limited to: medical records, diagnosis, medications, treatment, and doctor’s notes.
Information We Collect From Social Security Administration (SSA)
We may collect information about your SSI/SSDI application progress and status.
Information Automatically Collected
If you use our website, certain information may be collected from your computer or device during your interaction with the Websites. Please refer to our Website Privacy Policy.
USE AND DISCLOSURE OF PHI
We may use PHI for our management, administration, data aggregation and legal obligations to the extent such use of PHI is permitted or required by the BA Agreement and not prohibited by law. We may use or disclose PHI on behalf of, or to provide services to, Covered Entities for purposes of fulfilling our service obligations to them, if such use or disclosure of PHI is permitted or required by the BA Agreement and would not violate the Privacy Rule.
In the event that PHI must be disclosed to a subcontractor or agent, we will ensure that the subcontractor or agent agrees to abide by the same restrictions and conditions that apply to us under the BA Agreement with respect to PHI, including the implementation of reasonable and appropriate safeguards.
We may also use PHI to report violations of law to appropriate federal and state authorities.
SAFEGUARDS
We use appropriate safeguards to prevent the use or disclosure of PHI other than as provided for in the BA Agreement. We have implemented administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic protected health information that we create, receive, maintain, or transmit on behalf of a Covered Entity. Such safeguards include:
- Maintaining appropriate clearance procedures and providing supervision to assure that our workforce follows appropriate security procedures;
- Providing appropriate training for our staff to assure that our staff complies with our security policies;
- Making use of appropriate encryption when transmitting PHI over the Internet;
- Utilizing appropriate storage, backup, disposal and reuse procedures to protect PHI;
- Utilizing appropriate authentication and access controls to safeguard PHI;
- Utilizing appropriate security incident procedures and providing training to our staff sufficient to detect and analyze security incidents; and
- Maintaining a current contingency plan and emergency access plan in case of an emergency to assure that the PHI we hold on behalf of a Covered Entity is available when needed.
MITIGATION OF HARM
In the event of a use or disclosure of PHI that is in violation of the requirements of the BA Agreement, we will mitigate, to the extent practicable, any harmful effect resulting from the violation. Such mitigation will include:
- Reporting any use or disclosure of PHI not provided for by the BA Agreement and any security incident of which we become aware to the Covered Entity; and
- Documenting such disclosures of PHI and information related to such disclosures as would be required for Covered Entity to respond to a request for an accounting of disclosure of PHI in accordance with HIPAA.
YOUR EMAILS
Please note that individualized information transmitted via email correspondence between you and HFI — as opposed to transmission over the Website — is not encrypted. As a result, like most, if not all, non-encrypted Internet email communications, such email correspondence may be accessed and viewed by other Internet users without your knowledge and permission while in transit. For that reason, to protect your privacy, please refrain from sending PHI through this forum and call your representatives to discuss your matters confidentially.
DATA TRANSFERS
Any personal information you provide to us may be stored and processed, transferred between and accessed from the United States where we are headquartered.
RETENTION
We retain your personal data as long as permissible by law or up to ten (10) years. When we no longer need the personal information we collect, we either deidentify the information or securely destroy the information.
ACCESS TO PHI
As provided in the BA Agreement, we will make available to Covered Entities the information necessary for the Covered Entity to give individuals their rights of access, amendment, and accounting in accordance with HIPAA regulations.
Upon request, we will make our internal practices, books, and records, including policies and procedures, relating to the use and disclosure of PHI received from, or created or received by the BA on behalf of, a Covered Entity available to the Covered Entity or the Secretary of the U.S. Department of Health and Human Services for the purpose of determining compliance with the terms of the BA Agreement and HIPAA regulations.
OPT-OUT PROCESS
HFI has elected to follow general guidelines and best practices surrounding the Do Not Call / Contact process, and is committed to honoring the requests of its current and prospective clients (i.e. health plan members) to respect their rights to privacy.
HFI has established and implemented written procedures to honor health plan members’ requests to be excluded from receiving any outreach communications from us by mail or phone (voice, text, or fax) with regards to our services.
Health plan members must provide us the address and phone number(s) at which they no longer wish to receive any outreach communications by mail or phone (voice, text, or fax). Any request to be placed on our internally-maintained Do Not Call / Contact list will be processed within a reasonable amount of time, not to exceed 30 days.
To submit your Opt-Out request:
- Call us at 866.627.7434 to speak with one of our representatives to update your preferences.
- Email us via the Contact Us page on this site.
- Send us a letter to Healthcare Financial, Inc. c/o Compliance Department – Do Not Call / Contact List, 2 Heritage Dr, 7th Floor, Quincy, MA 02171.
REVISIONS TO THIS PRIVACY POLICY
HFI is always looking to offer expanded features and functions that make healthcare more efficient and accessible. As additional features and functions are added, updates to this Privacy Policy may be necessary, and we reserve the right, at our sole discretion, to change, modify, add, remove, or otherwise revise portions of this Privacy Policy at any time. When we do, we will post the change(s) on the Websites. Each time you visit this website or any HFI website it is your responsibility to review the most current Terms and Conditions and any other policies, restrictions, conditions and notices on this website or any HFI website you access. By accessing, browsing, and/or otherwise using the Websites following the posting of changes, you accept and agree to be bound by those changes.
CONTACT US
If you have any questions or comments about this Member Privacy Policy, please email us via the Contact Us page on this site, or send a letter to Healthcare Financial, Inc. c/o Chief Compliance Officer, 2 Heritage Dr, 7th Floor, Quincy, MA 02171.
All communications should include the individual’s name and contact information and a detailed explanation of the request. HFI will endeavor to respond to all reasonable requests in a timely manner and within any time limits prescribed by applicable law.