Provider Privacy Policy


Providers shall comply with all state and federal laws and regulations pertaining to privacy and protection of patients’ health information including, but not limited to, the Health Insurance Portability and Accountability Act (HIPAA) as amended, and Minnesota Statutes, Chapter 144 (“Department of Health”).

Both health plans and health care providers are “covered entities” as defined under HIPAA and, as such, are required to understand and comply with the HIPAA Privacy Rule.

There are several state and federal laws requiring Medica to protect our members’ personal information. The most recent regulations (45 CFR parts 160 and 164) are tied to the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The regulations describe how Medica must protect this information and how our members can access their personal information. The following is a summary of Medica’s Privacy practices.

Read more about HIPAA.


Summary of Medica’s Privacy Practices

Medica takes its responsibility of protecting our members’ personal information seriously. Where possible, Medica de-identifies or encrypts personal information. We use and disclose personal information only to the extent necessary to conduct treatment, payment and health care operations, or to comply with legal, regulatory or accreditation requirements.

Medica uses and discloses only the minimum amount of personal information necessary to perform the required activity. In addition to physical and technological safeguards, Medica has adopted administrative policies and procedures that require its employees, business associates and health care providers to treat personal information as private.

Medica provides training in privacy procedures to its employees. We protect the personal information of applicants and former members just as we protect the personal information of current Medica members.


Under what circumstances does Medica use or disclose personal information?
Medica and its business associates obtain, maintain, use and share personal information to carry out certain routine activities. Routine activities include: (i) treatment-related activities, such as referring our members to a doctor or other provider; (ii) payment-related activities, such as paying a claim for medical services rendered; and (iii) health care operations, such as professional peer review. Other examples of routine activities include:

  • Enrollment and eligibility, benefits management, and utilization management
  • Customer service
  • Coordination of care

  • Health improvement and disease management (for example, sending information on treatment alternatives or other health-related benefits) 
  • Premium billing and claims administration
  • Complaints and appeals
  • Underwriting, actuarial studies, and premium rating
  • Regulatory and accreditation oversight, and legal compliance
  • Credentialing and quality assessment
  • Business planning or management and general administrative activities (for example, employee training and supervision, legal consultation, accounting, auditing)
  • Anti-fraud activities

From time to time, Medica is interested in using or disclosing personal information for purposes other than treatment, payment, health care operations, or as required by law. In these situations, Medica is required to obtain our members’ written authorization before we release the personal information. Our members have the right to decide not to authorize Medica to use or disclose their personal health information in these situations.

The law also gives our members the right to access, copy, and amend their personal information. Our members have the right to request restrictions on certain uses and disclosures of their personal information. They also have the right to obtain information about how and when their personal information has been used and disclosed.

Medica has policies that limit the disclosure of personal information to employers. However, Medica must share some personal information (for example, enrollment information) with a group policyholder or its designee to administer its business. The group policyholder or designee is responsible for safeguarding the personal information from being used for purposes other than administering health plan benefits.

These duties, responsibilities, and rights are described in more detail in Medica’s Privacy Notice. To obtain a copy of Medica’s Privacy Notice, providers may go to www.medica.com or request one through Medica’s Provider Literature Request Line.

Please Note: Medica’s Privacy Notice does not apply to members whose employers are self-insured.

If a member’s employer is self-insured, the member needs to contact their employer for more information about their health plan’s privacy practices.

As a convenience for you, here are some examples of topics for the administrative, technical and physical patient health information safeguards required under HIPAA.

Administrative safeguards:

  • Create and implement written policies and procedures for your entire organization, e.g., clinic, hospital or skilled nursing facility.
  • Train every member of your work force, e.g., practitioners, receptionists, business office staff and volunteers.
  • Provide patients with “Notice of Information Practices.”
  • When permitted or required by law, disclose only “minimum necessary” patient information for the purpose intended.

Technical safeguards:

  • Ensure proper use of computer system firewalls to prevent unauthorized access.
  • Ensure proper use of computer user names and passwords.

Physical safeguards:

  • Ensure that patient information is displayed in a manner not identifiable to the general public.
  • Ensure that medical records are stored in a secure area inaccessible to unauthorized individuals.

Further information about these and other HIPAA requirements can be found by:

The information provided above is not intended as legal advice. Please contact your legal adviser for more information regarding HIPAA and other state and federal regulations.


