Notice of Privacy Practices (Download PDF Version)
Version Date: October 18 2022
THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION.
PLEASE REVIEW THIS NOTICE CAREFULLY.
This Notice of Privacy Practices (Notice) describes the privacy practices of Troy Health, Inc. (dba Troy Medicare). (In this Notice, we may also refer to Troy, we, us, or our). It also applies to the members of Troy Medicare. Troy Medicare is a single entity to comply with the Health Insurance Portability and Accountability Act (HIPAA).
Troy Medicare can share Protected Health Information (PHI) with its health plan delegates for the treatment, payment, and health care operations as allowed by HIPAA and this Notice.
Effective date: This Notice became effective on October 18, 2022.
In this Notice, we describe:
- Information we collect about you
- How we use and share your information
- Times when we must share your information
- Your rights under the law
- How we keep your information safe
- How we comply with the law
- When this Notice may change
Information we collect about you
We get information about you from many sources, including from you. But we also can get it from other insurers and health care providers such as doctors. This is called Protected Health Information (PHI). It includes personal information that may identify you that is not public information. And it includes information about your health, medical conditions, prescriptions, and payment for health care products and services.
It may include:
- Demographic data (like your name and address)
- Health details (like medical history)
- Test results (like a lab test)
- Insurance information (like your member ID)
- Other information used to identify you or that’s linked to your health care or coverage.
How we use and share your information without your authorization
In supplying your health benefits, we may use and share PHI about you in varied ways.
- Health care operations: We may use and share your PHI for our health care operations. Those are actions we need to do to run our health business, including:
- Quality assessment and improvement
- Accreditation by independent organizations
- Performance measurement and outcomes assessment
- Health services planning and development activities
- Preventive health, disease and case management, and care coordination
For example, we may use your PHI to offer you programs for certain conditions, such as diabetes, asthma, or heart failure. We may also use it for other operations requiring use and disclosure, such as:
- Administering reinsurance and stop loss
- Investigating fraud
- Running pharmaceutical programs and payments
- Performing general administrative activities (information systems, data management, and customer service)
- Creating de-identified data (data that no longer identifies you may be used for analytics, business planning, or other reasons).
- Payment: We may use and disclose your PHI to help pay for your covered services when:
- Doing utilization and medical necessity reviews
- Coordinating care
- Deciding eligibility
- Deciding on drug list compliance
- Handling premium payments
- Calculating cost-sharing amounts
- Responding to complaints, appeals and requests for external reviews
We carry out these tasks to make sure we pay for your care the right way.
We may use your health history and other PHI to decide on whether a treatment is medically necessary and what the payment should be. During this process, we may share information with your health care provider.
We may also mail Explanation of Benefits (EOB) forms and other information to the address we have for the member.
- Treatment: We may share your PHI with the health care providers who take care of you – doctors, dentists, pharmacists, and facilities. Sometimes doctors may ask for your medical information from us for their own records.
Disclosures to other covered entities: We may share your PHI with other covered entities or their business associates. This may be for treatment, payment, or certain health care operations.
Additional Reasons for Use and Disclosure without your Authorization
We may use or share PHI about you in providing you with other health related benefits and services. We may also use or share your PHI without your authorization in support of:
- Health Oversight – to health oversight agencies (e.g., agencies that oversee the health care system and government benefit programs) for purposes of oversight activities authorized by law (e.g., investigations, audits, licensure or disciplinary actions).
- Workers’ Compensation – to comply with workers’ compensation laws.
- Law Enforcement – to government law enforcement officials as permitted or required by law.
- Legal Proceedings – in response to a court order or other lawful process.
- Public Welfare – to address matters of public interest as required or permitted by law (e.g., child abuse, public health threats, investigations, disease controls, product recalls).
- As Required by Law – to comply with legal obligations and requirements
- Decedents – to a coroner or medical examiner for the purpose of identification, determining a cause of death, or as authorized by law.
- Organ Procurement – to respond to organ donation groups for the purpose of facilitating donation and transportation.
- Abuse, Neglect, or Domestic Violence – to government authorities, social services or adult protective service agencies, authorized to receive such reports, if we believe you are a victim of abuse, neglect, or domestic violence. We will inform you of such a disclosure, unless doing so would place you at risk of serious harm or not be in your best interest.
- Specialized Government Functions and Correctional Institutions – to authorized government officials for purposes of national security and intelligence activities, protective services for the President, and medical suitability determinations. If you are under the custody of a correctional institution or a law enforcement official, we may disclose your PHI to such parties if certain representations are made (e.g., the information is necessary to provide you with health care or the health and safety of others).
Times when we must share your information
We may share your PHI with people involved in your health care. We may also share with those involved in paying for your care. For example, if a family member or caregiver calls us about a
claim, we may tell them what processing stage it's in. You have a right to stop or limit this kind of sharing (disclosure). To do so, call Member Services.
When we need your okay to use or share your information
If we have not described a use or disclosure above, we will need you to say it’s okay in writing to use or disclose your PHI. For example, we will get your okay for:
- Marketing purposes
- Sharing any psychotherapy notes
- If linked to the sale of your PHI
- For other reasons as required by law
Even if you gave us your okay, you could withdraw it at any time. You just need to let us know in writing. If we haven’t already acted on it, we’ll stop using or sharing your information for that purpose. If you have any questions about written permission, call Member Services.
We must also follow state privacy laws that may be stricter (or more protective of your PHI) than federal law.
Your rights under federal privacy laws
You have the right to:
- Ask us to communicate with you how or where you choose. For example, you may want us to send health information to another person. If it’s a reasonable request, we will make it happen.
- Ask us to limit the way we use or share your information when it comes to health care operations, payment, and treatment. We will consider but may not agree to such requests. You also have the right to ask us to restrict sharing with people involved in your health care.
- Ask us for a copy of PHI that’s part of a “designated record set.” This may include medical records. It may also include other records we keep and use for:
- Claims processing
- Medical management
- Other decisions
We may ask you to request this in writing. And we may charge a reasonable fee for making and mailing copies. Sometimes, we may need to deny the request.
- Ask us to fix your PHI. You need to ask this in writing. And you must include the reason for the request. If we deny it, you may write to us to let us know you disagree.
- Ask us to give you a list of certain disclosures we have made about you, such as PHI we’ve shared with government agencies that license us. This is called accounting. You need to ask for this in writing. If you ask for this kind of list more than once in a 12-month period, we may charge you a reasonable fee.
- Be notified after a breach of your PHI.
- Insurers aren’t allowed to take part in pretext interviews, except in some cases, such as suspected fraud or criminal activity. We don’t take part in those.
You may make any of the requests (if they apply), ask for a paper copy of this Notice, or ask questions about this Notice. You can do this by calling Member Services.
You have the right to file a complaint if you think someone has violated your privacy rights. To do so, send a letter to:
Attn: Chief Compliance Officer
P.O. Box 30516
Charlotte, NC 28230-0516
You may also contact the Secretary of the U.S. Department of Health and Human Services, Office of Civil Rights at: https://ocrportal.hhs.gov/ocr/smartscreen/main.jsf or send an email to OCRMail@hhs.gov, or call 1-800-368-1019, TTY/TDD 1-800-537-7697.
How we keep your information safe
We use administrative, technical, and physical safeguards to keep your information from unauthorized access and other threats and hazards to its security and integrity. We comply with all state and federal laws that apply related to the security and confidentiality of your PHI.
We don’t destroy your PHI even when you end your coverage with us. We may need to use and share it even after your coverage terminates with us. We will continue to protect your information against inappropriate use or disclosure.
How we comply with the law
Federal privacy laws require us to keep your PHI private. We must tell you about our legal duties and privacy practices. We must also follow the terms of the Notice in effect.
When this Notice may change
We may change the terms of the Notice and our privacy policies anytime. If we do, the new terms and policies will be effective for all the information we now have about you. And they’ll apply to any information that we may get or hold in the future.
If we make material changes to our privacy policies, we will promptly revise our Notice. We will also post the revised Notice on our website.
You can ask for a copy of the revised Notice by calling Member Services.
We comply with applicable Federal civil rights laws and Troy Medicare does not discriminate on the basis of race, color, national origin, age, disability, or gender.
If you believe that we have failed to provide language services or discriminated in another way on the basis of race, color, national origin, age, disability, or gender, you can file a grievance by calling Member Services at 1-888-494-8769. TTY users call 711. We are available 8am -8pm Eastern time, Monday through Friday, and from October 1 to March 31, 7 days a week.
GATHERING, USE AND DISCLOSURE OF NON-PERSONALLY-IDENTIFYING INFORMATION
Users of the Website Generally
“Non-Personally-Identifying Information” is information that, without the aid of additional information, cannot be directly associated with a specific person. “Personally-Identifying Information,” by contrast, is information such as a name or email address that, without more, can be directly associated with a specific person. Like most website operators, Company gathers from users of the Website Non-Personally-Identifying Information of the sort that Web browsers, depending on their settings, may make available. That information includes the user’s Internet Protocol (IP) address, operating system, browser type and the locations of the websites the user views right before arriving at, while navigating and immediately after leaving the Website. Although such information is not Personally-Identifying Information, it may be possible for Company to determine from an IP address a user’s Internet service provider and the geographic location of the visitor’s point of connectivity as well as other statistical usage data. Company analyzes Non-Personally-Identifying Information gathered from users of the Website to help Company better understand how the Website is being used. By identifying patterns and trends in usage, Company is able to better design the Website to improve users’ experiences, both in terms of content and ease of use. From time to time, Company may also release the Non-Personally-Identifying Information gathered from Website users in the aggregate, such as by publishing a report on trends in the usage of the Website.
A “Web Beacon” is an object that is embedded in a web page or email that is usually invisible to the user and allows website operators to check whether a user has viewed a particular web page or an email. Company may use Web Beacons on the Website and in emails to count users who have visited particular pages, viewed emails and to deliver co-branded services. Web Beacons are not used to access users’ Personally-Identifying Information. They are a technique Company may use to compile aggregated statistics about Website usage. Web Beacons collect only a limited set of information, including a Web Cookie number, time and date of a page or email view and a description of the page or email on which the Web Beacon resides. You may not decline Web Beacons. However, they can be rendered ineffective by declining all Web Cookies or modifying your browser setting to notify you each time a Web Cookie is tendered, permitting you to accept or decline Web Cookies on an individual basis.
We may use third-party vendors, including Google, who use first-party cookies (such as the Google Analytics cookie) and third-party cookies (such as the DoubleClick cookie) together to inform, optimize and serve ads based on your past activity on the Website, including Google Analytics for Display Advertising. The information collected may be used to, among other things, analyze and track data, determine the popularity of certain content and better understand online activity. If you do not want any information to be collected and used by Google Analytics, you can install an opt-out in your web browser (https://tools.google.com/dlpage/gaoptout/) and/or opt out from Google Analytics for Display Advertising or the Google Display Network by using Google’s Ads Settings (www.google.com/settings/ads).
Aggregated and Non-Personally-Identifying Information
We may share aggregated and Non-Personally Identifying Information we collect under any of the above circumstances. We may also share it with third parties and our affiliate companies to develop and deliver targeted advertising on the Website and on websites of third parties. We may combine Non-Personally Identifying Information we collect with additional Non-Personally Identifying Information collected from other sources. We also may share aggregated information with third parties, including advisors, advertisers and investors, for the purpose of conducting general business analysis. For example, we may tell our advertisers the number of visitors to the Website and the most popular features or services accessed. This information does not contain any Personally-Identifying Information and may be used to develop website content and services that we hope you and other users will find of interest and to target content and advertising.
COLLECTION, USE AND DISCLOSURE OF PERSONALLY-IDENTIFYING INFORMATION
As defined above, Personally-Identifying Information is information that can be directly associated with a specific person. Company may collect a range of Personally-Identifying Information from and about Website users. Much of the Personally-Identifying Information collected by Company about users is information provided by users themselves when (1) registering for our service, (2) logging in with social network credentials, (3) participating in polls, contests, surveys or other features of our service, or responding to offers or advertisements, (4) communicating with us, (5) creating a public profile or (6) signing up to receive newsletters. That information may include each user’s name, address, email address and telephone number, and, if you transact business with us, financial information such as your payment method (valid credit card number, type, expiration date or other financial information). We also may request information about your interests and activities, your gender, age, date of birth, username, hometown and other demographic or relevant information as determined by Company from time to time. Users of the Website are under no obligation to provide Company with Personally-Identifying Information of any kind, with the caveat that a user’s refusal to do so may prevent the user from using certain Website features.
BY REGISTERING WITH OR USING THE WEBSITE, YOU CONSENT TO THE USE AND DISCLOSURE OF YOUR PERSONALLY-IDENTIFYING INFORMATION AS DESCRIBED IN THIS “COLLECTION, USE AND DISCLOSURE OF PERSONALLY-IDENTIFYING INFORMATION” SECTION.
We may occasionally use your name and email address to send you notifications regarding new services offered by the Website that we think you may find valuable. We may also send you service-related announcements from time to time through the general operation of the service. Generally, you may opt out of such emails at the time of registration or through your account settings, though we reserve the right to send you notices about your account, such as service announcements and administrative messages, even if you opt out of all voluntary email notifications.
Company will disclose Personally-Identifying Information under the following circumstances:
• Marketing Communications. Unless users opt-out from receiving Company marketing materials upon registration, Company may email users about products and services that Company believes may be of interest to them. If you wish to opt-out of receiving marketing materials from Company, you may do so by following the unsubscribe link in the email communications, by going to your account settings (if applicable) or contacting us using the contact information below.
• Third-Party Service Providers. We may share your Personally-Identifying Information, which may include your name and contact information (including email address) with our authorized service providers that perform certain services on our behalf. These services may include fulfilling orders, providing customer service and marketing assistance, performing business and sales analysis, supporting the Website’s functionality and supporting contests, sweepstakes, surveys and other features offered through the Website. We may also share your name, contact information and credit card information with our authorized service providers who process credit card payments. These service providers may have access to personal information needed to perform their functions but are not permitted to share or use such information for any other purpose.
Changing Personally-Identifying Information; Account Termination
COLLECTION AND USE OF INFORMATION BY THIRD PARTIES GENERALLY
We take the security of your Personally-Identifying Information seriously and use reasonable electronic, personnel and physical measures to protect it from loss, theft, alteration or misuse. However, please be advised that even the best security measures cannot fully eliminate all risks. We cannot guarantee that only authorized persons will view your information. We are not responsible for third-party circumvention of any privacy settings or security measures.
We are dedicated to protect all information on the Website as is necessary. However, you are responsible for maintaining the confidentiality of your Personally-Identifying Information by keeping your password confidential. You should change your password immediately if you believe someone has gained unauthorized access to it or your account. If you lose control of your account, you should notify us immediately.
Most web browsers and some mobile operating systems include a Do-Not-Track (“DNT”) feature or setting you can activate to signal your privacy preference not to have data about your online browsing activities monitored and collected. Because there is not yet a common understanding of how to interpret the DNT signal, the Website currently does not respond to DNT browser signals or mechanisms.