Note on HIPAA and Protected Health Information
The Health Insurance Portability and Accountability Act (HIPAA) regulates and defines protected health information (PHI) maintained by covered entities and business associates. HIPAA requires covered entities to maintain a Notice of Privacy Practices (NPP), which describes how PHI is collected, used, and disclosed by the regulated entity. PHI is part of the larger category of personal information, as defined below, and the terms of an NPP will apply to the collection, use, and disclosure of PHI rather than this Privacy Policy. For example, individually identifiable health information collected on a regulated entity’s website or mobile application is generally PHI, even if the individual does not have an existing relationship with the regulated entity and even if the information, such as IP address or geographic location, does not include specific treatment or billing details. Therefore, most of the information collected, used, and disclosed through use of our online services is PHI and is subject to the applicable Notice of Privacy Practices.
Links to the NPPs of our affiliated entities are included below for review:
We urge you to fully read this Privacy Policy to remain informed. Please be advised that this Privacy Policy constitutes an agreement between you and Highmark Health when you utilize our online services, which includes our enterprise websites, mobile applications, member and patient portals, and our other affiliated online or digital resources, owned or managed by Highmark Health, that refer to this Privacy Policy. Please be advised that some of our online services may have separate or additional terms of use which will apply in addition to this Privacy Policy, and you are encouraged to review such supplemental terms of use. Your ongoing use of our online services confirms i) your acknowledgement and acceptance of the conditions contained in this Privacy Policy and any supplemental terms of use, and ii) your express consent to collect, use, and disclose your information in accordance with applicable law. Please note, our privacy practices are subject to the laws of the places in which we operate; as such, you may see additional region-specific terms that apply only to customers located in those geographic regions, as may be required by applicable laws.
We collect personal information from and about you in a number of ways. Personal information means individually identifiable information such as your name, email address, and demographic information if you choose to complete an online form. We leverage various tools, components, and features (as described below), in accordance with applicable law, to collect personal information to conduct our business operations, including understanding our users, maintaining and optimizing our online services, and customizing your user experience. Most of the information we collect, use, and disclose through use of our online services is PHI.
How you interact with a particular Highmark Health online service will generally determine the type and amount of personal information we collect. For general website browsing, we capture basic information such as your browser type, IP address, device hardware model, referring URL, as well as server log information such as session time, click streams, and crash reports. For other features, such as use of a secure portal, we may need to verify your identity through a login process and collect sufficient personal information to provide a response or administer the service requested.
What follows below are further details regarding the personal information we collect, use, and disclose for our business purposes.
Highmark Health offers online inquiry forms on our corporate-owned websites for account questions or to learn more about our products and services. The personal information we collect on inquiry forms generally includes your name, address, phone number, email address, and the details of your inquiry. By submitting personal information, you grant Highmark Health the right to transmit, monitor, retrieve, store and use your information in connection with the operation of the website. We may use such information to review and respond to your request or communication, or use contracted service providers to do that for us. We may also use information collected through online forms as stated in Section 2 below.
Highmark Health has established secure portals for use by our customers and business partners. When secure portals are accessed, we collect certain personal information, such as user ID and password, IP address, click streams, and related session data. Communications sent by users through these secure portals may also be recorded in transaction logs to monitor content, compliance with applicable law and regulations, or functionality of the services. We may also use information collected through secure portals as stated in Section 2 below.
Our online services may offer interactive chat technology to assist users. That interactive technology collects personal information such as name, date of birth, address, and account number for authentication purposes or to provide customized details as requested by a user, and may also capture session-related information such as web logs to document the interaction. Users are reminded that supplemental terms of use may apply with respect to an interactive chat feature in addition to this Privacy Policy, and users are encouraged to read such terms as well. We may also use information collected through interactive chat as stated in Section 2 below.
You may be invited by your mobile device to use fingerprint, facial recognition, or similar biometric technology to log in to our online service. When a biometric login is enabled, our online services recognize that you have selected this as a preference and have been authenticated through your mobile device, and you are permitted to access our online services accordingly. When you use biometric login functionality on our online services, we do not collect any of the actual biometrics (e.g., fingerprints or facial images); that is managed and maintained on your mobile device and by the mobile device manufacturer (e.g., Apple, Samsung).
Our online services may use the location services functionality on your mobile device and thereby collect your geolocation data. We use geolocation data to assist you in finding geographically-based products and services, and to provide you with relevant content based on your location. We may also use information collected through location services as stated in Section 2 below.
Our online services collect certain personal information when being run on a mobile device; for example, if one of our mobile applications is downloaded, we collect information about the device type, its software/operating system, and device identifier. We use this information to assess our general user base and to improve our technical support capabilities. We may also use information collected from your mobile device as stated in Section 2 below.
A cookie is a small text file that is stored on a computer or other internet-connected device when it accesses a digital resource. Cookies can capture user information such as IP address, internet browser and operating system type, the date and time of a digital interaction, session information such as page response times, your search history, saved preferences and password information (if a user elects to have a website remember this information), information about the referring URL, and click stream to, through, and from our online services.
Highmark Health’s online services use first-party cookies (ones we create and configure) to support our digital resources, monitor their performance, enhance the user experience, and assess information about our user base. We may gather and use information obtained from first-party cookies to provide customers and prospects with tailored content and optimize our offerings.
We also use third-party cookies (ones we do not create or configure), in accordance with the requirements of applicable law, to help assess our user base, understand a user’s digital journey from external sources to our online services, and optimize our offerings in the market. In the event that third-party cookies are used to deliver relevant ads of interest, you can review and manage applicable third-party ad cookies by navigating to the following links provided by the Network Advertising Initiative and the Digital Advertising Alliance.
Cookies employed on our online services include the following types:
Most internet browser settings can be modified by users to attempt to block cookies (e.g., choosing a “do not track” or “global privacy control” setting). Also, you should be aware that blocking cookies could prevent a particular online service or certain features from fully functioning. We are not responsible for and make no representations or claims regarding the effectiveness of third-party opt-out mechanisms or programs. Please note that if you delete your cookies or upgrade your browser after having opted-out, you will need to opt-out again to reaffirm your selections.
Users may encounter third-party widgets (e.g., Twitter, LinkedIn) on our online services; these widgets (icons) are owned and controlled by third parties and not by Highmark Health. These widgets are provided out of convenience only, and do not reflect an affiliation with or endorsement of the third-party company. If a user clicks a widget, he/she will be redirected to the landing page of that third-party company, and any data collection, use, and disclosure activities will be subject to that third party’s privacy standards (and not this Privacy Policy). Here’s an example: Highmark Health maintains a LinkedIn page, but we have no control over how LinkedIn, as a third party, collects, uses, or discloses information obtained from users when they visit the LinkedIn platform.
When you click a third-party widget and leave our site, Highmark Health makes no representations or warranties regarding third-party platforms or components, their content, data management, or security. To be an informed consumer, you should review the privacy standards of the applicable third parties.
Our online services may contain redirecting hyperlinks or embedded third-party media content, as applicable; an example includes YouTube videos which may exist as tile images that redirect to YouTube when clicked, or as embedded files which begin playing on our web pages when clicked. This third-party content is not managed or configured by Highmark Health, which means we do not control any code which may be linked to this content by the media host, and we do not control any data collection which might occur as a result of such code. By viewing any embedded third-party media content on our online services, as applicable, users acknowledge, accept, and expressly consent to any associated data collection, use, and disclosure which might occur between Highmark Health and the media host.
Highmark Health uses the information collected through our online services for the specified purposes stated in Section 1 above. Additional uses include:
We may also use your personal information to provide you with access to information about additional products, programs, and services offered by our family of companies or our business partners. You may remove yourself from certain communication channels or programs at any time -- just follow the opt-out instructions included in those specific communications.
Highmark Health may disclose your personal information collected through its online services to service providers that are contracted by Highmark Health to support our functions. For example, a service provider may have access to your information to perform a specific task such as sending you a survey or a newsletter. Highmark Health’s service providers are bound by contract to follow robust data privacy and security standards, and to handle your personal information with due care.
Third parties include non-affiliated companies whose platforms or components we may employ or present to our users, but whose data collection and usage activities we do not control, and which are not governed by this Privacy Policy (e.g., third-party widgets referenced above). For example, we may utilize a third-party vendor to host certain informational videos. When you click on the link to the video, you are redirected from our site to the platform of the video host. The host’s data collection and usage activities will govern your interaction with that third-party site and content. Third parties can also refer to other types of entities or bodies that we do not have a contractual or commercial relationship with, but that we share data with as permitted or required by law (e.g., government oversight agencies). Highmark Health generally does not disclose personal information collected through its online services to third parties except as set forth in this Privacy Policy, or as permitted or required by law. At times, personal information may be disclosed to a third party if there is a specific legal basis, if there is a need to complete a transaction requested by the user, or if necessary for providing a service or benefit to the user.
Highmark Health may disclose your personal information to courts, law enforcement, governmental oversight agencies, and other appropriate regulatory bodies as permitted or required by applicable law, or if such disclosure is reasonably necessary to:
Our online services are not generally intended for, nor made available to, children under the age of 13, and we typically do not make attempts to collect, use, or disclose information from children under the age of 13, unless otherwise permitted or required by applicable law.
Some of our entities or product lines may be subject to certain obligations set by the GDPR. With respect to our entities or product lines that may be subject to GDPR, a separate notice aligned to GDPR’s requirements will be made available on the public websites of the applicable entities.
Some of our entities may be subject to certain obligations set by state consumer privacy laws, such as those enacted in California and Colorado, among other jurisdictions. These laws require the posting of a consumer notice regarding data collection, use, and disclosure activities. With respect to our entities that may be subject to this type of requirement, one or more separate notices aligned to those specific state laws will be made available on the public websites of the applicable entities.
Highmark Health reserves the right to change, modify, or update this Privacy Policy at any time and for any reason. Highmark Health will promptly post such changes, modifications, or updates to its online services accordingly. Please review this Privacy Policy periodically to keep informed of any changes. Users are reminded that continued use of our online services confirms i) your acknowledgement and acceptance of the conditions contained in this Privacy Policy, and ii) your express consent to collect, use, and disclose your information in accordance with applicable law.
If you have questions about this Privacy Policy, please contact us by emailing “privacy@highmarkhealth.org” or calling 1-866-228-9424.
¹ Highmark Health includes the wholly-owned subsidiaries and affiliates making up the Highmark Health enterprise, including, among others, Highmark Inc., Allegheny Health Network, HM Health Solutions d/b/a enGen, HM Home and Community Services d/b/a Helion, and other affiliated businesses such as HM Insurance Group and United Concordia Companies Inc. References to "us," "we," and "our" in this Privacy Policy mean Highmark Health.
(© 2014 Highmark Health — last revised August 2023)