Privacy Notice

This notice describes how your health data may be used and disclosed and how you can access your data. Please read it in detail.

We care about the privacy of your health data and protect your privacy in keeping with federal law. This notice describes our privacy rules, our legal duty, and your rights about your health data. This notice went into effect on September 22, 2013.

We must give you a copy of this notice and follow the terms of this notice. We have the right to change this notice at any time. If we make major changes to this notice, we’ll post a revised notice on this website. We’ll give you a copy of the revised notice or details about the changes and tell you how to get the revised notice.

Your Protected Health Information, or PHI

Your PHI includes data about you, the health care services you get, and payment for your care. HMSA gets and produces PHI. For example, after you visit the doctor, a claim is sent to HMSA. The claim may have details about your health, symptoms, injury or illness, exam, treatment, and more. Your PHI may be used in several ways, such as to pay your claim or to plan your care.

Your Rights

The law gives you rights about your PHI. As an HMSA member, you have the right to:

  • Ask for and get a copy of this notice at any time.
  • See or ask for a copy of your PHI on paper or in electronic form. There may be a fee for these copies.
  • Ask us to limit how we use and share your PHI. There may be reasons why we can’t agree to your request. Even if we agree, we may still share your records during emergencies or when the law says we have to.
  • Ask for and get a list of third parties that we share your PHI with for certain reasons.
  • Ask that your PHI be sent to you by a different way other than by mail or be sent to a different address. This can be done if you feel your life is in danger.
  • Ask to add to your PHI. In some cases, we may not be able to grant your request, such as if we did not create the PHI. If we deny your request, we’ll tell you why in writing. If you don’t agree, you may send us a letter that says you do not agree.
  • If there is a misuse of your PHI, we’ll let you know about it if we feel it’s needed or if the law says we have to.

You may contact us as noted at the end of this notice about your rights.

Our Duties

The law clearly spells out the duties of health plans. HMSA must:

  • Protect the privacy of your PHI.
  • Give you a notice of our privacy practices.
  • Follow the terms of this notice.
  • Fulfill your request to send PHI in a different way or to a different address. This can be done if you feel you are in danger. Your request must be reasonable and state the other address or the other way you want us to contact you. Also, your request must let us pay claims, send you letters, and collect premiums for your health plan.*
  • Use and share only the PHI we need to do our jobs.
  • Make sure our business associates (BAs) agree to protect your PHI the same way we do.

We won’t use or share your PHI except when the law says we have to or as described in this notice. Also, we won’t ask you to give up your privacy rights to join an HMSA plan or to get care.

* Collecting premiums does not apply to HMSA QUEST members.

How PHI is Used and Shared

There are three key areas where we need to use and share your PHI: to treat you, to pay your claims, and for other health care operations. We may also contract with other parties or BAs to do the work for us, as long as they promise to protect your PHI as we do. Each area is described below.

To treat you: This includes services to provide or manage your health care. As your health plan, we may need to share PHI with your docĀ¬tor or others so they can treat you.

To pay your claims: We need to pay claims from doctors, hospitals, and others for your care. We may also share PHI to collect premiĀ¬ums, to see if you can get care, to set your level of coverage, and to work with other health plans to decide on benefits.

For health care operations: We want you to get quality health care services. To do that, we may get copies of your medical records and your lab test results for quality review, to review provider qualifications, and to track wellness and manage disease. We may also use PHI to set premiums, resolve complaints and appeals, manage our business, and other operations.

Other Ways We Use and Share PHI

At times, we’ll need to use and share your PHI for your own good, to serve the public good, or when the law says we have to. In these cases, we’ll use and share only the smallest amount of PHI needed. Examples are:

To discuss treatment options or other products or services: HMSA or its BAs may use your PHI to send you details on care options or other products or services as allowed by law. This may include data on our provider network and new products or services that only HMSA members can get. It may also include options on other care, health care providers, or settings of care that may work for you. You may contact us if you don’t want to get certain letters. We’ll get your authorization to send you details about a third-party’s products or services if we get financial payment from the third party for doing so or in other cases when the law says we have to.

To others involved in your health care: Unless you object, we may share your PHI with your family members or a friend who’s involved in your health care.

For raising funds: HMSA doesn’t ask its members to raise funds for its own use.

For underwriting: We may use your PHI to create, renew, or replace your health plan or health benefits. We won’t use or share this PHI for any other reasons except when the law says we can or the law says we have to. We won’t use or share genetic data for underwriting uses. If the contract for a health plan or health benefits is placed with us, we’ll use and share your PHI only as described in this notice or as allowed by law.

With your written authorization: Most uses and sharing of psychotherapy notes, some uses and sharing for marketing, and sharing that involves the sale of your PHI will need your authorization. You may also give us authorization in writing to use or share your PHI with someone you name. You may end your authorization in writing at any time. We’ll honor your request unless the PHI has already been shared. We won’t use or share your PHI for reasons that are not allowed by law or not described in this notice unless we get your written authorization.

During an emergency or disaster: During a medical emergency or disaster, we may share your PHI to make sure you can get the care you need or to process payment for your care. We may also need to share your PHI during a disaster to help your family find out how you’re doing and where you are. If you’re not present or are not able to agree to these uses of your PHI, we may need to decide if sharing the PHI is best for you.

To plan sponsors: We may share your PHI with your group health plan sponsor or its legal representative to help them manage your group health plan. Only the smallest amount of PHI needed will be shared.

For health information exchanges (HIEs): We may take part in one or more HIEs. This means that your PHI may be available electronically to treat you, to pay your claim, or for health care operations. Other doctors and health plans that take part in the HIE may have access to this data.

To report to authorities: As required by law, we may share your PHI if we suspect abuse, neglect, or domestic violence.

For research: We may use or share your PHI with researchers when they agree to protect it.

To comply with privacy laws: We may use or share your PHI as required by privacy laws.

For workers’ compensation: We may share your PHI to comply with laws on workers’ compensation or similar programs.

For public health: We may share your PHI with public health or legal staff who work to prevent or control disease, injury, or disability.

For health oversight: We may share your PHI to prevent fraud and abuse, and for audits, investigations, inspections, licenses, and other government activities to monitor health care.

For judicial and administrative matters: We may share your PHI in response to a court or administrative order, subpoena, or other law process, in some cases.

For law enforcement reasons: In a few cases, such as a court order, warrant, or grand jury subpoena, we may share your PHI with law enforcement officials.

For military or national security reasons: In some cases, we may share PHI of armed forces staff with military authorities. We may also share PHI with federal officials for national security reasons.

For More Information or to Report a Problem

For more details on HMSA’s privacy practices, please contact us as noted at the end of this notice.

If you believe that your privacy rights have been breached, you may file a complaint with us as noted at the end of this notice. You may also send a written complaint to the U.S. Department of Health and Human Services. If you choose to file a complaint, we assure you that we won’t retaliate in any way.

Thank you for taking the time to review this notice. As your health plan, we work hard to take care of your PHI. We know this is important to you and we take our duties very seriously.

Write to HMSA at:

HMSA Privacy Office
P.O. Box 860
Honolulu, HI 96808-0860

Honolulu, Oahu

Hilo, Hawaii Island: 808-935-5441

Kona, Hawaii Island: 808-329-5291

Lihue, Kauai: 808-245-3393

Kahului, Maui: 808-871-6295

Write to the U.S. Department of Health and Human Services at:

Office for Civil Rights, DHHS
90 7th St., Suite 4-100
San Francisco, CA 94103

Phone: 415-437-8310
TDD: 415-437-8311
Fax: 415-437-8329

www.hhs.gov/ocr/privacy/hipaa/complaints/index.html