This notice describes how medical information about you may be used and disclosed and how you can get access to this information. Please review it carefully.

We care about the privacy of your health data. In keeping with federal law, we protect your privacy. This notice describes our privacy rules, our legal duty, and your rights about your health data. This notice went into effect Sept 22, 2013.

We must give you a copy of this notice and follow the terms of this notice. We have the right to change this notice at any time. If we make major changes to this notice, we’ll post a revised notice on HMSA’s website(hmsa.com). We’ll give you a copy of the revised notice or details about the changes and tell you how it can be retrieved.

Your Protected Health Information or PHI

Your PHI includes data about you, the health care you get, and payment for your care. HMSA gets and creates PHI. As an example, after you see your doctor, a claim is sent to HMSA. The claim may have details about your health, symptoms, injury or illness, exam, treatment, and more. Your PHI may be used in several ways, such as to pay your claim or to plan for your care.

Your Rights

The law gives you rights about your PHI. As an HMSA member, you have the right to:

• Ask for and get a copy of this notice at any time.
• See or ask for a copy of your PHI on paper or in electronic form. Or ask us to send a copy to a third party. There may be a fee for these copies.
• Ask us to limit how we use and share your PHI. There may be reasons why we can’t agree to your request. Even if we agree, we may still share your records during an emergency or when the law says we have to.
• Ask for and get a list of third parties that we share your PHI with for certain reasons.
• Ask that your PHI be sent to you by a different way other than by mail or be sent to a different address. This can be done if you think that your life is in danger.
• Ask to add to your PHI. Sometimes, we may not be able to grant your request, such as if we didn't create the PHI. If we deny your request, we’ll tell you why in writing. If you don’t agree, you may send us a letter that says you don’t agree.
• If there’s a misuse of your PHI, we’ll let you know about it if we think it’s needed or if the law says we have to.

You may contact us about your rights as noted at the end of this notice.

Our Duties

The law clearly spells out the duties of health plans. HMSA must:

• Protect the privacy of your PHI.
• Give you a notice of our privacy practices.
• Follow the terms of this notice.
• Fulfill your request to send PHI in a different way or to a different address. You can do this if you think that you’re in danger. Your request must be reasonable and state the other address or another way you want us to contact you. Also, your request must let us pay claims, send you letters, and collect premiums for your health plan.*
• Use and share only the PHI we need to do our jobs.
• Make sure our business associates agree to protect your PHI the same way we do.

We won’t use or share your PHI except when the law says we have to or as described in this notice. Also, we won’t ask you to give up your privacy rights to join an HMSA plan or to get care.

* Collecting premiums doesn't apply to HMSA QUEST members.

How PHI is Used and Shared

There are three key areas where we need to use and share your PHI: to treat you, to pay your claims, and for other health care operations. We may also contract with other parties or business associates to do the work for us as long as they agree to protect your PHI as we do. Each area is described below.

To treat you: This includes services to provide or manage your health care. As your health plan, we may need to share PHI with your doctor or others so that they can treat you.

To pay your claims: We need to pay claims from doctors, hospitals, and others for your care. We may also share PHI to collect premiums*, to see if you can get care, to set your level of coverage, and to work with other health plans to decide on benefits.

For health care operations: We want you to get quality health care services. To do that, we may get copies of your medical records and test results for quality review, to review provider qualifications, and to track wellness and manage disease. We may also use PHI to set premiums, resolve complaints and appeals, manage our business, and other operations.

Other laws may apply to the use and sharing of PHI, including laws for the use and sharing of substance use disorder information 42 C.F.R. Part 2.

Other Ways We Use and Share PHI

At times, we’ll need to use and share your PHI for your own good, to serve the public good, or when the law says we have to. In these cases, we’ll use and share only the least amount of PHI needed. For example:

To discuss treatment options or other products or services: HMSA or its business associates may use your PHI to send you details about care options or other products or services as allowed by law. This may include data about our provider network and new products or services that only HMSA members can get. It may also include options for other care, health care providers, or settings of care that may work for you. You may contact us if you don’t want to get certain letters. We’ll get your authorization to send you details about a third-party’s products or services if we get payment from the third party for doing so or in other cases when the law says we have to.

To others involved in your health care: Unless you object, we may share your PHI with your family members or a friend who’s involved in your health care.

For raising funds: HMSA doesn’t ask its members to raise funds for its own use. We don't use PHI or substance use disorder information for fundraising purposes.

For underwriting: We may use your PHI to create, renew, or replace your health plan or health benefits. We won’t use or share this PHI for any other reason except when the law says we can or the law says we have to. We won’t use or share genetic data for underwriting uses. If the contract for a health plan or health benefits is placed with us, we’ll use and share your PHI only as described in this notice or as allowed by law.

With your written authorization: Uses and sharing of psychotherapy notes, some uses and sharing of substance use information, some uses and sharing for marketing, and sharing that involves the sale of your PHI will need your authorization. You may also it to give us electronically or in writing so we can use or share your PHI with a person or third party you name. You may end your authorization in writing at any time. We’ll honor your request unless the PHI has already been shared. We won’t use or share your PHI for reasons that aren’t allowed by law or aren’t described in this notice unless we get your written authorization.

During an emergency or disaster: During a medical emergency or disaster, we may share your PHI to make sure you can get the care you need or to process payment for your care. We may also need to share your PHI during a disaster to help your family find out how you’re doing and where you are. If you aren’t present or aren’t able to agree to these uses of your PHI, we may need to decide if sharing the PHI is best for you.

To plan sponsors: We may share your PHI with your group health plan sponsor or its legal representative to help them manage your group health plan. Only the least amount of PHI needed will be shared.

For Health Information Exchanges (HIEs): We may take part in one or more HIEs. This means that your PHI may be available electronically to treat you, to pay your claim, or for health care operations. Other doctors and health plans that take part in the HIE may have access to this data.

To report to authorities: As required by law, we may share your PHI if we suspect abuse, neglect, or domestic violence.

For research: We may use or share your PHI with researchers when they agree to protect it.

To comply with privacy laws: We may use or share your PHI as required by privacy laws.

For workers’ compensation: We may share your PHI to comply with laws on workers’ compensation or similar programs.

For public health: We may share your PHI with public health or legal staff who work to prevent or control disease, injury, or disability as allowed to under law.

For health oversight: We may share your PHI to prevent fraud and abuse, and for audits, investigations, inspections, licenses, and other government activities that monitor health care as allowed under law.

For judicial and administrative matters: We may share your PHI in response to a court or administrative order, subpoena, or other law process, in some cases as allowed under law.

For law enforcement reasons: In a few cases, such as a court order, warrant, or grand jury subpoena, we may share your PHI with law enforcement officials as allowed under law.

For military or national security reasons: In some cases, we may share PHI of armed forces staff with military authorities. We may also share PHI with federal officials for national security reasons.

To coroners and medical examiners: In some cases, we may share PHI of decedents with coroners and medical examiners as allowed under law.

Substance Use Disorder (SUD) information: We may use and share your SUD information for treatment, payment, and health care operations as allowed to under law. We won't use or disclose your SUD information in a civil, criminal, administrative, or legislative proceeding against you, unless we receive your written consent or a court order for such use, as allowed under law.

Reproductive Health Care Information (RHI): We won't share your RHI with third parties when the purpose of the information is to identify, investigate or impose liability on you, your health care providers, or others who seek, obtain, provide, or facilitate reproductive health care that is allowed under law. For example, we won't share your RHI with law enforcement agencies if the purpose is to investigate or impose liability on you for obtaining services lawfully. In certain circumstances (e.g., for health oversight activities) an attestation must be provided before RHI can be disclosed.

Redisclosure: PHI disclosed in compliance with this privacy notice may be subject to redisclosure and no longer protected by the Privacy Rule.

Use of Artificial Intelligence (AI): We may collect, use, and share PHI using applications with AI to better serve you. We will only use AI as allowed under law.

Nondiscrimination and Language Assistance Services

HMSA doesn’t discriminate, exclude people, or treat people differently because of:

HMSA provides the following services to our members free of charge:

• Language interpretation or translation services for our members with limited English proficiency.
• Sign language services.
• Information in other formats, such as large print, audio, and accessible digital formats.

For More Information or to Report a Problem

For more details on HMSA’s privacy practices, please contact us as noted below.

If you think that your privacy rights have been breached, you may file a complaint with us at the address below. You may also send a written complaint to the U.S. Department of Health and Human Services. If you file a complaint, we assure you that we won’t retaliate in any way.

Thank you for taking the time to read this notice. As your health plan, HMSA works hard to take care of and protect your PHI. We know this is important to you and we take our duties seriously.

Contact HMSA at:

HMSA Privacy Office
P.O. Box 860
Honolulu, HI 96808-0860

Honolulu, Oahu

• Group/Individual Plans: 808-948-5555
• Federal/State/County Plans: 808-948-6499
• HMO Plans: 808-948-6372
• Blue Cross Blue Shield Service Benefit Plan (FEP): 808-948-6280
• HMSA QUEST: 808-948-6486
• HMSA Akamai Advantage: 808-948-6000
• Text Telephone (TTY): 1-877-447-5990
• Toll-free: 1-800-776-4672

Contact the U.S. Department of Health and Human Services at:

Office for Civil Rights, DHHS
90 7th St., Suite 4-100
San Francisco, CA 94103

Phone: 1-800-368-1019 toll-free
TDD: 1-800-537-7697 toll-free
Fax: 202-619-3818
Email: ocrmail@hhs.gov

Website: hhs.gov/hipaa/filing-a-complaint/what-to-expect/index.html