We take the issue of online privacy very seriously. And you should, too. All the information we collect from you -- our users -- or that you provide to us is secured and maintained in accordance with a variety of state and federal laws and regulations, as well as our robust corporate standards. What follows are the details, sometimes a lot of them, concerning the information we collect, use, and disclose (and why), and our approach to maintaining your privacy. Transparency is our goal and achieving that and keeping you informed requires some length, so we urge you to read this document in its entirety.
Some Important Definitions You’ll Need To Understand
There are key definitions you’ll meet again and again in this document, and you’ll want to understand them up front -- consumer platforms, users, you/your, personal information, and third party/third parties.
Note on HIPAA and Protected Health Information
- Highmark Inc. NPP
- Allegheny Health Network NPP
- HM Insurance Group NPP
- United Concordia Companies Inc. NPP
- Reference to “users” means any individual visiting, using, and/or providing personal information via one of our consumer platforms. In short, “users” equals “you” when you are visiting or using any of our consumer platforms.
- The term “personal information” means any individually identifiable information about a user -- this includes, for example, demographic information such as your name or date of birth; contact information such as address, phone number, or email address; customer-related information such as account number or other identifier; financial information such as payment card or account number for online payments; and digital presence information such as internet protocol (IP) address, click streams (your clicking activity on a page or site), or cookie ID.
1. What We Collect
We collect personal information from and about you in a number of ways. We leverage online forms, secure portals, third party links/icons, interactive chat, biometric login, location services, mobile device data, and cookie and tag technologies to collect personal information.
How you interact with a particular Highmark Health consumer platform will generally determine the type and amount of personal information we collect. For general website browsing, we may capture limited personal information such as your browser type, IP address, device hardware model, as well as server log information such as session time, click streams, and crash reports. For other features, we may need to verify your identity through a login process and collect sufficient personal information to provide a response or administer the service requested.
What follows below in Sections 1 and 2 are further details regarding the personal information we collect with our information-gathering tools, and our specific and general uses and access to and disclosure of your personal information associated with those tools.
Highmark Health invites users to contact us using inquiry forms available on our corporate-owned platforms for account questions or to learn more about our products and services. The personal information we request on inquiry forms generally includes your name, address, phone number, email address, and the details of your inquiry. We may use such information to review and respond to your request or communication, or use contracted service providers to do that for us. We may also use information collected through online forms as stated in Section 2 below.
Highmark Health has established secure portals for use by members and patients. When you access them to review your health and benefit-related information or to contact your health plan or physician’s office regarding certain inquiries, such as reviewing claims or requesting prescription refills, we collect certain personal information, such as your user ID and password, IP address, click streams, and cookie ID. Communications sent by or to members or patients who choose to use these secure portals may also be recorded in transaction logs to monitor content, compliance with applicable law and regulations, or functionality of the services. If the information collected is deemed to be PHI as noted above, its use and disclosure will be subject to HIPAA and an applicable NPP. We may also use information collected through secure portals pre-password as stated in Section 2 below.
Our consumer platforms may offer interactive chat technology to assist users. That interactive technology may collect personal information such as name, date of birth, address, and account number for authentication purposes or to provide specific plan benefit details in a personalized response. It may also capture session-related information such as web logs to document the interaction. If the information collected is deemed to be PHI as noted above, its use and disclosure will be subject to HIPAA and an applicable NPP. We may also use information collected through interactive chat pre-password as stated in Section 2 below.
You may be invited by your mobile device to use fingerprint, facial recognition, or similar recognition and biometric technology to login to our consumer platforms. When a biometric login is enabled, our consumer platforms recognize that you have selected this as a preference and have been authenticated through your mobile device and you are permitted access. When you use biometric login functionality on our consumer platforms, we do not collect any of the actual biometrics (e.g., fingerprints or facial images); that is managed and maintained on your mobile device and by the mobile device manufacturer (e.g., Apple, Samsung).
Our consumer platforms may use the location services functionality on your mobile device and thereby collect your geolocation data. We use geolocation data to assist you in finding local care sites, communicating about geographically-based products and services, and other relevant content based on your location. We may also use information collected through location services as stated in Section 2 below.
Our consumer platforms may collect certain personal information when being run on a mobile device; for example, if one of our mobile applications is downloaded, we may collect information about the device type, its software/operating system, and device identifier. We use this information to assess and analyze information about our general user base and to improve our technical support capabilities. We may also use information collected from your mobile device as stated in Section 2 below.
Cookies -- yes, we use them
A cookie is a small text file that is stored on a computer or other internet-connected device when it accesses a digital resource. Cookies can capture user information such as IP address, internet browser and operating system type, the date and time of a digital interaction, session information such as page response times, your search history, saved preferences and password information (if a user elects to have a website remember this information), information about the referring uniform resource locator (URL), click stream to and through and from our consumer platforms, and similar details.
Highmark Health’s consumer platforms may use first-party cookies (i.e., ones we create) to support our digital resources, monitor their performance, enhance the user experience, and assess information about our user base to help inform our decisions about content delivery. We may gather and use information obtained from first-party cookies to provide customers and prospects with tailored messaging. We may also employ cookies on third party websites to facilitate the delivery of our services and help study users’ activities online over time.
Highmark Health may use third party advertising cookies to serve our ads on other websites and digital properties. Advertising companies may also use information obtained from cookies placed on your device in order to measure advertising effectiveness and to provide non-Highmark Health advertisements they deem of interest to you on other platforms. If you would like to review and manage and/or opt-out of third party cookies used for targeted advertising, you may navigate to the following links provided by the Network Advertising Initiative (http://optout.networkadvertising.org/?c=1) and the Digital Advertising Alliance (http://optout.aboutads.info/?c=2&lang=EN).
Cookies that may be employed on our consumer platforms include the following types:
- Strictly necessary: cookies which enable various underlying resource features and functionalities such as authenticating users.
- Functional: cookies which support enhanced browsing experience and personalization.
- Performance/Analytics: cookies which help us evaluate the effectiveness of digital resources, understand user patterns, and measure errors.
- Targeting/Advertising: cookies which help us learn your tendencies and develop a profile to serve you relevant content and ads we deem of interest.
Most internet browser settings can be modified by users to attempt to block cookies (e.g., choosing a “do not track” option). If you choose to block cookies using your browser settings, Highmark Health’s consumer platforms may not respond to these choices. Also, you should be aware that blocking cookies could prevent a particular consumer platform or certain features from fully functioning. We encourage you to keep cookies enabled for an optimized user experience.
Third Party Platforms
Some of the features and components you encounter on our consumer platforms are owned and controlled by third parties. That means we do not manage data collection, use, or disclosure activities within their features or components, even though we may receive information from them about you. Here’s an example: Highmark Health maintains a Facebook page, but we have no control over how Facebook, as a third party, collects, uses, or discloses information obtained from users when they visit that page. Here’s another one: One of our mobile applications can be downloaded or updated through Apple or Google, but we have no control over Apple’s or Google’s collection of information from your mobile device during that download or update.
2. General Uses And Access To and Disclosure Of Personal information
Highmark Health uses your personal information collected through our consumer platforms for all the specific purposes stated in Section 1 above. Additional general uses include to:
- Provide relevant and tailored health care messaging.
- Administer clinical care and insurance benefits and provide information regarding general well-being.
- Provide product, program, and service updates, event notices, details about new offerings, and announcements of interest.
- Update and maintain information about users.
- Monitor the effectiveness of our consumer platforms and features.
- Ensure our digital resources function as intended and meet our users’ expectations.
- Help us authenticate you as an authorized user and unique individual.
- Evaluate your individual experience across our digital properties and help us assess and optimize our products, programs, services, and digital offerings.
- Carry out our marketing, advertising, and general commercial business purposes.
We may also use your personal information to provide you with access to information about additional products, programs, and services offered by our family of companies or our business partners. We will use the contact information you provide to communicate with you via phone, email, text, and/or regular mail, according to your preferences. You may remove yourself from certain communication channels at any time -- just follow the opt-out instructions included in those specific communications.
Access By Employees
Personal information of our users is utilized to conduct routine business operations. Employees of Highmark Health and its family of companies are required to maintain the confidentiality of your personal information and to use strict standards of care in handling this information. This is enforced by written confidentiality statements, corporate policies, training, and state or federal laws or regulations. Employees who do not conform to these requirements are subject to disciplinary sanctions.
Disclosure To Service Providers
Highmark Health may disclose your personal information collected through its consumer platforms to service providers that are contracted by Highmark Health. Highmark Health’s service providers are legally bound by contract to follow the same or similar standards of confidentiality as followed by Highmark Health, and to handle your personal information with due care.
Disclosure To Third Parties
Other than as set forth in Section 1 above, and as permitted or required by law, Highmark Health generally does not disclose personal information collected through its consumer platforms to third parties without the permission of the user. Personal information may be disclosed to a third party if there is a specific legal basis, if there is a need to complete a transaction requested by the user, or if necessary for providing a service or benefit to the user. For example, personal Information such as IP address may be disclosed to third party advertising networks to display ads of interest to you.
Disclosure To Comply With Law, Respond To Legal Requests, Prevent Harm, and Protect Our Rights
Highmark Health may disclose your personal information to courts, law enforcement, governmental oversight agencies, and other appropriate licensure bodies as permitted or required by applicable law, or if such disclosure is reasonably necessary to:
- Comply with legal obligations.
- Comply with legal process and to respond to claims asserted against Highmark Health.
- Respond to verified requests in relation to a criminal investigation or alleged or suspected illegal activity, or any other activity that may expose us or any of our users to legal liability.
- Protect the rights of Highmark Health, its employees, customers, or the public.
For instance, personal information may be shared with public health authorities to contain the spread of infectious diseases.
California Consumer Privacy Act (CCPA) and Sale of Personal Information
Highmark Health does not sell your personal information collected through our consumer platforms for monetary consideration. However, under some circumstances and according to some state laws (such as CCPA), a transfer of personal information to third parties, even without monetary consideration, may be considered a “sale” of your personal information. See Section 4 below for more information regarding CCPA.
Retention of Personal Information
Anonymizing Personal Information
Your personal information may be anonymized by Highmark Health -- which means stripped of individual identifiers -- and aggregated with other data sets, and used for internal business purposes without permission.
3. Security, Privacy, and Data Governance
Highmark Health uses reasonable, industry-standard information security practices and technology. Security controls include, where appropriate, encryption, application/system authentication and access management, network firewalls, threat monitoring, incident response, and workforce education. Users who communicate with Highmark Health using unsecured means, such as a personal e-mail account or SMS texting, should be aware that there is always some risk of the potential interception or misuse of your information when communicating in unsecured ways.
Internal Privacy And Data Ethics Program
Highmark Health’s data governance program guides the overall management of the availability, usability, integrity, confidentiality, and security of data under Highmark Health’s control and custody. It encompasses the people, processes, and technology to streamline and govern the proper handling of data.
4. Other Relevant Data And Consumer Protection Laws
Children’s Online Privacy Protection Act (COPPA) and similar state laws
Our consumer platforms are not typically directed at or made available to children under the age of 13, and we typically do not make attempts to collect, use, or disclose information from children under the age of 13. Pursuant to some state laws, minors can independently consent to receive medical care without the consent of a parent or legal guardian; in these circumstances, some of our consumer platforms, such as secure patient portals, are offered to minors for use in connection with their health care.
Highmark Health also makes reasonable attempts to comply with applicable state laws governing advertising and marketing to children, including the Delaware Online Privacy Protection Act, which prohibits marketing to children under the age of 18.
European Union General Data Protection Regulation (GDPR)
Highmark Health has determined that some of our business segments are subject to obligations set by the GDPR. For further detail regarding our disclosures to data subjects located in the European Union or European Economic Area, please navigate to our GDPR Statement.
Nevada Privacy of Information Collected on the Internet from Consumers Act (NPICICA)
Highmark Health does not sell covered information as defined by the NPICICA. Users who would like to inquire about the selling of covered information under the NPICICA can contact us using the information provided in section 5 below.
Questions And Concerns
(© 2014 Highmark Health — last revised June 2020)