Notice of Privacy Practices
Evernorth Products and Services
Effective Date: This Notice is effective as of August 22, 2003, and updated as of July 27, 2021.
This notice describes how health information about you may be used and disclosed, and how you can get access to this information. Please review it carefully.
OUR PRIVACY COMMITMENT
Thank you for giving us the opportunity to serve you. In the normal course of doing business, we create, obtain, and/or maintain records about you and the services we provide to you. The information we collect is called protected health information (“PHI”). We take our obligation to keep your PHI secure and confidential very seriously. We are required by federal and state law to protect the privacy of your PHI and to provide you with this Notice of Privacy Practices (“Notice”) about how we safeguard and use it, and notify you following a breach of your unsecured PHI. When we use or give out (“disclose”) your PHI, we are bound by the terms of this Notice. This Notice applies to all electronic or paper records we create, obtain, and/or maintain that contain your PHI.
Evernorth is a health services company which includes managed health care and insurance products on behalf of clients in the U.S. Evernorth serves health maintenance organizations, third-party administrators, insurance companies, employers and other health care entities. When this document refers to Evernorth, it is referring to Evernorth and its affiliates as a subsidiary of Cigna Corporation (“Cigna”). For purposes under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Privacy and Security Rules, Cigna designated a HIPAA single affliated covered entity (“ACE”) that includes Evernorth products and services (e.g., Express Scripts Pharmacy, Evernorth Direct Health, Inc., Express Scripts Specialty Distribution Services, Inc., Accredo). An ACE is a group of organizations under common ownership or control who designate themselves as a single ACE for purpose of compliance with HIPAA. The list of entities that comprise the Cigna ACE can be found at Cigna.com/Privacy and may be amended from time to time.
THIS NOTICE DESCRIBES:
- How we (that is, each of the subsidiaries that compose the Express Scripts ACE) may use and disclose your protected health information ("PHI")How we (i.e, each of the subsidiaries that comprise the Cigna ACE) may use and disclose your PHI
- Your rights to access and amend your PHI
We are required by law to:
- Maintain the privacy of your PHI
- Provide you with notice of our legal duties and privacy practices with respect to PHI
- Abide by the terms of the Notice currently in effect for the Cigna ACE
HOW WE PROTECT YOUR PRIVACY
We understand the importance of protecting your PHI. We maintain technical, physical and administrative safeguards to ensure the privacy of your PHI.
PERMITTED USES AND DISCLOSURES OF YOUR PHI
HOW WE MAY USE PHI WITHOUT YOUR AUTHORIZATION
- Treatment – We may use and disclose your PHI to health care professionals or other third parties to provide, coordinate and manage the delivery of health care (e.g., helping you obtain services and treatment, such as ordering lab tests). Or your pharmacist may disclose PHI about you to your doctor in order to coordinate the prescribing and delivery of your drugs. Also, we may provide you with treatment reminders and information about potential side effects, drug interactions and other treatment-related issues involving your medicine.
- Payment – We may use and disclose PHI about you to receive payment for our services or premiums for your coverage, manage your account, fulfill our responsibilities under your benefit plan, and process your claims for drugs you have received. For example, we may give PHI to your health plan (or its designee) so we can confirm your eligibility or coverage, or we may submit claims to your health plan, employer or other third party for payment.
- Health Care Operations – We may use and disclose your PHI to carry on our own business planning and administrative operations. We need to do this so we can provide you with high-quality services. For example, we may share your claims information with your doctor if you have a medical need that requires attention. We may use and disclose PHI about you to assess the use or effectiveness of certain drugs, develop and monitor medical protocols, and to provide information regarding helpful health-management services.
- Disclosures to Your Employer as Sponsor of Your Health Plan – Where permitted by law, we may disclose your PHI to your employer or to a company acting on your employer’s behalf, so that entity can monitor, audit and otherwise administer the employee health plan in which you participate. Your employer is not permitted to use the PHI we disclose for any purpose other than administration of your benefits. See your employer’s health plan documents for information on whether your employer receives PHI and, if so, the identity of the employees who are authorized to receive your PHI.
- Information That May Be of Interest to You – We may use or disclose your PHI to contact you about treatment options or alternatives that may be of interest to you. For example, we may call you to remind you of expired prescriptions, the availability of alternative drugs, or to inform you of other products that may benefit your health.
- Individuals Involved in Your Care or Payment for Your Care – We may disclose PHI about you to someone who assists in or pays for your care. Unless you write to us and specifically tell us not to, we may disclose your PHI to someone who has your permission to act on your behalf. We will require this person to provide adequate proof that he or she has your permission.
- Parents or Legal Guardians – If you are a minor or under a legal guardianship, we may release your PHI to your parents or legal guardians when we are permitted or required to do so under federal and applicable state law.
- Business Associates – We arrange to provide some services through contracts with business associates so that they may help us operate more efficiently. We may disclose your PHI to business associates acting on our behalf. If any PHI is disclosed, we will protect your information from unauthorized use and disclosure using confidentiality agreements. Our business associates may, in turn, use vendors to assist them in providing services to us. If so, the business associates must enter into a confidentiality agreement with the vendor, which protects your information from unauthorized use and disclosure.
- Research – Under certain circumstances, we may use and disclose PHI about you for research purposes. Before we use or disclose PHI about you, we will remove information that personally identifies you, obtain your written authorization or gain approval through a special approval process designed to protect the privacy of your PHI. In some circumstances, we may use your PHI to generate aggregate data (summarized data that does not identify you) to study outcomes, costs and provider profiles, and to suggest benefit designs for your employer or health plan. These studies generate aggregate data that we may sell or disclose to other companies or organizations. Aggregate data does not personally identify you.
- Abuse, Neglect or Domestic Violence – We may disclose your PHI to a social service, protective agency or other government authority if we believe you are a victim of abuse, neglect or domestic violence. We will inform you of our disclosure unless informing you would place you at risk of serious harm.
- Public Health – We may disclose your PHI for public health activities and purposes, such as regulatory reporting (e.g. reporting adverse events, vaccination efforts to avert the spread of communicable diseases) or for post-marketing surveillance in connection with FDA-mandates or product recalls. We may receive payment from a third party for making disclosures for public health activities and purposes.
- Judicial and Administrative Proceedings – We may disclose your PHI in the course of any judicial or administrative proceeding in response to a court order, subpoena or other lawful process, but only after we have been assured that efforts have been made to notify you of the request.
- Law Enforcement – We may disclose your PHI, as required by law, in response to a subpoena, warrant, summons, or other appropriate process. In some circumstances, we may also disclose PHI to assist law enforcement with identification of relevant individuals, provide information about crime victims, provide information to law enforcement about decedents, and report a crime.
- Coroners and Medical Examiners – We may disclose your PHI to a coroner or a medical examiner for the purpose of determining cause of death or other duties authorized by law.
- Organ, Eye and Tissue Donation – We may disclose your PHI to organizations involved in organ transplantation to facilitate donation and transplantation.
- Workers’ Compensation – We may disclose your PHI to comply with workers’ compensation laws and other similar programs.
- Fundraising – We may use your PHI to send you fundraising communications, but you have the right to opt out of receiving such communications.
- Specialized Government Functions, Military and Veterans – We may disclose your PHI to authorized federal officials to perform intelligence, counterintelligence, medical suitability determinations, Presidential protection activities, and other national security activities authorized by law. If you are a member of the U.S. armed forces or of a foreign military, we may disclose your PHI as required by military command authorities or law. If you are an inmate in a correctional institution or under the custody of a law enforcement official, we may disclose your PHI to those parties if disclosure is necessary for: the provision of your health care; maintaining the health or safety of yourself or other inmates or ensuring the safety and security of the correctional institution or its agents.
- As Otherwise Required By Law – We will disclose PHI about you when required to do so by law. If federal, state or local law within your jurisdiction offers you additional protections against improper use or disclosure of PHI, we will follow such laws to the extent they apply.
- Health Oversight – We may disclose PHI to a health oversight agency performing activities authorized by law, such as investigations and audits. These agencies include governmental agencies that oversee the health care system, government benefit programs, and organizations subject to government regulation and civil rights laws.
- Creation of De-Identified Health Information – We may use your PHI to create data that cannot be linked to you by removing certain elements from your PHI, such as your name, address, telephone number, and member identification number. We may use this de-identified information to conduct certain business activities; for example, to create summary reports and to analyze and monitor industry trends.
- To Avert Serious Threat to Health or Safety – We may disclose your PHI to prevent or lessen an imminent threat to the health or safety of another person or the public. Such disclosure will only be made to someone in a position to prevent or lessen the threat.
- OTHER USES AND DISCLOSURES OF PHI
- Uses of PHI That Require Your Authorization – Most uses and disclosures of psychotherapy notes (where appropriate), uses and disclosures for marketing purposes and disclosures that constitute a sale of PHI require an authorization. These activities and any other uses and disclosures of your PHI not listed in this Notice will be made only with your authorization unless we are permitted by applicable law to make such other use and disclosure, in which case, we shall comply with applicable law. You may revoke your authorization, in writing, at any time unless we have taken action in reliance upon it. Written revocation of authorization must be sent to the address listed below.
- Additional Protections for Certain Categories of PHI – For certain kinds of PHI, federal and state law may provide for enhanced privacy protection. Such protections may apply to PHI that is maintained in psychotherapy notes; PHI involving alcohol and drug abuse prevention, treatment, and referral; PHI concerning HIV/AIDS testing, diagnosis, or treatment; PHI involving venereal and/or communicable disease(s); and PHI related to genetic testing.
YOUR RIGHTS WITH RESPECT TO YOUR PHI
You have the following rights regarding the PHI we maintain about you:
- Right to Inspect and Copy – Subject to some restrictions, you may inspect and copy PHI that may be used to make decisions about you, as well as records of enrollment, payment, claims adjudication and case or medical management. If we maintain such records electronically, you have the right to request such records in electronic format. You may also have the records send to a third party, including requesting that we share your PHI with a Health Information Exchange (HIE). If you request copies, we may charge reasonable expenses incurred with copying and mailing the records. Under limited circumstances, we may deny you access to a portion of your records.
- Right to Amend – If you believe PHI about you is incorrect or incomplete, you may ask us to amend the information. You must provide a reason supporting your request to amend. We may deny the request in some instances. If we determine that the PHI is inaccurate, we will correct it if permitted by law. If a health care facility or professional created the information that you want to change, you should ask them to amend the information.
- Right to an Accounting of Disclosures – YYou have the right to request an accounting of disclosures of your PHI. This accounting identifies the disclosures we have made of your PHI other than for treatment, payment or health care operations. The provision of an accounting of disclosures is subject to certain restrictions. For example, the list will exclude the following, among others:
- Disclosures to you as well as disclosures you have authorized.
- Disclosures made earlier than six years before the date of your request (in the case of disclosures made from an electronic health record, this period may be limited to three years before the date of your request).
- Certain other disclosures that are excepted by law.
- If you request an accounting more than once during any 12-month period, we may charge you a reasonable fee for each accounting report after the first one.
- Right to Request Restrictions – You have the right to request a restriction or limitation on the PHI we use and disclose about you for treatment, payment or health care operations. You may also request your PHI not be disclosed to family members or friends who may be involved in your care or paying for your care. Your request must be in writing; state the restrictions you are requesting and state to whom the restriction applies. We are not required to agree to your request. If we do agree, we will comply with your request unless the restricted information is needed to provide you with emergency treatment. We will agree to your request to restrict PHI disclosed to a health plan for payment or health care operations (that is, non-treatment) purposes if the information is about a medication for which you paid us, out-of-pocket, in full.
- Confidential Communications – You may ask that we communicate with you in an alternate way or at an alternate location to protect the confidentiality of your PHI. Your request must state an alternate method or location you would like us to use to communicate your PHI to you.
- Right to be Notified – You have the right to be notified following a breach of unsecured PHI if your PHI is affected.
- Right to a Paper Copy of This Notice – You have the right to request a paper copy of this Notice at any time. For information about how to obtain a copy of this Notice and answers to frequently asked questions, please call Customer Service at the toll-free telephone number printed on your customer ID card or 877.279.6391. Even if we have agreed to provide this Notice electronically, you are still entitled to a paper copy. You may obtain a copy of this Notice from our website at Evernorth.com.
- Right to File a Complaint – If you believe we have violated your privacy rights, you may file a written complaint to Evernorth at the address listed below. You may also file a complaint with the Secretary of the U.S. Department of Health and Human Services. You will not face retaliation for filing a complaint.
Written complaints, written revocation of authorization to use or disclose PHI, written requests for a copy of your PHI, amendment to your PHI, an accounting of disclosures, restrictions on your PHI or confidential communications may be mailed or emailed to:
- P.O. Box 188014
- Chattanooga, TN 37422
- Attn: Privacy Office
WE RESERVE THE RIGHT TO REVISE THIS NOTICE. A revised Notice will be effective for PHI we already have about you, as well as any PHI we may receive in the future. We will communicate revisions to this Notice through our website, Evernorth.com.