Provider Privacy Policy

Providers shall comply with all state and federal laws and regulations pertaining to privacy and protection of patients' health information including, but not limited to, the Health Insurance Portability and Accountability Act (HIPAA) and any applicable state law.

There are numerous state and federal laws requiring Medica to protect its members’ personal information. The most comprehensive regulations were issued under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as amended (see 45 CFR parts 160 and 164).  The regulations describe how Medica must protect this information and how members can access their personal information.

Both health plans and health care providers are “covered entities” as defined under HIPAA and, as such, are required to understand and comply with the HIPAA Privacy Rule. For providers who are also a Business Associate of Medica as defined in the HIPAA privacy regulations, see the HIPAA Business Associate Requirements included in Medica’s Administrative Manual.

Read about HIPAA Business Associate Requirements for Providers »

Summary of Medica’s Privacy Practices

For a complete description of Medica’s privacy practices for members, see Medica’s Privacy Notice.

Medica takes its responsibility of protecting members' personal information seriously. Where possible, Medica de-identifies personal information. We use and disclose only the minimum amount of personal information necessary for treatment, payment and health care operations, or to comply with legal, regulatory or accreditation requirements.

In addition to physical and technological safeguards, Medica has adopted administrative safeguards such as policies and procedures that require its employees, business associates and health care providers to protect Medica members’ personal information. 

Medica provides training on privacy procedures to its employees. We protect the personal information of applicants and former members just as we protect the personal information of current Medica members. Medica also protects cultural information such as race, ethnicity, language, gender identity, and sexual orientation, the same as all other personal information of our members.


Under What Circumstances Does Medica Use or Disclose Personal Information?

Medica and its business associates receive, obtain, maintain, use and share personal information only as needed to carry out certain routine activities. Routine activities include: (i) treatment-related activities, such as referring members to a doctor or other provider; (ii) payment-related activities, such as paying claims for medical services rendered; and (iii) health care operations, such as professional peer reviews and development of wellness programs. Other examples of routine activities include, but are not limited to, the following:

  • Enrollment and eligibility, benefits management, and utilization management
  • Customer service
  • Coordination of care
  • Health improvement and disease management (for example, sending information on treatment alternatives or other health-related benefits) 
  • Premium billing and claims administration
  • Complaints and appeals
  • Underwriting, actuarial studies, and premium rating (however, Medica is prohibited from using or disclosing genetic information for underwriting purposes)
  • Regulatory and accreditation oversight, and legal compliance
  • Credentialing and quality assurance
  • Business planning or management and general administrative activities (for example, employee training and supervision, legal consultation, accounting, auditing)
  • Anti-fraud activities

However, Medica will not use cultural information, such as race, ethnicity, language, gender identity, and sexual orientation, for purposes of underwriting, rate setting or denial of coverage or benefits.

Medica has policies that limit the disclosure of personal information to employers. However, Medica must share some personal information (for example, enrollment information) with a group policyholder or its designee to administer its business. The group policyholder or designee is responsible for protecting the personal information from being used for purposes other than administering health plan benefits.

From time to time, Medica may be interested in using or disclosing personal information for purposes other than treatment, payment, health care operations, or as required by law. In these situations, Medica is required to obtain our members’ written authorization before we release the personal information. Our members have the right to decide not to authorize Medica to use or disclose their personal health information in these situations.

Medica protects the confidentiality of sensitive services for our minor members. We do this by sending all written correspondence to patients age 12 and older.

The law also gives our members the right to access, copy, and amend their personal information. Our members have the right to request restrictions on certain uses and disclosures of their personal information. They also have the right to obtain information about how and when their personal information has been used and disclosed.

These duties, responsibilities, and rights are described in more detail in Medica’s Privacy Notice. To obtain a copy of Medica’s Privacy Notice, providers may view the policy online or call the Medica Provider Literature Request Line for printed copies of documents, toll-free at 1 (800) 458-5512, option 1, then option 8, ext. 2-2355.

Please Note: Medica’s Privacy Notice does not apply to members whose employers are self-insured.

If a member’s employer is self-insured, the member needs to contact their employer for more information about their health plan’s privacy practices.

As a convenience for you, here are some examples of topics for the administrative, technical and physical patient health information safeguards required under HIPAA.

Administrative Safeguards:

  • Create and implement written policies and procedures for your entire organization, e.g., clinic, hospital or skilled nursing facility.
  • Train every member of your work force, e.g., practitioners, receptionists, business office staff and volunteers.
  • Provide patients with “Notice of Privacy Practices.”
  • When permitted or required by law, disclose only “minimum necessary” patient information for the purpose intended.

Technical Safeguards:

  • Ensure proper use of computer system firewalls to prevent unauthorized access.
  • Ensure proper use of computer user names and passwords.

Physical Safeguards:

  • Ensure that patient information is displayed in a manner not identifiable to the general public.
  • Ensure that medical records are stored in a secure area inaccessible to unauthorized individuals.

Further information about these and other HIPAA requirements can be found at the following websites:

The information provided above is not intended as legal advice. Please contact your legal adviser for more information regarding HIPAA and other state and federal regulations.


REV 10/2023
