Commonwealth Health Insurance Connector Authority Policy and Procedures for the Protection of Member Privacy Rights
Last modified December 1, 2022
PURPOSE:
The Massachusetts Commonwealth Health Insurance Connector Authority (the “Health Connector”) is committed to safeguarding the privacy of individuals who apply for and receive insurance through the Health Connector (“Members”) by maintaining the confidentiality, integrity and accuracy of Members’ personal information obtained and used by the Health Connector, in compliance with applicable privacy requirements, including 45 CFR § 155.260 and the latest version of the Minimum Acceptable Risk Standards for Exchanges (MARS-E). This Policy and Procedures for the Protection of Member Privacy Rights is designed to provide Members with the ability to (1) access, (2) correct, and (3) make decisions about the collection, use, and disclosure of their personally identifiable information (PII) that is obtained or used by the Health Connector and/or its business associates, and to guide Health Connector personnel in implementing mechanisms to ensure Members’ rights are protected, including the processing of appeals of determinations related to such Member rights.
APPLICABILITY:
This Policy applies to all Health Connector employees and third-party contractors involved in the use of Members’ PII. The Policy covers all Members’ PII collected, stored, used, shared, transmitted, disposed of, or otherwise handled by the Health Connector or its business associates. The requirements provided within this Policy cover all Health Connector functions.
POLICY:
Access. Members have the ability to access and review electronic information about them, which is maintained in the Health Connector’s electronic eligibility determination, enrollment and premium billing systems. Additionally, members have the right to request in writing that they be allowed to inspect and copy their PII maintained by the Health Connector and its business associates except under certain limited circumstances explained in this policy, in which case the Health Connector may deny access to records.
Correction. Members have the ability to review and change electronic information about them, which is maintained in the Health Connector’s eligibility determination system, provided that their changed information may be subject to verification. Additionally, the Health Connector will maintain a process for Members to request corrections to their PII in the Health Connector’s control. The Health Connector will provide a timely written response to all such requests. When such a request is allowed, the Health Connector will take steps to make the correction. When such a request is denied, the Health Connector will so notify the Member and permit the Member to submit a statement of disagreement with the denial.
Decisions About Collection, Use and Disclosure. The Health Connector maintains a process to assure that Members may request restrictions as to how the Health Connector will collect, use, or disclose their PII. The Health Connector may refuse to agree to Members’ requested restrictions on the disclosure of PII. When such a request is denied, the Health Connector will so notify the Member and permit the Member to submit a statement of disagreement with the denial.
DEFINITIONS:
Personally Identifiable Information (PII) means information that can be used to distinguish or trace an individual’s identity, such as name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, etc.
Reviewer: “Reviewer” is defined as the Health Connector’s Compliance Manager or such other person as the Health Connector’s General Counsel may designate to review requests submitted by Members in accordance with this Policy. Any other Health Connector personnel that get such a request should refer the request to the Compliance Manager for review.
PROCEDURES:
I. General Procedures for Written Member Requests
Request in Writing. Requests made by Members under this Policy must be in writing using the appropriate Health Connector forms. Copies of the forms will be provided upon request and may be made available on the Health Connector’s website. Copies of the forms are attached hereto as Exhibits A(1), B(1), and C(1).
Verifying the Requester’s Identity. The Reviewer will take reasonable steps to verify the identity of the Requester, who must be either the Member who is the subject of the PII, the Member’s legal representative, or the executor or administrator of the Member’s estate. (For purposes of this Policy, references to a request by a Member or Requester will be interpreted to include requests made by a Member’s legal representative or the executor or administrator of the Member’s estate.) The Reviewer may ask for identification or other documentation of the individual’s identity, including signatures, photographic identification, or copies of court appointments.
Time to Respond to Request. The Health Connector will acknowledge requests within 10 working days of receipt of the request and complete review of the request within 30 working days of receipt of the request, unless unusual or exceptional circumstances preclude completing action by that time. If the Health Connector cannot respond to the request within 30 working days, it will extend the deadline an additional 30 working days, and it will give written notice of the extension to the Requester within the original 30-working-day timeframe.
Responses. All responses to requests will be in writing using the appropriate form, a copy of which is attached hereto as Exhibits A(2), B(2), and C(2). The response will state the reasons for the decision in plain language.
Appeals. Members may appeal any written decision issued by the Reviewer. The Health Connector’s Privacy Officer or that person’s designee will review appeal requests and respond to them no later than 30 working days after receipt, unless there is good cause to extend the period. If the Health Connector cannot respond to an appeal within 30 working days of receipt, it will extend the deadline an additional 30 working days, and it will give written notice of the extension to the Requester within the original 30-working-day timeframe. Any decision issued regarding such appeal will be final. Appeal requests can be made using Exhibit D(1) and responses to appeal requests will be provided in the form of Exhibit D(2), each such exhibit attached hereto.
II. Procedures for Providing Member Access
Electronic Access. Members have the ability to access the information about them that is maintained in the Health Connector’s electronic eligibility determination, enrollment and premium billing systems. Members may access this information through the Health Connector’s website (https://www.mahix.org/individual) by using their account identification information (user name and password) to log on to their account and review the information contained there. Information includes the application information provided by the Member, the eligibility determinations made in response to the application information, the enrollment of the Members in Health Connector plans, and current account information about premium billing and payments.
Written Request. If a member believes that there is PII about them that is not available through the electronic access described above, that Member may submit a written request for Access to PII on the Request to Inspect or Receive a Copy of PII form (Exhibit A(1)).
Reviewer’s Obligations. When a Member requests access to that Member’s PII, the request will be reviewed by the Reviewer as follows:
- The Reviewer will determine if the request was made by the Member.
- The Reviewer will determine whether the Health Connector or one of its business associates maintains the information requested by the Member in connection with the provision of insurance to that Member. If the Health Connector or its business associate does not maintain the PII, but the Reviewer knows where it is maintained (e.g., the member’s health plan), the Reviewer shall inform the requester where to redirect the request.
- The Reviewer may ask the Requester to clarify scope, applicable time period, etc. of a request if necessary.
- The Reviewer will determine whether the request should be allowed or denied, based on the standards stated below.
After completing the above review, the Reviewer will respond to the request using the Health Connector Response to Request for Access to PII form (Exhibit A(2)).
Standards for Review. Generally, a Member has the right to have access to his or her PII. The Health Connector may deny a request for access to PII in the following circumstances, all of which are extremely unlikely or impossible:
- The requested PII consists of individual psychotherapy notes (It is not likely that the Health Connector would have individual psychotherapy notes for an individual because the Health Connector does not collect medical records.);
- The PII was created or obtained in the course of research that includes treatment, for as long as the research is in progress, provided that the Requester has agreed to the denial of access when consenting to participate in the research that includes treatment, and the Health Connector has informed the Requester that the right of access will be reinstated upon completion of the research;
- The PII was obtained from someone other than a health care provider under a promise of confidentiality and the access requested would be reasonably likely to reveal the source of the information; or
- The PII was compiled in reasonable anticipation of, or for use in, a civil, criminal or administrative action or proceeding.
A denial for any of the foregoing grounds will be subject to review via an appeal.
Additionally, the Health Connector may deny a request for PII in the following very unlikely circumstances:
- A licensed health professional has determined that access to the PII is reasonably likely to endanger the life or physical safety of the individual or another person;
- The PII makes reference to another person (unless such other person is a health care provider) and a licensed health care professional has determined in the exercise of professional judgment that the access requested is reasonably likely to cause substantial harm to such other person; or
- The request for access is made by a Member’s personal representative and a licensed health care professional has determined that the provision of access to such personal representative is reasonably likely to cause substantial harm to the individual or another person.
The foregoing three grounds typically involve providers that maintain sensitive medical records-based PII. Thus, it is unlikely that the Health Connector will have occasion to deny access to PII on such grounds because the Health Connector does not collect records from health care providers, facilities, institutions or insurers. However, should such a situation occur, the denial shall clearly state the grounds relied upon and further that the Member whose request is being denied has a right to further review. If the Member exercises the right of further review, the Privacy Officer will arrange to have the matter reviewed by a licensed health professional not involved in the initial decision to deny the request and will promptly provide written notice to the Member about the determination of that review and will take other action required to carry out the determination.
Responses. If access is granted, the Health Connector will notify the Requester in writing that access is granted, and of the means by which access will be provided. The Health Connector will provide access to the information in electronic format if it is able. The Health Connector will use its best efforts to provide records in the format requested, or in the absence of a requested format, in a machine-readable format. The Requester may designate an entity or person to whom the PII should be sent, and the Health Connector should send the information to that person or entity, so long as that choice is clear, conspicuous, and specific.
The Health Connector may provide the Requester with a summary of the PII requested, in lieu of providing access, or may provide an explanation of the information to which access has been provided, if the Requester agrees in advance to such a summary or explanation and to the fees imposed, if any, for such summary or explanation.
If access is denied in whole or in part, the Health Connector will notify the Requester in writing, in plain language, stating the reason for the denial. The Health Connector will make available any requested information that is not covered by the denial. If the Requester has a right to ask for review of the denial, the response shall state how such a review may be requested.
Fees. The Health Connector will assess a reasonable fee for providing copies of PII or producing a summary/explanation of the information. Costs will include the cost of supplies and the labor for preparing a summary/explanation and copying. Postage may be charged to the member if the information is mailed. Fees associated with provision of information in electronic form, or a summary or explanation of such information, will not be greater than the Health Connector’s labor costs in responding to the request. The Requester will be informed of any applicable fees in advance through the response form.
III. Procedures for Requests for Correction
Electronic Access. A Member may review electronic information about them that is maintained in the Health Connector’s eligibility determination, enrollment and premium billing systems. The information contained in the eligibility determination system has generally been provided by the Member subject to verification against external databases. If a Member believes information in the eligibility determination system is incorrect or is no longer accurate due to a change in circumstances, the Member may correct that information themselves in one of two ways:
- By logging into their account (https://www.mahix.org/individual) through the Health Connector’s website and making the change.
- If the Member is unable or unwilling to do that electronically, the Member may seek the assistance of a customer service representative to make the change by calling 1-877-MA-ENROLL (1-877-623-6765); TTY: 711.
Any new information that the Member provides will be subject to verification in accordance with federal requirements. A Member may not change enrollment or premium billing information electronically. However, if a Member believes that information in those areas is incorrect or outdated, the Member may contact the customer service center to request a correction by calling 1-877-MA-ENROLL (1-877-623-6765); TTY: 711.
Request in Writing. If a Member wishes to correct PII that they believe cannot be corrected through the self-service options described above, they may make a request to correct in writing on the Request to Correct PII form (Form B(1)). The form requires the Member to state the PII in question; the correction that he or she seeks to make; the reason to support that request; and, if applicable, the identification of persons other than the individual with whom the corrected information needs to be shared.
Review Process. All requests to correct will be referred to the Reviewer, who will make a decision according to the following standards.
Standards for Review. The Health Connector may deny the request if it determines that the PII that is the subject of the request:
- Was not created by the Health Connector, unless the Requester has provided a reasonable basis to believe that the originator of the PII is no longer available to act on the requested amendment;
- Is not in the Health Connector’s control;
- Is not available for inspection under the provisions of this Policy regarding access to PII; or
- Is accurate and complete.
Procedure for Allowing the Correction. If based on the foregoing procedure, the Health Connector agrees to allow the correction, in whole or in part, it must:
- Identify where the PII is located.
- If the PII is in paper form, attach a separate paper containing the correction in the file.
- If the PII or record is in electronic form, correct the electronic record, when possible, or provide a link to a correction or a note in the electronic record describing the correction.
- Notify the Requester that the correction is accepted, using the Response to Request to Correct PII form (Exhibit B(2)).
- Make reasonable efforts to inform and provide the correction within a reasonable time to:
  - Persons identified by the individual in the Request to Correct PII form as having received the PII and needing the correction.
  - Persons, including the Health Connector’s business associates, that the Health Connector knows have the PII that is the subject of the amendment, and that may have relied, or could foreseeably rely, on such information to the detriment of the Member.
Procedure for Denial. If the Health Connector determines to deny the request, it will:
- Provide the Member who made the request with a timely, written denial (using the Response to Request to Correct form) that states the basis for the denial and informs the Member of his or her right to submit a written statement disagreeing with the denial and the procedure for submitting such a statement.
- If the Health Connector considers it necessary, prepare a written rebuttal to the statement of disagreement, and provide a copy of that rebuttal to the Member.
- If the PII is in paper form, attach a copy of the request for correction, the Health Connector’s denial, and the statement of disagreement and rebuttal, if any, to that paper record.
- If the PII is in electronic form, take technologically feasible steps to provide a link to the request for amendment, the Health Connector’s denial, and any statement of disagreement or rebuttal.
- Include the request for correction, the Health Connector’s denial, and any statement of disagreement or rebuttal, or an accurate summary of such information, in any future disclosure of the PII or, if not technologically feasible, separately transmit the material.
Actions on Notices of Correction. If the Health Connector is informed by another covered entity that a Member with PII held by that entity and by the Health Connector has requested that the other covered entity amend the Member’s PII, and if that other covered entity has granted the Member’s request, the Health Connector will follow the steps listed in this Procedure with respect to making corrections for the relevant member.
IV. Procedures Regarding Member Decisions About Collection, Use and Disclosure
Right to Request Restrictions to Use Of PII. Members may request restrictions on how the Health Connector collects, uses, and discloses their PII, including situations in which the Health Connector uses a Member’s PII without individual authorization for treatment, payment, and health care operations; and situations in which the Health Connector discloses the information to family members or others involved in their care. The Health Connector does not have to agree to such requests. Requests will be reviewed on a case-by-case basis.
Request in Writing. Requests for restrictions will be made in writing, using the Request to Restrict Collection, Use, or Disclosure of Personal Information form (Exhibit C(1)).
Review. Requests for restrictions will be reviewed by the Reviewer in accordance with the following standards.
Standards for Granting Request for Restrictions. The Health Connector’s decision to accommodate the Member’s request for restrictions will be made by the Reviewer based on the feasibility and business implications of the requested restriction and any applicable legal requirements. The Health Connector may decide not to agree with the requested restrictions. Restrictions are not permitted for collection, use, or disclosure of PII that is:
- Required by law;
- Required by a court order;
- Disclosed to a health oversight agency for oversight purposes;
- For certain law enforcement purposes and certain specialized government functions; or
- For certain research purposes.
Requests to restrict the disclosure of PII will generally be granted if the disclosure is for the purpose of carrying out payment or health care operations and the PII pertains solely to a health care item or service for which the covered entity has been paid in full.
Response. The Reviewer will notify the Marketplace member in writing of the decision through the Response to Restriction Request form (Exhibit C(2)). If the Health Connector agrees to a request for restriction, then the collection, use, or disclosure of the PII will be restricted as agreed. The restriction applies to applicable PII that the Health Connector has at the time the request is granted and to PII created or received while the restriction is in place. If applicable, the Health Connector will communicate this restriction to any business associates who have PII affected by the restriction and will take steps to ensure that the business associate will implement the restriction.
Revoking a Restriction. The Health Connector may revoke its agreement to a restriction if:
- The Member agrees to, or requests the revocation either orally or in writing (any oral agreement will be documented); or
- The Health Connector informs the Member that it is revoking its agreement to a restriction; except that the Health Connector may not, without authorization from the Member, revoke a restriction on the use or disclosure of PII if the PII is to be disclosed for the purpose of carrying out payment or health care operations and the PII pertains solely to a health care item or service for which the covered entity has been paid in full.
This revocation will only be effective for PII created after the Health Connector informs the enrollee affected by the termination.
Documentation. A copy of the restriction request, the disposition of the request, and any revocation requests will be kept in the Health Connector’s files for at least ten years from the date the restriction was last in effect.
Download EXHIBITS A through D (PDF)
Website, SMS/Text Messaging, and Chat Privacy Policy
Last modified September 24, 2024
Welcome to the Commonwealth Health Insurance Connector Authority’s (the “Health Connector’s”) website and its text messaging and chat services. Your privacy is one of our top priorities. The following policy applies only to your use of this website and the Health Connector’s text messaging and chat services. As you navigate this website and receive text or chat messages from the Health Connector, you may see links that will take you to websites external to the Massachusetts Health Connector. We strongly suggest that you read the privacy policies for each website that you visit, and any external site that you visit through a link appearing at this site.
Contents:
- A Privacy Partnership
- Personally Identifiable Information
- IRS Authorization
- Information Voluntarily Provided by You
- Survey and E-mail
- Information Automatically Collected and Stored by this Site
A Privacy Partnership
Your privacy with respect to the use of this site and the Health Connector’s text and chat systems results from a partnership between the Health Connector and you, the user. At this website, and through our administration of our text and chat systems, we attempt to protect your privacy to the maximum extent possible. However, because some of the information that we receive through this website and our text and chat systems is subject to the Public Records Law, Massachusetts General Laws Chapter 66, Section 10, and other federal laws, we cannot ensure absolute privacy. Some of the information that you provide to us through this site or through our text and chat systems may be made available to members of the public under that law. This page informs you of the information that we collect from you at this site and through our text messaging and chat systems, what we do with it, to whom it may be disseminated, and how you can access it. Based on this information, you can make an informed decision about your use of this site and whether to consent to the use of text messaging or chat. You can maximize the benefits of your privacy partnership with the Health Connector by making informed decisions about whether to share personally identifiable information with us through this site. We recommend that you not share such information with us through our text messaging and chatbot service, except that when using our chatbot service, you will be asked to share your personal information as part of the authentication process. Please review the information on this page about how the Health Connector collects your personal information, and please review the Health Connector’s Notice of Privacy Practices, located at https://www.mahealthconnector.org/site-policies/privacy-policy, which describes how we use and disclose that information.
Personally Identifiable Information (PII)
We use the term “personally identifiable information” to mean any information that could reasonably be used to identify you, including your name, address, telephone number, e-mail address, Social Security number, birth date, bank account information, credit card information, or any combination of information that could be used to identify you.
IRS Authorization
By requesting financial assistance to help pay for health insurance—such as Advance Premium Tax Credits (APTC), ConnectorCare, or MassHealth—you have authorized the Health Connector to use tax return information from the Internal Revenue Service (IRS) to determine your eligibility for financial assistance in future years. If you do not want the Health Connector to use your tax return information to complete your eligibility determinations in future years, you can cancel that authorization at any time. However, doing so will mean that you and the people on your application will not be eligible for financial assistance and will have to pay full price for any insurance you receive through the Health Connector. Click here to learn more and to request cancellation of IRS authorization.
Information Voluntarily Provided by You Through this Site and the Health Connector’s Text Messaging and Chat Systems
This site collects voluntary information from you through surveys and e-mails. The Health Connector’s voluntary text messaging system collects your mobile phone number and your responses to queries made by us through text messages.
Survey and E-mail
This site collects voluntary information from you through surveys posted at this website and through any e-mail messages you choose to send to the Massachusetts Health Connector. Surveys may collect personally identifiable information you voluntarily submit, such as name, e-mail address or phone number, so that we may contact you for follow-up to your question, concern or recommendation. Any e-mail messages sent by you to this site will contain personally identifiable information such as your e-mail address and any other information you choose to give us to help us answer your inquiry.
Text Messaging and Chat.
The Health Connector’s voluntary text messaging system collects your mobile phone number and the limited number of messages you can send to us through the system, including a formal confirmation of your subscription to text messaging, a demand that the services be stopped and the “Help” statement, which you may text to us when you need further help. The Health Connector’s chat system collects the information that you type in the chat box when you initiate a query through the chat system or respond to a query from the chat system. When you are using our live chat system, it collects entries that you have made into the chat system while communicating with a customer service representative.
You should not include personal information in any messages that you send via the Health Connector’s text or chat systems, except when you are asked to share your personal information as part of the authentication process for our chatbot service.
The Health Connector’s text messaging system may generate text messages to the number you provide us that disclose information related to your account. This could include messages regarding actions you may need to take on your account, including those related to your application, eligibility, or enrollment in coverage. Text messages are an unencrypted form of communication. By agreeing to receive text messages from the Health Connector, you agree to receive text messages regarding your account at the mobile phone number you have provided.
Information Automatically Collected and Stored by this Site
This website does not use permanent “cookies”. However, the site uses temporary “session cookies” to allow visitors to interact with the Massachusetts Health Connector and to use online applications. “Session cookies” do not allow us to personally identify a visitor. These cookies are stored only in memory and are deleted when the user’s browser is shut down.
This site does collect and store your “Internet Protocol (‘IP’) address” (which does not identify you as an individual) indefinitely, as well as information about the date and time of your visit, whether a file you have requested exists, and how many “bytes” of information were transmitted to you over the Web from this site. We use your IP address to assess the frequency of visits to this site and the popularity of its various pages and functions. We will not attempt to match any personally identifiable information that you provide to us with your IP address, unless there are reasonable grounds to believe that doing so would provide information that is relevant and material to a criminal investigation.
Public Records Law and the Dissemination of Your Personally Identifiable Information
We do not sell any personally identifiable information collected through this website or submitted to the Commonwealth in conjunction with using functions on the website or through our text messaging or chat services, and there is no direct or online public access to the information. However, once you voluntarily submit personally identifiable information to us related to your use of this site or our text or chat services, its dissemination is governed by the “Public Records Law,” the “Fair Information Practices Act” (Massachusetts General Laws Chapter 66A), and other applicable laws and regulations. For this reason, part or all of the information you send us may be provided to a member of the public in response to a public records request. There are pieces of information, such as your mobile phone number, credit card numbers, TIN, username, or password, that are not considered public for the purposes of a public records request. We will never share the mobile phone number at which you consent to receive text messages with any third party except, under appropriate circumstances, with law enforcement. For more information on types of data exempted from disclosure under the Public Records Law, please read the Secretary of the Commonwealth’s A Guide to the Public Records Law.
Security
Because e-mail, text messages and chat messages sent to the Health Connector are encrypted only at rest and not during transit, you should not send messages containing information that you consider highly sensitive to this website or through our text messaging or chat services. We use standard security measures to ensure that information provided by you, including your personally identifiable information, is not lost, misused, altered, or unintentionally destroyed. We also use software to monitor network traffic to identify unauthorized attempts to upload or change information, or otherwise cause damage. With respect to this site, except for authorized law enforcement investigations, no attempts are made to identify individual site users’ site usage habits.
Policy changes
We will post substantive changes to this policy at least 30 days before they take effect. Any information we collect under the current privacy policy will remain subject to the terms of this policy. After any changes take effect, all new information we collect, if any, will be subject to the new policy.
Contact Information
For questions about your privacy while using this website or using the Health Connector’s text messaging or chat services, please contact the Health Connector’s privacy and security officer at ConnectorPrivacy@state.ma.us.
Definitions:
- Cookies are files that a website can place on your computer. A cookie file contains unique information that a website can use to track such things as your password, lists of Web pages you have visited, and the date when you last looked at a specific Web page, or to identify your session at a particular website. A cookie file allows the website to recognize you as you click through pages on the site and when you later revisit the site. A website can use cookies to “remember” your preferences, and to record your browsing behavior on the Web. Although you can prevent websites from placing cookies on your computer by using your browser’s preference menu, disabling cookies may affect your ability to view or interact with some websites.
- An “Internet Protocol Address” or “IP Address” is a series of numbers that identifies each computer and machine connected to the Internet. An IP address enables a server on a computer network to send you the file that you have requested on the Internet. The IP address disclosed to us may identify the computer from which you are accessing the Internet, or a server owned by your Internet Service Provider. Because it is machine-specific, rather than person-specific, an IP address is not, in and of itself, personally identifiable information.
Notice of Privacy Practices
Last modified November 22, 2021
THIS NOTICE DESCRIBES HOW INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED, AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
The Health Connector has personally identifiable information about you because it provides you access to health insurance through its role as a health insurance Marketplace. Personally identifiable information (“PII”) includes things such as your name, social security number, and address. The PII about you that the Health Connector collects includes information you provided on your application for coverage, and information about what health plan you enroll in, and the premium you pay. By law, the Health Connector must protect the privacy of your personally identifiable information and provide you with notice of our legal duties and privacy practices. This notice explains your rights and our legal duties and privacy practices.
Required and Permitted Uses and Disclosures
We may use and disclose PII in a number of ways to carry out our responsibilities. The following describes the types of uses and disclosures of PII that federal law requires or permits the Health Connector to make without your authorization:
Payment activities: The Health Connector may use and share PII for payment activities, such as determining if you are eligible to purchase health insurance or to receive federal or state subsidies to help you pay for that insurance; enrolling you in health plans; collecting premium payments; or transmitting subsidy payments to health insurance carriers for your coverage.
Health care operations: The Health Connector may use and share PII to operate its programs, including evaluating the quality of health care services you get, and performing studies to reduce health care costs and improve plan performance.
Other Permitted Uses and Disclosures: The Health Connector may use and share PII as follows:
- with public health authorities, when authorized by law;
- with health oversight agencies, for oversight activities authorized by law;
- in response to a judicial or administrative order, or lawful process, such as a subpoena;
- for research studies that meet all privacy requirements;
- to prevent or respond to a serious and imminent health or safety emergency; or
- to tell you about new or changed benefits and services or health care choices.
Required Disclosures: Generally, the Health Connector must use and share PII when requested by you or someone with the legal right or authorization to act for you; when requested by the U.S. Department of Health and Human Services to make sure your privacy is protected; and when otherwise required by law.
Organizations that Assist Us: In connection with payment and operations, we may share your PII with third party “Business Associates” that perform activities on our behalf. These business associates will be legally and contractually bound to safeguard the privacy of your PII. Except as described above, the Health Connector cannot use or share your PII without your written permission. You may cancel your permission at any time, as long as you tell us in writing. However, we cannot take back any PII that we used or shared when we had your permission.
Your Rights
Uses and Disclosures Requiring Authorization: The Health Connector requires your authorization to:
- Use or disclose your PII for marketing purposes, including treatment notifications; or
- Sell your PII.
Most uses and disclosures not described in this Notice of Privacy Practices will only be made with your authorization. You may revoke an authorization by writing to the Health Connector at the address below.
Further, you have the right to:
- Ask to see and get a copy of your PII that the Health Connector maintains. If the Health Connector stores your PII in electronic format, you have the right to receive that PII in electronic format. You must ask for this in writing. The Health Connector may charge to cover certain costs, such as copying and posting.
- Ask the Health Connector to correct your PII if you believe that it is wrong or incomplete and the Health Connector agrees. You must ask for this in writing along with a reason for your request. The Health Connector may not always be able to grant this request.
- Ask the Health Connector to restrict certain uses and disclosures of your PII to carry out payment and health care operations. You must ask for this in writing. The Health Connector may not always be able to grant this request.
- Receive a separate paper copy of this notice upon request.
- Be notified in the event the security of your PII has been breached.
For more information about your rights, and about how to request to see, correct or restrict your PII, please see the Health Connector’s Policy and Procedures for the Protection of Member Privacy Rights.
The Health Connector must abide by the terms of this notice. The Health Connector may change how we use and share your health information. If the Health Connector makes important changes, we will revise our notice and will provide you a new notice if you are participating in our programs at the time of the revision. That new notice will apply to all of the PII that the Health Connector has about you.
The Health Connector takes your privacy very seriously. If you would like to exercise any of the rights we describe in this notice, or if you feel that the Health Connector has violated your privacy rights, contact the Health Connector in writing at the following address or by email:
Mail:
Attn: Privacy Officer
Massachusetts Health Connector Compliance Unit
P.O. Box 960189
Boston, MA 02196
Email: ConnectorPrivacy@state.ma.us
Filing a complaint or exercising your rights will not affect any health insurance coverage you have through the Health Connector.
For more information, or if you need help understanding this notice, please call 617-933-3095.